Although Linux is a multi-user system like the Windows nt/2000 system, there are a number of important differences between them. For many administrators accustomed to Windows systems, there are many new challenges to ensuring that Linux operating systems are secure and reliable. This article will focus on the Linux system security commands.
passwd
1. Role
passwd command originally modify the account login password, the use of permissions are all users.
2. Format
passwd [option] account name
3. Main parameters
-L: Locks the name of the account that is already named, only available to users who have superuser privileges.
-U: Unlock account lockout status, only users who have Superuser privileges can use it.
-X,--maximum=days: Maximum password usage time (days), only used by users with superuser privileges.
-N,--minimum=days: Minimum password usage time (days), only used by users with superuser privileges.
-D: Deletes the user's password, which is available only to users who have superuser privileges.
-S: Check the type of password authentication for the specified user, only users who have Superuser privileges can use it.
4. Application examples
$ passwd
Changing password for user Cao.
changing password for Cao
(current) UNIX Password:
New UNIX Password:
Retype new UNIX Password:
Passwd:all authentication tokens updated successfully.
As you can see from the above, use the passwd command to enter the old password, and then enter the new password two times.
Su
1. Role
The role of SU is to change the identity of other users, except for Superuser, who needs to type the user's password.
2. Format
su [Options] ... [-] [USER [ARG] ...]
3. Main parameters
-F,--fast: Do not need to read startup files (such as CSH.CSHRC, etc.), only for csh or tcsh two shell.
-L,--login: After adding this parameter, it is as if it were a login to the consumer, most environment variables (such as home, Shell, and USER) are based on that user (user), and the working directory changes. If user is not specified, the default is root.
-M,-P,--preserve-environment: Do not change the environment variables when performing su.
-C command: Change the account as user, and execute the Command (command) and then change back to the original user.
User: The user account you want to change, ARG passes in the new shell parameter.
4. Application examples
Change the account to Superuser and restore the user after the DF command is executed.
Su-c DF Root
Umask
1. Role
Umask set the user files and directories of the file to create a default screen value, if you put this command into the profile file, you can control the user's subsequent file access permissions. It tells the system who does not give permission to the file when it is created. Use permissions are all users.
2. Format
Umask [-P] [-S] [mode]
3. Parameter
-S: Determines the current umask setting.
-P: Modify umask settings.
[mode]: modifies the value.
Instructions for system security commands to be learned under 4.Linux
The traditional Unix umask value is 022, which prevents users who belong to the group and other groups from modifying the user's files. Since each user owns and belongs to a private group of its own, this "group protection mode" is not needed. Strict permission settings form the basis of Linux security, and it is fatal to make mistakes in permissions. Note that the Umask command is used to set read-write access to the files created by the process, with the safest value of 0077, which is to turn off read and write access to all processes other than the process that created the file, expressed as-RW-------。 In ~/.bash_profile, adding one line of command Umask 0077 guarantees that the process's umask permissions can be set correctly each time the shell is started.
5. Application examples
Umask-s
U=rwx,g=rx,o=rx
UMASK-P 177
Umask-s
u=rw,g=,o=
The 5-line command, which first displays the current state, then changes the Umask value to 177, only to the effect that the file owner has permission to read and write files, and other users cannot access the file. This is clearly a very secure setting.
Chgrp
1. Role
CHGRP represents modifying the group to which one or more files or directories belong. Use permissions are superuser.
2. Format
chgrp [Options] ... Group File ...
Or
chgrp [Options] ...--reference= reference file ...
Set the group of each < file > to < group >.
3. Parameter
-C,--changes: like--verbose, but displays results only if there are changes.
--dereference: Affects the object indicated by the symbolic link, not the symbolic link itself.
-H,--no-dereference: Affects the symbolic link itself, not the destination indicated by the symbolic link (this option is available when the system supports changing the owner of the symbolic link).
-F,--silent,--quiet: Remove most of the error messages.
--reference= Reference File: Use < reference file > 's owning group, not the specified < group >.
-R,--recursive: recursively handles all files and subdirectories.
-V,--verbose: Processing Any file will display information.
4. Application Instructions
This command changes the user group to which the specified file belongs. Where group can be the user group ID or the group name of the user group in the/etc/group file. The file name is separated by a space to change the list of files in the group, supporting wildcard characters. If the user is not the owner or superuser of the file, the group of the file cannot be changed.
5. Application examples
Change the group of all files under/opt/local/book/and its subdirectories to book, as follows:
$ chgrp-r Book/opt/local/book
chmod
1. Role
The chmod command is important to change the access rights of a file or directory, and users can use it to control access to files or directories, which are superuser.
2. Format
There are two uses of the chmod command. One is the character setting method that contains the letter and operator expressions (relative permission setting), and the other is the numeric setting method (absolute permission setting) that contains numbers.
(1) Character setting method
chmod [who] [+-=] [mode] File name
Manipulating objects who can be any of the following letters or their combinations
U: Represents the user, that is, the owner of the file or directory.
G: Represents the same group of users, that is, all users who have the same group ID as the owner of the file.
O: Represents another user.
A: Represents all users, which is the system default value.
Action symbol
+: Add a permission.
-: Cancels a permission.
=: give the given permission and cancel all other permissions, if any.
The permission to set mode can be any combination of the following letters
R: Readable.
W: Writable.
X: Executable.
X: Append the x attribute only if the target file is executable for some users or if the destination file is a directory.
S: The owner or group ID of the process is placed as the file owner of the file when the file is executed. Mode "U+s" sets the user ID bit of the file, and "G+s" sets the group ID bit.
T: Saves the text of the program to the switching device.
U: Has the same permissions as the owner of the file.
G: Have the same permissions as users who are in the same group as the file owner.
O: Have the same permissions as other users.
File name: A space-separated list of files to change permissions to support wildcard characters.
Multiple permission methods can be given in one command line, separated by commas.
(2) Digital setting method
The general form of the digital setting method is:
chmod [mode] filename
Current 1/4 page
1234 Next read the full text
