Linux root Account Management

Article Title: several inspirations about linux root Account Management. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

As we all know, linux root accounts, like Microsoft's Administrator account, play a vital role in the operating system. How to manage the ROOT account is critical to the security and stability of the Linux system. Next, I will talk about some of my inspiration for managing the ROOT account for your reference.

　　Revelation 1: ROOT users are used only as backup accounts.

Whether you use the Linux system on your own, or use it by other employees in the enterprise, or use it as a server, it is best not to use the ROOT user directly.

If your company's employees are using the Linux system, as the administrator of the Linux system, employees cannot directly log on to the system using the ROOT account. Instead, we need to configure other users for daily business work. This is mainly because the ROOT account has the highest management permissions for the operating system. Linux systems are unfamiliar to employees. If you give them such high permissions, sometimes the system accidentally changes a file, it will cause the system to crash. Therefore, in actual account management, we need to set an account with minimum permissions for common users.

In fact, in the Linxu system, the conversion of permissions between common users and administrator users is not as troublesome as Microsoft operating system. You only need some simple commands to complete permission conversion, which saves us the trouble of frequent logout.

For example, a user's Linux system has a ROOT account and a SA001 account. This account is only a common permission and cannot perform any configuration actions on the operating system, including the permission to install software or mount other shared folders. My company now deploys a file server on the internal network of the enterprise. Now we need to connect the file server to this operating system. But what should we do if the user is using the SA001 account to log in?

If we directly use the common account SA001 to execute the mount command to connect to the server, the system will prompt us that this command must be run only with the administrator privilege. If you are using a Windows operating system, you can also select the identity of the command in "open mode. But in Linux, what should we do? Do you need to restart the system? In fact, in Linux, permission conversion is much simpler than in Windows.

In this case, you can directly enter su under the command line, and then enter the password of the ROOT account. Then, you can run the program as root. In this case, we can directly mount the shared directory using the mount command in this command line window.

For example, we have two administrator accounts, such as two network applications installed on a file server, which are managed by two administrators. We have set up different administrator accounts for them, such as AD001 and AD002. At this time, we need to log in with the Administrator account of AD002. At this time, we can use su? In the form of AD002. In this case, any program running in this command window will run as AD002. This operation is much easier than Windows.

However, in this conversion process, we need to pay attention to two issues. First, this permission is only for the window you log on to. If you exit this window or other windows do not have this administrator permission. For example, we now open two terminals and use the su command in one terminal window to log on as an administrator. At this point, if we run the mount command in this terminal, it can run normally. However, if we run the mount command in another terminal window, there will still be an error message "no permission to execute this command. That is to say, in the terminal window, after the administrator privilege is converted using the su command, it only takes effect on the current terminal, but it does not affect other ports.

Another problem is that the environment variable corresponding to the su command permission conversion in the terminal window is still the environment variable of the original account SA001. For example, in Linux, if a JAVA program is installed and related environment variables are configured under the root user. At this point, if we first log on to the system as a common user SA001 and use the su command on the terminal to switch to the Administrator permission, we run the java command, the system prompts "No environment variable is configured for JAVA ". We can see that we have obtained the Administrator permission using the su command, but have not obtained the corresponding environment variable.

What should we do if we want to include the corresponding environment variables after using the su command for permission conversion? In this case, we need to add a parameter after the su command to meet our needs. For example, we can use su? (Small Horizontal Bar) command to convert permissions. At this time, the converted environment variable is the environment variable corresponding to the root administrator account.

[1] [2] Next page