System security commands required for Linux

Although Linux is a multi-user system like Windows NT/2000, there are many important differences between them. For many administrators who are used to Windows, there are many new challenges to ensure the security and reliability of the Linux operating system. This article focuses on Linux system security commands.

Passwd

1. Role
The passwd command is used to change the logon password of an account. The permission is granted to all users.

2. Format
Passwd [Option] account name

3. Main Parameters
-L: the name of the named account is locked and can only be used by users with super user permissions.
-U: Unlock the account lock status. Only users with Super User Permissions can use it.
-X, -- maximum = DAYS: maximum Password usage time (DAYS). Only users with Super User Permissions can use it.
-N, -- minimum = DAYS: minimum Password usage time (DAYS). Only users with Super User Permissions can use the password.
-D: Delete the user's password. Only users with Super User Permissions can use it.
-S: Check the password authentication type of a specified user. Only users with Super User Permissions can use the password.

4. Application Instance

$ Passwd
Changing password for user cao.
Changing password for cao
(Current) UNIX password:
New UNIX password:
Retype new UNIX password:
Passwd: all authentication tokens updated successfully.

As you can see above, the passwd command requires entering the old password and then entering the new password twice.

Su

1. Role
Su is used to change the identity of another user. Except for a Super User, you need to enter the user's password.

2. Format
Su [Option]... [-] [USER [ARG]...]

3. Main Parameters
-F, -- fast: does not need to read the Startup File (such as csh. cshrc). It is only used for csh or tcsh shells.
-L, -- login: After this parameter is added, it is like re-logging into the USER. Most environment variables (such as HOME, SHELL, and USER) are based on this USER) and the working directory will change. If no USER is specified, the default value is root.
-M,-p, -- preserve-environment: the environment variable is not changed when su is executed.
-C command: the USER who changed the account to USER, and then executes the command to change it back to the original USER.
USER: USER account to be changed. ARG is used to input new Shell parameters.

4. Application Instance
Change the account to a Super User, and restore the user after executing the df command.
Su-c df root

Umask

1. Role
Umask sets the default blocking value for creating files in User Files And Directories. If you place this command in the profile file, you can control the access permission for subsequent files created by the user. It tells the system not to grant access permission to anyone when creating a file. The permission is granted to all users.

2. Format
Umask [-p] [-S] [mode]

3. Parameters
-S: determines the current umask settings.
-P: Modify umask settings.
[Mode]: Modify the value.

4. Description
The umask value of traditional Unix is 022, which prevents other users in the same group and users in other groups from modifying the user's files. Since each user has a private group, this "group protection mode" is not needed. Strict permission settings constitute the foundation of Linux security, and making mistakes in permissions is fatal. Note that the umask command is used to set the read and write permissions of the files created by the process. The safest value is 0077, that is, to disable the read and write permissions of all processes other than the process where the files are created, -rw -------. In ~ /. In bash_profile, the umask 0077 command can be added to ensure that the umask permission of the process can be correctly set after each Shell startup.

5. Application Instance
Umask-S
U = rwx, g = rx, o = rx
Umask-p 177
Umask-S
U = rw, g =, o =

The preceding five-line command first shows the current status, and then changes the umask value to 177. Only the file owner has the permission to read and write the file, and other users cannot access the file. This is obviously a very safe setting.

Chgrp

1. Role
Chgrp indicates the group to which one or more files or directories belong. The permission is a Super User.

2. Format
Chgrp [Option]... group file...
Or
Chgrp [Option]... -- reference = reference file...
Set the group to which each <File> belongs.

3. Parameters
-C, -- changes: Like -- verbose, but the result is displayed only when there is a change.
-- Dereference: affects the objects indicated by the symbolic link, rather than the symbolic link itself.
-H, -- no-dereference: affects the symbolic link itself, rather than the destination indicated by the symbolic link (this option is valid only when the system supports changing the owner of the symbolic link ).
-F, -- silent, -- quiet: removes most error messages.
-- Reference = reference file: Use the group to which the <reference File> belongs, rather than the specified <group>.
-R, -- recursive: recursively processes all files and subdirectories.
-V, -- verbose: displays information when processing any file.

4. Application description
This command changes the user group to which the specified file belongs. The group can be either the user group ID or the group name of the user group in the/etc/group file. A file name is a list of files separated by spaces to change the group. Wildcards are supported. If the user is not the owner or super user of the file, the file group cannot be changed.

5. Application Instance
Change the owner group of all files in/opt/local/book/and its subdirectories to book. The command is as follows:
$ Chgrp-R book/opt/local/book

Chmod

1. Role
The chmod command is very important. It is used to change the access permissions of files or directories. You can use it to control the access permissions of files or directories.

2. Format
The chmod command can be used in two ways. One is the character setting method that contains letters and operator expressions (relative permission setting), and the other is the number setting method that contains numbers (absolute permission setting ).
(1) character setting method
Chmod [who] [+-=] [mode] File Name

◆ The operation object who can be any one of the following letters or their combination
U: indicates the user, that is, the owner of the file or directory.
G: Indicates users in the same group, that is, all users with the same group ID as the file owner.
O: other users.
A: All users. It is the default value.

◆ Operation symbol
+: Add a permission.
-: Cancel a permission.
=: Grant the given permission and cancel all other permissions (if any ).

◆ Set the mode permission to any combination of the following letters
R: readable.
W: writable.
X: executable.
X: append the x attribute only when the target file is executable to some users or the target file is a directory.
S: During File Execution, set the owner or group ID of the process to the file owner of the file. In the format of "u + s" to set the user ID of the file, and "g + s" to set the group ID.
T: Save the program text to the swap device.
U: The same permissions as the file owner.
G: users in the same group as the file owner have the same permissions.
O: The same permissions as other users.
File Name: list of files separated by spaces to change permissions. Wildcards are supported.
Multiple permission methods can be provided in a command line, separated by commas.
(2) number setting method
The number setting method is generally in the following format:
Chmod [mode] File Name

The numeric attribute should be in the format of three Octal numbers 0 to 7, in the order of (u) (g) (o) file names, separated by spaces to change the permission of the file list, wildcard characters are supported.
 
The number indicates the permission. 0001 indicates the execution permission of the owner, 0002 indicates the write permission of the owner, 0004 indicates the read permission of the owner, and 0010 indicates the execution permission of the group; 0020 is the write permission of the group; 0040 is the read permission of the group; 0100 is the execution permission of others; 0200 is the write permission of others; 0400 is the read permission of others; 1000 indicates the position of the file to be pasted. 2000 indicates that if the file is an executable file, the Group ID indicates the position; otherwise, the file is locked; 4000 indicates that if the file is an executable file, the user ID is the location.
 
3. Instance
If a system administrator writes a form (tem) for all users to enter, the user must be authorized to read and write the file. You can run the following command:
# Chmod1 666 tem

In the code above, how is the 666 number calculated? 0002 is the write permission of the owner, 0004 is the read permission of the owner, 0020 is the write permission of the group, 0040 is the read permission of the group, and 0200 is the write permission of others, 0400 is the read permission of others, and the total number of these six numbers is 666 (the above numbers are octal ).

The permission for the tem file is-rw-, that is, the user has read and write permissions on the file.
 
Use the following command to set the character permission:
# Chmod a = wx tem

Chown

1. Role
Change the owner and group of one or more files or directories. The permission is a Super User.

2. Format
Chown [Option] user or group file

3. Main Parameters
-- Dereference: The objects indicated by symbolic links are affected, not the symbolic links themselves.
-H, -- no-dereference: affects the symbolic link itself, rather than the destination indicated by the symbolic link (this option is valid only when the system supports changing the owner of the symbolic link ).
-- From = Current Owner: the current group changes the owner and group only when the owner and group of each file meet the specified options. Where