
Users, groups, and permissions

2022-07-07 12:56:00 LC181119

1. Linux security model

Access to resources is governed by three steps (the "AAA" model):

  • Authentication: verifying the identity of a user
  • Authorization: granting different users different permissions
  • Accounting | Auditing: recording what was done

1.1 Users

Every Linux user is uniquely identified by a User ID (UID). The kernel only knows the number: any account whose UID is 0 is root, whatever its name.

  • Administrator: root, UID 0
  • Ordinary users: UIDs 1-60000, assigned automatically
    • System users: 1-499 (CentOS 6 and earlier), 1-999 (CentOS 7 and later); used by daemons, which get only the permissions needed for the resources they must reach
    • Login users: 500+ (CentOS 6 and earlier), 1000+ (CentOS 7 and later); used for interactive logins

1.2 User groups

A user can be added to one or more groups; a group is uniquely identified by a Group ID (GID).
  • Administrators group: root, GID 0
  • Ordinary groups:
    • System groups: 1-499 (CentOS 6 and earlier), 1-999 (CentOS 7 and later); used to grant daemons access to resources
    • Normal groups: 500+ (CentOS 6 and earlier), 1000+ (CentOS 7 and later); used for users

1.3 The relationship between users and groups

  • Primary group: a user must belong to exactly one primary group. By default a group with the same name as the user is created and used as the primary group; because the user is its only member it is also called a private group.
  • Supplementary groups (secondary groups): a user can belong to zero or more supplementary groups.

1.4 Security context

A running program is a process, and a process runs with the identity of the user who started it. Which resources the process may access is therefore decided by the identity of the process owner, not by the program itself (the SUID/SGID bits in 4.4 are the deliberate exception). For example, running /bin/cat /etc/shadow as root succeeds, while running the same command as the user wang is denied: same program, different result, because the permission check is made against the identity of the caller.

2. User and group configuration files

2.1 Main configuration files

  • /etc/passwd: users and their attributes (name, UID, primary GID, home directory, shell, etc.); world-readable
  • /etc/shadow: user password hashes and password-aging attributes; readable only by root (or the shadow group on Debian-based systems)
  • /etc/group: groups and their attributes
  • /etc/gshadow: group passwords and their attributes; readable only by root

2.2 passwd file format

Each line of /etc/passwd holds one account as seven colon-separated fields:

login name: the user name (wang)
passwd: the password field; x means the hash is stored in /etc/shadow
UID: the user ID (1000)
GID: the ID of the user's primary group (1000)
GECOS: full name or comment
home directory: the user's home directory (/home/wang)
shell: the user's login shell (/bin/bash)

For example: wang:x:1000:1000:wang:/home/wang:/bin/bash

2.3 shadow file format

Each line of /etc/shadow holds nine colon-separated fields:

login name
password hash: usually SHA-512 ($6$...). A leading ! or * means the password is locked or unusable; an empty field means the account has no password at all (whether a login without a password is then accepted depends on PAM's nullok setting), which should never appear on a real system
date of the last password change, in days since 1970-01-01
minimum password age: how many days must pass before the password may be changed again (0 = any time)
maximum password age: how many days before the password must be changed (99999 = never expires)
warning period: how many days before expiry the user is warned (default one week)
inactivity period: how many days after the password expires before the account is locked
account expiration date, in days since 1970-01-01, after which the account is disabled
reserved field

Changing the password hashing algorithm:
authconfig   --passalgo=sha256 --update
(authconfig no longer exists on CentOS 8 / RHEL 8 and later; there the algorithm comes from ENCRYPT_METHOD in /etc/login.defs and the pam_unix options in the PAM stack.)
Password security policy
  • Long enough
  • Use at least 3 of: digits, upper-case letters, lower-case letters, special characters
  • Use random passwords
  • Rotate regularly, and do not reuse recently used passwords
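A worked audit of the two files, added here as an example (it is not code from the original article): the checks apply the field layouts from 2.2 and 2.3, including the aging fields that chage in 3.7 manipulates, to flag extra UID-0 accounts, duplicated UIDs, passwordless accounts, weak hash algorithms and passwords past their maximum age. The passwd and shadow contents are constructed sample data with invented account names; the functions take file paths, so the same code runs against /etc/passwd and /etc/shadow as root.

```bash
# Added example, not code from the original article: a small audit of
# /etc/passwd and /etc/shadow using the field layout described above.
# All functions take file paths, so the checks run here on the constructed
# sample files below without root; pass /etc/passwd and /etc/shadow as root
# to audit a live host.

# Every account with UID 0 is root, whatever its name says.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UIDs shared by more than one account (two names, one identity).
duplicate_uids() {           # $1 = passwd file
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Accounts whose password field is empty: no password at all.
empty_passwords() {          # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Hash algorithm per account, decoded from the $id$ prefix of the hash.
# Locked (! or * prefix) and passwordless accounts have no hash to grade.
hash_algorithms() {          # $1 = shadow file
    awk -F: '
        $2 == "" || $2 ~ /^[!*]/ { next }
        { split($2, h, "$"); id = h[2]
          alg = (id == "1") ? "md5" : (id == "5") ? "sha256" : (id == "6") ? "sha512" : (id == "y") ? "yescrypt" : ("unknown/" id)
          print $1, alg }' "$1"
}

# Accounts whose password is older than its maximum age:
# last change (field 3) + max days (field 5) < today. 99999 means never.
# $2 = today as days since 1970-01-01, i.e. $(( $(date +%s) / 86400 )).
expired_passwords() {        # $1 = shadow file, $2 = today in days
    awk -F: -v today="$2" '
        $5 == "" || $5 >= 99999 { next }
        $3 != "" && $3 + $5 < today { print $1 }' "$1"
}

# ---- constructed sample data (invented accounts, not from a real host) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:wang:/home/wang:/bin/bash
backdoor:x:0:0::/:/bin/bash
svc:x:999:999:service account:/nonexistent:/sbin/nologin
clone:x:1000:1000::/home/clone:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
wang:$5$saltsalt$hashhashhash:19000:0:90:14:30::
backdoor::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
clone:$1$saltsalt$hashhashhash:19000:0:99999:7:::
EOF

# Run all checks against a passwd/shadow pair.
run_audit() {                # $1 = passwd file, $2 = shadow file, $3 = today in days
    echo "UID 0 accounts:";    uid0_accounts "$1"
    echo "duplicate UIDs:";    duplicate_uids "$1"
    echo "empty passwords:";   empty_passwords "$2"
    echo "hash algorithms:";   hash_algorithms "$2"
    echo "expired passwords:"; expired_passwords "$2" "$3"
}
run_audit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$(( $(date +%s) / 86400 ))"
```

On the sample data the audit reports backdoor as a second root, UIDs 0 and 1000 as duplicated, backdoor as passwordless, clone as still using MD5, and wang's password as past its 90-day maximum.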

2.4 group file format

Each line of /etc/group has four colon-separated fields:

group name
group password: normally not set; the hash, if any, is kept in /etc/gshadow and this field holds x
GID: the group ID
member list: users who have this group as a supplementary group, separated by commas (users whose primary group this is are not listed here; they are found through the GID field of /etc/passwd)

2.5 gshadow file format

Each line of /etc/gshadow has four colon-separated fields:

group name
group password: used by newgrp for users who are not members; ! means no password is set
group administrators: users allowed to change the group password and membership, separated by commas
member list: users who have this group as a supplementary group, separated by commas

2.6 Editing the files safely

  • vipw and vigr: edit /etc/passwd and /etc/group while holding the lock that useradd and related tools use, so that a concurrent change cannot corrupt the files; vipw -s and vigr -s edit /etc/shadow and /etc/gshadow instead
  • pwck and grpck: check the files for consistency (wrong field counts, missing shadow entries, primary groups or group members that do not exist)

3. User and group management commands

User management commands:
  • useradd
  • usermod
  • userdel
Group management commands:
  • groupadd
  • groupmod
  • groupdel

3.1 Creating users

useradd creates a new Linux user.

Format:
useradd [options] LOGIN
Common options:
-u UID
-o with -u: do not check that the UID is unique (the new account then shares its identity with every other account that has this UID; with -u 0 it is simply another root)
-g GID specify the primary group, by name or by GID
-c "COMMENT" the user's comment (GECOS) field
-d HOME_DIR use the given (not yet existing) directory as the home directory
-s SHELL the user's login shell; the allowed shells are listed in /etc/shells
-G GROUP1[,GROUP2,...] supplementary groups; the groups must already exist
-N do not create a private group as the primary group; use the default group from /etc/default/useradd (users) instead
-r create a system user: UID < 500 on CentOS 6 and earlier, < 1000 on CentOS 7 and later; no home directory is created and no password aging applies
-m create the home directory (needed for system users, which get none by default)
-M do not create the home directory (for ordinary users, which get one by default)
-p specify the password as an already-hashed string (crypt output such as $6$...); the argument is visible in the process list and ends up in the shell history, so it is safer to set the password afterwards with passwd
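How the options above are combined in practice for a daemon account, as an added example (not code from the original article): the creation step needs root and uses the CentOS path /sbin/nologin (Debian-based systems use /usr/sbin/nologin), while the check function only inspects a passwd line and is exercised here on constructed lines. The account name svc-backup in the usage comment is invented.

```bash
# Added example, not code from the original article.
# Create a non-interactive system account and verify the resulting entry.

# useradd -r  : system UID range, no home directory, no password aging
#         -M  : make the "no home" explicit
#         -s  : /sbin/nologin (CentOS; /usr/sbin/nologin on Debian) refuses
#               interactive logins but the daemon can still run as this user
# useradd leaves the password field locked (leading !), so no password works.
# Usage (as root): create_service_account svc-backup "backup agent"
create_service_account() {   # $1 = name, $2 = comment
    if [ "$(id -u)" -ne 0 ]; then
        echo "create_service_account: must run as root" >&2
        return 1
    fi
    useradd -r -M -s /sbin/nologin -c "$2" "$1" || return 1
    # Verify what was actually written rather than trusting the exit status.
    check_service_account "$(getent passwd "$1")"
}

# Returns 0 when a passwd line describes a properly restricted service account:
# UID not 0, UID below the login range, and a shell that cannot be used
# interactively. Prints the reason on failure.
# $1 = one line of /etc/passwd, $2 = first UID of the login range (500 or 1000)
check_service_account() {
    line=$1
    login_min=${2:-1000}
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ -n "$uid" ] || { echo "malformed passwd line"; return 1; }
    [ "$uid" -ne 0 ] || { echo "UID 0: this account is root"; return 1; }
    [ "$uid" -lt "$login_min" ] || { echo "UID $uid is in the login range"; return 1; }
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) echo "interactive shell $shell"; return 1 ;;
    esac
}
```

The check is the part worth keeping in a hardening script: it can be run over every line of /etc/passwd to list accounts that look like service accounts but still have a login shell.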

3.2 Modifying user properties

usermod modifies the attributes of an existing user.
Format:
usermod [OPTION] login
Common options:
-u UID: new UID
-g GID: new primary group
-G GROUP1[,GROUP2,...[,GROUPN]]]: new supplementary groups; the existing ones are replaced. To keep them and add to the list, use -a together with -G
-s SHELL: new login shell
-c 'COMMENT': new comment
-d HOME: new home directory; it is not created automatically. To create it and move the contents of the old home, add -m
-l login_name: new login name
-L: lock the user: a ! is prepended to the password hash in /etc/shadow. This disables only password authentication; SSH keys and other non-password logins still work, so to disable the account completely also set an expiration date in the past with -e
-U: unlock the user: the ! is removed from the hash in /etc/shadow
-e YYYY-MM-DD: account expiration date
-f INACTIVE: inactivity period after the password expires, i.e. the grace period before the account is locked

3.3 Deleting users

userdel deletes a Linux user.
Format:
userdel [OPTION]... Login
Common options:
-f, --force   delete even if the user is still logged in
-r, --remove delete the user's home directory and mail spool
Files the user owned elsewhere on the system are not removed; they stay owned by the bare UID number, and a later account created with the same UID inherits them.

3.4 Viewing a user's IDs

id shows a user's UID, GID and group memberships.
id [OPTION]... [USER]
Common options:
-u: show the UID
-g: show the GID of the primary group
-G: show the GIDs of all groups the user belongs to
-n: show names instead of numbers; used together with -u, -g or -G

3.5 Switching users or running commands as another user

su (switch user) changes to another user's identity, or runs a command as that user.
Format:
su [options...] [-] [user [args...]]
Common options:
-l, --login   su -l UserName is equivalent to su - UserName
-c, --command <command>   pass a single command to the shell with -c
Two ways to switch:
  • su UserName: non-login switch; the target user's profile is not read and the working directory does not change, i.e. an incomplete switch
  • su - UserName: login switch; the target user's profile is read and the working directory becomes the target's home, i.e. a complete switch
Note: root can su to any other user without a password; a non-root user must enter the target user's password.
Caution: after switching with su, return with exit rather than with another su back to the previous user. Every su starts a new child shell, so chaining them piles up bash subprocesses and the environment becomes confusing.
Run a single command as another user:
su [-] UserName -c 'COMMAND'

3.6 Setting the password

passwd changes a user's password.
Format:
passwd [OPTIONS] UserName
Common options:
-d: delete the specified user's password (the account is then passwordless; see 2.3)
-l: lock the specified user
-u: unlock the specified user
-e: expire the password so the user must change it at the next login
-f: force the operation
-n mindays: minimum password age
-x maxdays: maximum password age
-w warndays: how many days before expiry the warning starts
-i inactivedays: inactivity period
--stdin: read the new password from standard input; Ubuntu's passwd has no such option (chpasswd, which reads user:password lines from standard input, exists on both). A password typed into an echo on the command line is recorded in the shell history, so feed it from a file with restricted permissions or from a secret store instead.

3.7 Changing the password policy

chage modifies a user's password-aging policy, i.e. the aging fields of /etc/shadow described in 2.3.
Format:
chage [OPTION]... LOGIN
Common options:
-d LAST_DAY               # date of the last password change (0 forces a change at the next login)
-m --mindays MIN_DAYS
-M --maxdays MAX_DAYS
-W --warndays WARN_DAYS
-I --inactive INACTIVE # grace period after the password expires
-E --expiredate EXPIRE_DATE # account expiration date
-l show the current password policy

3.8 Other user-related commands

  • chfn sets the personal information (GECOS field)
  • chsh sets the login shell, equivalent to usermod -s
  • finger shows a user's personal information

3.9 Creating groups

groupadd creates a group.
Format
groupadd [OPTION]... group_name

Common options:

-g GID specify the GID; it must lie within [GID_MIN, GID_MAX] from /etc/login.defs
-r create a system group: GID < 500 on CentOS 6 and earlier, < 1000 on CentOS 7 and later

3.10 Modifying groups

groupmod modifies a group's attributes.
Format:
groupmod [OPTION]... group
Common options:
-n group_name: new name
-g GID: new GID (files on disk keep the old GID number and must be re-grouped by hand)

3.11 Deleting groups

groupdel deletes a group.
Format
groupdel [options] GROUP
Common options:
-f, --force delete the group even if it is some user's primary group; such users are left without a valid primary group and cannot log in normally

3.12 Changing the group password

gpasswd changes a group's password and can also change the membership of a supplementary group.
Format
gpasswd [OPTION] GROUP
Common options:
-a user add user to the specified group
-d user remove user from the specified supplementary group
-A user1,user2,... set the list of group administrators

3.13 Temporarily switching the primary group

newgrp starts a new shell in which the given group is the primary group, so files created there get that group. A user who is not a member of the group must enter the group password.
Format:
newgrp [-] [group]
With -, the user's environment is re-initialised as in a login shell.

3.14 Changing and viewing group members

groupmems manages the membership of a supplementary group.
Format
groupmems [options] [action]
Common options:
-g, --group groupname   # operate on the specified group instead of the caller's primary group (root only)
-a, --add username     # add the user to the group
-d, --delete username # remove the user from the group
-p, --purge               # remove all members from the group
-l,  --list                 # list the group's members
groups shows which groups a user belongs to.
Format
# List the groups of a user (the caller if no name is given)
groups [OPTION]... [USERNAME]...
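The information that groups and id -Gn print is assembled from /etc/passwd and /etc/group exactly as 1.3 describes: the primary group comes from the GID field of passwd, the supplementary groups from the member lists in group. The following added example (not code from the original article) reproduces that lookup from copies of the two files and adds a grpck-style check for member names that have no account. The sample files are constructed; user and group names in them are invented.

```bash
# Added example, not code from the original article: derive group membership
# from copies of /etc/passwd and /etc/group, the way groups / id -Gn do.

# All groups of a user: the primary group (found through the GID in passwd)
# first, then every other group whose member list names the user.
user_groups() {              # $1 = passwd file, $2 = group file, $3 = user
    gid=$(awk -F: -v u="$3" '$1 == u { print $4 }' "$1")
    [ -n "$gid" ] || return 1                       # no such user
    awk -F: -v gid="$gid" '$3 == gid { print $1 }' "$2"
    awk -F: -v u="$3" -v gid="$gid" '
        $3 != gid {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }' "$2"
}

# All members of a group: users whose primary GID is the group's GID, plus the
# supplementary members listed in the group file (sorted, no duplicates).
group_members() {            # $1 = passwd file, $2 = group file, $3 = group
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1                       # no such group
    {
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
        awk -F: -v g="$3" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
    } | sort -u
}

# Supplementary members named in the group file that have no passwd entry,
# printed as group:member (the kind of error grpck reports).
dangling_members() {         # $1 = passwd file, $2 = group file
    awk -F: 'NR == FNR { users[$1] = 1; next }
             $4 != "" { n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (!(m[i] in users)) print $1 ":" m[i] }' "$1" "$2"
}

# ---- constructed sample data (invented names, not from a real host) ----
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:wang:/home/wang:/bin/bash
li:x:1001:1001:li:/home/li:/bin/bash
svc:x:999:100::/nonexistent:/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
users:x:100:
wang:x:1000:
li:x:1001:
devops:x:1002:wang,li,ghost
EOF

echo "groups of wang:";   user_groups   "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" wang
echo "members of devops:"; group_members "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" devops
echo "dangling members:"; dangling_members "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

Note that svc is a member of users without appearing anywhere in /etc/group: primary membership is invisible to tools that only read the group file, which is why both files are needed to answer "who is in this group".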

4. File permission management

4.1 Changing a file's owner and group

4.1.1 Setting the owner with chown

chown changes the owner of a file and can change its group at the same time. Only root can change the owner, and giving a file to another user hands that user full control of it.
Format
chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...
Explanation:
OWNER   # change only the owner
OWNER:GROUP # change the owner and the group at the same time
:GROUP   # change only the group; a . may be used instead of the colon
--reference=RFILE  # copy the owner and group of RFILE
-R# recursive; use this option with great care, chown -R on the wrong path is very dangerous and hard to undo

4.1.2 Setting the group with chgrp

chgrp changes only the group of a file.
Format
 chgrp [OPTION]... GROUP FILE...
 chgrp [OPTION]... --reference=RFILE FILE...
-R recursive
A non-root owner can only change a file's group to one of the groups they belong to.

4.2 File permissions

4.2.1 Permission description

File permissions are defined for three classes of subject:
owner: the file's owner, u
group: the file's group, g
other: everyone else, o
Notes:
The class used for a user is the first match from left to right: owner, then group, then other. Once a class matches, its permissions apply and the later classes are not consulted, even if they would grant more; an owner whose owner bits are --- is denied even when the other bits are rwx.
The r and w permissions do not restrict root.
root can execute a file as long as any one of the three classes has the x bit.
Each file defines three permissions for each class of subject:
r readable
w writable
x executable
Meaning on a file:
r the contents can be read with file-viewing tools such as cat
w the contents can be modified
x the kernel can be asked to start the file as a process, i.e. the file can be executed (the contents must be executable; a script also needs r, because the interpreter reads it)
Meaning on a directory:
r the list of files in the directory can be shown with ls
w files can be created in the directory, and files in it can be deleted or renamed, regardless of the permissions on the files themselves (w is only usable together with x)
x the directory can be entered with cd and the metadata of files in it can be read, e.g. with ls -l (which also needs r); x is the minimum permission for reaching anything inside a directory
X (in chmod) give x to directories, and to files only if some class already has x on them; files that are not executable do not get x
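The two directory rules that surprise people most, deleting a file you cannot read and reaching a file in a directory you cannot list, demonstrated in a scratch directory (added example, not code from the original article). Both functions skip the test and print root when run as root, because root bypasses r and w; run them as an ordinary user.

```bash
# Added example, not code from the original article.
# Deleting a file is an operation on the directory, so rm succeeds or fails on
# the directory's w (and x) bits; the file's own bits are irrelevant.
# Prints deleted, denied, or root (when the check cannot be made).
try_unlink() {               # $1 = directory mode, e.g. 700 or 500
    [ "$(id -u)" -ne 0 ] || { echo root; return 0; }
    tmp=$(mktemp -d)
    : > "$tmp/victim"
    chmod 000 "$tmp/victim"            # the file itself grants nothing to anyone
    chmod "$1" "$tmp"
    if rm -f "$tmp/victim" 2>/dev/null && [ ! -e "$tmp/victim" ]; then
        result=deleted
    else
        result=denied
    fi
    chmod 700 "$tmp"; rm -rf "$tmp"
    echo "$result"
}

# r on a directory lets you read the names in it; x lets you reach the inodes
# behind those names. Prints "list=<y|n> stat=<y|n>" for the given mode.
# Listing is done with a glob, which only reads the directory; stat is done
# with [ -e ] on a name we already know, which needs search (x) permission.
dir_access() {               # $1 = directory mode, e.g. 700, 400, 100
    [ "$(id -u)" -ne 0 ] || { echo root; return 0; }
    tmp=$(mktemp -d)
    : > "$tmp/known"
    chmod "$1" "$tmp"
    set -- "$tmp"/*                    # unmatched glob stays literal when readdir fails
    if [ "$1" != "$tmp/*" ]; then l=y; else l=n; fi
    if [ -e "$tmp/known" ]; then s=y; else s=n; fi
    chmod 700 "$tmp"; rm -rf "$tmp"
    echo "list=$l stat=$s"
}

echo "dir 700: $(try_unlink 700)   dir 500: $(try_unlink 500)"
echo "mode 700: $(dir_access 700)"
echo "mode 400: $(dir_access 400)"
echo "mode 100: $(dir_access 100)"
```

As an ordinary user the output is deleted / denied for the first line, list=y stat=y, list=y stat=n and list=n stat=y for the next three: an x-only directory hides the names but still lets anyone who knows a name use it, which is the basis of the "unlistable but accessible" directory pattern.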

4.2.2 Changing permissions with chmod

Format
chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
# Copy the permissions of RFILE, making FILE's permissions the same as RFILE's
chmod [OPTION]... --reference=RFILE FILE...
A symbolic MODE names the class (u, g, o, or a for all), an operator (+ add, - remove, = set exactly) and the permissions (r, w, x, X). The octal form gives one digit each for owner, group and other, adding r=4, w=2 and x=1; 640 therefore means rw- for the owner, r-- for the group and nothing for others.

4.3 Default permissions for new files and directories

umask defines the permission bits that are removed from newly created files and directories.
How it works:
  • Default permissions of a new file: 666 with the umask bits cleared (666 & ~umask). The commonly quoted shortcut "666 - umask, and add 1 to any digit that comes out odd" approximates this bitwise operation: a new file never gets x, so an odd result can only come from subtracting an odd umask digit (e.g. 6 - 3 = 3, whereas clearing the w and x bits of rw- leaves r--, i.e. 4)
  • Default permissions of a new directory: 777 with the umask bits cleared (777 & ~umask)
The default umask is 002 for unprivileged users and 022 for root.
Viewing the umask:
umask
# Display in symbolic mode
umask -S
# Output in a form that can be reused as a command
umask -p

Changing the umask:

umask MODE
Making the change permanent:
  • Global setting: /etc/bashrc
  • Per-user setting: ~/.bashrc
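The rule above, carried out and verified (added example, not code from the original article): expected_mode computes 666 & ~umask or 777 & ~umask in shell arithmetic, and observed_modes sets the umask in a subshell, creates a file and a directory in a scratch directory and reads their modes back with stat -c (GNU or busybox stat is assumed). No root is needed.

```bash
# Added example, not code from the original article.
# Expected mode (octal string) of a new file or directory under a given umask.
# The shell's $(( )) treats a leading 0 as octal, and printf %o prints octal.
expected_mode() {            # $1 = file|dir, $2 = umask in octal, e.g. 022
    case $1 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    return 1 ;;
    esac
    printf '%o\n' $(( $base & ~0$2 ))
}

# Create a file and a directory under the umask and report what they got.
# Output: "<file mode> <dir mode>", e.g. "644 755".
observed_modes() {           # $1 = umask in octal
    tmp=$(mktemp -d)
    (
        umask "$1"                     # the umask change stays in this subshell
        : > "$tmp/f"
        mkdir "$tmp/d"
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Compare the computed and the observed modes for a few masks.
for m in 022 002 027 023 077; do
    echo "umask $m: expected $(expected_mode file $m)/$(expected_mode dir $m), observed $(observed_modes $m)"
done
```

The 023 row is the one that shows why subtraction is only a shortcut: 666 - 023 = 643, but the file is created 644, because a umask digit of 3 clears the w and x bits and a new file has no x bit to lose. A restrictive umask such as 027 or 077 in /etc/bashrc is a cheap way to stop new files from being world-readable by default.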

4.4 Special permissions on Linux file systems

Besides the three ordinary permissions r, w and x there are three special permissions: SUID, SGID and Sticky.
Special permissions
  • SUID: on a binary executable, the process runs with the effective identity of the file's owner instead of the user who started it
  • SGID
                 On a binary executable, the process runs with the effective group of the file's group
                 On a directory, files created in it get the directory's group instead of the creator's primary group
  • STICKY: on a directory, a file can be deleted only by its owner (and by the directory's owner and root)

4.4.1 Special permission SUID

Background: a process has an owner and a group; a file has an owner and a group.
  • Whether an executable file can be started as a process depends on whether the user starting it has x on the file
  • Once started, the process's owner is the user who started it, and the process's group is that user's group
  • Which files the process may access is determined by the process's owner
Effect of SUID on a binary executable:
  • Whether the file can be started as a process still depends on whether the starting user has x on it
  • Once started, the process's effective owner is the owner of the program file, not the user who started it (this is how /usr/bin/passwd, owned by root with SUID, lets any user update /etc/shadow)
  • SUID is honoured only on binary executables: the Linux kernel ignores it on scripts, and file systems mounted with nosuid ignore it everywhere
  • SUID on a directory has no meaning
Every SUID-root binary is a potential privilege escalation path if it has a bug or can be made to run other programs, so the set of SUID files on a host should be known and kept minimal.
SUID permission setting:
chmod u+s FILE...
chmod 4xxx FILE
chmod u-s FILE...

4.4.2 Special permission SGID

Effect of SGID on a binary executable:
  • Whether the file can be started as a process still depends on whether the starting user has x on it
  • Once started, the process's effective group is the group of the program file

SGID permission setting on a file:

chmod g+s FILE... 
chmod 2xxx FILE
chmod g-s FILE...
Effect of SGID on a directory:
         By default a file created by a user gets the user's primary group. Once SGID is set on a directory, files created in it by any user with write permission get the directory's group instead, and subdirectories created in it inherit the SGID bit as well. This is the usual way to build a collaboration directory for a team group.
SGID permission setting on a directory:
chmod g+s DIR...
chmod 2xxx DIR
chmod g-s DIR...

4.4.3 Special permission Sticky bit

In a directory with write permission, a user can normally delete any file in it, regardless of the file's permissions or owner.
With the Sticky bit set on the directory, a file can be deleted or renamed only by the file's owner, the directory's owner, or root; this is what makes a world-writable /tmp usable.
The Sticky bit has no meaning on a file.
Sticky permission setting:
chmod o+t DIR...
chmod 1xxx DIR
chmod o-t DIR...

4.4.4 Numeric form of the special permissions

The special permissions form a fourth octal digit placed in front of the three ordinary ones (e.g. 4755). Its bits are, from high to low, SUID, SGID and Sticky:

SUID SGID STICKY   value
 0    0    0         0
 0    0    1         1
 0    1    0         2
 0    1    1         3
 1    0    0         4
 1    0    1         5
 1    1    0         6
 1    1    1         7
How the bits appear in ls -l output:
SUID: shown in the owner's execute position
        s: the owner also has x
        S: the owner does not have x (the bit is set but cannot take effect)
SGID: shown in the group's execute position
        s: the group also has x
        S: the group does not have x
Sticky: shown in the other class's execute position
        t: other also has x
        T: other does not have x
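Putting 4.4.1 to 4.4.4 together in a scratch directory (added example, not code from the original article): the files are created and given the three special bits with the numeric forms above, find -perm enumerates them the way a baseline or an incident responder enumerates set-UID programs on a host, and symbolic_mode renders the s/S and t/T spelling that ls -l shows for a numeric mode. Nothing here needs root, because a user may set these bits on files and directories they own.

```bash
# Added example, not code from the original article.

# Paths under $1 that carry the given special bit.
# find -perm -MODE matches when every bit of MODE is set (others may be too).
# On a live host: find / -xdev -type f -perm -4000 2>/dev/null
find_special() {             # $1 = directory, $2 = suid|sgid|sticky
    case $2 in
        suid)   mode=4000 ;;
        sgid)   mode=2000 ;;
        sticky) mode=1000 ;;
        *)      return 1 ;;
    esac
    find "$1" -perm -"$mode" | sort
}

# The permission string ls -l prints for a numeric mode such as 4755.
# The fourth digit is split into SUID (4), SGID (2) and Sticky (1); each one
# replaces the x position of its class with s/t when x is set, S/T when not.
symbolic_mode() {            # $1 = octal mode with the special digit
    special=$(( 0$1 >> 9 ))
    perms=$(( 0$1 & 0777 ))
    out=""
    for who in 2 1 0; do                  # owner, group, other
        bits=$(( (perms >> (who * 3)) & 7 ))
        case $who in
            2) flag=$(( special & 4 )); letter=s ;;
            1) flag=$(( special & 2 )); letter=s ;;
            0) flag=$(( special & 1 )); letter=t ;;
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$flag" -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="$out$letter"
            else out="$out$(printf '%s' "$letter" | tr 'st' 'ST')"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"
        else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# ---- scratch tree with one example of each bit (constructed) ----
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/shared" "$SAMPLE_DIR/dropbox"
: > "$SAMPLE_DIR/bin_setuid"; : > "$SAMPLE_DIR/bin_setgid"; : > "$SAMPLE_DIR/plain"
chmod 4755 "$SAMPLE_DIR/bin_setuid"   # SUID with owner x      -> rwsr-xr-x
chmod 2755 "$SAMPLE_DIR/bin_setgid"   # SGID on a file         -> rwxr-sr-x
chmod 2770 "$SAMPLE_DIR/shared"       # SGID collaboration directory
chmod 1777 "$SAMPLE_DIR/dropbox"      # sticky world-writable directory
chmod 0644 "$SAMPLE_DIR/plain"

for kind in suid sgid sticky; do
    echo "$kind:"; find_special "$SAMPLE_DIR" "$kind"
done
for m in 4755 4644 2755 1777 1776; do
    echo "$m -> $(symbolic_mode $m)"
done
```

A file that shows rwSr--r-- is worth a second look during review: either someone set SUID by mistake, or a program lost its x bit and will not run, and in both cases the mode is wrong.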

4.5 Setting special file attributes

File attributes set with chattr protect a file even against root accidentally deleting or modifying it. Root can still clear the attribute first, so this is protection against mistakes and a speed bump for an intruder, not a hard barrier. Setting these attributes requires root (CAP_LINUX_IMMUTABLE).
Cannot be deleted, renamed, or modified:
chattr +i file
Can only be appended to; cannot be deleted or renamed, and existing content cannot be changed (useful for log files):
chattr +a file
Show the attributes:
lsattr

4.6 Access control lists (ACL)

4.6.1 What ACLs do

ACL (Access Control List) provides flexible permission management: besides the file's owner, group and others, permissions can be set for additional named users and groups.
On CentOS 7 the xfs and ext4 file systems created by default have ACL support enabled.
On versions before CentOS 7, a manually created ext4 file system does not have ACL support by default; it has to be enabled by hand (the acl mount option).
Order in which ACL entries take effect:
owner, named users, owning group | named groups, others

4.6.2 ACL commands

setfacl sets ACL permissions
getfacl shows the ACL permissions that have been set
The mask entry
  • The mask caps the permissions of every entry except the owner and others, i.e. named users, the owning group and named groups
  • The effective permission of such an entry is the entry's permissions ANDed with the mask (getfacl shows it as #effective:)
  • A permission granted to a named user or group takes effect only if the same bit is also set in the mask. Once a file has an ACL, the group digit of a plain chmod rewrites the mask, which is a common way for ACL entries to be silently cut down

4.6.3 Backing up and restoring ACLs

The main file operation commands cp and mv preserve ACLs, but cp only when given -p (or -a). tar and other common backup tools do not keep the ACLs of directories and files unless told to (GNU tar needs --acls). To keep them independently of the backup tool, dump them with getfacl -R and reapply them with setfacl --restore.
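The mask rule from 4.6.2 in working form (added example, not code from the original article): effective_perm ANDs an entry with the mask on rwx strings, which is exactly the value getfacl prints after #effective:, and acl_demo performs the same thing on a scratch file with setfacl and getfacl, granting a named user rwx and then lowering the mask to r-x. acl_demo assumes the acl tools are installed and that the named user exists (nobody by default); it returns 2 to signal a skipped demonstration when either is missing.

```bash
# Added example, not code from the original article.

perm_bits() {                # rwx string -> number, e.g. r-x -> 5
    n=0
    case $1 in *r*) n=$((n + 4)) ;; esac
    case $1 in *w*) n=$((n + 2)) ;; esac
    case $1 in *x*) n=$((n + 1)) ;; esac
    echo "$n"
}

bits_perm() {                # number -> rwx string, e.g. 5 -> r-x
    out=""
    if [ $(( $1 & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    echo "$out"
}

# Effective permission of a named user / group entry under a mask: bitwise AND.
effective_perm() {           # $1 = entry permissions (rwx), $2 = mask (rwx)
    bits_perm $(( $(perm_bits "$1") & $(perm_bits "$2") ))
}

# Live demonstration with the real tools: give a named user rwx, then lower
# the mask to r-x and print the user's entry, which getfacl annotates with
# "#effective:r-x". Returns 2 when setfacl is missing, the user does not
# exist, or the file system has no ACL support.
acl_demo() {                 # $1 = existing user name (default: nobody)
    user=${1:-nobody}
    command -v setfacl >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d); f="$tmp/data"; : > "$f"
    if ! setfacl -m "u:$user:rwx" "$f" 2>/dev/null; then
        rm -rf "$tmp"; return 2
    fi
    setfacl -m "m::r-x" "$f"           # the mask now caps the named user at r-x
    getfacl --omit-header "$f" | grep "^user:$user:"
    rm -rf "$tmp"
}

echo "rwx under mask r-x -> $(effective_perm rwx r-x)"
echo "rw- under mask r-x -> $(effective_perm rw- r-x)"
acl_demo nobody || echo "acl_demo skipped (exit $?)"
```

For a backup that survives tools without ACL support, the same getfacl -R dump taken from the directory root can be replayed with setfacl --restore from the same working directory.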
Copyright notice
This article was written by [LC181119]; when reposting, please include a link to the original. Thank you.
https://yzsam.com/2022/02/202202130616434278.html