Linux user, group and permission management

Users, groups, and permissions

1 Linux Security Model

Resource access control (AAA):

  • Authentication: verify the user's identity
  • Authorization: give different users different permissions
  • Accounting | Auditing: record what users do
    When a user logs in successfully, the system assigns the session a token that carries the user's identity information, group memberships and so on.

1.1 Users

Every Linux user is uniquely identified by a User ID (UID)

  • Administrator: root, UID 0
  • Ordinary users: 1-60000, assigned automatically
    System users: 1-499 (CentOS 6 and earlier), 1-999 (CentOS 7 and later)
    used to give daemons permission to access resources
    Login users: 500+ (CentOS 6 and earlier), 1000+ (CentOS 7 and later)
    used for users who log in interactively

1.2 User Groups

In Linux one or more users can be added to a user group; user groups are uniquely identified by a Group ID (GID)

  • Administrator: root, GID 0
  • Ordinary groups:
    System groups: 1-499 (CentOS 6 and earlier), 1-999 (CentOS 7 and later)
    used to give daemons permission to access resources
    Ordinary groups: 500+ (CentOS 6 and earlier), 1000+ (CentOS 7 and later), for users

1.3 The relationship between users and groups

  • Primary group: a user must belong to exactly one primary group. By default, a group with the same name as the user is created together with the user and becomes the user's primary group; because this group has only one member, it is also called a private group
  • Supplementary groups: a user can belong to zero or more supplementary (additional) groups

1.4 Security Context

Linux security context: a program runs as a process, and the process runs with the identity of the user who started it. What resources the process can access depends on the identity of the user who started it

2 User and group configuration files

2.1 Main user and group configuration files

  • /etc/passwd: users and their attributes (name, UID, primary group ID, etc.)
  • /etc/shadow: user passwords and their related attributes
  • /etc/group: groups and their attributes
  • /etc/gshadow: group passwords and their related attributes

2.2 passwd file format

Fields, separated by colons:

login name: the user's login name
passwd: the password field
UID: user identification number
GID: ID of the user's primary group, the group used at login
GECOS: comment, usually the user's full name
home directory: the user's home directory
shell: the user's default shell
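A small audit of the passwd format described above, added here as an example (not from the original post): it classifies UIDs by the CentOS 6/7 boundaries and flags the entries an administrator would want to know about. The sample lines are constructed, and the function names are the example's own.

```shell
# Constructed sample of /etc/passwd lines (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
build:x:900:900::/var/lib/build:/bin/bash
wang:x:1000:1000:Wang:/home/wang:/bin/bash
oper:x:0:0::/tmp:/bin/bash
svc:x:1001:1001::/home/svc:/sbin/nologin'

# Classify one UID as root, system or login, using the CentOS 7 boundary
# (1000) unless a second argument gives another one (500 for CentOS 6).
classify_uid() {
    uid=$1; boundary=${2:-1000}
    if [ "$uid" -eq 0 ]; then echo root
    elif [ "$uid" -lt "$boundary" ]; then echo system
    else echo login
    fi
}

# Names of accounts with UID 0 other than root: each one is a second
# administrator account and should be known and intended.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Names of system accounts (0 < UID < boundary) whose login shell is not a
# nologin shell; daemons normally do not need an interactive shell.
system_with_shell() {
    printf '%s\n' "$1" | awk -F: -v b="${2:-1000}" \
        '$3 > 0 && $3 < b && $7 !~ /nologin$|false$/ { print $1 }'
}

# Names of interactive (login) accounts, UID >= boundary.
login_users() {
    printf '%s\n' "$1" | awk -F: -v b="${2:-1000}" '$3 >= b { print $1 }'
}

# Number of lines that do not have exactly seven colon-separated fields
# (the kind of damage pwck reports).
malformed_lines() {
    printf '%s\n' "$1" | awk -F: 'NF != 7 { n++ } END { print n + 0 }'
}
```

On a real host, replace the constructed variable with `$(cat /etc/passwd)` to run the same checks against the live file.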

2.3 shadow file format

Fields, separated by colons:

login name
password: the hashed password, normally sha512
date of the last password change, as days since 1 January 1970
minimum number of days before the password may be changed again (0 means it can be changed at any time)
maximum number of days after which the password must be changed (99999 means it never expires)
number of days before expiry that the system starts warning the user (default one week)
number of days after password expiry before the account is locked
account expiration date, as days since 1 January 1970
To change the password hashing algorithm:
authconfig --passalgo=sha256 --update
Password security policy

  • Long enough
  • Contains at least three of: digits, uppercase letters, lowercase letters and special characters
  • Use random passwords
  • Change passwords regularly, and never reuse recently used passwords
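Added example, not from the original post: a POSIX sh parser for the shadow fields listed above that reports the hash type of an entry and its aging state on a given day. The shadow line is constructed and its hash is a placeholder; the "today" argument is a day count since 1 January 1970, the same unit the file uses, and the function names are the example's own.

```shell
# Constructed /etc/shadow line; the hash is a placeholder, not a real digest.
SAMPLE_SHADOW='wang:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:90:7:14:18500:'

# Split a shadow line into the named fields described above (sets globals).
parse_shadow() {
    IFS=: read -r name hash last min max warn inact expire reserved <<EOF
$1
EOF
}

# Classify the password field: empty, locked (leading !), never set (*),
# or the hash algorithm identified by its $id$ prefix.
shadow_hash_type() {
    parse_shadow "$1"
    case $hash in
        '')      echo empty ;;     # no password at all: login without one
        '!'*)    echo locked ;;    # usermod -L / passwd -l prepends !
        '*')     echo nologin ;;   # password never set
        '$6$'*)  echo sha512 ;;
        '$5$'*)  echo sha256 ;;
        '$1$'*)  echo md5 ;;
        *)       echo unknown ;;
    esac
}

# Report the aging state of the entry on a given day (days since 1970-01-01),
# checking the fields in the order they take effect at login.
shadow_status() {
    parse_shadow "$1"; today=$2
    max=${max:-99999}; warn=${warn:-0}
    change_by=$((last + max))            # last day the current password is valid
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired             # absolute expiry date (chage -E)
    elif [ -n "$inact" ] && [ "$today" -gt $((change_by + inact)) ]; then
        echo locked-inactive             # grace period (chage -I) used up
    elif [ "$today" -gt "$change_by" ]; then
        echo must-change                 # maxdays exceeded, change at next login
    elif [ "$today" -ge $((change_by - warn)) ]; then
        echo warning                     # inside the warndays window
    else
        echo ok
    fi
}
```

The current day number for a live check is `$(( $(date +%s) / 86400 ))`.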

2.4 group file format

group name
group password: usually not set; the password is recorded in /etc/gshadow
GID: the group ID
member list: users who have this group as a supplementary group, separated by commas

2.5 gshadow file format

group name
group password
group administrator list: administrators may change the group password and the membership list
member list: users who have this group as a supplementary group, separated by commas

2.6 Editing and checking the files

  • vipw and vigr: edit /etc/passwd and /etc/group (with -s, /etc/shadow and /etc/gshadow) while holding a lock on the file
  • pwck and grpck: check the password and group files for consistency

3 User and group management commands

User account management commands:

  • useradd
  • usermod
  • userdel

Group account management commands:

  • groupadd
  • groupmod
  • groupdel

3.1 Creating users

The useradd command creates a new Linux user
Format:
useradd [options] LOGIN
Common options:

-u UID
-o  together with -u, do not check that the UID is unique
-g GID  primary group of the user; may be a group name or a GID
-c "COMMENT"  comment (GECOS) information for the user
-d HOME_DIR  use the given path as the home directory
-s SHELL  the user's default shell; the available shells are listed in /etc/shells
-G GROUP1[,GROUP2,...]  supplementary groups for the user; the groups must already exist
-N  do not create a private group as the primary group; use the users group instead
-r  create a system user (CentOS 6 and earlier: ID<500, CentOS 7 and later: ID<1000)
-m  create the home directory (needed for system users, which get none by default)
-M  do not create the home directory (for non-system users, which get one by default)

The defaults used by useradd are defined in /etc/default/useradd
To display or change the default settings:

useradd -D
useradd -D -s SHELL
useradd -D -b BASE_DIR
useradd -D -g GROUP

Files consulted when creating a new user:

  • /etc/default/useradd
  • /etc/skel/*
  • /etc/login.defs

Batch user creation:
newusers FILE        # FILE is in /etc/passwd format
Batch password change:
echo username:passwd | chpasswd

3.2 Modifying user attributes

The usermod command modifies a user's attributes
Format:
usermod [OPTION] login
Common options:

-u UID: new UID
-g GID: new primary group
-G GROUP1[,GROUP2,...[,GROUPN]]: new supplementary groups; the existing supplementary groups are replaced. To keep the existing ones, add the -a option
-s SHELL: new default shell
-c 'COMMENT': new comment
-d HOME: new home directory; it is not created automatically. To create the new home directory and move the old contents into it, add the -m option
-l login_name: new login name
-L: lock the user by putting a ! in front of the password field in /etc/shadow
-U: unlock the user by removing the ! from the password field in /etc/shadow
-e YYYY-MM-DD: account expiration date
-f INACTIVE: inactivity period after password expiry, i.e. the grace period

3.3 Deleting users

The userdel command deletes a Linux user
Format:
userdel [OPTION]... LOGIN
Common options:

-f --force       force the removal
-r --remove      also remove the user's home directory and mail spool

3.4 Viewing a user's ID information

The id command shows a user's UID, GID and related information
id [OPTION]... [USER]
Common options:

-u: show the UID
-g: show the GID
-G: show the IDs of all groups the user belongs to
-n: show names instead of numbers; used together with -u, -g or -G

3.5 Switching user or running commands as another user

su (switch user) switches to another user, or runs a command as the specified user
Format:
su [options...] [-] [user [args...]]
Common options:

-l --login   su -l UserName     equivalent to su - UserName
-c, --command <command>         pass a single command to the shell with -c

Ways of switching user:

  • su UserName: non-login switch. The target user's profile is not read and the current working directory does not change; this is an incomplete switch
  • su - UserName: login switch. The target user's profile is read and the working directory changes to the target user's home directory; this is a complete switch
    Note: root can su to any other user without a password; a non-root user must enter the target user's password
    Note: after switching with su, use exit to return to the previous user rather than running su again to switch back; otherwise many nested bash child processes accumulate and the environment may become confused.
    Running a command as another user:
    su [-] UserName -c 'COMMAND'

3.6 Passwords

passwd changes a user's password
Format:
passwd [OPTIONS] UserName
Common options:

-d: delete the specified user's password
-l: lock the specified user
-u: unlock the specified user
-e: force the user to change the password at next login
-f: force the operation
-n mindays: minimum password lifetime
-x maxdays: maximum password lifetime
-w warndays: how many days in advance to start warning
-i inactivedays: inactivity period after expiry
--stdin: read the password from standard input (not available on Ubuntu)

3.7 Modifying the password policy

chage modifies a user's password aging policy
Format:
chage [OPTION]... LOGIN
Common options:

-d LAST_DAY                 # date of the last password change
-m --mindays MIN_DAYS
-M --maxdays MAX_DAYS
-W --warndays WARN_DAYS
-I --inactive INACTIVE      # grace period after the password expires
-E --expiredate EXPIRE_DATE # account expiration date
-l                          # show the password policy

3.8 Other user-related commands

  • chfn: set personal (GECOS) information
  • chsh: set the login shell, equivalent to usermod -s
  • finger: view a user's personal information

3.9 Creating groups

groupadd creates a group
Format:
groupadd [OPTION]... group_name
Common options:
-g GID  specify the GID number; must lie in [GID_MIN, GID_MAX]
-r      create a system group (CentOS 6 and earlier: ID<500, CentOS 7 and later: ID<1000)

3.10 Modifying groups

groupmod modifies group attributes
Format:
groupmod [OPTION]... group
Common options:
-n group_name: new name
-g GID: new GID

3.11 Deleting groups

groupdel deletes a group
Format:
groupdel [options] GROUP
Common options:
-f, --force  force removal, even if the group is still some user's primary group

3.11 Changing the group password

The gpasswd command changes the group password and can also modify supplementary group membership
Format:
gpasswd [OPTION] GROUP
Common options:

-a user              add user to the specified group
-d user              remove user from the specified supplementary group
-A user1,user2,...   set the list of users with administrative rights over the group

3.12 Temporarily switching the primary group

The newgrp command temporarily switches the primary group; if the user is not a member of the group, the group password is required
Format:
newgrp [-] [group]
With the - option, the user's environment is re-initialized as for a login

3.13 Changing and viewing group members

groupmems manages supplementary group membership
Format:
groupmems [options] [action]
Common options:

-g, --group groupname       # act on the specified group (root only)
-a, --add username          # add the user to the group
-d, --delete username       # remove the user from the group
-p, --purge                 # remove all members from the group
-l, --list                  # list the group's members

groups shows which groups a user belongs to
Format:

# list the groups a user belongs to
groups [OPTION]... [USERNAME]...

4 File permission management

4.1 Operations on a file's owner and group attributes

4.1.1 chown: set the file owner

The chown command changes the owner of a file; it can also change the file's group
Format:

chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...

Usage:

OWNER                # change only the owner
OWNER:GROUP          # change owner and group at the same time
:GROUP               # change only the group; the colon can also be replaced by .
--reference=RFILE    # copy the owner and group of RFILE
-R                   # recursive; use with care, this is very dangerous!

4.1.2 chgrp: set the file group

The chgrp command changes only the group a file belongs to
Format:

chgrp [OPTION]... GROUP FILE...
chgrp [OPTION]... --reference=RFILE FILE...

4.2 File Permissions

4.2.1 Description of file permissions

File permissions are defined mainly for three classes of subjects

owner  u
group  g
other  o

Note: a user's effective rights are found by matching from left to right, i.e. owner, then group, then other; as soon as a class matches, its permissions apply and the remaining classes are not consulted
For each file, three common permissions are defined for each class of subject

r Readable
w Writable
x eXecutable

Permissions on a file:

r  the file's contents can be read with viewing tools such as cat
w  the contents can be modified
x  the file can be handed to the kernel to start as a process, i.e. executed (run); the contents must be executable

Permissions on a directory:

r  the list of files in the directory can be viewed with ls
w  files can be created in the directory and files in it can be deleted, regardless of the permissions of the file being deleted
x  the directory can be entered with cd, and the metadata of its files can be viewed with ls -l (together with r); this is the minimum permission needed to access a directory
X  give x permission only to directories, not to files that have no execute permission

Numeric representation of permissions

Permission entry   file type    owner            group            other
Character          d/l/c/s/p    (r) (w) (x)      (r) (w) (x)      (r) (w) (x)
Numeric                          4   2   1        4   2   1        4   2   1
Applies to                      file owner       file's group     other users

4.2.2 Modifying file permissions: chmod
Format:

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
# copy the permissions of RFILE onto FILE
chmod [OPTION]... --reference=RFILE FILE...

Description:

MODE: who opt permission
who: u,g,o,a
opt: +,-,=
permission: r,w,x

Set all permissions of one class of user at once:
u= g= o= ug= a= u=,g=

Add or remove individual permissions of one class of user:
u+ u- g+ g- o+ o- a+ a- + -

-R: change permissions recursively

4.3 Default permissions for new files and directories

The umask value is used to mask out permissions when files and directories are created
Rules:

  • Default permissions of a new file: 666-umask; if a digit of the result would carry an execute bit (an odd digit), add 1 to that digit; even digits are left unchanged
  • Default permissions of a new directory: 777-umask
    The default umask of a non-privileged user is 002
    The default umask of root is 022
    View the umask:
umask
# display in symbolic form
umask -S
# output in a form that can be re-executed
umask -p

Modify the umask:
umask VALUE
Make the umask persistent:

  • Global setting: /etc/bashrc
  • Per-user setting: ~/.bashrc
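Added example, not from the original post: the kernel's actual umask computation (base mode with the umask bits cleared) next to the 666-umask subtraction rule from the text, in POSIX sh, so the two can be compared for any umask value. The function names are the example's own.

```shell
# Default mode of a new file (base 0666) or directory (base 0777) under a
# given umask. The kernel clears every bit that is set in the umask, i.e.
# mode = base & ~umask. The umask is taken as octal, with or without a
# leading 0, which is how umask prints it.
default_mode() {
    base=$(( 0$1 )); mask=$(( 0$2 ))
    printf '%04o' $(( base & ~mask ))
}
file_mode() { default_mode 666 "$1"; }
dir_mode()  { default_mode 777 "$1"; }

# The rule of thumb from the text: subtract the umask digit by digit, floor
# each digit at 0, and for a file add 1 to any odd digit (an odd digit would
# mean an execute bit, which a plain file never gets by default).
# The third argument is "file" or "dir".
subtract_rule() {
    base=$(( 0$1 )); mask=$(( 0$2 )); kind=$3; out=0; shift_by=6
    while [ $shift_by -ge 0 ]; do
        b=$(( (base >> shift_by) & 7 )); m=$(( (mask >> shift_by) & 7 ))
        d=$(( b - m ))
        [ $d -lt 0 ] && d=0
        if [ "$kind" = file ] && [ $(( d % 2 )) -eq 1 ]; then d=$(( d + 1 )); fi
        out=$(( out * 8 + d ))
        shift_by=$(( shift_by - 3 ))
    done
    printf '%04o' $out
}

# Table of common umask values: umask, new file mode, new directory mode.
umask_table() {
    for u in 022 002 027 077; do
        printf '%s %s %s\n' "$u" "$(file_mode "$u")" "$(dir_mode "$u")"
    done
}
```

The two functions agree for every umask, which is why the subtraction rule works; the bitwise form is what the kernel does.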

4.4 Special permissions on the Linux file system

Besides the three common permissions introduced above (r, w, x), there are three special permissions: SUID, SGID and Sticky

4.4.1 Special permission SUID

Prerequisites: every process has an owner and a group; every file has an owner and a group
1. Whether an executable file can be started as a process by a given user depends on whether that user has execute permission on the file
2. Once started as a process, the process's owner is the user who started it, and its group is the group that user belongs to
3. The permissions a process has when accessing a file depend on the user who started the process:
(a) if the process's owner is the file's owner, the file's owner permissions apply
(b) if the process's group is the file's group, the file's group permissions apply
(c) otherwise the file's "other" permissions apply
Effect of the SUID permission on a binary executable file:

  • Whether an executable file can be started as a process by a given user still depends on whether that user has execute permission on the file
  • Once started as a process, the process's owner is the owner of the program file, not the user who started it
  • SUID is only meaningful on binary executable programs
  • SUID has no meaning on a directory
    Setting SUID permission:
chmod u+s FILE...
chmod 4xxx FILE
chmod u-s FILE...

4.4.2 Special permission SGID

Effect of the SGID permission on a binary executable file:

  • Whether an executable file can be started as a process by a given user still depends on whether that user has execute permission on the file
  • Once started as a process, the process's group is the group of the program file, not the group of the user who started it
    Setting SGID permission:
chmod g+s FILE...
chmod 2xxx FILE
chmod g-s FILE...

Effect of the SGID permission on a directory:
By default, a file created by a user belongs to that user's primary group. Once SGID is set on a directory, every file that a user with write access creates in that directory belongs to the directory's group instead. This is usually used to create a shared collaboration directory
Setting SGID permission:

chmod g+s DIR...
chmod 2xxx DIR
chmod g-s DIR...

4.4.3 Special permission Sticky bit

Normally a user with write permission on a directory can delete any file in that directory, regardless of the file's permissions or ownership
When the Sticky bit is set on the directory, only the file's owner or root can delete the file
Setting the sticky bit on a file has no meaning
Setting the Sticky permission:

chmod o+t DIR...
chmod 1xxx DIR
chmod o-t DIR...

4.4.4 Numeric representation of the special permissions

The three special bits form a leading octal digit, in the order SUID SGID STICKY:

SUID SGID STICKY   value
000                0
001                1
010                2
011                3
100                4
101                5
110                6
111                7

Permission bitmap
SUID: occupies the owner's execute permission bit
  s: owner also has x permission
  S: owner has no x permission
SGID: occupies the group's execute permission bit
  s: group also has x permission
  S: group has no x permission
Sticky: occupies the other's execute permission bit
  t: other also has x permission
  T: other has no x permission
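Added example, not from the original post: converting the nine-character permission string that ls -l prints into the four-digit octal mode and back in POSIX sh, applying the s/S/t/T rules of the bitmap above. The function names are the example's own.

```shell
# Convert the nine permission characters that ls -l prints after the type
# character into a four-digit octal mode. In the execute slots, s/S (owner)
# is SUID, s/S (group) is SGID and t/T (other) is sticky; lowercase means
# the x bit is also set, uppercase means it is not.
perm_to_octal() {
    rest=$1; mode=0; special=0; pos=0
    [ ${#rest} -eq 9 ] || return 1
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}; rest=${rest#?}   # pop the first character
        present=0
        case $ch in
            r|w|x|s|t) present=1 ;;              # bit set in the rwx field
            S|T|-)     ;;                        # bit clear
            *)         return 1 ;;
        esac
        case $ch in                              # special bit by slot
            s|S) case $pos in
                     2) special=$((special | 4)) ;;
                     5) special=$((special | 2)) ;;
                     *) return 1 ;;              # s only valid in u or g slot
                 esac ;;
            t|T) [ $pos -eq 8 ] || return 1; special=$((special | 1)) ;;
        esac
        mode=$(( (mode << 1) | present ))
        pos=$((pos + 1))
    done
    printf '%04o' $(( (special << 9) | mode ))
}

# The reverse: render an octal mode as the ls -l permission string.
octal_to_perm() {
    m=$(( 0$1 )); out=''; pos=0                  # leading 0 forces octal
    while [ $pos -lt 9 ]; do
        bit=$(( (m >> (8 - pos)) & 1 ))
        case $((pos % 3)) in 0) c=r ;; 1) c=w ;; 2) c=x ;; esac
        [ $bit -eq 1 ] || c=-
        case $pos in                             # overlay SUID/SGID/sticky
            2) sp=$(( (m >> 11) & 1 )); lo=s; up=S ;;
            5) sp=$(( (m >> 10) & 1 )); lo=s; up=S ;;
            8) sp=$(( (m >> 9) & 1 ));  lo=t; up=T ;;
            *) sp=0 ;;
        esac
        if [ $sp -eq 1 ]; then
            if [ $bit -eq 1 ]; then c=$lo; else c=$up; fi
        fi
        out=$out$c; pos=$((pos + 1))
    done
    printf '%s' "$out"
}
```

An uppercase S or T in ls -l output therefore means a special bit was set on an entry that has no execute permission in that slot, which is usually a mistake worth checking.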

4.5 Special file attributes

Special file attributes can protect files from being accidentally deleted or modified, even by the root user
Cannot be deleted, renamed or changed:
chattr +i FILE
Content can only be appended; the file cannot be deleted or renamed:
chattr +a FILE
Show the special attributes:
lsattr FILE

4.6 Access Control Lists

4.6.1 ACL permission features

ACL: Access Control List, flexible permission management
Besides the file's owner, owning group and others, permissions can be set for additional users and groups
On CentOS 7, xfs and ext4 file systems are created with ACL support by default
On versions before CentOS 7, a manually created ext4 file system has no ACL support by default; it must be enabled manually:

tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test

Order in which ACL entries take effect:
owner, named user, owning group | named group, others

4.6.2 ACL-related commands

setfacl sets ACL permissions
getfacl views the ACL permissions that are set
mask permissions

  • The mask limits only the maximum permissions of the named users, named groups and the owning group; it does not apply to the owner and others
  • The mask is combined by a logical AND with an entry's permissions to give the effective permissions (Effective Permission)
  • The permissions set for a user or group take effect only within the range allowed by the mask
    Example:
    setfacl -m mask::rx file
    The --set option deletes all existing ACL entries and replaces them with the new ones; note that the UGO entries must be included, unlike -m, which simply adds ACL entries
    Example:
    setfacl --set u::rw,u:wang:rw,g::r,o::- file1

4.6.3 Backing up and restoring ACLs

The main file manipulation commands cp and mv support ACLs; cp only needs the -p option. Common backup tools such as tar do not preserve the ACL information of directories and files
Example:

# back up the ACLs
getfacl -R /tmp/dir > acl.txt
# remove the ACL permissions
setfacl -R -b /tmp/dir
# restore the ACL permissions
setfacl -R --set-file=acl.txt /tmp/dir
# restore the ACL permissions (alternative form)
setfacl --restore acl.txt
# view the ACL permissions
getfacl -R /tmp/dir

Origin www.cnblogs.com/dadadezhang/p/12596415.html