Linux system hardening: user and group management strategy

Password policy

The validity period of Linux accounts (the account expiration policy) is controlled mainly in the /etc/login.defs file.
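As an added example (not code from the original article), the script below audits the password-ageing keys that /etc/login.defs defines (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE) against a hardening baseline. The thresholds (90-day maximum age, 1-day minimum age, 12-character minimum length, 7-day warning) are an assumed baseline for illustration, and the two login.defs files it checks are constructed inline rather than read from a live system.

```sh
#!/bin/sh
# Added example, not code from the original article: audit the password-ageing
# keys in /etc/login.defs against a hardening baseline. The thresholds used
# here (90-day maximum age, 1-day minimum, 12-character minimum length,
# 7-day warning) are an assumed baseline for illustration; adjust to policy.

# Print the effective value of KEY in FILE. login.defs takes the last
# non-comment occurrence of a key, so the last match wins here too.
#   login_defs_get FILE KEY
login_defs_get() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# Judge one key against a limit. Prints OK, FAIL or MISSING.
#   login_defs_check FILE KEY OP LIMIT      (OP is -le or -ge)
login_defs_check() {
    val=$(login_defs_get "$1" "$2")
    if [ -z "$val" ]; then
        echo MISSING
    elif [ "$val" "$3" "$4" ]; then
        echo OK
    else
        echo FAIL
    fi
}

# Audit the four ageing keys. Prints "KEY value VERDICT" per key and returns
# non-zero if any key is FAIL or MISSING, so it can gate a compliance job.
#   audit_login_defs FILE
audit_login_defs() {
    file="$1"
    rc=0
    for spec in "PASS_MAX_DAYS -le 90" "PASS_MIN_DAYS -ge 1" \
                "PASS_MIN_LEN -ge 12" "PASS_WARN_AGE -ge 7"; do
        set -- $spec                      # $1=KEY $2=OP $3=LIMIT
        val=$(login_defs_get "$file" "$1")
        verdict=$(login_defs_check "$file" "$1" "$2" "$3")
        echo "$1 ${val:-unset} $verdict"
        if [ "$verdict" != OK ]; then rc=1; fi
    done
    return $rc
}

# Write a constructed sample login.defs (weak defaults or a hardened variant)
# to a temporary file and print its path. Constructed for this example only.
#   write_sample_login_defs weak|hardened
write_sample_login_defs() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
# hardened: passwords expire after 90 days and must be at least 12 characters
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
EOF
    else
        cat > "$f" <<'EOF'
# weak: stock defaults, passwords effectively never expire
#PASS_MAX_DAYS  90
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
    fi
    echo "$f"
}

# Demo: audit the weak sample, then the hardened one.
for mode in weak hardened; do
    f=$(write_sample_login_defs "$mode")
    echo "== $mode sample =="
    audit_login_defs "$f" || echo "(non-compliant)"
    rm -f "$f"
done
```

The "last occurrence wins" rule in login_defs_get matters in practice: a commented-out `#PASS_MAX_DAYS 90` above the real `PASS_MAX_DAYS 99999` is ignored, which is exactly the case where a quick visual inspection of the file is misleading. Note that login.defs only applies to accounts created after the change; existing accounts keep the ageing values stored in /etc/shadow.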


PAM authentication module

Linux-PAM (Linux Pluggable Authentication Modules) is a set of shared libraries that lets the local system administrator choose how an application authenticates users. A program built with PAM support does not have to be recompiled or rewritten when the authentication mechanism it relies on is changed, so even when the local authentication mechanism is upgraded the program itself stays untouched.
PAM manages each program's authentication method through the configuration files under /etc/pam.d/. An application refers to its own configuration file there, which in turn names the local authentication modules to load; the modules live under /lib/security and are loaded as dynamic libraries. When you run the su command and the system prompts for the root user's password, that prompt is su calling the PAM modules.
Path

/etc/pam.d/system-auth


Linux-PAM has four module types, each responsible for a different task:

Authentication management (auth): the authentication interface; its modules check the user and password and assign permissions;

Account management (account): the account interface, which checks that the account is valid: whether it has expired and whether it is permitted to log in to the system;

Session management (session): the session interface, which controls the session from the user's successful login until logout;

Password management (password): the password interface, which controls the whole process of a user changing a password (some documents describe this as updating the user's authentication token).
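As an added example (not code from the original article), the script below is a small linter for a PAM service file: it groups the entries by the four module types just described and flags configuration a hardening review would question. The two su service files it checks are constructed for this example; the module names (pam_unix.so, pam_rootok.so, pam_wheel.so, pam_permit.so) and the nullok option are real PAM components.

```sh
#!/bin/sh
# Added example, not code from the original article: a small linter for a
# PAM service file that groups its lines by the four module types and flags
# settings a hardening review would question. The sample service files are
# constructed for this example; the module names and the nullok option are real.

# Lint a PAM service file. Prints one "TYPE: N module(s)" line per type and a
# WARN line per finding; when SERVICE is "su", also requires pam_wheel.so so
# that su is limited to one administrative group.
#   pam_lint FILE [SERVICE]
pam_lint() {
    awk -v service="${2:-}" '
    /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
    {
        type = $1; ctrl = $2; mod = $3
        sub(/^-/, "", type)                   # "-session" marks an optional entry
        count[type]++
        if (type == "auth" && mod == "pam_permit.so")
            printf "WARN line %d: auth %s pam_permit.so accepts any user\n", NR, ctrl
        if (type == "auth" && mod == "pam_wheel.so") wheel = 1
        for (i = 4; i <= NF; i++)
            if ($i == "nullok")
                printf "WARN line %d: %s %s allows empty passwords (nullok)\n", NR, type, mod
    }
    END {
        n = split("auth account password session", order, " ")
        for (i = 1; i <= n; i++)
            printf "%s: %d module(s)\n", order[i], count[order[i]] + 0
        if (service == "su" && !wheel)
            print "WARN: no pam_wheel.so in the auth stack; any user may attempt su"
    }' "$1"
}

# Write a constructed /etc/pam.d/su-style file (weak or hardened) to a
# temporary file and print its path. Constructed for this example only.
#   write_sample_pam weak|hardened
write_sample_pam() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$f" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
    else
        cat > "$f" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_unix.so nullok
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
EOF
    fi
    echo "$f"
}

# Demo: lint the weak su file, then the hardened one.
for mode in weak hardened; do
    f=$(write_sample_pam "$mode")
    echo "== $mode su =="
    pam_lint "$f" su
    rm -f "$f"
done
```

The hardened variant shows the common layout: the service-specific checks (pam_rootok.so so root is not asked for a password, pam_wheel.so so only one group may use su) stay in the su file, and everything else is delegated with `include system-auth` to the shared /etc/pam.d/system-auth stack mentioned above, so password rules are maintained in one place.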


User rights

File and directory permissions in Linux are divided into three kinds, read, write and execute, and are granted to three classes of user:
 u: User, that is, the owner of the file or directory.
 g: Group, that is, the group to which the file or directory belongs.
 o: Other, that is, every user who is neither the owner of the file or directory nor a member of its group.
 a: All, that is, every user: the owner, the group and all other users.

The permission codes are listed below:
 r: Read permission, numeric code 4.
 w: Write permission, numeric code 2.
 x: Execute permission (for a directory, permission to switch into it), numeric code 1.
 -: No permission, numeric code 0.
 s: Special permission bit (setuid on the user field, setgid on the group field).
Function description: change the permissions of files or directories.
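As an added example (not code from the original article), the script below turns the codes above into working conversions: it maps the symbolic mode string that `ls -l` prints to the numeric (octal) form and back, including the special s and t bits as the leading digit, and reports the conditions a hardening review looks for (setuid, setgid, world-writable). The sample modes are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the original article: convert between the
# symbolic permission string shown by ls -l and the numeric codes
# (r=4, w=2, x=1, with setuid/setgid/sticky as a leading digit), and flag
# modes a hardening review cares about. The sample modes are constructed.

# Symbolic mode (9 characters, or the 10-character ls -l form) -> 4-digit octal.
#   mode_to_octal rwsr-xr-x   -> 4755
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        if (length($0) == 10) $0 = substr($0, 2)   # drop the file-type character
        special = 0; oct = ""
        for (t = 0; t < 3; t++) {                  # t=0 user, 1 group, 2 other
            d = 0
            for (j = 1; j <= 3; j++) {
                c = substr($0, t * 3 + j, 1)
                # lower-case s/t also imply execute; upper-case S/T do not
                if (c ~ /[rwxst]/) d += (j == 1 ? 4 : j == 2 ? 2 : 1)
                if (c ~ /[sS]/ && t == 0) special += 4   # setuid
                if (c ~ /[sS]/ && t == 1) special += 2   # setgid
                if (c ~ /[tT]/ && t == 2) special += 1   # sticky bit
            }
            oct = oct d
        }
        print special oct
    }'
}

# 3- or 4-digit octal -> 9-character symbolic mode.
#   octal_to_symbolic 2775   -> rwxrwsr-x
octal_to_symbolic() {
    awk -v m="$1" 'BEGIN {
        n = length(m)
        special = (n == 4) ? substr(m, 1, 1) + 0 : 0
        base = substr(m, n - 2, 3)
        out = ""
        for (t = 1; t <= 3; t++) {
            d = substr(base, t, 1) + 0
            r = int(d / 4) % 2; w = int(d / 2) % 2; x = d % 2
            # special bit that applies to this triad: 4 user, 2 group, 1 other
            sbit = (t == 1) ? int(special / 4) % 2 : (t == 2) ? int(special / 2) % 2 : special % 2
            xc = x ? "x" : "-"
            if (sbit) xc = (t == 3) ? (x ? "t" : "T") : (x ? "s" : "S")
            out = out (r ? "r" : "-") (w ? "w" : "-") xc
        }
        print out
    }'
}

# Report the conditions a hardening review looks for in an octal mode.
# Prints a comma-separated list, or "none".
#   mode_findings 4755   -> setuid
mode_findings() {
    awk -v m="$1" 'BEGIN {
        n = length(m)
        special = (n == 4) ? substr(m, 1, 1) + 0 : 0
        other = substr(m, n, 1) + 0
        out = ""
        if (int(special / 4) % 2) out = out "setuid,"
        if (int(special / 2) % 2) out = out "setgid,"
        if (int(other / 2) % 2)   out = out "world-writable,"
        sub(/,$/, "", out)
        print (out == "" ? "none" : out)
    }'
}

# Demo over constructed modes: symbolic -> octal -> symbolic, plus findings.
for mode in -rwxr-xr-x rwsr-xr-x rwxrwsr-x rw-rw-rw- rwxrwxrwt; do
    oct=$(mode_to_octal "$mode")
    printf '%-11s %s  %-9s  %s\n' "$mode" "$oct" \
        "$(octal_to_symbolic "$oct")" "$(mode_findings "$oct")"
done
```

The distinction between `s` and `S` is the one worth remembering when reading `ls -l` output: a lower-case `s` means the setuid/setgid bit is set together with execute, while an upper-case `S` means the special bit is set on a file that is not executable for that class, which is usually a configuration mistake rather than an intended setting.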


Origin blog.csdn.net/qq_38626043/article/details/104433739