linux file permissions

Security in Linux

1. /etc/passwd file

The fields of the /etc/passwd file contain the following information:
- Login username
- User password
- User account UID (numeric form)
- User account group ID (GID) (numeric form)
- User account text description (called the memo field)
- The location of the user's HOME directory
- The user's default shell
2. /etc/shadow file

The /etc/shadow file keeps a record for each user account on the system. The record looks like this:
rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:99999:7:::
There are 9 fields in each record in the /etc/shadow file:
- The login name, corresponding to the login name field in /etc/passwd
- The encrypted password
- The number of days since the last password change (counted from January 1, 1970)
- How many days must pass before the password can be changed
- How many days after which the password must be changed
- How many days in advance to remind the user to change the password before it expires
- The number of days after the password expires until the user account is disabled
- The date the user account was disabled (expressed as the number of days from January 1, 1970)
- A field reserved for future use
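As an added example (not part of the original notes), the following Python parses the record quoted above into its nine fields, converts the day counts to dates, and lists the things a reviewer would check: an empty or locked password field, the md5crypt ($1$) hash type, and a 99999 maximum that means the password never expires. The field names and the review rules are this example's own choices.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved")
NO_EXPIRY = 99999            # the conventional "never" value used in the record above

def parse_shadow(record: str) -> dict:
    """Split one /etc/shadow line into its nine fields; empty numeric fields become None."""
    parts = record.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:                       # the six day-count fields
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def days_to_date(days):
    """Convert a day count since 1970-01-01 to a date (None stays None)."""
    return None if days is None else EPOCH + timedelta(days=days)

def review(rec: dict, today: date) -> list:
    """Findings a defender would want about this account's password settings."""
    findings = []
    h = rec["hash"]
    if h == "":
        findings.append("empty password field: no password required to log in")
    elif h.startswith(("!", "*")):
        findings.append("locked or no usable password (prefix '!' or '*')")
    elif h.startswith("$1$"):
        findings.append("md5crypt ($1$) hash: weak by current standards")
    if rec["max_days"] is None or rec["max_days"] >= NO_EXPIRY:
        findings.append("password never expires (max days unset or 99999)")
    expire = days_to_date(rec["expire"])
    if expire is not None and expire < today:
        findings.append(f"account expired on {expire.isoformat()}")
    return findings

if __name__ == "__main__":
    # The record from the notes above; the hash is the page's own sample value.
    rec = parse_shadow("rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:99999:7:::")
    print(rec["name"], "last changed", days_to_date(rec["last_change"]))
    for finding in review(rec, date.today()):
        print(" -", finding)
```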

3. Add new user

# /usr/sbin/useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#

The default values listed for this example are as follows:
- The new user will be added to the public group with GID 100;
- The new user's HOME directory will be at /home/loginname;
- The new user account will not be disabled after its password expires;
- The new user account has no expiration date set;
- The new user account uses the bash shell as the default shell;
- The system will copy the contents of the /etc/skel directory to the user's HOME directory;
- The system will create a file in the mail directory for the user account to receive mail.

useradd command line arguments

Parameter             Description
-c comment            Add a comment (memo field) for the new user
-d home_dir           Specify a name for the home directory (if you don't want to use the login name as the home directory name)
-e expire_date        Specify an account expiration date in YYYY-MM-DD format
-f inactive_days      Specify how many days after the account password expires the account will be disabled; 0 disables the account as soon as the password expires, -1 disables this feature
-g initial_group      Specify the GID or group name of the user's login group
-G group ...          Specify one or more supplementary groups the user belongs to in addition to the login group
-k                    Must be used with -m; copies the contents of the /etc/skel directory into the user's home directory
-m                    Create the user's home directory
-M                    Do not create the user's home directory (needed when the default settings would create one)
-n                    Create a new group with the same name as the user's login name
-r                    Create a system account
-p passwd             Specify a default password for the user account
-s shell              Specify the default login shell
-u uid                Specify a unique UID for the account

useradd -D parameters to change the default values

Parameter             Description
-b default_home       Change the default location where users' HOME directories are created
-e expiration_date    Change the default expiration date for new accounts
-f inactive           Change the default number of days from password expiration until the account is disabled
-g group              Change the default group name or GID
-s shell              Change the default login shell

4. Delete user

userdel

5. Modify the user

usermod
modifies the fields of the user account, and can also set the primary group and supplementary group membership
passwd
modifies the password of an existing user
chpasswd
reads login name and password pairs from a file and updates the passwords
chage
modifies the expiration dates of the password
chfn
modifies the comment (memo) field of the user account
chsh
modifies the default login shell of the user account

5.1 usermod

The -c option modifies the comment field, -e modifies the expiration date, and -g modifies the default login group. Beyond that, there are other options that might come in handy:
- -l Modify the login name of the user account.
- -L Lock the account so that the user cannot log in.
- -p Change the password of the account.
- -U Unlock the account so that the user can log in again.
The -L option is especially useful. It locks the account so that the user cannot log in, without deleting the account or the user's data.
To get the account back to normal, just use the -U option.

5.2. passwd and chpasswd

An easy way to change a user's password is to use the passwd command.
# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
#

The -e option forces the user to change the password the next time they log in. You can start by setting a simple password for your users, and then force them to change to a more complex password that they can remember on their next login.

If you need to change passwords for a large number of users on your system, the chpasswd command can do more with less. The chpasswd command reads a list of login and password pairs (separated by colons) from standard input, encrypts the passwords, and sets them for the user accounts. You can also use input redirection to feed a file containing userid:passwd pairs to this command.
# chpasswd < users.txt

5.3. chsh, chfn and chage

The chsh , chfn and chage tools are designed to modify specific account information. The chsh command is used to quickly modify the default user login shell. When using it, you must use the full path name of the shell as a parameter, not just the shell name.
# chsh -s /bin/csh test
Changing shell for test.
Shell changed.

The chfn command provides a standard way of storing information in the memo field of the /etc/passwd file.

The chage command is used to help manage the validity period of user accounts. Each value is set with its own parameter.

Parameter description

-d, --lastday LAST_DAY        Set the date of the last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE  Set the account expiration date to EXPIRE_DATE
-h, --help                    Display this help message and exit
-I, --inactive INACTIVE       Set the number of days after password expiry until the password becomes inactive to INACTIVE
-l, --list                    Display account aging information
-m, --mindays MIN_DAYS        Set the minimum number of days between password changes to MIN_DAYS
-M, --maxdays MAX_DAYS        Set the maximum number of days between password changes to MAX_DAYS
-R, --root CHROOT_DIR         The directory to chroot into
-W, --warndays WARN_DAYS      Set the number of days of warning before password expiry to WARN_DAYS

Using Linux groups

Create a new group groupadd

When creating a new group, by default no users are assigned to the group. The groupadd command does not provide an option to add users to a group, but the usermod command can be used to compensate for this.
# /usr/sbin/usermod -G shared rich

Modify group

As you can see in the /etc/group file, there is not much group information that needs to be modified.
The groupmod command can modify the GID (with the -g option) or the group name (with the -n option) of an existing group.
# /usr/sbin/groupmod -n sharing shared
# tail /etc/group
haldaemon:x:68:

Understanding file permissions

1 Using file permission characters

$ ls -l
total 68
-rw-rw-r-- 1 rich rich 50 2010-09-13 07:49 file1.gz
drwxrwxr-x 2 rich rich 4096 2010-09-03 15:12 test1

The first field of the output is an encoding describing the file and directory permissions. The first character of this field represents the type of object:
- "-" for a file
- d for a directory
- l for a link
- c for a character device
- b for a block device
- n for a network device
It is followed by three sets of three-character codes. Each set defines 3 access rights:
- r means the object is readable
- w means the object is writable
- x means the object is executable
If a permission is not granted, a single dash appears in that position. The three sets of permissions correspond to the three security levels of the object:
- the owner of the object
- the group of the object
- other users of the system

2 Default file permissions

Subtract the umask value from the object's full permission value. For files, the value for full permissions is 666 (all users have read and write permissions); for directories, it is 777 (all users have read, write, and execute permissions).

Since the default permission of a directory is 777, the directory permissions generated by umask are different from the generated file permissions. The umask value of 026 is subtracted from 777, leaving 751 as the directory permission setting.
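The "subtraction" above works for a umask such as 026 because no umask digit is larger than the matching digit of 666 or 777. The kernel actually clears the umask bits (full AND NOT umask), which is why a umask of 027 gives a file 640 and not an impossible 637. This added Python example (not from the original notes) computes the default mode both ways and renders it the way ls -l does; the function names are this example's own.

```python
def default_mode(full: int, umask: int) -> int:
    """Mode a new object gets: the umask bits are cleared from the full value."""
    return full & ~umask & 0o777

def symbolic(mode: int) -> str:
    """Render the nine permission bits as ls -l shows them, e.g. rwxr-x--x."""
    out = ""
    for shift in (6, 3, 0):                     # owner, group, others
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        out += "x" if bits & 1 else "-"
    return out

def naive_subtract(full: int, umask: int) -> int:
    """The digit-wise subtraction from the notes; wrong once a umask digit exceeds the full digit."""
    return full - umask

if __name__ == "__main__":
    # Constructed sample umasks, including the 026 used in the notes above.
    for umask in (0o022, 0o026, 0o027, 0o077):
        for kind, full in (("file", 0o666), ("dir ", 0o777)):
            real = default_mode(full, umask)
            print(f"umask {umask:03o} {kind}: {real:03o} {symbolic(real)}"
                  f"  (subtraction gives {naive_subtract(full, umask):03o})")
```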

Change security settings

1 Change permissions

The chmod command is used to change the security settings of files and directories. The format of the command is as follows:
chmod options mode file

Instead of the usual three sets of three-character permission characters, the chmod command takes a different approach. Below is the format for specifying permissions in symbolic mode.
[ugoa...][+-=][rwxXstugo...]
The first set of characters defines who the permission applies to:
- u for the user (owner)
- g for the group
- o for others
- a for all of the above

The symbol that follows indicates whether you want to add a permission (+) to the existing permissions, remove a permission (-) from the existing permissions, or set the permissions to exactly the value that follows (=).

Finally, the third part represents the permissions to apply. You will find that this set is larger than the usual rwx. The additional settings are the following:
- X: grant execute permission only if the object is a directory or already has execute permission for some user.
- s: set the UID or GID on execution (the setuid/setgid bit).
- t: the sticky bit (keep the file or directory).
- u: set the permissions to be the same as the owner's.
- g: set the permissions to be the same as the owning group's.
- o: set the permissions to be the same as other users'.

The -R option makes permission changes recursively apply to files and subdirectories.
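Before running chmod -R over a tree it helps to know exactly what a symbolic clause will do to a given mode. This added Python example (not from the original notes) interprets the [ugoa...][+-=][rwxXstugo...] syntax described above against a numeric mode; it is a simplified model in which "=" replaces only the rwx bits of the named class and leaves set-id and sticky bits alone unless they are named explicitly.

```python
import stat

SHIFT = {"u": 6, "g": 3, "o": 0}                 # where each class's rwx bits sit
SET_ID = {"u": stat.S_ISUID, "g": stat.S_ISGID}  # what 's' means per class

def apply_symbolic(mode: int, spec: str, is_dir: bool = False) -> int:
    """Apply comma-separated clauses like 'g+s' or 'u=rwx,go-w' to a numeric mode."""
    for clause in spec.split(","):
        i, who = 0, set()
        while i < len(clause) and clause[i] in "ugoa":
            who |= set("ugo") if clause[i] == "a" else {clause[i]}
            i += 1
        who = who or set("ugo")                  # no class given: act on all three
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause: {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        for w in who:
            bits, special = 0, 0                 # rwx bits for this class, plus set-id/sticky
            for c in perms:
                if c in SHIFT:                   # u/g/o: copy that class's current rwx bits
                    bits |= (mode >> SHIFT[c]) & 0o7
                elif c in "rwx":
                    bits |= {"r": 4, "w": 2, "x": 1}[c]
                elif c == "X":                   # execute only for dirs or already-executable files
                    if is_dir or mode & 0o111:
                        bits |= 1
                elif c == "s":
                    special |= SET_ID.get(w, 0)  # 's' on 'o' has no effect
                elif c == "t":
                    special |= stat.S_ISVTX
                else:
                    raise ValueError(f"unknown permission {c!r}")
            change = (bits << SHIFT[w]) | special
            if op == "+":
                mode |= change
            elif op == "-":
                mode &= ~change
            else:  # '=': replace this class's rwx bits; set-id/sticky bits are left alone
                mode = (mode & ~(0o7 << SHIFT[w])) | change
    return mode

if __name__ == "__main__":
    # chmod g+s on a 775 directory, as in the shared-directory transcript below
    print(f"{apply_symbolic(0o775, 'g+s', is_dir=True):04o}")   # 2775
```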

2 Change ownership

The format of the chown command is as follows.
chown options owner[.group] file

The chown command takes a few different option arguments. The -R option, combined with wildcards, recursively changes the ownership of subdirectories and files. The -h option changes the ownership of all symbolic links to the file.

Sharing files

To create a shared directory so that new files in the directory inherit the directory's group, simply set the directory's SGID bit.
$ mkdir testdir
$ ls -l
drwxrwxr-x 2 rich rich 4096 Sep 20 23:12 testdir/
$ chgrp shared testdir
$ chmod g+s testdir
$ ls -l
drwxrwsr-x 2 rich shared 4096 Sep 20 23:12 testdir/
$ umask 002
$ cd testdir
$ touch testfile
$ ls -l
total 0
-rw-rw-r-- 1 rich shared 0 Sep 20 23:13 testfile
$
First, use the mkdir command to create the directory you want to share. Then use the chgrp command to change the default group of the directory to the group that contains all users who need to share files (you must be a member of this group). Finally, set the SGID bit of the directory to ensure that all newly created files in the directory use shared as their default group.

Origin http://43.154.161.224:23101/article/api/json?id=325132417&siteId=291194637