Users, Groups and Permissions in Linux

1. The security model of Linux
1. Security 3A (AAA)
Authentication, Authorization and Accounting (AAA) is the term for the three basic functions used to control access to computer resources, enforce policies, audit usage and supply the information needed to bill for services. Most people agree that these three processes combined are essential to effective network administration and system security management.

In the first step, the authentication policy provides a way to identify a user, generally by requiring the user to enter a valid user name and a valid password before authentication succeeds. The authentication process depends on each user holding a unique credential to obtain access rights. The AAA service compares the credential (password) with the one stored in its database: if they match, the user is allowed access to the computer; otherwise authentication fails and access is denied.

In the second step, after authentication completes, the user must be authorized to do specific things and handle related tasks. After logging into a system, a user may try to run commands; the authorization process determines whether the user has the right to run them. Simply put, authorization is the process of enforcing policy: determining what type or quality of activity, resource or service a user is permitted to use. Typically, authorization occurs within the context of authentication: once a user has been authenticated, that identity determines which kinds of access and activity the user is authorized for.

The last item in the AAA framework is accounting (auditing), which means monitoring and measuring resource usage during access. Authentication, authorization and accounting are usually provided by dedicated AAA services, which are programs that perform these functions.

2. What happens behind a user login to Linux
2. Users and groups in the Linux system and related files
1. User types in the Linux system
Linux users are generally divided into administrators and ordinary users.
Administrator: the default name is root and its UID is 0.
Ordinary users: UID 1-60000, assigned automatically by the system; further divided into system users and login users.
System users: UID 1-499 (CentOS 6), 1-999 (CentOS 7). System users are used to assign permissions over the resources acquired by daemon processes.
Login users: UID 500+ (CentOS 6), 1000+ (CentOS 7). Used for interactive login.
2. User groups in Linux
The GID of the administrator group is also 0, and it is called the root group (even if other users are added to the root group, they remain ordinary users).
Ordinary groups are divided into system groups and ordinary groups:
System group: GID 1-499 (CentOS 6), 1-999 (CentOS 7)
Ordinary group: GID 500+ (CentOS 6), 1000+ (CentOS 7)

Types of Linux groups
Primary group: a user must belong to one and only one primary group. By default the group name is the same as the user name and the group contains only that user (a private group).
Supplementary (additional) group: a user can belong to zero or more supplementary groups.
3. The main configuration files of Linux users and groups
The configuration files of users and groups are located in the /etc folder
/etc/passwd: stores users and their attributes (name, UID, primary group ID, etc.)
/etc/group: stores groups and their attributes
/etc/shadow: save the user password and its related attributes
/etc/gshadow: save the group password and its related attributes
passwd file format:
1:2:3:4:5:6:7 # each user is one line of text in this fixed, colon-separated format
1: login name: the user name (steve)
2: passwd: password field (x)
3: UID: user ID (1000)
4: GID: the user's default login group number (1000)
5: GECOS: the user's full name or a comment
6: home directory: the user's home directory (/home/steve)
7: shell: the user's login shell (/bin/bash)
shadow file format (default)

daemon:*:18027:0:99999:7::: # each user is one line of text in this fixed format
1:2:3:4:5:6:7:8:9
1: login name
2: user password: generally hashed with SHA-512
3: days from January 1, 1970 to the date the password was last changed
4: minimum number of days before the password may be changed again (0 means it can be changed at any time)
5: maximum number of days after which the password must be changed (99999 means it never expires)
6: number of days before the password expires that the system reminds the user (one week by default)
7: number of days after the password expires before the account is locked
8: account expiry date, counted in days from January 1, 1970
9: reserved, unused
group file format:
daemon:x:2:
1:2:3:4
1: group name
2: group password: usually not set; the password is recorded in /etc/gshadow
3: GID: the ID of the group
4: list of users that have this group as a supplementary group (comma-separated)
gshadow file format:
daemon:::
1:2:3:4
1: group name
2: group password
3: group administrator list: administrators may change the group password and membership
4: list of users that have this group as a supplementary group (comma-separated)
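As an added example (not part of the original post), the following shell functions run the kind of checks a defender would make over the file formats described above: they parse colon-separated passwd and shadow lines read from standard input, using the field numbers given in the tables. The sample lines are constructed for this example (the hashes are placeholders), so the functions can be pointed at the real files with uid0_accounts < /etc/passwd and so on. GNU date is assumed for the day-count conversion, as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): audit checks over passwd/shadow
# formatted lines read from stdin. Field numbers follow the tables above.

# Constructed sample /etc/passwd content (field 2 is always the placeholder x).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
steve:x:1000:1000:Steve:/home/steve:/bin/bash
extra_root:x:0:0::/tmp:/bin/bash
gentoo:x:1001:1001:Gentoo Distribution:/home/gentoo:/bin/csh'

# Constructed sample /etc/shadow content; the $6$ hashes are placeholders.
SAMPLE_SHADOW='root:$6$placeholder$hash:18027:0:99999:7:::
bin:*:18027:0:99999:7:::
daemon:*:18027:0:99999:7:::
steve:$6$placeholder$hash:18027:0:99999:7:::
extra_root::18027:0:99999:7:::
gentoo:!!:18027:0:99999:7:::'

# Field 3 of passwd is the UID: any account other than root with UID 0 is a
# second administrator and should be explained or removed.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 of shadow: an empty hash means the account can log in with no
# password at all; "*" or a leading "!" means the account is locked.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}
locked_accounts() {
    awk -F: '$2 == "*" || $2 ~ /^!/ { print $1 }'
}

# Fields 3 and 7 of passwd: login users (UID >= 1000 on CentOS 7) whose shell
# is not nologin, i.e. accounts that can open an interactive session.
interactive_login_users() {
    awk -F: '$3 >= 1000 && $7 !~ /nologin$/ { print $1 }'
}

# Field 3 of shadow counts days since 1970-01-01; convert it to a date
# (GNU date is assumed, as on CentOS).
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts            # extra_root
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts  # extra_root
printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts          # bin daemon gentoo
printf '%s\n' "$SAMPLE_PASSWD" | interactive_login_users  # steve gentoo
days_to_date 18027                                        # 2019-05-11
```

Each function reads one file format only: feed /etc/passwd to uid0_accounts and interactive_login_users, and /etc/shadow (readable by root only) to the other two.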
3. User and group management commands in Linux
1. Related file operations
vipw, vigr: edit the password, group, shadow-password or shadow-group file
-g, --group    Edit the group database
-p, --passwd   Edit the passwd database
-s, --shadow   Edit the shadow or gshadow database
pwck: verify the integrity of the password files
grpck: verify the integrity of the group files

2. User and group management commands
User management commands

useradd usermod userdel

Group Account Maintenance Commands

groupadd groupmod groupdel

useradd: create a user
Usage: useradd [options] LOGIN
-u UID   Specify the user's UID
-o       Used together with -u: do not check UID uniqueness, so users with different names can share a UID
-g GID   The primary (basic) group of the user; can be a group name or a GID
-c "COMMENT"   Specify the user's comment (GECOS) information
-d HOME_DIR    Specify the path (which must not yet exist) to use as the home directory
-s SHELL       Specify the user's default shell; the list of available shells is in /etc/shells
-G GROUP1[,GROUP2,...]   Specify the user's supplementary groups; the groups must already exist
-N   Do not create a private group as the primary group; use the users group as the primary group
-r   Create a system user (CentOS 6: UID < 500, CentOS 7: UID < 1000)
-m   Create a home directory (needed for system users, which get none by default)
-M   Do not create a home directory (for non-system users, which get one by default)
Default settings file: /etc/default/useradd
Display or change the defaults:
useradd -D               Display the current default values
useradd -D -s SHELL      Change the default shell of new users
useradd -D -b BASE_DIR   Change the default home base directory of new users
useradd -D -g GROUP      Change the default group of new users
Files related to new users:
/etc/default/useradd
/etc/skel/*
/etc/login.defs
newusers: create users in batch from a file in passwd format
chpasswd: change multiple user passwords in batch; one username:password per line
usermod: modify user attributes
Usage: usermod [OPTION] login
-u UID   Specify a new UID
-g GID   Specify a new primary group
-G GROUP1[,GROUP2,...[,GROUPN]]   Specify new supplementary groups; the original ones are replaced unless -a is also given, which appends instead
-s SHELL   New default shell
-c 'COMMENT'   New comment information
-d HOME   New home directory; it is not created automatically. To create it and move the data from the old home directory, add the -m option
-l login_name   New login name
-L   Lock the user, i.e. prefix the password field in /etc/shadow with !
-U   Unlock the user, i.e. remove the ! from the password field in /etc/shadow
-e YYYY-MM-DD   Set the account expiry date
-f INACTIVE   Set the inactive period
userdel: delete a user
Usage: userdel [OPTION]... LOGIN
-f, --force    Force deletion of the user
-r, --remove   Also delete the user's home directory and mail spool
id: view a user's ID information
Usage: id [OPTION]... [USER]
-u   Display the UID
-g   Display the GID
-G   Display the IDs of all groups the user belongs to
-n   Display names instead of numbers; used together with -u, -g or -G
su: switch user or execute a command as another user
Usage: su [options] [user [args...]]
Ways to switch user:
su UserName     Non-login switch: the target user's configuration files are not read and the current working directory is unchanged
su - UserName   Login switch: the target user's configuration files are read and the working directory changes to the home directory (a complete switch)
root can use su to switch to any other user without a password; non-root users must enter the target user's password.
Switch identity only to execute a command:
su UserName -c 'COMMAND'   After the command finishes you are still the current user
Option: -l, --login
su -l UserName is equivalent to su - UserName
passwd: set a password
Usage: passwd [OPTIONS] UserName   Modify the password of the specified user
Common options:
-d   Delete the specified user's password
-l   Lock the specified user
-u   Unlock the specified user
-e   Force the user to change the password at next login
-f   Force the operation
-n mindays   Minimum password age
-x maxdays   Maximum password age
-w warndays   How many days in advance to start warning
-i inactivedays   Inactive period after expiry
--stdin   Read the new password from standard input
Example: echo "PASSWORD" | passwd --stdin USERNAME
Other user-related commands:
chfn     Set personal (GECOS) information
chsh     Set the login shell
finger   View the comment information
groupadd: create a group
Usage: groupadd [OPTION]... group_name
-g GID   Specify the GID; range [GID_MIN, GID_MAX]
-r   Create a system group
CentOS 6: GID < 500
CentOS 7: GID < 1000
groupmod: modify a group; groupdel: delete a group
Usage: groupmod [OPTION]... group
-n group_name   Specify the new name of the group
-g GID   New GID
Group deletion: groupdel GROUP
gpasswd: change the group password
Usage: gpasswd [OPTION] GROUP
-a user   Add user to the specified group
-d user   Remove user from the specified group
-A user1,user2,...   Set the list of users with administrative rights over the group
newgrp: temporarily switch the primary group
If the user is not a member of the group, the group password is required.
groupmems and groups: view group members
Usage: groupmems [options] [action]
options:
-g, --group groupname   Operate on the specified group (root only)
actions:
-a, --add username      Add the user to the group
-d, --delete username   Remove the user from the group
-p, --purge   Remove all members from the group
-l, --list    List the group's members
groups [OPTION]... [USERNAME]...   View the list of groups the user belongs to
Practice
Questions and answers
Create user gentoo with supplementary groups bin and root, default shell /bin/csh and comment "Gentoo Distribution":
useradd -G bin,root -s /bin/csh -c "Gentoo Distribution" gentoo
Create the following users, groups and group memberships:
Group named webs: groupadd webs
User nginx, with webs as a supplementary group: useradd -G webs nginx
User varnish, with webs as a supplementary group: useradd -G webs varnish
User mysql, who cannot log in interactively and is not a member of webs; the passwords for nginx, varnish and mysql are magedu:
useradd mysql -s /bin/nologin
cat > passwd <<EOF
nginx:magedu
varnish:magedu
mysql:magedu
EOF
chpasswd < passwd
4. File permission management in Linux
1. File attributes and commands
File attributes

File attribute commands
chown   Set the owner of a file
chgrp   Set the group of a file
Use chown/chgrp to modify the owner and group of a file
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown OWNER FILE         Change the owner of the file
chown OWNER:GROUP FILE   Change the owner and the group at the same time
chown :GROUP FILE        Change only the group; a dot may be used in place of the colon
-R   Recursive
chown [OPTION]... --reference=RFILE FILE...   Copy the owner and group of RFILE to FILE
Modify the group of a file: chgrp
chgrp [OPTION]... GROUP FILE...
chgrp [OPTION]... --reference=RFILE FILE...
-R   Recursive
2. File permissions
File permissions are defined for three classes of subjects:
owner   the owner, u
group   the owning group, g
other   everyone else, o
For each class of visitor, each file defines three kinds of permission:
r   readable
w   writable
x   executable
The concrete behaviour each permission allows:
File
r   the content can be obtained with file-viewing tools
w   the content can be modified
x   the file can be submitted to the kernel to start a process
Directory
r   the file list in the directory can be viewed with ls
w   files can be created in the directory, and files in the directory can be deleted
x   the metadata of files in the directory can be viewed with ls -l (requires r as well), and the directory can be entered with cd
X   give x permission only to directories, not to files
Use chmod to change file permissions
Usage:
chmod [OPTION]... OCTAL-MODE FILE...
-R   Modify permissions recursively
chmod [OPTION]... MODE[,MODE]... FILE...
MODE: set all permissions of one class of users
u= g= o= ug= a= u=,g=
or modify one or more bits of one class of users
u+ u- g+ g- o+ o- a+ a- + -
chmod [OPTION]... --reference=RFILE FILE...
Take the permissions of RFILE as the reference and set FILE to the same permissions
Permission setting examples:
chgrp market files
chown root:admins testfile
chmod u+wx,g-r,o=rx file
chmod -R g+rwX /path/to/dir
chmod 600 file
chown steve file1
Use umask to specify the default permissions of newly created files and directories
Default permissions of new files = 666 - umask
The umask of a non-privileged user is 002; the umask of root is 022.
umask   View the umask of the current shell environment
Configuration files: global setting /etc/bashrc, user setting ~/.bashrc
Practice
When the user docker has no execute permission on the /testdir directory, which operations are impossible? docker cannot create, rename or delete files in the directory, cannot append to the content of files in the directory, and cannot switch into the directory.
When the user mongodb has no read permission on the /testdir directory, which operations are impossible?
When the user redis has no write permission on the /testdir directory, can the read-only file file1 in it be modified or deleted? No.
When the user zabbix has write and execute permission on the /testdir directory, can the read-only file file1 in it be modified or deleted? A read-only file can only be read, not modified; but because zabbix has write and execute permission on the directory, every file in it can be deleted.
Copy the /etc/fstab file to /var/tmp, set the owner of the file to tomcat with read and write permission, the group to apps with read and write permission, and no permission for others:
cp /etc/fstab /var/tmp/ --> chown tomcat:apps /var/tmp/fstab --> chmod 660 /var/tmp/fstab
The home directory of the user git was deleted accidentally; rebuild and restore the user's home directory with the corresponding permission attributes:
cp -a /etc/skel/ /home/git/ --> chown -R git:git /home/git/ --> chmod -R 700 /home/git
5. Special permissions in Linux
1. There are three special permissions
SUID, SGID, Sticky
SUID and SGID apply to executable files; the Sticky bit applies to directories, where only the owner of a file (or root) can delete it.
2. SUID permission
Applies to executable files. Whether the file can be started as a process still depends on whether the initiator has execute permission on the file.
Once started as a process, the effective owner of the process is the owner of the original program file.
SUID is only meaningful for binary executable programs; setting SUID on a directory is meaningless.
Permission setting:
chmod u+s FILE...
chmod u-s FILE...
3. SGID permission on executable files
Whether any executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
Once started as a process, the group of the process is the owning group of the original program file.
Permission setting:
chmod g+s FILE...
chmod g-s FILE...
4. SGID permission on directories: creating a collaborative directory
By default, when a user creates a file, its group is the user's primary group.
Once a directory has SGID set, files created in it by any user with write permission on the directory belong to the directory's group; this is usually used to create a collaborative directory.
Permission setting:
chmod g+s DIR...
chmod g-s DIR...
5. Sticky bit permission
In a directory with write permission, a user can usually delete any file in it regardless of the file's permissions or ownership. If the sticky bit is set on the directory, only the owner of the file (or root) can delete it.
Setting sticky on a file is meaningless.
Permission setting:
chmod o+t DIR...
chmod o-t DIR...
For example:
ls -ld /tmp
drwxrwxrwt 12 root root 4096 Nov 2 15:44 /tmp
Numeric representation of special permissions
Each special bit is one binary digit; together they form the leading octal digit of the mode:
SUID SGID STICKY   digit
0    0    0        0
0    0    1        1
0    1    0        2
0    1    1        3
1    0    0        4
1    0    1        5
1    1    0        6
1    1    1        7
chmod 4777 /tmp/a.txt
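As an added example (not from the original post), the shell functions below show how a defender would check a directory tree for the special bits discussed here, using the numeric forms from the table: find -perm -4000 and -perm -2000 list SUID and SGID files, and a world-writable directory (0002) without the sticky bit (1000) is flagged, since anyone can delete anyone else's files there. demo_tree builds a constructed layout under mktemp so the functions can be exercised without touching the real system; stat -c is GNU coreutils, as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for files carrying
# SUID/SGID and for world-writable directories that lack the sticky bit.
# "-perm -MODE" matches when all the bits of MODE are set.

# List regular files below $1 that have SUID (4000) or SGID (2000) set,
# printed as "octal-mode path" (stat -c is GNU coreutils, as on CentOS).
audit_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} \;
}

# List directories below $1 that are world-writable (0002) but have no sticky
# bit (1000): anyone may delete anyone else's files there, as explained above.
audit_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Build a constructed tree under mktemp and print its path.
demo_tree() {
    d=$(mktemp -d)
    touch "$d/normal" "$d/setuid_bin" "$d/setgid_bin"
    chmod 0755 "$d/normal"
    chmod 4755 "$d/setuid_bin"      # rwsr-xr-x
    chmod 2755 "$d/setgid_bin"      # rwxr-sr-x
    mkdir "$d/shared_ok" "$d/shared_bad"
    chmod 1777 "$d/shared_ok"       # like /tmp: drwxrwxrwt
    chmod 0777 "$d/shared_bad"      # world-writable, no sticky bit
    printf '%s\n' "$d"
}

# Demonstration; on a real host you would audit from / instead.
tree=$(demo_tree)
audit_setid_files "$tree"       # 4755 .../setuid_bin and 2755 .../setgid_bin
audit_unsticky_dirs "$tree"     # .../shared_bad
rm -rf "$tree"
```

Comparing the output of audit_setid_files against a known-good baseline (for example the list taken right after installation) is a simple way to spot a newly added SUID binary.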
6. Special permission bit mapping
SUID: occupies the owner's (user's) execute bit
s   the owner also has x permission
S   the owner has no x permission
SGID: occupies the group's execute bit
s   the group also has x permission
S   the group has no x permission
Sticky: occupies other's execute bit
t   other also has x permission
T   other has no x permission
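As an added example (not from the original post), the two shell functions below work through the umask rule from section 4 and the s/S/t/T bit mapping above: default_mode computes the mode a new file or directory receives under a given umask, and mode_to_symbolic renders a numeric mode (including a leading special digit) the way ls -l displays it. Both use only POSIX sh arithmetic; the function names and the sample values are my own.

```shell
#!/bin/sh
# Added example (not from the original post): umask arithmetic and the
# numeric-to-symbolic mode mapping, including the SUID/SGID/sticky bits.

# Mode a new file (base 666) or directory (base 777) receives under UMASK.
# The umask clears bits, so this is a bitwise AND-NOT, not a subtraction.
default_mode() {   # usage: default_mode UMASK file|dir
    base=666
    [ "$2" = dir ] && base=777
    printf '%03o\n' $(( 0$base & ~0$1 ))
}

# Render an octal mode such as 4755 or 644 as rwsr-xr-x / rw-r--r--.
mode_to_symbolic() {   # usage: mode_to_symbolic OCTAL
    m=$(( 0$1 ))
    out=""
    # Walk the three classes u, g, o from the high bits to the low bits.
    for pos in 6 3 0; do
        bits=$(( (m >> pos) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        x=$(( bits & 1 ))
        # The special bit that shares this class's execute slot: SUID (4000)
        # for u, SGID (2000) for g, sticky (1000) for o. Lowercase means the
        # class also has x; uppercase means the special bit is set without x.
        case $pos in
            6) special=$(( m & 04000 )); lower=s; upper=S ;;
            3) special=$(( m & 02000 )); lower=s; upper=S ;;
            0) special=$(( m & 01000 )); lower=t; upper=T ;;
        esac
        if [ "$special" -ne 0 ]; then
            [ "$x" -ne 0 ] && out="${out}${lower}" || out="${out}${upper}"
        else
            [ "$x" -ne 0 ] && out="${out}x" || out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# Demonstration.
default_mode 022 file     # 644
default_mode 022 dir      # 755
default_mode 002 file     # 664
mode_to_symbolic 4755     # rwsr-xr-x
mode_to_symbolic 4644     # rwSr--r-- (SUID set but owner has no x)
mode_to_symbolic 2775     # rwxrwsr-x
mode_to_symbolic 1777     # rwxrwxrwt (like /tmp)
```

One caveat the "666 - umask" rule hides: the kernel clears the umask bits rather than subtracting, so default_mode 033 file gives 644, not 633, because 666 already has no x bits for the mask to remove.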
7. Set special file attributes
chattr +i file   The file cannot be deleted, renamed or changed
chattr +a file   Content can only be appended to the file
lsattr file      Display the special attributes
6. FACL on the Linux file system
FACL stands for File Access Control List.
ACL (Access Control List) is used to implement flexible permission management: permissions can be set for more users than just the file owner, the owning group and others.
The xfs and ext4 file systems created by default on CentOS 7 have the ACL feature enabled.
On versions before CentOS 7, a manually created ext4 file system has no ACL feature by default; it must be enabled manually:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test
ACL evaluation order: owner -> named user -> owning group | named group -> others
**Grant rwx access to files and directories for multiple users or groups**
mount -o acl /directory   Enable the facl feature
getfacl file|directory
setfacl -m u:wang:rwx file|directory
setfacl -m g:admins:rw file|directory
setfacl -x u:wang file|directory
setfacl -b file1   Clear all ACL entries
getfacl file1 | setfacl --set-file=- file2   Copy file1's ACL to file2
mask only limits users and groups other than the owner and other; it is the maximum permission they can have.
mask is ANDed logically with the entry's permission to give the effective permission (Effective Permission).
A user or group entry only takes effect within the scope of the mask setting.
setfacl -m mask::rx file
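As an added example (not from the original post), the awk function below reproduces the way getfacl derives its #effective: annotation from the mask described above: for every named user, named group and the owning-group entry, the entry's rwx string is ANDed position by position with the mask, while the owner (user::) and other entries are never capped. The input is a constructed getfacl listing for a file whose mask was set to r-x; the function reads the same format from standard input, so getfacl file | effective_acl works on real output.

```shell
#!/bin/sh
# Added example (not from the original post): compute effective ACL
# permissions from a getfacl-style listing read on stdin.

# Constructed getfacl output for a file after "setfacl -m mask::rx file1".
SAMPLE_ACL='# file: file1
# owner: root
# group: admins
user::rw-
user:wang:rwx
group::r--
group:admins:rw-
mask::r-x
other::---'

# Print each ACL line; named users, named groups and the owning group get a
# "#effective:" annotation when the mask removes something, as getfacl does.
# perm_and is a position-by-position AND of two rwx strings: a permission
# survives only if both strings grant it.
effective_acl() {
    awk -F: '
        function perm_and(a, b,    i, r, c) {
            r = ""
            for (i = 1; i <= 3; i++) {
                c = substr(a, i, 1)
                r = r ((c != "-" && c == substr(b, i, 1)) ? c : "-")
            }
            return r
        }
        { lines[NR] = $0; if ($1 == "mask") mask = $3 }
        END {
            for (n = 1; n <= NR; n++) {
                line = lines[n]
                split(line, f, ":")
                # The mask caps named users (user:NAME), named groups and the
                # owning group (group::), never the owner (user::) or other.
                if (mask != "" && ((f[1] == "user" && f[2] != "") || f[1] == "group")) {
                    eff = perm_and(f[3], mask)
                    if (eff != f[3]) line = line "\t#effective:" eff
                }
                print line
            }
        }'
}

# Demonstration on the constructed listing: wang drops from rwx to r-x and
# admins from rw- to r--; the owner keeps rw- and other keeps ---.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

Running this over saved getfacl -R output (the acl.txt backup format used below) is a quick way to see which entries a restrictive mask has silently limited.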
The --set option deletes all existing ACL entries and replaces them with the new ones. Note that the UGO entries (u::, g::, o::) must be included; unlike -m, it cannot just add an ACL entry. Example:
setfacl --set u::rw,u:wang:rw,g::r,o::- file1
Backup and restore ACLs
The main file operation commands cp and mv both support ACLs, though cp needs the -p option. Common backup tools such as tar do not retain the ACL information of directories and files.
getfacl -R /tmp/dir1 > acl.txt
setfacl -R -b /tmp/dir1
setfacl -R --set-file=acl.txt /tmp/dir1
setfacl --restore acl.txt
getfacl -R /tmp/dir1

Origin blog.csdn.net/wang11876/article/details/132665042