Linux file permissions and management

▼ user and group
Resource allocation is governed by the three A's:
Authentication: authentication (proving who you are)
Authorization: authorization (what that identity may do)
Accounting / audit: audit (recording what was done)

User

Linux users: username / UID
administrator: root, UID 0
ordinary users: UIDs 1-60000, allocated automatically
system users: 1-499 (CentOS 6), 1-999 (CentOS 7)
    used by daemons to access resources; they are assigned permissions but do not log in interactively
login users: 500+ (CentOS 6), 1000+ (CentOS 7)
    interactive logins
Group

Linux groups: groupname / GID
administrator group: root, GID 0
ordinary groups:
system groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
general groups: 500+ (CentOS 6), 1000+ (CentOS 7)
Linux security context

A running program is a process.
A process runs as the user who started it:
root runs /bin/cat: the process runs as root
mage runs /bin/cat: the process runs as mage
What a process may access therefore depends on the identity of the user who started it, not on who owns the program file (the SUID/SGID bits described later are the exception)
Categories of Linux groups

The user's primary group
a user must belong to exactly one primary group
a user private group has the same name as the user and contains only that user
supplementary groups
a user may belong to zero or more supplementary groups
▷ user and group configuration files
Main configuration files:
/etc/passwd: users and their attributes (name, UID, primary group ID, etc.)
/etc/group: groups and their attributes
/etc/shadow: user passwords and related attributes
/etc/gshadow: group passwords and related attributes
passwd file format

[root@centos7 ~]$cat /etc/passwd
chen:x:1000:1000:chen:/home/chen:/bin/bash

The seven colon-separated fields:
1. login name: the user name (chen)
2. passwd: the password placeholder (x, meaning the hash is kept in /etc/shadow)
3. UID: user identification number (1000)
4. GID: the user's primary group number (1000)
5. GECOS: full name or comment
6. home directory: the user's home directory (/home/chen)
7. shell: the user's default login shell (/bin/bash)

shadow file format

[root@centos7 ~]$cat /etc/shadow
chen:*::0:99999:7:::

The nine colon-separated fields:
1. login name
2. encrypted password: normally a SHA-512 hash (prefix $6$); "*" or "!!" means there is no usable password, and a leading "!" means the account is locked
3. days from 1 January 1970 to the last password change
4. minimum number of days before the password may be changed again (0 means it may be changed at any time)
5. maximum number of days the password stays valid (99999 means it never expires)
6. number of days before expiry on which the system starts warning the user (default: one week)
7. number of days after expiry until the account is disabled (inactive period)
8. account expiration date, as days since 1 January 1970
9. reserved

group file format

group name: the name of the group
group password: usually not set; when set it is stored in /etc/gshadow. A group password lets an ordinary user who knows it join the group with newgrp
GID: the group ID
member list: users who have this group as a supplementary group, separated by commas
vigr edits /etc/group under a lock; it corresponds to vi /etc/group

gshadow file format

group name: the name of the group
group password
group administrator list: users who may change the group password and membership
member list: users who have this group as a supplementary group, separated by commas
vigr -s edits /etc/gshadow; it corresponds to vi /etc/gshadow
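As an added example (not part of the original post), the following script parses constructed passwd and shadow style records, using the field layouts described in the two format sections above, and reports the findings an auditor checks first: extra UID 0 accounts, duplicate UIDs, empty password fields, passwords that never expire, and interactive shells on locked accounts. The account names, dates and hash strings in the samples are made up placeholders, not real SHA-512 output.

```bash
#!/bin/bash
# Added example: audit passwd/shadow records. The sample records below are
# constructed; the hashes are placeholders. To audit a live host run as root
# and pass "$(cat /etc/passwd)" and "$(cat /etc/shadow)" instead.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chen:x:1000:1000:chen:/home/chen:/bin/bash
backdoor:x:0:0:second root:/tmp:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/bin/bash
ops:x:1002:1002:ops:/home/ops:/bin/bash'

SHADOW_SAMPLE='root:$6$placeholder$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
chen:$6$placeholder$hash:18000:0:90:7:::
backdoor:$6$placeholder$hash:18000:0:99999:7:::
svc::18000:0:99999:7:::
ops:!!:18000:0:99999:7:::'

# passwd field 3 is the UID: any account besides root with UID 0 *is* root.
find_uid0_aliases() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts sharing a UID are indistinguishable to the kernel; print "uid: names".
find_duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
        END { for (u in n) if (n[u] > 1) print u ":" who[u] }'
}

# shadow field 2 empty: password authentication succeeds with an empty password.
find_empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# A usable hash (not "*", "!!" or "!"-locked) with max days 99999 (field 5):
# no aging policy applies, whatever login.defs says for newly created accounts.
find_never_expiring() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 !~ /^[!*]/ && $5 == 99999 { print $1 }'
}

# Interactive shell (passwd field 7) on an account whose shadow password is
# locked or disabled: fine for key-based or su/sudo access, otherwise stale.
# Both inputs are tagged (S: / P:) so one awk pass can join them on the name.
find_shell_without_password() {
    { printf '%s\n' "$2" | sed 's/^/S:/'; printf '%s\n' "$1" | sed 's/^/P:/'; } |
    awk -F: '$1 == "S" { if ($3 ~ /^[!*]/) disabled[$2] = 1; next }
             $1 == "P" && $8 !~ /(nologin|false)$/ && ($2 in disabled) { print $2 }'
}

# One line per finding; the functions above are what a test or another
# script would call individually.
audit_report() {
    local passwd=$1 shadow=$2
    find_uid0_aliases "$passwd"   | sed 's/^/UID0-ALIAS: /'
    find_duplicate_uids "$passwd" | sed 's/^/DUPLICATE-UID: /'
    find_empty_passwords "$shadow" | sed 's/^/EMPTY-PASSWORD: /'
    find_never_expiring "$shadow"  | sed 's/^/NEVER-EXPIRES: /'
    find_shell_without_password "$passwd" "$shadow" | sed 's/^/SHELL-NO-PASSWORD: /'
}

audit_report "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

On the sample data the report flags backdoor (a second UID 0 account), the duplicate UID 0, svc (empty password), root and backdoor (no expiry), and ops (bash shell but a "!!" password). The never-expires check deliberately skips disabled hashes, otherwise every nologin system account would show up.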

▼ user and group management commands
pwck and grpck check /etc/passwd and /etc/group for consistency

User management commands
1. useradd
2. usermod
3. userdel
4. id
5. su
6. passwd
7. chage
Group account maintenance commands
1. groupadd
2. groupmod
3. groupdel
4. gpasswd
5. groupmems
6. groups
▷ user management commands
● files and commands related to creating users
Related files:
/etc/default/useradd: defaults used by useradd
/etc/skel/*: files copied into a new home directory
/etc/login.defs: UID/GID ranges and password aging defaults
newusers: batch-create users from a file in passwd format
chpasswd: batch-change user passwords

useradd: create a user

useradd [options] LOGIN
-u UID
-o together with -u: do not check that the UID is unique
-g GID: the user's primary group, given as a group name or GID
-c "COMMENT": the user's comment (GECOS) field
-d HOME_DIR: path of the home directory (must not already exist)
-s SHELL: the user's default shell; the permitted shells are listed in /etc/shells
-G GROUP1[,GROUP2,...]: supplementary groups for the user; the groups must already exist
-N: do not create a user private group; the default group from /etc/default/useradd (the users group) is used instead
-r: create a system user. CentOS 6: UID < 500, CentOS 7: UID < 1000
-m: create the home directory (system users get none by default)
-M: do not create the home directory (non-system users get one by default)

usermod: modify user properties

usermod [OPTION] LOGIN
-u UID: new UID
-g GID: new primary group
-G GROUP1[,GROUP2,...[,GROUPN]]: new supplementary groups; the existing list is replaced. To keep the existing groups, add the -a (append) option
-s SHELL: new default shell
-c 'COMMENT': new comment
-d HOME: new home directory, not created automatically; add -m to create it and move the contents of the old home directory into it
-l login_name: new login name
-L: lock the user by prefixing the password field in /etc/shadow with !
-U: unlock the user by removing the ! from the password field in /etc/shadow
-e YYYY-MM-DD: account expiration date
-f INACTIVE: number of days after password expiry until the account is disabled

su [options...] [-] [user [args...]]: switch user, or run a command as another user

Ways of switching user:
su UserName: non-login switch; the target user's profile is not read, and the current working directory and environment are kept
su - UserName: login switch; the target user's profile is read and the shell starts in the target user's home directory, a complete switch
root can su to any other user without a password; non-root users must enter the target user's password
Run a command under another identity:
su [-] UserName -c 'COMMAND'
su -l UserName is equivalent to su - UserName

passwd [OPTIONS] UserName: set a password

Common options:
-d: delete the specified user's password (the account can then log in with no password at all)
-l: lock the specified user
-u: unlock the specified user
-e: force the user to change the password at next login
-f: force the operation
-n mindays: minimum password lifetime
-x maxdays: maximum password lifetime
-w warndays: how many days before expiry to start warning
-i inactivedays: inactive period after expiry
--stdin: read the new password from standard input (Red Hat specific)
example: echo "PASSWORD" | passwd --stdin USERNAME
A password typed on the command line this way is recorded in the shell history; for scripted changes, chpasswd reading its user:password lines from a file avoids that.

Modify the user's password policy:

chage [OPTION]... LOGIN
-d LAST_DAY: date of the last password change
-E, --expiredate EXPIRE_DATE: account expiration date
-I, --inactive INACTIVE: days after password expiry until the account is disabled
-m, --mindays MIN_DAYS
-M, --maxdays MAX_DAYS
-W, --warndays WARN_DAYS
-l: show the password aging information

Other user-related commands:

  • chfn: set personal (GECOS) information
  • chsh: set the login shell
  • finger: display user information

Group-related commands

Create a group
groupadd [OPTION]... GROUP_NAME
-g GID: specify the GID; it must lie within [GID_MIN, GID_MAX] from /etc/login.defs
-r: create a system group
CentOS 6: GID < 500
CentOS 7: GID < 1000

Modify and delete groups
Edit group properties: groupmod
groupmod [OPTION]... GROUP
-n group_name: new name
-g GID: new GID
Delete a group: groupdel
groupdel GROUP

Change and view group members

groupmems [options] [action]
Options:
-g, --group GROUPNAME: operate on the specified group (root only)
Actions:
-a, --add username: add the user to the group
-d, --delete username: remove the user from the group
-p, --purge: remove all members from the group
-l, --list: display the list of group members
groups [OPTION]... [USERNAME]...: list the groups a user belongs to

file permission

  • File permissions are defined for three classes of subjects:
  1. the owner (user), u
  2. the group, g
  3. others, o
  • For each class, a file defines three permissions:

For a file:
r: the content can be read with a file viewer such as cat
w: the content can be modified
x: the file can be handed to the kernel to start a process
For a directory:
r: the list of entries can be read with ls
w: files can be created in and deleted from the directory (together with x)
x: the directory can be entered with cd, and the metadata of its entries read with ls -l (together with r)
X: grants x only to directories (and to files that already have an x bit for some class), never to ordinary files

Changing a file's owner and group
Change the owner: chown
chown [OPTION]... [OWNER][:[GROUP]] FILE...
Usage:
OWNER
OWNER:GROUP
:GROUP (the colon may also be written as a dot, a legacy syntax)
-R: recursive
chown [OPTION]... --reference=RFILE FILE...
Change the group: chgrp
chgrp [OPTION]... GROUP FILE...
chgrp [OPTION]... --reference=RFILE FILE...
-R: recursive

Modify file permissions
chmod [OPTION]... OCTAL-MODE FILE...
-R: modify permissions recursively
chmod [OPTION]... MODE[,MODE]... FILE...
MODE:
set all permissions of one class of users at once:
u= g= o= ug= a= u=,g=
add or remove individual permission bits for one class:
u+ u- g+ g- o+ o- a+ a- + -
chmod [OPTION]... --reference=RFILE FILE...
copy the permissions of RFILE onto FILE

Default permissions for new files and directories (umask)
The umask removes permission bits from newly created files and directories; it controls the permissions a new file gets

default permissions of a new file: 666 with the umask bits removed (666 & ~umask). With the digit-by-digit shortcut 666-umask, an odd result digit means the subtraction removed an execute bit that was never there, so add 1 to that digit (umask 023: 666-023 = 643, corrected to 644)
default permissions of a new directory: 777 with the umask bits removed (777-umask digit by digit)
the umask of unprivileged users is 002
the umask of root is 022
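As an added example (not part of the original post), the following script computes the mode a new file or directory receives under a given umask with the bitwise rule the kernel applies (base mode AND NOT umask), and then creates a file and a directory under that umask in a scratch directory to read back the real modes. It runs unprivileged; stat -c is the GNU coreutils form of the command.

```bash
#!/bin/bash
# Added example: what a new file or directory gets under a umask.
# The kernel computes mode = base & ~umask, base 0666 for files and 0777
# for directories; digit subtraction is only a shortcut. No root needed.

# default_mode UMASK file|dir -> three-digit octal mode
default_mode() {
    local mask=$1 kind=$2 base
    case $kind in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode UMASK file|dir" >&2; return 1 ;;
    esac
    # A leading 0 makes $(( )) read the umask as octal; the final & 0777
    # drops the high bits that ~ turns on.
    printf '%03o\n' $(( base & ~0$mask & 0777 ))
}

# observe_umask UMASK -> "file=NNN dir=NNN", read back from a scratch directory
observe_umask() {
    local mask=$1 tmp f d
    tmp=$(mktemp -d) || return 1
    ( umask "$mask" && : > "$tmp/f" && mkdir "$tmp/d" ) || { rm -rf "$tmp"; return 1; }
    f=$(stat -c %a "$tmp/f")
    d=$(stat -c %a "$tmp/d")
    rm -rf "$tmp"
    echo "file=$f dir=$d"
}

# Compare the common settings: 002 (ordinary users), 022 (root), and the
# hardened 027 / 077 that keep new files away from "other" entirely.
for m in 002 022 027 077; do
    printf 'umask %s: computed file=%s dir=%s; observed %s\n' \
        "$m" "$(default_mode "$m" file)" "$(default_mode "$m" dir)" "$(observe_umask "$m")"
done
```

The computed and observed values agree for every umask, including 023, where the subtraction shortcut would give 643 for a file while the kernel gives 644: a file never receives an execute bit by default, so the umask cannot "remove" one.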

Special permissions (SUID, SGID, Sticky) on a Linux file system
(1) any executable file can only be started as a process if the launching user has execute permission on it
(2) once started, the process's owner is the launching user and its group is the launching user's primary group
(3) the permissions applied when the process accesses a file depend on the launching user:
(a) the launching user is the file's owner: the owner permission bits apply
(b) the launching user belongs to the file's group: the group permission bits apply
(c) otherwise: the "other" permission bits apply

1. SUID: permissions on an executable file

Any executable file can only be started as a process if the launching user has execute permission on it
Once started, the process's effective owner is the owner of the program file, not the launching user
SUID is only honoured on binary executables (the Linux kernel ignores it on interpreted scripts)
SUID on a directory has no meaning
Permissions:

chmod u+s FILE...
chmod u-s FILE...

  

2. SGID: permissions on an executable file

Any executable file can only be started as a process if the launching user has execute permission on it

Once started, the process's effective group is the group of the program file, not the launching user's primary group

Permissions:

chmod g+s FILE...
chmod g-s FILE...

  

SGID permissions on a directory

By default, a file created by a user belongs to that user's primary group

Once SGID is set on a directory, files created in it by any user with write access to the directory belong to the directory's group instead

Often used to build a shared collaboration directory

Permissions:

chmod g+s DIR...
chmod g-s DIR...

In the session below /data/test_dir belongs to group root, so after SGID is set the new file f2 inherits that group (ll is the CentOS alias for ls -l):

[wang@centos7 test_dir]$ touch f1
[root@centos7 test_dir]$ ll
total 0
-rw-rw-r--. 1 wang wang 0 May 16 05:01 f1

[root@centos7 test_dir]$ chmod g+s /data/test_dir

[wang@centos7 test_dir]$ touch f2
[wang@centos7 test_dir]$ ll
total 0
-rw-rw-r--. 1 wang wang 0 May 16 05:01 f1
-rw-rw-r--. 1 wang root 0 May 16 05:01 f2

  

3. Sticky bit

Normally a user with write permission on a directory can delete any file in it, regardless of the file's permissions or ownership

With the sticky bit set on a directory, a file can only be deleted or renamed by its owner (or by the directory's owner, or root)

Sticky on a regular file has no meaning

Permissions:

chmod o+t DIR...
chmod o-t DIR...

  

Permission bitmap
SUID: shown in the owner's execute-permission position
s: owner also has x
S: owner has no x
SGID: shown in the group's execute-permission position
s: group also has x
S: group has no x
Sticky: shown in the others' execute-permission position
t: others also have x
T: others have no x
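As an added example (not part of the original post), the following script decodes the ten-character mode string that ls -l prints into its four-digit octal form using the s/S/t/T rules in the bitmap above, and then enumerates SUID/SGID files under a directory the way a reviewer baselines a host for privilege-escalation candidates. It builds its own scratch tree, so it runs unprivileged; the file names in the demo are made up.

```bash
#!/bin/bash
# Added example: decode ls -l mode strings (special bits included) and list
# SUID/SGID files. The scratch files are constructed here. No root needed.

# mode_to_octal MODESTRING -> four-digit octal, e.g. "-rwsr-xr-x" -> 4755
# The special bits sit in the three execute slots: s/S in the owner slot is
# SUID, s/S in the group slot is SGID, t/T in the other slot is sticky.
# Lowercase means the underlying x bit is set too, uppercase means it is not.
mode_to_octal() {
    str=$1
    [ ${#str} -eq 10 ] || { echo "expected a 10-character mode string" >&2; return 1; }
    s=${str#?}                  # drop the type character (-, d, l, ...)
    special=0 octal="" val=0 pos=0
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest      # peel one character
        case $c in
            r)     val=$((val + 4)) ;;
            w)     val=$((val + 2)) ;;
            x|s|t) val=$((val + 1)) ;;
        esac
        case $c in
            s|S) if [ $pos -eq 2 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            t|T) special=$((special + 1)) ;;
        esac
        pos=$((pos + 1))
        if [ $((pos % 3)) -eq 0 ]; then octal="$octal$val"; val=0; fi
    done
    echo "$special$octal"
}

# find_setid DIR -> "mode path" for every regular file with SUID or SGID set.
# -xdev stays on one filesystem; on a nosuid mount the bits are ignored anyway.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} \; | sort
}

# Build a scratch tree with one SUID file, one SGID file, a plain file and a
# sticky directory, then show that only the two set-id files are reported.
demo_setid() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/suid_tool"; chmod 4755 "$tmp/suid_tool"
    : > "$tmp/sgid_tool"; chmod 2755 "$tmp/sgid_tool"
    : > "$tmp/plain";     chmod 755  "$tmp/plain"
    mkdir "$tmp/shared";  chmod 1777 "$tmp/shared"
    find_setid "$tmp" | sed "s|$tmp/||"
    rm -rf "$tmp"
}

demo_setid
```

On a real host, run find_setid / against a saved baseline after installs and upgrades; a new SUID binary that no package owns is worth a close look. The sticky directory is deliberately not reported, since the sticky bit on a directory grants nothing to a process.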

chattr: set special file attributes

chattr +i: the file cannot be deleted, renamed or modified, even by root, until the attribute is removed again
chattr +a: content can only be appended
lsattr: display the special attributes

[root@centos7 test_dir]$chattr +i f1
[root@centos7 test_dir]$lsattr
---------------- ./f3
----i----------- ./f1

[root@centos7 test_dir]$su wang
[wang@centos7 test_dir]$ mv f1 f111
mv: cannot move 'f1' to 'f111': Operation not permitted

  

Access control lists (ACL)

ACL: Access Control List, flexible permission management
Beyond the file's owner, group and others, permissions can be set for additional users and groups
The xfs and ext4 file systems created by default on CentOS 7 have ACL support
On releases before CentOS 7, a manually created ext4 file system has no ACL support by default; enable it as follows:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test
ACL evaluation order: owner, named users, named groups, others
The owning group's permission slot becomes the mask
No permission can exceed the mask (except the owner's)

On a file with an ACL, the group permission that ls shows is the mask value (the upper bound for named users, named groups and the owning group), not the traditional group permission

getfacl shows the special permission bits under "flags"

Even when a directory's default ACL grants x, files created inside it do not get an effective x (their creation mode limits the mask)

The base ACL entries (owner, group, other) cannot be deleted

setfacl -k dir        # remove the default ACL entries

setfacl -b file       # remove all extended ACL entries

getfacl file1 | setfacl --set-file=- file2    # copy file1's ACL onto file2

The mask limits only named users, named groups and the owning group, not the owner or others

The mask is ANDed with an entry's permissions to give the effective permission
A user or group entry therefore only takes effect within the range the mask allows
setfacl -m mask::rx file
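As an added example (not part of the original post), the mask rule from the paragraph above applied in shell to constructed getfacl-style output: the file name report.txt, the user wang, the group dev and the permissions are assumptions for the demo. The functions reproduce the #effective annotation that getfacl itself prints, so the reader can see exactly which entries the mask cuts down.

```bash
#!/bin/bash
# Added example: effective ACL permissions under a mask. ACL_SAMPLE is
# constructed to look like getfacl output after something like
# "setfacl -m u:wang:rwx,g:dev:rw,mask::r-x report.txt"; no setfacl is run.

ACL_SAMPLE='# file: report.txt
# owner: chen
# group: chen
user::rw-
user:wang:rwx
group::rw-
group:dev:rw-
mask::r-x
other::r--'

# acl_effective ENTRY_PERMS MASK_PERMS: keep each of r, w, x only when both
# the entry and the mask grant it (a bitwise AND on the rwx string).
acl_effective() {
    e=$1 m=$2 out=""
    while [ -n "$e" ]; do
        erest=${e#?}; ec=${e%"$erest"}; e=$erest      # peel one char of the entry
        mrest=${m#?}; mc=${m%"$mrest"}; m=$mrest      # and the matching mask char
        if [ "$ec" != - ] && [ "$mc" != - ]; then out="$out$ec"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# acl_annotate ACL_TEXT: reprint the entries, appending "#effective:..." to the
# named-user, named-group and owning-group lines that the mask reduces.
# The owner (user::) and other:: entries are never subject to the mask.
acl_annotate() {
    mask=$(printf '%s\n' "$1" | awk -F: '$1 == "mask" { print $3 }')
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            user:[!:]*|group:*)
                perms=${line##*:}
                eff=$(acl_effective "$perms" "$mask")
                if [ "$eff" != "$perms" ]; then
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                else
                    printf '%s\n' "$line"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

acl_annotate "$ACL_SAMPLE"
```

With mask r-x, wang's rwx entry is effectively r-x and both the owning group and dev drop from rw- to r--, while the owner keeps rw-. This is also why setfacl -m on a file silently tightens nothing until you check the mask line: the entry is stored as written, only its effect is capped.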

The --set option deletes all existing ACL entries and replaces them with the given ones; unlike -m, which only adds entries, the new set must therefore include the u::, g:: and o:: base entries
Example:
setfacl --set u::rw,u:wang:rw,g::r,o::- file1

Backing up and restoring ACLs
The main file operations cp and mv support ACLs, although cp needs the -p option. Common backup tools such as tar do not preserve the ACL information of directories and files (GNU tar only does so when built with ACL support and invoked with --acls)

backup:  getfacl -R /tmp/dir1 > acl.txt
delete:  setfacl -R -b /tmp/dir1
restore: setfacl -R --set-file=acl.txt /tmp/dir1
         # alternative: setfacl --restore acl.txt (run from the same working directory as the getfacl above, since the dump records relative paths)
verify:  getfacl -R /tmp/dir1

That is all for now; to be continued.

Origin www.cnblogs.com/guopeilin/p/10926928.html