Linux is a multi-tasking, multi-user system, so centralized management of system permissions is especially important. How to manage system privileges in a fine-grained way is a question every operations engineer has to consider.
The traditional approach to privilege management on Linux is to grant rights directly to individual users, one by one.
To achieve fine-grained management, with the privileges divided between roles, we can proceed in the following steps:
(1) Collect information and match permissions to users. Grant the least privilege that still lets each person carry out the duties of their role.
(2) Map permissions to user groups: decide exactly which commands each group gets, so that every group corresponds to a specific, well-defined set of instructions.
(3) Create the planned user groups and add the relevant users to them.
(4) Grant sudo permissions: add the groups to the sudoers list, spell out in detail which commands are opened to each, and decide for each command whether a password is required to run it.
(5) Do not grant ALL and then try to exclude commands afterwards; sudoers exclusions of that kind are trivially bypassed (for example by copying the excluded binary under another name). Use a whitelist mechanism instead.
(6) Test on a live system that the permissions are configured correctly.
(7) Write usage instructions and the related precautions.
(8) Once testing is complete, notify all affected staff by e-mail that the system permission settings have taken effect, attaching the instructions and precautions.
Implementation case:
Step one: collect information and match permissions to users
Permissions for the deployment and service configuration account:
/bin/rpm, /usr/bin/up2date, /usr/bin/yum,/sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
Permissions for the network management and test account:
/sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Note that several of these commands install packages or run scripts as root (rpm and yum run package scriptlets, dhclient can be pointed at an arbitrary script), so a user who is granted them is in practice root-equivalent. Keep this in mind when deciding who joins the corresponding group.
Step two: assign the permissions to user groups
Define the service deployment and configuration group as SERVER;
Define the network management and test group as NETMANAGE;
SERVER permissions: /bin/rpm, /usr/bin/up2date, /usr/bin/yum,/sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
NETMANAGE permissions: /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Step three: create the user groups and users
user01 to user20 need to be created as members of the SERVER group;
net01 to net20 need to be created as members of the NETMANAGE group;
User creation can be done with a shell script.
Then add the user groups to the sudoers configuration file (edit it with visudo so that a syntax error cannot lock everyone out).
Step four: open the permissions to the user groups
Each group gets exactly its command list from step two, and nothing is granted as ALL. Note that a sudoers entry that includes arguments, such as /usr/bin/systemctl start, matches that exact argument list only; to allow a unit name after it, the entry has to be written as /usr/bin/systemctl start *.
Step five: verify that the permissions are configured correctly (for example, log in as one member of each group and run sudo -l to list what that user may run)
Step six: write the configuration instructions
Step seven: notify the users
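Steps three to five carried out as one script, as an added example that is not part of the original article. The group names, user ranges and command paths are the article's; the SUDOERS_DIR and DRY_RUN variables, the drop-in file name 10-role-whitelist, the logging Defaults and the --no-pager restriction on systemctl status are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): steps three to five as one
# script. Group names, user ranges and command paths follow the article;
# SUDOERS_DIR, DRY_RUN, the drop-in file name and the logging Defaults are
# assumptions of this example.
set -eu

SUDOERS_DIR="${SUDOERS_DIR:-/etc/sudoers.d}"   # override for testing
SUDOERS_FILE="10-role-whitelist"               # hypothetical file name

# Run a command, or only print it when DRY_RUN=1 (groupadd/useradd need root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step three: create a group and its numbered members, e.g. user01..user20.
create_role_users() {
    group="$1" prefix="$2" count="$3"
    run groupadd -f "$group"                     # -f: succeed if it already exists
    i=1
    while [ "$i" -le "$count" ]; do
        user="$(printf '%s%02d' "$prefix" "$i")"
        i=$((i + 1))
        # Skip users that already exist so re-runs are idempotent (not in dry-run).
        if [ "${DRY_RUN:-0}" != "1" ] && id "$user" >/dev/null 2>&1; then
            continue
        fi
        run useradd -m -G "$group" -s /bin/bash "$user"
    done
}

# Step four: the whitelist. Only the commands from step two, no ALL anywhere,
# and no NOPASSWD, so every privileged action needs the caller's password.
render_sudoers() {
    cat <<'EOF'
# Role whitelist, managed by script; check edits with "visudo -cf <file>".
Defaults    env_reset
Defaults    logfile="/var/log/sudo.log"

# Service deployment and configuration (SERVER). An entry with arguments
# matches that argument list exactly, so the trailing * is what lets a unit
# name follow "systemctl start". status is pinned to --no-pager because an
# interactive pager running as root can spawn a shell.
Cmnd_Alias SERVER_CMDS = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, \
    /sbin/service, /sbin/chkconfig, \
    /usr/bin/systemctl start *, /usr/bin/systemctl stop *, \
    /usr/bin/systemctl reload *, /usr/bin/systemctl restart *, \
    /usr/bin/systemctl status --no-pager *, \
    /usr/bin/systemctl enable *, /usr/bin/systemctl disable *

# Network management and test (NETMANAGE).
Cmnd_Alias NETMANAGE_CMDS = /sbin/route, /sbin/ifconfig, /bin/ping, \
    /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, \
    /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

%SERVER     ALL=(root) SERVER_CMDS
%NETMANAGE  ALL=(root) NETMANAGE_CMDS
EOF
}

# Install the whitelist as a drop-in, validating the syntax first when running
# as root (visudo -c also checks owner and mode, so it is skipped otherwise).
write_sudoers() {
    tmp="$(mktemp)"
    render_sudoers >"$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"                        # abort on any syntax error
    fi
    run install -m 0440 "$tmp" "$SUDOERS_DIR/$SUDOERS_FILE"
    rm -f "$tmp"
}

# Step five: show group membership and exactly what a member may run
# (sudo -l -U needs root).
check_user() {
    run id -nG "$1"
    run sudo -l -U "$1"
}

main() {
    create_role_users SERVER user 20
    create_role_users NETMANAGE net 20
    write_sudoers
    check_user user01
    check_user net01
}

# Only act when invoked as "./setup-roles.sh apply"; nothing runs otherwise.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with the argument apply; with DRY_RUN=1 it prints the groupadd, useradd and install commands instead of executing them, which is a convenient way to review the plan before step five. The wildcard after each systemctl verb is necessary for the entry to be usable at all, but it also hands the user every option that verb accepts, so review the option surface of any command you whitelist with a trailing *.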