Users and Groups
Security 3A
Controlling access to resources:
- Authentication: verifying who the user is
- Authorization: deciding what the authenticated user may do
- Accounting (audition): auditing what was done
User: the identity being authenticated
Token: represents the identity after authentication
Linux users: Username / UID
- Administrator: root, UID 0
- Ordinary users: UIDs 1-60000, assigned automatically
  - System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
    - Used by daemons; assigned only the permissions needed to access their resources
  - Login users: 500+ (CentOS 6), 1000+ (CentOS 7)
    - Interactive login
Group
Linux groups: Groupname / GID
- Administrators group: root, GID 0
- Ordinary groups:
  - System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
  - Ordinary groups: 500+ (CentOS 6), 1000+ (CentOS 7)
Every user must have a primary group. The root user has UID 0; any other account whose UID is 0 also has administrator privileges, whatever its name.
Security Context
Linux security context:
- A running program (a process) runs with the identity of the user who started it:
  - root: /bin/cat
  - mage: /bin/cat
- The resources a process may access depend on the identity it runs as.
Group Categories
Linux group categories:
- Primary group of the user
  - A user must belong to exactly one primary group
  - By default it has the same name as the user and contains only that user (a private group)
- Supplementary groups of the user
  - A user may belong to zero or more supplementary groups
User and group configuration files
Main configuration files for Linux users and groups:
- /etc/passwd: users and their attributes (name, UID, primary group ID, etc.)
- /etc/group: groups and their attributes
- /etc/shadow: user passwords and their related properties
- /etc/gshadow: group passwords and their related properties
passwd file format
- login name: the login name (wang)
- passwd: password placeholder (x; the hash itself is kept in /etc/shadow)
- UID: user identification number (1000)
- GID: ID of the user's default login group (1000)
- GECOS: full name or comment
- home directory: the user's home directory (/home/wang)
- shell: the user's default shell (/bin/bash)
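The UID ranges and the passwd field layout above can be checked mechanically. The following script is an added example, not part of the original notes: it parses constructed passwd-format lines (not a real system's file), classifies each UID with the CentOS 7 thresholds (0 = administrator, 1-999 = system, 1000+ = login), and lists every account other than root that has UID 0, since such an account has full administrator rights regardless of its name. Sample accounts, names and the `backup` UID-0 entry are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
wang:x:1000:1000:wang:/home/wang:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash'

# Classify a UID with the CentOS 7 ranges: 0 = administrator,
# 1-999 = system user, 1000 and above = login user.
classify_uid() {
    uid=$1
    if [ "$uid" -eq 0 ]; then
        echo administrator
    elif [ "$uid" -lt 1000 ]; then
        echo system
    else
        echo login
    fi
}

# Read passwd-format text on stdin (7 colon-separated fields) and print
# "name uid class" for every entry.
classify_passwd() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        printf '%s %s %s\n' "$name" "$uid" "$(classify_uid "$uid")"
    done
}

# Print every account with UID 0 whose name is not root. Each of these is
# an administrator, whatever the name suggests.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Demonstration on the constructed data. On a live host the same functions
# read the real file: classify_passwd < /etc/passwd ; extra_uid0 < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | classify_passwd
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
```

On the sample data `extra_uid0` prints only `backup`, the one non-root account that shares UID 0.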
shadow file format
- Login name
- Password: usually a sha512 hash
- Date of the last password change, in days since January 1, 1970
- Minimum number of days before the password may be changed again (0 means it may be changed at any time)
- Maximum number of days after which the password must be changed (99999 means it never expires)
- Number of days before expiry on which the system starts warning the user (default: one week)
- Number of days after password expiry until the account is locked
- Account expiration date, in days since January 1, 1970
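The aging fields above combine into a small state machine: last change plus maximum gives the due date, the warning window opens before it, and the inactivity period after it decides when the account locks. The script below is an added example, not from the original notes, that evaluates one constructed shadow line (placeholder hash, invented dates) for a given "today" expressed in days since 1970-01-01, the same unit the fields use.

```shell
#!/bin/sh
# Constructed sample /etc/shadow line (hash is a placeholder, not real).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='wang:$6$saltsalt$FAKEHASH:17000:0:90:7:14:18000:'

# Report the password-aging state of one shadow line as of day $2
# (days since 1970-01-01). Prints exactly one of:
#   ok, warn, expired, locked (inactivity period exceeded), account-expired
aging_state() {
    line=$1; today=$2
    printf '%s\n' "$line" | awk -F: -v today="$today" '
    {
        lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
        # Account expiry (field 8) overrides everything else.
        if (expire != "" && today >= expire) { print "account-expired"; exit }
        # Empty or 99999 maximum means the password never expires.
        if (max == "" || max >= 99999) { print "ok"; exit }
        due = lastchg + max
        if (today >= due) {
            if (inactive != "" && today >= due + inactive) print "locked"
            else print "expired"
            exit
        }
        if (warn != "" && today >= due - warn) print "warn"
        else print "ok"
    }'
}

# Walk the sample account through its lifetime.
for day in 17000 17085 17095 17110 18000; do
    printf 'day %s: %s\n' "$day" "$(aging_state "$SAMPLE_SHADOW" "$day")"
done
```

With the sample values the password is due on day 17090 (17000 + 90), warnings start on day 17083, the account is locked from day 17104 (due + 14), and the account itself expires on day 18000.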
Password Encryption
Encryption mechanisms:
- Encryption: plaintext -> ciphertext
- Decryption: ciphertext -> plaintext
One-way encryption (hashing):
- Hash algorithms: different input text produces different output
- Fixed-length output for a given algorithm; the original data cannot be recovered from the hash
- Avalanche effect: a small change in the input leads to a large change in the result
- md5: message digest, 128 bits
- sha1: secure hash algorithm, 160 bits
- sha224: 224 bits
- sha256: 256 bits
- sha384: 384 bits
- sha512: 512 bits
Changing the hashing algorithm:
- authconfig --passalgo=sha256 --update
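Changing the algorithm with authconfig only affects passwords set afterwards; hashes already in /etc/shadow keep their old format until the password is changed. The crypt(3) id at the start of the hash field tells which algorithm produced it ($1$ md5, $5$ sha256, $6$ sha512), and a field starting with ! or * means the account is locked or has no valid password. The following added audit script (not part of the original notes) classifies constructed shadow entries with placeholder hashes and lists the accounts that still need a password change after the switch.

```shell
#!/bin/sh
# Constructed sample shadow entries; hashes are placeholders, not real ones.
SAMPLE_SHADOW='root:$6$abc$PLACEHOLDER:17000:0:99999:7:::
legacy:$1$abc$PLACEHOLDER:15000:0:99999:7:::
mid:$5$abc$PLACEHOLDER:16000:0:99999:7:::
svc:!!:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
oops::17000:0:99999:7:::'

# Map the crypt(3) id prefix of a shadow password field to its algorithm.
hash_algo() {
    case "$1" in
        '')        echo empty ;;    # no password at all: login needs no password
        '!'*|'*'*) echo locked ;;   # locked account / no valid password
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        *)         echo unknown ;;
    esac
}

# Print "name algorithm" for shadow-format text on stdin.
audit_hashes() {
    while IFS=: read -r name hash rest; do
        printf '%s %s\n' "$name" "$(hash_algo "$hash")"
    done
}

# Accounts whose hash is neither sha512 nor locked: after
# `authconfig --passalgo=sha512 --update` these still carry the old
# algorithm (or no password) until their password is changed.
needs_rehash() {
    audit_hashes | awk '$2 != "sha512" && $2 != "locked" { print $1 }'
}

# Demonstration on the constructed data; on a live host (as root):
#   audit_hashes < /etc/shadow ; needs_rehash < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_hashes
printf '%s\n' "$SAMPLE_SHADOW" | needs_rehash
```

The `empty` case deserves particular attention in an audit: an empty password field is not a locked account but one that can log in without a password.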
Password complexity policy:
- Long enough
- At least three of the four classes: digits, uppercase letters, lowercase letters, special characters
- Use random passwords
- Change passwords regularly; do not reuse recently used passwords
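The length and character-class rules above are simple to check before a password is handed to passwd or chpasswd. The following checker is an added example, not from the original notes; the minimum length of 8 is an assumed value, since the text only says "long enough", and the character classes are matched with POSIX bracket expressions so the result does not depend on the locale's collation order.

```shell
#!/bin/sh
# Minimum length is an assumed policy value; the notes only say "long enough".
MIN_LEN=8

# Count how many of the four character classes a string contains.
count_classes() {
    n=0
    printf '%s' "$1" | grep -q '[[:digit:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:upper:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:lower:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^[:alnum:]]' && n=$((n + 1))
    echo "$n"
}

# Check one candidate password against the policy: long enough and at
# least three classes. Returns 0 (prints "ok") if acceptable, 1 otherwise
# with the reason on stdout.
check_password() {
    pw=$1
    len=${#pw}
    if [ "$len" -lt "$MIN_LEN" ]; then
        echo "too short ($len < $MIN_LEN)"
        return 1
    fi
    classes=$(count_classes "$pw")
    if [ "$classes" -lt 3 ]; then
        echo "only $classes character classes, need at least 3"
        return 1
    fi
    echo ok
    return 0
}

# Demonstration with constructed candidates (not real passwords).
for candidate in 'abc' 'abcdefghij' 'Abcdefg1' 'short1A!'; do
    printf '%-12s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

The function reads the candidate from an argument for simplicity; in a real provisioning script it would be fed from the same source as `passwd --stdin` so the value never appears in the process list.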
Password Age:
group file format
- Group name
- Group password: usually not set; when set it is recorded in /etc/gshadow
- GID: the group's ID
- List of users who have this group as a supplementary group (comma-separated)
gshadow file format
- Group name
- Group password
- Group administrator list: administrators may change the group password and the group's members
- List of users who have this group as a supplementary group (multiple users separated by commas)
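A point the field descriptions imply but that is easy to miss: the member list in /etc/group holds only supplementary members. Users whose primary group is that group appear nowhere in /etc/group; they are found through the GID field of /etc/passwd. The script below is an added example, not from the original notes, that resolves full group membership from constructed passwd and group content (invented users and groups) in both directions: all members of a group, and all groups of a user, primary first, the way `groups USER` and `id -Gn USER` list them.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group content (not from a real host).
PASSWD='root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:wang:/home/wang:/bin/bash
mage:x:1001:1001:mage:/home/mage:/bin/bash
ops1:x:1002:2000:ops one:/home/ops1:/bin/bash'
GROUP='root:x:0:
wang:x:1000:
mage:x:1001:
ops:x:2000:wang,mage
wheel:x:10:wang'

# All members of a group: users whose primary GID (passwd field 4) matches
# the group's GID, plus the supplementary members in group field 4.
# Output is space-separated and sorted; returns 1 for an unknown group.
group_members() {
    gname=$1
    gid=$(printf '%s\n' "$GROUP" | awk -F: -v g="$gname" '$1 == g { print $3 }')
    [ -n "$gid" ] || { echo "no such group: $gname" >&2; return 1; }
    {
        printf '%s\n' "$PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$GROUP"  | awk -F: -v g="$gname" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# All groups of a user, primary group first, then every group whose member
# list names the user (the order `groups USER` uses).
user_groups() {
    user=$1
    pgid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$user" '$1 == u { print $4 }')
    {
        printf '%s\n' "$GROUP" | awk -F: -v gid="$pgid" '$3 == gid { print $1 }'
        printf '%s\n' "$GROUP" | awk -F: -v u="$user" \
            '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
    } | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration on the constructed data.
printf 'members of ops: %s\n' "$(group_members ops)"
printf 'groups of wang: %s\n' "$(user_groups wang)"
```

For the sample data `group_members ops` yields `mage ops1 wang`: ops1 is a member only through its primary GID and never appears in the group file's member list.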
File editing and checking commands
- vipw and vigr: edit /etc/passwd and /etc/group with file locking
- pwck and grpck: check the consistency of the passwd/shadow and group/gshadow files
User and group management commands
User management commands:
- useradd
- usermod
- userdel
Group account maintenance commands:
- groupadd
- groupmod
- groupdel
Creating users: useradd
useradd [options] LOGIN
- -u UID
- -o: together with -u, do not check the UID for uniqueness
- -g GID: the user's primary group, given as a group name or a GID
- -c "COMMENT": comment information for the user
- -d HOME_DIR: path of the home directory (must not already exist)
- -s SHELL: the user's default shell; it should be listed in /etc/shells
- -G GROUP1[,GROUP2,...]: supplementary groups for the user; the groups must already exist
- -N: do not create a private group as the primary group; use the users group as the primary group instead
- -r: create a system user (CentOS 6: ID < 500, CentOS 7: ID < 1000)
- -m: create a home directory for a system user
- -M: do not create a home directory for a non-system user
Default values are set in /etc/default/useradd
- Display or change the default settings:
  - useradd -D
  - useradd -D -s SHELL
  - useradd -D -b BASE_DIR
  - useradd -D -g GROUP
Supplement:
- useradd -D shows /etc/default/useradd, which holds the useradd defaults; the file can also be viewed with cat
- Use the newusers command to create users in batch from a file
- Create a file with lines in username:password format; cat pass.txt | chpasswd then changes the passwords in batch
Files and commands related to new users
- /etc/default/useradd
- /etc/skel/*
- /etc/login.defs
- newusers: create users in batch from a file in passwd format
- chpasswd: modify user passwords in batch
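Because newusers creates every account in one pass, a malformed batch file is best caught before the command runs as root. The validator below is an added example, not part of the original notes: it checks a constructed newusers-format batch (same seven fields as /etc/passwd; empty UID/GID fields let newusers choose) for field count, a valid user name, collisions with a constructed existing passwd, and names repeated within the batch. The user-name pattern `^[a-z_][a-z0-9_-]*$` is the conventional one and is an assumption of this example, as are the sample names and placeholder passwords.

```shell
#!/bin/sh
# Constructed batch file in newusers(8) format; not real credentials.
BATCH='user1:Tmp-Pass-1:::User One:/home/user1:/bin/bash
user2:Tmp-Pass-2:::User Two:/home/user2:/bin/bash
wang:Tmp-Pass-3:::Dup:/home/wang:/bin/bash
bad name:x:::Bad:/home/bad:/bin/bash
user1:Again:::Dup in file:/home/user1:/bin/bash'

# Constructed existing /etc/passwd content to check collisions against.
EXISTING='root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:wang:/home/wang:/bin/bash'

# validate_batch BATCH_TEXT EXISTING_PASSWD_TEXT
# Prints one "LINE: reason" per problem and returns 1 if any were found;
# prints nothing and returns 0 for a clean batch.
validate_batch() {
    batch=$1; existing=$2
    printf '%s\n' "$batch" | awk -F: -v existing="$existing" '
    BEGIN {
        # Names already present on the system.
        n = split(existing, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, ":"); taken[f[1]] = 1 }
        bad = 0
    }
    NF != 7 { bad++; print NR ": expected 7 fields, got " NF; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { bad++; print NR ": invalid user name \"" $1 "\""; next }
    $1 in taken { bad++; print NR ": user " $1 " already exists"; next }
    $1 in seen  { bad++; print NR ": user " $1 " repeated in batch"; next }
    { seen[$1] = 1 }
    END { exit bad > 0 }'
}

# Demonstration on the constructed data. Against a real host (as root):
#   validate_batch "$(cat batch.txt)" "$(cat /etc/passwd)" && newusers < batch.txt
validate_batch "$BATCH" "$EXISTING" || echo "batch rejected"
```

Only after the validator passes would `newusers < batch.txt` and `chpasswd < pass.txt` be run; the check costs nothing and avoids half-applied batches.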
Modifying user properties
usermod [OPTION] login
- -u UID: new UID
- -g GID: new primary group
- -G GROUP1[,GROUP2,...[,GROUPN]]: new supplementary groups; the original supplementary groups are replaced; to keep them as well, add the -a option
- -s SHELL: new default shell
- -c 'COMMENT': new comment
- -d HOME: new home directory, not created automatically; to create the new home directory and move the original data into it, add the -m option
- -l login_name: new login name
- -L: lock the specified user by prefixing the password field in /etc/shadow with !
- -U: unlock the specified user by removing the ! from the password field in /etc/shadow
- -e YYYY-MM-DD: account expiration date for the specified user
- -f INACTIVE: set the inactivity period
Deleting users
userdel [OPTION]... Login
- -f, --force: force removal
- -r, --remove: delete the user's home directory and mail spool
- A user who is logged in cannot normally be deleted; with -f the deletion goes through. The existing login session remains, but the account has been removed.
Viewing user ID information
id [OPTION]... [USER]
- -u: display the UID
- -g: display the GID
- -G: display the IDs of all groups the user belongs to
- -n: display names instead of numbers; used together with -u, -g or -G
Switching users or running commands as another user
su [options...] [-] [user [args...]]
- Ways to switch user:
  - su UserName: non-login switch; does not read the target user's profile and does not change the current working directory
  - su - UserName: login switch; reads the target user's profile and changes to the target user's home directory (a complete switch)
- root can su to another user without a password; a non-root user must enter the target user's password
- Running a command as another user:
  - su [-] UserName -c 'COMMAND'
- Option: -l, --login
  - su -l UserName is equivalent to su - UserName
Setting passwords
passwd [OPTIONS] UserName: modify the specified user's password
- -d: delete the specified user's password
- -l: lock the specified user
- -u: unlock the specified user
- -e: force the user to change the password at next login
- -f: force the operation
- -n mindays: minimum password lifetime
- -x maxdays: maximum password lifetime
- -w warndays: how many days before expiry warnings begin
- -i inactivedays: inactivity period
- --stdin: read the password from standard input
- Example: echo "PASSWORD" | passwd --stdin USERNAME
Modifying the user password policy
chage [OPTION]... LOGIN
- -d LAST_DAY
- -E, --expiredate EXPIRE_DATE
- -I, --inactive INACTIVE
- -m, --mindays MIN_DAYS
- -M, --maxdays MAX_DAYS
- -W, --warndays WARN_DAYS
- -l: display the password policy
Examples:
- Force a password reset at next login: chage -d 0 tom
- chage -m 0 -M 42 -W 14 -I 7 tom
- chage -E 2016-09-10 tom
Other user-related commands
- chfn: set personal information
- chsh: set the login shell
- finger
Creating groups
groupadd [OPTION]... group_name
- -g GID: specify the GID; within [GID_MIN, GID_MAX]
- -r: create a system group
  - CentOS 6: ID < 500
  - CentOS 7: ID < 1000
Modifying and deleting groups
Modify group properties: groupmod
- groupmod [OPTION]... group
  - -n group_name: new name
  - -g GID: new GID
Delete a group: groupdel
- groupdel GROUP
Changing group passwords
Group password: gpasswd
- gpasswd [OPTION] GROUP
  - -a user: add the specified user to the group
  - -d user: remove the specified user from the group
  - -A user1,user2,...: set the list of users with administrative privileges for the group
- newgrp command: temporarily switch the primary group
  - If the user does not belong to the group, the group password must be entered
Changing and viewing group members
groupmems [options] [action]
- options:
  - -g, --group groupname: operate on the specified group (root only)
- actions:
  - -a, --add username: add the specified user to the group
  - -d, --delete username: delete the user from the group
  - -p, --purge: remove all members from the group
  - -l, --list: display the list of group members
groups [OPTION]... [USERNAME]...: view the list of groups the user belongs to