System bottom security control and its optimization method
Catalogue
1. Significance of users and their user groups
1) Meaning of user existence
2) Significance of user group existence
2. User creation
3. User switching
4. User related configuration files
5. Creation and deletion of users and user groups
6. Information management of users and user groups
7. User authentication information management
8. Decentralization of user authority
9. Change file permissions
10. Special authority
1. Significance of users and their user groups
1) Meaning of user existence
The resources of the system are limited and must be allocated sensibly, so the system has to know who is asking for them:
1. Account (identity)
2. Authorization
3. Authentication (auth)
This 3A mechanism forms the lowest layer of the system's security architecture.
2) Significance of user group existence
A user group is a logical container used to classify users and grant them permissions uniformly.
For example, people are sensitive to names and insensitive to numbers, while computers are sensitive to numbers and insensitive to characters.
A user is a line of characters in /etc/passwd.
A user group is a line of characters in /etc/group.
2. User creation
Create a user by hand in the virtual machine
[root@localhost Desktop]# vim /etc/passwd
Add a line of user information at the bottom of the file (the format is shown in section 4).
Then create the home directory, give the group the identity 1234 in /etc/group, change the directory ownership and set a password; the user is now established.
[root@localhost Desktop]# mkdir /home/zzz
[root@localhost Desktop]# vim /etc/group
zzz:x:1234:                                   -- identity given to the group
[root@localhost Desktop]# chown zzz.zzz /home/zzz/   -- change the directory's owner and group
[root@localhost Desktop]# passwd zzz                 -- set the password
Changing password for user zzz.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
3. User switching
1) User view
View with the id command
[root@localhost Desktop]# id -u zzz        -- view the UID
1234
[root@localhost Desktop]# id -g zzz        -- view the initial (primary) group ID
1234
[root@localhost Desktop]# id -G zzz        -- view all group IDs
1234
[root@localhost Desktop]# vim /etc/group   -- add the user to another group
[root@localhost Desktop]# id -G zzz
1234 974
[root@localhost Desktop]# id -Gn zzz       -- view group names; -n cannot be used on its own, it must be combined with an option that says whether a user name or a group name is wanted
zzz rngd
[root@localhost Desktop]# id -un zzz       -- view the user name
zzz
[root@localhost Desktop]# whoami           -- view the current user
root
2) User switching
Use the su command; there are two ways.
The first only switches the user identity and does not switch the environment.
The second switches both the identity and the environment.
[root@localhost Desktop]# su zzz
bash-4.4$ whoami
zzz
bash-4.4$ exit
exit
[root@localhost Desktop]# su - zzz
[zzz@localhost ~]$ whoami
zzz
Leaving an ordinary user inside the super user's Desktop directory is a security risk, so always add the "-" when switching with su.
[root@localhost Desktop]# su zzz
bash-4.4$ pwd
/root/Desktop        -- still on the super user's desktop
bash-4.4$ exit
After switching users with su you must exit. Do not keep switching with su without exiting, otherwise the nested shells get stuck and some graphical commands report errors.
4. User related configuration files
If you can't remember a file's format, view it with man 5 <file name>
[root@localhost Desktop]# man 5 <file name>
/etc/passwd -- user identity information
zzz:x:1234:1234:zzz:/home/zzz:/bin/bash
name:password:UID:GID:user description:home directory:login shell
/etc/group -- group identity information
rngd:x:974:zzz
group name:password:GID:additional members of the group
/etc/shadow -- user authentication information (see section 7)
/home/username -- user home directory
/var/spool/mail/username -- user mailbox file
5. Creation and deletion of users and user groups
Open two terminals, one for monitoring and one for operating
[root@localhost Desktop]# watch -n 1 "tail -n 3 /etc/passwd /etc/group; echo ===; ls -l /home/"
Delete a user
[root@localhost Desktop]# userdel zzz      -- deletes only the user identity; the home directory must be removed by hand
[root@localhost Desktop]# rm -rf /home/zzz
[root@localhost Desktop]# userdel -r ljb   -- deletes the user identity together with its related files
Create a user
[root@localhost Desktop]# useradd -u 6666 ljb          -- create a user with a specified UID
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -g 72 ljb            -- create a user with a specified GID
[root@localhost Desktop]# id ljb
uid=1000(ljb) gid=72(tcpdump) groups=72(tcpdump)       -- only one group identity
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -G 72 ljb            -- create a user with a specified additional group
[root@localhost Desktop]# id ljb
uid=1000(ljb) gid=1000(ljb) groups=1000(ljb),72(tcpdump)   -- two group identities
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -c "ljb shuai" ljb   -- create a user with a description
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -d /home/ljb ljb     -- create a user with a specified home directory
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -s /bin/sh ljb       -- create a user with a specified shell
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -s /sbin/nologin -M ljb   -- system account: cannot log in and has no home directory
Create a group
groupadd -g id groupname   -- create a group with a specified GID and name
groupdel groupname         -- delete a group
6. Information management of users and user groups
[root@localhost Desktop]# usermod -l zzz ljb          -- change the user name
[root@localhost Desktop]# usermod -l ljb zzz
[root@localhost Desktop]# usermod -u 6666 ljb         -- change the user's UID
[root@localhost Desktop]# usermod -g 72 ljb           -- change the user's GID
[root@localhost Desktop]# usermod -g 1000 ljb
[root@localhost Desktop]# usermod -G 72 ljb           -- replace the user's additional group IDs
[root@localhost Desktop]# id ljb
uid=6666(ljb) gid=1000(ljb) groups=1000(ljb),72(tcpdump)
[root@localhost Desktop]# usermod -aG 974 ljb         -- append an additional group ID
[root@localhost Desktop]# id ljb
uid=6666(ljb) gid=1000(ljb) groups=1000(ljb),974(rngd),72(tcpdump)
[root@localhost Desktop]# usermod -d /home/zzz ljb    -- change the user's home directory (the passwd entry only)
[root@localhost Desktop]# usermod -d /home/ljb ljb
[root@localhost Desktop]# usermod -md /home/zzz ljb   -- change the home directory and move its files as well
[root@localhost Desktop]# usermod -md /home/ljb ljb
[root@localhost Desktop]# usermod -s /sbin/nologin ljb   -- change the user's shell
7. User authentication information management
The /etc/shadow file has 9 fields; if you can't remember them, use man 5 shadow
ljb:!!:18962:0:99999:7:::
name:password:last modified time:minimum validity period:maximum validity period:warning period:inactive days:account expiry date:(reserved)
Monitor the file
[root@localhost Desktop]# watch -n 1 "tail -n 3 /etc/shadow"
Modify the information
Different users are subject to different conditions when changing passwords
[root@localhost Desktop]# echo ljb | passwd --stdin ljb   -- root changes a password directly
[ljb@localhost ~]$ passwd                                 -- an ordinary user changes their own password (with restrictions)
Changing password for user ljb.
Current password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
passwd: Authentication token manipulation error
[ljb@localhost ~]$ exit
logout
[root@localhost Desktop]# passwd -e ljb    -- expire the password immediately (sets the last modified time to 0)
Expiring password for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -n 1 ljb  -- set the minimum validity period to 1 day
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -x 30 ljb -- set the maximum validity period to 30 days
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -w 2 ljb  -- set the warning period to 2 days
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -i 2 ljb  -- set the inactive days to 2 (the account can still log in for two days after the password expires)
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# chage -E "2021-12-25" ljb  -- set the account expiry date to 2021-12-25
[root@localhost Desktop]# passwd -d ljb    -- delete the password
Removing password for user ljb.
passwd: Success
8. Decentralization of user authority
Editing the file directly as below is not recommended, because there is no syntax error check:
vim /etc/sudoers
Generally use
visudo
The rule can be written anywhere in the file; it is generally written around line 100, next to the root rule, for consistency.
[root@localhost Desktop]# hostname     -- view the host name
localhost.localdomain
[root@localhost Desktop]# visudo       -- delegate authority
root ALL=(ALL) ALL
ljb localhost.localdomain=(root) NOPASSWD: /sbin/useradd, /sbin/userdel   -- execute without a password
:wq
[root@localhost Desktop]# su - ljb
[ljb@localhost ~]$ sudo useradd text
[ljb@localhost ~]$ sudo userdel text
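When reviewing a delegation like the one above, the two things worth checking are which rules carry NOPASSWD and which rules grant ALL commands. The script below is an added example, not part of the original notes: it summarises every grant line of a sudoers file as "user: commands [flags]". The sudoers text is a constructed sample written in the rule style of the notes (the zzz rule is a deliberately over-broad grant for the audit to flag); run audit_sudoers /etc/sudoers as root on a live system.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise the grants in a
# sudoers file and flag NOPASSWD rules and rules that allow ALL commands.
# The sudoers text is a constructed sample in the rule style of the notes.

SAMPLE_SUDOERS='# constructed sample, not a real sudoers file
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
ljb localhost.localdomain=(root) NOPASSWD: /sbin/useradd, /sbin/userdel
zzz ALL=(ALL) NOPASSWD: ALL'

# audit_sudoers <file>: print "user: commands [flags]" for every grant line.
audit_sudoers() {
    awk '
        /^[ \t]*#/          { next }   # comments (and #include lines, see note)
        /^[ \t]*$/          { next }   # blank lines
        /^[ \t]*Defaults/   { next }   # option lines, not grants
        {
            eq = index($0, "=")
            if (eq == 0) { printf "unparsed: %s\n", $0; next }
            user = $1
            spec = substr($0, eq + 1)                 # "(runas) [TAG:] commands"
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (runas) part
            nopass = (spec ~ /(^|[ \t])NOPASSWD:/)
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[ \t]*/, "", spec)   # strip tags
            sub(/^[ \t]+/, "", spec)
            sub(/[ \t]+$/, "", spec)
            flags = ""
            if (spec == "ALL") flags = flags " [any command]"
            if (nopass)        flags = flags " [no password]"
            printf "%s: %s%s\n", user, spec, flags
        }
    ' "$1"
}

# run_sudoers_demo: audit the constructed sample.
run_sudoers_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
    audit_sudoers "$tmp"
    rm -f "$tmp"
}

run_sudoers_demo
```

The ljb rule from the notes comes out as "ljb: /sbin/useradd, /sbin/userdel [no password]", a narrow grant, while the constructed zzz rule is reported with both flags. Lines beginning with "#" are skipped, so "#include" and "#includedir /etc/sudoers.d" directives are not followed; audit those files separately. Before installing an edited file, "visudo -c -f <file>" checks its syntax without touching /etc/sudoers.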
Permission view
[root@localhost Desktop]# ls -l text      -- view file permissions
-rw-r--r--. 1 root root 0 Dec 2 03:52 text
type, permissions, the dot (SELinux context marker), link count, owner, group, size, last modified time, name
[root@localhost Desktop]# ls -ld study    -- view directory permissions
drwxr-xr-x. 2 root root 6 Nov 30 21:12 study
type, permissions, the dot, link count (how many subdirectories), owner, group
[root@localhost Desktop]# ls study/ -a
. ..
[root@localhost Desktop]# touch study/1
[root@localhost Desktop]# ls study/ -l
total 0
-rw-r--r--. 1 root root 0 Dec 2 04:12 1
[root@localhost Desktop]# ls -ld study/
drwxr-xr-x. 2 root root 15 Dec 2 04:12 study/   -- the directory size grew from 6 to 15: the new entry counts 1+1+1+1+1+1+1+1+1 = 9, and 9 + 6 = 15
10 characters in total
First character:
- indicates a file
d indicates a directory
Characters two to ten:
the first three indicate the owner's permissions
the middle three indicate the group's permissions
the last three indicate the permissions of others
r indicates the file can be read -- 4
w indicates the file can be written -- 2
x indicates the file can be executed (if it is a program) -- 1
- indicates the corresponding permission has not been granted
Hard and soft link diagram
[root@localhost Desktop]# chown ljb /mnt/test/       -- change the directory owner
[root@localhost Desktop]# chown -R ljb /mnt/test/    -- change the owner of the directory and everything inside it
[root@localhost Desktop]# chgrp ljb /mnt/ljb1        -- change the file's group
[root@localhost Desktop]# chown ljb.ljb /mnt/ljb2    -- change the file's owner and group at once
9. Change file permissions
[root@localhost Desktop]# chmod --reference=/mnt/test /mnt/ljb1   -- copy the permissions of another file
[root@localhost Desktop]# chmod u+x,g+w,o-r /mnt/ljb5             -- set permissions by character
[root@localhost Desktop]# chmod ug-w /mnt/ljb5                    -- identical changes can be merged
[root@localhost Desktop]# chmod a=rwx /mnt/ljb5
[root@localhost Desktop]# chmod 744 /mnt/ljb4                     -- set permissions in numeric mode
10. Special authority
[root@localhost Desktop]# mkdir /pub
[root@localhost Desktop]# chmod 777 /pub
[root@localhost Desktop]# chmod o+t /pub/     -- sticky bit: even with write permission on the directory, users cannot delete other people's files
[root@localhost Desktop]# chmod 1777 /pub/
[root@localhost Desktop]# chmod g+s /pub/     -- setgid on a directory: files created inside belong to the directory's group
[root@localhost Desktop]# chmod 2777 /pub/
[root@localhost Desktop]# chmod 3777 /pub/    -- both
[root@localhost Desktop]# chmod g+s /bin/cat  -- setgid on a program: everyone who runs cat does so with root's group, so its privilege is raised
-rwxr-sr-x. 1 root root 51856 Jan 11 2019 /bin/cat
[root@localhost Desktop]# chmod u+s /bin/cat  -- setuid: anyone who runs cat runs it as the super user
[root@localhost Desktop]# ls -l /bin/cat
-rwsr-sr-x. 1 root root 51856 Jan 11 2019 /bin/cat
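The mode strings that ls -l prints in sections 8 and 10 (rwx triples plus the s and t letters) map onto the 4-digit numbers chmod accepts: setuid 4, setgid 2 and sticky 1 in front of the owner/group/other digits. The script below is an added example, not part of the original notes: mode_to_octal does that conversion, and list_special locates setuid/setgid files under a directory, which is the check to run after an experiment like chmod u+s /bin/cat so the bit does not stay behind. The demo directory and its three files are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not part of the original notes: convert an ls -l mode string to
# 4-digit octal (setuid 4, setgid 2, sticky 1) and find setuid/setgid files.

# mode_to_octal "<mode string>": e.g. "-rwsr-sr-x." -> 6755, "drwxrwxrwt" -> 1777.
# A trailing "." or "+" (SELinux context / ACL marker) is ignored.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2, 9)            # drop the leading type character
        special = 0; digits = ""
        for (g = 0; g < 3; g++) {       # g: 0 owner, 1 group, 2 others
            v = 0
            r = substr(s, g * 3 + 1, 1)
            w = substr(s, g * 3 + 2, 1)
            x = substr(s, g * 3 + 3, 1)
            if (r == "r") v += 4
            if (w == "w") v += 2
            if (x == "x" || x == "s" || x == "t") v += 1       # lower-case: execute bit also set
            if (g == 0 && (x == "s" || x == "S")) special += 4  # setuid
            if (g == 1 && (x == "s" || x == "S")) special += 2  # setgid
            if (g == 2 && (x == "t" || x == "T")) special += 1  # sticky bit
            digits = digits v
        }
        print special digits
    }'
}

# list_special <dir>: regular files under <dir> with setuid or setgid set.
list_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# demo_special: constructed directory with one plain, one setuid and one setgid file;
# prints the names of the files list_special flags.
demo_special() {
    d=$(mktemp -d)
    touch "$d/plain" "$d/suid" "$d/sgid"
    chmod 0755 "$d/plain"
    chmod 4755 "$d/suid"
    chmod 2755 "$d/sgid"
    list_special "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

mode_to_octal "-rwsr-sr-x."   # the /bin/cat mode shown above -> 6755
mode_to_octal "drwxrwxrwt"    # the /pub mode with the sticky bit -> 1777
demo_special
```

Pointing list_special at / (as root) lists every setuid/setgid program on the system, which is the baseline to compare against after any chmod u+s or g+s experiment; mode_to_octal is handy for turning a line of ls -l output straight into the chmod number that restores it.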
Check which user and group a process runs as
[root@localhost Desktop]# ps ax -o user,group,comm | grep cat
[root@localhost Desktop]# watch -n 1 "ps ax -o user,group,comm | grep cat"
Permission list (ACL)
[root@localhost Desktop]# touch /mnt/ljb
[root@localhost Desktop]# ls -ld /mnt/ljb
-rw-r--r--. 1 root root 0 Dec 2 05:18 /mnt/ljb
[root@localhost Desktop]# setfacl -m u:ljb:rwx /mnt/ljb   -- give a specific user permissions on the file
[root@localhost Desktop]# ls -ld /mnt/ljb
-rw-rwxr--+ 1 root root 0 Dec 2 05:18 /mnt/ljb            -- the + means an ACL is present, so the normal permission bits are no longer the whole picture
[root@localhost Desktop]# getfacl /mnt/ljb               -- view the ACL
getfacl: Removing leading '/' from absolute path names
# file: mnt/ljb
# owner: root
# group: root
user::rw-
user:ljb:rwx
group::r--
mask::rwx
other::r--