Linux basic learning notes

System bottom security control and its optimization method

1. Significance of users and their user groups

Contents

System bottom security control and its optimization method

1. Significance of users and their user groups

1) Meaning of user existence

2) Significance of user group existence

2. User creation

3. User switching

1) User view

2) User switching

4. User related configuration files

5. Creation and deletion of users and user groups

delete user

New user

6. Information management of users and user groups

7. User authentication information management

8. Decentralization of user authority

Permission view

  Hard and soft link diagram

9. Change file permissions

10. Special authority

1) Meaning of user existence

The resources of the system are limited and need to be allocated reasonably, which requires three things:

1. Identity (account)

2. Authorization

3. Authentication

These three (the 3A mechanism) form the lowest layer of the system's security architecture.

2) Significance of user group existence

A user group is a logical container that classifies users and authorizes them as a unit.

For example: people are sensitive to names and insensitive to numbers, while computers are sensitive to numbers and insensitive to characters, so the system identifies users and groups by numbers (UID, GID) and keeps the names for people.

A user is one line of text in /etc/passwd

A user group is one line of text in /etc/group

2. User creation

Create a user in the virtual machine by hand

[root@localhost Desktop]# vim /etc/passwd

Add a line of user information at the bottom of the file

Then create the home directory /home/zzz, give the group zzz the GID 1234, change the owner of the directory and set the password; the user is then complete

[root@localhost Desktop]# mkdir /home/zzz
[root@localhost Desktop]# vim /etc/group
                            zzz:x:1234:    -- identity (GID) given to the group
[root@localhost Desktop]# chown zzz.zzz /home/zzz/    -- change the directory owner and group
[root@localhost Desktop]# passwd zzz    -- set the password
Changing password for user zzz.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

3. User switching

1) User view

View with the id command

[root@localhost Desktop]# id -u zzz -- view the UID
1234
[root@localhost Desktop]# id -g zzz -- view the initial (primary) group ID
1234
[root@localhost Desktop]# id -G zzz -- view all group IDs
1234
[root@localhost Desktop]# vim /etc/group -- add the user to another group
[root@localhost Desktop]# id -G zzz
1234 974
[root@localhost Desktop]# id -Gn zzz -- view group names; -n cannot be used on its own, it must be combined with -u, -g or -G so id knows whether to print a user name or a group name
zzz rngd
[root@localhost Desktop]# id -un zzz -- view the user name
zzz
[root@localhost Desktop]# whoami -- view the current user
root

2) User switching

Use the su command; there are two forms

The first (su user) switches only the user identity and does not switch the environment

The second (su - user) switches both the identity and the environment

[root@localhost Desktop]# su zzz
bash-4.4$ whoami
zzz
bash-4.4$ exit
exit
[root@localhost Desktop]# su - zzz
[zzz@localhost ~]$ whoami
zzz

Leaving an ordinary user inside the super user's desktop directory is a security risk, so always add the - when switching with su

[root@localhost Desktop]# su zzz
bash-4.4$ pwd
/root/Desktop    --On the super user desktop
bash-4.4$ exit

After switching users with su you must exit again. Do not keep nesting su, otherwise the shells pile up and some graphical commands report errors.

4. User related configuration files

If you cannot remember the format of a file, look it up with man 5 <file name>

[root@localhost Desktop]# man 5 <file name>

/etc/passwd         -- user identity information

zzz:x:1234:1234:zzz:/home/zzz:/bin/bash
 name:password:UID:GID:user description:home directory:login shell

/etc/group         -- group identity information

rngd:x:974:zzz
 group name:password:GID:additional members of the group

/etc/shadow         -- user authentication information (see section 7)

/home/username         -- user home directory

/var/spool/mail/username         -- user mailbox file
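To make the "one line of text" idea concrete, here is an added example (not from the original notes) that parses constructed /etc/passwd and /etc/group lines with awk the way id -Gn resolves group membership, and then lists two things worth checking in these files: accounts other than root that carry UID 0, and accounts that still have an interactive shell. The sample entries, and the helper names user_groups, uid0_aliases and interactive_users, are assumptions of this example.

```shell
#!/bin/sh
# Added example: parse /etc/passwd and /etc/group lines the way id(1) does.
# The data below is constructed for this example (the zzz/ljb/rngd/tcpdump
# entries mirror the notes); nothing is read from the real system files.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
zzz:x:1234:1234:zzz:/home/zzz:/bin/bash
ljb:x:1000:1000:ljb shuai:/home/ljb:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
backdoor:x:0:0:constructed rogue entry:/tmp:/bin/sh'

GROUP_SAMPLE='root:x:0:
tcpdump:x:72:ljb
rngd:x:974:zzz,ljb
zzz:x:1234:
ljb:x:1000:'

# user_groups NAME: print the primary group followed by the supplementary
# groups, in /etc/group file order, like "id -Gn NAME". Exit 1 if unknown.
user_groups() {
    printf '%s\n' "$PASSWD_SAMPLE" "===" "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        $0 == "===" { in_group = 1; next }
        !in_group   { if ($1 == u) pgid = $4; next }    # passwd: field 4 is the GID
        {                                                # group: name:x:GID:members
            gname[$3] = $1; order[++n] = $3
            cnt = split($4, m, ",")
            for (i = 1; i <= cnt; i++) if (m[i] == u) member[$3] = 1
        }
        END {
            if (pgid == "") exit 1
            out = gname[pgid]
            for (i = 1; i <= n; i++)
                if (order[i] != pgid && (order[i] in member)) out = out " " gname[order[i]]
            print out
        }'
}

# uid0_aliases: any account other than root whose UID is 0 has full root
# power; on a healthy system this list is empty.
uid0_aliases() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# interactive_users: accounts whose login shell allows a session.
interactive_users() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /nologin$|\/false$/ { print $1 }'
}

# Usage:
#   user_groups zzz        -> zzz rngd
#   uid0_aliases           -> backdoor
#   interactive_users      -> root zzz ljb backdoor (one per line)
```

Against the real files you would replace the two sample variables with `cat /etc/passwd` and `cat /etc/group`; the awk logic stays the same.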

5. Creation and deletion of users and user groups

Open two terminals, one for monitoring and one for operating

[root@localhost Desktop]# watch -n 1 "tail -n 3 /etc/passwd /etc/group ;echo ===;ls -l /home/"

delete user

[root@localhost Desktop]# userdel zzz -- deletes only the user identity; the home directory must be removed by hand
[root@localhost Desktop]# rm -rf /home/zzz
[root@localhost Desktop]# userdel -r ljb -- the user identity and its related files are deleted together

New user

[root@localhost Desktop]# useradd -u 6666 ljb -- specify UID to create user
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -g 72 ljb -- specify GID to create user
[root@localhost Desktop]# id ljb
uid=1000(ljb) gid=72(tcpdump) groups=72(tcpdump)    --Only one group identity
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -G 72 ljb
[root@localhost Desktop]# id ljb
uid=1000(ljb) gid=1000(ljb) groups=1000(ljb),72(tcpdump)    --There are two groups of identities
[root@localhost Desktop]# useradd -c "ljb shuai" ljb -- specify user description to create user
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -d /home/ljb ljb -- specify home to create user
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -s /bin/sh ljb -- specify the shell when creating the user
[root@localhost Desktop]# userdel -r ljb
[root@localhost Desktop]# useradd -s /sbin/nologin -M ljb -- system account: cannot log in and has no home directory

New group

groupadd -g id groupname    -- create a group with the given GID and name

groupdel groupname    -- delete a group

6. Information management of users and user groups

[root@localhost Desktop]# usermod -l zzz ljb -- change user name
[root@localhost Desktop]# usermod -l ljb zzz
[root@localhost Desktop]# usermod -u 6666 ljb -- change user UID
[root@localhost Desktop]# usermod -g 72 ljb -- change user GID
[root@localhost Desktop]# usermod -g 1000 ljb
[root@localhost Desktop]# usermod -G 72 ljb -- change user other group ID
[root@localhost Desktop]# id ljb
uid=6666(ljb) gid=1000(ljb) groups=1000(ljb),72(tcpdump)
[root@localhost Desktop]# usermod -aG 974 ljb -- add a user other group ID
[root@localhost Desktop]# id ljb
uid=6666(ljb) gid=1000(ljb) groups=1000(ljb),974(rngd),72(tcpdump)
[root@localhost Desktop]# usermod -d /home/zzz ljb -- change user home directory
[root@localhost Desktop]# usermod -d /home/ljb ljb
[root@localhost Desktop]# usermod -md /home/zzz ljb -- change the user's home directory path and move the old directory's contents there
[root@localhost Desktop]# usermod -md /home/ljb ljb
[root@localhost Desktop]# usermod -s /sbin/nologin ljb -- change user shell

7. User authentication information management

Each line of /etc/shadow has 9 fields; if you cannot remember them, look them up with man 5 shadow

ljb:!!:18962:0:99999:7:::
name:password:last change (days since 1970-01-01):minimum days between changes:maximum validity in days:warning period:inactive days:account expiry date:reserved

  Monitor files

[root@localhost Desktop]# watch -n 1 "tail -n 3 /etc/shadow"

Modify information

Different users face different conditions when changing passwords

[root@localhost Desktop]# echo ljb | passwd --stdin ljb -- change password directly
[ljb@localhost ~]$ passwd    --Ordinary users modify their own passwords (with restrictions)
Changing password for user ljb.
Current password: 
New password: 
BAD PASSWORD: The password is shorter than 8 characters
passwd: Authentication token manipulation error
[ljb@localhost ~]$ exit
logout
[root@localhost Desktop]# passwd -e ljb -- expire the password immediately (sets the last-change field to 0)
Expiring password for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -n 1 ljb -- change the minimum validity period to 1 day
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -x 30 ljb -- changes are valid for up to 30 days
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -w 2 ljb -- change the warning period to 2 days
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# passwd -i 2 ljb -- change the inactive days to 2 (the account can still log in for two days after the password expires)
Adjusting aging data for user ljb.
passwd: Success
[root@localhost Desktop]# chage -E "2021-12-25" ljb -- change the account expiration date to 2021-12-25
[root@localhost Desktop]# passwd -d ljb -- delete password
Removing password for user ljb.
passwd: Success
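The aging fields above are only numbers; what matters is how login evaluates them. The following added example (not from the original notes) classifies a /etc/shadow line the way the login checks do, given "today" in the same unit the file uses (days since 1970-01-01; the 18962 in the notes is 2021-12-01). The sample lines are constructed and the hashes are placeholders; the helper names shadow_status, password_days_left and shadow_report are assumptions of this example.

```shell
#!/bin/sh
# Added example: evaluate /etc/shadow aging fields.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:(reserved)
# Constructed sample; "$6$salt$hash" stands in for a real hash.
SHADOW_SAMPLE='ljb:!!:18962:0:99999:7:::
alice:$6$salt$hash:18962:1:30:2:2::
carol:$6$salt$hash:18962:0:99999:7::18986:'

# shadow_status LINE TODAY: print one status word for the line.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        today += 0
        pw = $2; last = $3 + 0; max = $5; warn = $6; inact = $7; expire = $8
        if (pw == "")                            { print "no-password"; next }      # empty field: login needs no password
        if (pw ~ /^[!*]/)                        { print "locked"; next }           # "!!" after useradd, "*", or a "!"-prefixed hash
        if (expire != "" && today >= expire + 0) { print "account-expired"; next }  # field 8, set by chage -E
        if ($3 != "" && last == 0)               { print "must-change"; next }      # passwd -e sets lastchg to 0
        if ($3 == "" || max == "")               { print "ok-no-aging"; next }      # aging disabled
        if (inact != "" && today >= last + max + inact) { print "password-inactive"; next }  # past the grace period
        if (today >= last + max)                 { print "password-expired"; next }
        if (warn != "" && today >= last + max - warn)   { print "warning"; next }
        print "ok"
    }'
}

# password_days_left LINE TODAY: days until lastchg + max (negative when past).
password_days_left() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{ print ($3 + $5) - today }'
}

# shadow_report TODAY: one "name status" line per sample entry.
shadow_report() {
    printf '%s\n' "$SHADOW_SAMPLE" | while IFS= read -r line; do
        printf '%s %s\n' "${line%%:*}" "$(shadow_status "$line" "$1")"
    done
}

# Usage: shadow_report 18990
#   ljb locked / alice warning / carol account-expired
```

The order of the checks mirrors how login treats the fields: an empty or locked password field wins over everything, then the account expiry date, then the password-change rules. Feed `cat /etc/shadow` and `$(( $(date +%s) / 86400 ))` to `shadow_report` to run it against a real system.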

8. Decentralization of user authority

Editing the file directly is not recommended, because a syntax error gives no warning

vim /etc/sudoers

The usual way is

visudo

The rule can be written anywhere in the file; by convention it is written near line 100

[root@localhost Desktop]# hostname -- view the host name
localhost.localdomain
[root@localhost Desktop]# visudo -- delegate authority
root    ALL=(ALL)       ALL

ljb     localhost.localdomain=(root) NOPASSWD: /sbin/useradd, /sbin/userdel    -- run without being asked for a password
:wq
[root@localhost Desktop]# su - ljb
[ljb@localhost ~]$ sudo useradd text
[ljb@localhost ~]$ sudo userdel text

Permission view

[root@localhost Desktop]# ls -l text -- view file permissions
-rw-r--r--. 1 root root 0 Dec  2 03:52 text
 type, permissions, trailing dot (SELinux context), hard link count, owner, group, size, last modified time, name

[root@localhost Desktop]# ls -ld study -- view directory permissions
drwxr-xr-x. 2 root root 6 Nov 30 21:12 study
 type, permissions, trailing dot, link count (depends on how many subdirectories it has), owner, group

[root@localhost Desktop]# ls study/ -a
 .  ..
[root@localhost Desktop]# touch study/1
[root@localhost Desktop]# ls study/ -l
total 0
-rw-r--r--. 1 root root 0 Dec  2 04:12 1
[root@localhost Desktop]# ls -ld study/
drwxr-xr-x. 2 root root 15 Dec  2 04:12 study/
 -- the directory size grew from 6 to 15: the new entry added 1+1+1+1+1+1+1+1+1=9 bytes (9+6)

  10 characters in total

first character

-   indicates a file

d   indicates a directory

characters two to ten

the first three indicate the owner's permissions

the middle three indicate the group's permissions

the last three indicate the permissions of others

r   the file can be read -- 4

w   the file can be written -- 2

x   the file can be executed (if it is a program) -- 1

-   the corresponding permission has not been granted

  Hard and soft link diagram

[root@localhost Desktop]# chown ljb /mnt/test/ -- change the directory owner

[root@localhost Desktop]# chown -R ljb /mnt/test/ -- change the owner of the directory and everything in it

[root@localhost Desktop]# chgrp ljb /mnt/ljb1 -- change the file group

[root@localhost Desktop]# chown ljb.ljb /mnt/ljb2 -- change the file owner and group together

9. Change file permissions

[root@localhost Desktop]# chmod --reference=/mnt/test /mnt/ljb1 -- permission replication

[root@localhost Desktop]# chmod u+x,g+w,o-r /mnt/ljb5 -- setting permissions by character

[root@localhost Desktop]# chmod ug-w /mnt/ljb5 -- same bits can be merged

[root@localhost Desktop]# chmod a=rwx /mnt/ljb5

[root@localhost Desktop]# chmod 744 /mnt/ljb4 -- setting permissions in digital mode

10. Special authority

[root@localhost Desktop]# mkdir /pub
[root@localhost Desktop]# chmod 777 /pub
[root@localhost Desktop]# chmod o+t /pub/ -- sticky bit (even with write permission on the directory, you cannot delete other people's files)
[root@localhost Desktop]# chmod 1777 /pub/
[root@localhost Desktop]# chmod g+s /pub/ -- setgid: files created in the directory get the directory's group
[root@localhost Desktop]# chmod 2777 /pub/
[root@localhost Desktop]# chmod 3777 /pub/ -- both

[root@localhost Desktop]# chmod g+s /bin/cat -- setgid on a program: every cat process runs with the file's group (root), so its privileges are raised
-rwxr-sr-x. 1 root root 51856 Jan 11  2019 /bin/cat

[root@localhost Desktop]# chmod u+s /bin/cat -- setuid: whoever runs it runs as the file owner (the super user)
[root@localhost Desktop]# ls -l /bin/cat
-rwsr-sr-x. 1 root root 51856 Jan 11  2019 /bin/cat
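The permission string in section 8 (r=4, w=2, x=1), the numeric mode of section 9 and the special bits above are one encoding seen from two sides. The following added example (not from the original notes) converts between the symbolic form ls prints and the octal form chmod takes, including the setuid (4), setgid (2) and sticky (1) digit and the capital S/T that ls shows when the bit is set without the execute bit, and then scans constructed ls -l lines for setuid/setgid files. The sample ls lines and the helper names mode_to_octal, octal_to_mode and setuid_setgid_files are assumptions of this example.

```shell
#!/bin/sh
# Added example: symbolic <-> octal modes with the special bits.

# mode_to_octal 'rwsr-sr-x' or '-rwsr-sr-x.' -> 6755 (always four digits)
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = $0
        if (length(s) >= 10) s = substr(s, 2, 9)   # drop the type char and a trailing "." or "+"
        special = 0; out = ""
        for (t = 0; t < 3; t++) {                   # owner, group, others
            v = 0
            if (substr(s, t*3 + 1, 1) == "r") v += 4
            if (substr(s, t*3 + 2, 1) == "w") v += 2
            x = substr(s, t*3 + 3, 1)
            if (x == "x" || x == "s" || x == "t") v += 1   # lower case: execute bit is set too
            if (t == 0 && (x == "s" || x == "S")) special += 4   # setuid
            if (t == 1 && (x == "s" || x == "S")) special += 2   # setgid
            if (t == 2 && (x == "t" || x == "T")) special += 1   # sticky
            out = out v
        }
        printf "%d%s\n", special, out
    }'
}

# octal_to_mode 6755 -> rwsr-sr-x ; 744 -> rwxr--r-- ; 4644 -> rwSr--r--
octal_to_mode() {
    printf '%s\n' "$1" | awk '{
        n = $0
        while (length(n) < 4) n = "0" n
        special = substr(n, 1, 1) + 0; out = ""
        for (t = 0; t < 3; t++) {
            v = substr(n, t + 2, 1) + 0
            bit = (t == 0) ? 4 : (t == 1) ? 2 : 1       # which special digit applies to this triplet
            out = out ((v >= 4) ? "r" : "-")
            out = out ((int(v / 2) % 2) ? "w" : "-")
            if (int(special / bit) % 2)
                out = out ((v % 2) ? (t == 2 ? "t" : "s") : (t == 2 ? "T" : "S"))
            else
                out = out ((v % 2) ? "x" : "-")
        }
        print out
    }'
}

# Constructed ls -l lines (the /bin/cat line is the one from the notes; the
# other sizes are made up).
LS_SAMPLE='-rwsr-sr-x. 1 root root 51856 Jan 11  2019 /bin/cat
-rwxr-xr-x. 1 root root 33544 Jan 11  2019 /bin/ls
-rwsr-xr-x. 1 root root 12345 Jan 11  2019 /usr/bin/passwd
drwxrwxrwt. 2 root root     6 Dec  2 05:00 /pub'

# setuid_setgid_files: regular files with s/S in the owner or group position;
# anything unexpected in this list deserves a look.
setuid_setgid_files() {
    printf '%s\n' "$LS_SAMPLE" | awk '$1 ~ /^-..[sS]/ || $1 ~ /^-.....[sS]/ { print $NF }'
}

# Usage:
#   mode_to_octal '-rwsr-sr-x.'   -> 6755
#   octal_to_mode 3777            -> rwxrwsrwt
#   setuid_setgid_files           -> /bin/cat and /usr/bin/passwd
```

A capital S or T in the output is the tell-tale of a special bit set on a file that is not even executable, which is usually a mistake; the scanner only looks at the owner and group positions because the sticky bit is only meaningful on directories.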

Check which user and group the running processes belong to

[root@localhost Desktop]# ps ax -o user,group,comm | grep cat
[root@localhost Desktop]# watch -n 1 "ps ax -o user,group,comm | grep cat"

Permission list

[root@localhost Desktop]# touch /mnt/ljb
[root@localhost Desktop]# ls -ld /mnt/ljb 
-rw-r--r--. 1 root root 0 Dec  2 05:18 /mnt/ljb


[root@localhost Desktop]# setfacl -m u:ljb:rwx /mnt/ljb -- specify a user's permissions on files
[root@localhost Desktop]# ls -ld /mnt/ljb 
-rw-rwxr--+ 1 root root 0 Dec  2 05:18 /mnt/ljb
 -- the + sign means that the normal permission bits no longer show the whole picture: an ACL is set

[root@localhost Desktop]# getfacl /mnt/ljb -- how to view it
getfacl: Removing leading '/' from absolute path names
# file: mnt/ljb
# owner: root
# group: root
user::rw-
user:ljb:rwx
group::r--
mask::rwx
other::r--
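The mask line in the getfacl output is what actually limits the named entries: a named user's rwx only takes effect as far as the mask allows. The following added example (not from the original notes) applies the mask to constructed getfacl text, printing the effective permission of each entry, and answers whether a given user has a given permission. The ACL text follows the output above with the mask tightened to r-x; the helper names acl_effective and acl_allows are assumptions of this example.

```shell
#!/bin/sh
# Added example: effective ACL permissions after the mask is applied.
# Constructed getfacl output (same entries as the notes, mask set to r-x).
ACL_SAMPLE='# file: mnt/ljb
# owner: root
# group: root
user::rw-
user:ljb:rwx
group::r--
mask::r-x
other::r--'

# acl_effective ACL_TEXT: print each entry with its effective permissions.
# The mask limits named users, the owning group and named groups; it never
# limits the owner (user::) or other.
acl_effective() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 3 { next }                       # skip the header comments
        { n++; tag[n] = $1; name[n] = $2; perm[n] = $3; if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                if (mask != "" && (tag[i] == "group" || name[i] != "")) {
                    eff = ""
                    for (k = 1; k <= 3; k++) {        # keep a bit only if the mask has it too
                        c = substr(p, k, 1)
                        eff = eff ((c != "-" && c == substr(mask, k, 1)) ? c : "-")
                    }
                    p = eff
                }
                printf "%s:%s:%s\n", tag[i], name[i], p
            }
        }'
}

# acl_allows ACL_TEXT USER PERM: "yes" if USER has a named entry granting PERM
# (r, w or x) after the mask is applied, otherwise "no".
acl_allows() {
    acl_effective "$1" | awk -F: -v u="$2" -v p="$3" '
        $1 == "user" && $2 == u { print (index($3, p) ? "yes" : "no"); found = 1 }
        END { if (!found) print "no" }'
}

# Usage:
#   acl_effective "$ACL_SAMPLE"      -> user:ljb:r-x (the w from the entry is masked out)
#   acl_allows "$ACL_SAMPLE" ljb w   -> no
```

This is the same arithmetic getfacl shows as `#effective:` next to a masked entry, and it explains why a `chmod g-w` on a file with an ACL (which rewrites the mask, not the named entries) can silently take write access away from a named user.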

Tags: Linux Operation & Maintenance security

Posted on Wed, 01 Dec 2021 08:34:09 -0500 by Ton Wibier