RH131 notes --- Unit 5: User Administration
1. User management
useradd
usermod
userdel
2. Group management
groupadd
groupmod
groupdel
3. Password policy management
chage -l root    (show the password-aging settings for root)
The password-aging policy is stored in /etc/shadow (one record per account: name:hash:last-change:min:max:warn:inactive:expire:reserved)
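Added example (shell, not part of the course notes): a small decoder for the aging fields that chage -l reads from /etc/shadow, run over constructed sample records and flagging the settings a reviewer would object to. The account names and hash strings are made up for this example.

```shell
#!/bin/sh
# Decode the password-aging fields of /etc/shadow records and flag weak policy.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (day counts since 1970-01-01; chage -l shows the same values as dates).

# shadow_policy RECORD
#   prints: NAME lock=<yes|no> min=<n> max=<n> warn=<n> flags=<ok|comma-list>
shadow_policy() {
  IFS=: read -r name hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
  lock=no
  flags=
  case $hash in
    '')        flags="${flags}empty-password,";;  # no password at all: login needs none
    '!'*|'*'*) lock=yes;;                          # passwd -l / usermod -L or a system account
    '$1$'*)    flags="${flags}md5-hash,";;         # legacy MD5-crypt hash
  esac
  # max empty or 99999 means the password never expires (the useradd default)
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
    flags="${flags}never-expires,"
  fi
  # warn=0 with a real max means users get no notice before their password expires
  if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ "${warn:-0}" -eq 0 ]; then
    flags="${flags}no-warning,"
  fi
  flags=${flags%,}
  printf '%s lock=%s min=%s max=%s warn=%s flags=%s\n' \
    "$name" "$lock" "$min" "$max" "$warn" "${flags:-ok}"
}

# Constructed sample records (not from a real system).
SHADOW_SAMPLE='alice:$6$saltsalt$0123456789abcdef:19723:0:90:7:::
bob:!$6$saltsalt$fedcba9876543210:19700:0:99999:7:::
svc::19723:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdef:18000:0:90:0:::'

# shadow_audit -> one line per sample record whose policy has a problem
shadow_audit() {
  printf '%s\n' "$SHADOW_SAMPLE" | while IFS= read -r rec; do
    shadow_policy "$rec"
  done | grep -v 'flags=ok$'
}

shadow_audit
```

On a real host you would feed `shadow_policy` the lines of /etc/shadow itself (readable by root only); the locked account bob still carries a never-expiring password, which matters the moment someone runs usermod -U on it.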
4. sudo
Users listed in /etc/sudoers execute commands with:
an effective user id of 0
the group id of root's group
If a user not listed in /etc/sudoers attempts to use sudo, the attempt is logged and, with sudo's default settings, mailed to the administrator.
Edit /etc/sudoers only with visudo, which locks the file and checks its syntax before saving.
5. Network users
Configuration tool: system-config-authentication
NIS configuration
must install the ypbind and portmap RPMs
LDAP configuration
must install the nss_ldap and openldap RPMs
6. SUID and SGID
chmod u+s filename    SUID: the program runs with the file owner's effective UID, not the caller's
chmod g+s filename    SGID: an executable runs with the file's group as its effective GID; on a directory, new files inherit the directory's group
The difference between S and s:
if the execute bit is not set, the letter is uppercase (the bit is set but has no effect)
if the execute bit is set, the letter is lowercase
Example:
[root@server1 ~]# touch 1
[root@server1 ~]# ls -al 1
-rw-r--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod u+s 1
[root@server1 ~]# ls -al 1
-rwSr--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod g+s 1
[root@server1 ~]# ls -al 1
-rwSr-Sr-- 1 root root 0 06-06 00:24 1
[root@server1 ~]#
[root@server1 ~]# touch 2
[root@server1 ~]# chmod +x 2
[root@server1 ~]# ls -al 2
-rwxr-xr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]# chmod u+s 2
[root@server1 ~]# chmod g+s 2
[root@server1 ~]# ls -al 2
-rwsr-sr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]#
7. The sticky bit
Normally users with write permission on a directory can delete any file in that directory, regardless of that file's permissions or ownership.
With the sticky bit set on a directory, only the file's owner (and the directory's owner, and root) can delete or rename the file.
example:
[root@server1 ~]# ls -al /tmp
drwxrwxrwt 8 root root 4096 06-05 23:45 .
chmod o+t /home/share    (the t in the last position of drwxrwxrwt is the sticky bit)
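Added example (shell, not from the course notes) covering both the SUID/SGID section and the sticky bit: it decodes the s/S/t/T characters of an ls -l mode string, rebuilds files 1 and 2 from the listing above plus a sticky world-writable directory in a temporary directory, and then audits that directory with find -perm, which is how you would look for setuid programs on a real host. The directory layout is constructed for the example.

```shell
#!/bin/sh
# Decode the special bits of an ls -l mode string, rebuild the files from the
# notes in a temporary directory, and audit that directory for setuid files.

# classify_mode MODESTRING  (10-character ls -l mode field, e.g. -rwSr-Sr--)
#   prints "suid=X sgid=X sticky=X" where
#     s / t  bit set and the matching execute bit present (the bit is effective)
#     S / T  bit set but no execute bit: ls shows a capital letter
#     -      bit not set
classify_mode() {
  m=$1
  suid=$(printf '%s' "$m" | cut -c4)
  sgid=$(printf '%s' "$m" | cut -c7)
  sticky=$(printf '%s' "$m" | cut -c10)
  case $suid in s|S) ;; *) suid=-;; esac
  case $sgid in s|S) ;; *) sgid=-;; esac
  case $sticky in t|T) ;; *) sticky=-;; esac
  printf 'suid=%s sgid=%s sticky=%s\n' "$suid" "$sgid" "$sticky"
}

# mode_of PATH -> the 10-character mode field from ls -ld
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# count_setuid_files DIR -> number of regular files under DIR with the SUID bit
# set, effective or not (a setuid audit should list both kinds)
count_setuid_files() {
  find "$1" -type f -perm -4000 | grep -c .
}

# demo_special_bits -> creates the layout from the notes, prints its path
demo_special_bits() {
  d=$(mktemp -d) || return 1
  : > "$d/1"; chmod 6644 "$d/1"        # chmod u+s,g+s on a 644 file: -rwSr-Sr--
  : > "$d/2"; chmod 6755 "$d/2"        # chmod u+s,g+s on a 755 file: -rwsr-sr-x
  mkdir "$d/share"; chmod 1777 "$d/share"   # chmod o+t on a 777 dir: drwxrwxrwt
  printf '%s\n' "$d"
}

d=$(demo_special_bits)
ls -l "$d"
for f in 1 2 share; do
  printf '%s: %s\n' "$f" "$(classify_mode "$(mode_of "$d/$f")")"
done
printf 'setuid files found: %s\n' "$(count_setuid_files "$d")"
rm -rf "$d"
```

Note that find -perm -4000 reports file 1 as well as file 2: the bit is set even though ls shows a capital S, and a later chmod +x would make it effective, so an audit should not ignore it.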
8. Default file permissions
Usage:
[root@server1 ~]# umask
0022
[root@server1 ~]# cat /etc/bashrc
# /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile
# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
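Added example (shell, not from the course notes): it computes the mode a new file or directory gets under a given umask, reproduces the /etc/bashrc branch above for a given uid, primary group and user name without needing those accounts to exist, and creates a real file under a chosen umask to confirm the result. The account values used are made up for the example.

```shell
#!/bin/sh
# What a umask produces, and which umask the /etc/bashrc rule picks.

# to_dec OCTAL -> decimal value of an octal string such as 022
to_dec() { printf '%d' "0$1"; }

# mode_after_umask MASK file|dir -> octal mode of a newly created file or
# directory: files start from 666, directories from 777, mask bits are cleared
mode_after_umask() {
  case $2 in
    file) base=438;;   # 0666
    dir)  base=511;;   # 0777
    *)    return 1;;
  esac
  printf '%03o\n' $(( $base & ~$(to_dec "$1") ))
}

# default_umask UID PRIMARY_GROUP USERNAME -> the umask /etc/bashrc selects:
# 002 for a non-system user whose primary group is their own private group
# (group-writable files are still private to them), 022 for everyone else
default_umask() {
  if [ "$1" -gt 99 ] && [ "$2" = "$3" ]; then
    printf '002\n'
  else
    printf '022\n'
  fi
}

# created_mode MASK -> ls mode string of a file actually created under MASK
created_mode() {
  d=$(mktemp -d) || return 1
  (umask "$1" && : > "$d/f") || return 1
  ls -ld "$d/f" | cut -c1-10
  rm -rf "$d"
}

for m in 022 002 077; do
  printf 'umask %s: file %s  dir %s\n' "$m" \
    "$(mode_after_umask "$m" file)" "$(mode_after_umask "$m" dir)"
done
printf 'alice (uid 500, group alice) gets umask %s\n' "$(default_umask 500 alice alice)"
printf 'file created under umask 077: %s\n' "$(created_mode 077)"
```

The 002 branch is only safe because of user private groups: if an administrator changes a user's primary group to a shared one such as users, the rule falls back to 022, otherwise every new file would be writable by the whole group.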
9. Access control lists
Grant rwx access to files and directories for multiple users or groups
The filesystem must be mounted with the acl option (mount -o remount,acl /directory, or acl in /etc/fstab)
View ACLs:
getfacl file|directory
Set ACLs:
setfacl -m u:gandolf:rwx file|directory    (named user)
setfacl -m g:nazgul:rw file|directory      (named group)
setfacl -m d:u:frodo:rw directory          (default ACL: inherited by files created in the directory)
Remove ACL entries:
setfacl -x u:samwise file|directory
10. SELinux
all files and processes have a security context
the context has several elements, depending on the security needs:
user:role:type:sensitivity:category
user_u:object_r:tmp_t:s0:c0
not all systems will display s0:c0
ls -Z    (file contexts)
ps -Z    (process contexts)
Example:
[root@server1 ~]# ls -Z /etc/shadow
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
[root@server1 ~]# ls -Z /etc/aliases
-rw-r--r-- root root system_u:object_r:etc_aliases_t:s0 /etc/aliases
[root@server1 ~]#
Change a file's context (here its type):
chcon -t tmp_t /etc/hosts
Restore the file's default context from the policy's file-context database:
restorecon /etc/hosts
Change the system-wide setting:
getenforce          (show the current mode: Enforcing, Permissive or Disabled)
setenforce 0|1      (switch to permissive (0) or enforcing (1) until the next boot only)
/etc/sysconfig/selinux    (persistent setting: SELINUX=enforcing|permissive|disabled)
system-config-securitylevel
system-config-selinux
Install the setroubleshoot package to see which actions were denied; its daemon is:
setroubleshootd
It advises on how to make the denials go away, not on whether doing so is secure, so review its suggestions before applying them.
From the ITPUB blog, link: http://blog.itpub.net/312079/viewspace-1007352/ ; please cite the source when reposting, otherwise legal action may be taken.