RH131 notes - Unit 5: User Administration

Posted by tonykorn97 on 2008-07-16
1. User management
useradd
usermod
userdel

2. Group management
groupadd
groupmod
groupdel

3. Password policy management
chage -l root
The password policy is stored in the /etc/shadow file

4. sudo
users listed in /etc/sudoers execute commands with:
an effective user id of 0
group id of root's group

an administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo


5. Network users
Configuration: system-config-authentication

NIS configuration
must install ypbind and portmap RPMS

LDAP Configuration
must install nss-ldap and openldap RPMS


6. SUID and SGID
chmod u+s filename: inherits the file owner's privileges
chmod g+s filename: inherits the directory's group permissions

Difference between uppercase S and lowercase s:
if the execute bit is not set, it is shown as uppercase S
if the execute bit is set, it is shown as lowercase s


Example:
[root@server1 ~]# touch 1
[root@server1 ~]# ls -al 1
-rw-r--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod u+s 1
[root@server1 ~]# ls -al 1
-rwSr--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod g+s 1
[root@server1 ~]# ls -al 1
-rwSr-Sr-- 1 root root 0 06-06 00:24 1
[root@server1 ~]#


[root@server1 ~]# touch 2
[root@server1 ~]# chmod +x 2
[root@server1 ~]# ls -al 2
-rwxr-xr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]# chmod u+s 2
[root@server1 ~]# chmod g+s 2
[root@server1 ~]# ls -al 2
-rwsr-sr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]#
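As an added example (not part of the original notes), a small audit script that applies the uppercase/lowercase S rule above to every setuid/setgid file under a directory, flagging the "dangling" case where the bit is set but the execute bit is missing. It assumes a Linux box with GNU coreutils (stat -c) and find -perm, as on RHEL; the demo rebuilds files 1 and 2 from the session above in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes GNU find/stat (Linux).

# special_char MODE POS: print the character at position POS of a symbolic
# mode string such as -rwSr-sr-x (4 = user execute slot, 7 = group execute slot).
special_char() {
    printf '%s\n' "$1" | cut -c"$2"
}

# classify_mode MODE: print "setuid=<state> setgid=<state>", where the state
# is "effective" for s (bit plus execute), "dangling" for S (bit without
# execute, so it has no effect) and "none" otherwise.
classify_mode() {
    u=$(special_char "$1" 4)
    g=$(special_char "$1" 7)
    case "$u" in s) us=effective ;; S) us=dangling ;; *) us=none ;; esac
    case "$g" in s) gs=effective ;; S) gs=dangling ;; *) gs=none ;; esac
    printf 'setuid=%s setgid=%s\n' "$us" "$gs"
}

# audit_dir DIR: list every regular file under DIR carrying setuid or setgid
# and classify it; one "<classification> <path>" line per file.
audit_dir() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%A %n' {} \; |
    while read -r mode path; do
        printf '%s %s\n' "$(classify_mode "$mode")" "$path"
    done
}

# demo: recreate the two files from the notes in a scratch directory and audit them.
demo() {
    d=$(mktemp -d)
    touch "$d/1"; chmod u+s,g+s "$d/1"                   # no execute bit -> S
    touch "$d/2"; chmod +x "$d/2"; chmod u+s,g+s "$d/2"   # execute bit -> s
    audit_dir "$d"
    rm -rf "$d"
}
```

Running audit_dir against / (as root) gives a quick inventory of setuid binaries worth reviewing; a "dangling" entry is harmless but usually a sign of a mistaken chmod.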


7. The sticky bit
normally users with write permissions to a directory can delete any file in that directory regardless of that file's permissions or ownership
with the sticky bit set on a directory, only the owner of a file can delete the file
example:
[root@server1 ~]# ls -al /tmp
drwxrwxrwt 8 root root 4096 06-05 23:45 .

chmod o+t /home/share


8. Default file permissions
Usage:
[root@server1 ~]# umask
0022
[root@server1 ~]# cat /etc/bashrc
# /etc/bashrc

# System wide functions and aliases
# Environment stuff goes in /etc/profile

# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi


9. Access control lists
Grant rwx access to files and directories for multiple users or groups

mount -o acl /directory

View ACLs
getfacl file|directory

Set ACLs
setfacl -m u:gandolf:rwx file|directory
setfacl -m g:nazgul:rw file|directory
setfacl -m d:u:frodo:rw directory

Remove ACLs
setfacl -x u:samwise file|directory

10. SELinux
all files and processes have a security context
the context has several elements, depending on the security needs

user:role:type:sensitivity:category
user_u:object_r:tmp_t:s0:c0
not all systems will display s0:c0

ls -Z
ps -Z

Example:
[root@server1 ~]# ls -Z /etc/shadow
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
[root@server1 ~]# ls -Z /etc/aliases
-rw-r--r-- root root system_u:object_r:etc_aliases_t:s0 /etc/aliases
[root@server1 ~]#


Change the security context
chcon -t tmp_t /etc/hosts

Restore the file's default context
restorecon /etc/hosts

Change the system default settings
getenforce: show the current mode
setenforce 0|1: reset the SELinux mode

/etc/sysconfig/selinux
system-config-securitylevel
system-config-selinux

Install the following package to see what was blocked:
setroubleshootd
it advises on how to avoid errors, not on how to ensure security.

From the ITPUB blog, link: http://blog.itpub.net/312079/viewspace-1007352/ ; please cite the source when reposting, otherwise legal action will be pursued.