- User identity management
  - UID (User Identification)
    - The UID of the administrator (root) is 0.
    - UIDs of system users range from 1 to 999. For the sake of security, Linux by default gives each service its own system user, which to some extent limits the damage an attacker can do through one compromised service.
    - Ordinary users have UIDs starting from 1000 and must be created by the administrator.
  - Every UID must be unique. Linux also has the GID (Group Identification), under which similar users can be grouped for easier management.
    - When a new user is created, a basic group with the same name as the user is created automatically; this basic group contains only that one user. If the user is later added to other groups, those are called "extended groups", and they make shared work or services easier to manage.
  - id: print real and effective user and group IDs

```
[root@linuxprobe userAndFilePermission]# id linuxprobe
uid=1000(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe)
```
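To make the UID conventions above concrete, here is an added audit script (not part of the original notes) that reads passwd-format lines and flags the accounts an administrator would want to look at: any account other than root with UID 0, system accounts (UID 1-999) with an interactive shell, and accounts whose password field is empty. The sample lines are constructed for the example, not copied from a real system; on a real host the input would be `/etc/passwd`.

```shell
#!/bin/sh
# Added example: audit accounts against the UID conventions in the notes.
# sample_passwd prints constructed lines in /etc/passwd format
# (name:password:UID:GID:comment:home:shell); it is not a real system's data.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
deploy:x:998:998:deploy robot:/home/deploy:/bin/bash
backdoor:x:0:0:looks like a service:/:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
linuxprobe:x:1000:1000::/home/linuxprobe:/bin/bash
EOF
}

# audit_passwd: read passwd-format lines on stdin and print one finding per
# line as "<severity> <user> <reason>". Accounts that follow the conventions
# (root is the only UID 0, system users have nologin/false shells, ordinary
# users from UID 1000 with a password set) produce no output.
audit_passwd() {
    awk -F: '
        # any UID 0 account is an administrator regardless of its name
        $3 == 0 && $1 != "root" { print "HIGH", $1, "extra UID 0 account" }
        # system users (1-999) are expected to have a non-login shell
        $3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ {
            print "MEDIUM", $1, "system UID with login shell " $7
        }
        # an empty password field means the account can be used without a password
        $2 == "" { print "HIGH", $1, "empty password field" }
    '
}

# Demo run on the constructed sample; the real check would be
#   audit_passwd < /etc/passwd
sample_passwd | audit_passwd
```

The sample deliberately contains one "service-looking" account with UID 0 and one with an empty password field: `id` shows only the name, so an account named like a service but carrying UID 0 is easy to miss unless the numeric field is checked.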
  - useradd: create a new user or update the default new-user information. The default home directory is placed under /home and the default shell interpreter is /bin/bash.
    - -d  home directory (default /home/username)
    - -e  account expiration date, YYYY-MM-DD
    - -u  UID
    - -g  initial group (basic group)
    - -G  extended groups
    - -N  do not create a group with the same name as the user (-M is the option that skips creating the home directory)
    - -s  default shell interpreter

```
[root@linuxprobe userAndFilePermission]# useradd test
[root@linuxprobe userAndFilePermission]# id test
uid=1005(test) gid=1005(test) groups=1005(test)
# useradd with customized options
[root@linuxprobe userAndFilePermission]# useradd -d /home/linuxtest -u 8889 -s /sbin/noloing linuxtest
[root@linuxprobe userAndFilePermission]# id linuxtest
uid=8889(linuxtest) gid=8889(linuxtest) groups=8889(linuxtest)
[root@linuxprobe userAndFilePermission]# su linuxdown
su: failed to execute /sbin/noloing: No such file or directory
```
  - groupadd: create a new group. Adding users to a group is convenient because the permissions granted to the group apply to all of its members at once.

```
[root@linuxprobe userAndFilePermission]# groupadd xuan
```
  - usermod (user modify): modify a user account
    - -c  comment for the user
    - -d -m  set a new home directory and move the existing data into it
    - -e  set the expiration date, YYYY-MM-DD
    - -g  change the basic group
    - -G  change the extended groups
    - -L  lock the account (disable login)
    - -U  unlock the account (enable login)
    - -s  change the default shell, e.g. /sbin/nologin
    - -u  change the UID

```
[root@linuxprobe cool]# usermod -G root linxprobe
[root@linuxprobe cool]# usermod -u 10000 linxprobe
[root@linuxprobe cool]# id linxprobe
uid=10000(linxprobe) gid=8889(linxprobe) groups=8889(linxprobe),0(root)
[root@linuxprobe cool]# usermod -s /sbin/nologin linxprobe
[root@linuxprobe cool]# su - linxprobe
This account is currently not available.
# once the default shell has been changed to /sbin/nologin, this user can no longer
# log in to a terminal, but services running as the user still work
```
  - passwd: change a user's password. An ordinary user can use passwd to change their own password; root can change any user's password.
    - -l  lock the password (disable login)
    - -u  unlock the password (enable login)
    - --stdin  read the new password from standard input, e.g. echo "NewPassWord" | passwd --stdin Username
    - -d  delete the password (allows login with an empty password)
    - -e  expire the password, forcing the user to change it at the next login
    - -S  report the password status: whether login is disabled, and the authentication algorithm

```
# root user
[root@linuxprobe cool]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@linuxprobe cool]# passwd -S linxprobe
linxprobe LK 2021-01-20 0 99999 7 -1 (Password locked.)
# ordinary user
[linuxprobe@linuxprobe cool]$ passwd
Changing password for user linuxprobe.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# lock and unlock a user
[root@linuxprobe ~]# passwd -l linuxprobe
Locking password for user linuxprobe.
passwd: Success
[root@linuxprobe ~]# passwd -u linuxprobe
Unlocking password for user linuxprobe.
passwd: Success
```
  - userdel (user delete): delete an existing user. userdel removes the account but keeps the home directory; add the -r parameter to remove it completely.
    - -f  force deletion of the user
    - -r  delete the user completely, removing the home directory as well. Normally it is recommended to keep the home directory, since its data may be valuable later.

```
[root@linuxprobe ~]# userdel linxprobe
[root@linuxprobe ~]# id linxprobe
id: ‘linxprobe’: no such user
[root@linuxprobe ~]# cd /home
[root@linuxprobe home]# tree
.
├── cool
├── linuxcool
├── linuxprobe
│   ├── Desktop
│   ├── Documents
│   ├── Downloads
│   ├── Music
│   ├── Pictures
│   ├── Public
│   ├── Templates
│   ├── test
│   ├── the job from file rather than standard input.
│   └── Videos
└── linxprobe

13 directories, 1 file
[root@linuxprobe home]# rm -fR linxprobe/
```
- File Permission and Ownership
  - Each file in Linux belongs to a particular user and group, and carries permissions: read (r), write (w), and execute (x).
  - r, w and x are easy to understand for ordinary files, less so for directories; in fact files and directories use a similar but not identical approach in Linux permission management.
  - The following output shows the difference between file and directory entries, the permissions in text form (with their digital equivalents), and the ownership:

```
[root@linuxprobe ~]# ls -la
total 36
dr-xr-x---.  5 root root  221 Jan 20 21:16 .
dr-xr-xr-x. 17 root root  224 Jan  6 22:13 ..
-rw-------.  1 root root 1403 Jan  6 22:20 anaconda-ks.cfg
-rw-------.  1 root root 281i Jan 19 01:28 .bash_history
-rw-r--r--.  1 root root   18 Aug 13  2018 .bash_logout
-rw-r--r--.  1 root root  176 Aug 13  2018 .bash_profile
-rw-r--r--.  1 root root  176 Aug 13  2018 .bashrc
```

  - In the first column, after the file-type character, each group of three characters represents the read, write and execute permissions of the owner, the group, and others respectively; the same information can be written in digital (octal) form, e.g. rw-r--r-- is 644. The owner and group columns show the ownership.
  - Frequently used file types (first character):
    - Ordinary file (-)
    - Directory (d)
    - Link file (l)
    - Pipe (p)
    - Block device (b)
    - Character device (c)
- Special Permission
  - SUID
    - SUID gives a binary application a special permission: whoever executes the binary temporarily gets the permissions of the file's owner (this only works for binary applications). For example, the passwd command lets a user change their own password even though passwords are stored in the /etc/shadow file, whose default permission is 000 (only root can change it). This is feasible because passwd has the SUID permission:

```
[root@linuxprobe ~]# ls -l /bin/passwd
-rwsr-xr-x. 1 root root 34512 Aug 12  2018 /bin/passwd
```

    - Warning!!! SUID is powerful and dangerous; it must never be set on vim, cat, rm, etc.
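The warning above is why administrators periodically look for files carrying SUID or SGID. The following is an added example, not part of the original notes: it builds a throwaway directory tree (a constructed fixture, not real system binaries), sets the bits on files it owns exactly as `chmod u+s` / `chmod g+s` would, and lists every hit with `find -perm`. It runs without root and never executes the files.

```shell
#!/bin/sh
# Added example: locate files carrying SUID or SGID the way an administrator
# checks a system after the warning above. The tree is a constructed fixture;
# the bits are set on files we own, so no root is needed and nothing is run.

# make_fixture DIR: create the sample tree with one SUID and one SGID file
make_fixture() {
    mkdir -p "$1/bin" "$1/sbin"
    : > "$1/bin/plain"
    : > "$1/bin/setuid-tool"
    : > "$1/sbin/setgid-tool"
    chmod 755 "$1/bin/plain"          # ordinary executable: -rwxr-xr-x
    chmod 4755 "$1/bin/setuid-tool"   # same as chmod u+s: -rwsr-xr-x
    chmod 2755 "$1/sbin/setgid-tool"  # same as chmod g+s: -rwxr-sr-x
}

# find_special_bits DIR: print every regular file under DIR with the SUID
# (4000) or SGID (2000) bit set, sorted, one path per line.
# "-perm -4000" matches when all of the given bits are set, so the other
# permission bits of the file do not matter.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Demo: build the fixture, show each hit with its mode string, clean up.
# On a real system the equivalent check is:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \)
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
find_special_bits "$demo_dir" | while read -r path; do
    ls -l "$path"
done
rm -rf "$demo_dir"
```

Comparing the output of such a scan against a known-good list from installation time is the practical way to notice a stray `s` bit on something like cat or vim.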
  - SGID
    - For a file: the user who accesses it is given the permission of the group the file belongs to, rather than their own. When a user accesses the file onlyroot.txt, the permission that applies is that of the group the file belongs to, which here is root:

```
[root@linuxprobe sgid]# chmod 440 onlyroot.txt
[root@linuxprobe sgid]# ls -l onlyroot.txt
-r--r-----. 1 root root 14 Jan 20 15:53 onlyroot.txt
[root@linuxprobe sgid]# chmod g+s onlyroot.txt
[root@linuxprobe sgid]# ls -l onlyroot.txt
-r--r-S---. 1 root root 14 Jan 20 15:53 onlyroot.txt
```

    - For a directory: newly created files are put into the same group as the directory. For example, if we set up a directory with the SGID permission and share it with everyone in the same department, every file anyone in the department creates there belongs to the directory's group, as configured with SGID.

```
# create a test directory for sgid with root owner and group
[root@linuxprobe sgid]# chmod -R 777 sgidDir/
[root@linuxprobe sgid]# chmod -R g+s sgidDir/
[root@linuxprobe sgid]# ls -ald sgidDir/
drwxrwsrwx. 3 root root 18 Jan 20 16:06 sgidDir/
# switch to an ordinary user and create a new file within the directory above,
# then check the group of the newly created text file
[test@linuxprobe test]$ echo "test" > test.txt
[test@linuxprobe test]$ ls -al test.txt
-rw-rw-r--. 1 test root 5 Jan 20 16:24 test.txt
# in another directory the group is the ordinary user's own group,
# i.e. the basic group
[test@linuxprobe userAndFilePermission]$ ls -la test.txt
-rw-rw-r--. 1 test test 5 Jan 20 16:31 test.txt
```
  - SBIT
    - SBIT, also known as the sticky bit, has a special function: it only allows a file to be deleted by its creator, not by other users. So the critical point is whether the user has read, write and delete permission within the particular directory, rather than the user's own permissions on the file.

```
# the "x" of the other-user permission now shows as "t", i.e. the sticky bit
# in other words, only the owner of a file within /tmp can delete it
[root@linuxprobe ~]# ls -lad /tmp
drwxrwxrwt. 23 root root 4096 Jan 20 16:37 /tmp
# create a new file in /tmp, which already has the sbit permission configured
[root@linuxprobe ~]# cd /tmp
[root@linuxprobe tmp]# echo "test for sbit" > sbit_test.txt
[root@linuxprobe tmp]# ls -al sbit_test.txt
-rw-r--r--. 1 root root 14 Jan 20 16:45 sbit_test.txt
[root@linuxprobe tmp]# chmod +777 sbit_test.txt
[root@linuxprobe tmp]# ls -al sbit_test.txt
-rwxrwxrwx. 1 root root 14 Jan 20 16:45 sbit_test.txt
# switch to the ordinary user
[root@linuxprobe tmp]# su test
# try to delete the file; it fails with a permission error
[test@linuxprobe tmp]$ rm -f sbit_test.txt
rm: cannot remove 'sbit_test.txt': Operation not permitted
```
  - chmod, chown
    - chmod changes the mode bits, i.e. the permission bits of a file or directory
    - chown changes the owner or group of a file or directory

```
[root@linuxprobe sgid]# echo "test for chmod and chown" >> chmod_chown.txt
[root@linuxprobe sgid]# dir
chmod_chown.txt  onlyroot.txt  sgidDir
[root@linuxprobe sgid]# ls -l chmod_chown.txt
-rw-r--r--. 1 root root 25 Jan 20 16:53 chmod_chown.txt
[root@linuxprobe sgid]# chmod +440 chmod_chown.txt
[root@linuxprobe sgid]# chown linuxprobe:test chmod_chown.txt
[root@linuxprobe sgid]# ls -la chmod_chown.txt
-rw-r--r--. 1 linuxprobe test 25 Jan 20 16:53 chmod_chown.txt
```

    - Symbolic forms for the special bits:
      - u+s  add SUID
      - u-s  remove SUID
      - g+s  add SGID
      - g-s  remove SGID
      - o+t  add SBIT
      - o-t  remove SBIT
  - Conclusion
    - SUID: lets an ordinary user execute a program temporarily as the program's owner.
    - SGID: lets an ordinary user acquire the permission of the group the file belongs to; files created within an SGID directory belong to the directory's group.
    - SBIT: prevents other users from deleting a file even when they have the full r, w, x permission on it.
    - If the underlying execute bit is absent, the special permission is displayed in upper case (S or T); otherwise it is shown in lower case (s or t).
    - Special and ordinary permissions can be combined: SUID, SGID and SBIT are represented by the digits 4, 2 and 1, which occupy an extra leading digit in front of the three ordinary permission digits, i.e.:

```
[root@linuxprobe full_permission]# chmod +7777 fullP.txt
[root@linuxprobe full_permission]# ls -la fullP.txt
-rwsrwsrwt. 1 root root 12 Jan 20 17:15 fullP.txt
```
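The rules in the conclusion (4/2/1 in the leading digit, upper case when the execute bit is missing) can be checked mechanically. The following is an added example, not from the original notes: two small shell functions built on awk that convert the text form of a mode, as printed in the first column of `ls -l`, into its four-digit octal form and back, covering every mode string that appears in the notes above. The octal-to-text direction assumes a regular file (leading `-`), which is an assumption of the example.

```shell
#!/bin/sh
# Added example: convert between the text form of a mode (first column of
# ls -l) and its four-digit octal form, following the rule in the notes:
# the leading digit carries SUID=4, SGID=2, SBIT=1, and a special bit shows
# in upper case (S/T) when the underlying execute bit is absent.

# perm_to_octal TEXT: TEXT is a 10-character ls -l mode such as -rwsr-xr-x;
# prints the four-digit octal mode, e.g. 4755.
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 2, 9)             # drop the file-type character
        special = 0; digits = ""
        for (c = 0; c < 3; c++) {        # c = 0 owner, 1 group, 2 others
            r = substr(s, c * 3 + 1, 1)
            w = substr(s, c * 3 + 2, 1)
            x = substr(s, c * 3 + 3, 1)
            bits = 0
            if (r == "r") bits += 4
            if (w == "w") bits += 2
            # lower-case s/t means execute is also set; upper case means it is not
            if (x == "x" || x == "s" || x == "t") bits += 1
            if (x == "s" || x == "S") { if (c == 0) special += 4; else special += 2 }
            if (x == "t" || x == "T") special += 1
            digits = digits bits
        }
        print special digits
    }'
}

# octal_to_perm OCTAL: inverse of perm_to_octal for a regular file;
# accepts 3 or 4 digits, e.g. 4755 -> -rwsr-xr-x, 644 -> -rw-r--r--.
octal_to_perm() {
    printf '%s\n' "$1" | awk '{
        n = $0
        while (length(n) < 4) n = "0" n   # 644 is treated as 0644
        special = substr(n, 1, 1) + 0
        out = "-"
        for (c = 0; c < 3; c++) {
            d = substr(n, c + 2, 1) + 0
            out = out ((d >= 4) ? "r" : "-")
            out = out ((int(d / 2) % 2 == 1) ? "w" : "-")
            x = (d % 2 == 1)
            # pick the special bit that belongs to this class: 4, 2, 1
            if (c == 0) sp = int(special / 4) % 2
            else if (c == 1) sp = int(special / 2) % 2
            else sp = special % 2
            if (sp && c < 2) out = out (x ? "s" : "S")
            else if (sp) out = out (x ? "t" : "T")
            else out = out (x ? "x" : "-")
        }
        print out
    }'
}

# Demo with the mode strings that appear in the notes above
for m in -rwsr-xr-x -r--r-S--- drwxrwxrwt -rwsrwsrwt; do
    printf '%s -> %s\n' "$m" "$(perm_to_octal "$m")"
done
octal_to_perm 4755
```

`-r--r-S---` converting to 2440 is the case the conclusion singles out: the SGID bit is present but the group has no execute permission, so the letter is upper case.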
- Hidden attributes
  - chattr: change file attributes on a Linux file system
    - Usage: chattr [-pRVf] [-+=aAcCdDeijPsStTu] [-v version] files...
    - i  immutable: the file cannot be modified; for a directory, files cannot be created or deleted
    - a  append only; deletion is not allowed
    - S  synchronous updates: write the file content to disk right away
    - s  secure deletion: the data is thoroughly destroyed (overwritten with zeros), so recovery is not possible
    - A  do not update the atime attribute
    - b  do not update the mtime attribute
    - D  detect errors or corruption in the compressed file
    - d  skip this file when the dump command runs
    - c  compress the file by default
    - u  keep the actual data after the file is deleted
    - t  allow tail-merging
    - x  allow direct access to the compressed file
  - Try to delete a file that has the +a (append only) attribute:

```
# without +a
[root@linuxprobe test]# echo "test " > testForHidden.txt
[root@linuxprobe test]# rm testForHidden.txt
rm: remove regular file 'testForHidden.txt'? y
# with +a
[root@linuxprobe test]# chattr +a linuxHidden.txt
[root@linuxprobe test]# rm linuxHidden.txt
rm: remove regular file 'linuxHidden.txt'? y
rm: cannot remove 'linuxHidden.txt': Operation not permitted
```
  - lsattr: list file attributes on a Linux second extended file system

```
[root@linuxprobe test]# lsattr linuxHidden.txt
--S-iadA---------- linuxHidden.txt
```

  - One of the most widely used applications of the hidden attributes is to set +a on log files such as /var/log/messages, so that an intruder cannot clean up the traces of where they have walked through.
- FACL (file access control lists)
  - The permission management discussed so far works per owner, per group, or for everyone else; FACL (File Access Control Lists) works for individual users.
    - File ACL: the file's permission is independent of the directory where the file resides
    - Directory ACL: all files within the directory inherit the permissions that the directory grants

```
[root@linuxprobe ~]# su linuxprobe
[linuxprobe@linuxprobe root]$ cd /root
bash: cd: /root: Permission denied
```
  - setfacl: manage ACLs; set a file's ACL, controlling access for an individual user, group, file or directory
    - -m  set (modify) a permission entry
    - -M  read the permission entries to set from a file
    - -x  remove one of the permission entries
    - -b  remove all ACL entries
    - -R  apply the operation recursively

```
[root@linuxprobe ~]# setfacl -Rm u:1000:rwx /root
[root@linuxprobe ~]# su linuxprobe
[linuxprobe@linuxprobe root]$ cd /root
[linuxprobe@linuxprobe root]$ ls -ld /root
dr-xrwx---+ 15 root root 4096 Jan 22 00:28 /root
# the "+" sign means the /root directory now has an ACL configured
```
  - getfacl: get the ACL information of a file or directory

```
[linuxprobe@linuxprobe root]$ getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:linuxprobe:rwx
group::r-x
mask::rwx
other::---
```

  - What if a mistake is made while setting up the ACL? Back up and restore the ACL:

```
[root@linuxprobe ~]# getfacl -R /home > backup.acl
getfacl: Removing leading '/' from absolute path names
[root@linuxprobe ~]# setfacl --restore ./backup.acl &> /dev/null
```
- su and sudo
  - su allows a user to switch to another account and back again.

```
[root@linuxprobe /]# su - linuxprobe
[linuxprobe@linuxprobe ~]$
# "-" means switch over completely (a login shell with the target user's environment)
```

    - root -> user: no validation
    - user -> root: validation check (password required)
  - sudo allows a user to perform some of the superuser tasks while limiting and watching what the ordinary user does, instead of handing over full superuser permission. The Linux system records each command an ordinary user runs with sudo, the sudo users are managed in /etc/sudoers, and commands can be executed without re-validation for a short period of time.
    - -h  display help information
    - -l  list the commands the current user is allowed to execute
    - -u  execute the command as the specified user name/UID
    - -k  clean up the existing validation, forcing the user to enter the password again when executing the next command
    - -b  execute the command in the background
    - -p  change the prompt used to ask for the password
  - Use visudo to edit the /etc/sudoers file in order to make a more resilient configuration for the sudo command: it calls the vim editor, and the result is more reliable and easier to edit.

```
## Allow root to run any commands anywhere
# target-user  available-host=(run-as permission or user name)  executable list, separated by commas
root        ALL=(ALL)       ALL
linuxprobe  ALL=(ALL)       ALL
# when you run the following command you can see the permission for "linuxprobe"
[linuxprobe@linuxprobe ~]$ sudo -l
[sudo] password for linuxprobe:
Matching Defaults entries for linuxprobe on linuxprobe:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User linuxprobe may run the following commands on linuxprobe:
    (ALL) ALL
# It is unsafe to have sudo permission for all commands.
# Modify the sudoers file and change the available commands for "linuxprobe"
## Allow root to run any commands anywhere
root        ALL=(ALL)       ALL
linuxprobe  ALL=(ALL)       /usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
# now try to list the content of /root with and without "sudo"
[linuxprobe@linuxprobe ~]$ ls /root
ls: cannot open directory '/root': Permission denied
[linuxprobe@linuxprobe ~]$ sudo ls /root
anaconda-ks.cfg  backup.acl  Desktop  Documents  Downloads  initial-setup-ks.cfg  Music  Pictures  Public  Templates  Videos
[linuxprobe@linuxprobe ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow
root:$6$qAPQugz7F2TmGSMr$NnTP4W4WyQooEx3gmfxM611e893PraAZMMdaPUpkmNzieolNjT8rYoPyVTWcFia/Sc3XNbawKUQ9KQbDCxLqd/:18647:0:99999:7:::
bin:*:17784:0:99999:7:::
# NOPASSWD lets the user run "sudo" without entering the password every time
## Allow root to run any commands anywhere
root        ALL=(ALL)       ALL
linuxprobe  ALL=(ALL)       NOPASSWD:/usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
[linuxprobe@linuxprobe ~]$ sudo reboot
......
```
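The session above shows why `ALL=(ALL) ALL` for an ordinary user is unsafe and how a restricted command list or `NOPASSWD` changes the rule. The following is an added example, not from the original notes: an awk-based audit that reads sudoers-style rules and classifies each user rule by those patterns. The rule lines are constructed for the example; on a real host the input would be `/etc/sudoers` (and, as an assumption beyond the notes, any files included from `/etc/sudoers.d`). Aliases and include directives are not parsed here.

```shell
#!/bin/sh
# Added example: audit sudoers rules for the risky patterns shown in the notes.
# sample_sudoers prints constructed rules; it is not a real /etc/sudoers.
sample_sudoers() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root        ALL=(ALL)       ALL
linuxprobe  ALL=(ALL)       ALL
deploy      ALL=(ALL)       NOPASSWD:/usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
ops         ALL=(root)      /usr/bin/systemctl restart nginx
backup      ALL=(ALL)       NOPASSWD: ALL
Defaults    env_reset
EOF
}

# audit_sudoers: read sudoers text on stdin and print "<severity> <user> <reason>"
# for each user rule. Handled: comments, blank lines, Defaults lines, and the
# "user host=(runas) [NOPASSWD:] commands" rule form used in the notes.
audit_sudoers() {
    awk '
        /^[ \t]*#/         { next }   # comment line
        /^[ \t]*$/         { next }   # blank line
        /^[ \t]*Defaults/  { next }   # option line, not a rule
        {
            user = $1
            # strip "user host=(runas)" so only the command part remains
            sub(/^[ \t]*[^ \t]+[ \t]+[^=]+=\([^)]*\)[ \t]*/, "")
            cmds = $0
            nopass = (cmds ~ /^NOPASSWD:/)
            sub(/^NOPASSWD:[ \t]*/, "", cmds)
            if (user == "root") next              # root may run anything anyway
            if (cmds == "ALL" && nopass) print "HIGH", user, "any command without a password"
            else if (cmds == "ALL")      print "HIGH", user, "any command"
            else if (nopass)             print "MEDIUM", user, "no password for: " cmds
            else                         print "INFO", user, "restricted to: " cmds
        }
    '
}

# Demo on the constructed rules; on a real host run:
#   audit_sudoers < /etc/sudoers
sample_sudoers | audit_sudoers
```

Note that a restricted list is only as safe as the commands in it: the notes' own list contains cat, which `sudo cat /etc/shadow` turns into a password-hash disclosure, so the INFO findings still deserve a look.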
2021-01-18 User and File management(Permission)