1. User management
useradd
usermod
userdel
2. Group management
groupadd
groupmod
groupdel
3. Password policy management
chage -l root   shows the aging settings of one account (chage -M/-m/-W/-I/-E changes them)
The aging fields are stored in /etc/shadow, one colon-separated record per account; the defaults applied to new accounts come from PASS_MAX_DAYS and the related settings in /etc/login.defs.
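The fields chage reads are the aging columns of /etc/shadow, so an audit can be done directly on that file. The script below is an added example, not part of the original notes: it runs over a few constructed shadow records (fake names, fake hashes) and flags what a reviewer looks for, namely an empty password field, a locked account, a password that never expires, and one that has already expired. The current day number is passed in as a parameter so the result does not depend on the date the script is run.

```shell
#!/bin/sh
# Added example, not from the original notes. The shadow lines are constructed
# (fake names, fake hashes); on a real host run, as root:
#   shadow_findings "$(today_days)" < /etc/shadow
#
# /etc/shadow field layout (colon separated):
#   1 login name   2 hashed password ("" = none, "!" or "*" prefix = locked)
#   3 last change, in days since 1970-01-01
#   4 min days   5 max days (99999 = never expires)   6 warn   7 inactive   8 expiry
SAMPLE_SHADOW='root:$6$saltsalt$fakehashfakehash:19500:0:99999:7:::
alice:$6$saltsalt$fakehashfakehash:19500:1:90:14:30:
svc:*:19500:0:99999:7:::
bob:!!:19500:0:90:7:::
legacy::19500:0:99999:7:::'

# today_days -> the current day number in the unit /etc/shadow uses.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_findings TODAY < shadow-file -> one "name FINDING" line per problem.
# A locked account is reported and then skipped: nobody can log in to it, so
# an expiry finding on top would only be noise.
shadow_findings() {
    awk -F: -v today="$1" '
        $2 == ""                  { print $1, "EMPTY_PASSWORD" }
        $2 ~ /^[!*]/              { print $1, "LOCKED"; next }
        $5 == "" || $5+0 >= 99999 { print $1, "NEVER_EXPIRES"; next }
        today - $3 > $5+0         { print $1, "PASSWORD_EXPIRED" }
    '
}

# sample_findings -> findings for the constructed lines, evaluated as of day
# 19600, about three months after the last password changes recorded above.
sample_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_findings 19600
}

sample_findings
```

For the sample data this reports root and legacy as never expiring, legacy as having no password at all (a login with no password prompt), svc and bob as locked, and alice as expired (19600 - 19500 = 100 days, more than her 90-day maximum).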
4. sudo
Users (and groups, written as %groupname) listed in /etc/sudoers execute commands with:
the real and effective user id of the target user, 0 for root, which is the default
the group id of root's group
An attempt by a user not listed in /etc/sudoers is refused, logged through syslog and, by default, reported by mail to root (the mailto user).
Edit the file only with visudo, which locks it and refuses to save a rule with a syntax error; a broken /etc/sudoers locks every administrator out of sudo.
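A sudoers entry should grant the narrowest command that does the job, and must be syntax-checked before it goes live. The script below is an added example, not part of the original notes: sudoers_rule builds one rule line, check_sudoers runs it through visudo -cf, and install_rule only copies a rule that visudo accepted into /etc/sudoers.d. The account "deploy" and the service commands are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original notes: build a least-privilege sudoers
# rule, check it with visudo, and only then install it as a drop-in file.
# The account "deploy" and the service commands are hypothetical.

# sudoers_rule USER HOST RUNAS CMD... -> one sudoers line. Each CMD is a full
# path plus its exact arguments; several commands are joined with ", ".
sudoers_rule() {
    user=$1; host=$2; runas=$3; shift 3
    cmds=""
    for c in "$@"; do
        cmds="${cmds:+$cmds, }$c"
    done
    printf '%s %s=(%s) %s\n' "$user" "$host" "$runas" "$cmds"
}

# check_sudoers FILE -> 0 if visudo accepts FILE, non-zero if it rejects it
# (syntax error; older sudo versions also reject a wrong owner or mode),
# 2 if visudo is not installed at all.
check_sudoers() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -cf "$1" >/dev/null 2>&1
}

# install_rule NAME FILE -> copy FILE to /etc/sudoers.d/NAME with the mode
# sudo insists on (0440, root-owned); refuses anything visudo rejects.
# Needs root, so the demonstration below does not call it.
install_rule() {
    check_sudoers "$2"
    case $? in
        0) ;;
        2) echo "visudo not found; not installing $2" >&2; return 1 ;;
        *) echo "refusing to install $2: visudo rejected it" >&2; return 1 ;;
    esac
    install -m 0440 -o root -g root "$2" "/etc/sudoers.d/$1"
}

# deploy may restart or reload one service as root and nothing else.
# Deliberately no ALL, no wildcards, no NOPASSWD, and no editor or pager:
# those offer shell escapes that turn a narrow grant into a root shell.
demo_rule() {
    sudoers_rule deploy ALL root \
        "/usr/sbin/service httpd restart" \
        "/usr/sbin/service httpd reload"
}

tmp=$(mktemp)
demo_rule | tee "$tmp"
check_sudoers "$tmp" && echo "rule accepted by visudo" || echo "visudo check returned status $?"
rm -f "$tmp"
```

After installing a rule, `sudo -l -U deploy` shows exactly what that account may run, which is the quickest way to confirm the grant is as narrow as intended.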
5. Network users
Configuration tool: system-config-authentication
NIS configuration
must install the ypbind and portmap RPMs
LDAP configuration
must install the nss_ldap and openldap RPMs (RHEL 5 package names; later releases use sssd)
NIS sends password hashes over the network in the clear, and an LDAP client does the same unless TLS (ldaps or start_tls) is enabled in its configuration.
6. SUID and SGID
chmod u+s filename   setuid: an executable runs with the effective uid of the file's owner instead of the caller's
chmod g+s filename   setgid: an executable runs with the effective gid of the file's group; on a directory, new files and subdirectories inherit the directory's group
Uppercase S versus lowercase s in ls output:
if the matching execute bit is not set, the letter is uppercase (the bit is stored but has no effect, since the file cannot be executed)
if the execute bit is set, the letter is lowercase
Linux ignores setuid on scripts and on anything under a mount with the nosuid option; only compiled executables are affected. Every setuid-root binary is a privilege boundary, so keep the list short and audit it.
Example:
[root@server1 ~]# touch 1
[root@server1 ~]# ls -al 1
-rw-r--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod u+s 1
[root@server1 ~]# ls -al 1
-rwSr--r-- 1 root root 0 06-06 00:24 1
[root@server1 ~]# chmod g+s 1
[root@server1 ~]# ls -al 1
-rwSr-Sr-- 1 root root 0 06-06 00:24 1
[root@server1 ~]#
[root@server1 ~]# touch 2
[root@server1 ~]# chmod +x 2
[root@server1 ~]# ls -al 2
-rwxr-xr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]# chmod u+s 2
[root@server1 ~]# chmod g+s 2
[root@server1 ~]# ls -al 2
-rwsr-sr-x 1 root root 0 06-06 00:26 2
[root@server1 ~]#
7. The sticky bit
Normally a user with write permission on a directory can delete or rename any file in it, regardless of that file's own permissions or ownership.
With the sticky bit set on a directory, a file can be deleted or renamed only by the file's owner, the directory's owner, or root.
Example: /tmp is the standard case; the t in the last position of the mode is the sticky bit.
[root@server1 ~]# ls -al /tmp
drwxrwxrwt 8 root root 4096 06-05 23:45 .
To set it on a world-writable shared directory:
chmod o+t /home/share
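The S/s distinction of section 6 and the sticky t of section 7 can be checked mechanically. The script below is an added example, not part of the original notes: classify_mode decodes a symbolic mode string into its special bits, and audit_special lists every setuid or setgid file under a directory, which is the check to run against / after a build or before a hardening review. The two scratch files mirror the 1 and 2 of the listing above; their names are the only assumed detail.

```shell
#!/bin/sh
# Added example, not from the original notes: decode the special bits of a
# symbolic mode string and audit a directory tree for setuid/setgid files.
# Only POSIX sh, ls, find, chmod and mktemp are used.

# classify_mode MODESTRING -> which special bits are set, and whether the
# matching execute bit is present (lowercase s/t) or absent (uppercase S/T).
classify_mode() {
    m=$(printf '%.10s' "$1")   # drop a trailing '.' or '+' (SELinux / ACL marker)
    out=""
    case "$m" in
        ???s??????) out="$out suid" ;;
        ???S??????) out="$out suid-without-owner-exec" ;;
    esac
    case "$m" in
        ??????s???) out="$out sgid" ;;
        ??????S???) out="$out sgid-without-group-exec" ;;
    esac
    case "$m" in
        ?????????t) out="$out sticky" ;;
        ?????????T) out="$out sticky-without-other-exec" ;;
    esac
    printf '%s\n' "${out# }"
}

# mode_of PATH -> the 10-character symbolic mode as shown by ls -l.
mode_of() {
    set -- $(ls -ld "$1")
    printf '%.10s\n' "$1"
}

# audit_special DIR -> every setuid or setgid regular file under DIR, one per
# line, with its classification. "-perm -4000 -o -perm -2000" is the portable
# spelling; GNU find also accepts -perm /6000. Run it as audit_special /
# (add -xdev to find to stay on one filesystem) to enumerate the binaries
# that can change privilege on a host.
audit_special() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort | while read -r f; do
        printf '%s %s\n' "$f" "$(classify_mode "$(mode_of "$f")")"
    done
}

# Demonstration on a scratch directory, mirroring files 1 and 2 in the notes.
demo() {
    d=$(mktemp -d)
    : > "$d/1"; chmod u+s,g+s "$d/1"          # no execute bit -> uppercase S
    : > "$d/2"; chmod +x,u+s,g+s "$d/2"       # execute bit set -> lowercase s
    audit_special "$d"
    rm -rf "$d"
}

demo
```

The demonstration prints both scratch files, because the bits are stored either way; only file 2, with the lowercase s, would actually run with its owner's uid.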
8. Default file permissions
The umask is the set of permission bits withheld from new objects: a file starts from 666 and a directory from 777, and every bit set in the umask is cleared. In the /etc/bashrc excerpt below, the group-writable default of 002 is chosen only for ordinary accounts (UID above 99) whose primary group is their own private group, so no other user gains write access; every other account gets 022. Check the current value and where it is set:
[root@server1 ~]# umask
0022
[root@server1 ~]# cat /etc/bashrc
# /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile
# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
fi
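The umask arithmetic is easy to get wrong by hand. The script below is an added example, not part of the original notes: effective_mode computes the mode a new file (base 666) or directory (base 777) receives under a given umask, and created_mode verifies the arithmetic against objects actually created in a scratch directory under that umask, without touching the caller's own umask.

```shell
#!/bin/sh
# Added example, not from the original notes: compute the permissions a new
# file or directory receives under a umask, then confirm against real objects.

# effective_mode BASE UMASK -> octal mode of a new object whose creation mode
# is BASE (666 for files, 777 for directories) under UMASK: each bit set in
# the umask is cleared from the base. Leading zeros keep the values octal.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_of PATH -> the 10-character symbolic mode as shown by ls -l.
mode_of() {
    set -- $(ls -ld "$1")
    printf '%.10s\n' "$1"
}

# created_mode UMASK KIND -> the symbolic mode a new file (KIND=file) or
# directory (KIND=dir) really gets under UMASK. The umask is changed inside a
# subshell, so the caller's setting is untouched.
created_mode() {
    d=$(mktemp -d)
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi )
    mode_of "$d/new"
    rm -rf "$d"
}

# The two values /etc/bashrc chooses between, plus the 077 a service
# account handling secrets should use.
for u in 002 022 077; do
    echo "umask $u: file $(effective_mode 666 "$u") ($(created_mode "$u" file)),"\
         "dir $(effective_mode 777 "$u") ($(created_mode "$u" dir))"
done
```

Note that the umask only affects the mode requested at creation time; a later chmod, or a default ACL on the parent directory (section 9), overrides it.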
9. Access control lists
Grant rwx access to files and directories for more than one user or group, beyond the single owner, group and other of the mode bits.
The filesystem must be mounted with ACL support: mount -o remount,acl /mountpoint, or add acl to its options in /etc/fstab. ls -l shows a + after the mode of any file that carries an ACL.
View an ACL:
getfacl file|directory
Set ACL entries:
setfacl -m u:gandolf:rwx file|directory
setfacl -m g:nazgul:rw file|directory
setfacl -m d:u:frodo:rw directory     (default entry: inherited by files created inside the directory)
Remove an entry:
setfacl -x u:samwise file|directory
Caveat: the rights of every named user or group entry are capped by the ACL mask, and chmod rewrites the mask from the group bits, so a later chmod can silently reduce a grant; getfacl marks such entries with #effective.
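The mask interaction is the part of ACLs that bites in practice, so it is worth seeing on a real file. The script below is an added example, not part of the original notes: it grants rw to a numeric uid on a scratch file, reads back the rights the kernel will actually apply, shows how chmod 600 neutralises the grant through the mask, and then revokes the entry. uid 12345 is arbitrary; setfacl accepts numeric ids, so no such account needs to exist. Where the ACL tools or the filesystem lack ACL support, the functions report "unsupported" instead of failing.

```shell
#!/bin/sh
# Added example, not from the original notes. Grants an ACL entry to a numeric
# uid on a scratch file, reads back the effective rights, and shows how chmod
# rewrites the ACL mask. uid 12345 is arbitrary and need not exist.

# acl_effective FILE UID -> the rights UID really gets: the entry's own rwx,
# unless the mask cuts it down, in which case getfacl appends "#effective:"
# and that value is returned instead. Prints nothing if there is no entry.
acl_effective() {
    getfacl -n "$1" 2>/dev/null | awk -F'[:\t ]+' -v u="$2" '
        $1 == "user" && $2 == u {
            r = $3
            if ($4 == "#effective") r = $5
            print r
        }'
}

# acl_grant FILE UID PERMS -> the effective rights UID has after the grant,
# or "unsupported" if the tools are missing or the filesystem rejects ACLs.
acl_grant() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo unsupported; return 0; }
    setfacl -m "u:$2:$3" "$1" 2>/dev/null || { echo unsupported; return 0; }
    acl_effective "$1" "$2"
}

# acl_revoke FILE UID -> remove the named-user entry (setfacl -x).
acl_revoke() {
    setfacl -x "u:$2" "$1"
}

# has_acl FILE -> yes/no, from the "+" that ls -l appends to the mode of a
# file carrying an ACL (an SELinux-only file shows "." there instead).
has_acl() {
    set -- $(ls -ld "$1")
    case $1 in *+) echo yes ;; *) echo no ;; esac
}

demo() {
    d=$(mktemp -d); f="$d/report"
    : > "$f"; chmod 644 "$f"
    r=$(acl_grant "$f" 12345 rw)
    if [ "$r" = unsupported ]; then
        echo "ACLs not available on this system or filesystem"; rm -rf "$d"; return 0
    fi
    echo "granted, effective rights:   $r"                      # rw-: mask recomputed to rw-
    echo "ls -l shows +:               $(has_acl "$f")"
    chmod 600 "$f"                                              # chmod sets the mask from the group bits
    echo "after chmod 600, effective:  $(acl_effective "$f" 12345)"   # ---: the grant is silently neutralised
    acl_revoke "$f" 12345
    echo "after revoke, entry present: $(has_acl "$f")"
    rm -rf "$d"
}

demo
```

The chmod 600 step is the one to remember: the ACL entry still reads rw- in getfacl, but its effective rights are ---, and nothing warns the user who was granted access. After the revoke, ls no longer shows the + because the only extended entry is gone.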
10. SELinux
Every file and process has a security context.
The context has several fields, depending on the security needs:
user:role:type:sensitivity:category
user_u:object_r:tmp_t:s0:c0
Not all systems display s0:c0 (the MLS/MCS fields); under the targeted policy the type field is what the access decisions are made on.
ls -Z   shows file contexts
ps -Z   shows process contexts
Example:
[root@server1 ~]# ls -Z /etc/shadow
-r-------- root root system_u:object_r:shadow_t:s0 /etc/shadow
[root@server1 ~]# ls -Z /etc/aliases
-rw-r--r-- root root system_u:object_r:etc_aliases_t:s0 /etc/aliases
[root@server1 ~]#
Change a file's context (holds only until the file is relabeled)
chcon -t tmp_t /etc/hosts
Restore the file's default context from the policy
restorecon /etc/hosts
Change the system-wide setting
getenforce   shows the current mode
setenforce 0|1   switches to permissive (0) or enforcing (1) until the next reboot; it cannot turn on SELinux that was disabled at boot
/etc/sysconfig/selinux   persistent setting (SELINUX=enforcing|permissive|disabled), read at boot
system-config-securitylevel
system-config-selinux
Install the package below to see what has been blocked:
setroubleshoot, which runs the setroubleshootd daemon
it advises on how to avoid the denials, it does not make the system secure.
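The context format, the difference between the running and the persistent mode, and the chcon/restorecon pair above can be checked from a script. The one below is an added example, not part of the original notes: ctx_field takes a context apart, running_mode and persistent_mode show whether a setenforce change is backed by the configuration, and mislabeled uses restorecon's dry-run mode to find files whose label has drifted from the policy without changing anything. On a host without SELinux every live check prints "unavailable"; the example context strings are the ones from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: take a security context apart
# and, where the SELinux user-space tools exist, compare the running mode with
# the persistent one and find files whose label no longer matches the policy.
# Without SELinux every live check prints "unavailable".

# ctx_field CONTEXT N -> field N of user:role:type:sensitivity:category
# (1=user 2=role 3=type 4=sensitivity 5=category). Prints an empty line for a
# field the context does not carry, e.g. the category on a non-MCS system.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}
ctx_type() { ctx_field "$1" 3; }

# file_context PATH -> the context ls -Z shows, read with GNU stat's %C, or
# "unavailable" when stat or the kernel cannot report one ("?" on Linux
# without SELinux).
file_context() {
    c=$(stat -c %C "$1" 2>/dev/null) || c=""
    case $c in ""|"?") echo unavailable ;; *) echo "$c" ;; esac
}

# running_mode -> Enforcing, Permissive or Disabled (what setenforce changes,
# until the next reboot), or "unavailable".
running_mode() {
    command -v getenforce >/dev/null 2>&1 && getenforce || echo unavailable
}

# persistent_mode -> the SELINUX= value in /etc/sysconfig/selinux, which is
# what the system boots into. A setenforce 0 that is not matched here is a
# temporary change, and worth flagging during a review.
persistent_mode() {
    [ -r /etc/sysconfig/selinux ] || { echo unavailable; return 0; }
    sed -n 's/^SELINUX=//p' /etc/sysconfig/selinux
}

# mislabeled DIR -> the files under DIR whose label differs from the policy
# default, reported without touching them (-n dry run, -R recursive,
# -v report each file). A chcon that drifted from the policy shows up here
# and is undone by the same command without -n.
mislabeled() {
    command -v restorecon >/dev/null 2>&1 || { echo unavailable; return 0; }
    restorecon -Rnv "$1" 2>/dev/null
}

echo "running mode:    $(running_mode)"
echo "persistent mode: $(persistent_mode)"
echo "/etc/hosts:      $(file_context /etc/hosts)"
echo "type of system_u:object_r:shadow_t:s0 is $(ctx_type 'system_u:object_r:shadow_t:s0')"
echo "mislabeled under /etc:"
mislabeled /etc
```

On an enforcing host, a non-empty mislabeled list after a chcon is exactly the situation restorecon in the notes is meant to fix; a file whose context must legitimately differ from the default needs the policy's file-context rules updated instead, or restorecon will keep reverting it.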
From "ITPUB blog", link: http://blog.itpub.net/312079/viewspace-1007352/. Please credit the source when reposting; otherwise legal action will be pursued.