
(趙小明 RHCE notes) Linux basics, part 3: users, groups and permissions

I. user

1. Each user is assigned a unique user id (uid)

 root's id is 0

 ordinary user ids start at 500 (0-500 are reserved for the system)

2. User names and user ids are stored in /etc/passwd

3. When a user logs in, the system automatically assigns that user a home directory

4. A user cannot read, write or execute other users' files

II. changing file ownership

1. only root can change a file's owner

2. only root or the owner can change a file's group

3. ownership is changed with chown:

 chown [-R] username file|directory (the -R option recursively changes the directory and everything under it)

4. group ownership is changed with chgrp:

 chgrp [-R] groupname file|directory

Example:

[root@instructor ~]# cd /tmp
[root@instructor tmp]# mkdir ownership
[root@instructor tmp]# cd ownership
[root@instructor ownership]# ls -l
total 0
[root@instructor ownership]# cp /etc/passwd ./
total 4
-rw-r--r--. 1 root root 2051 Jan  2 14:42 passwd
[root@instructor ownership]# pwd
/tmp/ownership
[root@instructor ownership]#
[root@instructor ownership]# chown eric passwd
[root@instructor ownership]# ll
-rw-r--r--. 1 eric root 2051 Jan  2 14:42 passwd

III. changing permissions: symbolic method

1. to change access modes:

 chmod [-option]... mode[,mode] file|directory

2. mode includes:

 - u, g or o for user, group and other

e.g.:

[root@instructor ownership]# chmod ugo+x passwd
-rwxr-xr-x. 1 eric root 2051 Jan  2 14:42 passwd

or:

[root@instructor ownership]# chmod a+x passwd
[root@instructor ownership]# chmod a-x passwd

 - +, - or = for grant, deny or set

 - r, w or x for read, write and execute

3. options include (recursive modification)

 - -R recursive

4. examples:

 - chmod ugo+r file: grant read access to all users for file

 - chmod o-wx dir: deny write and execute to others for dir

IV. changing permissions: numeric method

1. uses a three-digit mode number

 - first digit specifies the owner's permissions

 - second digit specifies the group's permissions

 - third digit specifies others' permissions

 ---      000
 --x      001
 -w-      010
 -wx      011
 r--      100
 r-x      101
 rw-      110
 rwx      111

Change a file's permissions to rwxr-x--- (owner: read, write, execute; group: read, execute; others: none)

rwxr-x---: 750

[root@instructor ownership]# chmod 750 passwd
-rwxr-x---. 1 eric root 2051 Jan  2 14:42 passwd

2. permissions are calculated by adding:

 - 4 (for read)

 - 2 (for write)

 - 1 (for execute)

3. example:

 - chmod 640 myfile

V. user and group id numbers

1. user names map to user id numbers

2. group names map to group id numbers

3. data stored on the hard disk is stored numerically

VI. /etc/passwd, /etc/shadow and /etc/group files

authentication information is stored in plain text files:

 - /etc/passwd  (user information)

 - /etc/shadow  (password information)

 - /etc/group   (group information)

 - /etc/gshadow (no longer used)

1. /etc/passwd

 user account information

[root@instructor tmp]# tail -2 /etc/passwd
tommy:x:502:503::/home/tommy:/bin/bash
test:x:503:504::/home/test:/bin/bash

col1: user name (tommy)

col2: placeholder (not used any more)

col3: user id (502)

col4: user group id (503)

col5: comment (free-form information)

col6: user home directory (/home/tommy)

col7: user login shell (/bin/bash)

2. /etc/shadow

 user password information

[root@instructor ~]# tail -2 /etc/shadow
tommy:!!:15952:0:99999:7:::
test:$6$v0bj8hdm$yfydydphkya4s7vrsr8zhgb2eofmsee9vpxdwsxwkwj/hzxcbpnu7qukspru/iwoyywpzwsgp7oxz.piduyoq.:15955:0:99999:7:::

col1: user name

col2: encrypted user password

col3: date of the last password change (days since 1970-1-1)

col4: the minimum number of days between password changes (0)

col5: the maximum number of days the password is valid (99999)

col6: the number of days before the password expires that the user is warned (7)

col7: the number of days after the password expires that the account is disabled

col8: the day (counted since Jan 1, 1970) on which the account is disabled

col9: reserved

3. /etc/group

[root@instructor ~]# grep "adm" /etc/group
sys:x:3:bin,adm
adm:x:4:adm,daemon
desktop_admin_r:x:498:

VII. user default configuration

1. user default files

 - copied from /etc/skel

2. user environment initialization files (the user's initial files)

[root@instructor ~]# ls -a /etc/skel
.  ..  .bash_logout  .bash_profile  .bashrc  .gnome2  .mozilla

 - ~/.bash_profile: sourced after the user logs in

 - ~/.bashrc: sourced whenever the user enters a new bash shell

 - ~/.bash_logout: executed when the user logs out

[root@instructor ~]# cat ~/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias grep='grep --color=auto'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi

VIII. alias

[root@instructor ~]# alias l='ls -a'

After logging in again, however, the command has to be run again. For convenience, the command can be written directly into .bash_profile.

IX. sourcing files

1. changes to profile and bashrc files need to be sourced

2. two methods (two ways of executing a shell script):

 - . scriptname

 - source scriptname

3. shell scripts can source other files

X. user management tools

1. GUI

 - system-config-users

2. CLI

 - useradd

 - usermod

 - userdel [-r]: always pass -r when deleting a user, otherwise the user's private data is left behind and exposed

e.g.: changing a user's shell

[root@instructor ~]# usermod -s /sbin/nologin eric
[root@instructor ~]# su - eric
This account is currently not available.
[root@instructor ~]# usermod -s /bin/bash eric
[eric@instructor ~]$

XI. password aging policies

1. by default, passwords do not expire

2. forcing passwords to expire is part of a strong security policy

3. modify default expiration settings in /etc/login.defs

4. to modify existing users, either:

 - edit /etc/shadow by hand

 - use chage [option] username

e.g.: vim /etc/login.defs
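As an added example (not from the original notes) tying the /etc/shadow columns of section VI to the aging policy here: a POSIX shell function that classifies a user's password the way chage would, from col2 (hash), col3 (last change), col5 (max days), col6 (warn days) and col8 (account expiry). SAMPLE_SHADOW holds constructed sample lines with placeholder hashes, and today_days is a helper assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: evaluate the aging fields of an
# /etc/shadow entry (col2 hash, col3 last change, col5 max days, col6 warn
# days, col8 account expiry; days are counted since 1970-01-01).
# SAMPLE_SHADOW is constructed sample data; the hashes are placeholders.
SAMPLE_SHADOW='tommy:!!:15952:0:99999:7:::
test:$6$constructed$PLACEHOLDERHASH:15955:0:99999:7:::
olduser:$6$constructed$PLACEHOLDERHASH:15000:0:90:7:::
gone:$6$constructed$PLACEHOLDERHASH:15000:0:90:7::15080:'

# shadow_status USER TODAY  (TODAY in days since the epoch, same unit as col3)
# Prints one of: account-expired, no-password, locked, never-expires,
# expired, warn, ok, unknown.
shadow_status() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v today="$2" '
    BEGIN { today = today + 0 }
    $1 == u {
        found = 1
        if ($8 != "" && today >= $8 + 0) { print "account-expired"; exit }
        if ($2 == "")                     { print "no-password"; exit }
        if ($2 ~ /^[!*]/)                 { print "locked"; exit }  # "!!" or "*": no usable hash
        last = $3 + 0; max = $5; warn = $6 + 0
        if (max == "" || max + 0 >= 99999) { print "never-expires"; exit }
        left = last + max - today         # days until the password expires
        if (left < 0)          print "expired"
        else if (left <= warn) print "warn"
        else                   print "ok"
        exit
    }
    END { if (!found) print "unknown" }'
}

# Current date in the unit col3 uses (days since 1970-01-01).
today_days() { echo $(( $(date +%s) / 86400 )); }

shadow_status tommy   "$(today_days)"   # locked ("!!" = no password ever set)
shadow_status olduser 15050             # ok
shadow_status olduser 15085             # warn (5 days left, warn = 7)
shadow_status olduser 15100             # expired
```

To run it against a real system, replace the printf of SAMPLE_SHADOW with reading /etc/shadow as root; the awk logic is unchanged.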

XII. default permissions

1. default permissions for directories are 777 minus umask

2. default permissions for files are the directory default without execute permission

3. umask is set with the umask command

4. non-privileged users' umask is 002

 - files will have permissions of 664

 - directories will have permissions of 775

5. root's umask is 022

 - files will have permissions of 644

 - directories will have permissions of 755

user (ordinary user):

dir:  777 - umask(002) = 775  (permissions of a new directory created by an ordinary user)
            rwxrwxr-x

file: 777 - umask(002) - xxx = 664  (permissions of a new file created by an ordinary user)
            rw-rw-r--

root:

dir:  777 - umask(022) = 755
            rwxr-xr-x

file: 777 - umask(022) - xxx = 644
            rw-r--r--
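As an added example (not from the original notes) covering both the chmod methods of sections III and IV and the umask arithmetic above: a POSIX shell script that creates a file and a directory under a chosen umask, applies numeric and symbolic modes, and reads back the octal bits each time. It assumes GNU or BSD stat and mktemp; the scratch directory and function names are its own.

```shell
#!/bin/sh
# Added example, not from the original notes: create a file and a directory
# under a chosen umask, then apply numeric and symbolic chmod modes, reading
# back the octal permission bits each time.

# Print the octal permission bits of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# create_under_umask MASK: make a new file and directory under MASK in a
# scratch directory and print "<filemode> <dirmode>".
create_under_umask() {
    work=$(mktemp -d)
    (
        umask "$1"
        : > "$work/f"      # file: 666 minus umask (never gets execute bits)
        mkdir "$work/d"    # directory: 777 minus umask
    )
    echo "$(mode_of "$work/f") $(mode_of "$work/d")"
    rm -rf "$work"
}

# chmod_result MODE: start from a 644 file, apply MODE (numeric or symbolic)
# and print the resulting octal bits.
chmod_result() {
    work=$(mktemp -d)
    ( umask 022; : > "$work/f" )   # 666 - 022 = 644
    chmod "$1" "$work/f"
    mode_of "$work/f"
    rm -rf "$work"
}

create_under_umask 002          # ordinary user default: 664 775
create_under_umask 022          # root default:          644 755
chmod_result 750                # numeric:  rwxr-x---   -> 750
chmod_result u=rwx,g=rx,o=      # symbolic, same result -> 750
chmod_result a+x                # grant execute to all  -> 755
```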
