User management on Linux can look messy, so this note collects the changes that matter to the files involved in user management.
1. Control where users may log in
The file /etc/security/access.conf controls the locations from which a user may log in. For access.conf to be consulted, the following line must be added to /etc/pam.d/login:
account required /lib/security/pam_access.so
The format of access.conf is:
permission : users : origins
where:
permission: either "+" or "-", meaning allow or deny.
users: a user name, a group name, or ALL for all users.
origins: the login location. LOCAL means local logins, ALL means every location, and console means the console. An origin can also be a network address or host name.
Either of the last two fields may contain EXCEPT to exclude entries. For example, to forbid console login for everyone except the users wheel, shutdown and sync:
-:ALL EXCEPT wheel shutdown sync:console
The login location of the root account is not controlled by access.conf but by the file /etc/securetty. To let root log in from pts/0, add a line containing pts/0 to that file, and likewise pts/1 for the next pseudo-terminal. Alternatively modify /etc/pam.d/login, where the line
auth required /lib/security/pam_securetty.so
is what enforces the securetty check. Commenting that line out disables the check and so also allows root to log in remotely, from any terminal.
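As an added example (not code from the original article), the POSIX shell script below evaluates a small rule set written in the access.conf syntax described above, including the EXCEPT form of the example rule. The rules, user names and groups are constructed for illustration; the real check is done by pam_access against /etc/security/access.conf, and this evaluator is a simplification of it: LOCAL is taken to mean any origin without a dot in it (a terminal name rather than a network address), and a request matched by no rule is permitted, which is why rule sets end with a final "- : ALL : ALL" line.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal evaluator for the
# access.conf rule syntax "permission : users : origins". The rule set below
# is constructed for illustration; pam_access reads the real
# /etc/security/access.conf and implements more than this.
RULES='# permission : users : origins
+ : root : console
- : ALL EXCEPT wheel shutdown sync : console
+ : wheel : LOCAL
- : ALL : ALL'

# in_list WORD "LIST": succeed if WORD is one of the whitespace-separated items.
in_list() {
    for il_w in $2; do
        [ "$il_w" = "$1" ] && return 0
    done
    return 1
}

# match_users "USERS_FIELD" USER "GROUPS": succeed if the field names the user,
# one of the user's groups, or ALL, honouring an EXCEPT clause.
match_users() {
    case $1 in
        *EXCEPT*)
            mu_base=${1%%EXCEPT*}
            mu_exc=${1#*EXCEPT}
            match_users "$mu_base" "$2" "$3" || return 1   # must match the base list
            match_users "$mu_exc" "$2" "$3" && return 1    # ... and not the exceptions
            return 0
            ;;
    esac
    in_list ALL "$1" && return 0
    in_list "$2" "$1" && return 0
    for mu_g in $3; do
        in_list "$mu_g" "$1" && return 0
    done
    return 1
}

# match_origins "ORIGINS_FIELD" ORIGIN: ALL matches anything, LOCAL matches an
# origin with no dot (a tty name rather than a network address, simplified),
# and any other entry must equal the origin.
match_origins() {
    in_list ALL "$1" && return 0
    in_list "$2" "$1" && return 0
    case $2 in
        *.*) ;;
        *) in_list LOCAL "$1" && return 0 ;;
    esac
    return 1
}

# access_decision USER "GROUPS" ORIGIN: print permit or deny. The first rule
# whose users and origins fields both match decides; when no rule matches the
# result is permit, as with pam_access, hence the closing "- : ALL : ALL".
access_decision() {
    ad_result=$(printf '%s\n' "$RULES" | while IFS= read -r ad_line; do
        case $ad_line in ''|\#*) continue ;; esac
        ad_perm=$(printf '%s' "$ad_line" | cut -d: -f1 | tr -d ' ')
        ad_users=$(printf '%s' "$ad_line" | cut -d: -f2)
        ad_origins=$(printf '%s' "$ad_line" | cut -d: -f3)
        match_users "$ad_users" "$1" "$2" || continue
        match_origins "$ad_origins" "$3" || continue
        case $ad_perm in +) echo permit ;; *) echo deny ;; esac
        break
    done)
    printf '%s\n' "${ad_result:-permit}"
}

# Stand-alone demonstration with constructed users, groups and origins.
for ad_case in "grind users console" "alice wheel console" "root root console" "alice wheel 10.0.0.5"; do
    set -- $ad_case
    printf '%-6s groups=%-6s from %-10s -> %s\n' "$1" "$2" "$3" "$(access_decision "$1" "$2" "$3")"
done
```

Running it shows grind denied on the console by the EXCEPT rule, alice (in group wheel) permitted on the console but denied from a network address, and root permitted on the console by the first rule. The order of rules matters, since the first match wins.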
2. Assign privileges to ordinary users
Sometimes we do not want to give a user full superuser privileges, but we still want that user to be able to run a few commands that normally require the superuser. By listing the user in /etc/sudoers we let a normal user run, through sudo, specific commands that otherwise only the superuser could execute.
The configuration rules for /etc/sudoers are as follows:
Host_Alias: creates a host alias [optional]. The hosts in the list are separated by commas; to define several aliases on one line, separate them with colons. The keyword ALL stands for all hosts. E.g.:
Host_Alias BLUESUN = grind, glass
This gives the two machines grind and glass the alias BLUESUN.
User_Alias: creates a user alias [optional]. The user names in the list are separated by commas. The format is the same as for host aliases, and the keyword ALL stands for all users.
Cmnd_Alias: creates a command alias [optional]. The commands in the list are separated by commas; to exclude a command, prefix it with !.
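The three alias forms above and the user-specification lines that use them (whose syntax is explained next) can be combined into one fragment. The following is an added example, not from the original article; the host names, user names, run-as user and command paths (BLUESUN, NETADMINS, www, /usr/sbin/apachectl and so on) are assumed for illustration:

```sudoers
# Added example, not from the original article. Hosts, users and command
# paths are assumed for illustration.
Host_Alias  BLUESUN   = grind, glass
User_Alias  NETADMINS = grind, alice
Cmnd_Alias  NETWORK   = /sbin/route, /sbin/ifconfig
Cmnd_Alias  SHELLS    = /bin/sh, /bin/bash

# NETADMINS may run the NETWORK commands as root on the BLUESUN hosts;
# the ! excludes the SHELLS commands from what they may run.
NETADMINS   BLUESUN = NETWORK, !SHELLS

# grind may run apachectl on glass, but only as the unprivileged user www
# (the run-as user in parentheses), not as root.
grind       glass   = (www) /usr/sbin/apachectl
```

Check a fragment like this with visudo -c -f <file> before installing it, since a syntax error in /etc/sudoers locks everyone out of sudo. Note also that the sudoers manual warns that excluding commands with ! is easy to get around (a user who can run any command as root can copy a shell under another name), so it is safer to list only the commands you want to allow than to allow ALL and subtract from it.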
User specifications: the syntax of a user specification is:
username host = [(run_as_user)] command_list
username is a real user name or a defined user alias, and host is a real host name or a defined host alias. command_list is a comma-separated list of commands, or an alias that has already been defined. Normally every command executed through sudo runs as root, but some special programs, for example programs that for security reasons must not run as root, can be given a user name as run_as_user (the brackets mean it is optional; the parentheses are part of the syntax). E.g.:
grind glass = /sbin/route
This line says that the user grind may run the routing-table command /sbin/route on the host glass.
3. Initialization environment: /etc/skel
When a new user is created without an explicit home directory, the system creates a login directory for the user using /etc/skel as the template, so the new directory contains the same files as /etc/skel. The system administrator can put files in /etc/skel that give users a good default environment; for example, an /etc/skel/.profile can define settings that take effect once the user has logged in. However, changing /etc/skel means that users created before the change and users created after it end up with different files, so wherever possible put global configuration into global files such as /etc/profile to set system-wide defaults. /etc/skel still has its uses: on a server dedicated to virtual hosting, for example, you can put only an index.html in /etc/skel, so that each newly added user gets none of the system-installed .bashrc and similar files, and every user who has not yet placed a home page shows the same uniform page.
4. Permissions on files and directories
Under Linux every file and directory has an owner, and read, write and execute permissions are defined separately for the owner, for the users in the owner's group, and for all other accounts. When the user grind creates a new file, ls -l filename shows its attributes like this:
-rw-rw-r--  1 grind linuxlab  0 May 10 19:36 test
Here the first field is the permission attributes of the file, the third field is the file owner, and the fourth is the group.
The permission attribute has ten characters, "-rw-rw-r--" in this case. The first character gives the file type: d means a directory, l a link file, - an ordinary file, b a block device file and c a character device file. The second to fourth characters are the read (r), write (w) and execute (x) permissions of the file owner, the fifth to seventh those of the owner's group, and the eighth to tenth those of all other users. If a position holds the corresponding letter the permission is granted; a "-" means it is not. Write permission on a file includes permission to modify and delete its contents. Write permission on a directory lets you create, delete or rename any file or subdirectory in it, even when you have no write permission on those files and subdirectories themselves. To list a directory with a program such as ls you need both read and execute permission on it, and a user with only read permission on a directory still needs execute permission to enter it with cd. A user who has only execute permission on a directory can access readable files inside it, but only by knowing their names. For the file listed above, the owner can read and write, the group can read and write, other users can read, and nobody (the owner included) can execute it.
We use u, g and o to refer to the owner, the group and other accounts when changing the permissions of files and directories, and a to mean all three at once. For example, to make the test file above readable and executable by all users, and additionally writable by its owner, we can use the following command:
chmod a+rx,u+w test
We know that in the output of ls -l the permissions of this file appear as "-rw-rw-r--". The first character is not a permission bit (it marks the file type, such as a directory); the remaining nine are split into three groups of three, "rw-", "rw-" and "r--". Reading "-" as 0 and any other character as 1, the permissions of this file are "110", "110", "100", and converting each binary triple into an octal digit gives 6, 6, 4, so the mode of the file is 664 (three octal digits). We can use such a three-digit number to set permissions as well; the permissions aimed at in the example above (read and execute for everyone, write for the owner as well) can be written as:
chmod 755 test
Of course, a user can also define the default permission attributes of the files they create, by running umask to set the default mask. If umask 022 is executed, the corresponding permission bits are blocked: the 2 in the group and other positions removes write permission, so files created under this default cannot be rewritten by anyone other than the owner, which protects the file.
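The permission arithmetic described in this section (reading a permission string as three octal digits, applying symbolic chmod clauses, and the effect of umask 022) is shown below in a POSIX shell script. It is an added example, not code from the original article; its inputs are the constructed values from the text. It also shows one thing the text glosses over: chmod a+rx,u+w adds bits to the existing mode, so on a 664 file the group keeps its write bit and the result is 775, whereas chmod a=rx,u+w replaces the bits and gives exactly 755.

```shell
#!/bin/sh
# Added example, not from the original article: the permission-string
# arithmetic from the text done in POSIX shell, with constructed inputs.

# sym_to_octal "-rw-rw-r--": turn the nine permission characters (a leading
# file-type character is ignored) into three octal digits, r=4 w=2 x=1.
sym_to_octal() {
    so_s=$1
    [ "${#so_s}" -eq 10 ] && so_s=${so_s#?}
    so_out=""
    so_pos=1
    while [ "$so_pos" -le 9 ]; do
        so_r=$(printf '%s' "$so_s" | cut -c"$so_pos")
        so_w=$(printf '%s' "$so_s" | cut -c"$((so_pos + 1))")
        so_x=$(printf '%s' "$so_s" | cut -c"$((so_pos + 2))")
        so_d=0
        [ "$so_r" = r ] && so_d=$((so_d + 4))
        [ "$so_w" = w ] && so_d=$((so_d + 2))
        case $so_x in x|s|t) so_d=$((so_d + 1)) ;; esac   # s and t also imply execute
        so_out="$so_out$so_d"
        so_pos=$((so_pos + 3))
    done
    printf '%s\n' "$so_out"
}

# octal_to_sym 755: the reverse, three octal digits to "rwxr-xr-x".
octal_to_sym() {
    os_out=""
    for os_d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((os_d & 4)) -ne 0 ] && os_out="${os_out}r" || os_out="${os_out}-"
        [ $((os_d & 2)) -ne 0 ] && os_out="${os_out}w" || os_out="${os_out}-"
        [ $((os_d & 1)) -ne 0 ] && os_out="${os_out}x" || os_out="${os_out}-"
    done
    printf '%s\n' "$os_out"
}

# apply_symbolic 664 "a+rx,u+w": apply chmod-style symbolic clauses to an
# octal mode and print the new octal mode. "+" adds bits, "-" removes them,
# and "=" replaces the whole triple of every user class named in "who".
apply_symbolic() {
    as_mode=$((0$1))                      # leading 0 makes the shell read it as octal
    for as_clause in $(printf '%s' "$2" | tr ',' ' '); do
        as_who=${as_clause%%[+=-]*}       # u, g, o, a or a combination (empty means a)
        as_rest=${as_clause#"$as_who"}
        as_op=$(printf '%s' "$as_rest" | cut -c1)
        as_perms=${as_rest#?}
        [ -z "$as_who" ] && as_who=a
        as_bits=0
        case $as_perms in *r*) as_bits=$((as_bits | 4)) ;; esac
        case $as_perms in *w*) as_bits=$((as_bits | 2)) ;; esac
        case $as_perms in *x*) as_bits=$((as_bits | 1)) ;; esac
        as_mask=0
        as_whomask=0
        case $as_who in *u*|*a*) as_mask=$((as_mask | (as_bits << 6))); as_whomask=$((as_whomask | 0700)) ;; esac
        case $as_who in *g*|*a*) as_mask=$((as_mask | (as_bits << 3))); as_whomask=$((as_whomask | 070)) ;; esac
        case $as_who in *o*|*a*) as_mask=$((as_mask | as_bits)); as_whomask=$((as_whomask | 07)) ;; esac
        case $as_op in
            +) as_mode=$((as_mode | as_mask)) ;;
            -) as_mode=$((as_mode & ~as_mask)) ;;
            =) as_mode=$(((as_mode & ~as_whomask) | as_mask)) ;;
        esac
    done
    printf '%o\n' "$as_mode"
}

# umask_default 022 file|dir: the default mode a new file (base 666, never
# executable) or directory (base 777) gets under that umask; mask bits are cleared.
umask_default() {
    ud_base=0666
    [ "$2" = dir ] && ud_base=0777
    printf '%o\n' $((ud_base & ~0$1))
}

# Stand-alone demonstration with the values used in the text.
printf 'ls -l shows -rw-rw-r--  : mode %s\n' "$(sym_to_octal -rw-rw-r--)"
printf 'mode 755 is             : %s\n' "$(octal_to_sym 755)"
printf 'chmod a+rx,u+w on 664   : %s (group keeps its w bit)\n' "$(apply_symbolic 664 a+rx,u+w)"
printf 'chmod a=rx,u+w on 664   : %s (same as chmod 755)\n' "$(apply_symbolic 664 a=rx,u+w)"
printf 'umask 022 -> new file %s, new directory %s\n' "$(umask_default 022 file)" "$(umask_default 022 dir)"
```

The umask function makes the point from the text concrete: 022 strips write permission from group and others, giving 644 for files and 755 for directories; a stricter 077 would give 600 and 700, hiding new files from everyone but their owner.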