1. System Security
Access to the system is controlled through user accounts: permissions are granted to the account a user logs in with. The account information is kept in the /etc/passwd file.
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
The main contents of passwd above are as follows.
example: root:x:0:0:root:/root:/bin/bash
■ First Field: Username (root)
■ Second Field: Password field. An x means the password hash is kept in /etc/shadow rather than here; an empty field means no password is required at all, which is a finding on any system.
■ Third Field: User ID (UID). 0 is root, and any other account with UID 0 has full root privileges, so there should be exactly one such line.
■ Fourth Field: Group ID (GID) of the user's primary group
■ Fifth Field: User description and comments (the GECOS field)
■ 6th Field: User's home directory
■ 7th Field: Login shell of the user (/bin/bash here). /sbin/nologin or /bin/false denies interactive login; an empty field means the system default, /bin/sh.
In the example above, many of the accounts were not created by a person. These are called system users and are created automatically by the Linux system or by package installation. On the distribution shown here, system users get UIDs below 500 and accounts for real users get UIDs of 500 and above; current distributions use 1000 as the boundary, and the actual values are the SYS_UID_MAX and UID_MIN settings in /etc/login.defs.
In older systems the password hash was stored directly in /etc/passwd. That file has to be world-readable, so any local user could copy the hashes and crack them offline. The hashes were therefore moved into /etc/shadow, which only root can read. Let's look at the shadow file.
The information in /etc/shadow is as follows.
rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:99999:7:::
Each entry above is separated by colons (:) and has 9 fields.
■ First Field: User name (rich)
■ Second Field: Password hash ($1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020). The prefix identifies the algorithm: $1$ is MD5-crypt, which is weak by today's standards; current systems use $6$ (SHA-512) or $y$ (yescrypt). A ! or * in this field means the account is locked, and an empty field means no password is needed.
■ Third Field: Date of the last password change, as days since January 1, 1970 (11627)
■ Fourth Field: Minimum number of days between password changes (0)
■ Fifth Field: Maximum number of days the password stays valid (99999, which in practice means it never expires)
■ 6th Field: Number of days before expiration that the user starts to be warned (7)
■ Seventh Field: Number of days after the password expires before the account is disabled
■ Eighth Field: Date the account itself expires, as days since January 1, 1970
■ Ninth Field: Reserved for future use
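The field layouts above are what an account review parses. The script below is an added example written for this page, not code from the original post: it runs the first checks a reviewer makes (extra UID 0 accounts, system accounts with a login shell, empty password fields, MD5-crypt hashes) over constructed copies of the two files. The sample accounts, hashes and the temp-file handling are all assumptions for the demonstration; point the functions at /etc/passwd and /etc/shadow to run them on a real host.

```shell
#!/bin/sh
# Added example (not from the original page): the checks a reviewer runs over
# /etc/passwd and /etc/shadow first. Every function takes a file path, so it
# can run here against constructed samples and on a real host against the
# actual files (the shadow checks then need root to read the file).

# Constructed sample in /etc/passwd format. "backdoor" and "operator" are the
# planted findings: a second UID 0 and a system account with a real shell.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0:second uid 0:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/sh
rich:x:500:500::/home/rich:/bin/bash
svc:x:501:501:service:/var/lib/svc:/sbin/nologin
EOF

# Constructed sample in /etc/shadow format (the hashes are not real).
# "svc" has an empty password field; "locked" is locked with !!.
SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
rich:$1$.FfcK0ns$f1UgiyHQ25wrB/hykCn020:11627:0:99999:7:::
svc::19000:0:99999:7:::
locked:!!:19000:0:99999:7:::
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# uid0_accounts PASSWDFILE: every account whose UID (field 3) is 0.
# Only root should appear; anything else has root privileges.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# interactive_system_accounts PASSWDFILE [MIN_UID]: system accounts (UID below
# the regular-user boundary) whose shell (field 7) allows login. The boundary
# is 500 on the distribution shown above; on a current host read UID_MIN from
# /etc/login.defs and pass it as the second argument.
interactive_system_accounts() {
    min=${2:-500}
    awk -F: -v min="$min" \
        '$3 < min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# empty_passwords SHADOWFILE: entries whose hash field (field 2) is empty.
# Such accounts log in with no password at all; "!" or "*" there means locked.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# weak_hashes SHADOWFILE: entries still hashed with MD5-crypt ($1$) or the old
# DES crypt (no "$" prefix at all), which crack far faster than SHA-512 ($6$)
# or yescrypt ($y$). Locked and empty entries are skipped.
weak_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$[56y]\$/ { print $1 }' "$1"
}

# Stand-alone report over the constructed samples.
echo "UID 0 accounts:";                uid0_accounts "$SAMPLE_PASSWD"
echo "system accounts with a shell:";  interactive_system_accounts "$SAMPLE_PASSWD" 500
echo "empty password fields:";         empty_passwords "$SAMPLE_SHADOW"
echo "weak hash algorithms:";          weak_hashes "$SAMPLE_SHADOW"
```

On a real host, pass UID_MIN from /etc/login.defs as the second argument of interactive_system_accounts; root itself will always be listed there, which is expected, and every other name in that list needs a justification.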
Add users
To add a user, use the useradd command. The useradd command creates a user with several values set at once. How to check the default value is as follows.
# /usr/sbin/useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#
When a user is created through useradd, the above values are applied to that user by default.
In the example above, "SKEL=/etc/skel" names the skeleton directory: when a user is created, the files in it are copied into the new user's home directory. If there are files every new account should start with, just copy them into the skel directory (and check its contents occasionally, since anything placed there ends up in every new home directory).
To change a default value, give the -D option together with the parameter you want to change.
# useradd -D -s /bin/tcsh
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/tcsh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#
The parameters available with -D are as follows.
■ -b : base directory under which home directories are created (HOME)
■ -e : account expiration date (EXPIRE)
■ -f : days after password expiry before the account is disabled (INACTIVE)
■ -g : default group (GROUP)
■ -s : default login shell (SHELL)
This is an example of creating a user. Let useradd create the home directory itself with the -m option, which copies the skel files and sets the ownership; a directory made by hand beforehand stays owned by root and gets no skel files.
# useradd -m test
Then look in /etc/passwd to confirm that the account was created correctly.
# grep '^test:' /etc/passwd
test:x:1001:1001::/home/test:
Deleting a user
Users can be deleted using the userdel command. By itself it removes only the account entries; add the -r option to also remove the user's home directory and mail spool. Files the user owned elsewhere on the system are not removed, so list them first with find / -user test: after the deletion they belong to an orphaned UID, and a later account that is assigned the same UID inherits them.
# userdel -r test
Edit user information
The usermod command edits an existing account. The options come first and the login name last.
ex) usermod -l test1234 test
■ -l : Changes the login name of the account (here test becomes test1234; the home directory keeps its old name unless -d and -m are given as well).
■ -L : Locks the account by putting a ! in front of the password hash, so password login fails.
■ -p : Sets the password field directly. It expects an already-hashed value, and the argument is visible in the shell history and process list, so prefer passwd or chpasswd.
■ -U : Unlocks an account that was locked with -L.
passwd and chpasswd
To change the password of a single user, use passwd as follows.
# passwd root
New password:
Retype new password:
chpasswd is useful when setting passwords for many users at once. It reads user:password lines from standard input.
# chpasswd
root:1234
snoopy:1234
test01:1234
Ctrl + D ==> Type to finish input.
chpasswd hashes the passwords before writing them to /etc/shadow, but they are in the clear on the way in: if you feed them from a file, give the file mode 600 and delete it afterwards, and do not pass them on a command line through echo, where they remain in the shell history.
chsh, chfn
The chsh command changes the login shell of a user.
# chsh -s /bin/csh test
Changing shell for test.
Shell changed.
#
The chfn command changes the user description (GECOS) information that is displayed by the finger command.
# chfn test
Changing finger information for test.
Name []: Ima Test
Office []: Director of Technology
Office Phone []: (123)555-1234
Home Phone []: (123)555-9876
Finger information changed.
# finger test
Login: test
Directory: /home/test
Office: Director of Technology
Home Phone: (123)555-9876
Never logged in.
No mail.
No Plan.
#
2. Using Linux Groups
The user management seen above is not enough to share resources. Groups are the mechanism for sharing resources between users, so let's see how to use them.
Group configuration information is in the /etc/group file.
$cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
rich:x:500:
mama:x:501:
katie:x:502:
jessica:x:503:
mysql:x:27:
test:x:504:
■ The first field is the group name.
■ The second field is the group password. An x means any password is kept in /etc/gshadow; group passwords are almost never used.
■ The third field is the group ID (GID).
■ The fourth field lists the users who have this group as a supplementary group. Users whose primary group it is (through the GID field of /etc/passwd) are not listed here, so this field alone does not show everyone in the group.
When adding a user to a group, do not edit the /etc/group file by hand; use usermod, which also keeps /etc/gshadow consistent.
Create a group and add users.
Create a group
# groupadd shared
# tail /etc/group
haldaemon:x:68:
xfs:x:43:
gdm:x:42:
mysql:x:27:
test:x:504:
shared:x:505:
#
Add users to groups
# /usr/sbin/usermod -aG shared rich
# tail /etc/group
haldaemon:x:68:
xfs:x:43:
test:x:504:
shared:x:505:rich,test
Note the -a: usermod -G on its own replaces the user's whole supplementary group list with the groups named, silently dropping the user from every other group (wheel, for example), whereas -aG appends to the list.
Edit group information
# groupmod -n sharing shared ==> The -n option changes the group name
# groupmod -g 2000 sharing ==> The -g option changes the group ID
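Because /etc/group lists only supplementary members, answering "who is in group shared" needs the GID field of /etc/passwd as well. The script below is an added example written for this page, not code from the original post: it resolves membership in both directions from constructed copies of the two files. The sample users and groups, and the choice of file paths as arguments, are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): resolve group membership from
# both files involved. /etc/group holds only supplementary members in its
# fourth field; a user's primary group is the GID field of /etc/passwd, so
# "who is in group shared" needs both. The functions take file paths and are
# run here on constructed copies, not on the real files.

# Constructed /etc/passwd-style sample: test has shared (GID 505) as its
# primary group and therefore does not appear in the group file's member list.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rich:x:500:500::/home/rich:/bin/bash
katie:x:502:502::/home/katie:/bin/bash
test:x:504:505::/home/test:/bin/bash
EOF

# Constructed /etc/group-style sample.
SAMPLE_GROUP=$(mktemp)
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:root
wheel:x:10:rich
rich:x:500:
katie:x:502:
shared:x:505:rich,katie
EOF
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT

# members_of GROUP GROUPFILE PASSWDFILE: every user whose primary or
# supplementary group is GROUP, sorted, one per line. Returns 1 when the
# group does not exist.
members_of() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    {
        # supplementary members: comma-separated field 4 of the group file
        awk -F: -v g="$1" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
        # primary members: anyone whose passwd GID field equals the group's GID
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# groups_of USER GROUPFILE PASSWDFILE: the user's groups, primary group first,
# then supplementary groups in group-file order (what id -Gn prints).
groups_of() {
    pgid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$3")
    [ -n "$pgid" ] || return 1
    awk -F: -v gid="$pgid" '$3 == gid { print $1 }' "$2"
    awk -F: -v u="$1" -v gid="$pgid" \
        '$3 != gid { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

echo "members of shared:"; members_of shared "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
echo "groups of rich:";    groups_of rich "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

Run members_of against wheel, sudo or docker on a real host to see who actually holds those privileges; the primary-group path is the one that a quick look at /etc/group misses.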
3. Using file permissions
You can check the permissions of each file and directory with ls -l.
The meaning of the first character at the far left of each line is as follows
■ - : a regular file
■ d : a directory
■ l : a symbolic link
■ c : a character device
■ b : a block device
■ p : a named pipe (FIFO)
■ s : a socket
The next 9 characters are read in groups of 3, giving the permissions of the owner, the group and everyone else, in that order. r is permission to read, w is permission to write, and x is permission to execute. On a directory, x is permission to enter it and w is permission to create, rename and delete entries in it, regardless of who owns those entries.
Understanding umask
On a Linux system, a file or directory created without explicit permissions gets default permissions, and those are determined by the umask value.
The file permissions below are what you get when umask is set to 022.
-rw-r--r-- 1 root root 0 Apr 12 22:27 newfile
A newly created file starts from full permissions of 666 (directories start from 777; files never get execute permission by default). The umask names the permission bits to take away. If the umask is 0022, the leading 0 is the special-bit position (SUID, SGID, sticky) and is normally left at 0; the second digit 0 takes nothing away from the owner, and the two 2s take the write bit away from the group and from others.
For a file the result is 666 with the 022 bits cleared, which gives 644.
644 written out as permission bits is rw-r--r--. For a directory the same umask gives 777 with the 022 bits cleared, which is 755 (rwxr-xr-x). Note that this is a bitwise operation, not subtraction: subtracting works for 022 by coincidence, but 666 minus 027 would be 639, which is not a valid mode, while clearing the 027 bits from 666 correctly gives 640 (rw-r-----).
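The umask computation above, as an added example written for this page rather than code from the original post: default_mode applies the mask the way the kernel does, naive_subtract is the decimal subtraction rule kept only to show where it breaks, mode_string renders the result as ls -l would, and live_check creates a real file and directory under the current umask and compares their modes with the prediction. The function names and the temporary-directory handling are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): compute the mode a new file or
# directory gets under a given umask. The kernel clears the umask bits with a
# bitwise AND NOT; it does not subtract, and the two differ as soon as a umask
# digit is larger than the corresponding digit of the base mode.

# default_mode UMASK KIND: octal mode of a new file (base 666) or directory
# (base 777) created under UMASK, e.g. default_mode 022 file -> 644.
default_mode() {
    case $2 in
        dir) base=0777 ;;
        *)   base=0666 ;;
    esac
    # The leading 0 makes $(( )) read the umask as octal; ~ inverts the mask.
    printf '%03o\n' $(( base & ~0$1 & 0777 ))
}

# naive_subtract UMASK KIND: the decimal "666 - umask" rule from the text,
# kept only to show where it goes wrong (expr works in decimal, as the rule
# does). Expects a three-digit umask.
naive_subtract() {
    case $2 in
        dir) base=777 ;;
        *)   base=666 ;;
    esac
    expr "$base" - "$1"
}

# mode_string OCTAL: render a three-digit octal mode as the rwx string that
# ls -l shows, e.g. 640 -> rw-r-----.
mode_string() {
    out=""
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# live_check: create a file and a directory under the shell's current umask
# and compare their real modes with the predicted ones. Prints "ok" or
# "mismatch". Uses a temporary directory that is removed afterwards.
live_check() {
    um=$(umask)
    dir=$(mktemp -d)
    touch "$dir/f"
    mkdir "$dir/d"
    got_f=$(ls -ld "$dir/f" | cut -c2-10)
    got_d=$(ls -ld "$dir/d" | cut -c2-10)
    rm -rf "$dir"
    if [ "$got_f" = "$(mode_string "$(default_mode "$um" file)")" ] &&
       [ "$got_d" = "$(mode_string "$(default_mode "$um" dir)")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone demonstration.
for um in 022 027 077; do
    echo "umask $um: file $(default_mode "$um" file) ($(mode_string "$(default_mode "$um" file)"))," \
         "dir $(default_mode "$um" dir), naive subtraction says $(naive_subtract "$um" file)"
done
echo "current umask $(umask) matches prediction: $(live_check)"
```

The 027 row is the one to remember: subtraction produces 639, which cannot be a mode at all, while the bitwise rule gives 640, the value a shared-group setup usually wants (owner writes, group reads, others nothing).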
4. Try changing permissions
The format of the command to change the permissions of a file or directory is as follows.
$ chmod [options] mode file
Here, mode can be expressed in numeric or symbolic form.
number format
$ chmod 760 newfile ==> 7 (rwx for the owner), 6 (rw for the group), 0 (no permission for others)
$ ls -l newfile
-rwxrw---- 1 rich rich 0 Sep 20 19:16 newfile*
symbolic format
Usage syntax: [ugoa...][+-=][rwxXstugo...]
example)
$ chmod o+r newfile ==> Add r (read) permission for o (others: everyone who is neither the owner nor in the group)
The meanings of the symbols are as follows.
[First group: who]
■ u : owner
■ g : group
■ o : others (everyone else)
■ a : all users
[Operator]
■ + : add the permission, - : remove it, = : set exactly the permissions listed
[Second group: what]
■ r : read permission
■ w : write permission
■ x : execute permission
■ X : execute permission only for directories and for files that already have it for someone, so that chmod -R a+X does not make plain files executable
■ s : set-user-ID (with u) or set-group-ID (with g) bit, t : sticky bit
5. Change Ownership
The method of changing the ownership of a file is as follows.
chown [options] owner[:group] filename
GNU chown also accepts a dot (.) as the separator, as in the examples below, but the colon is the documented form and is unambiguous when a user name itself contains a dot.
example)
1) Changing the owner only
# chown test testfile
# ls -l testfile
-rw-rw-r-- 1 test testuser 0 Sep 20 19:16 testfile
#
2) Changing the owner and group together (the group name follows the owner after a dot or colon)
# chown test1.test testfile
# ls -l testfile
-rw-rw-r-- 1 test1 test 0 Sep 20 19:16 testfile
#
3) Changing the group only
# chown .test1 testfile (the owner is omitted, so only the group changes)
# ls -l testfile
-rw-rw-r-- 1 test1 test1 0 Sep 20 19:16 testfile
#
4) Changing the owner and setting the group to that user's primary group
# chown test. testfile (a trailing dot with no group name selects the owner's login group)
# ls -l testfile
-rw-rw-r-- 1 test test 0 Sep 20 19:16 testfile
#
5) Useful options
-R: Applies the ownership change recursively to subdirectories and their contents. Be careful with it on trees that another user can write to: a symbolic link planted there pointing outside the tree can redirect the change unless -h (or --no-dereference) is also given.
-h: Changes the ownership of a symbolic link itself instead of the file it points to.
6) Points to note
Only the root user can change the owner of a file. An ordinary user can change only the group of files they own, and only to a group they are themselves a member of. The chgrp command changes just the group of a file or directory.
$ chgrp test testfile
$ ls -l testfile
-rw-rw-r-- 1 rich test 0 Sep 20 19:16 testfile*
$
6. File Sharing
When a user creates a file on a Linux system, the file is owned by the user's UID and GID. For other users to access it, you would have to change its permissions or its group, which is cumbersome on systems with many files or users. There is an easier way.
Linux has 3 additional permission bits, and each has the following effect when set.
■ The set-user-ID bit (SUID): When the file is executed, the process runs with the privileges of the file's owner instead of the user who ran it. A SUID root binary with any flaw is a direct route to root, so keep the number of such binaries small and review them; find / -perm -4000 -type f lists them.
■ The set-group-ID bit (SGID): On an executable, the process runs with the privileges of the file's group. On a directory, new files and subdirectories created inside it get the directory's group instead of the creator's primary group.
■ The sticky bit: On a directory (such as /tmp) it means that only a file's owner, the directory's owner or root can delete or rename the file, even though the directory is writable by everyone. On regular files it has no effect on modern Linux.
The numeric mode is usually written with three digits, as in chmod 755, but chmod treats that as chmod 0755: a leading fourth digit holds these bits, with 4 for SUID, 2 for SGID and 1 for the sticky bit. So chmod 1755 dir sets the sticky bit and chmod 2775 dir sets SGID. Here we use SGID for file sharing: once it is set on the test directory, every file created in that directory belongs to the directory's group.
$ mkdir test ==> Create the test directory
$ ls -ld test
drwxrwxr-x 2 rich rich 4096 Sep 20 23:12 test/
$ chgrp shared test ==> Change the group of the test directory to shared
$ chmod g+s test ==> Set SGID on the directory; files created in it now belong to group shared
$ ls -ld test
drwxrwsr-x 2 rich shared 4096 Sep 20 23:12 test/
$ umask 002 ==> New files get read and write for the owner and the group and read-only for others, so group members can edit each other's files
$ cd test
$ touch testfile
$ ls -l
total 0
-rw-rw-r-- 1 rich shared 0 Sep 20 23:13 testfile
$
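The same setup, as an added example written for this page rather than code from the original post: it builds the shared directory and then verifies the two properties that actually matter (the SGID bit is present, and a file created inside inherits the directory's group with group write permission) instead of assuming the chmod worked. It runs as an unprivileged user in a temporary directory, so the directory keeps the caller's own group; the chgrp to a dedicated shared group, which needs root or membership in that group, is the one step from the listing it assumes has been done on a real host.

```shell
#!/bin/sh
# Added example (not from the original page): set up a shared directory the
# way the listing above does and verify the result. Runs as an unprivileged
# user in a temporary directory; the chgrp step to a dedicated group is left
# out because it needs root or membership in that group.

# perm_string PATH: the 10-character type+permission field from ls -l
# (portable; stat -c %A is GNU-only). Any ACL or SELinux marker after it is cut off.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: the group column from ls -l.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# make_shared_dir DIR: create DIR with rwxrwxr-x plus SGID, the combined
# effect of the chmod g+s step in the listing. Prints the resulting
# permission string, which should read drwxrwsr-x (the s in the group slot).
make_shared_dir() {
    mkdir -p "$1"
    chmod 2775 "$1"
    perm_string "$1"
}

# create_in_shared DIR NAME: create DIR/NAME with umask 002, as the listing
# does, and print "inherited" if the file's group equals the directory's.
create_in_shared() {
    ( umask 002 && touch "$1/$2" )
    if [ "$(group_of "$1/$2")" = "$(group_of "$1")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

# sgid_dirs ROOT: directories under ROOT with SGID set, the check an auditor
# runs over /home or /srv to see which trees share files by group.
sgid_dirs() {
    find "$1" -type d -perm -2000
}

# Stand-alone demonstration in a throw-away directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
echo "directory: $(make_shared_dir "$WORK/test")"
echo "new file group: $(create_in_shared "$WORK/test" testfile)"
ls -l "$WORK/test"
echo "SGID directories under $WORK:"
sgid_dirs "$WORK"
```

The umask 002 in create_in_shared is what makes the sharing useful: with the default 022 the file would still belong to the shared group but be read-only for it, so the other members could read but not edit.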