SoFunction
Updated on 2025-04-08

System security commands that must be learned in Linux, page 1/4

Although Linux and Windows NT/2000 are both multi-user systems, there are many important differences between them. Administrators who are accustomed to Windows face many new challenges in keeping a Linux system secure and reliable. This article focuses on the security-related commands of the Linux system.
passwd  

1. Function
The passwd command changes an account's login password. All users may use it.

2. Format
passwd [options] account-name

3. Main parameters
-l: Lock the named account; only the superuser may use this option.
-u: Unlock the named account; only the superuser may use this option.
-x, --maximum=DAYS: Maximum number of days the password remains valid; only the superuser may use this option.
-n, --minimum=DAYS: Minimum number of days before the password may be changed again; only the superuser may use this option.
-d: Delete the user's password; only the superuser may use this option.
-S: Show the password status (type of password authentication) of the specified user; only the superuser may use this option.

4. Application examples

$ passwd  
Changing password for user cao.  
Changing password for cao  
(current) UNIX password:  
New UNIX password:  
Retype new UNIX password:  
passwd: all authentication tokens updated successfully.  


As shown above, the passwd command asks for the current password and then for the new password twice.

su  

1. Function
su switches to the identity of another user. Unless you are the superuser, you must type that user's password.

2. Format
su [OPTION]... [-] [USER [ARG]...]

3. Main parameters
-f, --fast: Do not read the shell startup file; this option applies only to the csh and tcsh shells.
-l, --login: Behave as if the user had logged in afresh. Most environment variables (such as HOME, SHELL, USER, etc.) are set according to the target user, and the working directory changes as well. If no USER is given, root is assumed.
-m, -p, --preserve-environment: Keep the current environment variables when executing su.
-c command: Switch to USER, execute the given command, and then return to the original user.
USER: The account to switch to. ARG passes additional arguments to the new shell.

4. Application examples
Switch to the superuser, run the df command, and return to the original user afterwards:
su -c df root  

umask  

1. Function
umask sets the default mask applied when the user creates files and directories. If this command is placed in the profile file, it controls the access permissions of every file the user subsequently creates. It tells the system which permissions not to grant when a file is created. All users may use it.

2. Format
umask [-p] [-S] [mode]  

3. Parameters
-S: Display the current umask setting in symbolic form.
-p: Modify the umask setting.
[mode]: The new mask value.

4. Application instructions
The traditional Unix umask value is 022, which prevents other users in the same group and users in other groups from modifying the user's files. Since each user now owns and belongs to a private group of their own, this "group protection" mode is no longer needed. Strict permission settings form the basis of Linux security, and a mistake in permissions is fatal. Note that the umask command sets the read and write permissions of files created by the process. The safest value is 0077, which removes read and write permissions from every user other than the one who created the file; such a file is listed as -rw-------. Adding the line umask 0077 to ~/.bash_profile ensures that the umask of the process is set correctly each time the shell starts.

5. Application examples
umask -S  
u=rwx,g=rx,o=rx  
umask -p 177  
umask -S  
u=rw,g=,o=  

The commands above first display the current setting and then change the umask value to 177. As a result, only the file owner may read and write files created afterwards, and no other user can access them. This is obviously a very safe setup.
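The following added example (not from the original article) works out which permission bits a process grants to new files and directories under a given umask, then confirms the prediction against a file actually created on disk; the function names are my own and it assumes a Linux system with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example: predict and verify the effect of a umask value.
# New files start from 0666 and new directories from 0777; the umask
# clears whichever of those bits it has set.

# Print the octal mode a new file gets under umask $1 (e.g. 022, 0077, 177).
umask_file_mode() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Print the octal mode a new directory gets under umask $1; directories
# keep whatever execute (search) bits the mask leaves alone.
umask_dir_mode() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Create a probe file under umask $1 inside a subshell (so the caller's
# umask is untouched) and print the mode the kernel actually assigned.
umask_observed_file_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" ) || return 1
    stat -c '%a' "$dir/probe"
    rm -rf "$dir"
}

# Succeed only when the arithmetic prediction matches the observed mode.
umask_check() {
    [ "$(umask_file_mode "$1")" = "$(umask_observed_file_mode "$1")" ]
}

# Usage: compare the traditional 022 with the article's recommended 0077.
for m in 022 0077 177; do
    printf 'umask %s: file %s dir %s\n' "$m" \
        "$(umask_file_mode "$m")" "$(umask_dir_mode "$m")"
    umask_check "$m" && echo "  kernel agrees"
done
```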

chgrp  

1. Function
chgrp changes the group to which one or more files or directories belong. The usage permission is superuser.

2. Format
chgrp [options]... <group> <file>...
or
chgrp [options]... --reference=<reference file> <file>...
Set the group of each <file> to <group>.

3. Parameters
-c, --changes: Like --verbose, but reports only when a change is actually made.
--dereference: Affect the object a symbolic link points to, rather than the link itself.
-h, --no-dereference: Affect the symbolic link itself rather than its target (only valid on systems that support changing the owner of a symbolic link).
-f, --silent, --quiet: Suppress most error messages.
--reference=<reference file>: Use the group of <reference file> instead of a named <group>.
-R, --recursive: Process all files and subdirectories recursively.
-v, --verbose: Report on every file processed.

4. Application instructions
This command changes the group that the specified files belong to. The group may be given as a group ID or as a group name from the /etc/group file. The file names are a space-separated list of the files whose group is to be changed, and wildcards are supported. A user who is neither the owner of a file nor the superuser cannot change that file's group.

5. Application examples
Change the group of all files under /opt/local/book and its subdirectories to book with the following command:
$ chgrp -R book /opt/local/book

chmod

1. Function
The chmod command is very important: it changes the access permissions of a file or directory, and the user can use it to control who may access a file or directory. The usage rights are superuser.

2. Format
The chmod command can be used in two ways. One is the character setting method (relative permission setting), which uses letters and operator expressions; the other is the numeric setting method (absolute permission setting).
(1) Character setting method
chmod [who] [+ | - | =] [mode] filename

◆The operation object who can be any one of the following letters or a combination of them:
u: the user, that is, the owner of the file or directory.
g: the group, that is, all users whose group ID matches that of the file owner.
o: other users.
a: all users; this is the system default.

◆Operator symbols:
+: Add a permission.
-: Remove a permission.
=: Grant the given permission and remove all others (if any).

◆The permission mode can be any combination of the following letters:
r: readable.
w: writable.
x: executable.
X: Add the x bit only if the target is a directory or is already executable for some user.
s: When the file is executed, set the effective user or group ID of the process to that of the file's owner or group. "u+s" sets the set-user-ID bit of the file, and "g+s" sets the set-group-ID bit.
t: Keep the program's text in the swap device.
u: The same permissions as the file owner.
g: The same permissions as users in the file owner's group.
o: The same permissions as other users.
Filename: A space-separated list of files whose permissions are to be changed; wildcards are supported.
Several permission settings may be given on one command line, separated by commas.
(2) Numeric setting method
The general form of the numeric setting method is:
chmod [mode] filename
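The following added example (not from the original article) walks a scratch file and a scratch directory through several of the symbolic specs described above and reports the octal mode after each step, so the different behaviour of =, +, X, s and t on files versus directories is visible; the function names are my own and it assumes Linux with GNU coreutils (chmod, stat -c).

```shell
#!/bin/sh
# Added example: observe how symbolic chmod operators change the mode bits.

# Print the octal permission bits of $1, including the s and t bits (e.g. 640, 2750).
mode_of() {
    stat -c '%a' "$1"
}

# Apply the symbolic spec $2 to $1 and print the resulting mode.
apply_mode() {
    chmod "$2" "$1" && mode_of "$1"
}

# Regular file: "=" replaces the bits for each class, "X" adds nothing because
# the file has no execute bit yet, and "+" adds to what is already there.
# Prints the final mode (660).
symbolic_file_demo() {
    f=$(mktemp) || return 1
    apply_mode "$f" 'u=rw,g=r,o=' >/dev/null   # 640: owner rw, group r, others nothing
    apply_mode "$f" 'a+X' >/dev/null           # still 640: not a directory, no x bit present
    final=$(apply_mode "$f" 'g+w')             # 660: group gains write
    rm -f "$f"
    printf '%s\n' "$final"
}

# Directory: "X" does add search bits, "g+s" makes new entries inherit the
# directory's group, and "+t" (sticky) lets only an entry's owner delete it.
# Prints the final mode (3751).
symbolic_dir_demo() {
    d=$(mktemp -d) || return 1
    apply_mode "$d" 'u=rw,g=r,o=' >/dev/null   # 640
    apply_mode "$d" 'a+X' >/dev/null           # 751: x added for u, g and o
    apply_mode "$d" 'g+s' >/dev/null           # 2751: set-group-ID bit
    final=$(apply_mode "$d" '+t')              # 3751: sticky bit as well
    rmdir "$d"
    printf '%s\n' "$final"
}

# Usage: run both walks and show the final modes.
echo "file ends at $(symbolic_file_demo)"
echo "directory ends at $(symbolic_dir_demo)"
```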