




User Administration

Overview: User Policy Considerations; The User Account Database - /etc/passwd; Adding a New User Account; User Private Groups; Group Administration; Modifying/Deleting Accounts; Password Aging Policies; Login Shell Scripts; Non-Login Shell Scripts; Switching Accounts; Sudo; Network Users; Authentication Configuration; Example: NIS Configuration; Example: LDAP Configuration; File Ownership; Linux File Permissions; SUID/SGID Executables; The Sticky Bit; The Setgid Access Mode; Default File Permissions; Access Control Lists (ACLs)

一、 User Policy Considerations (factors to weigh when managing users)
1. Amount of system access beyond the existing user accounts (who, apart from the users already on the system, needs access)
   A. The amount of access to system files and resources (how many people access the system's files and resources)
   B. Whether to limit logins to certain times and places (whether some users may only log in at particular times and from particular places)
2. Expiration of passwords and accounts (how long a user's password remains valid)
   Whether to force periodic password changes
3. Disk usage and CPU limits
   A. Whether to enforce CPU and memory limits on users
   B. Whether to enable disk quotas

二、 The User Account Database - /etc/passwd
Contains account information used at login and by other programs (the login information for every user, also read by other programs)
1. One account per line with seven colon-delimited fields
   Field 1: the account name
   Field 2: "x" means a password is required to log in; removing the x lets the account log in without a password
   Field 3: the UID; root's UID is 0, UIDs 1-499 are reserved for system services and applications, and manually created accounts start at UID 500
   Field 4: the GID; root's GID is 0
   Field 5: finger information, a free-text comment about the account; view it with the finger command and change it with the chfn command
   Field 6: the account's home directory
   Field 7: the account's login shell; nologin means the account can only log in via ftp, false means the account can only send and receive mail and cannot log in to the system
2. Should have permissions rw-r--r-- (do not change the permissions of /etc/passwd, otherwise other users may be unable to log in)

三、 Adding a New User Account
1. The most common method is useradd: useradd username
2. Running useradd is equivalent to:
   A. Editing /etc/passwd, /etc/shadow and /etc/group
   B. Creating and populating the home directory
   C. Setting permissions and ownership
   Example: the files in /home/user3 are all copied from /etc/skel
3. Set the account password using passwd
4. Accounts may be added in a batch with newusers

四、 User Private Groups
1. When a user account is created, a private group with the same name is also created
   A. The user is assigned to this private group
   B. The user's new files are affiliated with this group
2. Advantage: prevents new files from belonging to a "public" group

五、 Group Administration
Entries are added to /etc/group with groupadd, groupmod and groupdel

六、 Modifying / Deleting Accounts
1. To change fields in a user's /etc/passwd entry you can:
   A. Edit the file by hand
   B. Use usermod options username
   Example 1: change user5's home directory location (the new directory must be created by hand)
   Example 2: add user1 to user6's group
2. To remove a user either:
   A. Manually remove the user from /etc/passwd, /etc/shadow, /etc/group and /var/spool/mail/username
   B. Use userdel -r username

七、 Password Aging Policies (how long a password stays valid)
1. By default, passwords do not expire
2. Forcing passwords to expire is part of a strong security policy
3. Modify the default expiration settings in /etc/login.defs
4. To modify password aging for existing users, use the chage command: chage options username
   Example: list an account's password aging information

八、 Login Shell Scripts
/etc/profile holds the global settings; it only runs for login shells, non-login shells do not invoke this script. It sources the scripts under /etc/profile.d/*.sh.
~/.bash_profile holds an individual user's settings; it sources ~/.bashrc, which in turn sources the rc file below: /etc/bashrc

九、 Non-Login Shell Scripts
~/.bashrc sources the rc files below: /etc/bashrc, /etc/profile.d/*.sh
Compare profile with bashrc

十、 Switching Accounts
1. Syntax: su - user; su - user -c command
2. Allows the user to temporarily become another user; the default user is root
3. The "-" option makes the new shell a login shell

十一、 sudo
1. Users listed in /etc/sudoers execute commands with:
   A. An effective user id of 0
   B. The group id of root's group
2. An administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo
   Only use the visudo command to open and edit /etc/sudoers
   Example: enter www1's password

十二、 Network Users
1. Information about users may be centrally stored and managed on a remote server
2. Two types of information must always be provided for each user account
   A. Account information: UID number, default shell, home directory, group memberships, and so on
   B. Authentication: a way to tell that the password provided on login for an account is correct

十三、 Authentication Configuration
1. system-config-authentication
   A. GUI tool to configure authentication
   B. For the text-based tool, use the -nox option
   C. authconfig
2. Supported account information services: local files, NIS, LDAP, Hesiod, Winbind
3. Supported authentication mechanisms: NSS, Kerberos, LDAP, SMB, Winbind

十四、 Example: NIS Configuration (client)
1. Must install the ypbind and portmap RPMs
2. Run system-config-authentication
   A. Enable NIS to provide user information
   B. Specify the NIS server and the NIS domain name
   C. Keep the default authentication
3. What does this actually do? (what the tool does on our behalf)
   Four text-based configuration files are changed:
   /etc/sysconfig/network: NISDOMAIN
   /etc/yp.conf: NIS server for the NIS domain
   /etc/nsswitch.conf: use NIS
   /etc/pam.d/system-auth: shadow NIS

十五、 LDAP Configuration (client)
1. Must install the nss-ldap and openldap RPMs
2. Run system-config-authentication
   A. Enable LDAP to provide user information
   B. Specify the server, the search base DN, and TLS
   C. Enable LDAP to provide authentication
3. What the authentication tool does:
   Four text-based configuration files are changed:
   /etc/ldap.conf: LDAP server, TLS
   /etc/openldap/ldap.conf: LDAP server, base DN
   /etc/nsswitch.conf: use LDAP
   /etc/pam.d/system-auth: use LDAP

十六、 File Ownership
1. Every file has both user and group "ownership"
2. A newly created file will be owned by:
   A. The user who creates it
   B. The current primary group of that user
   SGID directories may change this behavior
3. The chown command can be used by root to change ownership

十七、 Linux File Permissions
1. Access levels
   A. u user
   B. g group
   C. o other
2. Access modes
   A. r read
   B. w write
   C. x execute
3. Flags indicate the access mode for each access level
4. The file mode is a concise collective expression of the flag values

十八、 SUID/SGID Executables
1. Normally, processes started by a user run under the user and group security context of that user
2. SUID and/or SGID bits set on an executable file cause it to run under the user and/or group security context of the file's owner and/or group

十九、 The Sticky Bit
1. Normally, users with write permission on a directory can delete any file in that directory regardless of that file's permissions or ownership (write permission on the directory is enough to delete)
2. With the sticky bit set on a directory, only the owner of a file can delete the file (with the sticky bit set, only the file's owner can delete it)

二十、 The Setgid Access Mode
1. Normally, files created in a directory belong to the default group of the user (a file a user creates in a directory belongs to that user's default group)
2. When a file is created in a directory with the setgid bit set, it belongs to the same group as the directory (with setgid on the directory, files created inside it take the directory's group rather than the user's group)

二十一、 De
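The /etc/passwd field layout (section 二) and the password-aging policy (section 七) above both describe data that an administrator should audit, not just edit. The following shell script is an added example, not part of the course notes: it runs the checks those sections imply over constructed sample data embedded in the script (the accounts, hashes and the "today" value are all made up), so it needs no root and reads no real system file. It reports entries that do not have seven fields, UID 0 accounts other than root, an empty password field or hash, and passwords whose last-change day plus maximum age (shadow fields 3 and 5) lies before a given day count.

```shell
#!/bin/sh
# Added example (not from the course notes): audit constructed /etc/passwd and
# /etc/shadow style data for the problems the notes warn about.

# Constructed sample in /etc/passwd format. "broken" has only six fields,
# "backdoor" has UID 0, and "guest" has an empty password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user3:x:503:503:User Three:/home/user3:/bin/bash
backdoor:x:0:0:looks ordinary:/home/backdoor:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
broken:x:504:504:/home/broken:/bin/bash'

# Constructed sample in /etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:flag
# The hashes are placeholders, not real digests. user3 must change its password every 30 days.
SAMPLE_SHADOW='root:$6$constructed$hash:19000:0:99999:7:::
user3:$6$constructed$hash:18900:0:30:7:::
backdoor:$6$constructed$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# passwd_findings: one finding per line for the passwd sample
passwd_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        NF != 7 { print "malformed entry (expected 7 fields): " $0; next }
        $3 == 0 && $1 != "root" { print "uid 0 account besides root: " $1 }
        $2 == "" { print "empty password field: " $1 }
    '
}

# shadow_findings: accounts whose shadow entry carries no password hash at all
shadow_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '
        $2 == "" { print "empty password hash: " $1 }
    '
}

# expired_passwords TODAY: accounts whose password has passed its maximum age,
# where TODAY is a day count since 1970-01-01 (the unit /etc/shadow uses).
# Field 3 is the last change day, field 5 the maximum age; 99999 means "never".
expired_passwords() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v today="$1" '
        $5 != "" && $5 < 99999 && ($3 + $5) < today { print $1 }
    '
}

# Demo run with a constructed "today" of 19050 days (roughly early 2022).
passwd_findings
shadow_findings
expired_passwords 19050
```

On a real host the same awk programs can be pointed at /etc/passwd and (as root) /etc/shadow by replacing the printf with a cat of the file; the day count for "today" is what chage -l shows converted to days, or `$(( $(date +%s) / 86400 ))`.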
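Sections 十八 to 二十 above describe three special mode bits (SUID/SGID on executables, the sticky bit and the setgid bit on directories). The script below is an added example, not part of the course notes: it builds a scratch directory under mktemp with each bit set, then shows the find expressions an auditor uses to locate SUID/SGID files and setgid or sticky directories, and checks that a file created inside the setgid directory takes the directory's group. All paths and file names are constructed; nothing outside the temporary directory is touched and no root privilege is needed.

```shell
#!/bin/sh
# Added example (not from the course notes): create files carrying the special
# mode bits from the notes and list them the way a permissions audit would.

# make_fixture: build the scratch tree and print its path
make_fixture() {
    d=$(mktemp -d)
    : > "$d/suid_tool";  chmod 4755 "$d/suid_tool"   # runs as the file's owner
    : > "$d/sgid_tool";  chmod 2755 "$d/sgid_tool"   # runs with the file's group
    : > "$d/plain_tool"; chmod 0755 "$d/plain_tool"  # no special bits
    mkdir "$d/shared";   chmod 2775 "$d/shared"      # setgid dir: new files inherit its group
    mkdir "$d/scratch";  chmod 1777 "$d/scratch"     # sticky dir: only a file's owner may delete it
    printf '%s\n' "$d"
}

# suid_sgid_files DIR: regular files with the SUID or SGID bit, one path per line
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# setgid_dirs DIR / sticky_dirs DIR: directories with the setgid or sticky bit
setgid_dirs() { find "$1" -type d -perm -2000 | sort; }
sticky_dirs() { find "$1" -type d -perm -1000 | sort; }

# group_of PATH: group owner as shown by ls -ld (fourth column)
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# inherits_group DIR: create a file in DIR and report whether it took DIR's group
inherits_group() {
    : > "$1/newfile"
    if [ "$(group_of "$1/newfile")" = "$(group_of "$1")" ]; then echo yes; else echo no; fi
}

# Demo run on the constructed tree, cleaned up afterwards.
FIX=$(make_fixture)
echo "SUID/SGID files:";  suid_sgid_files "$FIX"
echo "setgid dirs:";      setgid_dirs "$FIX"
echo "sticky dirs:";      sticky_dirs "$FIX"
echo "setgid inheritance: $(inherits_group "$FIX/shared")"
rm -rf "$FIX"
```

The same find expressions run against / (with -xdev to stay on one filesystem) give the inventory of SUID/SGID binaries that the notes' security point is about: every entry in that list runs with someone else's privileges and should be a known, packaged binary.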