
1.权限管理 - 文件与目录的默认权限控制(umask)

[root@localhost ~]# umask
0022
[root@localhost ~]# echo "echo 'hello';" > sugid.sh
[root@localhost ~]# ls -l sugid.sh
-rw-r--r-- 1 root root 14 Sep 14 13:23 sugid.sh

  对应八进制sugid.sh的默认权限为644,这正是创建时请求的权限666
被umask 022按位清除后的结果。严格地说umask是位运算(mode & ~umask)
而不是算术减法:例如umask为033时,文件权限仍是644而不是633。常见的
创建方式(shell重定向、touch等)对普通文件请求的是666,不带x位,所以
普通文件默认最大只能得到666;目录请求的是777。x位要事后用chmod显式加上。

[root@localhost ~]# mkdir sugid
[root@localhost ~]# ls -l | grep sugid
drwxr-xr-x 2 root root       4096 Sep 14 13:31 sugid

777 & ~022 = 755(目录同样是按位清除,不是减法)


[root@localhost ~]# umask 0000
[root@localhost ~]# rm -f sugid.sh;touch sugid.sh

[root@localhost ~]# rm -rf sugid;mkdir sugid;ls -l | grep sugid
drwxrwxrwx 2 root root       4096 Sep 14 13:34 sugid
-rw-rw-rw- 1 root root          0 Sep 14 13:33 sugid.sh


2.SetUID与SetGID -- 调用者以文件拥有者/所属组的身份运行


[root@localhost ~]# ls -l ls_shadow.sh ; cat ls_shadow.sh
-rwxrwxrw- 1 root oinstall 17 Sep 14 14:03 ls_shadow.sh        --注意该脚本对other可写:任何本地用户都能改写一个root可能去执行的脚本,仅限演示
cat /etc/shadow;

[ora10g@localhost ~]$ /root/ls_shadow.sh
-bash: /root/ls_shadow.sh: Permission denied    --当前用户没有进入/root的权限

[root@localhost ~]# chgrp oinstall /root        --仅为演示:这样oinstall组成员就能进入并读取root的家目录,演示后应用 chgrp root /root 改回
[ora10g@localhost ~]$ /root/ls_shadow.sh
cat: /etc/shadow: Permission denied        --cat在继承当前用户权限后,无权限查看shadow文件

[root@localhost ~]# ls -l /bin/cat
-rwxr-xr-x 1 root root 25216 Jul 13  2009 /bin/cat
[root@localhost ~]# chmod u+s /bin/cat        --使/bin/cat以拥有者(root)身份运行。注意:这等于让系统上任何用户都能读任意文件(下面就读出了/etc/shadow),只能在实验机上做,做完立即 u-s 撤销,生产环境绝不可如此
[root@localhost ~]# ls -l /bin/cat
-rwsr-xr-x 1 root root 25216 Jul 13  2009 /bin/cat
[root@localhost ~]# su - ora10g
[ora10g@localhost ~]$ /root/ls_shadow.sh
root:$1$T/8xw6hF$LoDfMD9Pq4Ysel86RWFgG.:15586:0:99999:7:::
...


[root@localhost ~]# ls -l /bin/cat
-rwsr-xr-x 1 root root 25216 Jul 13  2009 /bin/cat
[root@localhost ~]# chmod u-s /bin/cat
[root@localhost ~]# ls -l /bin/cat
-rwxr-xr-x 1 root root 25216 Jul 13  2009 /bin/cat
[root@localhost ~]# chmod g+s /bin/cat        --以文件所属组的身份运行(setgid)
[root@localhost ~]# chgrp oinstall /bin/cat
[root@localhost ~]# su - ora10g
[ora10g@localhost ~]$ /root/ls_shadow.sh
cat: /etc/shadow: Permission denied

  说明:这里有两点。第一,Linux(2.2.13以后)对可执行文件做chown/chgrp时会清除
setuid/setgid位,root操作也不例外,所以先g+s再chgrp,setgid很可能已经被清掉了;
正确顺序是先chgrp再chmod g+s,并用ls -l确认组权限位出现"s"。第二,即使setgid
生效,cat也只是以oinstall组身份运行,而/etc/shadow的所属组一般不是oinstall
(且通常对组也无读权限),所以结果仍然是Permission denied。


PS: 组权限

[root@localhost /]# mkdir /student
[root@localhost /]# groupadd student
[root@localhost /]# chgrp student /student
[root@localhost /]# ls -l / | egrep '.+student'
drwxrwxrwx   2 root student  4096 Sep 14 14:27 student

[ora10g@localhost ~]$ cd /student/
[ora10g@localhost student]$

[root@localhost /]# chmod o-r-w-x /student        --等价于 chmod o-rwx /student,去掉other的全部权限

[ora10g@localhost ~]$ cd /student/
-bash: cd: /student/: Permission denied

[root@localhost /]# usermod -g oinstall -G dba,student ora10g        --注意-G会整体替换附加组列表(只想追加用-aG);组成员关系在登录时读取,需重新登录(su -)后才生效
[ora10g@localhost ~]$ cd /student/
[ora10g@localhost student]$

[ora10g@localhost student]$ rm -rf /student/
rm: cannot remove directory `/student/': Permission denied        --删除目录本身需要对其父目录(这里是/)有写+执行权限,与/student自身的权限无关;ora10g对/没有写权限,但对/student里的内容仍可增删


3./etc/passwd

root : x :         0    :  0 :  root  :         /root :      /bin/bash
|     |            |       |       |              |             |
name  password     uid    gid   GECOS           home dir      shell
      (x表示密码hash存于/etc/shadow)


[root@localhost /]# useradd -d /home/oo -g oinstall -G dba -s /bin/bash -c 'zhang yu test' oo

PS:用户可选用的登录shell(/etc/shells列出允许使用的shell,chsh -l显示的就是这个文件的内容)

[root@localhost skel]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh
[root@localhost skel]# chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/usr/bin/ksh
/usr/bin/pdksh

启动脚本:新建用户时,useradd会把/etc/skel目录下的模板文件(.bash_profile、.bashrc等)
复制到该用户的家目录,作为默认的shell启动脚本。


4./etc/shadow

root : $1$T/8xw6hF$LoDfMD9Pq4Ysel86RWFgG.: 15586 : 0 : 99999 : 7 : : :

  注意:$1$前缀表示MD5-crypt,按现在的标准已偏弱(现代发行版默认为$6$ SHA-512
或yescrypt);另外密码hash属于敏感数据,不应像这样原样公开,已贴出的hash对应的密码应立即更换。

各片段解释:

▼ Login name
■ Encrypted password
■ Days since January 1, 1970, that password was last changed  --最后变更密码时间,自1970/01/01到变更时天数
■ Days before password may be changed
■ Days after which password must be changed
■ Days before password is to expire that user is warned
■ Days after password expires that account is disabled
■ Days since January 1, 1970, that account is disabled
▲ A reserved field


  综上,/etc/shadow只有root可读(前面ora10g执行cat时的Permission denied正说明了这一点),
它既保护了密码hash不被普通用户读取,也承载了密码有效期、过期、警告等策略字段。


5./etc/group文件

student:x:502:ora10g,root

  字段:组名,组密码(x表示密码存于/etc/gshadow),组ID,组成员列表(逗号分隔)。

  另外,给group加密是使用gpasswd命令。

  给组设置密码后,即使当前用户不是该组成员,使用newgrp时只要输入了
正确的组密码,也可以切入这个组。注意这是一种共享口令机制,拿到口令的人都能
获得该组权限且难以审计,一般不推荐使用;需要授权时直接把用户加入组更安全。


6.删除用户

[root@localhost skel]# userdel -rf tt

-r 会连同用户的家目录和邮件spool一起删除,类似数据库中的cascade(级联删除)。
-f 是强制:即使用户仍在登录、家目录被其他用户共用、邮件spool不属于该用户也照删,
man userdel明确标注它是危险选项,可能让系统处于不一致状态;日常只用 userdel -r 即可。
