I. The Linux security model
1>. Security AAA
AAA is not a concept unique to Linux; it appears in many areas, and Cisco, Microsoft and Huawei equipment, among others, all build their security on it. It is roughly broken down into the following terms.
Authentication: establishing who you are, i.e. verifying identity.
Authorization: once your identity has been verified, the permissions you are allowed to use.
Accounting (also called auditing): supervision that feeds back the problems that exist, for example security audits, corporate financial audits, and so on.
2>. Users
Token:
token, identity
Linux user:
Username/UID
Administrator:
root, 0 (note that an account is not the administrator because it is named root; it is the administrator because its UID is 0)
Ordinary users:
UIDs 1-60000 are assigned automatically, but if we specify the UID ourselves it may exceed the default allocation ceiling (60000). Linux users are divided into system users and login users.
System users: 1-499 (CentOS 6.x), 1-999 (CentOS 7.x); used to assign permissions to daemons that acquire resources (accounts that run software, e.g. the "mysql", "apache" and "hdfs" users)
Login users: 500+ (CentOS 6.x), 1000+ (CentOS 7.x); interactive logins (generally used to log in to the operating system, e.g. yinzhengjie)
3>. Groups
Linux group: Groupname/GID
Administrator group: root, 0
Ordinary groups:
System groups: 1-499 (CentOS 6.x), 1-999 (CentOS 7.x)
Ordinary groups: 500+ (CentOS 6.x), 1000+ (CentOS 7.x)
Categories of Linux groups:
The user's primary group: a user must belong to one and only one primary group. By default, when a user is created it is automatically added to a group with the same name as the user that contains only that user; we also call this the user's private group.
The user's supplementary groups: a user may belong to zero or more supplementary groups.
[root@node101.yinzhengjie.org.cn ~]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@node101.yinzhengjie.org.cn ~]#
4>. User and group configuration files
The main user and group configuration files on Linux:
/etc/passwd: users and their attributes (name, UID, primary group ID, etc.)
/etc/group: groups and their attributes
/etc/shadow: user passwords and related attributes
/etc/gshadow: group passwords and related attributes
The passwd file format is as follows:
login name: the login user name (wang)
passwd: the password (x)
UID: the user ID number (1000)
GID: the ID number of the default login group (1000)
GECOS: the user's full name or a comment
home directory: the user's home directory (/home/wang)
shell: the user's default shell (/bin/bash)
[root@node101.yinzhengjie.org.cn ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:995:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:994:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:996:993:GlusterFS daemons:/run/gluster:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
unbound:x:994:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
chrony:x:993:988::/var/lib/chrony:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:991:985:User for sssd:/:/sbin/nologin
setroubleshoot:x:990:984::/var/lib/setroubleshoot:/sbin/nologin
saned:x:989:983:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
The shadow file format:
login name
user password: generally hashed with sha512
days from 1 January 1970 until the password was last changed
number of days before the password may be changed again (0 means it may be changed at any time)
number of days after which the password must be changed (99999 means it never expires)
number of days before expiry on which the system starts warning the user (default one week)
number of days after expiry after which the account is locked
number of days from 1 January 1970 after which the account becomes invalid
[root@node101.yinzhengjie.org.cn ~]# cat /etc/shadow
root:$6$MLowZZoTkB4Lfzlp$6vkz/bmyWgvPZQEtlQ2Fki1EzZpUdcEecxp2rfzJ1IkvE9amik19QYv.6sYgxCiRgCNPRlfESp78KhUWbaKcN/: :0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18109::::::
dbus:!!:18109::::::
polkitd:!!:18109::::::
libstoragemgmt:!!:18109::::::
colord:!!:18109::::::
rpc:!!:18109:0:99999:7:::
gluster:!!:18109::::::
saslauth:!!:18109::::::
abrt:!!:18109::::::
rtkit:!!:18109::::::
pulse:!!:18109::::::
radvd:!!:18109::::::
rpcuser:!!:18109::::::
nfsnobody:!!:18109::::::
unbound:!!:18109::::::
chrony:!!:18109::::::
qemu:!!:18109::::::
tss:!!:18109::::::
usbmuxd:!!:18109::::::
geoclue:!!:18109::::::
ntp:!!:18109::::::
sssd:!!:18109::::::
setroubleshoot:!!:18109::::::
saned:!!:18109::::::
gdm:!!:18109::::::
gnome-initial-setup:!!:18109::::::
sshd:!!:18109::::::
avahi:!!:18109::::::
postfix:!!:18109::::::
tcpdump:!!:18109::::::
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:18122:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
The group file format:
group name: the name of the group
group password: usually not set; the password is recorded in /etc/gshadow
GID: the group's ID
list of users that have this group as a supplementary group (comma-separated)
[root@node101.yinzhengjie.org.cn ~]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
cgred:x:997:
printadmin:x:996:
libstoragemgmt:x:995:
colord:x:994:
rpc:x:32:
dip:x:40:
gluster:x:993:
ssh_keys:x:992:
saslauth:x:76:
abrt:x:173:
rtkit:x:172:
pulse-access:x:991:
pulse-rt:x:990:
pulse:x:171:
radvd:x:75:
rpcuser:x:29:
nfsnobody:x:65534:
unbound:x:989:
chrony:x:988:
kvm:x:36:qemu
qemu:x:107:
tss:x:59:
libvirt:x:987:
usbmuxd:x:113:
geoclue:x:986:
ntp:x:38:
sssd:x:985:
setroubleshoot:x:984:
saned:x:983:
gdm:x:42:
gnome-initial-setup:x:982:
sshd:x:74:
slocate:x:21:
avahi:x:70:
postdrop:x:90:
postfix:x:89:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
tcpdump:x:72:
yinzhengjie:x:1000:yinzhengjie
screen:x:84:
[root@node101.yinzhengjie.org.cn ~]#
The gshadow file format:
group name: the name of the group
group password:
group administrator list: the group's administrators, who may change the group password and its members
list of users that have this group as a supplementary group: multiple users are separated by commas
[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
wheel:::
cdrom:::
mail:::postfix
man:::
dialout:::
floppy:::
games:::
tape:::
video:::
ftp:::
lock:::
audio:::
nobody:::
users:::
utmp:!::
utempter:!::
input:!::
systemd-journal:!::
systemd-network:!::
dbus:!::
polkitd:!::
cgred:!::
printadmin:!::
libstoragemgmt:!::
colord:!::
rpc:!::
dip:!::
gluster:!::
ssh_keys:!::
saslauth:!::
abrt:!::
rtkit:!::
pulse-access:!::
pulse-rt:!::
pulse:!::
radvd:!::
rpcuser:!::
nfsnobody:!::
unbound:!::
chrony:!::
kvm:!::qemu
qemu:!::
tss:!::
libvirt:!::
usbmuxd:!::
geoclue:!::
ntp:!::
sssd:!::
setroubleshoot:!::
saned:!::
gdm:!::
gnome-initial-setup:!::
sshd:!::
slocate:!::
avahi:!::
postdrop:!::
postfix:!::
stapusr:!::
stapsys:!::
stapdev:!::
tcpdump:!::
yinzhengjie:!!::yinzhengjie
screen:!::
[root@node101.yinzhengjie.org.cn ~]#
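To tie the /etc/passwd and /etc/group formats above to the id(1) output shown in the groups section, here is an added example (not code from the original post) that resolves a user's primary and supplementary groups from constructed passwd and group lines; the account names and GIDs in the sample data are made up for this example.

```python
# Added example: resolve a user's groups from /etc/passwd and /etc/group
# lines the way id(1) does. The primary group comes from the GID field of
# the passwd entry (the user need not be listed in that group's member
# field); supplementary groups are every group whose member list names the
# user. Sample lines are constructed for this example.
from typing import Dict, List, Tuple

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "mail:x:8:12:mail:/var/spool/mail:/sbin/nologin",
    "postfix:x:89:89::/var/spool/postfix:/sbin/nologin",
    "yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash",
]

GROUP_LINES = [
    "root:x:0:",
    "wheel:x:10:yinzhengjie",
    "mail:x:12:postfix",
    "postfix:x:89:",
    "yinzhengjie:x:1000:yinzhengjie",  # private group that also lists its owner
]


def parse_passwd(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """name -> (UID, primary GID) for well-formed seven-field entries."""
    users = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; pwck would report it
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        users[name] = (int(uid), int(gid))
    return users


def parse_group(lines: List[str]) -> Dict[str, Tuple[int, List[str]]]:
    """name -> (GID, [members]) for well-formed four-field entries."""
    groups = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def resolve_id(username: str, passwd_lines: List[str], group_lines: List[str]):
    """Return (uid, primary_gid, [(gid, group_name), ...]).

    The list starts with the primary group, followed by the supplementary
    groups in /etc/group file order; a group is never listed twice even if
    the user also appears in the member field of its own primary group."""
    users = parse_passwd(passwd_lines)
    if username not in users:
        raise KeyError(f"no such user: {username}")
    uid, primary_gid = users[username]
    groups = parse_group(group_lines)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    ordered = [primary_gid]
    for _name, (gid, members) in groups.items():
        if username in members and gid not in ordered:
            ordered.append(gid)
    # A GID with no /etc/group entry is printed without a name, as id does.
    return uid, primary_gid, [(g, gid_to_name.get(g, "")) for g in ordered]


def format_id(username: str, passwd_lines=PASSWD_LINES, group_lines=GROUP_LINES) -> str:
    """Render the 'uid=...(name) gid=...(name) groups=...' line of id(1)."""
    uid, primary_gid, groups = resolve_id(username, passwd_lines, group_lines)
    primary_name = dict(groups)[primary_gid]
    groups_str = ",".join(f"{gid}({name})" for gid, name in groups)
    return f"uid={uid}({username}) gid={primary_gid}({primary_name}) groups={groups_str}"


if __name__ == "__main__":
    for user in ("root", "postfix", "yinzhengjie"):
        print(format_id(user))
```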
5>. User-related operations (corresponding to "/etc/passwd")
[root@node101.yinzhengjie.org.cn ~]# whatis passwd
passwd (5)           - password file
passwd (1)           - update user's authentication tokens
sslpasswd (1ssl)     - compute password hashes
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# man 5 passwd
PASSWD(5)                  Linux Programmer's Manual                  PASSWD(5)

NAME
       passwd - password file

DESCRIPTION
       The /etc/passwd file is a text file that describes user login accounts for the system. It should have read permission allowed for all users (many utilities, like ls(1) use it to map user IDs to usernames), but write access only for the superuser.

       In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and moreover the basic assumption used to be that of a friendly user-community. These days many people run some version of the shadow password suite, where /etc/passwd has an 'x' character in the password field, and the encrypted passwords are in /etc/shadow, which is readable by the superuser only.

       If the encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a password. Note that this functionality may be intentionally disabled in applications, or configurable (for example using the "nullok" or "nonull" arguments to pam_unix.so).

       If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record should be obtained from an NIS+ server.

       Regardless of whether shadow passwords are used, many system administrators use an asterisk (*) in the encrypted password field to make sure that this user can not authenticate him- or herself using a password. (But see NOTES below.)

       If you create a new login, first put an asterisk (*) in the password field, then use passwd(1) to set it.

       Each line of the file describes a single user, and contains seven colon-separated fields:

           name:password:UID:GID:GECOS:directory:shell

       The fields are as follows:

       name      This is the user's login name. It should not contain capital letters.

       password  This is either the encrypted user password, an asterisk (*), or the letter 'x'. (See pwconv(8) for an explanation of 'x'.)

       UID       The privileged root login account (superuser) has the user ID 0.

       GID       This is the numeric primary group ID for this user. (Additional groups for the user are defined in the system group file; see group(5)).

       GECOS     This field (sometimes called the "comment field") is optional and used only for informational purposes. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field.

                 GECOS stands for "General Electric Comprehensive Operating System", which was renamed to GCOS when GE's large systems division was sold to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENT card. Not elegant."

       directory This is the user's home directory: the initial directory where the user is placed after logging in. The value in this field is used to set the HOME environment variable.

       shell     This is the program to run at login (if empty, use /bin/sh). If set to a nonexistent executable, the user will be unable to login through login(1). The value in this field is used to set the SHELL environment variable.

FILES
       /etc/passwd

NOTES
       If you want to create user groups, there must be an entry in /etc/group, or no group will exist.

       If the encrypted password is set to an asterisk (*), the user will be unable to login using login(1), but may still login using rlogin(1), run existing processes and initiate new ones through rsh(1), cron(8), at(1), or mail filters, etc. Trying to lock an account by simply changing the shell field yields the same result and additionally allows the use of su(1).

SEE ALSO
       login(1), passwd(1), su(1), getpwent(3), getpwnam(3), crypt(3), group(5), shadow(5)

COLOPHON
       This page is part of release 3.53 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                            2012-05-03                           PASSWD(5)
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chfn yinzhengjie    # change the user's full name or comment (GECOS field)
Changing finger information for yinzhengjie.
Name [yinzhengjie]: jason
Office []: bigdata
Office Phone []: 10086
Home Phone []: 10010

Finger information changed.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# df -h | grep /dev/sr0
/dev/sr0                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rpm -ivh /run/media/root/CentOS\ 7\ x86_64/Packages/finger-0.17-52.el7.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:finger-0.17-52.el7               ################################# [100%]
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# finger yinzhengjie
Login: yinzhengjie                      Name: jason
Directory: /home/yinzhengjie            Shell: /bin/bash
Office: bigdata, x1-0086                Home Phone: x1-0010
Last login Wed Aug 14 12:46 (CST) on pts/4 from 172.30.1.1
Mail last read Wed Aug 14 12:50 2019 (CST)
No Plan.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie    # as we can see, the getent command retrieves the specified user's record
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chsh -s /bin/csh yinzhengjie    # here we change the login shell to "/bin/csh"
Changing shell for yinzhengjie.
Shell changed.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/csh
[root@node101.yinzhengjie.org.cn ~]#
6>. User password operations (corresponding to "/etc/shadow")
[root@node101.yinzhengjie.org.cn ~]# whatis shadow
shadow (5)           - shadowed password file
shadow (3)           - encrypted password file routines
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# man 5 shadow
SHADOW(5)                 File Formats and Conversions                 SHADOW(5)

NAME
       shadow - shadowed password file

DESCRIPTION
       shadow is a file which contains the password information for the system's accounts and optional aging information.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains 9 fields, separated by colons (“:”), in the following order:

       login name
           It must be a valid account name, which exist on the system.

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

           A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

       date of last password change
           The date of the last password change, expressed as the number of days since Jan 1, 1970.

           The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.

           An empty field means that password aging features are disabled.

       minimum password age
           The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.

           An empty field and value 0 mean that there are no minimum password age.

       maximum password age
           The maximum password age is the number of days after which the user will have to change her password.

           After this number of days is elapsed, the password may still be valid. The user should be asked to change her password the next time she will log in.

           An empty field means that there are no maximum password age, no password warning period, and no password inactivity period (see below).

           If the maximum password age is lower than the minimum password age, the user cannot change her password.

       password warning period
           The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.

           An empty field and value 0 mean that there are no password warning period.

       password inactivity period
           The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login).

           After expiration of the password and this expiration period is elapsed, no login is possible using the current user's password. The user should contact her administrator.

           An empty field means that there are no enforcement of an inactivity period.

       account expiration date
           The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

           Note that an account expiration differs from a password expiration. In case of an account expiration, the user shall not be allowed to login. In case of a password expiration, the user is not allowed to login using her password.

           An empty field means that the account will never expire.

           The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970.

       reserved field
           This field is reserved for future use.

FILES
       /etc/passwd
           User account information.

       /etc/shadow
           Secure user account information.

       /etc/shadow-
           Backup file for /etc/shadow.

           Note that this file is used by the tools of the shadow toolsuite, but not by all user and password management tools.

SEE ALSO
       chage(1), login(1), passwd(1), passwd(5), pwck(8), pwconv(8), pwunconv(8), su(1), sulogin(8).

shadow-utils 4.1.5.1              10/30/2018                           SHADOW(5)
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie    # we see that the password is not in the "/etc/passwd" file
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    # on CentOS 7.x the password is stored in the "/etc/shadow" file
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# pwunconv    # this command moves the password stored in "/etc/shadow" back into the "/etc/passwd" file
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie    # the password has indeed moved back
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    # but the entry in the "/etc/shadow" file is gone
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# pwconv    # store user names and passwords separately, i.e. put the password in the "/etc/shadow" file; this is where it is stored by default.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -L yinzhengjie    # lock the user
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    # after locking the user, an extra "!" appears in the password column; it is the marker that records whether the user is locked.
yinzhengjie:!$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd yinzhengjie    # after we change the user's password, the password turns out to be unlocked!
Changing password for user yinzhengjie.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:!$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -U yinzhengjie    # unlock the user
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -M 42 yinzhengjie    # set the user's maximum password age to 42 days
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:42:7:::
[root@node101.yinzhengjie.org.cn ~]#
C:\Users\yinzhengjie>net accounts    # Windows accounts also have an expiry time by default
强制用户在时间到期之后多久必须注销?:      从不
密码最短使用期限(天):                    0
密码最长使用期限(天):                    42    # the default expiry is 42 days
密码长度最小值:                          0
保持的密码历史记录长度:                   None
锁定阈值:                                从不
锁定持续时间(分):                        30
锁定观测窗口(分):                        30
计算机角色:                              WORKSTATION
命令成功完成。

C:\Users\yinzhengjie>
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:42:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -I 5 yinzhengjie    # set how many days after the password expires the user is locked; I set 5 days here: if the password is not changed within the 42 days specified above, the user is locked 5 days later, and a locked user cannot log in to the operating system.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:42:7:5::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:42:7:5::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -E 365 yinzhengjie    # set the account's validity in days; I set 365 here, but note that the count starts from 1970!
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:18142:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account
  -l, --lock              lock the named account
  -u, --unlock            unlock the named account
  -e, --expire            force the user to change the password at next login
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime
  -n, --minimum=DAYS      minimum password lifetime
  -w, --warning=DAYS      number of days before expiry on which to start warning the user
  -i, --inactive=DAYS     inactivity period
  -S, --status            report the password status of the named account
  --stdin                 read the new password from standard input

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo bigdata
bigdata
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie
Changing password for user yinzhengjie.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null    # the way passwords are changed in production
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -l yinzhengjie    # lock the user
Locking password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    # note the two "!" added in front of the password
yinzhengjie:!!$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -u yinzhengjie    # unlock the user
Unlocking password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -e yinzhengjie    # expire the user's password; at the next login the user must change it immediately.
Expiring password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:0:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
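The shadow format described in the configuration-files section and the usermod -L / passwd -l / passwd -e / chage -M / -I / -E effects demonstrated above can be checked mechanically. The following added example (not code from the original post) parses nine-field shadow lines and classifies each account's state on a constructed "today"; the sample entries, their placeholder hashes and the day numbers are made up for the example, but the last entry deliberately reproduces the 0:42:7:5:365 aging values set above to show that an expiry field of 365 means 1 January 1971, i.e. an account that is already expired.

```python
# Added example: interpret /etc/shadow aging fields the way login and
# pam_unix do. Days are counted as in the file, since 1970-01-01.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TODAY = 18200  # constructed "today" for the example, in days since 1970-01-01


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]


def _day(field: str) -> Optional[int]:
    """Empty aging fields mean 'not set'; everything else is a day count."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}: {line!r}")
    name, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields
    return ShadowEntry(name, pw, _day(lastchg), _day(mn), _day(mx),
                       _day(warn), _day(inact), _day(expire))


def password_state(e: ShadowEntry) -> str:
    """Classify the password field: empty, locked, disabled or a real hash."""
    if e.password == "":
        return "empty: no password asked for (unless nullok is disabled)"
    if e.password.startswith("!"):
        return "locked: '!' from usermod -L, '!!' from passwd -l"
    if e.password == "*":
        return "no hash: password login disabled"
    if e.password.startswith("$"):
        return "hashed"
    return "invalid hash: password login disabled"


def account_state(e: ShadowEntry, today: int = TODAY) -> str:
    """Apply the shadow(5) aging rules in the order login checks them."""
    # Field 8 disables the whole account; 0 is documented as 'do not use' and
    # is treated as 'never expires' here.
    if e.expire_day and today >= e.expire_day:
        return "account expired"
    if e.lastchg is None:
        return "aging disabled"
    if e.lastchg == 0:  # passwd -e sets this
        return "must change password at next login"
    if e.max_days is None:
        return "valid (no maximum age)"
    expiry_day = e.lastchg + e.max_days  # chage -M
    if today < expiry_day:
        warn_from = expiry_day - (e.warn_days or 0)
        return "valid (warning period)" if today >= warn_from else "valid"
    if e.inactive_days is None:
        return "password expired: change required at login"
    if today < expiry_day + e.inactive_days:  # chage -I grace period
        return "password expired: change required at login (grace period)"
    return "password inactive: account locked until reset by an administrator"


def audit(lines: List[str], today: int = TODAY) -> Dict[str, Tuple[str, str]]:
    """name -> (password state, account state) for every shadow line."""
    return {e.name: (password_state(e), account_state(e, today))
            for e in map(parse_shadow_line, lines)}


# Constructed sample entries; hashes are placeholders, not real digests.
SAMPLE_SHADOW = [
    "alice:$6$saltsalt$HASHPLACEHOLDER:18142:0:99999:7:::",
    "bob:!!$6$saltsalt$HASHPLACEHOLDER:18142:0:42:7:5::",
    "carol:$6$saltsalt$HASHPLACEHOLDER:0:0:42:7:5::",
    "dave:$6$saltsalt$HASHPLACEHOLDER:18142:0:42:7:5:365:",
    "erin:$6$saltsalt$HASHPLACEHOLDER:18160:0:42:7:::",
    "frank:*:17834:0:99999:7:::",
]

if __name__ == "__main__":
    for name, (pw_state, acct_state) in audit(SAMPLE_SHADOW).items():
        print(f"{name:8} {pw_state:55} {acct_state}")
```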
7>. Group-related operations (corresponding to "/etc/group")
[root@node101.yinzhengjie.org.cn ~]# whereis group
group: /etc/group /usr/share/man/man5/group.5.gz
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# man group
GROUP(5)                   Linux Programmer's Manual                   GROUP(5)

NAME
       group - user group file

DESCRIPTION
       The /etc/group file is a text file that defines the groups on the system. There is one entry per line, with the following format:

           group_name:password:GID:user_list

       The fields are as follows:

       group_name  the name of the group.

       password    the (encrypted) group password. If this field is empty, no password is needed.

       GID         the numeric group ID.

       user_list   a list of the usernames that are members of this group, separated by commas.

FILES
       /etc/group

BUGS
       As the 4.2BSD initgroups(3) man page says: No-one seems to keep /etc/group up-to-date.

SEE ALSO
       login(1), newgrp(1), getgrent(3), getgrnam(3), passwd(5)

COLOPHON
       This page is part of release 3.53 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                            2010-10-21                            GROUP(5)
8>. Group password operations (corresponding to "/etc/gshadow")
[root@node101.yinzhengjie.org.cn ~]# whereis gshadow
gshadow: /etc/gshadow /usr/include/gshadow.h /usr/share/man/man5/gshadow.5.gz
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# man gshadow
GSHADOW(5)                File Formats and Conversions                GSHADOW(5)

NAME
       gshadow - shadowed group file

DESCRIPTION
       /etc/gshadow contains the shadowed information for group accounts.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains the following colon-separated fields:

       group name
           It must be a valid group name, which exist on the system.

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, users will not be able to use a unix password to access the group (but group members do not need the password).

           The password is used when an user who is not a member of the group wants to gain the permissions of this group (see newgrp(1)).

           This field may be empty, in which case only the group members can gain the group permissions.

           A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

           This password supersedes any password specified in /etc/group.

       administrators
           It must be a comma-separated list of user names.

           Administrators can change the password or the members of the group.

           Administrators also have the same permissions as the members (see below).

       members
           It must be a comma-separated list of user names.

           Members can access the group without being prompted for a password.

           You should use the same list of users as in /etc/group.

FILES
       /etc/group
           Group account information.

       /etc/gshadow
           Secure group account information.

SEE ALSO
       gpasswd(5), group(5), grpck(8), grpconv(8), newgrp(1).

shadow-utils 4.1.5.1              10/30/2018                          GSHADOW(5)
[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:!!::yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd yinzhengjie    # we can set a password on the group
Changing the password for group yinzhengjie
New Password:
Re-enter new password:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:$6$D/VCeiXW$ZQjYDmM29epe6gYQh670NhKCc2CzrgO190qnQ2JDuV04qltsIAD5ZdiC.A.hKFNZn5DDvnNxuzmLMVoX8T.pp0:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
9>. Password policy
Password encryption
Encryption mechanisms:
Encryption: plaintext --> ciphertext
Decryption: ciphertext --> plaintext
One-way encryption: hash algorithms; different inputs give different digests, the same algorithm always produces output of a fixed length, and the original data cannot be recovered from the digest
Avalanche effect: a tiny change in the input causes a huge change in the result
md5: message digest, 128 bits
sha1: secure hash algorithm, 160 bits
sha224: 224 bits
sha256: 256 bits
sha384: 384 bits
sha512: 512 bits
Changing the password hashing algorithm: authconfig --passalgo=sha256 --update
Password complexity policy
Long enough
Use at least 3 of the 4 classes: digits, upper-case letters, lower-case letters and special characters
Use random passwords
Change passwords regularly, and do not reuse recently used passwords
The password aging timeline is illustrated in the figure below.
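Two checks that follow from this section, as an added example (not code from the original post): identifying which crypt(3) scheme each shadow password field uses from its "$id$" prefix, so that accounts still on md5crypt can be found after switching the algorithm with authconfig, and testing a candidate password against the complexity rules listed above. The prefix table, the minimum length of 12 and the sample shadow lines with placeholder hashes are assumptions made for this example.

```python
# Added example: hash-scheme identification for shadow fields and a checker
# for the complexity policy above (length, >= 3 of 4 character classes, no
# reuse of recent passwords). Sample data is constructed for the example.
import re
from typing import Dict, List, Optional, Tuple

# crypt(3) "$id$" prefixes; digest size in bits where the scheme has one.
CRYPT_IDS: Dict[str, Tuple[str, Optional[int], str]] = {
    "1": ("md5crypt", 128, "weak"),
    "5": ("sha256crypt", 256, "ok"),
    "6": ("sha512crypt", 512, "ok"),
    "y": ("yescrypt", None, "ok"),
}


def hash_algorithm(password_field: str) -> Tuple[str, Optional[int], str]:
    """Return (scheme, digest_bits, rating) for one shadow password field.

    A lock marker ('!' or '!!') is stripped first so a locked account still
    reports the scheme of the hash behind it; '*', bare '!'/'!!' and empty
    fields carry no hash at all."""
    field = password_field.lstrip("!")
    if field in ("", "*"):
        return ("none", None, "no hash")
    match = re.match(r"^\$([^$]+)\$", field)
    if match is None:
        # No "$id$" prefix: assumed to be legacy 13-character DES crypt.
        return ("des-crypt (assumed)", 56, "weak")
    return CRYPT_IDS.get(match.group(1), (f"unknown id {match.group(1)}", None, "review"))


def weak_hashes(shadow_lines: List[str]) -> List[str]:
    """Names of accounts whose stored hash uses a scheme rated weak."""
    weak = []
    for line in shadow_lines:
        fields = line.split(":")
        if len(fields) != 9:
            continue
        if hash_algorithm(fields[1])[2] == "weak":
            weak.append(fields[0])
    return weak


CLASS_TESTS = {
    "digit": str.isdigit,
    "upper": str.isupper,
    "lower": str.islower,
    "special": lambda c: not c.isalnum(),
}


def meets_policy(password: str, history=(), min_length: int = 12,
                 min_classes: int = 3) -> Tuple[bool, List[str]]:
    """Apply the page's policy; returns (ok, reasons it failed)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    present = sorted(name for name, test in CLASS_TESTS.items()
                     if any(test(c) for c in password))
    if len(present) < min_classes:
        reasons.append(f"only {len(present)} of 4 character classes: {present}")
    if password in history:
        reasons.append("reused from recent history")
    return (not reasons, reasons)


# Constructed shadow lines; hashes are placeholders, not real digests.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$HASHPLACEHOLDER:18142:0:99999:7:::",
    "legacy:$1$saltsalt$HASHPLACEHOLDER:15000:0:99999:7:::",
    "svc:!!$5$saltsalt$HASHPLACEHOLDER:18109:0:99999:7:::",
    "bin:*:17834:0:99999:7:::",
]

if __name__ == "__main__":
    print("accounts on weak schemes:", weak_hashes(SAMPLE_SHADOW))
    print(meets_policy("bigdata"))
    print(meets_policy("Big-Data2019!!", history=["Bigdata2018"]))
```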
10>. Operating on the user (group) and password (group) files
In general it is not recommended to edit these files directly, since it is easy to introduce format errors. If you insist on editing the user and password configuration files by hand, use the following tools, which include syntax checking.
vipw:
Equivalent to "vi /etc/passwd", except that the command checks the syntax.
"vipw -s" is equivalent to "vi /etc/shadow", also with syntax checking.
vigr:
Equivalent to "vi /etc/group", also with syntax checking.
"vigr -s" is equivalent to "vi /etc/gshadow", also with syntax checking.
pwck:
Checks the "/etc/passwd" configuration file, for example verifying whether each user has a home directory; it prints the corresponding messages after running.
grpck:
Checks the "/etc/group" configuration file; see "grpck --help" for details.
II. User and group management commands
User management commands
useradd
usermod
userdel
Group account maintenance commands
groupadd
groupmod
groupdel
1>. Creating users: useradd
[root@node101.yinzhengjie.org.cn ~]# useradd -h
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         specify the user's comment (GECOS) field
  -d, --home-dir HOME_DIR       use the specified (non-existent) path as the home directory
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               specify the user's primary group, as a group name or a GID
  -G, --groups GROUPS           specify the user's supplementary groups; the groups must already exist
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory; used for system users
  -M, --no-create-home          do not create a home directory; used for non-system users
  -N, --no-user-group           do not create a private group as the primary group; use the users group as the primary group
  -o, --non-unique              together with "-u", do not check that the UID is unique
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system user; note that the UID is below 500 on CentOS 6.x and below 1000 on CentOS 7.x
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             specify the user's default shell program; the available shells are listed in the "/etc/shells" file
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -D    # show the default settings
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/default/useradd    # the defaults shown above all come from this file
# useradd defaults file
GROUP=100                # default GID is 100, i.e. the users group
HOME=/home               # where home directories are created
INACTIVE=-1              # grace period after a password expires; -1 means the grace period never ends
EXPIRE=                  # account expiration date, i.e. how long the account may be used
SHELL=/bin/bash          # default login shell
SKEL=/etc/skel           # skeleton directory copied into every new home directory
CREATE_MAIL_SPOOL=yes
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/login.defs    # default user configuration
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent group users
users:x:100:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -N tom    # do not create a private group as the primary group; use the users group instead
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id tom
uid=1001(tom) gid=100(users) groups=100(users)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ls -a /etc/skel/
.  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ls -a /home/tom/    # the contents of the new home directory match the "SKEL" setting in "/etc/default/useradd"
.  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -r mysql -s /sbin/nologin    # with "-r" no home directory is created, because this is a system account; "-s" sets the login shell
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id mysql    # on CentOS 7.X the UID of a system account is below 1000, as configured in "/etc/login.defs"
uid=987(mysql) gid=981(mysql) groups=981(mysql)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd mysql
mysql:x:987:981::/home/mysql:/sbin/nologin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -u 10086 jason    # create user jason with UID 10086
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id jason
uid=10086(jason) gid=10086(jason) groups=10086(jason)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd jason
jason:x:10086:10086::/home/jason:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie    # by default every user has a unique UID; creating two different user names that share one UID, and therefore the same permissions, requires a useradd option
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -u 1000 -o jenny    # with "-o" we create two different user names with the same UID; this is the way to give two names one UID's permissions
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny    # Linux identifies users by UID, so two names on one UID can produce confusing results, as shown below; use this with care
jenny:x:1000:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/    # the two users still have different home directories
total 0
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 yinzhengjie jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent group yinzhengjie
yinzhengjie:x:1000:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -g yinzhengjie danny    # create user danny with "yinzhengjie" as its primary group instead of the default same-name group
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id danny
uid=10088(danny) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -g root -G yinzhengjie,jason,jenny yzj    # create user yzj with root as its primary group and yinzhengjie, jason and jenny as supplementary groups, much like an ops engineer who wears several hats in a company
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g yinzhengjie    # list the members of group yinzhengjie
yinzhengjie  yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jason
yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jenny
yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups yzj    # list the groups of user yzj; the first one is the primary group, the rest are supplementary groups
yzj : root yinzhengjie jason jenny
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/    # a user can belong to many groups, but the home directory still belongs to the primary group, as shown below
total 0
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -d /data/bigdata hdfs    # create the user with "/data/bigdata" as its home directory
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/
total 0
drwx------. 3 hdfs hdfs 78 Sep  3 17:41 bigdata
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /data/bigdata/ -a    # the default contents of the home directory match the "/etc/skel" directory
total 12
drwx------. 3 hdfs hdfs  78 Sep  3 17:41 .
drwxr-xr-x. 3 root root  21 Sep  3 17:41 ..
-rw-r--r--. 1 hdfs hdfs  18 Oct 31  2018 .bash_logout
-rw-r--r--. 1 hdfs hdfs 193 Oct 31  2018 .bash_profile
-rw-r--r--. 1 hdfs hdfs 231 Oct 31  2018 .bashrc
drwxr-xr-x. 4 hdfs hdfs  39 Aug  1 21:58 .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /etc/skel/ -a
total 24
drwxr-xr-x.   3 root root   78 Apr 11  2018 .
drwxr-xr-x. 146 root root 8192 Sep  3 17:41 ..
-rw-r--r--.   1 root root   18 Oct 31  2018 .bash_logout
-rw-r--r--.   1 root root  193 Oct 31  2018 .bash_profile
-rw-r--r--.   1 root root  231 Oct 31  2018 .bashrc
drwxr-xr-x.   4 root root   39 Aug  1 21:58 .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -r -m apache    # "-r" creates a system account, which normally gets no home directory; add "-m" to create one anyway
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id apache
uid=986(apache) gid=980(apache) groups=980(apache)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -M dengziqi    # create the user without a home directory
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id dengziqi
uid=10091(dengziqi) gid=10091(dengziqi) groups=10091(dengziqi)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd dengziqi
dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat user.txt    # the file uses the same format as "/etc/passwd"
hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# newusers user.txt    # newusers creates users in batch from a "/etc/passwd"-format file
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/passwd    # the users were created
hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/    # their home directories were created as well
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 2 hadoop101   hadoop101     6 Sep  5 09:36 hadoop101
drwx------. 2 hadoop102   hadoop102     6 Sep  5 09:36 hadoop102
drwx------. 2 hadoop103   hadoop103     6 Sep  5 09:36 hadoop103
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
hadoop101:$6$0wBgf/Cr$vYRQzifVMrxaXwlsn/7FxsS/Ekjw4x.aNElIIMgyvsCT6.7KQmG2DGNKJtyx./.ARcLOGW09035OH9g/NZ4A8.:18144:0:99999:7:::
hadoop102:$6$g6O4GJL21PZH$TMZGml4bo1BVBWEpE145mvxjlYzYIDDpKXweFzUbeoGeIdckN3bDnRAtOzdWwOXaWsyxxW39hzAGhcRSumHZH/:18144:0:99999:7:::
hadoop103:$6$cCnLp/tV0jS/$5AST/AOjMOrd5EIWRoDek2uR1VPHyCMCM7iHLJXjmxrvq5z5AFpMSt1Letqt7FTv1PSkg51MEPm4sH66hux/r1:18144:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat passwd.txt    # format of the password file
hadoop101:yinzhengjie
hadoop102:yinzhengjie
hadoop103:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat passwd.txt | chpasswd    # change the passwords in batch
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
hadoop101:$6$dDpTknD8SzSKoq$mgvwwy03zUFurrxw6GKvhkUClLL7r/Hsb5Jg1XzVF1KimXDHDlAZiqoma0GDTBYdgtC7Mav86w.CwiLqklHIy0:18144:0:99999:7:::
hadoop102:$6$LDGCW/7daOR/Pm$5YqXe6HXW22RQRjDp/xHnuMTfzdEekP0vcf9oPs7o2M.OD24HE24CEu5lO2TlNrH1WXIhzaMMkkGTyfFnn7RV/:18144:0:99999:7:::
hadoop103:$6$CBgr./2XG$HC4Y2YHYiRar76y9QLHp.qY3I3lG.mn.z2qLSm.jUES3QCDqgGAgYQ7PrHNsX9VCYOn9jjLPBIBPwcBAcY4jW0:18144:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
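pwck and grpck above check the live files; the "-o" example and the newusers batch file are two places where the same kind of check is worth running before a change is applied. As an added example that is not the page's own script, the following shell function performs a pwck-style check on any passwd-format file: field count, login shell present in the shells list, and UIDs shared by more than one name (the situation "useradd -o" creates). The sample passwd and shells files are constructed for the example; on a real host you would point it at /etc/passwd and /etc/shells, or at the file you are about to hand to newusers.

```shell
#!/bin/sh
# Added example, not from the original page: a pwck-style consistency check for
# passwd-format files, run here against constructed sample data so it works offline.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHELLS=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tom:x:1001:100::/home/tom:/bin/bash
yinzhengjie:x:1000:1000::/home/yinzhengjie:/bin/bash
jenny:x:1000:10087::/home/jenny:/bin/bash
broken:x:2000:2000:/home/broken:/bin/bash
odd:x:2001:2001::/home/odd:/bin/zsh
EOF
cat > "$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/bash
/bin/csh
/sbin/nologin
EOF

# check_passwd PASSWD_FILE SHELLS_FILE -> one finding per line, nothing when clean
check_passwd() {
    awk -F: -v shells="$2" '
        BEGIN { while ((getline s < shells) > 0) ok[s] = 1 }   # allowed login shells
        NF != 7 { printf "%s: expected 7 fields, got %d\n", $1, NF; next }
        $7 != "" && !($7 in ok) {                               # empty shell field means /bin/sh
            printf "%s: shell %s is not listed in the shells file\n", $1, $7
        }
        { names[$3] = names[$3] (names[$3] == "" ? "" : ",") $1 }   # collect names per UID
        END {
            for (uid in names)
                if (index(names[uid], ","))
                    printf "uid %s is shared by %s\n", uid, names[uid]
        }' "$1"
}

# count_findings PASSWD_FILE SHELLS_FILE -> number of findings
count_findings() {
    check_passwd "$1" "$2" | wc -l | tr -d ' '
}

check_passwd "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
```

A shared UID is not always a mistake (the page shows a deliberate "-o"), but it is worth surfacing, because ownership, quotas and audit records all resolve to whichever name comes first in the file.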
2>. Modifying user attributes: usermod
[root@node101.yinzhengjie.org.cn ~]# usermod -h
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new comment
  -d, --home HOME_DIR           new home directory; it is not created automatically. To create it and move the old home directory's contents, add "-m"
  -e, --expiredate EXPIRE_DATE  set the account expiration date
  -f, --inactive INACTIVE       set the password inactivity period
  -g, --gid GROUP               new primary group
  -G, --groups GROUPS           new supplementary groups; the existing ones are replaced unless "-a" is also given
  -a, --append                  append the user to the supplemental GROUPS mentioned by the -G option without removing him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new login name
  -L, --lock                    lock the account by prefixing its password field in "/etc/shadow" with "!"
  -m, --move-home               move contents of the home directory to the new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell
  -u, --uid UID                 new UID
  -U, --unlock                  unlock the account by removing the "!" from its password field in "/etc/shadow"
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
jenny:x:1000:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -u 10087 jenny    # change jenny's UID; the user must not be logged in while its UID is changed, otherwise the command may fail
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=10087(jenny) gid=10087(jenny) groups=10087(jenny)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
jenny:x:10087:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd hdfs    # note the home directory and UID of the hdfs user
hdfs:x:10090:10090::/data/bigdata:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id hdfs
uid=10090(hdfs) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -l hadoop hdfs -d /home/hadoop    # rename user hdfs to hadoop and set "/home/hadoop" as its home directory; the directory is not created automatically, so we have to do that by hand
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# mv /data/bigdata/ /home/hadoop    # move the old "hdfs" home directory to the path configured for "hadoop"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd hadoop    # the home directory and UID of hadoop match those of the former hdfs user
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/passwd
danny:x:10088:1000::/home/danny:/bin/bash
yzj:x:10089:0::/home/yzj:/bin/bash
apache:x:986:980::/home/apache:/bin/bash
dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -aG dengziqi,hadoop yzj    # append the supplementary groups "dengziqi" and "hadoop" to user "yzj"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hadoop)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hadoop)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -G "" yzj    # clear all supplementary groups; note that "-a" is not used here
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root
[root@node101.yinzhengjie.org.cn ~]#
3>. Deleting users: userdel
[root@node101.yinzhengjie.org.cn ~]# userdel -h    # show the help of the "userdel" command
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force some actions that would fail otherwise
                                e.g. removal of user still logged in
                                or files, even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent passwd yzj
yzj:x:10089:0::/home/yzj:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# userdel -r yzj    # delete the user together with its home directory (use with care in production: the employee may have left, but their data may still be needed by colleagues)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
4>. Viewing a user's ID information
[root@node101.yinzhengjie.org.cn ~]# id postfix    # show the ID information of user "postfix"; if the user does not exist, a "no such user" error is reported
uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id -u postfix    # show the UID of "postfix"
89
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id -g postfix    # show the GID of "postfix"
89
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id -G postfix    # show the IDs of all groups "postfix" belongs to, supplementary groups included
89 12
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id -nG postfix    # show names instead of IDs; "-n" must be combined with "-u", "-g" or "-G"
postfix mail
[root@node101.yinzhengjie.org.cn ~]#
5>. Switching users or running a command as another user (su requires that you know the target user's password, unless you are running it as root)
[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# pwd
/data
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su yinzhengjie    # partial switch: the new shell keeps the previous user's environment variables and working directory
[yinzhengjie@node101.yinzhengjie.org.cn /data]$
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ pwd    # the working directory did not change; we are not in the home directory of "yinzhengjie"
/data
[yinzhengjie@node101.yinzhengjie.org.cn /data]$
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ echo $PATH    # the environment is still root's, not that of "yinzhengjie"
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[yinzhengjie@node101.yinzhengjie.org.cn /data]$
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ exit    # leave the switched shell
exit
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su -l yinzhengjie    # full switch: the working directory becomes the user's home directory and the environment is replaced, the same as logging in over ssh
Last login: Thu Sep  5 10:15:15 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH    # the environment variables have changed
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd    # the working directory is now the home directory of "yinzhengjie"
/home/yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit    # log out of the switched user
logout
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su - yinzhengjie    # full switch; equivalent to "su -l yinzhengjie"
Last login: Thu Sep  5 10:15:42 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd
/home/yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn /data]#
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ su -l -c 'getent passwd hadoop'    # with no user name after -l, su switches to root; -c runs a single command as root and returns to the current user afterwards instead of leaving you in a root shell
Password:
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
6>. Creating groups: groupadd
[root@node101.yinzhengjie.org.cn ~]# groupadd -h
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 GID of the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system group; its GID is below 500 on CentOS 6.X and below 1000 on CentOS 7.X
  -R, --root CHROOT_DIR         directory to chroot into
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupadd yarn    # create the group yarn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent group yarn
yarn:x:10092:
[root@node101.yinzhengjie.org.cn ~]#
7>. Modifying group attributes: groupmod
[root@node101.yinzhengjie.org.cn ~]# groupmod -h
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID                 new GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      new group name
  -o, --non-unique              allow to use a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted) PASSWORD
  -R, --root CHROOT_DIR         directory to chroot into
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/    # note that the group of the "hadoop" home directory is "hdfs"
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmod -n hadoop hdfs    # rename group "hdfs" to "hadoop"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /home/    # the group shown for the hadoop home directory is now "hadoop" as well
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
8>. Deleting groups: groupdel
[root@node101.yinzhengjie.org.cn ~]# groupdel -h
Usage: groupdel [options] GROUP

Options:
  -h, --help                    display this help message and exit
  -R, --root CHROOT_DIR         directory to chroot into
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent group yarn
yarn:x:10092:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -aG yarn yinzhengjie    # add "yarn" as a supplementary group of user "yinzhengjie"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie),10092(yarn)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupdel yarn    # delete the group yarn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
9>. Changing group passwords: gpasswd
[root@node101.yinzhengjie.org.cn ~]# gpasswd -h
Usage: gpasswd [option] GROUP

Options:
  -a, --add USER                add USER to GROUP
  -d, --delete USER             remove USER from GROUP
  -h, --help                    display this help message and exit
  -Q, --root CHROOT_DIR         directory to chroot into
  -r, --delete-password         remove the GROUP's password
  -R, --restrict                restrict access to GROUP to its members
  -M, --members USER,...        set the list of members of GROUP
  -A, --administrators ADMIN,...
                                set the list of users with administrative rights over GROUP
Except for the -A and -M options, the options cannot be combined.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/group
dengziqi:x:10091:
hadoop:x:10090:
hadoop101:x:2019:
hadoop102:x:2020:
hadoop103:x:2021:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -a hadoop dengziqi    # add user hadoop to group "dengziqi"
Adding user hadoop to group dengziqi
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop dengziqi
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop dengziqi
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -d hadoop dengziqi    # remove user "hadoop" from group "dengziqi"
Removing user hadoop from group dengziqi
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd root    # set a password on the root group
Changing the password for group root
New Password:
Re-enter new password:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -r root    # remove the password of the root group
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id hadoop    # show the group information of user hadoop
uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop),10091(dengziqi)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# su - hadoop
Last login: Thu Sep  5 11:48:15 CST 2019 on pts/0
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ touch a.txt
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ ll
total 0
-rw-rw-r--. 1 hadoop hadoop 0 Sep  5 11:54 a.txt
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ groups    # show group information
hadoop dengziqi
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ newgrp dengziqi    # temporarily make the supplementary group "dengziqi" the primary group
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ groups
dengziqi hadoop
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ touch b.txt    # create a file; its group is now "dengziqi"
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ ll
total 0
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
-rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ exit
exit
[hadoop@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# su - hadoop
Last login: Thu Sep  5 11:53:56 CST 2019 on pts/0
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ touch c.txt    # after logging out and back in, the temporary primary group set by newgrp is gone
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ ll
total 0
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
-rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 c.txt
[hadoop@node101.yinzhengjie.org.cn ~]$
10>. Changing and viewing group members
[root@node101.yinzhengjie.org.cn ~]# groupmems -h
Usage: groupmems [options] [action]

Options:
  -g, --group groupname         operate on the given group instead of the caller's own group (root only)
  -R, --root CHROOT_DIR         directory to chroot into

Actions:
  -a, --add username            add the user to the group
  -d, --delete username         remove the user from the group
  -h, --help                    display this help message and exit
  -p, --purge                   remove all members from the group
  -l, --list                    list the members of the group
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -a root    # add the root user to the "yinzhengjie" group
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie root
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l    # list the members of the group
yinzhengjie root
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -d root    # remove the "root" user from the "yinzhengjie" group
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie root
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -p    # purge all members; this only edits the member list in /etc/group (supplementary membership), a user's primary group (the GID in /etc/passwd) is not touched
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie    # the primary group is still there
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
11>. Hands-on exercises
Exercise 1: create the user gentoo with supplementary groups bin and root, default shell /bin/csh and the comment "Gentoo Distribution".
Exercise 2: create the following users, group and memberships:
  a group named webs
  user nginx, with webs as a supplementary group
  user varnish, with webs as a supplementary group
  user mysql, which cannot log in interactively and is not a member of webs
  nginx, varnish and mysql all get the password "yinzhengjie"
[root@node101.yinzhengjie.org.cn ~]# useradd -s /bin/csh -c "Gentoo Distribution" -G bin,root gentoo
[root@node101.yinzhengjie.org.cn ~]# groups gentoo
gentoo : gentoo root bin
[root@node101.yinzhengjie.org.cn ~]# id gentoo
uid=10092(gentoo) gid=10092(gentoo) groups=10092(gentoo),0(root),1(bin)

Membership of the root group (GID 0) is not the same as UID 0, but it does grant whatever group permissions root-owned files carry, so outside an exercise like this it should be avoided.
[root@node101.yinzhengjie.org.cn ~]# groupadd webs
[root@node101.yinzhengjie.org.cn ~]# useradd -G webs nginx
[root@node101.yinzhengjie.org.cn ~]# useradd -G webs varnish
[root@node101.yinzhengjie.org.cn ~]# useradd -s /sbin/nologin mysql
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin nginx
Changing password for user nginx.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin varnish
Changing password for user varnish.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin mysql
Changing password for user mysql.
passwd: all authentication tokens updated successfully.

passwd --stdin is specific to Red Hat derivatives such as CentOS. Keep in mind that a password typed into an echo pipeline like this ends up in the shell history; on a real system use chpasswd with input from a file or set the password interactively.
III. File permissions
1>. File attributes
2>. Changing a file's owner and group
File ownership operations:
  chown sets the owner of a file (and optionally its group)
  chgrp sets the group of a file
Only root may give a file to another user; an unprivileged owner may change a file's group only to a group they belong to.
[root@node101.yinzhengjie.org.cn ~]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
  or:  chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --from=CURRENT_OWNER:CURRENT_GROUP
                         change the owner and/or group of each file only if
                         its current owner and/or group match those specified
                         here.  Either may be omitted, in which case a match
                         is not required for the omitted attribute
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's owner and group rather than
                         specifying OWNER:GROUP values
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Owner is unchanged if missing.  Group is unchanged if missing, but changed
to login group if implied by a ':' following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
  chown root /u        Change the owner of /u to "root".
  chown root:staff /u  Likewise, but also change its group to "staff".
  chown -hR root /u    Change the owner of /u and subfiles to "root".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chown invocation'
[root@node101.yinzhengjie.org.cn ~]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Examples:
  chgrp staff /u      Change the group of /u to "staff".
  chgrp -hR staff /u  Change the group of /u and subfiles to "staff".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chgrp invocation'
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# chown yinzhengjie file.txt    # change the owner to user "yinzhengjie"
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# chgrp bin file.txt    # change the group of the file
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# chown root:yinzhengjie file.txt    # chown can change owner and group in one go; separate them with ":"
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# ll -R
.:
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
drwxr-xr-x. 2 root root        32 Sep  5 14:44 home

./home:
total 0
-rw-r--r--. 1 root root 0 Sep  5 14:44 a.txt
-rw-r--r--. 1 root root 0 Sep  5 14:44 b.txt
[root@node101.yinzhengjie.org.cn ~]# chown -R yinzhengjie.yinzhengjie home    # recursively change the owner and group of a directory and everything below it
[root@node101.yinzhengjie.org.cn ~]# ll -R
.:
total 4
-rw-r--r--. 1 root        yinzhengjie 26 Sep  5 14:22 file.txt
drwxr-xr-x. 2 yinzhengjie yinzhengjie 32 Sep  5 14:44 home

./home:
total 0
-rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 a.txt
-rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 b.txt

GNU chown still accepts "." as the separator for compatibility, but ":" is the documented form and avoids ambiguity with user names that contain a dot. By default -R does not follow symbolic links (-P), which is what you want: with -L a symlink planted inside the tree could redirect the ownership change to a file outside it.
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# touch file2.txt
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root root         0 Sep  5 15:03 file2.txt
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# chown --reference file.txt file2.txt    # give file2.txt the same owner and group as file.txt (only ownership is copied, not the mode; chmod --reference does that)
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie  0 Sep  5 15:03 file2.txt
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
3>. Changing file permissions: chmod
File permissions are defined for three classes of accessor:
  owner  the file's owner, u
  group  the file's group, g
  other  everyone else, o
For each class a file carries three permission bits:
  r  Readable
  w  Writable
  x  eXecutable
On a regular file:
  r  the content can be read with file-viewing tools
  w  the content can be modified
  x  the file can be handed to the kernel to start a process
On a directory:
  r  the list of entries can be read with ls
  w  entries can be created, deleted and renamed in the directory, regardless of the permissions on the entries themselves (the sticky bit, covered below, restricts deletion)
  x  the directory can be entered with cd and the metadata of its entries read with ls -l (needs r as well to list them)
  X  in a chmod mode, grant execute only to directories and to files that already have execute permission for some class, not to plain regular files; useful with -R so that data files do not become executable
[root@node101.yinzhengjie.org.cn ~]# chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chmod invocation'
[root@node101.yinzhengjie.org.cn ~]# cp -a /etc/shadow ./    # -a keeps the original mode (0400) and ownership
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-r--------. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# chmod u+rw,g+r shadow    # add rw for the owner and r for the group
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# chmod o=w shadow    # set the permission of others to exactly w ("=" replaces, "+" adds)
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r---w-. 1 root root 2464 Sep  5 13:55 shadow

This copy of the shadow file now has relaxed permissions and contains every password hash on the system; delete it as soon as the experiment is over.
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
-rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
[root@node101.yinzhengjie.org.cn ~]# chmod a-x /bin/ls    # remove execute permission from ls for everyone; ls can no longer run at all (ll is an alias for ls -l, so it fails too)
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
bash: /usr/bin/ls: Permission denied
[root@node101.yinzhengjie.org.cn ~]# chmod a+x /bin/ls    # put it back straight away; do not try this on a shared machine
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
-rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
4>. Default permissions of new files and directories
[root@node101.yinzhengjie.org.cn ~]# help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.

    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.

    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).

    Options:
      -p        if MODE is omitted, output in a form that may be reused as input
      -S        makes the output symbolic; otherwise an octal number is output

    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.
[root@node101.yinzhengjie.org.cn ~]# umask    # root's default umask is 022
0022
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
Last login: Thu Sep  5 16:38:53 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ umask    # an ordinary user's default umask is 002
0002
[root@node101.yinzhengjie.org.cn ~]# umask
0022
[root@node101.yinzhengjie.org.cn ~]# umask -S    # symbolic display: the permissions that new files may keep
u=rwx,g=rx,o=rx

[root@node101.yinzhengjie.org.cn ~]# umask
0022
[root@node101.yinzhengjie.org.cn ~]# umask -p    # output in a form that can be reused as a command
umask 0022

[root@node101.yinzhengjie.org.cn ~]# umask
0022
[root@node101.yinzhengjie.org.cn ~]# umask 754    # changing the umask on the command line only affects the current shell; to make it permanent, put the umask command in ~/.bashrc (or /etc/profile for everyone)
[root@node101.yinzhengjie.org.cn ~]# umask
0754
[root@node101.yinzhengjie.org.cn ~]# exit    # once we leave the shell the setting is gone
logout
Connection closed by foreign host.
(Xshell reconnects to node101.yinzhengjie.org.cn, 172.30.1.101:22)
Last login: Thu Sep  5 16:51:50 2019 from 172.30.1.1
[root@node101.yinzhengjie.org.cn ~]# umask    # after logging in again the umask is back to its default
0022
The umask determines which permission bits are withheld from newly created files and directories.
  Default mode of a new file:      666 with the umask bits cleared (666 & ~umask)
  Default mode of a new directory: 777 with the umask bits cleared (777 & ~umask)
The commonly taught shortcut, 666 - umask with 1 added wherever a digit comes out odd, gives the same answer in everyday cases, but it is only an approximation of the bitwise rule, which is what the kernel actually applies.
On CentOS the default umask is 022 for root and 002 for unprivileged users; both are set in /etc/profile and /etc/bashrc, and the 002 value is only applied when the user's primary group has the same name as the user (the private-group case), otherwise 022 is used.

An example with umask 754:
  new file:      666 - 754 digit by digit gives 0, 1, 2; the 1 is odd, so it becomes 2: 022
  new directory: 777 - 754 = 023
What the kernel actually does: every bit that is 1 in the umask is cleared, every bit that is 0 is left alone.
  666 in binary: 110 110 110
  754 in binary: 111 101 100
  result:        000 010 010   (octal 022, matching the result above)

  777 in binary: 111 111 111
  754 in binary: 111 101 100
  result:        000 010 011   (octal 023, matching the result above)
The session below confirms both results.
[root@node101.yinzhengjie.org.cn ~]# umask    # root's default umask
0022
[root@node101.yinzhengjie.org.cn ~]# touch a.txt    # create an empty file and look at its default permissions
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
[root@node101.yinzhengjie.org.cn ~]# umask 754    # change root's umask and watch the default permissions of new files and directories
[root@node101.yinzhengjie.org.cn ~]# touch b.txt
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
-----w--w-. 1 root root 0 Sep  5 16:38 b.txt
[root@node101.yinzhengjie.org.cn ~]# mkdir home
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
-----w--w-. 1 root root 0 Sep  5 16:38 b.txt
d----w--wx. 2 root root 6 Sep  5 16:43 home
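As an added example that is not part of the original post, the following shell script implements the bitwise rule described above and then checks the prediction against the file system by creating a file and a directory under the given umask. The function names (default_mode, umask_for_dir_mode, symbolic_to_octal, observed_mode, verify_umask) are my own; the script needs only POSIX utilities and a writable temporary directory, not root.

```shell
#!/bin/bash
# Added example, not from the original post: compute the default mode a umask
# yields the way the kernel does (base & ~umask, no decimal subtraction), and
# confirm the prediction by creating a file and a directory under that umask
# in a scratch directory. Runs unprivileged.

# default_mode UMASK file|dir -> 3-digit octal mode a new file/dir would get
default_mode() {
    local base
    case $2 in
        file) base=0666 ;;   # open(2) with O_CREAT from touch asks for 0666
        dir)  base=0777 ;;   # mkdir(2) asks for 0777
        *) echo "usage: default_mode UMASK file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~0$1 & 0777 ))
}

# umask_for_dir_mode MODE -> the umask that gives new directories exactly MODE
# (new files then get MODE with all execute bits cleared)
umask_for_dir_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# symbolic_to_octal rwxr-x--- -> 750 ; takes the 9-character field from ls -l
# without the leading type character. s/t count as x, S/T (special bit
# without x) count as nothing; the special bits themselves are not reported.
symbolic_to_octal() {
    local s=$1 total=0 i c
    for i in 0 1 2 3 4 5 6 7 8; do
        c=$(printf '%s' "$s" | cut -c$((i + 1)))
        case $c in
            r|w|x|s|t) total=$(( total + (1 << (8 - i)) )) ;;
        esac
    done
    printf '%03o\n' "$total"
}

# observed_mode PATH -> octal mode of PATH as reported by ls -ld
observed_mode() {
    symbolic_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# verify_umask UMASK -> 0 if a new file and a new directory created under
# UMASK get exactly the modes default_mode predicts, non-zero otherwise
verify_umask() {
    local mask=$1 scratch rc=0
    scratch=$(mktemp -d) || return 2
    ( umask "$mask" && touch "$scratch/f" && mkdir "$scratch/d" ) || rc=2
    [ "$(observed_mode "$scratch/f")" = "$(default_mode "$mask" file)" ] || rc=1
    [ "$(observed_mode "$scratch/d")" = "$(default_mode "$mask" dir)" ] || rc=1
    chmod -R u+rwx "$scratch" 2>/dev/null   # a 754 umask leaves entries the owner cannot open
    rm -rf "$scratch"
    return $rc
}

for m in 022 002 027 077 754; do
    printf 'umask %s -> new file %s, new directory %s\n' \
        "$m" "$(default_mode "$m" file)" "$(default_mode "$m" dir)"
done
m=$(umask_for_dir_mode 750)
printf 'for 750 directories use umask %s (files then get %s)\n' "$m" "$(default_mode "$m" file)"
verify_umask 754 && echo 'umask 754: on-disk modes match the prediction'
```

umask_for_dir_mode is the direction a hardening checklist usually needs: start from the directory mode you want (for example 750 for a service's data directory), derive the umask (027), and note that the same mask gives files 640, since the file base of 666 never includes execute bits.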
5>. Hands-on exercises
If user docker has no execute permission on /testdir, which operations become impossible?
If user mongodb has no read permission on /testdir, which operations become impossible?
If user redis has no write permission on /testdir, can the read-only file file1 inside it be modified or deleted?
If user zabbix has write and execute permission on /testdir, can the read-only file file1 inside it be modified or deleted?
Copy /etc/fstab to /var/tmp, make tomcat the owner with read and write permission, give the group apps read and write permission, and give others no permission at all.
The home directory of user git was deleted by mistake; recreate it and restore its ownership and permissions.
IV. Special permissions on Linux file systems
1>. SUID (a user who is allowed to run the program runs it with the effective UID of the program's owner; the system's own passwd command has SUID set; in numeric modes it is the octal digit 4 in the leading position, e.g. 4755)
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat /etc/shadow | tail -3    # an ordinary user cannot read /etc/shadow
cat: /etc/shadow: Permission denied
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit    # back to root
logout
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat    # cat is owned by root, and the owner has execute permission
-rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# chmod u+s /usr/bin/cat    # set the SUID bit on cat
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat    # the owner's x is now displayed as s (an uppercase S would mean SUID set without x)
-rwsr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie    # switch to the ordinary user again
Last login: Thu Sep  5 17:11:01 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat /etc/shadow | tail -3    # cat now runs with root's effective UID, so the unprivileged user can read /etc/shadow
nginx:$6$.KUKZqRu$sCk.tYEAzZowA44d42qgaK.cQmpa16IPSIYX0CnON/SSCteb2PI77T21qOHDTrT01fAh2tD1/Ta6IE2m5EnkI/:18144:0:99999:7:::
varnish:$6$gF6mgxv2$JtJHT.B7IqUU3MA6JZYQkbFBhqukF918goBIYIwm0hTFmcwdf6i.x2JX2Wzgz42dyEhkj/cdbMmUJi9XBhZY60:18144:0:99999:7:::
mysql:$6$qWljHcJp$HtPeHnCjgOXh..Kno96j5BsS2ULUtpjb1yGznrkMdN2V7OVoTKLclY1Jaxe.Ryl32UWUox17Ux/Iw6s6dQviB0:18144:0:99999:7:::
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
-rwsr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# chmod u-s /usr/bin/cat    # never set SUID on general-purpose tools in production; this was only a demonstration, and the bit is removed right away. With SUID on vim, for example, every ordinary user could edit any file on the system. Be careful!
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
2>. SGID (by analogy, a user who is allowed to run the program runs it with the effective GID of the program's group; in numeric modes it is the octal digit 2 in the leading position)
[root@node101.yinzhengjie.org.cn ~]# groupadd devops    # create a group named devops
[root@node101.yinzhengjie.org.cn ~]# useradd -g devops jason    # create user jason with devops as the primary group
[root@node101.yinzhengjie.org.cn ~]# id jason    # check jason's groups
uid=1002(jason) gid=1001(devops) groups=1001(devops)
[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]# chgrp devops /data
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/    # note the permissions of /data at this point
drwxr-xr-x. 2 root devops 6 Sep 10 06:33 /data/
[root@node101.yinzhengjie.org.cn ~]# chmod 3770 /data/    # 3 = SGID (2) + sticky (1) on top of 770; watch how the mode is displayed
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/    # s in the group position is SGID; the uppercase T means sticky is set while others have no x
drwxrws--T. 2 root devops 6 Sep 10 06:33 /data/
[root@node101.yinzhengjie.org.cn ~]# touch /data/root.txt    # create a file as root
[root@node101.yinzhengjie.org.cn ~]# su -l jason
Last login: Tue Sep 10 06:31:59 PDT 2019 on pts/0
[jason@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt    # create a file as jason, a member of devops
[jason@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/yinzhengjie.txt    # this fails, as expected: yinzhengjie is not in devops, and "other" has no w on the directory
touch: cannot touch '/data/yinzhengjie.txt': Permission denied
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn ~]# ll /data/    # whether created by root or by jason, every file belongs to group devops; that is what SGID on a directory does
total 0
-rw-r--r--. 1 jason devops 0 Sep 10 06:34 jason.txt
-rw-r--r--. 1 root  devops 0 Sep 10 06:34 root.txt
3>. Sticky bit
[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]# touch /data/{1..5}.txt
[root@node101.yinzhengjie.org.cn ~]# chmod 757 /data    # give "other" w on the directory: any user can now delete or rename the files in it, even though they cannot modify the files' contents
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/
drwxr-xrwx. 2 root root 71 Sep  5 17:31 /data/
[root@node101.yinzhengjie.org.cn ~]# ll /data/    # all files belong to root; other users have read permission only
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 1.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 3.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 5.txt
[root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
Last login: Thu Sep  5 17:30:35 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/1.txt    # as an ordinary user we can delete root's files at will; deletion is governed by the directory's w bit, not the file's. How do we stop this?
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/3.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/5.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit
logout
[root@node101.yinzhengjie.org.cn ~]# ll /data/    # the files really are gone
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[root@node101.yinzhengjie.org.cn ~]# ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/
drwxr-xrwx. 2 root root 32 Sep  5 17:32 /data/
[root@node101.yinzhengjie.org.cn ~]# chmod o+t /data/    # equivalent to "chmod 1757 /data/"
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/    # the t replaces the x of "other"
drwxr-xrwt. 2 root root 32 Sep  5 17:32 /data/
[root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
Last login: Thu Sep  5 17:32:03 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/2.txt    # the ordinary user still has w on /data, yet can no longer delete files it does not own
rm: cannot remove '/data/2.txt': Operation not permitted
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/4.txt
rm: cannot remove '/data/4.txt': Operation not permitted
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt    # create a file of our own
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root        root        0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root        root        0 Sep  5 17:31 4.txt
-rw-rw-r--. 1 yinzhengjie yinzhengjie 0 Sep  5 17:43 jason.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/jason.txt    # deleting our own file is still no problem
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
4>. Summary
SUID:
  Applies to binary executables: while the program runs, the process has the effective UID of the file's owner.
SGID:
  Applies to binary executables: while the program runs, the process has the effective GID of the file's group.
  Applies to directories: files created in the directory inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the SGID bit as well.
STICKY:
  Applies to directories: a user may delete or rename only the files they own (the owner of the directory and root are exempt; as usual when discussing permissions, root is not constrained by them).
Two caveats worth remembering: Linux ignores SUID and SGID on interpreted scripts (only the interpreter binary's own bits count) and on file systems mounted with nosuid, so neither grants privilege there; and every SUID/SGID executable on a host is a privilege boundary that deserves to be inventoried, since the cat experiment above shows how little it takes to turn one into a way to read root-only files.
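As an added example (my own code, not from the original post), the following script turns the three cases summarised above into an audit that can be run on a host: it lists SUID/SGID executables, which deserve the same scrutiny as the cat experiment, and world-writable directories that lack the sticky bit, which allow exactly the deletion trick shown in the sticky section. The function names and the demo tree (suid_tool, sgid_tool, dropbox and so on) are invented for the example; it assumes GNU find as shipped on CentOS and needs no root privilege for the demo tree, though auditing / does.

```shell
#!/bin/bash
# Added example, not from the original post: enumerate the special-bit hazards
# discussed above under a directory tree.
#   find_setid_files                  regular files with SUID (4000) or SGID (2000)
#   find_unsticky_world_writable_dirs directories with o+w but without the sticky bit
# make_demo_tree builds a small tree (invented names) that trips both checks;
# it only changes modes on files the caller created, so no root is needed.
# Assumes GNU find and GNU chmod.

# find_setid_files ROOT -> sorted list of SUID/SGID regular files under ROOT,
# staying on one file system (-xdev) so /proc and network mounts are skipped
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# find_unsticky_world_writable_dirs ROOT -> sorted list of directories under
# ROOT that anyone can write to and that lack the sticky bit (1000), i.e.
# places where any user can delete or rename any other user's files
find_unsticky_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# make_demo_tree ROOT: populate ROOT with the cases the checks should catch
make_demo_tree() {
    local root=$1
    mkdir -p "$root/bin" "$root/shared" "$root/dropbox" "$root/tmp"
    chmod 0755 "$root" "$root/bin"          # explicit, so the caller's umask does not matter
    printf '#!/bin/sh\necho hello\n' > "$root/bin/suid_tool"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/sgid_tool"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/plain_tool"
    chmod 4755 "$root/bin/suid_tool"        # rwsr-xr-x : SUID, like /usr/bin/passwd
    chmod 2755 "$root/bin/sgid_tool"        # rwxr-sr-x : SGID on an executable
    chmod 0755 "$root/bin/plain_tool"       # rwxr-xr-x : nothing special
    chmod 2770 "$root/shared"               # rwxrws--- : SGID directory, group inherited by new files
    chmod 0777 "$root/dropbox"              # rwxrwxrwx : world-writable without sticky, flagged
    chmod 1777 "$root/tmp"                  # rwxrwxrwt : world-writable with sticky, like /tmp, fine
}

# report ROOT: print both lists, one indented path per line
report() {
    echo "SUID/SGID files under $1:"
    find_setid_files "$1" | sed 's/^/  /'
    echo "world-writable directories without the sticky bit under $1:"
    find_unsticky_world_writable_dirs "$1" | sed 's/^/  /'
}

demo=$(mktemp -d) && make_demo_tree "$demo" && report "$demo" && rm -rf "$demo"
```

To audit a real host, run find_setid_files / and find_unsticky_world_writable_dirs / as root and compare each unexpected SUID binary against its package with rpm -Vf PATH: a mode that differs from what the package installed shows an M in the second column of the output, which is exactly what the chmod u+s /usr/bin/cat experiment above would produce.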
5>. Setting special file attributes
chattr +i    the file cannot be deleted, renamed or modified, not even by root, until the attribute is removed
chattr +a    the file can only be appended to
lsattr       show these attributes
Setting or clearing these attributes requires the CAP_LINUX_IMMUTABLE capability, so they protect against mistakes and against attackers who have not obtained root; an attacker who already has root can simply run chattr -i first, so treat them as a guard rail rather than a security boundary.
[root@node101.yinzhengjie.org.cn ~]# chattr +i /etc/passwd    # with the "i" attribute set, /etc/passwd can no longer be deleted, renamed or modified; root can still read it
[root@node101.yinzhengjie.org.cn ~]# rm -f /etc/passwd
rm: cannot remove '/etc/passwd': Operation not permitted
[root@node101.yinzhengjie.org.cn ~]# mv /etc/passwd /etc/passwd-`date +%F`
mv: cannot move '/etc/passwd' to '/etc/passwd-2019-09-10': Operation not permitted
[root@node101.yinzhengjie.org.cn ~]# echo "尹正杰到此一游" >> /etc/passwd
-bash: /etc/passwd: Permission denied
[root@node101.yinzhengjie.org.cn ~]# useradd bigdata
useradd: cannot open /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd    # show the file's special attributes
----i----------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# chattr -i /etc/passwd    # remove the "i" attribute again; the file can be modified once more
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd
---------------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# useradd bigdata
[root@node101.yinzhengjie.org.cn ~]# id bigdata
uid=1003(bigdata) gid=1003(bigdata) groups=1003(bigdata)
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd
---------------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# chattr +a /etc/passwd    # with the "a" attribute set, the file cannot be rewritten, but it can still be read and appended to
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd
-----a---------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# useradd hadoop    # creating a user rewrites /etc/passwd (it is opened for writing, not for append), so it fails
useradd: cannot open /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# echo "hadoop" >> /etc/passwd    # appending, on the other hand, works
[root@node101.yinzhengjie.org.cn ~]# tail -2 /etc/passwd    # the line was appended
bigdata:x:1003:1003::/home/bigdata:/bin/bash
hadoop
[root@node101.yinzhengjie.org.cn ~]# chattr -a /etc/passwd    # remove the "a" attribute right away and undo the change: be sure to delete the "hadoop" line appended above from /etc/passwd, since a malformed entry will cause trouble at the next boot
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd
---------------- /etc/passwd