2018-05-18课堂笔记

Posted HJM

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2018-05-18课堂笔记相关的知识,希望对你有一定的参考价值。

2018-05-18课堂笔记

目录
一、用户配置文件和密码配置文件
二、用户组管理
三、用户管理
四、usermod命令
五、用户密码管理
六、mkpasswd命令
七、su命令
八、sudo命令
九、限制root远程登录

一、用户配置文件和密码配置文件

1.用户文件/etc/passwd

[[email protected] ~]# head -n 5 /etc/passwd
//从/etc/passwd文件可以看到,第一行都包括7个字段,第个字段间用":"分隔
//格式   用户名:密码:UID:GID:用户信息说明:用户家目录:shell
//密码字段是加密码后的密码,若为"x",则密码保存在/etc/shadow文件中,如用户没有密码,则为空
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
......中间段信息略
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
hjm:x:5000:5000:HJM:/home/hjm:/bin/bash

2.用户密码文件/etc/shadow

/etc/shadow文件是/etc/passwd的影子文件,这两个文件互补,该文件只有root权限可以读取和操作。

[[email protected] ~]# cat /etc/shadow
//etc/shadow内容包括九个字段,字段间以":"分隔
//格式    用户名:密码:上次密码修改时间:密码不可被修改的天数:密码需要重新修改的天数:密码需要重新修改前的警告期限:密码过期的宽限时间:帐号失效日期:保留
//这里的密码是真正的密码,是经过加密的密文,如果该字段包含!或*,表示该用户无法登录,该字段为空,表示用户登录无需密码,以!号开始,表示密码已经被锁定。
//第三个字段和第八个字段的日期都是使用1970年1月1日作为1
root:$6$wuyQ2nlLIXTI2IPk$99X/7wGl4kR856WTD8tU9QkNjkY3BnlP83pzuROgydZB09Ushf2UmeaeprPdXf46ohfHujbmtGYKxfOyq5L8z.::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
......中间段信息略
postfix:!!:17641::::::
chrony:!!:17641::::::
sshd:!!:17641::::::
hjm:$6$iB95gZCu1U7k6axG$rsEXykYY1zg/rmdLNEgn/tsG9MjpKIbBX0tiaNNH2c7YcDInGyr5LJNZij/nci0fN.HbYhnyqjEYwBJ4InHWG0::0:99999:7:::

二、用户组管理

1.组配置文件/etc/group

[[email protected] ~]# cat /etc/group
///etc/group包括4个字段,以":"分隔
//格式    用户组名称:用户组密码:GID:用户组成员
//用户组密码如果为x,表示未设置密码。通常无须设置。
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
......中间段信息略
postfix:x:89:
chrony:x:996:
sshd:x:74:
hjm:x:5000:hjm

2.组密码配置文件/etc/gshadow

[[email protected] ~]# cat /etc/gshadow
//在/etc/gshadow文件中,每个用户组独占一行,每行包括4个字段,字段间以":"分隔
//格式    用户组名称:用户组密码:用户组管理者:组成员
//用户组密码是加密后的密码,该字段为空,表示只有组内成员可以拥有该组的权限。
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
......中间段信息略
postfix:!::
chrony:!::
sshd:!::
hjm:!!::hjm

3.添加组

//新建一个组名为group1的用户组
[[email protected] ~]# groupadd group1
[[email protected] ~]# grep group1 /etc/group /etc/gshadow
/etc/group:group1:x:5001:
/etc/gshadow:group1:!::

//新建一个名为group2的系统组
[[email protected] ~]# groupadd -r group2
[[email protected] ~]# grep group2 /etc/group /etc/gshadow
/etc/group:group2:x:994:
/etc/gshadow:group2:!::

//添加GID为1111的用户组group3
[[email protected] ~]# groupadd -g 1111 group3
[[email protected] ~]# grep group3 /etc/group /etc/gshadow
/etc/group:group3:x:1111:
/etc/gshadow:group3:!::

4.删除组

//删除用户组group3
[[email protected] ~]# groupdel group3
//group3用户组被成功删除
[[email protected] ~]# grep group3 /etc/group /etc/gshadow

//如果用户还存在,无法删除用户的主组
[[email protected] ~]# grep adminuser /etc/passwd
adminuser:x:5001:5002::/home/adminuser:/bin/bash
[[email protected] ~]# grep adminuser /etc/group
adminuser:x:5002:
[[email protected] ~]# groupdel adminuser
groupdel: cannot remove the primary group of user ‘adminuser‘

//将组中的用户移走后,可删除该组
[[email protected] ~]# groupadd newgroup
[[email protected] ~]# usermod -g newgroup adminuser
[[email protected] ~]# groupdel adminuser
//成功删除
[[email protected] ~]# grep adminuser /etc/group

三、用户管理

1.新建用户

可使用useradd命令建立用户帐户和创建用户的起始目录,但只有超级用户才有权限。

useradd命令加添用户时,如不加任何参数,则系统将根据默认的参数来添加用户(/etc/login.defs和/etc/default/useradd,/etc/skel/*)

//不加任何参数,以系统默认值建立一个用户admin
[[email protected] ~]# useradd admin
[[email protected] ~]# grep admin /etc/passwd /etc/shadow /etc/group /etc/gshadow
/etc/passwd:admin:x:5002:5002::/home/admin:/bin/bash
/etc/shadow:admin:!!:17670:0:99999:7:::
/etc/group:admin:x:5002:
/etc/gshadow:admin:!::
[[email protected] ~]# ls -la /home/admin
total 12
drwx------  2 admin admin  62 May 19 16:26 .
drwxr-xr-x. 5 root  root   47 May 19 16:26 ..
-rw-r--r--  1 admin admin  18 Aug  3  2017 .bash_logout
-rw-r--r--  1 admin admin 193 Aug  3  2017 .bash_profile
-rw-r--r--  1 admin admin 231 Aug  3  2017 .bashrc

//添加用户user1,设置其真实名字"a common user",其家目录在/opt/user1下,让其归属为组admin,root成员,其shell类型为tcsh
/etc/passwd:user1:x:5003:5004:a common user:/opt/user1:/bin/tcsh
/etc/shadow:user1:!!:17670:0:99999:7:::
/etc/group:root:x:0:user1
/etc/group:admin:x:5002:user1
/etc/group:user1:x:5004:
/etc/gshadow:root:::user1
/etc/gshadow:admin:!::user1
/etc/gshadow:user1:!::

// 添加自定义用户ID为5005的用户user2
[[email protected] ~]# useradd -u 5005 user2
[[email protected] ~]# grep user2 /etc/passwd
user2:x:5005:5005::/home/user2:/bin/bash

//新建用户时不生成家目录
[[email protected] ~]# useradd -M user3
[[email protected] ~]# ls -al /home/user3
//说明家目录文件夹不存在
ls: cannot access /home/user3: No such file or directory
//但是user3是有家目录的,只是家目录文件夹不存在,可以手动创建
[[email protected] ~]# grep user3 /etc/passwd
user3:x:5006:5006::/home/user3:/bin/bash
[[email protected] ~]# su - user3
su: warning: cannot change directory to /home/user3: No such file or directory
-bash-4.2$

2.删除用户

[[email protected] ~]# grep user2 /etc/passwd
user2:x:5005:5005::/home/user2:/bin/bash
//不带参数,删除用户user2, 家目录还在
[[email protected] ~]# userdel user2
[[email protected] ~]# grep user2 /etc/passwd
[[email protected] ~]#
[[email protected] ~]# ls -ld /home/user2
drwx------ 2 5005 5005 62 May 19 17:45 /home/user2

//带参数-r,删除用户的同时,删除其家目录
[[email protected] ~]# grep admin /etc/passwd
admin:x:5002:5002::/home/admin:/bin/bash
[[email protected] ~]# ls -ld /home/admin
drwx------ 2 admin admin 62 May 19 16:26 /home/admin
[[email protected] ~]# userdel -r admin
[[email protected] ~]# grep admin /etc/passwd
[[email protected] ~]#
[[email protected] ~]# ls -ld /home/admin
ls: cannot access /home/admin: No such file or directory

四、Usermod

usermod的作用:修改用户类型、所归属的组,修改用户密码的有效期,还能修改登录名

常用选项

-g 修改用户的所属组

//用户nico的主组id为5007,主组名:nico
[[email protected] ~]# grep nico /etc/passwd
nico:x:5007:5007::/home/nico:/bin/bash
[[email protected] ~]# grep 5007 /etc/group
nico:x:5007:
//变更nico主组为newgroup
[[email protected] ~]# usermod -g newgroup nico
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup)
//用户nico的主组已经变更为newgroup

-G 增加用户的附属组

[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup)
[[email protected] ~]# usermod -G nico nico
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)

-u 修改用户的uid

[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)
[[email protected] ~]# usermod -u 5008 nico
[[email protected] ~]# id nico
uid=5008(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)

-L 锁定用户

//密码字段第一位不为!,说明用户没有锁定
[[email protected] ~]# grep nico /etc/shadow
nico:$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
//锁定用户
[[email protected] ~]# usermod -L nico
[[email protected] ~]# grep nico /etc/shadow
nico:!$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::

-U 解锁用户

[[email protected] ~]# grep nico /etc/shadow
nico:!$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
[[email protected] ~]# usermod -U nico
[[email protected] ~]# grep nico /etc/shadow
nico:$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::

-l修改用户登录名

-d修改用户家目录

//将kennminn用户改名为shelly,并将其家目录转移到/opt/shelly
[[email protected] ~]# usermod -d /opt/shelly -m -l shelly -U kennminn
[[email protected] ~]# ls -ld /opt/shelly/
drwx------ 2 shelly kennminn 62 May 19 19:58 /opt/shelly/
[[email protected] ~]# groupadd shelly
[[email protected] ~]# chown -R shelly.shelly /opt/shelly
[[email protected] ~]# ls -ld /opt/shelly/
drwx------ 2 shelly shelly 62 May 19 19:58 /opt/shelly/

五、用户密码管理

可以用passwd命令来实现对用户密码的管理

//交互式修改用户密码
[[email protected] ~]# useradd nico
[[email protected] ~]# passwd nico
Changing password for user nico.
New password:    //输入密码
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:  //再次输入密码
passwd: all authentication tokens updated successfully.

//非交互式修改用户密码方法1
[[email protected] ~]# echo ‘12345‘ | passwd --stdin nico
Changing password for user nico.
passwd: all authentication tokens updated successfully.

//非交互式修改用户密码方法2
[[email protected] ~]# echo -e "123456\n123456" | passwd nico
Changing password for user nico.
New password: BAD PASSWORD: The password is shorter than 8 characters
Retype new password: passwd: all authentication tokens updated successfully.

//删除用户密码
[[email protected] ~]# passwd -d nico
Removing password for user nico.
passwd: Success

//锁定用户帐户
[[email protected] ~]# passwd -l nico
Locking password for user nico.
passwd: Success

//解锁用户帐户
[[email protected] ~]# passwd -u nico
Unlocking password for user nico.
passwd: Success

六、mkpasswd

mkpasswd是一种密码生成工具,可生成随机复杂密码。

最小化安装默认没有mkpasswd命令,需安装expect软件包

//expect软件包安装
[[email protected] ~]# yum -y install expect-5.45-14.el7_1.x86_64

常见用法

-l 指定密码长度,默认长度为9

//不带参数生成默认长度为9的随机密码
[[email protected] ~]# mkpasswd 
av‘lZ8zY4

//带l参数生成指定长度的密码
[[email protected] ~]# mkpasswd -l 12
a1ivcnRXh%0m

-s 指定新生成密码中特殊字符的最小个数,默认为1

[[email protected] ~]# mkpasswd -s 3
?sA<04gN*

-d 指定新生成密码中数字的最小个数,默认为2

[[email protected] ~]# mkpasswd -d 3
W1yn&k7V5

七、su命令

通过su命令可以在用户之间切换,root用户向普通户切换无需密码,普通用户切换到其他用户需要密码。

常见用法

普通用户切换到root用户

//普通用户切换到root用户,不带"-"时,环境变量不会切换。
[[email protected] ~]$ su root
Password: 
[[email protected] hjm]# pwd
/home/hjm

//普通用户切换到root用户,带"-"时,环境变量会切换
[[email protected] ~]$ su - root
Password: 
Last login: Sat May 19 21:37:43 CST 2018 from 192.168.1.9 on pts/0
[[email protected] ~]# pwd
/root

以指定身份运行一条命令

[[email protected]equark ~]$ su - -c "head -n 5 /etc/passwd" root
Password: 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

若要切换到的用户没有家目,则使用系统的默认配置

[[email protected] ~]# grep user6 /etc/passwd
user6:x:5012:5013::/home/user6:/bin/bash
[[email protected] ~]# ls -ld /home/user6
ls: cannot access /home/user6: No such file or directory
[[email protected] ~]# su - user6
su: warning: cannot change directory to /home/user6: No such file or directory
-bash-4.2$ 
//可手动生成用户家目录文件夹并拷贝/etc/skel下的默认配置文件到相应目录,
[[email protected] ~]$ cp /etc/skel/* /home/user6
[[email protected] ~]# su - user6
[[email protected] ~]$ 

八、sudo

sudo允许系统管理员让普通用户执行一些或全部的root命令。

sudo通过/etc/sudoers进行授权,编辑文件时最好用visudo,它会进行简单语法检查。

授权普通用户使用root的部分命令

//授权hjm用户使用root用户的ls,cat权限
......上部略
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
hjm     ALL=(ALL)       /usr/bin/ls,/usr/bin/cat
......略

//授权的ls可以查看root家目录下的文件
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for hjm: 
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config

[[email protected] ~]$ cat /root/f1.txt
cat: /root/f1.txt: Permission denied
[[email protected] ~]$ sudo /usr/bin/cat /root/f1.txt
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512

visudo中用户别名

......
User_Alias ADMINS = hjm, nico
ADMINS  ALL=(ALL)       /usr/bin/ls,/usr/bin/cat
......

//验证hjm用户可以使用root的ls命令
[[email protected] ~]# su - hjm
Last login: Sat May 19 22:25:17 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
[sudo] password for hjm: 
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  f1.txt  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config
//验证nico用户可以使用root的ls命令
[[email protected] ~]$ su - nico
Password: 
Last login: Sat May 19 19:32:49 CST 2018 on pts/0
Last failed login: Sat May 19 22:49:36 CST 2018 on pts/0
There were 2 failed login attempts since the last successful login.
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for nico: 
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  f1.txt  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config

visudo中命令别名设置

......省略

Cmnd_Alias ALIAS_CMD = /usr/bin/ls, /usr/bin/cat
......省略
//NOPASSWD表示用户无需输入密码
ADMINS  ALL=(ALL)       NOPASSWD:ALIAS_CMD
......省略
//验证hjm用户可以不输入密码直接使用/root的ls命令
[[email protected] ~]# su - hjm
Last login: Sat May 19 22:44:43 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  f1.txt  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config

//验证nico用户无需输入密码可以直接使用/root的ls命令
[[email protected] ~]$ su - nico
Password: 
Last login: Sat May 19 22:49:43 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  f1.txt  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config

管理员组wheel

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

//添加用户到wheel组
[[email protected] ~]# usermod -a -G wheel shelly
[[email protected] ~]# grep shelly /etc/group
wheel:x:10:shelly
shelly:x:5012:
[[email protected] ~]# su -shelly
su: failed to execute helly: No such file or directory
[[email protected] ~]# su - shelly
[[email protected] ~]$ ls /root
ls: cannot open directory /root: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for shelly: 
anaconda-ks.cfg  bbbb  day.jpg  default.jpg  demo  dir2  f1.txt  fd1  morning.jpg  named.pipe  night.jpg  path_demo  pxe_config

九、限制root用户远程登录

鉴于直接使用Root用户登录所具有的高风险性,为避免误操作引起的事故,根据权限最小化原则,应尽量使用普通用户远程登录,只有在需要root用户权限的时候切换到root用户身份。执行完回退至普通用户。可采用如下方案:

//1. 通过visudo编辑/etc/sudoers文件,将需要切换到root用户设置到同一个别名
User_Alias ADMINS = hjm, nico
//2. 允许这些用户免密执行root用户的/usr/bin/su命令
ADMINS  ALL=(ALL)       NOPASSWD:/usr/bin/su
//这样普通用户不用知道root密码也可以切换到root用户身份,执行完也可以回退至本身的帐户
[[email protected] ~]$ sudo /usr/bin/su -
Last login: Sat May 19 23:35:30 CST 2018 on pts/0
[[email protected] ~]#
[[email protected] ~]# exit
logout
[[email protected] ~]$
//3.限制root用户不能远程ssh登录
[[email protected] ~]# sed -ni s/#PermitRootLogin\ yes/PermitRootLogin\ no/p /etc/ssh/sshd_config 
[[email protected] ~]# grep PermitRootLogin !$
grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
//4.重启sshd 服务
[[email protected] ~]# systemctl restart sshd.service

此时再以root用户远程密码登录,服务器拒绝登录。

技术分享图片

技术分享图片

此时再以普通用户登录,可正常登录

Connecting to 192.168.1.211:22...
Connection established.
To escape to local shell, press ‘Ctrl+Alt+]‘.

Last login: Sat May 19 23:39:10 2018
[[email protected] ~]$ 
//需要时可以通过sudo /usr/bin/su - 切换至root用户身份
[[email protected] ~]$ sudo /usr/bin/su - 
Last login: Sat May 19 23:44:09 CST 2018 on pts/0
Last failed login: Sat May 19 23:58:44 CST 2018 from 192.168.1.9 on ssh:notty
There were 11 failed login attempts since the last successful login.
[[email protected] ~]#









以上是关于2018-05-18课堂笔记的主要内容,如果未能解决你的问题,请参考以下文章

学习笔记:python3,代码片段(2017)

导航狗IT周报-2018年05月18日

2018/05/18 数据库 视图

[原创]java WEB学习笔记61:Struts2学习之路--通用标签 property,uri,param,set,push,if-else,itertor,sort,date,a标签等(代码片段

sh bash片段 - 这些片段大多只是我自己的笔记;我找到了一些,有些我已经找到了

最全最详细publiccms常用的代码片段