7/31/2019 04 Accounts Permissions
User accounts and file access permissions
The concept of a user
Ordinary users
Administrator
User groups
Creating a user
Name, password, the user's home directory (/home/name)
Group (a user can belong to one or more groups, but one primary group must be defined)
All information about users is stored in the file /etc/passwd
/etc/passwd
Username:password:UID:GID:Info:Home:Shell
Username: used when the user logs in. It should be between 1 and 32 characters in length.
Password: an x character indicates that the encrypted password is stored in the /etc/shadow file.
User ID (UID): each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are further reserved by the system for administrative and system accounts/groups.
Group ID (GID): the primary group ID (stored in the /etc/group file).
User ID Info: the comment field. It allows you to add extra information about the user such as the user's full name, phone number, etc. This field is used by the finger command.
Home directory: the absolute path to the directory the user will be in when they log in. If this directory does not exist then the user's directory becomes /.
Command/shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell. Please note that it does not have to be a shell.
9/5/2011 @ Ha Quoc Trung 2009 4
/etc/shadow
User:Pwd:Last pwd change:Minimum:Maximum:Warn:Inactive:Expire
User name: your login name
Password: your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits
Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed
Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password
Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)
Warn: the number of days before the password is to expire that the user is warned that his/her password must be changed
Inactive: the number of days after the password expires that the account is disabled
Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used
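As an added example (not part of the slides), the following Python parses constructed /etc/passwd and /etc/shadow lines and classifies each account from the ageing fields just described; the sample accounts, hashes and day numbers are made up.

```python
# Added example (not from the slides): parse constructed /etc/passwd and
# /etc/shadow lines and evaluate the shadow ageing fields described above.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
tuananh:x:1000:1000:Tuan Anh:/home/tuananh:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc:x:1001:1001::/var/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """root:$6$salt$hash:18000:0:99999:7:::
tuananh:$6$salt$hash:18100:0:90:7:14::
backup:!:18000:0:99999:7:::
svc::18000:0:99999:7:::
"""
FIELDS = ["user", "pwd", "lastchg", "min", "max", "warn", "inactive", "expire"]
def parse_shadow(text):
    """Map user -> dict of the 8 shadow fields; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        e = dict(zip(FIELDS, line.split(":")))
        for k in FIELDS[2:]:
            e[k] = int(e[k]) if e[k] else None
        entries[e["user"]] = e
    return entries

def password_state(e, today):
    """Classify one entry as of `today` (days since 1970-01-01, like lastchg)."""
    if e["pwd"] == "":
        return "empty"             # no password at all: login needs no secret
    if e["pwd"][0] in "!*":
        return "locked"            # no hash can match, password login impossible
    if e["expire"] is not None and today >= e["expire"]:
        return "account-expired"   # absolute account expiry date reached
    age = today - e["lastchg"]
    if e["max"] is not None and age > e["max"]:
        if e["inactive"] is not None and age > e["max"] + e["inactive"]:
            return "disabled"      # grace period after expiry is over
        return "expired"           # forced to change it at next login
    if e["max"] is not None and age >= e["max"] - (e["warn"] or 0):
        return "warn"              # inside the warning window
    return "ok"

def audit(passwd_text, shadow):
    """Findings a reviewer of these two files would flag."""
    findings = []
    for line in passwd_text.splitlines():
        name, pw, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
        if pw != "x":
            findings.append(f"{name}: password hash not moved to /etc/shadow")
    findings += [f"{n}: empty password field" for n, e in shadow.items() if e["pwd"] == ""]
    return findings
```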
User groups
Each user can belong to one or more groups
A group = a group name + a list of members
Allows files to be shared between users in the same group
The list of groups is stored in the file /etc/group
root can create additional groups beyond those the operating system defines by default
/etc/group
group_name:Password:Group ID (GID):Group List
group_name: the name of the group. If you run the ls -l command, you will see this name printed in the group field.
Password: generally a password is not used, hence it is empty/blank. It can store an encrypted password. This is useful to implement privileged groups. x means the password is stored in /etc/gshadow.
Group ID (GID): each user must be assigned a group ID. You can see this number in your /etc/passwd file.
Group List: a list of the user names of the users who are members of the group. The user names must be separated by commas.
/etc/gshadow
Group name: the name of the group. Used by various utility programs as a human-readable identifier for the group.
Encrypted password: the encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is !, then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of !; however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group.
Group administrators: group members listed here (in a comma-delimited list) can add or remove group members using the gpasswd command.
Group members: group members listed here (in a comma-delimited list) are regular, non-administrative members of the group.
Tools
useradd/mod/del
passwd
groupadd/mod/del
gpasswd
sg/newgrp
su
users/groups
id
Permissions
Every file always belongs to one user and one specific group
The user who creates a file or directory is its owner, and the group containing that user is the owning group of the file/directory
Permission assignment specifies exactly which rights a user has on a file or directory
Access permissions
r : read
Allows the contents of the file or directory to be displayed
w : write
Allows the contents of the file to be changed
Allows files to be added to or deleted from a directory
x : execute
Allows the file to be run as a program
Allows changing into the directory in order to access it
User classes
There are 3 classes of users with respect to a file/directory:
u (owner): the single owner of the file
g (group): users belonging to the file's group
o (others): all other users, who are neither the owner of the file nor members of the file's group
Each class of users has its own defined set of permissions (r, w, x)
Example
$ ls -l
----rw-rw- 1 tuananh user1 16 Feb 10 19:12 test1.txt
-rw-rw-rw- 1 tuananh user1 16 Feb 10 19:12 test2.txt
drw-r--r-- 2 tuananh user1 512 Feb 10 19:14 vanban
$ whoami
tuananh
$ cat test1.txt
cat: test1.txt: Permission denied
$ cat test2.txt
Un fichier de test
$ cp test2.txt vanban
cp: vanban: Permission denied
Notes
To be able to add files, you need w permission on the directory
To delete, change the contents of, or move a file, the user also needs w permission on the directory
Deleting a file therefore depends on the permissions of the directory containing the file
To protect data, the file owner can even remove read permission (r) for all other users
To restrict access to a file system, a user can remove execute permission (x) on the root directory of that file system
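The following Python is an added example (not code from the slides) that applies the owner/group/other class rule to the ls -l listing shown earlier, deriving group membership from constructed /etc/passwd and /etc/group lines the way the id command would; the second user, minh, and the group data are assumptions.

```python
# Added example (not from the slides): apply the u/g/o class rules to the
# ls -l listing shown above, with constructed /etc/passwd and /etc/group data.
PASSWD = "tuananh:x:1000:1000::/home/tuananh:/bin/bash\nminh:x:1001:1001::/home/minh:/bin/bash\n"
GROUP = "user1:x:1000:minh\nminh:x:1001:\n"

def groups_of(user, passwd_text=PASSWD, group_text=GROUP):
    """Primary group (the GID field of /etc/passwd) plus every /etc/group
    entry that lists the user in its member list, as `id` would report."""
    gid = next(l.split(":")[3] for l in passwd_text.splitlines() if l.startswith(user + ":"))
    names = set()
    for line in group_text.splitlines():
        name, _pw, g, members = line.split(":")
        if g == gid or user in members.split(","):
            names.add(name)
    return names

def perm_class(entry, user):
    """Exactly one class applies: owner if the user owns the file, else group
    if the user is in the file's group, else other. Classes are not cumulative:
    an owner with '---' is refused even when group and other have 'rw-'."""
    mode = entry["mode"]                     # ls -l string, e.g. "----rw-rw-"
    if user == entry["owner"]:
        return mode[1:4]
    if entry["group"] in groups_of(user):
        return mode[4:7]
    return mode[7:10]

def can(entry, user, want):
    """True if every letter in `want` ("r", "w", "x" or a combination) is granted."""
    bits = perm_class(entry, user)
    return all(b in bits for b in want)

def can_add_or_remove_entry(dir_entry, user):
    """Creating, deleting or moving a name inside a directory needs w on the
    directory (to change its listing) and x (to traverse into it)."""
    return can(dir_entry, user, "wx")

# Constructed from the listing on the slide (owner tuananh, group user1).
TEST1 = {"mode": "----rw-rw-", "owner": "tuananh", "group": "user1"}
TEST2 = {"mode": "-rw-rw-rw-", "owner": "tuananh", "group": "user1"}
VANBAN = {"mode": "drw-r--r--", "owner": "tuananh", "group": "user1"}
```

Note that the owner tuananh is denied on test1.txt while the group member minh can read it: the owner class is checked alone, it never falls through to the group bits.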
Some special permissions for executable files
set-uid: -rws --- ---
The program is run with the privileges of its owner
set-gid: - --- rws ---
The program is run by users belonging to the same group as the owner
sticky bit
The program is allocated memory only once
Example
$ ls -l /etc/passwd
-rw-rw---- 1 root root 568 Feb 10 19:12 passwd
$ ls -l /bin/passwd
-rwsrws--x 1 root root 3634 Feb 10 19:12 passwd
When an ordinary user runs the /bin/passwd command, that user effectively borrows root's privileges to change the password in the /etc/passwd file
Changing access permissions (1)
$ chmod
set-uid  set-gid  sticky    user  group  other
                            rwx   --x    --x
   1        1       0       111   001    001
          6                  7     1      1
$ chmod 6711 test
$ ls -l test
-rws--s--x 1 tuananh user1 Mar 10 10:20 test
$ chmod 711 test
$ ls -l test
-rwx--x--x 1 tuananh user1 Mar 10 10:20 test
Changing access permissions (2)
$ chmod
Who: u | g | o | a (all)
Operation:
+ (add one or more permissions to the file's existing set of permissions)
- (remove one or more permissions from the file's existing set of permissions)
= (set exactly the given permission(s) on the file, replacing the existing ones)
Permission = r | w | x | s
Example
$ ls -l test.txt
-rw-rw-r-- 1 tuananh user1 150 Mar 19 19:12 test.txt
$ chmod o+w test.txt
$ ls -l test.txt
-rw-rw-rw- 1 tuananh user1 150 Mar 19 19:12 test.txt
$ chmod a-rw test.txt
$ ls -l test.txt
---------- 1 tuananh user1 150 Mar 19 19:12 test.txt
$ cat test.txt
cat: test.txt: Permission denied
Defining the default permissions of a newly created file
The default permissions of a file when it is created can be determined with the umask command
$ umask
022
The digit 0 means the user's permissions are not restricted (rwx)
The digit 2 means write permission (w) is masked out (r-x)
$ umask 022
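To tie the octal table, the symbolic chmod syntax and umask together, here is an added Python example (not from the slides) that converts between the ls -l string and the octal mode including the s and t bits, applies one symbolic chmod clause, and computes the mode a new file gets under a given umask; the clause parsing is a simplified model of chmod's grammar, not a port of the real tool.

```python
# Added example (not from the slides): the octal <-> ls -l mode conversions from
# the chmod table, the symbolic u/g/o/a and +/-/= operations, and the umask rule.
import re
import stat

CLASS_MASK = {"u": 0o700, "g": 0o070, "o": 0o007}

def ls_to_octal(s):
    """'-rws--s--x' -> 0o6711. Lower-case s/t also carry the x bit; S/T do not."""
    mode = 0
    for i, ch in enumerate(s[-9:]):          # skip the file-type character
        if ch in "rwxst":
            mode |= 1 << (8 - i)             # the plain r/w/x bit
        if ch in "sS":
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
        elif ch in "tT":
            mode |= stat.S_ISVTX
    return mode

def octal_to_ls(mode, directory=False):
    """Inverse of ls_to_octal, via the standard library's stat.filemode."""
    return stat.filemode((stat.S_IFDIR if directory else stat.S_IFREG) | mode)[1:]

def _setid_bits(who):
    """s applies to setuid for u, setgid for g, both for a."""
    uid = stat.S_ISUID if set(who) & set("ua") else 0
    return uid | (stat.S_ISGID if set(who) & set("ga") else 0)

def chmod_symbolic(spec, mode):
    """Apply one clause such as 'o+w', 'a-rw', 'g=rx' or 'u+s' to an octal mode."""
    who, op, perms = re.fullmatch(r"([ugoa]*)([+=-])([rwxst]*)", spec).groups()
    who = who or "a"                         # chmod treats a missing class as 'a'
    mask = 0o777 if "a" in who else sum(CLASS_MASK[w] for w in set(who))
    bits = 0
    for p in perms:
        if p in "rwx":
            bits |= {"r": 0o444, "w": 0o222, "x": 0o111}[p] & mask
        elif p == "s":
            bits |= _setid_bits(who)
        else:                                # 't': the sticky bit
            bits |= stat.S_ISVTX
    if op == "+":
        return mode | bits
    if op == "-":
        return mode & ~bits
    return (mode & ~(mask | _setid_bits(who))) | bits   # '=': replace the class's bits

def default_mode(umask, directory=False):
    """umask removes bits from the base 666 (file) or 777 (directory)."""
    return (0o777 if directory else 0o666) & ~umask
```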
Changing the owner and group
$ chown [-R]: change the owner of a file
$ chgrp: change the group of a file
The -R option can be used to apply the command recursively (for example, to change the owner or group of every file in a directory)
The commands above are reserved for users with root privileges
Special permissions on files
set-uid: -rws --- ---
The program file is run with the privileges of its owner
set-gid: - --- rws ---
The program is run with the privileges of the owning group
sticky bit
The program is allocated memory only once
Special permissions on directories
set-uid: -rws --- ---
set-gid: - --- rws ---
Newly created files get the directory's group as their owning group
sticky bit
Only root and the owner can delete, even when others have rwx permission
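The following Python is an added example (not from the slides) modelling the two directory rules above with constructed directory entries: a setgid directory hands its group to new files, and a sticky directory such as /tmp (mode 1777) lets only the file's owner, the directory's owner or root unlink a file; the directory-owner case goes slightly beyond the slide's "root and the owner" wording, and the names and modes are assumptions.

```python
# Added example (not from the slides): a small model of the two directory rules
# above (a setgid directory hands its group to new files; a sticky directory such
# as /tmp, mode 1777, lets only the file's owner, the directory's owner or root
# unlink a file), with constructed directory entries.
import stat

def class_bits(mode, owner, group, user, user_groups):
    """The 3 rwx bits of the one class that applies to `user`; root bypasses them."""
    if user == "root":
        return 7
    if user == owner:
        return (mode >> 6) & 7
    if group in user_groups:
        return (mode >> 3) & 7
    return mode & 7

def new_file_ownership(directory, user, primary_group):
    """(owner, group) of a file `user` creates in `directory`."""
    if directory["mode"] & stat.S_ISGID:
        return user, directory["group"]      # inherited from the setgid directory
    return user, primary_group               # default: the creator's primary group

def can_unlink(directory, file_owner, user, user_groups):
    """Unlinking needs w+x on the directory; the file's own mode is irrelevant.
    With the sticky bit set, the caller must additionally own the file or the
    directory, or be root."""
    bits = class_bits(directory["mode"], directory["owner"], directory["group"], user, user_groups)
    if bits & 0b011 != 0b011:                # w (2) and x (1) on the directory
        return False
    if directory["mode"] & stat.S_ISVTX and user != "root":
        return user in (file_owner, directory["owner"])
    return True

# Constructed examples: a world-writable sticky /tmp and a shared setgid project directory.
TMP = {"mode": 0o1777, "owner": "root", "group": "root"}
PROJECT = {"mode": 0o2775, "owner": "tuananh", "group": "project"}
```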
Sticky bit example
Suid bit-example