Linux (Red Hat) User Management
User Administration

Overview: User Policy Considerations; The User Account Database - /etc/passwd; Adding a New User Account; User Private Groups; Group Administration; Modifying/Deleting Accounts; Password Aging Policies; Login Shell Scripts; Non-Login Shell Scripts; Switching Accounts; Sudo; Network Users; Authentication Configuration; Example: NIS Configuration; Example: LDAP Configuration; File Ownership; Linux File Permissions; SUID/SGID Executables; The Sticky Bit; The Setgid Access Mode; Default File Permissions; Access Control Lists (ACLs)

I. User Policy Considerations (factors to weigh when managing users)
1. Amount of system access beyond the existing user accounts (who, besides the users already on the system, needs access)
   A. The amount of access to system files and resources (how many people access the system's files and resources)
   B. Whether to limit logins to certain times and places (whether some users may only access the system at particular times and from particular places)
2. Expiration of passwords and accounts (how long a user's password remains valid)
   Whether to force periodic password changes
3. Disk usage and CPU limits (disk space and CPU limits)
   A. Whether to enforce CPU and memory limits on users
   B. Whether to enable disk quotas

II. The User Account Database - /etc/passwd
Contains the account information used at login and by other programs.
1. One account per line with seven colon-delimited fields:
   Field 1: the account name
   Field 2: an x means a password is required to log in; removing the x lets the account log in without a password
   Field 3: the UID; root's UID is 0, UIDs 1-499 are reserved for system services and applications, and manually created accounts start at UID 500
   Field 4: the GID; root's GID is 0
   Field 5: finger information, a free-form comment about the account; view it with the finger command and change it with the chfn command
   Field 6: the account's home directory
   Field 7: the account's login shell; nologin means the account can only log in via FTP, and false means the account can only send and receive mail and cannot log in to the system
2. Should have permissions rw-r--r-- (do not change the permissions of /etc/passwd, or other users may be unable to log in)

III. Adding a New User Account
1. The most common method is useradd:
   useradd username
2. Running useradd is equivalent to:
   A. Editing /etc/passwd, /etc/shadow and /etc/group
   B. Creating and populating the home directory
   C. Setting permissions and ownership
   Example: the files in /home/user3 were all copied from /etc/skel
3. Set the account password using passwd
4. Accounts may be added in a batch with newusers

IV. User Private Groups
1. When a user account is created, a private group with the same name is also created
   A. The user is assigned to this private group
   B. The user's new files are affiliated with this group
2. Advantage: prevents new files from belonging to a "public" group

V. Group Administration
Entries are added to /etc/group with:
   groupadd
   groupmod
   groupdel

VI. Modifying / Deleting Accounts
1. To change fields in a user's /etc/passwd entry you can:
   A. Edit the file by hand
   B. Use usermod options username
   Example 1: change the location of user5's home directory in /etc/shadow; the new directory must be created by hand
   Example 2: add user1 to user6's group
2. To remove a user, either:
   A. Manually remove the user from /etc/passwd, /etc/shadow, /etc/group and /var/spool/mail/username
   B. Use userdel -r username

VII. Password Aging Policies (password validity periods)
1. By default, passwords do not expire
2. Forcing passwords to expire is part of a strong security policy
3. Modify the default expiration settings in /etc/login.defs
4. To modify password aging for existing users, use the chage command:
   chage options username
   Example: list an account's password information

VIII. Login Shell Scripts
/etc/profile holds the global settings. It only runs for login shells; non-login shells do not invoke this script. It sources the files under /etc/profile.d/*.sh.
~/.bash_profile holds an individual user's settings; it sources ~/.bashrc, which in turn sources /etc/bashrc.

IX. Non-Login Shell Scripts
~/.bashrc sources /etc/bashrc, which sources /etc/profile.d/*.sh.
Compare profile with bashrc.

X. Switching Accounts
1. Syntax:
   su - user
   su - user -c command
2. Allows the user to temporarily become another user; the default user is root
3. The "-" option makes the new shell a login shell

XI. sudo
1. Users listed in /etc/sudoers execute commands with:
   A. An effective user ID of 0
   B. The group ID of root's group
2. An administrator will be contacted if a user not listed in /etc/sudoers attempts to use sudo
/etc/sudoers may only be opened for editing with the visudo command.
Example: enter www1's password

XII. Network Users
1. Information about users may be centrally stored and managed on a remote server
2. Two types of information must always be provided for each user account:
   A. Account information: UID number, default shell, home directory, group memberships, and so on
   B. Authentication: a way to tell that the password provided at login for an account is correct

XIII. Authentication Configuration
1. system-config-authentication
   A. GUI tool to configure authentication
   B. For the text-based tool, use the -nox option
   C. authconfig
2. Supported account information services: local files, NIS, LDAP, Hesiod, Winbind
3. Supported authentication mechanisms: NSS, Kerberos, LDAP, SMB, Winbind

XIV. Example: NIS Configuration (client)
1. Must install the ypbind and portmap RPMs
2. Run system-config-authentication
   A. Enable NIS to
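The /etc/passwd rules from section II (seven colon-delimited fields, an emptied second field meaning no password is needed, root as the only UID 0, and the shell in field 7) can be audited with the shell script below. It is an added example and not part of the original document; the account names and UIDs in SAMPLE_PASSWD are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original document): audit a passwd-format file
# for the risks the text describes. With no argument it audits a constructed
# sample; pass a path such as /etc/passwd to audit a live system.

# Constructed sample /etc/passwd content: one account per line, seven fields.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftpuser:x:501:501:FTP only:/home/ftpuser:/sbin/nologin
user3:x:503:503:Normal user:/home/user3:/bin/bash
guest::504:504:Password field emptied:/home/guest:/bin/bash
extra0:x:0:505:Second uid 0 account:/home/extra0:/bin/bash'

# Accounts whose password field (field 2) is empty: no password needed to log in.
empty_password_accounts() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }' "$1"
}

# Accounts other than root whose UID (field 3) is 0: they are effectively root.
extra_uid0_accounts() {
    awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# "name shell" for manually created accounts (UID >= 500 per the text), so a
# reviewer can see which of them use nologin/false rather than a real shell.
user_shells() {
    awk -F: 'NF == 7 && $3 >= 500 { print $1, $7 }' "$1"
}

audit_passwd_file() {
    echo "== accounts with an empty password field =="
    empty_password_accounts "$1"
    echo "== uid 0 accounts other than root =="
    extra_uid0_accounts "$1"
    echo "== shells of accounts with uid >= 500 =="
    user_shells "$1"
}

# Without an argument, write the constructed sample to a temporary file.
PASSWD_FILE="${1:-$(mktemp)}"
[ $# -eq 0 ] && printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
audit_passwd_file "$PASSWD_FILE"
```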