Linux - System and User Security

Part 1: User Accounts

There are several text files in the /etc directory that contain the account data of the users and groups that are defined on the system. For example, if you wanted to see if a specific user account has been defined on the system, then the place to check is the /etc/passwd file.

The /etc/passwd file defines some of the account information for user accounts. Oddly enough, the passwords for the accounts are not stored in the /etc/passwd file, as the file name implies, but rather in the /etc/shadow file.

1. /etc/passwd File

Each line of the /etc/passwd file relates to a user account. The following graphic shows the first ten lines of a typical /etc/passwd file:

Each line is separated into fields by colon characters. The fields from left to right are as follows:

name:password placeholder:user id:primary group id:comment:home directory:shell

The following table describes each of these fields in detail, using the first line of the output of the previous graphic (root:x:0:0:root:/root:/bin/bash):

name (example: root)

This is the name of the account. This name is used by the person when they log in to the system and when file ownership is displayed by the ls -l command. Typically, the system uses the user ID (see below) internally, and the account name is provided to make it easier for regular users to refer to the account.

The root account is normally a special administrative account. However, it is important to note that not all systems have a root account and that it is really the user id of 0 (zero) that provides administrative privileges on the system.

password placeholder (example: x)

At one time, the password for the user was actually stored in this location, but now it is stored in the /etc/shadow file. The x in the password placeholder field indicates to the system that the password is not stored here, but rather in the /etc/shadow file.

user id (example: 0)

Each account is assigned a user ID (UID). The UID is what really defines the account, as the user name is normally not directly used by the system. For example, files are owned by UIDs, not by user names.

Some UIDs are special. For example, the UID of 0 provides that user account with administrative privileges.

UIDs below 500 (on some Linux distributions 1,000) are reserved for system accounts. System accounts will be covered in more detail later in this chapter.

primary group id (example: 0)

Each file and directory is owned by a user account. Normally the person who creates the file owns it. In addition, each file is owned by a group, normally the user's primary group.

Groups are assigned numeric IDs just like users are.

When a user creates a file, the file is owned by the user's UID and also owned by a group id (GID), the user's primary GID. This field defines which GID is the user's primary GID.

Besides providing default group ownership on a file, this field also indicates that the user is a member of the group, which means the user will have special permissions on any file that is owned by this group. Permissions will be covered in detail in a later chapter.

comment (example: root)
This field can contain any information about the user, including their real (full) name and other useful information.

This field is also called the GECOS (General Electric Comprehensive Operating System) field. GECOS is a rarely used predefined format for this field that defines a comma-separated list of items, including the user's full name, office location, phone number and additional information.

An administrator can modify GECOS information with the chfn command and users can display this information with the finger command.

home directory (example: /root)

This field defines the location of the user's home directory. For regular users, this would normally be /home/username, where username is replaced with the user's username. For example, a username of bob would have a home directory of /home/bob.

The root user normally has a different place for the home directory: /root.

System accounts rarely have home directories as they typically are not used to create or store files.

shell (example: /bin/bash)

This is the location of the user's login shell. By default, the user is "placed in" this shell whenever the user logs into a command line environment or opens a terminal window. The user could then switch to a different shell by typing the name of the shell, for example: /bin/tcsh.

The bash shell (/bin/bash) is the most common shell for Linux users.

Note that while this chapter describes the contents of the user and group files, the next chapter will describe the commands and tools used to modify user and group account information.
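The following is an added example (not part of the original chapter) that parses lines in /etc/passwd format into the seven fields described above and applies the checks the text implies: find one account the way grep does, classify it as a system or regular account by UID, read the full name out of the GECOS field, and list every account whose UID is 0 or whose password field is not the x placeholder. The sample lines, the accounts admin2 and legacy, the hash-looking strings and the SYSTEM_UID_LIMIT value are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the UID boundary below which accounts are system accounts.
# The chapter notes it is 500 on some distributions and 1,000 on others.
SYSTEM_UID_LIMIT = 1000

# Constructed sample lines in /etc/passwd format (not taken from any real system).
# "admin2" is a constructed second UID-0 account and "legacy" a constructed account
# whose password field is not the "x" placeholder, so the audit helpers have
# something to report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob Example,Room 101,555-0100:/home/bob:/bin/bash
admin2:x:0:0:constructed second superuser:/root:/bin/bash
legacy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1002:1002:constructed legacy account:/home/legacy:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    password: str      # normally "x": the real password data lives in /etc/shadow
    uid: int
    gid: int           # primary group id
    gecos: str         # comment field: full name,office,phone,...
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one /etc/passwd line into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse a whole file's worth of lines, skipping blank lines."""
    return [parse_passwd_line(ln) for ln in text.splitlines() if ln.strip()]


def lookup(entries: List[PasswdEntry], name: str) -> Optional[PasswdEntry]:
    """The entry for one account name, like 'grep ^name: /etc/passwd'."""
    return next((e for e in entries if e.name == name), None)


def is_system_account(entry: PasswdEntry, limit: int = SYSTEM_UID_LIMIT) -> bool:
    """System accounts are those with a UID below the distribution's limit."""
    return entry.uid < limit


def gecos_full_name(entry: PasswdEntry) -> str:
    """The first comma-separated item of the GECOS field is the full name."""
    return entry.gecos.split(",")[0]


def superuser_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0 is administrative, whatever it is named."""
    return [e.name for e in entries if e.uid == 0]


def passwords_outside_shadow(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose password field is not the 'x' placeholder, i.e. whose
    password data (or an empty password) sits in the readable /etc/passwd."""
    return [e.name for e in entries if e.password != "x"]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    bob = lookup(entries, "bob")
    print(f"{bob.name}: uid={bob.uid} home={bob.home} shell={bob.shell}")
    print("UID 0 accounts:", superuser_accounts(entries))
    print("password field not 'x':", passwords_outside_shadow(entries))
```

The two audit helpers are the checks an administrator reviewing this file would run: more than one UID 0 account is worth an explanation, and any password field other than x means the password placeholder convention is not being followed for that account.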

2. /etc/shadow File

As previously mentioned, the /etc/shadow file contains account information related to the user's password. A typical /etc/shadow file would look like the following graphic:

The fields of the /etc/shadow file are:

name:password:last change:min:max:warn:inactive:expire:reserved

The following table describes the fields of the /etc/shadow file in more detail, using the following line, which describes a typical user account:

sysadmin:$6$lS6WJ9O/fNmEzrIi$kO9NKRBjLJJTlZD.L1Dc2xwcuUYaYwCTS.gt4elijSQW8ZDp6GLYAx.TRNNpUdAgUXUrzDuAPsYs5YHZNAorI1:15020:5:30:7:60:15050:
name (example: sysadmin)

This is the name of the account, which matches the account name in the /etc/passwd file.

password (example: $6$.........rI1)

The password field contains the encrypted password for the account. This very long string (truncated in the example above) is a one-way encryption, meaning that it can't be "reversed" to determine the original password.

While regular users have encrypted passwords in this field, system accounts will have an * character in this field. See more details about system accounts later in this chapter.

last change (example: 15020)

This field contains a number that represents the last time the password was changed. The number 15020 is the number of days between January 1, 1970 (called the Epoch) and the day the password was last changed.

This value is automatically generated when the user's password is modified. This value is important as it is used by the password aging features provided by the rest of the fields of this file.

min (example: 5)

This is one of the password aging fields; a non-zero value in this field indicates that after a user changes their password, the password can't be changed again for the specified number of days (5 days in this example). This field is important when the max field is used (see below).

A value of zero in this field means the user can always change their password.

max (example: 30)
This field is used to force users to change their passwords on a regular basis. A value of 30 in this field means the user must change their password at least every 30 days to avoid having their account "locked out".

Note that if the min field is set to 0, the user may be able to immediately set their password back to the original value, defeating the purpose of forcing the user to change their password every 30 days. So, if the max field is set, the min field is normally set as well.

For example, a min:max of 5:60 means the user must change their password every 60 days and, after changing, the user must wait 5 days before they can change their password again.

If the max field is set to 99999, the maximum possible value, then the user essentially never has to change their password (because 99999 days is approximately 274 years).

warn (example: 7)

If the max field is set, the warn field indicates that the user would be "warned" when the max timeframe is approaching. For example, if warn is set to 7, then any time during the 7 days before the max timeframe is reached, the user would be warned to change their password during the login process.

The user is only warned at login, so some administrators have taken the approach of setting the warn field to a higher value to provide a greater chance of having a warning issued.

If the max timeframe is set to 99999, then the warn field is essentially useless.

inactive (example: 60)
If the user ignores the warnings and they exceed the max password timeframe, their account will be locked out. In that case, the inactive field provides the user with a "grace" period in which their password can be changed, but only during the login process.

If the inactive field is set to 60, the user has 60 grace days to change to a new password. If they fail to do so, then the administrator would be needed to reset the password for the user.

expire (example: 15050)

This field represents the number of days between January 1, 1970 and the day the account will "expire". An expired account will be locked, not deleted, meaning the administrator can reset the password to unlock the account.

Accounts with expiration dates are normally provided to temporary employees or contractors. The account will automatically expire after the user's last day of work.

When an administrator sets this field, a tool is used to convert from a real date to an "Epoch" date. There are also several free converters available on the Internet.

reserved (example: empty)

Currently not used, this field is reserved for future use.

Regular users can't view the contents of the /etc/shadow file for security reasons. In order to view the contents of this file, you must log in as the administrator (the root account).
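The following is an added example (not part of the original chapter) that parses lines in /etc/shadow format into the nine fields described above and works through the password aging rules the table explains: the Epoch-day conversion for the last change and expire fields, the min field's block on repeated changes, the max deadline, the warn window, the inactive grace period and account expiry. The sysadmin line reuses the chapter's field values (15020:5:30:7:60:15050) with a placeholder hash; the bob and daemon lines, the hash strings, and the exact boundary conventions (warn window inclusive of the deadline day, grace counted from the day after the deadline) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)
NEVER = 99999  # largest max value: the password effectively never expires

# Constructed sample lines in /etc/shadow format (not from a real system).
# sysadmin: the chapter's aging values; bob: min 0 and no expire date;
# daemon: a system account with "*" in the password field.
SAMPLE_SHADOW = """\
sysadmin:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15020:5:30:7:60:15050:
bob:$6$CONSTRUCTEDSALT2$CONSTRUCTEDHASH2:15020:0:30:7:60::
daemon:*:15000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]   # days since the Epoch
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]        # account expiry, days since the Epoch
    reserved: str


def _int_or_none(field: str) -> Optional[int]:
    """Empty aging fields mean 'not set'."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last, mn, mx, warn, inactive, expire, reserved = fields
    return ShadowEntry(name, pw, _int_or_none(last), _int_or_none(mn),
                       _int_or_none(mx), _int_or_none(warn),
                       _int_or_none(inactive), _int_or_none(expire), reserved)


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]


def epoch_days_to_date(days: int) -> date:
    """Turn a 'days since January 1, 1970' value into a calendar date."""
    return EPOCH + timedelta(days=days)


def date_to_epoch_days(d: date) -> int:
    """The conversion an administrator needs when filling in the expire field."""
    return (d - EPOCH).days


def can_change_password(entry: ShadowEntry, today: int) -> bool:
    """min field: a non-zero value blocks changes for that many days after the last one."""
    if not entry.min_days or entry.last_change is None:
        return True
    return today - entry.last_change >= entry.min_days


def password_status(entry: ShadowEntry, today: int) -> str:
    """Classify the account at 'today' (days since the Epoch) using the aging fields."""
    if entry.expire is not None and today >= entry.expire:
        return "account expired"
    if entry.password == "":
        return "empty password"
    if entry.password.startswith(("*", "!")):
        return "locked (no usable password)"
    if entry.last_change is None or entry.max_days is None or entry.max_days >= NEVER:
        return "ok (password never expires)"
    deadline = entry.last_change + entry.max_days
    if today <= deadline:
        # Assumption: the warn window is the last 'warn' days up to the deadline.
        return "warn" if today >= deadline - (entry.warn or 0) else "ok"
    # Past max: the inactive field grants a grace period to change at login.
    if entry.inactive is not None and today <= deadline + entry.inactive:
        return "grace"
    return "locked"


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        changed = epoch_days_to_date(e.last_change) if e.last_change else None
        print(f"{e.name}: last change {changed}, status on day 15045: "
              f"{password_status(e, 15045)}")
```

Running the classifier against the chapter's example at a few points in time shows the fields interacting: three days after the change the min field still blocks another change, at day 15045 the user is inside the 7-day warn window, and on day 15050 the account expires regardless of the password state.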

3. Viewing Account Information

A good way to view account information from the /etc/passwd file is to use the grep command to output just the line containing the account that you are interested in. For example, to see the account information for the user name named "sysadmin", use the grep sysadmin /etc/passwd command:

Another technique for retrieving user information that is normally contained in the /etc/passwd and /etc/shadow files is to use the getent command. One advantage to using the getent command is that it can retrieve account information that is defined locally (/etc/passwd and /etc/shadow) or on a network directory server.

The general syntax of a getent command is: getent database record. For example, the getent passwd sysadmin command would retrieve the passwd account information for the sysadmin user:

4. Viewing Login

When you log into different user accounts, it can be confusing as to who you are currently logged in as. To verify your identity (view whose account you are currently using) you can execute the id command.

The id command will report the current identity, both by user name and user ID. In addition to providing the user account information, the group membership is also displayed. With no argument, the id command will display your identity. Given a user name as an argument, such as id root, the command will display other account information:

The output includes the Security Enhanced Linux context (the context= part of the output), a topic which is beyond the scope of this course.

Date: 2024-10-16 10:48:59
