如何讓系統更安全
Linux權限體系, rwx permission denied
作業:
批量添加用戶 exam1..exam3,並設置固定的密碼1 (要求不能使用循環 for while)
批量添加用戶 exam1..exam3,並設置8位隨機密碼 (要求不能使用循環 for while)
[root@manager ~]$ useradd exam1 ;echo 1 |passwd --stdin exam1
[root@manager ~]$ useradd exam2 ;echo 1 |passwd --stdin exam2
[root@manager ~]$ useradd exam3 ;echo 1 |passwd --stdin exam3
[root@manager /exam]$ ll
total 20
drwxr-xr-x. 3 root root 18 Nov 21 07:18 ceo
-rw-r--r--. 1 root root 465 Nov 21 10:23 fstab
-rw-r--r--. 1 root root 158 Nov 21 10:25 hosts
-rw-r--r--. 1 root root 352 Nov 19 10:51 reg.txt
-rw-r--r--. 1 root root 86 Nov 19 12:29 sed.txt
drwxr-xr-x. 6 root root 4096 Nov 21 10:23 sysconfig
[root@manager /exam]$ ll ceo/
total 0
drwxr-xr-x. 2 root root 24 Nov 21 07:19 yoyo
[root@manager /exam]$ ll -d /exam/
drwxr-xr-x. 4 root root 90 Nov 21 10:30 /exam/添加一個虛擬用戶 mysql 指定用戶的 uid gid 爲12306
[root@manager /exam]$ useradd -u 12306 -s /sbin/nologin -M mysql
[root@manager /exam]$ id mysql
uid=12306(mysql) gid=12306(mysql) groups=12306(mysql)
[root@manager /exam]$ useradd yuyu
[root@manager /exam]$ id yuyu
uid=12307(yuyu) gid=12307(yuyu) groups=12307(yuyu)
[root@manager /exam]$ w
13:56:04 up 16 min, 1 user, load average: 0.00, 0.01, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.74.144.165 13:41 4.00s 0.05s 0.01s wdate -s 完整日期時間(YYYY-MM-DD hh:mm[:ss]):修改日期、時間
[root@manager /exam]$ date -s '2019-12-2 19:15:50'
Mon Dec 2 19:15:50 EST 2019
[root@manager /exam]$ date
Mon Dec 2 19:15:53 EST 2019
[root@manager /exam]$ w
19:17:20 up 25 min, 1 user, load average: 0.00, 0.01, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.74.144.165 13:41 0.00s 0.04s 0.00s w
[root@manager /exam]$ uptime
19:17:45 up 25 min, 1 user, load average: 0.00, 0.01, 0.02
[root@manager /exam]$ 
自動對比
1、記錄文件的指紋 police.md5
[root@manager /exam]$ md5sum exam.txt
924684b0d8ad52fd16ea0030122be50a exam.txt
[root@manager /exam]$ echo uouo >exam.txt
[root@manager /exam]$ md5sum exam.txt
7a9ac8bf65a46efebaf8b81f13124c25 exam.txt[root@manager /exam]$ md5sum exam.txt
924684b0d8ad52fd16ea0030122be50a exam.txt
[root@manager /exam]$ echo uouo >exam.txt
[root@manager /exam]$ md5sum exam.txt
7a9ac8bf65a46efebaf8b81f13124c25 exam.txt
[root@manager /exam]$ md5sum exam.txt >police.md5
[root@manager /exam]$ cat police.md5
7a9ac8bf65a46efebaf8b81f13124c25 exam.txt
[root@manager /exam]$ md5sum exam.txt >>police.md5
[root@manager /exam]$ cat police.md5
7a9ac8bf65a46efebaf8b81f13124c25 exam.txt
7a9ac8bf65a46efebaf8b81f13124c25 exam.txt2、根據庫指紋進行對比
[root@manager /exam]$ md5sum --check police.md5
exam.txt: OK
exam.txt: OK
[root@manager /exam]$ echo 11111 >>exam.txt
[root@manager /exam]$ md5sum --check police.md5
exam.txt: FAILED
exam.txt: FAILED
md5sum: WARNING: 2 computed checksums did NOT match[root@manager /exam]$ find /exam/ -type f |xargs md5sum
15e2278b038244708bae6cf3468015ff /exam/reg.txt
cd36a10d8421743acd1e2c88ca83de46 /exam/sed.txt
d41d8cd98f00b204e9800998ecf8427e /exam/ceo/yoyo/youyou.txt
8fa3246990109d2ac5f1835bd2a04d2d /exam/sysconfig/ip6tables-config
13f6028cd7c8d8d6400ade9003d219c9 /exam/sysconfig/iptables-config
de08f397138caf0c99bda7e7322b2172 /exam/sysconfig/cbq/avpkt
760fb2971fb9b19e62564169e0bd94f9 /exam/sysconfig/cbq/cbq-0000.example
52b80b4ab7cafb63b53013edb769037c /exam/sysconfig/rdisc
62f39cb6e6ced2b374af6955bda3ed8f /exam/sysconfig/init[root@manager /exam]$ md5sum -c /root/police2.md5
/exam/reg.txt: OK
/exam/sed.txt: OK
/exam/ceo/yoyo/youyou.txt: OK
/exam/sysconfig/ip6tables-config: OK
/exam/sysconfig/iptables-config: OK
/exam/sysconfig/cbq/avpkt: OK
/exam/sysconfig/cbq/cbq-0000.example: OK
/exam/sysconfig/rdisc: OK
/exam/sysconfig/init: OKsodu 給普通用戶臨時成爲 root 的權限,普通用戶可以臨時以root 身份運行某個命令
sudo -l 查看當前有哪些可以執行的命令
[yuyu@manager /root]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for yuyu:
Sorry, user yuyu may not run sudo on manager.給yuyu 用戶授權兩個命令 ls touch
90 ##
91 ## Allow root to run any commands anywhere
92 root ALL=(ALL) ALL
93
94 yuyu ALL=(ALL) /bin/ls, /bin/touch[root@manager /]$ su yuyu
[yuyu@manager /]$
[yuyu@manager /root]$ sudo touch exam
[yuyu@manager /root]$ ls
ls: cannot open directory .: Permission denied
[yuyu@manager /root]$ sudo ls
anaconda-ks.cfg df.txt exam police2.md5
[yuyu@manager /root]$ sudo ll
sudo: ll: command not found
[yuyu@manager /root]$ pwd
/rootvisodu == vi /etc/sudoers
visodu 自帶檢查功能
[root@manager /]$ visudo
#>>> /etc/sudoers: syntax error near line 93 <<<
What now?
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
給yuyu 用戶授權/bin 下所有命令,排除某個命令或參數
yuyu ALL=(ALL) /bin/*
yuyu ALL=(ALL) /bin/* !/bin/mkdir
#yuyu ALL=(ALL) /bin/ls, /bin/touch
!## Allow root to run any commands anywhere
root ALL=(ALL) ALL
yuyu ALL=(ALL) /bin/*
yuyu ALL=(ALL) ALL
yuyu ALL=(ALL) /bin/*, !/bin/rm
yuyu ALL=(ALL) NOPASSWD: ALL
#yuyu ALL=(ALL) /bin/ls, /bin/touch應按需授權,需要什麼命令給什麼命令
用戶 可以在所有服務器使用sudo=(你可以成爲誰)
總結:
w 每一部分含義
如何讓系統更安全
sudo 臨時讓用戶獲得 root權限