Managing Users & Groups, File Permissions & Attributes and Enabling sudo Access on Accounts - Part 8


Last August, the Linux Foundation launched the LFCS (Linux Foundation Certified Sysadmin) certification, a new program whose purpose is to allow individuals anywhere to take an exam and become certified in basic to intermediate operational support of Linux systems. This includes supporting running systems and services, along with overall monitoring and analysis, plus the judgement to decide when an issue needs to be escalated to a higher-level support team.

Please have a quick look at the following video, which introduces the Linux Foundation Certification Program.

This article is Part 8 of a 10-tutorial series. In this section we will guide you through managing users and group permissions on a Linux system, as required for the LFCS certification exam.

Since Linux is a multi-user operating system (it allows multiple users on different computers or terminals to access a single system), you need to know how to perform effective user management: how to add, edit, suspend, or delete user accounts, and how to grant them the permissions needed to carry out their assigned tasks.

Adding User Accounts

To add a new user account, run either of the following two commands as root.

# adduser [new_account]
# useradd [new_account]

When a new user account is added to the system, the following operations are performed.

1. The user's home directory is created (/home/username by default).

2. The following hidden files are copied into the user's home directory; they are used to set the environment variables for the user's session.

.bash_logout
.bash_profile
.bashrc

3. A mail spool is created for the user at /var/spool/mail/username.

4. A group is created and given the same name as the new user account.

The full account information is stored in the /etc/passwd file. This file contains one record per system user account and has the following format (fields are delimited by a colon).

[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]

  1. The [username] and [Comment] fields are self-explanatory.
  2. The x in the second field indicates that the account is protected by a shadowed password (stored in /etc/shadow), which is needed to log on as [username].
  3. The [UID] and [GID] fields are integers representing the User IDentification and the primary Group IDentification to which [username] belongs, respectively.
  4. The [Home directory] field is the absolute path to [username]'s home directory, and
  5. The [Default shell] field is the shell that will be made available to this user when he or she logs in to the system.

Group information is stored in the /etc/group file. Each record has the following format.

[Group name]:[Group password]:[GID]:[Group members]

  1. [Group name] is the name of the group.
  2. An x in [Group password] indicates that group passwords are not being used.
  3. [GID]: same as in /etc/passwd.
  4. [Group members]: a comma-separated list of users who are members of [Group name].
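As an added example (not part of the original article), the following shell functions parse records in the /etc/passwd and /etc/group formats just described and pull out what an administrator usually checks first: accounts other than root with UID 0, accounts whose second field is not the x that points to /etc/shadow, and the membership of a group. The records (and the names backup, guest, svc, admin, gacanepa in them) are constructed for the demo; pass the contents of the real files to audit a live system.

```shell
#!/bin/sh
# Added example, not code from the original article. Constructed sample
# records in /etc/passwd and /etc/group format; replace with
# "$(cat /etc/passwd)" and "$(cat /etc/group)" to audit a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tecmint:x:1000:1000:Tecmint User:/home/tecmint:/bin/bash
backup:x:0:0:constructed second UID 0 account:/var/backups:/bin/sh
guest::1002:1002:constructed account with empty password field:/home/guest:/bin/sh
svc:x:1003:1003:Service account:/var/lib/svc:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
users:x:100:tecmint
common_group:x:1004:user1,user2,user3
admin:x:1005:tecmint,gacanepa'

# Usernames (field 1) of every record whose UID (field 3) is 0. Any name other
# than root here is a second superuser account and needs to be explained.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Records whose password field (field 2) is not "x": the hash is not kept in
# /etc/shadow, and an empty field means login without any password.
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# Members (field 4, comma separated) of group $2, one per line.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Exit status 0 if user $3 is listed as a member of group $2.
is_member() {
    group_members "$1" "$2" | grep -qxF "$3"
}

echo "UID 0 accounts:";          uid0_accounts "$SAMPLE_PASSWD"
echo "Unshadowed accounts:";     unshadowed_accounts "$SAMPLE_PASSWD"
echo "Members of common_group:"; group_members "$SAMPLE_GROUP" common_group
```

On the constructed data the first check reports root and backup, the second reports guest, and the third lists user1, user2 and user3; the same three functions answer the question "who can write common.txt through common_group?" later in this article.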

After adding an account, you can edit the following information (to name a few fields) using the usermod command, whose basic syntax is as follows.

# usermod [options] [username]

To set the expiry date of an account, use the --expiredate flag followed by a date in YYYY-MM-DD format.

# usermod --expiredate 2014-10-30 tecmint

To add the user to supplementary groups, use the combined -aG option, or --append --groups, followed by a comma-separated list of groups.

# usermod --append --groups root,users tecmint

To change the location of the user's home directory, use the -d or --home option followed by the absolute path to the new home directory.

# usermod --home /tmp tecmint

To change the user's default shell, use --shell followed by the path to the new shell.

# usermod --shell /bin/sh tecmint

To display the groups a user is a member of, use either of these commands.

# groups tecmint
# id tecmint

Now let's execute all of the above commands in one go.

# usermod --expiredate 2014-10-30 --append --groups root,users --home /tmp --shell /bin/sh tecmint

In the example above, we set the expiry date of the tecmint user account to October 30th, 2014. We also add the account to the root and users groups. Finally, we set sh as its default shell and change the location of its home directory to /tmp.

Read Also:

  1. 15 useradd Command Examples in Linux
  2. 15 usermod Command Examples in Linux

For existing accounts, we can also do the following.

Use the -L (uppercase L) or --lock option to lock a user's password.

# usermod --lock tecmint

Use the -U (uppercase U) or --unlock option to unlock a user's password that was previously locked.

# usermod --unlock tecmint

You can delete an account (along with its home directory, if it is owned by the user, and all the files residing in it, and also the mail spool) using the userdel command with the --remove option.

# userdel --remove [username]

Every time a new user account is added to the system, a group with the same name is created, with the username as its only member. Other users can be added to the group later. One of the purposes of groups is to implement simple access control to files and other system resources by setting the right permissions on those resources.

For example, suppose you have the following users.

  1. user1 (primary group: user1)
  2. user2 (primary group: user2)
  3. user3 (primary group: user3)

All of them need read and write access to a file called common.txt, located somewhere on your local system or perhaps on a network share, that user1 has created. You may be tempted to do something like,

# chmod 660 common.txt
OR
# chmod u=rw,g=rw,o= common.txt [notice the space between the last equal sign and the file name]

However, this will only provide read and write access to the owner of the file and to those users who are members of the file's group owner (user1 in this case). Again, you may be tempted to add user2 and user3 to group user1, but that would also give them access to the rest of the files owned by user user1 and group user1.

This is where groups come in handy, and here is what you should do in a case like this. Run the following sequence of commands to achieve it.

# groupadd common_group # Add a new group
# chown :common_group common.txt # Change the group owner of common.txt to common_group
# usermod -aG common_group user1 # Add user1 to common_group
# usermod -aG common_group user2 # Add user2 to common_group
# usermod -aG common_group user3 # Add user3 to common_group

You can delete a group with the following command.

# groupdel [group_name]

If there are files owned by group_name, they will not be deleted, but their group owner will be left set to the GID of the group that was deleted.

Linux File Permissions

Besides the basic read, write, and execute permissions that we discussed in Archiving Tools and Setting File Attributes - Part 3 of this series, there are other less-used (but no less important) permission settings, sometimes referred to as "special permissions".

Like the basic permissions discussed earlier, they are set using octal notation or a letter (symbolic notation) that represents the type of permission.

When the setuid permission is applied to an executable file, a user running the program inherits the effective privileges of the program's owner. Since this approach can reasonably raise security concerns, the number of files with the setuid permission must be kept to a minimum. You will typically find programs with this permission set when a system user needs to access a file owned by root.

Summing up, it is not just that the user can execute the binary file, but also that he can do so with root's privileges. For example, let's check the permissions of /bin/passwd. This binary is used to change the password of an account, and it modifies the /etc/shadow file. The superuser can change anyone's password, but all other users should only be able to change their own.

Thus, any user should have permission to run /bin/passwd, but only root will be able to specify an account. Other users can only change their own passwords.

When the setgid bit is set, the effective GID of the real user becomes that of the group owner. Thus, any user can access a file under the privileges granted to the group owner of that file. In addition, when the setgid bit is set on a directory, newly created files inherit the same group as the directory, and newly created subdirectories also inherit the setgid bit of the parent directory. You will most likely use this approach whenever members of a certain group need access to all the files in a directory, regardless of the file owner's primary group.

# chmod g+s [filename]

To set setgid in octal form, prepend the number 2 to the current (or desired) basic permissions.

# chmod 2755 [directory]

When the sticky bit is set on files, Linux simply ignores it, whereas for directories it has the effect of preventing users from deleting or even renaming the files it contains unless the user owns the directory or the file, or is root.

# chmod o+t [directory]

To set the sticky bit in octal form, prepend the number 1 to the current (or desired) basic permissions.

# chmod 1755 [directory]

Without the sticky bit, anyone able to write to a directory can delete or rename the files in it. For that reason, the sticky bit is commonly found on directories, such as /tmp, that are world-writable.
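As an added example (not part of the original article), the shell functions below decode the special bits from a path's octal mode and run the two checks an audit of these bits usually starts with: setuid/setgid files under a directory, and world-writable directories that lack the sticky bit. They assume GNU stat and find, as found on Linux; the stand-alone run at the bottom works on a throwaway temporary directory with constructed file names.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes GNU coreutils
# stat (-c) and a POSIX find, as on Linux.

# Octal mode of a path without leading zeros, e.g. 755, 4755, 1777.
octal_mode() {
    stat -c '%a' "$1"
}

# Names of the special bits set on a path, comma separated, or "none".
# The leading octal digit encodes them: setuid = 4, setgid = 2, sticky = 1.
special_bits() {
    mode=$(octal_mode "$1")
    high=0
    if [ "${#mode}" -eq 4 ]; then
        high=${mode%???}      # keep only the first digit
    fi
    out=""
    [ $((high & 4)) -ne 0 ] && out="${out}setuid,"
    [ $((high & 2)) -ne 0 ] && out="${out}setgid,"
    [ $((high & 1)) -ne 0 ] && out="${out}sticky,"
    if [ -n "$out" ]; then
        printf '%s\n' "${out%,}"
    else
        echo none
    fi
}

# Regular files under $1 with setuid or setgid set, printed as "mode path".
# On a whole system run it as "find / -xdev ..." and account for every entry.
find_special_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %n' {} \; | sort
}

# Directories under $1 that are world-writable but lack the sticky bit: any
# user can delete or rename anyone else's files in them.
find_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec stat -c '%a %n' {} \; | sort
}

# Stand-alone demonstration on a temporary directory (constructed files).
demo() {
    d=$(mktemp -d)
    touch "$d/suid_prog" "$d/sgid_prog" "$d/plain"
    mkdir "$d/shared_sticky" "$d/shared_open"
    chmod 4755 "$d/suid_prog"; chmod 2755 "$d/sgid_prog"; chmod 644 "$d/plain"
    chmod 1777 "$d/shared_sticky"; chmod 777 "$d/shared_open"
    for p in suid_prog sgid_prog plain shared_sticky shared_open; do
        printf '%-14s %s\n' "$p" "$(special_bits "$d/$p")"
    done
    echo "setuid/setgid files:"; find_special_files "$d"
    echo "world-writable dirs without sticky bit:"; find_unsticky_world_writable_dirs "$d"
    rm -rf "$d"
}
demo
```

The octal decoding mirrors the chmod 2755 and chmod 1755 forms above: the extra leading digit is the sum of the special bits, so 6755 means both setuid and setgid.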

Special Linux File Attributes

There are other attributes that place further limits on the operations allowed on files; for example, preventing a file from being renamed, moved, deleted, or even modified. They are set with the chattr command and can be viewed using the lsattr tool, as follows.

# chattr +i file1
# chattr +a file2

After executing those two commands, file1 will be immutable (which means it cannot be moved, renamed, modified or deleted), whereas file2 will enter append-only mode (it can only be opened in append mode for writing).

Accessing the root Account and Using sudo

One of the ways users can gain access to the root account is by typing

$ su

and then entering root's password.

If authentication succeeds, you will be logged on as root with the same current working directory as before. If you want to be placed in root's home directory instead, run

$ su -

and then enter root's password.

The above procedure requires that a normal user knows root's password, which poses a serious security risk. For that reason, the sysadmin can configure the sudo command to allow an ordinary user to execute commands as a different user (usually the superuser) in a controlled and limited way. Thus, restrictions can be set on a user so as to enable him to run one or more specific privileged commands and no others.

Read Also: Difference Between su and sudo User

To authenticate using sudo, the user uses his or her own password. After entering the command, we will be prompted for our own password (not the superuser's), and if authentication succeeds (and if the user has been granted the privilege to run the command), the specified command is carried out.

To grant access to sudo, the system administrator must edit the /etc/sudoers file. It is recommended that this file be edited using the visudo command instead of opening it directly with a text editor.

# visudo

This opens the /etc/sudoers file using vim (you can follow the instructions given in Install and Use vim as Editor - Part 2 of this series to edit the file).

These are the most relevant lines.

Defaults    secure_path="/usr/sbin:/usr/bin:/sbin"
root        ALL=(ALL) ALL
tecmint     ALL=/bin/yum update
gacanepa    ALL=NOPASSWD:/bin/updatedb
%admin      ALL=(ALL) ALL

Let's take a closer look at them.

Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/usr/local/bin"

This line lets you specify the directories that will be used for sudo, and is used to prevent the use of user-specific directories, which could harm the system.

The next lines are used to specify permissions.

root        ALL=(ALL) ALL

  1. The first ALL keyword indicates that this rule applies to all hosts.
  2. The second ALL indicates that the user in the first column can run commands with the privileges of any user.
  3. The third ALL means any command can be run.

tecmint     ALL=/bin/yum update

If no user is specified after the = sign, sudo assumes the root user. In this case, user tecmint will be able to run yum update as root.

gacanepa    ALL=NOPASSWD:/bin/updatedb

The NOPASSWD directive allows user gacanepa to run /bin/updatedb without needing to enter his password.

%admin      ALL=(ALL) ALL

The % sign indicates that this line applies to a group called "admin". The meaning of the rest of the line is identical to that of a regular user: members of the "admin" group can run all commands as any user on all hosts.

To see what privileges have been granted to you by sudo, use the -l option to list them.
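As an added example (not code from the original article), here is a small sudoers review script: it takes the five lines discussed above plus two constructed entries (deploy and %ops) and lists the user specifications that grant the most, so a reviewer can see at a glance who can run anything as anyone, who can do so without a password, and which rules hand out an interactive shell. It assumes one-line user specifications in the who host=(runas) [NOPASSWD:] commands form and does not resolve aliases, continuation lines or included files; a real candidate file should be syntax-checked with visudo -c -f before it is installed.

```shell
#!/bin/sh
# Added example, not code from the original article. The first five rules are
# the ones discussed in the text; the last two are constructed to show what
# the checks flag.
SAMPLE_SUDOERS='Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/usr/local/bin"
root        ALL=(ALL) ALL
tecmint     ALL=/bin/yum update
gacanepa    ALL=NOPASSWD:/bin/updatedb
%admin      ALL=(ALL) ALL
# constructed entries for the demo
deploy      ALL=(ALL) NOPASSWD: ALL
%ops        ALL=(root) /bin/sh'

# User specifications only: comments, blank lines and Defaults removed.
# Assumes one rule per line (no aliases, "\" continuations or @include).
user_specs() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -v '^Defaults'
}

# Principals (user or %group, root excluded) allowed to run ALL commands as
# ALL users, with or without NOPASSWD.
full_access_principals() {
    user_specs "$1" | awk '$1 != "root" && /=\(ALL\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$/ { print $1 }'
}

# Principals whose rule combines NOPASSWD with ALL commands: nothing at all
# stands between the account and root.
passwordless_all() {
    user_specs "$1" | awk '/NOPASSWD:/ && /ALL[[:space:]]*$/ { print $1 }'
}

# Rules whose command list contains /bin/sh or /bin/bash: equivalent to
# unrestricted access, however narrow the rest of the line looks.
shell_granting_rules() {
    user_specs "$1" | awk '/[=:[:space:]]\/bin\/(ba)?sh([[:space:]]|$)/ { print $1 }'
}

echo "full access:";      full_access_principals "$SAMPLE_SUDOERS"
echo "passwordless ALL:"; passwordless_all "$SAMPLE_SUDOERS"
echo "grants a shell:";   shell_granting_rules "$SAMPLE_SUDOERS"
# Before installing a real file, syntax-check it: visudo -c -f /path/to/file
```

On the sample, full access is reported for %admin and deploy, passwordless ALL only for deploy, and %ops is the one rule that grants a shell; tecmint and gacanepa, whose rules name a single command, are not flagged by any check.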

PAM (Pluggable Authentication Modules)

Pluggable Authentication Modules (PAM) offer the flexibility of setting a specific authentication scheme on a per-application and/or per-service basis using modules. This tool, present on all modern Linux distributions, overcame a problem often faced by developers in the early days of Linux, when each program that required authentication had to be compiled specially to know how to obtain the necessary information.

For example, with PAM, it does not matter whether your password is stored in /etc/shadow or on a separate server inside your network.

When the login program needs to authenticate a user, PAM dynamically provides a library that contains the functions for the right authentication scheme. Thus, changing the authentication scheme for the login application (or any other program using PAM) is easy, since it only involves editing a configuration file (most likely a file named after the application, located inside /etc/pam.d, and less likely /etc/pam.conf).

The files inside /etc/pam.d indicate which applications use PAM natively. In addition, we can tell whether a certain application uses PAM by checking whether the PAM library (libpam) has been linked to it:

# ldd $(which login) | grep libpam # login uses PAM
# ldd $(which top) | grep libpam # top does not use PAM

In the output above we can see that libpam has been linked with the login application. This makes sense, since this application is involved in authenticating system users, whereas top is not.

Let's examine the PAM configuration file for passwd, the well-known utility for changing user passwords. It is located at /etc/pam.d/passwd:

# cat /etc/pam.d/passwd

The first column indicates the type of authentication to be used with the module path (third column). When a hyphen appears before the type, PAM will not write to the system log if the module cannot be loaded because it could not be found on the system.

The following authentication types are available:

  1. account: this module type checks whether the user or service has supplied valid credentials to authenticate.
  2. auth: this module type verifies that the user is who he or she claims to be and grants any needed privileges.
  3. password: this module type allows the user or service to update their password.
  4. session: this module type indicates what should be done before and/or after the authentication succeeds.

The second column (called control) indicates what should happen if authentication with this module fails:

  1. requisite: if authentication via this module fails, overall authentication is denied immediately.
  2. required: similar to requisite, although all other listed modules for this service will be called before authentication is denied.
  3. sufficient: if authentication via this module fails, PAM will still grant authentication even if a previous module marked as required failed.
  4. optional: whether authentication via this module fails or succeeds, nothing happens unless this is the only module of its type defined for this service.
  5. include means that the lines of the given type should be read from another file.
  6. substack is similar to include, but authentication failures or successes do not cause the exit of the complete stack, only of the substack.

The fourth column, if present, shows the arguments to be passed to the module.

The first three lines in /etc/pam.d/passwd (shown above) load the system-auth stack to check that the user has supplied valid credentials (account). If so, it allows him or her to change the authentication token (password) by giving permission to use passwd (auth).

For example, if you append

remember=2

to the following line

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

in /etc/pam.d/system-auth:

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2

the last two passwords of each user are saved in /etc/security/opasswd so that they cannot be reused.
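As an added example (not code from the original article), the script below reads a PAM service file into the four columns described above, looks up a single argument or flag on a given type/module entry, and applies the remember=2 edit with awk instead of a text editor, refusing to add the argument a second time. The service file is a constructed system-auth-style stack, not copied from any distribution. One note on the sufficient control value, from pam.conf(5): it is the success of a sufficient module that ends the stack early with success, and that success is ignored if an earlier required module has already failed.

```shell
#!/bin/sh
# Added example, not code from the original article. A constructed
# system-auth-style PAM stack (not copied from any distribution).
SAMPLE_PAM='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-session    optional      pam_systemd.so
session     required      pam_unix.so'

# One line per entry: "type control module [args]", comments and blank lines
# dropped and the leading "-" (silence load failures) stripped from the type.
pam_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { t = $1; sub(/^-/, "", t); args = ""
          for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
          printf "%s %s %s%s\n", t, $2, $3, (args == "" ? "" : " " args) }'
}

# Value of argument $4 (written name=value) on the first entry of type $2
# using module $3; prints nothing if the argument is absent.
pam_arg() {
    pam_entries "$1" | awk -v t="$2" -v m="$3" -v a="$4" '
        $1 == t && $3 == m { for (i = 4; i <= NF; i++) if (index($i, a "=") == 1) { print substr($i, length(a) + 2); exit } }'
}

# Exit status 0 if bare flag $4 appears on an entry of type $2 using module $3.
pam_has_flag() {
    pam_entries "$1" | awk -v t="$2" -v m="$3" -v f="$4" '
        $1 == t && $3 == m { for (i = 4; i <= NF; i++) if ($i == f) found = 1 }
        END { exit !found }'
}

# Append argument $4 to the first entry of type $2 using module $3, unless it
# is already there; original spacing and comments are preserved.
pam_add_arg() {
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" -v a="$4" '
        !done && $1 !~ /^#/ { x = $1; sub(/^-/, "", x)
            if (x == t && $3 == m && index(" " $0 " ", " " a " ") == 0) { $0 = $0 " " a; done = 1 } }
        { print }'
}

# Two review findings for the auth and password stacks.
pam_warnings() {
    if pam_has_flag "$1" auth pam_unix.so nullok; then
        echo "WARN: auth pam_unix.so has nullok: accounts with an empty password can log in"
    fi
    if [ -z "$(pam_arg "$1" password pam_unix.so remember)" ]; then
        echo "WARN: password pam_unix.so has no remember=: old passwords can be reused"
    fi
}

echo "--- before"; pam_warnings "$SAMPLE_PAM"
FIXED=$(pam_add_arg "$SAMPLE_PAM" password pam_unix.so remember=2)
echo "--- after appending remember=2"; pam_warnings "$FIXED"
```

Run stand-alone, the script prints both warnings for the constructed stack and only the nullok warning after remember=2 has been appended to the pam_unix.so password line; applying the edit a second time leaves the file unchanged.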

Summary

Effective user and file management skills are essential tools for any system administrator. In this article we have covered the basics and hope you can use it as a good starting point to build upon. Feel free to leave your comments or questions below, and we will respond quickly.


All rights reserved. © Linux-Console.net • 2019-2024