- 论坛徽章:
- 0
|
Certification Objective 1.06:Basic Security
认证目的 1.06:基本安全[性]
The basic security of a Linux computer is based on file permissions.
Linux 计算机的基本安全[性] 以文件许可为基础。
Default file permissions are set through the umask shell variable.
内定的文件许可被设定过 umask 外壳变数。
SUID and SGID permissions can give all users access to specific files.
SUID 和 SGID 许可能给所有的使用者对特定的文件存取。
Ownership is based on the default user and group IDs of the person who created a file.
所有权以内定用户和创造了一个文件的人的组身份证为基础。
Managing permissions and ownership involves commands such as chmod, chown, and chgrp.
管理许可而且所有权包括指令,像是 chmod 、 chown 和 chgrp 。
Users and groups own files.
使用者和组拥有文件。
Users and groups have passwords.
使用者和组有口令[字] 。
Security can be enhanced if you configure users and groups in the Shadow Password Suite.
如果你在影子口令[字] 程序组中配置使用者和组,安全[性] 能被提高。
File Permissions
文件许可
Linux file permissions are straightforward.
Linux 文件许可是笔直的。
Take the following output from ls -l /sbin/fdisk:
采取来自 ls 的下列的输出 -l/sbin/fdisk:
-rwxr-xr-x 1 root root 80236 Sep 1 18:26 /sbin/fdisk
The permissions are shown on the left-hand side of the listing.
许可在列表的左手边上被显示。
Ten characters are shown.
十个字符被显示。
The first character determines whether it's a regular or a special file.
第一个字符决定它是否是一个老客户或一个特别的文件。
The remaining nine characters are grouped in threes, applicable to the file owner (user), the group owner, and everyone else on that Linux system.
剩馀的九个字符被聚集在三, 适用于文件系主 (使用者) ,组系主和其他人在那 Linux 系统上。
The letters are straightforward:
文字是笔直的:
r=read, w=write, x=execute.
r=阅读, w=书写, x=运行。
These characters are described in Table 1-6.
这些字符在表 1-6 被描述。
Table 1-6: Description of File Permissions
表 1-6: 文件许可的描述
Position
放置
Description
描述
1
Type of file; - = regular file, d=directory, b=device, l=linked file
文件的型态; -= 一般的文件、 d=directory 、 b=device, l=联接了文件
234
Permissions granted to the owner of the file
许可对文件的系主允许
567
Permissions granted to the group owner of the file
许可对文件的组系主允许
890
Permissions granted to all other users on the Linux system
许可在 Linux 上允许至所有的其他使用者系统
Key commands that can help you manage the permissions and ownership of a file are chmod, chown, and chgrp.
能帮助你处理文件的许可和所有权的主要指令是 chmod 、 chown 和 chgrp 。
The chmod command uses the numeric value of permissions associated with the owner, group, and others.
chmod 指令使用与系主、组和其他有关的许可的数字数值。
In Linux, permissions are assigned the following numeric values:
在 Linux ,许可被分配下列的数字数值:
r=4, w=2, and x=1.
For example, if you were crazy enough to give read, write, and execute permissions on fdisk to all users, you would run the chmod 777 /sbin/fdisk command.
举例来说,如果你够发狂来给阅读,书写, 而且运行在 fdisk 之上的许可至所有的使用者,你会运行 chmod 777/sbin/fdisk 指令。
The chown and chgrp commands adjust the user and group owners associated with the cited file.
chown 和 chgrp 指令调整与被引证的文件有关的使用者和组系主。
Users, Groups, and umask
使用者、组和 umask
Linux, like Unix, is configured with users and groups.
Linux,像 Unix,与使用者和组一起配置。
Everyone who uses Linux is set up with a username, even if it's just 'guest.
每个人谁使用 Linux 与一个使用者名称一起建立,即使它仅仅 '客人。
' Take a look at /etc/passwd.
One version of this file is shown in Figure 1-5.
这一个文件的一个版本在图 1-5 被显示。
Figure 1-5: /etc/passwd
As you can see, all kinds of usernames are listed in the /etc/passwd file.
当你能见到,各种的使用者名称在那 /etc/passwd 文件中被列出。
Even a number of Linux services such as mail, news, nfs, and apache have their own usernames.
甚至一些 Linux 服务,像是邮件、新闻、 nfs 和流氓有他们自己的使用者名称。
In any case, the /etc/passwd file follows a specific format, described in more detail in Chapter 4.
无论如何, 那 /etc/passwd 文件跟随一个特定的格式,在第 4 章更详细地描述.
For now, note that the only users shown in this file are mj and tb, their user IDs (UID) and group IDs (GID) are 500 and 501, and their home directories match their usernames.
因为现在,注意在这一个文件中显示的唯一的使用者是 mj 和 tb, 他们的使用者身份证 (UID) 和组身份证 (GID) 是 500 和 501 ,而且他们的家目录相配他们的使用者名称。
The next user gets UID and GID 502, and so on.
下一个使用者拿 UID 和 GID 502,等等。
Users can change their own passwords with the passwd command.
使用者能以 passwd 指令来取代他们自己的口令[字] 。
The root user can change the password of any user.
根使用者能改变任何使用者的口令[字] 。
For example, the passwd mj command allows the root user to change user mj's password.
举例来说, passwd mj 指令让根使用者改变使用者 mj 的口令[字] 。
umask
The way umask works in Red Hat Enterprise Linux may surprise you, especially if you're coming from a different Unix style environment.
方法 umask 在红帽企业 Linux 的作品可能使你吃惊,尤其如果你正在来自不同的 Unix 风格环境。
You cannot configure umask to automatically allow you to create new files with executable permissions.
你不能够配置 umask 自动地让你用可运行的许可产生新的文件。
This is a recent change that promotes security;
这是促进安全[性] 的一个最近的变化;
if fewer files have executable permissions, fewer files are available for a cracker to use to run programs to break through your system.
如果较少的文件有可运行的许可,较少的文件可用来一个破坏者使用进行程序突破你的系统。
On The Job In the world of Linux, a hacker is a good person who simply wants to create better software.
在 Linux 的全球的作业上,一个 [计算机]黑客是只是想要产生较好的软件的一个好人。
A cracker is someone who wants to break into your system for malicious purposes.
一个破坏者是想要为怀恶意的目的闯入你的系统的某人。
Every time you create a new file, the default permissions are based on the value of umask.
每一次,你产生一个新的文件,内定的许可以 umask 的数值为基础。
In the past, the value of umask cancelled out the value of numeric permissions on a file.
过去, umask 的数值取消了数字许可对一个文件的数值。
For example, if the value of umask is 000, the default permissions for any file created by that user are 777 - 000 = 777, which corresponds to read, write, and execute permissions for all users.
举例来说,如果 umask 的数值是 000 ,对于被那一个使用者建立的任何的文件内定的许可是 777- 000=777, 哪一个符合读,写, 而且运行所有的使用者的许可。
When you type the umask command, you get a four-number output such as 0245.
当你键入 umask 指令的时候, 你拿一四数目的输出如此的当做 0245.
As of this writing, the first number in the umask output is always 0 and is not used.
当做这写作, 在输出总是 0 而且没被用的 umask 中的第一个数目。
In the future, this first number may be usable to allow for new files that automatically include the SUID or SGID bits.
未来,这个第一个数目可能可使用考虑到自动地包括 SUID 或 SGID 位元的新的文件。
Also, no matter what the value of umask, new files in Red Hat Enterprise Linux can no longer be automatically created with executable permissions.
同时, 没有物质什么 umask 的数值, 在红帽企业 Linux 的新的文件能不再自动地与可运行的许可一起建立。
In other words, a umask of 0454 leads to identical permissions on new files as a umask of 0545.
换句话说, 0454 的 umask 当做 0545 umask 的对在新的文件上的同一的许可引线.
You need to use commands such as chmod to specifically set executable permissions on a file.
你需要使用指令如此的当做 chmod 到明确地在一个文件上设定可运行的许可。
SUID and SGID
Permissions can be a risky business.
许可可能是危险的生意。
But you need to give all users access to some programs.
但是你需要给所有的使用者对一些程序的存取。
To set full read, write, and execute permissions for all users on a Linux system can be dangerous.
设定充足的阅读,书写, 而且在一个 Linux 系统上运行所有的使用者的许可可能是危险的。
One alternative is setting the SUID and the SGID permission bits for a file.
一替代选择正在置位 SUID 和为一个文件 SGID 许可位元。
When active, these bits allow you to configure appropriate permissions on the subject file.
当活跃的时候,这些位元让你在服从的文件上配置适当的许可。
For example, one common practice is to set the SUID bit for the KPPP Internet Connection Utility so all users can use it to dial in to the Internet.
举例来说,一个常见的做法将设定 KPPP 因特网连接公用程式如此所有使用者的 SUID 位元能使用它拨在对因特网。
You can set the SUID bit on this utility with the following command:
你能设定 SUID 以下列的指令在这公用程式上咬:
# chmod u+s /usr/sbin/kppp
SGID permissions can be useful when you're setting up a special group of users who need to share files on a specific task or project.
当你正在需要在一个特定的任务上共享文件或者计画的特别一群使用者上面置位的时候, SGID 许可可能是有用的。
This process is discussed in more detail in Chapter 11.
这一程序在第 11 章更详细地被讨论。
Shadow Passwords
阴影口令[字]
When you look at the default /etc/passwd file, you should see an 'x' in the second column.
当你审查内定值的时候 /etc/passwd 文件, 你应该在第二个栏中见到 'x'。
Older versions of Linux had an encrypted version of user passwords in this column.
Linux 的较旧的版本在这一个栏中有一个使用者口令[字] 的密码化版本。
As /etc/passwd is accessible to all users, a cracker could copy this file and decrypt everyone's password on a Linux computer.
当做 /etc/passwd 是可接近的至所有的使用者, 一个破坏者可以拷贝这一个文件而且解密每个人口令[字] 在一部 Linux 计算机上。
This problem led to the development of the Shadow Password Suite.
这一个问题导致了影子口令[字] 程序组的发展。
Shadow Password Suite
阴影口令[字] 程序组
Historically, all that was needed to manage Linux users and groups was the information included in the /etc/passwd and /etc/group files.
在历史上, 所有的哪一被需要了处理 Linux 使用者和组是在那 /etc/passwd 中包含的信息和 /etc/group 文件。
These files included passwords and are by default readable by all users.
由所有使用者,这些文件包含了口令[字] 而且是预先设定地可读的。
The Shadow Password Suite was created to provide an additional layer of protection.
影子口令[字] 程序组被建立提供一个保护的另外层。
It is used to encrypt user and group passwords in shadow files (/etc/shadow and /etc/gshadow) that are readable only by users with root privileges.
它被用由使用者只有用根特权在可读的阴影文件 (/etc/shadow和 /etc/gshadow) 中编加密码使用者而且聚集口令[字] 。
The Shadow Password Suite is now enabled by default in Red Hat Enterprise Linux.
影子口令[字] 程序组现在在红帽企业 Linux 预先设定地被能够。
Standard commands for creating new users and groups automatically set up encrypted passwords in the Shadow Password Suite files.
自动地创造新的使用者和组的标准的指令在阴影口令[字] 程序组文件中建立密码化的口令[字] 。
These commands are described in more detail in Chapter 4.
这些指令在第 4 章更详细地被描述。
But if you're restoring a system, you may not have access to these special commands.
但是如果你正在修复一个系统,你可能没有对这些特别的指令存取。
The old way of creating new users and groups is by editing the /etc/passwd and /etc/group files directly.
创造新的使用者和组的旧方法是藉由编辑那 /etc/passwd 和 /etc/group 直接地的文件。
Four commands allow you to convert passwords to and from the /etc/shadow and /etc/gshadow files:
四个指令让你将口令[字] 转换成和从那 /etc/shadow和 /etc/gshadow 文件:
pwconv Converts passwords from /etc/passwd.
pwconv 转换口令[字] 从 /etc/passwd。
This command works even if some of the passwords are already encrypted in /etc/shadow.
这指令工作即使一些口令[字] 已经被编加密码在 /etc/shadow。
pwunconv Opposite of pwconv.
pwunconv pwconv 的相对事物。
grpconv Converts passwords from /etc/group.
grpconv 皈依者口令[字] 从 /etc/group。
This command works even if some of the passwords are already encrypted in /etc/gshadow.
这指令工作即使一些口令[字] 已经被编加密码在 /etc/gshadow。
grpunconv Opposite of grpconv.
grpunconv grpconv 的相对事物。
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/22330/showart_269244.html |
|
免费注册
发表于 2007-04-01 23:06