► userdel — This command completely removes a user's account (thereby eliminating that user's home directory and all files it contains).
► passwd — This command updates the authentication tokens used by the password management system.
TIP
To lock a user out of his account, use the following command:
# passwd -l username
This prepends a double ! (exclamation point, also called a bang) to the user's encrypted password; the command to reverse the process uses the -u option. This is a more elegant and preferred solution to the problem than the traditional UNIX way of manually editing the file.
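The lock that passwd -l applies is visible in the second field of /etc/shadow. The following added example (not from the book) classifies accounts from shadow-format lines so an administrator can audit which accounts are locked, disabled, or passwordless; the sample lines are constructed, not a real shadow file.

```shell
#!/bin/sh
# Added example (not from the book): audit account lock state from
# /etc/shadow-format lines. A "!" prefix on the password field is what
# passwd -l puts there ("!!" on Fedora). The data below is constructed so
# the script runs without root access; on a real system you would read
# /etc/shadow as root instead.

# Constructed sample in shadow format: name:password:lastchg:min:max:warn:::
SAMPLE_SHADOW='root:$6$constructedhash$abc:17400:0:99999:7:::
alice:!!$6$constructedhash$def:17400:0:99999:7:::
bob:!$1$constructedhash$ghi:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
guest::17400:0:99999:7:::'

# shadow_status SHADOWLINE -> prints one word:
#   locked    password field starts with "!" (e.g. after passwd -l)
#   disabled  password field is "*" (no hash can ever match)
#   empty     password field is blank (no password set at all)
#   active    a normal hash is present
shadow_status() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '!'*) echo locked ;;
        '*')  echo disabled ;;
        '')   echo empty ;;
        *)    echo active ;;
    esac
}

# unlocked_accounts: reads shadow-format lines on stdin and prints
# "user status" for every account that can still authenticate (i.e. is
# neither locked nor disabled), which is the list worth reviewing.
unlocked_accounts() {
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        status=$(shadow_status "$line")
        case $status in
            locked|disabled) ;;
            *) printf '%s %s\n' "${line%%:*}" "$status" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_SHADOW" | unlocked_accounts
```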
► usermod — This command changes several user attributes. The most commonly used arguments are -s to change the shell and -u to change the UID. No changes can be made while the user is logged in or running a process.
► chsh — This command changes the user's default shell. For Fedora, the default shell is /bin/bash, known as the Bash, or Bourne Again Shell.
Monitoring User Activity on the System
Monitoring user activity is part of the sysadmin's duties and an essential task in tracking how system resources are being used. The w command tells the sysadmin who is logged in, where he is logged in, and what he is doing. No one is able to hide from the super user. The w command can be followed by a specific user's name to show only that user.
The ac command provides information about the total connect time of a user measured in hours. It accesses the /var/log/wtmp file for the source of its information. The ac command is most useful in shell scripts to generate reports on operating system usage for management review.
TIP
Interestingly, a phenomenon known as timewarp can occur in which an entry in the wtmp files jumps back into the past and ac shows unusual amounts of connected time for users. Although this can be attributed to some innocuous factors having to do with the system clock, it is worthy of investigation by the sysadmin because it can also be the result of a security breach.
The last command searches through the /var/log/wtmp file and lists all the users logged in and out since that file was first created. The user reboot exists so that you might know who has logged in since the last reboot. A companion to last is the command lastb, which shows all failed, or bad, logins. It is useful for determining whether a legitimate user is having trouble or a hacker is attempting access.
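As an added example (not from the book), the following script summarises lastb output so that accounts with repeated failed logins stand out, together with the hosts the attempts came from. The sample output is constructed in the column layout lastb prints (user, tty, host, timestamps, then a trailing "btmp begins" line) and is not real log data.

```shell
#!/bin/sh
# Added example (not from the book): summarise failed logins from lastb
# output. On a real system you would pipe `lastb` into failed_login_summary;
# here a constructed sample stands in for it so the script runs offline.
SAMPLE_LASTB='root     ssh:notty    192.0.2.10       Tue Oct 23 18:50 - 18:50  (00:00)
root     ssh:notty    192.0.2.10       Tue Oct 23 18:51 - 18:51  (00:00)
andrew   tty1                          Tue Oct 23 18:52 - 18:52  (00:00)
root     ssh:notty    192.0.2.10       Tue Oct 23 18:53 - 18:53  (00:00)
admin    ssh:notty    198.51.100.7     Tue Oct 23 18:54 - 18:54  (00:00)

btmp begins Tue Oct 23 00:00:01 2007'

# failed_login_summary THRESHOLD
# Reads lastb output on stdin and prints "count user hosts" for every user
# whose failed-login count reached THRESHOLD (default 3), highest count
# first. Blank lines and the "btmp begins" footer are skipped.
failed_login_summary() {
    threshold=${1:-3}
    awk -v thr="$threshold" '
        NF == 0 || $1 == "btmp" { next }
        {
            # A console login has no host column, so the third field is the
            # weekday of the timestamp; report those attempts as "local".
            host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            count[$1]++
            if (!seen[$1, host]++)
                hosts[$1] = (hosts[$1] == "" ? host : (hosts[$1] "," host))
        }
        END {
            for (u in count)
                if (count[u] >= thr) print count[u], u, hosts[u]
        }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LASTB" | failed_login_summary 3
```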
NOTE
The accounting system on your computer keeps track of user usage statistics and is kept in the current /var/log/wtmp file. That file is managed by the init and login processes. If you want to explore the depths of the accounting system, use the GNU info system: info accounting.
Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on ownership. These permissions form the basis for security under Linux, and designate each file's read, write, and execute permission for you, members of your group, and all others on the system.
You can examine the default permissions for a file you create by using the umask command, or as a practical example, by using the touch command and then the ls command's long-format listing, like this:
$ touch file
$ ls -l file
-rw-rw-r-- 1 andrew andrew 0 2007-10-23 18:50 file
In this example, the touch command is used to quickly create a file. The ls command then reports on the file, displaying information (from left to right) in the first field of output (such as -rw-rw-r-- previously):
► The first character of the field is the type of file created— The common indicator of the type of file is a leading letter in the output. A blank (which is represented by a dash in the preceding example) designates a plain file, d designates a directory, c designates a character device (such as /dev/ttyS0), and b is used for a block device (such as /dev/hda).
► Permissions— Read, write, and execute permissions for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)
► Number of links to the file— The number one (1) designates that there is only one file, whereas any other number indicates that there might be one or more hard-linked files. Links are created with the ln command. A hard-linked file is an exact copy of the file, but it might be located elsewhere on the system. Symbolic links of directories can also be created, but only the root operator can create a hard link of a directory.
► The owner— The account that created or owns the file; you can change this designation by using the chown command.
► The group— The group of users allowed to access the file; you can change this designation by using the chgrp command.
► File size and creation/modification date— The last two elements indicate the size of the file in bytes and the date the file was created or last modified.
Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, like so:
Owner Group Others
rwx rwx rwx
Permissions can be indicated by mnemonic or octal characters. You can use the following mnemonic characters:
► r indicates permission for an owner, member of the owner's group, or others to open and read the file.
► w indicates permission for an owner, member of the owner's group, or others to open and write to the file.
► x indicates permission for an owner, member of the owner's group, or others to execute the file (or read a directory).
In the previous example for the file named file, the owner, andrew, has read and write permission, as does any member of the group named andrew. All other users may only read the file. Also note that default permissions for files created by the root operator will differ! This happens because of umask settings assigned by the shell.
Many users prefer to represent permissions with numeric codes, based on octal (base 8) values. Here's what these values mean:
► 4 indicates read permission.
► 2 indicates write permission.
► 1 indicates execute permission.
In octal notation, the previous example file has a permission setting of 664 (read + write or 4 + 2, read + write or 4 + 2, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly after you visualize and understand how permissions are numbered.
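The following added example (not from the book) implements the conversion between the two notations just described in both directions, so a mode string from ls -l can be checked against its octal value and an octal mode can be expanded before it is handed to chmod.

```shell
#!/bin/sh
# Added example (not from the book): convert the mnemonic permission string
# shown by ls -l (e.g. -rw-rw-r--) to octal (664) and back. A leading
# file-type character, if present, is ignored.

# mode_to_octal MODESTRING -> prints three octal digits (e.g. 664)
mode_to_octal() {
    m=$1
    # A 10-character ls -l field starts with the file type; drop it.
    if [ ${#m} -eq 10 ]; then m=${m#?}; fi
    if [ ${#m} -ne 9 ]; then
        echo "mode_to_octal: expected 9 permission characters, got '$1'" >&2
        return 1
    fi
    result=""
    for pos in 1 4 7; do                     # owner, group, others triplets
        triplet=$(printf '%s' "$m" | cut -c"$pos-$((pos + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac      # read    = 4
        case $triplet in ?w?) n=$((n + 2)) ;; esac      # write   = 2
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac  # execute = 1 (s/t: set-id or sticky bit with execute)
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# octal_to_mode OCTAL -> prints the nine-character rwx string (e.g. rw-rw-r--)
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: expected three octal digits, got '$o'" >&2; return 1 ;;
    esac
    result=""
    for pos in 1 2 3; do
        d=$(printf '%s' "$o" | cut -c"$pos")
        if [ $((d & 4)) -ne 0 ]; then result="${result}r"; else result="${result}-"; fi
        if [ $((d & 2)) -ne 0 ]; then result="${result}w"; else result="${result}-"; fi
        if [ $((d & 1)) -ne 0 ]; then result="${result}x"; else result="${result}-"; fi
    done
    printf '%s\n' "$result"
}

mode_to_octal -rw-rw-r--   # the file from the ls -l listing above: 664
octal_to_mode 755
```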
NOTE
In Linux, you can create groups to assign a number of users access to common directories and files based on permissions. You might assign everyone in accounting to a group named accounting, for example, and allow that group access to accounts payable files while disallowing access by other departments. Defined groups are maintained by the root operator, but you can use the newgrp command to temporarily join other groups to access files (as long as the root operator has added you to the other groups). You can also allow or deny access to your files by other groups by modifying the group permissions of your files.