Part of this content is reposted from here

1 cron.allow,cron.deny

If the cron.allow file exists, then you must be listed therein in order to be allowed to use this command. If the cron.allow file does not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command. If neither of these files exists, only the super user will be allowed to use this command.

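The passage above is quoted from man crontab. If cron.allow exists, the users listed in it may use the crontab command. If cron.allow does not exist but cron.deny does, the users listed in cron.deny may not use the crontab command. If neither file exists, only the superuser may use the command.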

When Red Hat is installed, an empty cron.deny file exists by default, so ordinary users can use crontab as well.

2 at.allow,at.deny

The superuser may use these commands in any case. For other users, permission to use at is determined by the files
/etc/at.allow and /etc/at.deny.

If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at.

If /etc/at.allow does not exist, /etc/at.deny is checked, every username not mentioned in it is then allowed to use at.

If neither exists, only the superuser is allowed use of at.

An empty /etc/at.deny means that every user is allowed use these commands, this is the default configuration.

This works much like the previous one. By default there is also an empty at.deny file, which allows all users to use at.
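The allow/deny rule quoted in sections 1 and 2, written out as a shell check. This is an added example, not part of the original post and not the code cron or at use. The function names and the /etc/cron.allow and /etc/cron.deny paths are assumptions of the example; the /etc/at.* paths come from the text above.

```shell
#!/bin/sh
# Added example: decide whether USER may use crontab/at under the rule above.
# sched_allowed USER ALLOW_FILE DENY_FILE -> exit 0 = allowed, 1 = denied
sched_allowed() {
    user=$1 allow=$2 deny=$3
    # The at text says the superuser may use the commands in any case;
    # applying the same to crontab is an assumption of this example.
    if [ "$user" = "root" ]; then return 0; fi
    if [ -e "$allow" ]; then
        # allow file exists: the user must be listed (whole-line, literal
        # match, so "al" does not match "alice"); the deny file is ignored.
        if grep -qxF -- "$user" "$allow"; then return 0; else return 1; fi
    fi
    if [ -e "$deny" ]; then
        # only the deny file exists: the user must NOT be listed.
        # An empty deny file therefore allows everyone.
        if grep -qxF -- "$user" "$deny"; then return 1; else return 0; fi
    fi
    # neither file exists: superuser only
    return 1
}

# report USER [ETC_DIR]: print the verdict for both schedulers.
# ETC_DIR defaults to /etc; pass another directory to audit a mounted image.
report() {
    user=$1 etc=${2:-/etc}
    for svc in cron at; do
        if sched_allowed "$user" "$etc/$svc.allow" "$etc/$svc.deny"; then
            echo "$svc: $user allowed"
        else
            echo "$svc: $user denied"
        fi
    done
}

# Run as: sh check.sh USER [ETC_DIR]
if [ $# -gt 0 ]; then report "$@"; fi
```
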

3 /etc/security/access.conf

# Login access control table.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.

The login access control table. It can control things such as the IP addresses and ttys from which logins are allowed.

# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL

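For example, you can allow only certain users to log in locally. It is recommended to configure the root user so that it cannot log in locally.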

4 /etc/securetty

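This file controls the devices from which root may log in. It lists the device names on which root login is allowed, such as tty1 and tty2. A user cannot log in as root from a device that is not listed in the file; in that case the user can only log in as an ordinary user and then switch to root with the su command. The format of /etc/securetty is as follows: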

# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
console
# for people with serial port consoles
ttyS0
# for devfs
tts/0
# Standard consoles
tty1
tty2
tty3
...

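If /etc/securetty is an empty file, root cannot log in from any device; the only way in is to log in as an ordinary user and then use su to become root. If /etc/securetty does not exist, root can log in from anywhere. That creates a security problem, so /etc/securetty must always exist on the system.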

5 /etc/login.defs


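login.defs is the file that sets limits on user accounts; here we can configure the maximum number of days before a password expires, the maximum password length, and similar constraints. The settings in this file do not apply to the root user. If /etc/shadow contains the same option, the setting in /etc/shadow wins; in other words, /etc/shadow takes precedence over /etc/login.defs. The following is an excerpt from the file: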

...
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password change.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
...
#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# If using MD5 in your PAM configuration, set this higher.
#
PASS_MAX_LEN 8
...

6 /etc/pam.d/su


PAM is used here to restrict the su command. For example, you can specify which groups and which users are allowed to use it.


#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so group=admin