Plan summary

| No. | Issue | Method |
|---|---|---|
| 1 | Restrict root account login | Set the root account's login shell to nologin (the users user1 and user2 still have administrator privileges) |
| 2 | Rename the admin user | Rename user admin to xxx, with primary group users and supplementary group sudo |
| 3 | umask permission issue | Change 002 to 022 |
Steps

1. Restrict root account login
sudo vim /etc/passwd
root:x:0:0:root:/root:/bin/bash
Change it to root:x:0:0:root:/root:/usr/sbin/nologin
2. The admin user issue
admin is an administrator account. Even though I created admin as an ordinary user,
$ id admin
uid=1001(admin) gid=1001(admin) groups=1001(admin)
it nevertheless has sudo administrator rights without being added to the sudo group, because it belongs to the admin group.
The relevant configuration file shows the following:
sudo cat /etc/sudoers
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
This shows that when sudo is used, every user in the admin group has root privileges by default.
Looking it up: releases before Ubuntu 12.04 LTS granted sudo privileges through membership in the admin group; later releases use the sudo group, and the admin group is kept for compatibility.
Reference: What is the difference between the 'sudo' and 'admin' group?
3. umask
Some umask values:

| umask | file | directory | Notes |
|---|---|---|---|
| 0022 | 644 | 755 | required after remediation |
| 0027 | 640 | 750 | |
| 0002 | 664 | 775 | current value |
| 077 | 600 | 700 | |
| 277 | 400 | 500 | |

The system default umask for newly created users is 002, so new files are created with permissions 664 and new directories with 775. Customer requirement: umask must be 022, and no sensitive file may have permissions above 644.
"the following default ACL is equivalent to a umask of 022", i.e. the default ACL standard is also 022, namely u::rwx,g::r-x,o::r-x
Reference: Ubuntu Manus-18.04LTS-Umask
Principle

| umask | file | directory | Notes |
|---|---|---|---|
| - | 666 | 777 | Permissions are obtained by subtracting the umask from the corresponding maximum (777 for directories, 666 for files) |
| 0022 | 644 | 755 | 666-022=644, 777-022=755 |
| 0002 | 664 | 775 | 666-002=664, 777-002=775 |
Method 1: change the current user's umask to 022
$ umask
0002
$ umask 022
$ umask
0022
After logging in again or switching users, the umask is reset to the default…
$ umask
0002
So we have to change it through the configuration file.
Method 2: edit the configuration file
cat /etc/login.defs
The relevant content is as follows:
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 022
#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
USERGROUPS_ENAB yes
When USERGROUPS_ENAB is set to yes, the UMASK value 022 is modified to 002. First, what USERGROUPS_ENAB yes does:
USERGROUPS_ENAB yes makes useradd automatically create a group with the same name as the user when the user is created, and makes userdel delete the corresponding group when the user is deleted.
I set USERGROUPS_ENAB no to disable this feature. Users created by useradd are then automatically added to users (gid 100), and after logging in again every user's umask is set to 022. In other words, UMASK 022 only takes effect once USERGROUPS_ENAB is disabled.
$ id
uid=1010(abc) gid=100(users) groups=100(users)
$ umask
0022
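The permission table in the Principle section and the USERGROUPS_ENAB rule from login.defs, reproduced as an added shell example (not part of the original notes). It goes slightly beyond the table: the kernel applies the umask bitwise (mode AND NOT umask), which gives the same results as the "666 minus umask" arithmetic above for the listed values, and the same function shows why a private user group (uid equal to gid, user name equal to group name) turns UMASK 022 into an effective 002. The uid/gid/name arguments are constructed sample values.

```shell
#!/bin/sh
# Added example: umask arithmetic from the notes, done the way the kernel does it.

# mode_from_umask BASE UMASK -> resulting octal mode.
# BASE is the maximum the notes use: 666 for files, 777 for directories.
mode_from_umask() {
    base=$((0$1))                 # leading 0 forces octal parsing
    mask=$((0$2))
    printf '%o\n' $(( base & ~mask ))   # bitwise, not arithmetic subtraction
}

# effective_umask UMASK USERGROUPS_ENAB UID GID USERNAME GROUPNAME
# Reproduces the login.defs comment: for non-root users whose uid equals gid
# and whose user name equals the primary group name, the group bits are set
# to the owner bits (022 -> 002, 077 -> 007) when USERGROUPS_ENAB is yes.
effective_umask() {
    mask=$((0$1))
    if [ "$2" = yes ] && [ "$3" -ne 0 ] && [ "$3" -eq "$4" ] && [ "$5" = "$6" ]; then
        # clear the group digit, then copy the owner digit into it
        mask=$(( (mask & ~0070) | ((mask & 0700) >> 3) ))
    fi
    printf '%03o\n' "$mask"
}

# Rebuild the umask table from the notes (constructed demo values).
for m in 022 027 002 077 277; do
    printf 'umask %s: file %s  directory %s\n' \
        "$m" "$(mode_from_umask 666 "$m")" "$(mode_from_umask 777 "$m")"
done

# The two situations observed in the notes (constructed uid/gid/name values):
effective_umask 022 yes 1001 1001 admin admin   # private group "admin": prints 002
effective_umask 022 no  1010 100  abc   users   # member of users (gid 100): prints 022
```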