219 lines
4.2 KiB
HTML
219 lines
4.2 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Access control</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux System Administrators Guide"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Logging In And Out"
|
|
HREF="log-in-and-out.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="X and xdm"
|
|
HREF="x-xdm.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Shell startup"
|
|
HREF="shell-startup.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux System Administrators Guide: </TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="x-xdm.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 10. Logging In And Out</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="shell-startup.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="ACCESS-CONTROL"
|
|
></A
|
|
>10.5. Access control</H1
|
|
><P
|
|
> The user database is traditionally contained in the
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/passwd</TT
|
|
> file. Some systems use
|
|
<I
|
|
CLASS="GLOSSTERM"
|
|
>shadow passwords</I
|
|
>, and have moved the
|
|
passwords to <B
|
|
CLASS="COMMAND"
|
|
>/etc/shadow</B
|
|
>. Sites with many
|
|
computers that share the accounts use NIS or some other method
|
|
to store the user database; they might also automatically copy
|
|
the database from one central location to all other computers.
|
|
</P
|
|
><P
|
|
> The user database contains not only the passwords, but
|
|
also some additional information about the users, such as their
|
|
real names, home directories, and login shells. This other
|
|
information needs to be public, so that anyone can read it.
|
|
Therefore the password is stored encrypted. This does have
|
|
the drawback that anyone with access to the encrypted password
|
|
can use various cryptographic methods to guess it, without
|
|
trying to actually log into the computer. Shadow passwords try
|
|
to avoid this by moving the password into another file, which
|
|
only root can read (the password is still stored encrypted).
|
|
However, installing shadow passwords later onto a system that
|
|
did not support them can be difficult. </P
|
|
><P
|
|
> With or without passwords, it is important to make
|
|
sure that all passwords in a system are good, i.e., not easily
|
|
guessed. The <B
|
|
CLASS="COMMAND"
|
|
>crack</B
|
|
> program can be used
|
|
to crack passwords; any password it can find is by definition
|
|
not a good one. While <B
|
|
CLASS="COMMAND"
|
|
>crack</B
|
|
> can be run
|
|
by intruders, it can also be run by the system administrator
|
|
to avoid bad passwords. Good passwords can also be enforced
|
|
by the <B
|
|
CLASS="COMMAND"
|
|
>passwd</B
|
|
> program; this is in fact more
|
|
effective in CPU cycles, since cracking passwords requires quite
|
|
a lot of computation. </P
|
|
><P
|
|
> The user group database is kept in
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/group</TT
|
|
>; for systems with shadow
|
|
passwords, there can be a <TT
|
|
CLASS="FILENAME"
|
|
>/etc/shadow.group</TT
|
|
>.
|
|
</P
|
|
><P
|
|
> root usually can't login via most terminals
|
|
or the network, only via terminals listed in the
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/securetty</TT
|
|
> file. This makes it necessary
|
|
to get physical access to one of these terminals. It is, however,
|
|
possible to log in via any terminal as any other user, and use
|
|
the <B
|
|
CLASS="COMMAND"
|
|
>su</B
|
|
> command to become root. </P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="x-xdm.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="shell-startup.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>X and xdm</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="log-in-and-out.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Shell startup</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |