[Main text]
2023-10

Users and files
  From POST to sh

Authentication and authorization (認證、授權)
• PAM: Pluggable Authentication Modules
• SUID
• Permission
• setuid etc.

Authentication (認證 / 鑒別): who is who
Authorization (授權): what a user is allowed to do
• Means of authentication: based on information such as a password, token, card, fingerprint or voice
• Method of authorization: access control matrix (ACL/ACM)

Traditional AA: every application manages it on its own
PAM: a standard library
PAM in Linux
• PAM was first proposed by Sun Microsystems in an Open Software Foundation Request for Comments (RFC) dated October 1995. It was adopted as the authentication framework of the Common Desktop Environment.
• As a standalone infrastructure, PAM first appeared from an open-source Linux-PAM development in Red Hat Linux in August 1996.
• PAM is currently supported in the AIX operating system, DragonFly BSD, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris.
• PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.

Before PAM, every application required its own security and authentication mechanism: each program had to answer the question "is this user authorized to use me?" by itself.

• PAM is used, for example, to dynamically link system binaries. (Dynamic linking does necessitate a recovery mechanism to address potential problems in the linker or in shared libraries. One way of implementing a recovery mechanism is to supply a /rescue directory that contains statically linked versions of important system binaries. This method is used in both NetBSD and FreeBSD.)

The four parts of PAM:
• The first part is libpam, the library that implements the PAM API.
• The second part is the PAM configuration files, under /etc/.
• The third part is a set of dynamically loadable binary objects (modules), which are called to do the actual authentication work.
• The last part is the system commands that use the PAM API, such as login, su, ftp, telnet etc.

The PAM API:
• #include <security/…>
• #include <security/…>
• int pam_start(...);
• int pam_end(...);
• const char *pam_strerror(...);
• pam_set_item(), pam_get_item(), pam_authenticate(), pam_chauthtok(), …

Authorization in Linux is based on file permissions.
• Exception: root is allowed to do everything.
• Once logged in, users cannot change their identity, except through a SUID program,
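The following Python model is an added example, not code from the slides, and it simulates in user space the authorization rule the last slide states: the kernel picks exactly one permission class for a process (owner, else group, else other), root bypasses read and write checks but still needs an execute bit to run a regular file, and executing a SUID file switches the effective uid to the file owner. The inodes (a shadow-like file, a passwd-like SUID binary, a plain binary, a data file) and the processes are constructed sample values, not taken from a real system.

```python
"""Simplified Linux file-permission check and SUID identity switch (constructed example)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Owner, group and full st_mode bits of a file (constructed, not read from disk)."""
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class Process:
    """Credentials of the process asking for access."""
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups


RWX = {"r": 4, "w": 2, "x": 1}


def permission_class(proc: Process, ino: Inode) -> int:
    """Return the single rwx triplet that applies to proc: owner, else group, else other.

    Note the classes are not merged: an owner with mode 0o070 is denied even if the
    group triplet would allow access.
    """
    if proc.euid == ino.uid:
        return (ino.mode >> 6) & 7
    if proc.egid == ino.gid or ino.gid in proc.groups:
        return (ino.mode >> 3) & 7
    return ino.mode & 7


def may_access(proc: Process, ino: Inode, want: str) -> bool:
    """True if proc may perform want ('r', 'w' or 'x') on ino."""
    bit = RWX[want]
    if proc.euid == 0:
        # root is allowed to do everything for read/write; for execute the kernel
        # still requires at least one x bit on a regular file
        if want != "x":
            return True
        return bool(ino.mode & 0o111)
    return bool(permission_class(proc, ino) & bit)


def euid_after_exec(proc: Process, ino: Inode) -> int:
    """Effective uid the process gets after exec of ino: the file owner if SUID is set."""
    if not may_access(proc, ino, "x"):
        raise PermissionError("execute denied")
    if ino.mode & stat.S_ISUID:
        return ino.uid
    return proc.euid


# Constructed sample inodes and processes (gid 42 stands in for a 'shadow' group).
SHADOW = Inode(uid=0, gid=42, mode=stat.S_IFREG | 0o640)
PASSWD = Inode(uid=0, gid=0, mode=stat.S_IFREG | stat.S_ISUID | 0o755)
LS = Inode(uid=0, gid=0, mode=stat.S_IFREG | 0o755)
DATA = Inode(uid=0, gid=0, mode=stat.S_IFREG | 0o644)
OWNER_LOCKED = Inode(uid=1000, gid=1000, mode=stat.S_IFREG | 0o070)

ROOT = Process(euid=0, egid=0)
ALICE = Process(euid=1000, egid=1000, groups=frozenset({1000}))
SHADOW_READER = Process(euid=1001, egid=1001, groups=frozenset({1001, 42}))


def demo() -> dict:
    """Collect the decisions for the sample cases so they can be inspected or asserted on."""
    return {
        "alice_reads_shadow": may_access(ALICE, SHADOW, "r"),
        "root_reads_shadow": may_access(ROOT, SHADOW, "r"),
        "group_member_reads_shadow": may_access(SHADOW_READER, SHADOW, "r"),
        "group_member_writes_shadow": may_access(SHADOW_READER, SHADOW, "w"),
        "root_execs_data_file": may_access(ROOT, DATA, "x"),
        "alice_euid_after_passwd": euid_after_exec(ALICE, PASSWD),
        "alice_euid_after_ls": euid_after_exec(ALICE, LS),
        "owner_reads_owner_locked": may_access(ALICE, OWNER_LOCKED, "r"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the one practitioners most often get wrong: because the owner class is selected first, the file's owner is denied even though the group triplet grants rwx, which is why a SUID program, not a permission trick, is the only way an ordinary user's effective identity changes after login.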