[Linux] User and permission management

Linux users and privileges - reprinted from: https://www.cnblogs.com/fengdejiyixx/p/10773731.html

Managing many users on a Linux system one by one is tedious, so the concept of a group is used to make users easier to manage: every user belongs to a group, and a group can contain zero or more users.

Linux identifies a user by a numeric user ID (UID), by default a 32-bit value. Numbering starts at zero; for compatibility with older systems, /etc/login.defs caps ordinary UIDs at 60000 by default (UID_MAX). Linux users fall into three classes:

- the root user (UID 0)
- system users (UID 1-499 on older distributions; current Debian, Ubuntu and RHEL-family releases reserve UIDs 1-999)
- ordinary users (UID 500 and above on older distributions; 1000 and above on current ones, see UID_MIN in /etc/login.defs)

Every file or directory in Linux has an owning user and an owning group. The id command shows the current user's UID, GID and group memberships, and the passwd command changes the current user's password. Users of a Linux system have the following characteristics:

- every user has a UID; the operating system works with the UID, not the user name, so two accounts with the same UID are the same identity to the kernel no matter what they are called;
- every user belongs to one primary group and to zero or more supplementary groups; older systems limited a user to 31 supplementary groups, current Linux kernels allow up to 65536 (NGROUPS_MAX);
- every group has a group ID (GID);
- every process runs as a user, and the process holds exactly that user's rights over system resources;
- every user can be assigned a login shell.

  Linux User Management

Linux users carry out the day-to-day administration and maintenance of the operating system; the related configuration files are:

- /etc/passwd: user account information (name, UID, primary GID, GECOS, home directory, login shell); world-readable
- /etc/shadow: password hashes and password aging information; readable only by root (on some distributions also by the shadow group)
- /etc/group: group information
- /etc/login.defs: account defaults and restrictions: UID/GID ranges (UID_MIN, UID_MAX), password aging (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE), whether useradd creates home directories (CREATE_HOME)
- /etc/default/useradd: the defaults that useradd -D displays or changes

A new user is created with the useradd command. Running useradd test1 creates the user test1 and, by default, a group with the same name, which becomes test1's primary group.

useradd test1 carries out the following steps:

- adds an entry for test1 to /etc/passwd;
- leaves the password field in /etc/shadow locked (! or !!, so no password login is possible) until a password is set with passwd test1, which stores the hash there;
- creates the home directory /home/test1 (by default on Red Hat-family systems; on Debian/Ubuntu only with -m, or with CREATE_HOME yes in /etc/login.defs);
- copies the skeleton files from /etc/skel, the dotfiles such as .bashrc and .profile, into /home/test1;
- creates a group test1 with the same name as the user, which becomes test1's primary group;
- records the test1 group in /etc/group.
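As an added example (not part of the original post), here is a POSIX shell audit of the two files the steps above write to. The passwd and shadow paths are parameters so it can run against copies; the UID_MIN boundary of 500 follows the text (set UID_MIN=1000 for a current distribution), and the sample data it was checked against is constructed. It flags the conditions an attacker leaves behind or a careless administrator creates: a second UID 0 account, a system account with a login shell, an empty password field, and a passwd entry with no shadow record.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd/shadow pair
# for the conditions a reviewer looks for after accounts have been created.
# PASSWD/SHADOW paths are parameters; UID_MIN defaults to 500 as in the
# text (use UID_MIN=1000 on current distributions).

# Classify a UID into the three classes the text describes.
uid_class() {
    uid=$1
    min=${UID_MIN:-500}
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ "$uid" -lt "$min" ]; then
        echo system
    else
        echo ordinary
    fi
}

# Print one finding per line for passwd file $1 and shadow file $2:
#   UID0 name            an account other than root with UID 0 (a second root)
#   SHELLUSER name shell a system account with an interactive login shell
#   NOPASS name          empty password field in shadow (login without a password)
#   NOSHADOW name        passwd entry that has no shadow entry at all
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ -z "$name" ]; then
            continue
        fi
        case $(uid_class "$uid") in
            root)
                if [ "$name" != root ]; then
                    echo "UID0 $name"
                fi
                ;;
            system)
                case $shell in
                    */nologin|*/false|"") ;;
                    *) echo "SHELLUSER $name $shell" ;;
                esac
                ;;
        esac
        # Second field of the matching shadow line; "<none>" if there is none.
        hash=$(awk -F: -v u="$name" \
            '$1 == u { print $2; found = 1; exit } END { if (!found) print "<none>" }' \
            "$shadow_file")
        if [ "$hash" = "<none>" ]; then
            echo "NOSHADOW $name"
        elif [ -z "$hash" ]; then
            echo "NOPASS $name"
        fi
    done < "$passwd_file"
}

# On a live system (root is needed to read /etc/shadow):
#   audit_accounts /etc/passwd /etc/shadow
```

The UID 0 check is the important one: because the kernel only knows UIDs, an entry such as toor:x:0:0:... is root under another name, and a locked root account gives no protection if such an entry has an empty or known password.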

useradd accepts the following options:

Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory under which the new account's home directory is created
  -c, --comment COMMENT         GECOS (comment) field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                display or change the useradd defaults (/etc/default/useradd)
  -e, --expiredate EXPIRE_DATE  expiration date of the new account, in YYYY-MM-DD form
  -f, --inactive INACTIVE       number of days after a password expires until the account is disabled
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           comma-separated list of supplementary groups of the new account
  -h, --help                    display this help and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory instead of /etc/skel
  -K, --key KEY=VALUE           override a default from /etc/login.defs
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow creating a user with a duplicate (non-unique) UID
  -p, --password PASSWORD       already-hashed password of the new account; the argument is visible in the process list and shell history, so it is better to set the password afterwards with passwd or chpasswd
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use the specified SEUSER for the SELinux user mapping

Linux Group Management

Whether on Windows or Linux, groups make users easier to manage, and the idea maps onto every line of business: a company classifies its staff by department, function or region, and a Linux system can be managed the same way by putting its users into groups.

Linux groups have the following characteristics:

- every group has a group ID (GID);
- group information is stored in /etc/group;
- every user has exactly one primary group and may belong to any number of supplementary groups (older systems limited this to 31).

Groups are managed with the groupadd, groupmod and groupdel commands; their options are as follows:

groupadd usage
  -f, --force               exit successfully if the group already exists, and ignore -g if the requested GID is already in use
  -g, --gid GID             use GID for the new group
  -h, --help                display this help and exit
  -K, --key KEY=VALUE       override a default from /etc/login.defs
  -o, --non-unique          allow creating a group with a duplicate (non-unique) GID
  -p, --password PASSWORD   use this already-hashed password for the new group
  -r, --system              create a system group

groupmod usage
  -g, --gid GID             change the group ID to GID
  -h, --help                display this help and exit
  -n, --new-name NEW_GROUP  rename the group to NEW_GROUP
  -o, --non-unique          allow a duplicate (non-unique) GID
  -p, --password PASSWORD   change the group password to the already-hashed PASSWORD

groupdel usage
  groupdel admin            delete the group admin (groupdel refuses to remove a group that is still the primary group of some user)
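Added example, not from the original post: listing the users who can escalate privileges through their group memberships. The list of privileged group names is an assumption for the example (root, wheel, sudo, admin, docker, disk, shadow; adjust it to the distribution), and the function reads both the group file and the passwd file, because a user whose primary GID is the sudo group's GID never appears in /etc/group at all. The sample data used to check it is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: who can escalate through
# group membership? The group list is an assumption for this example:
# wheel/sudo/admin grant sudo, docker is root-equivalent, disk can read
# raw block devices, shadow can read password hashes.
PRIV_GROUPS="root wheel sudo admin docker disk shadow"

# Print "group user" for every user in a privileged group, whether listed
# as a supplementary member (4th field of group file $1) or carrying the
# group as primary GID in passwd file $2. Grepping /etc/group alone misses
# the second case, which is how a "hidden" sudo member is created.
privileged_members() {
    group_file=$1
    passwd_file=$2
    for g in $PRIV_GROUPS; do
        line=$(grep "^$g:" "$group_file") || continue   # group not defined here
        gid=$(printf '%s\n' "$line" | cut -d: -f3)
        members=$(printf '%s\n' "$line" | cut -d: -f4 | tr ',' ' ')
        for m in $members; do
            echo "$g $m"
        done
        awk -F: -v g="$g" -v gid="$gid" '$4 == gid { print g, $1 }' "$passwd_file"
    done | sort -u
}

# On a live system:
#   privileged_members /etc/group /etc/passwd
```

Compare the output with the list of people who are supposed to hold those rights; membership in docker or disk in particular is often granted for convenience without anyone treating it as the root access it is.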

 

Linux Permission Management

 

Linux uses a permission mechanism to limit access to resources; permissions are divided into read, write and execute. Every file and directory carries its own permissions and an owning user and group, and through this mechanism the system decides which users and which groups may perform which operations on a given file.

Every Linux process runs as a user and holds exactly that user's permissions: the more powerful the user, the more powerful the process. This is why a service should run under a dedicated low-privilege account rather than as root.

Every Linux file and directory carries at least the three basic permissions; their meaning is shown in Table 5-1:

Permission    Effect on a file                        Effect on a directory
r (read)      the file's contents can be read         the directory's entries can be listed
w (write)     the file's contents can be modified     entries can be created, renamed and deleted in the directory (only together with x)
x (execute)   the file can be run as a program        the directory can be entered and the files in it accessed

Table 5-1 Linux basic permissions

A directory must carry x permission, otherwise its contents cannot be accessed: without x, r lets you list the names but not open or stat anything inside. Note also that creating or deleting a file is governed by w (and x) on the directory, not by the permissions of the file itself.

Linux grants permissions to three roles by default: user, group and other. The roles relate to users as follows:

- u stands for User (the owner), g for Group (the owning group), o for Other (everyone else);
- every file carries a permission set for each of u, g and o;
- each set consists of three permissions (rwx), so authorising a file means setting the three sets for the three roles;
- every file has exactly one owner and one owning group, which correspond to u and g; users who are neither the owner nor members of the owning group are covered by o.

In a Linux system the detailed attributes of the peter.net directory can be viewed with ls -l, as shown in Figure 5-1:

drwxrwxr-x   2 peter1 peter1 4096 Dec 10 01:36 peter.net

The fields of the peter.net entry are:

- d means a directory; a - in the same position means a regular file (other values include l for a symbolic link, c and b for character and block devices, s for a socket and p for a named pipe);
- rwxrwxr-x is the permission string for the three roles, three characters each, in the order u, g, o: the owner has rwx, the group has rwx, others have r-x;
- 2 is the link count; for a directory it equals 2 plus the number of subdirectories (the entry itself, its own . and every child's ..), so 2 means the directory has no subdirectories;
- from left to right, the first peter1 is the owner and the second peter1 is the owning group; the other role has no name and is not displayed;
- 4096 is the size in bytes of the directory entry itself (one block), not of its contents;
- Dec 10 01:36 is the last modification time (mtime) of the directory;
- peter.net is the name of the directory or file.


chmod: symbolic permissions

Permissions of a file or directory are changed with the chmod command. In its symbolic form the roles are named with u, g and o (or a for all three) and combined with an operator: + adds the listed permissions, - removes them, and = sets them to exactly the listed ones. Examples (-R applies the change recursively to a directory and everything below it):

(1) grant the owner rwx on the directory peter.net

chmod -R u+rwx peter.net

(2) grant the group rwx on the directory peter.net

chmod -R g+rwx peter.net

(3) grant owner, group and others rwx on the directory peter.net (equivalent to chmod -R a+rwx peter.net; on a directory tree this also makes every regular file executable, so prefer X to x, as in chmod -R a+rwX peter.net, which adds execute only to directories and to files that are already executable)

chmod -R u+rwx,g+rwx,o+rwx peter.net

(4) revoke the owner's w permission on the directory peter.net

chmod -R u-w peter.net

(5) revoke the x permission of owner, group and others on the directory peter.net (after this the directory itself can no longer be entered)

chmod -R u-x,g-x,o-x peter.net

(6) give owner, group and others exactly rx on the directory peter.net

chmod -R u=rx,g=rx,o=rx peter.net

chmod: octal permissions

Linux shows permissions as rwx by default. To make setting and changing permissions shorter, Linux also accepts a numeric form: within a role's three permissions each one is 1 when present and 0 when absent, which gives a three-bit binary value, written as a single octal digit. Linux permissions in binary:

rwx=111

r-x=101

rw-=110

r--=100

Converting each value to decimal gives:

rwx=111=4+2+1=7

r-x=101=4+0+1=5

rw-=110=4+2+0=6

r--=100=4+0+0=4

So r=4, w=2 and x=1, and a role's permission digit is their sum; the three roles together form a three-digit octal number in the order u g o (755 = rwxr-xr-x).

Using the numeric form, with peter.net at its default permissions of 755:

(1) grant the owner rwx on the directory peter.net (group and others keep r-x)

chmod -R 755 peter.net

(2) grant the owner and the group rwx on the directory peter.net (others keep r-x)

chmod -R 775 peter.net

(3) grant owner, group and others rwx on the directory peter.net (777 on a directory tree lets any local user modify or delete anything in it, which is almost never what is intended)

chmod -R 777 peter.net

Linux special permissions and the umask

Besides the ordinary rwx permissions, Linux has several special permissions. The careful reader will also have wondered why a new directory gets permissions 755 and a new file 644 by default: that is the effect of the permission mask, the umask.

Every process, and so every shell, carries a umask that determines the default permissions of the files and directories it creates; the usual system default is 022. The kernel starts from 666 for a new file and 777 for a new directory, which is more open than wanted, so the mask takes bits away: the real permissions are the base permissions with every bit that is set in the umask cleared. For the common masks this looks like subtraction, but it is a bitwise operation, so umask 027 on a new file gives 640, not 639.

- resulting directory permissions: 777 with 022 cleared = 755;
- resulting file permissions: 666 with 022 cleared = 644;
- umask prints the current mask in octal, umask -S prints it in symbolic form, and umask 027 sets a new mask for the current shell (put it in a shell profile to make it persistent).
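The following is an added example (not part of the original post) that turns the ls -l permission string explained above into the octal form used by chmod, including the special bits as the leading digit, and computes the effect of a umask on the kernel's base mode. It uses the mode strings and masks from the text and assumes nothing beyond a POSIX shell with cut and printf.

```shell
#!/bin/sh
# Added example, not from the original post: symbolic <-> octal permissions
# and the real umask calculation.

# mode_to_octal "drwxrwxr-x" -> 0775, mode_to_octal "-rwsr-xr-x" -> 4755.
# Accepts the 10-character ls -l field (type letter first) or a bare
# 9-character rwx string; the leading digit carries suid/sgid/sticky.
mode_to_octal() {
    m=$1
    if [ ${#m} -eq 10 ]; then
        m=${m#?}                      # drop the file-type character
    fi
    if [ ${#m} -ne 9 ]; then
        echo "mode_to_octal: bad mode string: $1" >&2
        return 1
    fi
    special=0
    digits=""
    pos=1
    # Walk the u, g, o triples; the matching special bit is 4, 2, 1.
    for bit in 4 2 1; do
        v=0
        r=$(printf '%s' "$m" | cut -c "$pos")
        w=$(printf '%s' "$m" | cut -c "$((pos + 1))")
        x=$(printf '%s' "$m" | cut -c "$((pos + 2))")
        if [ "$r" = r ]; then v=$((v + 4)); fi
        if [ "$w" = w ]; then v=$((v + 2)); fi
        case $x in
            x)   v=$((v + 1)) ;;
            s|t) v=$((v + 1)); special=$((special + bit)) ;;  # special bit plus x
            S|T) special=$((special + bit)) ;;                # special bit, no x
        esac
        digits="$digits$v"
        pos=$((pos + 3))
    done
    echo "$special$digits"
}

# apply_umask BASE MASK: BASE is 666 for a new file or 777 for a new
# directory, MASK is the umask; both octal. The result is BASE with every
# bit of MASK cleared (a bitwise operation, not subtraction), so
# apply_umask 666 027 gives 640 where naive subtraction would give 639.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# The defaults the text explains:
#   apply_umask 777 022 -> 755
#   apply_umask 666 022 -> 644
```

The S/T branch is worth keeping in mind when reading ls -l output: a capital letter means the special bit is set without the corresponding execute bit, which on a program is a misconfiguration rather than a privilege.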

Besides the ordinary permissions, Linux has the three special permissions shown in Table 5-2:

Permission   Effect on a file                                            Effect on a directory
suid         the program runs with the identity of the file's owner      none (ignored by Linux)
             rather than that of the user who executes it
sgid         the program runs with the identity of the file's group      every new file created in the directory gets the directory's
                                                                         group instead of the creator's primary group
sticky       none (ignored by Linux)                                     a user with write permission on the directory can delete or
                                                                         rename only the files they own; other users' files are
                                                                         protected (the directory owner and root are exempt)

Table 5-2 The three special permissions in Linux

The special permissions are set as follows:

- set suid: chmod u+s peter.net
- set sgid: chmod g+s peter.net
- set sticky: chmod o+t peter.net

Like the ordinary permissions, the special permissions can be written numerically, as a fourth octal digit placed in front of the usual three:

- SUID = 4
- SGID = 2
- Sticky = 1

chmod 4755 peter.net therefore sets the suid bit together with rwxr-xr-x (on a directory the suid bit has no effect; the command is shown for the syntax). ls -l shows the bit as an s in the owner's execute position (rwsr-xr-x), or as a capital S when the bit is set but the role has no execute permission, which for a program is a misconfiguration. Common setuid-root programs on a Linux system are su, passwd and sudo: they have to run as root to read /etc/shadow or to switch identity. Because every setuid-root program runs with root's privileges on behalf of an unprivileged caller, the set of such files on a host should be kept as small as possible and audited regularly; an unexpected new one is a classic privilege-escalation foothold.
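Added example, not from the original post: enumerate everything under a directory tree that carries one of the special bits, in a form that can be saved as a baseline and diffed later. The output tags and the baseline file name are this example's own choices; the test data is constructed with chmod on scratch files.

```shell
#!/bin/sh
# Added example, not part of the original post: find every file and
# directory below ROOT that carries a special bit. -xdev keeps find on one
# filesystem so a scan of / does not wander into /proc or network mounts.

# find_special ROOT prints lines of the form "TAG PATH", where TAG is
#   suid      regular file with the setuid bit
#   sgid      regular file with the setgid bit
#   sgid-dir  directory with the setgid bit (group inheritance)
#   sticky    directory with the sticky bit
# -perm -NNNN means "all of these bits are set", so a 4755 file matches
# -perm -4000 whatever its other bits are.
find_special() {
    root=$1
    find "$root" -xdev -type f -perm -4000 | sed 's/^/suid /'
    find "$root" -xdev -type f -perm -2000 | sed 's/^/sgid /'
    find "$root" -xdev -type d -perm -2000 | sed 's/^/sgid-dir /'
    find "$root" -xdev -type d -perm -1000 | sed 's/^/sticky /'
}

# Number of setuid files under ROOT. On a freshly installed server this is
# a few dozen at most, and it should not grow unnoticed.
count_suid() {
    find "$1" -xdev -type f -perm -4000 | wc -l | tr -d ' '
}

# Baseline workflow on a live host (as root, so every directory is readable;
# the baseline path is this example's choice):
#   find_special / > /var/lib/special-bits.baseline
#   ... later ...
#   find_special / | diff /var/lib/special-bits.baseline -
```

Any line that appears in the diff but not in the baseline deserves an explanation: a package update that legitimately added a setuid helper, or a binary someone copied and chmod 4755'd to keep root access.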


Origin www.cnblogs.com/Skybiubiu/p/12593743.html