Linux account and permission management at a glance

1. Overview of user accounts and group accounts

(1) Linux controls resource access based on user identity

1. User account
Super user, ordinary user, program user

2. Group account
Basic group (private group)
additional group (public group)

3. UID and GID
UID (User IDentity, user identification number)
GID (Group IDentity, group identification number)

(2) User account

Super user: the root user is the default super user account in the Linux operating system and has the highest authority over the host. There is only one super user in the system.

Ordinary user: Created by the root user or other administrator users, the permissions they have will be restricted, and generally only have full permissions in the user's own home directory.

Program users: when the Linux operating system and some applications are installed, certain low-privileged user accounts are added. These users are generally not allowed to log in to the system and exist only to keep the system or a program running, for example bin, daemon, ftp and mail.

Group account
Basic group (private group): a user has exactly one basic group, usually the group specified when the user is created. The 4th field of the user's record in /etc/passwd is the GID of the basic group.

Additional group (public group): any group the user is added to in addition to the basic group.

UID: user identification number
GID: group identification number
The UID and GID of the root user account are the fixed value 0.
Program user accounts default to UIDs and GIDs in the range 1~499.
Ordinary users default to UIDs and GIDs in the range 500~60000.

2. User account file

(1) User account file /etc/passwd

1. Saves basic information such as user name, home directory and login shell.
File location: /etc/passwd
Each line corresponds to a user's account record

[root@localhost ~]# head -2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

2. The user account file /etc/passwd serves system operation and management needs: all users can read the contents of the passwd file, but only the root user can change it.
In early UNIX systems the account's password information was stored in the passwd file itself, so a malicious user could easily obtain the password string and brute-force it, which was a security risk. The passwords were therefore moved to a dedicated shadow file, and only the placeholder "x" is kept in the passwd file.

root:x:0:0:root:/root:/bin/bash
Field 1: user account name
Field 2: password placeholder "x"
Field 3: the account's UID
Field 4: GID of the account's basic group
Field 5: the user's full name
Field 6: home directory
Field 7: login shell (/bin/bash allows logging in to the system; /sbin/nologin and /bin/false forbid the user from logging in)

Use the cat command to view the contents of /etc/passwd.

(2) User account file /etc/shadow

1. Save the user's password, account validity period and other information
File location: /etc/shadow
Each line corresponds to a user's password record

[root@localhost ~]# head -2 /etc/shadow
[root@localhost ~]# tail -1 /etc/shadow

2. By default only the root user can read the contents of the /etc/shadow file, and the file must not be edited directly.

root:$6$VyOUGgOC$v5H1LM1wagZc/FwGfnrtJFn1T:18445:0:99999:7:::
Field 1: user account name
Field 2: the encrypted password string (MD5 in the original description; a "$6$" prefix as in the example above marks a SHA-512 crypt hash). When it is "*" or "!" the user cannot log in to the system. If the field is empty, the user can log in without a password.
Field 3: time of the last password change, as the number of days since 1970-01-01
Field 4: minimum password age in days: after a change, at least this many days must pass before the password can be changed again. The default is 0, meaning no restriction
Field 5: maximum password age in days: this many days after the last change, the password must be changed again. The default is 99999, meaning no restriction
Field 6: how many days before expiry the user is warned that the password is about to expire; the default is 7
Field 7: how many days after the password expires the account is disabled
Field 8: account expiration time, as the number of days since 1970-01-01 after which the account is invalid. The default is empty, meaning the account is valid indefinitely.
Field 9: reserved field (unused)

3. Use cat to view /etc/shadow. By default only the root user can read the file, and it must not be edited directly.
If a program upgrade fails in production with an error saying the account has expired, you can make the account never expire by changing the fifth field to 99999, which means no restriction.

After cd /etc, listing the directory with ll shows that shadow is very tightly restricted: its permission bits grant no read, write or execute access.
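The field lists for /etc/passwd and /etc/shadow above are what an account audit actually reads. The following shell script is an added example, not code from the original post: it splits passwd- and shadow-format records on ":" with the field meanings given above and reports what a defender looks for (a second UID 0 account, accounts whose shell permits login, and the password state encoded in shadow fields 2, 3 and 5). Both samples are constructed test data with placeholder hashes, not a real /etc/passwd or /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_PASSWD and SAMPLE_SHADOW are
# CONSTRUCTED records (hashes are placeholders); run the functions against the
# real files only as root.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:second UID 0 account:/root:/bin/bash
lisi:x:500:500::/home/lisi:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'

SAMPLE_SHADOW='root:$6$VyOUGgOC$placeholderhash:18445:0:99999:7:::
bin:*:18000:0:99999:7:::
lisi:!!:18445:0:99999:7:::
wangwu::18445:0:90:7:::
zhaoliu:$6$abcdefgh$placeholderhash:18000:0:90:7:::'

# passwd field 3 is the UID. Any UID 0 account other than root has full root
# authority under another name, so list every such account.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# passwd field 7 is the login shell: /sbin/nologin and /bin/false mean the
# account cannot log in interactively; every other shell can.
login_capable_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
    return 0
}

# shadow field 2 is the hash (empty: no password needed; "*" or a leading "!":
# locked), field 3 the day of the last change since 1970-01-01, field 5 the
# maximum age in days (99999: no limit).
# Prints one of: no-password locked never-expires expired ok
shadow_status() {   # usage: shadow_status <user> <today as days since 1970-01-01>
    user=$1; today=$2
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS=: read -r name hash last min max warn inact expire reserved; do
        [ "$name" = "$user" ] || continue
        case "$hash" in
            '')        echo no-password ;;
            '*'|'!'*)  echo locked ;;
            *)
                if [ "$max" = "99999" ]; then
                    echo never-expires
                elif [ $((today - last)) -gt "$max" ]; then
                    echo expired
                else
                    echo ok
                fi ;;
        esac
    done
    return 0
}

# Stand-alone demo; day 18445 is the last-change value in the post's example line.
for u in root bin lisi wangwu zhaoliu; do
    printf '%-8s %s\n' "$u" "$(shadow_status "$u" 18445)"
done
echo "UID 0 accounts besides root: $(extra_uid0_accounts | tr '\n' ' ')"
```

The "today" argument is the same day count the shadow file uses, so the age check is a plain subtraction; a real run would pass `$(( $(date +%s) / 86400 ))`.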

(3) Add a user account: useradd

1. The useradd command

useradd options username

2. Common options
-u, -d, -e, -g, -G, -M, -s

[root@localhost ~]# useradd -d /ftphome/mike -g mike -G ftpuser -s /sbin/nologin mike

3. Adding a user account with useradd or adduser appends the account's record to the end of the /etc/passwd and /etc/shadow files.
If the home directory is not explicitly specified, a home directory with the same name as the account is created automatically under /home, and the user's initial configuration files are created in it.
If the user's group is not explicitly specified, a basic group account with the same name as the account is created automatically, and its record is saved in the /etc/group and /etc/gshadow files.

4. Common options:
-u: Specify the user's UID number, requiring that the UID number is not used by other users.
-d: Specify the user's home directory location (when used with -M, it does not take effect). Only absolute paths can be used to specify directories.
-e: Specify the expiration time of the user's account, using the date format YYYY-MM-DD.
-g: Specify the user's basic group name (or use GID number), the corresponding group name must already exist.
-G: Specify the user's additional group name (or use GID number), the corresponding group name must already exist.

-M: Do not create a home directory.
-s: Specify the user's login shell (for example, /bin/bash allows logging in to the system; /sbin/nologin and /bin/false forbid the user from logging in).

5. A user added with useradd or adduser cannot do anything yet, because the account is not activated: it has no password. Only after a password is configured for the user is the account activated and usable.

6. Use useradd to add a user named "lisi", then run cat /etc/passwd to confirm that the lisi user was added successfully.

7. Use -d to specify the home directory, -g to specify the basic group lisi, -G to specify the additional group zhangsan, and -u to specify the UID (the UID must be unique and not already in use); admin5 is the name of the newly created user.

(4) Set/change user password passwd

1. The passwd command

passwd options username

2. Common options:
-d, -l, -S, -u
-d: clear the specified user's password, so that only the user name is needed to log in to the system.
-l: lock the user account; a locked account can no longer log in to the system.
-S: view the status of the user account (whether it is locked).
-u: unlock the user account.
If no user name is given, the password of the current account is changed.

3. Setting a password with passwd: the root user can pass a user name as a parameter to manage that account's password; with no user name, the current account's password is changed. Ordinary users can only run a bare "passwd" to change their own password.

4. A second way to set a user's password: echo "password" | passwd --stdin username

5. Set a password for the lisi user created earlier. You can then log in as lisi with that password on the corresponding virtual terminal.
Use the -d option to clear lisi's password.
Experiment with the other options.

(5) Modify the attributes of the user account usermod

1. The usermod command

usermod options username

2. Common options
-l, -L, -U
3. The following options have the same meaning as in the useradd command
-u, -d, -e, -g, -G, -s

4. Modify user account attributes usermod
-u: modify the user's UID number
-d: modify the location of the user's home directory.
-e: modify the user's account expiration time, you can use the date format YYYY-MM-DD.
-g: modify the user's basic group name (or use GID number)
-G: modify the user's additional group name (or use GID number)
-s: specify the user's login shell.
-l: change the login name of the user account
-L: lock the user account
-U: unlock the user account

5. Use the -l option to change lisi's login name to wangwu. After the rename, the original UID and GID of lisi do not change.

(6) Delete the user account userdel

1. The userdel command

userdel -r username
# with the -r option, the user's home directory is deleted as well

(7) Initial configuration file of user account

1. File source
1) When the useradd command adds a new user account, it creates some initial configuration files in the user's home directory. These files come from the account template directory /etc/skel and are mostly hidden files.
2) The main initial configuration files of a user
~/.bash_profile
~/.bashrc
~/.bash_logout

2. The initial configuration files in a user's home directory apply only to that user (the files under lisi's home directory affect only lisi).
~/.bash_profile
The commands in this file run every time the user logs in; it sets some environment variables and calls the user's ~/.bashrc file.

~/.bashrc
The commands in this file run every time a new bash shell is opened (including at login), and it calls the /etc/bashrc file.

~/.bash_logout
The commands in this file run every time the user logs out or exits the bash shell.

The global configuration files are valid for all users:
/etc/profile
This file configures the system-wide variables. It is read at login; to reload it, restart the system or run source /etc/profile.

/etc/profile.d is the directory that accompanies /etc/profile; it stores the startup scripts required by some applications, and /etc/profile runs them.

/etc/bashrc
Every user running a bash shell executes this file. When a new bash shell is opened by running the bash command, the bashrc file is read.

vim /etc/bashrc                 # add the line below, then save
alias myls='/bin/ls -lhrt'

bash                            # open a new bash shell, which reads /etc/bashrc
type myls                       # shows that myls is now an alias

The PATH variable sets the default search path for executable programs.
How PATH takes effect:
every time the system starts and a login shell is initialized, /etc/profile and ~/.bash_profile are executed. /etc/profile appends the paths /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH, then calls the scripts in the /etc/profile.d directory.

3. Group account files

(1) Similar to user account files

/etc/group: save the basic information of the group account
/etc/gshadow: save the password information of the group account

Group account file:

grep "postfix" /etc/group
mail:x:12:postfix
postfix:x:89:
Field 1: group account name
Field 2: placeholder "x"
Field 3: GID of the group account
Field 4: user members of the group (generally not including the users whose basic group this is), separated by commas ","

When the queried group is a user's basic group, that user is not shown in its member list; only additional-group members are shown.
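The point just made, that basic-group membership lives in /etc/passwd field 4 while /etc/group field 4 lists only additional members, is easiest to see by rebuilding what the groups command prints from the two files. The script below is an added example, not code from the original post; both samples are constructed records (the mike/ftpuser and lisi/zhangsan/admin5 names follow the useradd examples above).

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_PASSWD and SAMPLE_GROUP are
# CONSTRUCTED records modelled on the post's examples, not real system files.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
lisi:x:500:500::/home/lisi:/bin/bash
admin5:x:1005:500::/home/admin5:/bin/bash
mike:x:1006:1006::/ftphome/mike:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
mail:x:12:postfix
postfix:x:89:
lisi:x:500:
zhangsan:x:501:admin5,lisi
ftpuser:x:502:mike
mike:x:1006:'

# Basic group: passwd field 4 (a GID) -> the /etc/group record with that GID in
# field 3 -> its name in field 1. Note "lisi:x:500:" has an empty member list:
# lisi's membership in its own basic group is recorded only in passwd.
basic_group() {   # usage: basic_group <user>
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Additional groups: every /etc/group record whose comma-separated member list
# (field 4) contains the user.
additional_groups() {   # usage: additional_groups <user>
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '{
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] == u) print $1
    }'
}

# Same layout as the `groups` command: basic group first, then additional groups.
groups_of_user() {   # usage: groups_of_user <user>
    printf '%s' "$(basic_group "$1")"
    for g in $(additional_groups "$1"); do
        printf ' %s' "$g"
    done
    printf '\n'
}

for u in postfix lisi admin5 mike; do
    printf '%-8s: %s\n' "$u" "$(groups_of_user "$u")"
done
```

For postfix this prints "postfix mail", matching the grep output above: the postfix record in /etc/group has no members, and the mail record is where the additional membership is kept.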

(2) Add a group account: groupadd

1. The groupadd command

groupadd [-g GID] group-name

2. Example

groupadd -g 1000 market     # add the group account market; -g specifies the GID
tail  -1  /etc/group
market:x:1000:

3. Add group account groupadd
-g: specify GID number

(3) Add and delete group members: gpasswd

1. The gpasswd command sets the group account password (rarely used) and adds or deletes group members.

gpasswd options group-name

2. Common options
-a: add a user to the group
-d: delete a user member from the group
-M: define a list of group members, separated by commas

When removing admin5 from a group, also give the group name, zhangsan.

Use the -M option to overwrite the group's member list.

(4) Delete the group account groupdel

1. The groupdel command

groupdel group-name

2. Example

groupdel market     # delete the group account market
grep "market" /etc/group

4. Query account information

(1) groups command

Query the group to which the user belongs

groups username

Query user ID

id username

Use groups to query a user's group membership (add grep to filter the output if needed).

Use id to query the user's ID and group information.

(2) finger command

1. Query the login attributes of the user account.
Note: You need to install the finger package first (yum install -y finger installs the finger package)

finger username


(3) w, who, users commands

Query the information of users who have logged in to the host

Supplement: tty usually refers to the various kinds of terminal devices. On a CentOS 7 system, tty1 is the graphical interface and tty2 to tty6 are text interfaces; switch between them with Ctrl+Alt+F1 through F6.
Press Ctrl+Alt+F2, log in, run the w command, and it shows that the terminal in use is tty2.

pts indicates a connection made with a remote tool such as Xshell. The number after it reflects login order: the smaller the number, the earlier the login.

5. Permissions and ownership of files and directories

(1) Access permissions

Read (r): allows viewing file contents and listing directory contents.
Write (w): allows modifying file contents, and creating, moving or deleting files or subdirectories within a directory.
Execute (x): allows running programs and entering (switching into) directories.

Permission   read   write   execute   none
Character    r      w       x         -
Value        4      2       1         0

(s) setuid: this bit makes a program run with the privileges of the file's owner rather than of the user who launched it; on a root-owned program it lets an ordinary user run, as root, commands that only the root account can normally run.
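The r=4, w=2, x=1 table and the setuid bit are what the first column of ls -l encodes. As an added example, not code from the original post, the script below converts that permission string into the octal number (one digit per owner/group/others triplet, with setuid=4, setgid=2 and sticky=1 in a leading digit) and then walks a constructed ls -l listing to report setuid-root files, which is the case the setuid paragraph warns about. The listing is made-up sample data, not real output.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_LS is a CONSTRUCTED listing.

# usage: mode_to_octal "-rwsr-xr-x"   (the leading file-type character is optional)
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;                 # drop the file-type character
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    special=0; digits=
    for t in 1 2 3; do                  # 1 = owner, 2 = group, 3 = others
        trip=$(printf '%s' "$m" | cut -c$(( (t - 1) * 3 + 1 ))-$(( t * 3 )))
        v=0
        case $trip in r??) v=$((v + 4)) ;; esac
        case $trip in ?w?) v=$((v + 2)) ;; esac
        # lowercase s/t = special bit plus execute; uppercase S/T = special bit only
        case $trip in ??x|??s|??t) v=$((v + 1)) ;; esac
        case "$t:$trip" in
            1:??[sS]) special=$((special + 4)) ;;   # setuid sits in the owner slot
            2:??[sS]) special=$((special + 2)) ;;   # setgid in the group slot
            3:??[tT]) special=$((special + 1)) ;;   # sticky in the others slot
        esac
        digits=$digits$v
    done
    if [ "$special" -ne 0 ]; then echo "$special$digits"; else echo "$digits"; fi
}

# setuid matters most when the owner is root: the program then runs with root
# authority no matter who starts it. Expects the full 10-character ls -l mode.
is_setuid_root() {   # usage: is_setuid_root <mode> <owner>; prints yes or no
    case "$1" in
        ???[sS]*) if [ "$2" = "root" ]; then echo yes; else echo no; fi ;;
        *)        echo no ;;
    esac
}

SAMPLE_LS='-rwsr-xr-x 1 root root 27832 Jun 10 10:31 /usr/bin/passwd
-rwxr-xr-x 1 root root 117656 Jun 10 10:31 /usr/bin/ls
-rwsr-xr-x 1 root root 8000 Jun 10 10:31 /opt/app/helper
-rwsr-xr-x 1 gcc gcc 8000 Jun 10 10:31 /home/gcc/tool
-rw-r--r-- 1 gcc gcc 34298 Apr 2 00:23 install.log'

# Report every setuid-root entry in the listing. On a live host the same
# inventory comes from: find / -perm -4000 -user root
setuid_root_files() {
    printf '%s\n' "$SAMPLE_LS" | while read -r mode links owner group size mon day time path; do
        if [ "$(is_setuid_root "$mode" "$owner")" = "yes" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

printf '%s -> %s\n' "-rwsr-xr-x" "$(mode_to_octal -rwsr-xr-x)"
echo "setuid-root files: $(setuid_root_files | tr '\n' ' ')"
```

A setuid-root inventory is worth keeping and diffing over time: /usr/bin/passwd legitimately needs the bit to write /etc/shadow, but a new entry such as the constructed /opt/app/helper should be explained before it is accepted.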

(2) Ownership

1. Owner: the user account that owns the file or directory
2. Group: the group account that owns the file or directory

(3) View the permissions and ownership of files and directories

ls -l install.log
-rw-r--r--  1  root  root   34298  04-02  00:23   install.log    # -rw-r--r-- : file type and permissions; root root : owner and group


(4) Set the ownership of files and directories: chown

1. The chown command

chown owner file-or-directory
chown :group file-or-directory
chown owner:group file-or-directory

2. Common option
-R: recursively modify the ownership of all files and subdirectories in the specified directory

3. Example: change the owner of wangwu to gcc.

(5) Set file or directory permissions chmod

1. chmod [ugoa...] [+-=] [rwx] file-or-directory
"ugoa" denotes the class of users the permission setting applies to: "u" is the file's owner, "g" the users in the file's group, "o" any other user, and "a" all users (the default when omitted).

"+-=" is the operation: "+" adds the given permissions, "-" removes them, and "=" sets exactly the given permissions.

"rwx" is the permission character combination; it can also be used in part, such as "rx".

2. chmod nnn file-or-directory (each n is the octal sum of the r/w/x values for owner, group and others)

-R: recursively modify the permissions of all subdirectories and files in the specified directory

3. Example: give wangwu the highest permissions with chmod 777.

(6) Set the default permissions umask of directories and files

1. The role of umask: it specifies the default permission mask applied when the current user creates a new file or directory. The permission of a new file or directory is the default maximum permission minus the umask (the maximum default permission is 6 per digit for ordinary files, i.e. 666, and 7 per digit for directories, i.e. 777).

2. Set the umask: umask 022
3. View the umask: umask
4. Example
  set the umask to 000, create a new directory and a new file, and view their permissions
  set the umask to 022, create a new directory and a new file, and view their permissions
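The umask examples above can be worked through without touching the filesystem. The script below is an added example, not code from the original post: apply_umask computes the permission the way the kernel does (base AND NOT umask), and digitwise_subtract implements the "maximum minus umask" shortcut from the explanation above so the two can be compared. They agree for the common masks 000, 022 and 027, but the shortcut is not exact for every mask, and the table shows one case where it is not.

```shell
#!/bin/sh
# Added example, not from the original post.

# usage: apply_umask <base octal> <umask octal>   e.g. apply_umask 666 022 -> 644
apply_umask() {
    base=$(( 0$1 )); mask=$(( 0$2 ))          # leading 0 makes the shell read them as octal
    printf '%03o\n' $(( base & ~mask ))       # the kernel clears the umask bits
}

# The mental shortcut: subtract digit by digit, never going below 0.
digitwise_subtract() {   # usage: digitwise_subtract 666 022 -> 644
    out=
    for i in 1 2 3; do
        b=$(printf '%s' "$1" | cut -c"$i"); u=$(printf '%s' "$2" | cut -c"$i")
        d=$(( b - u ))
        if [ "$d" -lt 0 ]; then d=0; fi
        out=$out$d
    done
    printf '%s\n' "$out"
}

# Side by side: the masks used in the examples above plus one (011) where the
# shortcut and the real mask operation disagree.
umask_table() {
    printf '%-5s %-5s %-6s %-12s %s\n' base umask kernel subtraction agree
    for pair in 666:000 777:000 666:022 777:022 666:027 777:027 666:011; do
        base=${pair%:*}; mask=${pair#*:}
        k=$(apply_umask "$base" "$mask"); s=$(digitwise_subtract "$base" "$mask")
        if [ "$k" = "$s" ]; then agree=yes; else agree=no; fi
        printf '%-5s %-5s %-6s %-12s %s\n' "$base" "$mask" "$k" "$s" "$agree"
    done
}

umask_table
```

With umask 011 the shortcut gives 655 for a file, but a file created from 666 has no execute bits to clear, so the kernel leaves it at 666. Running `umask 022; touch f; mkdir d; ls -ld f d` on a real shell confirms the 644 and 755 rows.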

Origin blog.csdn.net/Gengchenchen/article/details/109922618