Linux--Account and permission management--User account and group account--Directory and file permissions and ownership


Preface

  • As a multi-user, multi-tasking server operating system, Linux provides a strict permission management mechanism
  • Access to resources is restricted mainly from two aspects: user identity and file permissions

1. Manage user accounts

1. User account overview

  • Compared with the Windows operating system, the role of user accounts and group accounts in a Linux system is essentially the same
  • Access to resources is likewise controlled according to user identity, but the form of expression and some individual details differ

1.1 User account

In the Linux system, user accounts are divided into different types according to the needs of system management, and their permissions and roles are also different, mainly including the following three categories

  • Super user: the root user is the default super user account in the Linux operating system and has the highest authority on the host; there is only one super user in the system
  • Ordinary users: created by root or another administrator user; their permissions are limited, and normally they have full permissions only within their own home directory
  • Program users: when the Linux operating system and some applications are installed, a number of specific low-privilege user accounts are added. These users are generally not allowed to log in to the system and exist only to keep the system or a particular program running, for example bin, daemon, ftp, mail, etc.

1.2 UID number

  • Every user account in the Linux system has a numeric identity mark called the UID (User IDentity, user identification number)
  • For the system, the UID is the basic criterion for distinguishing users; in principle each user's UID number should be unique
  • root uses the fixed UID 0; program user accounts use UID 1 ~ 999 by default; ordinary users use UID 1000 ~ 60000 by default

1.3 User account file

Linux stores user account, password and related information in the corresponding configuration files. You can manage user accounts either by editing these files directly or by using the user management commands.

1.3.1 User account file-/etc/passwd

  • Save basic information such as user name, home directory, and login shell
  • File location: /etc/passwd
  • Each row corresponds to a user’s account record
[root@localhost ~]# head -2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

1.3.2 User account file-/etc/shadow

  • By default, only the root user can read the contents of the shadow file
  • Editing the contents of the file directly is not allowed
root: $6$VyOUGgOC$v5H1LM1wagZc/FwGfnrtJFn1T:18445:0:99999:7:::
Field 1: the user account name
Field 2: the encrypted password string (a hash; the "$6$" prefix in the record above denotes SHA-512 rather than MD5); when it is "*" or "!" the user cannot log in to the system. If the field is empty, the user can log in without a password
Field 3: the time of the last password change, as the number of days from 1970-01-01 to the most recent change
Field 4: the minimum password age in days; after a password change, at least this many days must pass before the password can be changed again. The default value 0 means no restriction
Field 5: the maximum password age in days; after a password change, the password must be changed again once this many days have passed. The default value 99999 means no restriction
Field 6: how many days before expiry the user is warned that the password will expire; the default value is 7
Field 7: how many days after the password expires the account is disabled
Field 8: the account expiration time, given as the number of days (counted from 1970-01-01) on which the account becomes invalid; the default is empty, meaning the account is valid permanently
Field 9: reserved field (unused)
  • Use cat to view /etc/shadow. By default only the root user can read the file's contents, and direct editing of the contents is not allowed
  • If a program upgrade fails in a production environment with an error message saying the account has expired, you can set the account to never expire, that is, change the fifth field to 99999, which means no restriction
  • The permissions on /etc/shadow are very restrictive: the file cannot be read, edited or executed by ordinary users
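As an added example (not part of the original post), the following POSIX shell functions apply the field rules above to constructed /etc/shadow-style records. The root record is the one shown above (without the stray space after the colon); the other records, the user names and the "today" value are made up for this example, so nothing here reads the real /etc/shadow. It reports accounts with no password, locked accounts, and passwords that have passed their maximum age.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style records with the field rules described above.
# The root record is the one shown in the post; every other record and the "today"
# value are constructed for this example, so nothing here reads the real /etc/shadow.
# Field layout (1-based): name:hash:lastchg:min:max:warn:inactive:expire:reserved

SAMPLE_SHADOW='root:$6$VyOUGgOC$v5H1LM1wagZc/FwGfnrtJFn1T:18445:0:99999:7:::
bin:*:18353:0:99999:7:::
alice:$6$constructed$placeholderhash:18400:0:90:7:::
bob:!$6$constructed$placeholderhash:18400:0:99999:7:::
guest::18400:0:99999:7:::'

# Classify field 2: empty means login without a password (a serious misconfiguration);
# "*", "!", "!!" or a "!"-prefixed hash (passwd -l / usermod -L) means the account is locked.
password_state() {
    case "$1" in
        "")       echo nopassword ;;
        "*"|"!"*) echo locked ;;
        *)        echo hashed ;;
    esac
}

# shadow_audit RECORD TODAY -> "name password-state expiry"
# TODAY is given as days since 1970-01-01 (the unit of fields 3 and 8) so results are reproducible.
shadow_audit() {
    _name=$(printf '%s\n' "$1" | cut -d: -f1)
    _hash=$(printf '%s\n' "$1" | cut -d: -f2)
    _last=$(printf '%s\n' "$1" | cut -d: -f3)
    _max=$(printf '%s\n' "$1" | cut -d: -f5)
    _state=$(password_state "$_hash")
    if [ -z "$_last" ] || [ -z "$_max" ] || [ "$_max" -ge 99999 ]; then
        _expiry=never                      # 99999 (the default) means no maximum age
    elif [ $(( _last + _max )) -lt "$2" ]; then
        _expiry=expired                    # last change + max age is already in the past
    else
        _expiry="$(( _last + _max - $2 ))days-left"
    fi
    echo "$_name $_state $_expiry"
}

# Run the audit over every sample record; "today" defaults to the real current day.
shadow_report() {
    _today=${1:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r _line; do
        shadow_audit "$_line" "$_today"
    done
}

shadow_report "$@"
```

Run it with no argument for a report relative to today, or pass a day number (for instance 18500) to reproduce a fixed result. On a real host the same functions can be fed `sudo cat /etc/shadow` instead of the sample variable; the field logic does not change.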

2. User account management

2.1 Add user account-useradd

  • Basic command format:
useradd [options] username

The simplest usage is to give no options and pass only the user name as the argument; useradd then creates the specified account according to the system's default configuration.
When a user account is added with the useradd command, the following tasks are carried out:
1. A record for the user account is appended to the /etc/passwd file and the /etc/shadow file
2. If the user's home directory is not explicitly specified, a home directory with the same name as the user account is created automatically under /home, and the user's initial configuration files are created in it
3. If the user's group is not explicitly specified, a basic group account with the same name as the user account is created automatically, and its record is saved in the /etc/group and /etc/gshadow files

Common options   Explanation
-u               Specify the user's UID number; the UID must not already be used by another user
-d               Specify the user's home directory (has no effect when combined with -M); the directory must be given as an absolute path
-e               Specify the account expiration date, in the format YYYY-MM-DD
-g               Specify the user's basic group by name (or GID number); the group must already exist
-G               Specify the user's additional (supplementary) groups by name (or GID number); the groups must already exist
-M               Do not create a home directory
-s               Specify the user's login shell (for example, /bin/bash allows logging in to the system, while /sbin/nologin and /bin/false prevent the user from logging in)

  • A user created with useradd or adduser cannot do anything yet because the account is not activated; only after a password has been set for it is the account activated and usable

2.2 Set/change user password-passwd

  • After adding a user account through the useradd command, you need to set a password for it to be used normally
  • Use the passwd command to set or modify the password. The root user has the right to manage the passwords of other accounts (just specify the account name as a parameter)
passwd [options] username
Common options   Explanation
-d               Clear the specified user's password, so that the user can log in with only the user name
-l               Lock the user account; a locked account can no longer log in to the system
-S               View the status of the user account (whether it is locked)
-u               Unlock the user account

When no user name is given, passwd changes the password of the current account. The root user can pass a user name as an argument to manage the password of that account; an ordinary user cannot specify a user name and can only run the "passwd" command without arguments to change their own password.

  • A second way to set a user's password:
echo "password" | passwd --stdin username

2.3 Modify user account attributes-usermod

  • For user accounts that already exist in the system, you can use the usermod command to reset various attributes
  • When using the usermod command, most of its options correspond to the options of the useradd command, and the functions are similar.
Common options   Explanation
-u               Modify the user's UID number
-d               Modify the user's home directory location
-e               Modify the account expiration date, in the format YYYY-MM-DD
-g               Modify the user's basic group by name (or GID number)
-G               Modify the user's additional (supplementary) groups by name (or GID number)
-s               Modify the user's login shell
-l               Change the login name of the user account
-L               Lock the user account
-U               Unlock the user account

After the login name is changed with the -l option, the original UID and GID remain unchanged

2.4 Delete user account-userdel

userdel -r username
# with the -r option, the user's home directory is deleted as well
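The following is an added example, not code from the original post: a pre-flight check for a useradd request that enforces the option constraints listed above (-u must be an unused UID, -g must name an existing group, -s should be one of the login shells the post names) against constructed snapshots of /etc/passwd and /etc/group rather than the live files, so it can be run unprivileged and executes nothing. The snapshot contents, the user names and the check that an ordinary user's UID is 1000 or above are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a useradd request, enforcing the option constraints
# described above (-u must be an unused UID, -g must name an existing group, -s should be a
# recognised login shell). It runs against constructed snapshots of /etc/passwd and
# /etc/group instead of the live files, so it needs no root privileges and changes nothing.

PASSWD_SNAPSHOT='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash'

GROUP_SNAPSHOT='root:x:0:
bin:x:1:
alice:x:1000:
devs:x:1001:alice'

# Login shells the post names: /bin/bash allows login, the other two refuse it.
KNOWN_SHELLS='/bin/bash /sbin/nologin /bin/false'

login_exists() {   # exit 0 when the login name (passwd field 1) already exists
    printf '%s\n' "$PASSWD_SNAPSHOT" | awk -F: -v u="$1" '$1 == u { f = 1 } END { exit f ? 0 : 1 }'
}

uid_in_use() {     # exit 0 when the UID (passwd field 3) is already taken
    printf '%s\n' "$PASSWD_SNAPSHOT" | awk -F: -v uid="$1" '$3 == uid { f = 1 } END { exit f ? 0 : 1 }'
}

group_exists() {   # exit 0 when the group name (group field 1) is defined
    printf '%s\n' "$GROUP_SNAPSHOT" | awk -F: -v g="$1" '$1 == g { f = 1 } END { exit f ? 0 : 1 }'
}

# useradd_preflight NAME UID GROUP SHELL
# Prints one "error: ..." line per violated rule and returns 1, or prints the command that
# would be run and returns 0. Nothing is executed.
useradd_preflight() {
    _name=$1; _uid=$2; _group=$3; _shell=$4; _err=0
    if login_exists "$_name"; then
        echo "error: login name '$_name' already exists"; _err=1
    fi
    if uid_in_use "$_uid"; then
        echo "error: UID $_uid is already in use (-u must be unique)"; _err=1
    fi
    if [ "$_uid" -lt 1000 ]; then
        echo "error: UID $_uid is in the program-user range (1-999), not the ordinary-user range"; _err=1
    fi
    if ! group_exists "$_group"; then
        echo "error: group '$_group' does not exist (-g requires an existing group)"; _err=1
    fi
    case " $KNOWN_SHELLS " in
        *" $_shell "*) ;;
        *) echo "error: '$_shell' is not a recognised login shell"; _err=1 ;;
    esac
    if [ "$_err" -eq 0 ]; then
        echo "ok: useradd -u $_uid -g $_group -s $_shell $_name"
    fi
    return "$_err"
}

useradd_preflight bob 1002 devs /bin/bash
useradd_preflight alice 1000 nosuch /bin/zsh || true
```

The first call passes and prints the useradd command it would correspond to; the second reports every violated rule at once rather than stopping at the first, which is what you want from a check run before a batch of account creations.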

2.5 Initial configuration file of user account

  1. Where the files come from
After useradd creates a new user account, it places some initial configuration files in the user's home directory.
These files come from the account template directory /etc/skel and are almost all hidden files.

  2. The main user initial configuration files
~/.bash_profile
~/.bashrc
~/.bash_logout
  3. The initial configuration files in a user's home directory apply only to that user
~/.bash_profile
The commands in this file run each time the user logs in; it sets some environment variables and calls the user's ~/.bashrc file

~/.bashrc
The commands in this file run every time a new bash shell is opened (including at system login), and it calls the /etc/bashrc file

~/.bash_logout
The commands in this file run each time the user logs out or exits a bash shell
  4. The global configuration files apply to all users:
/etc/profile
This is the system-wide environment configuration file; it is read again after a reboot or by running the command source /etc/profile

/etc/profile.d
This is in effect a subdirectory of /etc/profile, holding the startup scripts that applications need

/etc/bashrc
Every user running a bash shell executes this file; running the bash command to open a new bash shell causes bashrc to be read, for example:

vim /etc/bashrc
alias myls='/bin/ls -lhrt'

bash
type myls
  5. The PATH variable sets the default search path for executable programs
  6. How PATH takes effect:
Each time the system starts a login session it initializes the environment by executing /etc/profile and ~/.bash_profile
/etc/profile appends the paths /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH
and then calls the scripts under the /etc/profile.d directory

2. Manage group accounts

1. Group account management

  • Group account commands are used relatively rarely
  • Relative to a user account, group accounts come in two kinds: the basic group (private group) and additional groups (public groups)
  • Each user account can be a member of several group accounts, but it has only one basic group account
  • The fourth field of the "/etc/passwd" file is the GID number of the user's basic group
  • Which additional groups a user belongs to is recorded in the entry of the corresponding group account in the group file

1.1 Group account file

There are the following two configuration files related to group accounts

  • /etc/group: Save basic information such as group account name, GID number, and group members
  • /etc/gshadow: Save information such as the encrypted password string of the group account (rarely used)
grep "postfix"  /etc/group
mail:x:12:postfix
postfix:x:89:
Field 1: the group account name
Field 2: the placeholder "x"
Field 3: the GID of the group account
Field 4: the user members of the group (normally excluding the user account whose basic group this is), with multiple members separated by commas ","
  • When the queried group is some user's basic group, that user is not shown as a member; only the additional (supplementary) group members are listed
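To make the point above concrete, here is an added example (not from the original post) that computes a group's effective membership from constructed /etc/passwd and /etc/group snapshots: users whose basic group is the queried group are found through passwd field 4, and the additional members through group field 4. The mail:x:12:postfix and postfix:x:89: entries are the ones shown above; the devs group and the users alice, bob and carol are made up.

```shell
#!/bin/sh
# Added example: compute a group's effective membership from constructed /etc/passwd and
# /etc/group snapshots (not the real files). A user whose basic (primary) group is G
# appears only through passwd field 4, never in group field 4, so grep on /etc/group
# alone misses them.

PASSWD_SNAPSHOT='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89:postfix:/var/spool/postfix:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1002:1001:bob:/home/bob:/bin/bash
carol:x:1003:1003:carol:/home/carol:/bin/bash'

GROUP_SNAPSHOT='root:x:0:
mail:x:12:postfix
postfix:x:89:
alice:x:1000:
devs:x:1001:alice,carol
carol:x:1003:'

# GID of a group name (field 3 of /etc/group); prints nothing for an unknown group.
group_gid() {
    printf '%s\n' "$GROUP_SNAPSHOT" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# Additional members: the comma-separated list in field 4 of /etc/group.
supplementary_members() {
    printf '%s\n' "$GROUP_SNAPSHOT" |
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Primary members: every passwd entry whose field 4 (basic group GID) equals the group's GID.
primary_members() {
    _gid=$(group_gid "$1")
    [ -n "$_gid" ] || return 0
    printf '%s\n' "$PASSWD_SNAPSHOT" | awk -F: -v gid="$_gid" '$4 == gid { print $1 }'
}

# Effective membership = primary members + additional members, one line, sorted, no duplicates.
group_members() {
    { primary_members "$1"; supplementary_members "$1"; } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

for g in postfix mail devs; do
    printf '%s: %s\n' "$g" "$(group_members "$g")"
done
```

For the postfix group the /etc/group line lists no members at all, yet the postfix user is a member through its basic group; for devs, bob is a member only through passwd while alice and carol appear only in /etc/group. On a real host, replace the two snapshot variables with the contents of the real files.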

1.2 Add group account-groupadd

  • Add a group account; when you need to specify the GID number, use the "-g" option
groupadd [-g GID] groupname

1.3 Add, set, delete group members-gpasswd

  • The gpasswd command was originally used to set the group account password, but this function is rarely used. In fact, the command is more used to manage the user members of the group account
gpasswd options groupname
Common options   Explanation
-a               Add a user to the group
-d               Remove a user member from the group
-M               Define the full list of group members, separated by commas

1.4 Delete a group account-groupdel

groupdel groupname

2. Query account information

2.1 Query the identity-id of a user account

  • You can quickly view the UID, GID and other identification information of the specified user account
id username

2.2 Query the group to which the user account belongs-groups

  • Query the group to which the user belongs
groups username

2.3 Query the login attributes of the user account-finger

  • Query detailed information about a user account's login attributes, including login name, full name, home directory, login shell, etc.
finger username
  • Install the finger package first:
yum -y install finger

2.4 Query the user login status of the current host-w, who, users

  • Query the information of users who are currently logged in to the host
Note: tty is the usual shorthand for the various kinds of terminal devices. On CentOS 7, tty1 is the graphical interface and tty2-tty6 are text consoles; you can switch between them with Ctrl+Alt+F1 to F6.
Log in after pressing Ctrl+Alt+F2 and run the w command: the terminal shown in use is tty2

pts indicates a pseudo-terminal opened through a remote tool such as Xshell; the number after it reflects the order of login, and a smaller number means an earlier login

3. Permission and ownership of directories and files

  • In the security model of the Linux file system, every file in the system is given two attributes: access permissions and file ownership, referred to as "permissions" and "ownership" for short
  • Access permissions consist of three basic types: read, write and execute. Ownership consists of the owner (the user account that owns the file) and the group (the group account that owns the file)
  • The Linux system controls the process by which users access data according to the access permissions and ownership of files or directories

1. View file permissions and ownership

ls -l install.log
-rw-r--r--  1  root  root   34298  04-02  00:23   install.log

#  -rw-r--r-- : file type and permissions    root  root : owner and group

2. Set permissions and ownership of files

2.1 Set the ownership of a file-chown

chown owner file_or_directory
chown :group file_or_directory
chown owner:group file_or_directory
  • Common options:
    -R: recursively modify the ownership of all files and subdirectories in the specified directory

2.2 Set file permissions-chmod

chmod [ugoa...] [+-=] [rwx] file_or_directory
"ugoa" indicates the category of users the permission setting applies to: "u" is the file owner, "g" the users in the file's group, "o" any other user, and "a" all users (the default when omitted).

"+-=" is the operation to perform: "+" adds the corresponding permission, "-" removes it, and "=" sets exactly the given permission.

"rwx" is the permission character combination; it can also be used partially, for example "rx".
  • chmod nnn file_or_directory
    -R: recursively modify the permissions of all subdirectories and files in the specified directory
  • Change the permissions on xcf to the highest permissions (rwx for everyone):
    chmod 777 xcf

2.3 Set default permissions for directories and files-umask

  • Specify the default permission mask applied for the current user when a new file or directory is created
  • The permission of a newly created file or directory is the default maximum permission minus the umask (the maximum default permission of an ordinary file is 6 per category, and that of a directory is 7 per category)
Set the umask: umask 022
View the umask: umask

Set the umask to 000, create a new directory or file, and check its permissions
Set the umask to 022, create a new directory or file again, and compare the permissions
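The block below is an added example, not code from the original post. It does the permission arithmetic of the ls -l, chmod and umask sections on constructed values, so it runs without root and without touching real files: it converts between "rwxr-xr-x" strings and octal modes, applies a umask the way the kernel actually does it (clearing the masked bits, which matches "maximum minus umask" for the usual masks but not for every mask), and flags world-writable modes. The helper and function names are this example's own.

```shell
#!/bin/sh
# Added example: permission arithmetic on constructed values, so it runs without root and
# without touching real files. Covers the ls -l, chmod and umask sections above.

# One octal digit (0-7) -> its rwx triplet, e.g. 6 -> rw-
digit_to_rwx() {
    _r=-; _w=-; _x=-
    [ $(( $1 & 4 )) -ne 0 ] && _r=r
    [ $(( $1 & 2 )) -ne 0 ] && _w=w
    [ $(( $1 & 1 )) -ne 0 ] && _x=x
    printf '%s%s%s' "$_r" "$_w" "$_x"
}

# Three-digit octal mode -> nine-character string, e.g. 644 -> rw-r--r--
octal_to_rwx() {
    _out=''
    for _d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        _out="$_out$(digit_to_rwx "$_d")"
    done
    printf '%s\n' "$_out"
}

# ls -l mode string -> octal, e.g. "-rw-r--r--" -> 644 or "drwxr-xr-x" -> 755.
# A 10-character argument is taken to start with the file-type character, which is dropped.
# s/t (setuid, setgid, sticky combined with execute) count as executable; S/T do not.
rwx_to_octal() {
    _p=$1
    [ ${#_p} -eq 10 ] && _p=${_p#?}
    _val=0
    for _c in $(printf '%s\n' "$_p" | sed 's/./& /g'); do
        case "$_c" in
            r|w|x|s|t) _bit=1 ;;
            -|S|T)     _bit=0 ;;
            *) echo "unexpected mode character '$_c'" >&2; return 1 ;;
        esac
        _val=$(( _val * 2 + _bit ))    # each position is one bit, high to low
    done
    printf '%o\n' "$_val"
}

# Mode a new file (base 666) or directory (base 777) gets under umask $1.
# The kernel computes base AND NOT umask. Plain subtraction gives the wrong answer
# whenever a umask digit has a bit the base lacks: umask 033 on a file yields 644, not 633.
umask_result() {
    case "$2" in
        file) _base=0666 ;;
        dir)  _base=0777 ;;
        *) echo "usage: umask_result MASK file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' "$(( _base & ~(0$1) ))"
}

# Exit 0 when "other" has write permission (the 002 bit), the case worth alerting on.
world_writable() {
    [ $(( 0$1 & 02 )) -ne 0 ]
}

for m in 022 027 033 077; do
    printf 'umask %s: file %s (%s) dir %s (%s)\n' "$m" \
        "$(umask_result "$m" file)" "$(octal_to_rwx "$(umask_result "$m" file)")" \
        "$(umask_result "$m" dir)"  "$(octal_to_rwx "$(umask_result "$m" dir)")"
done
```

The loop at the end prints the mode a file and a directory would receive under each umask, which is the experiment the post suggests (set the umask, create a file, look at the permissions) without creating anything; `rwx_to_octal` turns the first column of `ls -l` output into a number that `world_writable` can check.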


Origin blog.csdn.net/weixin_51486343/article/details/112155720