Linux account and permission management (be careful when granting permissions)

1. Overview of user accounts and group accounts

1. User account

1) Superuser: root is the default superuser account on Linux and has full authority over the host. By default it is the only account with UID 0, but the privilege comes from the UID, not the name: any account whose UID is 0 is a superuser, so the number of UID-0 accounts is worth checking.

2) Ordinary users: created by root or another administrator; their permissions are restricted, and they generally only have full permissions within their own home directory.

3) Program (system) users: when the operating system or certain applications are installed, low-privileged accounts such as bin, daemon, ftp and mail are added. They are generally not allowed to log in and exist only to run a service or maintain part of the system.

2. Group account

1) Primary group (private group): each user has exactly one primary group, usually the group specified (or created) when the user is added.
The 4th field of the user's record in /etc/passwd is the GID of the primary group.

2) Supplementary groups (public groups): any additional groups the user is added to beyond the primary group.

3. UID and GID

UID: user identification number
GID: group identification number
The UID and GID of root are fixed at 0.
Program (system) accounts default to the range 1~499 on CentOS 6; on CentOS 7 and current distributions the range is 1~999.
Ordinary users default to 500~60000 on CentOS 6 and 1000~60000 on CentOS 7. The ranges come from UID_MIN/UID_MAX and SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs, so check that file rather than assuming the numbers.

2. User account files

1. User account file /etc/passwd

All users can read /etc/passwd because many programs need to map UIDs to names, but only root can modify it.
Early UNIX systems stored the password hash in /etc/passwd itself, so any local user could copy the hash string and run an offline brute-force attack. The hashes were therefore moved to a separate file, /etc/shadow, readable only by root, and /etc/passwd now keeps only the placeholder "x" in the password field.
Each line corresponds to one user's account record

root:x:0:0:root:/root:/bin/bash
Field 1: user account name (root)
Field 2: password placeholder "x" (x)
Field 3: UID of the account (0)
Field 4: GID of the primary group (0)
Field 5: full name / comment field (root)
Field 6: home directory (/root)
Field 7: login shell (/bin/bash allows logging in; /sbin/nologin and /bin/false deny the user an interactive login)
Note on field 7: /sbin/nologin refuses the login and prints a message ("This account is currently not available"); /bin/false simply exits and prints nothing. Neither is a substitute for locking the password: they only stop interactive shells, and root can still run commands as the account by passing a different shell to su.

2. User account file /etc/shadow

By default only root can read /etc/shadow, and it should not be edited directly; use passwd, chage or usermod, which update it safely.
Each line corresponds to one user's password record

root:$6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT:18445:0:99999:7:::
Field 1: user account name (root)
Field 2: the hashed password in crypt(3) format. The prefix identifies the algorithm: $1$ is MD5, $5$ is SHA-256, $6$ is SHA-512 (the default on CentOS 6/7), so the example above is SHA-512, not MD5. A value of "*" or "!!" means the account has no usable password and cannot log in with one; a "!" in front of a hash means the password has been locked with passwd -l or usermod -L. If the field is empty the user can log in without a password wherever PAM and sshd allow empty passwords. ($6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT)
Field 3: date of the last password change, in days since 1970-01-01 (18445)
Field 4: minimum password age: days that must pass after a change before the password can be changed again. The default 0 means no restriction (0)
Field 5: maximum password age: days after a change by which the password must be changed. The default 99999 effectively means no limit (99999)
Field 6: number of days before expiry on which to start warning the user, default 7 (7)
Field 7: inactivity period: days after the password expires before the account is disabled (empty)
Field 8: account expiry date, in days since 1970-01-01, after which the account is disabled; empty by default, meaning the account never expires (empty)
Field 9: reserved (unused) (empty)
Note: fields 7, 8 and 9 are rarely changed and usually keep their defaults; it is enough to know what they mean.
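As an added example (not part of the original article), the following POSIX shell functions audit copies of /etc/passwd and /etc/shadow for the conditions described in the two file sections above: extra UID-0 accounts, accounts whose login shell permits an interactive login, and the state of the shadow password field (empty, locked, no usable password, or which hash algorithm). The sample records are constructed for this example; the root hash is the truncated string quoted above and the other hashes are placeholders, not real ones. Run the same functions on the real files as root to audit a live system.

```shell
#!/bin/sh
# Added example, not from the original article: audit passwd/shadow records
# for the conditions described in the text. Sample data is constructed; real
# files can be passed as "$(cat /etc/passwd)" and "$(cat /etc/shadow)" (root).

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0:oops:/root:/bin/bash
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
ceshi1:x:1002:1002::/home/ceshi1:/bin/bash
svc:x:1003:1003::/home/svc:/bin/false'

# Placeholder hashes: only the prefixes ($1$, $6$) matter to the checks below.
SHADOW_SAMPLE='root:$6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT:18445:0:99999:7:::
bin:*:18353:0:99999:7:::
backdoor:$1$abcdefgh$0123456789abcdefghijkl:18445:0:99999:7:::
zhangsan::18445:0:99999:7:::
ceshi1:!$6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT:18445:0:99999:7:::
svc:!!:18445:0:99999:7:::'

# Accounts other than root whose UID (field 3) is 0: they are superusers too.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose login shell (field 7) permits an interactive login.
login_shells() {
    printf '%s\n' "$1" | awk -F: '$7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Classify field 2 of one shadow record.
shadow_pw_status() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        "")     echo empty ;;    # no password needed where PAM allows it
        '!'*)   echo locked ;;   # "!!" from useradd, or "!" prefix from passwd -l / usermod -L
        '*')    echo nopass ;;   # no usable password (system accounts)
        '$1$'*) echo md5 ;;
        '$5$'*) echo sha256 ;;
        '$6$'*) echo sha512 ;;
        *)      echo other ;;
    esac
}

# Days-since-epoch fields (3 and 8) as a calendar date, when GNU date is available.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F 2>/dev/null || echo "day $1"
}

# Accounts that can log in interactively and have an empty password or an MD5 hash.
audit_accounts() {
    pw=$1; sh=$2
    for u in $(login_shells "$pw"); do
        rec=$(printf '%s\n' "$sh" | grep "^$u:") || continue
        st=$(shadow_pw_status "$rec")
        case "$st" in
            empty|md5) echo "$u $st" ;;
        esac
    done
}

echo "extra UID 0 accounts: $(extra_uid0 "$PASSWD_SAMPLE")"
echo "weak or empty passwords: $(audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" | tr '\n' ' ')"
echo "root last changed its password on $(days_to_date 18445)"
```

On the sample data the audit reports backdoor (a second UID-0 account with an MD5 hash) and zhangsan (empty password field), while ceshi1 and svc are reported as locked and bin as having no usable password.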

3. Managing user accounts

1. Add user account useradd or adduser

  • A record for the account is appended to /etc/passwd and /etc/shadow.
  • If no home directory is specified, a directory with the same name as the account is created under /home and populated with the user's initial configuration files.
  • If no primary group is specified, a group with the same name as the account is created and recorded in /etc/group and /etc/gshadow.
  • A user created with useradd or adduser has the password field set to "!!" in /etc/shadow, so the account cannot log in with a password until one is set with passwd (root can still switch to it with su). On CentOS adduser is simply a symlink to useradd; on Debian/Ubuntu it is a separate interactive wrapper.
Format: useradd [options] username
Common options:
-u: specify the UID; it must not already be in use by another user.
-d: specify the home directory location (has no effect when combined with -M).
-e: specify the account expiry date, in YYYY-MM-DD format.
-g: specify the primary group, by name or GID; the group must already exist.
-G: specify supplementary groups, by name or GID, comma-separated; the groups must already exist.
-M: do not create a home directory.
-s: specify the login shell (for example /bin/bash allows login; /sbin/nologin and /bin/false deny an interactive login).
For example:
useradd -d /admin -g wheel -G root admin1
useradd -e 2020-12-31 -s /sbin/nologin admin2

Add the user account 101 (note: when the account 101 is added, a home directory named 101 is created under /home at the same time).
Create a user named li1 with UID 1005, home directory /home/zhang, account expiry on 2020-11-27, primary group zhangsan and supplementary group li; the groups zhangsan and li must exist before the command is run, otherwise useradd refuses.

2. Set the password passwd for the user account

The root user can pass a user name as an argument to manage that account's password.
An ordinary user can only run "passwd" on its own to change their own password, and must supply the current one first.

Command format: passwd [options] username
Common options:
-d: delete (clear) the password of the specified user; the account can then log in with just the user name wherever empty passwords are accepted (pam_unix nullok, which CentOS enables for local logins by default; sshd refuses them because PermitEmptyPasswords defaults to no).
-l: lock the account by prefixing the hash in /etc/shadow with "!"; the user can no longer log in with the password (other authentication methods, such as SSH keys, are not affected).
-S: show the status of the account (locked or not, the hash algorithm and the ageing fields).
-u: unlock the account. If the account has no password, -u refuses to unlock it because that would leave a passwordless account; add -f to force it.

Set a password. If the password is shorter than 8 characters (or fails the other pam_pwquality checks), root is told the password is bad, but root is allowed to override the check by entering the same password a second time. Ordinary users changing their own password cannot override it.
Clear zhangsan's password with the -d option. After the password is cleared, simply clicking the account on the graphical login screen logs the user in.
Lock zhangsan's password with -l and check the result with -S. After the account is locked it disappears from the login screen, and even entering the correct password does not log in.
Unlock zhangsan with -u, adding -f if the password is empty. After unlocking, the account is back on the login screen and can log in again.

Supplement: echo "password" | passwd --stdin username sets the password non-interactively (quoting the password makes no difference). --stdin is a Red Hat extension, and the password is recorded in the shell history and in any script containing the line, so for anything but a throwaway system prefer typing passwd interactively or feeding chpasswd from a file with restricted permissions.
Insert picture description here

3. Modify user account attributes usermod

Command format: usermod [options] username
Common options:
-u: change the UID (only the home directory and mail spool are re-owned; files the user owns elsewhere keep the old numeric UID).
-d: change the home directory location (add -m to move the contents of the old home directory to the new one).
-e: change the account expiry date, in YYYY-MM-DD format.
-g: change the primary group, by name or GID.
-G: replace the list of supplementary groups, by name or GID; add -a to append to the existing list instead of replacing it.
-s: change the login shell.
-l: change the login name.
-L: lock the account (prefixes the hash in /etc/shadow with "!", the same as passwd -l).
-U: unlock the account.

Change li1's login name to zhan1. Only the name changes; the UID, home directory and the remaining fields stay as they were.

4. Delete the user account userdel

Command format: userdel [-r] username
With the -r option the user's home directory and mail spool are removed as well

Create a ceshi account and delete it with -r; the home directory is gone afterwards.
If the home directory is shared with other accounts, userdel -r leaves it in place. Files the user owned elsewhere on the system are never removed; they keep the now-unassigned numeric UID, and a later account created with the same UID would inherit them, so locate them with find's -nouid test before reusing the number.

5. The initial configuration file of the user account

1) Where the files come from
When useradd creates a new account it copies some initial configuration files into the user's home directory. They come from the account template directory /etc/skel and are mostly hidden files (names beginning with a dot). Anything placed in /etc/skel, including a tampered ~/.bashrc, is copied into every future user's home, so its contents and permissions deserve a check.

2) Effective configuration files

The initial configuration files in the user's home directory apply only to that user (~ is the current account's home directory)
~/.bash_profile		#executed each time the user logs in; sets some environment variables and sources the user's ~/.bashrc
~/.bashrc			#executed every time a new bash shell is opened (including at login); sources /etc/bashrc
~/.bash_logout		#executed each time the user logs out or exits a login bash shell

Global configuration files apply to all users
/etc/profile		#system-wide environment configuration, read at login; re-read by logging in again or running source /etc/profile
/etc/profile.d      #a directory sourced by /etc/profile; holds startup scripts for individual applications
/etc/bashrc			#executed by every bash shell; starting a new shell with the bash command makes it re-read

Change the global configuration so that every user gets an alias myls for /bin/ls -lhr:
vim /etc/bashrc
alias myls='/bin/ls -lhr'
bash              start a child bash process
type myls         check the alias
exit              leave the child process

There is a lot of existing content in /etc/bashrc; leave it alone and append the alias at the end. Here I used alias myls='/bin/ls -lhr'; open a child bash and run type myls to see that the alias is in effect. Dropping a small script into /etc/profile.d instead of editing /etc/bashrc keeps local changes separate from the package-provided file.

3) The PATH variable
PATH sets the default search path for executable programs. How it is built:
at every login the shell reads /etc/profile and then ~/.bash_profile. /etc/profile appends /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH, then sources the scripts in /etc/profile.d; on CentOS ~/.bash_profile then appends $HOME/.local/bin and $HOME/bin. Because the shell runs the first match it finds, a PATH entry that other users can write to lets them plant a command that shadows the real one; "." (the current directory) or a world-writable directory should never appear in PATH, least of all root's.
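As an added example (not part of the original article), the POSIX shell function below checks a PATH string for the dangerous entries just described: relative or empty entries, directories that do not exist, and directories writable by the group or by everyone. The demonstration builds its own directories under a temporary directory (constructed for the example) so it can run as an ordinary user; on a real system call check_path "$PATH".

```shell
#!/bin/sh
# Added example, not from the original article: flag PATH entries that allow
# command hijacking. Writability is read from the ls -l mode string so the
# check does not depend on who runs it.

# Print one line per problematic entry: "<entry> <reason>".
check_path() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
        case "$d" in
            "")  echo "<empty> relative-entry"; continue ;;   # "" means the current directory
            /*)  ;;
            *)   echo "$d relative-entry"; continue ;;         # "." or any relative path
        esac
        if [ ! -d "$d" ]; then
            echo "$d missing"                                  # could be created later by an attacker
            continue
        fi
        perm=$(ls -ld "$d" | cut -c1-10)
        case "$perm" in
            ????????w?) echo "$d world-writable" ;;            # "w" in the others position
            ?????w????) echo "$d group-writable" ;;            # "w" in the group position
        esac
    done
}

# Demonstration on a constructed tree: one safe directory, one group-writable,
# one world-writable with the sticky bit (like /tmp), one relative entry, one missing.
demo_path_check() {
    base=$(mktemp -d)
    mkdir "$base/good" "$base/shared" "$base/open"
    chmod 755 "$base/good"
    chmod 775 "$base/shared"
    chmod 1777 "$base/open"
    check_path "$base/good:$base/shared:.:$base/open:$base/nonexistent"
    rm -rf "$base"
}

demo_path_check
```

The sticky bit on the "open" directory does not help here: it only stops users deleting each other's files, and a command planted there is still the first match for anyone whose PATH includes it.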

4. Group account files

1. Group account file

/etc/group: basic information about group accounts
/etc/gshadow: group passwords and group administrators

[root@promote home]# grep "ceshi1" /etc/group
ceshi:x:1002:ceshi1
ceshi1:x:1003:
Field 1: group name
Field 2: placeholder "x" (the group password, if any, is kept in /etc/gshadow)
Field 3: GID of the group
Field 4: users who have this group as a supplementary group (generally not the users whose primary group it is), separated by commas ","

Field 4 lists only supplementary members. Users whose primary group this is are recorded in field 4 of /etc/passwd instead, so grepping /etc/group alone understates a group's membership.

2. Add and delete group accounts: groupadd and groupdel

Add a group account
Command format: groupadd [-g GID] groupname
Delete a group account
Command format: groupdel groupname (refused while the group is still the primary group of an existing user)

Example: groupadd -g 2000 ceshi2    add a group named ceshi2 with GID 2000
tail -1 /etc/group               show the last line of the file, which is normally the group just added

3. Add and delete group members gpasswd

Command format: gpasswd [options] groupname
Common options:
-a: add one user to the group
-d: remove one user from the group
-M: set the complete member list, comma-separated (replaces the existing list)

Create ceshi5, add ceshi5 to the group ceshi2 with -a, then query the groups ceshi5 belongs to.
Querying the members of ceshi2 shows that ceshi3 and ceshi4 were already members. Using -M to define the list as ceshi3,ceshi5 makes ceshi4 disappear and ceshi5 appear: the list given to -M becomes the group's entire membership (the original list is overwritten, names in the list that were not members are added, members not in the list are removed).
Removing a member with -d works the same way as adding one with -a.

4. Query account information

1) Query the groups a user belongs to

groups  [username]

2) Query a user's identity (UID, GID and group list)

id  [username]
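As an added example (not part of the original article), the POSIX shell functions below reproduce what groups and id compute, and answer the question the group-file section above says grep cannot: who the full members of a group are. The primary group comes from field 4 of passwd, the supplementary groups from field 4 of group. The passwd and group records are constructed for the example; pass "$(cat /etc/passwd)" and "$(cat /etc/group)" to run against the live files.

```shell
#!/bin/sh
# Added example, not from the original article: resolve group membership from
# passwd and group records the way groups/id do. Sample data is constructed.

GROUP_SAMPLE='root:x:0:
wheel:x:10:admin1
ceshi:x:1002:ceshi1,ceshi3
ceshi1:x:1003:
ceshi3:x:1004:
ceshi2:x:2000:ceshi3,ceshi5
li:x:1005:li1'

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
admin1:x:1001:10::/admin:/bin/bash
ceshi1:x:1002:1003::/home/ceshi1:/bin/bash
ceshi3:x:1004:1004::/home/ceshi3:/bin/bash
li1:x:1005:1002::/home/zhang:/bin/bash'

# Group name for a GID (field 1 of the group record whose field 3 matches).
gid_to_name() {   # $1 group data, $2 gid
    printf '%s\n' "$1" | awk -F: -v gid="$2" '$3 == gid { print $1; exit }'
}

# Primary group of a user: field 4 of passwd, resolved through group.
primary_group() {   # $1 passwd data, $2 group data, $3 user
    gid=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print $4; exit }')
    [ -n "$gid" ] && gid_to_name "$2" "$gid"
}

# Supplementary groups: every group whose member list (field 4) names the user.
supplementary_groups() {   # $1 group data, $2 user
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# Same shape as "groups USER": primary group first, then the supplementary ones.
user_groups() {   # $1 passwd data, $2 group data, $3 user
    p=$(primary_group "$1" "$2" "$3")
    s=$(supplementary_groups "$2" "$3" | grep -vx "$p" | tr '\n' ' ')
    printf '%s %s\n' "$p" "$s" | sed 's/  *$//'
}

# All members of a group, primary (from passwd) and supplementary (from group).
group_members() {   # $1 passwd data, $2 group data, $3 group name
    gid=$(printf '%s\n' "$2" | awk -F: -v g="$3" '$1 == g { print $3; exit }')
    {
        printf '%s\n' "$1" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$2" | awk -F: -v g="$3" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "groups of li1: $(user_groups "$PASSWD_SAMPLE" "$GROUP_SAMPLE" li1)"
echo "members of ceshi: $(group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" ceshi)"
```

For the group ceshi the sample shows the point of the section: /etc/group alone lists ceshi1 and ceshi3, but li1 is also a member through its primary GID 1002, which only /etc/passwd records.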

3) Query detailed information about a user account with finger

The finger package must be installed first

yum install -y finger     install finger (the version may differ; Tab completion works)
finger  [username]

4) Query the users currently logged in to the host

w, who and users commands (they read /var/run/utmp; last reads /var/log/wtmp for the login history)

Supplement:

  • tty in the output is short for the terminal device. On a CentOS 7 system tty1-tty6 are text consoles, switched with Ctrl+Alt+F1-F6. On older releases the graphical session sat on tty7 (Ctrl+Alt+F7); on CentOS 7 with GDM it usually runs on tty1, and the who or w output shows which.
  • Press Ctrl+Alt+F2, log in, and run w: the terminal shown is tty2.
  • Remote connections made with Xshell or similar tools get a pseudo-terminal, pts/N. The number is the lowest free pseudo-terminal at the time of login, so it roughly reflects login order, but numbers are reused once a session ends, and a low number does not prove an early login.

5. Permission and ownership of files/directories

1. File/directory permissions

Read r: allows viewing the contents of a file, or listing a directory.
Write w: allows modifying the contents of a file, or creating, moving, renaming and deleting entries in a directory (deleting a file needs w on the directory, not on the file itself).
Execute x: allows running a program, or entering a directory and accessing its entries by name.

Permission        read   write   execute   none
Character         r      w       x         -
Octal value       4      2       1         0

Supplement: setuid (s in the owner's execute position): a program with this bit runs with the privileges of the file's owner instead of the user who launched it. When the owner is root this is what lets an ordinary user run actions otherwise reserved for root (passwd needs it to write /etc/shadow), so every setuid-root binary is part of the attack surface and should be inventoried. setgid (s in the group position) does the same for the group and, on a directory, makes new files inherit the directory's group; the sticky bit (t on a world-writable directory such as /tmp) lets only a file's owner delete or rename it.

2. Ownership

  • Owner: the user account that owns the file or directory
  • Group: the group account that owns the file or directory

3. View the permissions and ownership of files/directories

drwx------.     3     ceshi1    ceshi1   78 11月 22 13:40 ceshi1
type + permissions            owner     group
Reading the permission string against the table above, this directory's mode is 700 (the trailing "." means a SELinux context is set on it).

4. Set the permissions of directories and files chmod

Form 1:
chmod [ugoa...][+-=][rwx] file_or_directory
"ugoa" is the class of users the setting applies to: "u" the file owner, "g" users in the file's group, "o" all other users, "a" all users (the default when omitted).
"+-=" is the operation: "+" adds the permission, "-" removes it, "=" sets exactly the listed permissions for that class and clears the rest.
"rwx" is the permission letters; they can be combined or used singly, e.g. "r" or "rx". The capital letter X applies execute only to directories and to files that already have it.
Form 2:
chmod nnn file_or_directory
"nnn" is a three-digit octal number (a fourth leading digit sets the special bits: 4 setuid, 2 setgid, 1 sticky)

Common option
-R: recursively change the permissions of all subdirectories and files under the given directory

Create the directory tree aa/bb/cc and give write permission to the file's group and to other users.
With the first form and without -R, only aa itself receives the write permission.
With the second form plus -R, bb and cc inside it receive write permission too. Be careful combining -R with a numeric mode: 666 makes directories unenterable and 777 makes every file world-writable and executable, which is why the symbolic form with X exists.
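As an added example (not part of the original article), the POSIX shell functions below convert the 10-character permission field of ls -l to a four-digit octal mode, including the setuid, setgid and sticky bits from the supplement above, and then replay the aa/bb/cc exercise from this section (symbolic chmod without -R, numeric chmod with -R) in a temporary directory so the result can be read back. The tree and the setuid file are constructed for the example and everything runs as an ordinary user.

```shell
#!/bin/sh
# Added example, not from the original article: ls -l mode string to octal,
# plus the article's chmod exercise replayed on a throwaway tree.

# Octal value of one rwx triple, e.g. "r-x" -> 5. "s"/"t" count as x, "S"/"T" do not.
triple_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x|??s|??t) v=$((v + 1)) ;; esac
    echo "$v"
}

# Four-digit octal mode from the 10-character ls -l field, e.g. "-rwsr-xr-x" -> 4755.
mode_to_octal() {
    s=$1; sp=0
    case "$s" in ???[sS]??????) sp=$((sp + 4)) ;; esac   # setuid: owner execute position
    case "$s" in ??????[sS]???) sp=$((sp + 2)) ;; esac   # setgid: group execute position
    case "$s" in ?????????[tT]) sp=$((sp + 1)) ;; esac   # sticky: others execute position
    o=$(triple_value "$(printf '%s' "$s" | cut -c2-4)")
    g=$(triple_value "$(printf '%s' "$s" | cut -c5-7)")
    w=$(triple_value "$(printf '%s' "$s" | cut -c8-10)")
    echo "$sp$o$g$w"
}

# Mode of a path, read back through ls -ld (works without GNU stat).
mode_of() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Setuid files below a directory: -perm -4000 matches any file with the bit set.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# The article's exercise: aa/bb/cc, symbolic form without -R, then numeric with -R.
chmod_demo() {
    base=$(mktemp -d)
    (
        cd "$base" && umask 022 && mkdir -p aa/bb/cc
        chmod go+w aa                # form 1, no -R: only aa changes
        echo "aa=$(mode_of aa) bb=$(mode_of aa/bb)"
        chmod -R 777 aa              # form 2 with -R: bb and cc change too
        echo "aa=$(mode_of aa) bb=$(mode_of aa/bb) cc=$(mode_of aa/bb/cc)"
        chmod o+t aa                 # sticky bit, as on /tmp, shows as "t"
        touch aa/tool && chmod 4755 aa/tool   # a setuid file (constructed, owned by the caller)
        echo "aa=$(mode_of aa) tool=$(mode_of aa/tool) setuid=$(list_setuid aa | wc -l | tr -d ' ')"
    )
    rm -rf "$base"
}

chmod_demo
```

Running list_setuid against / (as root, with -xdev so that only the root filesystem is searched) gives the setuid inventory the supplement above recommends.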

5. Set the ownership chown of directories and files

chown owner file_or_directory

chown :group file_or_directory
chgrp group file_or_directory

chown owner:group file_or_directory
chown owner.group file_or_directory

-R: recursively change the ownership of all subdirectories and files under the given directory

For example, change the owner of ceshi1 to li; the other forms work the same way, just distinguish the owner from the group. Only root can change a file's owner; an ordinary user can change the group of a file they own, but only to a group they belong to. With -R, chown does not follow symbolic links by default (-P), so a link a user planted inside the tree cannot redirect the change to a file elsewhere; -H or -L change that and should be used deliberately.

6. Set the default permissions umask of directories and files

1) Function

  • Sets the default permission mask applied when the current user creates a new file or directory
  • A newly created file or directory gets the default maximum permission with the umask bits cleared (the maximum for an ordinary file is 666, for a directory 777). Octal subtraction gives the same answer only while no umask digit exceeds the matching digit of the maximum: umask 022 on a file gives 644 either way, but umask 027 on a file gives 640, not 666-027.

2) Setting the umask: umask 000
With umask 000, create an ordinary file named 2 and ll shows its permission is 666. Set umask 022 and create an ordinary file named 3; its permission is 644, which is 666 with the 022 bits cleared (similar to the wildcard mask in networking, which also marks the bits to ignore).
Directories work the same way but start from 777.
A umask set on the command line applies only to that shell session; the persistent default comes from /etc/profile and /etc/bashrc (022 for most users, 002 for users whose user name and group name match). Anything looser than 022 hands write access to other users on every new file, so a umask change is itself a permission decision.

3) Viewing the umask: umask
shows the 022 just set
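As an added example (not part of the original article), the POSIX shell functions below compute the mode a new file or directory receives under a given umask with the bitwise rule (maximum with the umask bits cleared), contrast it with the digit-by-digit subtraction shortcut, and then create real files under that umask in a temporary directory to confirm the prediction against what the kernel does. Everything runs as an ordinary user; the temporary files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: predict and verify umask results.

# Mode of a new ordinary file (max 666) or directory (max 777) under umask $2.
new_mode() {   # $1 "file"|"dir", $2 umask in octal, e.g. 022
    case "$1" in
        file) max=438 ;;   # 0666
        dir)  max=511 ;;   # 0777
        *) echo "usage: new_mode file|dir UMASK" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( max & ~0$2 ))   # leading 0 makes the shell read the umask as octal
}

# Digit-by-digit octal subtraction: the shortcut people use, wrong when a umask digit
# is larger than the matching digit of the maximum (it then produces a negative digit).
subtract_mode() {   # $1 maximum, $2 umask
    out=""; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        out="$out$((a - b))"
        i=$((i + 1))
    done
    echo "$out"
}

# "644" -> "rw-r--r--", so predictions can be compared with ls -l output.
octal_to_symbolic() {
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    echo "$out"
}

# Create a file and a directory under umask $1 and read their modes back via ls.
actual_modes() {
    base=$(mktemp -d)
    (
        cd "$base" && umask "$1"
        touch f && mkdir d
        echo "$(ls -ld f | cut -c2-10) $(ls -ld d | cut -c2-10)"
    )
    rm -rf "$base"
}

# "match" when the bitwise prediction equals what the kernel actually did for umask $1.
check_umask() {
    pred="$(octal_to_symbolic "$(new_mode file "$1")") $(octal_to_symbolic "$(new_mode dir "$1")")"
    [ "$pred" = "$(actual_modes "$1")" ] && echo match || echo mismatch
}

echo "umask 022: file $(new_mode file 022), dir $(new_mode dir 022), $(check_umask 022)"
echo "umask 027: file $(new_mode file 027) by bitwise rule, '$(subtract_mode 666 027)' by subtraction"
```

The second line shows why the subtraction shortcut is only an approximation: for umask 027 it produces an impossible digit, while the bitwise rule gives 640, which is what the kernel creates.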

Summary

Steps to create a shared (public) data directory
useradd username                  add the user account
groupadd groupname                add the group account
chmod 777 path                    give everyone full permission on the path (use with great caution)
chown owner path                  change the path's owner
mkdir dir1                        create the shared directory
chmod 777 dir1                    open the shared directory to everyone
After these steps the shared data directory is ready. Note that a 777 directory lets any user delete or rename anyone else's files in it; at minimum add the sticky bit as /tmp does (mode 1777), and for a directory shared by one team prefer group ownership with setgid (for example mode 2770 owned by the group) so that only members can enter it and new files inherit the group.


Origin blog.csdn.net/weixin_51326240/article/details/109926464