Linux account and permission management

User accounts

Linux controls access to resources based on the identity of the user who requests them, so account management is the foundation of every other permission decision on the system.

1. Overview of user accounts: Linux divides user accounts into several types according to system-management needs, and each type has different permissions and roles.

●Super administrator: root is the default super-user account of a Linux system and holds the highest authority on the machine. By default there is only one super administrator. What actually grants that authority is UID 0, not the name "root", so any account whose UID is 0 has the same power; checking /etc/passwd for additional UID 0 entries is a routine audit step.
●Ordinary user: created by root or another administrator. Their permissions are restricted; normally a user has full permissions only inside their own home directory.
●Program (system) users: low-privilege accounts added when the operating system or certain applications are installed. They are generally not allowed to log in and exist only so that a system service or program can run under a restricted identity, for example bin, daemon, ftp and mail.
●Anonymous user: the anonymous account in Windows is guest; in Linux it is nobody.

2. Overview of group accounts: each user account has a basic group (private group) and may have several additional groups (public groups). A user can be a member of many groups but has exactly one basic group. The fourth field of /etc/passwd holds the GID of the user's basic group; membership of additional groups is recorded in the group account file /etc/group.

Basic group (private group): created together with the user and given the same name as the user.
Additional group (public group): created directly as an empty group, after which existing users can be added to it freely. Once permissions are granted to the group, every member of the group has those permissions.

3. Overview of UID and GID: every user account and group account in Linux carries a numeric identifier, the UID (User IDentity, user identification number) or GID (Group IDentity, group identification number). To the kernel the UID is the basic way to tell users apart, so in principle every user's UID should be unique.

  Account type     UID / GID range
  root user        0
  program users    1 to 499 (1 to 999 on RHEL/CentOS 7 and later and on Debian/Ubuntu)
  ordinary users   500 to 60000 (1000 to 60000 on those newer releases)

The exact boundaries are set by UID_MIN, UID_MAX, GID_MIN and GID_MAX in /etc/login.defs; the ranges above are the CentOS 6 defaults, with the newer defaults in parentheses. The kernel does not enforce them: a second account with UID 0 is root by another name, and two accounts sharing one UID are indistinguishable to the kernel.

4. User account file /etc/passwd

●Stores basic information about each user: user name, home directory, login shell and so on.
●File location: /etc/passwd
●Each line is the account record of one user.
●All users can read the passwd file, but only the root user can change it.
●In early systems the password hash was stored in passwd itself. Because the file is world-readable, any local user could copy the hashes and brute-force them offline, so the hashes were moved into the shadow file and passwd keeps only the placeholder "x".
Each line of the passwd file contains seven fields separated by colons, for example:
root:x:0:0:root:/root:/bin/bash

Field 1: user account name, which is also the name used to log in to the system.
Field 2: password placeholder; "x" means the password hash is held in /etc/shadow.
Field 3: the UID number of the user account.
Field 4: the GID number of the user's basic group.
Field 5: user description (GECOS), usually the user's full name or other descriptive information.
Field 6: home directory, the default working directory the user lands in after logging in.
Field 7: login shell, the shell started for the user after login. /bin/bash allows an interactive login; /sbin/nologin and /bin/false refuse one. A non-login shell only blocks interactive sessions: such an account can still own files and run processes, and root can still switch to it with "su -s /bin/bash username".
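As an added example (not code from the original post), the following shell function walks a passwd-format file with awk and reports the conditions discussed above: a second UID 0 account, two names sharing one UID, a program user with an interactive shell, and a password field that is not the "x" placeholder. The sample records are constructed for the demonstration; the UID_MIN default of 1000 is an assumption that fits CentOS 7 and Debian, so pass 500 on CentOS 6.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a passwd-format file.
# Reads the file named as the first argument, or standard input when given "-".
# The UID_MIN argument defaults to 1000 (RHEL/CentOS 7+, Debian); pass 500 for CentOS 6.

audit_passwd() {
    file=${1:-"-"}
    uid_min=${2:-1000}
    awk -F: -v uid_min="$uid_min" '
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; next }
        # Any account with UID 0 is root, whatever it is called.
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
        # "x" means the hash lives in /etc/shadow; "*" is used by some system
        # accounts. Anything else is a hash stored in the world-readable file
        # or, worse, an empty field that allows login without a password.
        $2 != "x" && $2 != "*" {
            printf "PWFIELD %s %s\n", $1, ($2 == "" ? "empty-password" : "hash-in-passwd")
        }
        # Two names sharing one UID are the same identity to the kernel.
        ($3 in seen)  { printf "DUPUID %s %s (uid %s)\n", seen[$3], $1, $3 }
        !($3 in seen) { seen[$3] = $1 }
        # Program users should not have an interactive login shell.
        $3 > 0 && $3 < uid_min && $7 !~ /(nologin|false)$/ { printf "SYSSHELL %s %s\n", $1, $7 }
    ' "$file"
}

# Constructed sample data, not copied from any real machine.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
svc:x:450:450:service account:/var/lib/svc:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/bash
EOF
}

# Run against the sample; on a real host use: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Every line printed is something to explain or fix: "toor" is a second root, "bob" shares alice's UID (and therefore her files), "svc" can be logged into, and "guest" needs no password at all.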

5. User password file /etc/shadow

●Stores the user's password hash, account validity period and related password-aging information.
●File location: /etc/shadow
●Each line is the password record of one user.
●By default only the root user can read the shadow file, and its contents should not be edited directly; use passwd, chage or usermod, or "vipw -s", which locks the file while you edit it.
●The shadow file is also called the "shadow password file". Because it holds the password hashes of every account, access to it must be strictly restricted (mode 000 on RHEL/CentOS, 640 with group shadow on Debian).
●Each line of the shadow file contains nine fields separated by colons. The fields are described below using the example values root, 14374, 0, 99999 and 7.

Field                 Description
1 (root)              User account name
2                     Password hash. The prefix identifies the algorithm: $1$ is MD5 (legacy), $5$ SHA-256, $6$ SHA-512 (the RHEL/CentOS default), $y$ yescrypt (newer Debian and Fedora). A value of "*" or "!!" means the account has no usable password and cannot log in with one, and a hash prefixed with "!" has been locked with passwd -l or usermod -L. An empty field means the user can log in without any password, which should never appear on a real system.
3 (14374)             Date of the last password change, as the number of days since January 1, 1970
4 (0)                 Minimum password age in days: after a change, at least this many days must pass before the password can be changed again. The default 0 means no restriction
5 (99999)             Maximum password age in days: the password must be changed again within this many days. The default 99999 effectively means no restriction
6 (7)                 Warning period: how many days before expiry the user is warned. The default is 7
7                     Inactivity period: how many days after the password expires the account is disabled
8                     Account expiration date, as the number of days since January 1, 1970. Empty (the default) means the account never expires
9                     Reserved field, currently unused
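An added example, not from the original post: a shell function that decodes the nine shadow fields with awk and reports locked, passwordless, weakly hashed, password-expired and account-expired records, plus a helper that names the hash scheme from the "$n$" prefix. The sample lines are constructed and their hash bodies are placeholders; the "today" value is passed explicitly so the aging arithmetic is reproducible.

```shell
#!/bin/sh
# Added example (not part of the original post): decode and audit /etc/shadow records.
# audit_shadow FILE [TODAY] reads a shadow-format file ("-" for stdin); TODAY is the
# current date as days since 1970-01-01 and defaults to the real date, so a fixed value
# gives reproducible results.

# Name the hashing scheme from the prefix of field 2.
hash_algorithm() {
    case $1 in
        '')              echo none ;;       # empty: no password needed to log in
        '!'*|'*'*)       echo locked ;;     # "!" prefix or "*" / "!!": login disabled
        '$1$'*)          echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)          echo sha256 ;;
        '$6$'*)          echo sha512 ;;
        '$7$'*)          echo scrypt ;;
        '$y$'*)          echo yescrypt ;;
        '$'*)            echo unknown ;;
        *)               echo des ;;        # no "$" prefix: traditional 13-character DES crypt
    esac
}

audit_shadow() {
    file=${1:-"-"}
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF != 9 { printf "MALFORMED line %d\n", NR; next }
        {
            user = $1; hash = $2; last = $3; max = $5; expire = $8
            if (hash == "")
                printf "EMPTY %s (no password required)\n", user
            else if (hash ~ /^[!*]/)
                printf "LOCKED %s\n", user
            else if (hash ~ /^\$1\$/ || hash !~ /^\$/)
                printf "WEAKHASH %s (MD5 or DES crypt)\n", user
            if (last == 0)
                printf "MUSTCHANGE %s (change forced at next login)\n", user
            if (hash != "" && hash !~ /^[!*]/ && max != "" && max < 99999 && today - last > max)
                printf "PWEXPIRED %s (%d days old, max %d)\n", user, today - last, max
            if (expire != "" && expire <= today)
                printf "ACCTEXPIRED %s\n", user
        }
    ' "$file"
}

# Constructed sample; the hash bodies are placeholders, not real digests.
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:18600:0:99999:7:::
bin:*:18600:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:18600:0:90:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:18600:0:99999:7:::
carol:$1$saltsalt$PLACEHOLDERHASH:18600:0:99999:7:::
dave::18600:0:99999:7:::
erin:$6$saltsalt$PLACEHOLDERHASH:18600:0:99999:7::18700:
frank:$6$saltsalt$PLACEHOLDERHASH:0:0:99999:7:::
EOF
}

# Day 18800 is 2021-06-22; on a real host run, as root: audit_shadow /etc/shadow
sample_shadow | audit_shadow - 18800
```

The aging checks mirror what login does with these fields: alice is 200 days past a 90-day maximum, erin's account expiry day has passed, and frank's last-change day of 0 is what "passwd -e" writes to force a change at the next login.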

6. Add a user account: useradd

●useradd command
useradd [options] username
Common options:
-u  specify the user's UID number; the number must not already be in use by another user
-d  specify the location of the user's home directory (has no effect when combined with -M)
-e  specify the account expiration date, in YYYY-MM-DD format
-g  specify the basic group
-G  specify the additional groups (comma-separated)
-M  do not create a home directory, even if /etc/login.defs (CREATE_HOME) says one should be created
-s  specify the user's login shell

7. Set or change a user password: passwd

●The root user can pass a user name as an argument to manage that account's password; with no user name it changes the password of the current account.
●Ordinary users can only run "passwd" on its own to change their own password.
●passwd command
passwd [options] username
Common options:
-d  delete the password of the specified user, so the account can be entered with the user name alone (this leaves an empty password field in /etc/shadow; avoid it on any multi-user or network-reachable host)
-l  lock the user account (prefixes the hash in /etc/shadow with "!")
-S  show the status of the account, including whether it is locked
-u  unlock the user account

●A second way to set the password non-interactively:
echo "password" | passwd --stdin username
The --stdin option exists only in the Red Hat family's passwd. A portable alternative is chpasswd, which reads "username:password" lines on standard input. With either form, typing the password literally on the command line records it in the shell history and exposes it to "ps" while the pipeline runs, so feed it from a file or variable that is not logged.

8. Modify user account attributes: usermod

●usermod [options] username
●Common options:
-u  change the user's UID number
-d  change the home directory (add -m to move the existing contents)
-e  change the account expiration date, in YYYY-MM-DD format
-s  change the user's login shell
-l  change the user's login name
-L  lock the user
-U  unlock the user
-g  change the user's basic group (group name or GID)
-G  set the user's additional groups (group names or GIDs). Note that -G replaces the whole additional-group list; use "-aG" to append to it, otherwise the user silently drops out of every other additional group.

9. Delete a user account: userdel

●userdel [-r] username
●Note: with -r, the user's home directory and mail spool are deleted together with the account.
●userdel refuses to remove an account that still has running processes; "killall -u username" (or "pkill -u username") ends them first.
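The whole procedure from sections 6 to 9 as one script, added here as an example and not taken from the original post. It assumes shadow-utils and GNU date as found on CentOS, and the names alice and wheel are placeholders. The system-changing part only runs as root with an explicit "demo" argument; the two validation helpers, which keep an untrusted user name or a reserved UID from reaching useradd, can be exercised by anyone.

```shell
#!/bin/sh
# Added example (not part of the original post): provision, lock and remove an
# ordinary user with the commands from sections 6 to 9. Everything that touches the
# system needs root and only runs when invoked as: sh provision.sh demo
# Assumptions: shadow-utils (useradd/usermod/userdel/chpasswd/passwd) and GNU date,
# as on CentOS; the account name "alice" and group "wheel" are placeholders.
set -u

# useradd accepts names matching ^[a-z_][a-z0-9_-]*$ of at most 32 characters.
# Validating first stops an untrusted name such as "-G wheel" from being parsed as options.
valid_username() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Ordinary users must have UID >= UID_MIN; UID 0 is root and lower UIDs are program users.
# ordinary_uid UID [UID_MIN]; UID_MIN is read from /etc/login.defs, falling back to 1000.
ordinary_uid() {
    uid_min=${2:-$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs 2>/dev/null)}
    [ "$1" -ge "${uid_min:-1000}" ] 2>/dev/null
}

# provision_user NAME UID [GROUPS]; the initial password is read from standard input
# so that it never appears on a command line, in "ps" output or in shell history.
provision_user() {
    name=$1; uid=$2; groups=${3:-}
    valid_username "$name" || { echo "refusing invalid user name" >&2; return 1; }
    ordinary_uid "$uid"    || { echo "refusing UID $uid (root or program-user range)" >&2; return 1; }
    IFS= read -r password
    useradd -m -u "$uid" -s /bin/bash -e "$(date -d '+90 days' +%F)" ${groups:+-G "$groups"} -- "$name"
    printf '%s:%s\n' "$name" "$password" | chpasswd    # portable replacement for passwd --stdin
    passwd -e "$name"                                   # force a change at first login
    # Check the result: id confirms UID and groups, passwd -S shows PS (set), LK (locked) or NP (none).
    id "$name" && passwd -S "$name" && chage -l "$name"
}

lock_user() {
    usermod -L "$1"          # prefixes the hash in /etc/shadow with "!"
    pkill -u "$1" || true    # end the user's processes, as killall -u would
    passwd -S "$1"
}

remove_user() {
    userdel -r "$1"          # -r also removes the home directory and mail spool
}

provision_demo() {
    printf '%s\n' 'Temp#Pass-2021' | provision_user alice 1001 wheel
    lock_user alice
    remove_user alice
}

if [ "${1:-}" = demo ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    provision_demo
fi
```

The "--" before the user name and the two checks in front of useradd matter when the name or UID comes from a ticket, a web form or another system: without them a crafted value can add options, create a second UID 0 account or reuse a program user's UID.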

10. Initial configuration files of a user account

●Where the files come from
1. After adding a new account, the useradd command places some initial configuration files in the new home directory.
2. These files are copied from the account template directory /etc/skel/ and are almost all hidden (dot) files.
●~/.bash_profile  Executed every time the user logs in; it sets some environment variables and then sources the user's ~/.bashrc.
●~/.bashrc  Executed every time a new bash shell is opened (including at login); it sources /etc/bashrc.
●~/.bash_logout  Executed every time the user logs out or exits the bash shell.
●/etc/profile  The configuration file for system-wide environment variables. It is read at login, or on demand with "source /etc/profile".
●/etc/profile.d  A directory, not a file: it holds the startup scripts that individual applications need, and /etc/profile sources every script in it.
●/etc/bashrc  Executed by every user who runs bash; it is read each time a new bash shell is started with the bash command.
The PATH variable sets the default search path for executable programs.
How PATH is built:
At login, /etc/profile runs first and appends the system directories /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH (the exact list depends on the distribution), then calls the scripts in /etc/profile.d; after that, ~/.bash_profile runs and may add user-specific directories such as ~/bin. Because PATH is searched in order, a directory that other users can write to, or a relative entry such as ".", lets an attacker plant a program that runs in place of a system command.
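An added example (not part of the original post) that applies the point above: check_path splits a PATH value and reports entries that let someone else decide which program runs. It assumes a find that accepts -H and -perm -002, as GNU find does.

```shell
#!/bin/sh
# Added example (not part of the original post): check a PATH value for entries an
# attacker could abuse. check_path [PATH] prints one finding per line; path_is_safe
# succeeds only when nothing but informational lines was printed.

check_path() {
    # tr turns the colon-separated list into lines so empty entries survive the split.
    printf '%s\n' "${1:-$PATH}" | tr ':' '\n' | while IFS= read -r dir; do
        case $dir in
            ''|.)
                echo "CWD '$dir': the current directory is searched, so a planted ./ls or ./sudo wins" ;;
            /*)
                if [ ! -d "$dir" ]; then
                    echo "INFO $dir does not exist"
                # -H follows a symlinked entry such as /bin -> usr/bin instead of testing the link itself
                elif [ -n "$(find -H "$dir" -prune -perm -002 2>/dev/null)" ]; then
                    echo "WRITABLE $dir: world-writable, any local user can drop a binary here"
                fi ;;
            *)
                echo "RELATIVE $dir: resolved against whatever the current directory is" ;;
        esac
    done
}

path_is_safe() {
    if check_path "${1:-$PATH}" | grep -qv '^INFO '; then
        return 1
    fi
    return 0
}

# Demonstration on the caller's own PATH.
check_path "$PATH"
path_is_safe "$PATH" && echo "PATH looks safe"
```

Run it from each of the files above that modifies PATH (or simply in a login shell) to see the final value the user actually gets; a "WRITABLE" or "CWD" finding on root's PATH is a privilege-escalation path, not a style issue.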

Group accounts

1. Group account files

●/etc/group stores the basic information of each group account.
●/etc/gshadow stores the group password and group administrator information and, like /etc/shadow, is readable only by root.
Each line of /etc/group has four fields separated by colons:
Field 1: the name of the group account
Field 2: placeholder "x" (the group password, if any, lives in /etc/gshadow)
Field 3: the GID number of the group account
Field 4: the user members of the group, separated by commas. Users whose basic group this is are normally not listed here, because that membership is recorded by the GID field of /etc/passwd; to see everyone who is effectively in a group you must consult both files.

2. Add a group account: groupadd

●groupadd command
groupadd [-g GID] groupname
-g  specify the GID number

3. Add and delete group members: gpasswd

●gpasswd command
Sets the group password and adds or removes group members.
gpasswd [options] groupname
●Common options
-a  add a user to the group
-d  delete a user from the group
-M  set the complete member list, separated by commas (replaces the existing list)

4. The groupdel command deletes a group account

●groupdel group account name

5. Query account information

●You can always read the user and group configuration files directly, but that is not convenient. Linux also provides several commonly used query commands.
●id command: query the identity of a user account. It quickly shows the UID, GID and group membership of the specified user.
id [username]
●groups command: list the groups a user belongs to.
groups [username]
●finger command: query a user's login attributes.
finger [username]
Note: finger is not installed by default. Check whether it is present with "rpm -qa | grep finger" and install it with "yum install -y finger".
●w, who, users: show the users currently logged in to the host.

Permissions and ownership of files and directories

●Access permissions

Read (r): allows viewing the contents of a file, or listing the contents of a directory.
Write (w): allows modifying the contents of a file; on a directory it allows creating, moving and deleting files or subdirectories in it (including files owned by someone else, unless the directory's sticky bit is set).
Execute (x): allows running a program; on a directory it allows entering it with cd and accessing the entries inside it.
●Ownership
Owner (user): the user account that owns the file or directory.
Group: the group account that owns the file or directory.

●Understanding the permission field -rw-r--r--

Character          Description
1st "-"            File type: d (directory), b (block device), c (character device), "-" (ordinary file), l (symbolic link), and so on.
2nd to 4th "rw-"   Permissions of the file's owner (User).
5th to 7th "r--"   Permissions of the members of the file's group (Group).
8th to 10th "r--"  Permissions of every other user (Other).

●Meaning of the other fields in "ls -l" output

Field            Description
1                Number of hard links to the file (for a directory, each subdirectory adds one)
first "root"     Owner
second "root"    Owning group
34298            Size in bytes
04-02 00:23      Last modification time (not the creation time)

●Permissions can be written as a symbolic string such as rwxrwxrwx or as an octal number such as 777.
●Each group of three is summed as r=4, w=2, x=1: rwx is 7, r-x is 5, rwxr-xr-x is 755 and rw-r--r-- is 644.
●The digit values are fixed, and an ordinary data file normally should not carry execute permission.

Setting file and directory permissions: chmod

●chmod [ugoa] [+-=] [rwx] file-or-directory
(u, g, o and a stand for owner, group, others and all users; +, - and = add, remove and set permissions)

●chmod nnn file-or-directory (the most common form; nnn is the three-digit octal number described above, such as 777, 755 or 644)

●-R recursively changes the permissions of everything under the specified directory

Changing ownership: chown (changing the owner requires root; an owner can change only the group, with chgrp, and only to a group they belong to)
●chown owner file-or-directory
●chown :group file-or-directory
●chown owner:group file-or-directory
●-R applies the change recursively

Permission mask: umask

●What umask does:
1. Controls the permissions of newly created files and directories.
2. The permissions of a new file or directory are the default permissions with the umask bits removed.
3. The default maximum permission for an ordinary file is 666 (no execute bit), and for a directory 777.
●The umask value is the set of permission bits to remove from the default, applied as a bitwise mask rather than arithmetic subtraction. "umask 022" removes the value 2 (write) from group and others, so with that mask a new directory gets 755 and a new file gets 644. With "umask 000", a new directory gets 777 and a new file 666. For masks such as 027 the difference matters: 666 masked by 027 gives 640, a result digit-by-digit subtraction cannot produce.

Source: blog.csdn.net/Dark_Tk/article/details/113186806