Linux-account and permission management
- Overview of user accounts and group accounts
- 1. Account introduction
- 2. UID and GID
- 3. User account file /etc/passwd
- 4. User account file /etc/shadow
- 5. Add user account: useradd command
- 6. Set/change user password: passwd
- 7. Modify the attributes of the user account: usermod
- 8. Delete the user account: userdel
- 9. The initial configuration files of the user account
- 10. Group account files
- 11. Add group account: groupadd
- 12. Add and delete group members: gpasswd
- 13. Delete the group account: groupdel
- 14. Query account information
- Second, permissions and ownership of files and directories
Overview of user accounts and group accounts
1. Account introduction
- User accounts
1. Super user: the root user is the default super user account in the Linux operating system and has the highest authority on the host. It is the only super user in the system.
2. Ordinary users: created by the root user or other administrators. Their permissions are limited; generally they have full permissions only in their own home directory.
3. Program users: when the Linux operating system and some applications are installed, certain low-privilege user accounts are added. These users are generally not allowed to log in to the system and exist only to keep the system or a program running, for example bin, daemon, ftp, mail, etc.
- Group accounts
Basic group (private group): each user has exactly one basic group, usually the group specified when the user was created.
The 4th field of the user's record in /etc/passwd is the GID number of the basic group.
Additional group (public group): any group the user is added to in addition to the basic group.
2. UID and GID
- UID and GID
UID (User IDentity, user identification number)
GID (Group IDentity, group identification number)
The UID and GID of the root user account are fixed at 0.
The UID and GID of program user accounts default to the range 1~499.
The UID and GID of ordinary user accounts default to the range 500~60000.
3. User account file /etc/passwd
- Saves basic information such as the user name, home directory and login shell
File location: /etc/passwd
Each line corresponds to one user account record
[root@localhost ~]# head -2 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
- The user account file /etc/passwd is organised around the needs of system operation and management. All users can read the contents of the passwd file, but only the root user can change it.
In early UNIX operating systems, the password information of user accounts was stored in the passwd file itself. Because any user could read it, a malicious user could easily obtain the password string and brute-force it offline, which is a security risk. The design was later improved: the password was moved to a separate shadow file, and only the placeholder "x" was kept in the passwd file.
root:x:0:0:root:/root:/bin/bash
Field 1: the name of the user account
Field 2: the password placeholder "x"
Field 3: the UID number of the user account
Field 4: the GID number of the user's basic group
Field 5: the user's full name
Field 6: home directory
Field 7: login shell (/bin/bash allows logging in to the system; /sbin/nologin and /bin/false forbid the user from logging in to the system)
4. User account file /etc/shadow
- Save the user's password, account validity period and other information
File location: /etc/shadow
Each line corresponds to a user's password record
[root@localhost ~]# head -2 /etc/shadow
root:$1$55HB4pbx$acHqk4IZiHTZ9cw0ZJe8f0:14374:0:99999:7:::
bin:*:14374:0:99999:7:::
[root@localhost ~]# tail -1 /etc/shadow
teacher:$1$BT7teaYX$s2sr6uFUwKhtU.8/8VpzB1:14374:0:99999:7:::
- The user account file /etc/shadow: by default only the root user can read the shadow file, and its contents should not be edited directly.
root::18665:0:99999:7:::
Field 1: the name of the user account.
Field 2: the encrypted (hashed) password string; the "$1$" prefix in the example above denotes the MD5-based crypt format. When it is "*" or "!!", the user cannot log in to the system. If the field is empty, the user can log in to the system without a password.
Field 3: the date of the last password change, as the number of days since 1 January 1970.
Field 4: the minimum password age in days. After a password change, at least this many days must pass before the password can be changed again. The default is 0, meaning no restriction.
Field 5: the maximum password age in days. After this many days since the last change, the password must be changed again. The default is 99999, which in effect means no restriction.
Field 6: how many days before expiry the user is warned that the password will expire; the default is 7.
Field 7: how many days after the password expires the account is disabled.
Field 8: the account expiration date, as the number of days since 1 January 1970 on which the account becomes invalid. The default is empty, meaning the account never expires.
Field 9: reserved field (unused).
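The field descriptions above translate directly into checks an administrator can run over the two files. The following script is an added example, not part of the original page; its passwd and shadow content is constructed inline (the hash strings are the ones shown above) so that it runs offline, and it reports UID-0 accounts other than root, program users with a real login shell, accounts with an empty password field, and locked accounts.

```sh
#!/bin/sh
# Added example: audit passwd/shadow records for the conditions the field
# descriptions imply. Sample content is constructed; on a real host pass
# "$(cat /etc/passwd)" and "$(cat /etc/shadow)" instead (shadow needs root).

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
backup:x:0:0:backup admin:/home/backup:/bin/bash
teacher:x:500:500:teacher:/home/teacher:/bin/bash'

SHADOW_SAMPLE='root:$1$55HB4pbx$acHqk4IZiHTZ9cw0ZJe8f0:14374:0:99999:7:::
bin:*:14374:0:99999:7:::
ftp:*:14374:0:99999:7:::
backup::18665:0:99999:7:::
teacher:!!:14374:0:99999:7:::'

# Accounts other than root whose UID (passwd field 3) is 0: each one is a
# second super user.
extra_uid0() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Program-user UID range (1~499) combined with a login shell (field 7):
# such accounts are normally expected to use /sbin/nologin or /bin/false.
login_capable_program_users() {
  printf '%s\n' "$1" | awk -F: '$3 >= 1 && $3 <= 499 &&
    $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Empty shadow password field (field 2): the account logs in with no password.
empty_password() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# "*" or "!!" in field 2: the account is locked and cannot log in.
locked_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "*" || $2 == "!!" { print $1 }'
}

# One line per finding, run here against the constructed data.
audit_report() {
  printf 'extra UID 0: %s\n' "$(extra_uid0 "$1" | tr '\n' ' ')"
  printf 'program users with login shell: %s\n' "$(login_capable_program_users "$1" | tr '\n' ' ')"
  printf 'empty password: %s\n' "$(empty_password "$2" | tr '\n' ' ')"
  printf 'locked: %s\n' "$(locked_accounts "$2" | tr '\n' ' ')"
}

audit_report "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```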
5. Add user account: useradd command
- useradd command
useradd [options]... username
- Common options
-u, -d, -e, -g, -G, -M, -s
-u: specify the user's UID number; the UID must not already be used by another user.
-d: specify the location of the user's home directory (has no effect when combined with -M). Only an absolute path can be used.
-e: specify the expiration date of the user's account, in the date format YYYY-MM-DD.
-g: specify the user's basic group by name (or by GID number); the group must already exist.
-G: specify the user's additional group by name (or by GID number); the group must already exist.
-M: do not create a home directory.
-s: specify the user's login shell (for example, /bin/bash allows logging in to the system, while /sbin/nologin and /bin/false forbid the user from logging in to the system).
- Example
useradd -d /ftphome/mike -g mike -G ftpuser -s /sbin/nologin mike
useradd -d /admin -g wheel -G root admin1
useradd -e 2020-12-31 -s /sbin/nologin admin2
- Adding a user account with useradd (or adduser) appends the account's record to the end of the /etc/passwd and /etc/shadow files.
If the home directory is not explicitly specified, a home directory with the same name as the user account is created automatically under /home, and the user's initial configuration files are created in it. If the user's group is not explicitly specified, a basic group account with the same name as the user account is created automatically, and its record is saved in the /etc/group and /etc/gshadow files.
6. Set/change user password: passwd
- passwd command
passwd [options]... username
- Common options
-d, -l, -S, -u
-d: clear the password of the specified user, so that only the user name is needed to log in to the system.
-l: lock the user account; a locked account can no longer log in to the system.
-S: view the status of the user account (whether it is locked).
-u: unlock the user account.
The root user can pass a user name as a parameter to manage that account's password; if no user name is given, the current account's password is changed. Ordinary users can only run a bare "passwd" command to change their own password.
- Second way to set a user password: echo "password" | passwd --stdin username
7. Modify the attributes of the user account: usermod
- usermod command
usermod [options]... username
- Common options
-l, -L, -U (the following options have the same meaning as in the useradd command)
-u, -d, -e, -g, -G, -s
-u: modify the user's UID number.
-d: modify the location of the user's home directory.
-e: modify the expiration date of the user's account, in the date format YYYY-MM-DD.
-g: modify the user's basic group name (or GID number).
-G: modify the user's additional group name (or GID number).
-s: specify the user's login shell.
-l: change the login name of the user account.
-L: lock the user account.
-U: unlock the user account.
- Example
Change the login name of the user zhangsan to zhangsan1:
usermod -l zhangsan1 zhangsan
8. Delete the user account: userdel
- userdel command
userdel [-r] username (with the -r option, the user's home directory is deleted as well)
- Example
[root@localhost ~]# useradd zs
[root@localhost ~]# ls -ld /home/zs/
drwx------ 2 stu01 stu01 4096 09-09 12:38 /home/zs/
[root@localhost ~]# userdel -r zs (delete the account zs)
[root@localhost ~]# ls -ld /home/zs/
ls: /home/zs/: No such file or directory
9. The initial configuration files of the user account
- File source
The useradd command adds a new user account and creates some initial configuration files in the user's home directory.
These files come from the account template directory /etc/skel, and they are basically hidden files.
- Main user initial configuration files
The initial configuration files in the user's home directory are valid only for that user.
~/.bash_profile: the commands in this file are executed every time the user logs in. It sets some environment variables and calls the user's ~/.bashrc file.
~/.bashrc: the commands in this file are executed every time a new bash shell is opened (including at login), and it calls the /etc/bashrc file.
~/.bash_logout: the commands in this file are executed every time the user logs out or exits the bash shell.
- Global configuration files, valid for all users
/etc/profile: the configuration file for system-wide global variables. It is re-read when the system restarts or when the command source /etc/profile is executed.
/etc/profile.d/: a subdirectory belonging to /etc/profile that stores the startup scripts required by some applications.
/etc/bashrc: every user running the bash shell executes this file; it is re-read whenever a new bash shell is opened by executing the bash command.
For example, add an alias to /etc/bashrc, open a new bash shell and confirm that it is defined:
vi /etc/bashrc
alias myls='/bin/ls -lhr'
bash
type myls
- PATH: the most common change is setting the default search path for executable programs. How PATH takes effect:
Every time the system starts, /etc/profile and ~/.bash_profile are executed. /etc/profile appends /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH, then calls the scripts in the /etc/profile.d directory.
10. Group account files
- Similar to the user account files
/etc/group: saves the basic information of group accounts
/etc/gshadow: saves the password information of group accounts
grep "postfix" /etc/group
mail:x:12:postfix
postfix:x:89:
(field 1 is the group account name; field 4 is the list of group members)
Field 1: the name of the group account
Field 2: placeholder "x"
Field 3: the GID number of the group account
Field 4: the user members of the group account (generally excluding the user whose basic group this is); multiple members are separated by commas ","
11. Add group account: groupadd
- groupadd command
groupadd [-g GID] group_account_name
-g: specify the GID number
- Example
[root@localhost ~]# groupadd -g 1000 market (add the group account market)
[root@localhost ~]# tail -1 /etc/group
market:x:1000:
12. Add and delete group members: gpasswd
- gpasswd command
Sets the group account password (rarely used) and adds/removes group members.
gpasswd [options]... group_account_name
- Common options
-a, -d, -M
-a: add a user as a member of the group
-d: delete a user member from the group
-M: define the full list of group members, separated by commas
13. Delete the group account: groupdel
- groupdel command
groupdel group_account_name
- Example
Delete the group account market:
[root@localhost ~]# groupdel market
[root@localhost ~]# grep "market" /etc/group
14. Query account information
- groups command
Query the groups a user belongs to
groups [username]
- id command
Query a user's identification (UID, GID and groups)
id [username]
- finger command
Query the login attributes of a user account (note: the finger package must be installed first)
yum install -y finger
finger [username]
- w, who, users commands
Query information about the users currently logged in to the host
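The groups command above combines the two kinds of membership described in section 10: the basic group comes from field 4 of /etc/passwd, the additional groups from the member lists in field 4 of /etc/group. The script below is an added example, not part of the original page; it reproduces that resolution over constructed passwd and group content that matches the useradd examples for mike and admin1.

```sh
#!/bin/sh
# Added example: derive what "groups user" reports from passwd and group
# records. Sample content is constructed; on a real host pass
# "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mike:x:501:501:mike:/ftphome/mike:/sbin/nologin
admin1:x:502:10:admin1:/admin:/bin/bash'

GROUP_SAMPLE='root:x:0:admin1
wheel:x:10:
mail:x:12:postfix
mike:x:501:
ftpuser:x:502:mike'

# Basic group: the user's GID from passwd field 4, resolved to a group name
# through group field 3. The user need not appear in that group's member list.
basic_group() {  # $1 user, $2 passwd content, $3 group content
  gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4 }')
  printf '%s\n' "$3" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Additional groups: every group whose comma-separated member list
# (group field 4) names the user.
additional_groups() {  # $1 user, $2 group content
  printf '%s\n' "$2" | awk -F: -v u="$1" '{
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
  }'
}

# Same shape as the output of "groups": basic group first, then the
# additional groups, space separated.
user_groups() {  # $1 user, $2 passwd content, $3 group content
  basic=$(basic_group "$1" "$2" "$3")
  extra=$(additional_groups "$1" "$3" | tr '\n' ' ')
  printf '%s %s\n' "$basic" "$extra" | sed 's/ *$//'
}

for u in root mike admin1; do
  printf '%s : %s\n' "$u" "$(user_groups "$u" "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
done
```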
Second, permissions and ownership of files and directories
1. Access permissions
- Access permissions
Read (r): allows viewing file contents and listing directory contents
Write (w): allows modifying file contents, and creating, moving or deleting files or subdirectories in a directory
Execute (x): allows running a program and entering (switching into) a directory
- Ownership
Owner: the user account that owns the file or directory
Owning group: the group account that owns the file or directory
- Example
[root@localhost ~]# ls -l
drwxr-xr-x. 3 root root 101 February 6 10:30 abrt
-rw-r--r--. 1 root root 16 February 6 10:34 adjtime
-rw-r--r-- represents the file type and permissions
root root represents the owner and the owning group
Permission assignment | file owner | | | group of the file | | | other users | | |
---|---|---|---|---|---|---|---|---|---|
Permission item | read | write | execute | read | write | execute | read | write | execute |
Character representation | r | w | x | r | w | x | r | w | x |
Numeric representation | 4 | 2 | 1 | 4 | 2 | 1 | 4 | 2 | 1 |
rw- equals 4+2+0 = 6
r-x equals 4+0+1 = 5
2. Set the permissions of files and directories: chmod command
- chmod command
- chmod [ugoa][+-=][rwx] file or directory...
u, g, o, a represent the owner, the group, other users and all users respectively
r, w, x represent read, write and execute permissions respectively
+, -, = add, remove and set permissions respectively
- chmod nnn file or directory...
nnn is a 3-digit octal number
- Example
touch aa
chmod ugo+x aa
chmod a+x aa
chmod -x aa
- Commonly used options
-R: recursively modify the permissions of all sub-items in the specified directory.
With -R, modifying aa also modifies aa/bb/cc
3. Set the ownership of files and directories: chown command
- chown command
chown owner file_or_directory
chown :group file_or_directory (equivalent to chgrp)
chown owner:group file_or_directory
chown owner.group file_or_directory
- Common options
-R: recursively modify the ownership of all files and subdirectories under the specified directory
4. Set the default permissions of directories and files: umask command
- The role of umask
umask controls the permissions of newly created files or directories: the permission bits set in umask are removed from the default permissions, and what remains is the permission of the new file or directory.
- umask setting: umask 022
- View umask: umask
- Example
Set umask to 000, create a new directory and a new file, and view their permissions.
Set umask to 022, create a new directory and a new file, and view their permissions.
- Setting the default permissions of directories and files: umask specifies, for the current user, the permissions removed when new files or directories are created. The permissions of a new file or directory are the maximum default permissions minus umask (the maximum default permissions are 666 for ordinary files and 777 for directories).
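The character/number table in section 1 and the umask rule above are both small pieces of arithmetic. The functions below are an added example, not part of the original page: they convert between the rwx form and the octal form of a mode, and compute the mode a new file or directory receives for a given umask, without creating any files.

```sh
#!/bin/sh
# Added example: permission arithmetic from the rwx table and the umask rule,
# in POSIX sh. Nothing is created or changed on disk.

# One rwx triplet (e.g. "r-x") to its digit (e.g. 5): r=4, w=2, x=1.
triplet_to_digit() {
  d=0
  case "$1" in r??) d=$((d + 4)) ;; esac
  case "$1" in ?w?) d=$((d + 2)) ;; esac
  case "$1" in ??x) d=$((d + 1)) ;; esac
  echo "$d"
}

# 9-character permission string as shown by ls -l (without the leading
# file-type character), e.g. "rw-r--r--", to the octal form, e.g. 644.
mode_to_octal() {
  printf '%s%s%s\n' \
    "$(triplet_to_digit "$(printf '%s' "$1" | cut -c1-3)")" \
    "$(triplet_to_digit "$(printf '%s' "$1" | cut -c4-6)")" \
    "$(triplet_to_digit "$(printf '%s' "$1" | cut -c7-9)")"
}

# One digit back to its triplet, e.g. 6 -> "rw-".
digit_to_triplet() {
  case $(( $1 & 4 )) in 0) r='-' ;; *) r='r' ;; esac
  case $(( $1 & 2 )) in 0) w='-' ;; *) w='w' ;; esac
  case $(( $1 & 1 )) in 0) x='-' ;; *) x='x' ;; esac
  printf '%s%s%s' "$r" "$w" "$x"
}

# Octal form to the 9-character string, e.g. 640 -> "rw-r-----".
octal_to_mode() {
  for i in 1 2 3; do
    digit_to_triplet "$(printf '%s' "$1" | cut -c"$i")"
  done
  echo
}

# Permissions of a newly created file or directory: the maximum default
# (666 for files, 777 for directories) with the umask bits cleared.
default_mode() {  # $1 is "file" or "dir", $2 is the umask, e.g. 022
  case "$1" in dir) base=0777 ;; *) base=0666 ;; esac
  printf '%03o\n' $(( base & ~0$2 ))
}

echo "umask 022: file $(default_mode file 022), dir $(default_mode dir 022)"
echo "umask 000: file $(default_mode file 000), dir $(default_mode dir 000)"
```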