One chapter to understand Linux account and permission management

User account files and group account files

Linux controls access to resources based on user identity.

User accounts

Super user (root): root is the default super user account in the Linux operating system and has the highest authority on the host. There is only one super user in the system.

Ordinary users: created by root or another administrator user; their permissions are restricted, and they generally have full permissions only within their own home directory.

Program users: when the Linux operating system and some applications are installed, certain low-privilege user accounts are added. These users are generally not allowed to log in to the system and exist only to keep the system or a program running normally, for example bin, daemon, ftp and mail.

Group accounts

Basic group (private group): a user has exactly one basic group account, usually the group specified when the user is created.
The 4th field of the user's record in /etc/passwd is the GID number of the basic group.

Additional groups (public groups): the further groups a user is added to beyond the basic group.

UID and GID

UID (User IDentity, user identification number)
GID (Group IDentity, group identification number)
The UID and GID of the root user account are fixed at 0.
The UIDs and GIDs of program user accounts default to 1 to 499.
The UIDs and GIDs of ordinary users default to 500~60,000.

User account management

User account file passwd

Function: saves basic information such as the user name, home directory and login shell.
File location: /etc/passwd
Each line corresponds to a user's account record

Field  Description
Field 1  The name of the user account
Field 2  Password placeholder "x"
(In early UNIX systems the password information of user accounts was stored in the passwd file itself, so an unscrupulous user could easily obtain the password string and brute-force it, which carried some security risk. The password was therefore moved to a dedicated shadow file, and only the placeholder "x" remains in passwd.)
Field 3  UID number of the user account
Field 4  GID number of the user's basic group
Field 5  User's full name
Field 6  Home directory
Field 7  Login shell
(/bin/bash allows the user to log in; /sbin/nologin and /bin/false forbid the user from logging in)
E.g. root:x:0:0:root:/root:/bin/bash

User account file shadow

By default, only the root user can read the content in the shadow file, and it is not allowed to directly edit the content in the file.
Function: save the user's password, account validity period and other information.
File location: /etc/shadow
Each line corresponds to a user's password record

Field  Description
Field 1  The name of the user account
Field 2  The encrypted (MD5) password string. When it is "*" or "!!" the user cannot log in to the system. If this field is empty, the user can log in without a password
Field 3  When the password was last changed, as the number of days since January 1, 1970
Field 4  Minimum password age in days: after a change, at least this many days must pass before the password can be changed again. The default is 0, meaning no restriction
Field 5  Maximum password age in days: after a change, the password must be changed again within this many days. The default is 99999, meaning no restriction
Field 6  How many days before expiry the user is warned that the password is about to expire; the default is 7
Field 7  How many days after the password expires the account is disabled
Field 8  Account expiry date, as the number of days since January 1, 1970 on which the account becomes invalid. The default is empty, meaning the account never expires
Field 9  Reserved field (unused)
E.g. root:$6$VyoUGqoC$v5HlLM1wagzC/FwGfnrtJFnlT:18445:0:99999:7:::
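The field layouts of /etc/passwd and /etc/shadow above lend themselves to a quick audit. The following shell functions are an added example, not code from the original post: they run over constructed sample records (the hashes are fake placeholders) and accept real file contents as an optional argument. Note that the prefix of field 2 names the hash algorithm: $1$ is MD5, while $6$ (as in the root example above) is SHA-512.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/passwd and /etc/shadow
# records with the field layout described above. The records below are
# constructed sample data with fake hashes; pass real file contents as $1
# (as root, for shadow) to audit a live system.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin2:x:501:501::/home/admin2:/sbin/nologin
guest:x:502:502::/home/guest:/bin/bash
rogue:x:0:503::/home/rogue:/bin/bash'
SHADOW_SAMPLE='root:$6$saltsalt$FAKEHASHFAKEHASH:18445:0:99999:7:::
bin:*:18000:0:99999:7:::
admin2:!!:18445:0:99999:7:::
guest::18445:0:99999:7:::
rogue:$1$abcd$FAKEMD5HASH:18445:0:99999:7:::'

# audit_passwd: "uid0 NAME" for any account other than root whose UID (field 3)
# is 0, i.e. a second super user; "shell NAME" for every account whose login
# shell (field 7) allows logging in at all.
audit_passwd() {
  printf '%s\n' "${1:-$PASSWD_SAMPLE}" | awk -F: '
    $3 == 0 && $1 != "root"                     { print "uid0 " $1 }
    $7 != "/sbin/nologin" && $7 != "/bin/false" { print "shell " $1 }'
}

# audit_shadow: classify the password field (field 2) of each record:
#   empty  -> logs in with no password at all
#   locked -> "*" or "!!", cannot log in
#   $6$ / $5$ / $1$ prefix -> SHA-512 / SHA-256 / MD5 crypt (MD5 is weak)
audit_shadow() {
  printf '%s\n' "${1:-$SHADOW_SAMPLE}" | awk -F: '
    $2 == ""                { print $1 " empty";    next }
    $2 == "*" || $2 == "!!" { print $1 " locked";   next }
    $2 ~ /^\$6\$/           { print $1 " sha512";   next }
    $2 ~ /^\$5\$/           { print $1 " sha256";   next }
    $2 ~ /^\$1\$/           { print $1 " md5-weak"; next }
                            { print $1 " unknown" }'
}

# shadow_date: turn a "days since 1970-01-01" value (fields 3 and 8) into a
# calendar date with GNU date; 18445 is the value in the post's root example.
shadow_date() {
  date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

audit_passwd; audit_shadow; shadow_date 18445
```

On a live system, run audit_shadow "$(cat /etc/shadow)" as root; the sample root record resolves to a last password change on 2020-07-02.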

Add user account useradd or adduser

useradd [options] username

Appends the new account's records to the end of /etc/passwd and /etc/shadow.
If the user's home directory is not specified explicitly, a home directory with the same name as the account is created automatically under /home, and the user's initial configuration files are placed in it.
If the user's group is not specified explicitly, a basic group account with the same name as the user account is created automatically, and its record is saved in /etc/group and /etc/gshadow.

Option  Description
-u  Specify the user's UID number; the number must not already be used by another user
-d  Specify the user's home directory (has no effect when used with -M); the directory must be given as an absolute path
-e  Specify the account expiry date, in YYYY-MM-DD format
-g  Specify the user's basic group by name (or GID number); the group must already exist
-G  Specify the user's additional group by name (or GID number); the group must already exist
-M  Do not create a home directory
-s (lowercase)  Specify the user's login shell: /bin/bash allows login, /sbin/nologin and /bin/false forbid the user from logging in
E.g. useradd -d /admin -g wheel -G root admin1
     useradd -e 2020-12-31 -s /sbin/nologin admin2

Set/change a user's password: passwd

passwd [options] username
With no username, changes the password of the current account.
The root user can give a username as an argument to manage that account's password.
Ordinary users can only run a bare "passwd" to change their own password.

Option  Description
-d  Clear the specified user's password; the account can then log in with the username alone
-l  Lock the user account; a locked account can no longer log in
-S (uppercase)  Show the status of the user account (whether it is locked)
-u  Unlock the user account

Second way to set a user's password:
echo "password" | passwd --stdin username

Modify user account attributes: usermod

usermod [options] username

Option  Description
-l  Change the account's login name
-L  Lock the user account
-U  Unlock the user account
Others: -u, -d, -e, -g, -G and -s have the same meaning as for useradd
E.g. change the login name of user admin1 to master:
usermod -l master admin1

Delete a user account: userdel

userdel [-r] username
With -r, the user's home directory is deleted along with the account.

E.g. delete the user account stu01 (the original shows this step as a screenshot)

Initial configuration files of a user account

Where the files come from
After useradd creates a new account, it places some initial configuration files in the user's home directory.
These files are copied from the account template directory /etc/skel/ and are almost all hidden files.
The initial configuration files in a user's home directory take effect only for that user.

Main user initial configuration files

File  Description
~/.bash_profile  Commands in this file run every time the user logs in; it sets some environment variables and calls the user's ~/.bashrc
~/.bashrc  Commands in this file run every time a new bash shell is opened (including at login), and it calls /etc/bashrc
~/.bash_logout  Commands in this file run every time the user logs out or exits a bash shell

The following global configuration files take effect for all users

File  Description
/etc/profile  The system-wide global variable configuration file; it is re-read after a reboot or by running source /etc/profile (or . /etc/profile)
/etc/profile.d/  A directory called from /etc/profile that holds the startup scripts some applications need
/etc/bashrc  Executed by every user running a bash shell; it is read whenever a new bash shell is opened with the bash command

PATH variable

The PATH variable sets the default search path for executable programs.
How PATH takes effect
Each time the system starts, the initialization commands execute /etc/profile and ~/.bash_profile. /etc/profile appends /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH and then calls the scripts in the /etc/profile.d directory.
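As an added example (not from the original post), a shell function that audits a PATH value like the one /etc/profile assembles. It flags entries that are not absolute paths (an empty entry or "." means "the current directory, whatever it is") and directories writable by everyone, where any user can plant a file that shadows a real command. The name check_path is this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a PATH value like the one
# /etc/profile assembles. Two things to flag: entries that are not absolute
# (an empty entry or "." means "the current directory, whatever it is") and
# directories writable by everyone, where any user can plant a file that
# shadows a real command. check_path is a name chosen for this example.

# check_path PATHVALUE: print one "relative DIR" or "world-writable DIR" line
# per finding, nothing for entries that are fine.
check_path() {
  # split on ":" with awk so that empty entries ("/bin::/usr/bin") survive
  printf '%s\n' "$1" | awk -F: '{ for (i = 1; i <= NF; i++) print $i }' |
  while IFS= read -r dir; do
    case $dir in
      /*) ;;                                   # absolute path: keep checking
      *)  printf 'relative %s\n' "$dir"; continue;;
    esac
    # column 9 of "ls -ld" is the write bit for others: drwxr-xr-[w]x
    if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = w ]; then
      printf 'world-writable %s\n' "$dir"
    fi
  done
}

# check the caller's own PATH when run as a script
check_path "$PATH"
```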

Group account management

Group account files and their format

File location  Purpose
/etc/group  Holds the basic information of group accounts
/etc/gshadow  Holds the password information of group accounts

Field  Description
Field 1  Group account name
Field 2  Placeholder "x"
Field 3  GID number of the group account
Field 4  User members of the group, separated by ","
E.g. mail:x:12:postfix
     postfix:x:89:

Add a group account: groupadd

groupadd [-g GID] groupname

Option  Description
-g  Specify the GID number
E.g. groupadd -g 1000 market

Add/remove group members: gpasswd

Purpose: set the group account password, add/remove group members

Option  Description
-a  Add a user to the group
-d  Remove a user member from the group
-M  Define the group's member list, comma-separated
E.g. gpasswd -M root,mike,postfix market

Delete a group account: groupdel

groupdel groupname

Querying account information

groups

Purpose: show the groups a user belongs to
groups [username]

id

Purpose: show a user's identity numbers (the ID numbers, i.e. UID and GID)
id [username]

finger

The finger command is not installed by default; install the finger package first (yum install -y finger)
Purpose: show a user account's login attributes
finger [username]

w, who, users

Purpose: show information about the users currently logged in to the host

Switching terminals with the tty shortcut keys also lets you see which users are logged in to the host.
tty is the usual shorthand for all kinds of terminal devices.
On CentOS 7, tty1 is the graphical interface and tty2-tty6 are text consoles; switch between them with Ctrl+Alt+F1-F6.
For example, log in after pressing Ctrl+Alt+F2 and run w: the terminal shown is tty2.
pts means the session came in through a remote tool such as Xshell; the number after it reflects login order, and a smaller number means an earlier login.

File/directory permissions and ownership

Access permissions

Read (r): allows viewing file contents and listing directory contents
Write (w): allows modifying file contents and creating, moving or deleting files and subdirectories in a directory
Execute (x): allows running a program or entering a directory

Ownership

Owner: the user account that owns the file or directory
Group: the group account that owns the file or directory

Viewing file/directory permissions and ownership

(The original shows this as screenshots.) The numbers here are octal digits.
Permission s (setuid): this bit lets an ordinary user temporarily run the program or command with the root user's privileges, i.e. those of the file's owner.

Setting directory and file permissions (chmod)

chmod [ugoa][+-=][rwx] file-or-directory...
or
chmod nnn file-or-directory

u: owner
g: group
o: other users
a: all users
+: add permission
-: remove permission
=: set permission
r: read permission
w: write permission
x: execute permission
nnn: 3-digit octal number
-R: recursively change the permissions of everything under the specified directory

Setting directory and file ownership (chown)

chown command
chown owner file-or-directory
chgrp group file (this command changes only the group)
chown :group file-or-directory
chgrp group file-or-directory
chown owner:group file-or-directory
chown owner.group file-or-directory

-R: recursively change the ownership of everything under the specified directory

Setting default permissions for directories and files (umask)

Purpose:
1. Controls the permissions of newly created files and directories
2. The permission of a new file or directory is the default permission with the umask bits removed
(the maximum default permission is 6 per digit for a regular file and 7 per digit for a directory)

umask 022 (set the umask to 022)
umask (show the current umask)
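The chmod symbolic syntax and the umask rule above are both bit arithmetic on the octal mode. The following shell functions are an added example (not from the original post) that do that arithmetic on numbers instead of files, so the effect of a given umask or of u+s can be checked without root; umask_result and apply_chmod are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the bit arithmetic behind chmod
# and umask, done on octal numbers instead of real files so an ordinary user
# can run it. Modes are octal strings such as 644 or 4755; umask_result and
# apply_chmod are names chosen for this example.

# umask_result KIND UMASK: mode a new "file" or "dir" gets under UMASK, i.e.
# the maximum default (666 for files, 777 for directories) minus the umask bits.
umask_result() {
  if [ "$1" = dir ]; then max=0777; else max=0666; fi
  printf '%03o\n' $(( max & ~0$2 ))
}

# apply_chmod MODE SPEC: apply one symbolic spec ([ugoa][+-=][rwxs]) to MODE
# and print the resulting octal mode, mirroring "chmod SPEC file".
apply_chmod() {
  mode=$(( 0$1 )); spec=$2
  who=${spec%%[+=-]*}                    # class letters before the operator
  op=${spec#"$who"}; op=${op%"${op#?}"}  # the single operator: + - or =
  perms=${spec#"$who$op"}                # permission letters after it
  [ -z "$who" ] && who=a                 # a bare "+x" applies to all classes
  bits=0
  case $perms in *r*) bits=$((bits | 4));; esac
  case $perms in *w*) bits=$((bits | 2));; esac
  case $perms in *x*) bits=$((bits | 1));; esac
  # place rwx into the selected classes (u<<6, g<<3, o<<0), collect the mask
  # that "=" may overwrite, and map s to setuid (on u) or setgid (on g)
  sel=0; clear=0
  case $who in *u*|*a*) sel=$((sel | bits << 6)); clear=$((clear | 04700))
    case $perms in *s*) sel=$((sel | 04000));; esac;; esac
  case $who in *g*|*a*) sel=$((sel | bits << 3)); clear=$((clear | 02070))
    case $perms in *s*) sel=$((sel | 02000));; esac;; esac
  case $who in *o*|*a*) sel=$((sel | bits)); clear=$((clear | 0007));; esac
  case $op in
    +) mode=$((mode | sel));;
    -) mode=$((mode & ~sel));;
    =) mode=$(( (mode & ~clear) | sel ));;
  esac
  printf '%o\n' "$mode"
}

# a new file under umask 022, then "chmod u+x" and "chmod u+s" on it
m=$(umask_result file 022); m=$(apply_chmod "$m" u+x); apply_chmod "$m" u+s
```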


Origin blog.csdn.net/TaKe___Easy/article/details/113484527