Account and permission management
- User account files and group account files
- User account management
- Group account management
- Query account information
- Permission and ownership of files/directories
- Set directory and file permissions (chmod)
- Set directory and file ownership (chown)
- Set default permissions for directories and files (umask)
User account files and group account files
Linux controls access to resources based on user identity.
User accounts
Superuser (root): root is the default superuser account in Linux and holds the highest privileges on the host. There is exactly one superuser in the system.
Ordinary users: created by root or another administrator; their permissions are restricted, and they generally have full permissions only within their own home directory.
Program users: when Linux and certain applications are installed, some low-privilege user accounts are added. These users are generally not allowed to log in and exist only to keep the system or a particular program running, e.g. bin, daemon, ftp, mail.
Group accounts
Basic group (private group): each user has exactly one basic group, usually the group specified when the user is created.
Field 4 of /etc/passwd records the GID of the user's basic group.
Additional groups (public groups): any further groups a user is added to beyond the basic group.
UID and GID
UID (User IDentity, user identification number)
GID (Group IDentity, group identification number)
The UID and GID of the root account are fixed at 0.
The UID and GID of program user accounts default to the range 1 to 499.
The UID and GID of ordinary users default to the range 500 to 60,000.
User account management
User account file passwd
Function: stores basic information such as the user name, home directory and login shell.
File location: /etc/passwd
Each line corresponds to one user account record.
Field | Description |
---|---|
Field 1 | Name of the user account |
Field 2 | Password placeholder "x" (in early UNIX the password was stored in the passwd file itself, where any user could read the password string and brute-force it, a clear security risk; the password was therefore moved to the separate shadow file and only the placeholder "x" remains in passwd) |
Field 3 | UID of the user account |
Field 4 | GID of the user's basic group |
Field 5 | User's full name |
Field 6 | Home directory |
Field 7 | Login shell (/bin/bash allows logging in to the system; /sbin/nologin and /bin/false forbid the user from logging in) |
E.g. | root:x:0:0:root:/root:/bin/bash |
User account file shadow
By default, only the root user can read the content in the shadow file, and it is not allowed to directly edit the content in the file.
Function: save the user's password, account validity period and other information.
File location: /etc/shadow
Each line corresponds to a user's password record
Field | Description |
---|---|
Field 1 | The name of the user account |
Field 2 | Hashed password string (this guide describes it as MD5; the `$6$` prefix in the example below denotes SHA-512 crypt). When it is "*" or "!!" the user cannot log in to the system. If the field is empty, the user can log in without a password |
Field 3 | Date of the last password change, expressed as the number of days since January 1, 1970 |
Field 4 | Minimum password age: after a password change, at least this many days must elapse before it can be changed again. The default 0 means no restriction |
Field 5 | Maximum password age: after a password change, the password must be changed again within this many days. The default 99999 means no restriction |
Field 6 | Number of days before expiry on which the user is warned that the password will expire; the default is 7 |
Field 7 | Number of days after password expiry before the account is disabled |
Field 8 | Account expiration date, as the number of days since January 1, 1970 on which the account becomes invalid. The default is empty, meaning the account never expires |
Field 9 | Reserved field (unused) |
E.g. | root:$6$VyoUGqoC$v5HlLM1wagzC/FwGfnrtJFnlT:18445:0:99999:7::: |
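The field tables above describe the conditions an administrator audits for: extra UID 0 accounts, accounts with an interactive shell, empty shadow password fields, and locked entries. The script below, an added example rather than code from the original notes, runs those checks over constructed passwd and shadow records; the user names and hashes are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: audit constructed /etc/passwd
# and /etc/shadow records for the conditions the two field tables describe.
# The sample records below are constructed for this example, not real ones;
# awk -F: splits each line on the ':' field separator used by both files.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin1:x:1001:10:admin one:/admin:/bin/bash
rogue:x:0:0::/tmp:/bin/sh
admin2:x:1002:1002::/home/admin2:/sbin/nologin'

SHADOW_SAMPLE='root:$6$VyoUGqoC$v5HlLM1wagzC/FwGfnrtJFnlT:18445:0:99999:7:::
bin:*:18353:0:99999:7:::
admin1::18445:0:99999:7:::
rogue:!!:18445:0:99999:7:::
admin2:!$6$abc$def:18445:0:99999:7:::'

# passwd field 3 is the UID: any account other than root with UID 0 is a second superuser
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# passwd field 7 is the login shell: /sbin/nologin and /bin/false cannot log in interactively
interactive_accounts() {
  printf '%s\n' "$1" | awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# shadow field 2 empty: the account can log in with no password at all
passwordless_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# shadow field 2 "*" or "!!", or a hash prefixed with "!" (which is what
# passwd -l and usermod -L write), means the account is locked
locked_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "*" || $2 ~ /^!/ { print $1 }'
}

echo "UID 0 besides root: $(uid0_accounts "$PASSWD_SAMPLE")"
echo "interactive shell:  $(interactive_accounts "$PASSWD_SAMPLE" | tr '\n' ' ')"
echo "no password:        $(passwordless_accounts "$SHADOW_SAMPLE")"
echo "locked:             $(locked_accounts "$SHADOW_SAMPLE" | tr '\n' ' ')"
```

On a real host the same functions can be fed `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`.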
Add user account useradd or adduser
useradd [options] username
Add the record of the user account at the end of the /etc/passwd file and /etc/shadow file.
If the user's home directory is not explicitly specified, a home directory with the same name as the user account will be automatically created in the /home directory, and various initial configuration files of the user will be created in this directory.
If the user's group is not explicitly specified, a basic group with the same name as the user account is created automatically, and its record is saved in /etc/group and /etc/gshadow.
Option | Description |
---|---|
-u | Specify the UID; it must not already be used by another user |
-d | Specify the home directory location as an absolute path (has no effect when combined with -M) |
-e | Specify the account expiration date, in YYYY-MM-DD format |
-g | Specify the user's basic group by name (or GID); the group must already exist |
-G | Specify the user's additional group(s) by name (or GID); the group must already exist |
-M | Do not create a home directory |
-s (lowercase) | Specify the login shell: /bin/bash allows login, /sbin/nologin and /bin/false forbid login |
Example | useradd -d /admin -g wheel -G root admin1 ; useradd -e 2020-12-31 -s /sbin/nologin admin2 |
Set or change a user's password: passwd
passwd [options] username
Without a username, changes the password of the current account.
root can pass a username as an argument to manage that account's password.
Ordinary users can only run a bare "passwd" to change their own password.
Option | Description |
---|---|
-d | Clear the specified user's password; the user can then log in with just the username |
-l | Lock the user account; a locked account can no longer log in |
-S (uppercase) | Show the status of the user account (whether it is locked) |
-u | Unlock the user account |
Second way to set a user's password
echo "password" | passwd --stdin username
Modify user account attributes: usermod
usermod [options] username
Option | Description |
---|---|
-l | Change the login name of the user account |
-L | Lock the user account |
-U | Unlock the user account |
Others | -u, -d, -e, -g, -G and -s have the same meaning as in useradd |
Example | Change the login name of user admin1 to master: usermod -l master admin1 |
Delete a user account: userdel
userdel [-r] username
With -r, the user's home directory is deleted together with the account.
Example: delete the user account stu01
Initial configuration files of a user account
Where the files come from
After useradd adds a new account, it creates some initial configuration files in the user's home directory.
These files are copied from the account template directory /etc/skel/ and are mostly hidden files.
The initial configuration files in the user's home directory apply only to that user.
Main user initial configuration files
File | Description |
---|---|
~/.bash_profile | Commands in this file run each time the user logs in; it sets some environment variables and sources the user's ~/.bashrc |
~/.bashrc | Commands in this file run every time a new bash shell is opened (including at login), and it sources /etc/bashrc |
~/.bash_logout | Commands in this file run each time the user logs out or exits a bash shell |
The following global configuration files apply to all users
File | Description |
---|---|
/etc/profile | System-wide environment configuration file; it is re-read after a reboot or by running source /etc/profile (or . /etc/profile) |
/etc/profile.d/ | A directory alongside /etc/profile holding the startup scripts needed by various applications |
/etc/bashrc | Executed by every user running a bash shell; it is re-read whenever a new bash shell is opened with the bash command |
The PATH variable
PATH sets the default search path for executable programs.
How PATH takes effect
Each time the system starts, initialization executes /etc/profile and ~/.bash_profile. /etc/profile appends /usr/local/bin, /usr/bin, /usr/local/sbin and /usr/sbin to PATH and then runs the scripts in the /etc/profile.d directory.
Group account management
Group account files and their format (analogous to the user account files)
File location | Purpose |
---|---|
/etc/group | Stores the basic information of group accounts |
/etc/gshadow | Stores group account password information |
Field | Description |
---|---|
Field 1 | Group account name |
Field 2 | Placeholder "x" |
Field 3 | GID of the group account |
Field 4 | User members of the group; multiple members are separated by "," |
Example | mail:x:12:postfix ; postfix:x:89: |
Add a group account: groupadd
groupadd [-g GID] groupname
Option | Description |
---|---|
-g | Specify the GID |
Example | groupadd -g 1000 market |
Add/remove group members: gpasswd
Purpose: set the group account password, add or remove group members
Option | Description |
---|---|
-a | Add a user to the group |
-d | Remove a user member from the group |
-M | Define the member list, comma-separated |
Example | gpasswd -M root,mike,postfix market |
Delete a group account: groupdel
groupdel groupname
Query account information
groups
Purpose: query the groups a user belongs to
groups [username]
id
Purpose: query a user's identity (the identity is the ID numbers, UID and GID)
id [username]
finger
finger is not installed by default; install the finger package first (yum install -y finger)
Purpose: query the login attributes of a user account
finger [username]
w, who, users
Purpose: query information about the users currently logged in to the host
Users logged in to the host can also be observed by switching between ttys with shortcut keys.
tty is the common short name for all kinds of terminal devices.
On CentOS 7, tty1 is the graphical console and tty2 to tty6 are text consoles; switch between them with Ctrl+Alt+F1 to F6.
For example, after logging in with Ctrl+Alt+F2, running w shows the terminal in use as tty2.
pts indicates a remote connection made with a tool such as Xshell; the trailing number reflects login order, with smaller numbers having logged in earlier.
File/directory permissions and ownership
Access permissions
Read (r): allows viewing file contents and listing directory contents
Write (w): allows modifying file contents and creating, moving or deleting files or subdirectories within a directory
Execute (x): allows running a program or entering (switching into) a directory
Ownership
Owner: the user account that owns the file or directory
Group: the group account that owns the file or directory
Viewing file/directory permissions and ownership
The numeric form of permissions is written in octal.
The s permission (setuid): this bit lets an ordinary user temporarily run the program or command with the privileges of its owner (root, for root-owned programs)
Set directory and file permissions (chmod)
chmod [ugoa] [+-=] [rwx] file-or-directory...
or
chmod [nnn] file-or-directory
u: owner
g: group
o: other users
a: all users
+: add permission
-: remove permission
=: set permission exactly
r: read permission
w: write permission
x: execute permission
nnn: three octal digits
-R: recursively change the permissions of everything under the given directory
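To see how the two chmod syntaxes above, the -R option and the setuid bit combine, the following added example (not code from the original notes) builds a throwaway directory tree, applies each form, and reads the resulting octal modes back. It assumes GNU coreutils (stat -c) and mktemp.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: apply the two chmod forms above
# (symbolic ugoa/+-=/rwx and three-digit octal), plus -R and setuid, to a
# throwaway directory tree and read the resulting modes back with stat.
# Assumes GNU coreutils (stat -c); the tree is created under mktemp -d.

# Create the scratch tree under $1 and print the tree's root path
make_tree() {
  local root="$1/tree"
  mkdir -p "$root/sub" && : > "$root/sub/data" && : > "$root/script"
  printf '%s' "$root"
}

# Apply chmod in each form and print "path mode" for every node
chmod_demo() {
  local tmp root
  tmp=$(mktemp -d) || return 1
  root=$(make_tree "$tmp")
  chmod -R 777 "$root"              # start every node from a known state
  chmod 640 "$root/sub/data"        # octal form: rw-r-----
  chmod u=rwx,g=rx,o= "$root/sub"   # '=' replaces each class exactly: rwxr-x---
  chmod -R g-w,o-rwx "$root"        # recursive: drop group write and all of "other"
  chmod u+s "$root/script"          # setuid: appears as a leading 4 in stat %a
  (cd "$root" && stat -c '%n %a' . sub sub/data script)
  rm -rf "$tmp"
}

chmod_demo
```

The output shows that -R touched the tree root and script (777 became 750) without disturbing the octal mode already set on sub/data, and that the setuid bit is reported as 4750 rather than as a separate flag.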
Set directory and file ownership (chown)
The chown command
chown owner file-or-directory
chgrp group file (this form changes files only)
chown :group file-or-directory
chgrp group file-or-directory
chown owner:group file-or-directory
chown owner.group file-or-directory
-R: recursively change the ownership of everything under the given directory
Set default permissions for directories and files (umask)
Purpose:
1. Control the permissions of newly created files and directories
2. The permissions of a new file or directory are the default permissions with the umask bits removed
(the maximum default permission for an ordinary file is 6 per digit, i.e. 666; for a directory it is 7, i.e. 777)
umask 022 (set the umask to 022)
umask (show the current umask)
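The "default permissions with the umask removed" rule is a bit-wise mask (mode AND NOT umask), not a decimal subtraction; the difference shows up with a umask such as 033, where a file still gets 644 rather than 633. The added example below (not code from the original notes) computes the predicted mode and confirms it against what the kernel actually assigns to a new file or directory; it assumes GNU coreutils (stat -c) and mktemp.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: how umask is applied.
# The mask is removed bit-wise (mode AND NOT umask), not by decimal
# subtraction, which matters when a umask digit has bits the base lacks.
# Assumes GNU coreutils (stat -c) for the on-disk check.

# Predicted mode: $1 = base (666 for files, 777 for directories), $2 = umask
predict_mode() {
  printf '%03o' $(( 0$1 & ~0$2 ))   # the leading 0 makes the shell parse octal
}

# Actual mode the kernel gives a new file or directory under umask $1;
# $2 is "file" or "dir"
actual_mode() {
  local tmp
  tmp=$(mktemp -d) || return 1
  (
    umask "$1"            # in a subshell, so the caller's umask is untouched
    cd "$tmp" || exit 1
    if [ "$2" = dir ]; then mkdir d && stat -c %a d; else : > f && stat -c %a f; fi
  )
  rm -rf "$tmp"
}

for m in 022 027 033; do
  echo "umask $m: file $(predict_mode 666 "$m") dir $(predict_mode 777 "$m")"
done
echo "on disk under 027: file $(actual_mode 027 file) dir $(actual_mode 027 dir)"
```

Note that umask 033 yields 644 for a file (the write bits it masks out are already absent from 666) and 744 for a directory.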