Linux basic commands (part 2): user and permission management

1. Linux user management

Linux user management

  • Users are a central part of how a Linux system is operated. User management covers both user accounts and group accounts.
  • Account management covers adding, deleting and modifying accounts, planning which accounts exist, and granting permissions.
  • Whether a user logs in locally or remotely, every user needs an account, and different accounts are given different permissions over system resources.

Linux user permissions

  • There are two kinds of users on Linux: the superuser (root) and ordinary users.
  • The root account is used for system maintenance and administration and has unrestricted access to every part of the operating system. On most distributions, logging in directly as root is discouraged: log in as an ordinary user and switch to root only for the commands that need it.
  • What an ordinary user can do on the system is restricted.
  • The command prompt of the superuser is "#"; the prompt of an ordinary user is "$".

<1> View the current user: whoami

whoami prints the user name of the account the current shell is running as. All accounts on the system are listed in /etc/passwd, so cat /etc/passwd shows the system's user information.

Administrators usually work under more than one identity: they log in as an ordinary user and then use su (or sudo) to switch to root for administrative work. whoami shows which identity is active at that moment, and the exit command returns to the original user.

<2> View the logged-in users: who

The who command lists all users currently logged in to the system.
Common options:

Option                 Meaning
-m (same as who am i)  Show only the user who ran the command: user name, terminal and login time
-q or --count          Show only the login names and the number of users logged in
-H or --heading        Print a line of column headings
-u or --users          List the logged-in users together with their idle time

<3> Add a user account: useradd

A user account is added with useradd. On Red Hat-style systems adduser is a symbolic link to useradd, so both accept exactly the same options; on Debian and Ubuntu, adduser is a separate interactive front end with its own options, so use useradd when a script must work everywhere.

The format of the useradd command is:

useradd [parameters] newusername

Parameter   Meaning
-d DIR      The home directory the user gets when logging in. If omitted, /home/<username> is used.
-m          Create the home directory if it does not exist (and copy the files from /etc/skel into it). Without -m, whether a home directory is created depends on CREATE_HOME in /etc/login.defs, so pass -m explicitly when you need one.
-g GROUP    The primary group (name or GID). The group must already exist.

<4> Set a user's password: passwd

On Unix/Linux the superuser sets or changes any user's password with passwd username. An ordinary user runs passwd with no argument to change their own password and is asked for the current password first. A newly created account has no usable password until one is set.

<5> Delete a user: userdel

Command           Meaning
userdel abc       Delete the user abc but leave the home directory (and mail spool) in place
userdel -r abc    Delete the user and remove the home directory and mail spool at the same time

Files the user owned elsewhere on the system are not touched by either form; they keep the deleted account's numeric UID.
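The add, lock and delete procedure from <3> to <5>, wrapped in checked functions, as an added example (not code from the original post). It assumes the shadow-utils useradd, passwd and userdel found on mainstream distributions and uses useradd's -s option, which the post does not list. The user and group names in the calls at the bottom are made up, and DRY_RUN=1 (the default here) prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original post: the useradd / passwd / userdel
# procedure wrapped in checked functions. Assumes the shadow-utils commands found
# on mainstream distributions. DRY_RUN=1 (the default here) prints the privileged
# commands instead of running them; DRY_RUN=0 executes them and needs root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Portable user-name rule: lower-case letter or underscore, then letters, digits,
# underscore or hyphen, 32 characters at most. Rejecting anything else also keeps
# shell metacharacters and leading hyphens (which useradd would read as options)
# out of the command line.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# provision_user NAME PRIMARY_GROUP [SHELL]
#   -m creates the home directory (from /etc/skel), -d names it explicitly,
#   -g sets the primary group (it must already exist), -s the login shell
#   (-s is a standard useradd option the post does not list; use /usr/sbin/nologin
#   for service accounts that must never get a shell).
#   The account is then locked with passwd -l until an administrator runs
#   "passwd NAME" to set a real password, which replaces the locked entry.
provision_user() {
    name=$1 group=$2 shell=${3:-/bin/bash}
    valid_name "$name" || { echo "invalid user name: $name" >&2; return 2; }
    run useradd -m -d "/home/$name" -g "$group" -s "$shell" "$name" || return 1
    run passwd -l "$name"
}

# deprovision_user NAME
#   userdel -r removes the home directory and mail spool, nothing else. Files the
#   user owned elsewhere keep the numeric UID, and the next account created with
#   that UID would inherit them, so they are listed for cleanup afterwards.
deprovision_user() {
    name=$1
    uid=$(id -u "$name" 2>/dev/null) || {
        [ "$DRY_RUN" = 1 ] && uid='UID' || { echo "no such user: $name" >&2; return 2; }
    }
    run userdel -r "$name" || return 1
    run find / -xdev -uid "$uid" -print
}

# Demonstration with made-up names (printed only, because DRY_RUN defaults to 1).
provision_user alice developers
provision_user svc_backup developers /usr/sbin/nologin
provision_user 'bad;name' developers || echo "rejected (exit status $?)"
deprovision_user alice
```

Review the printed command lines first; only then run the script again with DRY_RUN=0 as root. The find at the end is the step most people forget: userdel -r only removes the home directory, and a later account that happens to be assigned the freed UID silently becomes the owner of everything else the deleted user left behind.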

<6> Add and delete group accounts: groupadd, groupdel

Command          Meaning
groupadd name    Create a new group account
groupdel name    Delete a group account (refused while the group is still some user's primary group)
cat /etc/group   View the groups and their members

<7> Modify a user's groups: usermod

usermod -g group user changes the user's primary group. usermod -aG group user adds the user to an additional (supplementary) group; without -a, -G replaces the user's whole supplementary group list with the one given, which silently removes the user from every other group. The change takes effect at the user's next login.

<8> View which groups a user is in: groups

groups prints the groups of the current user; groups username prints them for another user, primary group first. id username shows the same membership together with the numeric UID and GIDs.
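The account database that cat /etc/passwd (section <1>), cat /etc/group (section <6>) and groups (section <8>) read, parsed by hand, as an added example (not code from the original post). The two sample files are constructed here and the accounts in them, including the second UID 0 entry toor, are invented; setting PASSWD_FILE=/etc/passwd GROUP_FILE=/etc/group before running it turns the same functions into a quick audit of a live system.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the account database that
# "cat /etc/passwd", "cat /etc/group" and "groups" read, using constructed sample
# files. Set PASSWD_FILE=/etc/passwd GROUP_FILE=/etc/group to run it on a live system.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# /etc/passwd fields: name:password:UID:GID:comment:home:shell
# ("x" means the password hash lives in /etc/shadow). The entries, including the
# "toor" account with UID 0, are invented for the demonstration.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002:backup service:/var/lib/backup:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
EOF

# /etc/group fields: name:password:GID:comma-separated list of supplementary members
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
daemon:x:1:
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
svc_backup:x:1002:
developers:x:2000:alice,bob
EOF

: "${PASSWD_FILE:=$SAMPLE_DIR/passwd}"
: "${GROUP_FILE:=$SAMPLE_DIR/group}"

# groups_of NAME: what "groups NAME" prints: the primary group (the GID in the
# passwd entry, resolved through the group file) followed by every group whose
# member list contains the name. Returns 1 for an unknown user.
groups_of() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }            # pass 1: passwd
        gid != "" && $3 == gid { primary = $1; next }        # pass 2: group, primary by GID
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1 }
        END { if (gid == "") exit 1; print primary supp }
    ' "$PASSWD_FILE" "$GROUP_FILE"
}

# extra_uid0_accounts: every account other than root whose UID is 0. Such an
# account is a full superuser under another name and is a classic backdoor.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$PASSWD_FILE"
}

# interactive_accounts: accounts whose login shell is a real shell (not nologin or
# false), i.e. the ones that can open an interactive session.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$PASSWD_FILE"
}

echo "groups of alice:      $(groups_of alice)"
echo "extra UID 0 accounts: $(extra_uid0_accounts)"
echo "interactive accounts: $(interactive_accounts)"
```

Permissions are decided by the numeric UID and GIDs, not by the name, which is why the extra UID 0 check matters: toor is root in everything but name, and neither whoami nor a glance at the login name would reveal it.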

2. Linux permission management

2.1 Classification of file visitors (who)

u (user): the owner of the file or directory
g (group): the users in the group the file or directory belongs to
o (others): every other user

2.2 File types and access permissions (what)

Every entry shown by ls -l begins with one character for the file type, followed by three rwx triplets giving the permissions of the owner, the group and others.

  • File type

d: directory
-: regular file
l: symbolic link (similar to a Windows shortcut)
b: block device file (hard disk, CD-ROM and so on)
p: named pipe (FIFO)
c: character device file (terminal, serial port and so on)
s: socket file

  • Basic permissions

Read (r/4): on a file, permission to read its contents; on a directory, permission to list the names of its entries.
Write (w/2): on a file, permission to modify its contents; on a directory, permission to create, delete and rename entries in it (together with x).
Execute (x/1): on a file, permission to run it; on a directory, permission to enter it and reach the entries inside it by name.
"-" means the permission is not granted.

2.3 How file permission values are written

  • Character representation
Symbol   Description
r--      Read only
-w-      Write only
--x      Execute only
rw-      Read and write
r-x      Read and execute
-wx      Write and execute
rwx      Read, write and execute
---      No permission
  • Octal representation
Symbol   Octal   Binary
r--      4       100
-w-      2       010
--x      1       001
rw-      6       110
r-x      5       101
-wx      3       011
rwx      7       111
---      0       000

2.4 Related setting methods and commands for file access permissions

<1> Change file permissions: chmod

chmod changes permissions in two ways: the letter (symbolic) method and the number (octal) method.

  • Letter method: chmod [u/g/o/a][+/-/=][rwx] filename
[u/g/o/a]   Meaning
u           user: the owner of the file
g           group: the members of the file's group
o           others: everyone else
a           all: u, g and o together
[+-=]       Meaning
+           add the permission
-           remove the permission
=           set exactly the listed permissions (anything not listed is removed)
rwx         Meaning
r           read. On a directory, without r the directory's contents cannot be listed with ls.
w           write. On a directory, without w no files can be created or deleted in it.
x           execute. On a directory, without x you cannot cd into it.

The command can act on a single class at a time, for example chmod u+x filename or chmod o-w filename, or on several classes in one command, separated by commas, for example chmod u+x,g-w,o=r filename.

  • Numeric method: rwx can also be given as the octal digits from section 2.3, one digit per class in the order u, g, o. For
    example, chmod u=rwx,g=rx,o=r filename is equivalent to chmod 754 filename (7 = rwx, 5 = r-x, 4 = r--). The digits are
    only valid in this positional form; a mixed form such as u=7 is not accepted by chmod.

<2> Change the owner of a file: chown

chown newowner file changes the owner; chown newowner:newgroup file changes owner and group together, and -R applies the change to a whole directory tree. Only root can change a file's owner: an ordinary user cannot give their files away to another account.

<3> Change the group of a file: chgrp

chgrp newgroup file changes the group (again with -R for a directory tree). An ordinary user can only assign a group they are a member of, and only on files they own; root can assign any group.

<4> View or modify file mask: umask

The default permissions for newly created files and directories under Linux are as follows

  • Default permission for new files=0666
  • Default permission for new directory=0777

But in fact, the permissions of the files and directories that we create are often not the above values. The reason is that the creation of a file or directory is also affected by umask .
Assuming that the default permission is default, the file permissions actually created are:

default & ~umask

Example: create a new file test1.txt. Its default mode is 666, binary 110 110 110. With umask 002, binary 000 000 010, the complement ~umask is 111 111 101. Applying the formula:

      110 110 110   (default = 666)
  &   111 111 101   (~umask, umask = 002)
  ---------------
      110 110 100   (= 664)

So test1.txt gets rw-rw-r-- (664), which ls -l confirms.
Note:
A common misconception is that umask is subtracted from the default mode. It is a bit mask: every bit set in the umask is cleared from the default and nothing else changes. 666 - 002 = 664 happens to give the same number, but with umask 001 the mask gives 666 & ~001 = 666 (there was no execute bit to clear), whereas subtraction would give 665, which is rw-rw-r-x and grants others an execute permission that a umask can never add.
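The numeric chmod form from 2.4 and the default & ~umask rule from this section checked on real files, as an added example (not code from the original post). Everything is created inside a temporary directory that is removed on exit; effective_mode, new_file_mode, new_dir_mode and chmod_result are names chosen here, not existing commands.

```shell
#!/bin/sh
# Added example, not code from the original post: check the numeric chmod form from
# 2.4 and the "default & ~umask" rule from this section on real files. Everything
# is created inside a temporary directory that is removed on exit; effective_mode,
# new_file_mode, new_dir_mode and chmod_result are names chosen here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mode_of PATH: the 10-character type+permission field of ls -ld, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# effective_mode DEFAULT UMASK: DEFAULT & ~UMASK, both given in octal (0666 for
# files, 0777 for directories). Every bit set in the umask is cleared; bits the
# default never had stay clear, which is why this is not a subtraction.
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# new_file_mode UMASK / new_dir_mode UMASK: create an entry under that umask (in
# a subshell, so the caller's umask is untouched) and report the resulting mode.
new_file_mode() {
    ( umask "$1"; rm -f "$WORK/f"; touch "$WORK/f"; mode_of "$WORK/f" )
}
new_dir_mode() {
    ( umask "$1"; rm -rf "$WORK/d"; mkdir "$WORK/d"; mode_of "$WORK/d" )
}

# chmod_result MODE: apply a symbolic or numeric chmod argument to a fresh file
# and report the mode, to confirm that the two syntaxes give the same bits.
chmod_result() {
    rm -f "$WORK/c"; touch "$WORK/c"
    chmod "$1" "$WORK/c"
    mode_of "$WORK/c"
}

echo "666 & ~002 = $(effective_mode 666 002)   file created with umask 002: $(new_file_mode 002)"
echo "666 & ~001 = $(effective_mode 666 001)   (subtraction would give 665 and grant others execute)"
echo "777 & ~022 = $(effective_mode 777 022)   directory created with umask 022: $(new_dir_mode 022)"
echo "chmod 754: $(chmod_result 754)   chmod u=rwx,g=rx,o=r: $(chmod_result u=rwx,g=rx,o=r)"
```

The umask 077 case is the one to remember for anything that writes secrets: a file created under it comes out as rw------- without any later chmod, which closes the window between creation and chmod that a world-readable default leaves open.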

2.5 The sticky bit: t

Why the sticky bit exists

Suppose a directory dir gives rwx permission to every user, so any user can work on the files in dir. The problem starts when dir contains a file file.c whose permissions look like this:

For an ordinary user, file.c is readable only, with no write or execute permission, which seems to mean that user can neither modify nor delete it. But that is not what happens:

As the screenshot showed, a user with only read permission on the file can still delete it. Deleting a file changes the directory it is listed in, not the file itself, so anyone with write permission on the directory can delete any entry in it regardless of the file's own permissions or owner. That is unacceptable for shared directories such as /tmp, so Linux introduced the sticky bit.

Using the sticky bit

chmod +t directory

Once the sticky bit is set, users can no longer delete each other's files:

When a directory has the sticky bit set (chmod +t, or the leading 1 in a numeric mode such as 1777), a file in that directory can be deleted or renamed only by

  • the superuser
  • the owner of the directory
  • the owner of the file

ls -ld shows the bit as a t in the last position of the mode (a capital T when others do not have execute permission on the directory).
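Setting the sticky bit and finding the shared directories where it is missing, as an added example (not code from the original post). The directory tree is constructed here and removed on exit; unsafe_shared_dirs and set_sticky are names chosen for this example. The scenario above needs two users to reproduce, which a single script cannot do, so this one checks the modes that make the difference and the audit that finds unprotected directories.

```shell
#!/bin/sh
# Added example, not code from the original post: set the sticky bit and find the
# shared directories where it is missing. The directory tree is constructed here
# (and removed on exit); unsafe_shared_dirs and set_sticky are names chosen here.
# Run "unsafe_shared_dirs /" as root to audit a real system.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

mode_of() { ls -ld "$1" | cut -c1-10; }

mkdir -p "$ROOT/shared_ok" "$ROOT/shared_bad" "$ROOT/private" "$ROOT/odd"
chmod 1777 "$ROOT/shared_ok"    # drwxrwxrwt: sticky bit is the leading 1 in numeric form (like /tmp)
chmod 777  "$ROOT/shared_bad"   # drwxrwxrwx: anyone can delete anyone else's files here
chmod 755  "$ROOT/private"      # not world-writable, so the sticky bit is irrelevant
chmod 1776 "$ROOT/odd"          # sticky set but no x for others: ls shows a capital T

# unsafe_shared_dirs DIR: directories below DIR that others can write to
# (-perm -0002) and that lack the sticky bit (! -perm -1000).
unsafe_shared_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# set_sticky DIR: the "chmod +t" from the post, then the resulting mode so the
# trailing t (or T) is visible.
set_sticky() {
    chmod +t "$1"
    mode_of "$1"
}

echo "world-writable without sticky bit: $(unsafe_shared_dirs "$ROOT")"
echo "fix: $(set_sticky "$ROOT/shared_bad")"
echo "after the fix: '$(unsafe_shared_dirs "$ROOT")'"
echo "sticky without others' execute: $(mode_of "$ROOT/odd")"
```

The find expression is the check worth keeping: a world-writable directory without the sticky bit lets any local user delete or rename other users' files in it, which is the situation the section describes.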

3. Summary of directory permissions

  • Execute permission on a directory determines whether you can enter it, that is, reach the entries inside it by name.
  • If a directory lacks x, you cannot cd into it or open anything inside it, even when you still have r on it. This is the easy mistake: read permission on a directory only lets you list the names in it; it does not let you enter it or read the files.
  • If a directory has x but not r, you can cd into it and open files whose names you already know (subject to those files' own permissions), but ls fails because the list of names cannot be read.

Origin blog.csdn.net/qq_40076022/article/details/113808291