Managing user groups in a Linux system is not laborious, but the related commands may be more flexible than you know.
User groups play an important role in Linux systems. User groups provide an easy way for a group of users to share files with each other. User groups also allow system administrators to manage user permissions more effectively, because administrators can assign permissions to user groups instead of assigning them to individual users one by one.
Although user groups are usually created as long as a user account is added to the system, there is still a lot to know about how user groups work and how to use user groups.
One user, one user group?
Most user accounts in Linux systems are set to the same user name as the user group name. Users jdoewill be given a named jdoeuser group, and became the only member of the new user group. As shown in this example, the user's login name, user id and group id users are added to the account in the new /etc/passwdand /etc/groupfiles:
$ sudo useradd jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:Jane Doe:/home/jdoe:/bin/sh
$ grep jdoe /etc/group
jdoe:x:1066:
复制代码The configuration file allows the system to text ( jdoe) and digital ( 1066) each transition between these two forms of user id - jdoeis 1006, and 1006is jdoe.
The UID (user id) and GID (user group id) assigned to each user are usually the same and increase in order. If Jane Doe is the most recently added user in the above example, the user id and user group id assigned to the next new user are likely to be 1067.
GID = UID
UID and GID may be inconsistent. For example, if you use groupaddto add a user group id command without specifying a user group, a user will be assigned the next available group id (in this case 1067). The next user added to the system will have a UID of 1067 and a GID of 1068.
You can avoid this problem by specifying a smaller user group id when adding a user group instead of accepting the default value. In the following command we add a user group and provide a GID, which is smaller than the GID value range used for the user account.
$ sudo groupadd -g 500 devops
复制代码You can specify a shared user group when creating an account, if this is more appropriate for you. For example, you might want to add new developers to the same DevOps user group instead of one user group.
$ sudo useradd -g staff bennyg
$ grep bennyg /etc/passwd
bennyg:x:1064:50::/home/bennyg:/bin/sh
复制代码Primary user group and secondary user group
There are actually two user groups: the primary user group primary group and the secondary user group secondary group.
The main user group is stored in the /etc/passwduser group file, the user groups configured when the account was created. When a user creates a file, the user's primary user group is associated with the file.
$ whoami
jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:John Doe:/home/jdoe:/bin/bash
^
|
+-------- 主要用户组
$ touch newfile
$ ls -l newfile
-rw-rw-r-- 1 jdoe jdoe 0 Jul 16 15:22 newfile
^
|
+-------- 主要用户组
复制代码Those user groups that are added once the user has an account are secondary user groups. Secondary user group membership in /etc/groupa display file.
$ grep devops /etc/group
devops:x:500:shs,jadep
^
|
+-------- shs 和 jadep 的次要用户组
复制代码/etc/groupThe file assigns a group name to the user group (for example 500= devops) and records the members of the secondary user group.
Preferred criteria
Each user is a member of his own primary user group and can be a member of any number of secondary user groups. Such a rule allows users to more easily separate personal files from files that need to be shared with colleagues. When a user creates a file, members of different user groups to which the user belongs may not have access rights. Users must chgrpassociate files up command group and the secondary user.
Not as good as your own home directory
When you add a new account important detail is that useraddthe command does not have to add a new user home directory / home home directory. If you only want to add some time to the home directory for the user, you can useraddjoin command -moptions (you can think of it as "home" option).
$ sudo useradd -m -g devops -c "John Doe" jdoe2
复制代码The options in this command are as follows:
-mCreate a home directory and generate initial files in it-gSpecify the user group to which the user belongs-cAdd account description information (usually the user's name)
If you want to always create the home directory, you can edit the /etc/login.defsfile to change the default mode of operation. Change or add a CREATE_HOMEvariable and set it to yes:
$ grep CREATE_HOME /etc/login.defs
CREATE_HOME yes
复制代码Another method is to use their account settings so that the alias useraddhas been with the -moption.
$ alias useradd=’useradd -m’
复制代码Make sure to add the alias to your ~/.bashrcfile or similar startup file to make it permanent.
In-depth understanding of /etc/login.defs
The following command lists /etc/login.defsall of the settings file. The following grepcommand will hide all comments and blank lines.
$ cat /etc/login.defs | grep -v "^#" | grep -v "^$"
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 022
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
CREATE_HOME yes <===
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
复制代码Note that the various settings in this file will determine the value range of the user id, the password lifetime and other settings (such as umask).
How to display the user group to which a user belongs
A user may be a member of multiple user groups for various reasons. User group membership gives users access to files and directories owned by the user group. Sometimes this way of working is essential. To generate a list of the user group, with the groupscommand.
$ groups jdoe
jdoe : jdoe adm admin cdrom sudo dip plugdev lpadmin staff sambashare
复制代码You can type without any parameters groupscommand to list your own user group.
How to add users to user groups
If you want to add an existing user to another user group, you can follow the command below:
$ sudo usermod -a -G devops jdoe
复制代码You can also specify a comma-separated list of user groups to add a user to multiple user groups:
$ sudo usermod -a -G devops,mgrs jdoe
复制代码Parameter -ameans "add", -Gspecifies the list of user groups.
You can edit the /etc/groupfile with your username removed from the user group membership list, so the user is removed from the group. usermodThe command may also have an option to remove a member from the user group.
fish:x:16:nemo,dory,shark
|
V
fish:x:16:nemo,dory
复制代码Synopsis
Adding and managing user groups is not particularly difficult, but consistency in configuring accounts can make this task easier in the long run.
Author: Linux Chinese
link: https: //juejin.cn/post/6844903898038140942