I have begun to contact Linux user management, user group management, and permission management, which are full of keywords. These keywords are really high for me as a front-end programmer. When I tried to learn Linux before, I always jumped over these terms subconsciously and didn't dare to look at them. When I mentioned these words Immediately, a noun always pops up in my mind, and there is infinite worship! Today, I will bite the bullet and take care of these concepts, hoping to gain something.
1. Starting from /etc/passwd
In the previous basic command learning, we introduced the use of the passwd command to modify user passwords. For the operating system, where are the usernames and passwords stored? We all know that the username and password of a site are stored in the database, and the database is used to save the record data. Our commonly used databases are MySQL, Oracle , MongoDB, etc. In fact, it is not rigorous for us to call MySQL, etc. a database, because they are only database management software. In a broad sense, anything that can save data can be called a database. such as text.
The database is used to save data, and the user name and password in the operating system should also be stored in the database. What is this database? Under Linux, it's a file called passwd in /etc. Let's take a look at what's in this file.
When most people see this kind of stuff, they usually say: What? Are you sure this isn't a book from heaven? What can be seen here? To be honest, I don't know any of them except the line number!
Well, take a closer look and look for the rules. After your careful observation, you may notice the following messages:
-
- Each line of text has several colons (:) in English format, which separate each line of text
- Count carefully, each line of text has the same number of colons
- Counting again, if we call the stuff before and after the colon fields, the number of fields in each line of text is the same (including empty fields)
- The root in the first line and charley in the last line are our two accounts, aren't they?
So you make a bold guess: yes! This is our user table. These tables also contain fields, which are used to store some information about users! In fact, this is exactly the case. /etc/passwd saves user-related information, including user names, passwords, groups, and so on. Maybe you still have questions: obviously we only have two users, one is the administrator account root, and the other is the ordinary user charley, so what are the other things? Why do they also appear in this table? Don't worry, let's start with grouping.
2. Some common grouping forms
Below, we discuss users, user groups, and some of the above questions. First, some methods of grouping users or user groups are introduced. From different perspectives, different distinctions can be made.
-
- By user type grouping, we can divide users into:
- administrator
- general user
- By grouping by user group type, we can divide user groups into:
- admin group
- common user group
- From the user's point of view, we can divide the user group into:
- Basic group (default group)
- Extra Group (Additional Group)
- For ordinary users, we can also be divided into:
- system user
- general user
- Therefore, for ordinary user groups, we can also be divided into:
- system user group
- common user group
- By user type grouping, we can divide users into:
Does the above grouping method make you dazzled? It doesn't matter, in fact, the grouping of users or user groups is inherently multi-solution, but because of the different angles of the stations, different results are produced. From another angle, we can also have N grouping forms. The above is just a conventional method of division. Since the form of these groups can be reflected in our create user or user group command options, after learning the commands for creating users and creating user groups, it is easy to understand these concepts.
3. Understand the user
We know that /etc/passwd is equivalent to the database where the operating system saves user information, so it can be concluded that each row of data in the table represents a specific user, except for the root user of the system and a common user charley we created. Besides, there are many other things, what are these things? Are they also users? Yes, these things we don't know are also users, but they are not created by us, but by the operating system, so they are called system users.
If someone wants to use some functions of the operating system, he must be a user on the system (guest users are also users). After a user logs in to the operating system, the operating system can assign permissions based on the user's feature code to use the functions of the operating system.
We use computers and operating systems so that they can help us complete certain tasks. Specifically, we use the software on the operating system to complete them, and let the software do things for us. When the operating system starts, there are some necessary applications, services, etc. that need to be started. Following the simple logic mentioned above, the user on the operating system must start the software. According to this logic, the Linux system creates some system users for us through which the corresponding files are executed when the operating system starts. It can be seen that system users do not need to log in, also called non-login users, please remember this first.
The user feature code is mentioned above, and the user is identified by the user feature code during the operating system. For the kinky class, we identify users by their usernames, because usernames (strings) are easy to remember. The computer thinks that numbers are easier to remember, so when creating a user, the system will assign it a unique feature code to identify the user, this feature code is also called UID. Likewise, user groups also have signatures, called GIDs.
In Linux systems, UIDs are divided as follows:
-
- 0 means administrator (root)
- 1 - 500 for system users
- 501 - 65535 for normal users
- Different Linux distributions, these numbers may vary
4. Field analysis in /etc/passwd
The fields in /etc/passwd represent the following information (the field names are taken by myself):
-
- ACCOUNT: username
- PASSWORD: Password placeholder
- UID: User ID
- GID: User group ID
- COMMAND: comment information
- HOME DIR: User home directory
- SHELL: the user's default shell
A password placeholder whose value is x, which is obviously not a real password. Where are the real passwords stored? In the /etc/shadow file, the password stored in this file is not the plaintext password, but the encrypted password. Let's take a look at the contents of /etc/shadow (root only):
It can be seen that the data table is also saved in /etc/shadow, and this table is also related to the user. Remember the man command mentioned the next day? The fifth chapter of the man manual is a special file, let's try a wave of man:
For the meaning of each field in /etc/shadow, instructions are given in the manual, we can go to reference (only a part of the screenshots are given here). Similarly, for /etc/passwd, we can also view the meaning of each field through man 5 passwd.
Well, back to the PASSWORD field, let's take a look at the value of this field for the root user and charley, and we can see that there are some rules to follow in this value:
-
- $1$XXXXXXXX$XXXXXXXXXX.....
We can get the following information through this field:
-
- The number 1 in the first two dollar signs indicates that the encryption method is md5
- The string between the second and third dollar signs is the encrypted password salt
- The string after the third dollar sign is the encrypted feature code of the password plaintext
Now that we've talked about encryption and salts, let's review the basics about encryption. The encryption methods we usually use are as follows:
-
-
Symmetric encryption: use the same set of ciphers for encryption and decryption
- Public key encryption: each password is paired with a secret key and a public key. The encryption performed by the public key is decrypted using its paired private key, and vice versa. Relative to symmetric encryption, the speed is very slow. , generally not used for encryption, but key exchange
-
One-way encryption (hash encryption): can only encrypt but not decrypt. That is to say, the ciphertext can only be obtained from the plaintext, and the plaintext cannot be obtained from the ciphertext. After one-way encryption, a unique feature code is obtained, and the feature code of each data is unique, so it is also called fingerprint encryption. If the signature obtained by the two algorithms is the same, then it is the same piece of data. One-way encryption can be used for data verification. If the data is passively manipulated, the characteristic code of the data will be different. Commonly used hash encryption methods are:
- MD5: fixed-length 128-bit output feature code
- SHA1: fixed-length 160-bit output feature code
- There are other ways, mainly reflected in the difference in the output length of the feature code
- One-way encryption features:
- irreversible
- Avalanche effect: small changes in data can cause large changes in signatures
- Fixed-length output: Regardless of the length of the encrypted content, the length of the output feature code is the same
- Salting: If two users use the same password, the signature after MD5 hash encryption is the same. If one user accidentally finds that the signature of another user is the same as himself, then it can be inferred that another user has the same signature. A user's password. This is not very safe. For the sake of security, we need to use the avalanche effect in the hash encryption feature, and add some extra impurity (content) to the password, so that the encrypted feature code is very different. This process is called salting.
-
5.useradd command: add user
Having said so much, finally come to the real thing, use the useradd command to add a user in Linux. This command is as simple as adding a user with just useradd USERNAME.
We create a new user MIKE, and then view the corresponding content in /etc/passwd:
In the last line of /etc/passwd, we see the user just added, and the system automatically sets some attributes of the user, such as UID, GID, HOME DIR, etc. We can also manually specify the information of the new user:
-
- useradd -u UID: Specify UID, this UID must be greater than or equal to 500, and there is no UID occupied by other users
- useradd -g GID/GROUPNAME: Specify the default group, which can be GID or GROUPNAME, and must also exist
- useradd -G GROUPS: specify additional groups
- useradd -c COMMENT: Specifies the user's comment information
- useradd -d PATH: specify the user's home directory
- useradd -s SHELL: Specifies the user's default shell, preferably a path that exists in /etc/shells
- useradd -s /sbin/nologin: The user cannot log in. Remember that the system user we mentioned above cannot log in? We can see that the shell field of the system user is also /sbin/nologin
- echo $SHELL : View the shell type of the current user
- useradd -M USERNAME: create user but not home directory
- useradd -mk USERNAME: Create a home directory while creating a user, and copy the contents of /etc/skel to the home directory. About the /etc/skel directory will be explained again in the next Linux permission management.
- If the user does not have a home directory, you cannot switch to the user
6.userdel command: delete user
-
- userdel USERNAME: delete user
- userdel -r USERNAME: delete the user's home directory while deleting the user
7.id command: display account attribute information
-
- id -g USERNAME: show default group ID
- id -G USERNAME: show additional group id
- id -u USERNAME: show UID
- id -n -g/-G/-U: show the name of the default group/additional group/user
8.finger command: retrieve user information, more friendly than using the id command
9.usermod command: modify user information
-
- The basic usage is similar to useradd, here are the points to pay attention to
- usermod -G GROUPS USERNAME: changing the user's additional group will completely replace the original additional group
- usermod -G -a GROUPS USERNAME: Append additional groups to the original additional groups
- usermod -d PATH USERNAME: Modify the home directory. After modification, the files in the original home directory cannot be accessed because these files do not exist in the current home directory.
- usermod -l NEWNAME USERNAME: change username
- usermod -e USERNAME: Specify the expiration time for this user
- usermod -L USERNAME: lock user
- usermod -U USERNAME: Unlock user
10. Shortcut Commands
-
- chsh SHELL USERNAME: change the default shell
- chfn USERNAME: Modify the comment information to increase the user's detailed information, such as company, address, etc. Corresponding changes can be viewed by finger.
11.passwd
-
- passwd --stdio: read password from standard input passwd -l: lock user account (root only)
- echo "newpassword" | passwd --stdio MIKE
- passwd -u: Unlock user account (root only)
- passwd -d: Delete user password. The user cannot log in after the password is deleted.
- passwd --stdio: read password from standard input passwd -l: lock user account (root only)
12.pwch (password check): Check the integrity of the password file, you can get some warning information
13.groupadd command: add group
-
- groupadd -g GID GROUPNAME:指定GID
- groupadd -r GROUPNAME: add a system user group (-r also applies to useradd)
- groupadd -r apache
13.groupmod command: modify group
-
- groupmod -g NEWGID GROUPNAME: modify GID
- groupmod -n NEWGROUPNAME GROUPNAME: modify the group name
14.groupdel command: delete group
-
- groupdel GROUPNAME
15. gpasswd command: add a password to a group
-
-
gpasswd GROUPNAME
-
16.newgrp: Temporarily specify the basic group, which is described below.
17. The role of adding a password to a group
Why do you need to add a password to the group? Let's talk about the user's basic group first. It seems that we haven't talked about the basic group yet, hehe. The basic group is very simple. Linux stipulates that each user needs to be in a certain group, so when creating a user, we can specify the user's basic group (default group): useradd -g GROUPNAME USERNAME. If we do not manually specify the user's basic group, the system will create a group with the same name as the current user by default, and then set this group as the user's basic group. By default, the GID of the base group is the same as the user UID (if not occupied).
Why do users have to have a group? Because Linux stipulates that a file needs to have three permissions: the permissions of the owner of the file, the permissions of the group where the owner of the file belongs, and the permissions of other users. Therefore, if the file belongs mainly to no basic group, is it very embarrassing? This issue is addressed here first.
Looking back at the role of gpasswd, under normal circumstances we do not need to set a password for the group. Now put forward a requirement: when performing an operation, to use the permissions of other groups, you need to temporarily switch to other groups, but do not want to change the existing group, then you need to use the newgrp command, the newgrp command is used to temporarily switch User basic group, note that this operation is only valid for the current login. When using newgrp, we may be required to enter the group password. Why is it possible? Because when the extra group is temporarily set as the user's base group, no password is required. Passwords are only required if groups that were previously unrelated to the user are temporarily set as basic groups. To restore the basic group: exit or logout.
18. Summary
This article mainly introduces Linux user management and user group management, and introduces /etc/passwd and /etc/shadow, two files related to users. Files related to user groups are located in /etc/group and /etc/gshadow. In addition, common forms of encryption are introduced: symmetric encryption, public key encryption, and hash encryption. About users and user groups are introduced here. On this basis, we will introduce Linux permissions management in the next article, which belongs to the same series as this article.
Reprinted in: https://www.cnblogs.com/licheng/p/8370977.html