Linux permissions and user management
Privileges and User Categories
rwx stands for read/write/execute (permission), ugoa stands for owner/group/other/everyone (user category), MODE stands for 0000-7777 authority (digital representation)
File and directory permissions
Default permission umask command to view the default permission mask (/etc/umask) umask 2 ways to change the default permission umask MODE umask [ugoa][+-=][rwx]
| Types of | Default permissions |
|---|---|
| document | 0666-umask |
| content | 0777-umask |
Different meanings of file and directory permissions
| permission name | document | content |
|---|---|---|
| r | read file content | List directory files |
| w | Modify file content | Create/delete files |
| x | executable file | enter directory / show file details |
Privileges and User Class Commands
- chmod [ogoa] [+-=] [rwx] FILE/DIR (chmod MODE FILE/DIR)
- chown USER[:GRP] FILE/DIR Modify owner/group
- chgrp FILE/DIR modify group chmod chown chgrp command common options
- -R recursively modify directory permissions/owner/group
- -v display detailed processing information
- -c display changed information
- --reference=path/file path/file assign the former permission/owner/group to the latter
- --deference acts on the file pointed to by the soft link (chmod does not support)
special permissions
SUID : When running a program, the owner of the corresponding process is the owner of the program file itself, not the initiator. chmod u+s FILE If the original owner of the FILE has the execution permission, it will be displayed as s, otherwise it will be displayed as S
SGID : When running a program, the group of the corresponding process is the group of the program file itself, not the group of the initiator. chmod g+s FILE If the FILE has the original execution permission of the group, it is displayed as s, otherwise it is displayed as S. chmod g+s DIR Created in the directory The files are not their own basic group, but the subgroup of the directory.
Sticky : Set sticky special permissions for chmod o+t DIR the directory. You can create files in this directory, delete your own files, but not delete other people's files.
access control list
- getfacl FILE/DIR to view ACL information
- setfacl -[m|x] [D:]T:N:P FILE/DIR set/cancel ACL information
- m: set ACL
- x: cancel ACL
- D: Is it a directory (files in a directory inherit ACL recursively)
- T: [u|g] user or group
- N: UID|GID|username|groupname
- P: Permissions [rwx]
setfacl --mask PERM FILE set the mask in facl (cannot exceed the permission of umask)
hidden attribute
- chattr [+-=][ia] FILE/DIR modify hidden attribute
- a: The file can only add data, but cannot be deleted or modified.
- i: Operations like rename/delete/link/modify cannot be used on this file.
- lsattr FILE/DIR show hidden attributes
- -a show hidden files
- -d show directory attributes
- -R display recursively
User Management
User/group configuration
- User category (group category: administrator group/system group/general group)
- Administrator (root) UID=0
- System User UID=[1, 499]
- General user UID=[500, 65535]
Private group: When a user is created, the system automatically creates a group with the same name as the user. Additional group: Add an additional group for the user, and the user can switch to the additional group.
-
User and Group Information File
- /etc/passwd
- /etc/group
-
User and Group Shadow Password File
- /etc/shadow
- /etc/gshadow
-
Information in /etc/passwd Username: Password: UID: GID: Comment: Home Directory: Default SHELL
-
Information in /etc/group groupname:password:GID:list of users to which this group is an additional group
-
Information in /etc/shadowUsername:Password:Last Password Changed Time:Minimum Use Period:Maximum Use Period:Warning Time:Inactive Time:Expire Time:Reserved Minimum Use Period: Shortest Time to Change Password Again Period of use: The password must be changed within this time, otherwise the state-owned enterprise's time warning time: The account has not changed the password after the time has expired. The time of being warned Inactive time: The time that the account can continue to use after changing the password. Expiration time: The expiration time of the account.
/etc/login.defs User login default information (lower priority than /etc/shadow) /etc/shells All SHELL provided by the system
User management commands
- useradd USER add user
- -r create system account
- -p PASSWD specify default password for user account
- -m create home directory
- -M do not create home directory
- -b HOME_DIR specifies the home directory location
- -k must be used with -m to copy the contents of the /etc/skel directory to the user's home directory.
- usermod USER modifies user information
- -l NAME Modify user account name
- -L Lock user password (can't log in/invalid password)
- -U unlocks the password lock useradd/usermod common options
- -u UID specifies the UID
- -g INITIAL_GROUP specify GID or group name
- -d NAME specifies the home directory name
- -c COMMENT Add/modify user comments
- -s SHELL specifies the default login shell
- -G GROUP... specify user additional group
- -e EXPIRE_DATE specifies the account expiration time
- -f INACTIVE_DAYS Specifies account inactivity time immediately (0), never (-1)
- userdel USER delete user
- -r also deletes the user's home directory
- -f force delete even if user is online
- **id USER ** display user information
- -u UID
- -g GID
- -G additional group
- -n for -ugG display name instead of value
- -r display name instead of username
- chsh USER modifies the user's default login shell (same as usermod -s)
- chfn USER modifies user remarks (same as usermod -c)
- passwd USER adds a password to the user
- --stdin enter password from standard input
- -d delete the password (users can log in without entering a password)
- -S Display user password information
- -l Same as (usermod -L) lock user
- -u Same as (usermod -U) to unlock user
- -g Same as (gpasswd GROUP) set group password
- chage USER update user password information
- -l list the current chage settings
- -m MIN_DATE Minimum age unlimited (0)
- -M MAX_DATE maximum age
- -w WARN_DATE warning time
- -E EXPIRE_DATE expiration time
- -d LAST_PSWD_DATE to modify the last password change time
- -i INACTIVE_DATE inactive time
- pwck check user account integrity -q report errors only -s sort files by user ID -r run command read-only
- groupadd GROUP create group
- -g GID specify GID
- -r set to system group
- groupmod GROUP modify group information
- -g GID specify GID
- -n NAME change group name
- groupdel GROUP delete group
- gpasswd GROUP set group password
- -a USER add user to group
- -d USER remove user from group
- -A USER... specify group administrator
- -M USER... specify group members
- -r remove group password
- -R limit user group (only members of the group can use newgrap to join the group)
- newgrp GROUP switch to a new group