10 Linux Practical Operations - Group Management and Rights Management
- The course video is from Station B (Bilibili): [Beginner-friendly] 2021 Han Shunping, Learn Linux in a Week.
- The materials that may be needed are listed below; the download link is at the end of the article:
This chapter is important and a little difficult to understand.
10.1 Linux group management
10.1.1 Basic Introduction of Linux Group
The concept of a user group was introduced in Chapter 8, User Management (see Section 8.6 for details). This section goes further into the "owner", "group" and "other groups" of files and directories. Every user in Linux must belong to a group and cannot exist outside one, just as everyone in real life has a nationality. When creating a new user you can specify which group to add the user to; if no group is specified, the system creates a group with the same name as the user by default and puts the user into it. A user's group can of course be changed later with root privileges:
# Basic syntax: change the group a user belongs to
usermod -g new_group username
# Basic syntax: change the initial (home) directory the user lands in at login
usermod -d directory username # note: the user must have permission to enter the new directory!
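The `id wolf` output later in this chapter shows how a primary group is really just the gid field of the user's /etc/passwd entry, which is exactly what `useradd -g` and `usermod -g` write. The script below is an added example (not from the tutorial): it joins /etc/passwd with /etc/group the way `id` does and, going a step further than the text, lists every member of a given group, which is the check to run before relying on a group-level permission. The passwd and group contents, and the user names in them, are constructed sample data; on a real host pass the contents of the real files instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): resolve group membership by joining
# /etc/passwd (field 4 = primary gid, set by useradd -g / usermod -g) with
# /etc/group (field 3 = gid, field 4 = comma-separated supplementary members).
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed data so this runs offline.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001::/home/tom:/bin/bash
wolf:x:1010:1010::/home/wolf:/bin/bash
nick:x:1011:1010::/home/nick:/bin/bash
sheep:x:1012:1011::/home/sheep:/bin/bash'

SAMPLE_GROUP='root:x:0:
tom:x:1001:
police:x:1010:tom
bandit:x:1011:'

# primary_gid USER PASSWD_TEXT -> gid field of USER's passwd entry (fails if absent)
primary_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; f = 1 } END { exit !f }'
}

# group_name GID GROUP_TEXT -> name of the group with that gid (fails if absent)
group_name() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; f = 1 } END { exit !f }'
}

# id_line USER PASSWD_TEXT GROUP_TEXT -> "uid=N(user) gid=M(group)",
# the leading part of what `id USER` prints
id_line() {
    uid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 }')
    gid=$(primary_gid "$1" "$2") || { echo "no such user: $1" >&2; return 1; }
    gname=$(group_name "$gid" "$3") || gname=
    printf 'uid=%s(%s) gid=%s(%s)\n' "$uid" "$1" "$gid" "$gname"
}

# members_of GROUP PASSWD_TEXT GROUP_TEXT -> every user in GROUP, sorted:
# users whose primary gid is the group's, plus users named in its member field.
members_of() {
    gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3; f = 1 } END { exit !f }') \
        || { echo "no such group: $1" >&2; return 1; }
    {
        printf '%s\n' "$2" | awk -F: -v g="$gid" '$4 == g { print $1 }'
        printf '%s\n' "$3" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u
}

id_line wolf "$SAMPLE_PASSWD" "$SAMPLE_GROUP"       # uid=1010(wolf) gid=1010(police)
members_of police "$SAMPLE_PASSWD" "$SAMPLE_GROUP"  # nick, tom, wolf (one per line)
```

In the sample data wolf and nick are police by primary gid while tom is police only through the member field; `members_of` reports all three, which is why auditing a group from /etc/group alone misses members.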
Since every user belongs to some group, every file also has an "owner", a "group" and "other groups". The picture above shows their relationship. As shown in the figure, when the user tom creates a file a.txt, the owner of a.txt is tom by default (it can of course be changed to another owner). The group tom belongs to becomes the group of a.txt by default, and every member of that group has permission A on the file; all other groups on the system are the "other groups" of a.txt, and their users have permission B on the file. "Permission A" and "permission B" here are generic labels for two different sets of permissions, which are explained in detail later.
10.1.2 Owner: modifying with chown
The "owner" is normally the creator of the file or directory: whoever creates it becomes its owner by default. The basic syntax for viewing and changing the owner of a file or directory:
# Basic syntax: view the owner of a file/directory
ls -ahl
# Basic syntax: change the owner of a file/directory
chown new_owner file_or_directory # change the owner
chown new_owner:new_group file_or_directory # change the owner and the group
# Common option for chown
-R if the target is a directory, apply recursively to every file and subdirectory under it
Three application cases follow: the first views the "owner" and the other two modify it (a file is used as the example; directories work the same way):
# [Case 1: view the owner] As root, create the file /home/a.txt and view its owner.
[root@CentOS76 ~]# cd /home
[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# ls -ahl
总用量 32K
drwxr-xr-x. 8 root root 4.0K 7月 20 11:10 .
dr-xr-xr-x. 18 root root 4.0K 7月 13 17:12 ..
-rw-r--r--. 1 root root 0 7月 20 11:09 a.txt
drwx------. 3 jack jack 4.0K 7月 20 11:09 jack
drwx------. 3 king king 4.0K 7月 20 11:09 king
drwx------. 15 lyl lyl 4.0K 7月 13 17:38 lyl
drwx------. 3 milan milan 4.0K 7月 20 11:09 milan
drwx------. 3 tom tom 4.0K 7月 20 11:08 tom
drwx------. 3 zwj wudang 4.0K 7月 20 11:10 zwj
# The third column above is the owner of each file
# [Case 2: modify the owner] Change the owner of /home/a.txt above to tom.
[root@CentOS76 home]# chown tom a.txt
[root@CentOS76 home]# ls -ahl
总用量 32K
drwxr-xr-x. 8 root root 4.0K 7月 20 11:10 .
dr-xr-xr-x. 18 root root 4.0K 7月 13 17:12 ..
-rw-r--r--. 1 tom root 0 7月 20 11:09 a.txt
drwx------. 3 jack jack 4.0K 7月 20 11:09 jack
drwx------. 3 king king 4.0K 7月 20 11:09 king
drwx------. 15 lyl lyl 4.0K 7月 13 17:38 lyl
drwx------. 3 milan milan 4.0K 7月 20 11:09 milan
drwx------. 3 tom tom 4.0K 7月 20 11:08 tom
drwx------. 3 zwj wudang 4.0K 7月 20 11:10 zwj
# [Case 3: modify the owner] Create the directory /home/kkk and change the owner and group of every file and directory under kkk to tom.
[root@CentOS76 home]# mkdir kkk
[root@CentOS76 home]# touch ./kkk/a.txt
[root@CentOS76 home]# touch ./kkk/b.txt
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root root 0 7月 21 11:35 a.txt
-rw-r--r--. 1 root root 0 7月 21 11:35 b.txt
[root@CentOS76 home]# chown -R tom:tom kkk
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 tom tom 0 7月 21 11:35 a.txt
-rw-r--r--. 1 tom tom 0 7月 21 11:35 b.txt
Note: for this case I restored the virtual machine to its original state and then recreated all the users. The first time, I had not restored the virtual machine beforehand, which I suspect caused a serious bug.
[root@CentOS76 home]# cd /home
[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# ls -ahl
总用量 36K
drwxr-xr-x. 9 root root 4.0K 7月 20 10:43 .
dr-xr-xr-x. 18 root root 4.0K 7月 17 11:49 ..
-rw-r--r--. 1 root root 0 7月 20 10:43 a.txt
drwx------. 3 tom a 4.0K 7月 15 15:49 jack
drwx------. 5 jerry jerry 4.0K 7月 16 16:31 jerry
drwx------. 3 milan jerry 4.0K 7月 15 15:50 king
drwx------. 15 lyl lyl 4.0K 7月 15 10:59 lyl
drwx------. 5 zwj wudang 4.0K 7月 15 12:12 milan
drwx------. 3 zwj a 4.0K 7月 15 15:08 tom
drwx------. 3 jerry 1009 4.0K 7月 16 10:35 zwj
# The third column above is the owner of each file
10.1.3 Group: modifying with chgrp
Naturally, when a user creates a file or directory, the user's group becomes the "group" of that file or directory. The basic syntax for viewing and changing the group of a file or directory:
# Basic syntax: view the group of a file/directory
ls -ahl
# Basic syntax: change the group of a file/directory
chgrp new_group file_or_directory # change the group
# Common option for chgrp
-R if the target is a directory, apply recursively to every file and subdirectory under it
Three application cases follow (a file is used as the example; directories work the same way):
Tip: in Lao Han's demonstration of Case 1 and Case 2 he logs out of Xshell and logs in again as the other user, rather than switching directly with su - username.
# [Case 1: view the group] Log in as fox, create the file /home/fox/ok.txt, and view its group.
[fox@CentOS76 ~]$ pwd
/home/fox
[fox@CentOS76 ~]$ touch ok.txt
[fox@CentOS76 ~]$ ls
ok.txt
[fox@CentOS76 ~]$ ll
总用量 0
-rw-r--r--. 1 fox monster 0 7月 20 11:43 ok.txt
# Above, the third column shows that the owner is fox and the fourth that the group is monster.
# [Case 2: modify the group] Log in as root, create the group fruit, and change the group of /home/fox/ok.txt above to fruit.
[root@CentOS76 ~]# groupadd fruit
[root@CentOS76 ~]# chgrp fruit /home/fox/ok.txt
[root@CentOS76 ~]# ll /home/fox
总用量 0
-rw-r--r--. 1 fox fruit 0 7月 20 11:43 ok.txt
# [Case 3: modify the group] Log in as root, create the directory /home/kkk, and change the group of every file and directory under it to shaolin.
[root@CentOS76 home]# mkdir kkk
[root@CentOS76 home]# touch ./kkk/a.txt
[root@CentOS76 home]# touch ./kkk/b.txt
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root root 0 7月 21 11:58 a.txt
-rw-r--r--. 1 root root 0 7月 21 11:58 b.txt
[root@CentOS76 home]# chgrp -R shaolin kkk
[root@CentOS76 home]# ll
总用量 32
drwxr-xr-x. 2 root shaolin 4096 7月 21 11:58 kkk
# the remaining files/directories are omitted
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root shaolin 0 7月 21 11:58 a.txt
-rw-r--r--. 1 root shaolin 0 7月 21 11:58 b.txt
10.1.4 Other groups
Apart from the "owner" and the users in the file's or directory's "group", every other user on the system belongs to its "other groups".
10.2 Linux permission management
10.2.1 Detailed explanation of rwx permissions
Permissions are an important point in Linux and a relatively difficult one. As mentioned in Section 10.1, the members of a file's own group and of "other groups" have different permissions on the file. How many kinds of permission are there in Linux, and how are they assigned? This section explains. As an example, log in as root, create the file /home/a.txt, write the 6 characters "hello~" into it, and then list the files with ll:
[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# echo "hello~" >> a.txt
[root@CentOS76 home]# ll
总用量 48
-rw-r--r--. 1 root root 7 7月 21 19:05 a.txt
drwx------. 5 fox monster 4096 7月 22 09:31 fox
drwx------. 3 jack jack 4096 7月 20 11:09 jack
drwxrwxr-x. 5 judy police 4096 7月 21 17:05 judy
drwx------. 3 king king 4096 7月 20 11:09 king
drwx------. 15 lyl lyl 4096 7月 13 17:38 lyl
drwx------. 3 milan milan 4096 7月 20 11:09 milan
lrwxrwxrwx. 1 root root 5 7月 22 09:55 myroot -> /root
drwx------. 3 nick police 4096 7月 21 16:21 nick
drwx------. 5 sheep bandit 4096 7月 21 17:05 sheep
drwx------. 5 tom tom 4096 7月 21 11:06 tom
drwx------. 5 wolf police 4096 7月 21 17:05 wolf
drwx------. 3 zwj mojiao 4096 7月 20 11:10 zwj
Take the first line above, a.txt, as an example and look at the meaning of each column in detail:
- [Column 1] 10 characters that determine the permissions different users have on the file. The first character is the file type (the common ones are -, b, c, d, l). The remaining 9 characters come in three groups of 3 (rwx), each representing read (r), write (w) and execute (x) permission.
  - [Bit 0] The file type (the common ones are -, b, c, d, l): - is an ordinary file; b is a block device, such as a hard disk under /dev; c is a character device, such as a mouse or keyboard under /dev; d is a directory, equivalent to a folder in Windows; l is a link, equivalent to a shortcut in Windows.
  - [Bits 1, 2, 3] The "owner's" rwx permissions on the file (User).
  - [Bits 4, 5, 6] The rwx permissions of the other users in the file's "group" (Group).
  - [Bits 7, 8, 9] The rwx permissions of all users in "other groups" (Other).
- [Column 2] 1: the "hard link count" of a file, or the "number of subdirectories + files" of a directory. Here a.txt is an ordinary file, so it is 1.
- [Column 3] root: the file's owner. Here the owner of a.txt is obviously root.
- [Column 4] root: the group the file belongs to. Here the group of a.txt is root, the same-named group of the root user.
- [Column 5] 7: for a file, its total size in bytes (unit: Byte); for a folder, 4096 is shown. Here, although only the 6 characters "hello~" were written into a.txt, a string terminator \0 is automatically appended at the end of the file, so there are 7 characters in total.
- [Columns 6, 7, 8] 7月 21 19:05: the last modification date of the file/directory.
- [Column 9] a.txt: the file/directory name.
So what exactly are rwx permissions? A detailed explanation follows [this is the hard part]. In Linux the rwx permissions mean different things for "files" and for "directories":
rwx permissions of a file:
- [r] readable (read): the file can be read and viewed.
- [w] writable (write): the file can be modified, but this does not mean the file can be deleted. The prerequisite for deleting a file is write permission on the directory that contains it.
- [x] executable (execute): the system can execute the file with ./filename. For example, write ls -al into a file a.txt that has execute permission, then type ./a.txt in the terminal, and that command is executed.
- [-] the corresponding permission is absent.
rwx permissions of a directory:
- [r] readable (read): the list of files in the directory can be read, for example with ls.
- [w] writable (write): the directory's file list can be modified, that is, files and directories under it can be deleted, created and renamed.
- [x] executable (execute): the directory can be entered, which is very different from the x permission of a file. With only x permission you can still read and write those files inside the directory that you have read and write permission on, but it is like looking for something in the dark: everything depends on memory.
- [-] the corresponding permission is absent.
Example a.txt: -rw-r--r-- therefore means that a.txt is an ordinary file; the "owner" has "read" and "write" permission but cannot "execute"; the other users in the "group" have only "read" permission; and all users in "other groups" also have only "read" permission.
Note: Linux encodes the permissions with BCD 8421 weights: r=4, w=2, x=1. The digits 0 to 7 can therefore express any combination of the three permissions.
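The weights r=4, w=2, x=1 are what make `chmod 751` and `chmod u=rwx,g=rx,o=x` the same command. The script below is an added example (not from the tutorial): it converts the permission column that `ls -l` prints into the octal mode that chmod accepts and back, and splits a whole `ll` line into file type, octal mode, owner and group. The two sample lines are constructed in the format of the tutorial's listings; no root is needed.

```shell
#!/bin/sh
# Added example (not from the tutorial): convert between the rwx column of
# `ls -l` and the octal mode chmod takes, using r=4, w=2, x=1.
# Pure POSIX sh. The sample lines at the bottom are constructed for the demo.

# One rwx triplet -> one octal digit. `s` and `t` (setuid/setgid/sticky, not
# covered in this chapter) also imply the execute bit, so they count as x.
triplet_to_digit() {
    case "$1" in
        [r-][w-][xst-]) ;;
        *) echo "bad permission triplet: '$1'" >&2; return 1 ;;
    esac
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# "rwxr-x--x" or "-rwxr-x--x" (with the file-type character) -> "751"
perm_to_octal() {
    p=$1
    case "${#p}" in
        10) p=${p#?} ;;   # drop the leading file-type character
        9)  ;;
        *)  echo "expected 9 or 10 characters, got '$1'" >&2; return 1 ;;
    esac
    u=$(triplet_to_digit "$(printf '%s' "$p" | cut -c1-3)") || return 1
    g=$(triplet_to_digit "$(printf '%s' "$p" | cut -c4-6)") || return 1
    o=$(triplet_to_digit "$(printf '%s' "$p" | cut -c7-9)") || return 1
    echo "$u$g$o"
}

# One octal digit -> rwx triplet
digit_to_triplet() {
    case "$1" in
        [0-7]) ;;
        *) echo "octal digit expected, got '$1'" >&2; return 1 ;;
    esac
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# "751" -> "rwxr-x--x" (what `ll` shows after `chmod 751`)
octal_to_perm() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "three octal digits expected, got '$1'" >&2; return 1 ;;
    esac
    m=$1
    printf '%s%s%s\n' \
        "$(digit_to_triplet "${m%??}")" \
        "$(digit_to_triplet "$(printf '%s' "$m" | cut -c2)")" \
        "$(digit_to_triplet "${m#??}")"
}

# Split one `ls -l` line into "type octal-mode owner group". The trailing "."
# or "+" printed after the mode (SELinux context / ACL marker) is stripped first.
describe_ls_line() {
    set -- $1                 # split on whitespace: mode links owner group ...
    mode=${1%[.+]}
    case "$mode" in
        -*) type=regular ;;
        d*) type=directory ;;
        l*) type=symlink ;;
        b*) type=block-device ;;
        c*) type=char-device ;;
        *)  type=other ;;
    esac
    printf '%s %s %s %s\n' "$type" "$(perm_to_octal "$mode")" "$3" "$4"
}

# Constructed sample lines in the format of the tutorial's listings.
SAMPLE_FILE_LINE='-rw-r--r--. 1 root root 7 7月 21 19:05 a.txt'
SAMPLE_DIR_LINE='drwxrwxr-x. 5 judy police 4096 7月 21 17:05 judy'

perm_to_octal rwxr-x--x                # 751
octal_to_perm 755                      # rwxr-xr-x
describe_ls_line "$SAMPLE_FILE_LINE"   # regular 644 root root
describe_ls_line "$SAMPLE_DIR_LINE"    # directory 775 judy police
```

Feeding a listing through `describe_ls_line` is a quick way to spot entries whose group or mode is not what the chapter's cases intended, for instance a group-writable home directory like the judy line above.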
10.2.2 Modifying permissions: chmod
As the description above shows, a file or directory is given default permissions as soon as it is created, but sometimes these are not appropriate; for example, I may want every user in the "group" to have rw permission on the file. That is when the chmod command is used to change permissions. Two ways of using chmod are shown here, followed by some examples:
# Basic syntax: chmod
# [Method 1] change permissions with +, -, =;  u: owner  g: group  o: others  a: everyone (u, g and o together)
chmod u=rwx,g=rx,o=x file_or_directory # give the owner rwx, the group rx and others x
chmod o+w file_or_directory # add w permission for others
chmod a-x file_or_directory # remove x permission from everyone
# [Method 2] r=4, w=2, x=1
chmod 751 file_or_directory # equivalent to chmod u=rwx,g=rx,o=x file_or_directory
Four application cases follow:
[Case 1: using +, -, =] Give the owner of the file abc read/write/execute permission, give the group read/execute permission, and give other groups read/execute permission.
[root@CentOS76 home]# touch abc
[root@CentOS76 home]# chmod a-rwx abc
[root@CentOS76 home]# ll
总用量 28
----------. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
[root@CentOS76 home]# chmod u=rwx,g=rx,o=rx abc
[root@CentOS76 home]# ll
总用量 28
-rwxr-xr-x. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
[Case 2: using +, -, =] Remove the owner's execute permission on the file abc and add write permission for the group.
[root@CentOS76 home]# chmod u-x,g+w abc
[root@CentOS76 home]# ll
总用量 28
-rw-rwxr-x. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
[Case 3: using +, -, =] Give all users read permission on the file abc.
[root@CentOS76 home]# chmod a+r abc
[root@CentOS76 home]# ll
总用量 28
-rw-rwxr-x. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
[Case 4: using numbers] Change the permissions of the file abc to --------- and then to rwxr-xr-x.
[root@CentOS76 home]# chmod 000 abc
[root@CentOS76 home]# ll
总用量 28
----------. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
[root@CentOS76 home]# chmod 755 abc
[root@CentOS76 home]# ll
总用量 28
-rwxr-xr-x. 1 root root 0 7月 21 11:15 abc
# the remaining files/directories are omitted
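The `o+w` form above is the one to be careful with: it lets every user on the system write to the file, and `chmod 777` on a directory lets anyone create, delete or rename entries in it. The script below is an added example (not from the tutorial): it builds a small constructed tree under mktemp, finds every entry whose mode carries the other-write bit (octal 002, the `w` in the last triplet), strips that bit with the same symbolic syntax the chapter uses, and re-checks. File and directory names in the sandbox are made up for the demo; it needs no root.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a directory tree for entries
# writable by "other" (the o+w bit) and remove that bit. The sandbox tree is
# constructed with mktemp so the script runs anywhere without root.

# Print every path under $1 whose mode has the other-write bit (002) set.
# Symlinks are skipped: their own mode is always rwxrwxrwx and is not enforced.
list_world_writable() {
    find "$1" -perm -002 ! -type l 2>/dev/null | sort
}

# Number of such entries, handy as a pass/fail check in a hardening script.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the other-write bit from everything list_world_writable reports.
# `o-w` is the same symbolic form as the chmod o+w / a-x examples in the text.
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Constructed sandbox: one safe file, one world-writable file,
# one world-writable directory holding a safe file. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt";     chmod 644 "$dir/notes.txt"      # rw-r--r--  fine
    : > "$dir/shared.txt";    chmod 666 "$dir/shared.txt"     # rw-rw-rw-  o+w
    mkdir "$dir/dropbox";     chmod 777 "$dir/dropbox"        # rwxrwxrwx  o+w
    : > "$dir/dropbox/a.txt"; chmod 640 "$dir/dropbox/a.txt"  # rw-r-----  fine
    printf '%s\n' "$dir"
}

# Demo run when executed directly.
sandbox=$(make_sandbox)
echo "before: $(count_world_writable "$sandbox") world-writable entries"   # 2
fix_world_writable "$sandbox"
echo "after:  $(count_world_writable "$sandbox") world-writable entries"   # 0
rm -rf "$sandbox"
```

`find -perm -002` matches when all of the given bits are set, so the same call finds both world-writable files and world-writable directories; to report instead of repair, run only `list_world_writable` on the tree.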
10.2.3 Exercises: Zootopia
This exercise uses "Zootopia" as its setting to practise changing a user's group and modifying file permissions. Specifically, do the following:
- Create two groups (police, bandit), two police users (nick, judy) and two bandit users (sheep, wolf). Their grouping is shown in the figure above.
- Log in as root and record that wolf has defected to the police.
- Log in as judy, create the file judy.txt, and set its permissions so that judy can read and write, members of the group can read and write, and users in other groups can only read.
- Log in as wolf and verify that members of the same group can read and write.
- Log in as sheep and verify that users in other groups can only read.
# 1. Log in as root, create the groups and users, and set every user's password to be the same as the user name.
[root@CentOS76 home]# groupadd police
[root@CentOS76 home]# groupadd bandit
[root@CentOS76 home]# useradd -g police nick
[root@CentOS76 home]# useradd -g police judy
[root@CentOS76 home]# useradd -g bandit sheep
[root@CentOS76 home]# useradd -g bandit wolf
[root@CentOS76 home]# passwd judy
更改用户 judy 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd nick
更改用户 nick 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd sheep
更改用户 sheep 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd wolf
更改用户 wolf 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
# 2. Log in as root and record that wolf has defected to the police
[root@CentOS76 ~]# id wolf
uid=1010(wolf) gid=1011(bandit) 组=1011(bandit)
[root@CentOS76 ~]# usermod -g police wolf
[root@CentOS76 ~]# id wolf
uid=1010(wolf) gid=1010(police) 组=1010(police)
# 3. Log in as judy, create /home/judy/judy.txt, and set its permissions so that judy can read and write, group members can read and write, and users in other groups can only read.
[judy@CentOS76 ~]$ touch judy.txt
[judy@CentOS76 ~]$ ll
总用量 0
-rw-r--r--. 1 judy police 0 7月 21 16:26 judy.txt
[judy@CentOS76 ~]$ chmod g=rw,o=r judy.txt # change the file permissions
[judy@CentOS76 ~]$ ll
总用量 0
-rw-rw-r--. 1 judy police 0 7月 21 16:26 judy.txt
[judy@CentOS76 ~]$ chmod g=rwx,o=rx /home/judy # change the directory permissions
[judy@CentOS76 ~]$ ll /home
总用量 44
drwxrwxr-x. 5 judy police 4096 7月 21 16:26 judy
# the other directories/files in /home are omitted.
# Note that the directory permissions must be changed too; otherwise the other members of the group cannot enter the folder at all.
# 4. Log in as wolf: judy.txt can be both read and written.
[wolf@CentOS76 ~]$ ll /home/judy
总用量 0
-rw-rw-r--. 1 judy police 0 7月 21 16:26 judy.txt
[wolf@CentOS76 ~]$ vim /home/judy/judy.txt
[wolf@CentOS76 ~]$ echo "i am wolf" >> /home/judy/judy.txt
[wolf@CentOS76 ~]$ cat /home/judy/judy.txt
i am wolf
# 5. Log in as sheep: the file can only be read, not written.
[sheep@CentOS76 ~]$ ll /home/judy
总用量 4
-rw-rw-r--. 1 judy police 10 7月 21 16:57 judy.txt
[sheep@CentOS76 ~]$ echo "i am sheep" >> /home/judy/judy.txt
-bash: /home/judy/judy.txt: 权限不够
[sheep@CentOS76 ~]$ cat /home/judy/judy.txt
i am wolf
Conclusions:
- To read or write files in a directory, you first need execute permission on that directory.
- For other users to enter a directory and list its contents, the directory needs at least two permissions: read and execute.
- Xshell reads the user's environment (including group membership and other settings) at login. If root changes a user's group, the simplest way to pick up the change is to log that user in again.