10 Linux Practical Operations - Group Management and Rights Management

  1. "Bird Brother's Linux Private Kitchen: Basic Learning, 4th Edition"
  2. "Bird Brother's Linux Private Kitchen: Server Setup, 3rd Edition"
  3. "Han Shunping: 2021 Illustrated Linux, Comprehensive Upgrade"

This chapter is fairly important and a little difficult to understand.

10.1 Linux group management

10.1.1 Basic Introduction of Linux Group

  In "Chapter 8 User Management" the concept of a "user group" was already introduced (see section 8.6); this section goes further into the "owner", "group" and "other groups" of files/directories. Every user in Linux must belong to a group and cannot exist outside one, just as everyone has a nationality in real life. When creating a new user you can specify which group to add the user to; if no group is given, the system creates a group with the same name as the user by default and puts the user into it. With root privileges you can of course change the group a user belongs to:

# Basic syntax - change the group a user belongs to
usermod -g 新组名 用户名    # usermod -g <new group> <username>

# Basic syntax - change the user's initial login directory
usermod -d 目录名 用户名    # usermod -d <directory> <username>; the user must have permission to enter the new directory!
[Figure 10-1: file a.txt created by tom; labels: owner, creator, group, other groups; group 1 (milan, king, ...) and group 2 (tom, jack, ...)]
Figure 10-1 The owner, group, and other groups of the file

Since every user belongs to a group, each file also has an "owner", a "group" and "other groups". The figure above shows the relationship between them. When user tom creates the file a.txt, the "owner" of a.txt is tom by default (it can later be changed to another owner). The group tom belongs to becomes the "group" of a.txt by default, and every member of that group has permission A on the file; all the remaining groups in Linux are the "other groups" of a.txt, and users in those groups have permission B on the file. "Permission A" and "permission B" are placeholders here for two different sets of permissions, which are explained in detail later.

10.1.2 Owner - Modify with chown

The "owner" is generally the creator of the file/directory, and whoever creates the file/directory will naturally become the owner of the file/directory. Here is the basic syntax for viewing and modifying the "owner" of a file/directory:

# Basic syntax - view the owner of a file/directory
ls -ahl


# Basic syntax - change the owner of a file/directory
chown 新的所有者 文件/目录              # chown <new owner> <file/dir>: change the owner
chown 新的所有者:新的所在组 文件/目录    # chown <new owner>:<new group> <file/dir>: change owner and group

# Common option - chown
-R  if the target is a directory, apply recursively to every file and subdirectory under it

Three application cases follow; the first views the "owner" and the other two modify it [a file is used as the example; directories work the same way]:

# [Case 1 - view the owner] As root, create /home/a.txt and view its owner.
[root@CentOS76 ~]# cd /home
[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# ls -ahl
总用量 32K
drwxr-xr-x.  8 root  root   4.0K 720 11:10 .
dr-xr-xr-x. 18 root  root   4.0K 713 17:12 ..
-rw-r--r--.  1 root  root      0 720 11:09 a.txt
drwx------.  3 jack  jack   4.0K 720 11:09 jack
drwx------.  3 king  king   4.0K 720 11:09 king
drwx------. 15 lyl   lyl    4.0K 713 17:38 lyl
drwx------.  3 milan milan  4.0K 720 11:09 milan
drwx------.  3 tom   tom    4.0K 720 11:08 tom
drwx------.  3 zwj   wudang 4.0K 720 11:10 zwj
# The third column above is each file's owner


# [Case 2 - modify the owner] Change the owner of /home/a.txt above to tom.
[root@CentOS76 home]# chown tom a.txt 
[root@CentOS76 home]# ls -ahl
总用量 32K
drwxr-xr-x.  8 root  root   4.0K 720 11:10 .
dr-xr-xr-x. 18 root  root   4.0K 713 17:12 ..
-rw-r--r--.  1 tom   root      0 720 11:09 a.txt
drwx------.  3 jack  jack   4.0K 720 11:09 jack
drwx------.  3 king  king   4.0K 720 11:09 king
drwx------. 15 lyl   lyl    4.0K 713 17:38 lyl
drwx------.  3 milan milan  4.0K 720 11:09 milan
drwx------.  3 tom   tom    4.0K 720 11:08 tom
drwx------.  3 zwj   wudang 4.0K 720 11:10 zwj


# [Case 3 - modify the owner] Create directory /home/kkk and change the owner and group of every file and directory under kkk to tom.
[root@CentOS76 home]# mkdir kkk
[root@CentOS76 home]# touch ./kkk/a.txt
[root@CentOS76 home]# touch ./kkk/b.txt
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root root 0 721 11:35 a.txt
-rw-r--r--. 1 root root 0 721 11:35 b.txt
[root@CentOS76 home]# chown -R tom:tom kkk
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 tom tom 0 721 11:35 a.txt
-rw-r--r--. 1 tom tom 0 721 11:35 b.txt

Note: for the following case I restored the virtual machine to its original state and then re-created all the users. The first time through I had not restored the virtual machine, which I suspect is what produced a serious bug.

[root@CentOS76 home]# cd /home
[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# ls -ahl
总用量 36K
drwxr-xr-x.  9 root  root   4.0K 720 10:43 .
dr-xr-xr-x. 18 root  root   4.0K 717 11:49 ..
-rw-r--r--.  1 root  root      0 720 10:43 a.txt
drwx------.  3 tom   a      4.0K 715 15:49 jack
drwx------.  5 jerry jerry  4.0K 716 16:31 jerry
drwx------.  3 milan jerry  4.0K 715 15:50 king
drwx------. 15 lyl   lyl    4.0K 715 10:59 lyl
drwx------.  5 zwj   wudang 4.0K 715 12:12 milan
drwx------.  3 zwj   a      4.0K 715 15:08 tom
drwx------.  3 jerry   1009 4.0K 716 10:35 zwj
# The third column above is each file's owner

10.1.3 Group - Modify with chgrp

When a user creates a file/directory, the user's group naturally becomes the "group" of that file/directory. Here is the basic syntax for viewing and modifying the "group" of a file/directory:

# Basic syntax - view the group of a file/directory
ls -ahl

# Basic syntax - change the group of a file/directory
chgrp 新的所在组 文件/目录      # chgrp <new group> <file/dir>: change the group

# Common option - chgrp
-R  if the target is a directory, apply recursively to every file and subdirectory under it

Three application cases follow [a file is used as the example; directories work the same way]:

Tip: In Lao Han's demonstration of [Case 1] and [Case 2], he logs out of Xshell and logs back in as the other user rather than switching directly with su - 用户名.

# [Case 1 - view the group] Log in as fox, create /home/ok.txt and view its group.
[fox@CentOS76 ~]$ pwd
/home/fox
[fox@CentOS76 ~]$ touch ok.txt
[fox@CentOS76 ~]$ ls
ok.txt
[fox@CentOS76 ~]$ ll
总用量 0
-rw-r--r--. 1 fox monster 0 720 11:43 ok.txt
# In the third column above the owner is fox; the fourth column shows the group, monster.


# [Case 2 - modify the group] Log in as root, create the group fruit, and change the group of /home/fox/ok.txt to fruit.
[root@CentOS76 ~]# groupadd fruit
[root@CentOS76 ~]# chgrp fruit /home/fox/ok.txt 
[root@CentOS76 ~]# ll /home/fox
总用量 0
-rw-r--r--. 1 fox fruit 0 720 11:43 ok.txt


# [Case 3 - modify the group] Log in as root, create /home/kkk, and change the group of every file and directory under it to shaolin.
[root@CentOS76 home]# mkdir kkk
[root@CentOS76 home]# touch ./kkk/a.txt
[root@CentOS76 home]# touch ./kkk/b.txt
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root root 0 721 11:58 a.txt
-rw-r--r--. 1 root root 0 721 11:58 b.txt
[root@CentOS76 home]# chgrp -R shaolin kkk
[root@CentOS76 home]# ll
总用量 32
drwxr-xr-x.  2 root  shaolin 4096 721 11:58 kkk
# The remaining files/directories are omitted
[root@CentOS76 home]# ll kkk
总用量 0
-rw-r--r--. 1 root shaolin 0 721 11:58 a.txt
-rw-r--r--. 1 root shaolin 0 721 11:58 b.txt

10.1.4 Other groups

Apart from the "owner" and the users in the file/directory's "group", all other users of the system count as the "other groups" of that file/directory.

10.2 Linux permission management

10.2.1 Detailed explanation of rwx permissions

  Permissions are an important and relatively difficult topic in Linux. As mentioned in Section 10.1, members of a file's "group" and of "other groups" have different permissions on the file. How many kinds of permission does Linux have, and how are they assigned? This section explains. For example, log in as root, create the file /home/a.txt, write the 6 characters "hello~" into it, and then list the files with ll:

[root@CentOS76 home]# touch a.txt
[root@CentOS76 home]# echo "hello~" >> a.txt
[root@CentOS76 home]# ll
总用量 48
-rw-r--r--.  1 root  root       7 721 19:05 a.txt
drwx------.  5 fox   monster 4096 722 09:31 fox
drwx------.  3 jack  jack    4096 720 11:09 jack
drwxrwxr-x.  5 judy  police  4096 721 17:05 judy
drwx------.  3 king  king    4096 720 11:09 king
drwx------. 15 lyl   lyl     4096 713 17:38 lyl
drwx------.  3 milan milan   4096 720 11:09 milan
lrwxrwxrwx.  1 root  root       5 722 09:55 myroot -> /root
drwx------.  3 nick  police  4096 721 16:21 nick
drwx------.  5 sheep bandit  4096 721 17:05 sheep
drwx------.  5 tom   tom     4096 721 11:06 tom
drwx------.  5 wolf  police  4096 721 17:05 wolf
drwx------.  3 zwj   mojiao  4096 720 11:10 zwj

Let's take the first line above, a.txt, as an example and explain each column in detail:

  • [Column 1] 10 characters: determine the permissions different users have on the file. The first character is the file type (commonly -, b, c, d, l). The remaining 9 characters come in three groups of 3 (rwx), each representing read (r), write (w) and execute (x) permissions.
  • [Bit 0]: the file type (commonly -, b, c, d, l).

- is an ordinary file; b is a block device, such as a hard disk under /dev; c is a character device file, such as a mouse or keyboard under /dev; d is a directory, equivalent to a folder in Windows; l is a link, equivalent to a shortcut in Windows.

  • [Bits 1, 2, 3]: the "owner"'s rwx permissions on the file. —User
  • [Bits 4, 5, 6]: the rwx permissions of the other users in the file's "group". —Group
  • [Bits 7, 8, 9]: the rwx permissions of all users in "other groups". —Other
  • [Column 2] 1: the "hard link count" of a file, or the "number of subdirectories + number of files" for a directory. Here a.txt is an ordinary file, so it is 1.
  • [Column 3] root: the file's owner. Here the owner of a.txt is obviously root.
  • [Column 4] root: the group the file belongs to. Here the group of a.txt is root, the group with the same name as the root user.
  • [Column 5] 7: for a file, its total size in bytes (unit: Byte); for a directory, 4096 is shown. Here only the 6 characters "hello~" were written into a.txt, but a terminating \0 is automatically appended at the end, so the total is 7.
  • [Columns 6, 7, 8] 7月 21 19:05: the last modification date of the file/directory.
  • [Column 9] a.txt: the file/directory name.

So what exactly are rwx permissions? Here is a detailed explanation [a difficult point]. rwx permissions mean different things for "files" and for "directories" in Linux:

rwx permission of the file:

  1. 【r】: readable (read): the file can be read and viewed.
  2. 【w】: writable (write): the file can be modified, but this does not mean it can be deleted. Deleting a file requires write permission on the directory that contains it.
  3. 【x】: executable (execute): the file can be run with ./文件名. For example, write ls -al into a.txt, give it execute permission, then type ./a.txt in the terminal, and that command is executed.
  4. 【-】: the corresponding permission is absent.

The rwx permission of the directory:

  1. 【r】: readable (read): the list of files in the directory can be read, for example with ls.
  2. 【w】: writable (write): the directory's file list can be modified, that is, files/directories under it can be deleted, created and renamed.
  3. 【x】: executable (execute): the directory can be entered, which is quite different from the x permission of a file. With only x on the directory you can still read and write the files inside it on which you hold read/write permission, but since you cannot list the directory it is like searching in the dark: you have to remember the file names.
  4. 【-】: the corresponding permission is absent.

Take a.txt as an example: -rw-r--r-- means that a.txt is an ordinary file, the "owner" can "read" and "write" but not "execute", other users in the "group" have only "read" permission, and all users in "other groups" also have only "read" permission.

Note: Linux also represents permissions numerically using the 8421 weighting (BCD8421): r=4, w=2, x=1. A single digit 0~7 can therefore express any combination of the three permissions.

10.2.2 Modify permissions - chmod

  As the description above shows, a file/directory is given default permissions as soon as it is created, but sometimes these are not what you want; for example, you may want all users in the "group" to have rw permission on the file. In that case use the chmod command to change the permissions. Two ways of using chmod follow, with some examples:

# Basic syntax - chmod
# [Method 1] change permissions with +, -, =; u: owner, g: group, o: others, a: all (u, g and o together)
chmod u=rwx,g=rx,o=x 文件/目录名    # give u rwx, g rx and o x on the file/directory
chmod o+w 文件/目录名               # add w for o on the file/directory
chmod a-x 文件/目录名               # remove x from everyone (a) on the file/directory

# [Method 2] numeric: r=4, w=2, x=1
chmod 751 文件/目录名    # equivalent to chmod u=rwx,g=rx,o=x 文件/目录名
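An added example (not code from the original post) that turns the two chmod notations above into code: it parses the 9-character mode string printed by ll, converts to and from the octal digits (r=4, w=2, x=1), and applies symbolic specs such as u=rwx,g=rx,o=x or a-x; Python's stat module is used only to cross-check the string form.

```python
import re
import stat

# Added example, not code from the original post: converts between the
# 9-character rwx string printed by ll, the octal number used by chmod
# (r=4, w=2, x=1), and applies chmod-style symbolic changes such as
# "u=rwx,g=rx,o=x" or "a-x".

BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}   # position of each class within the 9 bits


def mode_from_string(s):
    """'-rw-r--r--' or 'rw-r--r--' -> 0o644 (leading type character optional)."""
    bits = s[-9:]
    if len(bits) != 9 or not re.fullmatch(r"[r-][w-][x-]" * 3, bits):
        raise ValueError(f"bad mode string: {s!r}")
    value = 0
    for i, ch in enumerate(bits):
        if ch != "-":
            value |= 1 << (8 - i)
    return value


def string_from_mode(mode):
    """0o751 -> 'rwxr-x--x', cross-checked via stat.filemode()."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec: apply_symbolic(0o644, 'u=rwx,g=rx,o=x') -> 0o751."""
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]+)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        classes = "ugo" if "a" in who else who      # a = u + g + o
        value = sum(BITS[p] for p in perms)
        for c in classes:
            shift = SHIFT[c]
            if op == "=":                            # replace the class's 3 bits
                mode = (mode & ~(7 << shift)) | (value << shift)
            elif op == "+":                          # add bits
                mode |= value << shift
            else:                                    # "-": remove bits
                mode &= ~(value << shift)
    return mode


if __name__ == "__main__":
    # Walks the chmod cases from this section.
    m = apply_symbolic(0, "u=rwx,g=rx,o=rx")
    print(oct(m), string_from_mode(m))              # 0o755 rwxr-xr-x
    m = apply_symbolic(m, "u-x,g+w")
    print(oct(m), string_from_mode(m))              # 0o675 rw-rwxr-x
    print(oct(mode_from_string("-rw-r--r--")))      # 0o644
```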

Four application examples are shown below:

[Case 1 - using +, -, =] Give the owner of file abc read/write/execute permission, the group read/execute, and other groups read/execute.

[root@CentOS76 home]# touch abc
[root@CentOS76 home]# chmod a-rwx abc
[root@CentOS76 home]# ll
总用量 28
----------.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

[root@CentOS76 home]# chmod u=rwx,g=rx,o=rx abc
[root@CentOS76 home]# ll
总用量 28
-rwxr-xr-x.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

[Case 2 - using +, -, =] Remove execute permission from the owner of file abc and add write permission for the group.

[root@CentOS76 home]# chmod u-x,g+w abc
[root@CentOS76 home]# ll
总用量 28
-rw-rwxr-x.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

[Case 3 - using +, -, =] Add read permission for all users on file abc.

[root@CentOS76 home]# chmod a+r abc
[root@CentOS76 home]# ll
总用量 28
-rw-rwxr-x.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

[Case 4 - using numbers] Change the permissions of file abc to ---------, then to rwxr-xr-x.

[root@CentOS76 home]# chmod 000 abc
[root@CentOS76 home]# ll
总用量 28
----------.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

[root@CentOS76 home]# chmod 755 abc
[root@CentOS76 home]# ll
总用量 28
-rwxr-xr-x.  1 root  root       0 721 11:15 abc
# The remaining files/directories are omitted

10.2.3 Exercises after class - Zootopia

[Figure 10-2: the Linux system with two groups, police (nick, judy) and bandit (sheep, wolf)]
Figure 10-2 Schematic diagram of the grouping case

  This section uses "Zootopia" as the setting to demonstrate changing a user's group and modifying file permissions. Specifically:

  1. Create two groups (police, bandit), two police users (nick, judy) and two bandit users (sheep, wolf). Their grouping is shown in the figure above.
  2. Log in as root and record that wolf has defected to the police.
  3. Log in as judy, create a file judy.txt, and set its permissions so that judy can read and write, members of her group can read and write, and users in other groups can only read.
  4. Log in as wolf to verify that a member of the same group can read and write.
  5. Log in as sheep to verify that users in other groups can only read.

# 1. Log in as root, create the groups and users, and set every user's password to be the same as the username.
[root@CentOS76 home]# groupadd police
[root@CentOS76 home]# groupadd bandit
[root@CentOS76 home]# useradd -g police nick
[root@CentOS76 home]# useradd -g police judy
[root@CentOS76 home]# useradd -g bandit sheep
[root@CentOS76 home]# useradd -g bandit wolf
[root@CentOS76 home]# passwd judy
更改用户 judy 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd nick
更改用户 nick 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd sheep
更改用户 sheep 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@CentOS76 home]# passwd wolf
更改用户 wolf 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。


# 2. Log in as root and record that wolf has defected to the police
[root@CentOS76 ~]# id wolf
uid=1010(wolf) gid=1011(bandit)=1011(bandit)
[root@CentOS76 ~]# usermod -g police wolf
[root@CentOS76 ~]# id wolf
uid=1010(wolf) gid=1010(police)=1010(police)


# 3. Log in as judy, create /home/judy/judy.txt, and set its permissions so judy can read and write, the group can read and write, and users in other groups can only read.
[judy@CentOS76 ~]$ touch judy.txt
[judy@CentOS76 ~]$ ll
总用量 0
-rw-r--r--. 1 judy police 0 721 16:26 judy.txt
[judy@CentOS76 ~]$ chmod g=rw,o=r judy.txt          # change the file's permissions
[judy@CentOS76 ~]$ ll
总用量 0
-rw-rw-r--. 1 judy police 0 721 16:26 judy.txt
[judy@CentOS76 ~]$ chmod g=rwx,o=rx /home/judy      # change the directory's permissions
[judy@CentOS76 ~]$ ll /home
总用量 44
drwxrwxr-x.  5 judy  police  4096 721 16:26 judy
# Other directories/files in /home are omitted.
# Note that the directory permissions must be changed as well, otherwise other members of the group still cannot enter the directory.


# 4. Log in as wolf: judy.txt can be both read and written.
[wolf@CentOS76 ~]$ ll /home/judy
总用量 0
-rw-rw-r--. 1 judy police 0 721 16:26 judy.txt
[wolf@CentOS76 ~]$ vim /home/judy/judy.txt 
[wolf@CentOS76 ~]$ echo "i am wolf" >> /home/judy/judy.txt 
[wolf@CentOS76 ~]$ cat /home/judy/judy.txt 
i am wolf


# 5. Log in as sheep: the file can only be read, not written.
[sheep@CentOS76 ~]$ ll /home/judy
总用量 4
-rw-rw-r--. 1 judy police 10 721 16:57 judy.txt
[sheep@CentOS76 ~]$ echo "i am sheep" >> /home/judy/judy.txt 
-bash: /home/judy/judy.txt: 权限不够
[sheep@CentOS76 ~]$ cat /home/judy/judy.txt 
i am wolf

Conclusion:

  1. To read, write or otherwise operate on files in a directory, you first need execute permission on that directory.
  2. For other users to be able to enter and list a directory, it needs at least two permissions: read and execute.
  3. Xshell reads the user's environment (including group membership and other settings) when the user logs in. If root changes a user's group, the simplest way to pick up the change is to log that user in again.
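To check the conclusions above in code, here is an added example (not from the original post) that models the Zootopia exercise: a constructed table of paths with owner, group and mode, a table of each user's primary group, and an access check that requires x on every parent directory before applying the first matching class (owner, then group, then other) on the file, which is how Linux decides access for non-root users. The names and modes mirror the session above; root is modelled as always allowed.

```python
# Added example, not code from the original post: a small model of the
# Zootopia exercise that reproduces the access decisions seen above.
# Each path maps to (owner, group, mode); each user maps to a primary group.

R, W, X = 4, 2, 1

# Constructed sample state: the exercise after step 3 (judy ran
# chmod g=rw,o=r judy.txt and chmod g=rwx,o=rx /home/judy).
FS = {
    "/": ("root", "root", 0o755),
    "/home": ("root", "root", 0o755),
    "/home/judy": ("judy", "police", 0o775),
    "/home/judy/judy.txt": ("judy", "police", 0o664),
}
# Primary group of each user, as set by useradd -g.
USERS = {"judy": "police", "nick": "police", "sheep": "bandit", "wolf": "bandit"}


def class_bits(user, users, owner, group, mode):
    """The 3 permission bits that apply to user; the first matching class wins."""
    if user == owner:
        return (mode >> 6) & 7
    if users[user] == group:
        return (mode >> 3) & 7
    return mode & 7


def allowed(user, path, want, fs=FS, users=USERS):
    """True if user holds every bit in want on path and x on each parent directory."""
    if user == "root":
        return True
    names = path.strip("/").split("/")
    parents, prefix = ["/"], ""
    for name in names[:-1]:
        prefix += "/" + name
        parents.append(prefix)
    if any(not (class_bits(user, users, *fs[d]) & X) for d in parents):
        return False                         # cannot even reach the file
    return (class_bits(user, users, *fs[path]) & want) == want


def usermod_g(user, new_group, users=USERS):
    """Model of usermod -g: returns a copy with the user's primary group changed."""
    return {**users, user: new_group}


if __name__ == "__main__":
    f = "/home/judy/judy.txt"
    print("wolf in bandit can write:", allowed("wolf", f, R | W))              # False
    after = usermod_g("wolf", "police")                                         # step 2
    print("wolf in police can write:", allowed("wolf", f, R | W, users=after))  # True
    print("sheep read/write:", allowed("sheep", f, R), allowed("sheep", f, W))  # True False
    # With the default home mode drwx------ even a group member is blocked.
    closed = {**FS, "/home/judy": ("judy", "police", 0o700)}
    print("wolf, closed dir:", allowed("wolf", f, R, fs=closed, users=after))   # False
```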


Source: blog.csdn.net/weixin_46258766/article/details/131949202