Linux user management and file permissions


Users and user groups

Three types of user (by UID)

In Linux systems, users can be divided into three main types:

  1. Superuser: The superuser, also called root, is the administrator account of the system and always has UID 0. The kernel skips the ordinary permission checks for UID 0, so root can read, modify or delete any file and change any configuration. Because of that, sensitive operations should be done through su or sudo from a regular account rather than by logging in as root directly; sudo asks for a password before granting the privilege and records each use in the system log.

  2. System User: A system user is an account created by the distribution or by a package at installation time to own the files of a service and run its processes (for example www-data for a web server). On most modern distributions these accounts get UIDs in the reserved range 1-999 (1-499 on older ones), have no password set, and use /usr/sbin/nologin or /bin/false as their shell, so nobody can log in as them interactively. A system account that has a real login shell is worth investigating.

  3. Regular User: A regular user is an ordinary account created by the administrator or the superuser, normally with a UID of 1000 or above. After logging in, a regular user can run applications and work in their own home directory and in the shared locations they have been granted access to, but cannot read or modify critical system files and configuration.

Each type of user has different permissions and roles in the system, which ensures system security and management flexibility. Super users are used to manage the entire system, while system users and ordinary users are used to achieve more fine-grained permission control and user management.

User groups (GID)

The relationship between users and groups can be one-to-one, one-to-many, many-to-one or many-to-many: every user has exactly one primary group, a user can belong to many supplementary groups, and a group can contain many users.

In Linux systems, user groups are a mechanism for logically grouping users. User groups can be used to authorize and manage users in the group to access files, directories, and other system resources.

Every user has two kinds of group membership:

  1. Primary Group: Each user has exactly one primary group, assigned when the user is created. On distributions that use user private groups it has the same name as the user. It is recorded as the GID field of the user's entry in /etc/passwd, and it is the group that files the user creates are assigned to by default.

  2. Supplementary Group: In addition to the primary group, a user can be a member of any number of supplementary groups, listed in the member field of /etc/group. They grant the extra access that group permissions give to the resources those groups own.

User groups play an important role in permission management, access control, and ownership of files and directories. By placing users into specific user groups, you can easily grant or revoke access to certain resources to users in the group. At the same time, user groups can also be used to set permissions on files and directories to allow users in the group to share access or restrict access.

In Linux systems, use the groupadd command to create a user group, groupmod to modify one, and groupdel to delete one. Use usermod to change a user's groups: usermod -g sets the primary group, and usermod -aG adds supplementary groups. The -a (append) flag matters: usermod -G without it replaces the user's entire supplementary group list with the one given, silently dropping existing memberships. gpasswd -a user group does the same addition one group at a time. Group changes take effect at the next login, because a running session keeps the group list it started with.

Three important files

/etc/passwd
/etc/passwd is the file that stores the user account information of a Linux system. It is world-readable, because many programs need to map UIDs to user names.

Specifically, the /etc/passwd file contains the following information for each user account (separated by colons):

  1. Username: The login name of the user account.
  2. Password placeholder: Historically the password hash was stored here, but because the file must be world-readable it is now normally an x (or *), meaning the hash is kept in /etc/shadow. An empty second field means the account can log in without any password at all.
  3. User ID (UID): is a unique numeric identifier used to identify a user account.
  4. Primary Group ID (GID): Identifier of the primary group associated with the user.
  5. User account description information: generally the user's full name or other relevant information.
  6. User home directory: The home directory path of the user account, the directory the user starts in after logging in.
  7. Login Shell: The program started after the user logs in. /usr/sbin/nologin or /bin/false here blocks interactive login for the account.

Modern Linux systems use the /etc/shadow file to store the password hashes so that they are not world-readable. The /etc/passwd file still exists, but only contains the basic account information listed above.

Linux identifies accounts by UID, not by user name. If the UID of an ordinary user in /etc/passwd is changed to 0, that account has full root privileges and files it creates are owned by root. A second UID-0 entry is a classic backdoor, so checking that root is the only UID-0 account belongs in any audit of this file.
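The following is an added example, not code from the original page: it audits a file in /etc/passwd format for extra UID-0 accounts and for system accounts that still have an interactive shell, using the field layout and the three user types described above. SAMPLE_PASSWD is constructed data, not a real host's file, and the UID ranges used to classify accounts (0 / 1-999 / 1000 and above) are the common modern convention, assumed here.

```shell
#!/bin/sh
# Added example, not from the original page: audit a file in /etc/passwd
# format for extra UID-0 accounts and for system accounts that still have an
# interactive shell. SAMPLE_PASSWD is constructed data, not a real host's file;
# the UID ranges below (0 / 1-999 / 1000+) are the common modern convention
# and are an assumption of this example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:500:500:constructed service account:/srv/svc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:constructed backdoor:/home/backup2:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin'

# Every account whose UID is 0 but whose name is not "root". The kernel checks
# UIDs, not names, so each of these is a second root account.
uid0_aliases() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Classify one UID into the three user types.
classify_uid() {
    if [ "$1" -eq 0 ]; then
        echo superuser
    elif [ "$1" -lt 1000 ]; then
        echo system
    else
        echo regular
    fi
}

# One line per account: name, type and shell, with a warning when a system
# account has a login shell instead of nologin/false.
summarize() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        kind=$(classify_uid "$uid")
        flag=""
        case "$shell" in
            */nologin|*/false) ;;
            *) if [ "$kind" = system ]; then
                   flag=" WARNING: system account with login shell"
               fi ;;
        esac
        printf '%s %s %s%s\n' "$name" "$kind" "$shell" "$flag"
    done
}

# Run against the constructed sample; on a real host pass "$(cat /etc/passwd)".
uid0_aliases "$SAMPLE_PASSWD"
summarize "$SAMPLE_PASSWD"
```

On the sample, uid0_aliases reports backup2 (a non-root name with UID 0) and summarize flags svc, a system-range account whose shell is /bin/bash; the real daemon and www-data entries pass because they use nologin.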

/etc/shadow
/etc/shadow is an important file in Linux systems that stores the password hashes of user accounts together with password-aging and account-expiry information.

Specifically, the /etc/shadow file contains the following nine fields for each user account (separated by colons):

  1. Username: The login name of the user account, matching the entry in /etc/passwd.
  2. Password Hash: The salted hash of the password in the form $id$salt$hash, where the id names the algorithm ($6$ SHA-512, $y$ yescrypt, $5$ SHA-256, $1$ the obsolete MD5-crypt). The password itself is never stored. An empty field means no password is required to log in; a field beginning with ! or * is not a valid hash, so password login for that account is locked (passwd -l prepends the !).
  3. Last Password Change: The day the password was last changed, expressed as the number of days since January 1, 1970. An empty field disables password aging for the account; 0 means the user must change the password at the next login.
  4. Minimum age: The number of days the user must wait after a change before changing the password again (0 means no limit).
  5. Maximum age: The number of days the password stays valid after a change. 99999 is the conventional "never expires"; an empty field means no maximum.
  6. Warning days before password expiration: The number of days before expiry during which the user is warned at login.
  7. Grace time after password expiration: The number of days after expiry during which the user may still log in and set a new password. After that the account is inactive and cannot log in.
  8. Account expiration date: The day after which the account is disabled regardless of the password's state, again as days since January 1, 1970. An empty field means never; 0 is ambiguous and should not be used.
  9. Reserved: Unused, kept for future use.

The permissions of /etc/shadow are very important. It is readable only by root (on Debian-based systems mode 0640 owned by root:shadow, so members of the shadow group can read it too; on RHEL-based systems mode 0000) and must never be world-readable. If ordinary users can read it, every hash can be copied and cracked offline, so a permission check on this file belongs in any baseline audit.

Do not edit /etc/shadow by hand. Use passwd to set or lock passwords, chage to change the aging fields, and usermod for account expiry; these tools keep /etc/passwd and /etc/shadow consistent and update the last-change field. If a manual edit is unavoidable, vipw -s opens the file under a lock so that concurrent changes cannot corrupt it.
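The following is an added example, not part of the original page: it reads a file in /etc/shadow format and classifies each account from the nine fields just described (empty hash, locked hash, weak algorithm, expired password, expired account). SAMPLE_SHADOW is constructed and its hash strings are placeholders in the $id$salt$hash shape, not real hashes; the day count for "today" is passed in explicitly so the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the original page: audit a file in /etc/shadow
# format field by field. SAMPLE_SHADOW is constructed; the hash strings are
# placeholders in the $id$salt$hash shape, not real hashes. "today" is passed
# in as a day count (days since 1970-01-01, the unit /etc/shadow uses) so the
# result is reproducible; on a live host use $(( $(date +%s) / 86400 )).

# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltroot$placeholderhash:19700:0:99999:7:::
alice:$y$j9T$saltalice$placeholderhash:19800:0:90:7:::
bob:$1$saltbob$placeholderhash:19850:0:90:7:14::
carol::19800:0:99999:7:::
dave:!$6$saltdave$placeholderhash:19800:0:99999:7:::
eve:$6$salteve$placeholderhash:19800:0:99999:7::19850:'

# Print "name status" per line. Status precedence, most severe first:
#   EMPTY-PASSWORD    empty hash field: login needs no password where PAM
#                     permits it (nullok)
#   locked            hash starts with ! or *: password login disabled
#   weak-hash         $1$ (MD5-crypt) or a 13-character traditional DES hash
#   account-expired   field 8 is a day count in the past
#   password-expired  lastchg + max is in the past (99999 means no maximum)
#   ok
shadow_audit() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        name = $1; hash = $2; last = $3; max = $5; expire = $8
        status = "ok"
        if (hash == "")
            status = "EMPTY-PASSWORD"
        else if (hash ~ /^[!*]/)
            status = "locked"
        else if (hash ~ /^\$1\$/ || length(hash) == 13)
            status = "weak-hash"
        else if (expire != "" && expire + 0 < today + 0)
            status = "account-expired"
        else if (last != "" && max != "" && max + 0 < 99999 && last + max < today + 0)
            status = "password-expired"
        print name, status
    }'
}

# Run against the constructed sample with "today" = day 19900.
shadow_audit "$SAMPLE_SHADOW" 19900
```

With today set to day 19900, root is ok, alice's password expired ten days ago (19800 + 90), bob still uses MD5-crypt, carol has no password at all, dave is locked, and eve's account expiry date (19850) has passed.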

/etc/group
/etc/group is a file in the Linux system that stores user group (Group) information.

Specifically, each line in the /etc/group file represents one user group, and the fields in the line are separated by colons and contain the following information:

  1. Group name: The name of the user group.
  2. Group password placeholder: Historically a group password could be stored here; today the field is normally an x (or *), meaning any group password is kept in /etc/gshadow. Group passwords are rarely used.
  3. Group ID (GID): A unique numeric identifier for the group.
  4. Group members: A comma-separated list of users who have this group as a supplementary group. Users whose primary GID in /etc/passwd is this group are members too, but they do not appear in this list.

The /etc/group file is used to manage and organize users. Access to files, directories, and other system resources can be managed by adding users to specific user groups, and groups can be used to share files and set permissions on files and directories.

Note that, again, editing /etc/group directly is not recommended. The management commands (groupadd, groupmod, groupdel, gpasswd) should be used to create, modify, and delete user groups so that /etc/group and /etc/gshadow stay consistent; if a manual edit is unavoidable, vigr opens the file under a lock.
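The following is an added example, not code from the original page: it combines the GID field of /etc/passwd with the member lists of /etc/group to answer the two questions the primary/supplementary distinction raises, "which groups is this user in" and "who is in this group". Both files are constructed samples, and the list of groups treated as privileged is an assumption of this example (sudo and wheel are the usual administrative groups in sudoers; members of the docker group can control the Docker daemon).

```shell
#!/bin/sh
# Added example, not from the original page: resolve group membership from
# /etc/passwd and /etc/group together. A user's primary group comes only from
# the GID field in passwd; the member list in /etc/group holds supplementary
# members. Both files below are constructed samples; PRIVILEGED_GROUPS is an
# assumption of this example.

PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:2000:Carol:/home/carol:/bin/bash'

GROUP='root:x:0:
wheel:x:10:
sudo:x:27:alice
docker:x:998:bob
alice:x:1000:
bob:x:1001:
developers:x:2000:alice,bob'

PRIVILEGED_GROUPS="sudo wheel docker"

# Join stdin lines into one space-separated line.
join_line() {
    awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# All groups of a user, sorted: the group whose GID matches the passwd entry
# plus every group that lists the user as a supplementary member.
groups_of() {
    gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' | sort | join_line
}

# All members of a group, sorted: users whose primary GID is this group plus
# the explicit member list. Looking only at /etc/group misses the first kind.
members_of() {
    gid=$(printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }')
    {
        printf '%s\n' "$PASSWD" | awk -F: -v g="$gid" 'g != "" && $4 == g { print $1 }'
        printf '%s\n' "$GROUP" | awk -F: -v g="$1" '
            $1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | join_line
}

# Report who holds each privileged group.
for g in $PRIVILEGED_GROUPS; do
    printf '%s: %s\n' "$g" "$(members_of "$g")"
done
```

Note that carol is a member of developers only through her primary GID, so members_of developers reports alice, bob and carol even though /etc/group lists only alice and bob; this is why a group audit that greps /etc/group alone is incomplete. The id command on a live system resolves the same two sources.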

File Permissions

In a Linux system, each file and directory carries a permission set that controls who may read, write or execute it. The permissions are given for three classes of user: the owner, the owning group, and everyone else. On a directory the same three bits mean something slightly different: r lets you list the entries, w lets you create, rename or delete entries (regardless of who owns them, unless the sticky bit is set), and x lets you enter the directory and access entries by name.

  1. Owner permissions: Indicates the permissions that the owner of a file or directory has on it. Owner permissions include read permission (r, value is 4), write permission (w, value is 2), and execute permission (x, value is 1).

  2. Group permissions: Indicates the permissions that the user group to which the file or directory belongs has. Group permissions are set in the same way as owner permissions.

  3. Other user permissions: Indicates the permissions that other users other than the owner and group have on the file or directory, also known as "other" permissions.

Each class gets one digit obtained by adding the values of the permissions granted, giving a three-digit permission mode. For example, a mode of 755 means the owner has read, write and execute permission (4+2+1=7), while the group and everyone else have read and execute permission (4+1=5). An optional fourth leading digit holds the special bits, 4 for setuid, 2 for setgid and 1 for the sticky bit, so 4755 is a setuid executable; because a setuid file runs with its owner's privileges, setuid root binaries deserve particular attention.

The following are common file permission patterns and their meanings:

  • rwx: Has read, write and execute permissions.
  • rw-: Has read and write permissions, but no execute permission.
  • r-x: Has read and execute permissions, but no write permission.
  • r--: Only has read permission, no write or execute permission.
  • -wx: Has write and execute permissions, but no read permission.
  • -w-: Only has write permission, no read or execute permission.
  • --x: Only has execute permission, no read or write permission.
  • ---: No permissions.

File permissions are changed with the chmod command. For example, chmod 755 file.txt sets the permissions of file.txt to 755. chmod also accepts symbolic operands, so chmod o-w file.txt removes write permission from everyone else without touching the other bits, and chmod -R applies a change recursively to a directory tree.

Changing a file's permissions does not require root: the file's owner may run chmod on it, and so may root, but any other user gets "Operation not permitted" even if they have write permission on the file. Ownership itself is changed with chown, which on Linux is restricted to root.
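The following is an added example, not code from the original page: it converts between the numeric and symbolic forms of the permission triads described above, checks for the world-writable case, and applies a mode with chmod to a scratch file and reads it back from ls -l. It assumes only a POSIX shell with chmod, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example, not from the original page: convert between the numeric and
# symbolic forms of the rwx permission triads, flag world-writable modes, then
# apply one mode with chmod and read it back. Assumes only a POSIX shell with
# chmod, ls, cut and mktemp.

# 755 -> rwxr-xr-x. Each digit is the sum of r=4, w=2, x=1, so each bit of the
# digit maps to one letter of its triad.
octal_to_symbolic() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$mode'" >&2; return 1 ;;
    esac
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$mode" | cut -c "$i")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# rwxr-xr-x -> 755: the inverse mapping, one triad at a time.
symbolic_to_octal() {
    sym=$1
    case $sym in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "expected nine rwx characters, got '$sym'" >&2; return 1 ;;
    esac
    out=""
    for start in 1 4 7; do
        v=0
        triad=$(printf '%s' "$sym" | cut -c "${start}-$((start + 2))")
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??x) v=$((v + 1)) ;; esac
        out="${out}${v}"
    done
    printf '%s\n' "$out"
}

# True when the "other" digit grants write (2, 3, 6 or 7): any local user can
# then modify the file, which is the usual thing to hunt for in a tree audit.
is_world_writable() {
    case $1 in
        [0-7][0-7][2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply a mode to a scratch file and read it back. In ls -l output column 1 is
# the file type and columns 2-10 are the nine permission characters.
chmod_and_readback() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" && ls -l "$f" | cut -c 2-10
    rm -f "$f"
}

octal_to_symbolic 755           # rwxr-xr-x
symbolic_to_octal rw-r-----     # 640
chmod_and_readback 640          # rw-r-----
if is_world_writable 666; then echo "666 is world-writable"; fi
```

A three-digit input is validated up front so that a four-digit mode such as 4755 is rejected rather than silently mis-parsed; the special bits in the leading digit are outside what the triad conversion covers.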


Origin blog.csdn.net/m0_73731708/article/details/132900772