5-2 Users and Groups

Users and Groups

Security 3A

Controlling access to resources:

  • Authentication: who you are (authentication)
  • Authorization: what you are allowed to do (authorization)
  • Accounting / Auditing: what you did (audit)

User (user)

A user is an identity, represented by a token (token).
Linux users: username / UID

  • Administrator: root, UID 0
  • Ordinary users: 1-60000, assigned automatically
    • System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
      • Used to run daemons and to grant them access to resources; no interactive login
    • Login users: 500+ (CentOS 6), 1000+ (CentOS 7)
      • Interactive login

Group (group)

Linux groups: group name / GID
Administrators' group: root, GID 0
Ordinary groups:

  • System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
  • Ordinary groups: 500+ (CentOS 6), 1000+ (CentOS 7)

Every user must have a primary group. The root user has UID 0, and any account with UID 0, whatever its name, has administrator privileges: the kernel checks the UID, not the login name.

Security Context

Linux security context:

  • A running program (process) runs with the identity of the user who started it:
    • root: /bin/cat runs as root
    • mage: /bin/cat runs as mage

What a process may access depends on the identity it runs under, not on the program file. (Setuid programs such as passwd are the exception: they run with the effective UID of the file's owner.)

Group Category

Linux group categories:

  • The user's primary group (primary group)
    • A user must belong to exactly one primary group
    • By default it has the same name as the user and contains only that user (user private group)
  • Supplementary groups (supplementary group)
    • A user may belong to zero or more supplementary groups

User and group configuration files

The main Linux user and group configuration files:

  • /etc/passwd: users and their attributes (name, UID, primary group GID, etc.)
  • /etc/group: groups and their attributes
  • /etc/shadow: user passwords and their aging attributes
  • /etc/gshadow: group passwords and their attributes

passwd file format

Seven colon-separated fields per line, e.g. wang:x:1000:1000:Wang:/home/wang:/bin/bash

  • login name: the name used to log in (wang)
  • passwd: password placeholder (x means the hash is kept in /etc/shadow)
  • UID: user ID number (1000)
  • GID: ID of the user's primary group (1000)
  • GECOS: full name or comment
  • home directory: the user's home directory (/home/wang)
  • shell: the user's login shell (/bin/bash)

shadow file format

Nine colon-separated fields per line:

  • login name
  • password: the hash, usually salted SHA-512 in crypt format ($6$salt$hash); a leading ! means the account is locked, and an empty field means no password is required
  • days since 1970-01-01 on which the password was last changed (0 forces a change at the next login)
  • minimum number of days before the password may be changed again (0 means it may be changed at any time)
  • maximum number of days after which the password must be changed (99999 means it never expires)
  • number of days before expiry on which the user is warned (default 7, one week)
  • number of days after password expiry before the account is locked (inactive period)
  • account expiry date, as days since 1970-01-01
  • reserved
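The script below reads those nine fields back out and classifies each account the way the aging rules above imply. It is an added example, not part of the original notes; the shadow lines are constructed and the "today" day number is passed in so the run is reproducible (pass /etc/shadow as root, with no day number, to inspect a live system). It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original notes: classify shadow(5) entries.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# All dates are day counts since 1970-01-01, as stored in the file.

SAMPLE_SHADOW=$(mktemp)                      # constructed sample, not a real /etc/shadow
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$abcdefgh$hash:17000:0:99999:7:::
wang:$6$saltsalt$hash:17200:0:90:14:7::
tom:$6$saltsalt$hash:17100:0:90:14:7::
ann:$6$saltsalt$hash:17210:0:90:14:::
mage:!$6$saltsalt$hash:17000:0:99999:7:::
bin:*:17000:0:99999:7:::
guest::17000:0:99999:7:::
tmp:$6$saltsalt$hash:17000:0:99999:7::17200:
new:$6$saltsalt$hash:0:0:99999:7:::
old:$1$saltsalt$hash:17000:0:99999:7:::
EOF

# shadow_status FILE [TODAY]: one "login STATUS" line per entry.
# TODAY defaults to the current day number, the unit chage(1) works in.
shadow_status() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    {
        last = $3; max = $5; warn = $6; inact = $7; expire = $8
        if ($2 == "")                             st = "NOPASS"           # empty field: no password needed
        else if ($2 ~ /^[!*]/)                    st = "LOCKED"           # ! from usermod -L / passwd -l, * never set
        else if (expire != "" && expire <= today) st = "ACCOUNT_EXPIRED"  # field 8, chage -E
        else if (last == 0)                       st = "MUST_CHANGE"      # chage -d 0
        else if (max != "" && max < 99999) {
            end = last + max                                              # day the password expires
            if (inact != "" && today > end + inact)     st = "INACTIVE_LOCKED"
            else if (today > end)                       st = "PASSWORD_EXPIRED"
            else if (warn != "" && today >= end - warn) st = "EXPIRING"
            else                                        st = "OK"
        }
        else st = "OK"
        print $1, st
    }' "$1"
}

# shadow_hash_algos FILE: which crypt(3) scheme each stored hash uses,
# taken from the $id$ prefix ($1 md5, $5 sha256, $6 sha512, $y yescrypt).
shadow_hash_algos() {
    awk -F: '$2 != "" && $2 !~ /^\*/ {
        h = $2
        sub(/^!+/, "", h)                   # a locked hash still shows its scheme
        n = split(h, p, "$")                # "$6$salt$hash" -> p[2] is the id
        id = (n >= 3) ? p[2] : ""
        if (id == "1") a = "md5"
        else if (id == "5") a = "sha256"
        else if (id == "6") a = "sha512"
        else if (id == "y") a = "yescrypt"
        else if (id ~ /^2/) a = "bcrypt"
        else a = "unknown"
        print $1, a
    }' "$1"
}

shadow_status "$SAMPLE_SHADOW" 17291
shadow_hash_algos "$SAMPLE_SHADOW"
```

With the constructed file and day 17291, wang's password expired one day ago, tom's has also passed its inactive period so the account is locked, ann is inside her warning window, guest has an empty password field, and old still uses an md5 hash, which is what to look for after changing the algorithm with authconfig: existing hashes are only rehashed when each user next changes their password.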

Password Encryption

Encryption mechanisms:

  • Encryption: plaintext -> ciphertext
  • Decryption: ciphertext -> plaintext

One-way encryption (hashing):

  • Hash algorithm: different input gives a different digest
  • Fixed-length output for a given algorithm, whatever the input size; the original data cannot be recovered from the digest (irreversible)
  • Avalanche effect: a small change in the input causes a large change in the output
    • md5: message digest, 128 bits (collisions are practical; do not use it for new systems)
    • sha1: secure hash algorithm, 160 bits (collisions are practical; do not use it for new systems)
    • sha224: 224 bits
    • sha256: 256 bits
    • sha384: 384 bits
    • sha512: 512 bits

Change the password hash algorithm (authconfig is the CentOS 6/7 tool; it updates ENCRYPT_METHOD in /etc/login.defs and the pam_unix settings, and sha512 is the default there):

  • authconfig --passalgo=sha256 --update
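The fixed-length and avalanche properties listed above can be measured directly on the command line. The block below is an added example, not from the original notes; it uses sha256sum (falling back to shasum on systems without coreutils) and nothing else beyond POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original notes: two properties of a one-way
# hash, measured with sha256sum.

# digest STRING: hex SHA-256 of STRING (printf '%s' avoids hashing a newline).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{ print $1 }'
    else
        printf '%s' "$1" | shasum -a 256 | awk '{ print $1 }'
    fi
}

# hexdiff HEX1 HEX2: number of positions at which two digests differ.
hexdiff() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = 0
        for (i = 1; i <= length(a); i++) if (substr(a, i, 1) != substr(b, i, 1)) n++
        print n
    }'
}

short=password                                                            # 8 bytes
long=$(awk 'BEGIN { s = "A"; while (length(s) < 4096) s = s s; print s }')   # 4096 bytes
h1=$(digest "$short")
h2=$(digest Password)                     # 'p' -> 'P' flips a single bit of one byte
h3=$(digest "$long")

printf 'sha256("%s") = %s\n' "$short" "$h1"
printf 'digest length: %s hex digits for 8 bytes, %s hex digits for 4096 bytes\n' "${#h1}" "${#h3}"
printf 'password -> Password changes %s of 64 hex digits\n' "$(hexdiff "$h1" "$h2")"
if [ "$h1" = "$(digest "$short")" ]; then echo "same input, same digest"; fi
```

The last line is the caveat that matters for /etc/shadow: a plain digest of the same password is always identical, so one precomputed table would crack every user who chose it. That is why the stored form is $6$salt$hash, a per-user salt plus many iterations, rather than a bare sha512 of the password.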

Password complexity policy:

  • Long enough
  • Use at least three of: digits, uppercase letters, lowercase letters, special characters
  • Use random passwords
  • Change them regularly; never reuse a recently used password

Password age:
[figure: PasswdTime, the password-aging timeline]

group file format

Four colon-separated fields per line:

  • group name
  • group password: normally unused; the password, if any, is kept in /etc/gshadow (x)
  • GID: the group's ID
  • members: users who have this group as a supplementary group, comma-separated

gshadow file format

  • group name
  • group password
  • group administrators: users who may change the group's password and membership, comma-separated
  • members: users who have this group as a supplementary group, comma-separated

File Operations

  • vipw and vigr: edit /etc/passwd and /etc/group under a lock (with -s, /etc/shadow and /etc/gshadow)
  • pwck and grpck: check the passwd/shadow and group/gshadow files for consistency
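The consistency checks pwck and grpck run can also be written by hand against the passwd and group formats described above, which makes it easy to add the ones they do not do, such as the UID 0 rule from the Users section. The block below is an added example, not from the original notes; both files are constructed, and the functions default to /etc/passwd and /etc/group so they can be pointed at a live system. POSIX sh and awk only.

```shell
#!/bin/sh
# Added example, not from the original notes: consistency checks over
# passwd(5) and group(5) files, in the spirit of pwck/grpck.

SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)     # constructed samples
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
wang:x:1000:1000:Wang:/home/wang:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
mage:x:1001:1001:Mage:/home/mage:/bin/bash
ghost:x:1002:4242:orphan gid:/home/ghost:/bin/bash
EOF
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
bin:x:1:
sshd:x:74:
wang:x:1000:
mage:x:1001:
wheel:x:10:wang,nobody_here
EOF

# uid0_accounts [PASSWD]: every login with UID 0 is root, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# duplicate_uids [PASSWD]: UIDs shared by several logins (they own each
# other's files and processes); prints "UID name1,name2".
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] sep[$3] $1; sep[$3] = "," }
             END { for (u in n) if (n[u] > 1) print u, who[u] }' "${1:-/etc/passwd}" | sort -n
}

# orphan_primary_gids [PASSWD] [GROUP]: logins whose primary GID (field 4)
# has no line in group(5); prints "login GID".
orphan_primary_gids() {
    awk -F: 'FNR == NR { gid[$3] = 1; next }
             !($4 in gid) { print $1, $4 }' "${2:-/etc/group}" "${1:-/etc/passwd}"
}

# unknown_group_members [PASSWD] [GROUP]: names in a group's member list
# (field 4) that are not logins in passwd(5); prints "group member".
unknown_group_members() {
    awk -F: 'FNR == NR { user[$1] = 1; next }
             $4 != "" { n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (!(m[i] in user)) print $1, m[i] }' \
        "${1:-/etc/passwd}" "${2:-/etc/group}"
}

# interactive_accounts [PASSWD]: logins whose shell can actually be used.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

echo "UID 0 accounts:";        uid0_accounts "$SAMPLE_PASSWD"
echo "duplicate UIDs:";        duplicate_uids "$SAMPLE_PASSWD"
echo "orphan primary GIDs:";   orphan_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
echo "unknown group members:"; unknown_group_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
echo "interactive accounts:";  interactive_accounts "$SAMPLE_PASSWD"
```

On the sample, toor is flagged twice (a second UID 0 login, and a UID shared with root), ghost's primary GID 4242 has no group line, and wheel lists a member that is not an account. Running the functions with no arguments audits the real files.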

User and group management commands

User management commands:

  • useradd
  • usermod
  • userdel

Group management commands:

  • groupadd
  • groupmod
  • groupdel

Create a user: useradd

useradd [options] LOGIN

  • -u UID: set the UID
  • -o: together with -u, allow a UID that is already in use (uniqueness is not checked)
  • -g GID: the user's primary group, given as a group name or a GID
  • -c "COMMENT": the GECOS comment
  • -d HOME_DIR: path of the home directory (must not already exist)
  • -s SHELL: the user's login shell; the available shells are listed in /etc/shells
  • -G GROUP1[,GROUP2,...]: supplementary groups; they must already exist
  • -N: do not create a user private group; use the users group as the primary group
  • -r: create a system user (CentOS 6: UID < 500, CentOS 7: UID < 1000)
  • -m: create the home directory (needed for system users, which get none by default)
  • -M: do not create the home directory (for non-system users, which get one by default)

Defaults are read from /etc/default/useradd

  • Display or change the defaults:
    • useradd -D
    • useradd -D -s SHELL
    • useradd -D -b BASE_DIR
    • useradd -D -g GROUP

Supplement:

  • useradd -D prints /etc/default/useradd, the useradd defaults; cat shows the same file
  • Use the newusers command to create users in batch from a file
    • Write a file of username:password lines; cat pass.txt | chpasswd sets the passwords in batch

Files and commands related to creating users

  • /etc/default/useradd
  • /etc/skel/*: files copied into every new home directory
  • /etc/login.defs: UID/GID ranges, password aging defaults, hash method
  • newusers: create users in batch from a file in passwd format
  • chpasswd: set user passwords in batch
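The batch flow above is easy to get wrong because newusers applies the whole file at once, so the block below, an added example that is not from the original notes, builds the newusers input for a list of logins and then checks it against the existing passwd file before anything is created. The existing passwd content is constructed; the login-name pattern is the one useradd(8) documents as its default. newusers itself needs root and is only shown in the usage note.

```shell
#!/bin/sh
# Added example, not from the original notes: prepare and pre-check a
# newusers(8) batch file. newusers reads passwd(5)-format lines, except
# that field 2 holds the clear-text password it should set.

EXISTING_PASSWD=$(mktemp); BATCH=$(mktemp); BAD_BATCH=$(mktemp)
trap 'rm -f "$EXISTING_PASSWD" "$BATCH" "$BAD_BATCH"' EXIT
cat >"$EXISTING_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wang:x:1000:1000:Wang:/home/wang:/bin/bash
EOF

# random_pw: 18 random bytes as 24 base64 characters (never contains ':').
random_pw() { head -c 18 /dev/urandom | base64 | tr '+/' '_-'; }

# make_batch LOGIN...: one newusers line per login.
# Empty uid and gid fields let newusers allocate the next free IDs, as
# useradd would, and create a private group named after the user.
make_batch() {
    for u in "$@"; do
        printf '%s:%s:::%s:/home/%s:/bin/bash\n' "$u" "$(random_pw)" "$u" "$u"
    done
}

# check_batch BATCH PASSWD: one line per problem; no output means the
# batch is safe to hand to newusers.
check_batch() {
    awk -F: '
        FNR == NR { name[$1] = 1; uid[$3] = 1; next }       # first file: existing accounts
        NF != 7   { print "line " FNR ": expected 7 fields"; next }
        $1 !~ /^[a-z_][a-z0-9_-]*[$]?$/ { print $1 ": invalid login name"; next }
        ($1 in name) { print $1 ": login already exists"; next }
        $3 != "" && ($3 in uid) { print $1 ": UID " $3 " already in use"; next }
        ($1 in seen) { print $1 ": duplicated in batch"; next }
        $2 == ""  { print $1 ": empty password field" }
        { seen[$1] = 1 }
    ' "$2" "$1"
}

make_batch alice bob >"$BATCH"
chmod 600 "$BATCH"                              # it holds clear-text passwords
if [ -z "$(check_batch "$BATCH" "$EXISTING_PASSWD")" ]; then echo "batch is clean"; fi

cat >"$BAD_BATCH" <<'EOF'
Bad-Name:pw:::x:/home/x:/bin/bash
wang:pw:::Wang:/home/wang:/bin/bash
eve:pw:0::eve:/home/eve:/bin/bash
joe:pw::
EOF
check_batch "$BAD_BATCH" "$EXISTING_PASSWD"
```

On a real system the clean file goes to newusers "$BATCH" as root; the first two fields of the same file are exactly the username:password format chpasswd reads, so cut -d: -f1,2 "$BATCH" | chpasswd resets those passwords later. Keep the file mode 600 and delete it once the accounts exist. The eve line is the case the Users section warns about: a batch that quietly creates a second UID 0 account.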

Modify user attributes

usermod [OPTION] login

  • -u UID: new UID
  • -g GID: new primary group
  • -G GROUP1[,GROUP2,...[,GROUPN]]: new supplementary groups; the existing ones are replaced, so add -a to keep them (-aG)
  • -s SHELL: new login shell
  • -c 'COMMENT': new comment
  • -d HOME: new home directory; it is not created automatically; add -m to create it and move the contents of the old home
  • -l login_name: new login name
  • -L: lock the user by prefixing the password field in /etc/shadow with !
  • -U: unlock the user by removing the ! from the password field in /etc/shadow
  • -e YYYY-MM-DD: account expiry date
  • -f INACTIVE: inactive period after password expiry

Delete a user

userdel [OPTION]... LOGIN

  • -f, --force: force the deletion
  • -r, --remove: also delete the user's home directory and mail spool
  • A logged-in user cannot normally be deleted; with -f the deletion goes ahead, the existing session keeps running, but the account is gone (its processes and files then show a bare UID)

View a user's IDs

id [OPTION]... [USER]

  • -u: show the UID
  • -g: show the primary GID
  • -G: show the GIDs of all groups the user belongs to
  • -n: show names instead of numbers; used together with -u, -g or -G

Switch user or run a command as another user

su [options...] [-] [user [args...]]

  • Ways of switching:
    • su UserName: non-login switch; the target user's profile is not read and the working directory does not change
    • su - UserName: login switch; the target user's profile is read and the working directory becomes the home directory (a complete switch)
  • root can su to any user without a password; a non-root user must enter the target user's password
  • Run a single command as another user:
    • su [-] UserName -c 'COMMAND'
  • Option: -l, --login
    • su -l UserName is equivalent to su - UserName

Set a password

passwd [OPTIONS] UserName: change the given user's password

  • -d: delete the user's password (the account then needs no password at all, which is the opposite of a lock)
  • -l: lock the user
  • -u: unlock the user
  • -e: expire the password, forcing a change at the next login
  • -f: force the operation
  • -n mindays: minimum password lifetime
  • -x maxdays: maximum password lifetime
  • -w warndays: days before expiry on which warnings start
  • -i inactivedays: inactive period after expiry
  • --stdin: read the new password from standard input (CentOS-specific; note that the password then lands in the shell history)
    • Example: echo "PASSWORD" | passwd --stdin USERNAME

Modify the user's password policy

chage [OPTION]... LOGIN

  • -d LAST_DAY: date of the last password change
  • -E, --expiredate EXPIRE_DATE: account expiry date
  • -I, --inactive INACTIVE: inactive period after password expiry
  • -m, --mindays MIN_DAYS: minimum password age
  • -M, --maxdays MAX_DAYS: maximum password age
  • -W, --warndays WARN_DAYS: warning period
  • -l: display the password aging policy

Examples:

  • Force a password change at the next login: chage -d 0 tom
  • chage -m 0 -M 42 -W 14 -I 7 tom
  • chage -E 2016-09-10 tom

Other user-related commands

  • chfn: set personal (GECOS) information
  • chsh: set the login shell
  • finger: show user information

Create a group

groupadd [OPTION]... group_name

  • -g GID: set the GID; otherwise one is chosen from [GID_MIN, GID_MAX] in /etc/login.defs
  • -r: create a system group
    • CentOS 6: GID < 500
    • CentOS 7: GID < 1000

Modify and delete groups

Modify group attributes: groupmod

  • groupmod [OPTION]... group
    • -n group_name: new name
    • -g GID: new GID
  • Delete a group: groupdel
    • groupdel GROUP

Change the group password

Group password: gpasswd

  • gpasswd [OPTION] GROUP
    • -a user: add the user to the group
    • -d user: remove the user from the group
    • -A user1,user2,...: set the list of group administrators
  • newgrp command: temporarily switch the primary group
    • If the user is not a member of the group, the group password is required

Change and view group members

groupmems [options] [action]

  • options:
    • -g, --group groupname: operate on the given group (root only)
  • actions:
    • -a, --add username: add the user to the group
    • -d, --delete username: remove the user from the group
    • -p, --purge: remove all members from the group
    • -l, --list: list the group's members

groups [OPTION]... [USERNAME]...: list the groups a user belongs to

Origin www.cnblogs.com/kjalbert/p/11649014.html