First, users and groups
1, the basic concept
- User Name: the name that identifies the user, can be letters, digits string, case sensitive
- Password: authenticating users special code
- A user identifier (UID): the user's digital identifier
- User's home directory: the user's home directory, but also after the user logs system where the default directory
- Login shell: After the user logs in using the default shell program defaults to / bin / bash
- Group: a user having the same attribute belong to the same group
- The group identifier (GID): numeric identifier of the group
2, the user
- Administrator (root) UID 0: system administrator user. (The reason why Linux system administrator is root, not because its name is root, but because the value of the user identification number that is UID 0)。
- User UID is 1 ~ 999: Linux system in order to avoid a loophole in a service program is to provide the right to hackers entire server, the default service program will be responsible for running the stand-alone system users, thus effectively control the extent of damage. (Least privilege, can not log in).
- Average user UID from the beginning of 1000: the user is created by the administrator for daily work.
PS: In the Linux system, UID is equivalent to our having the same identity card numberUniqueness, It can be determined by a user identity of the user UID value. UID is not a conflict, ordinary users created by the administrator of the UID default from the beginning of 1000 (even in front of idle number).
3, the group
- Facilitate the management of the administrator and users to work easily.
- A user logic set having the same characteristics.
- The permissions granted to a group, the group members automatically get this permission.
- When you create each user in a Linux system will automatically create a basic user group with the same name, and this is only the basic user groups a user person. (GID's default group is numbered starting with 1000)
- If the user later be grouped into other user groups, the user groups that other users extended group call.
PS: a user has only a basic user group, but can have multiple extension user groups.
Second, the user and group files
1, the user account file
①, / etc / passwd file: Store extremely user account information (except passwords)
- Users have read access to the passwd file
- Passwd file with each line ":" separated domain 7
----------------------------------
Username: encrypted password: UID: GID: user description information: Main Contents: command interpreter (the
shell) ----------------------------------
(a first user root, back the users of the system)
(normal user system administrator created)
| Field | Explanation |
|---|---|
| username | User account name |
| Encrypted password | User passwords, consider the security of the system, do not use this field holds the password, but with the letter "x" to fill the fields change, the real password is stored in / etc / shadow file |
| UID | User number, unique representation of a user's digital identity |
| GUIDE | No private group the user belongs |
| User description information | Optional user's full name, telephone and other descriptive catalog users |
| Main directory | The user's home directory, the user successfully logs in the default directory |
| Command interpreter | shell used by the user, the default is "/ bin / bash" |
②, / etc / shadow file: After a user to store encrypted passwords
-
shadow file readable only by the root user
-
shadow file ":" separated domain 9
| Field | Explanation |
|---|---|
| 1 | User login name |
| 2 | User password encrypted, * represents a non-logged-on user, indicates no password !! |
| 3 | The number of days since January 1, 1970, to the user's password last modified |
| 4 | From January 1, 1970, the user can change the number of days a password, a password that is the shortest survival |
| 5 | From January 1, 1970, the user can change the number of days a password, a password that is the longest survival |
| 6 | A few days before the password expires to remind users to change passwords |
| 7 | Password expired a few days after the account is disabled |
| 8 | Specific dates password is disabled (relative date, number of days from January 1, 1970 to disable) |
| 9 | Domain reserved for extensions |
Some options will be based on the configuration settings in this file user account when establishing user accounts: ③, / etc / login.defs file
| MAIL_DIR / var / spool / mail | // user's mailbox directory |
| MAIL_FILE .mail | |
| PASS_MAX_DAYS 99999 | // You can use the maximum number of days a password. |
| PASS_MIN_DAYS 0 | The minimum number of days allowed between password changes //. |
| PASS_MIN_LEN 5 | // the acceptable minimum password length. |
| PASS_WARN_AGE 7 | // number of days warning before password expiration. |
| UID_MIN 1000 | The minimum value of the UID // use useradd command automatically generated when you create a user |
| UID_MAX 60000 | UID // maximum value with the useradd command automatically generated when you create a user |
| GID_MIN 1000 | // minimum GID value using the groupadd command automatically generated when you create a user |
| GID_MAX 60000 | // maximum GID value using the groupadd command automatically generated when you create a user |
| USERDEL_CMD /usr/sbin/userdel_local | // if defined, will be performed when deleting a user to delete a user's scheduled jobs and print jobs |
| CREATE_HOME yes | Whether to create a home directory for users when // Create a user account |
2, the group file
①, / etc / group file: Store the user's group account information
- Contents of the file can be read by any user
- Each account one row group in the group file with ":" separated 4 domain
------------------------------
group name: password group (typically empty, occupying with x): the GID: group members list
------------------------------
- Members of Communities list if there are multiple user accounts belong to the same group, with among members "," separated
(root GID of 0, no other group members)
②, / etc / gshadow files: an encrypted password storage group, the group administrators and other information
- Only the root user can read the file
- Each group accounts occupation line in the file, with ":" separated into four domains
----------------------------------
ethnic name: group encrypted password (do not use it!): administrators group: the group membership list
----------------------------------
