Analysis of user and permission management in Linux



Linux is a multi-user, multi-tasking operating system, so day-to-day use of the computer inevitably involves a notion of roles. Every person who uses the computer is associated with such a role, which in Linux is called a user. Because each user consumes limited computer resources, the operating system must provide a way for every user to use the computer independently and within reasonable limits.

1. User and User Group Management

(1) Basic concepts related to users and user groups

User: a computer user. The system identifies a user by a user ID (UID).

User group: a container that combines several users into one logical unit. The system identifies a group by a group ID (GID).

UID and GID: both are 16-bit binary numbers in the range 0-65535, that is, 2^16 = 65536 possible values.

User Type:

(1) Administrator: the root user, whose UID is 0.

(2) System users: non-login users that provide services for running the system. Their UIDs are allocated starting from 1.

(3) Login users: ordinary users who actually use the computer. Their UIDs are allocated from the range 500-60000.

Group type: in Linux, user groups can be classified in three ways:

1. Classification by the type of users in the group

(1) Administrator group: the group of the administrator. Its GID is 0.

(2) System user groups: the groups of system users. Their GIDs are 1-999.

(3) Login user groups: the groups of login users. Their GIDs are 1000-60000.

2. Classification from the user's perspective

(1) Basic group: each user's primary group.

(2) Additional groups: the other groups a user has joined.

3. Classification from the group's perspective

(1) Private group: a group whose name is the same as the user name and which contains only that user.

(2) Public group: a group that contains multiple users.

Authentication information: the user name and password. At login, the user is authenticated by comparing the information stored in advance with the information the user provides.

Following the Linux philosophy that everything is a file, the authentication information is stored in files: /etc/passwd, /etc/group and /etc/shadow hold the user information, group information and password information respectively. When a user logs in, authentication is performed by comparing the supplied credentials with the contents of these three files. The formats of the three files are described next.

(1) Fields in the /etc/passwd file

name:password:UID:GID:GECOS:directory:shell

① name: the user name

② password: either an encrypted password or the placeholder x (meaning the password is kept in /etc/shadow)

③ UID: the user ID

④ GID: the ID of the user's basic group

⑤ GECOS: (optional) user comment

⑥ directory: the user's home directory

⑦ shell: the user's default shell (started at login)

(2) Fields in the /etc/shadow file

① name: the user name.

② password: stored in the form $algorithm$salt$encrypted_password; the salt is random data added during encryption.

③ Last password change: the number of days since January 1, 1970 (the Unix epoch) on which the password was last changed. 0 means the password must be changed at the next login; an empty field means this feature is disabled.

④ Minimum validity period: the number of days that must pass before the password may be changed again.

⑤ Maximum validity period: the number of days for which the password remains valid.

⑥ Warning period: the number of days before the maximum validity period expires during which the user is warned to change the password.

⑦ Inactive period: the number of days after the password expires during which it is still accepted before the account is disabled.

⑧ Account expiration date: the day on which the account expires, expressed as days since January 1, 1970.

⑨ Reserved field

(3) Fields in the /etc/group file

group_name:password:GID:user_list

① group_name: the group name

② password: the group password

③ GID: the group ID

④ user_list: the list of users that have this group as an additional group;
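As an added example (not part of the original article), the following POSIX shell script parses text in the /etc/passwd and /etc/group formats described above and reports the entries a reviewer of these files looks for first: a second UID 0 account, a password field that is not the placeholder x (a hash or an empty string left in the world-readable passwd file), duplicate UIDs, and a basic GID that does not exist in the group file. The sample data is constructed; the function names and check labels are this example's own.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myuser:x:1000:1000:My User:/home/myuser:/bin/bash
backdoor:x:0:0:second uid 0:/root:/bin/bash
legacy:$6$saltsalt$hashhashhash:1001:4242:Legacy:/home/legacy:/bin/bash
nopass::1002:1002:No Password:/home/nopass:/bin/bash'

# Constructed sample in /etc/group format.
SAMPLE_GROUP='root:x:0:
bin:x:1:
myuser:x:1000:
mygroup:x:1002:myuser'

# audit_passwd PASSWD_TEXT GROUP_TEXT
# Prints one finding per line as "<check>:<user>", in file order.
audit_passwd() {
  # Feed the group text first, then a marker line, then the passwd text,
  # so a single awk pass can collect the known GIDs before checking users.
  { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk -F: '
    /^---$/ { in_passwd = 1; next }
    !in_passwd { known_gid[$3] = 1; next }          # group file: remember GIDs
    NF != 7 { print "malformed:" $1; next }          # passwd lines have 7 fields
    $3 == 0 && $1 != "root" { print "uid0:" $1 }     # any extra UID 0 is root
    $2 == "" { print "empty-password:" $1 }          # login without a password
    $2 != "x" && $2 != "" { print "hash-in-passwd:" $1 }  # hash not moved to shadow
    !($4 in known_gid) { print "unknown-gid:" $1 }   # basic group does not exist
    { if ($3 in seen) print "duplicate-uid:" $1; seen[$3] = 1 }
  '
}

audit_passwd "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

To run the same checks on a live system, call audit_passwd "$(cat /etc/passwd)" "$(cat /etc/group)"; a clean system prints nothing.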

(2) user and user group management commands

Command Overview: useradd, userdel, usermod, passwd, groupadd, groupdel, groupmod, gpasswd, chage, id, su, chown, chgrp

1. groupadd: add a group

Format: groupadd [options] GROUP

-g, --gid GID: specify the GID. If it is not given, the new GID defaults to the next free GID after the existing groups (the last used GID plus 1).

-r, --system: create a system group

# groupadd mygroup

# groupadd -r mygroup

2. groupmod: modify group attributes

Format: groupmod [options] GROUP

-g GID: change the GID

-n NEW_NAME: change the group name.

# groupmod -g 1002 mygroup

# groupmod -n mynewgroup mygroup

3. groupdel: delete a group

Format: groupdel [options] GROUP

# groupdel mynewgroup

4. useradd: create a user

Format: useradd [options] LOGIN

-u, --uid UID: specify the UID;

-g, --gid GROUP: specify the basic group, which must already exist.

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: specify the additional groups the user belongs to, separated by commas.

-c, --comment COMMENT: specify the comment (GECOS) field.

-d, --home HOME_DIR: use the given path as the user's home directory, created by copying /etc/skel and renaming it. If the given path already exists, the environment configuration files are not copied for the user;

-s, --shell SHELL: specify the user's default shell; the list of available shells is kept in /etc/shells;

-r, --system: create a system user;

-M: do not create the user's home directory

-f DAYS: the number of days after the password expires until the account is disabled. 0 disables the account as soon as the password expires, and -1 turns this feature off.

-D: display the default settings used when creating users.

Note: many of the defaults used when creating a user come from /etc/login.defs.

# useradd myuser

5. usermod: change user attributes

Format: usermod [options] LOGIN

-u, --uid UID: change the user ID

-g, --gid GROUP: change the user's basic group;

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: change the user's additional groups. Without -a, the original additional groups are replaced.

-a, --append: used with -G to append additional groups instead of replacing them;

-c, --comment COMMENT: change the comment

-d, --home HOME_DIR: change the user's home directory; the user's existing files are not moved to the new location;

-m, --move-home: only valid together with -d; moves the contents of the old home directory to the new location

-l, --login NEW_LOGIN: change the user's login name

-s, --shell SHELL: change the user's default shell

-L, --lock: lock the user's password

-U, --unlock: unlock the user's password;

# Change the home directory of myuser to /tmp/home/user, moving the existing contents with it, and change the default shell to tcsh.

# usermod -s /bin/tcsh -d /tmp/home/user -m myuser

6. userdel: delete a user

Format: userdel [options] LOGIN

-r: also delete the user's home directory.

Note: when a user is deleted, the user's private basic group is deleted as well.

# Delete the user myuser

# userdel myuser
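userdel -r removes only the home directory, so files the user owns elsewhere on the system stay behind, owned by a numeric UID that no longer maps to a name, and a user created later with the same UID silently inherits them. The following added example, which is not part of the original article, wraps find(1) to list what a user owns under a directory before deletion and what is left orphaned afterwards. The function names are this example's own, and the demonstration runs on a constructed temporary directory owned by the current user.

```shell
#!/bin/sh
# find_owned_files USER DIR
# Lists files and directories under DIR owned by USER (a name or a numeric
# UID), staying on one filesystem (-xdev) and sorted so the output is stable.
find_owned_files() {
  find "$2" -xdev -user "$1" \( -type f -o -type d \) -print 2>/dev/null | sort
}

# count_owned_files USER DIR
# Number of entries find_owned_files reports.
count_owned_files() {
  find_owned_files "$1" "$2" | grep -c .
}

# find_orphaned_files DIR
# After userdel: files whose owner UID no longer exists in /etc/passwd.
find_orphaned_files() {
  find "$1" -xdev -nouser -print 2>/dev/null | sort
}

# Demonstration on a constructed directory tree owned by the current user.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/project"
: > "$demo_dir/project/notes.txt"
: > "$demo_dir/script.sh"
echo "Files owned by UID $(id -u) under $demo_dir:"
find_owned_files "$(id -u)" "$demo_dir"
rm -rf "$demo_dir"
```

Before running userdel on a real account, find_owned_files myuser / shows everything that should be reassigned with chown or removed; after deletion, find_orphaned_files / shows what was missed.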

7. passwd: password management

Format: passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]

(1) passwd: change your own password

(2) passwd USERNAME: change the password of the specified user. Only root may do this, and root is not asked for the original password;

-l, -u: lock and unlock the user's password

-d: clear the user's password string

-e: expire the user's password;

-i DAYS: inactive period;

-n DAYS: minimum password validity period

-x DAYS: maximum password validity period

-w DAYS: warning period

--stdin: read the new password from standard input.

In scripts this is usually written as echo "PASSWORD" | passwd --stdin USERNAME; note that a password entered this way at an interactive prompt is recorded in the shell history.

# Change the user's password

# passwd myuser

8. gpasswd: change the group password

Format: gpasswd [option] GROUP

-a USERNAME: add a user to the group

-d USERNAME: remove a user from the group

# Change the group password

# gpasswd mygroup

# Add myuser to mygroup, making mygroup an additional group of myuser

# gpasswd -a myuser mygroup

9. chage: change password expiration information

Format: chage [options] LOGIN

-d: set the date of the last password change.

-E: change the account expiration date

-I: change the password inactivity period

-W: change the warning period

-m: minimum number of days between password changes

-M: maximum number of days the password is valid
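The /etc/shadow fields described earlier and the ageing options of passwd and chage are two views of the same data, so auditing the ageing policy actually in force is a field-by-field check of the shadow file. The following added example (not from the original article) does that in POSIX shell and awk on a constructed shadow sample, taking the current day number as a parameter so the result is reproducible; the check labels and function name are this example's own.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format; the hashes are placeholders.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:99999:7:::
myuser:$6$salt$hash:19000:0:90:7:::
stale:$6$salt$hash:18000:0:90:7:14::
locked:!$6$salt$hash:19000:0:90:7:::
service:*:19000:0:99999:7:::
nopass::19000:0:90:7:::
gone:$6$salt$hash:19000:0:90:7::19000:'

# audit_shadow SHADOW_TEXT TODAY
# TODAY is the current date as days since 1970-01-01, the unit the file uses.
# Prints one finding per line as "<check>:<user>".
audit_shadow() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '
    NF != 9 { print "malformed:" $1; next }
    $2 == "" { print "empty-password:" $1; next }        # no password at all
    $2 ~ /^[!*]/ { print "locked:" $1; next }            # ! (passwd -l) or *: no password login
    $5 == "" || $5 >= 99999 { print "never-expires:" $1 }  # no maximum age set
    $5 != "" && $5 < 99999 && $3 + $5 < today {
      # past the maximum age: still usable only inside the inactive period
      if ($7 != "" && $3 + $5 + $7 >= today) print "in-grace:" $1
      else print "password-expired:" $1
    }
    $8 != "" && $8 <= today { print "account-expired:" $1 }  # chage -E date has passed
  '
}

audit_shadow "$SAMPLE_SHADOW" 19050
```

On a live system, run as root: audit_shadow "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))". Accounts flagged never-expires are the ones a chage -M or passwd -x policy has not reached; locked and empty-password entries are what passwd -l, passwd -d and usermod -L produce.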

10. id: display real and effective user and group ID information.

Format: id [OPTION]... [USER]

id: display your own ID information

-u: display only the effective UID.

-g: display only the effective basic group ID.

-G: display the IDs of all groups the user belongs to.

-n: display names instead of IDs (used together with the options above)
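The distinction between a user's basic group (the GID field of /etc/passwd) and additional groups (the user_list field of /etc/group) is exactly what id -Gn resolves. The following added example, not part of the original article, performs that resolution from text in the two file formats on a constructed sample, listing the basic group first and then the additional groups in /etc/group order; the function name is this example's own.

```shell
#!/bin/sh
# Constructed samples in /etc/passwd and /etc/group format.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
myuser:x:1000:1000:My User:/home/myuser:/bin/bash
other:x:1001:1001:Other:/home/other:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:myuser
myuser:x:1000:
other:x:1001:
mygroup:x:1002:myuser,other'

# user_groups PASSWD_TEXT GROUP_TEXT USER
# Prints the basic group followed by the additional groups, like id -Gn.
user_groups() {
  { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk -F: -v user="$3" '
    /^---$/ { in_group = 1; next }
    # passwd section: the 4th field is the GID of the basic group
    !in_group { if ($1 == user) primary_gid = $4; next }
    # group section: match the basic group by GID, additional groups by user_list
    {
      if (primary_gid != "" && $3 == primary_gid) primary = $1
      n = split($4, members, ",")
      for (i = 1; i <= n; i++) if (members[i] == user) extra = extra " " $1
    }
    END {
      if (primary_gid == "") { print "no-such-user:" user; exit }
      if (primary == "") primary = primary_gid   # id prints the bare GID when the group is missing
      printf "%s%s\n", primary, extra
    }
  '
}

user_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" myuser
```

Note that membership recorded in user_list only takes effect in new sessions: a user added with gpasswd -a or usermod -aG keeps the old group set until they log in again, which is why id run in an existing shell can disagree with the files.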

11. su: switch users

Login switch: the target user's configuration files are re-read to initialize the new session

su - USERNAME

su -l USERNAME

Non-login switch: the target user's configuration files are not read

su USERNAME

-c 'COMMAND': run only the given command as the specified user.

Note: the administrator can switch to any other user without a password; a non-administrator must provide the target user's login password.

12. chown: change a file's owner, group, or both

Format: chown [OPTION]... [OWNER][:|.[GROUP]] FILE...

Either OWNER:GROUP or OWNER.GROUP may be used.

chown [OPTION]... --reference=RFILE FILE...

Option:

-R, --recursive: change ownership recursively

Note: only the administrator can change a file's owner.

# Change the owner and group of file1 to myuser and mygroup

# chown myuser:mygroup file1

13. chgrp: change only the group

Format: chgrp [OPTION]... GROUP FILE...

chgrp [OPTION]... --reference=RFILE FILE...

Note: only administrators can change a file's group.
