Management knowledge points for Linux users and groups

Source: Internet
Author: User
Tags: generator, password protection

Linux is a true multi-user, multitasking operating system: several user accounts can exist on one system, and several users can log in at the same time and carry out their own tasks without interfering with each other. Users are divided into user accounts and group accounts, and because of this multi-user, multitasking nature, permissions must be assigned to keep resources from being damaged.

The subject that actually uses resources and completes tasks is the application process, which runs with the identity of the user who started it (the process owner). When a process accesses a resource, the system compares the security context of the process owner with that of the resource owner. It first checks whether the process owner is the owner of the resource; if so, the resource is used according to the owner's permissions. If not, it checks whether the process belongs to the resource's owning group; if so, the group's permissions apply. Otherwise the permissions granted to other users apply.
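The owner / group / other decision just described, as an added example that is not part of the original article; the user names, UIDs, GIDs and file modes in it are constructed:

```python
# Added example, not from the original article: the owner / group / other decision
# the article describes, applied to a process's credentials and a resource's
# ownership and mode bits. All names, UIDs and modes here are constructed.
from dataclasses import dataclass
R, W, X = 4, 2, 1          # read, write, execute bits of one permission triplet

@dataclass
class Resource:
    owner_uid: int
    group_gid: int
    mode: int              # e.g. 0o640 -> owner rw-, group r--, other ---

@dataclass
class Process:
    uid: int               # the process runs as its initiator (the process owner)
    gids: frozenset        # primary group plus additional groups

def permission_class(proc, res):
    """Exactly one class applies, chosen in this order; the check never
    falls through to a more permissive class afterwards."""
    if proc.uid == res.owner_uid:
        return "owner"
    if res.group_gid in proc.gids:
        return "group"
    return "other"

def may_access(proc, res, wanted):
    """True if every bit in `wanted` (a combination of R, W, X) is granted."""
    if proc.uid == 0:      # the superuser (UID 0) bypasses the owner/group/other
        return wanted & X == 0 or res.mode & 0o111 != 0   # check; execute still needs an x bit
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(proc, res)]
    granted = (res.mode >> shift) & 0o7
    return granted & wanted == wanted

def demo():
    report = Resource(owner_uid=1000, group_gid=1000, mode=0o640)
    alice = Process(uid=1000, gids=frozenset({1000}))
    bob = Process(uid=1001, gids=frozenset({1001, 1000}))     # in alice's group
    carol = Process(uid=1002, gids=frozenset({1002}))
    # Owner triplet grants nothing while the group triplet grants rwx: the owner is
    # still judged by the owner triplet and is denied, group membership or not.
    odd = Resource(owner_uid=1000, group_gid=100, mode=0o070)
    staff = Process(uid=1000, gids=frozenset({1000, 100}))
    return {
        "alice_write_report": may_access(alice, report, W),   # True
        "bob_read_report": may_access(bob, report, R),        # True
        "bob_write_report": may_access(bob, report, W),       # False
        "carol_read_report": may_access(carol, report, R),    # False
        "owner_read_odd": may_access(staff, odd, R),          # False
    }
```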

Users are divided into the superuser and ordinary users, and ordinary users are further divided into system users and login users. System users exist for security: they let background processes and services run as a non-administrator, and such users generally cannot log in to the system. Login users are the users who can use the system's resources normally.

A user is identified by a login name (a string ID) and a user ID, which can be thought of as the numeric ID the computer uses. The superuser's ID is 0; system users have IDs 1~499 on CentOS 5/6 and 1~999 on CentOS 7; login users have IDs 500~60000 on CentOS 5/6 and 1000~60000 on CentOS 7. Identifiers above 60000 are left for custom definition by the user.

Name resolution is the one-to-one mapping between user name and user ID, stored in the resolution library (/etc/passwd). The system uses the resolution library together with the authentication mechanism to verify that the user logging in is the person they claim to be. The authentication libraries (/etc/shadow and /etc/group) use password authentication to check that the login password is correct. The passwords saved in the authentication library are stored encrypted with a one-way hash algorithm, which can only encrypt data and can never decrypt it; it extracts the characteristic information of the data, much like a fingerprint. A one-way hash algorithm has these properties: the same input always produces the same result; the output has a fixed length no matter how large the input is; the avalanche effect (changing even one part of the input changes the result completely); and it is irreversible. Note the first property: if two results are the same, the inputs must have been the same, so the encryption process adds a salt (a random number) to the data being encrypted.

There are two random number generator devices, random and urandom. random returns random numbers from the entropy pool (entropy gathered from interrupts), and if the pool is exhausted the process blocks. urandom first tries the entropy pool and, if it is exhausted, falls back to a pseudo-random number generator to produce pseudo-random numbers.

The common one-way hash algorithms are MD5 ($), SHA1 ($), SHA224 ($), SHA256 ($4), SHA384 ($), SHA512 ($6). The validation string stored in the authentication library therefore has the form $6$salt$crypted_passwd.
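An added example (not from the original article) of the hash properties and the salt argument above, using Python's hashlib SHA-512 on constructed inputs; it is plain salted SHA-512 for illustration, not the crypt(3) $6$ scheme that /etc/shadow actually stores:

```python
# Added example, not from the original article: the one-way hash properties the
# article lists (fixed-length output, avalanche effect, salting) shown with
# hashlib's SHA-512. This is plain salted SHA-512 for illustration only, not the
# crypt(3) "$6$" scheme that /etc/shadow stores. All inputs are constructed.
import hashlib
import os

def salted_sha512(password: str, salt: bytes) -> str:
    """Hex digest of salt || password; the same inputs always give the same output."""
    return hashlib.sha512(salt + password.encode()).hexdigest()

def new_salt(nbytes: int = 16) -> bytes:
    """Fresh salt from the kernel's urandom pool (os.urandom reads /dev/urandom)."""
    return os.urandom(nbytes)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def shadow_style(password: str, salt: bytes) -> str:
    """Lay the result out as $id$salt$hash; the id 'x6' is a made-up marker so the
    string cannot be mistaken for a real crypt(3) SHA-512 entry."""
    return f"$x6${salt.hex()}${salted_sha512(password, salt)}"

def demo():
    fixed_salt = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    a = salted_sha512("s3cret", fixed_salt)
    b = salted_sha512("s3cres", fixed_salt)             # one character changed
    long_input = salted_sha512("s3cret" * 10_000, fixed_salt)
    # Two users who chose the same password: with one shared (or no) salt their
    # stored values are identical, which is exactly what a per-user salt hides.
    alice = shadow_style("s3cret", new_salt())
    bob = shadow_style("s3cret", new_salt())
    return {
        "fixed_length": len(a) == len(long_input) == 128,   # 512 bits as hex
        "avalanche_bits": differing_bits(a, b),             # roughly half of 512
        "same_salt_reveals_reuse": shadow_style("s3cret", fixed_salt) == shadow_style("s3cret", fixed_salt),
        "per_user_salt_hides_reuse": alice != bob,
    }
```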

A user group is a container that gathers users with the same or similar attributes so that they can be authorized centrally. Groups are divided into the administrator group and ordinary groups, and ordinary groups into system groups and login groups. Like users, a group is identified by a group name and a group ID: the administrator group's ID is 0, system groups have IDs 1~499 on CentOS 5/6 and 1~999 on CentOS 7, and login groups have IDs 500~60000 on CentOS 5/6 and 1000~60000 on CentOS 7. The group resolution library is /etc/group and the authentication library is /etc/group. Groups can also be password protected; without a group password, a user cannot join the group at will. From the user's point of view, groups are divided into the user's primary group and the user's additional groups: a user must have exactly one primary group and may have any number of additional groups, including none. From the group's point of view, groups are divided into private groups and public groups: a private group has the same name as the user's login name and contains only that user, while a public group contains many different users. By default, a user's primary group is their private group.

Field analysis of the resolution library /etc/passwd: account:password:UID:GID:GECOS:directory:shell

account: the login name;

password: the password field; on systems using the shadow mechanism an x is usually stored here as a placeholder;

UID: the user ID;

GID: the ID of this user's primary group;

GECOS: comment field, now generally used to store the user's descriptive information or full name;

directory: the home directory path (absolute path);

shell: the absolute path of the default login shell;

Field analysis of the resolution library /etc/group: group_name:passwd:GID:user_list

group_name: the group name;

passwd: the group password (empty by default);

GID: the numeric identifier of the group;

user_list: the list of users that have this group as an additional group;


Field analysis of the authentication library /etc/shadow:

postfix:!!:17230::::::

The first exclamation mark means the password is locked; the second means no password has been set.

Login name: the user's login name;

Encrypted password: the encrypted password.

Format: $algorithm$salt$encrypted_password

If this field is "!", the user's password is disabled;

If this field is "*", the user is a system user and cannot log in;

If this field is empty, the user can log in to the system without entering a password, which is not recommended;

Date of last password change:

A relative time: the number of days from January 1, 1970 to the date the password was last changed;

Minimum password age:

How long the password cannot be changed. The default value is 0, meaning the password can be changed at any time; any other number means the password cannot be changed for that many days;

Maximum password age:

After how many days the password expires. The default is 99999, meaning permanently valid;

Password warning period:

The number of days before expiry during which the user is reminded. The default is 7 days;

Password inactivity period:

The grace period after the password expires. The default is -1, meaning a permanent grace period;

Account expiration date:

The date on which the user account expires; this is an absolute date, xxxx/xx/xx;

Reserved field:

Kept for later use;
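An added example, not from the original article, that parses constructed /etc/passwd and /etc/shadow records in the formats described above and reports each account's UID class, password-field state and password-aging state; the hash values in the sample are placeholders:

```python
# Added example, not from the original article: parse /etc/passwd and /etc/shadow
# records (constructed samples; hash values are placeholders) and report the states.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash"""
SAMPLE_SHADOW = """root:$6$c0nstructedSalt$PLACEHOLDERHASH:17230:0:99999:7:::
postfix:!!:17230::::::
alice:$6$c0nstructedSalt$PLACEHOLDERHASH:17200:0:30:7:::
guest::17215:0:25:7:::"""
PASSWD_FIELDS = ("account", "password", "uid", "gid", "gecos", "directory", "shell")
SHADOW_FIELDS = ("login", "encrypted", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_db(text, fields):
    """One dict per record, keyed by name; a wrong field count means a corrupt line."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(fields): raise ValueError(f"expected {len(fields)} fields: {line}")
        rows[parts[0]] = dict(zip(fields, parts))
    return rows

def classify_uid(uid):
    """UID classes as the article gives them for CentOS 7; above 60000 is user-defined."""
    for lo, hi, kind in ((0, 0, "superuser"), (1, 999, "system"), (1000, 60000, "login")):
        if lo <= uid <= hi: return kind
    return "custom"

def password_state(field):
    """Decode the second /etc/shadow field into the state the article lists."""
    if field == "": return "EMPTY: logs in without a password"
    if field == "*": return "system account, cannot log in"
    if field == "!": return "disabled"
    if field == "!!": return "locked, no password set"
    if field.startswith("$"):
        algo_id, salt, _hash = field[1:].split("$", 2)
        return f"hashed with ${algo_id}, salt {salt}"
    return "unrecognised"

def aging_status(rec, today):
    """today = days since 1970-01-01, the unit of the lastchg field."""
    last, maxage = int(rec["lastchg"] or 0), int(rec["max"] or 99999)
    if maxage >= 99999: return "never expires"
    if today > last + maxage: return "expired"
    if today >= last + maxage - int(rec["warn"] or 7): return "in warning period"
    return "valid"

def audit(passwd_text=SAMPLE_PASSWD, shadow_text=SAMPLE_SHADOW, today=17240):
    shadow = parse_db(shadow_text, SHADOW_FIELDS)
    return {n: (classify_uid(int(u["uid"])), password_state(shadow[n]["encrypted"]),
                aging_status(shadow[n], today)) for n, u in parse_db(passwd_text, PASSWD_FIELDS).items()}
```

audit() returns one tuple per account; in a real review the EMPTY password state is the first thing to look for.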

Some commands for managing users and groups:

Group management commands:

groupadd groupdel groupmod

User management commands:

useradd userdel usermod

Authentication management commands:

passwd gpasswd chage

Other related management commands:

chsh finger su id

Group management commands:

groupadd: create a new group account

-g GID: set the GID of the group account when creating it; if this option is not used, the system picks the largest GID present in the group resolution file plus 1, not exceeding 60000

-r: create a system group, meaning a group whose GID is between 1~999

groupmod: modify information about a group

-g GID: modify the ID of the group account

-n NEWNAME: modify the group name

groupdel: delete a group account

Note: if a group is the primary group of a user, the group cannot be deleted

useradd: create a new user account: useradd [OPTIONS] LOGIN

When the administrator sets no options, the user is still created and given default properties taken from three files: /etc/default/useradd, /etc/login.defs and /etc/skel.

-c, --comment COMMENT: add comment information, typically the full name, when creating the user

-d HOME_DIR: specify the path of the user's home directory when creating the user; the directory must not already exist, otherwise the home directory cannot be created normally

-g, --gid GROUPNAME: specify the user's primary group when creating the user

-G GROUP1[,GROUP2,...]: add the user to several additional groups when creating the user

-M: do not create the user's home directory when creating the user

-m: force creation of the user's home directory

-r: create a system user

-u, --uid UID: assign a UID when creating the user; this UID may exceed the 60000 limit

-s, --shell SHELL: specify the user's login shell when creating the user

-D, --defaults: display or modify the default property values for new users

-s, --shell /path/to/shell: used with -D, modify the default shell in the /etc/default/useradd file


usermod: modify user account information

usermod [OPTIONS] LOGIN

-c, --comment COMMENT: modify the user's comment information

-g, --gid GROUP: modify the user's primary group

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: set the user's additional groups to the groups in the list

-a, --append: add the user to additional groups instead of replacing them; only used together with -G

-d, --home HOME_DIR: modify the user's home directory (only the home directory setting is changed; the files are not moved)

-m, --move-home: only works together with -d (or --home); moves the contents of the old home directory to the new home directory

-l NEW_LOGIN: change the login name of the user account

-s SHELL: modify the login shell of the user account

-u UID: modify the user's UID

-L: lock the user's password

-U: unlock the user's password

userdel: delete a user account

-r: remove the user's home directory while deleting the user


User authentication commands:

passwd: set and view a user's password information

-l: lock the password

-u: unlock the password

Note: compared with usermod -L|-U, these take priority

-d, --delete: delete the user's password, leaving the second field of /etc/shadow (the encrypted password) empty

-S, --status: view the user's password status

--stdin: read the password from standard input, so it can be fed to passwd through a pipe

Group authentication commands:

gpasswd

-a, --add USER: add USER to the group named GROUP

-d, --delete USER: remove USER from the group


Other commands

su

su USERNAME: a half switch; the target user's profile is not re-read when switching, so it is not a login and the working environment is not initialized.

su - USERNAME (equivalent to su -l USERNAME): a full switch; the target user's profile is re-read and the working environment is initialized.

-c COMMAND: do not switch user identity, but execute a command as the target user

newgrp GROUPNAME: temporarily change the primary group of the currently logged-in user; use exit to return

id:

-g: display only the user's effective GID

-u: display only the user's effective UID

-G: display all of the user's group IDs

-n: display names instead of IDs
