Linux is a multi-tasking, multi-user system.
Each login (user) has a user ID and a password; managing them is the subject of the so-called 3 A's.
The so-called 3 A's:
Authentication (the authentication mechanism: verifying who the user is)
Authorization (the authorization mechanism: what the user may do)
Accounting / Auditing (recording what was done)
Group concept: a user group is a container of users, used so that rights can be assigned to many users at once
User categories:
Administrator: root
Normal users:
System users (used to run services and daemons; normally not able to log in)
Login users
A user is identified in the Linux system by its user ID, the UID.
Range of user IDs:
Traditionally a 16-bit number, 0-65535; current Linux kernels use 32-bit UIDs, but the conventional ranges below, configured in /etc/login.defs, are what useradd follows by default
Administrator: 0
Normal users: 1-65535
System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login users: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Name resolution:
Each user name corresponds to a UID; the mapping is resolved through the name resolution database /etc/passwd
Groups:
Group category 1:
Administrators group
Normal user groups:
System groups
Login groups
Group ID: GroupID, GID
Administrators group: 0
Normal user groups: 1-65535
System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login groups: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Name resolution: group name <--> GID; resolution database: /etc/group
Group category 2:
Primary (basic) group of a user: every user has exactly one, recorded in the GID field of the user's /etc/passwd entry
Supplementary (additional) groups of a user: any other groups the user has been added to
Group category 3:
Private group: the group name is the same as the user name and the group contains only that one user;
Public group: the group contains multiple users;
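The two resolution steps above (UID range to user class, and primary versus supplementary group membership via /etc/passwd and /etc/group) as an added example; this is not code from the original page. The passwd and group records are constructed, and the login-UID boundary of 1000 is assumed from the CentOS 7 defaults. It also reports any second UID-0 account, a check worth running on any host you inherit.

```bash
#!/usr/bin/env bash
# Added example: resolve UID classes and group membership from constructed
# /etc/passwd and /etc/group data (not code from the original page).
# Replace the two constants with the real files on a host you are auditing.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
docker:x:1500:1500::/home/docker:/bin/bash
test:x:1501:1501::/home/test:/bin/bash
toor:x:0:0:not root:/root:/bin/bash'

GROUP_DATA='root:x:0:
bin:x:1:
chrony:x:996:
docker:x:1500:test
test:x:1501:
yunwei:x:5000:docker,test'

# Boundary between system and login UIDs: CentOS 7 default from /etc/login.defs
# (assumed here; CentOS 6 uses 500).
LOGIN_UID_MIN=${LOGIN_UID_MIN:-1000}

# classify_uid UID -> root | system | login
classify_uid() {
  if [ "$1" -eq 0 ]; then
    echo root
  elif [ "$1" -lt "$LOGIN_UID_MIN" ]; then
    echo system
  else
    echo login
  fi
}

# primary_group LOGIN -> name of the group whose GID is in the user's passwd entry
primary_group() {
  local gid
  gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
  [ -n "$gid" ] || return 1
  printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# supplementary_groups LOGIN -> comma-separated groups listing LOGIN in user_list
supplementary_groups() {
  printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
    {
      n = split($4, members, ",")
      for (i = 1; i <= n; i++)
        if (members[i] == u) out = (out == "" ? $1 : out "," $1)
    }
    END { print out }'
}

# extra_uid0_accounts -> every account other than root that has UID 0.
# Such an entry is fully privileged and is a classic persistence trick.
extra_uid0_accounts() {
  printf '%s\n' "$PASSWD_DATA" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Report for every account in the sample data
printf '%s\n' "$PASSWD_DATA" | cut -d: -f1,3 | while IFS=: read -r name uid; do
  printf '%-8s uid=%-5s %-7s primary=%s supplementary=%s\n' \
    "$name" "$uid" "$(classify_uid "$uid")" \
    "$(primary_group "$name")" "$(supplementary_groups "$name")"
done
```

Note that primary-group membership never appears in the user_list field of /etc/group, which is why `supplementary_groups docker` returns only yunwei even though docker's own private group exists.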
Authentication information:
Whether the credentials supplied at login match the data stored beforehand;
Password storage file locations:
Users: /etc/shadow
Groups: /etc/gshadow
Password usage policy:
1. use random passwords;
2. minimum length no less than 8 characters;
3. use at least three of the four character classes: uppercase letters, lowercase letters, digits and punctuation;
4. change passwords regularly;
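Rules 2 and 3 are the ones a script can enforce; the following added example (not the page's own code) checks a candidate password against them. The password is read from standard input rather than taken as an argument, so it never shows up in the process list or the shell history. On a CentOS host the same policy is normally applied through pam_pwquality (minlen and minclass); this script is for checking passwords before they are handed to passwd --stdin.

```bash
#!/usr/bin/env bash
# Added example (not the page's own code): check a candidate password against
# the policy above (rules 2 and 3; rules 1 and 4 are process rules).
# The password is read from stdin rather than passed as an argument so that it
# never appears in the process list or the shell history.
MIN_LEN=8        # rule 2
MIN_CLASSES=3    # rule 3: at least three of upper, lower, digit, punctuation

# count_classes PASSWORD -> number of character classes present (0-4)
count_classes() {
  local n=0
  case $1 in *[[:upper:]]*) n=$((n + 1)) ;; esac
  case $1 in *[[:lower:]]*) n=$((n + 1)) ;; esac
  case $1 in *[[:digit:]]*) n=$((n + 1)) ;; esac
  case $1 in *[[:punct:]]*) n=$((n + 1)) ;; esac
  echo "$n"
}

# check_password_policy < password -> exit 0 if compliant, 1 otherwise;
# each violated rule is printed as one line on stdout.
check_password_policy() {
  local pw classes rc=0
  IFS= read -r pw || [ -n "$pw" ]      # accept input without a trailing newline
  if [ "${#pw}" -lt "$MIN_LEN" ]; then
    echo "too short: ${#pw} characters, minimum is $MIN_LEN"
    rc=1
  fi
  classes=$(count_classes "$pw")
  if [ "$classes" -lt "$MIN_CLASSES" ]; then
    echo "only $classes of 4 character classes used, minimum is $MIN_CLASSES"
    rc=1
  fi
  return "$rc"
}

# Usage: printf '%s' "$candidate" | check_password_policy && echo accepted
```

Feed the password with `printf '%s'` or from a file with 0600 permissions; an `echo "..."` typed at an interactive prompt lands in the history file.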
Encryption algorithms:
Symmetric encryption: encryption and decryption use the same key;
Asymmetric encryption: a key pair is used, one key to encrypt and the other to decrypt;
Key pair:
Public key
Private key
Asymmetric keys come in pairs: data encrypted with the public key can only be decrypted with the corresponding private key;
One-way hashing (often called "one-way encryption"): data can be hashed but the hash cannot be reversed; it extracts a fingerprint (digest) of the data; the output has a fixed length regardless of the input length
Algorithms:
MD5: Message Digest 5, 128 bits
SHA: Secure Hash Algorithm (SHA-1), 160 bits
SHA-224
SHA-256
SHA-384
SHA-512 (the number is the digest length in bits)
MD5 and SHA-1 are no longer considered collision resistant; prefer SHA-256 or SHA-512 for new uses.
Example (the trailing "-" means the data was read from standard input; note that echo appends a newline, which becomes part of the hashed data):
# echo "Nihao" | md5sum
0a34a9366d438e6ac5ae3480d024c4ef  -
# echo "ABCDEFG" | sha512sum
9ab216d2cf3d89df5ba18cd3e3eb390d4ed30a9a0349b71680cc244c7e22cdddabb5a042481b2c6c8d6fabee4f3cb280f02c0c3f27ee66929aa2342f2142750c  -
/etc/passwd: the user information database
name:password:UID:GID:GECOS:directory:shell
Explanation:
name: user name
password: may hold the encrypted password, but normally holds the placeholder x, meaning the hash is kept in /etc/shadow;
UID: user ID number
GID: ID number of the user's primary group;
GECOS: comment information (full name, contact details, etc.)
directory: the user's home directory;
shell: the user's default shell, the program started when the user logs in;
/etc/shadow: user passwords and password aging information (readable by root only)
name:encrypted password:date of last password change:minimum age:maximum age:warning period:inactivity period:account expiration date:reserved field
(dates are stored as days since 1970-01-01; a password field beginning with "!" or "*" cannot be used for password login, i.e. the account is locked; an empty field means no password is required)
/etc/gshadow: the group counterpart, with a different layout: group_name:encrypted password:administrators:members
/etc/group: the group information database
group_name:password:GID:user_list
user_list: the users that are members of the group, i.e. the list of users who have this group as a supplementary group (primary-group membership is recorded in /etc/passwd, not here);
Related commands: useradd, userdel, usermod, passwd, groupadd, groupdel, groupmod, gpasswd, chage, chsh, id, su
useradd command: create a user
# useradd test
useradd [OPTIONS] LOGIN
-u, --uid UID: specify the UID;
# useradd -u 1500 docker
docker:x:1500:1500::/home/docker:/bin/bash
-g, --gid GROUP: specify the primary group (by name or GID); the group must already exist, otherwise useradd reports an error;
# useradd -g yunwei test2
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: the supplementary groups the user belongs to, separated by commas;
# useradd -G docker test
docker:x:1500:test
-c, --comment COMMENT: specify the comment (GECOS) information;
-d, --home HOME_DIR: use the given path as the home directory; it is created by copying /etc/skel to that path. If the directory already exists beforehand, the environment profile files from /etc/skel are not copied into it;
# useradd -d /sh/test2 test2
test2:x:1502:1502::/sh/test2:/bin/bash
-s, --shell SHELL: specify the user's login shell; the list of permitted login shells is kept in /etc/shells;
# useradd -s /bin/sh test2
test2:x:1502:1502::/home/test2:/bin/sh
-r, --system: create a system user (UID taken from the system range, no home directory, no password aging information);
-M: do not create the user's home directory
-f, --inactive DAYS: inactivity period (number of days after the password expires until the account is completely disabled)
Note: the default settings for user creation come from /etc/login.defs (global configuration) and /etc/default/useradd
useradd -D: display the default values used when creating a user;
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
useradd -D OPTION: change the value of a default option;
# useradd -D -s /bin/sh
SHELL=/bin/sh      (as useradd -D shows afterwards)
The changed defaults are saved in the /etc/default/useradd file;
usermod command: modify user properties
usermod - modify a user account
Format:
usermod [OPTIONS] LOGIN
-u, --uid UID: change the user's UID to the given value (files in the home directory are re-owned to the new UID; files elsewhere must be fixed by hand);
-g, --gid GROUP: change the user's primary group (the group must already exist);
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: replace the user's supplementary groups; the original supplementary groups are overwritten unless -a is also given;
-a, --append: only usable together with -G; append the new supplementary group(s) instead of replacing the existing ones;
-c, --comment COMMENT: change the comment information;
-d, --home HOME_DIR: change the user's home directory; the user's existing files are not moved to the new location;
-m, --move-home: only usable together with -d; move the contents of the old home directory into the new one;
# usermod -m -d /sh/test6 -u 10005 test6
Note: -u takes the new UID as its argument, and the login name must come last, otherwise usermod reports an error
-l, --login NEW_LOGIN: change the user name;
-s, --shell SHELL: change the user's login shell;
-L, --lock: lock the user's password by prepending "!" to the password hash in /etc/shadow, so that password authentication fails; this blocks password logins only, so to disable the account as a whole also set an expiration date (chage -E 0);
-U, --unlock: unlock the user's password (remove the "!");
userdel command: delete a user
userdel [OPTIONS] LOGIN
-r: also delete the user's home directory and mail spool;
groupadd command: add a group
groupadd [OPTIONS] GROUP_NAME
# groupadd mylist
-g GID: specify the GID; by default the next unused GID in the login-group range (GID_MIN..GID_MAX from /etc/login.defs) is used;
# groupadd -g 10000 kklist
-r: create a system group (GID taken from the system range);
groupmod command: modify group properties
groupmod [OPTIONS] GROUP
-g GID: change the GID (files owned by the old GID are not updated and must be re-owned by hand);
# groupmod -g 10010 kklist
-n NEW_NAME: change the group name;
# groupmod -n kwlist kklist
groupdel command: delete a group
groupdel [OPTIONS] GROUP
# groupdel mylist
(the primary group of an existing user cannot be deleted)
passwd command:
Functions:
(1) passwd: change your own password;
(2) passwd USERNAME: change the password of the given user; only root may do this;
Options:
-l, -u: lock and unlock the user's password (like usermod -L / -U);
-d: delete the user's password string, leaving the field empty; depending on the PAM configuration (nullok) the user can then log in without a password, so use with care;
# passwd -d kwang
-e: expire the password immediately, forcing the user to change it at the next login;
-i DAYS: inactivity period;
-n DAYS: minimum password age;
-x DAYS: maximum password age;
-w DAYS: warning period;
--stdin: read the new password from standard input (a Red Hat/CentOS extension, usually used in scripts)
echo "PASSWORD" | passwd --stdin USERNAME
(typed interactively, this records the plaintext password in the shell history; in scripts, read it from a file with restrictive permissions instead)
gpasswd command:
Group password file: /etc/gshadow
Set the password for a group:
# gpasswd GROUP_NAME
gpasswd [OPTIONS] GROUP
-a USERNAME: add a user to the group
# gpasswd -a test1 mylist
-d USERNAME: remove a user from the group
# gpasswd -d test1 mylist
newgrp command: temporarily make the given group the primary group of the current session, so that newly created files get that group; members of the group switch without a password, non-members are asked for the group password set with gpasswd;
newgrp [-] [GROUP]
-: re-initialize the environment as if the user had logged in again;
without "-" only the primary group of the current shell is switched
Example:
# gpasswd -a test1 mylist
# su - test1
$ newgrp mylist
$ touch 2
(ls -l now shows the new file owned by group mylist instead of test1's private group:)
-rw-r--r-- 1 test1 mylist 0 Mar 20 14:27 2
chage command: change user password expiry information
chage - change user password expiry information
Format:
chage [OPTIONS] LOGIN
Options:
-d LAST_DAY: date of the last password change; 0 forces a password change at the next login
# chage -d 0 kwang
-E EXPIRE_DATE: date on which the account expires (YYYY-MM-DD or days since 1970-01-01); 0 expires the account immediately, -1 removes the expiration date (never expires)
# chage -E 0 kwang
# chage -E -1 kwang
-l: list the user's password aging information
# chage -l kwang
-m MIN_DAYS: minimum number of days between password changes; 0 means the password may be changed at any time
# chage -m 1 kwang
Minimum number of days between password change: 1   (as reported by chage -l)
-M MAX_DAYS: maximum number of days the password remains valid
# chage -M 7 kwang
Maximum number of days between password change: 7
-W WARN_DAYS: number of days of warning before the password expires
# chage -W 5 kwang
Number of days of warning before password expires: 5
-I INACTIVE: number of days after the password has expired before the account is locked
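The fields of /etc/shadow described earlier and the aging values set with passwd and chage above combine into a handful of account states; the following added example (not the page's own code) reads shadow-style records and reports them: empty password fields, hashes locked with "!" or "*", legacy MD5 crypt hashes, expired accounts, passwords past their maximum age and accounts past the inactivity period. The records are constructed and the hash bodies are placeholders in the shape of crypt(3) output, not real hashes; the $id$ prefix mapping ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt, $2a$/$2b$/$2y$ bcrypt) is the crypt(3) convention, not something the page spells out.

```bash
#!/usr/bin/env bash
# Added example (not the page's own code): audit /etc/shadow-style records.
# The records below are constructed; the hash bodies are placeholders shaped
# like crypt(3) output, not real password hashes.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01).
SHADOW_DATA='root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
kwang:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:1:7:5:3::
oldpw:$1$salt$FAKEMD5HASH:19000:0:90:7:::
locked:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
nopass::19700:0:99999:7:::
gone:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7::19000:
svc:*:19700:0:99999:7:::'

# hash_algo HASH_FIELD -> crypt(3) scheme named by the $id$ prefix, or one of
# the special states: empty (no password needed) or locked ("!" written by
# usermod -L / passwd -l, "*" for accounts that never had a password).
hash_algo() {
  case $1 in
    '')            echo empty ;;
    '!'* | '*'*)   echo locked ;;
    '$1$'*)        echo md5 ;;
    '$5$'*)        echo sha256 ;;
    '$6$'*)        echo sha512 ;;
    '$y$'*)        echo yescrypt ;;
    '$2'[aby]'$'*) echo bcrypt ;;
    *)             echo unknown ;;
  esac
}

# audit_shadow TODAY -> one "name: finding" line per problem; TODAY is given
# in days since the epoch (use $(( $(date +%s) / 86400 )) for the current day).
audit_shadow() {
  local today=$1
  printf '%s\n' "$SHADOW_DATA" |
  while IFS=: read -r name hash last min max warn inact expire reserved; do
    case $(hash_algo "$hash") in
      empty)  echo "$name: empty password field, login without a password is possible" ;;
      locked) echo "$name: password locked" ;;
      md5)    echo "$name: MD5 crypt hash, re-hash with SHA-512 at the next password change" ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
      echo "$name: account expired on day $expire"
    fi
    # a maximum age of 99999 is the "never expires" default written by useradd
    if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ "$((today - last))" -gt "$max" ]; then
      echo "$name: password is $((today - last)) days old, max age is $max"
      # once max age + inactivity period have both passed, the account is disabled
      if [ -n "$inact" ] && [ "$((today - last))" -gt "$((max + inact))" ]; then
        echo "$name: inactivity period passed, account disabled"
      fi
    fi
  done
}

audit_shadow "$(( $(date +%s) / 86400 ))"
```

Run it as root against the real file by replacing the constant with `$(cat /etc/shadow)`; the "empty password field" finding is the one to act on first, since passwd -d produces exactly that state.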
id command: display the user's real and effective UID and GID and the groups the user belongs to;
id [OPTION]... [USER]
-u: display only the effective UID;
-g: display only the effective primary group ID;
-G: display only the IDs of all groups the user belongs to;
-n: display names instead of numeric IDs (combined with -u, -g or -G);
su command: switch user
Login switch: the target user's profile files are read, so the environment is re-initialized
su - USERNAME
su -l USERNAME
Non-login switch: the target user's profile files are not read; the caller's environment is kept
su USERNAME
Note: the administrator can switch to any other user without a password; a normal user must supply the target user's password;
-c 'COMMAND': run only the given command as the specified user, then return to the caller;
# su - test -c 'ls -l /etc/passwd'
Exercise 1: create a user gentoo with UID 4001, primary group gentoo, and the supplementary groups distro (GID 5000) and peguin (GID 5001);
Exercise 2: create a user fedora with the comment "Fedora Core" and /bin/tcsh as the default shell;
Exercise 3: change the gentoo user's home directory to /var/tmp/gentoo, keeping the original files accessible to the user;
Exercise 4: add the supplementary group netadmin to gentoo;
Answer 1:
# groupadd -g 5000 distro
# groupadd -g 5001 peguin
# useradd -u 4001 -G distro,peguin gentoo
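The useradd and usermod options described earlier and the four exercises above come together in this added example (not the page's own code): it assembles the commands for exercises 1 to 4 after the pre-flight checks the tools themselves enforce (a group given to -g/-G must already exist, a shell given to -s should be listed in /etc/shells) and with the flags that are easy to get wrong: -G rather than -g for supplementary groups, -a together with -G so existing groups are kept, and -m together with -d so the old home directory contents move with the user. The stand-in group and shell databases are constructed and model the state after the groupadd lines have run; nothing is executed, the plan is printed for review.

```bash
#!/usr/bin/env bash
# Added example (not the page's own code): plan the account-management commands
# for exercises 1-4 with the existence checks useradd/usermod would fail on.
# Nothing is executed; review the printed plan, then run it as root, e.g.
#   exercise_plan | sudo sh -e
# Constructed stand-ins for /etc/group and /etc/shells (assumed content, as it
# looks after the groupadd lines of the plan have run).
GROUP_DB='root:x:0:
distro:x:5000:
peguin:x:5001:
netadmin:x:5002:'
SHELLS_DB='/bin/sh
/bin/bash
/bin/tcsh'

group_exists()  { printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" '$1 == g { f = 1 } END { exit !f }'; }
shell_allowed() { printf '%s\n' "$SHELLS_DB" | grep -qx -- "$1"; }

# plan_useradd LOGIN UID SHELL COMMENT [GROUP...] -> prints the useradd command;
# empty UID/SHELL/COMMENT are skipped. The private primary group LOGIN is
# created by useradd itself, so it is not passed here.
plan_useradd() {
  local login=$1 uid=$2 shell=$3 comment=$4
  shift 4
  local cmd="useradd" groups="" g
  [ -z "$uid" ] || cmd="$cmd -u $uid"
  if [ -n "$shell" ]; then
    shell_allowed "$shell" || { echo "error: $shell is not listed in /etc/shells" >&2; return 1; }
    cmd="$cmd -s $shell"
  fi
  [ -z "$comment" ] || cmd="$cmd -c '$comment'"
  for g in "$@"; do
    group_exists "$g" || { echo "error: group $g does not exist" >&2; return 1; }
    groups="${groups:+$groups,}$g"
  done
  [ -z "$groups" ] || cmd="$cmd -G $groups"     # -G, not -g: supplementary groups
  echo "$cmd $login"
}

# plan_move_home LOGIN NEW_HOME -> -m moves the old contents, so the user keeps
# access to their files (exercise 3)
plan_move_home() { echo "usermod -m -d $2 $1"; }

# plan_add_group LOGIN GROUP -> -a with -G appends instead of replacing the
# existing supplementary groups (exercise 4)
plan_add_group() {
  group_exists "$2" || { echo "error: group $2 does not exist" >&2; return 1; }
  echo "usermod -aG $2 $1"
}

# The complete plan for exercises 1-4; groups are created first so that the
# existence checks also hold on a real host.
exercise_plan() {
  echo "groupadd -g 5000 distro"
  echo "groupadd -g 5001 peguin"
  plan_useradd gentoo 4001 "" "" distro peguin
  plan_useradd fedora "" /bin/tcsh "Fedora Core"
  plan_move_home gentoo /var/tmp/gentoo
  echo "groupadd netadmin"
  plan_add_group gentoo netadmin
}

exercise_plan
```

Without -a, `usermod -G netadmin gentoo` would silently drop gentoo's membership in distro and peguin; the planner always emits -aG for that reason.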
This article is from the "Disguised geek" blog; reproduction without permission is not allowed.
Linux users, groups, and rights management (1)