2017-11-13 Linux Basics (11): User, Group, and Rights Management

Source: Internet
Author: User
Tags: asymmetric encryption


In the previous chapters we described the basic features of bash and related facilities such as I/O redirection and pipes, followed by some related commands such as tr and tee, and then introduced here-documents. In this chapter we begin user, group and rights management, starting with users and groups.

I. Users

Linux is a multi-user, multi-tasking operating system: multiple users can log on to the system at the same time and carry out their own tasks without interfering with one another. At the time, this was an effective way of sharing host resources, because the host sat at the centre and was far too expensive for ordinary people to own, as they do today. The multi-user, multi-tasking concept was introduced to solve that problem, and from the UNIX hosts of that era to today's operating systems, servers have supported it.
So what is a user? A person does not carry the notion of a "user"; to the system, a user is a means of isolating resources. A file that Zhang San created must not be deletable by John Doe, and vice versa; the one exception is root, the superuser.
Each user logs on to the system with a user ID and a password. The user identity establishes that the user is unique, and the password verifies that the user really is that user. Once verification succeeds, the system authorizes the user, assigning the corresponding resources and permissions, and finally monitors the use of those permissions to check that the results comply with the rules. This is what we call 3A.

Authentication: certifying who the user is.
Authorization: assigning the appropriate resources and permissions.
Audit: supervising whether the results of the permissions granted comply with the rules.

II. Groups

A group is a user group, that is, a container for users. A group can hold several users, and a user can belong to more than one group. Its main role is to consolidate users' resources, so that a directory or file can be given unified permissions.

III. Types of users

Users usually fall into two categories: the administrator user and ordinary users. The administrator undoubtedly has the most privilege. Ordinary users, although their permissions are not so large, are further divided into two subclasses: system users and login users. System users are not allowed to log in; they are usually the users set up for service programs, under whose identity the program is started, and login is disallowed because such a program is likely to carry a series of security issues. Login users, by contrast, are the ones we create by hand and who can log in at a terminal.

3.1 User ID

For users, the user ID is how the system checks whether a user is unique, much like an identity card: you are called Zhang San and so is he, same name, same appearance, yet the system will not let you create two users of the same kind. What differs? The identity card number and the fingerprint. This user ID, the UserID, is what we call the UID. It is a 16-bit number, 65,536 values in all, starting from 0 and ending at 65535. 0 belongs to the administrator and the remaining 1-65535 belong to ordinary users. As we just said, ordinary users are divided into system users and login users: on CentOS 6, system users are assigned IDs from 1-499 and login users from 500 to 60000, while CentOS 7 differs: system users run from 1 to 999 and ordinary login users from 1000 to 60000.
Each user has a corresponding UID. When a user enters a user name and password, the name is resolved to the corresponding user ID number, and once resolution completes the result is returned, i.e. the login succeeds. This resolution is performed against a name resolution library, the file /etc/passwd.

IV. Categories of groups

The group category is also called the group identity, GroupID or GID. Like users, groups are divided into two categories, but there are several ways of classifying groups, which we introduce one at a time. Group category 1 is almost the same as the user classes: an administrator group and ordinary user groups. The administrator group's ID number is again 0, and ordinary user groups start from 1 and go to 65535. They are likewise divided into two kinds, system user groups and login user groups: on CentOS 6, system user groups are assigned group ID numbers 1-499 and 500-60000 goes to login user groups; on CentOS 7, system user groups have ID numbers 1-999 and login user groups 1000-60000.
Each group name has a corresponding GID. The group name (groupname) is resolved to the group ID (GID), and this too is done against a name resolution library; the group resolution library's path is /etc/group.
That was group category 1; now group category 2, which divides groups into the user's basic group and the user's additional groups. The basic group is created at the same time as the user and is also known as the user's initial group: a group can exist without users, but a user cannot exist without this group. An additional group can exist beforehand and have many users attached to it, and we can also assign such an additional group to a user as its basic group.
The last is group category 3, which again has two kinds: private groups and public groups. In a private group the group name is the same as the user name and the group can contain only that one user; a public group contains multiple users.

V. Authentication information

When we log on to the system we must enter a user name and password. If the password is wrong, we are prompted to enter it again or to exit; if it is correct, we are let into the system. The password can be understood as the user's authentication information: it is stored beforehand, and what is provided at login must match it exactly. On CentOS 5 the password was stored in /etc/passwd; on CentOS 6 and 7 the passwords in /etc/passwd are mapped into /etc/shadow.
Although a password is a kind of authentication information and provides an effective security measure, there is nothing private under the sun: a password that is not changed for a long time is easy to crack, so we should understand and use a password policy. The policy is as follows:

1. Use random passwords;
2. The shortest length is not less than 8 characters;
3. Use at least three of the four classes uppercase letters, lowercase letters, digits and punctuation characters;
4. Replace passwords regularly.

5.1 Encryption algorithm

If we open /etc/shadow on CentOS 7, using : as the delimiter, we can see that the second field is a long, irregular string of characters. This is the result of passing the password through an algorithm, which we call an encryption algorithm. The main function of the encryption algorithm is to hide the original password characters and prevent them from being stolen or tampered with. There are several types of such algorithms, namely:

Symmetric encryption: encryption and decryption use the same key;
Asymmetric encryption: encryption and decryption use a pair of keys, generated together: a public key and a private key;
One-way encryption: can only encrypt, cannot decrypt; used to extract a signature (digest) of data. Its characteristics: fixed-length output; avalanche effect: a tiny change in the raw data causes a great change in the resulting digest. Algorithms: MD5 (Message Digest, 128 bits); SHA (Secure Hash Algorithm, 160 bits); SHA224, SHA256, SHA384, SHA512. At calculation time a salt, a random number, is added.
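As an added illustration of the one-way properties just listed (fixed-length output, avalanche effect and salting), the following Python is not from the original post; it uses the standard hashlib module. The salted scheme it builds is a simplified one for demonstration, not the sha512crypt scheme that glibc's crypt(3) actually writes into /etc/shadow; the `$1$`, `$5$` and `$6$` prefixes it recognises are the real crypt(3) markers for MD5, SHA-256 and SHA-512.

```python
import hashlib
import secrets

# Digest size in bits of the algorithms named in the text.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha224": 224, "sha256": 256,
               "sha384": 384, "sha512": 512}

# Prefixes glibc crypt(3) writes into the second /etc/shadow field.
SHADOW_PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


def digest_bits(algorithm: str, data: bytes) -> str:
    """One-way function: the fixed-length digest of data, as a bit string."""
    hexdigest = hashlib.new(algorithm, data).hexdigest()
    return bin(int(hexdigest, 16))[2:].zfill(DIGEST_BITS[algorithm])


def avalanche_distance(algorithm: str, a: bytes, b: bytes) -> int:
    """How many output bits differ between hash(a) and hash(b)."""
    x, y = digest_bits(algorithm, a), digest_bits(algorithm, b)
    return sum(1 for p, q in zip(x, y) if p != q)


def salted_hash(password: str, salt: str = "", algorithm: str = "sha512") -> str:
    """Hash salt+password; a fresh random salt is drawn when none is given.
    Simplified illustration of salting, not glibc's sha512crypt."""
    if not salt:
        salt = secrets.token_hex(8)
    digest = hashlib.new(algorithm, (salt + password).encode()).hexdigest()
    return f"{algorithm}${salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, salt, _ = stored.split("$")
    return secrets.compare_digest(salted_hash(password, salt, algorithm), stored)


def shadow_algorithm(password_field: str) -> str:
    """Name the algorithm behind a /etc/shadow password field."""
    for prefix, name in SHADOW_PREFIXES.items():
        if password_field.startswith(prefix):
            return name
    if password_field.startswith(("!", "*")):
        return "locked"
    return "unknown"


if __name__ == "__main__":
    print("sha256 bits differing for a one-character change:",
          avalanche_distance("sha256", b"password1", b"password2"))
    stored = salted_hash("secret")          # constructed sample password
    print(stored, verify_password("secret", stored))
```

Two users with the same password get different stored values because the salt differs, which is the reason the salt is added; the digest still cannot be turned back into the password, only recomputed and compared.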

VI. The /etc/passwd and /etc/shadow files

Let's start with /etc/passwd, the user repository and an important file for resolving user names and UIDs into each other. Each field is separated by a colon; the format is as follows:

name:password:UID:GID:GECOS:directory:shell

That is the format of the /etc/passwd file; the fields mean the following:

name: the user name;
password: either the encrypted password or the placeholder x;
UID: the ID number of the user;
GID: the ID number of the user's primary group;
GECOS: comment information;
directory: the user's home directory;
shell: the user's default shell, the program started at login.
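The following Python is an added example, not part of the original post, that parses passwd-format lines, resolves names to UIDs and back as the login path does, and classifies UIDs using the CentOS 6 and CentOS 7 ranges given earlier. The sample lines and the `ops` account are constructed for the demonstration; the duplicate-UID audit at the end is the check an administrator runs to spot a second UID 0 account.

```python
from dataclasses import dataclass

# UID ranges as the text gives them: 0 is the administrator; the rest are
# split into system users and login users, with different cut-offs per release.
UID_RANGES = {
    "centos6": {"system": (1, 499), "login": (500, 60000)},
    "centos7": {"system": (1, 999), "login": (1000, 60000)},
}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    directory: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd-format text; every line must have exactly 7 colon fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        name, password, uid, gid, gecos, directory, shell = parts
        entries.append(PasswdEntry(name, password, int(uid), int(gid),
                                   gecos, directory, shell))
    return entries


def classify_uid(uid: int, release: str = "centos7") -> str:
    """administrator / system / login / out-of-range, per the text's ranges."""
    if uid == 0:
        return "administrator"
    for kind, (low, high) in UID_RANGES[release].items():
        if low <= uid <= high:
            return kind
    return "out-of-range"


def can_login(entry: PasswdEntry) -> bool:
    """System users are normally given a shell that refuses interactive login."""
    return entry.shell not in NOLOGIN_SHELLS


def resolve(entries, key):
    """name -> UID or UID -> name, the lookup done against /etc/passwd at login."""
    for e in entries:
        if key == e.name:
            return e.uid
        if key == e.uid:
            return e.name
    return None


def shared_uids(entries) -> dict:
    """Audit: UIDs used by more than one account (a second UID 0 is the classic case)."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


# Constructed sample, not copied from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
ops:x:0:0:ops:/root:/bin/bash
zhangsan:x:1000:1000:Zhang San:/home/zhangsan:/bin/bash
"""

if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    for u in users:
        print(f"{u.name:10} uid={u.uid:<6} {classify_uid(u.uid):14} login={can_login(u)}")
    print("UIDs shared by several accounts:", shared_uids(users))
```

Note that the same UID 500 is a login user on CentOS 6 but a system user on CentOS 7, which matters when accounts are copied between releases.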

There is also /etc/shadow, which we call the shadow file. No ordinary user has permission to view it, because it holds the users' passwords and the dates that govern them. Its fields are likewise separated by colons, with the following format:

username:encrypted password:date of last password change:minimum age:maximum age:warning period:inactivity period:expiration date:reserved field

The user name and the encrypted password we already know. The date of the last password change is the number of days from 1970 up to the day the password was last changed, counted up to now if the original password has not been changed since.
The shortest period (minimum age) is the number of days that must elapse after the last change before the password may be changed again.
The longest period (maximum age) is the number of days after the last change within which the password must be changed.
The warning period is the number of days before the end of the longest period during which the user is warned.
The inactivity period is the number of days after the maximum age has elapsed during which the password may still be changed; if it is still not changed, the account is disabled (the expiration).
So a password may be changed between the minimum and the maximum age; a warning is given before the password expires; when the maximum age is reached the password becomes inactive, but you are given a grace period in which it can still be changed; and if the grace period also passes without a change, the account is disabled.
The difference between the warning and inactivity periods is that during the warning period you are only reminded and the password still works, whereas during the inactivity period the password has expired and must be changed before the user can continue to log on.
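To make the aging arithmetic concrete, here is an added Python example (not from the original post) that parses a shadow-format line, converts the day counters into calendar dates and reports which of the periods just described a password is in on a given day. The sample line is constructed; its hash field is a placeholder, and its last-change day 17483 corresponds to 2017-11-13, the date of this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)


def days_to_date(days: int) -> date:
    """Shadow stores dates as days elapsed since 1970-01-01."""
    return EPOCH + timedelta(days=days)


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]    # day of last change; 0 forces a change at next login
    min_days: int                 # shortest period before the password may change again
    max_days: Optional[int]       # longest period after which it must be changed
    warn_days: int                # warning period before the longest period runs out
    inactive_days: Optional[int]  # grace period after expiry before the account is disabled
    expire_day: Optional[int]     # absolute day on which the account itself expires


def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    opt = lambda s: int(s) if s else None
    return ShadowEntry(parts[0], parts[1], opt(parts[2]), int(parts[3] or 0),
                       opt(parts[4]), int(parts[5] or 0), opt(parts[6]), opt(parts[7]))


def aging_calendar(e: ShadowEntry) -> dict:
    """Turn the day counters into calendar dates; None where aging is not set."""
    keys = ("changeable_from", "warn_from", "expires_on", "disabled_on")
    if e.last_change is None or e.max_days is None:
        return dict.fromkeys(keys)
    expires = e.last_change + e.max_days
    disabled = expires + e.inactive_days if e.inactive_days is not None else None
    return {
        "changeable_from": days_to_date(e.last_change + e.min_days),
        "warn_from": days_to_date(expires - e.warn_days),
        "expires_on": days_to_date(expires),
        "disabled_on": days_to_date(disabled) if disabled is not None else None,
    }


def password_status(e: ShadowEntry, today: int) -> str:
    """Which period the password is in on day `today` (days since 1970)."""
    if e.password.startswith(("!", "*")):
        return "locked"
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"
    if e.last_change == 0:
        return "must-change"
    if e.last_change is None or e.max_days is None:
        return "ok"                       # no maximum age: never expires
    expires = e.last_change + e.max_days
    if today < expires - e.warn_days:
        return "ok"
    if today < expires:
        return "warning"                  # still usable, user is reminded
    if e.inactive_days is None or today < expires + e.inactive_days:
        return "expired-grace"            # must change at login, still allowed in
    return "disabled"                     # grace period also passed


def may_change_now(e: ShadowEntry, today: int) -> bool:
    """The minimum age stops a user changing the password straight back."""
    return e.last_change is None or today >= e.last_change + e.min_days


# Constructed sample line; the hash is a placeholder, not a real digest.
SAMPLE_SHADOW = "zhangsan:$6$saltsalt$notarealhash:17483:7:90:14:30::"

if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_SHADOW)
    for key, value in aging_calendar(entry).items():
        print(f"{key:16} {value}")
    for day in (17493, 17560, 17573, 17603):
        print(days_to_date(day), password_status(entry, day))
```

The values 7, 90, 14 and 30 in the sample give a password that can be changed from a week after it was set, must be changed within 90 days, warns for the last two weeks, and locks the account 30 days after expiry if it is still not changed.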

VII. The /etc/group file

The /etc/group file is the repository of user groups, used to resolve which groups a user belongs to. Its fields are separated by colons, as in the following example:

Group_name:password:GID:user_list

The first three fields are self-explanatory, and user_list is just as simple: it is the list of users for whom this group is an additional group.
That covers the concepts of users and groups and their related files. In the following chapters we will cover the user and group management commands, for example:
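The following Python is an added example, not part of the original post, showing how the group file and the passwd GID together answer "which groups does this user belong to": the basic group comes from the user's GID in /etc/passwd, the additional groups from the user_list field of /etc/group. It also checks the private-group shape from group category 3 and lists membership of privileged groups, the check an administrator runs on wheel. The sample group lines are constructed, and the primary GID is passed in rather than read from a passwd file.

```python
from dataclasses import dataclass


@dataclass
class GroupEntry:
    name: str
    password: str
    gid: int
    members: list   # user_list: users for whom this is an additional group


def parse_group(text: str) -> list:
    """Parse group-format text; every line must have exactly 4 colon fields."""
    groups = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        name, password, gid, user_list = parts
        members = [u for u in user_list.split(",") if u]
        groups.append(GroupEntry(name, password, int(gid), members))
    return groups


def groups_of(user: str, primary_gid: int, groups) -> list:
    """Basic group (from the passwd GID) first, then additional groups (user_list)."""
    primary = [g.name for g in groups if g.gid == primary_gid]
    additional = [g.name for g in groups
                  if user in g.members and g.gid != primary_gid]
    return primary + additional


def is_private_group(group: GroupEntry, user: str) -> bool:
    """Category 3 private group: same name as the user and holding no one else."""
    return group.name == user and all(m == user for m in group.members)


def members_of_privileged_groups(groups, privileged=("wheel", "root")) -> dict:
    """Audit: who holds an additional membership in a privileged group."""
    return {g.name: list(g.members) for g in groups if g.name in privileged}


# Constructed sample, not copied from any real system.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:zhangsan
apache:x:48:
zhangsan:x:1000:
developers:x:1001:zhangsan,lisi
"""

if __name__ == "__main__":
    groups = parse_group(SAMPLE_GROUP)
    # zhangsan's primary GID 1000 would come from the passwd entry in practice.
    print("zhangsan:", groups_of("zhangsan", 1000, groups))
    print("privileged:", members_of_privileged_groups(groups))
```

Because the basic group is recorded only in /etc/passwd, a user never appears in their own group's user_list; that is why the group named after a user normally has an empty fourth field, the private-group shape described in category 3.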

useradd, userdel, usermod, passwd, groupadd, groupdel, groupmod, gpasswd, chage, chsh, id, su

This article is from the "Scorpio" blog; please contact the author before reproducing it.
