Analysis of Linux users, groups and rights management

Source: Internet
Author: User

I. Users and Groups

1. User

Accounts are what the system authenticates (Authentication), authorizes (Authorization) and audits (Audit). A person enters the system by logging in as a user; every process or program the operating system then runs on that user's behalf carries that user's permissions. In other words, a user can be seen as the set of permissions with which system resources can be obtained.


2. Classification of users

Linux users fall into 2 categories: the administrator and ordinary users.

Administrator: root, the user with the greatest privileges, able to use any resource of the system. Its UID is 0.

Ordinary users: these are further divided into 2 categories, system users and login users.

System users: accounts that exist so that the basic services started by the system can run under a non-root identity; they generally cannot log in (their shell is /sbin/nologin or similar). Note that a few system users are allowed to log in so that important programs can run. Their UIDs are 1-499 (CentOS 6) or 1-999 (CentOS 7+).

Login users: ordinary people's accounts, used to log in and work on the system. Their UIDs are 500-60000 (CentOS 6) or 1000-60000 (CentOS 7+), as set by UID_MIN and UID_MAX in /etc/login.defs.


3. Group

A group is a collection (container) of users; members of a group inherit the permissions the group has on system resources.


4. Classification of groups

Groups can be categorized in 3 ways.

Group category 1:

Administrator group: the root group, the most privileged group, with GID 0

Ordinary groups:

System groups: groups for system users, with GIDs 1-499 (CentOS 6) or 1-999 (CentOS 7+)

Login groups: groups for login users, with GIDs 500-60000 (CentOS 6) or 1000-60000 (CentOS 7+)


Group category 2:

Primary group (basic group): the group recorded in the GID field of the user's /etc/passwd entry. By default it is created with the same name as the user when the user is created. Every user has exactly one.

Supplementary (additional) groups: any groups the user belongs to beyond the primary group; a user can have several, and membership is recorded in /etc/group.


Group category 3 (in practice another way of naming the two kinds above):

Private groups: a group with the same name as a single user, created for that user alone (the "user private group" scheme).

Public groups: groups shared by several users.

5. Password

Passwords are the credentials a user needs in order to log in to the system or to switch groups. They are stored in /etc/shadow (user passwords) and /etc/gshadow (group passwords), both readable only by root.

It is recommended to use a random password of at least 8 characters that mixes at least 3 of the 4 character classes (uppercase letters, lowercase letters, digits, punctuation), and to change it regularly.

Linux does not store the password itself but a salted one-way hash of it; the hash cannot be reversed, and a login is verified by hashing the supplied password with the same salt and comparing the result. The digest algorithms available on a typical system are md5, sha1, sha224, sha256, sha384 and sha512. The scheme actually used for a given /etc/shadow entry is recorded in the $id$ prefix of the password field ($1$ for MD5, $5$ for SHA-256, $6$ for SHA-512), and the default for new passwords is set by ENCRYPT_METHOD in /etc/login.defs; MD5 should be considered legacy.


6./etc/passwd,/etc/shadow,/etc/group,/etc/gshadow, documents

UID and GID: the kernel identifies users and groups only by number, never by name. Historically UIDs and GIDs were stored in 16 bits, giving the range 0-65535; since Linux 2.4 they are 32-bit, so the full range is 0-4294967295, although distributions still allocate new accounts below 60000 by default. The mapping between names and numbers is resolved through the configuration files /etc/passwd and /etc/group (and, via NSS, through other name services).


(1) /etc/passwd: the user database

The format is:

name:passwd:uid:gid:gecos:directory:shell

name: user name

passwd: password field; historically the hash itself, today normally the placeholder x, meaning the hash is kept in /etc/shadow

uid: user ID number

gid: ID number of the user's primary group

gecos: comment information (full name, contact details)

directory: the user's home directory

shell: the user's login shell, the program started when the user logs in


(2) /etc/shadow: the user password vault (readable only by root)

The format is:

login name : encrypted password : date of last password change (days since 1970-01-01) : minimum password age (days) : maximum password age (days) : password warning period (days) : password inactivity period (days after expiry before the account is disabled) : account expiration date (days since 1970-01-01) : reserved field

An empty password field means the account can log in without a password; a field beginning with ! or * means the password is locked.


(3) /etc/group: the group database

The format is:

group_name:password:GID:user_list

group_name: group name

password: group password (used when a user who is not a member joins the group with the newgrp command); normally x, meaning the hash is kept in /etc/gshadow

GID: group ID number

user_list: the members of the group, that is, the users for whom this group is a supplementary group (comma-separated); users whose primary group this is are not listed here


(4) /etc/gshadow: the password vault for groups

The format is:

group_name:encrypted_password:administrators:members
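The points made in sections 2, 5 and 6 (UID classes, hash schemes, the passwd and shadow record layouts) are the basis of a routine account audit. The script below is an added example, not code from the original page: it parses records in the two formats described above and reports the conditions a reviewer looks for first (a second UID 0 account, shared UIDs, system users with an interactive shell, empty or MD5 password hashes, passwords that never expire). The sample records are constructed, the hash strings are placeholders with the right $id$ prefix rather than real credentials, and the UID boundaries assume the CentOS 7+ defaults quoted in the text.

```python
"""Audit /etc/passwd and /etc/shadow style records.

Added example, not code from the original page. The records below are
constructed; the hashes are placeholders with the correct $id$ prefix.
UID boundaries follow the CentOS 7+ defaults given in the text; check
UID_MIN/UID_MAX in /etc/login.defs on a real host.
"""
from dataclasses import dataclass

SYS_UID_MAX = 999    # last system UID (UID_MIN - 1); 499 on CentOS 6
UID_MAX = 60000      # default UID_MAX in /etc/login.defs
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# crypt(3) scheme identifiers that appear as $id$ in the shadow password field
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt",
            "2a": "bcrypt", "2b": "bcrypt"}
WEAK_HASHES = {"md5", "des"}


def classify_uid(uid: int) -> str:
    """Map a UID onto the classes in the text: root, system, login."""
    if uid == 0:
        return "root"
    if 1 <= uid <= SYS_UID_MAX:
        return "system"
    if SYS_UID_MAX < uid <= UID_MAX:
        return "login"
    return "outside-ranges"   # e.g. nobody (65534)


def describe_hash(field: str) -> str:
    """Classify the shadow password field: empty, locked, a $id$ scheme, or DES."""
    if field == "":
        return "empty"                     # login succeeds with no password at all
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        return HASH_IDS.get(field.split("$")[1], "unknown")
    return "des"                           # 13-char legacy crypt, no $id$ prefix


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse name:passwd:uid:gid:gecos:directory:shell records."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, gecos, home, shell = line.split(":")
            entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> list:
    """Findings: extra UID-0 accounts, shared UIDs, system users with shells."""
    findings, first_owner = [], {}
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not root")
        if e.uid in first_owner:
            findings.append(f"{e.name}: shares UID {e.uid} with {first_owner[e.uid]}")
        first_owner.setdefault(e.uid, e.name)
        if classify_uid(e.uid) == "system" and e.shell not in NOLOGIN_SHELLS:
            findings.append(f"{e.name}: system user with login shell {e.shell}")
    return findings


def audit_shadow(text: str) -> list:
    """Findings: empty or weak hashes, no maximum age, forced change pending."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg, _min, max_age, _warn, _inact, _expire, _rsvd = line.split(":")
        kind = describe_hash(pw)
        if kind == "empty" or kind in WEAK_HASHES:
            findings.append(f"{name}: password hash is {kind}")
        if kind != "locked" and max_age in ("", "99999"):
            findings.append(f"{name}: password never expires")
        if lastchg == "0":
            findings.append(f"{name}: must change password at next login")
    return findings


# Constructed sample data (not taken from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1001:1001::/home/carol:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASH:18000:0:99999:7:::
alice:$1$abcdefgh$FAKEHASH:18000:0:99999:7:::
bob::18000:0:90:7:::
carol:!!:18000:0:90:7:::
guest:$6$saltsalt$FAKEHASHFAKEHASH:0:0:90:7:::
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print(finding)
```

On a real host, feed the script the contents of /etc/passwd and /etc/shadow (the latter needs root). The "toor" entry is the classic backdoor pattern: a second name with UID 0 is indistinguishable from root to the kernel, which is why the check is on the number, not the name.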



7. Related commands


(1) useradd: add a user

Format: useradd [options] LOGIN

-u, --uid UID: specify the UID

-g, --gid GROUP: specify the primary group (name or GID), which must already exist

-c, --comment COMMENT: specify the comment (GECOS) information

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: specify the supplementary groups the user belongs to, separated by commas

-d, --home HOME_DIR: specify the path of the user's home directory; it is created by copying /etc/skel and renaming the copy. If the given path already exists, the environment profile files are not copied for the user

-s, --shell SHELL: specify the user's login shell; the list of permitted shells is kept in /etc/shells

-r, --system: create a system user (UID taken from the system range, no home directory by default)

-M: do not create the user's home directory

Note: most defaults used when creating a user come from /etc/login.defs and /etc/default/useradd

useradd -D: display the default settings for new users

useradd -D OPTIONS: change the default values (for example useradd -D -s /bin/bash)

The modified defaults are saved in the /etc/default/useradd file

(2) usermod: modify user attributes

Format: usermod [options] LOGIN

-u, --uid UID: change the UID

-g, --gid GROUP: change the user's primary group, which must exist

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: replace the user's supplementary groups; the original list is overwritten

-a, --append: used together with -G to append to the existing supplementary groups instead of overwriting them

-c, --comment COMMENT: change the comment information

-d, --home HOME_DIR: change the user's home directory

-m, --move-home: can only be used together with -d; moves the contents of the old home directory to the new one

-s, --shell SHELL: change the user's login shell

-l, --login NEW_LOGIN: change the user name

-L, --lock: lock the user's password by prefixing the hash in /etc/shadow with '!'

-U, --unlock: unlock the user's password (remove the '!')


(3) userdel: delete a user

Format: userdel [options] LOGIN

-r: also remove the user's home directory and mail spool


(4) groupadd: add a group

Format: groupadd [options] GROUP

-g GID: specify the GID; by default the next free GID above the highest existing one is used

-r: create a system group (GID taken from the system range)


(5) groupmod: modify group attributes

Format: groupmod [options] GROUP

-g GID: change the GID

-n NEW_NAME: change the group name


(6) groupdel: delete a group

Format: groupdel GROUP


(7) passwd: change a user's password

Format: passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [USERNAME]

1. passwd: change the current user's own password

2. passwd USERNAME: change the password of the specified user; only root may do this

-l, -u: lock, unlock the user's password

-d: delete the user's password (the account can then log in without one; avoid this)

-e: expire the password immediately, forcing a change at the next login

-i DAYS: inactivity period

-n DAYS: minimum age

-x DAYS: maximum age

-w DAYS: warning period

-S: show the password status of the account

--stdin: read the new password from standard input, e.g. echo "PASSWORD" | passwd --stdin USERNAME (Red Hat family only; typed interactively, the password ends up in the shell history)


(8) gpasswd: administer /etc/group and /etc/gshadow

Format: gpasswd [options] GROUP

gpasswd GROUP: set the group password (used by newgrp)

-a USERNAME: add a user to the group

-d USERNAME: remove a user from the group

-A USERNAME: set the group administrators, who may then add and remove members


(9) newgrp: temporarily make the specified group the current primary group (files created afterwards belong to that group); a user who is not a member must know the group password

Format: newgrp [-] [GROUP]

-: re-initialize the environment as if the user had logged in again


(10) id: display the user's real and effective IDs

Format: id [OPTION]... [USER]

-u: print only the effective UID

-g: print only the effective GID (the primary group)

-G: print only the IDs of all groups the user belongs to

-n: print names instead of numbers (with -u, -g or -G)

-r: print the real ID instead of the effective one (with -u or -g)


(11) su: switch user

Login switch: the target user's profile files are read and the environment is re-initialized:

su - USERNAME

su -l USERNAME

Non-login switch: the target user's profile files are not read; the current environment is kept:

su USERNAME

Common usage: -c 'COMMAND': run only the given command as the specified user, without starting an interactive shell


II. Rights Management

1. Permissions


As mentioned earlier, users log in and act on the system by running processes. For security reasons, not every user may run the same programs or touch important system processes and data, so access has to be managed. At the same time, one of the principles of Linux is that everything is a file, so permission management is essentially management of access rights to files.

A process is granted access to a file according to the following model (the decision is made against the process's effective UID and its group set):

If the effective UID of the process equals the owner (UID) of the file, the owner permissions apply.

Otherwise, if the process belongs to the group that owns the file (its effective GID or one of its supplementary groups), the group permissions apply.

Otherwise, the other permissions apply.

Only one of the three classes is ever consulted: an owner whose owner bits grant nothing is denied even if the other bits would allow access.


2. Combination of permissions

Permissions are displayed as: rwxrwxrwx

First three: permissions of the owner (user)

Middle three: permissions of the owning group

Last three: permissions of other users

Each triplet converts to one octal digit (r=4, w=2, x=1):

--- 0

--x 1

-w- 2

-wx 3

r-- 4

r-x 5

rw- 6

rwx 7
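The access model from section 1 and the rwx/octal correspondence above, as an added example that is not part of the original page. It converts between the ls -l form and the octal mode and then applies the owner-then-group-then-other decision exactly once per request; the identities (alice 1000, bob 1001, carol 1002, group staff 50) are constructed. Only the nine rwx bits are modelled: setuid/setgid/sticky bits, POSIX ACLs, capabilities and SELinux are outside it. The root special case follows the kernel's CAP_DAC_OVERRIDE behaviour, which is a fact about Linux rather than something the text states: read and write are always granted to UID 0, execute only when at least one x bit is set.

```python
"""Discretionary access check for a regular file: owner, then group, then other.

Added example, not from the original page. Nine rwx bits only; root follows
the CAP_DAC_OVERRIDE rule (r/w always, x only if some x bit is set).
"""
R, W, X = 4, 2, 1


def parse_symbolic(perms: str) -> int:
    """'rwxr-xr-x' -> 0o755 (the ls -l form, nine characters)."""
    if len(perms) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "rwx"[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def format_symbolic(mode: int) -> str:
    """0o640 -> 'rw-r-----'."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def permission_class(file_uid: int, file_gid: int, proc_uid: int, proc_gids) -> str:
    """Pick the single class whose bits will be consulted."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"


def can_access(mode: int, file_uid: int, file_gid: int,
               proc_uid: int, proc_gids, want: int) -> bool:
    """True if every bit in `want` (a combination of R, W, X) is granted."""
    if proc_uid == 0:
        # root bypasses r/w checks; execute still needs an x bit somewhere
        return not (want & X) or bool(mode & 0o111)
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    granted = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 0o7
    return (granted & want) == want


if __name__ == "__main__":
    staff = 50                                   # constructed group ID
    report = parse_symbolic("rw-r-----")         # 0o640, owned by alice:staff
    print(format_symbolic(report), oct(report))
    print("alice writes:", can_access(report, 1000, staff, 1000, {1000}, W))
    print("bob reads:   ", can_access(report, 1000, staff, 1001, {1001, staff}, R))
    print("bob writes:  ", can_access(report, 1000, staff, 1001, {1001, staff}, W))
    print("carol reads: ", can_access(report, 1000, staff, 1002, {1002}, R))
    # The owner class is final: 0o077 shuts the owner out while others get in
    odd = parse_symbolic("---rwxrwx")
    print("alice reads 077 file:", can_access(odd, 1000, staff, 1000, {1000}, R))
    print("carol reads 077 file:", can_access(odd, 1000, staff, 1002, {1002}, R))
    print("root executes 000 file:", can_access(0, 1000, staff, 0, {0}, X))
```

The 0o077 case is the one people get wrong when reasoning about "more permissive" other bits: the kernel never falls through to a later class, so a misconfigured owner triplet locks the owner out while granting everyone else.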


3. Permissions for files

Take /etc/passwd as an example; run ll /etc/passwd (ll is an alias for ls -l on RHEL-family systems):
-rw-r--r--. 1 root root 1801 December 10:36 /etc/passwd


r: readable, the data in the file can be read

w: writable, the data in the file can be modified

x: executable, the file can be started as a process


4. Permissions for directories

Take /etc/rc.d as an example; run ll -d /etc/rc.d

drwxr-xr-x. root root 4096 March 6 2015 /etc/rc.d/


r: readable, the names of the entries in the directory can be listed with ls

w: writable, the list of entries can be modified, that is, files can be created, deleted or renamed in the directory (this also requires x on the directory)

x: executable (search), the directory can be entered with cd and its entries can be accessed by name; because ls -l has to look up each entry to print its attributes, it needs x as well as r


5. Related Commands


(1) chmod: change file permissions

Format: chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...

chmod [OPTION]... --reference=RFILE FILE...

Shorthand for the classes of users: u: owner, g: group, o: other, a: all three

1. chmod [OPTION]... MODE[,MODE]... FILE...

Symbolic mode notation:

Assignment notation: set exactly the given permissions for a class of users, replacing whatever it had

u=

g=

o=

a=

Add/remove notation: add or take away individual permissions, leaving the rest unchanged

u+,u-

g+,g-

o+,o-

a+,a-

Several modes are separated by commas, e.g. chmod u=rwx,g+x,o-rwx FILE

2. chmod [OPTION]... OCTAL-MODE FILE...

(each octal digit is 0-7, e.g. chmod 644 FILE)

3. chmod [OPTION]... --reference=RFILE FILE...

(copy the mode of RFILE onto FILE)

Options:

-R, --recursive: change recursively (usually combined with the add/remove notation, so that files and directories keep their differing x bits)
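The symbolic and octal modes above, as an added example that is neither the page's nor coreutils' code: a small interpreter for chmod mode strings that shows what each clause does to a mode value without touching a file. It implements the [ugoa]*[-+=][rwx]* clauses and plain octal modes; the one subtlety it reproduces is that a clause with no class letter (e.g. chmod +w) acts on all classes except the bits set in the umask, which is why +w on a 022 umask gives only the owner write access. Not supported: the special bits s and t, the X qualifier, and copy forms such as g=u.

```python
"""Apply chmod(1) symbolic modes such as 'u=rw,g+x,o-rwx' to a mode value.

Added example, not code from the page or from coreutils. Nine permission
bits only; clauses without a class letter act on all classes minus the
umask bits, as GNU chmod does.
"""
import re

CLASS_MASKS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_MASKS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE = re.compile(r"^([ugoa]*)([-+=])([rwx]*)$")


def apply_chmod(mode: int, spec: str, umask: int = 0o022) -> int:
    """Return the mode that `chmod spec FILE` would leave on a file with `mode`."""
    if re.fullmatch(r"[0-7]{1,4}", spec):
        return int(spec, 8) & 0o777               # octal form, e.g. "644"
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad mode clause {clause!r}")
        who, op, perms = m.groups()
        perm_bits = 0
        for p in perms:
            perm_bits |= PERM_MASKS[p]
        if who:
            who_mask = 0
            for c in who:
                who_mask |= CLASS_MASKS[c]
        else:
            who_mask = 0o777 & ~umask             # no class given: all, minus umask
        bits = perm_bits & who_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        elif who:
            mode = (mode & ~who_mask) | bits      # '=': replace the named classes
        else:
            mode = bits                           # '=' with no class clears everything
    return mode & 0o777


if __name__ == "__main__":
    for start, spec in [(0o644, "u=rwx,g+x,o-rwx"), (0o777, "go-w"),
                        (0o600, "a+r"), (0o000, "+w"), (0o777, "=rw"), (0o777, "640")]:
        print(f"chmod {spec:16} on {start:04o} -> {apply_chmod(start, spec):04o}")
```

Compare the +w line with a+w: with the default 022 umask the former yields 0200 and the latter 0222, which is the usual source of "why is the group still not writable" confusion.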


(2) chown: change the owner and group

Format: chown [OPTION]... [OWNER][:[GROUP]] FILE... (a '.' may be used in place of ':')

chown [OPTION]... --reference=RFILE FILE...

Options:

-R: change recursively

(3) chgrp: change the group

Format: chgrp [OPTION]... GROUP FILE...

chgrp [OPTION]... --reference=RFILE FILE...



(4) umask: the file mode creation mask, i.e. the permission bits that are removed from newly created files and directories

Files:

666 minus umask

Directories:

777 minus umask

Note: files start from 666 rather than 777 because a new file never receives execute permission by default. The "subtraction" is really a bitwise operation (mode & ~umask), so when it is done digit by digit it goes wrong wherever a umask digit would remove an x bit the file digit never had: if a resulting digit is odd, add 1 to it (e.g. umask 023 gives 644, not 643). The fix-up is only needed for files.

Format: umask: show the current umask

umask MASK: set the umask

Note: a umask set this way applies only to the current shell process and its children; put it in a profile file to make it persistent
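The umask rule and its odd-digit fix-up, as an added example that is not part of the original page. It computes the default mode the way the kernel does, next to the digit-by-digit subtraction people do by hand, and checks the "add 1 to an odd digit" rule against every possible umask, for files (where it holds) and directories (where it must not be applied).

```python
"""Default permissions under a umask: a bitwise mask, not decimal subtraction.

Added example, not from the original page. Compares the kernel's
mode & ~umask with hand subtraction and the text's odd-digit fix-up.
"""
FILE_BASE, DIR_BASE = 0o666, 0o777


def default_mode(base: int, umask: int) -> int:
    """Mode a new file (base 666) or directory (base 777) actually gets."""
    return base & ~umask & 0o777


def digits(mode: int) -> list:
    """0o644 -> [6, 4, 4]."""
    return [(mode >> s) & 7 for s in (6, 3, 0)]


def from_digits(d: list) -> int:
    return (d[0] << 6) | (d[1] << 3) | d[2]


def naive_subtraction(base: int, umask: int) -> int:
    """Per-digit subtraction, clamped at 0, as done by hand."""
    return from_digits([max(b - u, 0) for b, u in zip(digits(base), digits(umask))])


def subtraction_with_odd_fix(base: int, umask: int) -> int:
    """The text's rule for files: subtract, then add 1 to any odd digit."""
    return from_digits([d + 1 if d % 2 else d
                        for d in digits(naive_subtraction(base, umask))])


def disagreements(base: int) -> list:
    """umask values for which plain subtraction gives the wrong answer."""
    return [u for u in range(0o1000)
            if naive_subtraction(base, u) != default_mode(base, u)]


if __name__ == "__main__":
    for umask in (0o022, 0o023, 0o027, 0o077):
        print(f"umask {umask:03o}: file {default_mode(FILE_BASE, umask):03o} "
              f"(hand {naive_subtraction(FILE_BASE, umask):03o}, "
              f"fixed {subtraction_with_odd_fix(FILE_BASE, umask):03o}), "
              f"dir {default_mode(DIR_BASE, umask):03o}")
    print("umasks where hand subtraction is wrong for files:",
          len(disagreements(FILE_BASE)), "of 512")
    print("umasks where hand subtraction is wrong for dirs:",
          len(disagreements(DIR_BASE)))
```

Subtraction is wrong for a file whenever any umask digit is 1, 3 or 5 (387 of the 512 possible masks); for directories the 7 in every position has all three bits, so subtraction and the mask agree, and applying the odd-digit fix-up there would corrupt the result.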





Reference: http://linuxme.blog.51cto.com/1850814/347086/

This article is from the "give me a piece of two-foil" blog, please be sure to keep this source http://theneverland.blog.51cto.com/10714090/1722615

