Brother Bird's Linux Private Kitchen (7): Chapter 14, Linux account management and ACL permission settings


1. User identifiers: UID and GID

/etc/passwd structure: one line per account on the system; each line is split by ":" into 7 fields:
  1. Account name
  2. Password: in early Unix the password hash lived here; it has since moved to /etc/shadow and this field now holds "x"
  3. UID: 0 is the system administrator; 1-499 are system accounts; 500-65535 are general users
  4. GID: the initial user group, see /etc/group
  5. User information (description): finger reads a lot of its output from this field
  6. Home folder
  7. Shell: the shell the user gets after logging into the system
/etc/shadow structure: 9 fields
  1. Account name
  2. Password (hashed)
  3. Date of the most recent password change, counted in days since 1970/1/1. To see the day number of a date:
       echo $(( $(date --date="2008/09/04" +%s) / 86400 + 1 ))
  4. Minimum days: the password may not be changed again within this many days
  5. Maximum days: the password must be changed within this many days after it was set
  6. Days before the deadline on which the expiry warning is shown
  7. Grace period after the password expires (password inactivity period)
  8. Account expiration date
  9. Reserved

Recovering a forgotten root password: reboot into single-user (maintenance) mode, where the system gives a root bash shell without asking for the password; or boot a live CD, mount the root filesystem, edit /etc/shadow and empty the root password field.

2. Effective and initial user groups: groups, newgrp

/etc/group structure: 4 fields
  1. User group name
  2. User group password: used by group administrators; the real password has moved to /etc/gshadow and this field now holds "x"
  3. GID
  4. Users that this group supports; to add a user to the group, append the account name in this field

Initial group: the GID in the fourth field of /etc/passwd is the user's initial user group.
When a user belongs to several groups, the group of a newly created file is decided by the effective group.
groups: lists the groups the user belongs to; the first group printed is the effective group.
newgrp: switches the effective group; the target must be a group the user already belongs to. newgrp provides this by starting a new shell with the new effective group, so use exit to return to the original shell and environment.
/etc/gshadow structure: 4 fields
  1. User group name
  2. Password: a leading "!" means there is no valid password, so the group has no administrator
  3. Group administrator accounts
  4. Member accounts of the group: the same as in /etc/group
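To make the field layout of sections 1 and 2 concrete, here is an added POSIX shell example (not part of Brother Bird's notes) that decodes a constructed /etc/passwd and /etc/shadow record: it classifies the UID with the ranges the notes give, turns the day count in shadow field 3 back into a date, and evaluates the password and account ageing fields. The account name, hash and day values are constructed; the only external tool assumed is a `date` that understands `-d @seconds` (GNU or busybox). The date conversion is pinned to UTC, so the `+1` in the notes' one-liner is not needed here (the notes' `+1` compensates for a time zone east of UTC, where local midnight falls on the previous UTC day).

```shell
#!/bin/sh
# Added example, not from the original notes: decode one /etc/shadow record
# and the passwd UID ranges the notes describe. Both sample lines are
# constructed for this example; "vbird1" and its hash are not real.
SAMPLE_PASSWD='vbird1:x:500:500:VBird test account:/home/vbird1:/bin/bash'
SAMPLE_SHADOW='vbird1:$6$fakesalt$FAKEHASHFORTHISEXAMPLE:14126:0:99999:7:5:14500:'

# Field N (1-based, the numbering the notes use) of a colon-separated record.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# UID class from the ranges in the notes: 0 admin, 1-499 system, 500+ regular.
uid_class() {
    if [ "$1" -eq 0 ]; then echo administrator
    elif [ "$1" -lt 500 ]; then echo system
    else echo regular
    fi
}

# shadow field 3 stores days since 1970/1/1; turn it back into a date (UTC).
day_to_date() { date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d; }

# Reverse direction: the notes' seconds/86400 trick, pinned to UTC so the
# result does not shift by one day with the machine's time zone.
date_to_day() { echo $(( $(TZ=UTC date -d "$1" +%s) / 86400 )); }

# Password state from field 2: empty means no password at all,
# a leading "!" or "*" means the password is locked.
password_state() {
    case "$(field "$1" 2)" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo set ;;
    esac
}

# Day by which the password must be changed: last change (3) + max days (5).
password_deadline() { echo $(( $(field "$1" 3) + $(field "$1" 5) )); }

# Has the account itself expired on day $2? An empty field 8 means never.
account_expired_on() {
    exp=$(field "$1" 8)
    if [ -z "$exp" ] || [ "$2" -lt "$exp" ]; then echo no; else echo yes; fi
}

# Stand-alone run: print a human-readable summary of the sample record.
echo "account:    $(field "$SAMPLE_SHADOW" 1) (UID $(field "$SAMPLE_PASSWD" 3), $(uid_class "$(field "$SAMPLE_PASSWD" 3)"))"
echo "password:   $(password_state "$SAMPLE_SHADOW"), last changed $(day_to_date "$(field "$SAMPLE_SHADOW" 3)")"
echo "must change by day $(password_deadline "$SAMPLE_SHADOW"), account expires $(day_to_date "$(field "$SAMPLE_SHADOW" 8)")"
```

Run it as `sh decode_shadow.sh`; to inspect a real record, replace the two sample strings with `grep '^name:' /etc/passwd` and, as root, `grep '^name:' /etc/shadow` (the shadow file is not world-readable, which is the whole point of the shadow design).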
3. Adding and deleting users: useradd

useradd [-u UID] [-g initial group] [-G secondary groups] [-mM] [-c info] [-d homedir] [-s shell] username
  -e: a date in yyyy-mm-dd format, written to the 8th field of shadow (account expiration date)
  -f: written to the 7th field of shadow; whether the password expires: 0 makes it expire immediately, -1 means it never expires
Files created or modified: /etc/passwd, /etc/shadow, /etc/group, and a home folder with the same name as the account.
If a user group is specified when the user is created, no group with the same name as the account is created in /etc/group.

useradd reference files:
  useradd -D lists the useradd defaults; these values come from /etc/default/useradd:
    GROUP=100: new accounts use GID 100 as their initial user group
      Private group mechanism: the system creates a group with the same name as the account and uses it as the initial group.
      Public group mechanism: GID 100 is the initial group of every new account.
    HOME=/home: base directory for home folders
    INACTIVE=-1: password inactivity value, shadow 7th field
    EXPIRE=: account expiration date, shadow 8th field
    SHELL=/bin/bash
    SKEL=/etc/skel: template for the home folder; everything in /etc/skel, including .bashrc, is copied into the new home folder
    CREATE_MAIL_SPOOL=yes: also create a mailbox for the user
  The UID/GID and password parameters come from /etc/login.defs: the mailbox directory; the contents of shadow fields 4, 5 and 6; the UID/GID ranges; whether a home folder is created; settings for user deletion and passwords.
So when you create a user with useradd, the system consults /etc/default/useradd, /etc/login.defs and /etc/skel/*.
4. passwd: setting a password
  A newly created user has no password and is blocked from logging in until one is set.
    echo "AFDFGDGF" | passwd --stdin vbird1
    passwd [-l] [-u] [--stdin] [-S] [-n days] [-x days] [-w days] [-i days] account   # options for root
      -l: lock; prepends "!" to the second column of shadow so the password becomes invalid
      -u: unlock, the opposite of -l
      -S: list the password-related parameters, i.e. most of the shadow contents
      -n: shadow 4th field, how many days the password cannot be changed
      -x: shadow 5th field, how many days until the password must be changed
      -w: shadow 6th field, how many days before expiry the warning starts
      -i: shadow 7th field, grace period after the password expires
  passwd without an account name changes your own password; with an account name it changes someone else's.

5. chage: shows and edits the detailed password parameters
  chage [-ldEImMW] account
    -l: list the account's password parameters in detail
    -d: shadow 3rd field, date of the last password change; set to 0 to force the user to change the password
    -E: shadow 8th field, account expiration date; set to 0 and the account can no longer be used
    -I: shadow 7th field, password inactivity period
    -m: shadow 4th field, minimum password age in days
    -M: shadow 5th field, how long until the password must be changed
    -W: shadow 6th field, password warning days

usermod: fine-tune account information
  usermod [-cdegGlsuLU] username
    -c: /etc/passwd 5th column, the description field
    -d: /etc/passwd 6th column, the home folder
    -e: /etc/shadow 8th field, account expiration date
    -f: /etc/shadow 7th field, password inactivity period
    -g: /etc/passwd 4th field, the initial GID
    -G: secondary user groups, from the group file
    -l: change the account name, /etc/passwd 1st column
    -s: the actual file of the login shell
    -u: /etc/passwd 3rd column, the UID
    -L: freeze the password by prepending "!" to the shadow password column
    -U: remove the "!" in front of the password

userdel: delete an account
  Deletes the user's data from /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, and /home/username and /var/spool/mail/username
  userdel [-r] username
    -r: also delete the user's home folder

6. User utilities
  finger: shows user information, mostly from /etc/passwd
    finger [-s] username
      -s: list only the account, full name, terminal and login time
      -m: list only the account whose name exactly matches the one given
  chfn: change the finger information
    -f: full name
    -o: office room number
    -p: office phone
    -h: home phone
  chsh: change shell
    -l: list the shells available on the system
    -s: change your own shell
  chfn and chsh carry the SUID bit so that ordinary users can run them.
  id: query UID/GID information about someone or yourself
    id username

7. Adding and deleting user groups
  groupadd [-g GID] [-r] groupname
    -g: the GID to assign
    -r: create a system user group; its GID comes from GID_MIN in /etc/login.defs
    Adds data to /etc/group and /etc/gshadow
  groupmod: similar to usermod
    -g: change the GID number (better not to change GIDs)
    -n: rename an existing group
  groupdel: delete a user group
  gpasswd: group administrator functions
    gpasswd groupname
    gpasswd [-A user1,...] [-M user2,...] groupname
    gpasswd [-rR] groupname
      -A: hand control of the group to the listed users
      -M: add the listed accounts to the group
      -r: remove the group's password
      -R: make the group's password column expire
    gpasswd [-ad] user groupname
      -a: add a user to groupname
      -d: remove a user from groupname
  chgrp: change a file's group

8. Host-specific permissions: ACL (access control list)
  ACLs depend on filesystem support; the vast majority of filesystems support them.
    dumpe2fs -h /dev/hda2    see whether acl is enabled in the superblock
    mount -o remount,acl /   enable acl
    To enable ACL permanently, edit /etc/fstab and add the acl option:
      LABEL=/1   /   ext3   defaults,acl
  ACL setup: getfacl, setfacl
    setfacl [-bkRd] [{-m|-x} acl parameters] filename
      -m: set the following ACL parameters; cannot be combined with -x
      -x: remove the following ACL parameters; cannot be combined with -m
      -b: remove all ACL settings
      -k: delete the default ACL parameters
      -R: set the ACL recursively
      -d: set the default ACL parameters; only valid for directories, and data created in the directory inherits this default
    setfacl -m u:vbird1:rx acl_test1    # give user vbird1 rx permission on acl_test1
    setfacl -m u::rwx acl_test1         # no user name means the owner of the file
    setfacl -m g::rwx acl_test1         # no group name means the user group of the file
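When auditing who can reach a file, the entries added with `setfacl -m u:name:perm` are invisible to `ls -l`, and their real effect is capped by the ACL mask entry. The following added POSIX shell example (not from Brother Bird's notes) reads getfacl-style output and computes the effective permission of each named entry the way getfacl's `#effective:` annotation does. The ACL text is constructed for the example; no filesystem with ACL support is needed to run it, only sed, grep and the shell's arithmetic.

```shell
#!/bin/sh
# Added example, not from the original notes: read getfacl-style output and
# report what each named user/group entry can actually do once the mask is
# applied. The ACL text below is constructed for this example.
SAMPLE_ACL='# file: acl_test1
# owner: root
# group: root
user::rwx
user:vbird1:rwx
group::r-x
group:project:rw-
mask::r-x
other::---'

# "rwx"/"r-x"/"---" string -> 0-7 bit pattern (r=4, w=2, x=1).
perm_bits() {
    bits=0
    case "$1" in r??) bits=$((bits + 4)) ;; esac
    case "$1" in ?w?) bits=$((bits + 2)) ;; esac
    case "$1" in ??x) bits=$((bits + 1)) ;; esac
    echo "$bits"
}

# Reverse of perm_bits: 0-7 -> "rwx" string.
bits_perm() {
    r=-; w=-; x=-
    [ $(( $1 & 4 )) -ne 0 ] && r=r
    [ $(( $1 & 2 )) -ne 0 ] && w=w
    [ $(( $1 & 1 )) -ne 0 ] && x=x
    echo "$r$w$x"
}

# The mask entry caps every named user, named group and the owning group.
acl_mask() { printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p'; }

# Effective permission of one named entry ("user:vbird1", "group:project"):
# entry permission AND mask, which is what getfacl prints as #effective:.
# Prints "none" and fails if the entry does not exist.
effective_perm() {
    entry=$(printf '%s\n' "$1" | sed -n "s/^$2:\(...\)$/\1/p")
    [ -z "$entry" ] && { echo none; return 1; }
    bits_perm $(( $(perm_bits "$entry") & $(perm_bits "$(acl_mask "$1")") ))
}

# Audit view: every named entry, i.e. the extra grants beyond owner/group/other
# that a plain ls -l does not show.
named_entries() { printf '%s\n' "$1" | grep -E '^(user|group):[^:]+:'; }
named_entry_count() { named_entries "$1" | grep -c .; }

# Stand-alone run: list each named entry with its granted and effective bits.
for e in $(named_entries "$SAMPLE_ACL"); do
    name=${e%:*}
    echo "$name granted ${e##*:}, effective $(effective_perm "$SAMPLE_ACL" "$name")"
done
```

On a real file, feed `getfacl acl_test1` into the same functions; the case to look for is a named entry whose effective permission is wider than intended, or a mask of `rwx` that quietly lifts the cap on every named entry.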
9. Switching user identity: su, sudo
  su -    login shell: the target user's login environment is read
  su      without "-": a non-login shell, the environment variables are not switched
  sudo [-b] [-u account]
    -b: run the command in the background so that it does not affect the current shell
    -u: the account to switch to; root if omitted
  When sudo runs, the system checks /etc/sudoers to decide whether the user is allowed to use sudo.
  If the user has sudo permission, the user is asked for their own password to confirm; if the password is correct, the sudo command is executed.
  Edit /etc/sudoers with the visudo command.
  A sudoers entry has four fields:
    root     ALL=(ALL)     ALL
    1. User account: the user who may run sudo
    2. Login host: the hosts this rule applies to, ALL by default
    3. Identity the user may switch to
    4. Commands that may be executed
    %groupname    ALL=(ALL)    ALL               # the leading % means every member of this group may run sudo
    %groupname    ALL=(ALL)    NOPASSWD: ALL     # run without a password
    myuser1       ALL=(root)   /usr/bin/passwd   # always use absolute paths
    myuser1       ALL=(root)   !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root   # always use absolute paths
    # The second myuser1 rule denies passwd with no argument (which would change root's password),
    # allows passwd followed by an account name, then denies passwd root. Negating all three
    # entries would leave myuser1 with nothing to run.
  The same with aliases in visudo:
    User_Alias ADMPW = pro1, pro2, pro3
    Cmnd_Alias ADMPWCOM = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
    ADMPW ALL=(root) ADMPWCOM
  Cmnd_Alias (command alias), Host_Alias (host alias)
10. User special shells and the PAM module
  PAM module invocation flow:
    1. The user runs passwd and enters a password.
    2. passwd calls the PAM module for validation.
    3. The PAM module looks in /etc/pam.d/ for a configuration file with the same name as the program, passwd.
    4. Based on the settings in /etc/pam.d/passwd, the relevant PAM modules are called to carry out the validation.
    5. The validation result (success or failure) is passed back to the passwd program.
    6. passwd decides its next action from the information PAM returned. (ref. p. 437)

11. Passing messages between users
  Queries: w, who, last, lastlog
  User talk: write, mesg, wall
    write account [user's terminal port]
      write root tty2
      (type the message, then Ctrl-D to end input)
    When you do not want to be interrupted by messages, run mesg n: no messages are received, except from root.
    mesg with no argument shows the current state.
    wall broadcasts to everyone.

12. User mailbox: mail

13. Manually adding users
  pwck: checks that the account information in /etc/passwd matches the home folders that actually exist, and that /etc/passwd and /etc/shadow are consistent
  pwconv: moves the account passwords from /etc/passwd into /etc/shadow; needed because early Unix had no shadow design
  pwunconv: moves the passwords in /etc/shadow back into /etc/passwd and removes /etc/shadow
  chpasswd: reads unencrypted passwords and writes the encrypted passwords to shadow; often used to create users in batches
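The consistency checks that pwck and pwconv perform are easy to reproduce on a copy of the two files, which is also a useful audit when accounts have been added or removed by hand. The following added POSIX shell example (not from Brother Bird's notes) runs four such checks over constructed passwd and shadow text: accounts missing from shadow, stale shadow lines with no passwd entry, hashes still sitting in the world-readable passwd file, and UIDs shared by more than one account. All account names and hashes are constructed; only cut, awk, sort and uniq are assumed.

```shell
#!/bin/sh
# Added example, not from the original notes: the kind of consistency check
# pwck performs, run against constructed passwd/shadow text rather than the
# live files. Every name, UID and hash below is made up for this example.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vbird1:x:500:500:VBird test:/home/vbird1:/bin/bash
olduser:$1$legacy$FAKEHASHLEFTINPASSWD:501:501::/home/olduser:/bin/bash
svc:x:502:502:service:/srv/svc:/sbin/nologin
admin2:x:0:0:second uid 0:/root:/bin/bash'
SAMPLE_SHADOW='root:$6$fake$HASH:14126:0:99999:7:::
vbird1:!!:14126:0:99999:7:::
ghost:$6$fake$HASH:14126:0:99999:7:::
admin2:$6$fake$HASH:14126:0:99999:7:::'

# Account names (field 1) of passwd- or shadow-style text.
names_of() { printf '%s\n' "$1" | cut -d: -f1; }

# Accounts present in passwd ($1) but without a shadow ($2) line: pwck
# reports these, and they cannot log in until a shadow entry exists.
missing_shadow() {
    for n in $(names_of "$1"); do
        names_of "$2" | grep -qx "$n" || echo "$n"
    done
}

# Shadow lines with no matching passwd entry, typically left behind when an
# account was removed by editing passwd instead of running userdel.
orphan_shadow() {
    for n in $(names_of "$2"); do
        names_of "$1" | grep -qx "$n" || echo "$n"
    done
}

# passwd entries whose second field is not "x": a hash in the world-readable
# file, which is exactly what pwconv exists to move into shadow.
unshadowed_passwords() { printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'; }

# UIDs used by more than one account; two accounts with the same UID are the
# same identity to the kernel, so a second UID 0 is a second root.
duplicate_uids() { printf '%s\n' "$1" | cut -d: -f3 | sort | uniq -d; }

# Stand-alone run: print each finding, one category per line.
echo "no shadow entry:       $(missing_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" | xargs)"
echo "stale shadow entries:  $(orphan_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" | xargs)"
echo "hash still in passwd:  $(unshadowed_passwords "$SAMPLE_PASSWD" | xargs)"
echo "duplicate UIDs:        $(duplicate_uids "$SAMPLE_PASSWD" | xargs)"
```

To run the same checks on a real system, replace the two sample strings with `$(cat /etc/passwd)` and, as root, `$(cat /etc/shadow)`; pwck itself remains the authoritative tool, since it also verifies that each home folder exists.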
