CentOS 7.1: easy management of basic users and permissions

Source: Internet
Author: User
Tags: asymmetric encryption


On a personal PC it makes little sense to spend much time managing users and permissions. In an enterprise or public institution with a large number of users, however, it has to be done, and done well, once the security level of the information involved matters.

The point of user and permission management is security and convenience.

First, users are organized into groups. Users are divided into as many groups as needed; each group has a unique group name, and each group name corresponds to a unique ID called the GID. Each group then contains members, called users. Likewise, each user has a unique user name and a corresponding unique ID called the UID. If you want to place a user in a named group, that group must exist before the user is created. If you create a user account without specifying a group, that is fine: the user gets a group whose name is the same as the account name.

I. User group classification: administrator group and common groups

Administrator group: root (GID 0)

Common groups: GID range 1-65535, divided into system groups (GID range 1-999) and login groups (GID range 6000-10000).

II. User classification:

Users are divided into administrative users and ordinary users.

(1) The administrative user root (UID 0) has the greatest rights and almost all permissions. It exists to manage other users; therefore ordinary users must be created by it.

(2) Ordinary users include login users and system users. The UID ranges mirror the group ranges: the overall UID range is 1-65535. Login users (UID range 1-999) can log on, through various authentication methods, although what most new users first meet is password login. System users use the range 6000-10000.

III. Creating users and user groups:

The process for creating and using a user is:

create user group - set user group password - create user - set password.

Translated into commands, that is:

groupadd - gpasswd - useradd - passwd.

However, as mentioned above, if you do not need a separate user group you do not have to create one; you can create the user directly. gpasswd is generally unnecessary, so the simplest sequence, useradd - passwd, is enough. Note that I am using the root account:

Someone may ask: how do I check that the user was created successfully? Simple: use the id command. As shown below, user1 has been allocated a UID, which means it was created successfully.

In general, people are more used to working with users than with groups; at least that is my experience, so groups may be easier to understand by analogy with users. What follows is only a command reference; remember to practice the commands yourself. Let's start with the user-related commands.

1. User creation

useradd creates a user, passwd sets the password, userdel deletes a user, usermod modifies user attributes, and chage modifies the password aging attributes directly.

useradd: create a user

Syntax: useradd [options] username

Don't be put off by the notation: the options go between useradd and username, and [] means that part is optional and can be omitted.

Options: the following parameters are available:

-u, --uid UID: specify the UID

-g, --gid GROUP: specify the primary group (by name or GID); it must already exist.

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: specify the additional (supplementary) groups the user belongs to; separate multiple groups with commas (,).

-c, --comment COMMENT: specify the comment (GECOS) information.

-d, --home HOME_DIR: use the specified path as the user's home directory; the contents of /etc/skel are copied into it. If the home directory already exists, the environment configuration files are not copied for the user.

-s, --shell SHELL: specify the user's default shell. The list of available shells is stored in /etc/shells.

-r, --system: create a system user

useradd -D: display the default configuration for newly created users.

useradd -D -s /bin/csh

useradd -D [OPTIONS] changes the default configuration for newly created users; the result is saved in /etc/default/useradd.

Eg1: specifying additional groups. A user has exactly one primary group (also called the basic or effective group) but can belong to several additional groups, and a group can have several users: a many-to-many relationship. If some of the commands below are unfamiliar, keep reading. Specify additional groups for a user with useradd -G, and append an additional group with usermod -aG, as follows:
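The groupadd - useradd - passwd - id sequence above, together with the -g/-G/-c/-s options and the point of Eg1, as an added example written for this page (not the article's own commands). The user name, group names, comment and password are constructed placeholders; by default the function only prints the commands it would run, and only root with DRY_RUN=0 actually applies them.

```shell
#!/bin/sh
# Added example (not from the original article): the groupadd -> useradd ->
# passwd -> id sequence as a reviewable function. User, group and comment
# values are constructed placeholders. With DRY_RUN=1 (the default) it only
# prints the commands; run it as root with DRY_RUN=0 to apply them.

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Check a login name against the rule useradd enforces on CentOS 7:
# [a-z_][a-z0-9_-]*[$]?, at most 32 characters.
username_ok() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 32 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*\$?$'
}

# provision_user USER PRIMARY_GROUP EXTRA_GROUPS SHELL COMMENT
# EXTRA_GROUPS is a comma-separated list and may be empty.
provision_user() {
    user=$1 primary=$2 extra=$3 shell=$4 comment=$5
    username_ok "$user" || { printf 'invalid user name: %s\n' "$user" >&2; return 1; }

    # 1. the primary group must exist before useradd -g can refer to it
    getent group "$primary" >/dev/null 2>&1 || run groupadd "$primary"

    # 2. create the user: -m builds the home directory from /etc/skel,
    #    -g sets the primary group, -G the additional groups
    run useradd -m -g "$primary" ${extra:+-G "$extra"} -c "$comment" -s "$shell" "$user"

    # 3. set the initial password from stdin (passwd --stdin), so it never
    #    appears as a command-line argument visible to other users in ps
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'passwd --stdin %s   # password piped from $INITIAL_PASSWORD\n' "$user"
    else
        printf '%s\n' "$INITIAL_PASSWORD" | passwd --stdin "$user"
        chage -d 0 "$user"    # force a password change at first login
    fi

    # 4. verify: id prints the uid and every group the user ended up in
    run id "$user"
}

# Stand-alone demo (dry run unless root exports DRY_RUN=0).
INITIAL_PASSWORD=${INITIAL_PASSWORD:-"ChangeMe-placeholder"}
provision_user user1 developers wheel /bin/bash "Dev One"
```

The password is piped into passwd --stdin rather than passed as an argument, and chage -d 0 makes the user replace the initial password on first login; the validation in username_ok rejects names that useradd itself would refuse, so the failure surfaces before any group is created.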

passwd: change a password

The syntax of passwd is too long to reproduce here; see man passwd.

(1) passwd: change your own password

(2) passwd USERNAME: change the password of the specified user; only root may do this.

-l, -u: lock and unlock the user

-d: clear the user's password string

-e DATE: expiration date

-i DAYS: inactivity period

-n DAYS: minimum password validity period

-x DAYS: maximum password validity period

-w DAYS: warning period

In addition, passwd can assign a password directly:

echo "passwd" | passwd --stdin username

chage command: change password expiry information; it mainly edits the fields in /etc/shadow

-l: list the password aging details

-d: the date of the last password change, given as the number of seconds since 1970-01-01. Set the last change date with: chage -d "487208" centos

-E: change the account expiration date

-W: set the warning period

-m: minimum number of days between password changes

-M: maximum number of days before the password must be changed

userdel command: delete a user

userdel [option] username

-r: also delete the home directory when deleting the user.

usermod command: modify user attributes

usermod [option] username

-u, --uid UID: set a new UID

-g, --gid GROUP: change the user's primary group

-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: set the additional groups; the existing additional groups are replaced.

-a, --append: used together with -G, appends the new additional groups instead of replacing the existing ones

-c, --comment COMMENT: set the comment information

-d, --home HOME_DIR: change the user's home directory; the user's existing files are not moved, and by default the new directory is not created.

-m, --move-home: only usable with -d; moves the contents of the old home directory to the new one

-l, --login NEW_LOGIN: change the user name

-s, --shell SHELL: change the user's default shell

-L, --lock: lock the user's password

-U, --unlock: unlock the user's password

Eg2: change the user name (usermod -l) and move the home directory, removing the original (usermod -md), as follows:

2. User group creation

Commands involved: groupadd, groupdel, groupmod and gpasswd

groupadd command: add a group

groupadd [option] group_name

-g GID: specify the GID. The default is the previous group's GID + 1.

-r: create a system group.

groupmod command: modify group attributes

groupmod [option] groupname

-g GID: change the GID

-n newname: change the group name

groupdel command: delete a group

groupdel [option] group

gpasswd: change the group password and manage group members

gpasswd [option] group

-a USERNAME: add a user to the group

-d USERNAME: remove a user from the group

3. Checking and viewing users and user groups

We know that data held in memory does not survive a shutdown, so important data such as accounts and passwords must be written to disk, to fixed files. There are two ways to view users and user groups: with commands and by reading the files.

(1) Viewing with a command: id

id command: displays the real and effective user and group IDs.

id [option]... [user]

-u: display only the effective UID.

-g: display only the user's primary group.

-G: display all of the user's groups.

-n: display names instead of IDs; can be combined with the options above.

(2) Viewing the files: tail -n N /etc/passwd, /etc/shadow or /etc/group

How are these files related to login? When we log on and enter an account name and password, the system looks the account up in /etc/passwd, that is, in the name field. If the name does not exist, login is refused. If it does, the password is checked against /etc/shadow.

/etc/passwd: the database that stores user information.

name:password:UID:GID:GECOS:directory:shell

/etc/shadow: stores the user passwords separately

user name:encrypted password:date of last password change:minimum age:maximum age:warning period:expiration date:reserved field

/etc/group: the database that stores group information.

group_name:password:GID:user_list

Note that user_list only lists the users for whom the group is an additional group, not those whose primary group it is.

Tip: there is also /etc/gshadow, but whether it matters depends on your setup; I will not go into it here.


1. View the supported shells: cat /etc/shells.

2. There are three ways to add an additional group: first, usermod -aG groupname username; second, gpasswd -a username groupname; third, vi /etc/group and add the user name to the last field.

Remove an additional group: gpasswd -d USERNAME groupname, or vi /etc/group.

3. The defaults for /etc/passwd, /etc/shadow and /etc/group are set in /etc/login.defs.

4. To find out which algorithm the system uses to hash passwords, look at the second field of /etc/shadow. It contains three $ characters: the part between the first and second $ identifies the algorithm (6 means SHA-512), the part between the second and third $ is the salt, and the last part is the hash itself.

passwd --status USERNAME, or passwd -S username, also shows the account's attributes and the algorithm used.
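The $id$salt$hash layout of the second shadow field, the lock marker that passwd -l / usermod -L put in front of it, and the aging fields that chage and passwd -n/-x/-w set, as an added example (not from the original article). The shadow lines are constructed samples with placeholder salts and hashes, written to a temporary file; setting SHADOW_FILE=/etc/shadow and running as root applies the same report to the real file.

```shell
#!/bin/sh
# Added example (not from the original article): read the second field of
# a shadow file to name the hash algorithm ($1$ md5, $5$ sha256, $6$ sha512),
# the lock state (a leading "!" from passwd -l, "!!" for an account that never
# had a password) and whether the maximum age (field 5, chage -M / passwd -x)
# has run out. The lines below are constructed samples with placeholder hashes.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
SHADOW_FILE=$TMP/shadow

cat >"$SHADOW_FILE" <<'EOF'
root:$6$rootsalt$placeholderhash:18000:0:99999:7:::
user1:$6$u1salt$placeholderhash:18500:1:90:14:::
user2:!!:18500:0:99999:7:::
svc:!$6$svcsalt$placeholderhash:18500:0:99999:7:::
legacy:$1$oldsalt$placeholderhash:17000:0:99999:7:::
EOF

# shadow_report TODAY  (TODAY = days since 1970-01-01, the unit shadow uses)
# prints: name algorithm status aging
shadow_report() {
    awk -F: -v today="$1" '
    {
        field = $2
        if (field == "")          status = "NO-PASSWORD"   # empty field: no password at all
        else if (field ~ /^[!*]/) status = "locked"
        else                      status = "active"
        sub(/^!+/, "", field)       # passwd -l only prefixes "!"; the hash is kept
        n = split(field, h, "$")    # "$id$salt$hash" -> h[2]=id, h[3]=salt, h[4]=hash
        algo = "none"
        if (n >= 4) {
            if      (h[2] == "1") algo = "md5"
            else if (h[2] == "5") algo = "sha256"
            else if (h[2] == "6") algo = "sha512"
            else                  algo = "id=" h[2]
        }
        last = $3 + 0; maxd = $5 + 0   # last change (days) and maximum age (days)
        aging = "ok"
        if (status == "active" && maxd > 0 && maxd < 99999 && last + maxd < today)
            aging = "EXPIRED"
        print $1, algo, status, aging
    }' "$SHADOW_FILE"
}

# Stand-alone run against the current date.
shadow_report "$(( $(date +%s) / 86400 ))"
```

The svc line shows why the lock state and the algorithm are reported separately: passwd -l leaves the SHA-512 hash in place behind the "!", so unlocking restores the old password, whereas user2's "!!" means no password was ever set. The legacy line, with a $1$ (MD5) hash, is what an account migrated from an older system looks like and is the kind of entry this report exists to surface.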

Encryption algorithms are documented everywhere; the following is enough as a reminder:

Symmetric and asymmetric encryption algorithms

Formula: S = {P, C, K, E, D}, c = E_k(p), p = D_k(c)

Symmetric: DES, 3DES, RC2, RC4

Asymmetric: RSA, DSA

One-way encryption: md5, sha, base64, hmac

Hash algorithm codes:

1 md5: message digest, 128-bit digest

2 sha: secure hash algorithm, 160-bit digest


4 sha256

5 sha384

6 sha512

