Having studied Linux user management for a long time, I would like to share what I have learned; I hope you gain something from this article.
I. Permission control mechanism
Linux is a multi-user system in which different users can access different files at the same time, so it needs a file permission control mechanism. The permission model in Linux differs considerably from that of Windows. Every file or directory is owned by one user, called the file owner, and also belongs to a user group, called the file's owner group. A user can be a member of several groups, as controlled by the administrator. A file's permissions are recorded in its permission flags, which specify separately what the owner, the owner group, and all other users may do with the file.
Users and permissions
1. Basic Concepts
(1) File owner. Linux assigns an owner to every file, called the file owner; each owner is identified by a unique login name. Control over a file rests with its owner or with the superuser (root).
File ownership can be changed: the ownership of a file or directory can be transferred to another user, but only the file owner or root may do so. The chown command changes the owner of a file or directory. For example, when the superuser copies a file to user1, the superuser (root) should set the file's owner to user1 so that user1 can access it; otherwise user1 cannot use it. Once the ownership of a file or directory has been changed, the original owner no longer has control over it.
(2) User group. In Linux, each file also belongs to a user group. When a file or directory is created, the system assigns it a group. The chgrp command changes the group of a file.
(3) Access permissions. In Linux, every file and directory has access permissions, which determine who may access and operate on it.
2. Access permissions
Linux distinguishes three classes of users with respect to a file: the file owner (user), users in the same group (group), and all other users who can access the system (others).
There are three kinds of access to a file or directory: read (r), write (w), and execute or search (x).
(1) File Access Permissions
Read permission (r) allows the specified users to read the contents of the file but not to change it. Write permission (w) allows them to open and modify the file. Execute permission (x) allows them to run the file as a program.
(2) Directory Access Permissions
Add the -d option to the ls command (ls -ld) to see the permissions of a directory itself. For a directory, read permission (r) allows listing the files stored in it, that is, reading the directory's contents. Write permission (w) allows creating or deleting files and subdirectories in it. Execute permission (x) allows searching the directory and switching to it with the cd command. The chmod command changes the access permissions of files and directories. The relevant commands are described below.
1. chmod command
Function: changes or sets the access permissions of a file or directory.
Format: chmod [option] mode file-or-directory-name
Note: only the file owner or the superuser root may use chmod to change the access permissions of a file or directory.
Option parameters:
◆ -c: report only when a file's or directory's permissions are actually changed.
◆ -f: do not display error messages when permissions cannot be changed.
◆ -v: display detailed information about every permission change.
◆ -R: recursively change the permissions of all files and subdirectories under the given directory.
In the mode, the following letters denote the user classes:
◆ u (user): the file owner.
◆ g (group): the group the file belongs to.
◆ o (others): all other users.
◆ a (all): all users, i.e. u + g + o.
Permissions are denoted by r (read), w (write), and x (execute). Between the user class and the permission letters, an operator specifies whether to add (+) or remove (-) the permissions, or to set exactly (=) those permissions.
2. chown command
Function: changes the owner and group of a file or directory.
Format: chown [option] user or user:group filename
Note: only the file owner and the superuser may use this command. To change the owner and the group at the same time, separate the user name and group name with a colon. The file name may contain wildcards.
Parameter options:
◆ -R: recursively change the owner of the given directory and of all subdirectories and files under it.
3. chgrp command
Function: changes the group of a file or directory.
Format: chgrp [option] groupname filename
Note: a user who is neither the file's owner nor the superuser cannot change the group of a file or directory. chown can change the owner and the group at once; chgrp changes only the group.
Parameter options:
◆ -R: recursively change the group of all subdirectories and files under the given directory.
4. umask command
Function: sets the permission mask applied to newly created files.
Format: umask [mode]
Description: mode is the mask value for new file permissions.
chmod can modify a file's access permissions after the fact, but what permissions does a newly created file have if the user never runs chmod on it? They are determined by the system default permission and the default permission mask: the permission of the new file equals the system default permission minus the default permission mask. In Linux the default permission for directories is 777 and for files 666, which gives the following formulas:
◆ New directory permission = 777 - default permission mask
◆ New file permission = 666 - default permission mask
◆ Note: for security reasons, Linux never gives a newly created file execute permission by default. Running umask with no arguments displays the current default permission mask. Linux user management is described next.
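The following is an added example (not from the original article) that exercises the chmod modes and the umask formulas above on real temporary files, and contrasts the computation the system actually performs (base permission AND NOT mask, bitwise) with plain octal subtraction, which agrees only when every bit set in the mask is also set in the base permission. It assumes a POSIX shell with mktemp, ls, cut, and chmod available.

```shell
# Helper: the nine permission characters from "ls -l" (type character dropped).
perm_bits() { ls -ld "$1" | cut -c2-10; }

# perms_after_chmod <spec>: start from mode 644 and apply one chmod spec
# (symbolic such as u=rw,g=r,o= or numeric such as 640), then report the bits.
perms_after_chmod() {
    d=$(mktemp -d) || return 1
    : > "$d/f"
    chmod 644 "$d/f" && chmod "$1" "$d/f"
    perm_bits "$d/f"
    rm -rf "$d"
}

# observed_file_perms <umask>: create a file under that umask and report the
# bits the system gave it. mktemp -d only supplies the directory; the probe
# file is created with ":" so it really gets 666 with the mask applied.
observed_file_perms() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/probe" )
    perm_bits "$d/probe"
    rm -rf "$d"
}

# new_mode <base> <umask>: what the kernel computes, base AND NOT mask, in octal.
# subtract_mode is the "base - mask" shortcut from the formulas above.
new_mode()      { printf '%03o' $(( 0$1 & ~0$2 )); }
subtract_mode() { printf '%03o' $(( 0$1 - 0$2 )); }

# umask_table: common mask values; the last column shows where subtraction
# diverges from the real result (027, 077 and 137 clear bits 666 lacks).
umask_table() {
    for m in 022 002 027 077 137; do
        printf 'umask %s: file %s dir %s (subtraction gives file %s)\n' \
            "$m" "$(new_mode 666 "$m")" "$(new_mode 777 "$m")" \
            "$(subtract_mode 666 "$m")"
    done
}
```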
II. Linux User Management
Linux is a multi-tasking, multi-user operating system. Different users must be able to access different files at the same time and to log in locally or remotely; to do so, each user must have a valid account. In Linux, user access is controlled through accounts, so users and groups must be managed effectively. Users in Linux:
1. User
Linux users fall into three types: the superuser, system users, and ordinary users. The superuser's login name is root and it has all permissions; it should be used only for system maintenance (such as creating users) or when otherwise necessary, to avoid security problems. System users are built-in accounts required for the normal operation of the Linux system; they exist mainly so that the corresponding system processes have file owners, and they cannot log in. Examples are bin, daemon, adm, and lp.
Ordinary users are created so that people can use the system's resources; most users are of this type. Every user has a number called the UID. The superuser's UID is 0, system users generally have UIDs from 1 to 499, and ordinary users have UIDs between 500 and 60000.
2. Account System Files
Linux stores account information in plain text files, the most important being /etc/passwd, /etc/shadow, and /etc/group. They can be edited with vi or another editor, or changed with dedicated commands. Account management is in effect adding, modifying, and deleting record lines in these files, so whichever method is used, it is necessary to understand their contents.
(1) /etc/passwd: the most important file in account management. It is a plain text file in which every registered user has a corresponding record line holding that user's essential information.
Example 1: display the /etc/passwd file.
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
The first line of the passwd file is the root user, followed by the system users; ordinary users are usually at the end of the file. Each line consists of seven fields separated by ":" in the following format:
◆ account name:password:UID:GID:personal data:home directory:shell
Description:
◆ Account name: the name the user uses to log in to Linux.
◆ Password: an encrypted password, not the plain-text password. The value "x" means the password is protected by shadow.
◆ UID: the user ID, a number Linux uses to distinguish users.
◆ GID: the ID of the user's group, a number Linux uses to distinguish groups; members of the same group share a GID.
◆ Personal data: the user's personal information, such as name and telephone number (in the example above this field is blank for the test user).
◆ Home directory: usually /home/username, where username is the login name. When the user runs "cd ~", the current directory is switched to the home directory.
◆ Shell: the shell used after login; the default is bash.
(2) /etc/shadow: every user has read permission on the passwd file, and although the password is encrypted, nothing stops anyone from obtaining the encrypted value. For better security, Linux protects passwords further by moving the encrypted password to a separate file, /etc/shadow. When shadow protection is in use, the password field of every record in /etc/passwd becomes "x", and the shadow file in /etc is readable only by the superuser.
(3) pwconv and pwunconv: when Linux is installed, the system uses shadow to protect passwords by default. If shadow was not enabled during installation, run the pwconv command as root to enable it: the password field of each line in /etc/passwd is changed to "x" and the file /etc/shadow is generated. To turn shadow protection off, run the pwunconv command.
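As an added example (not part of the original article), the audit below reads passwd-format text and reports the conditions just described: a second account with UID 0, a password hash left in passwd instead of shadow, an empty password field, and records that do not have seven fields. The sample data is constructed for the demonstration; on a real system the same function is run as audit_passwd < /etc/passwd.

```shell
# Constructed sample (not from a real system): "backup" reuses UID 0,
# "legacy" still carries a hash in passwd, "svc" has an empty password field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test:x:500:500::/home/test:/bin/bash
backup:x:0:0:backup operator:/root:/bin/bash
legacy:$6$constructedsalt$constructedhash:501:501::/home/legacy:/bin/bash
svc::502:502::/home/svc:/bin/sh'

# audit_passwd reads passwd-format lines on stdin and prints one finding per
# line. Fields: 1 name, 2 password, 3 UID (the seven-field layout above).
audit_passwd() {
    awk -F: '
        NF != 7                 { printf "%s: malformed (%d fields)\n", $1, NF; next }
        $3 == 0 && $1 != "root" { printf "%s: uid 0 but not root\n", $1 }
        $2 == ""                { printf "%s: empty password field\n", $1 }
        $2 != "" && $2 != "x"   { printf "%s: password hash stored in passwd\n", $1 }
    '
}

# run_audit feeds the constructed sample through the audit.
run_audit() { printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd; }

# finding_count returns the number of findings for the sample (three here).
finding_count() { run_audit | wc -l | tr -d ' '; }
```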
This concludes the section on Linux user management.
III. Group Management
1. Linux Group
Linux groups include private groups, system groups, and standard groups. When an account is created without specifying a group, the system creates a group with the same name as the user; this private group contains only that one user. A standard group can hold many users, and every member has the group's rights. System groups are created automatically by Linux. A Linux user can belong to several groups, divided into the basic group and additional groups. The basic group is the one recorded in /etc/passwd; the other groups, recorded in /etc/group, are additional groups. A user in several groups has the combined permissions of all of them.
In Linux, group information is stored in the file /etc/group.
For example, to display the /etc/group file:
# cat /etc/group
root:x:0:root,test
bin:x:1:root,bin,daemon
......
test:x:500:
group1:x:1000:
user1:x:501:
Each line of the group file records one group and contains four fields separated by ":".
◆ Format: group name:group password:GID:group members
◆ Field description:
◆ Group name: the name of the group, such as root or bin.
◆ Group password: a password for joining the group. Group passwords are rarely used, so this field is usually empty.
◆ GID: the group identifier, a number analogous to the UID.
◆ Group members: the users in the group, separated by commas.
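The example below is added here and is not from the original article: it resolves a user's basic group from the GID field of passwd and the additional groups from the member lists in group, the two places this section says group membership is recorded. Both files are constructed samples written to temporary files so the awk program can read them as it would read /etc/passwd and /etc/group.

```shell
# Constructed samples (not a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:500:500::/home/test:/bin/bash
user1:x:501:501::/home/user1:/bin/bash'

SAMPLE_GROUP='root:x:0:root,test
bin:x:1:root,bin,daemon
wheel:x:10:test
test:x:500:
group1:x:1000:test,user1
user1:x:501:'

# groups_of <user>: prints the basic group first, then the additional groups
# in /etc/group order (the same order "id -Gn" uses); prints nothing for a
# user that does not appear in passwd.
groups_of() {
    pw=$(mktemp) && grp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_GROUP" > "$grp"
    awk -F: -v u="$1" '
        NR == FNR { if ($1 == u) gid = $3; next }   # first file: passwd, take GID
        {                                            # second file: group records
            name[$3] = $1                            # GID -> group name
            n = split($4, m, ",")                    # member list of this group
            for (i = 1; i <= n; i++)
                if (m[i] == u && $3 != gid) extra = extra " " $1
        }
        END { if (gid != "") printf "%s%s\n", name[gid], extra }
    ' "$pw" "$grp"
    rm -f "$pw" "$grp"
}
```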
2. Add, modify, and delete user groups
(1) Add a group
A group can be added by editing /etc/group by hand or with the groupadd command.
Command format: groupadd groupname
For example, to add the group group1:
# groupadd group1
(2) Modify group attributes
Use the groupmod command to change a group's name or GID. To change the GID, run groupmod -g followed by the new GID and the group name; to change the name, run groupmod -n followed by the new name and the original name.
(3) Delete a group
Use the groupdel command to delete a group.
◆ Format: groupdel groupname
◆ Note: after a group is deleted, use chown to assign the directories and files that belonged to the deleted group to another group.
◆ The gpasswd command changes the members or the password of a group.
◆ Format: gpasswd [parameter] [username] groupname
◆ With no parameter, the group password is changed.
Parameter options:
◆ -a: add a user to the group.
◆ -d: remove a user from the group.
IV. Linux User Manager
User Manager is a graphical tool for managing users and groups conveniently. As root, choose "Main Menu" > "System Settings" > "Users and Groups" (or run redhat-config-users at a shell prompt) to open the Red Hat User Manager window.
1. Create a user account
In the Linux User Manager window, click "Add User" to open the "Create User" dialog box.
2. Modify user attributes
To modify a user's attributes, select an existing account in the Linux User Manager window and click "Properties". The "User Properties" window has four tabs: "User Data", "Account Information", "Password Information", and "Groups". Select the relevant tab to modify the corresponding attributes.
3. Modify user group attributes
On the "Groups" tab, select an existing group and click "Properties" to open the "Group Properties" window, where you can modify the group's attributes and tick the users to be added to the group.