Differences between Linux privileged accounts and normal accounts

Source: Internet
Author: User

How well do you know the privileged accounts and ordinary accounts of the Linux operating system, and the differences between the two? This article explains the differences between Linux privileged accounts and normal accounts. Linux has only these two types of users. As a Linux system administrator, you must understand the differences between the two kinds of account and the precautions to take when using them.

Generally, after a Linux system is installed, the system automatically creates a privileged account, namely root. If you need to deploy other applications on the Linux operating system, I suggest you create a separate account. For example, if you want to deploy a mail server on Linux, you had better create a mail account and use it to log on to the system and perform the related operations. This is by no means an unnecessary step, because the root account is very different from an ordinary account. The differences show mainly in the following aspects.

  1. Restrictions on disk space.

Generally, the root account has the highest permissions in the operating system, and it usually has no disk space limit. Even if disk quotas are set for other users, the root account is not limited by them. By default, normal users only have permission to store files in their own home directories, so you can limit the disk space they use by means of disk quotas. In some cases, limiting disk space is very important.

Linux is a multi-user operating system, and multiple application services may be deployed on the same Linux system at the same time. Suppose an email server and a file server are deployed together, each under a different account name. The system administrator can then set a disk quota for each account separately, to prevent one application from consuming all the hard disk space because of a virus or some other cause and taking the other service on the machine down with it. If both services are deployed with the root account, or one of them runs with the root account, the disk space cannot be limited. For example, if you deploy the email server with the root account and the server is infected with a virus (or some clients are infected) and starts sending spam, the disk space may well be exhausted before the system administrator notices the problem, and the whole server crashes. If an ordinary account is used for the deployment, at worst the mail server crashes, without affecting the file server or the root account, and there is still room for recovery.

Therefore, no matter how many applications are deployed on the Linux operating system, it is best to keep the root account separate from the ordinary accounts. Generally, the root account is used only for management and not for any other purpose. Only then can disk quotas take effect.
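The rule above can be checked before any quota is assigned. The following dry-run planner is an added example, not part of the original article: it prints `setquota` commands (block limits in 1 KiB blocks) for ordinary service accounts and skips every account whose UID is 0, whatever its name. The account names, limits and `/home` filesystem are constructed sample values.

```shell
#!/bin/sh
# Added example: dry-run quota planner. It only prints commands, it runs none.

# Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mail:x:1001:1001:mail service:/home/mail:/bin/bash
files:x:1002:1002:file service:/home/files:/bin/bash
svcadmin:x:0:0:second uid 0 account:/home/svcadmin:/bin/bash'

# Constructed plan, one entry per line: account:soft_KiB:hard_KiB:filesystem
SAMPLE_PLAN='mail:4000000:5000000:/home
files:8000000:9000000:/home
svcadmin:1000000:2000000:/home
ghost:1000:2000:/home'

# plan_quotas PASSWD_TEXT PLAN_TEXT
# Emits one line per plan entry:
#   setquota -u ...  for ordinary accounts
#   SKIP ...         for UID 0 accounts (a quota does not limit them)
#   MISSING ...      for accounts absent from the passwd data
plan_quotas() {
    printf '%s\n' "$2" | while IFS=: read -r acct soft hard fs; do
        [ -n "$acct" ] || continue
        # Decide by UID, not by name: any UID 0 account is privileged.
        uid=$(printf '%s\n' "$1" | awk -F: -v a="$acct" '$1 == a { print $3; exit }')
        if [ -z "$uid" ]; then
            echo "MISSING $acct: create the account before assigning a quota"
        elif [ "$uid" -eq 0 ]; then
            echo "SKIP $acct: UID 0, a disk quota would not limit this account"
        else
            # setquota -u NAME BLOCK_SOFT BLOCK_HARD INODE_SOFT INODE_HARD FS
            echo "setquota -u $acct $soft $hard 0 0 $fs"
        fi
    done
}

plan_quotas "$SAMPLE_PASSWD" "$SAMPLE_PLAN"
```

The printed `setquota` lines still need quotas enabled on the target filesystem and must be run by the administrator.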

  2. Ensure relatively independent environment variables.

In this respect the Linux operating system is similar to Windows: environment variables include user environment variables and general environment variables. User environment variables are valid only for the current user, while general environment variables are valid for all users of the operating system. Sometimes, when deploying network applications, you must keep the environment variables relatively independent. A user environment variable created under one account has no effect under another account, so you can create multiple accounts to keep the environment variables of different accounts independent. For example, an ERP deployment on Linux consists of two parts, the database server and the ERP application server, which are independent of each other yet interrelated. The system administrator usually sets up two ordinary accounts to deploy the two applications. This way each application keeps its own user environment variables, so when multiple applications are deployed on the same computer, they can work independently without interfering with each other.

If you deploy these applications under the same account, you need to set many environment variables in that one account, and errors and conflicts may occur. To give some applications a relatively independent working environment, we recommend that you do not use the root account to deploy them. In addition, it is best to create an ordinary account for each application, to keep its environment variables independent.
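Whether two applications can share one account's environment can be checked by comparing the variables each one needs. The following is an added example, not part of the original article; the two KEY=VALUE files, their paths and their values are constructed for the database and ERP scenario above.

```shell
#!/bin/sh
# Added example: find variables that two applications define differently.

# write_sample_envs DIR: create two constructed KEY=VALUE files.
write_sample_envs() {
    cat > "$1/db.env" <<'EOF'
# constructed sample: database server settings
export JAVA_HOME=/opt/db/jre
LD_LIBRARY_PATH=/opt/db/lib
LANG=en_US.UTF-8
EOF
    cat > "$1/erp.env" <<'EOF'
# constructed sample: ERP application server settings
JAVA_HOME=/opt/erp/jdk
LD_LIBRARY_PATH=/opt/erp/lib
LANG=en_US.UTF-8
TMPDIR=/var/tmp/erp
EOF
}

# env_conflicts FILE_A FILE_B
# Prints "NAME: value_in_A vs value_in_B" for every variable both files set
# to different values; these would collide in a single account's profile.
env_conflicts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || index($0, "=") == 0 { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            sub(/^[ \t]*(export[ \t]+)?/, "", name)   # drop optional "export"
            value = substr($0, index($0, "=") + 1)
        }
        FILENAME == ARGV[1] { first[name] = value; next }
        (name in first) && first[name] != value {
            printf "%s: %s vs %s\n", name, first[name], value
        }
    ' "$1" "$2"
}

demo_dir=$(mktemp -d)
write_sample_envs "$demo_dir"
env_conflicts "$demo_dir/db.env" "$demo_dir/erp.env"
rm -rf "$demo_dir"
```

Each reported variable is one that has to live in a separate account's user environment rather than in a shared one.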

  3. Convenient backup of user files.

The root account and an ordinary account have different home directories. The home directory of the privileged user root is /root, while that of an ordinary user is /home/account name. This arrangement is very useful in Linux. For example, suppose a Linux system has two users: the privileged user and an ordinary employee. Generally, an ordinary account can only save its files, emails, and so on in its own home directory, so you only need to back up the home directory of the employee's account to back up the employee's private files. With the home directory backed up, even if the operating system fails or the employee changes computers, only the files in the home directory need to be restored for the user to have the same working environment again. Therefore, it is very useful to separate the directories of privileged users from those of normal users.

In addition, the home directories of different users are relatively independent. For example, suppose users A and B are created in the system. The /home/ directory under the root directory of the operating system will then contain two directories, A and B. By default, user A only has permission to operate on directory A, and user B only has permission to operate on directory B. That is to say, each account can only operate on files in its own directory. Therefore, when multiple users share the same host, each user has a private folder, which prevents files from being accidentally modified or deleted by others.
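This isolation only holds while the home directories keep restrictive permissions. The following check is an added example, not part of the original article: it reports home directories whose mode lets the group or other users write into them. It assumes GNU `stat`, and the directory tree it inspects is constructed in a temporary location.

```shell
#!/bin/sh
# Added example: report home directories that other accounts can write to.

# make_sample_homes: build a constructed tree and print its path.
make_sample_homes() {
    base=$(mktemp -d)
    mkdir "$base/A" "$base/B" "$base/C" "$base/D"
    chmod 700 "$base/A"    # private
    chmod 750 "$base/B"    # group may read, nobody else may write
    chmod 777 "$base/C"    # misconfigured: anyone may write
    chmod 770 "$base/D"    # misconfigured: group may write
    echo "$base"
}

# audit_homes BASE
# Prints "MODE PATH" for each directory directly under BASE whose permission
# bits grant write access to group or others. Prints nothing if all are clean.
audit_homes() {
    for dir in "$1"/*/; do
        dir=${dir%/}
        # Skip non-directories, an unmatched glob, and symlinked homes.
        if [ ! -d "$dir" ] || [ -L "$dir" ]; then
            continue
        fi
        mode=$(stat -c '%a' "$dir")            # octal mode, e.g. 700 or 2775
        if [ $(( 0$mode & 022 )) -ne 0 ]; then # group-write or other-write set
            echo "$mode $dir"
        fi
    done
}

demo_base=$(make_sample_homes)
audit_homes "$demo_base"
rm -rf "$demo_base"
```

On a real system the argument would be `/home`, and a flagged directory is normally fixed by its owner or by root with `chmod go-w`.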

If an employee leaves or forgets the password, will the employee's files become unreadable, causing great losses to the enterprise? Actually not. Because the privileged user root has unrestricted permissions, the root account can access and modify the home directory of any ordinary account. That is to say, if an employee leaves and his or her successor needs a file in the employee's home directory, the system administrator can log on to the system with the root account and copy the relevant file to the successor. This shows how extensive the permissions of the root account are. It is therefore best to keep the root account separate from ordinary accounts, so that each user has a relatively independent personal home directory.

  4. Different file-related permissions.

Generally, only the owner of an object can change the object's ACL. For example, if user A creates a file, user A can set whether other users have the right to read or modify it. User A is the owner of the file and therefore has the right to set this. This is the most basic principle of permission control in Linux. However, the privileged user root breaks this rule. By default, the root account can read and modify all files and directories in the system, and can modify the permissions of all files. That is to say, the root account is not restricted by the ownership of files and directories. Even when the root account is not the owner of a file, it can grant permissions on that file to other users.

In daily work, the system administrator should keep ordinary users from using this account. As the saying goes, one should never intend to harm others, but one should never fail to guard against being harmed. If an employee who is dissatisfied with the company uses the root account to view files he or she has no permission to view, or to modify or delete them, losses may result, because the root account can perform such operations on any user's files. Therefore, in daily work, the system administrator must protect the password of the root account and must not disclose it. At the same time, when assigning accounts to employees, do not simply hand out the root account for convenience. Doing so does not save trouble; it only gives the system administrator more to worry about.

In short, the root account and an ordinary account are two fundamentally different kinds of account. The root account was originally set up for the administrator, not for ordinary users. For this reason, I strongly recommend that you set up a separate ordinary user on the Linux operating system, whatever the purpose. Even system administrators who work on the Linux system themselves should have an ordinary account for daily use. When they need administrator privileges, they can easily switch to privileged mode with the su command. In addition, try to set up different accounts for different employees and applications. Separate accounts give each of them a relatively independent working environment and reduce mutual interference. This is a common principle in Linux operating system deployment.

This article introduces the differences between privileged Linux accounts and common accounts.
