File permissions, users, and user group management in Linux

1. File Permissions

2. File and directory rwx permission description

• File rwx permissions:

R: Readable, with permission to read the contents of the file (), if no R,vi/vim editor prompts cannot be edited (can be forced to edit), echo can be appended or redirected.

W: writable, with permission to modify the contents of the file

X: Executable with permission to execute the file.

Need to satisfy: The file itself has the executable permission, the ordinary user also must have the R permission, the root user as long as x permission can execute. Executable files in Linux: *.sh *.py *.perl and so on.

• Directory rwx permissions:

R: Readable, view the directory under the file and sub-directory permissions, namely LS dir

If there is no X, you cannot enter the directory, that is, CD dir is not available, and if no x,ls can see all the file names, you will be prompted not to have access to the files in the directory.

W: writable, with the ability to modify, add, delete file names within the directory (requires X permission to mate)

X: Executable with permission to enter the directory. For example CD dir, but no r cannot list file or directory, no w cannot be modified, added, deleted

3, delete files (or modify the file name) is controlled by the permissions of the parent directory, and the permissions of the file itself, delete the file (or modify the file name) is in the upper directory of the operation of the file name and inode associated with the data, and therefore related to the parent directory permissions.

4, the process of reading/data/test

5. Common commands

Change file or directory user rights: chmod [numeric permission or character permission] [file name or directory name].

The Plus-R (recursive) means changing the permissions of files or subdirectories in the directory.

Digital permissions: R:4 w:2 x:1-:0

Character permissions: U: Owning primary g: Owning group O: Other person A: equivalent to Ugo +: Add permission-: Cancel Permission =: Cancel Other permissions add only given permission

Change file or directory owner: chown [option] [owner] [filename or directory name]

Option:-R to change the owner of the file or subdirectory in the specified directory.

Change a file or directory belongs to group: Chown: [Genus] [filename or directory name]

Change the owner and owning group of the file or directory: Chown user. user group [filename or directory name]

Change a file or directory belongs to group: chgrp [Options] [genus] [filename or directory name]

Option:-R to change the owning group of a file or subdirectory in the specified directory.

6. Default permission Assignment command: umask

Each Linux system terminal has a umask that can be used to determine the default permissions for newly created files or directories. Due to the creation of a file default permission in the System 666, create a directory default permissions 777, the permissions to open up a large, so after setting the Umask permission mask, the default file directory permissions minus the Umask value is the actual file directory permissions.

Umask altogether 4 digits, the first is used to define special permissions, and the second three bits represent the permission mask.

For Superuser, the default value for Umask is 0022, the superuser (user root and user group root) creates the directory default permissions: 777-022=755, creates the file default permissions: 666-022 = 644, is relatively secure permission.

For ordinary users, the default value of Umask is 0002, the normal user creates directory default permissions: 777-002=775, create file default permissions: 666-002=664.

Umask Set Value If there is an odd digit,777 (666)-umask, the corresponding odd bit plus 1, is the default permission to create a directory or file .

Umask Set value if all is even, 777 (666)-umask is the default permission to create a directory or file.

View umask values: umask

Change umask value: Umask-s [SetPoint] (temporary setting, invalid restart)

If it needs to be permanent, modify the/etc/profile or/ETC/BASHRC file and add umask [setpoint] to the end of the file. Both/etc/profile and/ETC/BASHRC can be used to automatically perform certain actions when a user logs on, except that/etc/profile is performed only when the user logs on for the first time, and/ETC/BASHRC is executed every time the user logs on to the bash shell. As a result, modifying/etc/profile can only take effect for newly created users,/ETC/BASHRC for all logged-in users.

7. Special privileges

• Special permissions for Linux files are used to compensate for the inability of general permissions to be implemented and are a special feature for file settings.

• Special permissions for Linux files:

SUID: Allows the performer to temporarily own the owner's permission (valid only for binaries that have execute permission x). s (with X), S (without x).

SGID: Allows the performer to temporarily have permissions for the group (for binary programs that have execute rights x set). s (with X), S (without x).

Mainly used in the directory, when a directory is set Sgid, the newly created file in the directory has the group permissions of the directory, making it easy to share directories among multiple users.

Sbit (Sticky Bit): Can only manage its own data and cannot delete other files (only valid for the directory). T (with X), T (when x is not).

• Settings for special permissions for Linux files:

SUID:4 SGID:2 sbit:1

Set Suid:chmod 4755 [filename or directory name] or chmod u+s [filename or directory name]

Set Sgid:chmod 2755 [filename or directory name] or chmod g+s [filename or directory name]

Set sbit (Sticky bit): chmod 1755 [directory name]

8. User and User group management

• User management:

  
  

Useradd: Creating users often involves changing the/etc/passwd/etc/shadow/etc/group/etc/gshadow file.

Userdel: Delete the user, often involves the change/etc/passwd/etc/shadow/etc/group/etc/gshadow file, Enterprise environment in cautious use userdel-r!!! .

USERMOD: Modifying user information often involves changing the/etc/passwd/etc/shadow/etc/group/etc/gshadow file.

PASSWD: Set or modify the password to change the/etc/shadow file.

Chage: Modify the password validity period and change the/etc/shadow file.

ID: View the user's uid,gid and the user group to which they belong.

W: View the logged in user and show what you are doing

Who: View logged in user

Last or Lastb: View logged in user history

Lastlog: View all users ' recent sign-in status

SU: Switching users

sudo: followed by a command that does not require a root password to perform permissions that can only be performed by Root. This permission can be achieved through the Visudo command ( recommended usage ) or by editing the/etc/sudoers directly (after configuring it with the Visudo-c check syntax).

Visudo: Edit sudo configuration file and perform visudo-c check after configuration.

In/etc/sudoers: The relationship between aliases and specific authorization configurations, generally applied to multiple system users, requires classification, hierarchical management, the following should be noted:

(1) The member under the command alias must be the absolute path of the file or directory;

(2) Alias name contains uppercase letters, numbers, underscores;

(3) A member under an alias must be separated by a semi-angular state "," and the member shall be valid;

(4) The alias member should correspond with alias one by one;

(5) Alias rules are in each unit of behavior, such as to be used to change lines to continue the line;

(6) Specify the user to switch to () in (), such as No () default root user, (all) represents the switch to all users;

(7) command without password to run directly, should add nopasswd: parameter;

(8) Prohibit some kind of command or program to run, add in front! , placed at the back of the command that is allowed to execute;

(9) The user group before the addition%;

• User Group Management:

  
  

Groupadd: Creating user groups often involves changing the/etc/group/etc/gshadow file.

Groupdel: Deleting a user group often involves changing the/etc/group/etc/gshadow file.

Groupmod: Changing user group information often involves changing the/etc/group/etc/gshadow file.

• User and group relationships: one-to-many, a-to-many, many-to-many.

• User Category:

Super User: Uid=0,root

Virtual User: uid=1-499, to meet the needs of file or service startup, generally cannot log on to the system.

Normal User: uid=>=500, created by a superuser or a user with superuser privileges.

• User-related files:/etc/passwd (requires familiarity with content)/etc/shadow/etc/group/etc/gshadow

/etc/skel: The directory used to store the new user profile, when the user is added, the new user's profile will be copied to the new Add user home directory, by default, all files in this directory are hidden files, by modifying, adding, deleting/etc/ Files under Skel: Provides a unified user environment for new users, and adds user logon information notifications.

For example, the terminal prompt displays the-bash-4.1

The reason is: the user home directory under the configuration file is missing. Root in/root below several configuration files are missing, missing files are as follows:

1,. bash_profile

2,. BASHRC These two files are user-required files.

Fix to re-copy these two files to/root:

cp/etc/skel/.bashrc/root/

cp/etc/skel/.bash_profile/root/

Log out of root and re-login to return to normal.

/etc/login.defs: Used to define some user configuration information needed to create a user, such as: Create a user's home directory, the scope of the UID and GID, the expiration date of the user's password. (generally no modification required)
/etc/default/useradd: The default configuration information when adding a user.

Enterprise Environment:

(1) password requires more than 8 alphanumeric special characters complex combination; Large enterprise user password using LDAP (equivalent to Active Directory, OPENLDAP) for Linux users unified authentication, batch management , dynamic password, dynamic passwords.

(2) The enterprise environment to delete users, if not sure if there is no important data do not delete the user home directory (with caution with userdel-r), generally through the vi/etc/passwd commented out to delete the user, observe one months, no exception to delete; or change the login shell to/sbin/ Nologin, or openldap management, delete the user in the LDAP library.

9, Chattr, lsattr

• chattr: Commands are used to change file or directory properties, modifying a property with the chattr command can improve the security of the system, but it is not suitable for all directories. The CHATTR command cannot protect/,/dev,/tmp,/var directories.

These two commands are used to view and change the file, directory properties, compared to chmod this command, chmod just change the file read and write, execute permissions, the more underlying property control is changed by Chattr.

        such as:     chattr +i    /etc/resolv.conf      # Use the chattr command to prevent a key file in the system from being modified:

Parameters:

-R                    : recursive processing, all the text in the specified directory and sub-directories are processed together.

-v< version number >: Set the file or directory version.

v                  : Show instruction execution process.

+< properties >          : Opens the Item property of the file or directory.

-< properties >          : Close the Item property of the file or directory.

=< properties >         &NBSP;: Specifies the property of the file or directory.

1. A: You can only append content to a file or directory.

2. B: Do not update the last access time of the file or directory.

3. C: Compress the file or directory and store it.

4. D: Exclude files or directories from dumping operations.

5. I: Do not alter the file or directory arbitrarily.

6. S: Privacy delete files or directories.

7. S: Update files or directories instantly.

8. U: Prevent accidental deletion.

• Lsattr: Displays the file properties set by the Chattr command.

lsattr [-adlrvv][file or directory ...]

Parameters:

• -a displays all files and directories, including "." Additional built-in for the name of the beginning character, current directory "." With the upper directory "...".

• -D Displays the directory name, not its contents.

• -L This parameter does not currently have any effect.

• -R recursively handles all files and subdirectories under the specified directory.

• -V Displays the file or directory version.

• -V Displays version information.

File permissions, users, and user group management in Linux