[Linux 004]--users and user groups and Linux Rights Management (II)


to the permission. The previous section, on Linux users and user groups, was really about rights management too: users and groups exist in the first place to make managing permissions convenient. How important permissions are to a computer is self-evident; they let each user work in peace without worrying about other users destroying their resources. If Lao Wang next door has a key to your home, that is pretty annoying; if Lao Zhao, Lao Li, Lao Zhang and everyone else also have one, it is even more annoying. Linux is a multi-user system, so rights management is critical.

1. Linux file permission rules

As mentioned earlier, Linux requires every file to have three sets of permissions: the permissions of the file's owner, the permissions of the group the file belongs to, and the permissions of other users. You can view the permissions of a directory or of a single file with the ll command:

[screenshot: output of ll, with the permission column boxed in red]

In the area marked with the red box, everything except the first character is the file's permission information. The first character indicates the type of file: directory, regular file, link, and so on. The remaining characters are grouped in threes, representing the owner's permissions, the owning group's permissions, and other users' permissions (I don't want to type those words again).

2. How permissions are represented

Each class of user has three permissions on a file: read (r), write (w) and execute (x); a permission that is not granted is shown as -. So each user's permission on a file is an arrangement of these four symbols:

      • ---: no permissions
      • --x: execute only
      • -w-: write only
      • -wx: write and execute only
      • r--: read only
      • r-x: read and execute only
      • rw-: read and write only
      • rwx: read, write and execute

If we use binary 1 and 0 to indicate that a permission is present or absent, the permissions above can be written as:

      • 000: no permissions
      • 001: execute only
      • 010: write only
      • 011: write and execute only
      • 100: read only
      • 101: read and execute only
      • 110: read and write only
      • 111: read, write and execute

Clever you may say: what kind of nonsense is this, binary? Decimal is the number system of civilised people; can you change it to decimal? OK:

      • 0: no permissions
      • 1: execute only
      • 2: write only
      • 3: write and execute only
      • 4: read only
      • 5: read and execute only
      • 6: read and write only
      • 7: read, write and execute

Surely this is fine now! But clever you say: there are only eight numbers in total, why call it decimal, let's call it octal! :) Fine, I won't write the list out again, because for these values the decimal and octal digits are identical.

Now we know that every permission set can be represented by an octal digit between 0 and 7. Isn't that more convenient than r, w, x and -?

At this point clever you raise a question: so many numbers, each meaning something different, that is too much trouble to remember! Worse, it is easy to remember them wrong, and we programmers are lazy by nature! Is there a happier way?

Honestly: no! But let's at least talk about a slightly happier way to memorize the permission numbers :)

If we pull out just the numbers for read only, write only, execute only and no permissions, we get:

      • 0: no permissions
      • 1: execute only
      • 2: write only
      • 4: read only

Did you notice? 3, 5, 6 and so on are all obtained by adding the numbers 0, 1, 2 and 4 above, with a minimum of 0 and a maximum of 7. So 3 = 1 + 2 means write and execute only; 5 = 4 + 1 means read and execute only, and so on.

Have you finally memorized the permissions? Then let's happily chmod 777. Huh? What on earth is chmod? chmod is our ultimate command for modifying permissions, but before we talk about it we should first talk about the owner of a file and the group it belongs to (yuck!).

3. The owner of the file

Back to the file details that ll lists for the directory:

[screenshot: output of ll, with the owner and group columns boxed]

The boxed part shows the owner of the file and the group the file belongs to. To avoid such a mouthful, we will call the former the file's owner and the latter the file's owner group. By default, the owner of a file is the user who created it, and the owner group is the primary group of the owner. Since no primary group was specified when the user charley was created, its primary group is the default, charley; if charley's primary group were changed to handsome, the box would read: charley handsome.

We said that in Linux everything can be changed, so can the owner and owner group of a file be modified? Next up is root, the king who can change anything, even to the point of destroying himself.

4. Modify the owner and owner group of the file (root only)

The root user changes the owner and owner group of a file with two commands: chown and chgrp.

      • chown USERNAME file1 file2 file3 ...: change the owner of one or more files at once
      • chown -R USERNAME DIR: recursively change the owner of all files under the directory
      • chown --reference=PATH file1 file2 ...: change the owner information of the files to match PATH
      • Note: --reference modifies the owner and owner group together
      • chown --reference=PATH -R DIR: recursive reference
      • chown USERNAME:GROUPNAME FILE / chown USERNAME.GROUPNAME FILE: change owner and owner group at the same time
      • chown :GROUPNAME FILE / chown .GROUPNAME FILE: change only the owner group

OK, we're done. What? We haven't said anything about chgrp? It is used just like chown, but only modifies the owner group; since chown can change the owner and the owner group at the same time, I personally use chown more.

5. chmod: modify file permissions

The way chmod modifies permissions is simple: chmod MODE file1 file2 ...; the general usage is consistent with chown.

      • chmod u=rx FILE: set the owner's permissions
      • chmod g=rwx FILE: set the owner group's permissions
      • chmod u=rx,g=x FILE: set the permissions of the owner and the owner group at the same time
      • chmod o= FILE: set other users' permissions (here, to none)
      • chmod [u|g|o][+|-]MODE FILE: add or remove permissions for one class of users
        • chmod u+x,g-w FILE
      • chmod MODE FILE: set permissions with an octal permission value
        • chmod 775 FILE
        • chmod FILE

I personally prefer the last way of modifying permissions.

6. Create a user by modifying the configuration files

Do you remember useradd -M USERNAME? This command creates a user but does not create the user's home directory. If we want to create the home directory manually, we need to copy the files in /etc/skel to the corresponding directory and then give that directory to the user. Let's look at what is in /etc/skel:

[screenshot: contents of /etc/skel]

The boxed part is what we need to copy when creating the home directory manually; the names tell us these files are related to bash. They will be explained in more detail later.

In addition, we know that /etc/passwd and /etc/shadow hold user information, so when adding a user manually we also have to write to these two files (the same goes for creating groups). Here are the steps in brief:

      • # nano /etc/passwd
      • # nano /etc/group
      • # nano /etc/shadow
      • # cp -r /etc/skel /home/fish
      • # chown -R fish:fish /home/fish
      • # chmod -R go= /home/fish

The user is now basically created; next comes the password:

      • # passwd fish --- the password field is not stored in plain text; /etc/shadow holds the encrypted (hashed) value, so if we write it by hand we need the encrypted password
      • openssl passwd, then enter the password. The result is the encrypted value, but it has no salt, which is not good
      • openssl passwd -1 -salt 'memeda' (-1 selects MD5 encryption, -salt adds a salt)
      • Paste the generated string into /etc/shadow

Done! You see, isn't root handsome and dashing.
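As an added example (not from the original post), here is the hand-made shadow entry described above done as a small script: it generates the salted hash with openssl passwd, checks that the hash really verifies before anything is written, and builds the full nine-field /etc/shadow record. It uses SHA-512 crypt ($6$) by default instead of the post's MD5 crypt ($1$), which is no longer considered adequate; the user name, password and salt are constructed sample values.

```bash
#!/bin/bash
# Added example: generate, verify and format a salted /etc/shadow password hash.
# shadow_hash PASSWORD SALT [SCHEME] -> crypt(3) string
#   SCHEME 6 = SHA-512 crypt (default), 1 = MD5 crypt (the post's "-1")
shadow_hash() {
    openssl passwd -"${3:-6}" -salt "$2" "$1"
}

# verify_hash PASSWORD HASH -> 0 if PASSWORD reproduces HASH.
# The hash carries its own scheme and salt ($SCHEME$SALT$digest), so we
# recompute with the same ones and compare: this is how login checks a password.
verify_hash() {
    local scheme salt
    scheme=$(printf '%s' "$2" | cut -d'$' -f2)
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    [ "$(shadow_hash "$1" "$salt" "$scheme")" = "$2" ]
}

# shadow_line USER HASH -> the nine-field /etc/shadow record:
# name:hash:lastchange(days since epoch):min:max:warn:inactive:expire:reserved
shadow_line() {
    printf '%s:%s:%s:0:99999:7:::' "$1" "$2" "$(( $(date +%s) / 86400 ))"
}

# Constructed sample values (not real credentials)
USER_NAME=fish
PASSWORD='Sample-Pa55word'
SALT='memeda'

hash=$(shadow_hash "$PASSWORD" "$SALT")
verify_hash "$PASSWORD" "$hash" && echo "hash verifies"
verify_hash 'wrong' "$hash" || echo "wrong password rejected"
echo "new record: $(shadow_line "$USER_NAME" "$hash")"
# The post's MD5 variant, shown only for contrast with the SHA-512 one above:
echo "md5 variant: $(shadow_hash "$PASSWORD" "$SALT" 1)"
```

To install the record, chpasswd -e (which reads name:hash pairs) avoids editing /etc/shadow in a text editor.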

There's one more question.

/etc/shadow stores the users' password information, so what are the permissions of this file? ll shows: 400. Even root has only read permission; that means nothing to root, who can change anything anyway. But what about other users? If other users have no write permission, how do they change their passwords? An ordinary user runs passwd, which starts a passwd process owned by that ordinary user, and such a process cannot modify /etc/shadow. Yet ordinary users obviously can change their own passwords, so the answer must lie in the passwd command itself.

ll `which passwd` shows that the permissions of the passwd command are: rwsr-xr-x. That s is what lets ordinary users change their passwords: it is a special permission (setuid) that makes the program run with the privileges of its owner, root, so a user can modify their own password through passwd.

7. Permissions again

There is a question we have not thought about yet: what is the difference between the default permissions of a file created by an ordinary user and one created by the administrator? Let's look at the command line. First the ordinary user:

[screenshot: file created by an ordinary user]

Next, the root user:

[screenshot: file created by root]

As you can see, a file created by an ordinary user gets the default permissions 664, while a file created by the administrator gets 644. The two differ.

So what decides the default permissions of a newly created file?

There has to be something. That something is the umask (a reverse mask), which can be viewed in bash; the default umask for ordinary users is 0002 and for root it is 0022. The default permission of a user-created file equals the system's maximum default permission minus the umask.

Files created in Linux have no execute permission by default, so the maximum default permission for a file is 666. Now we know why a file created by the administrator gets 644 and a file created by an ordinary user gets 664.

And what about directories? The maximum default permission for a directory in Linux is 777, so ordinary users create directories with default permissions 775 and administrators with 755.

8. Modifying umask

Since umask has a default value, can we modify it? Certainly. Just run umask NEWVAL. This change is only valid for the current login. Let's look at the result after changing it:

[screenshot: file created after changing umask to 023]

Yes, done!

Clever you immediately shout back: wait, hello, something seems off. The permissions are still 644, the change didn't work! In fact it did work, but the system quietly changed the result once more for us.

In theory our permissions should be 666 - 023 = 643, so why still 644? Because Linux is stubborn: it insists that a newly created file must not have execute permission by default, so when it sees that the file created after we modified umask would have an execute bit, it silently adds 1, doing good deeds without taking credit.
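The "adds 1" story is the intuitive view; what the kernel actually does is apply umask as a bit mask, mode = base & ~umask, with base 666 for files and 777 for directories, so clearing the execute bit in a value that never had it changes nothing and 023 yields 644 directly. The added example below (not from the original post) computes the default mode both ways and checks the formula against real files and directories created under a temporary directory.

```bash
#!/bin/bash
# Added example: how umask really produces default permissions.
# The kernel applies umask as a bit mask, mode = base & ~umask,
# where base is 666 for files (never an execute bit) and 777 for directories.

# default_mode UMASK KIND -> the mode a new file/dir gets (3 octal digits)
default_mode() {
    local base
    [ "$2" = dir ] && base=777 || base=666
    printf '%03o' $(( 8#$base & ~8#$1 ))
}

# subtract_mode UMASK KIND -> the naive "base - umask" of the post; it agrees
# with default_mode only while umask clears no bit that base lacks.
subtract_mode() {
    local base
    [ "$2" = dir ] && base=777 || base=666
    printf '%03o' $(( 8#$base - 8#$1 ))
}

# observed_mode UMASK KIND -> create a real file/dir under a temp dir with that
# umask (in a subshell, so the caller's umask is untouched) and read back
# its permission bits, so the formula can be checked against the kernel.
observed_mode() {
    local tmp
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        f="$tmp/probe"
        if [ "$2" = dir ]; then mkdir "$f"; else : > "$f"; fi
        stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f"   # GNU, then BSD stat
    )
    rm -rf "$tmp"
}

for u in 002 022 023 027 077; do
    printf 'umask %s: file %s (naive %s)  dir %s (naive %s)  observed file %s\n' \
        "$u" "$(default_mode "$u" file)" "$(subtract_mode "$u" file)" \
        "$(default_mode "$u" dir)" "$(subtract_mode "$u" dir)" \
        "$(observed_mode "$u" file)"
done
```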

With that, the permissions part is finished; one last bit remains.

As mentioned above, modifying umask is only valid for the current login; log out and back in and umask resets to the default. How do we make the change stick?

9. Linux login mechanism

Let's roll out Second Battalion Commander's Italian cannon and grind through the last piece of content. Shells can be divided into two types:

      • Login shell
      • Non-login shell

The following cases are login shells:

      • An ordinary user logs in through a terminal
      • The administrator switches to an ordinary user with
        • su - USERNAME
        • su -l USERNAME

The following cases are non-login shells:

      • Opening a command window in a graphical terminal
      • Shell scripts that are executed automatically
      • su USERNAME (note: no - or -l)

The main difference between a login shell and a non-login shell is which configuration files are read at startup. There are two kinds of configuration files: global profiles and personal profiles. As the names imply, a global profile takes effect for all users, while a personal profile only takes effect for one specific user. Global configuration files live in /etc; personal ones live in ~. There is also a copy in /etc/skel: a new user gets the configuration files copied from /etc/skel into their home directory by default, so every user starts with the same configuration.

Global configuration files:

      • /etc/profile
      • /etc/profile.d/*.sh
      • /etc/bashrc

Personal configuration files:

      • ~/.bash_profile
      • ~/.bashrc

So the configuration files fall into two camps: the profile camp and the bashrc camp. Let's see what each is for:

profile configuration files:

      • Setting environment variables
        • To create variables for all users, modify /etc/profile or create any file ending in .sh under /etc/profile.d/ and put the environment variable there.
        • To configure environment variables for a single user, edit ~/.bash_profile
        • If both are set, ~/.bash_profile wins
      • Running commands or scripts (such as start-up tasks or a login greeting)

bashrc configuration files:

      • Setting local variables
      • Defining command aliases

A login shell reads its configuration in this order: /etc/profile -> /etc/profile.d/*.sh -> ~/.bash_profile -> ~/.bashrc -> /etc/bashrc

A non-login shell reads: ~/.bashrc -> /etc/bashrc -> /etc/profile.d/*.sh

Clearly a non-login shell does not read /etc/profile or ~/.bash_profile, so the configuration a user sees after su and after su - is inconsistent. su is also called a half switch; su - (su -l) is called a full switch.

Now we understand that the command aliases, local variables and so on that we define need to be written to a configuration file (global or personal), and that if a setting should apply only to login shells and not to non-login shells, it has to go into /etc/profile or ~/.bash_profile.

10. Summary

This article mainly introduced Linux permission management: how permissions are represented, how to modify permissions, how to modify a file's owner and owner group, and the umask. Finally it introduced the Linux shell configuration files, both global and personal, and the difference between login shells and non-login shells.

Thanks for reading.

Please credit the source when reposting: http://www.cnblogs.com/charleylla/p/5980300.html
