I. User management
1. Users
1) A user is identified by a token (its identity)
2) Linux users: username / UID
3) Administrator: root, UID 0
4) Ordinary users: UID 1 and above (the kernel uses 32-bit UIDs; useradd allocates inside the UID_MIN/UID_MAX range set in /etc/login.defs)
System users: 1-499 (CentOS 6), 1-999 (CentOS 7). Used to run daemons under a limited identity so they can reach only the resources they need.
Login users: 500+ (CentOS 6), 1000+ (CentOS 7). Interactive logins.
2. Groups
1) Linux groups: group name / GID
2) Administrators' group: root, GID 0
3) Ordinary groups:
System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login-user groups: 500+ (CentOS 6), 1000+ (CentOS 7)
3. Categories of groups
For each user, Linux groups fall into two categories:
Primary group:
Every user belongs to exactly one primary group (the GID field of its /etc/passwd entry)
When the group name equals the user name and the user is its only member, it is called a private group (useradd creates one by default)
Supplementary (secondary) groups:
A user may belong to zero or more supplementary groups, listed in the member field of /etc/group
4. Configuration files for users and groups
The main configuration files for Linux users and groups:
1) /etc/passwd: users and their attributes (name, UID, primary GID, home directory, login shell, etc.). World-readable.
pwconv moves the password hashes out of /etc/passwd into /etc/shadow, leaving an x in the password field
pwunconv reverses this and puts the hashes back into /etc/passwd. Avoid it: /etc/passwd can be read by every user, so the hashes become available for offline cracking.
2) /etc/group: groups and their attributes
3) /etc/shadow: user password hashes and their aging attributes. Readable only by root. Colon-separated fields:
Login name
Password hash (an empty field means no password is required; a leading ! marks a locked password; * or !! means no password has ever been set)
Date of the last password change, in days since 1970-01-01
Minimum number of days between password changes
Maximum number of days the password stays valid
Number of days before expiry on which the user starts being warned
Number of days after the password expires during which the user may still log in and change it; once that grace period passes the account is disabled (inactive)
Account expiration date, in days since 1970-01-01 (empty = never)
Reserved field
4) /etc/gshadow: group passwords and their attributes
vipw: edit /etc/passwd (takes a lock, so concurrent edits and useradd/usermod cannot corrupt the file)
vipw -s: edit /etc/shadow
vigr: edit /etc/group
vigr -s: edit /etc/gshadow
pwck // check the syntax and consistency of /etc/passwd and /etc/shadow
grpck // check the syntax and consistency of /etc/group and /etc/gshadow
5. Format of the group file
1) Group name
2) Group password: normally unused; if set, the hash lives in /etc/gshadow and this field holds x
3) GID: the group's numeric ID
4) Member list: users that have this group as a supplementary group (comma-separated; primary-group membership is recorded in /etc/passwd, not here)
6. Setting passwords
1) passwd [OPTIONS] USERNAME: change another user's password; root only
2) passwd: change your own password
3) Common options:
-l // lock the user's password (prefixes the hash in /etc/shadow with !)
-u // unlock the user's password
-e // expire the password, forcing a change at the next login
-n mindays // minimum password lifetime
-x maxdays // maximum password lifetime
-w warndays // start warning this many days before expiry
-i inactivedays // days after expiry before the account is disabled
--stdin // read the new password from standard input (Red Hat extension; keep the password out of the command line and shell history, e.g. pipe it from a file with restrictive permissions)
Note: -l only disables password authentication. SSH public-key logins still work for a locked user; to block all logins, expire the account (chage -E 0 USERNAME) or set its shell to /sbin/nologin.
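The aging options above only make sense once the /etc/shadow fields they set are understood, so here is an added example (not from the original notes) that decodes those fields and reports the state of each account: no password, locked, never set, account expired, change required at next login, password expired, or disabled after the inactivity grace period. The shadow lines and the hashes in them are constructed placeholders; the date is passed in as days since 1970-01-01, the unit /etc/shadow itself uses.

```shell
#!/bin/sh
# Added example: decode /etc/shadow aging fields and report account state.
# The shadow lines below are constructed; the hashes are placeholders, not real.
SAMPLE_SHADOW='root:$6$salt$placeholderhash:19700:0:99999:7:::
alice:$6$salt$placeholderhash:19680:0:90:7:::
bob:$6$salt$placeholderhash:0:0:90:7:::
carol:$6$salt$placeholderhash:19650:0:30:7:::
wang:$6$salt$placeholderhash:19500:0:90:7:14::
legacy:!$6$salt$placeholderhash:18000:0:90:7:::
svc-backup:*:18000:0:99999:7:::
guest::19600:0:99999:7:::
contractor:$6$salt$placeholderhash:19600:0:99999:7::19650:'

# shadow_report SHADOW_TEXT TODAY_DAYS: one STATUS:name[:detail] line per account.
# TODAY_DAYS is days since 1970-01-01; on a live host use $(( $(date +%s) / 86400 )).
shadow_report() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    NF < 9 { print "MALFORMED:" $1; next }
    {
        name = $1; pw = $2; last = $3; max = $5; inactive = $7; expire = $8
        # password field states (see the /etc/shadow field list above)
        if (pw == "")                { print "NO_PASSWORD:" name; next }
        if (pw == "*" || pw == "!!") { print "NO_LOGIN_PASSWORD:" name; next }
        if (substr(pw, 1, 1) == "!") { print "LOCKED:" name; next }   # passwd -l / usermod -L
        # whole-account expiry (field 8) wins over password aging
        if (expire != "" && expire + 0 <= today) { print "ACCOUNT_EXPIRED:" name; next }
        # passwd -e zeroes the last-change date: change required at next login
        if (last + 0 == 0) { print "MUST_CHANGE:" name; next }
        if (max == "" || max + 0 >= 99999) { print "NEVER_EXPIRES:" name; next }
        end = last + max                   # last day the password is valid (-x)
        if (today > end) {
            # -i: grace period after expiry; once it passes the account is disabled
            if (inactive != "" && today > end + inactive) print "INACTIVE_LOCKOUT:" name
            else print "PASSWORD_EXPIRED:" name
            next
        }
        print "OK:" name ":" (end - today)   # days left before the password expires
    }'
}

# On a live host (as root): shadow_report "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))"
shadow_report "$SAMPLE_SHADOW" 19700
```

Note the distinction the report makes between LOCKED (a ! prefix, which only blocks password authentication) and ACCOUNT_EXPIRED or INACTIVE_LOCKOUT, which stop every login method.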
7. User and group management commands
1) User accounts: useradd, usermod, userdel
2) Group accounts: groupadd, groupmod, groupdel
8. Switching users or running commands as another user
1) su USERNAME // non-login switch: keeps the current environment (working directory, PATH, variables)
2) su - USERNAME // login switch: starts a fresh login shell with the target user's environment
3) su - // login switch to root
4) su - USERNAME -c 'COMMAND' // run a single command as that user
When the current user is root, switching to another user requires no password; any other user must enter the target user's password (for root that means sharing the root password, which is why sudo is usually preferred).
II. File permissions
1. File permissions
1) File permissions are defined for three classes of subject: owner (u), group (g) and others (o).
2) For each class a file defines three permissions: r (readable), w (writable), x (executable).
3) On a file:
r: the content can be read with viewing tools (cat, less, etc.)
w: the content can be modified
x: the file can be handed to the kernel and started as a process
4) On a directory:
r: the names in the directory can be listed with ls
w: files can be created in or deleted from the directory (requires x as well)
x: the directory can be entered with cd and its entries' metadata read (ls -l); it is the permission to traverse the directory
X (capital, in chmod modes): sets execute only on directories and on files that already have an execute bit for some class; files with no x bit at all are left alone, so chmod -R a+X never turns plain data files executable
5) For files
r only: the user can read the content: cat, less, more, head, tail
w only: the user can modify the content but not read it (e.g. append with >>); editors that read the file first fail
x only: an ELF binary can still be executed (execve needs only x), but it cannot be read or copied; a script cannot run, because its interpreter must open and read it
rw: the user can read and modify: cat, less, more, head, tail, vim, nano, >, >>
rx: the user can read and execute the file
wx: the user can modify the file and, if it is a binary, execute it, but not read it; for a script this amounts to w only
Note: common permission sets for files are r--, rw-, rwx
6) For directories
r only: the user can list the file names in the directory (a short ls only; ls -l fails because stat on the entries requires x)
w only: nothing can be done; creating or deleting entries also requires x
x only: the user can enter the directory and access a child if its exact name is known and the child's own permissions allow it; the directory cannot be listed
rw: equivalent to r only
rx: the user can enter the directory and list it in long format
wx: the user can enter the directory and create and delete files in it, but cannot list it, so filename wildcards do not expand
Note: common permission sets for directories are r-x, rwx
7) Octal representation of file permissions
--- 000 0 (no permission)
--x 001 1 (execute only)
-w- 010 2 (write only)
-wx 011 3 (write and execute)
r-- 100 4 (read only)
r-x 101 5 (read and execute)
rw- 110 6 (read and write)
rwx 111 7 (read, write and execute)
For example, 640 = rw-r-----: the owner can read and write, the owning group can only read, and others have no access.
2. Modifying file permissions
1) chmod [OPTION]... OCTAL-MODE FILE...
-R: modify permissions recursively
2) chmod [OPTION]... MODE[,MODE]... FILE...
MODE:
To set all permissions of a class at once:
u= g= o= ug= a= (e.g. chmod u=rwx,g=rx,o= FILE)
To add or remove individual bits for a class:
u+ u- g+ g- o+ o- a+ a- (a bare + or - with no class means a, e.g. chmod +x FILE)
3) chmod [OPTION]... --reference=RFILE FILE...
Copy the permissions of RFILE onto FILE
3. Special permissions on Linux file systems
1) SUID: when the setuid bit is set on an executable binary, whoever runs it gets a process whose effective UID is the file's owner (for a root-owned file, root privileges). Every setuid-root binary is therefore part of the attack surface: keep the list short and audit it.
2) SGID: when the setgid bit is set on an executable binary, whoever runs it gets a process whose effective GID is the file's group.
When the setgid bit is set on a directory, files created inside it inherit the directory's group instead of the creator's primary group.
3) Sticky: when the sticky bit is set on a directory, a file in it can be deleted or renamed only by the file's owner, the directory's owner, or root (as on /tmp).
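Because every setuid or setgid binary runs with someone else's privileges, a standard hardening check is to inventory them and alert on additions. The functions below are an added example, not part of the original notes: they list such files under a directory with find and stat (GNU or busybox stat, since -c is not POSIX) and diff the result against a saved baseline. The demonstration directory and files are constructed; in production the tree would be / and the baseline would be kept where the audited host cannot modify it.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and diff against a baseline.
# Assumes GNU or busybox find and stat (stat -c is not POSIX).

# find_special_files DIR: one "<octal mode> <owner>:<group> <path>" line per
# regular file under DIR with the setuid (4000) or setgid (2000) bit set.
# -xdev stays on one file system so /proc, network mounts etc. are not scanned.
find_special_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U:%G %n' {} + 2>/dev/null | sort -k3
}

# compare_special_baseline DIR BASELINE_FILE: print lines of the current
# inventory that are not in the baseline. A new file, or an existing file whose
# mode or owner changed, shows up; an empty result means nothing changed.
compare_special_baseline() {
    find_special_files "$1" | grep -vxF -f "$2" || :
}

# Typical use on a host, run as root:
#   find_special_files / > /var/lib/suid-baseline.txt      # once, after install
#   compare_special_baseline / /var/lib/suid-baseline.txt  # from cron; alert if non-empty

# Demonstration on constructed files in a temporary directory:
demo_dir=$(mktemp -d)
touch "$demo_dir/setuid-bin" "$demo_dir/setgid-bin" "$demo_dir/plain"
chmod 4755 "$demo_dir/setuid-bin"; chmod 2755 "$demo_dir/setgid-bin"; chmod 755 "$demo_dir/plain"
find_special_files "$demo_dir"          # lists the two files carrying special bits
rm -rf "$demo_dir"
```

Recording owner and group alongside the mode matters: a setuid file that changes from root-owned to user-owned is harmless, while the reverse is a privilege-escalation path, and a mode-only baseline would not distinguish the two.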
4) Setting the special permissions
chmod u+s FILE / chmod u-s FILE // 4xxx
chmod g+s DIR / chmod g-s DIR // 2xxx
chmod o+t DIR / chmod o-t DIR // 1xxx
SUID and SGID together: 6xxx
SUID and sticky together: 5xxx
SGID and sticky together: 3xxx
All three: 7xxx
Note: in ls -l the special bit is shown in the x position of its class. It appears in lowercase (s, t) when the underlying x bit is set and in uppercase (S, T) when it is not, so an uppercase letter usually indicates a misconfiguration.
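To tie the octal table in 1.7) to the special bits and the s/S/t/T display rule above, here is an added example (not part of the original notes) that converts an ls -l permission string to its four-digit octal mode and back. It goes beyond the three-digit table by carrying the setuid, setgid and sticky bits in the leading digit; the sample modes it converts are constructed.

```shell
#!/bin/sh
# Added example: convert between the ls -l permission string and octal mode,
# including the setuid/setgid/sticky bits in the leading digit.

# mode_to_octal 'rwsr-xr-x' -> 4755. Lowercase s/t means the x bit is also set;
# uppercase S/T means the special bit is set without x.
mode_to_octal() {
    printf '%s\n' "$1" | awk '
    length($0) != 9 { print "invalid"; exit 1 }
    {
        special = 0; out = ""
        for (c = 0; c < 3; c++) {            # c = 0 owner, 1 group, 2 other
            seg = substr($0, c * 3 + 1, 3); v = 0
            if (substr(seg, 1, 1) == "r") v += 4
            if (substr(seg, 2, 1) == "w") v += 2
            x = substr(seg, 3, 1)
            if (x == "x" || x == "s" || x == "t") v += 1
            if (c == 0 && (x == "s" || x == "S")) special += 4   # setuid
            if (c == 1 && (x == "s" || x == "S")) special += 2   # setgid
            if (c == 2 && (x == "t" || x == "T")) special += 1   # sticky
            out = out v
        }
        print special out
    }'
}

# octal_to_mode 4755 -> rwsr-xr-x (three-digit input is treated as 0xxx)
octal_to_mode() {
    printf '%s\n' "$1" | awk '
    {
        m = $0; if (length(m) == 3) m = "0" m
        if (m !~ /^[0-7][0-7][0-7][0-7]$/) { print "invalid"; exit 1 }
        sp = substr(m, 1, 1); out = ""
        for (c = 0; c < 3; c++) {
            v = substr(m, c + 2, 1)
            out = out ((int(v / 4) % 2) ? "r" : "-") ((int(v / 2) % 2) ? "w" : "-")
            x = v % 2
            if (c == 0 && int(sp / 4) % 2)      out = out (x ? "s" : "S")
            else if (c == 1 && int(sp / 2) % 2) out = out (x ? "s" : "S")
            else if (c == 2 && sp % 2)          out = out (x ? "t" : "T")
            else                                out = out (x ? "x" : "-")
        }
        print out
    }'
}

mode_to_octal 'rwsr-xr-x'   # 4755
octal_to_mode 4644          # rwSr--r-- : setuid set, but the owner cannot execute it
```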
4. Access control lists
1) ACL: access control lists, for flexible rights management
2) Beyond the file's owner, owning group and others, permissions can be set for additional users and groups
3) On CentOS 7, XFS and ext4 file systems created by default support ACLs
4) Before CentOS 7, a manually created ext4 file system has no ACL support by default and it must be enabled:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt/test
5) ACL evaluation order:
owner > named ACL user > owning group and named ACL groups (when the user matches several group entries, access is granted if any one of them grants it) > other. Named user and group entries, and the owning group, are capped by the mask entry.
6) ACL commands
Grant rwx on files and directories to multiple users or groups
mount -o remount,acl /directory
getfacl FILE|DIRECTORY
setfacl -m u:wang:rwx FILE|DIRECTORY
setfacl -R -m g:sales:rwx DIRECTORY
setfacl -M file.acl FILE|DIRECTORY // read the entries to add from file.acl
setfacl -m g:salesgroup:rw FILE|DIRECTORY
setfacl -x u:wang FILE|DIRECTORY
setfacl -X file.acl DIRECTORY // read the entries to remove from file.acl
setfacl -m m:r-x FILE|DIRECTORY // set the mask, the upper bound for named users and groups; equivalent to chmod g=r-x
setfacl -d -m u:USERNAME:rwx DIRECTORY, setfacl -d -m g:GROUPNAME:rwx DIRECTORY // set default entries inherited by files created in the directory
setfacl -k FILE|DIRECTORY // remove the default ACL
setfacl -b FILE|DIRECTORY // remove all ACL entries
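The evaluation order in 4.5) and the mask in 4.6) are where ACL surprises come from: a user granted rwx by a named entry may still be unable to write because the mask caps it, and a named entry that denies is final even when other:: would allow. The functions below are an added example (not from the original notes or the acl package) that apply those rules to getfacl-style text: acl_effective annotates each entry with its masked rights, the way getfacl prints "#effective:", and acl_access answers allow or deny for a user, group list and permission. The getfacl output, users and groups are constructed.

```shell
#!/bin/sh
# Added example: evaluate POSIX ACL entries the way the kernel does.
# The getfacl output below is constructed for illustration.
SAMPLE_ACL='# file: project
# owner: root
# group: sales
user::rwx
user:wang:rwx
group::r-x
group:salesgroup:rw-
mask::r-x
other::---'

# acl_effective ACL_TEXT: re-print the entries, annotating named users, named
# groups and the owning group with their rights after the mask is applied
# (what getfacl shows as "#effective:"). Owner and other are never masked.
acl_effective() {
    printf '%s\n' "$1" | awk -F: '
    /^#/ || NF < 3 { next }
    $1 == "mask" { mask = $3 }
    { line[++n] = $0 }
    END {
        if (mask == "") mask = "rwx"          # no mask entry: nothing is restricted
        for (i = 1; i <= n; i++) {
            split(line[i], f, ":")
            if ((f[1] == "user" && f[2] != "") || f[1] == "group") {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr("rwx", j, 1)
                    eff = eff ((index(f[3], c) && index(mask, c)) ? c : "-")
                }
                print line[i] " #effective:" eff
            } else print line[i]
        }
    }'
}

# acl_access ACL_TEXT USER "grp1,grp2" PERM: print allow or deny for PERM (r, w or x).
# Order: owner, then a named user entry, then the owning group and any named
# group entries the user matches (allowed if any one of them grants it), then
# other. Once a class matches, later classes are not consulted, so a named user
# entry of --- denies even when other:: would allow.
acl_access() {
    printf '%s\n' "$1" | awk -F: -v who="$2" -v grps="$3" -v p="$4" '
    function has(perms, c) { return index(perms, c) > 0 }
    /^# owner: / { owner = substr($0, 10); next }
    /^# group: / { ogroup = substr($0, 10); next }
    /^#/ || NF < 3 { next }
    $1 == "user"  && $2 == "" { uperm = $3 }
    $1 == "user"  && $2 != "" { nuser[$2] = $3 }
    $1 == "group" && $2 == "" { gperm = $3 }
    $1 == "group" && $2 != "" { ngroup[$2] = $3 }
    $1 == "mask"  { mask = $3 }
    $1 == "other" { operm = $3 }
    END {
        if (mask == "") mask = "rwx"
        if (who == owner) { print (has(uperm, p) ? "allow" : "deny"); exit }
        if (who in nuser) { print ((has(nuser[who], p) && has(mask, p)) ? "allow" : "deny"); exit }
        matched = 0; granted = 0
        n = split(grps, g, ",")
        for (i = 1; i <= n; i++) {
            if (g[i] == ogroup) { matched = 1; if (has(gperm, p) && has(mask, p)) granted = 1 }
            if (g[i] in ngroup) { matched = 1; if (has(ngroup[g[i]], p) && has(mask, p)) granted = 1 }
        }
        if (matched) { print (granted ? "allow" : "deny"); exit }
        print (has(operm, p) ? "allow" : "deny")
    }'
}

acl_effective "$SAMPLE_ACL"
acl_access "$SAMPLE_ACL" wang wang w      # deny: user:wang grants w, but the mask r-x strips it
acl_access "$SAMPLE_ACL" li salesgroup r  # allow
```

On a real file, feed the functions the output of getfacl. The practical lesson is the one in the first acl_access call: after setfacl -m u:wang:rwx, a later chmod g=r-x (or setfacl -m m:r-x) silently reduces wang to r-x, and getfacl's "#effective:" column is the only place this shows.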