Linux User and Rights Management look, you're going to use it.

Objective

Only a bald head can become stronger.

Review Front:

• After reading this Linux basic operation will be

Did not think of the last one can be in the knowledge of the thousand praise Ah, Linux is also the final exam, and half a month did not write the article. This article mainly on the Linux users and Permissions knowledge point to clean up again.

Then let's start, if the article has the wrong place please forgive me, not hesitate to comment on the area Oh ~

First, the user under Linux

Linux is a multi-user system that allows multiple users to log in at the same time linux~

• The account is essentially a user's identity on the system.

The accounts in Linux include

• User account
  • Normal user account : The task on the system is to do normal work
  • Superuser Account (or Administrator account): The task on the system is to manage the general user and the entire system.
• group Accounts (Group is a collection of users)
  • Standard Group: A standard group can accommodate multiple users
  • Private group: Only users in private groups

When a user belongs to more than one group , the groups are divided into

• Primary Group (initial group): the group when the user logs on to the system.
• additional groups : Other groups that can be toggled after logging in

It also says that the account is essentially the user's identity on the system, which is saved with a file :

• User name and UID are saved in /etc/passwd file, file permissions(-rw-r--r--)
• Groups and GID are saved in the /etc/group file, file permissions(-r--------)
• User password (password) is saved in /etc/shadow file, file permissions(-rw-r--r-- )
• The group password is saved in the /etc/gshadow file, the file permissions(-r--------)

That is to say: we create the user, the user's information is saved by different files .

With the above knowledge point, let me briefly describe what happens when you create a user:

• The user name and UID are stored in /etc/passwd this file, and the user's password is usually shadow passwords protected
• When the user logs in, they are assigned a home directory and a running program (usually the shell)
• If you do not specify the group to which he belongs, Rhel/centos creates a private group with the same name as the user, and the user is assigned to this private group

Again, the account is essentially the user's identity on the system, which is saved with a file . In other words: we can Edit and modify the system account file directly to maintain the account .

• However, it is not recommended to do this, and if you explicitly want to do this, it is a good idea to use commands to check your editing syntax for problems:
  • pwck: Verify the integrity of user account files and authentication information. This command detects the “/etc/passwd” “/etc/shadow” correct format and value of the field in each line of the file and
  • grpck: Verify the integrity of the group account files and authentication information. This command detects the “/etc/group” “/etc/gshadow” correct format and value of the field in each line of the file.

Since we do not recommend the way to directly edit the file to manage users, then Linux is sure to have ready-made commands for us to use:

1.1 Commands for managing Linux users

User Management :

• useradd
• usermod
• userdel

Group Management :

• groupadd
• groupmod
• groupdel

managing users in bulk :

• Batch Add/update a group of accounts:newusers
• Batch update user's password:chpasswd

Group member Management :

• Add users to a standard group
  • gpasswd -a <用户账号名> <组账号名>
  • usermod -G <组账号名> <用户账号名>
• Remove a user from a standard group
  • gpasswd -d <用户账号名> <组账号名>

Password Maintenance (Disable, recover, and delete user passwords):

• Set User password :
  • passwd [<用户账号名>]
• Disable user account password
  • passwd -l <用户账号名>
• View user account password status
  • passwd -S <用户账号名>
• Restore user account password
  • passwd -u <用户账号名>
• Clear user account password
  • passwd -d <用户账号名>

Password aging Settings :

• Modification /etc/login.defs of related configuration parameters

Set password aging for existing users :

• chageCommand

User Switch Command :

• su
  • Switch directly to Super User
• sudo
  • Execute system administration commands directly using the sudo command prefix. Do not need to know the superuser password when executing the system administration command, use the ordinary user's own password

More Information Enquiry:

• Https://www.cnblogs.com/slgkaifa/p/6852884.html--linux the difference between the Su and sudo permissions

user-related commands :

• id: Displays the user's current UID, GID, and list of groups to which the user belongs
• groups: Displays a list of groups to which the specified user belongs
• whoami: Displays the name of the current user
• w/who: Displays logged in user and related information
• newgrp: Used to convert the user's current group to the specified group account, the user must belong to the group to execute the command correctly

1.2Linux User's Exercises

Using the Cat command, observe the following files:/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow; show useradd command Add default values for user parameters

Set up Linux account Jkxx (xx is the last two students), ask the user group for users, and set the password, observe the changes of/etc/passwd and/etc/shadow files; exit the root account, log in with the JKXX account, Create a Myfirst file in its home directory and list the Myfirst file in a long format

Log in with root account, add group JSJ, set user jkxx as JSJ group user, observe/etc/passwd,/etc/group and/etc/gshadow file changes

Add a new user Airxx (xx is the student number at the end of two), observe the user ID and group ID of the new user airxx, and then delete the user, take care not to add the option in the command, observe the changes of user files and group files, observe the Airxx user's directory exists;

The password in the shadow file is * number and!! What does it mean?

A: On behalf of the * account is disabled, on behalf of the ！！ password lock.

What is the AIRXX user group ID? What type of group is this group? What is the benefit of doing this?

A: The AIR08 user group ID is 501 and this group belongs to the private group. Each user who does not specify a group creates a group with the same name, which is called a private group, and only one user can help prevent information disclosure and also help prevent unreasonable authorization. In short, it is beneficial to safety management.

What is the benefit of deleting a user by default but retaining the user's home directory?

A: Keep the user directory, prevent the user directory of valuable information mistakenly deleted.

With the cat command, observe the file/etc/passwd; In the format of the passwd file, edit a new file with VI, the file name is Userxx (xx is the last two students), the file includes 3 records, the user name is Jkxx (XX for the students to study number two), Peter, Jason, whose user ID is greater than 1000 and the group ID is greater than 1000, requires Peter and Jason to be in the same group; Use the command newusers to generate users in batches based on the contents of the file Userxx; observe changes in/etc/passwd files.

Using the Cat command, observe the file/etc/shadow; Edit a new file with VI, the file name is Mimaxx (xx is the student number two), the file contains 3 records, each record user name and previous step requirements of the same, password self-set, user name and password by colon: separated Using command chpasswd to generate passwords in batches based on the contents of the file Mimaxx, observing/etc/shadow changes of the files, and using the command chpasswd-m batch generate passwords again to observe file/etc/shadow changes;

Exit the root account and log in with the JKXX account. Exit the JKXX account, return to the root account, observe the/etc/shadow file, lock the user jkxx with the passwd command, observe the/etc/shadow file changes, and then exit the root account and log in with the JKXX account, is it successful?

Use the Chage command to view the time settings of the Peter account, reset the time of the Peter account, require that the password cannot be changed within two days, and the maximum lifetime of the password is 90 days, and notify the user 5 days before the password expires, password expiration 7 days To view the time settings of the Peter account again with the Chage command

Log in with the root account, switch to the Jason account with Su, enter the user's home directory with a CD, create a new file ABC, list the ABC file in a long format, and observe the properties of the user and group of the file

What happened to the shadow file after the account was locked?

A: Lock the account's password before it locks the logo!!

After switching users with Su, which user does the new file file belong to?

A: The new file belongs to the user after the switch.

Two times Execute CHPASSWD command, is the result the same? Encryption algorithm MD5 and SHA512 which is more secure?

A: Two execution chpasswd command results are different, the default is the SHA512 encryption algorithm, the-m option, the use of MD5 encryption algorithm, sha512 more secure, because the length of the encryption information longer, crack calculation is large.

The establishment of three ordinary user accounts, the requirements are as follows: The user name is Jkxx (XX for the students at the end of the two), Peter,jason, where Jkxx and Jason are the same ordinary group members; observe/etc/passwd file changes. Add the root group to the JKXX account;

Practice the id,groups,whoami,who command separately, display the current account information, switch to the JKXX account with the SU Command, practice the id,groups,whoami,who command separately, and display the current account information. Use NEWGRP to switch the group of JKXX account, practice the id,groups,whoami,who command respectively, display the current account information

II. Rights Management

Linux is a multi-user operating system that allows multiple users to log on and work on the system at the same time. In order to ensure the security of the system and users, Linux naturally has its own set of rights management mechanism!

Believe that the use of Linux students in the Search Folder files often used ls -l by the command, will come out a large string of data. Can you read the data?

For example:

    drwxr-xr-x   3  osmond   osmond    4096  05-16 13:32   nobp

It's actually very simple:

In fact, we look at the authority is to see drwxr-xr-x such a string of things, it seems very complex, but not, a bit can be understood. Let's break it down:

Each of these 9 characters is set in 3 groups and consists of 3 sets of permission controls

• First set of control access rights for file owners
• Second set of control access rights for other members of the user group that owns the owner
• Third set of control system access rights for other users

rwx stands for the meaning of the distinction:

See here, if you understand the front, drwxr-xr-x so a bunch of things I think you can easily understand:

• D is a folder, followed by 9 letters, each 3 is divided into a group, the - number indicates No. Then the permissions for this folder are:
  • Readable and writable for the current user, readable executable for the same group of users, readable executable for other users

Isn't it simple?? r-read,w-write,x-execute, very well understood.

For these rwx commands for convenience can also be converted to octal data to express, I believe that you read the following demo also know that this is actually the case:

priority order of permissions :

• If the UID matches, the user's owner permission is applied
• Otherwise, if the GID matches, the group permission is applied
• If they do not match, apply other user (other) permissions
• Superuser Root has all the privileges without special instructions

2.1 Common commands for managing Linux permissions

• chmod
  • Change permissions for a file or directory
• chown
  • Change the owner of a file or directory
• chgrp
  • Change the group to which a file or directory belongs
• umask
  • Set the default build mask for a file

Example:

2.2 Permissions Extension Knowledge

The Umask attribute is mentioned above, which is used to do something like this: The default build mask tells the system what permissions should not be given to a file or directory when it is created.

• The default value of Umask is 022, so let's take a look at the following example to understand:

In addition to the permissions described above, Linux provides three special privileges :

• SUID: Run with the permissions of the owning user of the command, not the command performer's permissions
• SGID: Use the group permissions of the command to run .
• Sticky-bit: Files in the directory can only be deleted by the owning user and root user of the file .

They are expressed in the following way:

• Suid and Sgid are represented by S; sticky-bit is denoted by t
• The suid is occupied by the owner's x position to represent
• Sgid is the x position of the occupied group to represent
• Sticky-bit is the x position of the other person to represent

For example, drwxrwxrwt 5 root root 4096 06-18 01:01 /tmp it has sticky-bit permissions. -rwsr-xr-x 1 root root 23420 2010-08-11 /usr/bin/passwdit has suid permissions.

Suid,sgid,sticky-bit also have the representation of numbers:

Examples of Use:

There are a number of security features in the Linux kernel. The extended properties of the Ext2/3/4 file system (Extended Attributes) can protect the system to some extent

Common Extended Properties:

• A (Atime): tells the system not to modify the last access time for this file.
  • using the A property can improve some performance .
• S (Sync): Once the application has written to this file, the system immediately writes the result of the modification to the disk.
  • using the S attribute maximizes the integrity of the file .
• A (Append only): The system only allows appending data after this file, and does not allow any process to overwrite or truncate the file. If the directory has this attribute, the system will only allow the file to be created and modified in this directory, and no files are allowed to be deleted.
• I (immutable): The system does not allow any modifications to this file. If the directory has this attribute, then any process can only modify files under the directory, not allow the creation and deletion of files.
  • The a attribute and the I attribute have great advantages in improving the security of the file system and ensuring the integrity of the file system .

Common Commands :

• Show Extended Properties:lsattr [-adR] [文件|目录]
• To modify an extended property:chattr [-R] [[-+=][属性]] <文件|目录>

2.3 Rights Management Exercises

Log in with the root account, create a file Aaaxx (xx for the student number of the last two), with a long format to view the permissions of the file, with the chmod command, the text setting method, to Aaaxx files in the same group to add write properties, observation results; with chmod command, digital setting method, Set permission to Aaaxx file to 766, observe the result;

Switch to the Peter account to see what the current umask is, observe the results; Create a directory foldxx (xx is the last two students), view its permissions; Create a new file BBB, view its permissions, change the unmask to 066, create a new file CCC, view its permissions

Switch to the JKXX account, create a file myfile, observe its properties, change the file MyFile group attribute to root with chgrp, and try to change the file myfile the main attribute to root, OK? Switch to root account, change file MyFile main attribute to root, observe the result

What does the digital setting 766 mean for file permissions?

A: 766 represents the file permissionrwx-rw-rw-

Why is the owner of the JKXX account changing the file myfile failed?

Answer: Because Chown can only be used with the root account

Does umask have the same effect on the newly created file attributes as 022 and 066? Why?

A: Of course, the impact is different, umask defines the default should not get permission, 066:022 converted into a binary number, more than two limit bit.

Log in as root account, copy the/usr/bin/dir file to the user's home directory, in a long format, set the file Suid and Sguid to 1, in a long format; switch the account to JKXX, run the copied file Dir (note that the files under the current path are taken with the path, for example. DIR);

Switch to the JKXX account, go to the/tmp directory, set up the folder Myfold, the folder Myfold permissions is 777, and Sgid and Sticky-bit are 1, listed in long format, observe myfold properties; Enter Myfold, create new file AAA, Set properties for anyone readable and writable, listed in long format; switch to Jason Account, go to/tmp/myfold directory, delete AAA file, can delete?

Root account, enter the user home directory, create a file BBB file, view the extended properties of the file, add extended attribute I to the file BBB, and then try to delete the file, whether it succeeds, how to delete it, create a CCC file, add extended attribute A to the file CCC, use a long format list/ Bin directory and redirect output to CCC file, observe the change of CCC file length, use the long format list/etc directory, and redirect output to CCC file, whether successful

Switch to JKXX account, create a directory in the/tmp directory myshare, getfacl view myshare directory file access control table; Set MyShare folder for Jason User Rights rwx, view file access control table changes; switch to Jason account , enter the MyShare file to create the file yyy, whether successful; switch to the Peter account, enter the MyShare file to create the file zzz, is it successful, why?

Myfold directory, why can't Jason account delete a file that anyone can read and write?

A: Because the file is located in the folder Myfold by its owner jk08 set the Stickybit bit, all the files under the folder, only the file owner, and the root user can be deleted.

Why is the Peter account not able to create files in the MyShare folder?

A: Because the MyShare folder belongs to the jk08 user, only jk08 has rwx permissions on the directory. In addition, Facl is used to give Jason users rwx access to the directory; Peter is neither the owner of the folder nor the RWX permission in Facl, and according to the permission settings, Peter has only the RX permission for that folder. Therefore, the file cannot be created.

After adding the extended attribute A, the output to the CCC file with redirection may fail, how can the output be successful?

A: You should use an append-mode redirect >>, and you can add content at the end of the file to conform to the security requirements of file extension attribute a.

Iii. Summary

This article mainly summarizes the Linux operating user and permissions Knowledge ~ ~ ~ These two points of knowledge in Linux is also very important, is to learn the foundation of Linux ~

continue to refine your last thought map :

If the article is wrong, welcome to correct, we communicate with each other. Accustomed to looking at technical articles, want to get more Java resources of students, can pay attention to the public number: Java3y. For everyone's convenience, just new QQ Group: 742919422, we can also go to exchange. Thanks for the support! I hope to introduce more to other needy friends.

Directory navigation for articles :

• Https://zhongfucheng.bitcron.com/post/shou-ji/wen-zhang-dao-hang

Linux User and Rights Management look, you're going to use it.