Linux Users and Administrative privileges

Source: Internet
Author: User
Tags: asymmetric encryption

Linux users fall into two broad types: the administrator (root) and ordinary users; ordinary users are further split into system users (service accounts) and login users. Because Linux is a multi-user, multi-tasking system, anyone who wants to use system resources must be given an account by the administrator and log in with it. Each account has a user name and a password used to log in.

Each user has a unique user ID (UID). Historically the UID was a 16-bit number (0 to 65535); modern Linux kernels use 32-bit UIDs, but the conventional ranges below still apply. Taking CentOS as the example: the administrator (root) has UID 0 and every other user has a UID above 0. System users occupy 1-499 on CentOS 6 and earlier and 1-999 on CentOS 7; login users occupy 500-60000 on CentOS 6 and earlier and 1000-60000 on CentOS 7 (the ranges come from UID_MIN/UID_MAX and SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs). Note that it is the UID, not the name, that confers privilege: any account with UID 0 is an administrator, whatever it is called.

To manage users collectively, users can be placed into groups. Like users, groups are divided into the administrators group and ordinary groups, and each group has a group ID (GID) allocated in exactly the same way as UIDs. A user often needs more than one identity on the system, so each user has one primary (basic) group and zero or more supplementary (additional) groups. Groups are also described as private or public: a private group belongs to a single user, carries that user's name and has only that one member (useradd creates one by default), whereas a public group can have many members.

When a user logs in, Linux does not work with the account name directly: it looks the name up in /etc/passwd to resolve it to a UID, and group names are resolved to GIDs through /etc/group in the same way. User password hashes are stored in /etc/shadow and group password hashes in /etc/gshadow; both are readable only by root, unlike the world-readable /etc/passwd and /etc/group. To keep passwords from being disclosed they are never stored in clear text. Cryptographic algorithms are usually grouped into three categories: symmetric encryption, asymmetric encryption and one-way (hash) functions; password storage uses the third.

Symmetric encryption uses the same key for encryption and decryption. It is fast, but key distribution is difficult and too many keys have to be kept;

Asymmetric encryption uses a key pair, divided into a public key and a private key. Encryption and decryption use different keys; the drawback is that it is slow;

One-way encryption (hashing) can only encrypt, never decrypt. Its characteristic is fixed-length output: however long the password, the output has the same length, and a small change in the input produces a completely different output (the avalanche effect). The classic algorithms are MD5 and SHA-1. Both are now considered broken for security use; /etc/shadow on a current system uses a salted, iterated scheme such as SHA-512 crypt (hash field beginning with $6$) or yescrypt ($y$), and a $1$ (MD5 crypt) entry is a sign of a weak legacy setting.



Common user management commands


Add a user: useradd. Format: useradd [options] LOGIN

Common options are:

-u, --uid: specify the UID

-g, --gid: specify the primary group (by name or GID); the group must already exist

-G, --groups: supplementary groups the user belongs to, multiple groups separated by commas

-c, --comment: comment (GECOS) field

-d, --home-dir: home directory at the given path. The directory is created by copying /etc/skel (CentOS sets CREATE_HOME yes in /etc/login.defs; on other distributions -m is needed). If the given path already exists, the environment profile files are not copied into it

-s, --shell: the user's login shell; the list of permitted shells is kept in /etc/shells

-r, --system: create a system user (UID from the system range, no home directory, no password aging)

Many of the defaults applied when creating a user come from /etc/login.defs


useradd -D: show the defaults used when creating users

useradd -D options: modify the default values; the result is saved in /etc/default/useradd

usermod command: modify user properties

Command format: usermod [options] LOGIN

Common options: -u: change the UID

-g: change the primary GID

-G: change the supplementary groups; the original supplementary groups are replaced

-a: used together with -G to append the new groups instead of replacing

-c: change the comment field

-d: change the home directory; the user's existing files are not moved to the new location

-m: only valid with -d; moves the contents of the old home directory to the new one

-l: change the login name

-s: change the login shell

-L: lock the user's password by prefixing the stored hash in /etc/shadow with "!"

-U: unlock the user's password (removes the "!" prefix)


userdel command: delete a user

Command format: userdel [options] LOGIN

Common option -r: also remove the user's home directory and mail spool


passwd command:

① passwd: change your own password

② passwd USERNAME: change the password of the named user; by default only root may do this

Common options -l, -u: lock and unlock the user (same "!" prefix as usermod -L/-U)

-d: delete the user's password. This leaves the account able to log in with no password at all, so prefer -l when the intent is to disable access

-e: expire the password immediately, forcing a change at the next login

-i DAYS: inactive period after the password expires

-n DAYS: minimum password lifetime

-x DAYS: maximum password lifetime

-w DAYS: warning period before expiry



groupadd command: add a group

groupadd [options] GROUP

Common option -g: specify the GID; by default the next ID above the highest existing group is used

-r: create a system group

groupmod command: modify group properties

groupmod [options] GROUP

Common option -g: change the GID

-n: change the group name

groupdel: delete a group

groupdel [options] GROUP


gpasswd command: manage group membership and the group password

Group password file: /etc/gshadow

gpasswd [options] GROUP

-a USERNAME: add a user to the group

-d USERNAME: remove a user from the group

newgrp command: temporarily make the given group the primary group (a new shell is started with that group; a user who is not a member is asked for the group password from /etc/gshadow, which is why that file exists)

newgrp [-] [GROUP]

-: behave as a fresh login, re-initializing the environment

chage command: change password expiry information

chage [options] USER

Common option -m: the minimum number of days between password changes. At zero the password can be changed at any time.

-M: the maximum number of days the password remains valid.

-W: the number of days before expiry on which the user starts receiving the warning.

-E: the date on which the account expires. The account cannot be used after this day.

-d: the date of the last password change.

-I: inactive period. If the password has been expired for this many days, the account becomes unusable.

-l: list the current settings. A non-privileged user can use it to find out when their own password or account expires.
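The shadow fields above (hash, last change, min, max, warn, inactive, expire) are what passwd, usermod -L/-U and chage edit, and the hash prefix is what the earlier section on one-way encryption was describing. The following is an added example, not code from the original article: it parses /etc/shadow-style lines, names the crypt(3) scheme from the $id$ prefix, detects the "!" lock prefix, and applies the aging rules the way login checks them. The sample lines and the day numbers are constructed (the hash strings are placeholders, not real hashes), so it runs offline without root; the WEAK_ALGORITHMS set and the status names are this example's own choices.

```python
"""Evaluate /etc/shadow entries: hash algorithm, lock state, password aging.

Added example, not from the original article. Field layout follows shadow(5):
    name:hash:lastchg:min:max:warn:inactive:expire:reserved
where the day fields count days since 1970-01-01.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

EPOCH = date(1970, 1, 1)

# crypt(3) hash-id prefixes as listed in crypt(5).
HASH_IDS = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$y$": "yescrypt", "$2b$": "bcrypt"}
WEAK_ALGORITHMS = {"md5", "descrypt"}   # example's own policy choice


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]


def days_since_epoch(d: date) -> int:
    return (d - EPOCH).days


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, h, lastchg, mn, mx, warn, inact, exp, _reserved = fields
    return ShadowEntry(name, h, _int_or_none(lastchg), _int_or_none(mn),
                       _int_or_none(mx), _int_or_none(warn),
                       _int_or_none(inact), _int_or_none(exp))


def is_locked(hash_field: str) -> bool:
    """passwd -l / usermod -L prepend '!' to the hash; '*' or '!!' means
    no password was ever set (typical for system accounts)."""
    return hash_field.startswith("!") or hash_field == "*"


def hash_algorithm(hash_field: str) -> str:
    """Name the crypt(3) scheme behind the hash, ignoring any lock prefix."""
    if hash_field == "":
        return "empty"              # login with no password: always a finding
    h = hash_field.lstrip("!")
    if h in ("", "*"):
        return "none"               # placeholder only, nothing to crack
    for prefix, algo in HASH_IDS.items():
        if h.startswith(prefix):
            return algo
    if "$" not in h and len(h) == 13:
        return "descrypt"           # traditional DES crypt, 8-char passwords
    return "unknown"


def password_status(e: ShadowEntry, today: int) -> str:
    """Aging rules in the order login applies them: account expiry, forced
    change, max age, inactive grace period, warning window."""
    if e.expire is not None and 0 < e.expire <= today:
        return "account-expired"
    if e.lastchg == 0:
        return "must-change"        # chage -d 0: change at next login
    if (e.lastchg is None or e.max_days is None
            or e.max_days < 0 or e.max_days >= 99999):
        return "never-expires"
    change_by = e.lastchg + e.max_days
    if today > change_by:
        if (e.inactive_days is not None and e.inactive_days >= 0
                and today > change_by + e.inactive_days):
            return "inactive"       # past the grace period: login refused
        return "password-expired"   # login allowed only to set a new password
    if today >= change_by - (e.warn_days or 0):
        return "warning"
    return "ok"


def audit(lines: List[str], today: int) -> Dict[str, Tuple[str, bool, str]]:
    """name -> (algorithm, locked?, aging status) for every entry."""
    out = {}
    for line in lines:
        e = parse_shadow_line(line)
        out[e.name] = (hash_algorithm(e.hash_field), is_locked(e.hash_field),
                       password_status(e, today))
    return out


# Constructed sample entries; hash bodies are placeholders, not real hashes.
SAMPLE = [
    "root:$6$saltsalt$" + "A" * 86 + ":19700:0:99999:7:::",
    "legacy:$1$saltsalt$" + "B" * 22 + ":19000:0:90:7:14::",
    "svc:!!:19700:0:99999:7:::",
    "bob:$6$saltsalt$" + "C" * 86 + ":19700:0:90:7:::",
    "carol:$6$saltsalt$" + "D" * 86 + ":19700:0:60:7:::",
    "dave:!$6$saltsalt$" + "E" * 86 + ":19700:0:90:7::19750:",
    "eve:$6$saltsalt$" + "F" * 86 + ":0:0:90:7:::",
]

if __name__ == "__main__":
    today = days_since_epoch(date(2024, 3, 1))   # 19783
    for name, (algo, locked, status) in audit(SAMPLE, today).items():
        flag = " WEAK" if algo in WEAK_ALGORITHMS else ""
        print(f"{name:8} {algo:9}{flag:5} locked={locked!s:5} {status}")
```

Run it as root against the real file with audit(open("/etc/shadow").read().splitlines(), days_since_epoch(date.today())); an "empty" algorithm, a $1$ hash, or a "never-expires" status on an interactive account are the findings worth chasing first.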


id command: display the user's real and effective IDs

id [options]... [USER]

-u: display only the UID

-g: display only the primary GID

-G: display only the IDs of all groups the user belongs to

-n: display names instead of numeric IDs (used together with -u, -g or -G)

su command: switch user

Login switch: su - USERNAME (or su -l USERNAME) re-initializes the environment by reading the target user's profile files

Non-login switch: su USERNAME does not read the target user's profile files

The administrator can switch to any other user without giving a password; everyone else must supply the target user's password

-c 'command': run only the given command as the target user, then return


Permission management:

Users play different roles on the system and so hold different permissions. Permissions are basically of three kinds: r (read), w (write) and x (execute). The model is rwxrwxrwx: the first triplet applies to the owner (user), the second to the owning group and the third to everyone else (other). The same letter means something different depending on whether the object is a file or a directory. Permissions can also be written numerically, r=4, w=2, x=1, summed per triplet.

File: r: the file's data can be read; w: the file's data can be modified; x: the file can be run as a program (a process can execute it);

Directory: r: the list of names in it can be obtained with ls; w: entries can be created, deleted or renamed in it, which includes deleting files the user does not own; x: the directory can be entered with cd and entries can be accessed by name, which ls -l also needs to show each file's detailed attributes

Files are usually data, not programs, so they do not need x: the base permission for a new file is -rw-rw-rw-, at most 666

The x bit on a directory decides whether it can be entered, and a directory is useless without it, so the base permission for a new directory is all bits open, drwxrwxrwx, 777. Both base values are then reduced by the umask described below.

Permission management commands:

chmod command: change permissions

① chmod [OPTION]... MODE[,MODE]... FILE...

② chmod [OPTION]... OCTAL-MODE FILE...

③ chmod [OPTION]... --reference=RFILE FILE...

The symbolic MODE names a class, an operator and permissions: classes are u (owner), g (group), o (other) and a (all); operators are + (add), - (remove) and = (set exactly)

Options: -R, --recursive: change files and directories recursively
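How a symbolic mode such as u+x,go-w turns into the nine permission bits is easier to see in code than in words. This is an added example, not code from the original article: it implements the [ugoa][+-=][rwx] grammar listed above on plain integers, so it runs without touching any file. One simplification is noted in the comments: real chmod, when the class is omitted (chmod +x), leaves bits set in the umask untouched, whereas this version treats an omitted class as a.

```python
"""Apply chmod(1) symbolic modes to a 9-bit permission value.

Added example, not from the original article. Covers the [ugoa][+-=][rwx]
clauses, comma-separated, plus an ls -l style renderer for checking results.
"""
import re

WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def apply_symbolic(mode: int, spec: str) -> int:
    """Return the new mode after applying e.g. 'u+x,go-w' or 'a=r' to mode."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        # Simplification: an omitted class is treated as 'a'; real chmod
        # additionally skips bits that are set in the umask in that case.
        if not who or "a" in who:
            who_mask = 0o777
        else:
            who_mask = sum(WHO_BITS[c] for c in set(who))
        perm_mask = sum(PERM_BITS[c] for c in set(perms)) & who_mask
        if op == "+":
            mode |= perm_mask
        elif op == "-":
            mode &= ~perm_mask
        else:  # '=' clears the selected classes, then sets exactly perms
            mode = (mode & ~who_mask) | perm_mask
    return mode & 0o777


def octal(mode: int) -> str:
    """0o644 -> '644', the form chmod's numeric syntax takes."""
    return format(mode & 0o777, "03o")


def rwx(mode: int) -> str:
    """Render like ls -l: 0o644 -> 'rw-r--r--'."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out += ("r" if bits & 4 else "-")
        out += ("w" if bits & 2 else "-")
        out += ("x" if bits & 1 else "-")
    return out


def world_writable(mode: int) -> bool:
    """The one-bit check most audits start with: can 'other' write?"""
    return bool(mode & 0o002)


if __name__ == "__main__":
    m = 0o644
    for spec in ("u+x", "go-r", "a+w", "o=", "ug=rwx,o=rx"):
        m = apply_symbolic(m, spec)
        print(f"{spec:12} -> {octal(m)} {rwx(m)} world-writable={world_writable(m)}")
```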

chown command: change the owner and/or owning group

chown [OPTION]... [OWNER][:[GROUP]] FILE...

chown [OPTION]... --reference=RFILE FILE...

-R, --recursive: change recursively

chgrp command: change the owning group

chgrp [OPTION]... GROUP FILE...

chgrp [OPTION]... --reference=RFILE FILE...

How the permissions a process has on a file are decided:

If the effective UID of the process equals the owner of the file, the owner permissions apply;

otherwise, if the effective GID of the process, or one of its supplementary groups, equals the owning group of the file, the group permissions apply;

otherwise, the other permissions apply. Only the first matching class is consulted, so an owner whose own triplet is --- is denied even when group or other would allow the access.
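The three-step rule above is a precise algorithm, and its one surprising consequence (the first matching class wins, so the owner can be denied what other is granted) is easiest to confirm by running it. The following is an added example, not code from the original article: it models a process (effective UID, effective GID, supplementary groups) and an inode (owner, group, 9 permission bits) and applies the rule, plus the root bypass and the directory search (x) requirement from the permission model above. Capabilities beyond the basic root bypass, ACLs and security modules are outside what this page covers and are deliberately not modelled; the Process and Inode names and sample IDs are this example's own.

```python
"""Discretionary access check: owner -> group -> other, first match wins.

Added example, not from the original article. Models the classic rule
the page describes; capabilities, ACLs and LSMs are out of scope.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: FrozenSet[int] = frozenset()   # supplementary groups, as in id -G


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int              # 9 permission bits, e.g. 0o640
    is_dir: bool = False


def class_bits(p: Process, f: Inode) -> int:
    """Select exactly one rwx triplet for this process; later classes are
    never consulted, even if they would be more permissive."""
    if p.euid == f.uid:
        return (f.mode >> 6) & 7
    if p.egid == f.gid or f.gid in p.groups:
        return (f.mode >> 3) & 7
    return f.mode & 7


def may(p: Process, f: Inode, want: int) -> bool:
    """want is a bitmask of R, W, X. Root (euid 0) bypasses read and write
    checks; for execute on a regular file it still needs at least one x bit."""
    if p.euid == 0:
        if want & X and not f.is_dir and not (f.mode & 0o111):
            return False
        return True
    return (class_bits(p, f) & want) == want


def can_open(p: Process, path_dirs: List[Inode], f: Inode, want: int) -> bool:
    """Reaching a file by name needs x (search) on every directory on the
    path; r on a directory is only needed to list it, not to traverse it."""
    return all(may(p, d, X) for d in path_dirs) and may(p, f, want)


if __name__ == "__main__":
    # Constructed sample: alice owns a shared file in her 0700 home.
    alice = Process(1000, 1000, frozenset({100}))
    bob = Process(1001, 1001)
    root = Process(0, 0)
    home = Inode(1000, 1000, 0o700, is_dir=True)
    shared = Inode(1000, 100, 0o640)
    odd = Inode(1000, 100, 0o046)      # owner ---, group r--, other rw-
    print("alice reads shared:", can_open(alice, [home], shared, R))   # True
    print("bob reads shared:  ", can_open(bob, [home], shared, R))     # False
    print("alice writes odd:  ", may(alice, odd, W))                   # False
    print("bob writes odd:    ", may(bob, odd, W))                     # True
    print("root execs shared: ", may(root, shared, X))                 # False
```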

Normally the files and directories a user creates end up with different permissions, because of the umask: it is the inverse mask applied to the base permissions of newly created files and directories. Running umask prints four digits; the first is for the special permissions and can be ignored here, leaving three. Root's umask is generally 0022, i.e. ----w--w- (w is removed from group and other); an ordinary user's umask is 0002, i.e. -------w- (w is removed from other only).

Calculating the default permissions: file permissions: 666 minus umask; directory permissions: 777 minus umask. Strictly, the kernel computes base AND NOT umask; the digit-wise subtraction gives the same result for the usual 022 and 002 but is wrong when a umask digit removes a bit the base does not have (umask 033 on a file gives 644, not 633).

umask command: show the current umask

umask MASK: set the umask, but only for the current shell process and what it starts; to make it permanent, put it in a profile file
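Because the subtraction shortcut and the real bitwise rule disagree on some masks, it is worth computing both and then checking what the kernel actually does. This is an added example, not code from the original article: default_mode() applies base AND NOT umask, naive_subtraction() reproduces the digit-wise subtraction the text gives, and check_on_disk() sets the process umask, creates a real file and directory in a temporary directory and reads back their modes, restoring the original umask afterwards. It assumes a Linux or other POSIX system where os.umask is available.

```python
"""Default permissions from a umask: bitwise rule vs the subtraction shortcut,
verified against files actually created on disk.

Added example, not from the original article.
"""
import os
import stat
import tempfile
from typing import Tuple


def default_mode(umask: int, is_dir: bool) -> int:
    """What the kernel does: base & ~umask (files never get x by default)."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def naive_subtraction(umask: int, is_dir: bool) -> int:
    """Digit-wise '666 - umask' / '777 - umask' as commonly taught.
    Agrees with default_mode() for 022 and 002, but not in general."""
    base = "777" if is_dir else "666"
    u = format(umask & 0o777, "03o")
    digits = "".join(str(max(int(b) - int(m), 0)) for b, m in zip(base, u))
    return int(digits, 8)


def check_on_disk(umask: int) -> Tuple[int, int]:
    """Create a file and a directory under the given umask and return their
    real modes. umask is per process, so the old value is restored on exit."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath = os.path.join(tmp, "f")
            dpath = os.path.join(tmp, "d")
            with open(fpath, "w"):          # open(2) with mode 0o666
                pass
            os.mkdir(dpath)                 # mkdir(2) with mode 0o777
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)


if __name__ == "__main__":
    for mask in (0o022, 0o002, 0o033, 0o077):
        f_real, d_real = check_on_disk(mask)
        print(f"umask {mask:03o}: file {default_mode(mask, False):03o} "
              f"(subtraction says {naive_subtraction(mask, False):03o}, "
              f"disk shows {f_real:03o}), dir {default_mode(mask, True):03o} "
              f"(disk shows {d_real:03o})")
```

The 033 row is the one to look at: the subtraction says 633, the bitwise rule and the file system both say 644, because the 3 in the umask carries an x bit that a 6 never had.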




This article is from the "11448219" blog, please be sure to keep this source http://11458219.blog.51cto.com/11448219/1791350
