Users and user groups in Linux

Source: Internet
Author: User
Article directory
    • I. Users and user groups
        1. User categories in Linux
        2. Concept of user groups
        3. Relationship between users and user groups
    • II. Configuration files
        1. User and group configuration files
        2. Other directories and files
    • III. User and user group management
        1. User management commands
        2. User group management commands
    • IV. Linux super users
        1. Concept and importance of the super user
        2. Functions of the super user in system management
        3. Super user authorization

I had been using Ubuntu for a while without running into this question: with sudo, or a quick chmod 777, I never had to think about what these permissions actually control. Recently our instructor handed us an entire server, and once CentOS is configured as a server you have to face security questions and really understand users and user groups. I read a lot of blog posts on the subject and summarize them here.

I. Users and user groups

1. User categories in Linux
    • Super user: has the highest administrative authority on the system. By default this is root (UID 0).
    • Common users: can log on to the system, but can only access and modify files they own or have been granted permission to, chiefly those in their own home directory.
    • Virtual (system) users: their defining feature is that they cannot log on interactively; their shell is normally /sbin/nologin or /bin/false. They exist to simplify administration and to give system processes and the files they own an identity other than root. Examples are the default bin, adm and nobody accounts. Some services historically ran as nobody by default; nobody itself cannot log on.
2. Concept of user groups

A user group is a logical set of users with the same characteristics. When several users need the same permissions, say to view and modify a file, one approach is to grant access to each user individually; with 10 users that means 10 separate grants, which clearly does not scale. The other approach is to create a group, give the group permission to view and modify the file, and put every user who needs the file into that group; all of them then hold the group's permissions. That is a user group. Grouping users is the way Linux organizes users and controls access, and it greatly simplifies administration.

3. Relationship between users and user groups
    • One-to-one: a user belongs to one group and is its only member.
    • One-to-many: a user belongs to several groups and has the permissions of each of them.
    • Many-to-one: several users belong to the same group and share that group's permissions.
    • Many-to-many: several users each belong to several groups, a combination of the two cases above.
II. Configuration files

1. User and group configuration files

(1) /etc/passwd file

The system user information file; it records the basic attributes of each user.

Format: "user name:password:UID:GID:comment (GECOS):home directory:default shell"

Description:

    • User name: the string identifying the account.
    • Password: historically held the hashed (never plain-text) password. Because /etc/passwd must be readable by every user, even the hash was a risk, since it can be attacked offline, so all current Linux systems use shadow passwords: the hash lives in /etc/shadow and this field holds the single placeholder character "x".
    • User ID: the user's UID, unique per user. UID 0 is the super user root; UIDs 1 to 99 (1 to 999 on current distributions) are reserved for system and management accounts. Ordinary users start at 500 on older Red Hat systems and at 1000 on current distributions (see UID_MIN in /etc/login.defs). UIDs are 32-bit on any modern kernel, not limited to 65535 as older documents state. The kernel decides permissions by UID, not by user name, so two accounts that share a UID are the same user as far as the system is concerned, and sharing a UID leads to confused ownership and auditing. Setting an ordinary user's UID to 0 makes that account root under another name, an extremely dangerous configuration and a classic backdoor; keep UIDs unique.
    • Group ID: the GID of the user's primary group, analogous to the UID. It corresponds to a record in /etc/group.
    • Comment (GECOS): a free-form description of the user, such as full name, address and phone number.
    • Home directory: the directory the user is placed in after logging on.
    • Default shell: the command interpreter started after the user logs on. The shell is the interface between the user and the Linux kernel: whatever the user types is passed to the kernel through it. Common shells include sh, bash and csh, and the administrator can assign each user a different one. Setting the shell to /sbin/nologin or /bin/false prevents interactive logon.

Example:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin1:x:500:500::/home/admin1:/bin/bash
admin2:x:501:500::/home/admin2:/bin/bash
ftp1:x:502:50::/var/ftp/ftp1:/sbin/nologin
ftp2:x:503:50::/var/ftp/ftp2:/sbin/nologin

(2)/etc/shadow file

The shadow password file. Since /etc/passwd is readable by every user, keeping password hashes there exposes them to offline cracking. Linux therefore moves the password information out of /etc/passwd into /etc/shadow, which is readable only by root (mode 0000, or 0640 root:shadow on Debian-derived systems); this protects the hashes.

Format: "user name:encrypted password:last change:minimum age:maximum age:warning period:inactivity period:expiry date:reserved"

Description:

    • User name: the same user name as in /etc/passwd.
    • Encrypted password: the password hash in crypt(3) format, for example $6$salt$hash for SHA-512. If the field begins with "!" or "*" (or is "!!"), no password can match and the account cannot log on with a password, although other methods such as SSH keys may still work. passwd -l locks an account by prefixing "!". An empty field means the account needs no password at all, which is a serious misconfiguration.
    • Last change: the day the password was last changed, counted in days since 1970-01-01 (the Unix epoch). Changing the password with passwd updates this field; the value 15445 in the example below corresponds to 15 April 2012.
    • Minimum age: the minimum number of days between two password changes; 0 means the user may change it at any time.
    • Maximum age: the maximum number of days the password remains valid before it must be changed (99999 effectively disables expiry). This lets the administrator enforce password rotation.
    • Warning period: the number of days before expiry on which the user starts to be warned that the password is about to expire.
    • Inactivity period: the number of days after the password expires during which it can still be changed at login; once that has passed the account is disabled outright, with no prompt to change the password, and only the administrator can reactivate it.
    • Expiry date: the date (days since the epoch) on which the account itself expires; after it the user cannot log on regardless of the password. Empty means the account never expires.
    • Reserved field: reserved for future use; currently empty.

Example:

root:$6$i7qdsp4rrr2ptx3n$...:15445:0:99999:7:::
bin:*:15240:0:99999:7:::
admin1:$6$kbsnbizw$...:15446:0:99999:7:::

(The hashes are truncated here; "$6$" marks SHA-512 crypt and the string between the second and third "$" is the salt.)
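The risks called out above, a second UID-0 account, a UID shared by several accounts, and a shadow entry whose password field is empty, are easy to check for mechanically. The script below is an added example written for this page, not code from the original article. It runs on constructed passwd and shadow samples embedded in the script (the hashes are truncated placeholders); the same functions work on the real files when run as root.

```shell
#!/bin/sh
# Added example (not from the original article): audit passwd/shadow-style data
# for three risks: a second UID-0 account, a UID shared by several accounts, and
# a shadow entry with an empty password field.
# On a real host run:  audit /etc/passwd /etc/shadow   (reading /etc/shadow needs root).

# Constructed sample passwd file. "backdoor" has UID 0 and "admin2" reuses UID 500.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin1:x:500:500::/home/admin1:/bin/bash
admin2:x:500:500::/home/admin2:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
ftp1:x:502:50::/var/ftp/ftp1:/sbin/nologin
EOF
)

# Constructed sample shadow file (hashes truncated). "admin2" has an empty
# password field, so it can log on with no password at all.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$i7qdsp4rrr2ptx3n$...:15445:0:99999:7:::
bin:*:15240:0:99999:7:::
admin1:$6$kbsnbizw$...:15446:0:99999:7:::
admin2::15446:0:99999:7:::
backdoor:!:15446:0:99999:7:::
ftp1:!!:15446:0:99999:7:::
EOF
)

# Each check takes the file contents as its argument and prints findings one
# per line. passwd field 3 is the UID; shadow field 2 is the password.

# Accounts other than root whose UID is 0: they are root under another name.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs used by more than one account, sorted numerically.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' | sort -n
}

# Accounts whose shadow password field is empty (neither a hash nor a lock marker).
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# audit PASSWD_FILE SHADOW_FILE: run all checks; returns 1 if anything was found.
audit() {
    pw=$(cat "$1")
    sd=$(cat "$2")
    findings=0
    for acct in $(uid0_accounts "$pw");   do echo "UID 0 account: $acct";  findings=1; done
    for uid  in $(duplicate_uids "$pw");  do echo "UID shared: $uid";       findings=1; done
    for acct in $(empty_passwords "$sd"); do echo "empty password: $acct"; findings=1; done
    return $findings
}

# Demonstration on the constructed data.
tmp_pw=$(mktemp)
tmp_sd=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_pw"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp_sd"
audit "$tmp_pw" "$tmp_sd" || echo "audit found problems"
rm -f "$tmp_pw" "$tmp_sd"
```

On the sample data the audit reports backdoor as a UID-0 account, UIDs 0 and 500 as shared, and admin2 as having an empty password. A nonzero exit status makes the script usable from a cron job or a configuration-management check.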

(3)/etc/group file

The user group information file; it records each group's attributes.

Format: "group name:password:GID:member list"

Description:

Group name: the name of the user group, made of letters and digits. Like user names in /etc/passwd, group names must be unique.
Password: historically the hashed group password; it is now kept in /etc/gshadow and this field holds "x". By default groups have no password; gpasswd can set one.
Group ID: the GID, which is what the group ID field of /etc/passwd refers to.
Member list: the supplementary members of the group, separated by commas. Users whose primary group (the GID field in /etc/passwd) is this group are members too, but they are not listed here.

Example:

root:x:0:root
bin:x:1:root,bin,daemon
admin:x:500:
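One consequence of the format above that catches people out: the member list in /etc/group shows only supplementary members, so the admin group above looks empty even though admin1 and admin2 (primary GID 500 in the /etc/passwd example) belong to it. The following is an added example, not part of the original article; it resolves full group membership, and a user's full group list, from constructed passwd and group data embedded in the script. On a real host `getent group` and `id -Gn user` give the same answers, because the C library does this merging for you.

```shell
#!/bin/sh
# Added example (not from the original article): resolve group membership from
# passwd- and group-style data. /etc/group lists only supplementary members in
# its fourth field; accounts whose primary GID (passwd field 4) is the group are
# members too but never appear there, which this resolver accounts for.

# Constructed sample data matching the examples in the text: admin has GID 500,
# admin1 and admin2 use it as their primary group and are not listed in the group file.
GROUP_DATA=$(cat <<'EOF'
root:x:0:root
bin:x:1:root,bin,daemon
ftp:x:50:
admin:x:500:
EOF
)
PASSWD_DATA=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
admin1:x:500:500::/home/admin1:/bin/bash
admin2:x:501:500::/home/admin2:/bin/bash
ftp1:x:502:50::/var/ftp/ftp1:/sbin/nologin
EOF
)

# gid_of GROUP: print the group's GID, or nothing if the group does not exist.
gid_of() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# members_of GROUP: every account in the group, one per line, sorted and
# de-duplicated (an account can be both a primary and a supplementary member).
# Returns 1 if the group does not exist.
members_of() {
    gid=$(gid_of "$1")
    [ -n "$gid" ] || return 1
    {
        # supplementary members: the comma-separated list in group field 4
        printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # primary members: accounts whose passwd GID field equals this GID
        printf '%s\n' "$PASSWD_DATA" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# groups_of USER: every group the account belongs to (primary plus supplementary),
# one per line, sorted. Returns 1 if the account does not exist.
groups_of() {
    pgid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$pgid" ] || return 1
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v pgid="$pgid" '
        $3 == pgid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' | sort -u
}

# Demonstration: the group file alone would say admin has no members.
echo "members of admin:"; members_of admin
echo "groups of root:";   groups_of root
```

Resolving membership this way matters when reviewing who can read a group-owned file such as a log or a private key: checking /etc/group alone under-reports the set of users who hold the permission.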

(4)/etc/gshadow

The group password file; it stores group passwords and group administrators. /etc/gshadow complements /etc/group. On a large server with many users and groups and a complex permission model, group passwords can be useful: when we do not want non-members to hold a group's permissions permanently, a group password lets a user take on the group's identity temporarily (with newgrp) after authenticating. That is what the group password is for. In practice it is rarely used, because the password is shared and cannot be attributed to a person; listing members explicitly with gpasswd -a is the preferred approach.

Format: "Group name: Password: Group Administrator: group member"

Description:

Group name: the user group's name.

Password: the hashed group password. If the field is empty or "!", the group has no password: newgrp works only for members, and non-members cannot join.

Group administrators: may be empty; several administrators are separated by commas. A group administrator may add and remove members with gpasswd without being root.

Group members: the supplementary members, separated by commas.

Example:

bin:::root,bin,daemon
admin:!::

2. Other directories and files

(1) /etc/login.defs file

Defines the defaults applied when a user is created: the UID and GID ranges, password ageing, whether to create a home directory, and so on.

The /etc/login.defs file on RHEL 5 contains, among other settings, the following. The values are that era's defaults; current distributions set UID_MIN and GID_MIN to 1000, and on PAM-based systems PASS_MIN_LEN is ignored in favour of the PAM password-quality module.

MAIL_DIR /var/spool/mail
# When a user is created, a mail spool file for the user is created in /var/spool/mail.
PASS_MAX_DAYS 99999
# Maximum number of days a password remains valid (99999 effectively disables expiry).
PASS_MIN_DAYS 0
# Minimum number of days between password changes; 0 lets the user change it at any time.
PASS_MIN_LEN 5
# Minimum password length.
PASS_WARN_AGE 7
# Number of days before expiry on which the user starts to be warned that the password is about to expire.
UID_MIN 500
# Lowest UID assigned to new users; useradd starts allocating from 500.
UID_MAX 60000
# Highest UID assigned to new users.
GID_MIN 500
# Lowest GID assigned to new groups; groupadd starts allocating from 500.
GID_MAX 60000
# Highest GID assigned to new groups.
CREATE_HOME yes
# Whether useradd creates the home directory: yes creates it, no does not.

(2)/etc/skel directory

The /etc/skel directory holds the default files copied into a new user's home directory. Changing the files in /etc/skel changes what every new user starts with. For example, the .bash_profile, .bashrc and .bash_logout files that appear in a new user's home directory come from /etc/skel.

(3) /etc/default/useradd file

The defaults useradd applies when creating a user. When useradd is run without options, the home directory is created under /home and the shell is /bin/bash; these defaults are defined in /etc/default/useradd (useradd -D prints them). Change the file, or pass options to useradd, to alter them.

The contents are as follows:

GROUP=100
# Default primary group for new users when per-user groups (USERGROUPS_ENAB) are not in use; GID 100 is "users".
HOME=/home
# Base directory for new home directories, i.e. /home/<name>.
INACTIVE=-1
# Days after password expiry before the account is disabled; -1 disables this check.
EXPIRE=
# Account expiry date (YYYY-MM-DD); empty means the account never expires.
SHELL=/bin/bash
# Login shell for new users.
SKEL=/etc/skel
# Skeleton directory: the files placed in the new home directory are copied from here.

III. User and user group management

1. User management commands
    • useradd: add a user
    • adduser: add a user (on Red Hat systems a symlink to useradd; on Debian and Ubuntu a separate, interactive front end)
    • passwd: set a user's password; passwd -l and -u lock and unlock an account, passwd -S shows its status
    • usermod: modify a user; it can change the login name, home directory, shell, group membership and so on
    • pwconv: create /etc/shadow from /etc/passwd, moving the password hashes out of the world-readable file
    • pwck: verify that /etc/passwd and /etc/shadow are well-formed and consistent with each other
    • pwunconv: the reverse of pwconv; it merges /etc/shadow back into /etc/passwd and deletes /etc/shadow. This puts the hashes back in a world-readable file and should not be done on a production host
    • finger: show user information
    • id: show a user's UID, GID and group memberships
    • chfn: change a user's comment (GECOS) information
    • su: switch user
    • sudo: run a single command as another user, root by default. su switches identity and the work is then done as that user; sudo runs only the given command and returns. With sudo a user can run authorized commands as root without knowing the root password, but only the commands root has authorized, by editing /etc/sudoers with visudo
    • visudo: the command for editing /etc/sudoers. It locks the file and checks the syntax before saving; editing /etc/sudoers directly with vi bypasses that check, and a syntax error can lock every administrator out of sudo
    • sudoedit: edit a file as another user through sudo (the same as sudo -e); the editor itself runs as the invoking user, so it cannot be used to escape to a root shell
2. User group management commands
    • groupadd: add a user group
    • groupdel: delete a user group
    • groupmod: modify a user group
    • groups: display the groups a user belongs to
    • grpck: check /etc/group and /etc/gshadow for consistency
    • grpconv: create or update /etc/gshadow from /etc/group and /etc/gshadow; if /etc/gshadow does not exist it is created
    • grpunconv: merge /etc/gshadow back into /etc/group and delete /etc/gshadow
    • gpasswd: administer a group: set its password, add or remove members, designate group administrators
IV. Linux super users

1. Concept and importance of the super user

Linux distinguishes privilege levels by UID. Any user whose UID is 0 has super-user privileges, the highest the system grants, and can perform every system administration task. In /etc/passwd the user with UID 0 is root, and by convention root is the only UID-0 account; the kernel enforces nothing about the name, only the number, which is why a second UID-0 entry is exactly as powerful as root. From this standpoint root is irreplaceable and has unrestricted privileges: root is the system's super user.

Every file, directory and process in the system belongs to a user, and other ordinary users cannot operate on it without that owner's permission; root is the exception. Root's privilege also shows in that root can read, modify or delete any user's or group's files and directories (within the limits of the system itself), run any program, add, create and remove hardware devices, and change the owner and permissions of files and directories as system management requires, because root is the highest privileged user in the system.

Compared with the super user, common users and virtual users (also called pseudo-users) are restricted, but both are needed for specific tasks. Linux is a multi-user, multi-tasking operating system; multi-user means a diversity of roles, each with different permissions, and this separation of roles is at the core of why a properly administered Linux system is considered more secure than a Windows system where everything runs as one privileged user.

Since super-user privileges are indispensable for system management, we must use them for administrative tasks. In general, for security, root should be used only to manage and maintain the system: viewing and cleaning system logs, adding and deleting users, and so on.

Anything that does not involve system management can be done as an ordinary user: writing a document, listening to music, editing an image with gimp... Ordinary users can run most common applications.

When we are logged on with normal privileges, some configuration and management tasks still require super-user privileges, such as managing system logs or adding and deleting users. How do we perform them without logging on as root directly, switching from the ordinary user to root only for the administrative work? This is the question of managing super-user privileges.

Obtaining super-user privileges means switching from an ordinary identity to the super-user identity. This is done mainly with su and sudo.

2. Functions of the super user in system management

(1) Operations on any file, directory or process

Even this is bounded by what the system permits; some operations cannot be performed even by root. For example, most of /proc is a live view of the running kernel and cannot be written even by root; only the tunables under /proc/sys and a few per-process control files accept writes.

(2) Global system management

Hardware management, file system management, user management, global system configuration... When a command or tool reports that you lack permission, it usually requires super-user privileges. For example, only root can add users with useradd (adduser).

3. Super user authorization

(1) su command

The su command switches users. Suppose we are logged on as the ordinary user beinan and need to add a user with useradd; beinan lacks that permission and root has it. There are two options. One is to log out beinan and log in again as root, which is not ideal. The other is to stay logged in, use su to switch to root, add the user, and then exit back to beinan; su is clearly the better method. su works in any direction: switching from root to an ordinary or virtual user asks for no password, while switching from an ordinary user to any other user, root included, requires that target user's password.

With no arguments su switches to root but keeps the calling user's environment: it does not change to root's home directory and does not load root's login profile. Use su - (or su -l) to get a full login shell with root's environment; the home directory and shell come from root's entry in /etc/passwd.

(2) sudo command

su is convenient: switch to root and every administrative tool is available. But any ordinary user who is given the root password can become root and do anything, and that is the weakness. Suppose ten people share administration of a system. Using su means telling all ten the root password; each of them then has unrestricted root, and we cannot guarantee that all ten will follow the correct procedures. One serious mistake by any of them can crash the system or lose data, and there is no per-command record of who did what. So su is not the right tool when several people administer a system; it suits a system managed by one or two people. Where several administrators share a system it is better to give each one only the specific permissions and tools that their expertise and scope of responsibility require. That is what sudo is for.

Through sudo we can delegate specific super-user privileges to specific users without telling them the root password. sudo is therefore safer than unrestricted su, which is why it is sometimes called a restricted su; and because it requires explicit authorization, it is also called an authorized su.

When a command is run through sudo, sudo authenticates the caller (by default with the caller's own password, not root's), checks the policy, runs the single command as root (or another specified user), logs the command and the caller, and returns to the calling user when the command finishes. The precondition is that the caller has been authorized in the sudo configuration file /etc/sudoers.

(3) Editing the /etc/sudoers file

The sudo configuration file is /etc/sudoers. Edit it with its dedicated tool, visudo, which locks the file against concurrent edits and refuses to save a file with a syntax error (a broken sudoers file can lock every administrator out of sudo). After configuring, switch to the authorized user and run sudo -l to see which commands that user may and may not run.

In /etc/sudoers each line is one rule. Lines beginning with # are comments and are not evaluated (the #include and #includedir directives are the exception). A rule too long for one line can be continued on the next with a trailing \, so one rule may span several lines.

/etc/sudoers rules fall into two categories: alias definitions and authorization rules. Alias definitions are optional; authorization rules are what actually grants access.

For more information, see man sudoers.
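As an added example (not part of the original article), here is a complete drop-in policy of the shape just described, with an alias section and an authorization section, written by a small script that also runs visudo's syntax check when the tool is available. The helpdesk group name, the file name and the command paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): write a sudoers drop-in with an
# alias section and an authorization section, then check it with visudo if the
# tool is present. The group "helpdesk", the file name and the command paths are
# assumptions chosen for the example.

# write_sudoers_dropin FILE: write the policy to FILE with sudoers-style
# permissions (0440). On a real host use /etc/sudoers.d/helpdesk.
write_sudoers_dropin() {
    out=$1
    cat > "$out" <<'EOF'
# Alias definitions (optional): named command lists reused by the rules below.
# Arguments are matched exactly. Avoid wildcards in arguments: sudoers(5) notes
# that "*" also matches spaces, so "tail /var/log/*" would permit
# "tail /var/log/messages /etc/shadow".
Cmnd_Alias USERMGMT = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel
Cmnd_Alias LOGS     = /usr/bin/journalctl, /usr/bin/tail /var/log/messages, /usr/bin/tail /var/log/secure

# Defaults for this group: reset the environment so a caller cannot smuggle in
# variables such as LD_PRELOAD, and run commands in a pseudo-terminal.
Defaults:%helpdesk  env_reset, use_pty

# Authorization rules (required): user_or_%group  host = (run_as)  commands
# Members of group helpdesk may run the user-management and log commands as root.
%helpdesk ALL = (root) USERMGMT, LOGS
# passwd for ordinary accounts only; "!" excludes "passwd root". sudoers(5) warns
# that subtracting commands with "!" is not a reliable boundary, so keep the
# positive list narrow rather than relying on exclusions.
%helpdesk ALL = (root) /usr/bin/passwd [a-z]*, !/usr/bin/passwd root
EOF
    chmod 0440 "$out"
    # visudo -c -f parses the file without installing it. It also complains when
    # the file is not root-owned, so its verdict is advisory on a temp file.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$out" || echo "visudo rejected $out; fix it before installing"
    fi
}

# Demonstration against a temporary file.
tmp=$(mktemp)
write_sudoers_dropin "$tmp"
cat "$tmp"
rm -f "$tmp"
```

After installing the file as root in /etc/sudoers.d, a member of helpdesk can confirm the result with sudo -l, which lists exactly these commands and nothing else; anything not on the positive list is refused and logged.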

Reference blogs:

http://ixdba.blog.51cto.com/2895551/531787

http://blog.sina.com.cn/s/articlelist_1462904252_1_1.html
