Linux is a multi-tasking, multi-user system: several users can be logged on to the same host at the same time. To keep each user's files and working space private, every file has an owner, the user who controls it. To let users cooperate and share public resources without handing out permissions file by file, users are collected into groups, and read, write and execute permission on a file is granted separately to its owner, to its owning group and to everyone else.
Main configuration files for users and groups
1. /etc/passwd: users and their attributes, one line per user, seven colon-separated fields:
user name:password placeholder (x, the hash lives in /etc/shadow):UID:GID of the primary group:comment (GECOS):home directory:login shell
2. /etc/group: groups and their attributes, four fields:
group name:password placeholder (x):GID:comma-separated list of users that have this group as a supplementary group
3. /etc/shadow: password hashes and ageing information, readable only by root, nine fields:
user name:hashed password (a ! or * prefix means password login is locked, an empty field means no password is asked for):date of last password change (days since 1970-01-01):minimum days between changes:maximum days the password stays valid:days of warning before expiry:days of inactivity after expiry before the account is disabled:account expiry date (days since 1970-01-01):reserved
4. /etc/gshadow: group passwords and their attributes, four fields:
group name:hashed group password:comma-separated group administrators:comma-separated members
User and group management commands
id
id [user name]: show the UID, primary GID and all group memberships of the given user (the current user if omitted)
useradd
-u UID: use this UID instead of the next free one
-o: together with -u, allow a UID that is already in use (two accounts with one UID are the same identity to the kernel; avoid it)
-g GID/group name: the user's primary group (must already exist)
-G GID/group name[,...]: the user's supplementary groups
-s /sbin/nologin: the login shell; /sbin/nologin is the usual choice for service accounts that must never get an interactive session
usermod
-g GID/group name: change the user's primary group (the group must already exist)
-G GID/group name[,...]: set the user's supplementary groups; this replaces the whole list, so combine it with -a (usermod -aG group user) to add a group and keep the existing ones
usermod -G '' zhangsan: remove all of zhangsan's supplementary groups
-s shell: change the user's login shell
userdel
userdel user name: delete the account but keep its home directory (still present under /home) and mail spool
userdel -r user name: delete the account together with its home directory and mail spool
Files the user owned elsewhere keep the numeric UID and will belong to whoever is given that UID next, so look for them (find / -nouser) before the UID is reused
su
su - user name: switch to that user with a fresh login environment; root switches without a password, any other user must enter the target user's password
groupadd
groupadd group name: create a group
groupmod
groupmod -n new group name current group name: rename a group
groupmod -g new GID current group name: change a group's GID (files keep the old numeric GID and must be chgrp'ed afterwards)
groupdel
groupdel group name: delete a group (refused while the group is still some user's primary group)
gpasswd
gpasswd -a user name group name: add the user to the group as a supplementary group
gpasswd -d user name group name: remove the user from the group
gpasswd -A user name group name: make the user an administrator of the group (an administrator can change the group password and its membership with gpasswd)
gpasswd -M '' group name: set the member list to empty, i.e. remove all members
groupmems
groupmems -g group name -a user name: add a member to the group
groupmems -g group name -d user name: remove a member from the group
groupmems -g group name -l: list the group's members (users that have it as primary group are not listed, because they do not appear in /etc/group)
groupmems -g group name -p: purge all members from the group
Summary: three ways to add a user to a supplementary group
1. usermod -aG group name user name (without -a the existing list is replaced)
2. gpasswd -a user name group name
3. groupmems -g group name -a user name
Keep in mind: every user has exactly one primary group and zero or more supplementary groups; every file has exactly one owner and one owning group. A login session picks up the user's groups when it starts, so a user added to a group must log in again (or use newgrp) before the new membership takes effect.
Practice
1. Create the groups weiguo and shuguo; create the user liubei as administrator of group shuguo and caocao as administrator of group weiguo
2. Create the users kongxiu and guanyu with weiguo as a supplementary group; create the user zhangfei with shuguo as primary group
3. Delete the user kongxiu completely; change guanyu's supplementary group from weiguo to shuguo
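A worked solution to the three exercises, added here as an example that is not part of the original page. apply_exercises runs the commands as root in the order the exercises ask for (gpasswd -A for the administrators, useradd -G for supplementary groups, useradd -g for a primary group, userdel -r for the complete removal, and usermod -G, deliberately without -a, to replace weiguo by shuguo). The three check functions read membership back out of the files described above and take the file paths as parameters so they also run against copies. Without the apply argument, or as a non-root user, nothing on the system is changed.

```shell
#!/bin/sh
# Added example: solution to the user/group exercises, plus checks that read the result back.

apply_exercises() {
    # 1. groups and their administrators (an administrator may change the group's password and membership)
    groupadd weiguo
    groupadd shuguo
    useradd liubei;  gpasswd -A liubei shuguo
    useradd caocao;  gpasswd -A caocao weiguo
    # 2. supplementary group weiguo for kongxiu and guanyu; primary group shuguo for zhangfei
    useradd -G weiguo kongxiu
    useradd -G weiguo guanyu
    useradd -g shuguo zhangfei
    # 3. remove kongxiu with home directory and mail spool; move guanyu from weiguo to shuguo.
    #    usermod -G without -a REPLACES the supplementary list, which is exactly what is wanted
    #    here; use -aG when you mean to add a group and keep the existing ones.
    userdel -r kongxiu
    usermod -G shuguo guanyu
}

# The checks read /etc/group, /etc/passwd and /etc/gshadow by default; a path argument lets
# them run against copies of those files.
supplementary_groups() {   # $1 user, $2 group file
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' \
        "${2:-/etc/group}"
}
primary_group() {          # $1 user, $2 passwd file, $3 group file
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "${2:-/etc/passwd}")
    awk -F: -v g="$gid" '$3 == g { print $1 }' "${3:-/etc/group}"
}
group_admins() {           # $1 group, $2 gshadow file (field 3 is the administrator list)
    awk -F: -v g="$1" '$1 == g { print $3 }' "${2:-/etc/gshadow}"
}

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    apply_exercises
    for u in liubei caocao guanyu zhangfei; do
        printf '%s primary=%s supplementary=%s\n' "$u" "$(primary_group "$u")" \
            "$(supplementary_groups "$u" | tr '\n' ' ')"
    done
    printf 'shuguo admins: %s\nweiguo admins: %s\n' "$(group_admins shuguo)" "$(group_admins weiguo)"
fi
```

After apply, guanyu should list only shuguo as a supplementary group and zhangfei none at all (shuguo is his primary group, which /etc/group does not record), which is exactly the distinction the groupmems -l note above makes.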
Understanding and setting file permissions
Keep in mind that when a user accesses a file the permission classes are checked in the order owner > group > other, and only the first class that matches is used.
That is: if the accessing user is the file's owner, the owner bits apply (even when the group or other bits would grant more); otherwise, if the user is a member of the file's owning group, the group bits apply; otherwise the other bits apply. root is the exception: it bypasses the read and write checks entirely and can execute any file that has at least one x bit.
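The rule above, as an added example that is not part of the original page: a POSIX sh function that decides an access request the way the kernel does for plain mode bits, given the nine permission characters, the file's owner and group, the requesting user, that user's groups and the operation. The users, groups and modes in the sample calls are constructed; check_path applies the same function to a real path via stat and id, assuming GNU stat (as on CentOS) and that the user exists on the host.

```shell
#!/bin/sh
# Added example: the owner > group > other decision for plain (non-ACL) mode bits.

# perm_check MODE OWNER FGROUP USER UGROUPS OP
#   MODE    nine permission characters as shown by ls -l, e.g. rw-r-----
#   OWNER   file owner; FGROUP the file's owning group
#   USER    requesting user; UGROUPS comma-separated groups of that user (primary and supplementary)
#   OP      r, w or x
# Prints allow or deny and returns 0 or 1. root is not modelled: it bypasses r/w checks
# (CAP_DAC_OVERRIDE) and may execute anything that has at least one x bit.
perm_check() {
    mode=$1; owner=$2; fgroup=$3; user=$4; ugroups=$5; op=$6
    # Exactly one class applies: the first one that matches, even if a later class is more generous.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c1-3)
    elif printf ',%s,' "$ugroups" | grep -qF -- ",$fgroup,"; then
        bits=$(printf '%s' "$mode" | cut -c4-6)
    else
        bits=$(printf '%s' "$mode" | cut -c7-9)
    fi
    case $op in
        r) c=$(printf '%s' "$bits" | cut -c1) ;;
        w) c=$(printf '%s' "$bits" | cut -c2) ;;
        x) c=$(printf '%s' "$bits" | cut -c3) ;;
        *) echo "perm_check: bad operation '$op'" >&2; return 2 ;;
    esac
    # s and t in the x column mean "x plus a special bit"; S and T mean the special bit without x.
    case $c in
        r|w|x|s|t) echo allow; return 0 ;;
        *)         echo deny;  return 1 ;;
    esac
}

# check_path PATH USER OP: the same decision for a real file, using GNU stat and id.
check_path() {
    p=$1; u=$2; o=$3
    set -- $(stat -c '%A %U %G' "$p")          # e.g. -rw-r----- liubei shuguo
    perm_check "$(printf '%s' "$1" | cut -c2-10)" "$2" "$3" "$u" "$(id -nG "$u" | tr ' ' ,)" "$o"
}

# Constructed cases (no real users needed). The second one is the classic surprise: the owner is
# denied although the group bits would allow, because the owner class is checked first and wins.
demo() {
    for case in \
        "rw-r----- liubei shuguo zhangfei shuguo r" \
        "---rwx--- liubei shuguo liubei shuguo r" \
        "rw-r----- liubei shuguo caocao weiguo r"; do
        set -- $case
        printf '%s as %s op %s -> %s\n' "$1" "$4" "$6" "$(perm_check "$@")"
    done
}
demo
```

The second demo line is worth remembering when a file "mysteriously" refuses its owner: chmod 070 on your own file locks you out while your colleagues in the group can still read it, and the fix is the owner bits, not group membership.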
With ll (an alias for ls -l) you can see a file's permissions; for a file without an ACL the first column looks like -rw-r--r--. and breaks down as follows:
-   : file type: - regular file, d directory, l symbolic link, b block device, c character device, p named pipe, s socket
rw- : owner
r-- : group
r-- : other
.   : an SELinux security context is attached (a + in this position would mean the file has an ACL)
r  read: read the file's contents; on a directory, list its entries
w  write: modify the file; on a directory, create, delete or rename entries (this also needs x on the directory)
x  execute: run the file; on a directory, enter it and reach its entries, which every other directory operation depends on
chgrp
chgrp group name file/directory name: change the owning group (a non-root owner may only change it to a group they belong to; root may use any group)
chgrp -R: recurse into directories
chown
chown user name[:group name] file/directory name: change the owner (and optionally the group); only root may change a file's owner
chown -R: also change every file and subdirectory below the directory
chmod
Symbolic mode
chmod [ugoa][+-=][rwx] file name
Example: chmod o+w a adds write permission to the other bits of file a
Numeric mode
each class is the sum of 4 for r, 2 for w and 1 for x
0:--- 1:--x 2:-w- 3:-wx 4:r-- 5:r-x 6:rw- 7:rwx
Example: chmod 777 a sets the permissions of file a to rwxrwxrwx, readable, writable and executable by everyone, which is almost never what you want on a shared system
Practice
1. Create the directory /app/house, owned by liubei; only liubei, guanyu and zhangfei have full permission on it, nobody else has any
Note: liubei, guanyu and zhangfei were added to the shuguo group earlier.
2. As each of liubei, guanyu and zhangfei, create that user's own room inside house, named xxx_room, on which only the user has full permission and nobody else has any
3. Create the shared directory /app/house/common in which the files liubei, guanyu and zhangfei create can be read and written by each other, while nobody else has any permission
Special permissions: SUID
chmod u+s
When SUID is set on an executable binary, whoever runs it gets the owner's effective UID for the lifetime of the process (ls shows s in the owner's x column, or S if the owner has no x). The kernel ignores SUID on scripts. Every SUID root binary is a privilege boundary, so keep the inventory short and known.
SGID
chmod g+s
1. When SGID is set on an executable binary, whoever runs it gets the file's owning group as effective GID for the lifetime of the process
2. When SGID is set on a directory, files and subdirectories created in it get the directory's owning group instead of the creator's primary group (this is what makes shared project directories work)
Sticky
When the sticky bit is set on a directory (shown as t in the other x column), a file in it can be deleted or renamed only by the file's owner, the directory's owner or root, even if the directory is writable by everyone; /tmp is the standard example.
ACL
Enabling ACLs
CentOS 7: ACL support is enabled by default on its file systems
CentOS 6 and earlier: file systems created during installation support ACLs by default, but a file system formatted later with mkfs does not have the ACL mount option turned on; enable it by hand as follows:
1. tune2fs -o acl /dev/sda5 (stores the option in the superblock so it applies on every mount)
2. mount -o acl /dev/sda5 /app (or remount with the option for the current session)
Order in which ACL entries are evaluated
owner > named ACL user > owning group and named ACL groups > other; every entry between owner and other is additionally limited by the ACL mask, and chmod on the group bits of a file with an ACL rewrites that mask rather than the owning group's entry
Setting ACLs
setfacl -m u:liubei:rwx testdir
Setting default (inherited) entries
setfacl -Rm u:liubei:rwx testdir/ sets the access entry on testdir and everything already inside it
setfacl -Rm d:u:liubei:rwx testdir/ sets a default entry, so that files created inside later inherit it (default entries exist on directories only)
Remove all ACL entries and go back to plain mode bits
setfacl -b testdir
ACLs are stored as extended attributes, which the packaging tool (tar) does not store by default; back them up separately with getfacl and put them back with setfacl --restore
Practice
1. New files created in /app/dir automatically belong to the group shuguo; members of group weiguo (for example caocao) get read and write access to those new files, members of group wuguo (for example sunquan) get read access only, and no other user can access the directory at all
2. Back up all files under /app/dir, delete /testdir/dir, then restore /testdir/dir together with all the ACL entries inside it
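As an added example, not from the original page: acl_check evaluates an access request against getfacl output in the order owner > named user > owning and named groups > other, applying the mask to everything between owner and other. That mask is the most common ACL surprise: an entry such as user:caocao:rw- looks right in getfacl, but a later chmod g-w shrinks the mask and the effective permission (getfacl then prints #effective next to the entry). sample_getfacl is constructed output in that format, not captured from a real system. setup_acl_dir, backup_acls and restore_acls apply the two exercises with setfacl default entries and getfacl/setfacl --restore, run as root; they assume the exercises mean the same directory (/app/dir) and that /root holds the backup. Without the apply argument only the constructed evaluation runs.

```shell
#!/bin/sh
# Added example: ACL evaluation order with the mask, and the two /app/dir exercises.

# grants PERMS MASK OP: does the rwx string PERMS, limited by MASK, contain operation OP?
grants() {
    case $3 in
        r) p=$(printf '%s' "$1" | cut -c1); m=$(printf '%s' "$2" | cut -c1) ;;
        w) p=$(printf '%s' "$1" | cut -c2); m=$(printf '%s' "$2" | cut -c2) ;;
        x) p=$(printf '%s' "$1" | cut -c3); m=$(printf '%s' "$2" | cut -c3) ;;
        *) return 2 ;;
    esac
    [ "$p" != - ] && [ "$m" != - ]
}

# entry FILE PREFIX: the rwx field of the first ACL line starting with PREFIX in getfacl output FILE
# (anything after the field, such as "#effective:r--", is ignored).
entry() { sed -n "s/^$2\(...\).*/\1/p" "$1" | head -n 1; }

# acl_check FILE USER UGROUPS OP: FILE is getfacl output for one object, UGROUPS the comma-separated
# group list of USER, OP one of r, w, x. Prints allow or deny and returns 0 or 1.
acl_check() {
    f=$1; user=$2; ugroups=$3; op=$4
    owner=$(sed -n 's/^# owner: //p' "$f")
    fgroup=$(sed -n 's/^# group: //p' "$f")
    mask=$(entry "$f" 'mask::'); [ -n "$mask" ] || mask=rwx   # no mask entry: nothing is masked
    if [ "$user" = "$owner" ]; then                             # 1. owner: user:: entry, never masked
        if grants "$(entry "$f" 'user::')" rwx "$op"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    named=$(entry "$f" "user:$user:")
    if [ -n "$named" ]; then                                    # 2. named user, masked
        if grants "$named" "$mask" "$op"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    matched=0                                                   # 3. owning group and named groups,
    for g in $(printf '%s' "$ugroups" | tr ',' ' '); do         #    masked; any matching entry wins
        if [ "$g" = "$fgroup" ]; then p=$(entry "$f" 'group::'); else p=$(entry "$f" "group:$g:"); fi
        [ -n "$p" ] || continue
        matched=1
        if grants "$p" "$mask" "$op"; then echo allow; return 0; fi
    done
    if [ "$matched" -eq 1 ]; then echo deny; return 1; fi
    if grants "$(entry "$f" 'other::')" rwx "$op"; then echo allow; return 0; fi   # 4. other
    echo deny; return 1
}

# Constructed getfacl output: caocao's rw- and the owning group's rw- are both cut to r-- by the mask.
sample_getfacl() {
    cat <<'EOF'
# file: app/dir/report
# owner: liubei
# group: shuguo
user::rw-
user:caocao:rw-
group::rw-
group:wuguo:r--
mask::r--
other::---
EOF
}

# Exercise 1, as root: SGID gives new files the group shuguo; default entries give weiguo rw and
# wuguo r on every new file; other stays ---. The umask is ignored when a default ACL exists.
setup_acl_dir() {
    mkdir -p /app/dir
    chown root:shuguo /app/dir
    chmod 2770 /app/dir
    setfacl -m g:weiguo:rwx,g:wuguo:r-x /app/dir          # access to the directory itself
    setfacl -m d:g:weiguo:rw,d:g:wuguo:r /app/dir          # inherited by files created inside
}
# Exercise 2: tar does not carry the ACLs, so save them with getfacl (-p keeps absolute names so
# the restore does not depend on the working directory) and put them back with --restore.
backup_acls()  { tar -cpf /root/dir.tar /app/dir; getfacl -R -p /app/dir > /root/dir.acl; }
restore_acls() { tar -xpf /root/dir.tar -C /; setfacl --restore=/root/dir.acl; }

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    setup_acl_dir; backup_acls; rm -rf /app/dir; restore_acls; getfacl /app/dir
else
    t=$(mktemp); sample_getfacl > "$t"
    for q in "liubei shuguo w" "caocao weiguo w" "caocao weiguo r" "sunquan wuguo r" "zhangfei shuguo w"; do
        set -- $q
        printf '%-8s %s -> %s\n' "$1" "$3" "$(acl_check "$t" "$@")"
    done
    rm -f "$t"
fi
```

The constructed sample shows why "setfacl -m u:caocao:rw" alone is not proof that caocao can write: run getfacl after every chmod on an ACL'd object and look for #effective, or recalculate the mask with setfacl -m m::rw.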
Getting Started with Linux: users, groups and permissions