Group and group administrators in Linux user systems

About groups: Effective vs. initial group, groups, NEWGRP

The code is as follows:

#/etc/group

This file is where the GID corresponds to the group name ~ My/etc/group content is a bit like this:

The code is as follows:

Root:x:0:root

Bin:x:1:root,bin,daemon

Daemon:x:2:root,bin,daemon

Sys:x:3:root,bin,adm

is also a colon ': ' as a separator for the field, divided into four columns, the meaning of each field is:

1. Group name: is the group name!

2. Group password: usually do not need to set, because we rarely use to the group login! However, similarly, the password is also recorded in the/etc/gshadow!

3. GID: Is the group ID AH ~

4. Supported account name: Join all the accounts in this group, we know that a user can join multiple groups. For example, if I want Dmtsai to join the root group, then add ', Dmtsai ' at the end of the first line, and be careful not to have spaces to make ' Root:x:0:root,dmtsai '.

The more important feature is the fourth column, because each user can have multiple support groups, which is like when we are in school, we can join a number of associations! ^_^. But here you may find it strange that: ' If I join multiple groups at the same time, then when I do my homework, what is the group? ' Let's talk about the concept of ' effective group '.

# Active Group (effective group) and initial group (initial group)

Remember that every user has the so-called GID in the fourth column of his/etc/passwd? That GID is the so-called ' initial group ' (initial group)! That is, when the user is logged into the system, immediately has the meaning of the group's relevant permissions. For example, we mentioned above that dmtsai this user's/etc/passwd is related to/etc/group and/etc/gshadow as follows:

The code is as follows:

[Root@linux ~]# grep Dmtsai/etc/passwd/etc/group/etc/gshadow

/etc/passwd:dmtsai:x:501:501::/home/dmtsai:/bin/bash

/etc/group:users:x:100:dmtsai

/etc/group:dmtsai:x:501:

/etc/gshadow:users:::d Mtsai

/etc/gshadow:dmtsai:!::

Carefully see the above table, in/etc/passwd, Dmtsai this user belongs to the group of gid=501, that is,/etc/group Dmtsai that group ~ because this is initial group, so, users will be active Obtained, do not need to write the account number in the fourth field of/etc/group!

But other groups that are not initial group can be different. For the above example, I will dmtsai join the Users group, because the users this group is not the Dmtsai of the initial group, so I have to/etc/group this file to find the user line, and will dmtsai this account plus Enter the fourth column so that Dmtsai can support the Users group.

So in this case, because my dmtsai this account also supports the two groups of Dmtsai and users, I dmtsai this user in the read/write/execute files for the group part, as long as the two groups of users and Dmtsai. You can have it! But this is for existing files, if today I want to create a new file or a new directory, I would like to ask, the new file is the group Dmtsai or users? It's going to have to check out the effective group at that time (effective group).

How do I know all of my supported groups if I log in as a Dmtsai user? Very simple ah, the direct input groups on it! Notice Oh, it's groups. The result is like this:

The code is as follows:

[Dmtsai@linux ~]$ groups

Dmtsai Users

In this output message, I know that I belong to the two groups of Dmtsai and users, and that the first output group is a valid group (effective group). In other words, my effective group is Dmtsai ~ at this point, if I touch to create a new file, such as: Touch test, then the owner of the file is Dmtsai, and the group is also Dmtsai. Is this a good way to understand what a valid group is?

So how do you change a valid group? There are two ways to do this, both of which are achieved by NEWGRP! In the above example, because my Dmtsai user has both Dmtsai and users two groups, Dmtsai of course can switch dmtsai/users to become a valid group at any time. So, I can give:

The code is as follows:

[Dmtsai@linux ~]$ NEWGRP users

[Dmtsai@linux ~]$ groups

Users Dmtsai

At this point, my active group becomes the users. Of course, to be able to successfully switch the effective group, but also need to/etc/gshadow assistance to do ~ This wait for a moment we will explain. OK, so if you start trying to build a file under/home/dmtsai's home directory, such as ' Touch test2 ', what's going to happen? That file group has become a users! Is this more clear about the meaning of effective groups?

We have an extra discussion about the NEWGRP directive, which can change the current user's active group and provide login with a shell, so, in the above example, the user is currently logged in with another shell, and the new shell gives the Dmtsai To Dmtsai effective GID for users. When the "newgrp groupname" is executed directly, the user's active group becomes groupname, while the user's environment settings (such as environmental variables, etc.) will not be affected, but the user's ' permissions ' will be recalculated. For example, the new file group that Dmtsai is setting up at this time is users.

In this example of Brother Bird, it should be noted that the Dmtsai user is originally owned by the users and dmtsai two groups, so he can directly use NEWGRP to switch effective groups, and to leave the new active group, enter ' exit '. Assuming that there is another group in my Linux system with the name Vbird, can dmtsai log into the Vbird group? It is possible to do so under certain conditions:

* Vbird This group is valid in the/etc/gshadow password bar (not with!);

* Dmtsai must have root or group Administrator (Group Admins) join the Vbird group.

These two prerequisites are indispensable. OK, let's say I've built the password for the Vbird group using GPASSWD, and Dmtsai has been added to the group membership, so when Dmtsai input ' newgrp vbird ', hey! Dmtsai This user's effective group will be able to become Vbird Hello ~

#/etc/gshadow

Just talked a lot about ' effective group ' concept, in addition, also mentions newgrp this instruction usage, but, if/etc/gshadow this set does not have the understanding words, then NEWGRP is unable to move! The content of my/etc/gshadow is a bit like this:

The code is as follows:

Root:::root

Bin:::root,bin,daemon

Daemon:::root,bin,daemon

Sys:::root,bin,adm

Also use the colon ': ' as the separator character for the field, and you'll find that the file is almost exactly the same as/etc/group! Yes, that's right. However, the attention is probably the second field bar ~ The second field is the password bar, if the password bar above is '! ' , it means that the group cannot use the password to log in! As for the fourth field, which is the name of the supporting account.

1. Group name

2. Password bar, the same, the beginning for! Indicates that it cannot be logged in;

3. Group Administrator's account number (related information in the following introduction)

4. The group's account number (same as the/etc/group content!)

However, as a matter of system operation, in fact, this/etc/gshadow password provides, the biggest function is to "let those who are not in the group, temporarily joined the group." ' In fact, the use of the situation is very small ~ and if you really want to operate such an environment, it must be familiar with the use of NEWGRP! and also to provide a group of passwords out, really bad management. So, if you really want to allow a user to take advantage of the group's capabilities, or directly to join the group's support is good! Save Trouble ~

Linux Group Administrators

Why do I need a group administrator

Let's assume a scenario where there are a lot of departments in a company and different employees need to be involved in different groups. If one of the departments adds an employee, you need to notify the administrator to add it to the corresponding group. If every department has to increase its staff, the administrator may be on a daily basis to handle each request.

At this point we can set the leader for each group, and allow the team leader to add delete group members, not only to improve efficiency, but also reduce the administrator's work.

How to assign group management

Grammar:

The code is as follows:

Gpasswd-a USERNAME GroupName

Effect:

When you add group management, you can specify multiple users, which need to be separated by commas between multiple users.

How to delete group management

Grammar:

Copy Code

The code is as follows:

Gpasswd-a "" GroupName

Effect:

GPASSWD no specific parameters are used to delete group management, we specify an empty string. If there are multiple administrators in the group, you can specify that the user is reserved.

Group Management Add Members

Grammar:

Copy Code

The code is as follows:

Gpasswd-a USERNAME GroupName

Effect:

Group Management Delete Member

Grammar:

Copy Code

The code is as follows:

gpasswd-d USERNAME GroupName

Effect: