LFCS Series Part 8: Managing Users and Groups, File Permissions and Attributes, and Enabling sudo Access for Accounts

Source: Internet
Author: User
Tags: lfcs

Since Linux is a multi-user operating system (several users can work on one standalone system at the same time through different hosts or terminals), you need to know how to manage users effectively: how to add, edit, disable and delete user accounts, and how to give them the permissions they need to do their work.

(LCTT: the sections of the original article were in the wrong order and have been rearranged according to their meaning.)

Adding a user account

To add a new user account, run either of the following two commands as root:

# adduser [new_account]
# useradd [new_account]

When a new user account is added to the system, the following actions are performed automatically:

    1. The user's home directory is created (/home/username by default).
    2. The following hidden files, which set up the environment for the new user's sessions, are copied into that home directory:

       .bash_logout, .bash_profile, .bashrc
    3. The mail spool /var/spool/mail/username is created.
    4. A group with the same name as the user is created.

Understanding /etc/passwd

The /etc/passwd file stores information about every user account; each user has one record in it, with colon-separated fields in the following format:

[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]
    • The [username] and [Comment] fields are self-explanatory.
    • In the second field, x indicates that logging in as username is password protected and that the password is stored in /etc/shadow.
    • The [UID] and [GID] fields are integers: the identifier of the user and the identifier of the user's primary group.
    • [Home directory] is the absolute path of the user's home directory.
    • [Default shell] is the shell started by default when the user logs in.
Understanding /etc/group

The /etc/group file stores information about every group. Each record has the following format:

[Group name]:[Group password]:[GID]:[Group members]
    • [Group name] is the name of the group.
    • An x in the [Group password] field means that no group password is used.
    • [GID] is the same group identifier that appears in /etc/passwd.
    • [Group members] lists the users in the group, separated by commas.

[Figure: adding user accounts]

Modifying user information

After adding a user account, you can modify some of its fields with the usermod command, whose basic syntax is:

# usermod [options] [username]

Setting an expiration date for an account

Use --expiredate followed by a date in YYYY-MM-DD format:

# usermod --expiredate 2014-10-30 tecmint

Adding a user to additional groups

Use the -aG option (or --append --groups) followed by the group name; to add the user to several groups, separate them with commas:

# usermod --append --groups root,users tecmint

Changing the user's home directory

Use the -d or --home option followed by the absolute path of the new home directory:

# usermod --home /tmp tecmint

Changing the user's default shell

Use the --shell option followed by the path of the new shell:

# usermod --shell /bin/sh tecmint

All of the above can be combined in a single command:

# usermod --expiredate 2014-10-30 --append --groups root,users --home /tmp --shell /bin/sh tecmint

[Figure: usermod command example]

Extended reading

    • Useradd Command Examples in Linux[1]
    • Usermod Command Examples in Linux[2]

Locking and unlocking accounts

For existing user accounts, we can also:

Disable an account by locking its password

Use the -L (capital L) or --lock option to lock the user's password:

# usermod --lock tecmint

Unlock the user's password

Use the -U or --unlock option to unlock the account locked above:

# usermod --unlock tecmint

[Figure: locking a user account]
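The following is an added example, not part of the original article: a short POSIX sh script that parses the /etc/passwd, /etc/group and /etc/shadow formats described above to answer three questions an administrator should ask after running the commands in this section: which accounts besides root have UID 0, which groups a user belongs to (what the groups command reports), and which accounts were locked with usermod --lock (their hash is prefixed with "!"). The file contents, user names and hashes are constructed samples, so it runs without root.

```shell
#!/bin/sh
# Audit helpers for the /etc/passwd, /etc/group and /etc/shadow formats.
# Added example, not from the original article. The three files are
# constructed samples (hashes are placeholders), so no root is needed.

PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE" "$SHADOW_FILE"' EXIT
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tecmint:x:1000:1000:Tecmint User:/home/tecmint:/bin/bash
gacanepa:x:1001:1001::/home/gacanepa:/bin/sh
sneaky:x:0:0::/tmp:/bin/bash
EOF
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
users:x:100:tecmint,gacanepa
tecmint:x:1000:
gacanepa:x:1001:
admin:x:27:tecmint
common_group:x:1003:gacanepa
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$PLACEHOLDER:19000:0:99999:7:::
tecmint:!$6$PLACEHOLDER:19000:0:99999:7:::
gacanepa:$6$PLACEHOLDER:19000:0:99999:7:::
EOF

# Any account other than root whose UID is 0 is root under another name.
uid0_aliases() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD_FILE"; }

# What "groups <user>" computes: the primary group named by the passwd GID,
# then every /etc/group entry whose member list contains the user.
groups_of() {
    awk -F: -v user="$1" '
        BEGIN { gid = -1 }
        NR == FNR { if ($1 == user) gid = $3; next }      # first file: passwd
        $3 == gid { primary = $1 }                         # group with that GID
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == user) extra = extra " " $1 }
        END { print primary extra }
    ' "$PASSWD_FILE" "$GROUP_FILE"
}

# usermod --lock prefixes the password hash with "!"; list accounts locked that way.
locked_accounts() { awk -F: 'substr($2, 1, 1) == "!" { print $1 }' "$SHADOW_FILE"; }

echo "UID 0 aliases: $(uid0_aliases)"
echo "groups of tecmint: $(groups_of tecmint)"
echo "locked accounts: $(locked_accounts)"
```

Point PASSWD_FILE, GROUP_FILE and SHADOW_FILE at the real files (the last one needs root to read) to run the same checks on a live system.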

Deleting a user account

You can delete a user account with userdel --remove. This deletes the user's home directory together with the files in it that the user owns, as well as the mail spool:

# userdel --remove [username]

Group management

Each time a new user is added, a group with the same name is created for that user; it initially contains only the new user, and other users can be added later. One purpose of groups is to control access to resources and files by setting permissions on them.

For example, suppose you have the following users:

    • User1 (primary group User1)
    • User2 (primary group User2)
    • User3 (primary group User3)

Suppose they all need read and write access to a file named common.txt located somewhere on the system, or to a shared file that user1 has just created. You might run:

# chmod 660 common.txt
or
# chmod u=rw,g=rw,o= common.txt [note the space between the final = sign and the file name]

However, this grants read and write access only to the owner of the file and the owning group (user1 in this case). You would then have to add user2 and user3 to the user1 group, but doing so would also open every other file owned by user1 and its group to user2 and user3.

This is where a dedicated group comes in handy; the following shows how.

Showing the groups a user belongs to

# groups tecmint
# id tecmint

Setting up a group for several users who need to read and write a file

Run the following commands:

# groupadd common_group                  # add the new group
# chown :common_group common.txt         # change the group of common.txt to common_group
# usermod -aG common_group user1         # add user1 to common_group
# usermod -aG common_group user2         # add user2 to common_group
# usermod -aG common_group user3         # add user3 to common_group

Deleting a group

Delete a group with the following command:

# groupdel [group_name]

Files belonging to group_name are not deleted; only the group itself is removed.

Linux file permissions

In addition to the basic read, write and execute permissions covered in Part 3 of the LFCS series, Archiving/Compressing Files and Directories, Setting File Attributes and Finding Files [3], files have a few rarely used but very important permission settings, sometimes called "special permissions".

Like the basic permissions discussed before, they are expressed either as an octal digit or as a letter (symbolic notation).

Understanding the setuid bit

When the setuid bit is set on an executable file, a user who runs the program inherits the effective privileges of the program's owner. Because this can create security risks, the number of files and programs with setuid set must be kept as small as possible. You will typically find setuid on programs that a user needs to run in order to access a file owned by root.

In other words, the user can not only run the executable file but run it with root privileges. For example, look at the permissions of /bin/passwd, which changes an account's password by modifying /etc/shadow. The superuser can change the password of any account, but other users can only change their own.

[Figure: passwd command example]

Thus every user may run /bin/passwd, but only root may specify which account's password to change; other users can only change their own password.

[Figure: changing a user password]

To set the setuid bit in symbolic form:

# chmod u+s [filename]

To set it in octal form, prefix the basic permissions (the current ones or the ones you want) with the digit 4:

# chmod 4755 [filename]

Understanding the setgid bit

When the setgid bit is set on an executable, the effective GID of the real user becomes the GID of the file's group, so any user can access the file with the privileges of that group. When a directory has the setgid bit, newly created files inherit the directory's GID, and new subdirectories inherit the setgid bit of the parent. In this way the files inside the directory can be accessed as a specific group without having to manage the group of each file individually.

To set the setgid bit in symbolic form:

# chmod g+s [filename]

To set it in octal form, prefix the basic permissions (the current ones or the ones you want) with the digit 2:

# chmod 2755 [filename]

[Figure: setting the setgid bit on a directory]

[Figure: setting the setgid bit on a command]

Understanding the sticky bit

Setting the sticky bit on a file has no meaning; Linux ignores it. When set on a directory, it prevents the files inside from being deleted or renamed unless you are the owner of the directory or of the file, or root.

# chmod o+t [directory]

To set the sticky bit in octal form, prefix the basic permissions (the current ones or the ones you want) with the digit 1:

# chmod 1755 [directory]

Without the sticky bit, any user with read and write permission on the directory could delete or rename its files. Hence the sticky bit usually appears on directories such as /tmp, where everyone has write permission.

[Figure: setting the sticky bit on a directory]
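As an added example (not from the original article), the POSIX sh functions below decode an octal mode such as 4755 into the symbolic form that ls shows, including the capital S or T that marks a special bit set without the matching execute bit, and list the setuid files under a directory, which is the audit the setuid section above calls for. No root is needed.

```shell
#!/bin/sh
# Decode numeric modes with special bits into ls-style symbolic form, and list
# setuid files under a directory. Added example, not from the original
# article; pure POSIX sh.

# triad DIGIT LETTER: render one rwx group. LETTER is "s" or "t" when the
# special bit that belongs to this group is set, empty otherwise.
triad() {
    d=$1; sp=$2; r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ -n "$sp" ]; then
        # Special bit without execute shows as capital S/T: the bit is set but
        # cannot take effect, which is almost always a misconfiguration.
        if [ "$x" = x ]; then x=$sp; else x=$(printf %s "$sp" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic MODE: e.g. 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
mode_to_symbolic() {
    mode=$1
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # 755 means 0755
    s=${mode%???}; rest=${mode#?}                    # special digit, rwx digits
    u=${rest%??}; o=${rest#??}; g=${rest#?}; g=${g%?}
    us=; gs=; os=
    [ $((s & 4)) -ne 0 ] && us=s                     # 4 = setuid
    [ $((s & 2)) -ne 0 ] && gs=s                     # 2 = setgid
    [ $((s & 1)) -ne 0 ] && os=t                     # 1 = sticky
    printf '%s%s%s\n' "$(triad "$u" "$us")" "$(triad "$g" "$gs")" "$(triad "$o" "$os")"
}

# list_setuid_files DIR: regular files below DIR with the setuid bit set.
# -xdev keeps find on one filesystem; run against / for a full inventory.
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

for m in 4755 2755 1777 4644 0750; do
    printf '%-5s %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```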

Linux special file attributes

Files also have other attributes that restrict operations on them further, for example preventing a file from being renamed, moved, deleted or even modified. They are set with the chattr command [4] and viewed with the lsattr tool. For example:

# chattr +i file1
# chattr +a file2

After running these commands, file1 becomes immutable (it cannot be moved, renamed, modified or deleted) and file2 becomes append-only (it can only be opened for appending).

[Figure: using chattr on a file]

Accessing the root account and enabling sudo

One way to access the root account is to type:

$ su

and then enter the root password.

If authentication succeeds you are logged in as root, and the working directory is the one you were in before. To be placed in root's home directory automatically on login, run instead:

$ su -

and then enter the root password.

[Figure: switching users with su]

The step above requires a normal user to know the root password, which is a serious security problem. System administrators therefore usually configure the sudo command, which lets ordinary users run commands as another user (usually root) in a tightly controlled environment: the user stays under strict control yet can be allowed to run one or more privileged commands.

    • Extended reading: Difference between Su and sudo User[5]

A normal user authenticates to sudo with his own password. After the command is entered, a prompt for the user's password (not the superuser's) appears; if authentication succeeds, the command runs, provided the user has been granted permission to run it.

The system administrator grants sudo privileges by editing the /etc/sudoers file. It is recommended to use the visudo command to edit this file rather than opening it with a text editor:

# visudo

This opens /etc/sudoers in vim (see LFCS Series Part 2: How to Install and Use the vi/vim Text Editor [6] for how to edit it).

The relevant lines to set are the following:

Defaults    secure_path="/usr/sbin:/usr/bin:/sbin"
root        ALL=(ALL) ALL
tecmint     ALL=/bin/yum update
gacanepa    ALL=NOPASSWD:/bin/updatedb
%admin      ALL=(ALL) ALL

To understand these entries in more depth:

Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/usr/local/bin"

This line specifies the directories sudo will search for commands, which prevents directories chosen by the user from being used, since those could compromise the system.

The next lines specify permissions:

root        ALL=(ALL) ALL
    • The first ALL keyword indicates that this rule applies to all hosts.
    • The second ALL keyword indicates that the user in the first field can run commands as any user.
    • The third ALL keyword indicates that any command can be run.

tecmint     ALL=/bin/yum update

If no user is specified after the = sign, sudo defaults to root. In this example, the tecmint user can run yum update as root.

gacanepa    ALL=NOPASSWD:/bin/updatedb

The NOPASSWD keyword indicates that the gacanepa user can run /bin/updatedb without entering a password.

%admin      ALL=(ALL) ALL

The % sign indicates that this line applies to the admin group. The rest means the same as for a user: members of the admin group can run any command from any host.

With sudo -l you can see which commands your own account is allowed to run.

[Figure: sudo access rules]
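Added example, not from the original article: a POSIX sh parser for the user-specification lines above that applies sudo's defaults (root when no runas list is given, password required unless NOPASSWD is present) and flags the entries an auditor should look at twice. The sample rules are the ones quoted above plus one constructed rule (user svc, command backup.sh) with a relative command path.

```shell
#!/bin/sh
# Explain and flag sudoers user-specification lines. Added example, not from
# the original article; the rules are those quoted above plus one constructed
# line (svc) that uses a relative command path.

# explain_rule LINE: print one summary sentence followed by risk flags.
explain_rule() {
    set -- $1                          # split on whitespace: $1 = user or %group
    who=$1; shift; rest=$*
    host=${rest%%=*}; spec=${rest#*=}
    case $spec in
        \(*) runas=${spec%%\)*}; runas=${runas#\(}; spec=${spec#*\)}; spec=${spec# } ;;
        *)   runas=root ;;             # no (runas) list: sudo defaults to root
    esac
    passwd=required
    case $spec in NOPASSWD:*) passwd=none; spec=${spec#NOPASSWD:}; spec=${spec# } ;; esac
    case $who in %*) subject="group ${who#%}" ;; *) subject="user $who" ;; esac
    flags=
    # "ALL" as root or as any user is unrestricted root; NOPASSWD removes the
    # authentication step; a relative command path is resolved at run time.
    [ "$spec" = ALL ] && { [ "$runas" = ALL ] || [ "$runas" = root ]; } && flags="$flags full-root"
    [ "$passwd" = none ] && flags="$flags nopasswd"
    case $spec in ALL|/*) ;; *) flags="$flags relative-command" ;; esac
    printf '%s may run "%s" as %s on %s, password %s;%s\n' \
        "$subject" "$spec" "$runas" "$host" "$passwd" "${flags:- ok}"
}

# audit_sudoers TEXT: explain every rule line, skipping Defaults and comments.
audit_sudoers() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in ''|\#*|Defaults*) continue ;; esac
        explain_rule "$line"
    done
}

SAMPLE_SUDOERS='Defaults    secure_path="/usr/sbin:/usr/bin:/sbin:/usr/local/bin"
root        ALL=(ALL) ALL
tecmint     ALL=/bin/yum update
gacanepa    ALL=NOPASSWD:/bin/updatedb
%admin      ALL=(ALL) ALL
svc         ALL=NOPASSWD:backup.sh'   # constructed: relative path, gets flagged

audit_sudoers "$SAMPLE_SUDOERS"
```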

Summary

For a system administrator, solid user and file management skills are essential. This article has covered them; we hope you will start from here and progress step by step. Feel free to comment or ask questions below, and we will respond as soon as possible.

Original link

LFCS Series eighth: Managing Users and user groups, file permissions and attributes, and enabling account sudo access rights
