Linux accounts and groups: effective and initial group, groups, newgrp

Source: Internet
Author: User
About groups: effective vs. initial group, groups, newgrp
Now that you know the two files associated with accounts, /etc/passwd and /etc/shadow, you may still wonder where the group settings are kept. And isn't the fourth column in /etc/passwd the so-called GID? What is that, exactly? To answer this we need to understand /etc/group and /etc/gshadow.

# /etc/group

This file records which GID corresponds to which group name. My /etc/group looks something like this:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm

Again the colon ':' is the field separator. There are four fields, with the following meanings:

1. Group name: the name of the group.

2. Group password: usually not set, because we rarely log in to a group. As with accounts, the password itself is recorded in /etc/gshadow.

3. GID: the group ID.

4. Supported accounts: all the accounts that have joined this group. A user can join multiple groups. For example, if I want dmtsai to join the root group, I append ',dmtsai' to the end of the first line, taking care not to add any spaces, so that it becomes 'root:x:0:root,dmtsai'.

The most important field is the fourth, because each user can have multiple supplementary (supported) groups, just as at school we can join several clubs. ^_^ But this raises a question: 'If I belong to several groups at once, which group am I acting as when I do something?' This is where the concept of the 'effective group' comes in.

# Effective group and initial group

Remember that every user has a GID in the fourth column of their /etc/passwd entry? That GID is the so-called 'initial group'. In other words, as soon as the user logs in to the system, they hold that group's permissions. For example, the dmtsai user mentioned above has the following entries in /etc/passwd, /etc/group and /etc/gshadow:

[root@linux ~]# grep dmtsai /etc/passwd /etc/group /etc/gshadow
/etc/passwd:dmtsai:x:501:501::/home/dmtsai:/bin/bash
/etc/group:users:x:100:dmtsai
/etc/group:dmtsai:x:501:
/etc/gshadow:users:::dmtsai
/etc/gshadow:dmtsai:!::

Look closely at the output above. In /etc/passwd, dmtsai belongs to the group with GID 501, which is the dmtsai group in /etc/group. Because this is the initial group, the user obtains it automatically, and the account does not need to be written into the fourth field of /etc/group.

Groups that are not the initial group are different. In the example above I added dmtsai to the users group. Because users is not dmtsai's initial group, I have to find the users line in /etc/group and add the dmtsai account to its fourth field so that dmtsai becomes a member of the users group.

In this case the dmtsai account belongs to both the dmtsai and users groups, so when dmtsai reads, writes or executes files, the group part of the permissions applies as long as the file belongs to either users or dmtsai. That covers existing files. But if I create a new file or directory, will its group be dmtsai or users? That depends on the effective group at that moment.

How do I find out all the groups I belong to when logged in as dmtsai? Simply run groups. Note that it is groups, with an s. The result looks like this:

[dmtsai@linux ~]$ groups
dmtsai users

From this output I know that I belong to the dmtsai and users groups, and the first group listed is the effective group. In other words, my effective group is dmtsai. If I now create a new file with touch, for example 'touch test', the owner of the file is dmtsai and its group is also dmtsai. That is what the effective group means.
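The lookup described above, as an added example that is not part of the original article: user_groups rebuilds the `groups` output from the two files, and group_members lists everyone in a group, including accounts that are members only through their initial GID and so never appear in the fourth field of /etc/group. The function names and the alice account are assumptions made for the example; the dmtsai lines are the ones shown above.

```shell
#!/bin/sh
# Added example. The dmtsai lines come from the article; the alice line is
# constructed to show a member that /etc/group never lists.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
dmtsai:x:501:501::/home/dmtsai:/bin/bash
alice:x:502:100::/home/alice:/bin/bash
EOF
cat > "$tmp/group" <<'EOF'
users:x:100:dmtsai
dmtsai:x:501:
EOF

# user_groups USER PASSWD GROUP: initial group first, then the other groups.
user_groups() {
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) gid = $4; next }   # passwd field 4: initial GID
        gid != "" && $3 == gid { initial = $1; next }  # name of the initial group
        { n = split($4, m, ",")                        # group field 4: listed members
          for (i = 1; i <= n; i++) if (m[i] == user) supp = supp " " $1 }
        END { if (gid == "") exit 1                    # unknown user
              if (initial == "") initial = gid         # GID has no entry in group file
              print initial supp }
    ' "$2" "$3"
}

# group_members GROUP PASSWD GROUP_FILE: listed members plus accounts whose
# initial GID is this group (a grep of /etc/group alone misses those).
group_members() {
    awk -F: -v grp="$1" '
        FNR == NR { if ($1 == grp) { gid = $3; n = split($4, m, ",")
                        for (i = 1; i <= n; i++) { listed[m[i]] = 1; out = out " " m[i] } }
                    next }
        gid != "" && $4 == gid && !($1 in listed) { out = out " " $1 }
        END { sub(/^ /, "", out); print out }
    ' "$3" "$2"
}

user_groups dmtsai "$tmp/passwd" "$tmp/group"
group_members users "$tmp/passwd" "$tmp/group"
group_members dmtsai "$tmp/passwd" "$tmp/group"
```

When reviewing who holds a group's permissions, check both files: the dmtsai group has an empty member field, yet dmtsai is in it.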

So how do you change the effective group? There are two ways to do this, both of which are achieved by newgrp. In the example above, because dmtsai belongs to both the dmtsai and users groups, dmtsai can make either one the effective group at any time. So I can run:

[dmtsai@linux ~]$ newgrp users
[dmtsai@linux ~]$ groups
users dmtsai

Now my effective group is users. Of course, switching the effective group successfully also relies on /etc/gshadow, which we will explain in a moment. So what happens if you now create a file in the /home/dmtsai home directory, for example with 'touch test2'? The file's group is users. That should make the meaning of the effective group clearer.

Let's look more closely at the newgrp command. It changes the current user's effective group, and it does so by logging the user in through another shell. So in the example above, dmtsai is now working in a second shell, and that new shell gives dmtsai the effective GID of users. When 'newgrp groupname' is run directly, the user's effective group becomes groupname; the user's environment settings (environment variables and so on) are not affected, but the user's 'permissions' are recalculated. For example, new files that dmtsai creates at this point belong to the group users.

In Brother Bird's example, note that dmtsai already belongs to both the users and dmtsai groups, so he can use newgrp directly to switch the effective group; to leave the new effective group, type 'exit'. Now suppose my Linux system has another group named vbird. Can dmtsai log in to the vbird group? Yes, under certain conditions:

* The password field for the vbird group in /etc/gshadow is valid (does not contain '!');
* dmtsai must have been added to the vbird group by root or by a group administrator.

Both prerequisites are required. Say I have used gpasswd to set a password for the vbird group and dmtsai has been added to the group's members; then when dmtsai runs 'newgrp vbird', dmtsai's effective group becomes vbird.

# /etc/gshadow

We have just covered the concept of the 'effective group' and the use of the newgrp command. But if you don't understand the settings in /etc/gshadow, newgrp will not get you anywhere. My /etc/gshadow looks something like this:

root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm

The colon ':' is again the field separator, and you will notice that the file is almost identical to /etc/group. The thing to watch is the second field, the password field: if it is '!', the group cannot be logged in to with a password. The fourth field lists the accounts that belong to the group. The fields are:

1. Group name;
2. Password field; as before, a leading '!' means the group cannot be logged in to;
3. Group administrator accounts (covered later);
4. Accounts belonging to the group (same as in /etc/group).

In practice, the main purpose of the password in /etc/gshadow is to 'let users who are not in the group join it temporarily'. That situation is rare, and if you really want to run such an environment you need to be familiar with newgrp and you also have to hand out a group password, which is hard to manage. So if you want a user to have a group's capabilities, it is simpler to add that group to the user's supplementary groups.
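Because a group password is a shared secret that is hard to manage, it is worth knowing which groups have one. The following is an added example, not part of the original article, that classifies the password field of each /etc/gshadow entry and reports the group administrators. The function names and sample file are constructed, the hash is a placeholder, and treating a leading '*' like '!' and an empty field as "no password" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. The gshadow content below is constructed; the hash is a placeholder.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/gshadow" <<'EOF'
root:::root
users:::dmtsai
dmtsai:!::
vbird:$6$CONSTRUCTED$PLACEHOLDERHASH:dmtsai:
project:*:alice:bob
EOF

# gshadow_report FILE: one line per group: name, password state, admins, members.
#   set    = a password string is present, so non-members can use it with newgrp
#   locked = field starts with "!" or "*" (assumed to mean no password login)
#   empty  = no password recorded
gshadow_report() {
    awk -F: '
        NF == 0 { next }                                   # skip blank lines
        NF != 4 { printf "%s malformed\n", $1; next }      # wrong field count
        { state = "set"
          if ($2 == "") state = "empty"
          else if ($2 ~ /^[!*]/) state = "locked"
          printf "%s %s admins=%s members=%s\n", $1, state, $3, $4 }
    ' "$1"
}

# password_groups FILE: only the groups whose password field is usable.
password_groups() {
    gshadow_report "$1" | awk '$2 == "set" { print $1 }'
}

gshadow_report "$tmp/gshadow"
password_groups "$tmp/gshadow"
```

On a real system, run it as root with /etc/gshadow as the argument; any group that password_groups prints is one whose membership is effectively controlled by whoever knows the password.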
