Linux Account Management and ACL permission settings

Source: Internet
Author: User

1. Linux account and user group identifiers: UID and GID

Although we enter an account name when logging on to a Linux host, the host does not actually know the "account name"; it only knows IDs. The account name exists only to make it easy for people to remember. The mapping between an ID and an account is stored in /etc/passwd.

What are the IDs?

Each user obtains at least two IDs: the User ID (UID) and the Group ID (GID).

How does a file determine its owner and user group? It uses the UID and GID. When file attributes need to be displayed, the system consults /etc/passwd and /etc/group, finds the account name and group name corresponding to the UID/GID, and displays those.

2. How does a user on Linux log on to the host and obtain a shell environment?

Sitting at the computer, the user must use one of the tty1 ~ tty6 terminals, which provide the login interface, and enter the account and password before logging on.

1. First, the system looks in /etc/passwd to see whether the account you entered exists. If it does, it reads the UID and GID corresponding to the account (the group is looked up in /etc/group), along with the account's home directory and shell settings.

2. Next, it checks the password table: Linux goes to /etc/shadow, finds the corresponding account and UID, and checks whether the password you just entered matches the password in shadow.

3. If everything is OK, the login proceeds to the shell control stage.

We can see from the above process that two very important files are related to user accounts: /etc/passwd, which manages important parameters such as the user's UID/GID, and /etc/shadow, which is dedicated to managing password-related data.

/etc/passwd file structure

Each line represents one account, so the file has as many lines as there are accounts on your system. Many of these accounts are required for the normal operation of the system; we can refer to them as system accounts for short. Each line is separated by colons (:) into a total of seven fields:

1. User name:

2. Password: If this field is empty, the user does not need a password during logon.

3. UID:

4. GID:

5. User Information Description:

6. Home directory:

7. Shell: /sbin/nologin can be used to prevent the account from obtaining a shell environment.

/etc/shadow file structure

The /etc/shadow file has nine fields.

1. Account name:

UID ranges: 0 (system administrator), 1 ~ 499 (system accounts), 500 ~ 65535 (login accounts). Within the system range, 1 ~ 99 are system accounts created by the distributions themselves, and 100 ~ 499 are UIDs that can be used if you need system accounts of your own. The Linux kernel (2.6.x) supports UID numbers up to 4294967295 (2^32-1).

2. Password:

3. Date of last password change: days are counted from January 1, 1970, which counts as day 1, so January 1, 1971 is day 366. To calculate the value for a given date:

    echo $(($(date --date="2010/11/24" +%s)/86400+1))

Here 2010/11/24 is the date you want to calculate, 86400 is the number of seconds per day, and %s is the total number of seconds since 1970/01/01. Bash only supports integers, so we need to add 1 at the end to make up for the day 1970/01/01 itself.

4. Number of days during which the password cannot be changed (counted from field 3): how many days must pass after the last change before the password of this account can be changed again. If it is 0, the password can be changed at any time. This restriction is designed to keep some people from changing the password over and over. If it is set to 20, the password cannot be changed again within 20 days after you set it.

5. Number of days after which the password must be changed again (counted from field 3): to force users to change their passwords, this field specifies how many days after the last password change the password must be changed again. You must reset your password within the specified number of days; otherwise, the password of this account becomes "expired". A value such as the 99999 above (which works out to 273 years) means that password changes are not mandatory.
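An added example (not part of the original article) that applies the two file layouts described above: it parses constructed /etc/passwd (seven fields) and /etc/shadow (nine fields) records and reports the conditions the article singles out. The sample accounts, the helper names and the names given to shadow fields 6 to 9 are assumptions of this example; `today` must be a day count on the same scale as shadow field 3.

```python
# Constructed sample records for illustration; not real account data.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob::501:501:Bob:/home/bob:/bin/bash
svc:x:0:0:service:/srv:/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$hash:14938:0:99999:7:::
alice:$6$constructed$hash:14938:20:90:7:::
bob::14938:0:99999:7:::
svc:!!:14938:0:99999:7:::
"""

def uid_class(uid):
    """Classify a UID using the ranges given in the article."""
    if uid == 0:
        return "administrator"
    return "system" if uid <= 499 else "login"

def parse(text, nfields, names):
    """Split colon-separated records; reject lines with the wrong field count."""
    records = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        records[fields[0]] = dict(zip(names, fields))
    return records

def audit(passwd_text, shadow_text, today):
    """Return (account, finding) pairs for the conditions described above."""
    pw = parse(passwd_text, 7, ["name", "pw", "uid", "gid", "info", "home", "shell"])
    sh = parse(shadow_text, 9, ["name", "pw", "last", "min", "max", "warn", "inactive", "expire", "rsv"])
    findings = []
    for name, acct in pw.items():
        s = sh.get(name)
        if acct["pw"] == "" or (s and s["pw"] == ""):
            findings.append((name, "empty password field"))
        if uid_class(int(acct["uid"])) == "administrator" and name != "root":
            findings.append((name, "UID 0 but not root"))
        if s and s["last"] and s["max"]:
            last, maxd = int(s["last"]), int(s["max"])
            if maxd == 99999:  # 99999 means a change is never forced
                if acct["shell"] != "/sbin/nologin":
                    findings.append((name, "password change never forced"))
            elif today > last + maxd:
                findings.append((name, "password expired"))
    return findings
```

Calling `audit(PASSWD, SHADOW, 15038)` on the sample data returns one finding per flagged condition, in the order the accounts appear in the passwd text.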
