Linux accounts and groups [transfer from Vbird]


An important part of an administrator's job is managing accounts. The whole system is under your management, and every ordinary user's account request has to go through you, so you need to understand how the accounts on a server host are managed. Before managing accounts on a Linux host, we must first understand how Linux identifies each user.

User identifier: UID and GID

Although we log on to a Linux host by typing an account name, the host does not actually know the "account name" directly; it only knows the ID (a number). Since a computer only understands 0 and 1, the host works with numbers, and the account name exists only so that people can remember it easily. The mapping between your ID and your account name is kept in /etc/passwd.

Remember that every file has an "owner and owning group" attribute? Each logged-on user gets at least two IDs: a user ID (UID) and a group ID (GID). So how does a file identify its owner and group? With the UID and GID! Every file records an owner ID and a group ID, and when a file's attributes have to be displayed, the system looks up the account and group names corresponding to that UID/GID in /etc/passwd and /etc/group and displays those. We can do a small experiment: as root, open /etc/passwd with vi, change the UID of an ordinary user's account to some arbitrary number, then look at that user's home directory and the files it used to own. You will find that the owner of the files has turned into a "number"! Does that make sense? Take a look at the example below:
# 1. First, check whether a user named dmtsai exists on the system:
[root@www ~]# grep 'dmtsai' /etc/passwd
dmtsai:x:503:504::/home/dmtsai:/bin/bash   <== the account exists
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 dmtsai dmtsai 4096 Feb  6 18:25 /home/dmtsai
# Look: the owner field shows dmtsai itself.
# 2. Now change dmtsai's UID from 503 to 2000 and look again:
[root@www ~]# vi /etc/passwd
....(omitted)....
dmtsai:x:2000:504::/home/dmtsai:/bin/bash   <== changed from 503
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 503 dmtsai 4096 Feb  6 18:25 /home/dmtsai
# Scary! Why 503? Because the file only records the number;
# since 503 no longer maps to any account, the number itself is displayed.
# 3. Remember to change 2000 back:
[root@www ~]# vi /etc/passwd
....(omitted)....
dmtsai:x:503:504::/home/dmtsai:/bin/bash   <== changed back quickly!

You must understand that the example above only illustrates the correspondence between UID and account name. On a normally running Linux host you cannot do this casually, because a lot of data has already been created on the system, and arbitrarily changing the UID of some accounts will very likely make some programs stop working, so the system no longer runs smoothly. It is all a matter of permissions! So once you have understood the point, hurry back into /etc/passwd and change the number back.

User Account

What does a user on a Linux system have to do to log on to a host and get a shell environment to work in? First, the user must use the login interface provided by the tty1~tty7 terminals at the console and enter an account name and password. If it is over the network, the user will at least have to learn SSH (discussed in the server chapters). So what does the system do for you after you enter your account name and password?

    1. Look up the account you entered in /etc/passwd. If it is not there, the login is rejected; if it is, the account's UID and GID (the GID is resolved in /etc/group) are read out, along with the account's home directory and shell settings;

    2. Next comes the password check. Linux goes into /etc/shadow, finds the entry for that account and UID, and checks whether the password you just typed matches the one stored there;

    3. If everything checks out, you enter the shell control stage!

That is the general flow. So whenever you log on to your Linux host, /etc/passwd and /etc/shadow must be read by the system (which is also why many attackers try to plant a special account in /etc/passwd). Therefore, if you want to back up the accounts of a Linux system, these two files must be backed up!

From the process above we also know that two very important files go with a user account: /etc/passwd, which manages the important parameters such as the user's UID/GID, and /etc/shadow, which specifically manages the password-related data. The contents of these two files are worth studying! Below we briefly introduce both files; for detailed descriptions see man 5 passwd and man 5 shadow.

/etc/passwd file structure

The structure of this file is simple: each line represents one account, so the number of lines is the number of accounts on your system. Note, however, that many of the accounts in the system are required for its normal operation; we can simply call them system accounts, for example bin, daemon, adm, nobody and so on. Please do not delete these accounts on a whim! The content of the file looks somewhat like this:

[root@www ~]# head -n 4 /etc/passwd
root:x:0:0:root:/root:/bin/bash   <== explained below
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

Let's look at the first line, which every Linux system has: the line for root, the system administrator. You can clearly see that each line is split by ":" into a total of seven fields, which are:

  1. Account name:
    This is the account name! It is used to map to the UID. For example, root's UID is 0 (the third field);

  2. Password:
    Early Unix systems stored the password in this field. But because this file must be readable by all programs, the password data could easily be stolen, so the password data of this field was later moved to /etc/shadow. That is why you only see an "x" here!

  3. UID:
    This is the user identifier. Linux applies several conventions to the UID that you need to know:

    UID         User attribute
    0           System administrator. When the UID is 0, the account is the "system administrator"! So if you want another account name to have root privileges, you only have to change that account's UID to 0. In other words, root is not necessarily the only administrator on a system. Having several accounts with UID 0 is, however, not recommended.
    1~499       System accounts. IDs reserved for the system's use. In fact any UID other than 0 has the same kind of privileges; keeping the numbers below 500 reserved for the system is only a convention.

                Services started on the system should run with reduced privileges rather than as root, so each running program needs an owner account of its own. These system accounts usually cannot log in.

                By their origin, system accounts are roughly divided into two kinds:
                1~99: system accounts created by the distribution;
                100~499: UIDs available when a user needs to create a system account.
    500~65535   Accounts that can log in, for general users. In fact the current Linux kernel (2.6.x) already supports UID numbers as large as 4294967295 (2^32-1).

    Do you understand the explanation above? Yes, an account whose UID is 0 is root! So pay special attention to your /etc/passwd file!

  4. GID:
    This relates to /etc/group. The idea of /etc/group is almost the same as that of /etc/passwd, except that it standardizes the correspondence between group names and GIDs.

  5. User information description:
    This field basically has no important purpose; it just describes the meaning of the account. However, if you provide the finger service, this field can supply a lot of information. The chfn command, explained later in this chapter, modifies the description here.

  6. Home directory:
    This is the user's home directory; for example, root's home directory is /root, so when root logs in, the shell immediately lands in /root. If you have an account with a very large amount of data and want to move its home directory to another hard disk, this is the field to modify. By default a user's home directory is /home/youridname.

  7. Shell:
    We have mentioned BASH many times in chapter 11. When a user logs in, the user gets a shell that communicates with the kernel to carry out the user's tasks. Why is bash the default shell? Because it is specified in this field! An important point: there is a "shell" that replaces the login action and prevents the account from getting a shell environment. That is /sbin/nologin! It can also be used to create accounts for people who only use POP mail.

/etc/shadow file structure

We know that many programs run with permissions, and permissions are tied to the UID/GID. Every program therefore needs to read /etc/passwd to learn the permissions of the different accounts, so the permissions of /etc/passwd have to be -rw-r--r--. Although the password in the early days was already encrypted, it sat in the second field of /etc/passwd, where anyone curious could easily steal it, and an encrypted password can still be recovered by brute force (trial and error)!

Because of this, the technique of moving the password into a separate file, /etc/shadow, was developed later, and many password restrictions were added to /etc/shadow as well. Let's look at the structure of this file. Bird's /etc/shadow looks somewhat like this:

[root@www ~]# head -n 4 /etc/shadow
root:$1$/30qpe5e$y9n/d0bh6raacbez.hqo00:14126:0:99999:7:::   <== explained below
bin:*:14126:0:99999:7:::
daemon:*:14126:0:99999:7:::
adm:*:14126:0:99999:7:::

Basically, shadow also uses ":" as the delimiter; if you count, you will find a total of nine fields. Their purposes are:

  1. Account name:
    Because the password has to correspond to an account, the first column of this file is the account name, and it must be the same as in /etc/passwd!

  2. Password:
    This field holds the real password, in encrypted (hashed) form: you only see letters and some special symbols. Note that although these encrypted passwords are hard to crack, "hard" is not "impossible", so the default permissions of this file are "-rw-------" or "-r--------", meaning only root can read and write it. Be careful not to change the permissions of this file by accident!

    In addition, because different password encoding techniques are used, different encoding schemes make this field vary in length. For example, the legacy DES scheme produces a different password length than the current MD5 (Note 2); the MD5 form is noticeably longer. Since a fixed encoding scheme always produces the same length, "when you change the length of this field, the password becomes invalid (it no longer counts)". Many tools use this: by prepending ! or * to this field they change its length and so make the password "temporarily invalid".

  3. Date of the last password change:
    This field records the date on which the password was last changed, but the value looks strange: how can it be 14126 in my case? This is because Linux counts the date as the number of days accumulated since January 1, 1970, which counts as 1, so January 1, 1971 is 366. Pay attention to this value! The 14126 above stands for 2008-09-04. To see the date, you can use the chage command introduced later in this chapter. To find the accumulated day number of a given date, use the following command:

    [root@www ~]# echo $(($(date --date="2008/09/04" +%s)/86400+1))
    14126

    In the command above, 2008/09/04 is the date you want to convert, 86400 is the number of seconds in a day, and %s is the accumulated number of seconds since 1970/01/01. Because bash only does integer arithmetic, 1 has to be added at the end to account for the day 1970/01/01 itself.

  4. Minimum number of days before the password may be changed again: (relative to the 3rd field)
    This field records how many days after the last change the password may be changed again. If it is 0, the password can be changed at any time. The restriction exists to stop a password from being changed back and forth at will: if it is set to 20 days, then for 20 days after you set a password you cannot change it again!

  5. Number of days after which the password must be changed: (relative to the 3rd field)
    Changing passwords regularly is a good habit. To force users to do so, this field specifies how many days after the most recent change the password must be changed again. You must reset your password within that many days, otherwise the password of this account "expires". A value of 99999 (about 273 years), as in the example above, means that changing the password is effectively not mandatory.

  6. Number of warning days before the password must be changed: (relative to the 5th field)
    When the account's password is about to expire (per the 5th field), the system issues a "warning" to the account according to this field, reminding the user that "your password will expire in n days, please change it as soon as possible!" In the example above the system warns the user during the 7 days before the password expires.

  7. Grace period after the password expires (password inactivity): (relative to the 5th field)
    The password's validity period is "date of last change (3rd field)" + "change interval (5th field)"; if the user still has not changed the password by then, the password has expired. Even with an expired password the account can still be used for other tasks, including logging into the system to get bash; however, when you log in, the system forces you to reset the password before you can continue. This is the password-expiration feature.

    So what does this field do? It sets how many days after the password expires the user may still log in and change it; if the user still has not logged in and changed the password after that many days, the password becomes "inactive" (invalid), and the account can no longer be used to log in with a password. Note that password expiration is not the same as password inactivity.

  8. Account expiration date:
    This date is configured like the third field, as the total number of days since 1970. It indicates that the account is no longer usable after this date: regardless of whether the password has expired, the "account" itself can no longer be used. This field is typically used on "paid service" systems, where you can specify a date after which the account can no longer be used!

  9. Reserved:
    The last field is reserved for new features that may be added later.

As an example, suppose the shadow line of my user dmtsai looks like this:

dmtsai:$1$vyuuj.ex$omt6lkjvmcizhx4h7ri1v.:14299:5:60:7:5:14419:

What does it mean? First, note that 14299 is 2009/02/24. So the password situation of the user dmtsai is:

Since password hashing is essentially one-way (the plaintext becomes the stored password, but the stored password cannot be reversed into the plaintext), we cannot learn dmtsai's actual plaintext password from the data above;

The password of this account was last changed on 2009/02/24 (14299);

The password can be changed again only 5 days later, i.e. not until 2009/03/01; if the user tries to change the password before then, the system shows this message:

You must wait longer to change your password
passwd: Authentication token manipulation error

The message tells you that you have to wait longer before you can change the password!

Since the password expiration period is defined as 60 days, the accumulated day number is 14299+60=14359, which corresponds to 2009/04/25. This means: "the user must change the password within the 60-day window between 2009/03/01 and 2009/04/25; if it is still unchanged after 2009/04/25, the password is declared expired"!

The warning period is set to 7 days, i.e. the 7 days before the password expires, which here are 2009/04/19 ~ 2009/04/25. If the user has not changed the password, then whenever dmtsai logs in during those 7 days the following message appears:

Warning: your password will expire in 5 days

If the password still has not been changed by 2009/04/25, the password expires. Because of the 5-day grace period, however, dmtsai can still log on to the host with the old password until 2009/04/30, but will be forced to change the password at login, with a screen somewhat like the following:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user dmtsai.
Changing password for dmtsai
(current) UNIX password:

You must enter the old password and then the new password twice before you can start using the system's resources. If you try to log in as dmtsai after 2009/04/30, the following error message appears and you cannot log in, because by then the password has become invalid!

Your account has expired; please contact your system administrator

If the user changes the password before 2009/04/25, the 14299 in the 3rd field changes, and all the derived dates change with it! ^_^

No matter what the user does, the account expires at 14419 (around 2009/07/24).
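As an added example (not part of the original page), the following Python script parses the dmtsai shadow line quoted above and derives every date the walkthrough works out by hand, then classifies what a login on a given day runs into. The day boundaries follow the page's own description rather than the exact shadow library code, and note that field 8 (14419) converts to 2009-06-24.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)  # fields 3 and 8 count days since this date
NO_EXPIRY = 99999         # the "never force a change" value in the root/bin lines

# Constructed sample input: the dmtsai record exactly as quoted on the page.
SAMPLE_SHADOW_LINE = "dmtsai:$1$vyuuj.ex$omt6lkjvmcizhx4h7ri1v.:14299:5:60:7:5:14419:"


def day_to_iso(days: int) -> str:
    """Shadow day number -> ISO date, e.g. 14126 -> '2008-09-04'."""
    return (EPOCH + timedelta(days=days)).isoformat()


def iso_to_day(iso: str) -> int:
    """ISO date -> shadow day number (what the page's date +%s arithmetic yields)."""
    return (date.fromisoformat(iso) - EPOCH).days


@dataclass
class ShadowEntry:
    name: str
    password: str                 # field 2: hash, or '!'/'*' prefixed to lock it
    last_change: Optional[int]    # field 3
    min_days: int                 # field 4
    max_days: Optional[int]       # field 5
    warn_days: int                # field 6
    inactive_days: Optional[int]  # field 7
    expire_day: Optional[int]     # field 8 (field 9 is reserved and ignored)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line into its nine colon-separated fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    opt = lambda s: int(s) if s else None
    return ShadowEntry(f[0], f[1], opt(f[2]), int(f[3] or 0), opt(f[4]),
                       int(f[5] or 0), opt(f[6]), opt(f[7]))


def password_locked(e: ShadowEntry) -> bool:
    """A '!' or '*' in front of the hash makes it invalid, so no password matches."""
    return e.password.startswith(("!", "*"))


def aging_dates(e: ShadowEntry) -> dict:
    """Every date the aging fields imply, following the page's dmtsai walkthrough."""
    out = {}
    if e.last_change is None:
        return out
    out["last_change"] = day_to_iso(e.last_change)
    out["can_change_from"] = day_to_iso(e.last_change + e.min_days)
    if e.max_days is not None and e.max_days < NO_EXPIRY:
        expire = e.last_change + e.max_days
        out["password_expires"] = day_to_iso(expire)
        # the warning window includes the expiry day: 7 days -> 04-19 .. 04-25
        out["warn_from"] = day_to_iso(expire - e.warn_days + 1)
        if e.inactive_days is not None:
            # old password still accepted (with a forced change) through expire+inactive
            out["login_refused_from"] = day_to_iso(expire + e.inactive_days + 1)
    if e.expire_day is not None:
        out["account_expires"] = day_to_iso(e.expire_day)
    return out


def login_status(e: ShadowEntry, today: int) -> str:
    """What a login on shadow day `today` runs into, using the page's rules."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"        # field 8: nothing else matters any more
    if password_locked(e):
        return "password-locked"
    if e.last_change is None or e.max_days is None or e.max_days >= NO_EXPIRY:
        return "ok"
    expire = e.last_change + e.max_days
    if e.inactive_days is not None and today > expire + e.inactive_days:
        return "password-inactive"      # grace period used up: login refused
    if today > expire:
        return "must-change-password"   # grace period: passwd is forced at login
    if today > expire - e.warn_days:
        return f"warn-{expire - today}-days"
    if today < e.last_change + e.min_days:
        return "ok-cannot-change-yet"   # field 4 still blocks passwd
    return "ok"


if __name__ == "__main__":
    entry = parse_shadow_line(SAMPLE_SHADOW_LINE)
    for key, value in aging_dates(entry).items():
        print(f"{key:20s} {value}")
    print(login_status(entry, iso_to_day("2009-04-20")))  # warn-5-days
```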

With this, you should find it easier to understand. Because /etc/shadow is so important, it must not be modified casually! Still, in some situations you do have to deal with this file in various ways. For example, you often hear people say "I forgot my password", or "I don't know who changed my password; it is no longer what it used to be". What do you do then?

An ordinary user forgot the password: this is the easiest case. Ask the system administrator for help; root can reset your password with the passwd command without needing to know the old one.

The root password was forgotten: this is the troublesome case, because you cannot log in as root! We know, however, that root's password is in /etc/shadow, so you can use any of various ways to boot into Linux and then modify it. For example, reboot into single-user maintenance mode, where the system gives you a bash prompt with root privileges, and change the password with passwd; or boot from a Live CD, mount the root filesystem, edit /etc/shadow and empty root's password field, after which root can log in without a password once the system is rebooted. After logging in, immediately set a root password with the passwd command.

About groups: effective and initial groups, groups, newgrp

Now that you know the two files tied to your account, /etc/passwd and /etc/shadow, you may still wonder: where are the group settings? And isn't the fourth column of /etc/passwd the so-called GID? What is that, then? At this point you need to understand /etc/group and /etc/gshadow.

/etc/group file structure

This file records the correspondence between GIDs and group names. The /etc/group on Bird's test machine looks somewhat like this:
[root@www ~]# head -n 4 /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm

Each line of this file represents one group, and again the colon ":" separates the fields. There are four columns, with the following meanings:

    1. Group name:
      Just the group's name!

    2. Group password:
      Usually not configured. This setting is meant for a "group manager", and there is little need to configure a group administrator nowadays. As with user passwords, the real password has been moved to /etc/gshadow, so this field only holds an "x";

    3. GID:
      The group's ID. The GID in the fourth field of /etc/passwd is mapped to a group name through this field!

    4. Accounts supported by this group:
      We know that one account can belong to several groups. When an account is to join a group, its name is added to this field. For example, to let dmtsai also join the root group, append ",dmtsai" to the first line, with no spaces, so that it reads "root:x:0:root,dmtsai".

Having covered /etc/passwd, /etc/shadow and /etc/group, we can picture the relationship between UID/GID and the password as a simple diagram. The focal point is really /etc/passwd; the other data are found by following the fields of this file. For example, root's UID is 0 and its GID is also 0; looking up /etc/group tells us that GID 0 is the group named root. For the password, the line in /etc/shadow with the same account name as in /etc/passwd holds the password-related data.

The most important feature of /etc/group is the fourth column, because each user can have several supported groups, just as at school you can join several clubs! ^_^ But here you may wonder: "If I belong to several groups at once, which group counts when I am working?" That brings us to the concept of the "effective group".

Effective group and initial group

Remember that every user has a GID in the fourth column of /etc/passwd? That GID is the so-called "initial group": when the user logs on to the system, the user immediately has that group's permissions. For example, for the user dmtsai mentioned above, the relevant contents of /etc/passwd, /etc/group and /etc/gshadow are as follows:
[root@www ~]# usermod -G users dmtsai   <== configure the secondary group first
[root@www ~]# grep dmtsai /etc/passwd /etc/group /etc/gshadow
/etc/passwd:dmtsai:x:503:504::/home/dmtsai:/bin/bash
/etc/group:users:x:100:dmtsai   <== secondary group configuration
/etc/group:dmtsai:x:504:        <== initial group, so the fourth field need not list the account
/etc/gshadow:users:::dmtsai     <== secondary group configuration
/etc/gshadow:dmtsai:!::

Look at the output carefully: in /etc/passwd, dmtsai belongs to the group with gid=504, and searching /etc/group shows that 504 is the group named dmtsai. This is the initial group. Because it is the initial group, the user gets it automatically at login, and the account does not need to be written in the fourth field of /etc/group!

Groups other than the initial group are different. In the example above I add dmtsai to the users group; because users is not dmtsai's initial group, I have to find the users line in /etc/group and add the account dmtsai to its fourth column, so that dmtsai joins the users group.

So in this example, because my dmtsai account supports both the dmtsai and users groups, when dmtsai reads, writes or executes a file under the group permission, whatever is allowed to either the users or the dmtsai group is available to dmtsai. However, that applies to existing files. If I create a new file or directory today, will the group of the new file be dmtsai or users? That depends on the effective group at that moment.

groups: observing effective and supported groups

How do I see all my supported groups when logged in as dmtsai? Simply type groups. Note that it is groups, plural! The result looks like this:

[dmtsai@www ~]$ groups
dmtsai users

This output shows that the user dmtsai belongs to both the dmtsai and users groups, and that the first group printed is the effective group. So my effective group is dmtsai. If I now use touch to create a new file, for example "touch test", the file's owner is dmtsai and its group is also dmtsai.

[dmtsai@www ~]$ touch test
[dmtsai@www ~]$ ll
-rw-rw-r-- 1 dmtsai dmtsai 0 Feb 17:26 test

Now do you know what an effective group is? The effective group determines the group of newly created files! Can the effective group be changed?

newgrp: switching the effective group

How do you change the effective group? Just use newgrp! There is a restriction, though: the group you switch to must be one you already support. For example, dmtsai can switch the effective group between dmtsai and users, but dmtsai cannot switch the effective group to sshd. Use it like this:

[dmtsai@www ~]$ newgrp users
[dmtsai@www ~]$ groups
users dmtsai
[dmtsai@www ~]$ touch test2
[dmtsai@www ~]$ ll
-rw-rw-r-- 1 dmtsai dmtsai 0 Feb 17:26 test
-rw-r--r-- 1 dmtsai users  0 Feb 17:33 test2

At this point dmtsai's effective group has become users. The newgrp command changes the current user's effective group by providing another shell, so in the example above dmtsai is now working in a new shell, and that new shell gives dmtsai an effective GID of users. Pictured as a diagram, it looks like this:

Although the user's environment settings (environment variables and the like) are not affected, the group permissions are recalculated. Note, however, that because a new shell has been obtained, you have to type exit to return to the original shell!
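Added example, not from the original page: a small Python model of /etc/passwd and /etc/group built from the records quoted above (the sample file contents are constructed here). It reproduces the UID-to-name lookup that made the directory listing show "503" after the UID was changed, the initial-plus-supplementary group list that groups prints, the rule that newgrp only accepts a group the user already supports, and an audit check for extra UID-0 accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample files reproducing the records quoted on the page.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
dmtsai:x:503:504::/home/dmtsai:/bin/bash
"""
GROUP_TEXT = """\
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
users:x:100:dmtsai
dmtsai:x:504:
"""
NOLOGIN_SHELLS = ("/sbin/nologin", "/bin/false")

@dataclass
class PasswdEntry:      # the seven fields of /etc/passwd
    name: str
    password: str       # 'x': the real hash lives in /etc/shadow
    uid: int
    gid: int            # initial group
    gecos: str
    home: str
    shell: str

@dataclass
class GroupEntry:       # the four fields of /etc/group
    name: str
    password: str
    gid: int
    members: List[str]  # field 4: accounts that support this group

def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"bad passwd line: {line!r}")
        out[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return out

def parse_group(text: str) -> Dict[str, GroupEntry]:
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"bad group line: {line!r}")
        out[f[0]] = GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m])
    return out

def uid_kind(uid: int) -> str:
    """The conventional UID ranges from the page: 0, 1-499, 500 and above."""
    if uid == 0:
        return "administrator"
    return "system" if uid < 500 else "regular"

def owner_columns(passwd, group, uid: int, gid: int) -> Tuple[str, str]:
    """What ls -l shows for a file: names when the IDs resolve, bare numbers when not."""
    owner = next((p.name for p in passwd.values() if p.uid == uid), str(uid))
    grp = next((g.name for g in group.values() if g.gid == gid), str(gid))
    return owner, grp

def groups_of(passwd, group, user: str) -> List[str]:
    """Initial group first (the effective group at login), then supplementary ones."""
    gid = passwd[user].gid
    initial = next((g.name for g in group.values() if g.gid == gid), str(gid))
    extra = [g.name for g in group.values() if user in g.members and g.name != initial]
    return [initial] + extra

def newgrp(supported: List[str], target: str) -> List[str]:
    """newgrp only accepts a group the user already supports; it becomes the first one."""
    if target not in supported:
        raise PermissionError(f"{target!r} is not one of the user's groups")
    return [target] + [g for g in supported if g != target]

def uid_zero_accounts(passwd) -> List[str]:
    """Audit check: every account with UID 0 is an administrator, not only root."""
    return [p.name for p in passwd.values() if p.uid == 0]

def can_get_shell(entry: PasswdEntry) -> bool:
    """Field 7 decides whether a login yields a shell at all."""
    return entry.shell not in NOLOGIN_SHELLS
```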

So, as long as a group is one of my supported groups, I can switch it to be the effective group. The next question is how an account joins another group. There are two ways: one is to have the system administrator (root) run usermod for you; the other, if root is too busy and a group administrator has been configured on your system, is to have the group administrator use gpasswd to add you to the group he manages. The details are left to the next section!

/etc/gshadow

We have said a lot about the concept of the "effective group" and also mentioned the newgrp command, but if you do not understand the /etc/gshadow configuration, newgrp cannot work. The /etc/gshadow on Bird's test machine looks somewhat like this:

[root@www ~]# head -n 4 /etc/gshadow
root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm

This file also uses the colon ":" as the field separator, and you will find it almost identical to /etc/group. The main thing to note is the second field, the password column: if it starts with "!", the group has no group administrator. The fourth field holds the supported account names. The four fields mean:

    1. Group name
    2. Password column; as before, a leading ! means there is no valid password and therefore no group administrator
    3. Group administrator's account (see gpasswd for the details)
    4. Accounts belonging to the group (the same as in /etc/group!)

For a system administrator, the biggest use of gshadow is creating group administrators. What is a group administrator? A system may have many accounts, and root may be too busy to handle every request to join a group. If a group administrator is created, that administrator can add accounts to the group he manages, relieving root of the work. However, because tools like sudo exist, this group administrator feature is rarely used nowadays. We will introduce the practice with gpasswd later.

Transfer from http://vbird.dic.ksu.edu.tw/linux_basic/0410accountmanager_1.php
