Linux basic knowledge of users and user groups and Linux rights Management

Source: Internet
Author: User
Tags md5 hash

Having covered the basic commands, I have now started on Linux user management, user group management and rights management. These are the terms that, as a front-end programmer, I always found intimidating and skipped over whenever I tried to learn Linux. Today the goal is to work through these concepts properly and come away with something useful.

1. Starting from /etc/passwd

In the earlier article on basic commands we used the passwd command to change a user's password. Where does the operating system keep user names and passwords? For a website, everyone knows that user names and passwords are stored in a database, and the databases we usually mean are products such as MySQL, Oracle or MongoDB. Strictly speaking, calling MySQL "a database" is imprecise: these products are database management software, and broadly anything that stores records, even a plain text file, can serve as a database.

The operating system's user names and passwords are also stored in a database of this kind, and under Linux that database is a text file: /etc/passwd. Let's look at its contents:

[screenshot: output of cat /etc/passwd]

Most people seeing this for the first time will ask: what on earth is this? Honestly, apart from the line numbers, nothing in it looks familiar.

Look more closely and a pattern emerges. You may notice the following:

      • Every line contains a number of colons (:), which divide the line into pieces.
      • Every line has the same number of colons.
      • If we call the text between two colons a field, every line has the same number of fields (counting empty fields).
      • The first line is root and the last line is charley: the two accounts on this machine.

So a bold guess: this is the user table, and its fields hold information about each user. That is correct: /etc/passwd stores user-related information such as the user name, password placeholder, group and so on. You may still be puzzled: we only have two users, the administrator account root and the ordinary user charley, so what are all the other lines, and why are they in this table? Hold that thought; we start with the different ways of grouping users.

2. Some common ways of grouping

Below we look at users and user groups and at the questions raised above. Depending on the point of view, users and groups can be divided in several ways:

      • By user type, users divide into:
        • Administrator (root)
        • Normal users
      • By group type, groups divide into:
        • Administrators group
        • General user groups
      • From a single user's point of view, the groups it belongs to divide into:
        • Basic group (default or primary group)
        • Additional groups (supplementary groups)
      • Ordinary (non-root) users can further be divided into:
        • System users
        • Normal users
      • And correspondingly, ordinary groups divide into:
        • System user groups
        • General user groups

Does this list make your head spin? It doesn't matter. The same set of users and groups can be cut in many ways; the categories above are just the conventional ones, and each of them shows up as an option of the commands that create users and groups. Once we have gone through those commands, these concepts fall into place naturally.

3. Understanding users

We know that /etc/passwd is the database in which the operating system keeps user information, and that each line represents one user. Besides the system's root user and the normal user charley that we created, there are many other lines. What are they? Are they users too? Yes: these are users as well, but they were not created by us. They were created by the operating system (or by packages installed on it), and so they are called system users.

Anyone who wants to use a feature of the operating system must be a user on that system (a guest account is still a user). After a user logs in, the operating system decides what the user may do by checking the user's identity against the permissions assigned to it.

We use the computer, and thus the operating system, to get work done, and concretely the work is done by software running on the operating system. When the system boots, a number of applications and services must be started, and by the logic above every program has to run as some user. For this reason Linux creates system users whose only purpose is to own and run these services. System users do not need to log in, and are therefore also called non-login users; keep that in mind for later.

The identity mentioned above is an identification code: the operating system recognises a user by a number rather than by a name. We humans recognise users by their user names, because a string is easy to remember; the computer prefers numbers. So when a user is created, the system assigns it a unique number to identify it, called the UID (user ID). Similarly, every user group has a number, the GID (group ID).

On Linux systems, UIDs are conventionally divided as follows:

      • 0 is the administrator (root). What matters to the kernel is the number, not the name: any account with UID 0 has full root privileges, so an audit should check for extra UID 0 entries
      • 1-499 are system users (on older Red Hat/CentOS releases; most current distributions reserve 1-999)
      • 500 and above (1000 and above on current distributions) are normal users; the boundary is UID_MIN in /etc/login.defs
      • The upper limit of 65535 dates from 16-bit UIDs; modern kernels use 32-bit UIDs, and the exact ranges vary between distributions

4. Field analysis of /etc/passwd

The fields in /etc/passwd, from left to right, mean the following (the field names are my own):

      • Account: user name
      • Password: password placeholder
      • UID: user ID
      • GID: ID of the user's basic group
      • GECOS: comment information (full name and similar details)
      • Home dir: user's home directory
      • Shell: user's login shell
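As an added example (not part of the original article), here is a small parser for records in the /etc/passwd format, together with the UID classification from section 3 and a few checks an administrator would run on the table. The sample lines are constructed to resemble a CentOS-era machine, and the helper names (parse_passwd, classify_uid, audit) are this example's own.

```python
from dataclasses import dataclass

# Constructed sample data (not copied from a real system). Two human users,
# a few system accounts, one account with an empty password field and one
# extra UID 0 account that an audit should catch.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
charley:x:500:500:Charley:/home/charley:/bin/bash
mike:x:501:501::/home/mike:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

# Shells that prevent interactive login (Debian places nologin in /usr/sbin).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" means the hash is in /etc/shadow
    uid: int
    gid: int       # the user's basic (primary) group
    gecos: str     # comment field
    home: str
    shell: str


def parse_passwd(text):
    """Split /etc/passwd-style text into PasswdEntry objects (7 colon-separated fields)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_uid(uid, uid_min=500):
    """Classify a UID the way the article does. uid_min is UID_MIN from
    /etc/login.defs: 500 on older Red Hat systems, 1000 on most current ones."""
    if uid == 0:
        return "root"
    if uid < uid_min:
        return "system"
    return "normal"


def can_log_in(entry):
    """A login shell outside NOLOGIN_SHELLS means the account can log in interactively."""
    return entry.shell not in NOLOGIN_SHELLS


def audit(entries, uid_min=500):
    """Return findings about the user table that a sysadmin would want to know."""
    findings = []
    uid0 = [e.name for e in entries if e.uid == 0]
    if len(uid0) > 1:
        # The kernel only looks at the number: every UID 0 account is root.
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field")
        elif e.password not in ("x", "*", "!", "!!"):
            findings.append(f"{e.name}: password hash kept in world-readable /etc/passwd")
        if classify_uid(e.uid, uid_min) == "system" and can_log_in(e):
            findings.append(f"{e.name}: system account with login shell {e.shell}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Running it on a real machine is just `audit(parse_passwd(open("/etc/passwd").read()))`; on the constructed sample it reports the duplicate UID 0 account and the passwordless guest account.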

The password placeholder, whose value is x, is obviously not the real password. Where is the real password kept? In /etc/shadow. That file does not contain plaintext passwords either, but one-way hashes of them, and unlike the world-readable /etc/passwd it is readable only by root. Let's look at /etc/shadow (as root):

[screenshot: output of cat /etc/shadow]

As you can see, /etc/shadow is also a table keyed by user name. Remember the man command from the earlier article? Section 5 of the manual covers file formats, so let's try it on this file with man 5 shadow:

[screenshot: man 5 shadow]

The manual explains the meaning of every field in /etc/shadow (only part of the page is shown here): user name, password hash, date of last change, minimum and maximum password age, warning period, inactivity period, expiry date and a reserved field. Similarly, man 5 passwd documents the fields of /etc/passwd.

Back to the password field. Looking at the value of this field for root and charley, you can see a pattern:

      • $1$xxxxxxxx$xxxxxxxxxx.....

From this field we can read off the following:

      • The 1 between the first two dollar signs identifies the hashing scheme: 1 is MD5-based crypt (md5crypt). Current systems use stronger schemes: 5 is SHA-256 crypt, 6 is SHA-512 crypt and y is yescrypt
      • The string between the second and third dollar signs is the salt
      • The string after the third dollar sign is the hash computed from the salt and the plaintext password. A field beginning with ! or * means the account has no usable password (locked), and an empty field means no password is set at all

Now that hashes and salts have come up, let's review the basics. There are three kinds of cryptographic primitive we commonly use:

      • Symmetric encryption: the same key is used to encrypt and to decrypt.

      • Public key cryptography: each party has a pair of keys, a private key (kept secret) and a public key. Data encrypted with the public key can be decrypted only with the matching private key, and data signed with the private key can be verified with the public key. It is far slower than symmetric encryption, so it is generally not used to encrypt bulk data but for key exchange and digital signatures.
      • One-way hashing (often loosely called "one-way encryption"): the function can be computed but not reversed. In other words, a digest can be obtained from the plaintext, but the plaintext cannot be obtained from the digest. A hash acts as a fingerprint of the data: two inputs that produce the same digest are, with overwhelming probability, the same data, which is why hashes are used for integrity checks. If the data has been tampered with, its digest changes. Commonly used hash functions are:

        • MD5: fixed-length 128-bit output
        • SHA-1: fixed-length 160-bit output
        • SHA-256 and the rest of the SHA-2 family, and SHA-3, which differ mainly in output length and internal design. MD5 and SHA-1 both have practical collision attacks and should not be used where an attacker controls the input
      • Properties of a one-way hash:
        • Irreversible
        • Avalanche effect: a small change in the input causes a large change in the digest
        • Fixed-length output: the digest has the same length regardless of the input length
      • Salting: if two users choose the same password, their unsalted MD5 digests are identical, so a user who notices that another user's digest matches his own immediately knows that user's password. Worse, an attacker can precompute the digests of common passwords once and compare them against every account. To avoid this, a random string (the salt) is mixed into the password before hashing, so that identical passwords produce different digests and precomputed tables are useless. The salt is stored in the clear next to the hash, because it is needed again to verify a login. This process is called salting. Password hashing schemes (md5crypt, sha512crypt, yescrypt, bcrypt) additionally iterate the hash many times to slow down brute-force guessing.
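As an added example (not part of the original article) that ties together the $id$salt$hash format above and the discussion of salting, the block below decodes the password field of /etc/shadow into its scheme, salt and digest, and then shows with plain hashlib why the salt matters. The sample shadow lines and the hash values in them are constructed placeholders, and the toy_hash function is a single MD5 call for illustration only: the real $1$ scheme (md5crypt) mixes password and salt through 1000 MD5 iterations, so these digests will not match a real /etc/shadow entry. Helper names (parse_hash_field, toy_hash, salt_demo) are this example's own.

```python
import hashlib
import hmac

# Prefix ids used in the password field of /etc/shadow (see crypt(5)).
HASH_IDS = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

# Constructed sample lines; the digests are placeholders, not real hashes.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$rounds=5000$Q7tZp4Lm$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
charley:$1$8x7Gq2Vb$BBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
apache:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""


def parse_hash_field(field):
    """Return (scheme, salt, digest) for one /etc/shadow password field.

    Locked accounts ('!' or '*' prefix) and empty fields have no salt or digest.
    Traditional DES crypt has no '$' prefix: 2 salt characters, 11 digest characters.
    """
    if field == "":
        return ("empty", None, None)          # login may succeed without a password
    if field[0] in "!*":
        return ("locked", None, None)
    if not field.startswith("$"):
        return ("descrypt", field[:2], field[2:])
    parts = field.split("$")                 # ['', id, [params...], salt, digest]
    scheme = HASH_IDS.get(parts[1], "unknown:" + parts[1])
    # sha*crypt may carry 'rounds=N' and yescrypt carries a cost string between
    # the id and the salt; the salt and digest are always the last two pieces.
    return (scheme, parts[-2], parts[-1])


def parse_shadow(text):
    """Map user name to the parsed password field of each line."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            result[fields[0]] = parse_hash_field(fields[1])
    return result


def toy_hash(password, salt=""):
    """Illustration only: one MD5 over salt||password (NOT md5crypt)."""
    return hashlib.md5(salt.encode() + password.encode()).hexdigest()


def make_toy_field(password, salt):
    """Build a '$toy$salt$digest' field; the salt must be stored to verify later."""
    return f"$toy${salt}${toy_hash(password, salt)}"


def verify_toy_field(password, field):
    """Recompute the digest with the stored salt; compare in constant time."""
    _, _, salt, digest = field.split("$")
    return hmac.compare_digest(toy_hash(password, salt), digest)


def salt_demo(password="hunter2", salt_a="8x7Gq2Vb", salt_b="Lk3pQr9z"):
    """Show the properties salting relies on.

    Returns (unsalted_equal, salted_differ, bits_flipped):
      - two users with the same password get the same unsalted digest,
      - different salts give different digests for that password,
      - changing one character of the password flips roughly half of the
        128 digest bits (avalanche effect).
    """
    unsalted_equal = toy_hash(password) == toy_hash(password)
    salted_differ = toy_hash(password, salt_a) != toy_hash(password, salt_b)
    a = int(toy_hash(password, salt_a), 16)
    b = int(toy_hash(password[:-1] + "3", salt_a), 16)
    bits_flipped = bin(a ^ b).count("1")
    return unsalted_equal, salted_differ, bits_flipped


if __name__ == "__main__":
    for user, parsed in parse_shadow(SAMPLE_SHADOW).items():
        print(user, parsed)
    print(salt_demo())
```

The verify function is the reason the salt sits in the clear in /etc/shadow: a login check recomputes the hash over the stored salt and the typed password and compares the result, and the comparison uses hmac.compare_digest so that timing does not leak how many leading characters matched.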

5. useradd command: add a user

After all that, finally something practical. Linux adds a user with the useradd command, and in its simplest form it is just useradd USERNAME.

We create a new user, mike, and then look at the corresponding line in /etc/passwd:

[screenshot: tail of /etc/passwd after useradd mike]

In the last line of /etc/passwd we see the user just added, and the system has automatically filled in properties such as the UID, GID and home directory. We can also specify them by hand:

      • useradd -u UID: specify the UID; it must be at least UID_MIN (500 on older Red Hat systems, 1000 on most current distributions) and not used by another user
      • useradd -g GID|GROUPNAME: specify the basic (default) group, by GID or by name; the group must already exist
      • useradd -G GROUPS: specify additional groups (comma separated)
      • useradd -c COMMENT: specify the user's comment (GECOS) information
      • useradd -d PATH: specify the user's home directory
      • useradd -s SHELL: specify the user's login shell, preferably one listed in /etc/shells
      • useradd -s /sbin/nologin: the user cannot log in. Remember that system users cannot log in? Their shell field is /sbin/nologin as well (/usr/sbin/nologin on Debian-based systems)
      • echo $SHELL: show the shell of the current user
      • useradd -M USERNAME: create the user without creating a home directory
      • useradd -m USERNAME: create the home directory along with the user and copy the contents of /etc/skel into it (useradd -m -k SKEL_DIR uses a different skeleton directory). Whether -m is the default depends on the distribution (CREATE_HOME in /etc/login.defs). /etc/skel is discussed again in the next article on Linux rights management
      • If the user has no home directory, switching to that user still works, but the shell starts in / with a warning instead of in the home directory

6. userdel command: delete a user
      • userdel USERNAME: delete the user
      • userdel -r USERNAME: delete the user's home directory and mail spool along with the user

7. id command: display account attributes
      • id -g USERNAME: show the basic group ID
      • id -G USERNAME: show all group IDs (basic and additional)
      • id -u USERNAME: show the UID
      • id -n together with -g/-G/-u: show names instead of numbers for the basic group / all groups / user

8. finger command: show user information in a friendlier form than id (often not installed by default)

9. usermod command: modify user information
      • The basic options mirror useradd; the points to note are:
      • usermod -G GROUPS USERNAME: setting additional groups replaces the existing list of additional groups completely
      • usermod -a -G GROUPS USERNAME: append to the existing additional groups
      • usermod -d PATH USERNAME: change the home directory. Files in the old home directory are not moved and so are no longer visible in the new one; add -m (usermod -d PATH -m USERNAME) to move them
      • usermod -l NEWNAME USERNAME: change the login name
      • usermod -e YYYY-MM-DD USERNAME: set the date on which the account expires
      • usermod -L USERNAME: lock the user (a ! is put in front of the password hash)
      • usermod -U USERNAME: unlock the user

10. Shortcut commands
      • chsh -s SHELL USERNAME: change the login shell
      • chfn USERNAME: change the comment information to add details such as office and phone number; the changes can be viewed with finger.

11. passwd
      • passwd --stdin USERNAME: read the new password from standard input (Red Hat-specific; on Debian-based systems use chpasswd instead)
        • echo "NewPassword" | passwd --stdin mike
      • passwd -l USERNAME: lock the user account (root only)
      • passwd -u USERNAME: unlock the user account (root only)
      • passwd -d USERNAME: delete the user's password, leaving the password field empty. Whether that blocks logins or, worse, allows login without any password depends on the PAM configuration (the nullok option of pam_unix), so to disable an account use passwd -l rather than passwd -d

12. pwck (password check): check the consistency of /etc/passwd and /etc/shadow and report warnings (grpck does the same for /etc/group and /etc/gshadow)

13. groupadd command: add a group
      • groupadd -g GID GROUPNAME: specify the GID
      • groupadd -r GROUPNAME: add a system group, with a GID from the system range (-r also applies to useradd, where it creates a system user)
        • groupadd -r apache

14. groupmod command: modify a group
      • groupmod -g NEWGID GROUPNAME: change the GID
      • groupmod -n NEWGROUPNAME GROUPNAME: change the group name

15. groupdel command: delete a group
      • groupdel GROUPNAME

16. gpasswd command: manage group membership and the group password
      • gpasswd GROUPNAME: set a password on the group
      • gpasswd -a USERNAME GROUPNAME: add a user to the group; gpasswd -d USERNAME GROUPNAME removes one

17. newgrp: temporarily switch to another basic group, explained below.

18. What a group password is for

Why would a group need a password? We first need to talk about the user's basic group, which has not been covered so far. It is simple: Linux requires every user to belong to at least one group, so when creating a user we can specify its basic (default) group with useradd -g GROUPNAME USERNAME. If we do not specify one, useradd creates a group with the same name as the user and makes it the user's basic group (this is the USERGROUPS_ENAB setting in /etc/login.defs). The GID of that group is the same as the UID if it is free.

Why must a user have a group? Because under Linux every file carries three sets of permissions: those of the file's owner, those of the file's group, and those of everyone else. A user without a basic group would have nothing to put in the group slot of a file it creates. That is all we need for now.

Back to gpasswd. Normally we never set a password on a group. But consider this requirement: for one operation a user needs the permissions of another group, and we do not want to change the user's group membership permanently. This is what newgrp is for: it temporarily makes another group the user's basic group, valid only for the current session (newgrp starts a new shell). When using newgrp we may be asked for a group password. Why only sometimes? Because no password is required when the user is already a member of the group (it is one of the user's additional groups). A password is required only when the user is not a member of the group, and if the group has no password set, a non-member is refused. To restore the original basic group, exit the shell started by newgrp (exit or logout). In practice a group password is shared knowledge that anyone can pass on, so adding members with gpasswd -a or usermod -a -G is the better way to grant group access.
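As an added example (not part of the original article), the block below models the newgrp rule just described against constructed /etc/passwd, /etc/group and /etc/gshadow samples: it resolves a user's basic group and membership, and reports whether newgrp into a given group would succeed outright, prompt for the group password, or be refused. Helper names (parse_group, parse_gshadow, newgrp_outcome) are this example's own, and the group password hash in the sample is a placeholder.

```python
# Constructed sample files (not copied from a real system).
SAMPLE_PASSWD = """\
charley:x:500:500:Charley:/home/charley:/bin/bash
mike:x:501:501::/home/mike:/bin/bash
"""

# /etc/group fields: name:password-placeholder:gid:member,member
SAMPLE_GROUP = """\
charley:x:500:
mike:x:501:
developers:x:600:charley
webadmin:x:601:
"""

# /etc/gshadow fields: name:password:administrators:members
# '!' or empty means no group password; webadmin has one (placeholder hash).
SAMPLE_GSHADOW = """\
charley:!::
mike:!::
developers:!::charley
webadmin:$1$8x7Gq2Vb$CCCCCCCCCCCCCCCCCCCCCC::
"""


def base_gid(passwd_text, user):
    """Return the user's basic group GID (4th field of /etc/passwd) or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return int(fields[3])
    return None


def parse_group(text):
    """Map group name to (gid, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_gshadow(text):
    """Map group name to True if the group has a usable password."""
    has_password = {}
    for line in text.splitlines():
        if line.strip():
            name, password, _, _ = line.split(":")
            has_password[name] = password != "" and password[0] not in "!*"
    return has_password


def groups_of(user, passwd_text, groups):
    """Basic group plus every group listing the user as a member (like id -Gn)."""
    gid = base_gid(passwd_text, user)
    return {name for name, (g, members) in groups.items() if g == gid or user in members}


def newgrp_outcome(user, group, passwd_text=SAMPLE_PASSWD,
                   group_text=SAMPLE_GROUP, gshadow_text=SAMPLE_GSHADOW):
    """What happens when `user` runs `newgrp group`:
    'member'   - switches without a password (basic or additional group)
    'password' - must supply the group password set with gpasswd
    'denied'   - not a member and the group has no password
    'no such group'
    """
    groups = parse_group(group_text)
    if group not in groups:
        return "no such group"
    if group in groups_of(user, passwd_text, groups):
        return "member"
    if parse_gshadow(gshadow_text).get(group, False):
        return "password"
    return "denied"


if __name__ == "__main__":
    for user, group in [("charley", "developers"), ("mike", "developers"), ("mike", "webadmin")]:
        print(user, "->", group, ":", newgrp_outcome(user, group))
```

The same lookup is what newgrp does against the real files: charley is listed in developers and switches silently, mike is neither a member of developers nor does that group have a password, so he is refused, and only webadmin, which carries a gpasswd-set hash, prompts him for a password.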

19. Summary

This article introduced Linux user and group management, along with the two files related to users, /etc/passwd and /etc/shadow. The corresponding files for groups are /etc/group and /etc/gshadow. It also reviewed the common forms of cryptography: symmetric encryption, public key cryptography and hashing. With users and groups covered, the next article in this series describes Linux rights management.
