Linux Basics---Users

Source: Internet
Author: User
Tags asymmetric encryption

Users and Groups

I. Concepts of users and groups

The concept of users and groups was introduced as computers increasingly had to serve many users at once. A user is what the operating system uses to identify who logs in; users and groups are the core elements through which computer resources are allocated. A group is a collection of users that share the same computer resources (mainly permissions).

To the kernel, a user or a group is just a number, called the UID and the GID. UIDs and GIDs are unique within a system. Translating between names and these numbers (name resolution) is done on Linux through the glibc library.

II. User identification

Users are identified through the 3A model (authentication, authorization, audit):

Authentication: implemented with passwords

Authorization: granting permissions to the identified user

Audit: implemented through operation logs

III. User and group categories

User Category:

Administrator user: UID = 0

System users: 1 <= UID <= 499

Normal users: UID >= 499

Group Category:

Administrators group: GID = 0

System Group: 1 <= GID <= 499

User group: GID >= 500

IV. Correspondence between users and groups

One-to-one: a user exists in exactly one group, and is the only member of that group

One-to-many: a user can belong to several groups, and then holds the permissions common to all of them

Many-to-one: several users can belong to one group, and all of them hold that group's permissions

Many-to-many: several users can belong to several groups, which is the combination of the relationships above

V. User and Group-related configuration files

1. User-related files

/etc/passwd: user account information

/etc/passwd-: backup of /etc/passwd

/etc/passwd file format (one user per line):

account:password:UID:GID:GECOS:directory:shell

Field meanings:

    account    user account name
    password   password placeholder (the password itself used to be stored here; now an "x" refers to /etc/shadow)
    UID        user identification number, usually in the range 0~65535
    GID        primary group identification number
    GECOS      comment information
    directory  home directory
    shell      login shell

Example entries:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync

Password complexity policy:

    • Use at least three of the four classes: digits, lowercase letters, uppercase letters and special characters

    • Minimum length 5 characters

    • Do not use easy-to-guess passwords

    • Change passwords regularly and do not reuse passwords that were used recently

Encryption methods:

    • Symmetric encryption: encryption and decryption use the same key; distributing the key is the hard part

    • Public-key cryptography (asymmetric encryption): encryption and decryption use a key pair (a public key and a private key)

    • One-way encryption (hashing): extracts a unique fingerprint of the data, used mainly for integrity checking; its characteristics are fixed-length output, irreversibility and the avalanche effect (a small change in the input changes the whole output)



/etc/shadow: user passwords and associated account settings

/etc/shadow-: backup of /etc/shadow

/etc/shadow file format (one user per line):

login name:password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field

The password field holds the encrypted (hashed) password. Because /etc/passwd is readable by every user, a password stored there would be easy to disclose, so the password information was separated from /etc/passwd into its own file, /etc/shadow, which only the root user may read; this is what protects the users' passwords.

Field meanings:

    login name                    user name, corresponding to /etc/passwd
    password                      password after encryption
    date of last password change  when the password was last changed (days since 1970-01-01)
    minimum password age          minimum password lifetime (days)
    maximum password age          maximum password lifetime (days)
    password warning period       number of days before expiry on which the user is warned
    password inactivity period    number of days the account stays usable after the password expires
    account expiration date       account expiration time, an absolute date (days since 1970-01-01)
    reserved field                reserved

Example entries:

    centos:$6$x/hwvp5q$5quun33gwjfhalxij1e.9xveulseq1k6upmcdp.ry8h7y9bs7xvnqrdqsxihwciuueweqfw0re8utpk37zah91:16252:0:99999:7:::
    mandriva:!!:16255:0:99999:7:::
    gentoo:$6$queamrzj$l8g8osdrr6lzm8kcuu9cienynbgs/sutsvnjf2prd5idrsyama.jrkh2gi86b3qqfmqr1ozqwx.tqtlybocnj/:16255:2:60:3:7::
    openstack:!!:16255:0:99999:7:::
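As an added example (not code from the original post), the following shell functions apply the /etc/passwd and /etc/shadow field layouts described above to constructed sample data and report the three things an administrator checks first: additional UID 0 accounts, empty password fields, and passwords whose maximum age has passed.

```shell
#!/bin/sh
# Audit functions for passwd/shadow data laid out as described above.
# The sample lines are constructed for this example; the "$6$..." values are
# placeholders in crypt(3) format, not hashes of any real password.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0:second root:/root:/bin/bash
centos:x:500:500::/home/centos:/bin/bash
guest:x:501:501::/home/guest:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:16252:0:99999:7:::
bin:*:16252:0:99999:7:::
backdoor::16252:0:99999:7:::
centos:$6$saltsalt$PLACEHOLDERHASH:16100:2:60:3:7::
guest:!!:16255:0:99999:7:::'

# Every UID 0 account other than root is root-equivalent; passwd data on stdin.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow password field is empty: no password is asked at login.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# Accounts whose password has expired by day $1 (days since 1970-01-01):
# last change (field 3) + maximum age (field 5) lies in the past.
# Locked ("!", "!!") and disabled ("*") entries cannot log in with a
# password anyway, so they are skipped.
expired_passwords() {
    awk -F: -v today="$1" '
        $2 ~ /^[!*]/ { next }
        $5 != "" && $3 + $5 < today { print $1 }'
}

# Run all three checks against the sample data, using the real current day.
run_audit() {
    today=$(( $(date +%s) / 86400 ))
    echo "UID 0 accounts other than root:"
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
    echo "accounts with an empty password field:"
    printf '%s\n' "$SAMPLE_SHADOW" | empty_passwords
    echo "accounts with an expired password:"
    printf '%s\n' "$SAMPLE_SHADOW" | expired_passwords "$today"
}

run_audit
```

Against real files, feed /etc/passwd and /etc/shadow (read as root) into the same functions instead of the sample variables.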


2. Group-related files

/etc/group: group account information

/etc/group-: backup of /etc/group

/etc/group file format:

group_name:passwd:GID:user_list

Field meanings:

    group_name  group name
    passwd      group password placeholder
    GID         group ID
    user_list   comma-separated list of users that belong to this group (as a supplementary group)

Example entries:

    root:x:0:
    bin:x:1:bin,daemon
    daemon:x:2:bin,daemon
    sys:x:3:bin,adm
    adm:x:4:adm,daemon

/etc/gshadow: group password information

/etc/gshadow-: backup of /etc/gshadow

/etc/gshadow file format:

group_name:passwd:administrators:members

Field meanings:

    group_name      group name
    passwd          password after encryption
    administrators  group administrators
    members         group members

Example entries:

    root:::
    bin:::bin,daemon
    daemon:::bin,daemon
    sys:::bin,adm
    adm:::adm,daemon

VI. Other relevant configuration files

(1) /etc/login.defs file

Defines the default settings used when creating a user, such as the ranges of UIDs and GIDs, the user's expiration time, whether a home directory is created, and so on.

Below is /etc/login.defs on CentOS 6.4 (comment and empty lines filtered out), briefly annotated:

    # cat /etc/login.defs | grep -v ^# | grep -v ^$
    MAIL_DIR        /var/spool/mail   # when a user is created, create the user's mail file in /var/spool/mail
    PASS_MAX_DAYS   99999             # maximum number of days a password remains valid
    PASS_MIN_DAYS   0                 # days after the last change before the user may change the password again
    PASS_MIN_LEN    5                 # minimum password length
    PASS_WARN_AGE   7                 # days before expiry on which the user is warned that the password is about to expire
    UID_MIN         500               # minimum UID: when a user is added, UIDs start at 500
    UID_MAX         60000             # maximum UID
    GID_MIN         500               # minimum GID: when a group is added, GIDs start at 500
    GID_MAX         60000             # maximum GID
    CREATE_HOME     yes               # whether to create the user's home directory: yes creates it, no does not
    UMASK           077               # default umask for the home directory
    USERGROUPS_ENAB yes               # (to be verified)
    ENCRYPT_METHOD  SHA512            # the default password hashing algorithm is SHA512

(2) /etc/skel directory

The /etc/skel directory defines the default profile files placed in a new user's home directory; changing the contents of /etc/skel changes the defaults every new user gets. For example, when a new user is created, files such as .bash_profile, .bashrc and .bash_logout appear in the new home directory, and all of them come from /etc/skel.

(3) /etc/default/useradd file

The rule file useradd consults when adding a user. When we create a user with the useradd command and no parameters, the home directory ends up under /home/ and the default shell is /bin/bash; both are defined in /etc/default/useradd. Changing this file changes the defaults for newly added users; the same can also be achieved per user through the parameters of the adduser command.

    # cat /etc/default/useradd
    # useradd defaults file
    GROUP=100
    HOME=/home               # create users' home directories under /home
    INACTIVE=-1              # whether to disable the account after the password expires; -1 means not enabled
    EXPIRE=                  # account expiration date; empty means no expiration is set
    SHELL=/bin/bash          # type of shell used
    SKEL=/etc/skel           # where the default files for a new home directory are taken from; adduser copies them from here into the new home directory
    CREATE_MAIL_SPOOL=yes    # when a user is created, create the user's mail file in /var/spool/mail: yes creates it, no does not

VII. Management of users and groups

1) User management commands

useradd, adduser: add a user

Common parameters (useradd and adduser take the same options):

    -u               specify the user's UID                                        useradd -u 506 gentoo
    -g               specify the user's primary GID                                useradd -u 506 -g <GID> gentoo
    -G               specify supplementary groups; several may be given            useradd -u 506 -G linux,centos gentoo
    -c               add comment information; empty if not specified               useradd -c 'This is a test user' ubantu
    -d               specify the home directory; by default a directory under /home/ named after the user   useradd -d /tmp/redhat redhat
    -s               specify the default shell; /bin/bash if not specified         useradd -s /sbin/nologin slackware
    -r               add a system user                                             useradd -r mysql
    -m               create the home directory if it does not exist
    -M               force the home directory not to be created                    useradd -M archlinux
    -e expire_date   account expiration date                                       useradd -e 14/7/20 suse


userdel: delete a user

Usage: userdel user_name

Common parameter: -r deletes the user together with the user's home directory, e.g. userdel -r gentoo

passwd: set a password for a user

Common parameters:

    --stdin            read the password from standard input instead of prompting   echo 'archlinux' | passwd --stdin archlinux
    -l, -u             lock / unlock the user                                       passwd -l archlinux
                                                                                    passwd -u archlinux
    -n, -x, -w, -i     set the user's minimum age, maximum age, warning period and inactivity period

usermod: modify a user; the login name, home directory and so on can be changed with usermod

Common parameters:

    -u, -g, -s, -c   change the UID, GID, default shell and comment                  usermod -u 800 -g 6666 -s /bin/zsh -c 'Beijing Zhongguancun' gentoo
    -G -a            when changing supplementary groups, -a keeps the existing ones; without it they are overwritten   usermod -a -G gentoo,centos,linux ubantu
    -d -m            change the home directory; add -m to move the contents of the old home directory as well   usermod -d /tmp/linux -m gentoo
    -L, -U           lock / unlock the user                                           usermod -L redhat
                                                                                      usermod -U redhat

chown: change the owner and group of a file

Common parameter: -R changes the directory and all files under it recursively

Examples:

    1. change both the owner and the group of /tmp/mylinux to gentoo:

        chown gentoo:gentoo /tmp/mylinux

        or chown gentoo.gentoo /tmp/mylinux

    2. change the owner of /tmp/mylinux to gentoo:

        chown gentoo /tmp/mylinux

    3. change the group of /tmp/mylinux to gentoo

    4. change the owner and group of all files under /tmp/test/ to gentoo

pwconv: synchronize users from /etc/passwd to /etc/shadow

pwck: verify that the contents of /etc/passwd and /etc/shadow are valid and complete

pwunconv: the reverse of pwconv; it rebuilds /etc/passwd from /etc/shadow and /etc/passwd and then deletes /etc/shadow

finger: tool for viewing user information

    # finger centos
    Login: centos                           Name:
    Directory: /home/centos                 Shell: /bin/bash
    On since Sat Jul  5 11:21 (CST) on pts/2 from 172.16.9.17
       8 hours minutes idle
    No mail.
    No Plan.

id: view the user's UID, GID and the groups the user belongs to

    # id centos
    uid=500(centos) gid=500(centos) groups=500(centos),(magedu)

chfn: change user information (the GECOS field)

su: switch user

Common parameters:

su -l username or su - username: full switch (a login shell is started)

su -c: execute a command as the switched-to user, for example:

    # su - centos -c 'whoami'
    centos

sudo: execute a command as another user. With su you switch to the user and then complete the task as that user, whereas sudo runs the command directly: for example, without knowing the root password, sudo can run the commands that root has delegated, and only those; which users may run which commands is configured by editing /etc/sudoers with visudo.

visudo: the command for editing /etc/sudoers; /etc/sudoers can also be edited directly with vi without this command (visudo, unlike vi, checks the syntax and locks the file while it is being edited).

sudoedit: a companion of sudo (the same as sudo -e) used to edit a file with the privileges of another user.

2) Group management commands

groupadd: add a user group

Common parameters:

-g: specify the group ID, for example: groupadd -g <GID> centos

-r: create a system group

groupdel: delete a user group

groupmod: modify user group information

chgrp: change the group a file belongs to

groups: display the groups a user belongs to

grpck: check that the data in /etc/group and /etc/gshadow is stored correctly

grpconv: synchronize or create /etc/gshadow from the contents of /etc/group and /etc/gshadow; if /etc/gshadow does not exist it is created

grpunconv: synchronize or create /etc/group from the contents of /etc/group and /etc/gshadow, then delete the gshadow file

VIII. Manually creating a user

1. Manually add a line to /etc/passwd (the user name and UID must not already be in use):

    test1:x:2222:2222::/home/test1:/bin/bash

2. Generate the password information:

    echo 'redhat' | sha512sum

    20641bd9d93708c844f59bf5f5d5bfb16fd5c3cece84127f56072579f778e6aca04ca7985eb4a7f555bd9532115205884d11fc5323534618da7596c300b4666d

and add this line to /etc/shadow:

    test1:$6$brfe2dsw$20641bd9d93708c844f59bf5f5d5bfb16fd5c3cece84127f56072579f778e6aca04ca7985eb4a7f555bd9532115205884d11fc5323534618da7596c300b4666d:16255:0:99999:7:::

3. Manually add a line to /etc/group:

    test1:x:2222:

4. Copy the skeleton files into the home directory:

    cp -r /etc/skel/ /home/test1

5. Fix the ownership of the home directory:

    chown -R test1.test1 /home/test1/

This completes the creation of the user, who can now log in.
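Added example, not part of the original article: two checks worth running on hand-written entries before appending them, with constructed sample data. Note that the value produced in step 2 above is the output of sha512sum (128 hex digits), while login compares the shadow field against a crypt(3) SHA-512 hash ($6$salt$ followed by 86 characters from the alphabet ./0-9A-Za-z), so an entry built from sha512sum output will not authenticate; the second function detects exactly that shape mismatch. The user name test2 and the hash strings are placeholders chosen for this example.

```shell
#!/bin/sh
# Sanity checks for hand-written passwd/shadow lines before they are appended.
# Sample passwd data is constructed; the "good" hash below has the right shape
# only and is not the hash of any real password.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
centos:x:500:500::/home/centos:/bin/bash
test1:x:2222:2222::/home/test1:/bin/bash'

# Succeeds only if neither the name (field 1) nor the UID (field 3) of the
# candidate passwd line $1 is already present in the passwd data read on stdin.
passwd_entry_free() {
    name=$(printf '%s' "$1" | cut -d: -f1)
    uid=$(printf '%s' "$1" | cut -d: -f3)
    awk -F: -v n="$name" -v u="$uid" \
        '$1 == n || $3 == u { found = 1 } END { exit (found ? 1 : 0) }'
}

# Succeeds only if the password field of shadow line $1 is in crypt(3) SHA-512
# form: "$6$", a salt of up to 16 characters from ./0-9A-Za-z, "$", then an
# 86-character hash from the same alphabet. The 128 hex digits printed by
# sha512sum are a different encoding and never match at login, so the check
# rejects them.
shadow_hash_ok() {
    printf '%s\n' "$1" | cut -d: -f2 |
        grep -Eq '^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Constructed shadow lines: one in crypt SHA-512 shape, one with raw sha512sum hex.
CRYPT_HASH='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv'
HEX_HASH=$(printf '0123456789abcdef%.0s' 1 2 3 4 5 6 7 8)
GOOD_SHADOW="test2:\$6\$brfe2dsw\$$CRYPT_HASH:16255:0:99999:7:::"
HEX_SHADOW="test2:\$6\$brfe2dsw\$$HEX_HASH:16255:0:99999:7:::"

# Report both checks for a candidate passwd line $1 and shadow line $2.
check_new_user() {
    if printf '%s\n' "$SAMPLE_PASSWD" | passwd_entry_free "$1"; then
        echo "passwd entry: name and UID are free"
    else
        echo "passwd entry: name or UID already in use"
    fi
    if shadow_hash_ok "$2"; then
        echo "shadow entry: password field is in crypt SHA-512 format"
    else
        echo "shadow entry: password field is NOT a crypt SHA-512 hash"
    fi
}

check_new_user 'test2:x:2223:2223::/home/test2:/bin/bash' "$GOOD_SHADOW"
check_new_user 'test2:x:2222:2222::/home/test2:/bin/bash' "$HEX_SHADOW"
```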


This article is from the "After Dark" blog, be sure to keep this source http://guoting.blog.51cto.com/8886857/1434957
