A Linux system lets multiple users log in from different terminal devices. Users are divided into groups according to their attributes, and for the sake of system security different users must be given different permissions; this is where the management of users and groups comes in.
Management of users and groups
User account
Group accounts
Assignment of permissions
AAA: an authentication framework developed by Cisco
Authentication: verify that the claimed identity is correct
Authorization: allocate resources to the authenticated user
Accounting: audit and monitor the use of resources
Multi-user, multitasking operating system:
The subject that uses resources and accomplishes tasks is the process of an application
Security context:
A process runs as its initiator; the owner of the process can be understood as the initiator, and the initiator's information is marked on the process;
When a process attempts to access a resource, the security context compares the owner of the process with the owner of the resource:
First, check whether the owner of the process is the owner of the resource; if so, the resource is used with the owner's permissions;
If not, check whether the owner of the process belongs to the group that owns the resource;
If so, the resource is used with the group's permissions;
If not, the resource is used with the permissions granted to others
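The three-step check described above, written out as an added example over constructed inputs (this is not code from the original notes). The kernel performs the real check; root's bypass of these permission bits is not modelled here:

```shell
#!/bin/sh
# Added example: which permission triplet applies when a process owned by one
# user touches a resource, following the owner -> group -> other ordering.
# All users, groups and mode strings below are constructed sample values.

# in_list NEEDLE LIST: is NEEDLE one of the space-separated words in LIST?
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# perm_class PROC_USER USER_GROUPS RES_OWNER RES_GROUP
#   USER_GROUPS: space-separated primary + additional groups of PROC_USER
#   prints the permission class that applies: owner, group or other
perm_class() {
    if [ "$1" = "$3" ]; then
        echo owner
    elif in_list "$4" "$2"; then
        echo group
    else
        echo other
    fi
}

# effective_bits MODE CLASS: the rwx triplet of a 9-character mode string
# such as rw-r----- that applies to CLASS
effective_bits() {
    case "$2" in
        owner) printf '%s\n' "$1" | cut -c1-3 ;;
        group) printf '%s\n' "$1" | cut -c4-6 ;;
        other) printf '%s\n' "$1" | cut -c7-9 ;;
    esac
}

# can_access PROC_USER USER_GROUPS RES_OWNER RES_GROUP MODE r|w|x : yes or no
# Note the ordering: an owner gets the owner bits even when the group bits
# would be more permissive, which is exactly the "first check the owner" rule.
can_access() {
    cls=$(perm_class "$1" "$2" "$3" "$4")
    bits=$(effective_bits "$5" "$cls")
    case "$6" in
        r) flag=$(printf '%s' "$bits" | cut -c1) ;;
        w) flag=$(printf '%s' "$bits" | cut -c2) ;;
        x) flag=$(printf '%s' "$bits" | cut -c3) ;;
        *) flag='?' ;;
    esac
    if [ "$flag" = "$6" ]; then echo yes; else echo no; fi
}

# Constructed scenario: file owned by alice:staff with mode rw-r-----
can_access bob  'bob staff' alice staff rw-r----- r   # yes (group read)
can_access bob  'bob staff' alice staff rw-r----- w   # no  (group has no write)
can_access eve  'eve'       alice staff rw-r----- r   # no  (other has nothing)
can_access alice 'alice staff' alice staff ---rw---- r # no  (owner bits win)
```

The last call is the interesting one: alice is in the group, but because she is the owner only the owner triplet is consulted, so the more generous group bits do not help her.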
User account: the identity mapping of a computer operator in the operating system; the mapping takes effect once the authentication condition is satisfied;
User Category:
Super User (Administrator): root
Normal User:
System users:
To ensure security, daemons and service processes running in the background must run as non-administrators; such users usually do not need to log on to the system
Login User:
Users who can use the entire system resource normally
User identification:
User's login name:
A simple, easy-to-remember string identifier for the operator;
User's ID:
A numeric identifier for the computer system;
Super user ID: 0
System users:
CentOS 5, 6: 1~499
CentOS 7: 1~999
Login users:
CentOS 5, 6: 500~60000
CentOS 7: 1000~60000
Identifiers above 60000 are user-defined identities
Name resolution: name <--> ID
Resolution library: /etc/passwd
The system uses the authentication library to complete authentication: verify that the user is who they claim to be
Authentication libraries
User authentication information base: /etc/shadow
Group authentication information base: /etc/group
Password-based authentication mechanism:
General policy for setting passwords:
1. Use a random string as the password where possible
2. The password length should generally be no less than 8 characters
3. Include at least three of the four character classes (uppercase letters, lowercase letters, digits, punctuation) in the password
4. Change the password at irregular intervals, and use a new password each time
In Linux, the password information saved in the authentication library is encrypted;
Hash (one-way encryption) algorithm: extracts the characteristic information of the original data, a data fingerprint;
Features of one-way encryption algorithms:
1. As long as the data is the same, the encryption result is the same
2. Regardless of the size of the data, the encryption result has a fixed-length output
3. Avalanche effect
4. Irreversible
Common one-way encryption algorithms:
1. MD5: Message Digest, 128-bit fixed-length output;
2. SHA1: Secure Hash Algorithm, 160-bit fixed-length output
3. SHA224:
4. SHA256:
5. SHA384:
6. SHA512:
Salt: a random number
/dev/random: returns random numbers only from the entropy pool; if the entropy pool is exhausted, the process blocks
/dev/urandom: first tries to return random numbers from the entropy pool; if the entropy pool is exhausted, pseudo-random numbers produced by the pseudo-random number generator are used
Final authentication string: algorithm + salt + password
Information stored in the authentication library: $6$salt$encrypted_password
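The hash properties and the $id$salt$hash storage format described above, shown with the coreutils digest tools. This is an added example, not part of the original notes; it assumes GNU coreutils (md5sum, sha1sum, sha256sum, sha512sum) is installed, and the shadow-style field it parses is constructed with a placeholder hash:

```shell
#!/bin/sh
# Added example: one-way hash properties (same input -> same digest, fixed
# length, avalanche effect) and the salt, demonstrated with coreutils, plus
# a small parser for the "$id$salt$hash" field stored in /etc/shadow.

# digest ALGO DATA: hex digest of DATA (no trailing newline) for md5|sha1|sha256|sha512
digest() {
    printf '%s' "$2" | "${1}sum" | cut -d' ' -f1
}

# digest_bits ALGO: output length in bits (hex digits * 4), the fixed-length property
digest_bits() {
    h=$(digest "$1" "probe")
    echo $(( ${#h} * 4 ))
}

# salted ALGO SALT PASSWORD: hash salt+password; the same password with a
# different salt produces a different digest, which defeats precomputed tables
salted() {
    digest "$1" "$2$3"
}

# hamming_hex A B: number of differing hex digits between two equal-length
# digests; a one-character input change flips roughly half of them (avalanche)
hamming_hex() {
    a=$1; b=$2; n=0; i=1
    while [ "$i" -le "${#a}" ]; do
        ca=$(printf '%s' "$a" | cut -c"$i")
        cb=$(printf '%s' "$b" | cut -c"$i")
        [ "$ca" != "$cb" ] && n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

# shadow_hash_parts FIELD: print "algorithm salt hash" for a $id$salt$hash
# field; an optional "rounds=N" component after the id is skipped.
shadow_hash_parts() {
    f=$1
    id=$(printf '%s' "$f" | cut -d'$' -f2)
    salt=$(printf '%s' "$f" | cut -d'$' -f3)
    hash=$(printf '%s' "$f" | cut -d'$' -f4)
    if [ "${salt#rounds=}" != "$salt" ]; then
        salt=$(printf '%s' "$f" | cut -d'$' -f4)
        hash=$(printf '%s' "$f" | cut -d'$' -f5)
    fi
    case "$id" in
        1) algo=md5 ;;
        5) algo=sha256 ;;
        6) algo=sha512 ;;
        *) algo=unknown ;;
    esac
    echo "$algo $salt $hash"
}

# Constructed sample field (placeholder hash, not a real password hash)
SAMPLE_FIELD='$6$abc123$NOTAREALHASH'

echo "md5 bits:    $(digest_bits md5)"
echo "sha512 bits: $(digest_bits sha512)"
echo "abc vs abd differing hex digits (sha256): $(hamming_hex "$(digest sha256 abc)" "$(digest sha256 abd)")"
echo "salt s1: $(salted sha256 s1 secret)"
echo "salt s2: $(salted sha256 s2 secret)"
echo "parsed:  $(shadow_hash_parts "$SAMPLE_FIELD")"
```

Note that `salted` only illustrates why a salt matters; the real crypt(3) sha512 scheme behind `$6$` iterates the hash many times and is not a single `sha512sum` of salt+password.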
User groups: containers that bring together users with the same or similar attributes so that authorization can be done centrally;
Group Category:
Administrators group
Normal User group:
System Group
Login Group
Identification of groups:
Group name: easy for operators to use
Group ID (GID): identifies the group to the system
Administrator group ID: 0
System groups:
CentOS 5, 6: 1~499
CentOS 7: 1~999
Login groups:
CentOS 5, 6: 500~60000
CentOS 7: 1000~60000
Resolution library: /etc/group
Groups also need to be authenticated, and there is a corresponding authentication library: /etc/gpasswd
Groups can also be protected by a password:
If a group has no password protection, users cannot join it on their own at any time;
Classifying groups with the user as the reference point:
User's primary group (basic group): every user must have exactly one such group
User's additional groups (supplementary groups): a user may have none, or several
According to the users a group accommodates:
Private group: the group name is the same as the user's login name, and the user is its only member
Public group: a group that can contain several different users
Note: by default, a user's primary group is their private group
Management of users and groups:
Mainly done with commands:
Group management commands:
groupadd
groupdel
groupmod
User management commands: useradd userdel usermod
Authentication management commands: passwd gpasswd chage
Other related management commands: chsh finger su id
/etc/passwd:
name:password:UID:GID:GECOS:directory:shell
name: login name
password: password field; on systems using the shadow mechanism it usually holds the placeholder "x"
UID: the user's ID
GID: ID of the user's primary group
GECOS: comment; now generally used to store the user's description or full name
directory: absolute path of the user's home directory
shell: absolute path of the user's default login shell
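The /etc/passwd layout just described and the UID ranges given earlier, applied together as an added example (not code from the original notes) that classifies accounts and flags any extra UID-0 account. The passwd lines are constructed; on a real system the input would be /etc/passwd itself:

```shell
#!/bin/sh
# Added example: parse /etc/passwd-style lines, classify each account by the
# UID ranges from the notes (root / system / login / custom), and list every
# account other than root whose UID is 0. The sample below is constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup2:x:0:0:constructed duplicate root:/root:/bin/bash
svc:x:70001:70001:custom id:/srv/svc:/bin/bash'

# uid_class UID [RELEASE]: print root, system, login or custom for UID.
# RELEASE is 7 (default; system range 1~999) or 6 (CentOS 5/6; 1~499).
uid_class() {
    uid=$1
    rel=${2:-7}
    if [ "$rel" = 7 ]; then sys_max=999; else sys_max=499; fi
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ "$uid" -le "$sys_max" ]; then
        echo system
    elif [ "$uid" -le 60000 ]; then
        echo login
    else
        echo custom
    fi
}

# report_passwd [RELEASE]: read passwd lines on stdin, print "name class shell".
# IFS=: makes read split on the seven colon-separated fields; empty GECOS is fine.
report_passwd() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ -n "$name" ]; then
            printf '%s %s %s\n' "$name" "$(uid_class "$uid" "$1")" "$shell"
        fi
    done
}

# uid0_accounts: names of every account with UID 0 other than root.
# A second UID-0 account is equivalent to root and is a standard thing to
# look for when reviewing a machine.
uid0_accounts() {
    while IFS=: read -r name pw uid rest; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then
            printf '%s\n' "$name"
        fi
    done
}

printf '%s\n' "$PASSWD_SAMPLE" | report_passwd 7
echo "extra UID-0 accounts:"
printf '%s\n' "$PASSWD_SAMPLE" | uid0_accounts
```

Run against the real file with `report_passwd 7 < /etc/passwd`; the release argument only changes where the system/login boundary falls (999 versus 499).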
/etc/group:
group_name:password:GID:user_list
group_name: group name
password: group password placeholder, empty by default
GID: ID of the group
user_list: list of users that have this group as an additional group
/etc/shadow:
login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field
Login name: the user's login name
Encrypted password: the encrypted password
Format: $algorithm$salt$encrypted_password
If this field starts with "!", the user's password is locked (disabled)
If this field is "*", the user is a system user and cannot log on
If this field is empty, the user can log on without a password; this is not recommended
Date of last password change:
A relative time: the number of days from January 1, 1970 to the day the password was last changed
Minimum password age:
How long the password cannot be changed; the default is 0, meaning the password can be changed at any time; a non-zero value N means the password cannot be changed within N days
Maximum password age:
How long until the password expires; the default is 99999, meaning it is effectively permanent
Password warning period:
Friendly reminder before the password expires; the default number of warning days is 7;
Password inactivity period:
The grace period after the password expires; not enabled by default, meaning the grace period is unlimited
Account expiration date:
The date on which the user account expires; an absolute date, xxxx/xx/xx
Reserved field:
Reserved for later use
/etc/gpasswd
group_name:encrypted_password:administrators:members
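Reading the shadow fields described above, as an added example (not code from the original notes) that reports each account's password state and whether the password or the account has expired. The shadow lines are constructed with placeholder hashes, and "today" is passed in as a day count so the result is deterministic:

```shell
#!/bin/sh
# Added example: parse /etc/shadow-style lines and report, per account, the
# state of the second field (set / locked / nologin / empty) plus password or
# account expiry computed from the day-count fields.
# The lines below are constructed; the hashes are placeholders.
# TODAY is days since 1970-01-01, i.e. what $(( $(date -u +%s) / 86400 )) gives.

SHADOW_SAMPLE='root:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
bob:!$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:$6$salt$PLACEHOLDERHASH:18900:0:90:7:::
erin:$6$salt$PLACEHOLDERHASH:19000:0:99999:7::19100:'

# password_state HASHFIELD: empty / nologin / locked / set
password_state() {
    case "$1" in
        "")   echo empty ;;
        '*')  echo nologin ;;
        '!'*) echo locked ;;
        *)    echo set ;;
    esac
}

# shadow_status NAME TODAY: find NAME on stdin and print
#   "NAME STATE" optionally followed by " password-expired" or " account-expired"
# Returns 1 if NAME is not present.
shadow_status() {
    want=$1; today=$2
    while IFS=: read -r name hash last min max warn inact expire reserved; do
        [ "$name" = "$want" ] || continue
        state=$(password_state "$hash")
        note=""
        if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
            # absolute account expiry wins over password ageing
            note=account-expired
        elif [ -n "$last" ] && [ -n "$max" ] && [ "$max" -lt 99999 ] \
             && [ "$today" -gt $((last + max)) ]; then
            note=password-expired
        fi
        printf '%s %s%s\n' "$name" "$state" "${note:+ $note}"
        return 0
    done
    return 1
}

# empty_password_accounts: names whose second field is empty (login with no password)
empty_password_accounts() {
    while IFS=: read -r name hash rest; do
        if [ -n "$name" ] && [ -z "$hash" ]; then
            printf '%s\n' "$name"
        fi
    done
}

TODAY=19050   # constructed "today" for the sample
for u in root daemon bob carol dave erin; do
    printf '%s\n' "$SHADOW_SAMPLE" | shadow_status "$u" "$TODAY"
done
echo "accounts with an empty password field:"
printf '%s\n' "$SHADOW_SAMPLE" | empty_password_accounts
```

With a real system the input is `/etc/shadow` (readable only by root) and TODAY comes from `date`; the empty-password list is the one to act on first, since those accounts log in with no password at all.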
Group management commands:
groupadd: create a new group account  # groupadd OPTION GROUP
-g GID: specify the GID when creating the group; if this option is not used, the system takes the largest GID in the group resolution file that does not exceed 60000 and adds one;
-r: create a system group, i.e. a group whose GID lies in 1~999 (1~499 on CentOS 5, 6)
groupmod: modify a group's properties  # groupmod OPTION GROUP
-g GID: modify the ID of the group account
-n NEW_GROUPNAME: modify the group name
groupdel: delete a group account  # groupdel OPTION GROUPNAME
Note: if a group is the primary or private group of some user, it cannot be deleted
groupmems: command for managing group members
User management commands:
useradd: add a user account  # useradd OPTION LOGIN
/etc/default/useradd
/etc/login.defs
/etc/skel
These three files and directories let an administrator create users without specifying any options, giving the user default properties
Options:
-c, --comment 'COMMENT': add comment information (typically the full name) when creating the user
-d, --home /path/to/home_dir: specify the absolute path of the home directory when creating the user; the directory should not already exist
-g, --gid GROUP: specify the primary group when creating the user
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]
Add additional groups to the user when creating it
-m, --create-home: force creation of the home directory when creating the user
-M: do not create the home directory when creating the user, even if CREATE_HOME in /etc/login.defs says to create it
-r, --system: create a system user
-u, --uid UID: specify the UID when creating the user; this UID may exceed the 60000 limit
-s, --shell /path/to/shell: specify the default shell when creating the user, using an absolute path
-D, --defaults: display or modify the user default values
-s, --shell: together with -D, modify the default shell in /etc/default/useradd
usermod: modify user account information
-c, --comment 'COMMENT': modify the user's comment information
-g, --gid GROUPNAME: modify the user's primary group
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: set the user's additional groups to the groups in the list
-a, --append: used with -G, add the listed groups to the user's additional groups instead of replacing them
-d, --home /path/to/home_dir: modify the user's home directory
-m, --move-home: used with -d, move the contents of the old home directory to the new one
-l, --login NEW_LOGIN: change the login name of the user account
-s, --shell /path/to/shell: modify the user account's login shell
-u, --uid UID: change the user's UID
-L: lock the user's password
-U: unlock the user's password
userdel: delete a user account
userdel OPTION LOGIN
Options
-r: delete the user's home directory along with the user
User authentication related commands
passwd: set and view a user's password information
1. If the user name is omitted, the password of the currently logged-on user is changed
2. If a user name is given, the password of that user is changed; only root may do this
Options
-l, --lock: lock the user's password
-u, --unlock: unlock the user's password
Compared with usermod -L|-U, passwd has higher priority: a password locked with usermod can be unlocked with passwd, and vice versa
-d, --delete: remove the user's password, i.e. clear the second field in /etc/shadow
-S, --status: view the password status
--stdin: read the password from standard input, so it can be fed to passwd through a pipe
echo "PASSWORD" | passwd --stdin USERNAME
Group authentication related commands
gpasswd:
gpasswd OPTION GROUPNAME
-a USER: add USER to the group GROUPNAME
-d USER: remove USER from the group GROUPNAME
Other commands
su: switch user, change the user identity
su USERNAME:
Partial (half) switch: the target user's profile is not re-read, so there is no login behaviour and the working environment is not initialized
su - USERNAME:
Login (full) switch: the target user's profile is re-read and the working environment is initialized; equivalent to su -l USERNAME
-c COMMAND: do not switch identity; instead run COMMAND as the target user
When using the su command
newgrp GROUPNAME: temporarily change the primary group of the currently logged-on user; use exit to return to the previous state
id: display the real and effective user and group IDs
Real ID: the UID and GID of the user as defined in /etc/passwd
Effective ID: the UID and GID currently in effect
Options
-g: display only the effective group ID
-u: display only the effective user ID
-G: output all group IDs
-n, --name: display the name of the user, group or additional groups instead of the number
chage: change user password expiry information
-d: the date the password was last changed
-E: the date on which the account expires; after this day the account can no longer be used
-m: the minimum number of days between password changes; at zero, the password can be changed at any time
-M: the maximum number of days the password remains valid
-W: the number of days before the password expires on which a warning is given
chsh: modify the user's default shell; equivalent to usermod -s
finger: finger [OPTIONS] [USERS] [USER@HOST]
-s: display the user's login name, real name, terminal name, write status, idle time, login time and so on
-l: in addition to the information given by -s, display the user's home directory, login shell, mail status and other information, as well as the contents of the .plan, .project and .forward files in the user's home directory
-p: the same as -l, except that the .plan and .project files are not displayed
chfn: the chfn command changes the information displayed by finger. If no parameters are given, chfn enters a question-and-answer interface
Function: change the information displayed by the finger command
Syntax: chfn [-f <real name>] [-h <home phone>] [-o <office address>] [-p <office phone>] [-uv] [account name]
-f <real name> or --full-name <real name>: set the real name
-h <home phone> or --home-phone <home phone>: set the home phone number
-o <office address> or --office <office address>: set the office address
-p <office phone> or --office-phone <office phone>: set the office phone number
pwck: check the integrity of the user password files (/etc/passwd and /etc/shadow)
Usage: pwck [-q] [-s] [passwd [shadow]]
pwck [-q] [-r] [passwd [shadow]]
Parameters:
-q: display only error messages, not warnings
-s: sort by ID
-r: read-only check
grpck:
Check the integrity of the group and group password files (/etc/group and /etc/gshadow)
Usage: grpck [-r] [group [gshadow]]
grpck [-s] [group [gshadow]]
Parameters: the same as pwck
Linux Beginner -- Management of users and groups