User accounts

Account types:
- Super user: root, used for system administration.
- Normal user: created by the administrator (root); has full permissions only in the user's own home directory.
- Program user: added automatically when an application is installed; a low-privilege account that is not allowed to log in to the system and exists only to keep a system service or program running.

Group accounts: a group account represents the accounts of all users in the group.
- Basic group (private group): every user account belongs to at least one group.
- Additional group (public group): any further group the user is also a member of.

UID (user identification number): a numeric identity token unique to each user account.
- root user: 0
- program user accounts: 1~499
- ordinary user accounts: 500~60000

GID (group identification number): the numeric identity token of a group account.
- root group: 0
- program group accounts: 1~499
- ordinary group accounts: 500~60000

Configuration files associated with user accounts:
- /etc/passwd: user name, home directory, login shell and other basic information. Fields, in order: user account name, password placeholder, UID, basic group GID, user's full name, home directory (default working directory), login shell.
- /etc/shadow: password, account validity and related information for each user account. Fields, in order: user account name, password string encrypted with MD5 (* or !! means the account cannot log in to the system), date the password was last changed, minimum password validity in days, maximum password validity in days, number of days before expiry to warn the user, number of days after the password expires (the inactivity period), account expiration date, reserved field.
User account management commands:
- useradd: add a user account.
- passwd: set the password for a new user.
- usermod: modify user account attributes.
- userdel: delete a user account.
Usage: see the --help output of each command and the man pages.

Initial profile files of a user account: when a new user is added, some initial configuration files are copied into the user's home directory from the account template directory /etc/skel. The more commonly used ones:
- .bash_logout: commands in this file run each time the user logs out.
- .bash_profile: commands in this file run each time the user logs in.
- .bashrc: commands in this file run each time the /bin/bash program is loaded, including at login.
- /etc/bashrc and /etc/profile: apply to all users; used to add programs that run automatically after login, set variables automatically, and so on.

Group account management

Group account files:
- /etc/group: group account name, GID, group members and other information.
- /etc/gshadow: encrypted password string and other information for the group account.

Commands:
- groupadd: add a group account.
- gpasswd: add, set and delete group members (manage the user members of a group account).
- groupdel: delete a group account.

Querying account information:
- groups: query the groups a user account belongs to.
- id: query the identity (UID and GIDs) of a user account.
- finger: query the login properties of a user account.
- w: query the login status of users on the current host.

Managing directory and file attributes:
- Access rights: three basic types, read (r), write (w) and execute (x).
- Ownership: the owner (user) and the owning group.
- File type: d (directory), b (block device file), c (character device file), - (normal file), l (link file).
- chmod: set permissions on directories and files.
- chown: set the owner and group of directories and files.
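As an added example that is not part of the original notes, the following POSIX shell script applies the UID ranges and the * / !! shadow-password markers above to constructed sample /etc/passwd and /etc/shadow lines (embedded in the script, so nothing on the real system is read), classifying each account and reporting whether it can log in.

```shell
#!/bin/sh
# Added example (not from the original notes): classify accounts from
# constructed /etc/passwd and /etc/shadow lines using the UID ranges and
# shadow password markers described in the notes.  The sample data is
# embedded so the script never touches the real files.

# Constructed sample /etc/passwd content (field 3 is the UID).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash'

# Constructed sample /etc/shadow content (field 2 is the password field).
SAMPLE_SHADOW='root:$1$constructedsalt$constructedhash:17000:0:99999:7:::
apache:!!:17000:0:99999:7:::
alice:$1$constructedsalt$constructedhash:17000:0:99999:7:::
bob:!!:17000:0:99999:7:::'

# classify_uid UID -> super | program | ordinary | other (ranges from the notes).
classify_uid() {
    if [ "$1" -eq 0 ]; then echo super
    elif [ "$1" -ge 1 ] && [ "$1" -le 499 ]; then echo program
    elif [ "$1" -ge 500 ] && [ "$1" -le 60000 ]; then echo ordinary
    else echo other
    fi
}

# password_state NAME -> locked when the shadow field is * or starts with !
# (!! for never-set, a single ! prefix after usermod -L), set otherwise.
password_state() {
    field=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$field" in
        '*'|'!'*) echo locked ;;
        '')       echo missing ;;
        *)        echo set ;;
    esac
}

# audit_accounts -> one "name class password-state" line per passwd entry.
audit_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid gecos home shell; do
        echo "$name $(classify_uid "$uid") $(password_state "$name")"
    done
}

audit_accounts
```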
Special permissions on Linux (CentOS 7): SUID, SGID, sticky

Security context:
1. A process runs as a user: the process acts as the agent of the user who started it, so every operation it performs is done with that user's identity and permissions.
2. Permission matching model:
   (1) Check whether the owner of the process is the owner of the file being accessed; if so, apply the owner's permissions, otherwise go to step 2.
   (2) Check whether the owner of the process belongs to the group of the file being accessed; if so, apply the group's permissions, otherwise go to step 3.
   (3) Apply the permissions for others.

SUID:
- By default the owner of a process started by a user is that user (the initiator), so the process runs with the initiator's permissions.
- Function of SUID: when a user runs a program that has the SUID bit set, the resulting process is owned not by the initiator but by the owner of the program file, so it runs with the file owner's permissions.
- Managing the SUID bit on a file: chmod u+s file ... / chmod u-s file ...
- Location: the owner's execute permission bit. If the owner also has execute permission it is displayed as lowercase s; otherwise it is displayed as uppercase S.

SGID:
- Function: when a directory belongs to a group that has write permission on it and the SGID bit is set, any file or directory that a member of that group creates inside it gets the directory's group as its owning group, rather than the creating user's basic group.
- Managing the SGID bit on a file: chmod g+s file ... / chmod g-s file ...
- Location: the group's execute permission bit. If the group also has execute permission it is displayed as lowercase s; otherwise it is displayed as uppercase S.

Sticky bit:
- Function: in a group-writable or world-writable directory, every user in the group (or every user on the system) can create new files and can also delete any existing file. If the sticky bit is set on such a directory, each user can still create new files but can delete only their own files.
- Managing the sticky bit on a file: chmod o+t file ... / chmod o-t file ...
- Location: the execute permission bit for others. If others also have execute permission it is displayed as lowercase t; otherwise it is displayed as uppercase T.
- The /tmp and /var/tmp directories have the sticky bit set by default.

Another way to manage special permissions: in octal notation, add one more octal digit to the left of the usual three-digit mode (4 for SUID, 2 for SGID, 1 for sticky).

FACL (file access control lists):
- An additional authorization mechanism for files: on top of the original u, g, o permissions, another layer lets an ordinary user grant permissions on their files to other users or groups.
- Viewing ACLs: getfacl file ... (entries appear as user:username:mode and group:groupname:mode).
- Granting a user permissions: setfacl -m u:username:mode file ...
- Granting a group permissions: setfacl -m g:groupname:mode file ...
- Revoking: setfacl -x u:username file ... / setfacl -x g:groupname file ...
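As an added example (not from the original notes), this POSIX shell script decodes the s/S and t/T display rules for SUID, SGID and sticky from an ls -l style mode string and computes the four-digit octal form with the special digit on the left; the mode strings are constructed inputs, so it runs without touching real files.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the special permission
# bits of an ls -l mode string such as "-rwsr-xr-x" using the s/S and t/T
# display rules from the notes, and compute the four-digit octal mode with
# the special digit (4 suid, 2 sgid, 1 sticky) on the left.

# triple_to_digit RWX -> octal digit for one rwx triple.  A lowercase s or t
# in the x slot still counts as execute; uppercase S/T means execute is absent.
triple_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# special_digit MODE -> octal digit for the special bits (10-char mode string).
special_digit() {
    s=0
    case "$1" in ???[sS]??????) s=$((s + 4)) ;; esac   # owner x slot: SUID
    case "$1" in ??????[sS]???) s=$((s + 2)) ;; esac   # group x slot: SGID
    case "$1" in ?????????[tT]) s=$((s + 1)) ;; esac   # others x slot: sticky
    echo "$s"
}

# mode_to_octal MODE -> e.g. "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777
mode_to_octal() {
    m=${1#?}   # drop the leading file-type character
    printf '%s%s%s%s\n' "$(special_digit "$1")" \
        "$(triple_to_digit "${m%??????}")" \
        "$(triple_to_digit "$(echo "$m" | cut -c4-6)")" \
        "$(triple_to_digit "${m#??????}")"
}

# describe_special MODE -> space-separated names of the special bits set;
# a "-noexec" suffix marks an uppercase letter (bit set, execute missing).
describe_special() {
    out=""
    case "$1" in ???s??????) out="$out suid" ;;   ???S??????) out="$out suid-noexec" ;; esac
    case "$1" in ??????s???) out="$out sgid" ;;   ??????S???) out="$out sgid-noexec" ;; esac
    case "$1" in ?????????t) out="$out sticky" ;; ?????????T) out="$out sticky-noexec" ;; esac
    echo "${out# }"
}

mode_to_octal '-rwsr-xr-x'       # constructed input, prints 4755
describe_special 'drwxrwxrwt'    # constructed input, prints sticky
```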
Linux account permissions and special rights management