Linux account permissions and special rights Management

Source: Internet
Author: User
Tags: chmod

User accounts

- Super user: the root user, used for system administration.
- Normal user: created by the administrator (root); has full permissions only in the user's own home directory.
- Program users: low-privileged accounts added when an application is installed. They are not allowed to log on to the system and exist only to keep the system or a program running.

Group accounts

- Definition: a group account represents the accounts of all users in the group.
- Basic group (private group): each user account belongs to at least one group.
- Additional group (public group): a user may also belong to other groups.

UID (user identification number)

- Each user account has a numeric identity token, and each UID number is unique.
- root user: 0
- Program user accounts: 1~499
- Ordinary users: 500~60000

GID (group identification number)

- Each group account also has a numeric identity token.
- root group: 0
- Program group accounts: 1~499
- General group accounts: 500~60000

Files associated with user accounts

- /etc/passwd: saves the user name, home directory, login shell and other basic information.
- /etc/shadow: saves the user password, account validity and other information.

Field meaning of /etc/passwd (one line per account): user account name, password placeholder, UID number, basic group GID number, user's full name, home directory (default working directory), login shell.

Field meaning of /etc/shadow (the shadow file saves the password information for each user account): user account name, password string encrypted with MD5 (* or !! indicates that the account cannot log on to the system), date the password was last modified, minimum number of days the password is valid, maximum number of days the password is valid, number of days before expiry to warn the user, number of days after the password expires, account expiration date, and a reserved field.

Account management commands

- useradd: add a user account.
- passwd: set the password for a new user.
- usermod: modify user account attributes.
- userdel: delete a user account.
- Usage: see the --help output and the man pages.

Initial profile files: after a new user is added, some initial configuration files are automatically created in the user's home directory from the account template directory /etc/skel. The commonly used ones:

- .bash_logout: the commands in this file run each time the user logs out.
- .bash_profile: the commands in this file run every time the user logs on.
- .bashrc: the commands in this file run every time /bin/bash is loaded, including at login.
- /etc/bashrc and /etc/profile: add commands that run automatically after login for all users, set variables automatically, and so on.

Group account management

- Group account files:
  - /etc/group: saves the group account name, GID number, group members and other information.
  - /etc/gshadow: saves the encrypted password string for group accounts and similar information.
- groupadd: add a group account.
- gpasswd: add, set or delete group members (manages the user members of a group account).
- groupdel: delete a group account.

Querying account information

- groups: query the groups a user account belongs to.
- id: query the identity of a user account.
- finger: query the login properties of a user account.
- w: query the current host's user login status.
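As an added example (not part of the original article), the following shell script applies the UID ranges and the shadow password placeholders described above to constructed sample lines in the /etc/passwd and /etc/shadow formats, printing one audit line per account. The sample accounts and the placeholder hash are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): classify accounts by the UID
# ranges the article lists and flag accounts whose shadow entry cannot log on.
# Uses constructed sample lines, not the real /etc/passwd or /etc/shadow.
set -eu

# Constructed sample of /etc/passwd (7 colon-separated fields).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice Example:/home/alice:/bin/bash'

# Constructed sample of /etc/shadow; the root hash is a placeholder, not real.
SHADOW_SAMPLE='root:$6$PLACEHOLDER$NOTAREALHASH:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
alice:!!:17000:0:99999:7:::'

# Map a UID to the account class used by the article (0 / 1~499 / 500~60000).
uid_class() {
    if [ "$1" -eq 0 ]; then echo superuser
    elif [ "$1" -le 499 ]; then echo program
    elif [ "$1" -le 60000 ]; then echo ordinary
    else echo out-of-range
    fi
}

# Report whether the shadow password field allows password login.
shadow_status() {
    case $1 in
        '*'|'!!') echo locked ;;
        '') echo empty ;;
        *) echo set ;;
    esac
}

# Join both samples on the account name and print one audit line per account.
audit_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r name ph uid gid gecos home shell; do
        pw=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v n="$name" '$1 == n { print $2 }')
        printf '%s uid=%s class=%s password=%s shell=%s\n' \
            "$name" "$uid" "$(uid_class "$uid")" "$(shadow_status "$pw")" "$shell"
    done
}

audit_accounts
```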
Managing directory and file properties

- Access rights: three basic types, read, write and execute.
- Ownership: the owner and the group.
- File type: d (directory), b (block device file), c (character device file), - (normal file), l (linked file).
- chmod: set permissions for directories and files.
- chown: set the owner and group of directories and files.

Special permissions on Linux (CentOS 7): suid, sgid, sticky

Security context:

1. A process runs as a user: the process acts on behalf of the user who started it, so all of its operations are performed with that user's identity and permissions.
2. Permission matching model:
   (1) Determine whether the owner of the process is the owner of the file being accessed; if so, apply the owner's permissions, otherwise go to step 2.
   (2) Determine whether the owner of the process belongs to the group of the file being accessed; if so, apply the group's permissions, otherwise go to step 3.
   (3) Apply the permissions for others.

suid

- By default the owner of a process started by a user is its initiator, so the process runs as the initiator.
- Function of SUID: when a user runs a program that has SUID permission, the resulting process is owned not by the initiator but by the owner of the program file.
- Managing suid on a file: chmod u+s file ... / chmod u-s file ...
- Location: the owner's execute permission bit. If the owner has execute permission it is shown as lowercase s; otherwise it is shown as uppercase S.

sgid

- Function: when a directory belongs to a group that has write permission on it and the sgid bit is set, any file or directory created inside it by a member of that group gets the directory's group as its group, not the creating user's basic group.
- Managing sgid on a file: chmod g+s file ... / chmod g-s file ...
- Location: the group's execute permission bit. If the group has execute permission it is shown as lowercase s; otherwise it is shown as uppercase S.

sticky

- Function: in a group-writable or world-writable directory, all users in the group or all users on the system can create new files and delete any existing file; if the sticky bit is set on such a directory, each user can still create new files but can delete only their own.
- Managing sticky on a file: chmod o+t file ... / chmod o-t file ...
- Location: the others' execute permission bit. If others have execute permission it is shown as lowercase t; otherwise it is shown as uppercase T.
- The /tmp and /var/tmp directories have the sticky bit set by default.

Another way to manage special permissions: based on the octal method, add one octal digit to the left of the usual three-digit octal mode.

facl: file access control lists

An additional authorization mechanism for files: besides the original u, g, o layer, it lets ordinary users grant permissions to other users or groups.

- getfacl command: getfacl file ...
  The output lists entries such as user:username:mode and group:groupname:mode.
- setfacl command:
  - grant to a user: setfacl -m u:username:mode file ...
  - grant to a group: setfacl -m g:groupname:mode file ...
  - revoke: setfacl -x u:username file ... / setfacl -x g:groupname file ...


