Linux Account Management and ACL permission settings

Linux Account Management and ACL permission setting 1 Linux Account and Group 1.1 UID and GIDUID: User ID; GID: Group ID; permissions for a file, identified by UID and GID, the correspondence between UID and account is stored in the/etc/passwd www.2cto.com 1.2/etc/passwd structure $ head-n 4/etc/passwd root: x: 0: 0: root: /root:/bin/bashdaemon: x: 1: 1: daemon:/usr/sbin:/bin/shbin: x: 2: bin:/bin: /bin/shsys: x: 3: 3: sys:/dev:/bin/sh $ cat/etc/passwd | grep minix007minix007: x: 1000: 1000: minix007 ,,, :/home/minix007:/bin/bash account name and password (This field is x, the real password is stored in/ Etc/shadow) UID0: System Administrator 1 ~ 499: system account 500 ~ 65535: you can log on to the account www.2cto.com GID to describe the Home Directory Shell1.3/etc/shadow structure # cat/etc/shadow | grep minix007minix007: $6 $ Uk9abd2a7z. qWQQW0CNBsqeZvpx9UcyQ1: 15597: 0: 99999: 7 ::: password after account name encryption date of the last Password Change Password days password needs to change the number of days password needs change warning days before password expiration after account Grace days account expiration date keep 1.4/ etc/group structure $ head-n 4/etc/grouproot: x: 0: daemon: x: 1: bin: x: 2: sys: x: 3: group name group password GID this group supports some concepts of the account 1.5 group initial group: the account becomes a member of this group upon login. the GID of this attribute in/etc/passwd determines non-initial group: in addition to the initial group, an account also belongs to other groups, this is caused by/etc /Group: one account in the group to which the account belongs. If the account creates a file, the group of this file is determined by the effective group of the current account: you can use this command to know which groups the current user account belongs to. The first group is the valid group newgrp: The valid group is switched to the 1.6/etc/gshadow structure # head-n 4/etc/gshadowroot: *: daemon: *: bin: *: sys :*:: group name password Group Administrator Account account of this group 2 account management 2.1 create account useradd $ useradd minix006 # create a common account by default $ useradd-r matrix007 # create a system account $ useradd -D # display useradd default value $ useradd-DGROUP = 100 HOME =/homeINACTIVE =-1 EXPIRE = SHELL =/bin/shSKEL =/etc/skelcres ATE_MAIL_SPOOL = no2.2 change the password passwd # passwd minix006 # change the password of another root account $ passwd # change your own password $ passwd-S # list the Password parameters (modification date, expiration date, etc .) usermod # usermod-e "2013-10-10" minix006 # Set the expiration date of the minix006 account. 2.3 forget the password. Common users forget the password: Log On with the root account, and use the passwd command to handle root user forgetting: start Live CD, mount the root directory, modify/etc/passwd, clear the root password field, and then run the root command to log on without a password, and then use passwd to change the root password. 2.4 modify account data userdel: delete account data chsh: Modify shell2.5 check account information finger: Check Information id in/etc/passwd: Check UID, GID Information 2.6 group management new group: groupadd modify group information: groupmod Delete group information: groupdel create Group Administrator: Detailed permission planning for gpasswd3 HOST: ACL 3.1 What is ACLACL short for Access Control List, the main purpose is to provide detailed permission settings beyond the read, write, and execute permissions of the traditional owner, group, and others. The ACL can be r for a single user, a single file, or a directory, the setting of permissions w and x is very helpful for users who need special permissions. 3.2 enable ACL check if ACL is enabled $ mount/dev/sda7 on/type ext4 (rw, errors = remount-ro )... /dev/sda10 on/home type ext4 (rw )... no acl is displayed in the brackets, indicating that acl is not enabled # mount-o remount, ACL/home, and then check whether acl is enabled, you will get $ mount | grep home/dev/sda10 on/home type ext4 (rw, acl) 3.3 ACL settings getfacl $ touch testacl $ ll testacl-rw-r -- 1 minix007 minix007 0 February 4 16:42 testacl $ getfacl testacl # file: testacl # owner: minix007 # group: m Inix007user: rw-group: rw-other :: r -- setfacl Set permissions for specific users $ ll testacl-rw-r -- 1 minix007 minix007 0 February 4 16:42 testacl # setfacl-m u: minix007: rx testacl $ ll testacl-rw-rwxr -- + 1 minix007 minix007 0 February 4 16:42 testacl * can be seen, the permission information of testacl is different from the previous four-user identity switching 4.1 why should I use a common account for identity switching, and I need to use the root account in particular to avoid damage to the system when running the software, for this reason, a low-permission account is set for the software, so that even if the software is broken, it will not affect the system's 4.2 identity switching method su: Switch all identities to the new identity: su-username only uses root to execute the command once: su-c "command string" by ro When ot is switched to another user, the special shell of the sudo5 user and the special shell of the PAM module 5.1 are not required./sbin/nologinnologin is a special shell. If the shell of an account is nologin, therefore, it cannot log on through shell, but it can use system resources, thus limiting the account's right to use shell. Because some accounts do not need to use shell, assigning them puts the system in danger. 5.2 PAM www.2cto.com a host may have to be verified in many places. They have different verification mechanisms, which may cause some confusion, such as consistency problems. PAM is a set of application programming interfaces, he provides a series of verification mechanisms that allow PAM to return verification results as long as the user informs PAM of the authentication. 5.3 passwd working principle the user uses the passwd program and enters the password passwd to call the PAM module to verify the PAM module to/etc/pam. d/find the configuration file with the same name as passwd according to the configuration file settings, reference the PAM module Verification Analysis to return the verification results to passwdpasswd. Based on the results, determine the following action 6. Pass the user information on the Linux host to who: users logging on to the system in the directory $ whominix007 tty7 2013-02-04 14: 52minix007 pts/2 2013-02-04 (: 0.0) lastlog: User conversations during the last logon time of all accounts: write, mesg, mail