Linux system user and user group introduction

Source: Internet
Author: User

Part one: Linux multi-user, multi-tasking introduction

Linux/Unix is a multi-user, multi-tasking operating system. Before introducing Linux account and account group management, the basic concepts of a multi-user, multi-tasking operating system should be understood.


Single-user multitasking for Linux

Since most readers are familiar with Windows, take it as the first example. When you log on to Windows with an administrator account, you may edit a Word document, and while editing it you may also open a music player to listen to music, and programs such as MSN/QQ may be open as well. Editing the Word document, running the player and running MSN/QQ are each a task, so several tasks run at the same time in this scenario. One user, here the administrator, runs several services or processes to get the work done. Linux behaves the same way: once you log in, you can open many service tasks and processes at the same time, and each runs well without affecting the others. One logged-in user running several service tasks and processes at once is called single-user multitasking.


Multi-user multitasking for Linux

Sometimes many users use the same system at the same time. A company may have dozens of operations staff, and several of them may log on to the same machine to deploy software or solve problems, but they are not all doing the same thing; this is a multi-user, multi-tasking situation.

For example, the madsale.cn server has the administrator root user, an Apache user, regular users and so on. At the same time, some people may be uploading packages to deploy the Apache service, some are viewing server logs, and some are logged in writing shell programs. The maintenance personnel who maintain or inspect the system may use different ordinary accounts or the superuser account root; different users have different permissions, and different tasks are performed by different maintenance personnel, that is, by different users.

Note that multi-user, multi-tasking does not mean that everyone sits at the same keyboard and display of one machine at the same time. Multiple users may connect remotely through an SSH client, Telnet or similar tools; as long as a user has the relevant rights, anyone can log on to the server and operate it.


Linux System User Role Division

Users in a system are divided into roles. In Linux, different roles have different permissions and complete different tasks. It is worth noting that a user's role is identified by its UID and GID, in particular the UID: in operations, a UID uniquely identifies a system user account. The account name (for example, gin) is what is shown to people; the system itself identifies the user only by the UID and GID numbers.

Super users:

By default this is the root user, whose UID and GID are both 0. It is unique in every Unix/Linux operating system. Once logged on to the system through it, you can operate on any file and run any command: it has the highest administrative rights. In a production environment, the root account is generally blocked from logging in to the server over remote SSH connections to enhance system security.

Normal User:

This type of user is typically added by an OPS person with root privileges. For example, the ginvip user can log in to the system, but only has access to the files and directories in its own home directory.

Virtual User:

Unlike real ordinary users, the biggest feature of this type of user is that they exist by default after the system is installed and, by default, cannot log on to the system. They are indispensable to the normal operation of the system; they exist mainly to facilitate system management and to satisfy the file ownership requirements of the corresponding system processes. Examples are the default bin, adm, nobody and mail users. Depending on the role of the server, some system services are not allowed to start at boot, so as part of system security optimization the virtual users corresponding to those disabled boot-time services can also be disposed of (deleted or commented out).


Security for multi-user operating systems

From a practical point of view, a multi-user system makes system management more convenient; from the security perspective it is also more secure. For example, if the ordinary user ginvip has a file that other users should not see, it is enough to set the file's permissions so that only the user ginvip can read, write and edit it (permissions are detailed below). Then only the user ginvip can operate on that private file, which protects each user's private data.


Accounts (user) and account groups (group)

User Introduction

From the above introduction to the multi-user characteristics of Linux, we know that Linux is a multi-user, multi-tasking, time-sharing system: if you want to use system resources, you must apply to the system administrator for an account and then enter the system through that account. Account and user are one and the same concept. By creating users with different attributes, the system can on the one hand use and control system resources reasonably, and on the other hand help users organize their files and protect the security of those files.

Each user has a unique user name and a user password. When logging in to the system, only after the correct user name and password are entered can the user enter the system and the corresponding directory.

In a production environment, we typically assign each operator who manages the server a separate regular user account, such as ginvip, with an 8-character password (containing digits and letters). The person logs in with this account for maintenance work, and when superuser privileges are needed, runs "sudo command name" to execute only the commands that root has allowed; of course, sudo permissions should be kept as small as possible. Also, when the number of operators is small, such as 2 or 3, they can switch directly to the superuser root with "su -" and then carry out the corresponding maintenance work. A special reminder here: during maintenance, if root privileges are not needed, do not work as the root user, to reduce the damage that a mistaken operation can do to the system. Remember this.

Note: sudo and su are two important commands for switching roles; they are explained in detail later in this article.


User groups (group) introduction

Simply put, a user group in a Linux system is a set of users with the same characteristics. A company or a family is a collection, similar to a user group here; the company's employees and the family's members are the equivalent of the users.

Sometimes we need multiple users to have the same permissions, such as viewing or modifying a file or directory. Without user groups this requirement is difficult to satisfy when granting rights. With user groups it is convenient: add the users to be authorized to the same user group, then modify the group permissions on the file or directory so that the group has the required permissions. All users in that group then have the same permissions on the file or directory. This is the purpose of user groups.

Grouping users is a means of managing and controlling access for users in a Linux system (the same applies in Windows); defining user groups simplifies operations management to a large extent.

In daily life, grouping people is ubiquitous: countries, companies, families, schools, classes and so on are all similar to the concept of user groups in Linux, and their members are similar to the users in a Linux user group.


The correspondence between users and user groups

Users and user groups correspond to each other one-to-many and many-to-many (a user can belong to several groups, and a group can contain several users); see the figure:

[Figure: Linux user group relationship]

Introduction to user and user group configuration files

The main account files in a Linux system are four: /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.


User-related configuration files

/etc/passwd → user configuration file

/etc/shadow → user shadow password file


/etc/passwd: the user configuration file

Each line of the /etc/passwd file defines one user account, so the number of lines is the number of accounts. Within a line, the content is divided by ":" into several fields, 7 in total, and each of the 7 fields defines a different attribute of the account. The actual contents of the passwd file look like this:

[Figure: contents of /etc/passwd]

Hint: there are many virtual accounts in the passwd file, such as bin, daemon and so on. In general these accounts are necessary for the normal operation of the system; when in doubt, do not remove such accounts arbitrarily.

The first line of the passwd file is the superuser root; we can see that its UID and GID are both 0. For ease of understanding, the fields of a passwd line are described in the following table:

The individual fields of a row in the passwd file, briefly:

[Figure: fields of a passwd line, brief description]

The individual fields of a row in the passwd file, in detail:

[Figure: fields of a passwd line, detailed description]

Restrictions on the UID field in passwd

[Figure: restrictions on the UID field in passwd]

Finally, let's look at the permissions of /etc/passwd:

[Figure: permissions of /etc/passwd]

Because every user needs to read the UID and GID to determine permissions, the permissions of /etc/passwd are 644, which leads to a security issue: all users can read /etc/passwd. Even though the passwords in the file are encrypted, there is a certain risk of them being cracked. That is why the /etc/shadow file exists.


The user's shadow password file /etc/shadow

As mentioned earlier, because the passwd file must be readable by all users, it poses a security risk. The shadow file was added to address this risk. Let's look at the permissions of the /etc/shadow file:

[Figure: permissions of /etc/shadow]

We can see that /etc/shadow is readable only by root. Its contents are:

[Figure: contents of /etc/shadow]

As in /etc/passwd, each line of the shadow file is delimited by a colon (:), with 9 fields in total; the meaning of each field is as follows:

The individual fields of a row in the shadow file, in detail:

[Figure: fields of a shadow line, detailed description]
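The passwd and shadow checks described in the two sections above, as an added example that is not part of the original article: a POSIX shell audit over constructed /etc/passwd and /etc/shadow contents (the sample data is made up here, including a deliberately wrong second UID 0 account) that splits each line on ":" and reports the conditions the text warns about. The field layout assumed is the standard one: 7 passwd fields (name, password placeholder, UID, GID, comment, home, shell) and 9 shadow fields (name, hash, last change, min, max, warn, inactive, expire, reserved).

```shell
#!/bin/sh
# Added example (not from the original article). All sample data is constructed.
# /etc/passwd: 7 fields  name:passwd:UID:GID:comment:home:shell
# The "backdoor" line is deliberately bad: a second account with UID 0.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ginvip:x:500:500:ops user:/home/ginvip:/bin/bash
backdoor:x:0:0::/root:/bin/bash'

# /etc/shadow: 9 fields  name:hash:lastchg:min:max:warn:inactive:expire:reserved
# "*" or "!" in field 2 blocks password login; an EMPTY field 2 allows
# login with no password at all, which is what the backdoor line shows.
SHADOW_SAMPLE='root:$6$c0nstructed$h4sh:16700:0:99999:7:::
bin:*:16700:0:99999:7:::
daemon:*:16700:0:99999:7:::
ginvip:$6$c0nstructed$h4sh2:16700:0:90:7:::
backdoor::16700:0:99999:7:::'

# Accounts whose UID is 0: each of these IS root, whatever its name.
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" \
        | awk -F: '$3 == 0 { out = out (out ? " " : "") $1 } END { print out }'
}

# Accounts with a real login shell (virtual users have nologin or false).
login_shell_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" \
        | awk -F: '$7 !~ /(nologin|false)$/ { out = out (out ? " " : "") $1 } END { print out }'
}

# Accounts whose shadow entry has an empty password field.
empty_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" \
        | awk -F: '$2 == "" { out = out (out ? " " : "") $1 } END { print out }'
}

# Lines with the wrong number of fields (7 for passwd, 9 for shadow);
# a malformed line means the file was edited by hand or corrupted.
malformed_lines() {
    p=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: 'NF != 7 { n++ } END { print n + 0 }')
    s=$(printf '%s\n' "$SHADOW_SAMPLE" | awk -F: 'NF != 9 { n++ } END { print n + 0 }')
    echo $((p + s))
}

# Stand-alone run: print the findings.
echo "UID 0 accounts:       $(uid0_accounts)"
echo "login shell accounts: $(login_shell_accounts)"
echo "empty passwords:      $(empty_password_accounts)"
echo "malformed lines:      $(malformed_lines)"
```

To run the same checks on a real host, replace the two sample variables with `cat /etc/passwd` and `cat /etc/shadow` (the latter needs root, which is exactly the point of the shadow file).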

Configuration files related to user groups

/etc/group → user group configuration file

/etc/gshadow → shadow file for user groups


/etc/group: the user group configuration file

The /etc/group file is the user group configuration file. It covers users and user groups and shows which user group a user belongs to, because one user can belong to one or more different user groups, and users in the same group have similar characteristics. For example, if we add a user to the root user group, that user can browse the files in the root user's home directory; if the root user opens read and write permissions on a file, all users in the root group can modify it; and if it is an executable file (such as a script), users in the root group can also execute it. The user group feature is a great convenience for the system administrator, but its security also deserves attention: if a user manages the most important content on the system, it is best to give that user a separate user group, or set the permissions on that user's files to fully private. In addition, ordinary users should not lightly be added to the root user group.

The /etc/group file records the GID together with the user group name mentioned earlier. The /etc/group file is similar to /etc/passwd; its file permissions are also 644:

[Figure: permissions of /etc/group]

The contents of the /etc/group file are:

[Figure: contents of /etc/group]

Detailed description of each field in the group file:

[Figure: fields of a group line, detailed description]

Shadow file for user groups: /etc/gshadow

/etc/gshadow holds the encrypted information for /etc/group, such as the user group management password. /etc/gshadow and /etc/group are complementary files. For a large server with many users and groups and a custom permission model with a complex relational structure, setting user group passwords is very necessary. For example, if we do not want some users who are not members of a group to own that group's permissions and characteristics permanently, we can use password authentication to let those users temporarily have the group's features; for this, a user group password is needed. The /etc/gshadow format is as follows:

One row per user group:

[Figure: contents of /etc/gshadow]

The individual fields of a row in the gshadow file, in detail:

[Figure: fields of a gshadow line, detailed description]
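For the group and gshadow files discussed above, an added example in the same style (not from the original article): constructed /etc/group and /etc/gshadow contents, with 4 colon-separated fields each, are checked for a user's supplementary groups, for members of the root group, for groups that carry a real password hash and so can be joined with newgrp by non-members who know it, and for the two files listing the same groups. Group names, user names and hashes are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). All sample data is constructed.
# /etc/group: 4 fields  name:passwd:GID:member list (comma separated)
GROUP_SAMPLE='root:x:0:
bin:x:1:bin,daemon
wheel:x:10:ginvip
ops:x:501:ginvip,alice'

# /etc/gshadow: 4 fields  name:hash:administrators:members
# "!" means no group password, so only listed members can newgrp into it.
GSHADOW_SAMPLE='root:!::
bin:!::bin,daemon
wheel:!::ginvip
ops:$6$c0nstructed$gr0uph4sh:ginvip:ginvip,alice'

# Groups that list the given user in the member field (supplementary groups;
# the primary group comes from the GID field of /etc/passwd instead).
groups_of() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) out = out (out ? " " : "") $1 }
        END { print out }'
}

# Member list of the root group (GID 0); the text advises keeping it empty.
root_group_members() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: '$3 == 0 { print $4 }'
}

# Groups whose gshadow entry holds a real hash: non-members who know the
# password can join them with newgrp, so each one deserves a review.
password_protected_groups() {
    printf '%s\n' "$GSHADOW_SAMPLE" \
        | awk -F: '$2 != "" && $2 != "!" && $2 != "*" { out = out (out ? " " : "") $1 } END { print out }'
}

# Both files must list the same group names; prints 0 when they agree.
group_gshadow_mismatch() {
    g=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: '{ print $1 }' | sort)
    s=$(printf '%s\n' "$GSHADOW_SAMPLE" | awk -F: '{ print $1 }' | sort)
    if [ "$g" = "$s" ]; then echo 0; else echo 1; fi
}

# Stand-alone run: print the findings.
echo "groups of ginvip:   $(groups_of ginvip)"
echo "root group members: $(root_group_members)"
echo "password groups:    $(password_protected_groups)"
echo "file mismatch:      $(group_gshadow_mismatch)"
```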

This article is from the "Gin Network" blog, please be sure to keep this source http://pcn01.blog.51cto.com/8092345/1708542
