Linux User and Group permissions

Source: Internet
Author: User

User and Group permissions

On a Linux system, what a process may do to a resource depends on the identity of the user that runs it. To keep resources protected while staying manageable, the system gives different users different rights; groups exist so that users can be classified and managed together instead of one at a time.

1.Linux Users

Every Linux user has a name (the username) and a numeric ID, the UID. Like an ID card number, the UID is what the system actually uses to identify the user; the username is only a label attached to it.

Linux users fall into two categories, the administrator and ordinary users, and ordinary users are further divided into system users and login users.

Administrator: username=root, uid=0

Ordinary users: uid 1-65535 (the traditional range; modern kernels accept larger values)

System users: uid 1-499 (CentOS 6), 1-999 (CentOS 7); used by daemons and the resources they own, not for interactive login

Login users: uid 500+ (CentOS 6), 1000+ (CentOS 7); for interactive login

Attention: more than one username can be assigned the same UID, but the system identifies a user only by UID, so two entries with the same UID are the same user as far as the kernel is concerned. After login the prompt shows a username, so which name does the system display for a shared UID? It looks up the UID-to-username mapping in /etc/passwd and stops at the first entry whose UID matches; the username in that entry is the one shown. In other words, the earliest mapping in the file wins. This is also why a second entry with uid=0 (root under another name) is a classic backdoor and worth auditing for.
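The shared-UID rule above is easy to check mechanically. The script below is an added example, not part of the original page: it reads a passwd-format file, reports every UID used by more than one entry, shows which name the system would display for a UID (first match wins), and lists any uid=0 account that is not root. The passwd content is constructed sample data; on a real host pass /etc/passwd instead of the temporary file.

```shell
#!/bin/sh
# Added example (not from the original page): audit a passwd-format file for
# shared UIDs and for root-equivalent accounts. All data below is constructed.
PASSWD_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1001:Carol:/home/carol:/bin/bash
EOF

# name_for_uid FILE UID: the username the system displays for a UID, i.e. the
# first passwd entry whose third field matches (the same rule getpwuid uses).
name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# dup_uids FILE: print "UID name1,name2,..." for every UID used by more than
# one entry, lowest UID first.
dup_uids() {
    awk -F: '
        { names[$3] = ($3 in count) ? names[$3] "," $1 : $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' "$1" | sort -n
}

# extra_uid0 FILE: every account with uid 0 whose name is not root. Any output
# here is a finding: the account is root under another name.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run against the constructed sample (use /etc/passwd on a real host).
dup_uids "$PASSWD_FILE"
extra_uid0 "$PASSWD_FILE"
```

On the sample this prints "0 root,toor" and "1000 alice,bob", then "toor". Files owned by UID 1000 show up as belonging to alice in ls output even when bob created them, which is the display rule the text describes.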


2.Linux Group

Like users, Linux groups have a name (the group name) and a numeric ID, the GID.

Groups are divided into the administrator group and ordinary groups, and ordinary groups are further divided into system groups and general groups.

Administrator group: groupname=root, gid=0

Ordinary groups:

System groups: gid 1-499 (CentOS 6), 1-999 (CentOS 7)

General groups: gid 500+ (CentOS 6), 1000+ (CentOS 7)


3.Linux relationships between users and groups:

For a user:

A user has exactly one primary group. When it was created together with the user it is also called the private group and carries the same name as the user.

A user can have zero or more supplementary groups (secondary groups).

A group can have several members and several group administrators; a group administrator can change the group password and add or remove group members.


4. Two profiles related to users

/etc/passwd and /etc/shadow


Note 1): Of these two files, one stores user information and the other stores the password hashes. Early systems kept both in /etc/passwd, which every user can read; that is obviously unsafe, so the hashes were moved into /etc/shadow, which only root can read. The two layouts can still be converted into each other:

#pwunconv

Moves the hashes from /etc/shadow back into the second field of /etc/passwd (replacing the x placeholder) and removes /etc/shadow; the hashes become world-readable and the password-ageing fields that exist only in /etc/shadow are lost. Do not do this on a production system.

#pwconv

Restores the split into two files (hashes back in /etc/shadow, x in /etc/passwd).

2): To view the entry for a specific user in /etc/passwd and /etc/shadow:

#getent passwd USERNAME

#getent shadow USERNAME

getent also consults the other name services configured in /etc/nsswitch.conf (LDAP, sssd), so it can show users that are not in the local files; reading shadow entries requires root.


/etc/passwd stores information about the user; each line has 7 colon-separated fields, with the following meaning:

1) Login name: the username

2) Password: x is a placeholder; the hash itself is in /etc/shadow

3) UID: user ID

4) GID: ID of the user's primary group

5) Comment (GECOS): the user's full name or a comment

6) Home directory: the user's home

7) Shell: the user's login shell

/etc/shadow stores the user's password information; it is also colon-delimited, with 9 fields:

1) Username

2) Hashed password; SHA-512 ($6$ prefix) is the usual choice today. A leading ! or * means the account is locked for password login, and an empty field means no password is required at all.

3) Last change: the day, counted in days since January 1, 1970, on which the password was last changed (0 forces a change at the next login)

4) Minimum age: number of days that must pass before the password may be changed again (0 means it can be changed at any time)

5) Maximum age: number of days after which the password expires (99999 means never)

6) Warning period: number of days before expiry on which the user starts being warned (default one week)

7) Inactivity period: number of days after password expiry during which login is still allowed; after that the account is locked

8) Account expiry date: days since January 1, 1970 after which the account is disabled, regardless of the password

9) Reserved field
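The nine fields are only useful if you can turn them into a verdict about the account. The script below is an added example, not from the original page: it parses shadow-format lines and classifies each account the way a login attempt (and chage -l) would, covering the cases the field descriptions above mention: empty hash, locked hash, forced change, password expiry, the inactivity period and account expiry. It is also what section 9 (chage) sets. The shadow lines are constructed and the hashes are placeholders, not real hashes; the "today" value is passed in so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the original page): decode the /etc/shadow fields
# and classify each account the way chage -l and a login attempt would.
# All lines below are constructed; the hashes are placeholders.
SHADOW_FILE=$(mktemp)
cat > "$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$notarealhash:18000:0:99999:7:::
alice:$6$saltsalt$notarealhash:18000:0:90:14:7::
bob:!$6$saltsalt$notarealhash:18000:0:99999:7:::
carol::18000:0:99999:7:::
dave:$6$saltsalt$notarealhash:0:0:99999:7:::
erin:$6$saltsalt$notarealhash:18000:0:99999:7::18100:
EOF

# Days since 1970-01-01, the unit fields 3 and 8 of /etc/shadow use.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_status FILE USER TODAY -> one word:
#   nopassword       empty hash: login succeeds with no password at all
#   locked           hash starts with ! or * (passwd -l, usermod -L, system accounts)
#   account-expired  account expiry date (field 8) has passed
#   must-change      last change is 0 (chage -d 0 / passwd -e): reset at next login
#   inactive         password expired and the inactivity period (field 7) ran out
#   expired          password older than the maximum age (field 5)
#   ok               none of the above
shadow_status() {
    awk -F: -v user="$2" -v today="$3" '
        $1 != user { next }
        {
            hash = $2; last = $3; max = $5; inact = $7; expire = $8
            if (hash == "")                     { print "nopassword"; exit }
            if (hash ~ /^[!*]/)                 { print "locked"; exit }
            if (expire != "" && today > expire) { print "account-expired"; exit }
            if (last == 0)                      { print "must-change"; exit }
            if (max != "" && max != 99999 && today > last + max) {
                if (inact != "" && today > last + max + inact) { print "inactive"; exit }
                print "expired"; exit
            }
            print "ok"; exit
        }
    ' "$1"
}

# empty_hashes FILE: every account whose hash field is empty; the first thing
# to fix on any host.
empty_hashes() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Report on the sample as of day 18200 (use "$(today_days)" on a real host,
# reading /etc/shadow as root).
for u in root alice bob carol dave erin; do
    printf '%-6s %s\n' "$u" "$(shadow_status "$SHADOW_FILE" "$u" 18200)"
done
```

Note the order of the checks: an empty or locked hash is decisive regardless of the ageing fields, and account expiry (field 8) overrides password expiry (field 5), which matches how the login stack evaluates the entry.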


5. Two configuration files related to a group

/etc/group and /etc/gshadow

To view the entry for a specific group in /etc/group and /etc/gshadow:

#getent group GROUPNAME

#getent gshadow GROUPNAME


/etc/group stores information about a group, colon-delimited, with 4 fields:

1) Group name

2) Group password; normally not set (x), the real password is recorded in /etc/gshadow

3) GID: group ID

4) List of users that have this group as a supplementary (secondary) group, comma-separated. Users whose primary group is this one are not listed here; that relationship lives in the GID field of /etc/passwd.

/etc/gshadow stores the group password information, with 4 fields:

1) Group name

2) Group password; same structure as the password field in /etc/shadow (! means no password is set, so newgrp into the group is refused for non-members)

3) Group administrators: comma-separated list of users who administer the group

4) Group members: comma-separated list of users who are members of the group


6. Tools specifically designed to edit /etc/passwd and /etc/group:

Edit with file locking and a syntax check on save: vipw (passwd; vipw -s for shadow) and vigr (group; vigr -s for gshadow)

Syntax check only: pwck (passwd and shadow) and grpck (group and gshadow)


7. User Management commands

1) Create a user

useradd [OPTION] USERNAME

-u UID: explicit UID; the default range is defined in /etc/login.defs

-o: together with -u, do not check that the UID is unique (this is how a second uid=0 account gets created; avoid it)

-g GID: primary group to join; if not specified, a group with the same name as the user is created and used as the primary group

-c "COMMENT": the user's comment (GECOS) field

-d HOME_DIR: home directory path; it should not already exist, because useradd does not copy /etc/skel into an existing directory

-s SHELL: the user's login shell (/sbin/nologin for accounts that should never log in interactively)

-G GP1[,GP2,...]: supplementary groups for the user; the groups must already exist

-N: do not create a private group; use the users group (GID=100) as the primary group instead

-r: create a system user (UID from the system range, no home directory by default)

-M: do not create a home directory

-D: show the default configuration

-D -s SHELL: change the default shell for new users

2) Set the user's password

passwd [OPTION] USERNAME

-l: lock the specified user (prefixes the hash in /etc/shadow with !; CentOS's passwd writes !!)

-u: unlock the specified user (removes the ! prefix)

-n MINDAYS: minimum password age

-x MAXDAYS: maximum password age

-w WARNDAYS: how many days before expiry to start warning

-i INACTIVEDAYS: inactivity period after expiry

--stdin: read the new password from standard input (a Red Hat/CentOS extension); e.g. echo "123456" | passwd --stdin USERNAME. A password typed on the command line this way ends up in the shell history, so prefer chpasswd reading from a file with restrictive permissions.


3) Create users and change passwords in batch

#newusers FILE: create users in bulk; FILE has the same layout as /etc/passwd, with the plaintext password in the second field (newusers hashes it)

#chpasswd: change passwords in bulk by reading lines in USER:PASSWORD format from standard input

vim BATCHPASSWD

user1:PlainTextPassword
user2:PlainTextPassword
...

chpasswd < BATCHPASSWD

The batch file holds plaintext passwords, so create it with mode 600 and delete it once chpasswd has run.
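chpasswd applies whatever it is given, and a batch file is typically assembled by hand or by another script, so it is worth vetting before it is fed in. The script below is an added example, not part of the original page: check_batch takes a passwd file and a batch file and reports lines that are not in USER:PASSWORD form, refer to an unknown user, carry an empty password, are shorter than a minimum length, or duplicate an earlier entry. The 12-character minimum and the MIN_PW_LEN override are this example's own choice, and both files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): vet a USER:PASSWORD batch file
# before feeding it to chpasswd, so a malformed line does not silently set an
# empty password or target the wrong user. Both files below are constructed.
PASSWD_FILE=$(mktemp); BATCH_FILE=$(mktemp); GOOD_BATCH=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
EOF
cat > "$BATCH_FILE" <<'EOF'
user1:CorrectHorseBatteryStaple
user2:
user3:NoSuchUserPassword1
user1:SecondEntryForUser1
root:short
no-colon-on-this-line
EOF
cat > "$GOOD_BATCH" <<'EOF'
user1:CorrectHorseBatteryStaple
user2:Another:Long:Password:With:Colons
EOF

# check_batch PASSWD_FILE BATCH_FILE: print one problem per line and return 1
# if any problem was found, 0 if the batch is clean. The password is
# everything after the first colon, which is how chpasswd splits the line.
# MIN_PW_LEN (default 12) is this example's own policy knob.
check_batch() {
    awk -F: -v passwd="$1" -v minlen="${MIN_PW_LEN:-12}" '
        BEGIN {
            bad = 0
            while ((getline line < passwd) > 0) { split(line, f, ":"); known[f[1]] = 1 }
        }
        NF < 2 { printf "line %d: not in USER:PASSWORD form\n", NR; bad = 1; next }
        { user = $1; pw = substr($0, index($0, ":") + 1) }
        !(user in known) { printf "line %d: unknown user %s\n", NR, user; bad = 1 }
        pw == ""         { printf "line %d: empty password for %s\n", NR, user; bad = 1 }
        pw != "" && length(pw) < minlen {
            printf "line %d: password for %s shorter than %d\n", NR, user, minlen; bad = 1
        }
        seen[user]++     { printf "line %d: duplicate entry for %s\n", NR, user; bad = 1 }
        END { exit bad }
    ' "$2"
}

# Usage on a real host: check_batch /etc/passwd BATCHPASSWD && chpasswd < BATCHPASSWD
check_batch "$PASSWD_FILE" "$BATCH_FILE" || echo "batch rejected"
check_batch "$PASSWD_FILE" "$GOOD_BATCH" && echo "good batch accepted"
```

The duplicate check matters because chpasswd processes lines in order, so a second entry for the same user silently wins; the colon handling matters because a password may legitimately contain colons and only the first one is a separator.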

4) Modify user properties

#usermod [OPTION] USERNAME

-u UID: new UID for the user

-g GID: new primary group

-G GP1[,GP2,...]: new supplementary groups; the existing list is replaced (to keep the existing groups and add to them, use -aG)

-G "": empty the supplementary group list

-s SHELL: new login shell

-c 'COMMENT': new comment field

-d HOME: new home directory; the files in the old home directory are not moved unless -m is also given (usermod -d /new/home -m USERNAME)

-l LOGIN_NAME: new username

-L: lock the user (prefixes the /etc/shadow hash with !)

-U: unlock the user

-e YYYY-MM-DD: account expiry date

-f INACTIVE: inactivity period

usermod does not delete the home directory; that is userdel -r (see 10 below).


5) View information about a user

#id [OPTION] [USER]: show the user's identity; with no USER, the current user

-u: uid

-g: gid of the primary group

-G: gids of all groups, including supplementary ones

-n: show names instead of numbers; usually combined with -u, -g or -G

id -un [USER] or id -gn [USER]

#finger: print information about every user currently logged in

finger USER: show details about one user, such as home directory, login shell, mail status and last login


6) The home directory field in /etc/passwd must not be empty

If it is empty, logging in as that user does not work properly: after the username and password are accepted no prompt appears and no command can be entered; after a timeout (hint: /usr/bin/xauth: timeout in locking authority file /.xauthority) the session lands in /.

su - USER (full switch) and su USER (partial switch) both report "su: user USER does not exist".

If the field is not empty but the directory does not exist, login succeeds and drops the user into /;

su - USER (full switch) also lands in /;

su USER (partial switch) stays in the directory where su was run.

7) Switch user, or run a command as another user

su [OPTION] [-] [USER [ARGS ...]]

Ways to switch:

su USER: non-login switch; does not read the target user's profile and does not change the working directory, also called a partial switch

su - USER: login switch; reads the target user's profile and changes to the target user's home directory, also called a full switch

Attention: root can su to any other user without a password; a non-root user must enter the target user's password (PAM can additionally restrict su to root to members of the wheel group)

Run a command under another identity:

su [-] USER -c 'CMD'

Option -l, --login

su -l USER is equivalent to su - USER

8) Other commands that modify user information

chfn: set personal (GECOS) information

chsh: set the login shell

9) Modify the user's password policy

chage [OPTION] USER

-d LAST_DAY: set the last-change date (3rd field of /etc/shadow)

-m, --mindays MIN_DAYS: set the minimum age (4th field of /etc/shadow), i.e. how soon the password may be changed again

-M, --maxdays MAX_DAYS: set the maximum age (5th field of /etc/shadow)

-W, --warndays WARN_DAYS: set the warning period (6th field of /etc/shadow)

-I, --inactive INACTIVE: set the inactivity period (7th field of /etc/shadow)

-E, --expiredate EXPIRE_DATE: set the account expiry date (8th field of /etc/shadow)

-l: display the password policy

Force a password reset at the next login:

chage -d 0 tom is equivalent to passwd -e tom

e.g. chage -m 0 -M 42 -W 14 -I 7 tom

chage -E 2016-09-10 tom

10) Delete a user

userdel USER: deletes the user but leaves the home directory in place

userdel -r USER: deletes the home directory (and mail spool) together with the user

/etc/login.defs contains the following setting:

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

Files the deleted user owned outside the home directory keep its numeric UID; if useradd later hands that UID to a new user, the new user inherits access to them (find / -nouser lists such files).


8. Group Management Commands

1) Create a group

groupadd [OPTION] GROUPNAME

-g GID: explicit GID; the default range is specified in /etc/login.defs

-r: create a system group

2) Modify a group

groupmod [OPTION] GROUP

-n GROUPNAME: new name for the group

-g GID: new GID

3) Delete a group

groupdel GROUP (refused if the group is still the primary group of some user)

4) Change the group password and membership

gpasswd [OPTION] GROUP

-a USER: add the user to the specified group

-M USER1,USER2,...: set the group's member list (replaces the existing one)

-d USER: remove the user from the specified group

-A USER1,USER2,...: set the list of users with administrative rights over the group, i.e. the group administrators

gpasswd GROUP with no option sets the group password.

newgrp command: temporarily switch the primary group of the current shell

If the user is not a member of the group, the group password is required

Attention: see the /etc/gshadow section of this document for where the password and administrators are stored

5) Change group members

groupmems [OPTIONS] [ACTION]

Options

-g, --group GROUPNAME: act on the specified group (root only; without it a user modifies their own group)

Action

-a, --add USERNAME: add the user to the group

-d, --delete USERNAME: remove the user from the group

-p, --purge: remove all members from the group

-l, --list: list the group's members

e.g. groupmems -g peng -a wang adds the user wang to the group peng

groupmems -g peng -l lists the members of the group peng; note that it shows only the users that have peng as a supplementary group (the 4th field of /etc/group), not users whose primary group is peng

groupmems -g peng -p removes all members from the group peng

6) View group membership

groups USER1 USER2 ... USERN: lists the groups of one or more users in the format primary_group secondary_group1 secondary_group2 ...

groups with no user prints the groups of the current process as a flat list; the first one is the current primary group
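The difference between what groupmems -l shows and what groups shows comes straight from the two files: the 4th field of /etc/group lists only supplementary members, while primary membership is the GID field of /etc/passwd. The script below is an added example, not from the original page: it resolves both views from passwd and group files and computes a group's effective membership as the union. The passwd and group contents are constructed (the peng and wang users from the text, plus a user li whose primary group is peng), and on a real host the two temporary files would be /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original page): resolve group membership from
# passwd and group files, showing why groupmems -l and groups disagree.
# Both files below are constructed.
PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
peng:x:1001:1001::/home/peng:/bin/bash
wang:x:1002:1002::/home/wang:/bin/bash
li:x:1003:1001::/home/li:/bin/bash
EOF
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:wang
peng:x:1001:wang
wang:x:1002:
EOF

# gid_of GROUP GROUP_FILE
gid_of() { awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"; }

# secondary_members GROUP GROUP_FILE: what groupmems -g GROUP -l reports
# (the comma-separated 4th field of the group file).
secondary_members() {
    awk -F: -v g="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$2"
}

# primary_members GROUP PASSWD_FILE GROUP_FILE: users whose primary GID is the
# group's GID; groupmems -l does not show these.
primary_members() {
    gid=$(gid_of "$1" "$3")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# all_members GROUP PASSWD_FILE GROUP_FILE: effective membership, the union.
all_members() {
    { primary_members "$1" "$2" "$3"; secondary_members "$1" "$3"; } | sort -u
}

# user_groups USER PASSWD_FILE GROUP_FILE: same list as `groups USER`,
# primary group first, then supplementary groups in group-file order.
user_groups() {
    pgid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$pgid" ] || return 1
    primary=$(awk -F: -v g="$pgid" '$3 == g { print $1; exit }' "$3")
    secondary=$(awk -F: -v u="$1" -v p="$primary" '
        $1 != p { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3" | tr '\n' ' ')
    printf '%s\n' "$primary $secondary" | sed 's/ *$//'
}

echo "groupmems -l view of peng: $(secondary_members peng "$GROUP_FILE" | tr '\n' ' ')"
echo "effective members of peng: $(all_members peng "$PASSWD_FILE" "$GROUP_FILE" | tr '\n' ' ')"
echo "groups wang: $(user_groups wang "$PASSWD_FILE" "$GROUP_FILE")"
```

On the sample, groupmems -l would report only wang for peng, while the effective membership is li, peng and wang. When auditing who can read a group-owned file, it is the union that matters, so checking /etc/group alone under-counts.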

