Linux User and Rights management

Source: Internet
Author: User

User Management related commands
Managing users and file permissions is a routine part of system work, so this article goes through the commands related to user and rights management in detail.
Related knowledge:
To the computer, every person who logs in is a user, and each user has a user ID and a password. Logging in to the system goes through three steps: authentication, authorization and audit (accounting); if any one of these steps fails, the user cannot log on to the system.
Users on a Linux system are divided into the administrative user and ordinary users, and ordinary users are in turn divided into system users and login users. Each user has an ID number that uniquely identifies it, called the UID; on a Linux system the UID is a 16-bit binary number with a range of 0-65535, where:
The administrator's UID is 0
1-65535 is for ordinary users
System users: 1-499 (CentOS 5/6), 1-999 (CentOS 7)
Login users: 500-60000 (CentOS 5/6), 1000-60000 (CentOS 7)
When a user logs in, they enter a user name; the system then performs name resolution, turning the user name into the UID that uniquely identifies the user. This resolution is done line by line against the name-resolution library /etc/passwd, where each line of /etc/passwd is separated by colons into seven fields:
account:password:UID:GID:GECOS:directory:shell
account: The user name
password: The encrypted password, or a placeholder; the user's real password is stored in /etc/shadow
UID: The user ID
GID: The ID number of the primary group the user belongs to
GECOS: Comment information
directory: The path of the user's home directory
shell: The user's default shell, the shell program started at login
As just mentioned, the user's real password is stored in /etc/shadow, where each line is separated by colons into nine fields:
sp_namp:sp_pwdp:sp_lstchg:sp_min:sp_max:sp_warn:sp_inact:sp_expire:sp_flag
sp_namp: Account name; since the password must be matched with the account, the first column of this file is the account name and must be the same as in /etc/passwd
sp_pwdp: The user's encrypted password
sp_lstchg: The date the password was last changed (days since 1970-01-01)
sp_min: Minimum password age (the number of days during which the password cannot be changed)
sp_max: Maximum password age (the number of days after which the password must be changed)
sp_warn: Warning period: the number of days before the maximum age is reached during which the user is warned to change the password; the password still works normally during this period
sp_inact: Inactive period (the account's grace period after the password expires); once the password has expired, the user is forced to reset it at the next login in order to continue using the account
sp_expire: Account expiration date, expressed like the third field as a number of days since 1970-01-01; the account can no longer be used after this date
sp_flag: Reserved field
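As an added example (not from the original article), the following POSIX shell functions classify a UID by the CentOS 7 ranges given above and audit the password and aging fields of an /etc/shadow line. The sample lines, hashes and day numbers are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The shadow lines below are
# constructed samples; the hashes are placeholders, not real password hashes.

# uid_class UID -> root | system | login, using the CentOS 7 ranges.
uid_class() {
    if [ "$1" -eq 0 ]; then echo root
    elif [ "$1" -lt 1000 ]; then echo system
    else echo login
    fi
}

# shadow_status SHADOW_LINE [TODAY]
# TODAY is a day count since 1970-01-01 (defaults to the current day).
# Prints: empty | locked | expired | no-max-age | password-expired | ok
shadow_status() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r name pwdp lstchg min max warn inact expire flag <<EOF
$1
EOF
    case "$pwdp" in
        "")        echo empty;  return ;;   # no password at all
        '!'*|'*'*) echo locked; return ;;   # usermod -L / passwd -l prefix, or never set
    esac
    if [ -n "$expire" ] && [ "$today" -gt "$expire" ]; then
        echo expired                        # sp_expire: the whole account is disabled
    elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo no-max-age                     # password never has to be changed
    elif [ $(( lstchg + max + ${inact:-0} )) -lt "$today" ]; then
        echo password-expired               # past sp_max plus the sp_inact grace period
    else
        echo ok
    fi
}

# Constructed sample entries (password last changed on day 19000).
alice='alice:$6$salt$hash:19000:0:90:7:14::'      # 90-day max age, 14-day grace
bob='bob:!$6$salt$hash:19000:0:90:7:::'           # locked with usermod -L
carol='carol::19000:0:90:7:::'                    # empty password field
dave='dave:$6$salt$hash:19000:0:99999:7:::'       # max age 99999: never expires
erin='erin:$6$salt$hash:19000:0:90:7::19100:'     # account expired on day 19100

for entry in "$alice" "$bob" "$carol" "$dave" "$erin"; do
    printf '%-6s %s\n' "${entry%%:*}" "$(shadow_status "$entry" 19200)"
done
```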
Groups on a Linux system are divided into the administrator group and ordinary groups, and ordinary groups into system groups and login groups. Like the user ID, a group has an ID called the GID; the GID, like the UID, is a 16-bit binary number with a range of 0-65535, where:
The administrator group's GID is 0
1-65535 is for ordinary groups
System groups: 1-499 (CentOS 5/6), 1-999 (CentOS 7)
Login groups: 500-60000 (CentOS 5/6), 1000-60000 (CentOS 7)
Group information is stored in the name library /etc/group, whose lines are separated by colons into four fields:
group_name:passwd:GID:user_list
group_name: The group name
passwd: Group password placeholder; the real password is stored in /etc/gshadow, described below
GID: The group ID number
user_list: The list of users that have this group as an additional group
Group passwords are stored in /etc/gshadow, whose lines are separated by colons into four fields:
group_name:encrypted_password:administrators:members
group_name: The group name, the same as in /etc/group
encrypted_password: The group's encrypted password
administrators: The accounts that administer the group
members: The accounts that are members of the group
User management commands in detail:
useradd command:
Function: Create a user
Usage: useradd [options] LOGIN
Parameters:
-u: Specify the user's UID
-g: Specify the primary group, which must already exist
-G: Specify the additional groups the user belongs to, separated by commas
-c: Specify the comment (GECOS) information
-d: Specify the user's home directory; it is created by copying and renaming the /etc/skel directory. If the specified path already exists, the environment profiles are not copied into it for the user
-s: Specify the user's default shell; the list of available shells is kept in /etc/shells
-r: Create a system user
-m: Create the home directory when creating the user; a home directory is created by default
-M: Do not create a home directory for the user
-D: Show the defaults used when creating a user; the default profile is /etc/login.defs
-e: Followed by a date in YYYY-MM-DD format, written to the eighth field of shadow, that is, the account's expiration date
-f: Followed by a number of days, written to the seventh field of shadow, the inactive period after which an expired password disables the account
usermod command:
Function: Modify user attributes
Usage: usermod [options] LOGIN
Parameters:
-u: Change the user's UID
-g: Change the user's primary group
-G: Change the user's additional groups; the original additional groups are replaced unless the -a (append) option is also given
-c: Change the comment information
-d: Change the user's home directory; the user's existing files are not moved to the new location unless the -m option is added
-l: Change the user name
-s: Change the user's default shell
-L: Lock the account by prefixing the user's encrypted password with a "!"; unlocking removes the exclamation mark
-U: Unlock the account
userdel command:
Function: Delete a user
Usage: userdel [options] LOGIN
Parameters:
-r: Also delete the user's home directory; it is kept by default
passwd command:
Function: (1) change your own password (2) change another user's password, which only root may do
Usage: passwd [USERNAME]
Parameters:
-l, -u: Lock and unlock the user
-d: Clear the user's password
-e: Password expiration
-i DAYS: Inactive period
-n DAYS: Minimum password age
-x DAYS: Maximum password age
-w DAYS: Warning period
--stdin: Read the new password from standard input, for example
echo "PASSWORD" | passwd --stdin USERNAME
changes the password of USERNAME non-interactively; note that the password then appears in the shell history of the command line used.
groupadd command:
Function: Add a group
Usage: groupadd [options] GROUPNAME
Parameters:
-g GID: Specify the GID; the default is the previous group's GID + 1
-r: Create a system group, with a GID in the range 1-499 (CentOS 6) or 1-999 (CentOS 7)
groupmod command:
Function: Modify group information
Usage: groupmod [options] GROUPNAME
Parameters:
-g GID: Change the GID
-n NEW_NAME: Change the group name
groupdel command:
Function: Delete a group
Usage: groupdel GROUPNAME
gpasswd command:
Function: Set a password for a group
Usage: gpasswd [option] GROUP
Parameters:
-a USERNAME: Add a user to the group
-d USERNAME: Remove a user from the group
newgrp command:
Function: Temporarily switch the user's primary group to another group; if the target group is not one of the user's additional groups, the group password must be entered
Usage: newgrp [-] [GROUP]
Parameters:
-: Simulate a fresh login as the user so that the working environment is re-initialized
chage command:
Function: Modify the user's password expiration information
Usage: chage [options] [LOGIN]
Parameters:
-d: Change the date the password was last changed
-E: Change the account expiration date
-W: Change the number of warning days before the password expires
-m: Change the minimum number of days between password changes
-M: Change the maximum number of days the password remains valid
-l: List the account's password aging information
-I: Change the inactive period after the password expires
id command:
Function: Display the user's real and effective IDs
Usage: id [option]... [USERNAME]
Parameters:
-u: Show only the effective UID
-g: Show only the user's primary group ID
-G: Show only the IDs of all groups the user belongs to
-n: Show names instead of IDs
-r: Show the real ID instead of the effective one
su command: switch user
Function:
Login switch (su - USER): re-initializes the environment by reading the target user's profile
Non-login switch (su USER): the target user's profile is not read for initialization
Note: The administrator can switch to any other user without a password; a non-administrator must give the target user's password, otherwise the switch fails
Parameters:
-c 'COMMAND': run only the specified command as the target user
su - woniu -c 'whoami' runs the whoami command as the user woniu; after the command completes, you are back as the current user
chown command:
Function: Change the owner and/or group of a file
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...
Parameters:
-R: Recursive modification

Rights Management Knowledge and commands
In the output of ls -l, the first column is the file type and permission description, for example:
[[email protected] /]# ls -l
total 106
dr-xr-xr-x. 2 root root 4096 Dec 09:43 bin
Here d means the entry is a directory; the next nine characters form three groups of three, each a combination of the three permission bits "rwx", where r stands for readable, w for writable and x for executable. The position of each of the three bits is fixed; a permission that is not granted is shown as a minus sign (-).
The first group is the permissions of the file's owner, denoted u
The second group is the permissions of the file's group, denoted g
The third group is the permissions of all other users, denoted o
The model a process uses to apply a file's access rights:
First, check whether the owner of the process is the same as the owner of the file; if so, the owner permissions apply;
Otherwise, check whether the owner of the process belongs to the file's group; if so, the group permissions apply;
Otherwise, only the other permissions apply;
For a file:
r: the file's data can be read
w: the file's data can be modified
x: the file can be run as a process
For a directory:
r: the ls command can be used to list the files in it
w: the list of files in the directory can be modified, that is, files can be created or deleted
x: you can cd into the directory, and ls -l can be used to get the detailed attributes of all files in it
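As an added example, not from the original article, these POSIX shell functions implement the owner/group/other selection described above and check one permission bit against the nine-character mode string from ls -l. The user names, group names and modes are constructed; the point worth seeing is that the first matching class decides, so an owner whose u bits are empty is refused even when g or o would permit.

```shell
#!/bin/sh
# Added example, not from the original article. Users, groups and modes
# below are constructed; this mirrors the class selection rule in prose,
# it is not the kernel's code.

# access_class USER "GROUP LIST" OWNER GROUP -> u | g | o
# The first matching class wins; later classes are never consulted.
access_class() {
    user=$1; grouplist=$2; owner=$3; group=$4
    if [ "$user" = "$owner" ]; then
        echo u; return
    fi
    for g in $grouplist; do
        if [ "$g" = "$group" ]; then
            echo g; return
        fi
    done
    echo o
}

# class_bits MODE CLASS -> the three characters for that class
# MODE is the nine-character rwx string from ls -l, e.g. rw-r-----.
class_bits() {
    case $2 in
        u) echo "${1%??????}" ;;                  # first three characters
        g) mid=${1#???}; echo "${mid%???}" ;;     # middle three
        o) echo "${1#??????}" ;;                  # last three
    esac
}

# can_access USER "GROUP LIST" OWNER GROUP MODE PERM -> allowed | denied
# PERM is one of r, w, x.
can_access() {
    class=$(access_class "$1" "$2" "$3" "$4")
    bits=$(class_bits "$5" "$class")
    case $bits in
        *"$6"*) echo allowed ;;
        *)      echo denied ;;
    esac
}

# Constructed file: owner alice, group wheel, mode rw-r-----
echo "bob (in wheel) reads:  $(can_access bob 'bob wheel' alice wheel rw-r----- r)"
echo "bob (in wheel) writes: $(can_access bob 'bob wheel' alice wheel rw-r----- w)"
echo "mallory reads:         $(can_access mallory mallory alice wheel rw-r----- r)"
# Owner with empty u bits is refused even though group and others may read:
echo "alice reads ---r--r--: $(can_access alice 'alice wheel' alice wheel ---r--r-- r)"
```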
Rights management commands:
chmod command:
Function: Modify the permissions of a file or directory
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
Mode notation:
Assignment notation: sets the whole permission set of a class of users directly
u=
g=
o=
a=
Addition/removal notation: operates on individual permission bits of a class of users
u+, u-
g+, g-
o+, o-
a+, a-
chmod [OPTION]... OCTAL-MODE FILE...
chmod 755 /etc/fstab
chmod [OPTION]... --reference=RFILE FILE...
chmod --reference=/var/log/message /etc/fstab makes the permissions of /etc/fstab the same as those of /var/log/message.
Parameters:
-R: Recursive modification
umask: the file permission mask (reverse mask), which determines the default permissions of new files
For a file the base permission is 666, because files do not get execute permission by default; for a directory the base permission is 777. The umask "removes" the corresponding bits from these permissions.
So the default permissions of a newly created file are 666-umask, and those of a newly created directory are 777-umask.
For a file, if the result of the subtraction would contain an execute bit, 1 is added to that digit; for a directory nothing changes.
For example, if the umask is 023, the permissions of a created file are
666-023+1=644
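As an added example that is not part of the original article, this POSIX shell function computes the default mode the way the kernel does, by clearing the umask bits from the base mode. It gives the same 644 for the 023 case above without the "+1" step, and also handles masks such as 077 where digit-wise subtraction cannot be applied; a second function flags a umask that leaves new files world-writable.

```shell
#!/bin/sh
# Added example, not from the original article. The kernel clears the umask
# bits from the base mode (666 for files, 777 for directories); this is the
# bitwise form of the "666 - umask" rule and needs no "+1" correction.

# default_mode file|dir UMASK -> resulting octal mode, e.g. 644
default_mode() {
    case $1 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "usage: default_mode file|dir UMASK" >&2; return 1 ;;
    esac
    mask=$(( 0$2 ))                  # leading 0 makes the shell parse it as octal
    printf '%03o\n' $(( base & ~mask ))
}

# other_writable file|dir UMASK -> yes if the default mode grants o+w
# A umask that leaves the o write bit set makes every new file world-writable.
other_writable() {
    mode=$(default_mode "$1" "$2") || return 1
    if [ $(( 0$mode & 02 )) -ne 0 ]; then echo yes; else echo no; fi
}

# The article's example: umask 023
echo "umask 023: file $(default_mode file 023), dir $(default_mode dir 023)"
# Digit-wise subtraction cannot express 666 - 077; bit clearing gives 600
echo "umask 077: file $(default_mode file 077), dir $(default_mode dir 077)"
echo "umask 000 leaves new files world-writable: $(other_writable file 000)"
echo "umask 022 leaves new files world-writable: $(other_writable file 022)"
```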
umask command:
umask: view the current umask
umask MASK: set the umask
Note: a umask set this way is only valid for the current shell process;


