Linux User and Rights management

The best thing about Linux is that it's a multi-user, multitasking environment. However, in the same kernel system, multi-user presence is a risk, because each user may have their own private files, so this time you need to set the permissions of the file a series of access rights settings policy, to ensure that the user ordered the kernel call. For example, at the same time, some brothers in the use of FTP upload files, some brothers browsing the web, some brothers need to maintain the forum, some brothers need to maintain the Linux system, they use the account may be different ordinary account or Super Boss-root, Different users or collections of users (user groups) have different permissions to accomplish different tasks.

Therefore, we need to understand the user and user groups, first of all users and user groups to differentiate.

I. Differentiation of user roles

The user in the system is through the UID, this is the user identification, so divided into the following types:

1. Administrator (Root): The system is unique, with the highest privileges;

2. General Account

• System users:

  • In order to enable the background process or the service class process to run as a non-administrator, it is often necessary to create a number of ordinary users, such users do not have to login system, it is said that system users do not have a home directory

• Login User

  
  

Two. Distinction of user Group roles

The user group also has its own identity, the GID. The categories are as follows:

1. Administrators group (Root)

2. General user groups

• System User Group

• Login User Group

  
  

In addition, according to the group category, can also be divided into:

Private group: (There is only one user in the group, the group name is the same as the user name) a department has only one person; a common group (with multiple users in a common group) is similar to having more than one employee in a department.

Three. The corresponding relationship between user and user group is: one-to-many, one or one-to-many or many-to-many;

1. Single: A user can be the only member of a group;

2. Many-to-one: multiple users can be members of a unique group, not belonging to other user groups, such as Fedora and Gentoo two users only belong to the Beinan user group;

3. One-to-many: a user can be a member of more than one user group, for example, Fedora can be a member of the Gentoo group, or it can be a member of the Fedora User group or a CentOS user team;

4. Many-to-many: multiple users correspond to multiple user groups, and several users can belong to the same group; in fact, many-to-many relationships are the extensions of the previous three.

   
   

Four. Profiles related to users and user groups

1. User profile: The user's repository exists:/etc/passwd

2. Format: Name:password:UID:GID:GECOS:directory:shell, meaning:

• Name: User name;

• Password: Can be an encrypted password, but also a placeholder

• UID: User's identity;

• GID: The ID number of the primary group to which the user belongs;

• GECOS: User's comment information;

• Directory: The user's home directory;

• Shell: Default shell for user, default shell program when logging in

User password file, saved in/etc/shadow

• Format: User name: encrypted password: The last time the password was changed: The shortest period of use, the maximum period of use;

User group profile, user group information persists:/etc/group format: group_name:password:GID:user_list, meaning

• Group_name: Group Name

• Group_name: Group Password

• GID: Group ID

• User_list: A user member of the group, and a list of users with this group as additional groups.

User group password file, saved in/etc/gshadow

Five. Creation, modification and deletion of user and user groups:

With that in view, how do you create a delete user (user group) and change the user's properties? The following commands can be implemented:

1. Create User: Useradd [options] Login with the following options:

-u--uid uid: Specify UID number;

• -g--gid Group: Specifies the base group ID, which is to be implemented;

• -c--comment Comment: indicates annotation information;

• -g--groups GROUP1: Indicates the additional group to which the user belongs, separated by commas

• -D Specify home directory: Create a home directory with the specified path for the user: Copy the/etc/skel secondary directory and rename the implementation: Specifies the home directory path and does not copy the Environment profile for the user if it exists beforehand;

• -S--shell Shell: Specifies the user's default shell, all available shell lists are stored in/etc/shells;

• -R--system: Creating system users

• -D: Displays the default configuration for creating users:

  • Useradd-d options: Modify the value of the default option

Note: Creating a user is a lot of the default settings files are:/etc/login.defs

2. After creating a good user, modify the user's properties: usermod [Options] Login, Options:

• -U--uid UID: Modifies the user's ID to the new UID specified at this point;

• -G--gid Group: Modifies the basic group to which the user belongs;

• -G--groups GROUP1: Modifies the additional group to which the user belongs: The original additional group will be overwritten;

• -a--append: used in conjunction with-G to append new user groups to the user;

• -C--comment Comment: Specify the annotation information;

• -D--home Home_dir: Modify the user's home directory, the user's original files will not be transferred to the new location;

• -M,--move-home: can only be used with the-D option to move the original home directory to the new home directory;

• -L--login new_name: Modify user name;

• -s,--shell Shell: Modifies the user's default shell;

• -L--lock: Locks the user password, that is, before the user's original password string to add a "! ”；

• -U--unlock: Unlocks the user's password.

3. If we want to delete a user, you can use the Userdel [options] Login name, options:

• -R Delete a user's home directory while deleting it

4. For users, create user groups, Groupadd [options] group_name, Options:

• -G GID: Manually specify GID, default is the gid+1 of the previous group;

• -r: Create a System group:
  

5. Delete user group, Groupdel: Delete group.

Six. Special configuration Files

1./etc/skel Directory

• /etc/skel directory is usually a directory of user startup files, this directory is controlled by root permissions, when we add users, the files in this directory are automatically copied to the newly added user's home directory, the files under the/etc/skel directory are hidden files, It is similar to the. file format; We can provide users with a unified, standard, Default user environment by modifying, adding, and deleting files in the/etc/skel directory;

• /etc/skel directory of files, generally we use the Useradd command to add Users (user), the system is automatically copied to the new Add users (user) in the home directory, if we modify the/etc/passwd to add users, we can create the user's home directory ourselves, Then copy the files under the/etc/skel to the user's home directory, and then use Chown to change the owner of the new user's home directory;

2./etc/login.defs configuration file

• /etc/login.defs files are some planning when creating a user, such as when creating a user, whether the home directory, the UID and GID ranges are required, the user's duration, and so on, which can be defined by root and configured as follows:

  • Pass_max_days 99999 Note: The user's password is the maximum number of days;

  • Pass_min_days 0 Note: Minimum number of days between password modifications;

  • Pass_min_len 5 Note: Minimum password length;

  • Uid_min 1000 Note: The minimum UID is 1000, that is, when adding a normal user, the UID is starting from 1000;

  • Uid_max 60000 Note: The maximum UID is 60000;

  • Sis_min 201 System User Minimum UID

  • Sis_max 999 System User Maximum UID

  • Gid_min 1000 Note: GID is starting from 1000;

  • Gid_max 60000

  • Create_home Yes Note: Create a user's home directory, the request is created;

3./etc/default/useradd file;

• Rule files when users are added via Useradd

  • group=100

  • Home=/home Note: The user's home directory is built in/house;

  • Inactive=-1 Note: Whether to enable account expiration, 1 means not enabled;

  • Expire= Note: Account termination date, do not set the indication is not enabled;

  • Shell=/bin/bash Note: The type of shell is used by default;

  • Skel=/etc/skel Note: By default, add the user's directory default file location, that is, when we add users with AddUser, the files in the user's home directory are copied from this directory in the past;

Seven. Understanding and modification of authority

1. Understanding of permissions:

• Linux philosophy is all documents, and files, we can be seen as the Linux kernel management of various resources, then the authority is the user to call the kernel resources of the power level. So when we open a process, it is the user in the exercise of their own rights to invoke the power of the resource, at this time, this power to be in some kind of allowed rules to invoke, uncontrolled and disorderly call is allowed, then this rule is what, that is, the following rules:

1) The owner of the process is the same as the owner of the file, if the same, the application is the master permission, the owner of the process is the same as the owner of the file, if the same, the application is the master permission;

2) If the master of the process is not the same as the owner of the document, then it is divided into two branches:

2.1) Continue to check whether the owner of the process is a file belonging to the group of files, if it belongs to, then the application file is a group of permissions;

2.2) If the owner of the file does not belong to a group of files, then only the other permission is applied.

2. Use authentication: In the current user environment, a process is run with the permissions of the owner and the group to which the process belongs;

For example:

2.1

[Email protected] ~]$ ls-l.

Total dosage 0

-rw-rw-r--. 1 gentoo gentoo 0 December 03:12 A

-rw-rw-r--. 1 gentoo gentoo 0 December 03:12 b

-rw-rw-r--. 1 gentoo gentoo 0 December 03:12 C

I now look at the properties of all the files in the current directory, then running Ls-l is running a process, at this time, who is the user of this process, look at:

[Email protected] ~]$ WhoAmI

Gentoo

At this time is Gentoo users, then run the ls-l process is the Gentoo launch run, so at this time the owner of the process, process owners are gentoo, and then compared to the directory of a file of the master, also Gentoo, then this will be the main Gentoo access to use, Gentoo's master permission is rw-, so we can read and write at this time;

Validation is readable:

[email protected] ~]$ Cat A

Teat

We can see the contents of a file;

Verify writable:

[Email protected] ~]$ echo "Test1" >>a

[email protected] ~]$ Cat A

Teat

Test1

Similarly, we can also add content to the file.

2.2 The validation process belongs to the owner if it is not the same as the owner of the file.

• If the user switches to non-gentoo users, that is, the non-file owner, how to do?

2.2.1

[Email protected] gentoo]$ WhoAmI

Fedora

At this point the process user is Fedora, and then the user group information:

[Email protected] gentoo]$ Cat/etc/group |grep Fedora

Mageedu:x:1000:mageedu,gentoo,fedora

FEDORA:X:1003:

We can tell that Fedora belongs to user group with user group ID 1003 fedora;

Then view the file permissions under the directory:

[Email protected] gentoo]$ ls-l

Total Dosage 8

-rw-rw-r--. 1 Gentoo gentoo 11 December 04:01 A

-rw-rw-r--. 1 Gentoo Fedora 6 December 04:00 b

-rw-rw-r--. 1 gentoo gentoo 0 December 03:12 C

At this point, we can see that the user group Fedora has the rw-permission to the B file, can read writable full Write permission, that is, the user who opened the process fedora belongs to the user group and the user group of file B is consistent, this means that Fedora has the user Group B files belong to the rights-readable writable, Test it;

[email protected] gentoo]$ Cat B

Teat3

Can read the contents of the B file;

[Email protected] gentoo]$ echo "Test3" >>b

[email protected] gentoo]$ Cat B

Teat3

Test3

You can append to the B file that Fedora has write access to file B. This verification 2.1) principle, that is, continue to check whether the owner of the process is a file belonging to the group of files, if it belongs to, then the application of the file group permissions;

2.2.2 Verification 2.3) principle

• below we see that the Group D file is Roo, and the root user group does not contain Fedora

[Email protected] gentoo]$ ls-l

Total Dosage 12

-rw-rw-r--. 1 Gentoo gentoo 11 December 04:01 A

-rw-rw-r--. 1 Gentoo Fedora 12 December 04:13 b

-rw-rw-r--. 1 gentoo gentoo 0 December 03:12 C

-rw-r-----. 1 root root 5 December 04:39 D

[Email protected] gentoo]$ Cat/etc/group |grep Root

root:x:0:

At this point the attempt to read the D file, because Fedora belongs to the group Fedora Gentoo is not corresponding to the group D belongs to, so only to the other group, at this time other

Group does not have any permissions;

[email protected] gentoo]$ Cat D

CAT:D: Insufficient Authority

[[email protected] gentoo]$ echo "Cdef" >>d

-BASH:D: Insufficient Authority

2.3) principle, that is, if the owner of a file does not belong to a group of files, then only other permissions can be applied.

3. Modification of permissions:

• In the Linux kernel, the basic is to follow this policy to set the user and user groups on the file permissions, which allows each user under a system, a eaves in order to manage their own files, have an orderly sky. So what if we need to change the permissions of a user or user group on a directory or a file? This requires the rights Management tool to implement the Usermod command.

• To define the modification situation:

  • U: Owner of the user

  • G: User's genus Group

  • O: Other conditions

  • A: All

• Modification Method:

  • Empowering notation: All permissions for the direct operation of a class of users are rwx, as shown in the following example:

    • [[email protected] ~]# ll

      Total usage 8

      -rw-------. 1 root root 1998 December  7 05:57 anaconda-ks.cfg

      -RW -r--r--. 1 root root  595 December 03:31 fstab

      [[email protected] ~]# chmod g=rw fstab

      [[email protected] ~]# ll

      Total usage 8

      -rw-------. 1 root root 1998 December  7 05:57 anaconda-ks.cfg

      -rw-rw-r--. 1 root root &nb sp;595 December 03:31 fstab

      Enables the group of fstab files to have writable permissions to manipulate the genus of the files directly.

      
      

    • [[email protected] ~]# chmod ug=r fstab 

      [[email protected] ~]# ll

      Total usage 8

      -rw-------. 1 root root 1998 December  7 05:57 anaconda-ks.cfg

      -r--r--r--. 1 root root  595 December 03:31 fstab

      The owner of a file that modifies Fstab has only Read permissions.

      
      

  • Authorization notation: direct operation of a permission bit for a class of users, R,w,x

    • [[ Email protected] ~]# chmod ug=rw fstab 

      [[email protected] ~]# ll

      Total usage 8

      -RW-------. 1 Root root 1998 December  7 05:57 anaconda-ks.cfg

      -rw-rw-r--. 1 root root  595 December 03:31 fstab

      [[email& Nbsp;protected] ~]# chmod g-w fstab

      [[email protected] ~]# ll

      Total usage 8

      -rw-------. 1 root root 1998 12 Month  7 05:57 anaconda-ks.cfg

      -rw-r--r--. 1 root root  595 December 03:31 fstab

    • Remove user group Write permissions directly.

      [[email protected] ~]# chmod o-r fstab 

      [[email protected] ~]# ll

      Total usage 8

      - RW-------. 1 root root 1998 December  7 05:57 anaconda-ks.cfg

      -rw-r-----. 1 root root  595 December 03:31 fstab

      Remove other users The Read permission.

      
      

  • Direct number 8 binary

    • [[email protected ] ~]# chmod 664 fstab 

      [[email protected] ~]# ll

      Total usage 8

      -rw-------. 1 root root 1998 December   7 05:57 anaconda-ks.cfg

      -rw-rw-r--. 1 root root  595 December 03:31 fstab

    • Make the owning group of the Fstab file have writable and readable permissions , others have only Read permissions

      
      

  • Referential modifications

    • [email protected] ~]# LL

      Total Dosage 8

      -RW-------. 1 root root 1998 December 7 05:57 anaconda-ks.cfg

      -rw-rw-r--. 1 root root 595 December 03:31 fstab

      -rw-r--r--. 1 root root 0 December 04:58 test

      [Email protected] ~]# chmod--reference=./fstab test

      [email protected] ~]# LL

      Total Dosage 8

      -RW-------. 1 root root 1998 December 7 05:57 anaconda-ks.cfg

      -rw-rw-r--. 1 root root 595 December 03:31 fstab

      -rw-rw-r--. 1 root root 0 December 04:58 test

      Enables test to have the same genus group and other permissions as Fstab.

      
      

  • You can use the-r recursive parameter if we want to have the same permissions for a file in which the directory is extremely subdirectory, but it is generally used when authorizing and empowering notation, and 8 is not recommended in order to prevent the file from having executable permissions.

4. Amendments to the documents and directories belonging to the principal and the genus:

• Implementation mode: Chown [OPTION] ... [OWNER] [: [GROUP]] FILE

  • [Email protected] ~]# chown Gentoo:fedora test

    [email protected] ~]# LL

    Total Dosage 8

    -RW-------. 1 root root 1998 December 7 05:57 anaconda-ks.cfg

    -rw-rw-r--. 1 root root 595 December 03:31 fstab

    -rw-rw-r--. 1 gentoo Fedora 0 December 04:58 test

    Drwxr-xr-x. 2 root root 30 December 05:01 test1

    You can see that the owner of Test becomes Gentoo and the group becomes Fedora. Of course, we can add the-r parameter to make its subdirectories also have the same genus belonging to the main group.

5. Modify the default creation permissions;

• We know the definition of permissions and how to modify permissions, we will think of a problem, when we create a new file, what is his default permissions? Then he had something to do with umask.

• Umask: The current user permissions default value when creating new directories and files. We call this a reverse mask of permissions.

  • View current umask values

    • [Email protected] ~]# umask

      0022

  • Modify Umask Value: Umask number

    • [Email protected] ~]# Umask 23

      [Email protected] ~]# umask

      0023

  • Note: Modifying umask in this way is only valid for the current shell process.

• How to use:

  • Catalog: 777-umask

  • Files: 666-umask

    • The file is reduced by 666, which means that the file cannot have execute permissions by default: If there are execution permissions in the resulting result, it needs to be added 1.

Summary: User groups and permissions can allow different users and groups of users to have different permissions in the same working scenario to use kernel resources in an orderly manner. This is very important for us to standardize the security and robustness of the system and to meet the different needs of different users.

This article is from the "10917621" blog, please be sure to keep this source http://10927621.blog.51cto.com/10917621/1722332

Linux User and Rights management