Contents:
I. Users: configuration files and commands (groupadd, groupmod, groupdel, useradd, usermod, userdel, passwd, gpasswd, newgrp)
II. Permissions: commands (chmod, chown, chgrp, umask); extras (id, su)
III. Miscellaneous
Notes
"User and permission management" means roughly what the words say. Anyone who works with computers deals with it every day, and I doubt anyone wants to administer a host without understanding it.
A user is simply a name the system uses to identify an identity, and an identity is what carries permissions. The same goes for a group, except that a group is a container that grants its users some additional permissions.
On a Linux host there are two categories of users: the administrator (root) and ordinary users. Ordinary users are further divided into system users and login users.
System users are generally used by service programs and cannot log in to the system. Running each program under its own user keeps the permissions of different services to the minimum they need, so a compromised program cannot be turned against the rest of the host.
Login users are the accounts we use ourselves.
Groups are likewise divided into system groups and ordinary groups. There is no functional difference between them; only the range of GID numbers assigned to each in the default configuration file (/etc/login.defs) differs.
From a user's point of view, groups are divided into the basic (primary) group and additional (supplementary) groups. The only difference I know of is that when a file is created, its group is set to the creator's basic group. For permission checks they are the same: a user who joins a group gets that group's permissions.
Before going through the various administrative commands, let's see how permissions are enforced. On Linux everything is a file, so file permissions matter a great deal: whether a process's operation on a file succeeds depends on the following (readers who have not yet dealt with users can skim this and come back later):
Process security context:
1. If the owner of the process is the same as the owner of the file, the owner's permission bits apply;
2. Otherwise, check whether the owner of the process belongs to the file's group; if so, the group permission bits apply;
3. Otherwise, only the "other" permission bits apply.
What follows is my own understanding; if there are errors, I ask friends or teachers to point them out, and thank you in advance.
1. A running process also has an owner and a group (the user who started it and that user's basic group; a file it creates gets that owner and group). You can see a process's owner and group with ps ax -o pid,user,group,command.
2. The owner and group of a process are determined by whoever started it. For example, when user sst views a file with cat, the owner of the cat process is sst and its group is sst's basic group. The permission check on the file is then done against that process identity, not against whoever created the file.
3. The permissions a process has on a file depend on its effective owner and all of the groups it belongs to.
4. When the process accesses the file, the file system compares the two sides: first, whether the owner of the process is the same as the owner of the file;
if so, the owner permissions apply; otherwise, it checks whether the owner of the process belongs to the file's group; if so, the group permissions apply; otherwise, only the "other" permissions apply. (Here I made an outrageous mistake: in the group part I understood it as "the owner of the process is the file's group", and "belongs to" is a really different thing.)
To keep myself from making this mistake again:
star is the owner of the initiating process, abcd is the group of the file abc123, and star belongs to the abcd group, so the group permissions are the ones that apply.
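To make the three-step check concrete, here is an added example (not part of the original post) that resolves a login name to its uid, basic group and additional groups from /etc/passwd- and /etc/group-style lines, then applies the owner, then group, then other rule. The lines, the UID/GID numbers, and the ownership and mode of the file abc123 are constructed for the example (the names sst, star, rt, abcd and test come from this page); the root special case and the "exactly one class is consulted" behaviour are how the Linux discretionary check behaves.

```python
"""Model of the owner/group/other check above (added example, not from the original post).
The /etc/passwd and /etc/group lines below are constructed for this example."""
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sst:x:4004:4004::/home/sst:/bin/bash
star:x:4005:4005::/home/star:/bin/bash
rt:x:4006:4006::/home/rt:/bin/bash
"""

GROUP = """\
root:x:0:
sst:x:4004:
star:x:4005:
rt:x:4006:
abcd:x:5003:star
test:x:5004:sst
"""


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int             # basic (primary) group
    groups: frozenset    # every GID the process carries, basic group included


def identity(login, passwd=PASSWD, group=GROUP):
    """Resolve a login name the way login(1) does: uid and gid from passwd,
    additional groups from the member lists in group."""
    for line in passwd.splitlines():
        name, _pw, uid, gid, *_rest = line.split(":")
        if name == login:
            uid, gid = int(uid), int(gid)
            break
    else:
        raise KeyError(login)
    gids = {gid}
    for line in group.splitlines():
        _gname, _pw, ggid, members = line.split(":")
        if login in members.split(","):
            gids.add(int(ggid))
    return Identity(uid, gid, frozenset(gids))


@dataclass(frozen=True)
class FileInfo:
    uid: int
    gid: int
    mode: int            # the nine permission bits, e.g. 0o640


PERM_BIT = {"r": 4, "w": 2, "x": 1}


def check_access(proc, f, want):
    """Return True if process identity `proc` gets every permission in `want`
    (a subset of "rwx") on file `f`, following the owner -> group -> other order.
    Exactly one class is consulted: an owner whose file is 0o077 is still denied,
    even though the group and others would be allowed."""
    if proc.uid == 0:
        # root bypasses the r/w check (CAP_DAC_OVERRIDE); execute still needs some x bit set
        return "x" not in want or bool(f.mode & 0o111)
    if proc.uid == f.uid:
        shift = 6
    elif f.gid in proc.groups:
        shift = 3
    else:
        shift = 0
    bits = (f.mode >> shift) & 0o7
    need = sum(PERM_BIT[c] for c in want)
    return bits & need == need


if __name__ == "__main__":
    abc123 = FileInfo(uid=4004, gid=5003, mode=0o640)   # assumed: owned by sst, group abcd
    for login in ("sst", "star", "rt", "root"):
        who = identity(login)
        print(login, "r" if check_access(who, abc123, "r") else "-",
              "w" if check_access(who, abc123, "w") else "-")
```

Note that the check is done against the process's effective uid and group list, which is why a set-uid program or a newgrp shell can see a different answer than the user's own login shell. The real kernel also consults POSIX ACLs and SELinux, which this page leaves for later.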
I. Users:
Configuration files:
/etc/passwd           user information
/etc/shadow           user security information, including password hashes and aging data
/etc/group            group information
/etc/gshadow          group security information, including group passwords and administrators
/etc/login.defs       defaults used when creating a user: UID/GID ranges, password aging parameters, and so on
/etc/default/useradd  defaults for the useradd command: home directory base, shell, mail spool, skeleton directory (see below); useradd -D writes its changes to this file
/etc/skel/            files copied into a newly created user's home directory by default
/etc/shells           list of valid login shells on this system
Briefly, the format of several of these files:
1. /etc/passwd
sst:x:4004:4004::/home/sst:/bin/bash
username:password placeholder:UID:GID:comment (GECOS):home directory:login shell
2. /etc/shadow
abc:!!:16778:0:99999:7:::
username:encrypted password:last change:minimum age:maximum age:warning period:inactivity period:expiration date:reserved field
1. Password field. If it begins with "!" the password is locked; "!!" alone means no password has been set yet (as for a freshly created user), and "*" means the account has no valid password (service accounts). A hashed password consists of three parts separated by $:
The first part is the id of the hash algorithm: $1$ is MD5, $2a$/$2b$/$2y$ is bcrypt, $5$ is SHA-256, $6$ is SHA-512 (newer systems may also show $y$ for yescrypt). CentOS 5 defaults to MD5; CentOS 6 and 7 default to SHA-512. MD5 and the old 13-character DES form (no $ prefix) are weak and should be re-hashed by forcing a password change.
The second part is the salt: random data added so that two users with the same password do not get the same hash string, so one user cannot recognise their own string in another user's entry and learn that user's password (and so precomputed tables are useless).
The third part is the hash of the password combined with the salt.
2. Last change: the number of days from 1 January 1970 to the day the password was last changed. 0 means the user must change the password at the next login; typically a newly created user is forced to change it after the first successful login.
3. Minimum age: the minimum number of days between two password changes, which keeps a user from cycling through the password history and reusing the original password. 0 means no limit.
4. Maximum age: the maximum number of days between two password changes; after that the password expires. 99999 effectively means never.
5. Warning period: how many days before expiry the user is warned to change the password.
6. Inactivity period (grace period): how many days after the password expires the user may still log in, but only to change the password; after that the account is disabled.
7. Expiration date: the day (counted from 1 January 1970) on which the account itself expires, regardless of the password. Mainly used for temporary users: if a temporary user may use the system for at most one month, set the expiration date and the account is disabled automatically.
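The aging fields are easiest to understand by computing with them. The following added example (not from the original post) parses shadow-format lines, names the hash scheme from the $id$ prefix, and reports for a given day what login(1) would do: force a change, warn, refuse because the inactivity period has passed, or refuse because the account expired. The sst entry is the one shown later on this page; the other entries and their hash strings are constructed placeholders, and `today` is passed in as days since 1970-01-01, the unit the file itself uses.

```python
"""Parser and aging audit for /etc/shadow entries (added example, not from the original post).
The sample entries are constructed; hash strings are placeholders in the $id$salt$hash shape."""
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) scheme identifiers found between the first two '$'
HASH_IDS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256", "6": "sha512", "7": "scrypt", "y": "yescrypt"}

SAMPLE_SHADOW = """\
sst:$6$winnkgmb$uwopj5oenrzk.quibmvpig1b4wc9ebfcy8tswk1t0bjsmnnwxupfwu1w7/ptvlmm46olam9sq9mm545l2/xal/:0:0:10:4:3::
rt:!!:16781:0:99999:7:3::
abc:!$1$abcdefgh$0123456789abcdefghijkl:16700:0:30:7:::
svc:*:16778:0:99999:7:::
guest::16778:0:99999:7::16800:
old:$6$saltsalt$placeholderhash:16700:0:30:7:3::
"""


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]   # days since 1970-01-01; 0 = must change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]    # account expiry, days since 1970-01-01


def _int(field: str) -> Optional[int]:
    return int(field) if field != "" else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], *(_int(x) for x in f[2:8])))
    return entries


def hash_algorithm(h: str) -> Optional[str]:
    """Name the crypt scheme of a password field; a leading '!' (lock marker) is ignored."""
    h = h.lstrip("!")
    if h in ("", "*"):
        return None
    if h.startswith("$"):
        return HASH_IDS.get(h.split("$")[1], "unknown")
    return "des"   # 13-character traditional crypt has no $id$ prefix


def audit(e: ShadowEntry, today: int) -> List[str]:
    """Findings for one entry on day `today` (days since 1970-01-01)."""
    findings = []
    if e.hash == "":
        findings.append("EMPTY password: login without a password may be possible")
    elif e.hash.lstrip("!") == "":
        findings.append("no password set (new account, cannot log in with a password)")
    elif e.hash.startswith("!"):
        findings.append("locked (passwd -l / usermod -L)")
    elif e.hash == "*":
        findings.append("no valid password (service account)")
    algo = hash_algorithm(e.hash)
    if algo in ("md5", "des"):
        findings.append(f"weak hash ({algo}); force a password change to re-hash")
    if e.lastchg == 0:
        findings.append("must change password at next login")
    elif e.lastchg is not None and e.max_days not in (None, 99999):
        expires = e.lastchg + e.max_days
        left = expires - today
        if left < 0:
            if e.inactive is not None and today > expires + e.inactive:
                findings.append("password expired and inactivity period passed: account disabled")
            else:
                findings.append("password expired: must change at next login")
        elif e.warn is not None and left <= e.warn:
            findings.append(f"password expires in {left} days (warning period)")
    if e.expire is not None and today >= e.expire:
        findings.append("account expiry date reached")
    return findings


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(entry.name, hash_algorithm(entry.hash), audit(entry, 16790))
```

Reading the real file needs root (it is mode 000 or 640 root:shadow); on a live system the same functions can be fed `open("/etc/shadow").read()` and `int(time.time() // 86400)`.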
3. /etc/group
sst:x:4004:
group name:password placeholder:GID:list of additional members
The member list holds the users that have this group as an additional group; users whose basic group this is are not listed here.
4. /etc/gshadow
sst:!::
group name:encrypted group password:group administrators:list of additional members
5. /etc/default/useradd
# useradd defaults file
GROUP=100              # basic group for new users when they do not get a private group of their own (GID 100 is "users")
HOME=/home             # base directory under which home directories are created
INACTIVE=3             # inactivity period: the user may still log in for 3 days after the password expires, but only to change the password
EXPIRE=                # default account expiration date; useradd -D -e changes it
SHELL=/bin/bash        # default login shell
SKEL=/etc/skel         # a new user's home directory is populated from this directory (environment files)
CREATE_MAIL_SPOOL=yes  # whether a mail spool file is created for new users
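The three files above are also what an auditor reads first. The following added example (not from the original post) runs the usual consistency checks over constructed /etc/passwd, /etc/group and /etc/shells contents: accounts other than root with UID 0, duplicate UIDs, system accounts with an interactive shell, login shells missing from /etc/shells, and a basic GID that no group defines. UID_MIN is assumed to be 1000 as in a typical /etc/login.defs; the accounts toor, mysql and ghost are invented to trigger the findings.

```python
"""Consistency checks over /etc/passwd, /etc/group and /etc/shells (added example, not from the original post).
All three inputs are constructed; UID_MIN is assumed to be 1000 as in a typical /etc/login.defs."""

UID_MIN = 1000  # assumed login.defs value: lower UIDs are system accounts
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
apache:x:80:80:This is a system user:/home/apache:/sbin/nologin
mysql:x:27:27::/var/lib/mysql:/bin/bash
sst:x:4004:4004::/home/sst:/bin/bash
rt:x:4006:4006::/home/rt:/bin/bash
ghost:x:4004:4009::/home/ghost:/bin/zsh
"""

GROUP = """\
root:x:0:
mysql:x:27:
apache:x:80:
sst:x:4004:
rt:x:4006:
"""

SHELLS = """\
/bin/sh
/bin/bash
/sbin/nologin
"""


def parse_passwd(text):
    """Return one dict per line, keyed by the seven passwd fields."""
    keys = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
    rows = []
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            if len(f) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            rows.append(dict(zip(keys, f)))
    return rows


def audit_accounts(passwd=PASSWD, group=GROUP, shells=SHELLS, uid_min=UID_MIN):
    """Return a list of human-readable findings, one per problem, in passwd order."""
    users = parse_passwd(passwd)
    known_gids = {int(line.split(":")[2]) for line in group.splitlines() if line.strip()}
    valid_shells = set(shells.split())
    seen = {}          # uid -> first login name that carries it
    findings = []
    for u in users:
        uid, gid = int(u["uid"]), int(u["gid"])
        if uid == 0 and u["name"] != "root":
            findings.append(f"{u['name']}: UID 0 account other than root")
        if uid in seen:
            findings.append(f"{u['name']}: duplicate UID {uid} (shared with {seen[uid]})")
        seen.setdefault(uid, u["name"])
        if 0 < uid < uid_min and u["shell"] not in NOLOGIN:
            findings.append(f"{u['name']}: system account with login shell {u['shell']}")
        if u["shell"] not in valid_shells:
            findings.append(f"{u['name']}: shell {u['shell']} not listed in /etc/shells")
        if gid not in known_gids:
            findings.append(f"{u['name']}: basic GID {gid} has no entry in /etc/group")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts():
        print(finding)
```

On a real host the same checks can be run with the files read from disk; the duplicate-UID case matters because two names with one UID are the same identity to the kernel, so the second account inherits every file and process of the first.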
User-related commands:
There are quite a few options, but many are shared across commands, so just follow along.
1. groupadd: create a group
groupadd [options] GROUP
Common options:
-g GID: specify the GID; by default the next free GID in the range from /etc/login.defs is used (one above the highest existing group).
-r: create a system group (GID taken from the system range).
Example: create a system group mariadb with GID 306.
# groupadd -r -g 306 mariadb
# tail -1 /etc/group
mariadb:x:306:
2. groupmod: modify group properties
groupmod [options] GROUP
Common options:
-g GID: change the GID; files owned by the old GID are not updated and must be fixed by hand (find / -gid OLD_GID);
-n NEW_NAME: change the group name;
Example: the system already has a mysql group, so rename the mariadb group above to apache and change its GID to 80.
# groupmod -n apache -g 80 mariadb
3. groupdel: delete a group
groupdel [options] GROUP
Simple enough. Note that a group cannot be deleted while it is still the basic group of some user.
4. useradd: create a user
useradd [options] LOGIN
Common options:
-u, --uid UID: specify the UID;
-g, --gid GROUP: specify the basic group (name or GID); it must exist beforehand;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: the additional groups the user belongs to, separated by commas;
-c, --comment COMMENT: the comment (GECOS) field;
-d, --home HOME_DIR: specify the home directory; it is created by copying /etc/skel under the new name. If the directory already exists, the environment files are not copied into it;
-s, --shell SHELL: the user's login shell; the list of valid shells is kept in /etc/shells;
-r, --system: create a system user (UID from the system range, no home directory by default);
-f, --inactive INACTIVE: the inactivity (grace) period in days;
-e, --expiredate EXPIRE_DATE: the account expiration date (YYYY-MM-DD).
Example: create the user apache with basic group apache, as a system user, with UID 80 and shell /sbin/nologin.
# useradd -g apache -r -s /sbin/nologin -u 80 apache
# id apache
uid=80(apache) gid=80(apache) groups=80(apache)
Note: the defaults used when creating a user come from /etc/login.defs and /etc/default/useradd.
useradd -D: display the default settings for new users;
useradd -D [options]: change the value of a default;
The changes are saved in /etc/default/useradd.
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/csh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
I changed the shell during an earlier experiment; now I want to set it back to /bin/bash and set the inactivity period, currently off (-1), to 3 days.
# useradd -D -s /bin/bash -f 3
# useradd -D
GROUP=100
HOME=/home
INACTIVE=3
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
# useradd rt    # create a user to check the result
# grep "^rt\>" /etc/passwd
rt:x:4006:4006::/home/rt:/bin/bash    # the shell is /bin/bash
# grep "^rt\>" /etc/shadow
rt:!!:16781:0:99999:7:3::    # the inactivity period is 3
5. usermod: modify user properties
usermod [options] LOGIN
Common options:
-u, --uid UID: change the user's UID to the one given;
-g, --gid GROUP: change the user's basic group;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: set the user's additional groups; the existing list is replaced, so this is usually combined with -a;
-a, --append: used with -G, append the new additional groups instead of replacing the list;
-c, --comment COMMENT: change the comment;
-d, --home HOME_DIR: change the home directory; the user's existing files are not moved unless -m is given as well;
-m, --move-home: only with -d, move the contents of the old home directory to the new one;
-l, --login NEW_LOGIN: change the login name;
-s, --shell SHELL: change the login shell;
-L, --lock: lock the user's password, i.e. put a "!" in front of the hash in /etc/shadow;
-U, --unlock: unlock the user's password;
Example: add a comment to the apache user and add the additional group mysql.
# usermod -c "This is a system user" -a -G mysql apache
# id apache
uid=80(apache) gid=80(apache) groups=80(apache),(mysql)    # additional group mysql; apache had no additional groups before, so -a could have been left out here
# grep '^apache\>' /etc/passwd
apache:x:80:80:This is a system user:/home/apache:/sbin/nologin    # the comment field
Note: the UID is normally left alone. If it is changed, only the files under the home directory (and the mail spool) are re-owned; files elsewhere keep the old numeric owner and must be fixed by hand (find / -uid OLD_UID).
Some changes (-u, -l, -d) require that the user is not logged in at the time.
6. userdel: delete a user
userdel [options] LOGIN
Common options:
-r: also delete the user's home directory and mail spool;
Files the user owned elsewhere keep the orphaned numeric UID; find / -nouser lists them, and they should be dealt with before that UID is handed to a new account.
7. passwd: password-related settings
passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]
Usage:
(1) passwd: change your own password;
(2) passwd USERNAME: change the given user's password; only root may do this;
Common options:
-l, -u: lock and unlock the user's password;
-d: delete the user's password string (the account then has no password at all, so avoid this);
-e: expire the user's password, i.e. the user must change it at the next login;
-i DAYS: inactivity period;
-n DAYS: minimum password age;
-x DAYS: maximum password age;
-w DAYS: warning period;
-S: show the password status (locked or not, hash type, aging values) on one line;
--stdin: read the new password from standard input, e.g. echo "password" | passwd --stdin USERNAME. Typically used in scripts (Red Hat-specific). A password typed on the command line ends up in the shell history, so for scripted provisioning prefer chpasswd fed from a file with restrictive permissions.
Everyone knows the everyday use, so let's finish this command with a less common example.
Example: user sst's work is security-sensitive: sst must change the password at the next login, the maximum age is set to 10 days, and warnings start 4 days before expiry.
The original entry:
# grep '^sst\>' /etc/shadow
sst:$6$winnkgmb$uwopj5oenrzk.quibmvpig1b4wc9ebfcy8tswk1t0bjsmnnwxupfwu1w7/ptvlmm46olam9sq9mm545l2/xal/:16781:0:99999:7:3::
Modification (the attributes are set one at a time here):
# passwd -e sst
Expiring password for user sst.
passwd: Success
# passwd -x 10 sst
Adjusting aging data for user sst.
passwd: Success
# passwd -w 4 sst
Adjusting aging data for user sst.
passwd: Success
# grep '^sst\>' /etc/shadow
sst:$6$winnkgmb$uwopj5oenrzk.quibmvpig1b4wc9ebfcy8tswk1t0bjsmnnwxupfwu1w7/ptvlmm46olam9sq9mm545l2/xal/:0:0:10:4:3::
# last change (0) means the user must change the password at the next login; then minimum age (0), maximum age (10), warning (4) and inactivity (3), the last because we changed the default to 3 earlier.
8. gpasswd: group administration (usermod can do most of this, so it is rarely needed)
gpasswd [options] GROUP
gpasswd GROUP: set the group password.
Common options:
-a USERNAME: add a user to the group
-d USERNAME: remove a user from the group; this one is occasionally useful.
-r, --remove-password: remove the group password.
Example: add the user sst to the test group.
# gpasswd -a sst test
Adding user sst to group test
# id sst
uid=4007(sst) gid=4007(sst) groups=4007(sst),5004(test)
To remove:
# gpasswd -d sst test
Removing user sst from group test
# id sst
uid=4007(sst) gid=4007(sst) groups=4007(sst)
9. newgrp: temporarily make the given group the basic group
newgrp [-] [GROUP]
-: behave as if the user logged in again, so the working environment is re-initialised;
This is occasionally useful when you temporarily want a different basic group, for instance so that files you create get that group. It is also where the group password set above comes in.
If the group is already one of the user's additional groups, no password is needed to make it the basic group. If the user has no relationship with the group and wants to use it as basic group, the group's password must be entered; if the group has no password the switch is refused, except for root. (A group password is a shared secret; adding members with gpasswd -a or usermod -aG is the cleaner way to grant access.)
$ id
uid=4007(sst) gid=4007(sst) groups=4007(sst) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ newgrp - test
Password:
$ id
uid=4007(sst) gid=5004(test) groups=4007(sst),5004(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ touch aaa
$ ll aaa
-rw-r--r--. 1 sst test 0 Dec 21:55 aaa
Here a bare id shows the identity of the current shell; id sst would still show sst's basic group as sst, because newgrp starts a new shell rather than changing the account. Leave it with exit.
$ exit
logout
$ touch abcd
$ ll abcd
-rw-rw-r--. 1 sst sst 0 Dec 21:49 abcd
II. Permission management:
Permissions are divided into three parts, for the owner (user), the group and other users (other), and each part has 3 bits: read, write and execute.
In ls -l output, the first column after the file-type character is the permission field; from left to right it holds the 3 bits for the owner, the group and others.
Each position is either the letter of that permission or "-", and never anything else (the special bits, which can appear in the x positions, are left for later).
r: readable
w: writable
x: executable
Effect of each permission on a file:
r: the file's data can be read;
w: the file's data can be modified;
x: the file can be run as a process;
On a directory:
r: the names in the directory can be listed with ls;
w: the list of entries can be modified, i.e. files created, deleted or renamed (this is what lets a user delete a file they cannot write to);
x: the directory can be entered with cd and its entries accessed by name; ls -l needs both r (to list the names) and x (to read each entry's attributes).
Let's look at two files, one with -rw-r--r-- and one with -rwxr-xr-x.
The first file: the owner can read and write, the group can read, others can read. The second file: the owner can read, write and execute, the group can read and execute, others can read and execute.
Because each permission has only two states, present or absent, it can be written as a binary 1 or 0. The permissions above in binary:
First file:  110 100 100
Second file: 111 101 101
Each part is 3 bits and the parts do not overlap, so each part can be written more compactly as a single octal digit.
r is worth 4, w is worth 2 and x is worth 1; anyone who knows binary conversion needs no further explanation. The permissions can therefore also be written as:
First file: 644
Second file: 755
Commands:
1. chmod: change file permissions
chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...
Note: a user can only change the permissions of files they own (root can change any file);
Common options:
-R: recurse into subdirectories and change all files
(1) MODE notation:
In this form each class of accessor is written as a letter: a means all users, u the owner, g the group, o other users. Permissions (r, w, x) are added, removed or set exactly with +, - and =.
For example: chmod g+w,o+w file1 file2 adds write permission for the group and for others on file1 and file2.
Example: the group should be able to read and write, others should have no permissions. Others currently have only r, so that is simply removed.
# chmod g=rw,o-r index.html
# ll
total 0
-rw-rw---- 1 root root 0 Dec 23:58 index.html
If others should be able to read again, use o+r.
(2) Numeric (octal) notation
This is where the octal numbers come in. For example:
chmod 777 FILE: owner, group and others can read, write and execute (world-writable files let any user on the host alter them, so this is almost never what you want),
chmod 755 FILE: the owner can read, write and execute; the group and others can read and execute.
Example:
# chmod 644 index.html
# ll
total 0
-rw-r--r-- 1 root root 0 Dec 23:58 index.html
(3) Copying the permissions of another file
chmod [OPTION]... --reference=RFILE FILE...
This needs little explanation; straight to the example.
# ll
total 0
-rwxr-xr-x 1 root root 0 Dec 00:29 dex.html
-rw-r--r-- 1 root root 0 Dec 23:58 index.html
Example: using index.html as the reference, change the permissions of dex.html.
# chmod --reference=index.html dex.html
# ll
total 0
-rw-r--r-- 1 root root 0 Dec 00:29 dex.html
-rw-r--r-- 1 root root 0 Dec 23:58 index.html
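Symbolic and octal modes are two spellings of the same nine bits, and chmod's u/g/o/a and +/-/= clauses are just mask operations on them. The following added example (not from the original post, and not chmod's own code) implements those clauses so that the index.html example above can be checked numerically: `apply_symbolic("g=rw,o-r", 0o644)` must give 0o660, the -rw-rw---- that ll printed. Only the nine rwx bits are handled; the special bits are left out, as they are on this page.

```python
"""Symbolic and octal chmod modes as bit operations (added example, not from the original post).
Covers only the nine rwx bits; SUID/SGID/sticky are not handled here."""
import re

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def to_rwx(mode):
    """0o644 -> 'rw-r--r--', the form ls -l prints."""
    return "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate("rwxrwxrwx"))


def from_rwx(text):
    """'rwxr-xr-x' -> 0o755; the inverse of to_rwx."""
    if len(text) != 9 or any(c not in ("-", e) for c, e in zip(text, "rwxrwxrwx")):
        raise ValueError(f"not a permission string: {text!r}")
    return sum(1 << (8 - i) for i, c in enumerate(text) if c != "-")


def apply_symbolic(spec, mode):
    """Apply a chmod MODE list such as 'g=rw,o-r' or 'a+x' to `mode`; return the new mode.
    A clause with no class letter is treated as 'a' here (real chmod also consults the umask then)."""
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad mode clause: {clause!r}")
        who, op, perms = m.groups()
        who_mask = 0
        for w in (who or "a"):
            who_mask |= WHO_MASK[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask        # the bits this clause talks about
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                              # '=' sets exactly these bits for the named classes
            mode = (mode & ~who_mask) | bits
    return mode & 0o777


if __name__ == "__main__":
    mode = 0o644
    for spec in ("g=rw,o-r", "o+r", "u=rwx,go=rx"):
        mode = apply_symbolic(spec, mode)
        print(f"{spec:<12} -> {mode:04o} {to_rwx(mode)}")
```

The same bit view explains why chmod -R with an octal mode is dangerous on a tree of mixed files and directories: 644 strips x from every directory and locks them; the symbolic form with a capital X (execute only for directories and already-executable files) avoids that, and is the one thing this toy parser does not implement.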
2. chown: change the owner and group of a file
chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...
Note: only the administrator can change the owner of a file (giving files away would defeat quotas and set-uid controls); the owner can change the group, but only to a group they belong to;
Common options:
-R: recursive
Usage:
e.g. change the owner and group of /home and everything below it to sst:
chown -R sst:sst /home
Change only the owner of a file:
chown star FILE_NAME
Change only the group of a file:
chown :star FILE_NAME
The colon in the middle may also be written as a period (.), though the colon is the documented form.
--reference works the same way as with chmod.
3. chgrp: change the group
chgrp [OPTION]... GROUP FILE...
chgrp [OPTION]... --reference=RFILE FILE...
Common options:
-R: recursive.
# chgrp test index.html
# ll index.html
-rwxr-xr-x 1 root test 117616 Dec 00:43 index.html
4. umask: display and set the file-creation permission mask
umask is the permission mask applied when files are created.
When a file is created, its permissions are the default maximum permissions with every bit that is set in the mask removed (default AND NOT mask).
The default maximum for an ordinary file is 0666, readable and writable: files are never created executable by default. For a directory it is 0777, readable, writable and executable, because a directory cannot be entered without x.
umask: show the current mask
umask MASK: set the mask
For example:
# umask
0022
# umask 007
# umask
0007
The leading 0 is the special-permission digit; ignore it for now.
Note: the setting applies only to the current shell process. To make it permanent, put it in a startup file; /etc/profile (and /etc/bashrc) already contain umask settings.
Let's try the effect of umask.
# umask
0007
# touch a
# ll a
-rw-rw---- 1 root root 0 Dec 01:30 a
"666 minus 007": note that this is not arithmetic subtraction, and a permission cannot go negative. The mask simply means "remove read, write and execute from others". A file created with this mask therefore gets 660: the owner and the group can read and write.
Now let's change the umask.
# umask 035
# umask
0035
Treated as subtraction, 666 - 035 = 631, which would give the group and others execute permission, and the "add 1 back" rule then turns that into 642. The reliable way is to look at it bit by bit: the mask removes --x from the group and r-x from others, leaving rw- r-- -w-, i.e. 642.
# touch b
# ll b
-rw-r---w- 1 root root 0 Dec 01:40 b
(This is a bit odd: others can write but not read. It is only an experiment; do not do this in a real environment.)
In fact the mask just removes particular permissions: the 5 above stands for read and execute, and after removing read and execute only write is left.
If this makes you dizzy, think of it as bits rather than subtraction: every 1 bit in the mask clears that bit in the default mode, and a bit that was never there (execute on a file) cannot appear.
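The "default minus umask" shortcut and the bit-mask rule disagree exactly in cases like 035 above. The following added example (not from the original post) computes both, lists every mask for which the shortcut is wrong, derives the umask needed for a target default mode (027 for 640 files and 750 directories, the usual hardened choice), and then checks the rule against what the kernel actually does by creating a file and a directory under a temporary directory with os.umask. It assumes a Linux or other Unix filesystem with no default ACL on the temporary directory, since a default ACL would override the umask.

```python
"""umask as a bit mask, checked against the kernel (added example, not from the original post).
Creates a file and a directory under a temporary directory to read their modes back."""
import os
import shutil
import stat
import tempfile

FILE_DEFAULT = 0o666   # open(2)/creat(2) default for ordinary files: never executable
DIR_DEFAULT = 0o777    # mkdir(2) default for directories


def mode_after_umask(default, mask):
    """The rule: every 1 bit in the mask clears that bit. AND NOT, not subtraction."""
    return default & ~mask & 0o777


def naive_subtraction(default, mask):
    """The 'default minus umask' shortcut: decimal subtraction of the octal digits, as people do it by hand."""
    return int(oct(default)[2:]) - int(oct(mask)[2:])


def shortcut_fails_for(default=FILE_DEFAULT):
    """All umask values for which the subtraction shortcut differs from the real result."""
    return [m for m in range(0o1000)
            if naive_subtraction(default, m) != int(oct(mode_after_umask(default, m))[2:])]


def umask_for(target, default=FILE_DEFAULT):
    """The mask that yields `target` from `default`, or None if the target needs a bit the default lacks."""
    if target & ~default:
        return None        # e.g. no umask can make open(2) create an executable file
    return default & ~target


def observe(mask):
    """Create a file and a directory under `mask`; return their actual modes as (file, dir)."""
    old = os.umask(mask)
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "f")
        with open(path, "w"):          # Python passes 0o666, like touch(1)
            pass
        sub = os.path.join(tmp, "d")
        os.mkdir(sub)                  # default 0o777, like mkdir(1)
        return (stat.S_IMODE(os.stat(path).st_mode), stat.S_IMODE(os.stat(sub).st_mode))
    finally:
        os.umask(old)
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for mask in (0o022, 0o007, 0o035, 0o027):
        print(f"umask {mask:04o}: rule file={mode_after_umask(FILE_DEFAULT, mask):03o} "
              f"dir={mode_after_umask(DIR_DEFAULT, mask):03o}, observed={tuple(f'{m:03o}' for m in observe(mask))}, "
              f"shortcut says {naive_subtraction(FILE_DEFAULT, mask)}")
    print("masks where the shortcut is wrong:", len(shortcut_fails_for()))
```

Because the mask can only clear bits, a too-permissive umask (such as 000 in a service's environment) is a common source of world-writable files; the fix is in the startup file or systemd unit (UMask=), not in chmod after the fact.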
Additional commands:
id: display the user's real and effective IDs
id [OPTION]... [USER]
-u: print only the effective UID;
-g: print only the effective GID (the basic group);
-G: print the IDs of all groups the user belongs to;
-n: print names instead of numbers (with -u, -g or -G);
su: switch user
Login switch: the target user's configuration files are read and the environment is re-initialised
su - USERNAME
su -l USERNAME
Non-login switch: the target user's configuration files are not read and the current environment is kept
su USERNAME
Note: the administrator can switch to any user without a password; an ordinary user must enter the target user's password;
Common options:
-c 'COMMAND': run only the given command as the target user, then return;
Example: here the "-" is equivalent to sst logging in afresh; with a bare touch file5 the file would be created in sst's home directory, so the full path is given.
# su - sst -c "touch /tmp/file5"
# ll file5
-rw-rw-r-- 1 sst sst 0 Dec 02:02 file5
Some important things are not covered here, such as facl, SELinux, SUID/SGID/sticky bit, chattr and so on.
I will add them when I get the chance.
III. Miscellaneous
1. On a directory, without execute permission you cannot enter it, whatever the other bits say.
2. If you have write permission on the directory but not on a file in it, vim can still force the write (:w!): it deletes the original and creates a new file with the same name, so the file's owner and group become those of the user who wrote it.
If the original file was readable, vim has already read its data into memory, so forcing the write amounts to re-creating the original file from that data.
With echo and redirection this does not work, because redirection opens the existing file for writing, and that is what is refused.
3. With only execute permission on a directory, a file inside it can still be opened by giving its full path directly, even though the directory cannot be listed.
None of this is deep; there are simply many commands. The options covered here are the commonly used ones; for the rest, consult man when needed.
If anything is unclear we can learn together. Where I am wrong, I hope friends will point it out; a little advice is a great help. Thank you.
Copied over from Word, so the layout is a bit rough.
This article is from the "Big Tomato" blog; please keep this source: http://fanqie.blog.51cto.com/9382669/1726567
Linux User Rights Management