Linux users and Groups
Security 3A:
Authentication
Authorization
Accounting (auditing)
User:
User categories: administrator and ordinary users
Ordinary users are divided into system users and login users
User identity: UID
Administrator: 0
Ordinary users: 1-65535
System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login users: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Group categories (1): administrator group and ordinary groups
Administrator group: root, GID 0
Ordinary groups: 1-65535
System groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login user groups: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Group categories (2):
Primary group (also called the basic or initial group):
A user must belong to exactly one primary group
Supplementary (secondary) groups:
A user can belong to zero or more supplementary groups
Group categories (3):
Private group: the group name is the same as the user name and it contains only that one user
Public group: a group that contains multiple users
Security context:
Running a program ==> process
root:/bin/cat
qiuwei:/bin/cat
When two different users run the same program, what the resulting process may access depends on the identity of the user who started it: the process gets exactly the permissions that user has on the resources.
passwd
Use the man command to see the format of /etc/passwd
Name: login user name (qiuwei)
passwd: password field (x)
UID: user identity number (1000)
GID: user's default (primary) group number (1000)
GECOS: user's full name or comment
Directory: user's home directory (/home/qiuwei)
Shell: the shell the user gets by default
Take the user sarah as an example:
Name: login user name (sarah)
passwd: password field (x)
UID: user identity number (1241)
GID: user's default (primary) group number (1241)
GECOS: user's full name or comment (empty, no comment information)
Directory: user's home directory (/home/sarah)
Shell: the user's default shell ==> /sbin/nologin
From the above we can see that the passwd field holds only x: the password is not stored in /etc/passwd but in /etc/shadow, which only the administrator can read. Because it is the password, letting ordinary users read it would be a problem.
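The following script is an added example, not from the original notes: it parses /etc/passwd-style lines with the seven fields described above and classifies each account with the CentOS 7 UID ranges from the start of these notes (0 admin, 1-999 system, 1000-60000 login) and the shell field. The sample entries are constructed to match the examples in the notes; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: parse /etc/passwd-style lines
# and classify each account with the UID ranges and shell rules described above.
# Sample entries are constructed (CentOS 7 boundaries: 0 admin, 1-999 system, 1000-60000 login).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
qiuwei:x:1000:1000:Qiu Wei:/home/qiuwei:/bin/bash
sarah:x:1241:1241::/home/sarah:/sbin/nologin'

# passwd_field LINE N -> the Nth colon-separated field (1=name 2=passwd 3=UID 4=GID 5=GECOS 6=home 7=shell)
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# classify_uid UID -> admin | system | login | other
classify_uid() {
    if [ "$1" -eq 0 ]; then
        echo admin
    elif [ "$1" -ge 1 ] && [ "$1" -le 999 ]; then
        echo system
    elif [ "$1" -ge 1000 ] && [ "$1" -le 60000 ]; then
        echo login
    else
        echo other        # ordinary UID outside both sub-ranges (e.g. nobody = 65534)
    fi
}

# can_login LINE -> yes if the shell field allows an interactive login, no for nologin/false
can_login() {
    case "$(passwd_field "$1" 7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) echo no ;;
        *) echo yes ;;
    esac
}

# report LINE -> one summary line for the account
report() {
    name=$(passwd_field "$1" 1)
    uid=$(passwd_field "$1" 3)
    printf '%s uid=%s class=%s interactive=%s\n' \
        "$name" "$uid" "$(classify_uid "$uid")" "$(can_login "$1")"
}

# Walk the constructed data; on a real host replace the printf with: getent passwd
printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
    report "$line"
done
```

Running the same walk over `getent passwd` on a real host gives a quick inventory of which system accounts still have an interactive shell, which is a common hardening check.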
Shadow file format:
Again take the user sarah as an example:
Login user name: sarah
Encrypted password: $6$wmpzucds$g9lv.f1ktfhuyzyglygpckhr7kvzcxi7q.B8vymzm8osfafkqwmtiyuguftdhutliqdzxiqjzxw5dzww8ckz0. (now generally SHA-512)
Date of last password change, in days since January 1, 1970: 17014
Minimum password age (days): 0
Maximum password age (days): 9999
Warning period before password expiry (days): 7
Inactivity period after password expiry before the account is locked (days): (empty)
Account expiration date, in days since January 1, 1970: (empty)
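The script below is an added example, not part of the original notes. It splits an /etc/shadow entry into its nine fields, reads the hash algorithm and salt from the `$id$salt$` prefix, converts the day counts into dates, and derives a password status from the aging fields. The entry is constructed from the values listed above for sarah; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: split an /etc/shadow entry into its
# nine fields, identify the hash algorithm and salt, and evaluate the aging fields.
# The entry is constructed from the values the notes list for sarah.

SHADOW_LINE='sarah:$6$wmpzucds$g9lv.f1ktfhuyzyglygpckhr7kvzcxi7q.B8vymzm8osfafkqwmtiyuguftdhutliqdzxiqjzxw5dzww8ckz0.:17014:0:9999:7:::'

# shadow_field LINE N -> the Nth field (1=name 2=hash 3=lastchg 4=min 5=max 6=warn 7=inactive 8=expire 9=reserved)
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# hash_algo HASHFIELD -> md5 | sha256 | sha512 | locked | empty | unknown
hash_algo() {
    case "$1" in
        '$1$'*)    echo md5 ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        '!'*|'*'*) echo locked ;;    # "!" or "!!" prefix: password login disabled
        '')        echo empty ;;     # no password at all
        *)         echo unknown ;;
    esac
}

# hash_salt HASHFIELD -> the text between the second and third $
hash_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# days_to_date DAYS -> YYYY-MM-DD for a day count since 1970-01-01, in pure shell
# arithmetic so it behaves the same on GNU and BSD (on GNU, date -u -d @$((DAYS*86400)) +%F)
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# expiry_day LASTCHG MAX -> day on which the password expires, or "never" (max empty or 99999)
expiry_day() {
    if [ -z "$2" ] || [ "$2" -ge 99999 ]; then
        echo never
    else
        echo $(( $1 + $2 ))
    fi
}

# password_status LINE TODAY -> must-change | expired | warn | ok
# (TODAY is a day count, on a live host $(( $(date +%s) / 86400 )))
password_status() {
    last=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    warn=$(shadow_field "$1" 6)
    if [ "$last" = 0 ]; then echo must-change; return; fi    # lastchg 0 forces a change at next login
    exp=$(expiry_day "$last" "$max")
    if [ "$exp" = never ]; then
        echo ok
    elif [ "$2" -ge "$exp" ]; then
        echo expired
    elif [ "$2" -ge $(( exp - ${warn:-0} )) ]; then
        echo warn
    else
        echo ok
    fi
}

# Print the parsed view of the sample entry
hash=$(shadow_field "$SHADOW_LINE" 2)
today=$(( $(date +%s) / 86400 ))
printf 'user=%s algo=%s salt=%s\n' "$(shadow_field "$SHADOW_LINE" 1)" "$(hash_algo "$hash")" "$(hash_salt "$hash")"
printf 'last change=%s expires on day %s, status today: %s\n' \
    "$(days_to_date "$(shadow_field "$SHADOW_LINE" 3)")" \
    "$(expiry_day "$(shadow_field "$SHADOW_LINE" 3)" "$(shadow_field "$SHADOW_LINE" 5)")" \
    "$(password_status "$SHADOW_LINE" "$today")"
```

Day 17014 comes out as 2016-08-01, and with a maximum age of 9999 the password expires on day 27013. The same functions applied to every line of /etc/shadow (readable only by root) list accounts with empty, locked or legacy md5 password fields, which is what pwck does not check for you.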
Password aging: (figure: timeline formed by the aging fields above)
Password encryption:
Encryption mechanisms:
Encryption: plaintext to ciphertext
Decryption: ciphertext to plaintext
One-way encryption: hash algorithms; different input gives different output
The output length is fixed regardless of the input, and the original data cannot be recovered from the hash
Avalanche effect: a small change in the input produces a dramatic change in the result
Symmetric encryption: the same key is used to encrypt and decrypt
Asymmetric encryption: encryption and decryption use a pair of keys
Key pair:
Public key
Private key
Hash algorithms and their digest lengths:
md5: 128 bits
sha1: 160 bits
sha224: 224 bits
sha256: 256 bits
sha384: 384 bits
sha512: 512 bits ==> the one now commonly used
Change the password hashing algorithm: authconfig --passalgo=sha256 --update
Change the algorithm to SHA-256, then change it back to SHA-512 and compare: the SHA-512 hash is far more complex than the SHA-256 one.
The few characters between the second and third $ are the salt, a random value. So even if two users set the same password, their salts differ and the hashes actually stored in /etc/shadow are completely different.
Set the password of users a, b and c all to CentOS; /etc/shadow still shows three completely different hashes.
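The script below is an added example, not from the original notes. It illustrates the two properties the notes rely on, the per-user salt and the avalanche effect, using the plain SHA-512 digest from coreutils (sha512sum) over a constructed "salt$password" input. The real $6$ entries in /etc/shadow come from crypt(3)'s SHA-512 scheme with thousands of rounds, so the digests printed here are not what /etc/shadow would show; the salt handling and the comparison logic are the point. Salts and helper names are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: salting and the avalanche effect shown with
# coreutils sha512sum on a constructed "salt$password" input (not the crypt(3) $6$ scheme).

# salted_hash SALT PASSWORD -> 128 hex chars of SHA-512("salt$password")
salted_hash() {
    printf '%s$%s' "$1" "$2" | sha512sum | cut -d' ' -f1
}

# make_stored SALT PASSWORD -> what a shadow-like store keeps: the salt in the clear plus the hash
make_stored() {
    printf '%s$%s\n' "$1" "$(salted_hash "$1" "$2")"
}

# verify_password STORED PASSWORD -> match | mismatch, recomputing with the salt taken from STORED
verify_password() {
    salt=${1%%\$*}                       # text before the first $
    if [ "$(make_stored "$salt" "$2")" = "$1" ]; then echo match; else echo mismatch; fi
}

# hex_diff_count A B -> how many hex positions differ between two digests of equal length
hex_diff_count() {
    n=0
    i=1
    while [ "$i" -le "${#1}" ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        [ "$a" != "$b" ] && n=$(( n + 1 ))
        i=$(( i + 1 ))
    done
    echo "$n"
}

# Three users all choose CentOS, as in the notes, but get three different (constructed) salts
for entry in a:wmpzucds b:8f2kq1zr c:zz91m0ab; do
    user=${entry%%:*}
    salt=${entry#*:}
    printf '%s: %s\n' "$user" "$(make_stored "$salt" CentOS)"
done

# One character of difference in the password changes most of the digest
printf 'hex positions changed by CentOS -> CentOT: %s of 128\n' \
    "$(hex_diff_count "$(salted_hash wmpzucds CentOS)" "$(salted_hash wmpzucds CentOT)")"
```

Because the salt is stored in the clear next to the hash, verification only needs the candidate password; what the salt defeats is precomputing one table of hashes that would crack every user who chose the same password.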
Password usage policy:
1. Use random passwords
2. Minimum length of at least 8 characters
3. Use at least three of the four classes: uppercase letters, lowercase letters, digits and punctuation
4. Change passwords regularly
Generate a random string:
openssl rand -base64 20
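The script below is an added example, not from the original notes: it checks a candidate password against rules 2 and 3 above and generates one that satisfies them from /dev/urandom, so it works where openssl is not installed (the `openssl rand -base64 20` command from the notes is an equivalent source of randomness). The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: enforce the length and character-class
# rules from the policy above and generate a compliant random password from /dev/urandom.

# password_check PASSWORD -> ok, too-short, or too-few-classes (exit status 1 on failure)
password_check() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then echo too-short; return 1; fi
    classes=0
    case "$pw" in *[[:upper:]]*) classes=$(( classes + 1 )) ;; esac
    case "$pw" in *[[:lower:]]*) classes=$(( classes + 1 )) ;; esac
    case "$pw" in *[[:digit:]]*) classes=$(( classes + 1 )) ;; esac
    case "$pw" in *[[:punct:]]*) classes=$(( classes + 1 )) ;; esac
    if [ "$classes" -lt 3 ]; then echo too-few-classes; return 1; fi
    echo ok
}

# random_password [LENGTH] -> random string (default 16) drawn from letters, digits and
# punctuation, regenerated until password_check accepts it
random_password() {
    len=${1:-16}
    while :; do
        cand=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c "$len")
        if [ "$(password_check "$cand")" = ok ]; then
            echo "$cand"
            return 0
        fi
    done
}

# Constructed candidates, including the CentOS password used throughout the notes
for candidate in CentOS password1 'Passw0rd!' "$(random_password 20)"; do
    printf '%-24s %s\n' "$candidate" "$(password_check "$candidate")"
done
```

Rule 4 (regular replacement) is enforced on the system side rather than here, with the maximum-age field in /etc/shadow (passwd -x or chage -M).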
Group file format (/etc/group):
Group name: name of the group
Group password: usually not set; the password itself is stored in /etc/gshadow
GID: the ID of the group
Member list: users that have this group as a supplementary group (comma-separated)
Group name: admins
Password: x
GID: 503
Users with admins as a supplementary group: natasha,harry
gshadow file format (/etc/gshadow):
Group name: name of the group
Group password: the encrypted group password, usually not set
Group administrators: list of group admins, who can change the group password and its members
Member list: users that have this group as a supplementary group (comma-separated)
Group name: admins
Password: x
Group administrators: (empty)
Users with admins as a supplementary group: natasha,harry
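The script below is an added example, not from the original notes. It resolves group membership from /etc/passwd- and /etc/group-style data the way `id` and `groupmems -l` report it: primary membership comes from the GID field of passwd, supplementary membership from the fourth field of group. The sample data is constructed around the admins example above (GID 503 is from the notes, the other GIDs and the function names are made up).

```shell
#!/bin/sh
# Added example, not from the original notes: resolve who is in a group (primary + supplementary)
# and which groups a user belongs to, from constructed passwd/group data.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
natasha:x:501:501::/home/natasha:/bin/bash
harry:x:502:502::/home/harry:/bin/bash
sarah:x:504:504::/home/sarah:/sbin/nologin'

SAMPLE_GROUP='root:x:0:
natasha:x:501:
harry:x:502:
admins:x:503:natasha,harry
sarah:x:504:'

# group_gid NAME -> GID of the group, empty if it does not exist
group_gid() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# group_members NAME -> sorted, unique, space-separated: users whose primary GID is this group
# plus the users listed in its member field (what groupmems -l -g NAME shows)
group_members() {
    gid=$(group_gid "$1")
    if [ -z "$gid" ]; then echo "no such group: $1" >&2; return 1; fi
    {
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
    echo
}

# user_groups NAME -> the user's primary group followed by every group whose member field
# lists the user (what id -Gn shows)
user_groups() {
    pgid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    if [ -z "$pgid" ]; then echo "no such user: $1" >&2; return 1; fi
    {
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v gid="$pgid" '$3 == gid { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" \
            '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
    } | tr '\n' ' ' | sed 's/ $//'
    echo
}

for g in admins root; do printf 'group %s: %s\n' "$g" "$(group_members "$g")"; done
for u in natasha harry sarah; do printf 'user %s: %s\n' "$u" "$(user_groups "$u")"; done
```

On a real host, feed the two functions from `getent passwd` and `getent group` instead of the embedded samples; reading both sources matters because a user can be a member of a group through the GID field alone without ever appearing in the group's member list.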
vipw: edit the user password file safely
vigr: edit the group file safely
pwck: check the integrity of the user password files
grpck: check the integrity of the group and group password files
User and group management commands
User:
useradd: create a user
-u UID: specify the user's UID
-o: with -u, do not check UID uniqueness (i.e. two users can share the same UID)
-g GID: the user's basic (primary) group, given as a group name or GID
-c COMMENT: the user's comment information
-G GROUP1[,GROUP2,...]: the user's supplementary groups; several can be given, separated by commas
-d DIR: home directory at the specified path (must not already exist)
Note: with -d the parent directory must already exist, while the home directory itself must not
-s SHELL: the user's default shell program, which should be listed in /etc/shells
-N: do not create a private group as the primary group; use the users group instead
-r: create a system user (CentOS 6: UID < 500; CentOS 7: UID < 1000)
Description of the user created:
User name: bietianshen
UID: 5000
Basic group: root
Supplementary groups: bin, qiuwei
Comment: yongrenzirao
Default shell: /bin/csh
Home directory: /qiuwei
Default values: /etc/default/useradd
useradd -D: display or change the default settings
useradd -D -s /bin/csh: newly created users get /bin/csh as their default shell
Practice:
1. Create user gentoo with supplementary groups bin and root, default shell /bin/csh and the comment "Gentoo distribution"
useradd -G bin,root -s /bin/csh -c "Gentoo distribution" gentoo
id gentoo
getent passwd gentoo
2. Create the following users, group and group memberships:
A group named admins
User natasha, with admins as a supplementary group
User harry, also with admins as a supplementary group
User sarah, who cannot log on to the system interactively and is not a member of admins
The passwords of natasha, harry and sarah are all CentOS
Commands:
groupadd admins
useradd -G admins natasha
useradd -G admins harry
useradd -s /sbin/nologin sarah
echo CentOS | passwd --stdin natasha
echo CentOS | passwd --stdin harry
echo CentOS | passwd --stdin sarah
Modifying user properties
usermod:
Options:
-u UID: new UID
-g GID: new basic (primary) group
-G group1[,group2,...]: new supplementary groups; the existing ones are replaced, so to keep them you must also
use the -a option, which means append
-s SHELL: new default shell
-c COMMENT: new comment information
-d DIR: new home directory; it is not created automatically and the files in the old home directory are not moved. To create the new home directory and move the old data, add -m
-l NEWNAME: new login name
-L: lock the user by adding ! in front of the password field in /etc/shadow
-U: unlock the user by removing the ! from the password field in /etc/shadow
-e YYYY-MM-DD: set the account expiration date
-f 10: set the inactivity period to 10 days
Example:
usermod -u 4567 -g root -aG qiuwei -s /bin/bash -l dj gentoo
Changed as follows:
UID: 4567
Basic group: root
Supplementary groups: bin, qiuwei
Default shell: /bin/bash
User name: dj
Delete a user
userdel:
-r: also delete the user's home directory
View a user's ID information: id
Options:
-u: show the UID
-g: show the primary GID
-G: show all GIDs (primary and supplementary)
-n: show names instead of numbers
User dj:
uid: 4567
gid: 0
groups: basic group root (0), supplementary groups bin (1) and qiuwei (500)
su: switching users
su username: switch without a login shell; the target user's profile is not read and the current working directory is not changed
su - username: switch with a login shell; the target user's profile is read and the shell moves to the target user's home directory, a complete switch
Login shell: configuration files and the order they are read:
/etc/profile --> /etc/profile.d/*.sh --> ~/.bash_profile --> ~/.bashrc --> /etc/bashrc
Non-login shell:
~/.bashrc --> /etc/bashrc --> /etc/profile.d/*.sh
Setting passwords
passwd [options] username: change the password of the specified user; only root may do this
passwd: change your own password
Options:
-l: lock the specified user
-u: unlock the specified user
-e: force the user to change the password at the next login
-n mindays: minimum password age
-x maxdays: maximum password age
-w warndays: how many days in advance to start warning
-i inactivedays: inactivity period
--stdin: read the password from standard input
echo "CentOS" | passwd --stdin username
Create a group
groupadd [options]... groupname
-g GID: specify the GID
-r: create a system group
CentOS 6: GID < 500
CentOS 7: GID < 1000
Modify and delete a group
groupmod [options]... group
-n groupname: change the group name
-g GID: change the group ID
groupdel: delete a group
groupdel groupname: delete the specified group
Change the group password:
Group password: gpasswd
gpasswd [options] group
-a user: add the user to the specified group
-d user: remove the user from the specified group
-A user1,user2,...: set the list of users with administrative privileges over the group
newgrp: temporarily switch the basic (primary) group
If the user does not belong to that group, the group password is required
groupmems: list or change group members
groupmems -a user_name | -d user_name | [-g group_name] | -l | -p
List group members: groupmems -l -g qiuwei
Add a group member: groupmems -a root -g qiuwei
Remove a group member: groupmems -d root -g qiuwei