Linux Users and Permissions

Source: Internet
Author: User
Tags: readable, stdin

Concepts related to resources, users, and user groups:

Resources: a computer's computing power, memory space and so on are collectively referred to as the computer's resources.

User: an identity used to decide whether there is permission to use computer resources.

User groups: containers for users, which make it easy to assign permissions to many users at once.


Permissions:

r w x

The permissions of a file are divided into three parts: the owner's permissions, the group's permissions, and the permissions of everyone else (other).

When a user accesses a file, the system first checks whether the user is the owner; if not, it checks whether the user belongs to the file's group; if neither, the permissions for other are applied.


Ordinary files:

r: readable; commands such as cat can be used to view the contents of the file

w: writable; commands can be used to modify the contents of the file, and the file can also be deleted

x: executable; the file can be submitted to the kernel from the command prompt and run as a command


Directories:

r: the files in the directory can be listed

w: files can be created in the directory

x: cd can be used to switch into the directory, and ls -l can be used to view the details of the files inside it


Numeric form of one permission triplet:

0 --- no permissions

1 --x executable

2 -w- writable

3 -wx writable, executable

4 r-- readable

5 r-x readable, executable

6 rw- readable, writable

7 rwx readable, writable, executable


User: UID, /etc/passwd

User group: GID, /etc/group


Shadow passwords:

Users: /etc/shadow

Groups: /etc/gshadow


User Category:

Admin User: 0

Normal Users: 1-65535

System users: 1-499

General Users: 500-63535


User Group Category:

Administrative group: Root

Normal Group:

System Group:

General Group:


Another way of categorizing user groups (this one is more commonly used):

Basic group: the user's default group

Private group: when the system creates a user and no default group is specified, a private group with the same name as the user is created

Additional groups: a user can belong to several groups at the same time; the groups other than the basic group are called additional groups.


Example:

Suppose there is a user tom whose basic group is also tom. When tom uses the ls command to list the /tmp directory, the system's permission comparison proceeds as follows.

First, the system looks at the permission attributes of the ls command: -rwxr-xr-x root root /bin/ls. tom is not root, so he is not the owner. Next it checks whether tom is a member of the group root (note: this is not a comparison of whether tom's group is the same as the root group, but whether the user tom belongs to the root group). He does not, so the permissions for other, r-x, apply: readable and executable, so tom is allowed to run ls. Then, when /tmp is listed, the system does not compare the permissions of /tmp against those of ls; it still compares tom against /tmp. In other words, when tom gains the right to run ls, his privileges do not change just because ls is owned by root. The permissions of /tmp are drwxrwxrwt root root; owner, group and other are checked in turn, the applicable permissions include r, and so the listing is shown:

[email protected] ~]# ls -al /bin/ls

-rwxr-xr-x 1 root root 112664 Oct 2014 /bin/ls

[email protected] ~]# ls /tmp

14AHHS1 534 71233BBC A a B kkll568 sadsa*787sdd

[email protected] ~]# ls -d /tmp

/tmp

[email protected] ~]# ls -dl /tmp

drwxrwxrwt. 3 root root 4096 Dec 14:45 /tmp
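The owner-then-group-then-other comparison described above, written out as an added example (not code from the original article); the file metadata for tom, /bin/ls and /tmp is constructed to match the listing, and the helper names are my own:

```python
from dataclasses import dataclass

# The numeric-to-rwx table from the article (0 = ---, ..., 7 = rwx).
PERM_TABLE = {0: "---", 1: "--x", 2: "-w-", 3: "-wx", 4: "r--", 5: "r-x", 6: "rw-", 7: "rwx"}
PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass
class FileInfo:
    path: str
    owner: str
    group: str
    mode: int  # permission bits, e.g. 0o755; a sticky bit (0o1000) is kept but ignored here


def mode_to_string(mode):
    """Render the three permission triplets of a mode, e.g. 0o755 -> 'rwxr-xr-x'."""
    return "".join(PERM_TABLE[(mode >> shift) & 0o7] for shift in (6, 3, 0))


def permission_class(user, user_groups, f):
    """Pick exactly one triplet: owner first, else group membership, else other."""
    if user == f.owner:
        return "owner"
    if f.group in user_groups:
        return "group"
    return "other"


def has_permission(user, user_groups, f, perm):
    """True if the triplet selected for this user grants perm ('r', 'w' or 'x')."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(user, user_groups, f)]
    return bool(((f.mode >> shift) & 0o7) & PERM_BITS[perm])


# Constructed metadata mirroring the article's example (not read from a live system).
BIN_LS = FileInfo("/bin/ls", "root", "root", 0o755)  # -rwxr-xr-x root root
TMP = FileInfo("/tmp", "root", "root", 0o1777)        # drwxrwxrwt root root
TOM_GROUPS = {"tom"}                                   # tom's basic group is tom

if __name__ == "__main__":
    for f, p in ((BIN_LS, "x"), (TMP, "r")):
        cls = permission_class("tom", TOM_GROUPS, f)
        ok = has_permission("tom", TOM_GROUPS, f, p)
        print(f"{f.path}: tom is '{cls}', {mode_to_string(f.mode)}, {p}={ok}")
```

Only the first matching class is used: a file owned by tom with mode 070 denies tom read even though group tom has rwx, which is why an owner can end up with fewer rights than the group.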



/etc/passwd configuration file format:

Account: login name

Passwd: password field

UID: user ID

GID: group ID

Comment: comment information

Home dir: home directory

Shell: default shell
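A parser for the seven-field passwd format just described, with the UID categories this article uses (0 admin, 1-499 system, 500 and above general), added here as an example; the sample file content is constructed, including a deliberately planted second UID-0 account so the check has something to report, and the function names are my own:

```python
from dataclasses import dataclass

# Constructed /etc/passwd content for this example (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
tom:x:500:500:Tom:/home/tom:/bin/bash
linzb:x:501:501::/home/linzb:/bin/bash
admin2:x:0:0:planted example:/tmp:/bin/bash
"""


@dataclass
class PasswdEntry:
    account: str   # login name
    passwd: str    # password field ("x" means the hash lives in /etc/shadow)
    uid: int
    gid: int
    comment: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each line into the seven colon-separated fields; reject anything else."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        account, passwd, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(account, passwd, int(uid), int(gid), comment, home, shell))
    return entries


def uid_category(uid):
    """User categories as given in this article: 0 admin, 1-499 system, 500+ general."""
    if uid == 0:
        return "admin"
    if uid <= 499:
        return "system"
    return "general"


def extra_admin_accounts(entries):
    """Every UID-0 account is an administrator whatever its name; list those besides root."""
    return [e.account for e in entries if e.uid == 0 and e.account != "root"]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e.account:8} uid={e.uid:<4} {uid_category(e.uid):8} shell={e.shell}")
    print("extra admin accounts:", extra_admin_accounts(entries))
```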


/etc/shadow configuration file format:

Account: login name

Encrypted password: the password after encryption

Date of last password change: the last time the password was changed

Minimum password age: minimum password lifetime

Maximum password age: maximum password lifetime

Password warning period: warning time before the password expires

Password inactivity period: how long the account can still be used after the password expires

Account expiration date: when the user account expires

Reserved field: reserved for future use


Encryption algorithms:

Symmetric encryption: encryption and decryption use the same key

Public-key cryptography: keys come in pairs; the public key encrypts and the private key decrypts

One-way encryption: hashing; extracts a fingerprint of the data in order to verify its integrity

Avalanche effect: if one character of the input differs, most characters of the output differ

Fixed-length output:

MD5: Message Digest, 128-bit fixed-length output

SHA-1: Secure Hash Algorithm, 160-bit output


An example of one-way encryption:

The file that holds users' passwords in Linux is called shadow. If we cat /etc/shadow we find that the ciphertext has a similar shape at the start: $ followed by 8 characters, then $, then a fixed-length ciphertext.

The reason is that Linux uses one-way encryption for the user's password: when the user logs in, the system encrypts the password that was entered and compares the result with the password fragment in /etc/shadow to determine whether the password is correct. But because the shadow file is readable to some users, and identical passwords produce identical ciphertext, if somebody's password fragment in shadow happened to be the same as yours, their password could be inferred from it. That does not meet Linux security standards, so the system adds random characters when encrypting the password; these are called the salt. Because of the avalanche effect of one-way encryption, even if two users' passwords are identical, the ciphertexts stored in shadow are mostly different. In terms of the algorithm, the 8 characters between the two $ signs are the salt, and what follows is the ciphertext produced after the salt has been added.
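An added example (my own code, not from the article) that parses the nine shadow fields described earlier, splits the stored value into its salt and hash parts, and shows the salting effect described above; the shadow lines are constructed with placeholder hashes, the $id$salt$hash layout is the modern crypt(3) form rather than the article's shorter description, and SHA-256 stands in for the system's password hash:

```python
import hashlib
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow stores day counts since this date

# Constructed /etc/shadow lines; the hash part is a placeholder, not a real credential.
SAMPLE_SHADOW = [
    "tom:$6$saltsalt$PLACEHOLDERHASH:16418:0:99999:7:::",
    "linzb:$6$s4ltS4lt$PLACEHOLDERHASH:16418:0:90:7:14::",
]


def parse_shadow(line):
    """Split one line into the nine fields described above; empty fields become None."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    num = lambda v: int(v) if v else None
    return {"account": f[0], "encrypted": f[1], "last_change": num(f[2]),
            "min_age": num(f[3]), "max_age": num(f[4]), "warn": num(f[5]),
            "inactive": num(f[6]), "expire": num(f[7]), "reserved": f[8]}


def split_hash(encrypted):
    """'$id$salt$hash' -> (id, salt, hash): the characters between the $ signs are the salt."""
    parts = encrypted.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not in $id$salt$hash form")
    return parts[1], parts[2], parts[3]


def password_expires_on(entry):
    """Expiry = last change + max age; 99999 is the conventional 'never expires' value."""
    if entry["last_change"] is None or entry["max_age"] in (None, 99999):
        return None
    return EPOCH + timedelta(days=entry["last_change"] + entry["max_age"])


def salted_digest(password, salt):
    """One-way hash of salt + password (SHA-256 here, standing in for crypt(3))."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def differing_chars(a, b):
    """How many positions differ between two equal-length hex digests."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        e = parse_shadow(line)
        print(e["account"], split_hash(e["encrypted"])[1], password_expires_on(e))
    d1, d2 = salted_digest("123456", "saltsalt"), salted_digest("123456", "s4ltS4lt")
    print("same password, different salts:", differing_chars(d1, d2), "of 64 hex chars differ")
```

Login verification is the comparison in reverse: hash the entered password with the stored salt and compare with the stored hash, which is why two identical passwords with different salts give no hint about each other.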


User management commands:

useradd

useradd [option] USERNAME

-u UID

-g GID (basic group)

-G GID,... (additional groups)

-c "COMMENT"

-d /path/to/homedir

-s SHELL

-m -k: -m creates the home directory; -k copies the files under /etc/skel (.bashrc and so on) into the new home directory

-M: do not create a home directory

/etc/login.defs: specifies default values for the user management commands, such as whether useradd creates a home directory by default

Note: a group must already exist before it is specified for a user; otherwise the command fails and the user is not created.


/etc/shells: lists the secure login shells available on the current system


userdel:

userdel [option] USERNAME

-r: also delete the user's home directory


id: view a user's account attributes

-u: UID

-g: GID of the basic group

-G: GIDs of all groups

-n: show names instead of numeric IDs


finger: view user account information

finger USERNAME


usermod:

-u UID

-g GID

-a -G GID: without the -a option the previous additional groups are overwritten

-c COMMENT

-d -m: -d specifies a new home directory, and -m moves the contents of the original home directory into the new one (without it, once the new home directory is set the user loses access to the files in the original home directory)

-l: change the user's login name

-L: lock the account

-U: unlock the account


chsh: change the user's default shell


chfn: change the comment information


Password management

passwd [USERNAME]

--stdin: read the password from standard input

-l: lock the account

-u: unlock the account

-d: remove the user's password

Example:

[[email protected] html]# echo '123456' | passwd --stdin root

Changing password for user root.

passwd: all authentication tokens updated successfully.


pwck: check the integrity of the user account files


Group management:

Create a group: groupadd

groupadd [option] GROUPNAME

-g GID

-r: add as a system group


groupmod

-g GID

-n GROUPNAME


groupdel GROUPNAME


gpasswd: set a password for a group

newgrp GRPNAME <--> exit

Note: the newgrp command temporarily switches the basic group, and exit returns to the previous one. When newgrp switches to one of the user's own additional groups no password is required. When switching to a group the user does not belong to, if the group has no password the switch is refused; once root has used gpasswd to set a password for the group, the user can run newgrp GRPNAME, enter that password, and switch.

Example:

[email protected]gstach linzb]# su linzb

[[email protected] ~]$ touch a

[email protected] ~]$ ls -l a

-rw-rw-r-- 1 linzb linzb 0 Dec 16:50 a

[email protected] ~]$ newgrp root

Password:

Invalid password.

[[email protected] ~]$ exit

exit

[email protected] linzb]# gpasswd root

Changing the password for group root

New Password:

Re-enter new password:

[email protected] linzb]# su linzb

[email protected] ~]$ newgrp root

Password:

[[email protected] ~]$ touch b

[email protected] ~]$ ls -alh b

-rw-r--r-- 1 linzb root 0 Dec 16:51 b


This article from "Single Season rice" blog, declined reprint!

