Linux users user, group detailed

First, user

Linux users are divided into administrators and ordinary users, and ordinary users are divided into system users and custom users. You can view/etc/passwd to see it. as follows: (partial)

Root:x:0:0:root:/root:/bin/bashpulse:x:497:496:pulseaudio System daemon:/var/run/pulse:/sbin/nologinsshd:x:74:74 :P rivilege-separated ssh:/var/empty/sshd:/sbin/nologintcpdump:x:72:72::/:/sbin/nologinlilei:x:500:500::/home/ Lilei:/bin/bashwangcai:x:502:503::/home/wangcai:/bin/bash

1, system Administrator : That is, the root account, the UID number is 0, has all system permissions, it is similar to the Windows system Administrator account, is the entire system owner.
2, system users : Linux to meet their own system management built-in account, usually in the installation process automatically created, not used to log on the operating system. The UID is between 1-499 (Centos7 is 1-999). Such users as the sshd, pulse, and so on above. It is similar to the system account in Windows, and of course the permissions are far from being high for the system account.
3, custom user : By the root administrator to create the user login system for operation of the account, the UID is above 500 (Centos7 is more than 1000). It is similar to an account in the Users user group in Windows systems.

In this file, the individual data segments of each row of user records are separated by ":", and each aspect of the user's attributes is defined separately. The order and meaning of each field are as follows:

We take this wangcai as an example of ordinary users

Wangcai:x:502:503::/home/wangcai:/bin/bash

Registration Name: Password: User identification number (UID): Group identification Number (GID): annotative Description: Home directory: User Login Shell Type

(1) Registration name (LOGIN_NAME): Used to distinguish between different users. The registration name is unique in the same system. On many systems, this field is limited to a length of 8 characters, and it is important to note that the letter case is usually sensitive to the Linux system, and the login name cannot have a colon (:), because the colon is the delimiter here. For compatibility purposes, it is best not to include the dot character (.) in the login name, and to begin with a hyphen (-) and a plus sign (+). This is not the same as msdos/windows.

(2) password (passwd): Some systems, stored in the encrypted user password Word. Although this field contains only the user password of the encrypted string, not clear text, but because the/etc/passwd file is readable to all users, so this is still a security risk. As a result, many Linux systems (such as SVR4) now use Shadow technology to store real encrypted user passwords into/etc/shadow files, while storing only a special character, such as "X" or "*", in the password field of the/etc/passwd file. Superuser root can use the system command passwd to change passwords for all users in the system, and regular users can use the passwd command to change their passwords after logging on to the system.

(3) User identification Number (UID): is an integer that is used internally by the system to identify the user. In general, it corresponds to a user name of one by one. If several user names correspond to the same user ID number, the system will treat them as the same user, but they can have different passwords, different home directories, and different login shells. The value range is 0-65535. 0 is the root of the Super User identification number, 1-99 is reserved by the system, as a management account, the identification number of ordinary users starting from 100. In a Linux system, this limit is 500.

(4) Group identification Number (GID): This is the workgroup identity for the current user. Multiple users with similar attributes can be assigned to the same group, each with its own group name and distinguished by its own group identification number. Like the UID, the user's group identification number is also stored in the passwd file. In modern Unix/linux, each user can belong to more than one group at a time. In addition to specifying the base groups for which they belong in the passwd file, the users in a group are indicated in the/etc/group file.

(5) annotative Description (Users): The field records some of the user's personal circumstances, such as the user's real name, phone, address, etc., this field does not have any practical use. In different Linux systems, the format of this field is not uniform. In many Linux systems, this field holds an arbitrary annotated descriptive text that is used as the output of the finger command.

(6) User home directory (home_directory): The user's starting working directory, which is the directory where the user logs on to the system. In most systems, each user's home directory is organized under the same specific directory, and the user's home directory name defaults to the user's login name. Each user has read, write, execute (search) permissions on his or her home directory, and other users ' access to this directory is set according to the specific circumstances.

(7) Login Shell: After the user logs in, to start a process, responsible for the user's actions to the kernel, the process is the user log on to the system after the command interpreter or a specific program, the Shell. The shell is the interface between the user and the Linux system. There are many types of Linux shells, each of which has different characteristics. Commonly used are sh (bourneshell), CSH (Cshell), Ksh (KornShell), tcsh (Tenex/tops-20typecshell), Bash (Bourneagainshell), etc. System administrators can assign a shell to a user based on system conditions and user habits. If you do not specify a shell, then the system uses SH as the default login shell, that is, the value of this field is/bin/sh. When the user shell type is/sbin/nologin, the user cannot log on to the system.

A user's login shell can be specified as a specific program (this program is not a command interpreter). With this feature, we can restrict the user from running only the specified application, and the user exits the system automatically after the application has finished running. Some Linux systems require only those programs that are registered in the system to appear in this field

Group B

Each user in Linux must belong to a group and cannot be independent of the group. In Linux, each file has the concept of owner, group, and other groups. The same user group information we can view in/etc/group. As shown below (partial)

root:x:0:bin:x:1:bin,daemonstapdev:x:158:tcpdump:x:72:screen:x:84:lilei:x:500:admins:x:502:wangcai:x:503: sysadmins:x:504

Here I also only show a part of the same data between each of the same: separate, each data represents a different meaning

We also use the bin group as an example

Bin:x:1:bin,daemon

Group name: Group Password: Group identification number (GID): Additional group member

Categories of Linux groups:

User's primary group (primary Group): The user must belong to one and only one group

User's additional groups (supplementary group): one user can belong to one or 0 additional groups

And the document is generally divided into

-Owner

-Group

-Other groups

Owner

Typically the creator of the file, who created the file, becomes the owner of the file naturally

You can see the owner of the file with the Ls‐ahl command

You can also use the Chown user name file name to modify the file owner

The group where the files are

When a user creates a file, the group where the file is located is the group that the user is in

All groups of files can be seen with the Ls‐ahl command

You can also use the CHGRP group name file name to modify the group in which the file resides

Other groups

Other users of the system are other groups of files, except for the owner of the file and the user in the same group

Primary configuration files for Linux users and groups

-/ETC/PASSWD: User machine attribute information (name, UID, primary group ID, etc.)

-/etc/group: Group and its attribute information

-/etc/shadow: User password and related information

-/etc/gshadow: group password and related information

The first two configuration files we have introduced, here we talk about the/etc/shadow file,/etc/shadow is the/etc/passwd of the password map of the past generated files, because/etc/passwd for all users are readable files so will cause the user password is not safe, The/etc/shadow file can only be viewed by root and cannot be accessed by other users.

Pwconv Maps the passwords in the passwd to the/etc/shadow

pwunconv de-mapping, password still in/etc/passwd

The files in the/etc/shadow are as follows (part)

postfix:!! : 17539::::::gdm:!! : 17539,:::::p ulse:!! : 17539::::::sshd:!! : 17539::::::tcpdump:!! : 17539::::::lilei:$6$upmj3vzy$ Xxeir7ssxj9r.sjbki3pfqdjnmdjavplq5hxzjcgtulliyenlv1vlhe.6cdidi1wqnjekijidfbfxwqc0plss0:17544:0:99999:7::: wangcai:!! : 17547:0:99999:7:::

Here is also the following: delimiter, the meaning of the separate fields are as follows

Login User name:

User password (!! Indicates that no password is set):

From January 1, 1970 to the time the password was last changed:

The password can be changed in a few days (0 means it can be modified at any time):

The password must be changed in a few days (99999 means expire after 99,999 days, which is equivalent to never expiring):

The system reminds the user a few days before the password expires (the default is one week):

The account will be locked after a few days after the password expires:

From January 1, 1970 onwards, the number of days after the account expires:

The/etc/gshdow file is also a password mapping file in the/etc/group file

Grpconv mapped the group password to the/etc/gshadow

Grpunconv to cancel the mapping of a group password

The files in the/etc/gshadow are as follows: (partial)

stapdev:!::tcpdump:!::screen:!::lilei:!::admins:!::wangcai:!::sysadmins:!::

Group name: Group Password: List of group Administrators: List of users with the current group as additional groups (comma delimiter)

Linux users user, group detailed