Operation and Maintenance Foundation--linux User and Group management

Management of users and groups

In the system, the purpose of creating users and groups is to manage the uniform allocation of permissions for system resources. It is like saying that in a company's resources, different levels of employees on the use of resources need to be distributed uniformly;

How to avoid abuse after permission assignment?

Users must comply with the AAA authentication system developed by Cisco Corporation when they use the rights, namely:

Authentication: Certification, verify the identity is correct

Authorization: Authorization to allocate resources for authenticated users

Accounting: Audit, supervision of the use of resources;

The necessity of resource certification is mainly derived from the limitation of computer system resources; In the system, the main body that can realize the resource use and complete the task is: program process; Linux, as a multiuser, multitasking operating system, runs as its initiator: it can be understood that the owner of the process is the initiator ; The initiator is flagged on the process;

When a process attempts to access a resource, the security context goes over the relationship to the owner of the process and the owner of the resource;

First, see if the owner of the process is the owner of the resource:

If yes, use resources in accordance with the authority of the owner;

If not, determine whether the owner of the process belongs to the group to which the resource belongs:

If the resource is used in accordance with the permissions of the group;

If not, access resources directly to other people accessing the resource;

So here's the concept of the user:

First, the user

1. User account: Is the computer operator in the operating system identity mapping,//After satisfying the authentication conditions of identity mapping;

2. Classification:

Super User (Administrator): root

Normal User:

System users: In order to ensure security, you must let those running in the background process or service class process, as a non-administrator to run, generally do not need to log on to the system

Logged-on User: Users who can use the entire system resources normally;

3. Identification of the user

1) User Login name: A simple and easy-to-remember string identifier prepared for the operator

2) User id: Digital identification for the computer system;

Super users: 0;

System users: CentOS 5, 6:1-499;centos 7:1-999;

Logged-in User: CentOS 5, 6:500-60000;centos 7:1000-60000 6w+ identifiers are user-defined identities;

3) Name resolution: Name <--->uid; Analytic Library:/etc/passwd

The system uses the analytic library to complete the authentication mechanism: To verify whether the logged-in user is the input user;

Certification Library:

User's authentication information base;/etc/shadow

The earnest information Bank of the group:/etc/group

Using the password authentication mechanism

General policy for setting passwords;

1. Try to use random string as password;

2. Password length not less than 8 characters;

3. At least include: uppercase and lowercase letters, numbers, punctuation, three categories of four categories;

4. Changing the password on an irregular basis;

In Linux, the password information saved to the authentication library is stored in an encrypted manner:

Hash one-way encryption algorithm; Extracting raw data is characteristic information, data fingerprint;

Characteristics of one-way cryptographic algorithms:

1. As long as the data is the same, the encryption results must be identical

2. No matter how large the data, the encryption result is fixed long output

3. Avalanche (butterfly) Effect: The original information changes the slightest, the result of encryption is very different

4. Non-reversible

Common one-way encryption algorithm:

MD5 (Message Digest 5): 128bit fixed-length output;

Shal (Secure Hash algorithm) 160bit fixed-length output; sha224\256\384\512

Salt: Random number

/dec/random: Only the random number is returned from the entropy pool, and if the random number in the entropy pool is exhausted, the process is blocked;

/dev/urandom: First try to return the random number from the entropy pool, if the entropy pool is exhausted, the pseudo random number generator is used to generate pseudorandom number;

And the final authentication string is: algorithm +salt+ password

Second, the group

User groups: A container that can associate users with some of the same or similar attributes for centralized authorization;

Categories of groups:

Administrators group

Normal User group:

System Group:

Login Group:

Identification method for the group:

Group name: Identification of the group that is convenient for the operator to use

Group ID (GID): Provides group identification for the system

Administrators group: 0

System Group: CentOS 5, 6:1-499;centos 7:1-999;

Login Group: CentOS 5, 6:500-60000 CentOS 7:1000-60000;

Analytic Library:/etc/group Certification library:/ETC/GPASSWD

Groups also require password protection;

If the group does not have password protection, you cannot join it at any time

The group is categorized by the user as the core:

User's primary group (Basic Group): Primary group, for users, such a group must have and only one;

Additional groups for users (secondary groups, additional groups): addition Group. Such a group for the user, can have no, can have multiple;

According to the group of users to be divided into: private groups and public rental;

Private group: The group name and user logon name are the same, and only this user in the group;

Public Rental: Organizations can contain many other different users;

Note: By default, the user's primary group is their private group;

Management of users and groups (primarily with command completion):

Group Management Related:

Groupadd Groupdel groupmems groupmod groups

User management:

Useradd Userdel usermod userhelper users

Certification Management Related:

passwd gpasswd Chage

Other related management:

CHSH finger su ID

/etc/passwd file:

Format:Name:password:UID:GID:GECOS:directory:shell

Name: Login Name

Password: password field, now using the shadow mechanism of the system, with the common "X" as a placeholder;

UID: User's ID

GID: The ID of the user's primary group

Gecos:comment, the information of the annotation class is now generally used to store user's descriptive information or full name;

Directory: The user's home directory path (typically an absolute path);

Shell: The absolute path of the user's default login shell

/etc/group file:

Format: group_name:password:GID:user_list

Group_name: Group name;

Password: group password placeholder, default is empty;

GID: ID of the group

User_list: A list of users with this group as additional groups;

/etc/shadow file:

Format: Login name:encrypted password ...

Login Name: User's login name;

Encrypted Password: encrypted password

Format: $ algorithm $salt+$ the true meaning of the cryptographic cipher;

If that location! , it indicates that the user's password is disabled;

If the location * indicates that the user is a system user cannot log on

If the location is empty: Indicates that the user can log in as many passwords as possible, and does not recommend

Date of last password change:

Relative time concept, 1970.1.1 to the last time the password was changed

Mimimum Password Age:

How long the password cannot be changed, the default is 0, meaning that you can change the password at any time,

Maximum password Age:

How long after the password expires, default 99999; meaning to be permanently valid;

Password Warning Period:

Friendly reminder days before password expires, default 7 days;

Password Inactivity Period

The grace period after the password expires, which defaults to-1, meaning permanent grace

Account Expiration Date:

A user account password expires on the date that is an absolute term;

Reserved field

Keep The fields for later use;

/etc/gpasswd

Management commands for groups:

1.groupadd: Create a new group account.

-G GID: When creating a group account, specify the GID of the group account, if you do not use this option, the system will choose to appear in the group resolution file is not greater than 60000 of the maximum GID plus 1;

-r: Create a system group that means creating a group of GID between 1-999/1-499;

2.groupmod: Modify the relevant property information of the group;

-G GID: Modify Group ID

-N Modify Group name

3.groupdel: Delete a group account

Note: If a group is a user's primary or private group, the group cannot be deleted;

User Management commands:

1.useradd: Add user account;

/etc/default/useradd

/etc/login.defs

/etc/ske1;

The above three files and directories can help administrators create users when no options are specified, and give users the default properties

Options

-C,--Comment ' comment ' adds annotation information to the user when creating the user, generally

-d,--home/path/to/home_dir: When creating a user, the absolute path of the home directory specified by the user, the specified directory should be a directory that does not exist;

-g,--gid Group: When creating a user, specify the primary group for the user;

-G,--groupsgroup1[,group2,... [, GROUPN]] : Each group is separated by commas, with no intervening spaces. Add additional groups to the user when creating the user;

-m,--create-home: Mandatory creation of home directories for users when creating users

-M: When creating a user, the user's home directory is not created, even if the value of Create_home in/etc/login.defs is not created;

-r,--system: Create system users;

-u,--uid: When creating a user, assign UID to user, this UID can exceed 60000;

-s,--shell/path/to/shell: When creating a user, specify the default shell for the user;

-d,--default Display or modify user default property values;

-s,--shell/path/to/shell: Modify the default value of the shell in the/etc/default/useradd file;

2.usermod: Modify user account information:

Options:

-c,--comment ' comment ' Modify user's comment information

-g,--gid GROUPNAME Modifying a user's primary group

-g,--groupsgroup1[,group2,... [, GROUPN]] : Modify the user's additional group as a group in the list (overwrite)

-a,--append: Use with the-G option to add additional groups of hearts to the user;

-d,--homehome_dir: Modify the user's home directory;

If the-m option is given, the old home directory data is moved to the new home directory;

-L: Change the user's login name

-S,--shellshell: Modify the user's login shell

-U,--uiduid modify UID

-l,--lock Lock User Password

-u,--unlock unlock user password;

3.userdel: Delete user accounts

-R,--remove

Files in the user's home directory are deleted along with the user's home directory and the user's mailbox. Files in other file systems must be manually searched and deleted.

User Authentication Related:

1.PASSWD: Set and view user's password information-password;

passwd [-K] [-l] [-u [-f]] [-d] [-e] [-N mindays] [-X Maxdays] [-W warndays] [-I inactivedays] [-S] [--stdin] [username]

If you omit the user name, it means to modify the password of the current logged-on user, and if you specify a user name, change the password for the specified user and only root;

"Options":

-l,--lock

-u,--unlock

Compared to the-l-u in Usermod, its priority is higher.

If you use a usermod-l locked user password, you can unlock it with passwd-u

and use passwd-l lock user password, can not be unlocked with usermod-u;

-d,--delete: Delete the user password and empty the second field in the/etc/shadow file!

-s,--status: View the status of a user's password

--stdin: Using pipelines to send input data streams as standard input information to the passwd command

echo "PASSWORD" |passwd--stdin USERNAME

Group Certification Related:

GPASSWD:

GPASSWD "Options" groupname

-a,--adduser adding users to groups named group

-d,--deleteuser Remove user users from a group named groups.

Other commands:

SU: Switch user identity;

Su USERNAME

Partial switch, half switch, that is, when the user is switched, the target user's profile is not re-read, so the user does not have login behavior, so the working environment is not initialized;

Su-username = = Su-l USERNAME

Login switch, completely switch, that is, when switching users, the target user's profile will be re-read, and initialize the working environment;

-C: Does not switch user identities, but executes a command as the target user

When switching from root to a normal user with the SU command, no password is required, in turn, the correct password must be given to the target user or the switchover fails;

Do not switch continuously after the switch, but to use the Exit command to return to the previous user;

NEWGRP: Temporarily change the primary group of the currently logged on user; exit returns to the previous state;

ID: Displays the ID of the real valid user and group;

The so-called real: is the user's uid&gid defined in/etc/passwd

The so-called valid: refers to the uid&gid of the user currently in force

Options

-U,--user, showing only valid UID

-G to display only the user's GID

-G displays GID for all groups of users

-N Displays the name of the user and group instead of the ID number

Operation and Maintenance Foundation--linux User and Group management