User and Rights Management for Linux

Source: Internet
Author: User
Tags: decrypt, stdin, asymmetric encryption

1. Linux operating system users and user groups

Linux is a multi-tasking, multi-user, time-sharing operating system. A Linux user is the identity that lets us log on to the system with a given set of permissions: whenever we log in with a user name, Linux authenticates the user and then authorizes and audits what that user does. To identify each user, the operating system assigns every user an ID, the UID. A user group is a container for multiple users, and in Linux a group also has an ID, the GID.

1.1 Linux Operating system users

In Linux, users fall into two categories: the administrator and ordinary users; ordinary users are further divided into system users and login users.
System users: so that background processes or service processes can run as non-administrators, it is common to create ordinary users for that purpose; such users never log into the system.
Login users: the users we normally log on to Linux with.

User ID (UID):
Typically represented as a 16-bit number (0-65535)
Administrator: 0
Normal users: 1-65535
System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login users: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)

Linux resolves the mapping between user names and UIDs through the name resolution library, the /etc/passwd file.

/etc/passwd: user information base
name:password:UID:GID:GECOS:directory:shell

1.2 Linux operating System user group

In Linux, user groups are classified in three ways:
1. Administrator group and normal user groups (system user groups, login user groups)
2. The user's primary (basic) group and additional (supplementary) groups
3. Private groups and public groups

User group ID (GID):
Typically represented as a 16-bit number (0-65535)
Administrator's group: 0
Normal user groups: 1-65535
System user groups: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login user groups: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)

Linux resolves the mapping between group names and GIDs through the name resolution library, the /etc/group file.

/etc/group: group information base
group_name:password:GID:user_list
user_list: the members of the group, i.e. the list of users that have this group as an additional group

1.3 Linux operating system password

When a user logs on to a Linux system, the password entered is compared with the password previously saved in the /etc/shadow and /etc/gshadow files.

Encryption algorithms:
Symmetric encryption: encrypts and decrypts with the same key
Asymmetric encryption: encrypts and decrypts with a pair of keys
Key pair: public key, private key
One-way encryption (hashing): can only encrypt, not decrypt; used to extract a signature (digest) of the data;
Fixed-length output;
Avalanche effect: when one character of the input changes, the entire output changes

Linux stores passwords with a one-way encryption algorithm and adds a random number (salt) to the computation.

Algorithm ID   Algorithm name
1              MD5 (message digest, 128 bits)
2              SHA (secure hash algorithm, 160 bits)
3              sha224
4              sha256
5              sha384
6              sha512

/etc/shadow: user passwords

username:encrypted password:date of last password change:minimum age:maximum age:warning period:inactivity period:expiration date:reserved field

# head -1 /etc/shadow
root:$6$mnelub3te/l9utia$nvgyyr6kkpdfryrzc2q9hprngz8z3mdksqkrae1fy8.lbmqoldhk4ne1zzlolzg2362jgdrwmtrmsbi5pte.j0::0:99999:7:::

Encrypted password: the field is delimited by $; the first segment is the ID of the encryption algorithm used, the second segment is the added salt, and the third segment is the encrypted (hashed) password.
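As an added example (not part of the original page), the following Python parses constructed /etc/passwd and /etc/shadow records, classifies each account by the CentOS 7 UID ranges from 1.1, splits the $id$salt$hash field described above, and reports the two findings an account audit usually starts with: extra UID-0 accounts and empty password fields. The sample records and the shortened hash values are constructed; the function names are my own.

```python
# Added example, not from the page: parse constructed passwd/shadow records.
# Constructed sample records; the hashes are shortened placeholders, not real.
PASSWD = """root:x:0:0:root:/root:/bin/bash
hadoop:x:1001:1001:Hadoop:/home/hadoop:/bin/bash
backup:x:0:1002:backup:/home/backup:/bin/bash"""
SHADOW = """root:$6$mnelub3te/l9utia$nvgyyr6kkpdfr:17000:0:99999:7:::
hadoop:!$6$abcdefgh$0123456789abcdef:17000:0:99999:7:::
backup::17000:0:99999:7:::"""

def classify_uid(uid):
    """UID ranges for CentOS 7 as given in section 1.1."""
    if uid == 0:
        return "administrator"
    return "system" if uid <= 999 else "login"

def split_hash(field):
    """Decode a shadow password field into (algorithm id, salt, locked, empty)."""
    if field == "":
        return ("none", "", False, True)        # empty field: no password asked
    locked = field.startswith("!")              # usermod -L / passwd -l prefix
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("disabled", "", True, False)    # no usable hash at all
    parts = body.split("$")                     # ['', id, salt, hash]
    if len(parts) >= 4 and parts[0] == "":
        return (parts[1], parts[2], locked, False)
    return ("unknown", "", locked, False)

def load_accounts(passwd=PASSWD, shadow=SHADOW):
    """Join passwd and shadow on the user name into a list of dicts."""
    pw = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines()}
    accounts = []
    for line in passwd.splitlines():
        name, _x, uid, gid, _gecos, _home, shell = line.split(":")
        algo, salt, locked, empty = split_hash(pw.get(name, "*"))
        accounts.append(dict(name=name, uid=int(uid), gid=int(gid), shell=shell,
                             kind=classify_uid(int(uid)), algo=algo, salt=salt,
                             locked=locked, empty=empty))
    return accounts

def audit(accounts):
    """Findings an auditor wants: extra UID-0 accounts and empty passwords."""
    findings = []
    for a in accounts:
        if a["uid"] == 0 and a["name"] != "root":
            findings.append(f'{a["name"]}: UID 0 but not root')
        if a["empty"] and a["shell"] != "/sbin/nologin":
            findings.append(f'{a["name"]}: empty password with a login shell')
    return findings
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow (the latter is readable by root only).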

2. Rights Management

Linux file permissions are divided into read, write and execute.

# ls -l /bin/bash
-rwxr-xr-x. 1 root root 960392 Aug  3  2016 /bin/bash

File permissions:
-rwxr-xr-x.
The string is divided into five parts:
-: the file type
rwx: permissions of the file owner (user)
r-x: permissions of the owning group
r-x: permissions of other users
.: whether a FACL is enabled

Permissions:
r: readable
w: writable
x: executable

The effect of permissions on files:
r: the file's data can be read;
w: the file's data can be modified;
x: the file can be run as a process;

The effect of permissions on directories:
r: the ls command can list the files in it;
w: the directory's file list can be modified, i.e. files (including subdirectories) can be created or deleted;
x: one can cd into the directory and use ls -l to get the detailed attributes of the files in it;

Permission combination   Binary   Decimal
---                      000      0
--x                      001      1
-w-                      010      2
-wx                      011      3
r--                      100      4
r-x                      101      5
rw-                      110      6
rwx                      111      7

Exercise:
rw-rw-r--   664
rwxrwxr-x   775
rwxr-x---   750
rw-------
rwxr-xr-x   755

3. Related commands

3.1 User management commands

useradd command: create a user
useradd [OPTIONS] LOGIN
-u, --uid UID: specifies the UID; the default is the previous user's UID + 1
-g, --gid GID: specifies the primary group ID, which must already exist;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: the additional groups the user belongs to, separated by commas;
-c, --comment COMMENT: specifies the comment (GECOS) information
-d, --home HOME_DIR: specifies the path of the user's home directory, which is created by copying /etc/skel and renaming it; if the specified home directory already exists, the environment profile files are not copied for the user.
-s, --shell SHELL: specifies the user's default shell; the list of available shells is stored in /etc/shells;
-r, --system: create a system user
-M: do not create a home directory for the user
-f, --inactive INACTIVE: the number of days after the password expires before the account is completely disabled; 0 disables it immediately, -1 disables the feature.
Note: many of the defaults used when creating a user come from /etc/login.defs

useradd -D: display the default option values used when creating a user;
useradd -D OPTION: modify the value of a default option;
the modified result is saved in /etc/default/useradd, which can also be edited directly.

usermod command: modify user attributes
usermod [OPTIONS] LOGIN
-u, --uid UID: change the user's ID to the new UID given here;
-g, --gid GROUP: change the user's primary group; the group must already exist;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: change the user's additional groups; the original additional groups are overwritten;
-a, --append: used together with -G to append new additional groups for the user;
-c, --comment COMMENT: change the comment information;
-d, --home HOME_DIR: change the user's home directory; the user's original files are not moved to the new location;
-m, --move-home: can only be used with the -d option; moves the original home directory to the new one;
-l, --login NEW_LOGIN: change the user name;
-s, --shell SHELL: change the user's default shell;
-L, --lock: lock the user's password, i.e. prepend "!" to the user's original password string;
-U, --unlock: unlock the user's password.

userdel command: delete a user
userdel [OPTIONS] LOGIN
-r: also delete the user's home directory and mail spool;

id command: display the user's real and effective UID and GID
id [OPTION]... [USERNAME]
-u: display only the effective UID;
-g: display only the ID of the user's primary group;
-G: display only the IDs of all groups the user belongs to;
-n: display names instead of IDs; usually combined with -G: id -nG

su command: switch user
Login switch: re-reads the target user's profile and re-initializes the environment
su - USERNAME
su -l USERNAME

Non-login switch: the target user's profile is not read
su USERNAME

Note: the administrator can switch to any other user without a password; other users must enter the target user's password when switching.

-c "COMMAND": run only the specified command as the given user
Example: su - USERNAME -c "whoami"

3.2 User Group Management commands

groupadd command: add a group
groupadd [OPTIONS] GROUP_NAME
-g GID: specifies the GID; the default is the previous group's GID + 1
-r: create a system group;

groupmod command: modify group attributes
groupmod [OPTIONS] GROUP
-g GID: change the GID
-n NEW_NAME: change the group name

groupdel command: delete a group
groupdel [OPTIONS] GROUP

3.3 User and user group exercises

Exercise 1: create a user gentoo with UID 4001, primary group gentoo, and additional groups distro (GID 5000) and penguin (GID 5001);
groupadd -g 5000 distro
groupadd -g 5001 penguin
useradd -u 4001 -G distro,penguin gentoo

Exercise 2: create a user fedora with the comment "Fedora Core" and default shell /bin/tcsh;
useradd -c "Fedora Core" -s /bin/tcsh fedora

Exercise 3: change the gentoo user's home directory to /var/tmp/gentoo, requiring that the user's original files remain accessible to the user;
usermod -d /var/tmp/gentoo -m gentoo

Exercise 4: add the additional group netadmin for gentoo
groupadd netadmin
usermod -a -G netadmin gentoo

3.4 Password Management commands

passwd command:
passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [USERNAME]
(1) passwd: change the user's own password;
(2) passwd USERNAME: change the specified user's password; only root may do this;
-l, -u: lock and unlock the user;
-d: delete (clear) the user's password;
-e: password expiration;
-i DAYS: inactivity period;
-n DAYS: minimum password age;
-x DAYS: maximum password age;
-w DAYS: warning period;
--stdin: read the new password from standard input:

echo "PASSWORD" | passwd --stdin USERNAME

# echo "hadoop" | passwd --stdin hadoop
Changing password for user hadoop.
passwd: all authentication tokens updated successfully.

gpasswd command:
Group password file: /etc/gshadow

gpasswd [OPTIONS] GROUP
-a USERNAME: add a user to the group as an additional group
-d USERNAME: remove a user from the group

newgrp command: temporarily switch the specified group to be the primary group;
newgrp [-] [GROUP]
-: simulate a re-login of the user so that the working environment is re-initialized
Note:
If a password is set for the specified group:
(1) if the group to switch to is one of the user's additional groups, no password is required and the switch happens directly;
(2) if the group is not one of the user's additional groups, the group password must be entered to switch.
If the specified group has no password: no user except root may switch directly to it.

chage command: change user password expiration information
# chage list root
Usage: chage [options] LOGIN
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

Several other user management commands:
chsh: change the login shell
chfn: change the user's finger information
finger: show basic user information

# finger
Login     Name       Tty      Idle  Login Time     Office     Office Phone   Host
root      root       pts/0    20:33 May 17 14:47                             (192.168.126.1)
root      root       pts/1          May 18 12:56                             (192.168.126.1)

pwck: check the password files for problems

# pwck
user 'ftp': directory /var/ftp does not exist
user 'pulse': directory /var/run/pulse does not exist
pwck: no changes

grpck: check the integrity of the group files

3.5 Rights Management Commands

chmod command:
chmod [OPTIONS]... MODE[,MODE]... FILE...
chmod [OPTIONS]... OCTAL-MODE FILE...
chmod [OPTIONS]... --reference=RFILE FILE...

Three classes of users: u: owner (user), g: group, o: others; a: all

(1) chmod [OPTIONS]... MODE[,MODE]... FILE...
Mode notation:
Assignment notation: directly sets the permission bits of a class of users;
the permissions assigned to the three classes are separated by commas and, if they are the same, can be combined.
u=
g=
o=
a=
Authorization notation: directly adds or removes the r, w, x bits of a class of users;
the permissions for the three classes are separated by commas and, if they are the same, can be combined.
u+, u-
g+, g-
o+, o-
a+, a-
(2) chmod [OPTIONS]... OCTAL-MODE FILE...
Authorization with the numeric (octal) mode

(3) chmod [OPTIONS]... --reference=RFILE FILE...
Authorization by copying the permissions of a reference file;

Options:
-R, --recursive: recursive modification, applied to all files (including subdirectories) under the directory.
Note: a user can only modify the permissions of files they own;
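An added Python example (not from the page) that implements the symbolic mode rules above (who=perms, who+perms, who-perms, comma separated, with the class prefix defaulting to all) on an octal mode, plus the rwx-string-to-number conversion from the permission table in section 2; the names apply_symbolic, symbolic_to_octal and octal_to_symbolic are my own.

```python
# Added example, not from the page: chmod's symbolic notation (who=perms,
# who+perms, who-perms, comma separated) applied to an octal mode, plus the
# rwx string <-> number conversion from the permission table in section 2.
WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}

def perm_bits(perms, who_mask):
    """Bits for the letters r/w/x, restricted to the classes in who_mask."""
    bits = 0
    for p in perms:
        if p not in PERM_BITS:
            raise ValueError(f"unsupported permission letter {p!r}")
        bits |= PERM_BITS[p]
    return bits & who_mask

def apply_symbolic(mode, spec):
    """Return the mode that `chmod SPEC` would leave on a file with `mode`."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO_MASK:
            i += 1                              # collect the u/g/o/a prefix
        if i == len(clause) or clause[i] not in "=+-":
            raise ValueError(f"bad clause {clause!r}")
        who_mask = 0
        for w in clause[:i] or "a":             # no prefix means all classes
            who_mask |= WHO_MASK[w]
        op, bits = clause[i], perm_bits(clause[i + 1:], who_mask)
        if op == "=":                           # replace that class's bits
            mode = (mode & ~who_mask) | bits
        elif op == "+":                         # add bits
            mode |= bits
        else:                                   # remove bits
            mode &= ~bits
    return mode & 0o777

def symbolic_to_octal(text):
    """'rwxr-x---' -> 0o750, as in the binary/decimal table."""
    if len(text) != 9:
        raise ValueError("expected nine rwx characters")
    mode = 0
    for ch, expected in zip(text, "rwx" * 3):
        mode = (mode << 1) | (ch == expected)   # bool counts as 0 or 1
    return mode

def octal_to_symbolic(mode):
    """0o664 -> 'rw-rw-r--'."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwx" * 3))
```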

Ownership management commands: chown, chgrp
chown command:
chown [OPTIONS]... [OWNER][:[GROUP]] FILE...
chown [OPTIONS]... [OWNER][.[GROUP]] FILE...
chown [OPTIONS]... --reference=RFILE FILE...
Options:
-R: recursive modification, applied to all files (including subdirectories) under the directory.

chgrp command:
chgrp [OPTIONS]... GROUP FILE...
chgrp [OPTIONS]... --reference=RFILE FILE...

Note: only the administrator can change the owner and owning group of a file;

Think 1: if a user has write permission on a directory but not on a file inside it, can the user modify the contents of the file? Can the user delete the file?
Answer: the contents of the file cannot be modified, but the file can be deleted.
Think 2: what permission does a user need on a directory to be able to use the mv command in it?
Answer: execute permission.

umask: the file permission reverse mask (mask code);
File:
666 - umask
Directory:
777 - umask
Note: files are derived from 666, which means a file cannot have execute permission by default; if an execute bit appears in the result, add 1 to that digit;

umask command:
umask: view the current umask
umask MASK: set the umask;

Note: this setting is only valid for the current shell process.
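An added Python example (not from the page): it computes the default file and directory modes for a umask with the bitwise rule the kernel applies, implements the subtraction shortcut from the text together with its add-1 correction, and checks the two against each other for every possible umask; the function names are my own.

```python
# Added example, not from the page: default modes produced by a umask.
# Compares the digit-wise "666 - umask / 777 - umask" rule from the text,
# with its "add 1 when an execute bit appears" correction, against the
# bitwise clearing the kernel actually performs.

def default_mode(base, umask):
    """Kernel rule: every bit set in the umask is cleared from the base mode."""
    return base & ~umask & 0o777

def subtraction_mode(base, umask):
    """The arithmetic shortcut: subtract digit by digit (never below 0); for
    files (base 666) a digit that ends up odd has gained a phantom execute
    bit, so add 1 to it, as the note above says."""
    digits = []
    for b, m in zip(f"{base:03o}", f"{umask:03o}"):
        d = max(int(b) - int(m), 0)
        if base == 0o666 and d % 2 == 1:
            d += 1
        digits.append(str(d))
    return int("".join(digits), 8)

def defaults(umask):
    """Return (file mode, directory mode) as 3-digit strings for a umask."""
    return (f"{default_mode(0o666, umask):03o}", f"{default_mode(0o777, umask):03o}")

def shortcut_mismatches():
    """umask values (as strings) where the shortcut and the kernel rule differ."""
    bad = []
    for umask in range(0o1000):
        for base in (0o666, 0o777):
            if subtraction_mode(base, umask) != default_mode(base, umask):
                bad.append(f"{umask:03o}")
                break
    return bad
```

shortcut_mismatches() returns an empty list, i.e. the per-digit shortcut with its add-1 correction agrees with the bitwise rule for all 512 umask values.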


