User and Rights Management in Linux


Linux is a multi-user, multitasking operating system: multi-user means that several users can use system resources at the same time, and multitasking means that several processes run at the same time.

A user is a named set of permissions that can gain access to system resources; Linux isolates resources on a per-user basis.

A user group is a logical collection of users with the same characteristics, that is, a container for users.

1. User:

(1) User categories

Administrator: root

Normal users:

System user: used only to start service processes.

Login user: used for interactive sessions; this kind of user is a consumer of system resources.

(2) The operating system identifies a user by UID:

The UID is a 16-bit binary number, so the range is 0-65535. Linux assigns UIDs as follows:

Administrator: 0
Normal users: 1-65635
System users: 1-499 (CentOS 5, 6), 1-999 (CentOS 7)
Login users: 500-60000 (CentOS 5, 6), 1000-60000 (CentOS 7)

The operating system and the user refer to system resources in different ways (the kernel uses numeric IDs, people use names), so the two must be mapped onto each other by name resolution, that is, name translation. Linux uses the /etc/passwd file as the resolution library for this mapping.

2. Group: the same concepts apply to Linux groups:

(1) A group is identified by its GID.

(2) A file serves as the resolution library for group names and GIDs: /etc/group maps group names to GIDs.

(3) Groups can be categorised from several angles:

1. By role: the administrator group and the ordinary user groups; the ordinary user groups are further divided into system user groups and ordinary user groups.

2. From the user's point of view: Linux gives each user a basic (primary) group and optional additional (supplementary) groups. When a user is created, Linux creates a basic group with the same name as the user.

3. By membership: a private group has the same name as its corresponding user and contains only that one user; a public group has several members, who share the set of permissions granted to the group.

Linux manages users through authentication, authorization and accounting; authentication is performed mainly against /etc/shadow.

Resource permission mechanism:

Security context of a user:

Process: runs as a user; the process's permissions on a resource are those of the user it represents.
File permission model in the operating system:
Owner: the user who owns the file
Group: the group the file belongs to
Others: all other users

How the permission model takes effect:
Process runner: first, is the process's user the owner of the file? If so, the file is accessed with the owner's permissions. Otherwise, does the process's user belong to the file's group? If so, the file is accessed with the group's permissions. Otherwise the file is accessed with the permissions granted to other users. Only the first matching class is consulted. As shown in the following figure:

[Figure: file permission effective mechanism]
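The decision order described above, as an added Python example (not code from the original article): the first matching class decides, so an owner with no permission bits cannot read a file even when the group has full access. The file entries and UIDs are constructed for illustration; the process's group set is assumed to contain both its basic and additional groups.

```python
# Constructed sample file metadata (not from a real system): mode bits plus owner uid/gid.
SAMPLE_FILES = {
    "/srv/report.txt":  {"mode": 0o640, "uid": 1000, "gid": 1000},  # owner rw-, group r--
    "/srv/private.key": {"mode": 0o070, "uid": 1000, "gid": 1000},  # owner ---, group rwx
}


def permission_class(proc_uid, proc_gids, file_uid, file_gid):
    """Pick the one class the kernel evaluates: owner, then group, then other.

    proc_gids holds the process's basic group and all additional groups.
    The first match wins; a later class is never consulted, even if it
    would grant more access.
    """
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"


def allowed(mode, proc_uid, proc_gids, file_uid, file_gid, want):
    """Return True if every permission letter in `want` ('r', 'w', 'x')
    is granted by the class selected for this process.

    Only the classic owner/group/other model is shown; root's special
    treatment (capabilities such as CAP_DAC_OVERRIDE) is deliberately
    left out so the basic rule is visible.
    """
    cls = permission_class(proc_uid, proc_gids, file_uid, file_gid)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (mode >> shift) & 0o7                     # rwx bits of that class
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def check(path, proc_uid, proc_gids, want):
    """Look up a constructed file entry and evaluate the request against it."""
    f = SAMPLE_FILES[path]
    return allowed(f["mode"], proc_uid, proc_gids, f["uid"], f["gid"], want)
```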


Management of users and groups:

The main commands in Linux are:

Groups: groupadd, groupdel, groupmod

Users: useradd, usermod, userdel
Authentication: passwd, gpasswd

Group management commands:

1. groupadd: add a group
groupadd [options] GROUP_NAME
Options:

-g GID: specify the GID; by default it is the GID of the previous group plus 1;
-r: create a system group;

For example:
~]# groupadd -r -g 336 testgrp
~]# tail -1 /etc/group

testgrp:x:336:

Description: /etc/group file format:
group_name:group_password:gid:user1,user2,user3...

where user1,user2,user3... is the list of additional members of the group, separated by ",";

2. groupmod: modify a group
groupmod [options] GROUP
-g GID: change the GID;
-n NEW_NAME: change the group name;

3. groupdel: delete a group
groupdel [options] GROUP

User management

1. useradd: create a user
useradd [options] LOGIN
-u, --uid UID: specify the UID;
-g, --gid GROUP: specify the basic group (name or ID), which must already exist;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: specify the additional groups the user belongs to, separated by commas;
-c, --comment COMMENT: specify the comment (GECOS) information;
-d, --home HOME_DIR: the user's home directory at the given path; it is created by copying /etc/skel to that path. If the specified home directory already exists, the environment profile files are not copied into it;
-s, --shell SHELL: specify the user's default shell; the list of available shells is stored in /etc/shells;
-r, --system: create a system user;

Note: many of the default settings used when creating a user come from /etc/login.defs, which defines the defaults that useradd applies.

The useradd -D option displays or modifies the default configuration used for newly created users:

useradd -D [option]

Example: useradd -D -s /bin/tcsh   # the modified defaults are saved in /etc/default/useradd

2. usermod [options] LOGIN
-u, --uid UID: change the user's ID to the new UID given here;
-g, --gid GROUP: change the user's basic group;
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]: change the user's additional groups; the original additional groups are overwritten;
-a, --append: used together with -G to append new additional groups instead of replacing them;
-c, --comment COMMENT: change the comment information;
-d, --home HOME_DIR: change the user's home directory; the user's existing files are not moved to the new location;
-m, --move-home: only valid together with -d; moves the contents of the old home directory to the new one;
-l, --login NEW_LOGIN: change the user name;
-s, --shell SHELL: change the user's default shell;
Note: the login shell must be listed in /etc/shells, otherwise the user cannot log in.
-L, --lock: lock the user's password, i.e. prefix the stored password string with "!";
-U, --unlock: unlock the user's password;
-e, --expiredate EXPIRE_DATE: set the date on which the account expires;
-f, --inactive INACTIVE: number of days of inactivity allowed after the password expires.

3. userdel: delete a user
userdel [options] LOGIN
-r: also delete the user's home directory;

Description 1. /etc/passwd, the user resolution library: each line is one record, and the fields are separated by ":".

Take the resolution library entry of the newly added user storm as an example:

storm:x:5001:5001::/home/storm:/bin/bash

The fields mean the following:
name:password:uid:gid:comment:home_directory:shell

Description 2. /etc/shadow, the password resolution library: each line is one record, and the fields are separated by ":".

Take the shadow entry of the newly added user storm as an example:

storm:!!:16867:0:99999:7:::

Login name: the login name

Encrypted password: the encrypted (hashed) password

Date of last password change: the date the password was last changed, expressed as the number of days since 1970-01-01;

Minimum password age: the minimum number of days between password changes; until it has elapsed the user cannot change the password even if they want to;

Maximum password age: the longest number of days a password may be used; once it has elapsed without a change, enforcement measures apply;

Password warning period: the number of days before expiry during which the user is warned to change the password;

Password inactivity period: the grace period after the password has expired; during it the user can only reset the password, and must do so before the system can be used again;

Account expiration date: the mandatory expiry date after which the account can no longer log in;

Reserved field: reserved for future use.

Note 3: User passwords are stored with a one-way hash algorithm such as MD5, SHA-256 or SHA-512. To make the password harder to guess, a salt, a random string, is added to each hash so that identical passwords do not produce identical strings. The random devices in Linux are /dev/random (a true random source that by default draws on the hardware entropy pool; when the pool is exhausted it blocks and produces no more output) and /dev/urandom (a pseudo-random source that also draws on the hardware entropy pool by default, but when the pool is exhausted it continues to produce output by software simulation).
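A parser for the /etc/shadow layout described above, written as an added example (not code from the original article). It classifies each entry from the lock marker and the day-count fields, which is the check an administrator runs when auditing stale or locked accounts; the sample records are constructed, with the first one mirroring the article's storm entry.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample /etc/shadow body (not from a real system); line 1 mirrors the article's "storm" entry.
SHADOW_SAMPLE = """\
storm:!!:16867:0:99999:7:::
alice:$6$fakesalt$fakehash:16700:0:90:7:3::
bob:$6$fakesalt$fakehash:16500:0:90:7:3:16900:
carol::16867:0:99999:7:::
dave:$6$fakesalt$fakehash:16880:0:90:7:::
"""

@dataclass
class ShadowEntry:
    name: str
    password: str               # hash, "" (no password) or "!", "!!", "*" (locked)
    last_change: Optional[int]  # days since 1970-01-01
    min_age: int
    max_age: Optional[int]
    warn: int
    inactive: Optional[int]
    expire: Optional[int]       # account expiry, also days since 1970-01-01

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")          # nine ':'-separated fields
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    num = lambda s: int(s) if s else None     # empty field means "not set"
    return ShadowEntry(f[0], f[1], num(f[2]), num(f[3]) or 0, num(f[4]),
                       num(f[5]) or 0, num(f[6]), num(f[7]))

def password_state(e: ShadowEntry, today: int) -> str:
    """Classify one entry for a given day number (days since 1970-01-01)."""
    if e.password == "":
        return "empty-password"       # login possible with no password at all
    if e.password.startswith(("!", "*")):
        return "locked"               # usermod -L / passwd -l, or never set
    if e.expire is not None and today >= e.expire:
        return "account-expired"      # hard expiry: login refused
    if e.last_change is None or e.max_age is None or e.max_age >= 99999:
        return "ok"                   # password never ages out
    age = today - e.last_change
    if age > e.max_age:
        if e.inactive is not None and age > e.max_age + e.inactive:
            return "inactive"         # grace period over, account disabled
        return "expired"              # must be changed at next login
    return "warning" if age >= e.max_age - e.warn else "ok"

def audit_shadow(text: str, today: int) -> dict:
    return {e.name: password_state(e, today)
            for e in map(parse_shadow_line, text.splitlines())}
```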

Note 4: Password expiration mechanism:

4. passwd command:
passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]

(1) passwd: change the current user's own password;
A normal user (1) must enter the old password and (2) the new password must satisfy the complexity requirements.
Password complexity: at least 8 characters, using at least three of the four character classes, not too similar to the old password, and so on.
(2) passwd USERNAME: change the password of the specified user; only root has this permission;
-l, -u: lock and unlock the user;
-d: clear the user's password string;
-e: expire the password immediately;
-i DAYS: inactivity period;
-n DAYS: minimum password age;
-x DAYS: maximum password age;
-w DAYS: warning period;

(3) passwd --stdin: read the new password from standard input;
echo "PASSWORD" | passwd --stdin USERNAME
(The password then appears in the shell history and process list of the invoking user, so this form is meant for scripts, not interactive use.)

su command: switch user

5. User switching

(1) Without reading the target user's personal profile files, a partial ("half") switch:
su USERNAME
(2) Reading the target user's personal profile files, a login switch:
su - USERNAME  (equivalently su -l USERNAME)
Option: -c, --command COMMAND: only run COMMAND as the target user and return its result, without actually switching identity.
Note: root switching to another user needs no password; a normal user switching to any user must enter that user's password.
6. gpasswd: set a password for a group
Group passwords are stored in /etc/gshadow.
gpasswd [option] GROUP
-a USERNAME: add a user to the group
-d USERNAME: remove a user from the group
7. newgrp command: log in to another group. Switching to a group the user already belongs to needs no password and changes the effective group to the target group; switching to a group the user does not belong to requires that group's password.
8. chage: change user password expiry information

This article is from the "Guo Wan blog"; please retain the source link when reproducing it: http://guowang.blog.51cto.com/9130940/1748602
