User and Rights Management

Source: Internet
Author: User

Linux users and groups: Linux is a multi-user, multi-tasking system. Several users can be logged in and several tasks can run at the same time, and one user's work is isolated from another's.

Every user has a unique UID. Account information is kept in /etc/passwd (the password hash itself lives in /etc/shadow); only a user who enters a correct user name and password gets into the system and lands in their own home directory.
1. Classification of users
In Linux, users fall into three categories:
Administrative user (root, UID 0): has the highest privilege; it can perform any operation and access any resource.
System users: cannot log in interactively. They are owned by the system and exist so that system services can run under their own restricted identity instead of as root.
Normal users: can log in and, by default, only access the resources under their own home directory (plus whatever the permissions on other files grant them).


2. Classification of groups
In Linux, groups can be looked at in three ways:
1. The administrator group (root, GID 0) and normal user groups.
2. Primary (basic) groups and supplementary (additional) groups: a user can belong to more than one group. For example, Kim's primary group is A, but Kim can also be a member of B and C, one user to many groups.
3. Private groups and public groups: a private group contains exactly one user (by default useradd creates one with the same name as the new user); a public group has several members.


3. User ID and Group ID
In Linux each user and group has its own numeric ID: the user ID is the UID and the group ID is the GID. On RHEL/CentOS 6 the administrative user has UID 0, system users use 1-499 and login users 500-60000. On RHEL/CentOS 7 system users use 1-999 and login users 1000-60000; the administrative user is still 0. These boundaries come from UID_MIN/UID_MAX in /etc/login.defs.


4. Files that store user and group information:
User information is stored in /etc/passwd
Group information is stored in /etc/group
User passwords are stored in /etc/shadow
Group passwords are stored in /etc/gshadow
Meaning of each field in /etc/passwd:
user name : password placeholder ("x" means the hash is in /etc/shadow) : UID : GID of the primary group : comment (GECOS) information : home directory : login shell
/etc/group
group name : group password placeholder : GID : users that have this group as a supplementary group (comma-separated)
/etc/shadow
user name : hashed password : date of last password change (days since 1970-01-01) : minimum age : maximum age : warning period : inactivity period : account expiration date (days since 1970-01-01) : reserved field
/etc/gshadow
group name : hashed group password : group administrators : group members
/etc/passwd and /etc/group are world-readable; /etc/shadow and /etc/gshadow are readable only by root, which is why the hashes are kept there rather than in /etc/passwd.

5. Group management commands:
groupadd, groupmod, groupdel

1. Using groupadd:
groupadd -g GID group      create the group with the given GID
groupadd -r group          create a system group (GID taken from the system range)

2. Using groupmod:
groupmod -g GID group      change the group's GID
groupmod -n newname group  rename the group

3. Using groupdel:
groupdel group             delete the group (it must not be the primary group of any existing user)

4. Using gpasswd: sets a group password and manages membership
gpasswd group                       set the group password
gpasswd -a user group               add user to the group (as a supplementary group)
gpasswd -d user group               remove user from the group (as a supplementary group)
gpasswd -A user1,user2,... group    set the list of users who administer the group

The newgrp command switches the current session to the given group; if the user is not a member of that group, the group password is required. Group passwords are rarely used in practice: anyone who learns the password gets the group's access, so granting membership with gpasswd -a is the better control.

6. User management commands:
useradd, usermod, userdel, passwd

1. Using useradd:
useradd -u UID username              specify the user ID
useradd -g group username            specify the user's primary (basic) group
useradd -G group1,group2 username    specify the user's supplementary (additional) groups
useradd -c "comment" username        specify the user's comment (GECOS) information
useradd -d /path username            specify the user's home directory
useradd -s /bin/shell username       specify the user's login shell
useradd -r username                  create a system user (UID from the system range; no home directory unless -m is given)

2. Using usermod:
usermod -u UID username              change the user ID
usermod -g group username            change the user's primary group
usermod -G group1,group2 username    replace the user's supplementary group list (use -aG to append instead of replacing, otherwise the user silently loses the groups not listed)
usermod -c "comment" username        change the comment information
usermod -d /path username            change the home directory (add -m to move the old contents)
usermod -s /bin/shell username       change the login shell
usermod -e YYYY-MM-DD username       set the account expiration date
usermod -f days username             set the inactivity period: days after the password expires before the account is disabled (-1 turns this off)
usermod -L username                  lock the user (a "!" is placed in front of the password hash in /etc/shadow)
usermod -U username                  unlock the user
usermod -l newname username          change the login name
(There is no usermod option to turn an existing account into a system user; system accounts are created with useradd -r.)
Locking with -L only disables password authentication: a user with an authorized SSH key can still log in until the account is expired (-e) or its shell is changed.

Note: usermod will not change the login name or UID of a user who is currently logged in (it reports that the user is currently used by a process). Make sure the user is logged out before modifying the account.


7. Related configuration files: /etc/login.defs, /etc/default/useradd, /etc/skel

/etc/login.defs defines the defaults used when creating a user, such as the UID and GID ranges, password expiration settings, whether a home directory is created, and so on.

The contents (abridged) are as follows:


PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

Points to notice in this file: UID_MIN 500 is the RHEL 6 numbering; PASS_MAX_DAYS 99999 means passwords effectively never expire; UMASK 077 makes new home directories private to their owner; ENCRYPT_METHOD SHA512 selects the hash used for new passwords in /etc/shadow.




/etc/default/useradd
When a user is created with useradd and no options, the home directory ends up under /home and the default shell is /bin/bash, because this file contains:

GROUP=100          default primary group GID, used only when private user groups are not in use
HOME=/home         new users' home directories are created under /home
INACTIVE=-1        days after password expiry before the account is disabled; -1 means this feature is off
EXPIRE=            account expiration date; empty means the account never expires
SHELL=/bin/bash    default login shell for new users
SKEL=/etc/skel     directory whose files are copied into each new home directory

Contents of the /etc/skel directory:

.  ..  .bash_logout  .bash_profile  .bashrc  .gnome2  .mozilla    (all hidden files; list them with ls -a)

A new user's home directory is generated by copying this directory, so it starts out with .bash_profile, .bashrc and .bash_logout. Whatever is placed in /etc/skel runs in every new user's shell, so the directory and its dotfiles should be owned and writable by root only.




With the -D option, useradd shows or changes the defaults stored in /etc/default/useradd. The general format is:
useradd -D [-g group] [-b base] [-s shell] [-f inactive] [-e expire]
The options mean:

-g the default primary group name or GID for new users; the name or GID must refer to a group that already exists.

-b the parent directory for new users' home directories, i.e. every new user's home directory is created under this directory.

-s the default login shell for new users.

-f the number of days after a password expires before the account is permanently disabled.

-e the default account expiration date.


3. Using userdel:
userdel username        delete the user (the home directory is kept)
userdel -r username     delete the user together with the home directory and mail spool

4. passwd

passwd username         change the user's password (root only; a user changes their own password with plain passwd)

-k    keep: only update authentication tokens that have expired
-l    lock the account's password; same effect as usermod -L (puts "!" in front of the hash); root only
-u    unlock the account's password; same effect as usermod -U; root only
-g    change a group password; equivalent to gpasswd
-f    change the user information shown by the finger command (as chfn does)
-d    delete the user's password so the user can log in without entering one; root only, and not something to do on a reachable system
-S    show the password status of the user (LK locked, NP no password, PS usable password) together with its aging values; root only
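The lock, expiry and inactivity options above (passwd -l/-u/-S, usermod -e/-f, and the PASS_MAX_DAYS and PASS_WARN_AGE defaults) all act on fields of /etc/shadow. The following added example, which is not code from the original page, interprets constructed shadow records the way passwd -S and chage -l would: lock state from the hash prefix, password aging from the lastchg/max/warn/inactive fields, and account expiry. The record values and the fixed "today" are assumptions chosen to exercise each state.

```python
"""Interpret /etc/shadow records: lock state (passwd -l / usermod -L),
password aging (PASS_MAX_DAYS, warning period, inactivity) and account
expiry (usermod -e), as passwd -S and chage -l would report them.

Added example, not code from the original page.  The records are
constructed and "today" is passed in as a day count since 1970-01-01, so
the result does not depend on when the script is run."""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed /etc/shadow sample.  Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved  (day counts since EPOCH)
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
kim:$6$saltsalt$hashhash:19000:0:90:7:::
op:!$6$saltsalt$hashhash:19000:0:90:7:::
guest::19000:0:99999:7:::
tmpuser:$6$saltsalt$hashhash:18000:0:30:7:10::
contractor:$6$saltsalt$hashhash:19000:0:90:7::19000:
"""


def days_since_epoch(d):
    """The unit shadow uses for the lastchg and expire fields."""
    return (d - EPOCH).days


def parse_shadow_line(line):
    """Split the nine colon-separated fields; empty numeric fields become None."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    num = lambda s: int(s) if s else None
    return {"name": f[0], "hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5]), "inactive": num(f[6]),
            "expire": num(f[7])}


def password_state(rec, today):
    """ok / warning / expired / inactive / must-change / no-aging.

    This example counts the expiry day itself as expired: the password is
    expired once today >= lastchg + max, and the account is inactive once
    today >= lastchg + max + inactive."""
    if rec["lastchg"] is None or rec["max"] is None:
        return "no-aging"              # aging disabled for this account
    if rec["lastchg"] == 0:
        return "must-change"           # lastchg 0 forces a change at next login
    expires_on = rec["lastchg"] + rec["max"]
    if rec["inactive"] is not None and today >= expires_on + rec["inactive"]:
        return "inactive"
    if today >= expires_on:
        return "expired"
    if rec["warn"] is not None and expires_on - today <= rec["warn"]:
        return "warning"
    return "ok"


def account_status(line, today):
    """Status dictionary for one shadow record as of `today`."""
    rec = parse_shadow_line(line)
    h = rec["hash"]
    return {
        "name": rec["name"],
        # "!" prefix: passwd -l / usermod -L; "*" (or "!!"): no usable password at all
        "locked": h.startswith("!") or h == "*",
        "nopass": h == "",             # empty hash: login without any password
        "password": password_state(rec, today),
        "account_expired": rec["expire"] is not None and today >= rec["expire"],
    }


def report(text, today):
    """{name: status} for every record in a shadow file body."""
    return {s["name"]: s for s in
            (account_status(l, today) for l in text.splitlines() if l.strip())}


if __name__ == "__main__":
    today = days_since_epoch(date(2022, 4, 3))   # 19085 days since the epoch
    for name, s in report(SAMPLE_SHADOW, today).items():
        print(f"{name:<11} locked={s['locked']!s:<5} nopass={s['nopass']!s:<5} "
              f"password={s['password']:<11} account_expired={s['account_expired']}")
```

Reading the real file requires root. Two practical points the output makes visible: passwd -l only prefixes the hash with "!", so a user with an authorized SSH key can still log in until the account is expired (usermod -e) or its shell is changed; and with PASS_MAX_DAYS 99999 the warning window never arrives, so aging only does anything if the defaults in /etc/login.defs are tightened.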




ii. Rights Management

For the security of resources and of the system as a whole, Linux attaches permissions to every file: different users have different rights on different files.

Sample long listing (ls -l) of a file:

-rw-r--r-- 1 root root 0 Dec 8 10:24 .autofsck


1. The permission string, briefly:
The permission field is 10 characters long: -rwxrwxrwx
The first character gives the file type:
-: ordinary file
d: directory
l: symbolic link
c: character device (sequential access)
b: block device (random access)

The remaining nine characters are three sets of r, w, x:
r: read, the file is readable
w: write, the file is writable (its contents can be added to or changed)
x: execute, the file can be run as a program

The first three characters are the owner's permissions
The middle three are the owning group's permissions
The last three are the permissions of all other users


Second column, 1: number of hard links to the file
Third column, root: owner of the file
Fourth column, root: owning group
Fifth column, 0: size in bytes
Sixth column, Dec 8 10:24: time of last modification
Seventh column, .autofsck: file name; the leading dot marks it as a hidden file


2. Meaning of the permissions on a file:

r: the contents of the file can be read.

w: the contents of the file can be edited, appended to or changed.

x: the file can be executed.

2. Meaning of the permissions on a directory:

r: the names of the entries can be listed with ls (with r alone, only the names: without x their attributes cannot be read).

w: entries can be created, deleted and renamed in the directory (this also requires x on the directory). Deleting a file therefore depends on w on the directory, not on the permissions of the file itself.

x: the directory can be entered with cd and the files inside it can be opened by name. Without x, even r does not give access to the files.


3. Modifying permissions
u = owner
g = owning group
o = other users
chmod u=rwx,g+r,o-r filename     (several clauses are separated by commas, without spaces)
u: the owner of the file or directory.
g: the group, i.e. the user group that owns the file or directory.
o: other users.
a: all users (all three classes).
Operator symbols:
+ adds a permission.
- removes a permission.
= sets exactly the given permissions, removing any the class previously had.



Numeric permission change: chmod 777 filename. The first 7 is the owner's permission, the second 7 the group's, the third 7 that of other users. Each digit is the binary value of its rwx bits:

--- 000 0
--x 001 1
-w- 010 2
-wx 011 3
r-- 100 4
r-x 101 5
rw- 110 6
rwx 111 7

So r=4, w=2, x=1, and a digit is the sum of the permissions it grants.

Changing permissions:
chmod 777 /tmp/vitest
drwxrwxrwx 2 root root 4096 Dec 8 16:39 /tmp/vitest
777 makes the directory world-writable, so any user can create or delete entries in it, including other users' files. A shared directory like this should at least carry the sticky bit (chmod 1777, as /tmp does) so that users can only delete their own files.


Changing the owner:
chown can change both the owner and the owning group (chown user:group file)
chown username file
chown op /tmp/vitest/
drwxrwxrwx 2 op root 4096 Dec 8 16:39 /tmp/vitest/
chown -R user[:group] directory    recursive change: the directory and every file and subdirectory under it get the given owner and/or group. Only root can change a file's owner; ordinary users cannot give their files away.



Changing the owning group:
chgrp group file
chgrp as /tmp/vitest/
drwxrwxrwx 2 op as 4096 Dec 8 16:39 /tmp/vitest/

The mask applied when a file or directory is created: umask
The default umask is 0002 or 0022.
Permissions of a new file: 666 with the umask bits removed (0666 & ~umask).
Permissions of a new directory: 777 with the umask bits removed (0777 & ~umask).
A new file never gets x permission, because the starting value 666 has no x bits. The rule is a bitwise mask, not arithmetic subtraction: with a umask such as 033 a new file gets 644, not 633.
View the current umask: type umask on its own on the command line.
Change the umask: umask 0002 (this lasts for the current shell; put it in a profile script, or in UMASK in /etc/login.defs, to make it permanent).
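The symbolic and numeric chmod forms, the umask rule and the file permission semantics described above can be worked through in code. This added example (not from the original page) implements them in Python over constructed modes, UIDs and GIDs: conversion between rwx strings and octal (including the setuid/setgid/sticky characters), an interpreter for chmod specs such as u=rwx,g+r,o-r, the umask rule as the bitwise operation it actually is, and the owner/group/other access decision. All names and values are assumptions.

```python
"""Work through Linux mode bits: symbolic <-> octal conversion, the chmod
operators (u/g/o/a with + - =), the umask rule for new files and
directories, and the owner/group/other access decision.

Added example, not code from the original page.  The modes, UIDs and GIDs
used are constructed; nothing here touches the real filesystem."""

_SPECIAL = {0: 0o4000, 1: 0o2000, 2: 0o1000}   # setuid, setgid, sticky per class


def symbolic_to_octal(perms):
    """'rwxr-x---' or 'drwxr-x---' -> 0o750.  s/S and t/T in an x position
    encode setuid/setgid/sticky with (lower case) or without (upper case) x."""
    if len(perms) == 10:
        perms = perms[1:]                  # drop the file-type character
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(perms):
        cls, pos = divmod(i, 3)            # class 0/1/2 = owner/group/other
        shift = 6 - 3 * cls
        if ch == "-":
            continue
        if pos == 2 and ch in "sStT":
            mode |= _SPECIAL[cls]
            if ch in "st":
                mode |= 1 << shift
        elif ch == "rwx"[pos]:
            mode |= (4 >> pos) << shift    # r=4, w=2, x=1 within the class
        else:
            raise ValueError(f"bad character {ch!r} at position {i}")
    return mode


def octal_to_symbolic(mode):
    """0o1777 -> 'rwxrwxrwt'."""
    out = []
    for cls in range(3):
        bits = (mode >> (6 - 3 * cls)) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & _SPECIAL[cls]:
            out.append(("s" if cls < 2 else "t") if bits & 1 else ("S" if cls < 2 else "T"))
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def apply_chmod(mode, spec):
    """Apply a symbolic spec such as 'u=rwx,g+r,o-r' (comma-separated, no spaces).
    who: any of u g o a (none is treated as a); op: + - =; perms: any of r w x.
    Only the rwx bits are touched; setuid/setgid/sticky are left as they are."""
    who_mask = {"u": 0o700, "g": 0o070, "o": 0o007}
    perm_bits = {"r": 0o444, "w": 0o222, "x": 0o111}
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who, op, perms = clause[:i] or "a", clause[i:i + 1], clause[i + 1:]
        if op not in ("+", "-", "=") or any(p not in perm_bits for p in perms):
            raise ValueError(f"bad clause {clause!r}")
        mask = bits = 0
        for w in ("ugo" if "a" in who else who):
            mask |= who_mask[w]
        for p in perms:
            bits |= perm_bits[p]
        bits &= mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            mode = (mode & ~mask) | bits
    return mode


def creation_mode(umask, is_dir):
    """Mode of a newly created file (base 666) or directory (base 777) under
    `umask`.  A bitwise mask, not subtraction: umask 033 gives 644, not 633."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """May `uid` (whose primary and supplementary GIDs are `gids`) r, w or x a
    regular file with this mode and ownership?  Exactly one class applies:
    owner, else group, else other, so an owner can be refused something that
    'other' is allowed.  Root skips r/w checks and may execute if any x bit is set."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return want != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bit)


if __name__ == "__main__":
    m = apply_chmod(symbolic_to_octal("-rw-r--r--"), "u=rwx,g+r,o-r")
    print(oct(m), octal_to_symbolic(m))
    print(oct(creation_mode(0o022, False)), oct(creation_mode(0o022, True)))
    print(can_access(0o640, 1000, 1000, 1001, {1001, 1000}, "r"))
```

The access rule makes a detail visible that matters when reviewing permissions: only one class is consulted, so chmod 007 really does lock the owner out while everyone else can read the file, and even root's ability to execute a file still depends on some x bit being set.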
