"Linux" user management of Linux

         Today, I learned Linux user management and recorded it here.

1, Significance of users and user groups

1) Meaning of user existence

System resources are limited. How to allocate system resources reasonably?

1. Identity account

2. Authorize author

3. Certification auth

The above three 'a' are called 3A mechanism, which constitutes the lowest security architecture in the system.

2) Significance of user group existence

A user group is a logical container that classifies and uniformly authorizes users.

In short, the user group is like our class or community organization in school. What rights are given to your class and what rights are given to your department in the community, then you have what rights. This facilitates the unified decentralization of power.

2, How users and user groups exist in the system

Because computers are sensitive to numbers and we are sensitive to names, we can use this feature to store users in the form of numbers and strings.

We know that in Linux, everything is a file, so users are no exception. What we call users and user groups is actually a string in the file.

The user is in/etc/passwd A line of characters in a file
 User group is in/etc/group A line of characters in a file
vim /etc/passwd   Use this command to view passwd File content, and then know the user information
vim /etc/group    Use this command to view group File content, and then know the user group information

However, it is troublesome to view the id information of users or user groups in the file. Linux provides us with such commands to facilitate us to view the relevant information of users:

whoami  View current user name
id  [parameter][user name]  View user's id Information. The default user name is to view the current user

    -u View users of users id
    -g View user's primary group id
    -G View all user groups id
    -n The display name cannot be used alone. It needs to be connected with the above command to display information

user id Range:
    0: Super user id
    1-999: Linux System self use id
    1000-65535: User level id
            above id The information is recorded in/etc/login.defs

3, System configuration files involved by users

/etc/passwd          User identity information file

passwd String meaning in
 User name:User password:user id:User master group id:User description:User home directory:User default shell

/etc/group         Group identity file

Group name:Group password:group id:Additional members of the group

/etc/skel/.*         User environment profile template

/etc/shadow         User authentication information file

/home/username         User home directory

/var/spool/mail/username         User mailbox file

4, User related operations

1) User and user group creation and deletion

We can use the watch command to monitor the creation and deletion of users

watch -n 1 "tail -n 4 /etc/passwd /etc/group;echo =======;ls -l /home"

User creation command useradd:

useradd username    ##User establishment
        -u id username        ##Specify user uid
        -g id username        ##Specify primary group id
        -G id username        ##Specify additional group id
        -d dir username       ##Specifies the user's home directory
        -M     username       ##Home directory is not automatically created when creating users
        -c word username      ##Specify user description when creating user
        -s shell username     ##Specify shell
userdel username    ##User delete
        -r username           ##Deleting a user also deletes the home directory and system profile
groupadd groupname  ##Group establishment
         -g id groupname      ##Specify group id
groupdel groupname  ##groups deleting

2) Information management of users and user groups

Sometimes we need to change the user's related attributes during the use of the server, although we know that the user is stored in the form of string in the / etc/passwd file, and we know the meaning of string:

User name:User password:user id:User master group id:User description:User home directory:User default shell

Of course, we can use the root user to modify these fields to change the user information, but in practical application, we will not do so, but use some related commands:

usermod [option] [parameter] [username]

        -l    #Modify user name
        -u    #Modify user's uid
        -g    #Modify user primary group id
        -G    #Modify user attached group identity
        -aG   #Add user additional group identity
        -c    #Change user description text
        -d    #Change the user's home directory to
        -md   #Change the home directory pointer and home directory name at the same time
        -s    #Change default shell
        -L    #Frozen account
        -U    #Unlock account

Our password information is stored in the shadow file. The shadow content:

User name: encryption password: last modification time: minimum modification interval: password validity: warning days before password change: Grace time after password Expiration: account expiration time: reserved field

We can use the passwd command to modify the password related attribute information

passwd [option] [parameter] [username]
If the options and parameters are default, modify them'username'Password for

        -S    #View password status
        -l    #Frozen account authentication
        -u    #Unlock account authentication
        -d    #Delete user password
        -e    #Modify the default usage time to 0
        -n    #Set minimum usage time
        -x    #Set password expiration time
        -w    #Set expiration warning time
        -l    #Set inactive days
change -d 0 [username]    #You must change your password to log in
change -E "xxxx-xx-xx" [username]    #Set freeze date

5, User decentralization

In practice, we use the server and often use decentralization, which allows us to execute some commands with higher permissions. For example, we can use decentralization to enable ordinary users to run some commands as root, so that we do not need to log in to the root account, which not only ensures the system security, but also achieves our purpose.

Authorization method:

We can use the visudo command to modify the / etc/sudoers file (of course, we can also use vi or vim to modify it, but vi and vim do not provide syntax detection. It is not convenient to find errors after we modify the file incorrectly)

For convenience, it is customary to add delegation of authority around 100 lines of the document:

username        hostname=(newusername)        [NOPASSWD:] /command, /command1

6, File permissions viewing and reading

1) Permission view

ls -l file        #View file permissions
ls -ld dir        #View directory permissions

The information of file permissions is divided into three categories ugo

u representative user That is, the owner of the file
g representative group That is, the owning group of the file
o representative other That is, others who have nothing to do with the ownership of the document
 The flag bit of power in each large type, that is rwx
r representative read That is, read permissions
w representative write That is, write permission
x Delegate Execution Authority

We can use the chmod command to modify the file related permission information

chmod [ugo][+-=][rwx] [filename/dirname] #Granting permissions through expressions

chmod [xxx] [filename/dirname]    #Give permissions by number

Through the understanding of Boolean quantity, we can rwx Three bits for binary to octal conversion

S authority

You can set S permission in the form of string expression. The functions of S permission are as follows:

When on file u Bit setting s Permission means that the file executor will obtain the owner identity of the file during execution. It can only be used on binary files
 When on file g Bit setting s Permission means that the executor of the file will obtain the identity of the group to which the file belongs. If it is used in the directory, the group of the file created in the directory will become this directory
Sticky Bit The effect is that only the owner of the file can delete his own file in the current directory

Tags: Linux

Posted on Wed, 01 Dec 2021 06:47:37 -0500 by dreamline