Today, I learned Linux user management and recorded it here.
1, Significance of users and user groups
1) Meaning of user existence
System resources are limited. How can they be allocated sensibly? Three things are needed:
1. Account (the identity)
2. Authorization
3. Authentication
These three A's together are called the 3A mechanism, which forms the lowest layer of the security architecture of the system.
2) Significance of user group existence
A user group is a logical container used to classify users and authorize them as a unit.
In short, a user group is like a class at school or an organization in the community: whatever rights are granted to your class, or to your department in the organization, are the rights you have. This makes it convenient to delegate permissions in one place.
2, How users and user groups exist in the system
Computers handle numbers easily while we handle names easily, so users are stored in both forms: a number and a name string.
In Linux everything is a file, and users are no exception: what we call a user or a user group is really just a line of text in a file.
A user is one line of text in the file /etc/passwd.
A user group is one line of text in the file /etc/group.
vim /etc/passwd    ##view the contents of passwd to see the user information
vim /etc/group     ##view the contents of group to see the user group information
However, looking up the id of a user or user group in these files by hand is tedious. Linux provides commands that show user information directly:
whoami                  ##show the current user name
id [option] [username]  ##show a user's id information; without a user name it shows the current user
    -u                  ##show the user's id (uid)
    -g                  ##show the user's primary group id
    -G                  ##show the ids of all groups the user belongs to
    -n                  ##show names instead of numbers; cannot be used alone, combine it with one of the options above (for example id -gn)
User id ranges:
    0            super user
    1-999        ids reserved for use by the Linux system itself
    1000-65535   ids for ordinary users
The ranges are recorded in /etc/login.defs.
3, System configuration files involved by users
/etc/passwd               user identity information file
    Meaning of the fields in a passwd line:
    User name:User password:user id:User primary group id:User description:User home directory:User default shell
/etc/group                group identity file
    Group name:Group password:group id:Additional members of the group
/etc/skel/.*              template for the user environment configuration files
/etc/shadow               user authentication information file
/home/username            user home directory
/var/spool/mail/username  user mailbox file
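To show how the id command derives its output from the two files described above, here is an added example (not from the original post) that resolves a user from constructed /etc/passwd and /etc/group contents and classifies the uid using the ranges given earlier. All user and group names are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve a user the way id(1)
# does, from constructed passwd/group contents, and classify the uid with the
# ranges 0, 1-999 and 1000-65535. All names below are constructed.
set -eu

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh'

SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
sshd:x:74:
alice:x:1000:
bob:x:1001:
developers:x:2000:alice,bob'

# uid_class UID -> super | system | regular | out-of-range
uid_class() {
    if   [ "$1" -eq 0 ];     then echo super
    elif [ "$1" -le 999 ];   then echo system
    elif [ "$1" -le 65535 ]; then echo regular
    else echo out-of-range; fi
}

# show_id NAME -> "uid=N(name) gid=N(group) groups=N(g1),N(g2),... class=..."
show_id() {
    name=$1
    # uid and primary gid come from the 3rd and 4th passwd fields
    entry=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$name" \
        '$1 == u { print $3 ":" $4; f = 1 } END { if (!f) exit 1 }') \
        || { echo "no such user: $name"; return 1; }
    uid=${entry%%:*}; gid=${entry##*:}
    # primary group = the group entry whose gid matches; additional groups =
    # every group that lists the user in its member field (what id -G shows)
    groups=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$name" -v g="$gid" '
        $3 == g { primary = $3 "(" $1 ")" }
        { n = split($4, m, ","); for (i = 1; i <= n; i++)
              if (m[i] == u) extra = extra "," $3 "(" $1 ")" }
        END { print primary extra }')
    printf 'uid=%s(%s) gid=%s groups=%s class=%s\n' \
        "$uid" "$name" "${groups%%,*}" "$groups" "$(uid_class "$uid")"
}

show_id alice
```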
4, User related operations
1) User and user group creation and deletion
We can use the watch command to monitor the creation and deletion of users
watch -n 1 "tail -n 4 /etc/passwd /etc/group;echo =======;ls -l /home"
The useradd command creates users:
useradd username              ##create a user
useradd -u id username        ##specify the user's uid
useradd -g id username        ##specify the primary group id
useradd -G id username        ##specify an additional group id
useradd -d dir username       ##specify the user's home directory
useradd -M username           ##do not create the home directory automatically
useradd -c word username      ##specify the user description
useradd -s shell username     ##specify the login shell
userdel username              ##delete a user
userdel -r username           ##delete the user together with the home directory and mail spool
groupadd groupname            ##create a group
groupadd -g id groupname      ##specify the group id
groupdel groupname            ##delete a group
2) Information management of users and user groups
Sometimes we need to change a user's attributes while the server is in use. We know the user is stored as a line of text in /etc/passwd, with these fields:
User name:User password:user id:User master group id:User description:User home directory:User default shell
As root we could edit these fields directly to change the user information, but in practice we do not do that; we use the related commands instead:
usermod [option] [parameter] username
    -l newname      #change the user name
    -u id           #change the user's uid
    -g id           #change the user's primary group id
    -G group        #set the user's additional group membership (replaces the current list)
    -aG group       #add an additional group without removing the existing ones
    -c text         #change the user description
    -d dir          #change the home directory recorded for the user (the directory itself is not moved)
    -md dir         #change the home directory entry and move the home directory at the same time
    -s shell        #change the default shell
    -L              #lock the account
    -U              #unlock the account
Password information is stored in the shadow file. The fields of a shadow line are (dates are stored as days since 1970-01-01):
User name:encrypted password:last change date:minimum days between changes:maximum password validity (days):warning days before the password expires:grace days after expiration (inactive period):account expiration date:reserved field
We can use the passwd command to modify the password related attributes:
passwd [option] [parameter] [username]   #with no options, changes the password of username (the current user if omitted)
    -S                  #show the password status
    -l                  #lock the account (password authentication is disabled)
    -u                  #unlock the account
    -d                  #delete the user's password
    -e                  #expire the password immediately (the user must set a new one at the next login)
    -n days             #set the minimum password usage time
    -x days             #set the maximum password validity
    -w days             #set the expiry warning time
    -i days             #set the number of inactive days after expiration
chage -d 0 username               #the user must change the password at the next login
chage -E "xxxx-xx-xx" username    #set the account expiration (freeze) date
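As an added example (not from the original post) of what the shadow fields and the passwd/chage aging options above actually mean for an account, this script reads constructed shadow lines and reports the password state for a given "today", expressed as days since 1970-01-01. The user names, hashes and day numbers are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate the aging fields of a
# constructed /etc/shadow line (the values passwd -n/-x/-w/-i and chage set)
# and report the account's password state for a given day number.
set -eu

# fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved (constructed)
SAMPLE_SHADOW='alice:$6$constructedhash:19700:0:90:7::20000:
bob:!$6$constructedhash:19500:0:90:7:5::
carol:$6$constructedhash:0:0:99999:7:::
dave:$6$constructedhash:19650:0:90:7:10::'

# shadow_state NAME TODAY -> one of:
#   locked | must-change | expired-account | inactive | expired | warn | ok | unknown
shadow_state() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v user="$1" -v today="$2" '
        $1 != user { next }
        {
            found = 1
            hash = $2; lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
            # passwd -l / usermod -L put "!" in front of the hash; "*" means no login
            if (hash ~ /^[!*]/)                     { print "locked"; exit }
            # chage -d 0 forces a change at the next login
            if (lastchg == "0")                     { print "must-change"; exit }
            # chage -E: the whole account is frozen from this day on
            if (expire != "" && today >= expire + 0) { print "expired-account"; exit }
            # 99999 is the usual "never expires" value of the max field
            if (max == "" || max + 0 >= 99999)      { print "ok"; exit }
            left = lastchg + max - today            # days until the password expires
            if (left < 0 && inactive != "" && -left > inactive + 0) { print "inactive"; exit }
            if (left < 0)                           { print "expired"; exit }
            if (warn != "" && left <= warn + 0)     { print "warn"; exit }
            print "ok"
        }
        END { if (!found) print "unknown" }'
}

shadow_state alice 19750
```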
5, Delegating permissions to users
In practice we often delegate permissions on a server so that certain commands can be run with higher privileges. For example, delegation lets an ordinary user run some commands as root without logging in to the root account, which keeps the system secure while still getting the job done.
Authorization method:
We use the visudo command to edit the /etc/sudoers file (vi or vim can edit it too, but they do not check the syntax, so a mistake in the file is hard to find afterwards).
For convenience, it is customary to add the delegation rules around line 100 of the file:
username hostname=(newusername) [NOPASSWD:] /command, /command1
That is: username may run the listed commands (given with absolute paths) on hostname as newusername; the NOPASSWD: tag is optional and skips the password prompt.
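After adding rules in this form it is worth checking that none of them grants more than a fixed list of commands. The following is an added example (not from the original post) that audits constructed rules in the sudoers syntax above; the user names, host name and commands are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: audit rules written in the
# sudoers syntax  user host=(runas) [NOPASSWD:] /cmd, /cmd1  and report those
# that grant a user more than a fixed list of commands. Sample is constructed.
set -eu

SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults    env_reset
root    ALL=(ALL)       ALL
alice   web01=(root)    NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel
bob     ALL=(ALL)       ALL
carol   web01=(root)    /usr/bin/systemctl restart *
%wheel  ALL=(ALL)       /usr/bin/id'

# audit_sudoers TEXT -> prints each risky rule to stderr and the number of
# risky rules to stdout. Risky here means the command list is ALL (full root)
# or a command pattern contains a wildcard (many commands match it).
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        $1 == "Defaults" || $1 == "root"     { next }   # settings; root has everything anyway
        {
            cmds = $0
            sub(/^[^=]*=/, "", cmds)                            # drop "user host="
            sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", cmds) # drop "(runas)"
            sub(/^(NOPASSWD|PASSWD):[[:space:]]*/, "", cmds)    # drop the tag
            if (cmds == "ALL")    { print "unrestricted: " $0 > "/dev/stderr"; n++ }
            else if (cmds ~ /\*/) { print "wildcard:     " $0 > "/dev/stderr"; n++ }
        }
        END { print n + 0 }'
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Run the real file through the same function with `audit_sudoers "$(cat /etc/sudoers)"` as root; visudo -c remains the syntax check, this only looks at the breadth of what is granted.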
6, Viewing and reading file permissions
1) Permission view
ls -l file    #view file permissions
ls -ld dir    #view directory permissions
File permission information is divided into three categories, ugo:
    u  user   the owner of the file
    g  group  the group the file belongs to
    o  other  everyone else, unrelated to the file's ownership
Each category carries the permission bits rwx:
    r  read     read permission
    w  write    write permission
    x  execute  execute permission
We can use the chmod command to modify file permissions:
chmod [ugo][+-=][rwx] filename/dirname   #grant permissions with an expression
chmod xxx filename/dirname               #grant permissions with numbers
Treating rwx as three binary digits and converting them to octal gives the numeric form: r=4, w=2, x=1 (so rwx=7, r-x=5).
S permission
The special permissions can also be set with the string form of chmod. Their effects are:
    s on the u bit: whoever executes the file runs with the identity of the file's owner. It only makes sense on binary executables.
    s on the g bit: whoever executes the file runs with the identity of the file's group. On a directory, files created inside it get the directory's group.
    Sticky bit (t): in a directory with this bit, only the owner of a file can delete their own file.
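The following added example (not from the original post) carries the rwx-to-octal conversion and the special bits described above through in code: it converts the permission string shown by ls -l into the four-digit octal form chmod accepts and flags setuid/setgid entries in a constructed listing. The file names and sizes are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: convert an ls -l permission
# string to octal (special bits first) and flag setuid/setgid entries.
set -eu

# mode_to_octal MODESTRING -> four octal digits, e.g. rwsr-xr-x -> 4755.
# A leading file-type character (-, d, l) as printed by ls -l is accepted.
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}
    [ ${#m} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0; digits=""; i=0
    while [ $i -lt 3 ]; do
        t=$(printf '%s' "$m" | cut -c $((i*3+1))-$((i*3+3)))
        v=0
        case $t in r??) v=$((v+4));; esac
        case $t in ?w?) v=$((v+2));; esac
        case $t in ??[xst]) v=$((v+1));; esac    # lowercase s/t also carry x
        case $i:$t in                              # uppercase S/T: bit set, no x
            0:??[sS]) special=$((special+4));;     # setuid on the u triplet
            1:??[sS]) special=$((special+2));;     # setgid on the g triplet
            2:??[tT]) special=$((special+1));;     # sticky on the o triplet
        esac
        digits="$digits$v"; i=$((i+1))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Constructed ls -l output, not taken from a real system.
SAMPLE_LS='-rwxr-xr-x 1 root root  55528 Jan  1 12:00 /usr/bin/ls
-rwsr-xr-x 1 root root  68208 Jan  1 12:00 /usr/bin/passwd
-rwxr-sr-x 1 root tty   23000 Jan  1 12:00 /usr/bin/write
drwxrwxrwt 9 root root   4096 Jan  1 12:00 /tmp
-rwSr--r-- 1 root root    120 Jan  1 12:00 /opt/odd-file'

# list_special_bits -> prints "OCTAL PATH" for every entry whose setuid or
# setgid bit is set (a sticky-only directory such as /tmp is not reported).
list_special_bits() {
    while read -r mode _ _ _ _ _ _ _ path; do
        oct=$(mode_to_octal "$mode")
        case $oct in [2-7]*) echo "$oct $path";; esac
    done <<EOF
$SAMPLE_LS
EOF
}

list_special_bits
```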