Linux users and groups, /etc/passwd, /etc/shadow, /etc/group, password management

Linux user and group and permission management

Basic commands

Files

/etc/passwd   stores user account information
/etc/shadow   stores user password information
/etc/group    stores group information
/etc/sudoers  configuration file for the sudo command

Group

  • Add group

    groupadd add group
        -g specifies group ID
    
  • Modify group properties

    groupmod modifies group attributes
    
  • Delete group

    groupdel delete group
    

Users

  • Add user

    useradd add user
        -u specifies the uid number
        -g specifies the basic group
        -G specifies additional groups
        -s specifies the command interpreter for user login
            -s /sbin/nologin
            -s /bin/bash
        -M do not create a home directory
    
  • Update user information

    usermod updates user information
    
  • Delete user

    userdel delete user
        -r also delete the home directory when deleting the user
    
  • User password/lock

    passwd changes user password
        -S View user password status
        -l lock user
        -u unlock user
    
    chage Modify password expiration time
        -M Change the maximum number of days the password is valid for
    
  • Switch user / run as root

    sudo executes a command as another user (root by default)
    su switches to another user
    
  • View information such as system processes and the users they belong to

    ps aux
    

File/Permissions

ln -s /tmp/ajest.txt /root/Desktop/ajest.txt
    Create a symbolic link (shortcut) at /root/Desktop/ajest.txt pointing to /tmp/ajest.txt

chmod changes the permissions of a file or directory
    u-r revoke the owner's read permission
    u-w revoke the owner's write permission
    o=--- revoke all permissions for other users
    o-r revoke other users' read permission (for a directory, the permission to list it)
    o=rwx set other users' permissions to read, write and execute
    g=--- revoke all permissions for the owning group
chmod 1777 /tmp/ sets the sticky bit on the directory
chmod 2777 /tmp/rootDir sets the sgid bit on the directory

chown root /tmp/ajestDir/ajest.txt
    Change the file owner to root

ls -ld /tmp/rootDir/ View the permissions of the directory

Users and Groups

Basic principles

  • A computer user (a human, a normal user, an attacker) acts through an account (a user or role) that carries permissions.
    To execute a program or open a file, you must act as a certain user with certain permissions.

  • User must belong to a group

  • Encryption

    • Symmetric encryption

      DES, 3DES, AES

    • Asymmetric encryption

      RSA

    • Hash (one-way hash)

      md5, sha-256, sha-512

User classification

    User classification        UID
    Ordinary user              > 1000
    Program user               1 – 1000
    Super administrator user   0
  • Program user

    Program users cannot log in; they are accounts used specifically to run programs or services. They have lower permissions and can only access and execute the files and resources related to their task.

    The role of the program user is to provide a safe, isolated and manageable environment for running the program, to ensure system stability, security and performance.

    For example:

    root starts the apache httpd service. For security reasons, root then hands the process over to the daemon user.

Group

  • Divided into basic group and additional group

  • First there are groups, then users:

    • A user must have one and only one basic group.
    • When creating a user, if no basic group is specified, a group with the same name as the user will be created first, and then the user will be created.
  • A user can have multiple attached groups

  • The basic group can be deleted only if there are no users in it.

/etc/passwd file

  • Store username and other information

  • 7 fields

    Separated by colon :

    root:x:0:0:root:/root:/usr/bin/zsh    (or /usr/sbin/nologin)

    Field          Meaning
    root           Username
    x              Password; x is a placeholder for the hash kept in /etc/shadow (an empty field means no password)
    0              UID
    0              GID (group id of the basic group)
    root           Remarks
    /root          Home directory
    /usr/bin/zsh   Login shell / command interpreter (e.g. /bin/bash)
  • Super administrator UID=0, system user UID 1-999, ordinary user UID 1000 or later

  • Ordinary users can obtain root permissions after changing their UID to 0.

  • Shell

    • /bin/bash
    • /bin/sh
    • zsh

    echo $0    View the current command interpreter
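A read-only check of /etc/passwd for the two risks this section describes (a second account with UID 0, and an empty password field), as an added example that is not part of the original notes; the sample lines are constructed and the account names in them are hypothetical.

```shell
#!/bin/sh
# Added example: audit /etc/passwd-format lines. PASSWD_SAMPLE is a
# constructed sample; on a real host pipe /etc/passwd into audit_passwd instead.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gjl:x:1000:1000::/home/gjl:/bin/bash
extra0:x:0:0::/tmp:/bin/bash
legacy::1001:1001::/home/legacy:/bin/sh'

# Reads passwd-format lines on stdin and prints one finding per problem:
#   malformed:<user>  the line does not have exactly 7 colon-separated fields
#   uid0:<user>       UID 0 (full root rights) on an account other than root
#   nopass:<user>     empty password field, i.e. no password is required
audit_passwd() {
    awk -F: '
        NF != 7                 { printf "malformed:%s\n", $1; next }
        $3 == 0 && $1 != "root" { printf "uid0:%s\n", $1 }
        $2 == ""                { printf "nopass:%s\n", $1 }
    '
}

# Demo on the constructed sample
printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
```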

/etc/shadow file

  • Store password information

  • 9 fields

  • Format

    root:$y$j9T$jOd7E6DLFdmgM3x6gciyA/$KHsDhTVufiVEc0ACIUAcrk9N8pPJpYv5ZGPOMtI3mY9:19404:0:99999:7:::
    # Username:!!  means this user has no password
    # Username:*   means this user's password is locked
    # The password field is a one-way hash written as $Algorithm$Salt$Ciphertext

    Field by field, using the stricter example values 19404:3:90:7:10 for the aging fields:

    1. Username                          root
    2. Password text                     $y$j9T$...3mY9, i.e. $Algorithm$Salt$Ciphertext (hash encryption)
    3. Last password modification date   19404    days since 1970-01-01
    4. Minimum password validity period  3        days during which the password cannot be changed
    5. Maximum password validity period  90       days after which it must be changed again; 99999 means it never expires
    6. Password expiration warning       7        days before expiry on which the user is reminded
    7. Password inactivity period        10       days after expiry before the password is locked; 0 means locked immediately
    8. Account expiration time           (empty)  days since 1970-01-01; past this date the account cannot be used at all, whether or not the password has expired
    9. Reserved parameters

    With 19404:3:90:7:10 the timeline, counted in days after the last password change, is:

    day 0     password changed; the user cannot change it again yet
    day 3     minimum validity period over; the user can change the password
    day 83    warning starts (90 - 7); the user is prompted to change the password
    day 90    maximum validity period reached; the password has expired but login is still possible
    day 100   inactivity period over (90 + 10); the password is locked and login is no longer possible

    |-- cannot change --|-- can change --|-- prompt to change --|-- can still log in --|--> unable to log in
    0                   3                83                     90                     100
    ^                   ^                ^                      ^                      ^
    last change         minimum period   warning                maximum period         inactivity period

    Show specific date

    date -d "1970-01-01 <number> days"
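The aging calculation above, as an added example that is not part of the original notes: it parses one /etc/shadow-format line and prints the day numbers of each milestone, and converts a day count to a date with plain POSIX arithmetic instead of GNU date -d. The shadow line is constructed and its hash is a placeholder.

```shell
#!/bin/sh
# Added example: password-aging timeline for one shadow line.
# SAMPLE is constructed; root would read the real /etc/shadow instead.
SAMPLE='alice:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19404:3:90:7:10::'

# Convert "days since 1970-01-01" to YYYY-MM-DD using only POSIX arithmetic
# (the civil-from-days algorithm), so it works without GNU "date -d".
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Print the aging milestones (as day numbers) for one shadow line:
# field 3 = last change, 4 = min, 5 = max, 6 = warn, 7 = inactive.
shadow_timeline() {
    IFS=: read -r user _hash lastchg min max warn inact rest <<EOF
$1
EOF
    if [ -z "$lastchg" ] || [ -z "$max" ]; then
        printf '%s no-aging\n' "$user"; return 0
    fi
    can_change=$(( lastchg + ${min:-0} ))      # minimum period over
    must_change=$(( lastchg + max ))           # password expires
    warn_from=$(( must_change - ${warn:-0} ))  # reminder starts
    if [ -n "$inact" ]; then locked=$(( must_change + inact )); else locked=never; fi
    printf '%s can_change=%s warn_from=%s must_change=%s locked=%s\n' \
        "$user" "$can_change" "$warn_from" "$must_change" "$locked"
}

# Demo on the constructed line
shadow_timeline "$SAMPLE"
printf 'last change on %s\n' "$(days_to_date 19404)"
```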
    

/etc/group file

  • Store group information

  • Format

    gjl:x:1000:gjl

    Field   Meaning
    gjl     Group name, consisting of letters or numbers
    x       Password placeholder; the group password is stored in /etc/gshadow by default
    1000    GID (group ID)
    gjl     Group members (users in the group)

User and group management

Create groups and users

  • Create user

    useradd <username>
    -u <uid>, specify uid number
    -g <gid> or <group name>, specify the basic group
    -G <gid> or <group name>, specify additional groups
    -s, specify the command interpreter for user login, such as -s /sbin/nologin, -s /bin/bash
    -M, do not create a home directory
    

    View the log

    tail -10 /var/log/secure
    tail -f /var/log/secure     # -f follows new entries as they are written
    # The log shows that the group with the same name is created first, then the user
    


  • Create group

    groupadd group name
    -g <gid>
    # -g specifies group id
    

    After creating a group, you can directly query the last line of the group file

    tail -1 /etc/group
    

Delete groups and users

  • delete users

    userdel <username>
    userdel -r <username>    # -r also deletes the home directory
    
  • Delete group

    groupdel group name
    

Modify groups and users

  • Modify user

    usermod -u <uid> <username>    # modify the uid
    
  • Modify group information

    groupmod -g <gid> <group name>
    # For example, change the group id of bk2304 to 2000
    groupmod -g 2000 bk2304
    

Password management

  • View user password status

    passwd -S <username>
    


    root PS 1969-12-31 0 99999 7 -1

    Field                             Value     Meaning
    User name                         root
    Password status                   PS        LK = password locked, NP = no password, PS = a usable password is set
    Password last modification time   1969-12-31
    Minimum password validity period  0
    Maximum validity period           99999
    Warning time                      7         warn 7 days before the password expires
    Expiration time                   -1        -1 means no expiration time
  • Delete user password

    passwd -d <username>
    
  • Set user password

    passwd <username>
    # Enter the password and confirm the password according to the prompts
    
  • User lock

    passwd -l <username>
    # The user password status displays LK, and the password in /etc/shadow displays "!!"
    


  • Unlock user

    passwd -u <username>
    
  • Change the maximum password validity period

    passwd -x <days> <username>