Linux user, group and permission management
Basic commands
Files
- /etc/passwd stores user account information
- /etc/shadow stores user password information
- /etc/group stores group information
- /etc/sudoers is the configuration file for the sudo command
Group
- Add a group: `groupadd` adds a group; `-g` specifies the group ID
- Modify group attributes: `groupmod` modifies group attributes
- Delete a group: `groupdel` deletes a group
Users
- Add a user: `useradd` adds a user
  - `-u` specifies the UID number
  - `-g` specifies the basic group
  - `-G` specifies additional groups
  - `-s` specifies the command interpreter (login shell), e.g. `-s /sbin/nologin` or `-s /bin/bash`
  - `-M` does not create a home directory
- Update user information: `usermod` updates user information
- Delete a user: `userdel` deletes a user; `-r` also deletes the home directory
- User password/lock: `passwd` changes a user's password
  - `-S` views the user's password status
  - `-l` locks the user
  - `-u` unlocks the user
  - `chage` modifies password expiration; `-M` changes the maximum number of days the password is valid
- root: `sudo` executes a command as another user; `su` switches users
- View system processes and the users they belong to: `ps aux`
File/Permissions
- `ln -s /tmp/ajest.txt /root/Desktop/ajest.txt` creates a symbolic link (shortcut) at /root/Desktop/ajest.txt pointing to /tmp/ajest.txt
- `chmod` changes the permissions of a file or directory
  - `u-r` revokes the owner's read permission
  - `u-w` revokes the owner's write permission
  - `o=---` revokes all permissions of other users
  - `o-r` revokes other users' permission to list the directory
  - `o=rwx` sets other users' permissions
  - `g=---` sets the permissions of the owning group
  - `chmod 1777 /tmp/` sets the sticky bit on the directory
  - `chmod 2777 /tmp/rootDir` sets the SGID bit on the directory
- `chown root /tmp/ajestDir/ajest.txt` changes the file owner to root
- `ls -ld /tmp/rootDir/` views the permissions of the directory itself
Users and Groups
Basic principles
- A computer user (a human, a normal user, a hacker) acts through an account (user, role), and the account holds the permissions.
- To execute a program or open a file, you must act as a certain user with certain permissions.
- A user must belong to a group.
Encryption
- Symmetric encryption: DES, 3DES, AES
- Asymmetric encryption: RSA
- One-way hash: md5, sha-256, sha-512
User classification

User classification | UID
---|---
Ordinary user | > 1000
Program user | 1 – 1000
Super administrator user | 0
Program user
- Program users cannot log in; they are accounts used specifically to run programs or services. They have lower permissions and can only access and execute the files and resources related to their tasks.
- The role of a program user is to provide a safe, isolated and manageable environment in which to run the program, so as to ensure system stability, security and performance.
- For example: root starts the Apache httpd service; for security reasons, root hands the process over to the daemon user.
Group
- Divided into the basic group and additional groups
- Groups come first, then users:
  - A user must have one and only one basic group.
  - When creating a user, if no basic group is specified, a group with the same name as the user is created first, and then the user is created.
- A user can have multiple additional groups.
- A basic group can be deleted only if there are no users in it.
/etc/passwd file
- Stores the username and other account information
- 7 fields, separated by colons (`:`). Example:

  root:x:0:0:root:/root:/usr/bin/zsh

  - Username
  - Password: `x` is a placeholder (the hash lives in /etc/shadow); an empty field means no password
  - UID
  - GID (ID of the basic group)
  - Remarks (comment field)
  - Home directory
  - Login shell / command interpreter, e.g. /bin/bash, /usr/bin/zsh, or /usr/sbin/nologin for accounts that may not log in
- Super administrator UID = 0, system users UID 1-999, ordinary users UID 1000 and later
- An ordinary user's account obtains root permissions if its UID is changed to 0.
- Shells
  - /bin/bash
  - /bin/sh
  - zsh
  - `echo $0` views the current command interpreter
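The points above (UID 0 means root, an empty password field means no password, the shell field decides who can log in) are exactly what an administrator checks when reviewing /etc/passwd. This added example is not part of the original notes; it audits constructed passwd-style records inline, or a real file passed as its first argument.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit /etc/passwd-style
# records for the conditions described above (a second UID 0 account, an
# empty password field, ordinary users with an interactive shell).
# The records below are constructed so the script runs offline; pass a
# readable file as the first argument to audit a real /etc/passwd instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gjl:x:1000:1000:gjl:/home/gjl:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/sh'

# Accounts with UID 0 other than root: any of these has full root rights.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty, i.e. no password is required.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Ordinary users (UID >= 1000) whose login shell is not nologin, printed as
# name:shell, so the set of interactively usable accounts is visible.
interactive_users() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $7 !~ /nologin$/ { print $1 ":" $7 }'
}

# Run all three checks over one passwd-style text and print a summary.
audit_passwd() {
    echo "UID 0 accounts other than root: $(extra_uid0_accounts "$1" | tr '\n' ' ')"
    echo "Accounts with an empty password field: $(empty_password_accounts "$1" | tr '\n' ' ')"
    echo "Interactive ordinary users: $(interactive_users "$1" | tr '\n' ' ')"
}

if [ -n "$1" ] && [ -r "$1" ]; then
    audit_passwd "$(cat "$1")"
else
    audit_passwd "$SAMPLE_PASSWD"
fi
```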
/etc/shadow file
- Stores password information
- 9 fields, separated by colons. Example:

  root:$y$j9T$jOd7E6DLFdmgM3x6gciyA/$KHsDhTVufiVEc0ACIUAcrk9N8pPJpYv5ZGPOMtI3mY9:19404:0:99999:7:::

  - `username:!!` means this user has no password
  - `username:*` means this user's password is locked
  - The password field has the form `$algorithm$salt$ciphertext` (here `$y$` is the algorithm, `j9T` the salt, and the rest the hash)
  - Fields (the values in parentheses are a second example: 19404, 3, 90, 7, 10):
    - Username
    - Password text (the hash above)
    - Last password modification date, as days since 1970-01-01 (19404)
    - Minimum password validity period: the password cannot be changed again before this many days (3)
    - Maximum password validity period: days after which the password must be changed; 99999 means it never expires (90)
    - Password expiration warning: number of days before expiry on which the user is reminded (7)
    - Password inactivity period: days after expiry before the account is locked; 0 means it is locked as soon as the password expires (10)
    - Account expiration time: total days since 1970-01-01; after this date the account cannot be used regardless of whether the password has expired
    - Reserved field
- Timeline for a password with minimum 3, maximum 90, warning 7 and inactivity 10 days, counted from the modification date:

  Day | State
  ---|---
  0 | Password modified; the user cannot change it yet, and logs in normally
  3 | Minimum validity period over; the user can change the password
  83 | Warning period begins; the user is prompted to change the password
  90 | Password expires; the user can still log in but must change the password
  100 | Password locked; the user cannot log in

- Show a day count as a calendar date:
  date -d "1970-01-01 <number> days"
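The milestones in the table above are plain arithmetic on fields 3 to 7 of the shadow record. This added example, not part of the original notes, computes them for a constructed record (its hash is a placeholder) and classifies the password state on a given day, with an empty inactivity field treated as "never locked".

```shell
#!/bin/sh
# Added example, not part of the original notes: compute the password-aging
# milestones of an /etc/shadow record from fields 3-7, using the same
# days-since-1970-01-01 arithmetic as `date -d "1970-01-01 <n> days"`.
# The record is constructed and its hash is a placeholder, not a real one.
SAMPLE_SHADOW='gjl:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19404:3:90:7:10::'

# Print six space-separated day numbers for one record:
#   last_change can_change warning_starts expires locked max_age
# ("locked" is -1 when the inactivity field is empty, i.e. never locked).
shadow_milestones() {
    printf '%s\n' "$1" | awk -F: '{
        last = $3; min = $4; max = $5; warn = $6; inact = $7
        locked = (inact == "") ? -1 : last + max + inact
        printf "%d %d %d %d %d %d\n", last, last + min, last + max - warn, last + max, locked, max
    }'
}

# Convert a day number into a calendar date (GNU date, as in the notes above).
day_to_date() {
    date -u -d "1970-01-01 $1 days" +%Y-%m-%d
}

# Classify a record's state on a given day number, following the timeline in
# the notes: cannot change -> can change -> warning -> expired -> locked.
password_state() {
    set -- $(shadow_milestones "$1") "$2"
    canchange=$2; warnstart=$3; expires=$4; locked=$5; max=$6; today=$7
    if [ "$today" -lt "$canchange" ]; then echo valid-cannot-change
    elif [ "$max" -ge 99999 ]; then echo valid-never-expires
    elif [ "$locked" -ge 0 ] && [ "$today" -ge "$locked" ]; then echo locked
    elif [ "$today" -ge "$expires" ]; then echo expired-must-change
    elif [ "$today" -ge "$warnstart" ]; then echo warning
    else echo valid
    fi
}

# Stand-alone run: walk the sample record through the days used in the notes.
for day in 19404 19407 19487 19494 19504; do
    echo "day $day: $(password_state "$SAMPLE_SHADOW" "$day")"
done
```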
/etc/group file
- Stores group information
- Format, 4 fields separated by colons:

  gjl:x:1000:gjl

  - Group name: the name of the user group, made up of letters or digits
  - Password: `x` is the password placeholder; the group password itself is saved in /etc/gshadow by default
  - GID: group ID
  - Group members: the users in the group
User and group management
Create groups and users
- Create a user:
  useradd <username>
  - `-u <uid>` specifies the UID number
  - `-g <gid>` or `-g <group name>` specifies the basic group
  - `-G <gid>` or `-G <group name>` specifies additional groups
  - `-s` specifies the command interpreter for login, e.g. `-s /sbin/nologin` or `-s /bin/bash`
  - `-M` does not create a home directory
- View the log while creating a user:
  tail -f -n 10 /var/log/secure
  The log shows that the group with the same name is created automatically first, then the user.
- Create a group:
  groupadd <group name> -g <gid>   # -g specifies the group ID
  After creating a group, you can check the last line of the group file directly:
  tail -1 /etc/group
Delete groups and users
- Delete a user:
  userdel -r <username>   # -r deletes the home directory at the same time
- Delete a group:
  groupdel <group name>
Modify groups and users
- Modify a user:
  usermod -u <uid> <username>   # modify the UID
- Modify group information:
  groupmod -g 2000 bk2304   # for example, change the GID of group bk2304 to 2000
Password management
- View a user's password status:
  passwd -S <username>
  Example output: root PS 1969-12-31 0 99999 7 -1
  Fields: username, password status, date of the last password change, minimum validity period, maximum validity period, warning period (7 = warn 7 days before expiry), inactivity period (-1 means none)
  Password status values:
  - LK: password locked
  - NP: no password
  - PS: a usable password is set
- Delete a user's password:
  passwd -d <username>
- Set a user's password:
  passwd <username>   # enter the password and confirm it at the prompts
- Lock a user:
  passwd -l <username>   # the password status shows LK, and the password field in /etc/shadow shows "!!"
- Unlock a user:
  passwd -u <username>
- Change the maximum password validity period:
  passwd -x <days> <username>