Topics: creating and deleting users and groups; changing the owner and group of a file or directory; changing file permissions; worked cases; switching users.

User information in Linux systems is stored in the /etc/passwd file

Group information is generally placed in /etc/group

[root@localhost home]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

The fields are separated by :

Column 1: username

Column 2: password (an x means the hash is kept in /etc/shadow)

Column 3: uid, the user identifier; 0 is the uid of the superuser root

Column 4: gid, the primary group identifier

Column 5: description (comment) field

Column 6: home directory

Column 7: the login shell, the first program run when the user logs in; an account whose shell is bash can log in to the system, one whose shell is nologin cannot.
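To turn the seven columns above into something auditable, here is an added shell example (not from the original post) that reads a constructed /etc/passwd sample and reports the two things a defender checks first: every account whose uid is 0, and every account whose shell still allows a login. The sample lines, including the second uid-0 account "backup", are invented for the demonstration.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd for the demonstration (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
user01:x:1000:1000::/home/user01:/bin/bash
svc:x:1001:1001::/var/lib/svc:/sbin/nologin'

# Column 3 is the uid. Every account with uid 0 is a superuser whatever its name,
# so anything besides "root" in this list deserves a look.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Column 7 is the login shell. nologin and false refuse interactive logins;
# any other shell lets the account log in.
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# One line per account: name, uid, primary gid, shell.
summarize_accounts() {
    printf '%s\n' "$1" | awk -F: '{ printf "%-8s uid=%-5s gid=%-5s shell=%s\n", $1, $3, $4, $7 }'
}

summarize_accounts "$SAMPLE_PASSWD"
printf 'uid 0 accounts : %s\n' "$(uid0_accounts "$SAMPLE_PASSWD")"
printf 'login shells   : %s\n' "$(login_accounts "$SAMPLE_PASSWD")"
```

On a real host the same functions take the live file, for example uid0_accounts "$(cat /etc/passwd)"; the only expected answer there is root.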

Create users and groups

1. Create a user: useradd username -g groupname

-g sets the new user's primary group.

Without -g, a group with the same name as the user is created and becomes the user's primary group.

To create the user without a home directory under /home, add -M.

Check that the user was created with: id username

2. Create a group: groupadd groupname

View group information in /etc/group; each line has the format groupname:grouppassword:gid:groupmembers, for example:

root:x:0:

Creating a user leaves traces in 5 places.

/etc/passwd: the account's entry; the password field is not edited here, the other fields can be changed

/etc/group: a group with the same name as the user

/home: the user's home directory

/var/mail: the user's system mailbox

/etc/shadow, the shadow file, which stores the user's password hash

Example:

Create a user with a specified uid

[root@localhost ~]# useradd user02 -u 520
[root@localhost ~]# id user02
uid=520(user02) gid=1004(user02) group=1004(user02)

Modify the uid of an existing user

[root@localhost ~]# id user02
uid=520(user02) gid=1004(user02) group=1004(user02)
[root@localhost ~]# usermod -u 521 user02
[root@localhost ~]# id user02
uid=521(user02) gid=1004(user02) group=1004(user02)

Example: create a user who cannot log in to the system

[root@localhost ~]# useradd xiaodaidai -s /sbin/nologin
[root@localhost ~]# su - xiaodaidai
This account is currently not available.

Example:

1. Create user05

useradd user05

Its primary group is user05:

id user05
uid=1004(user05) gid=1004(user05) group=1004(user05)

2. Create user06 with user05 as its primary group

useradd user06 -g user05
id user06
uid=1005(user06) gid=1004(user05) group=1004(user05)

3. Create user07 with user07 as its primary group and user05 as a supplementary group

useradd user07 -G user05
id user07
uid=1006(user07) gid=1006(user07) group=1006(user07),1004(user05)

4. Add wheel to user07's supplementary groups

usermod -aG wheel user07
id user07
uid=1006(user07) gid=1006(user07) group=1006(user07),10(wheel),1004(user05)
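As an added example (not part of the original post), this shell function rebuilds the id output of steps 1 to 4 from a constructed pair of /etc/passwd and /etc/group files: the primary group comes from the gid column of passwd, the supplementary groups from the member column of group. The file contents are invented to match the user05/user06/user07 scenario; the gid numbers follow the examples above.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group contents matching the user05/06/07 steps
# above (invented for the demonstration, not copied from a real system).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
user05:x:1004:1004::/home/user05:/bin/bash
user06:x:1005:1004::/home/user06:/bin/bash
user07:x:1006:1006::/home/user07:/bin/bash'

# useradd -g only sets the gid column in passwd; useradd -G and usermod -aG append
# the user to the member column (field 4) of the group line.
GROUP_SAMPLE='root:x:0:
wheel:x:10:user07
user05:x:1004:user07
user06:x:1005:
user07:x:1006:'

# Rebuild what `id username` prints from the two files:
#  - uid and primary gid come from the passwd line,
#  - the primary group's name is the group line carrying that gid,
#  - supplementary groups are every group whose member list names the user.
resolve_id() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" -v grp="$GROUP_SAMPLE" '
        $1 == u { uid = $3; gid = $4; found = 1 }
        END {
            if (!found) { print "no such user: " u; exit 1 }
            n = split(grp, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[3] == gid) gname = f[1]
                m = split(f[4], members, ",")
                for (j = 1; j <= m; j++)
                    if (members[j] == u && f[3] != gid)
                        extra = extra "," f[3] "(" f[1] ")"
            }
            printf "uid=%s(%s) gid=%s(%s) groups=%s(%s)%s\n", uid, u, gid, gname, gid, gname, extra
        }'
}

for name in user05 user06 user07; do
    resolve_id "$name"
done
```

On a real host the same logic applies to /etc/passwd and /etc/group; the real id command additionally consults other NSS sources (LDAP, SSSD), which these two files do not show.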

Delete users and groups

Delete an existing user: userdel -r username. Without -r the deletion is not clean: the user and its group are removed, but the mailbox under /var/mail and the home directory under /home remain.

Delete an existing group: groupdel groupname; a group that is still some user's primary group cannot be deleted.

Change a user's password

Root changes another user's password: passwd username

A logged-in user changes their own password: $ passwd

Normally root changes an ordinary user's password interactively:

[root@localhost ~]# passwd user01
Change the password of user user01.
New password:
Invalid password: The password is a palindrome
Re-enter new password:
passwd: All authentication tokens have been successfully updated.

To change a password as root without interaction:

echo '123' | passwd --stdin username

(--stdin exists in the passwd of RHEL-family systems; a password typed on the command line like this also ends up in the shell history.)

View the current account

who, whoami or w can all be used:

[root@localhost a]# w
 18:23:17 up 6:48, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 221 20:21 0.02s 0.02s -bash
root pts/0 192.168.231.1 18:03 5.00s 0.10s 0.00s w
root pts/1 192.168.231.1 18:03 20:16 0.00s 0.00s -bash

Group member management

View a user's information: id username (a user can belong to more than one group: a primary group plus supplementary groups)

Add a user to a group: usermod -aG groupname username

Remove a user from a group: gpasswd -d username groupname

Example: add a user to a group. I want to add the existing user01 to the zhuzhuxia group:

[root@localhost ~]# gpasswd -a user01 zhuzhuxia
Adding user "user01" to the "zhuzhuxia" group
[root@localhost ~]# id user01
uid=250(user01) gid=1003(user01) group=1003(user01),1001(zhuzhuxia)

Example: add multiple users to a group with -M (this sets the group's member list to exactly the users given, replacing any existing members)

Add user02 and mihulaoshi to the zhuzhuxia group:

[root@localhost ~]# gpasswd -M user02,mihulaoshi zhuzhuxia

Example: remove a user from a group with -d

gpasswd -d username groupname

Remove user02 from the zhuzhuxia group:

[root@localhost ~]# gpasswd -d user02 zhuzhuxia
Removing user "user02" from group "zhuzhuxia"
[root@localhost ~]# cat /etc/group | grep zhuzhuxia
zhuzhuxia:x:1001:mihulaoshi

stat is used to view a file's status information:

[root@localhost ~]# stat /etc/passwd
  File: "/etc/passwd"
  Size: 1153 Blocks: 8 IO Blocks: 4096 Normal File
Device: fd00h/64768d Inode: 34073266 Hard Link: 1
Permissions: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
Environment: system_u:object_r:passwd_file_t:s0
Last visit: 2023-08-30 16:03:15.593649649 + 0800
Last changed: 2023-08-30 16:03:15.575649526+0800
Last modified: 2023-08-30 16:03:15.577649540+0800
Created:-

Basic permissions: ugo

u is the user who owns the file (the owner).

g is the group the file belongs to; every member of that group has the same permissions.

o is others (everyone else).

a is all three (u, g and o).

ll -d a
drwxr-xr-x 2 root root 20 August 18 18:41 a

In drwxr-xr-x, the first rwx is the owner's permissions, the next r-x is the group's permissions, and the last r-x is the permissions of others.

r is read ------> 4: cat vim more less head tail grep ls

w is write -----> 2

x is execute ---> 1: cd, running a file

For a file:
r ---- cat vim tail head more less
w ---- vi, vim, echo >, echo >>
x ---- run it directly as ./file (bash /dir/file needs only r). Note: after chmod a-x file, even root cannot run ./file.

When others only have write permissions on the file

For a directory:
r ---- ls: with only r you can list the names in the directory, but ls also prints errors because it cannot read the entries' details.
w ---- touch, rm: create and delete files in the directory, but x is required as well.
x ---- cd: enter the directory.

Change the owner and group of a file: chown

Syntax: chown owner.group filename (chown owner:group filename is the form documented in the man page; both separators are accepted)

For example, the owner and group of /home/12.txt are currently root root:
[root@zyq home]# ll -d 12.txt
-rw-r--r-- 1 root root 157 August 16 22:51 12.txt

I want to change the owner of 12.txt to tom:

[root@zyq home]# chown tom 12.txt
[root@zyq home]# ll -d 12.txt
-rw-r--r-- 1 tom root 157 August 16 22:51 12.txt

I want to change the group of 12.txt to jack (remember the leading . when changing only the group):

[root@zyq home]# chown .jack 12.txt
[root@zyq home]# ll -d 12.txt
-rw-r--r-- 1 tom jack 157 August 16 22:51 12.txt

I want to change both the owner and the group of 12.txt to alices:

[root@zyq home]# chown alices.alices 12.txt
[root@zyq home]# ll -d 12.txt
-rw-r--r-- 1 alices alices 157 August 16 22:51 12.txt

Example

There is a directory /aaa/bbb/ccc. I want to change the owner and group of this directory and everything below it to tom.

Solution

[root@zyq ccc]# chown -R tom.tom /aaa/bbb/ccc

-R applies the change recursively.

Change file permissions: chmod

Operators: + (add), - (remove), = (set exactly)

Files created by the root user are 644 by default.

Using symbols

Example: I want to add write permission for the group to file.txt.

Before:

[root@zyq ~]# ll -d file.txt
-rw-r--r--. 1 root root 34 August 15 16:12 file.txt

After:

[root@zyq ~]# chmod g+w file.txt
[root@zyq ~]# ll -d file.txt
-rw-rw-r--. 1 root root 34 August 15 16:12 file.txt
Example: I want to add write and execute permission for others to file.txt

Solution:

[root@zyq ~]# chmod o+wx file.txt
[root@zyq ~]# ll -d file.txt
-rw-rw-rwx. 1 root root 34 Aug 15 16:12 file.txt
Example: I want to give everyone read, write and execute permission on file.txt

Solution:

[root@zyq ~]# chmod a=rwx file.txt
[root@zyq ~]# ll -d file.txt
-rwxrwxrwx. 1 root root 34 Aug 15 16:12 file.txt
Example: remove read and write permission from everyone on file.txt

Solution:

[root@zyq ~]# chmod a-rw file.txt
[root@zyq ~]# ll -d file.txt
---x--x--x. 1 root root 34 Aug 15 16:12 file.txt
Example: give the owner and the group read and write permission, and others execute only

Solution:

[root@zyq ~]# chmod ug=rw,o=x file.txt
[root@zyq ~]# ll -d file.txt
-rw-rw---x. 1 root root 34 Aug 15 16:12 file.txt

Using numbers

Example:

[root@zyq ~]# chmod 741 /file.txt
[root@zyq ~]# ll /file.txt
-rwxr----x 1 root root 0 Aug 19 14:14 /file.txt
[root@zyq ~]# chmod 647 /file.txt
[root@zyq ~]# ll /file.txt
-rw-r--rwx 1 root root 0 Aug 19 14:14 /file.txt
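An added shell example (not from the original page) that converts between the numeric and symbolic forms used with chmod above. It also decodes the optional leading fourth digit (suid 4, sgid 2, sticky 1) that the advanced-permissions section later on this page sets with u+s, g+s and o+t, so it goes slightly beyond the three-digit modes shown here.

```shell
#!/bin/sh
# Convert an octal mode as given to chmod (3 or 4 digits) into the ls -l string.
# The leading digit holds suid (4), sgid (2) and sticky (1); they appear as s/S in the
# owner and group x column and t/T in the others column (lowercase when the x bit is
# also set, uppercase when it is not).
octal_to_symbolic() {
    mode=$(( 0$1 ))        # a leading 0 makes the shell parse the digits as octal
    out=""
    for off in 6 3 0; do
        bits=$(( (mode >> off) & 7 ))
        case $off in
            6) special=$(( mode & 04000 )); lo=s; up=S ;;
            3) special=$(( mode & 02000 )); lo=s; up=S ;;
            0) special=$(( mode & 01000 )); lo=t; up=T ;;
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}${lo}"; else out="${out}${up}"; fi
        else
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# The reverse: a 9-character ls -l string back to a 4-digit octal mode.
symbolic_to_octal() {
    s=$1; perm=0; special=0; pos=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}    # first character
        s=${s#?}           # drop it
        case $c in
            -|S|T) bit=0 ;;    # S and T mean the special bit without the x bit
            *)     bit=1 ;;
        esac
        perm=$(( perm * 2 + bit ))
        case "$pos$c" in
            2s|2S) special=$(( special | 4 )) ;;   # owner x column  -> suid
            5s|5S) special=$(( special | 2 )) ;;   # group x column  -> sgid
            8t|8T) special=$(( special | 1 )) ;;   # others x column -> sticky
        esac
        pos=$(( pos + 1 ))
    done
    printf '%o%03o\n' "$special" "$perm"
}

for m in 741 647 644 755 4755 2755 1777; do
    sym=$(octal_to_symbolic "$m")
    printf '%s -> %s -> %s\n' "$m" "$sym" "$(symbolic_to_octal "$sym")"
done
```

The round trip at the bottom is the check: every mode must come back unchanged, which also confirms that 741 and 647 from the listings above decode to rwxr----x and rw-r--rwx.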

Case 1:

The effect of rwx on a file

1.txt has permissions 644 and its owner and group are both root, so an ordinary user only has read permission on it:

[root@zyq ~]# vim /home/a/1.txt
[root@zyq ~]# ll /home/a/1.txt
-rw-r--r-- 1 root root 6 Aug 19 14:26 /home/a/1.txt

Switch to an ordinary user: the file can be read.

[root@zyq ~]# su - zhouyq
Last login: on Tue Aug 15 21:50:38 CST 2023:0
[zhouyq@zyq ~]$ cat /home/a/1.txt
date

It cannot be executed:

[zhouyq@zyq ~]$ /home/a/1.txt
-bash: /home/a/1.txt: Insufficient permissions

Add execute permission for others; now the file can be run:

[root@zyq ~]# chmod o+x /home/a/1.txt
[root@zyq ~]# ll /home/a/1.txt
-rw-r--r-x 1 root root 6 Aug 19 14:26 /home/a/1.txt
[root@zyq ~]# su - zhouyq
Last login: Sat Aug 19 14:27:19 CST 2023pts/2
[zhouyq@zyq ~]$ /home/a/1.txt
Saturday, August 19, 2023 14:29:33 CST

Check whether it can be written: no, there is no write permission:

[zhouyq@zyq ~]$ vim /home/a/1.txt
"/home/a/1.txt"
"/home/a/1.txt" E212: cannot open and write to the file

Add write permission; now vim can edit and save the file:

[root@zyq ~]# chmod o+w /home/a/1.txt
[root@zyq ~]# ll /home/a/1.txt
-rw-r--rwx 1 root root 6 Aug 19 14:26 /home/a/1.txt

Case 2:

No w on the directory, but rwx on the file
[root@zyq ~]# ll -d /dir10
drwxr-xr-x 2 root root 19 August 19 16:03 /dir10
[root@zyq ~]# ll /dir10
Total usage 0
-rwxrwxrwx 1 root root 0 August 19 16:03 file1

Now ordinary users have full permissions on the file. Switch user and check whether an ordinary user can read, execute, modify and delete it:

[root@zyq ~]# su - zhouyq
Last login: Sat Aug 19 14:31:51 CST 2023pts/2
[zhouyq@zyq ~]$ cat /dir10/file1
date
[zhouyq@zyq ~]$ /dir10/file1
Saturday, August 19, 2023 16:08:56 CST

It can be read and executed.

It cannot be deleted:

[zhouyq@zyq ~]$ rm -rf /dir10/file1
rm: cannot delete "/dir10/file1": insufficient permissions

The contents of the file can be edited and saved.

A new file cannot be created in the directory:

[zhouyq@zyq ~]$ touch /dir10/file2
touch: cannot create "/dir10/file2": insufficient permissions

Case 3:

w on the directory, but no permissions on the file
[root@zyq ~]# chmod 777 /dir10
[root@zyq ~]# chmod 000 /dir10/file1

Now the directory has full permissions. Switch to the ordinary user and check what can be done.

The file cannot be read, executed or written, because the ordinary user has no permission on it at all:

[zhouyq@zyq ~]$ cat /dir10/file1
cat: /dir10/file1: Insufficient permissions
[zhouyq@zyq ~]$ /dir10/file1
-bash: /dir10/file1: insufficient permissions
[zhouyq@zyq ~]$ vim /dir10/file1
"/dir10/file1" [insufficient permissions] 

But it can be deleted: although the file itself has no permissions, the directory's write permission allows removing it, and a new file can be created in the directory as well:

[zhouyq@zyq ~]$ rm -rf /dir10/file1
[zhouyq@zyq ~]$ ls
public template video picture document download music desktop
[zhouyq@zyq ~]$ touch /dir10/file1
[zhouyq@zyq dir10]$ ls
file1

But a file cannot be created in a directory where the user has no write permission (here the root directory /):

[zhouyq@zyq dir10]$ touch /dir10/file1 /file2
touch: cannot create "/file2": Insufficient permissions

#Summary
With w (and x) on the directory, new files can be created in it and existing files in it can be deleted, regardless of the files' own permissions.

Permission mask: umask

The default umask is 0022

[root@ggbond ~]# umask
0022

The maximum default permissions are 777 for a directory and 666 for a file; the umask removes bits from these.

#umask
0022 default for the root account
0002 default for ordinary users

Applying the mask, the default permissions for directories and files created by root are:

Directory: 755

File: 644

The defaults for ordinary users are:

Directory: 775

File: 664

The umask can be changed by running umask followed by a new 4-digit value, but this only affects the current shell; the original 0022 is back after a shutdown and restart.
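As an added example (not from the original page), the shell functions below compute the default mode for a given umask the way the kernel does, by clearing the umask bits, and contrast that with plain subtraction, which gives a wrong answer once a umask digit is larger than the corresponding base digit (0027 on a file gives 640, not 637). observed_mode creates a file or directory under the mask in a temporary directory and reads the real mode back; it assumes a stat that supports -c, as on GNU/Linux and busybox.

```shell
#!/bin/sh
# Default mode of a new directory or file under a given umask. The kernel clears the
# bits that are set in the umask: mode = base & ~umask. Digit-by-digit subtraction
# only agrees with this while no umask digit exceeds the matching base digit.
default_mode() {
    case $1 in
        dir)  base=$(( 0777 )) ;;
        file) base=$(( 0666 )) ;;
        *)    printf 'usage: default_mode dir|file UMASK\n' >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~(0$2) ))      # leading 0 parses the umask as octal
}

# The subtraction shortcut, kept only to show where it goes wrong.
subtract_mode() {
    case $1 in
        dir)  base=$(( 0777 )) ;;
        file) base=$(( 0666 )) ;;
    esac
    printf '%03o\n' $(( base - 0$2 ))
}

# Create a file or directory under a temporary umask and read back the mode the
# kernel actually assigned, to confirm the calculation (uses stat -c from GNU/busybox).
observed_mode() {
    kind=$1; mask=$2
    tmp=$(mktemp -d)
    if [ "$kind" = dir ]; then
        ( umask "$mask"; mkdir "$tmp/d" ); stat -c '%a' "$tmp/d"
    else
        ( umask "$mask"; : > "$tmp/f" ); stat -c '%a' "$tmp/f"
    fi
    rm -rf "$tmp"
}

for m in 0022 0002 0027 0077; do
    printf 'umask %s: dir %s, file %s (subtraction would say file %s)\n' \
        "$m" "$(default_mode dir "$m")" "$(default_mode file "$m")" "$(subtract_mode file "$m")"
done
printf 'kernel-assigned mode of a file created under umask 0027: %s\n' "$(observed_mode file 0027)"
```

The umask set inside the parentheses applies only to that subshell, which is the same reason a umask typed at the prompt is gone after the next login.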

Advanced permissions

suid

suid only takes effect on executable binaries such as cat, rm and the like. Their default permissions are 755:

[root@ggbond bin]# ll -d cat
-rwxr-xr-x. 1 root root 54080 August 20 2019 cat
[root@ggbond bin]# ll -d rm
-rwxr-xr-x. 1 root root 62872 August 20 2019 rm

For example: as root I created a file named 123 under /opt. Switching to user zyq and trying to delete 123 fails:

[root@localhost ~]# su zyq
[zyq@localhost root]$ cd /opt
[zyq@localhost opt]$ ls
123
[zyq@localhost opt]$ rm -rf 123
rm: cannot delete "123": insufficient permissions

Back as root, add suid to rm, then try again: the file 123 can now be deleted.

[root@localhost ~]# ll -d /usr/bin/rm
-rwxr-xr-x. 1 root root 62872 August 20 2019 /usr/bin/rm
[root@localhost ~]# chmod u+s /usr/bin/rm
[root@localhost ~]# su zyq
[zyq@localhost root]$ cd /opt
[zyq@localhost opt]$ rm -rf 123
[zyq@localhost opt]$ ls
[zyq@localhost opt]$ ll
Total usage 0

Once suid is set on rm, an ordinary user running it acts with root's identity (privilege escalation).

Remove it again with chmod u-s /usr/bin/rm.
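From the defender's side, the check that follows from this section is an inventory of setuid and setgid binaries compared against a known baseline, so that an rm which has acquired u+s stands out. The shell below is an added example (not from the original post): find_setid lists such files under a path, unexpected_setid diffs that list against a saved baseline, and make_demo_tree builds a constructed temporary tree with one setuid, one setgid and one plain file to run it on.

```shell
#!/bin/sh
# List regular files under a directory that carry the setuid or setgid bit, i.e. that
# run with the owner's (or group's) identity instead of the caller's. Sorted so the
# result can be compared with a saved baseline. -xdev keeps find on one filesystem.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print entries present now but absent from a baseline file (one sorted path per
# line); a setuid rm like the one created above would show up here.
unexpected_setid() {
    find_setid "$1" | comm -13 "$2" -
}

# Constructed tree for the demonstration: one setuid, one setgid and one plain file.
make_demo_tree() {
    d=$(mktemp -d)
    for f in suid_tool sgid_tool plain_tool; do
        printf '#!/bin/sh\necho hello\n' > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod u+s "$d/suid_tool"
    chmod g+s "$d/sgid_tool"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
echo "set-id files under $demo:"
find_setid "$demo"
printf '%s/sgid_tool\n' "$demo" > "$demo/baseline.txt"   # pretend only sgid_tool was expected
echo "not in baseline:"
unexpected_setid "$demo" "$demo/baseline.txt"
rm -rf "$demo"
```

On a real system the baseline is the output of find_setid / taken right after installation; rerunning unexpected_setid / baseline.txt later reports anything that gained the bit since.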

sgid

SGID is mainly used on directories: if a user has w permission on the directory and creates a new file in it, the new file's group is the directory's group rather than the user's primary group.

[root@ggbond opt]# mkdir dir1
[root@ggbond opt]# chown .hr /opt/dir1        ---- only changes the group of directory dir1
[root@ggbond opt]# touch /opt/dir1/2           ---- the group of the new file is unchanged
[root@ggbond opt]# ll -d dir1/2
-rw-r--r--. 1 root root 0 Aug 31 22:50 dir1/2
[root@ggbond opt]# chmod g+s dir1              ---- set sgid
[root@ggbond opt]# touch dir1/3
[root@ggbond opt]# ll -d dir1/3
-rw-r--r--. 1 root hr 0 Aug 31 22:51 dir1/3    ---- files created in dir1 now belong to the directory's group

SBIT (sticky bit)

Currently it is only meaningful on directories. Its effect: when a user creates a file or directory inside such a directory, only that user (plus the directory's owner and root) may delete it.

[root@ggbond opt]# mkdir 12          ----- create directory 12
[root@ggbond opt]# chmod 757 12      ----- give the directory permissions
[root@ggbond opt]# chmod o+t 12      ----- set the sticky bit on the directory

[zyq@ggbond opt]$ touch 12/123       ----- as user zyq, create file 123 in directory 12

[ml@ggbond opt]$ rm -rf 12/123       ----- as user ml, try to delete 123 under directory 12
rm: Unable to delete "12/123": Operation not allowed      ----- the operation is refused

Compared with a directory without the sticky bit:

[root@ggbond opt]# mkdir 14          ----- create directory 14
[root@ggbond opt]# chmod 757 14

[zyq@ggbond opt]$ touch 14/145       ----- as an ordinary user, create a file

[ml@ggbond opt]$ rm -rf 14/145       ----- as another ordinary user, delete it
[ml@ggbond opt]$ ls                  ----- the deletion succeeded
12 14
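An added example (not from the original page) that models the rule behind Cases 2 and 3 together with the sticky-bit behaviour of this SBIT section, so the outcomes above can be predicted from mode bits alone: deleting or creating an entry depends on w and x on the directory, not on the entry's own mode, and the sticky bit additionally limits deletion to the entry's owner, the directory's owner and root. The functions, their argument order and the uid/gid values are constructed; group membership is simplified to the caller's primary gid.

```shell
#!/bin/sh
# Permission triplet of a directory that applies to a given caller.
# args: caller_uid caller_gid dir_mode(octal) dir_uid dir_gid
class_bits() {
    mode=$(( 0$3 ))
    if [ "$1" -eq "$4" ]; then
        echo $(( (mode >> 6) & 7 ))      # owner triplet
    elif [ "$2" -eq "$5" ]; then
        echo $(( (mode >> 3) & 7 ))      # group triplet (primary gid only, simplification)
    else
        echo $(( mode & 7 ))             # others triplet
    fi
}

# Can the caller create a new entry in the directory?  prints yes/no
# args: caller_uid caller_gid dir_mode dir_uid dir_gid
can_create() {
    [ "$1" -eq 0 ] && { echo yes; return; }        # root bypasses the check
    bits=$(class_bits "$1" "$2" "$3" "$4" "$5")
    if [ $(( bits & 3 )) -eq 3 ]; then echo yes; else echo no; fi   # needs w (2) and x (1)
}

# Can the caller delete an existing entry?  prints yes/no
# The entry's own mode is deliberately not an argument: it plays no part.
# args: caller_uid caller_gid dir_mode dir_uid dir_gid entry_uid
can_unlink() {
    [ "$1" -eq 0 ] && { echo yes; return; }
    [ "$(can_create "$1" "$2" "$3" "$4" "$5")" = yes ] || { echo no; return; }
    mode=$(( 0$3 ))
    # sticky bit (01000): the caller must own the entry or the directory
    if [ $(( mode & 01000 )) -ne 0 ] && [ "$1" -ne "$6" ] && [ "$1" -ne "$4" ]; then
        echo no
    else
        echo yes
    fi
}

# Constructed scenarios mirroring the cases above (uids invented: zhouyq 1000, zyq 1001, ml 1002).
echo "Case 2, zhouyq deleting root's file in a 0755 root directory: $(can_unlink 1000 1000 0755 0 0 0)"
echo "Case 3, same file (mode 000 is irrelevant) in a 0777 directory: $(can_unlink 1000 1000 0777 0 0 0)"
echo "SBIT, ml deleting zyq's file in a 1757 directory:              $(can_unlink 1002 1002 1757 0 0 1001)"
echo "SBIT, zyq deleting its own file in a 1757 directory:           $(can_unlink 1001 1001 1757 0 0 1001)"
echo "No SBIT, ml deleting zyq's file in a 0757 directory:           $(can_unlink 1002 1002 0757 0 0 1001)"
```

The model is the one the kernel applies for unlink and create on ordinary filesystems without ACLs; with the ACLs of the next section the applicable triplet can come from an ACL entry instead.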

Access control lists (ACL)

setfacl: set permissions for an individual user (or group) on a file
getfacl: view them

For a file under /opt, I want only zyq to be able to operate on it:

[root@ggbond opt]# touch 123.txt
[root@ggbond opt]# ll
Total usage 0
-rw-r--r--. 1 root root 0 Aug 31 23:15 123.txt ---- create file
[root@ggbond opt]# setfacl -m u:zyq:rwx 123.txt


[root@ggbond opt]# getfacl 123.txt
# file: 123.txt
# owner: root
# group: root
user::rw-
user:zyq:rwx --------You can see that zyq has the rwx permission to this file
group::r--
mask::rwx
other::r--

Revoke the permission

[root@ggbond opt]# setfacl -m u:zyq:--- 123.txt
[root@ggbond opt]# getfacl 123.txt
# file: 123.txt
# owner: root
# group: root
user::rw-
user:zyq:--- -----user zyq's permission on the file has been taken back
group::r--
mask::r--
other::r--

Exercise:

If chmod itself is set to 000 as root, can permissions still be changed on other files or directories? If not, what can be done?

[root@ggbond ~]# ll -d /usr/bin/chmod
-rwxr-xr-x. 1 root root 58592 Aug 20 2019 /usr/bin/chmod
[root@ggbond ~]# chmod 000 /usr/bin/chmod    ---- set the permissions of chmod to 000
[root@ggbond opt]# touch 123
[root@ggbond opt]# ll -d 123
-rw-r--r--. 1 root root 0 Sep 1 08:31 123

[root@ggbond opt]# chmod 444 123
-bash: /usr/bin/chmod: Insufficient permissions    ---- with 000 even root cannot run chmod, so file permissions cannot be changed any more

[root@ggbond opt]# setfacl -m u:root:rwx /usr/bin/chmod ---- Set permissions for the root user personally
[root@ggbond opt]# getfacl /usr/bin/chmod ---- Check whether the permission is set successfully
getfacl: Removing leading '/' from absolute path names
# file: usr/bin/chmod
# owner: root
# group: root
user::---
user:root:rwx
group::---
mask::rwx
other::---

[root@ggbond opt]# chmod 755 /usr/bin/chmod    ----- restore chmod's original permissions
[root@ggbond opt]# chmod 444 123
[root@ggbond opt]# ll -d 123
-r--r--r--. 1 root root 0 Sep 1 08:31 123    ---- chmod can change permissions again

Note:

In a directory owned by root with the usual 755 permissions, ordinary users can view its contents and enter it, but cannot create directories or files there.

Find where a system command lives: which or whereis

[root@ggbond ~]# whereis cat
cat: /usr/bin/cat /usr/share/man/man1/cat.1.gz
[root@ggbond ~]# whereis rm
rm: /usr/bin/rm /usr/share/man/man1/rm.1.gz
[root@ggbond ~]# whereis mv
mv: /usr/bin/mv /usr/share/man/man1/mv.1.gz
[root@ggbond ~]# whereis cp
cp: /usr/bin/cp /usr/share/man/man1/cp.1.gz

Switch user

su - username: after the switch the shell starts in the user's home directory under /home (a login shell).

su username: the current directory stays where it was before the switch.