Linux - account and permission management

Posted by Percadan on Tue, 28 Dec 2021 23:11:19 +0100

preface

One of the best things about Linux is its multi person and multi task environment. If you are exposed to Linux for the first time, what is the meaning of so many directories and files under Linux? Let me make a summary.

1, Manage user accounts

Compared with windows operating system, the functions of user account and group account in Linux system are essentially the same. They also control the access to resources based on user identity, but there are some differences in manifestation and individual details.

1. User account

In Linux, according to the requirements of system management, user accounts are divided into different types with different permissions, mainly including super users, ordinary users and program users

  • Super user
    The root user is the default super user account in the Linux system and has the highest authority on the host, similar to the Administrator user in the Windows system (for security reasons, it is recommended to use only the ordinary user account for daily transaction processing)
  • Ordinary users
    Ordinary users are created by root users or other administrator users. Their rights are limited. Generally, they only have full permissions in their own host directory
  • Program user
    When installing the Linux system and some applications, some specific low authority user accounts will be added. These users are generally not allowed to log in to the system and are only used to maintain the normal operation of the system or a program, such as bin, daemon, ftp, mail, etc

1.1 UID number

Each user account in the Linux system has a digital identity mark called UID (user ID number)

  • For the system core, UID is the basic basis for distinguishing users. In principle, the UID number of each user should be unique
  • The UID number of the root user account is a fixed value of 0
  • The UID number of the program user account is 1 ~ 999 by default
  • The UID number of ordinary user account is 1000 ~ 60000

1.2 user account file

The user account, password and other information in the Linux system are saved in the corresponding configuration file. The user account can be managed by directly modifying these files or using the management command.

  • /etc/passwd
    /etc/passwd is used to save basic information such as user name, host directory, login Shell, etc

For example, execute the following command to view the first few lines of the / etc/passwd file

[root@localhost ~]#head -3 /etc/passwd            
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

Each line of passwd file contains seven configuration fields separated by colon ":". The fields from left to right represent the following meanings respectively:

Paragraph 1: the name of the user account, which is also the identification name used when logging in to the system

Paragraph 2: encrypted user password string or password placeholder "x"

Paragraph 3: UID number of user account

Paragraph 4: GID number of the account number of the basic group to which it belongs

Paragraph 5: the full name of the user. You can fill in the description information related to the user

Paragraph 6: Host Directory, that is, the default working directory where the user logs in

Paragraph 7: login Shell and other information, the Shell used by the user after login

  • /etc/shadow
    /etc/shadow stores the user account password information, account validity and other information. The shadow file is also called "shadow file". Generally, only the root user can read the contents of the file by default, and it is not allowed to edit the contents of the file directly

For example, execute the following command to view the first few lines of the / etc/shadow file:

[root@localhost ~]#head -2 /etc/shadow
root:$6$y2pPNXfJJsH6drSA$nEiDLPIBr8rtJJpRsLj8PbpcJb.xDSMhcuwAQLp1QiQic9zzp7emfKM5g.n84k3ujEyguqH:99999:7:::
bin:*:17110:0:99999:7:::

Each line of the shadow file contains nine configuration fields separated by colons ":". The meaning from left to right is as follows:

Field 1: user account name.

Field 2: password string information encrypted with MD5, when it is "*" or "!" Indicates that this user cannot log in to the system.

Field 3: time of last password modification (from January 1, 1970)

Field 4: the minimum effective days of the password. After the password is modified this time, it must be at least this number of days before the password can be modified again. The default value is 0, which means no restriction.

Field 5: the longest valid days of the password. After the password is modified this time, the password must be modified again. The default value is 99999, which means no restriction.

Field 6: how many days in advance to warn the user that the password will expire. The default value is 7.

Field 7: how many days after the password expires to disable this user.

Field 8: account expiration time. This field specifies the number of days for the user to void (calculated from January 1, 1970). The default value is blank, indicating that the account is permanently available.

Field 9: reserved field, which has no specific purpose at present.

2. User account management

2.1 add user account - useradd

The useradd command is used to add a user account. The command format is as follows

useradd [option] user name

Common options: - u, - d, - e, - G, - G, - M, - s

formatexplain
-uSpecifies the UID number of the user. It is required that the UID number is not used by other users
-dSpecifies the location of the user's hosting directory (not effective when used with - M)
-eSpecify the user's account expiration time. You can use the date format of yyyy-mm-dd 2021-0101
-gSpecify the user's base group name (or use GID number)
-GSpecify an additional group name for the user (or use a GID number)
-MDo not create a host directory, even if / etc / login The host directory to be established has been set in the defs system configuration
-sSpecifies the login Shell of the user
  • case

The simplest use is to use only the user name as an argument to the command without adding any options.
For example, you can create a user account named yjs by performing the following operations, and view the changes of the new user account by viewing the passwd, shadow file and / home directory:

root@localhost ~]#useradd yjs
[root@localhost ~]#tail -1 /etc/passwd
yjs:x:1011:1012::/home/yjs:/bin/bash
[root@localhost ~]#tail -1 /etc/shadow
yjs:!!:18847:0:99999:7:::
[root@localhost ~]#ls -A /home/yjs            
.bash_logout  .bash_profile  .bashrc  .mozilla

In account management, sometimes it is necessary to specify the validity period of the account, or it is required that the new account cannot log in to the system. At this time, you can use "- e" "-s" option
For example, you can create an FTP account named yjs (terminal login is prohibited) by performing the following operations, making the account invalid on August 8, 2021

[root@localhost ~]#useradd -e 2021-08-08 -s /sbin/nologin yjs

2.2 setting / changing user password - passwd

After adding a user account through the useradd command, you need to set a password for it to work normally.

The command format is as follows:

passwd [option]  user name

The password of the current account can be modified without specifying the user name

Common options are as follows:

formatexplain
-dClear the password of the specified user and only use the user name to log in to the system
-lLock user account
-SView the status of the user account (whether it is locked)
-uUnlock user account

case
Example ① change the login password of the user yjs

[root@localhost ~]#passwd yjs
 Change user yjs Your password.
New password:
Invalid password: the password did not pass the dictionary check - Oversimplification/systematization
 Re enter the new password:
passwd: All authentication tokens have been successfully updated.

Example ② lock and unlock the user account yjs through the passwd command

[root@localhost ~]#passwd -l yjs          #Lock account
 Lock user yjs Your password.                       
passwd: Operation succeeded
[root@localhost ~]#passwd -S yjs         #View user account status  
yjs LK 2021-08-08 0 99999 7 -1 (The password is locked.)
[root@localhost ~]#passwd -u yjs         #Unlock account
 Unlock user yjs Your password.
passwd: Operation succeeded
[root@localhost ~]#passwd -S yjs        #Check whether the user is unlocked
yjs PS 2021-08-08 0 99999 7 -1 (Password set, use SHA512 Algorithm.)

2.3 modify user account attribute - usermod

For user accounts that already exist in the system, you can use the usermod command to reset various properties

The command format is as follows:

usermod  [option]  user name

Common parameters are as follows:

formatexplain
-uModify user's UID number
-dModify the user's host directory location
-eTo modify the user's account expiration time, you can use the date format of YYYY-MM-DD
-sSpecifies the login Shell of the user
-lChange the user's account login name
-LLock user account
-UUnlock user account

When using the usermod command, most of the options correspond to the options of the useradd command, and the starting function is also similar. In general, the last three are used more.

case
Example ① transfer the host directory of admin user from / admin to / home/admin:

[root@localhost ~]#mv /admin/home                   #Migration directory
[root@localhost ~]#usermod -d /home/admin admin     #Specify host directory location

For example ②, change the login name of the admin user to webmaster, which will take effect the next time you log in

[root@localhost ~]#usermod -l webmaster admin             #Change user account login
[root@localhost ~]#grep "admin" /etc/passwd               #see
admin:x:1003:10::/admin:/bin/bash

2.4. Delete user account - userdel

At work, when an employee has resigned from the company and his user account no longer needs to be used, you can use the userdel command to delete the user account.

The command format is as follows:

userdel [-r]  user name 

When the - r option is used, the host directory can be deleted at the same time

case
Delete the user account named yjs and its host directory

[root@localhost ~]#userdel -r yjs
[root@localhost ~]#ls -ld /home/yjs
ls: cannot access/home/yjs: There is no such file or directory

2.5 initial configuration file of user account

After adding a new user account, the useradd command will create some initial configuration files in the user's host directory. These files come from the account template directory / etc/skel, which are basically hidden files.

Common initial configuration files include the following three:

  • ". bash_logout": executed every time the user logs out

  • ". bash_profile": executed every time the user logs in

  • ". bashrc": executed every time the "/ bin/Bash" program is loaded (login Shell)

[root@localhost /etc/skel]#ls -a
.  ..  .bash_logout  .bash_profile  .bashrc  .mozilla

2, Management group account

1. Group account

For user accounts, the corresponding group accounts can be divided into two types: basic group (private group) and additional group (public group).

1.1 basic group and additional group

Basic group: if no user group is specified, a group with the same name as the user name will be created by default when creating a user. This group is the basic group
Additional group: in addition to the basic group, other groups of users are additional groups, and users can be deleted from the additional group.

Whether a user is in a basic group or an additional group, he or she will have the permissions of this group. A person can belong to multiple additional groups, but a user can only have one basic group.

1.2 group account file

The group account file is similar to the user account file, namely / etc/group and / etc/gshadow

  • /etc/group: save the group account name, GID number, member and other basic information
  • /etc/gshadow: save the password information of the group account (rarely used)

Perform the following operations to view which user members are included in the root group and which groups contain root users:

[root@localhost /etc/skel]#grep "^root" /etc/group
root:x:0:admin
[root@localhost /etc/skel]#grep "root" /etc/group
root:x:0:admin

2. Group account management

2.1 add group account - groupadd

The command format is as follows:

groupadd [-g GID]  Group account name

case

Add a group account named yjs:

[root@localhost /etc/skel]#groupadd yjs
[root@localhost /etc/skel]#tail -1 /etc/group
yjs:x:1012:

2.2 adding and deleting group members - gpasswd

The command format is as follows:

gpasswd [option] Group account name 

Common options

formatexplain
-aAdd a user to the group
-dRemove a user member from the group
-MSpecify multiple member users of group accounts at the same time, separated by commas

case

[root@localhost /etc/skel]#gpasswd -a gulei1 yjs             #Add the guilei1 user to the yjs group
 Transferring user“ gulei1"Add to“ yjs"Group
[root@localhost /etc/skel]#groups gulei1                     #Confirm that the gulei1 user has joined the yjs group
gulei1 : gulei1 yjs
[root@localhost /etc/skel]#gpasswd -d gulei1 yjs             #Remove the guilei1 user from the yjs group
 Transferring user“ gulei1"From“ yjs"Delete from group
[root@localhost /etc/skel]#groups gulei1                     #Confirm that the gulei1 user has exited the yjs group
gulei1 : gulei1
[root@localhost /etc/skel]#gpasswd -M gulei1,gulei2,gulei3 yjs    #Add three users to the yjs group
[root@localhost /etc/skel]#grep "^yjs" /etc/group                 #Confirm whether to join successfully
yjs:x:1012:gulei1,gulei2,gulei3

2.3 delete group account - groupdel

The command format is as follows:

groupdel  Group account name

case

[root@localhost /etc/skel]#groupdel yjs

2.4 modify user account attribute - usermod

For an existing user account in the system, you can use the usermod command with options and user name to reset the group to which the account belongs.
The command format is as follows:

usermod [option]  user name

Common options:

formatexplain
-uModify user's UID number
-dModify the user's host directory location
-eTo modify the user's account expiration time, you can use the date format of YYYY-MM-DD
-gModify the user's basic group name (or use GID number)
-GModify the user's additional group name (or use GID number)
-sSpecifies the login Shell of the user
-lChange the login name of the user account
-LLock user account
-UUnlock user account

case

[root@localhost ~]#usermod -l GL gulei1        #Change login
[root@localhost ~]#tail -1 /etc/passwd         #see
GL:x:1006:1007::/home/gulei1:/bin/bash
[root@localhost ~]#usermod -L GL               #Lock user account



[root@localhost ~]#tail -2 /etc/shadow         #Check to see if it is locked
GL:!!:18846:0:99999:7:::                      
GL:!$6$owIlrMTP$4idHfFO2XScCT8E.sWVVP6apsPoNVX/NPAKlsPcxof/BIbgpSKtnaAZFNhYLS1XkClEIfzFaHbtyyxnicxYPD1:18847:0:99999:7:::                        #Added before string! Indicates locked
[root@localhost ~]#usermod -U GL               #Unlock user account
[root@localhost ~]#tail -1 /etc/shadow         #Check to see if it is unlocked
GL:$6$owIlrMTP$4idHfFO2XScCT8E.sWVVP6apsPoNVX/NPAKlsPcxof/BIbgpSKtnaAZFNhYLS1XkClEIfzFaHbtyyxnicxYPD1:18847:0:99999:7:::                         #! Removed and unlocked

From this, we can see the difference between passwd and usermod:

passwd -l add 2 "!" before the password
passwd -u remove the first two "!"
usermod -L adds 1 "!" before the password
usermod -U remove 1 "!" before password

Therefore, after locking the user with passwd -l, you need to execute usermod -U twice or passwd -u once

3, Query account information

In user management, although you can query relevant information by directly viewing the configuration files of user account and group account, it is not very intuitive. In Linux system, you can also use several common query command tools, such as id, groups, finger, w, last, etc.

1. Query the user account id

Use the ID command to quickly view the UID, GID and other identification information of the specified user account. For example, execute the "id root" command to view the user ID number, group ID number and additional group ID number of the root account:

[root@localhost ~]#id root
uid=0(root) gid=0(root) group=0(root)

2. Query the group to which the user account belongs - groups

Use the groups command to view which groups the specified user account belongs to. For example, view the group account information of the current user root and GL user:

[root@localhost ~]#groups 
root
[root@localhost ~]#groups GL
GL : gulei1

3. Query the login attribute of user account - finger

Use the finger command to query the login properties and other details of the specified user account, including login name, full name, host directory, login Shell, etc. For example, to view the details of the root account:

[root@localhost ~]#finger root
Login: root           			Name: root
Directory: /root                    	Shell: /bin/bash
On since August 8-11:07 (CST) on :0 from :0 (messages off)
On since August 8-11:07 (CST) on pts/0 from :0
   4 hours 35 minutes idle
On since August 8-11:10 (CST) on pts/1 from 192.168.24.1
   1 second idle
New mail received I. July 26-16:34 2021 (CST)
     Unread since I. July 26 12:53 2021 (CST)
No Plan.

4. Query the user login status of the current host - w, who, users

  • Use the w command to query the user login status in the current host, list the login account name, terminal, login time, source location and other information. The command output is as follows:
[root@localhost ~]#w
 15:45:23 up  4:38,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0       :0               11:07   ?xdm?  57.65s  0.14s /usr/libexec/gnome-session-bin
root     pts/0    :0               11:07    4:38m  0.03s  0.03s bash
root     pts/1    192.168.24.1     11:10    3.00s  0.31s  0.00s w
  • who,users
[root@localhost ~]#who
root     :0           2021-08-08 11:07 (:0)
root     pts/0        2021-08-08 11:07 (:0)
root     pts/1        2021-08-08 11:10 (192.168.24.1)
[root@localhost ~]#users
root root root

5. Query the user information of the login system - last

This command is used to list the information related to the users who logged in to the system in the past. The path of its command is: / usr/bin/last.
When the last instruction is executed, it will read the file named wtmp located in the / var/log directory, and display the contents of the file and the list of users logged in to the system.
By default, wtmp records are displayed. btmp can display more details. You can display remote login, such as ssh login.

  • The utmp file stores the information of users currently in the system.

  • The wtmp file stores the information of users who have logged in to the system.

Common options are as follows:

formatexplain
-aThe host name or IP address of the login system is displayed in the last line
-dConvert IP address to host name
-fSpecify record file
-i-i displays the login status of a specific ip. Tracking displays the login of a specific ip with - i. Tracking
-oRead an old-type wtmp file (written by linux-libc5 applications).
-n-N < display rows > or - < display rows > sets how many rows of records are displayed
-wDisplay full user and domain names in the output
-RDo not display the host name or IP of the login system (omit the field of hostname)
-tDisplay information before YYYYMMDDHHMMSS
-xDisplays the history of system shutdown, user login and logout

case
Display the last 10 records logged into the system:

[root@localhost ~]#last -10
root     pts/1        192.168.24.1     Sun Aug  8 11:10   still logged in   
root     pts/0        :0               Sun Aug  8 11:07   still logged in   
root     :0           :0               Sun Aug  8 11:07   still logged in   
reboot   system boot  3.10.0-693.el7.x Sun Aug  8 11:06 - 16:01  (04:54)    
root     pts/0        192.168.24.1     Sat Aug  7 08:29 - crash (1+02:37)   
root     :0           :0               Sat Aug  7 08:29 - crash (1+02:37)   
reboot   system boot  3.10.0-693.el7.x Sat Aug  7 08:28 - 16:01 (1+07:32)   
root     pts/0        192.168.24.1     Fri Aug  6 08:56 - 00:42  (15:45)    
root     :0           :0               Fri Aug  6 08:56 - down   (15:46)    
reboot   system boot  3.10.0-693.el7.x Fri Aug  6 08:54 - 00:42  (15:48)    

wtmp begins Sat Jul 24 22:04:23 2021
[root@localhost ~]#

4, Manage the properties of directories and files

In the security model of Linux file system, two attributes are given to the files in the system: access permission and file owner, which are referred to as "permission" and "ownership". The Linux system controls the process of users accessing data according to the access rights and ownership of files or directories.

  • Access permissions include three basic types: read, write and executable.
  • Attribution includes owner (user account with the file) and group (group account with the file).

1. View the permissions and ownership of directories and files

When using ls command with "- l" option, the file details will be displayed in long format, including parameters such as permission and ownership of the file.
For example, list the details of the / etc/passwd file:

[root@localhost ~]#ls -l /etc/passwd
-rw-r--r-- 1 root root 2557 8 August 15:23 /etc/passwd

In the above output information, the data in the 3rd and 4th fields indicates that the file belongs to the master and array, and the / etc/passwd file belongs to the root user and root group; The data in the first field represents the access rights of the file, such as "- rw-r – R --". The permission field consists of four parts, with the following meanings:

  • The first character: indicates the type of the file. It can be d (directory), B (block device file), C (character device file), - (ordinary file), letter "l" (linked file), etc.
  • Characters 2 ~ 4: indicates the access right of the file's owner User to the file.
  • Characters 5 ~ 7: indicates the access rights of each member user (Group) in the group to which the file belongs.
  • Characters 8 ~ 10: indicates the access right of any Other user (Other) to the file.


Three different permission characters are mainly used when indicating the access rights of the owner, users in the group or other users to the file: r, w and x, which respectively represent readable, writable and executable. r, w and x permission characters can also be expressed as octal digits 4, 2 and 1 respectively. When indicating a permission combination, the digits need to be accumulated. If you need to remove the corresponding permission, use "-".

2. Set file and directory permissions - chmod

The command format is as follows:

chmod    [ugoa]    [+-=]    [rwx]    File or directory 

or

chmod   nnn   File or directory
  • "ugoa" means master, group, other users and all users respectively
  • "± =" indicates adding, removing and setting permissions respectively
  • "nnn" refers to the specific permission value to be set, such as "777"

Common options: - R recursively modify the permissions of all children in the specified directory

case
For example ①, copy the mkdir command program as mymkdir, and verify the change of executable permission by removing the "x" permission of mymkdir file:

[root@localhost ~]#cp /bin/mkdir mymkdir
[root@localhost ~]#ls -l mymkdir 
-rwxr-xr-x 1 root root 79768 8 August 16:57 mymkdir
[root@localhost ~]#./mymkdir dir01                    #new file
[root@localhost ~]#ls -ld dir01/
drwxr-xr-x 2 root root 6 8 August 16:58 dir01/
[root@localhost ~]#chmod ugo-x mymkdir                #Remove all "x" permissions
[root@localhost ~]#ls -l mymkdir 
-rw-r--r-- 1 root root 79768 8 August 16:57 mymkdir    #The operation cannot be performed because the "x" permission is removed
[root@localhost ~]#./mymkdir dir02
-bash: ./mymkdir: insufficient privilege

For example ②, when the permissions of different categories of users on files are set to different values, commas can be used to separate them; In addition, we can express permissions in digital form, which is more convenient:

[root@localhost ~]#chmod u+x,o-r mymkdir 
[root@localhost ~]#ls -l mymkdir 
-rwxr----- 1 root root 79768 8 August 16:57 mymkdir
[root@localhost ~]#chmod 777 mymkdir 
[root@localhost ~]#ls -l mymkdir 
-rwxrwxrwx 1 root root 79768 8 August 16:57 mymkdir

3. Set the ownership of files and directories - chown

The command format is as follows:

chown    Owner[:[Genus group]]   File or directory
  • Common option - R: recursively modify all files in the specified directory and the ownership of subdirectories
  • When the owner and group are set at the same time, the user name and group name are separated by colon ":
  • If you only set a group, you need to use the form of ": group name"
  • If you need to set the owner of a directory or file, you can directly indicate the ownership by user name.

case

4.umask application

umask is the default value that specifies the permissions of the current user when creating a new file or directory

  • To directly execute the "umask" command is to view the default permissions of the current system
  • Execute "umask 022" to set the default permissions of the current user
    Note: the score of umask refers to the "permission to be subtracted from the default value". r, w and x are 4, 2 and 1 respectively. If "umask 022" is executed, the permission "2" of group and other is removed, that is, the permission "write" is removed.

The cases are as follows:

[root@localhost ~]#umask
0022
[root@localhost ~]#umask 000                        #Executing umask 000 means that the default permission is "777", and the highest permission is
[root@localhost ~]#mkdi
mkdict  mkdir   
[root@localhost ~]#mkdir /umask1
[root@localhost ~]#ls -ld /umask1/
drwxrwxrwx 2 root root 6 8 August 17:29 /umask1/
[root@localhost ~]#umask 022                        #Executing umask 022 means that the default permission is "755" and there is no "write" permission
[root@localhost ~]#mkdir /umask2
[root@localhost ~]#ls -ld /umask2/
drwxr-xr-x 2 root root 6 8 August 17:29 /umask2/

summary

  • Linux operating system resources can be used by different users. Each user has specific permissions on his own resources and does not affect each other.
  • When we use the command, there are many things in common. For example, the option - R of the find command ls and the option - R of the set permission command chmod mean to perform some operation in a recursive manner. Therefore, in Linux system, there is no absolute method. There are many solutions to a problem.

Topics: Linux Unix CentOS cloud computing