This is the fifth day of my participation in the August More Text Challenge. For details, see: August More Text Challenge

A lifelong learner, practitioner and sharer committed to the path of technology; an original blogger who is busy and sometimes lazy; a young man who is occasionally dull and sometimes humorous.

Welcome to search “Jge’s IT Journey” on wechat!

Account and Permission Management in Linux

Preface

In Linux, user accounts are classified into different types according to system management needs. Each type has different permissions and plays a different role: superusers, common users and program users.

I. User account

  • Superuser: the root user is the default superuser in Linux, comparable to the Administrator account in Windows. Use root only for system administration and maintenance tasks; for routine work, log in as a common user.

  • Common user: a common user account must be created by root or another administrator and has limited permissions. Generally, a common user has full permissions only in its own home directory.

  • Program users: when the Linux system and some applications are installed, low-privilege users are added for them. These users are not allowed to log in interactively (their shell is typically /sbin/nologin) and exist only so that the system or a particular program can run under an identity other than root.

II. Group account

A user group is a collection of users that share some association; the account representing the group is called a group account. Each user account belongs to at least one group, which is called the user's basic group (also known as the primary group, and recorded in /etc/passwd). If the user is also a member of other groups, those are called additional (supplementary) groups for that user.

III. UID and GID numbers

In Linux, each user account has a numeric identifier called a UID. The UID is the value the kernel actually uses to distinguish users; the account name in /etc/passwd is only a label for it. In principle, each user's UID should be unique. The root account has UID 0, and any other account with UID 0 is just as much a superuser, which is why duplicate UID 0 entries are a classic thing to check for. On the CentOS 6 era system shown in this article, program user accounts are assigned UIDs 1 to 499 by default and common users 500 to 60000; newer distributions use 1 to 999 for system users and 1000 to 60000 for common users. The boundaries are defined by SYS_UID_MIN, SYS_UID_MAX, UID_MIN and UID_MAX in /etc/login.defs.

Similarly, each group account has a numeric identifier called a GID. The root group has the fixed GID 0, program groups use GIDs 1 to 499 by default on this system (1 to 999 on newer distributions), and GIDs 500 to 60000 (1000 to 60000 on newer distributions) are assigned to common groups. The corresponding settings in /etc/login.defs are SYS_GID_MIN, SYS_GID_MAX, GID_MIN and GID_MAX.

IV. User account files

There are two configuration files related to user accounts: /etc/passwd and /etc/shadow. The former stores basic information such as the user name, home directory and login shell, while the latter stores the password hash, password and account validity periods, and related information. In both files each line corresponds to one user account, and the fields within a line are separated by colons (:).

4.1 Format of a configuration line in the passwd file

The basic account information of all users in the system is saved in the /etc/passwd file. This file is a text file, and any user can read the contents of the file.

    [root@localhost ~]# head -2 /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    [root@localhost ~]# tail -1 /etc/passwd
    ftpadmin:x:502:503::/home/ftpadmin:/bin/bash

The beginning of the passwd file holds the accounts of the superuser root and the program users; newly added user accounts are appended to the end of the file. Each line of the passwd file contains seven fields separated by colons (:).

  • Field 1: the name of the user account, which is also the name used to log in to the system.

  • Field 2: the password placeholder "x", meaning the hash is stored in /etc/shadow. On a modern system this field should never contain anything else: an empty field means no password is required, and a hash placed here is readable by every user.

  • Field 3: the UID of the user account.

  • Field 4: the GID of the user's basic (primary) group.

  • Field 5: the comment (GECOS) field, usually the user's full name.

  • Field 6: the home directory, which is the working directory the user starts in after logging in.

  • Field 7: the login shell. A shell such as /sbin/nologin or /bin/false prevents interactive login, which is what program users should have.

4.2 Format of a configuration line in the shadow file

The /etc/shadow file (the "shadow" file) holds the password information for every user account, so access to it must be strictly restricted. By default it is not readable by ordinary users (on Red Hat based systems its mode is 000, readable only because root bypasses permission checks; Debian based systems use 640 with group shadow), and it should not be edited by hand. Use passwd, chage and usermod, which lock the file while they update it; if a manual edit is unavoidable, use vipw -s.

    [root@localhost ~]# head -2 /etc/shadow
    root:$1$zvbfAo4p$mg5k7oNqxBxzDyQYd.dB3/:17307:0:99999:7:::
    bin:*:15980:0:99999:7:::
    [root@localhost ~]# tail -1 /etc/shadow
    ftpadmin:$6$xf828o4R$ApMz8RE4mV43E7JAsgr9d63B3jEapVqYBpSc7aPTkvcnL8lRGaJhTP.OVI2pq1kHJRGFdqMIvHpTLQgzGT0El0:17308:0:99999:7:::

Each line of the shadow file contains nine fields separated by colons (:).

  • Field 1: the user account name.

  • Field 2: the hashed password. The prefix identifies the algorithm: $1$ is MD5 (the root entry above, which is weak by today's standards), $5$ is SHA-256 and $6$ is SHA-512 (the ftpadmin entry above). A value of "*" or "!!" means no usable password is set, so the user cannot log in with a password; a "!" prefixed to an existing hash means the account was locked with passwd -l. If the field is empty, the user can log in without a password (subject to PAM and sshd settings such as nullok and PermitEmptyPasswords), which is a serious misconfiguration to look for.

  • Field 3: the date of the last password change, expressed in days since 1970-01-01 (17307 above is 2017-05-21).

  • Field 4: the minimum number of days between password changes. The default is 0, meaning no restriction.

  • Field 5: the maximum number of days the password remains valid. The default is 99999, meaning effectively no expiry.

  • Field 6: how many days before expiry the user is warned that the password is about to expire. The default is 7.

  • Field 7: the inactivity period, in days, after the password expires before the account is disabled. Empty means no such period is enforced.

  • Field 8: the account expiration date, in days since 1970-01-01. The default is empty, meaning the account never expires.

  • Field 9: a reserved field with no current use.
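The passwd and shadow layouts above lend themselves to an automated check. The following Python script is an added example, not code from the original article: it parses both files from constructed sample text (the root, bin and ftpadmin lines mirror the output shown above; the backdoor and legacy accounts are hypothetical and exist only to trigger the checks) and reports the conditions a reviewer looks for: a second UID 0 account, a duplicate UID, a password field in passwd that is not "x", a system account with an interactive shell, an empty or weakly hashed password in shadow, and an expired password or account. The UID boundary of 499 follows this article's defaults; on a newer system read SYS_UID_MAX and UID_MIN from /etc/login.defs.

```python
"""Audit /etc/passwd and /etc/shadow entries for the conditions described above.

Added example, not code from the original article. The samples are constructed:
root, bin and ftpadmin mirror the article's output; 'backdoor' and 'legacy' are
hypothetical accounts that exist only to trigger the checks. SYS_UID_MAX is the
article's CentOS 6 era default (499); newer systems use /etc/login.defs values.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SYS_UID_MAX = 499                                   # program users: UID 1..499
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
WEAK_HASHES = {"md5", "descrypt", "unknown"}
NO_EXPIRY = 99999                                   # shadow's "never expires" max_days

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftpadmin:x:502:503::/home/ftpadmin:/bin/bash
backdoor:x:0:0:helper:/tmp:/bin/bash
legacy::505:505:Old App:/home/legacy:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$1$zvbfAo4p$mg5k7oNqxBxzDyQYd.dB3/:17307:0:99999:7:::
bin:*:15980:0:99999:7:::
ftpadmin:$6$xf828o4R$ApMz8RE4mV43E7JAsgr9d63B3jEapVqYBpSc7aPTkvcnL8lRGaJhTP.OVI2pq1kHJRGFdqMIvHpTLQgzGT0El0:17308:0:99999:7:::
backdoor:!!:17308:0:99999:7:::
legacy::17000:0:90:7:::
"""

@dataclass
class PasswdEntry:
    name: str
    passwd: str        # "x": the real hash lives in /etc/shadow
    uid: int
    gid: int           # basic (primary) group
    gecos: str
    home: str
    shell: str

@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]   # epoch days; None when the field is empty
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # epoch days; None = never expires

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def parse_passwd(text: str) -> list[PasswdEntry]:
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if len(f) != 7:
                raise ValueError(f"malformed passwd line: {line!r}")
            out.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return out

def parse_shadow(text: str) -> list[ShadowEntry]:
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if len(f) != 9:
                raise ValueError(f"malformed shadow line: {line!r}")
            out.append(ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8])))  # f[8] reserved
    return out

def days_to_date(days: int) -> date:
    """Shadow stores dates as days since the Unix epoch: 17307 -> 2017-05-21."""
    return date(1970, 1, 1) + timedelta(days=days)

def password_state(pw_hash: str) -> str:
    """Classify shadow field 2: 'empty', 'locked', or the hash algorithm in use."""
    if pw_hash == "":
        return "empty"                       # no password required at all
    if pw_hash in ("*", "!!") or pw_hash.startswith("!"):
        return "locked"                      # never set, or locked with passwd -l
    if pw_hash.startswith("$"):              # $id$salt$hash (crypt(3) modular format)
        algos = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256",
                 "6": "sha512", "y": "yescrypt"}
        return algos.get(pw_hash.split("$")[1], "unknown")
    return "descrypt"                        # 13-character traditional DES crypt

def audit(passwd_text: str, shadow_text: str, today: int) -> list[tuple[str, str]]:
    """Return (account, finding) pairs; `today` is in epoch days so runs are reproducible."""
    findings, seen_uids = [], set()
    shadow = {s.name: s for s in parse_shadow(shadow_text)}
    for p in parse_passwd(passwd_text):
        if p.uid == 0 and p.name != "root":
            findings.append((p.name, "uid0_not_root"))          # a second superuser
        if p.uid in seen_uids:
            findings.append((p.name, "duplicate_uid"))
        seen_uids.add(p.uid)
        if p.passwd != "x":   # empty = no password asked; a hash here is world-readable
            findings.append((p.name, "passwd_field_not_shadowed"))
        if 0 < p.uid <= SYS_UID_MAX and p.shell in INTERACTIVE_SHELLS:
            findings.append((p.name, "system_account_with_shell"))
        s = shadow.get(p.name)
        if s is None:
            findings.append((p.name, "no_shadow_entry"))
            continue
        state = password_state(s.pw_hash)
        if state == "empty":
            findings.append((p.name, "empty_password"))
        elif state in WEAK_HASHES:
            findings.append((p.name, "weak_hash"))
        if (state != "locked" and s.last_change is not None and s.max_days is not None
                and s.max_days < NO_EXPIRY and s.last_change + s.max_days < today):
            findings.append((p.name, "password_expired"))
        if s.expire is not None and s.expire <= today:
            findings.append((p.name, "account_expired"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, today=17400):
        print(f"{user}: {finding}")
```

To run this against a live system, read the two files as root and pass the current day count, (date.today() - date(1970, 1, 1)).days, as `today`; it is an explicit parameter so that results are reproducible in tests.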

Summary of commands for adding, deleting, and modifying user accounts

View the properties of directories and files

In the security model of the Linux file system, every file or directory carries two attributes: access permissions and ownership, referred to simply as "permissions" and "owner". Access permissions are built from three basic types: read, write and execute. Ownership consists of the owner (the user account that owns the file) and the owning group (the group account that owns the file). The system decides whether a process may access data by combining the process's user and groups with the file's permissions and ownership.

When you run the ls command with the -l option, the detailed information about a file or directory is displayed in a long format, including the permission and owning parameters of the file.

    [root@localhost ~]# ls -ld /etc /etc/passwd
    drwxr-xr-x. 130 root root 12288 Oct 19 16:03 /etc
    -rw-r--r-- 1 root root 1876 May 22 2017 /etc/passwd

The /etc directory and the /etc/passwd file both belong to the root user and the root group. The permission strings "drwxr-xr-x" and "-rw-r--r--" are read in four parts. (The trailing "." shown after the /etc mode means the entry carries an SELinux security context; a "+" in that position would indicate an ACL, which grants permissions beyond what the ten characters show.)

  • Character 1: the file type, which can be d (directory), b (block device file), c (character device file), "-" (regular file), l (symbolic link), p (named pipe) or s (socket).

  • Characters 2 to 4: the permissions of the owner (user) of the file.

  • Characters 5 to 7: the permissions of the members of the file's owning group (group).

  • Characters 8 to 10: the permissions of any other user (other).

The permission characters r, w and x indicate that the file is readable, writable and executable respectively; a "-" in a position means that permission is absent. For a directory, r lists the entries, w creates and deletes entries, and x allows entering the directory and accessing the entries in it.

The permission characters r, w and x can also be expressed as the octal digits 4, 2 and 1, and a combination of permissions is the sum of the digits. For example, rwx adds up to 7, and rwxr-xr-x consists of three permission segments, so it is written as 755. A fourth, leading octal digit encodes the special bits setuid (4), setgid (2) and sticky (1); 4755, for instance, is a setuid binary, and these bits deserve particular attention in any permission review.

chmod [ugoa…] [+-=] [rwx] file or directory… or chmod nnn file or directory…

  • ugoa indicates whose permissions are being set: u is the file owner, g is the members of the owning group, o is any other user, and a is all users.

  • +-= indicates the operation: "+" adds the given permissions, "-" removes them, and "=" sets exactly the given permissions and clears the rest.

  • rwx is the combination of permission characters; it can be split, and several clauses can be joined with commas (for example u=rw,g=r,o=).

The -R option makes chmod apply the change recursively to every entry under the specified directory. Take care when combining -R with x: chmod -R 755 turns every data file into an executable. The capital X permission, as in chmod -R u=rwX,go=rX, grants execute only to directories and to files that already have an execute bit, which is usually what is wanted.

With the chown command you can set the owner, the owning group, or both at once.

chown owner[:[group]] file or directory…

To set both owner and group, separate the user name and group name with a colon (:). To set only the owning group, write the argument as :group (a leading colon and the group name); the chgrp command does the same thing.

To set only the owner of a file or directory, give the user name alone. The -R option changes the ownership of a directory and everything under it recursively. Changing a file's ownership to another user requires root.
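The following shell script is an added example, not code from the original article. It exercises the chmod and chown forms described above on scratch directories and reads each result back with ls -l, showing the symbolic and octal forms reaching the same mode, the difference between a blanket recursive 755 and the X permission, and the three chown argument forms. It assumes a POSIX shell with the usual ls, chmod, chown, find and mktemp utilities; ownership is changed only to the invoking user's own numeric UID and GID, so no root privileges are needed.

```shell
#!/bin/sh
# Added example (not from the original article): chmod and chown on scratch
# files, with results read back from ls -l. Assumes POSIX sh plus ls, chmod,
# chown, find and mktemp. chown is done with the caller's own numeric IDs
# (names work the same way) so the script runs without root.
set -eu

# mode_of: the 10-character type+permission field of ls -l, e.g. -rw-r-----
# (cut -c1-10 drops a trailing "." or "+" that SELinux or ACLs may add)
mode_of() { ls -ld "$1" | cut -c1-10; }
# owner_of: "uid:gid" as numbers (ls -n), so it works for any account
owner_of() { ls -ldn "$1" | awk '{ print $3 ":" $4 }'; }

# Octal and symbolic chmod are two spellings of the same thing. Prints the
# mode after each step, space-separated.
demo_chmod() {
    w=$(mktemp -d); f="$w/app.conf"; : > "$f"
    chmod 644 "$f";          a=$(mode_of "$f")   # rw-r--r--
    chmod o-r "$f";          b=$(mode_of "$f")   # rw-r-----  "others" lose read (640)
    chmod u=rw,g=r,o= "$f";  c=$(mode_of "$f")   # "=" sets exactly: still 640
    chmod 600 "$f";          d=$(mode_of "$f")   # rw-------  owner-only, right for secrets
    rm -rf "$w"
    echo "$a $b $c $d"
}

# Recursive chmod: capital X grants execute only to directories (and to files
# that already had it), unlike a blanket -R 755 that makes data files executable.
# Prints "<good dir> <good file>|<file after 755>|<file after fix>".
demo_recursive() {
    w=$(mktemp -d); mkdir -p "$w/site/sub"; : > "$w/site/index.html"
    chmod -R u=rwX,go=rX "$w/site"
    good="$(mode_of "$w/site/sub") $(mode_of "$w/site/index.html")"  # drwxr-xr-x -rw-r--r--
    chmod -R 755 "$w/site"
    bad=$(mode_of "$w/site/index.html")                               # -rwxr-xr-x
    # X never removes an execute bit that is already set, so undo it per file type:
    find "$w/site" -type f -exec chmod 644 {} +
    fixed=$(mode_of "$w/site/index.html")                             # -rw-r--r--
    rm -rf "$w"
    echo "$good|$bad|$fixed"
}

# chown accepts "user:group", "user" alone, or ":group" alone.
# Prints the owner after the combined form and after the group-only form.
demo_chown() {
    w=$(mktemp -d); f="$w/data"; : > "$f"
    uid=$(id -u); gid=$(id -g)
    chown "$uid:$gid" "$f";  x=$(owner_of "$f")   # owner and group together
    chown "$uid" "$f"                             # owner only; group untouched
    chown ":$gid" "$f";      y=$(owner_of "$f")   # group only, leading colon
    rm -rf "$w"
    echo "$x $y"
}

echo "chmod:     $(demo_chmod)"
echo "recursive: $(demo_recursive)"
echo "chown:     $(demo_chown)"
```

The "fix" step in demo_recursive is the usual way to repair a tree after an over-broad chmod -R: apply the directory mode and the file mode separately with find -type d and find -type f rather than hoping X will undo the damage.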

Recommended reading

Commands that 99% of Linux operation and maintenance engineers must master, and how to use them

Common commands of the Oracle database in Linux

Common commands of the vi/vim editor in Linux

Install and manage programs in Linux (basic process of package encapsulation, RPM command, source code compilation and installation)

That is all for this article.


Original writing is not easy. If you found this article even a little useful, please give it a like, a comment or a share, because that is what motivates me to keep producing quality articles. Thanks!

By the way, fellow Juejin readers, remember to follow me for free, in case you get lost and cannot find me next time.

See you next time!