0. Overview

File            Content                               Format (colon-separated fields)
/etc/passwd     User account information              username:password placeholder:user ID (UID):primary group ID (GID):user description (may be empty):home directory:login shell
/etc/shadow     User password information             username:encrypted password:date of last password change:password policy (four fields):account expiration date:reserved field
/etc/group      Group information                     group name:group password placeholder:group ID (GID):group members
/etc/gshadow    Group password information            group name:encrypted group password:group administrators:group members
/etc/sudoers    sudo command execution permissions    user or %group  host = (run-as identity)  commands

1. /etc/passwd

This file is the user account configuration file; it stores the basic information about every user. All users have read permission on it.

Part of the content is as follows:



Each row represents a user, and each user has seven fields in the following format:

username:password placeholder:user ID (UID):primary group ID (GID):user description (may be empty):home directory:login shell

Among them,

User ID (UID):

System users: 0-999 (0 is the root user)

Regular users: 1000-65535 (before kernel 2.6.x), 1000 to 2^32-1 (kernel 2.6.x and later)

Password placeholder: In older systems the encrypted password was stored in this file itself. Because every user can read the file, this risked password leakage, so the encrypted password was moved to a separate file, /etc/shadow, which only the root user can read. The field in /etc/passwd now holds "x", indicating that the user's password is stored in /etc/shadow.

2. /etc/shadow

Only the root user has read permission on this file, so other users cannot see the encrypted passwords.



The file reads in part as follows:

Each row represents a user, and each user has nine fields in the following format:

username:encrypted password:date of last password change:password policy (four fields):account expiration date:reserved field

Among them,

Encrypted password: If the user has no password, this field holds * or !!, which means the account cannot be used to log in.

Date of last password change: the number of days since 1970-01-01. It can be converted to a calendar date with the following command:

date -d "1970-01-01 <num_of_days> days"

for example:

date -d "1970-01-01 18755 days"

Password policy: Contains four fields, in the following order:

minimum number of days between password changes:maximum number of days the password is valid:number of days of warning before the password expires:grace period after the password expires

Among them,

Minimum number of days between password changes: after the password is changed, it cannot be changed again within this many days.

Maximum number of days the password is valid: the password must be changed again within this many days of the last change; otherwise the password expires.

Number of days of warning before expiry: starting this many days before the password expires, the user is told at login that the password will expire in n days and should be changed.

Grace Period after the password expires: After the password expires, a user can still log in to the system and change the password within the grace period. After the grace period, the user cannot log in to the system.

Account expiration date: regardless of whether the password has expired, the user cannot log in after this date.

Reserved field: reserved for future functionality.
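As an added example (not code from the original page), the following Python reads shadow-format records, converts the day counts to dates the same way as the date command above, and classifies each account with the aging rules just described. The SHADOW text is constructed and its hashes are placeholders.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample records (hashes are placeholders, not real password hashes).
SHADOW = """\
root:$6$PLACEHOLDER:18755:0:99999:7:::
alice:$6$PLACEHOLDER:18755:7:90:14:30::
bob:*:18755:0:99999:7:::
carol:!!:18755:0:99999:7:::
dave:$6$PLACEHOLDER:18000:0:90:7:14:18500:
eve:$6$PLACEHOLDER:18775:0:90:14:::
"""

def days_to_date(days):
    """Same conversion as `date -d "1970-01-01 <days> days"`."""
    return EPOCH + timedelta(days=days)

def parse_shadow_line(line):
    """Split one record into the nine fields; an empty field means 'not set'."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last, min_d, max_d, warn, inact, expire, _reserved = fields
    num = lambda s: int(s) if s else None
    return {"name": name, "password": pw, "last_change": num(last),
            "min_days": num(min_d), "max_days": num(max_d), "warn_days": num(warn),
            "inactive_days": num(inact), "expire": num(expire)}

def password_status(e, today):
    """Classify an entry as of `today` (days since 1970-01-01)."""
    if e["password"] == "*" or e["password"].startswith("!"):
        return "locked"             # "*" or "!!": no usable password, cannot log in
    if e["password"] == "":
        return "empty-password"     # login without any password: always worth flagging
    if e["expire"] is not None and today > e["expire"]:
        return "account-expired"    # hard expiry date, regardless of the password
    if e["max_days"] is not None and e["last_change"] is not None:
        age = today - e["last_change"]
        if age > e["max_days"] + (e["inactive_days"] or 0):
            return "password-expired"   # grace period used up, login refused
        if age > e["max_days"]:
            return "grace-period"       # may still log in, must change the password
        if age >= e["max_days"] - (e["warn_days"] or 0):
            return "expiring-soon"      # inside the warning window
    return "ok"

def audit_shadow(text, today):
    """Map every username in `text` to its status on day `today`."""
    return {e["name"]: password_status(e, today)
            for e in map(parse_shadow_line, text.splitlines())}
```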

3. /etc/group

Part of the content is as follows:



Each row represents a group, and each group has four fields in the following format:

group name:group password placeholder:group ID (GID):users in the group (multiple users are separated by commas)

Among them,

Group password placeholder: As with user passwords, the encrypted group password is stored separately, in /etc/gshadow.

Users in the group: If the group is a user's primary (initial) group, that user is not listed here.
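The point about primary groups matters in practice: to know who is actually in a group you must join /etc/group with the GID column of /etc/passwd. This added Python example (not from the original page) does that join and also lists every UID-0 account, using constructed sample content in which "helper" is a second UID-0 account that an audit should notice.

```python
# Constructed sample content (not taken from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1000:Carol:/home/carol:/bin/bash
helper:x:0:0::/root:/bin/bash
"""
GROUP = """\
root:x:0:
alice:x:1000:bob
bob:x:1001:
sudo:x:27:alice
"""

def parse_passwd(text):
    """Seven colon-separated fields per line -> {username: (uid, primary gid)}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _desc, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Four colon-separated fields per line -> {gid: (group name, [listed members])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def effective_members(passwd_text, group_text):
    """Members listed in /etc/group plus users whose primary GID is that group."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    members = {name: set(listed) for name, listed in groups.values()}
    for user, (_uid, gid) in users.items():
        if gid in groups:
            members[groups[gid][0]].add(user)
    return {g: sorted(m) for g, m in members.items()}

def uid0_accounts(passwd_text):
    """Every account with UID 0 is root-equivalent; anything besides 'root' deserves a look."""
    return sorted(u for u, (uid, _gid) in parse_passwd(passwd_text).items() if uid == 0)
```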

4. /etc/gshadow

Only the root user has read permission on this file, so other users cannot see the encrypted group passwords.



Part of the content is as follows:



Each row represents a group, and each group has four fields in the following format:

group name:encrypted group password:group administrators:users in the group (multiple users are separated by commas)

Among them,

Encrypted group password: If the group has no password, this field holds "!".

Group administrator: Specifies the user name of the group administrator. The value can be empty.

5. /etc/sudoers

Because this file controls sudo permissions, only root and members of the file's group have read permission on it.



The contents of the file are as follows, with the explanations translated and added as comments:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
# (For details on writing a sudoers file, see the man page: man sudoers.)
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification
# (Command alias specification)

# User privilege specification
# Syntax:
#   <user or group>  <host the user is logged in on> = (<identities the command may run as>)  <commands>
# A leading "%" denotes a user group.
# The command part (after the equal sign) can take other forms, for example:
#
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, LOCATE, DRIVERS
# (Members of the sys group may run every command in the listed command aliases, such as NETWORKING.)
#
# %wheel ALL=(ALL) NOPASSWD: ALL
# (Members of the wheel group may run any command without entering their password.)
#
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
# (Members of the users group may run mount and umount on /mnt/cdrom as root.)

# Allow root to run any command, on any host, as any user and group
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
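To make the user-specification syntax above concrete, here is an added Python example (not from the original page and not sudo's own parser) that parses the one-line specifications shown in this file, carries a NOPASSWD tag across the commands that follow it, and flags grants of ALL without a password. It deliberately skips Defaults, alias and #include lines and does not handle the full sudoers grammar; the SAMPLE text is constructed.

```python
import re

# Simplified match for one-line user specifications as shown in the file above:
#   who   host = (runas_user[:runas_group])   [TAG:] command[, command ...]
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
NOT_SPECS = ("#", "Defaults", "Host_Alias", "User_Alias", "Cmnd_Alias", "Runas_Alias")

# Constructed sample: the three grants from the file above plus one passwordless grant to flag.
SAMPLE = """\
Defaults\tenv_reset
root\tALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo\tALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

def parse_user_spec(line):
    """Return a dict for a user specification line, or None for any other kind of line."""
    line = line.strip()
    if not line or line.startswith(NOT_SPECS):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    runas_user, _, runas_group = (m.group("runas") or "").partition(":")
    commands, tags = [], []
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        # A "TAG:" prefix applies to this command and to the commands after it.
        while ":" in cmd and cmd.split(":", 1)[0] in TAGS:
            tag, cmd = cmd.split(":", 1)
            tags, cmd = tags + [tag], cmd.strip()
        commands.append({"command": cmd, "tags": list(tags)})
    return {"who": m.group("who"), "is_group": m.group("who").startswith("%"),
            "host": m.group("host"),
            "runas_user": runas_user or "root",  # sudo runs as root when no (runas) is given
            "runas_group": runas_group, "commands": commands}

def passwordless_all(spec):
    """True when the spec lets its subject run any command (ALL) without a password prompt."""
    return any(c["command"] == "ALL" and "NOPASSWD" in c["tags"] for c in spec["commands"])

def audit_sudoers(text):
    """Map each user specification's subject to whether it is a passwordless ALL grant."""
    return {s["who"]: passwordless_all(s)
            for s in map(parse_user_spec, text.splitlines()) if s}
```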