Preface

Only a bald head can be strong

To recap:

  • After reading this article Linux basic operation will be

I didn’t expect my last article to get thousands of likes on Zhihu. The Linux final exam is approaching, and I haven’t written an article for half a month. This article sorts out the Linux user and permission knowledge points.

So let’s get started. If there are any mistakes in this article, please feel free to correct them in the comments section.

1. Linux users

Linux is a multi-user system: multiple users can be logged in to Linux at the same time.

  • An account is essentially a user’s identity on the system.

Accounts in Linux include:

  • User accounts
    • Ordinary user account: its task on the system is to perform ordinary work
    • Super user account (or administrator account): its task on the system is to manage ordinary users and the entire system
  • Group accounts (a group is a collection of users)
    • Standard group: a standard group can hold multiple users
    • Private group: a private group contains only its own user

When a user belongs to multiple groups, these groups are divided into:

  • Primary group (initial group): the group in effect when the user logs in to the system
  • Additional groups: other groups the user can switch to after login

As mentioned above, an account is essentially a user’s identity on the system, and that identity is stored in files:

  • The username and UID are saved in the /etc/passwd file; file permissions (-rw-r--r--)
  • Groups and GIDs are saved in the /etc/group file; file permissions (-r--------)
  • The user password is saved in the /etc/shadow file; file permissions (-rw-r--r--)
  • The group password is saved in the /etc/gshadow file; file permissions (-r--------)

In other words, when we create a user, its information is spread across these different files.

With that in mind, here’s a quick overview of what happens when you create a user:

  • The username and UID are saved in the /etc/passwd file; the user’s password is usually protected with shadow passwords, kept in /etc/shadow
  • When the user logs in, they are assigned a home directory and a program to run (usually a shell)
  • If no group is specified, RHEL/CentOS creates a private group with the same name as the user and assigns the user to that private group

To recap: an account is essentially a user’s identity on the system, and that identity is stored in files. In other words, we can maintain accounts by editing the system account files directly.

  • But this is not recommended. If you do edit them, use the following commands to check that your edits are syntactically valid:
    • pwck: verifies the integrity of the user account files and authentication information. It checks the format and values of the fields in each line of /etc/passwd and /etc/shadow
    • grpck: verifies the integrity of the group account files. It checks the format and values of the fields in each line of /etc/group and /etc/gshadow
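As an added example (not from the original article), here is a pwck/grpck-style consistency check written in Python over constructed sample records in the /etc/passwd, /etc/shadow and /etc/group formats; it also interprets the * and !! password fields that the exercises below ask about. Every user name, UID and hash in it is made up for the demo.

```python
# Added example, not from the original article: a pwck/grpck-style consistency
# check over constructed /etc/passwd, /etc/shadow and /etc/group records.
PASSWD = """\
jk08:x:1001:1001::/home/jk08:/bin/bash
peter:x:1002:1002::/home/peter:/bin/bash
jason:x:1003:1002::/home/jason:/bin/bash
broken:x:1004:1004:/home/broken:/bin/bash
mary:x:1005:1005::/home/mary:/bin/bash
"""
SHADOW = """\
jk08:!!:19000:0:99999:7:::
peter:*:19000:2:90:5:7::
jason:$6$saltsalt$hashhash:19000:0:99999:7:::
ghost:!!:19000:0:99999:7:::
"""
GROUP = """\
jk08:x:1001:
peter:x:1002:jason
"""

def parse(text):
    """Split colon-separated records into (line number, fields) pairs."""
    return [(n, line.split(":")) for n, line in enumerate(text.splitlines(), 1) if line.strip()]

def password_status(field):
    """Interpret the password field of a shadow record."""
    if field == "*":
        return "disabled"        # no valid hash: password login is impossible
    if field.startswith("!"):
        return "locked"          # passwd -l prefixes the hash with a lock flag
    return "empty" if field == "" else "set"

def check_accounts(passwd_text, shadow_text, group_text):
    """Return a list of problems, in the spirit of pwck/grpck."""
    problems = []
    gids = {f[2] for _, f in parse(group_text) if len(f) == 4}
    shadow_names = set()
    for n, f in parse(shadow_text):
        if len(f) != 9:
            problems.append(f"shadow line {n}: {len(f)} fields, expected 9")
        else:
            shadow_names.add(f[0])
    passwd_names = set()
    for n, f in parse(passwd_text):
        name = f[0]
        if len(f) != 7:
            problems.append(f"passwd line {n} ({name}): {len(f)} fields, expected 7")
            continue
        passwd_names.add(name)
        if not (f[2].isdigit() and f[3].isdigit()):
            problems.append(f"passwd: {name} has a non-numeric UID or GID")
        elif f[3] not in gids:
            problems.append(f"passwd: {name} has primary GID {f[3]} missing from the group file")
        if name not in shadow_names:
            problems.append(f"shadow: no entry for passwd user {name}")
    for name in sorted(shadow_names - passwd_names):
        problems.append(f"shadow: {name} has no passwd entry")
    return problems
```

Running check_accounts(PASSWD, SHADOW, GROUP) reports the malformed "broken" line, mary’s missing group and shadow entries, and the orphaned shadow entry for ghost.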

Since editing the files directly is not recommended, Linux naturally provides ready-made commands for us to use:

1.1 Commands used to Manage Linux Users

User management:

  • useradd
  • usermod
  • userdel

Group management:

  • groupadd
  • groupmod
  • groupdel

Batch management of users:

  • newusers: add or update a batch of accounts
  • chpasswd: update user passwords in batch

Group member management:

  • Add a user to a standard group
    • gpasswd -a <username> <groupname>
    • usermod -g <groupname> <username> (-g sets the primary group; usermod -aG appends a supplementary group)
  • Remove a user from a standard group
    • gpasswd -d <username> <groupname>

Password maintenance (disabling, restoring, and deleting user passwords):

  • Set a user password:
    • passwd [<username>]
  • Disable (lock) a user account password:
    • passwd -l <username>
  • View the password status of a user account:
    • passwd -S <username>
  • Restore (unlock) a user account password:
    • passwd -u <username>
  • Clear a user account password:
    • passwd -d <username>

Password aging settings:

  • Modify the related configuration parameters in /etc/login.defs

Set the password validity period for existing users:

  • The chage command
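The aging fields that chage edits live in the /etc/shadow record (last change day, minimum and maximum age, warning period, inactivity period). The following added example, not from the original article, applies those rules in Python to a constructed record using the values from the Peter exercise below (min 2, max 90, warn 5, inactive 7); the exact inclusive/exclusive boundary handling is this example’s assumption.

```python
# Added example, not from the original article: the password-aging rules that
# chage and the shadow file express, applied to the exercise values for Peter
# (min 2, max 90, warn 5, inactive 7). Days count from 1970-01-01, as in the
# third shadow field; the exact boundary handling is this example's assumption.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def to_date(days):
    """Shadow stores day counts; turn one into a calendar date."""
    return EPOCH + timedelta(days=days)

def parse_aging(shadow_line):
    """Pull the aging fields out of a shadow record; empty fields mean unset."""
    f = shadow_line.split(":")
    num = lambda s: int(s) if s else None
    return {"lastchg": num(f[2]), "min": num(f[3]) or 0, "max": num(f[4]),
            "warn": num(f[5]) or 0, "inactive": num(f[6])}

def aging_status(aging, today):
    """Classify the account on day `today`: ok, warning, expired or inactive."""
    last, mx = aging["lastchg"], aging["max"]
    info = {"can_change": today >= last + aging["min"], "expires": None}
    if mx is None or mx >= 99999:          # 99999 is the usual 'never expires'
        info["state"] = "ok"
        return info
    expires = last + mx
    info["expires"] = to_date(expires)
    inactive = aging["inactive"]
    if inactive is not None and today > expires + inactive:
        info["state"] = "inactive"   # login refused until root resets the password
    elif today >= expires:
        info["state"] = "expired"    # login forces a password change
    elif today >= expires - aging["warn"]:
        info["state"] = "warning"    # user sees the expiry warning at login
    else:
        info["state"] = "ok"
    return info

PETER = "peter:$6$saltsalt$hashhash:19000:2:90:5:7::"   # constructed record
```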

User switching commands:

  • su
    • Switch to the super user
  • sudo
    • Run system administration commands directly by prefixing them with sudo. You do not need to know the super user’s password; you use your own ordinary user password

For more information:

  • www.cnblogs.com/slgkaifa/p/… The difference between su and sudo for Linux permissions

User-related commands:

  • id: displays the current user’s UID, GID, and group list
  • groups: displays the list of groups the specified user belongs to
  • whoami: displays the name of the current user
  • w/who: displays the logged-in users and related information
  • newgrp: switches the user’s current group to the specified group account; the user must belong to that group to run this command

1.2 Exercises for Linux Users

Run the cat command to view the following files: /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow; then display the default values the useradd command uses when adding users.

Create the Linux account jkXX (XX is the last two digits of your student ID), set its user group to users, and set a password; observe the changes in /etc/passwd and /etc/shadow. Log out of the root account, log in as jkXX, create a file myFirst in its home directory, and list myFirst in long format.

Log in as root. Add the group JSJ; make user jkXX a member of the JSJ group, and observe the changes in /etc/passwd, /etc/group and /etc/gshadow.

Add a new user airXX (XX is the last two digits of your student ID) and check the user ID and group ID of airXX. Then delete the user without adding any options to the command, observe the changes in the user and group files, and check whether the airXX home directory still exists.

In the shadow file, what do the password field values * and !! stand for?

A: * indicates that the account is disabled; !! indicates that the password is locked.

What is the group ID of the airXX user? What type of group is it? What is the benefit?

A: The group ID of user air08 is 501, and it is a private group. Every user created without a specified group gets a group with the same name as the user; such a group is called a private group and has only one member. This helps prevent information leakage and unreasonable authorization; in short, it is conducive to safe management.

What is the advantage of deleting a user by default (without options) while keeping the user’s home directory?

A: Keeping the home directory prevents valuable data from being deleted by mistake.

Run the cat command to look at /etc/passwd as a model. Then create a new file named userXX (XX is the last two digits of your student ID) containing three records for the users jkXX, Peter and Jason, with user IDs greater than 1000 and group IDs greater than 1000; Peter and Jason should share the same group. Use the newusers command to generate the users in batch from the file userXX, and observe the changes in /etc/passwd.

Run the cat command to look at /etc/shadow. Use vi to edit a new file named mimaXX (XX is the last two digits of your student ID) containing three records, with the same user names as in the previous step. Run the chpasswd command to generate passwords in batch from mimaXX and observe the change in /etc/shadow; then run chpasswd -m to generate the passwords again and observe the changes in /etc/shadow.

Log out of root and log in as jkXX. Exit the jkXX account, return to root, and observe /etc/shadow. Run the passwd command to lock user jkXX and observe the change in /etc/shadow. Then log out of root and log in as jkXX. Does the login succeed?

Run the chage command to check Peter’s account time settings. Reset Peter’s settings so that the password cannot be changed within two days, the maximum password lifetime is 90 days, the user is warned 5 days before the password expires, and the account becomes inactive 7 days after the password expires. Use chage to review Peter’s account time settings again.

Log in as root. su to the Jason account; cd into the user’s home directory; create a new file abc and list it in long format. Observe the user and group attributes of the file.

What happens to the shadow file after an account is locked?

A: The password field of the locked account is prefixed with the lock flag !!.

Which user does a new file belong to after su is used to switch users?

A: The new file belongs to the user switched to.

Is the result the same when the chpasswd command is run twice? Which encryption algorithm is more secure, MD5 or SHA512?

A: The result of running chpasswd twice is different (each run salts the hash anew). By default the SHA512 algorithm is used; with -m, the MD5 algorithm is used. SHA512 is more secure because the resulting hash is longer and requires more computation to crack.

Create three ordinary user accounts as follows: the user names are jkXX (XX is the last two digits of your student ID), Peter and Jason, and jkXX and Jason are members of the same ordinary group; observe the changes in /etc/passwd. Add the root group to the jkXX account.

Practise the id, groups, whoami and who commands in turn to display the current account information; switch to jkXX with su and practise id, groups, whoami and who again; switch the jkXX account’s current group with newgrp and practise id, groups, whoami and who once more.

2. Permission management

Linux is a multi-user operating system that allows multiple users to log in and work on the system at the same time. To keep the system and its users secure, Linux naturally has its own permission management mechanism!

Anyone who has used Linux to look at directories and files has probably run the ls -l command and been met with a long string of output. Can you read it?

For example:

	drwxr-xr-x   3  osmond   osmond    4096  05-16 13:32   nobp

It’s really simple. Take drwxr-xr-x: the first character is the file type (d for a directory), and the remaining nine characters are the permission bits. Let’s break it down:

These nine characters are grouped in threes to form three sets of permission controls:

  • The first set controls the access rights of the file owner
  • The second set controls the access rights of other members of the owner’s group
  • The third set controls the access rights of all other users on the system

rwx stands for r = read, w = write, x = execute, and a - in any position means that permission is absent. Reading drwxr-xr-x from left to right:

  • d means a directory, followed by nine letters in groups of three. The permissions for this directory are:
    • readable, writable and executable (enterable) for the owner, readable and executable for members of the same group, and readable and executable for other users

Isn’t it easy? r = read, w = write, x = execute, easy to understand.

These rwx permissions can also be written as octal numbers for convenience: within each triplet r = 4, w = 2 and x = 1, and the three values are added, so rwxr-xr-x is 755.

Priority order of permissions:

  • If the UID matches, the owner permissions are applied
  • Otherwise, if the GID matches, the group permissions are applied
  • If neither matches, the permissions for others are applied
  • The root user has all permissions; no further explanation is needed
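The priority order above means exactly one permission class applies to a request, even when that class is more restrictive than the others. The following added example (not from the original article) models that decision in Python, together with the sticky-bit deletion rule used in the /tmp/myfold exercise later in the article; the users, UIDs and files are constructed for the demo.

```python
# Added example, not from the original article: deciding an access request with
# the priority order listed above (owner if the UID matches, else group if the
# GID or a supplementary group matches, else others; root always wins), plus the
# sticky-bit deletion rule. Users and files below are constructed for the demo.
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits including the special bits, e.g. 0o1777
    uid: int
    gid: int

@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups

def effective_bits(inode, proc):
    """Exactly one class applies; a matching owner class is used even if it is
    more restrictive than the group or others class."""
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if proc.gid == inode.gid or inode.gid in proc.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def allowed(inode, proc, want):
    """True if every bit in `want` (a combination of R, W, X) is granted."""
    if proc.uid == 0:
        return True
    return effective_bits(inode, proc) & want == want

def may_delete(dir_inode, file_inode, proc):
    """Unlinking needs w+x on the directory; with the sticky bit (0o1000) set,
    only the file owner, the directory owner or root may delete the entry."""
    if proc.uid == 0:
        return True
    if not allowed(dir_inode, proc, W | X):
        return False
    if dir_inode.mode & 0o1000:
        return proc.uid in (file_inode.uid, dir_inode.uid)
    return True
```

With myfold = Inode(0o3777, 1001, 1001) owned by jk08 and a world-writable file aaa inside it, may_delete returns False for Jason (uid 1003) but True for jk08 and root.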

2.1 Common Commands for Managing Linux Permissions

  • chmod
    • Changes the permissions of a file or directory
  • chown
    • Changes the owner of a file or directory
  • chgrp
    • Changes the group to which a file or directory belongs
  • umask
    • Sets the default creation mask for new files


2.2 Permission Extension knowledge

The umask attribute mentioned above works like this: the default creation mask tells the system which permissions should not be granted to a file or directory when it is created.

  • The default umask value is 022: the mask is removed from the base permissions (666 for files, 777 for directories), so new files get 644 and new directories get 755

In addition to the permissions described above, Linux provides three special permissions:

  • SUID: the command runs with the permissions of the file’s owner, not of the user who executes it
  • SGID: the command runs with the permissions of the file’s group
  • Sticky bit: files in the directory can be deleted only by the file’s owner and the root user

They are expressed like this:

  • SUID and SGID are denoted by s; the sticky bit is denoted by t
  • SUID occupies the owner’s x position
  • SGID occupies the group’s x position
  • The sticky bit occupies the others’ x position

For example, /tmp has the sticky bit set, and /usr/bin/passwd has SUID set:

	drwxrwxrwt   5 root root  4096 06-18 01:01 /tmp
	-rwsr-xr-x   1 root root 23420 2010-08-11 /usr/bin/passwd

SUID, SGID and the sticky bit also have numeric representations: a fourth, leading octal digit where SUID = 4, SGID = 2 and sticky = 1 (for example, 4755 for /usr/bin/passwd and 1777 for /tmp).


The Linux kernel has a number of security features. The extended attributes of the ext2/3/4 file systems can protect the system to some extent.

Common extended attributes:

  • A (no atime): tells the system not to update the last access time of this file.
    • Using the A attribute can improve performance.
  • S (Sync): once an application writes to this file, the system immediately writes the modified result to disk.
    • Using the S attribute ensures the integrity of the file to the greatest extent.
  • a (Append Only): the system only allows data to be appended to the file; no process may overwrite or truncate it. If a directory has this attribute, the system only allows files in the directory to be created and modified, not deleted.
  • i (Immutable): the system does not allow any modification of this file. If a directory has this attribute, processes can only modify files under the directory, not create or delete them.
    • Attributes a and i are beneficial for improving file system security and ensuring file system integrity.

Common commands:

  • Display extended attributes: lsattr [-adR] [file|directory]
  • Modify extended attributes: chattr [-R] [-+=][attributes] <file|directory>

2.3 Permission Management Exercises

Log in as root, create a file aaaXX (XX is the last two digits of your student ID), and view its permissions in long format. Using the chmod command in symbolic (text) mode, add write permission for the group of aaaXX and observe the result; using chmod in numeric mode, set the permissions of aaaXX to 766 and observe the result.

Switch to the Peter account, check the current umask and observe the result; create a directory foldXX (XX is the last two digits of your student ID) and check its permissions; create a new file bbb and check its permissions; change the umask to 066, create a new file ccc, and check its permissions.

Switch to the jkXX account; create a file myfile and observe its attributes; change the group of myfile to root with chgrp; can you change the owner of myfile to root? Switch to root, change the owner of myfile to root, and observe the result.

What does the number 766 mean for file permissions?

A: 766 means the file permissions are rwxrw-rw-.

Why did changing the owner of myfile fail under the jkXX account?

A: Only the root account can use chown.

Do umask 022 and umask 066 have the same effect on the attributes of newly created files? Why?

A: The effect is different, of course. umask defines the permissions that should not be granted by default; converted to binary, 066 has two more restricted bits than 022.

Log in as root, copy the file /usr/bin/dir to the user’s home directory, and list the file in long format. Set the SUID and SGID bits of the file to 1 and list it in long format again. Switch to the jkXX account and run the copied file dir (note that a file under the current path must be run with a path, such as ./dir).

Switch to the jkXX account, go to the /tmp directory, create the folder myfold, set its permissions to 777 with SGID and the sticky bit set to 1, list it in long format, and check the attributes of myfold; enter myfold, create a new file aaa, set its attributes to readable and writable by anyone, and list it in long format; switch to Jason, go to /tmp/myfold and delete the file aaa. Can aaa be deleted?

As root, go to the user’s home directory. Create a file bbb and view its extended attributes; add extended attribute i to bbb, then try to delete the file: does it succeed, and how can it be deleted? Create a file ccc, add extended attribute a to it, list the /bin directory in long format with the output redirected to ccc, and check whether the length of ccc changes; then list the /etc directory in long format with the output redirected to ccc.

Switch to the jkXX account, create a directory myshare under /tmp, and use getfacl to view the access control list of myshare; grant the Jason user rwx on the myshare folder and check how the access control list changes; switch to the Jason account, enter myshare and create the file yyy; switch to the Peter account, enter myshare and create the file zzz. Does it succeed? Why?

In myfold, why can’t Jason delete a file that anyone can read and write?

A: Because the owner jk08 set the sticky bit on the myfold folder, files in this folder can be deleted only by their owner and the root user.

Why can’t the Peter account create files in the myshare folder?

A: Because the myshare folder belongs to user jk08, only jk08 has rwx permission on the directory by default. In addition, an ACL was used to give the Jason user rwx access to the directory. Peter is neither the folder’s owner nor granted rwx in the ACL; by the permission settings, Peter only has r-x on the folder, so he cannot create files.

After adding extended attribute a, redirecting output to the ccc file may fail. How can the output succeed?

A: Use append redirection (>>). Adding content only at the end of the file complies with the restriction imposed by extended attribute a.

3. Summary

This article mainly summarizes the Linux user and permission knowledge points. These two topics are very important in Linux and are the foundation of learning Linux.

Continue to improve the last mind map:

If there are any mistakes in the article, corrections are welcome, and everyone is encouraged to exchange ideas. Students who are used to reading technical articles on WeChat and want more Java resources can follow the WeChat public account: Java3y

Article table of contents navigation:

  • Zhongfucheng.bitcron.com/post/shou-j…