
What rights management does Linux have?

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/01 Report--

This article mainly explains what permission management Linux has. Readers who are interested may wish to have a look: the methods introduced here are simple, fast and practical. Let the editor take you through what permission management Linux has.

Permission management of files and directories

The first part briefly introduces some simple operations on files and directories, then moves on to managing users and file permissions: first the configuration files of user and group accounts, then managing user and group accounts, and finally setting the permissions and ownership of files and directories.

Linux controls access to resources based on the user's identity. User accounts are divided into the superuser root (the counterpart of Administrator on Windows) and ordinary users. Logging in as root to perform administrative tasks is not recommended because it is not secure: if you delete an important system file by mistake, it is gone.

User account file - passwd

Used to save the basic information of user accounts. File location: /etc/passwd; each line corresponds to one user account record. The account information of the last two lines is taken as an example below, and the meaning of each field (separated by colons) is analyzed.

Field 1 jzhou: the name of the user account
Field 2 x: password placeholder
Field 3 500: the UID number of the user account (starting from 500 by default in RedHat and CentOS)
Field 4 500: the GID number of the user's primary group (also starting from 500 by default)
Field 5 zhoujie: the user's full name
Field 6 /home/jzhou: the user's host directory, that is, the home directory
Field 7 /bin/bash: the login shell

Because of system operation and management needs, all users can read the contents of the passwd file, but only root can change it.

User password file - shadow

Used to save the password string, the password validity period and other information. File location: /etc/shadow; each line corresponds to one user's password record. The last two lines of records are listed below and the meaning of each field is explained:

Field 1: the name of the user account
Field 2: the encrypted password string (an MD5-based crypt hash here)
Field 3: the time when the password was last changed
Field 4: the minimum number of days the password must be kept before it can be changed again; the default is 0
Field 5: the maximum number of days the password remains valid; the default is 99999
Field 6: how many days in advance the user is warned that the password is about to expire; the default is 7
Field 7: how many days after the password expires the account is disabled (default is empty)
Field 8: account expiration time (default is empty)
Field 9: reserved field (not used)

By default only the root user can read the contents of this file, and even root should not edit it directly. So how do you specify options to implement these settings when adding users? The following briefly describes how to add users and groups.

Add a user account - useradd

Initial configuration files of the user account

File source: when a new user account is created, they are copied from the /etc/skel directory.

The main initial profile files of a user are:

The code is as follows:

~/.bash_profile: executed each time the user logs in
~/.bashrc: executed each time a new Bash environment is entered; aliases for some commands are set here by default
~/.bash_logout: executed each time the user logs out

You can view the contents of the above file through the cat command.

Set / change a user password - passwd

Generally I do not, and do not need to, explain the parameters of each command, but for passwd I will introduce the meaning and usage of its parameters, because I think it is commonly used in system maintenance.

The code is as follows:

[jzhou@localhost ~]$ su - root
Password:
[root@localhost ~]# passwd -l jzhou ==> lock user jzhou's account
Locking password for user jzhou.
passwd: Success
[root@localhost ~]# passwd -S jzhou ==> view the user's status
jzhou LK 2013-02-03 99999 7 -1 (Password locked.) ==> it is locked
[root@localhost ~]# tail -2 /etc/shadow ==> after the account is locked, notice the two extra !! in front of the password, meaning the password is unusable
jzhou:!!$1$XRmjIBM9$SgXA00pPfvhjvxt/9..Lh.:15739:0:99999:7:::
user1:!!:15771:0:99999:7:::
[root@localhost ~]# passwd -u jzhou ==> unlock the account jzhou
Unlocking password for user jzhou. ==> unlocked successfully
passwd: Success.
[root@localhost ~]# passwd -S jzhou ==> view the user's status again
jzhou PS 2013-02-03 99999 7 -1 (Password set, MD5 crypt.)
[root@localhost ~]# tail -2 /etc/shadow ==> observe the password field: the two !! are gone, so the password is usable again
jzhou:$1$XRmjIBM9$SgXA00pPfvhjvxt/9..Lh.:15739:0:99999:7:::
user1:!!:15771:0:99999:7:::
[root@localhost ~]# passwd -d jzhou ==> clear the password of user jzhou
Removing password for user jzhou. ==> the password has been cleared
passwd: Success
[root@localhost ~]# tail -2 /etc/shadow ==> check the change in the password field
jzhou::15771:0:99999:7::: ==> the password field is empty
user1:!!:15771:0:99999:7:::
[root@localhost ~]# passwd jzhou ==> reset the user's password
Changing password for user jzhou.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully. ==> OK, the password has been set
[root@localhost ~]#

Note that a user account with "no password" has not been initialized and cannot log in; this is different from the case of an "empty password". Ordinary users can use the passwd command, but only to change their own password. In addition, locked accounts cannot log in to the system.
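The shadow fields and the passwd -l / -u / -d session above describe the states a password field can be in. As an added example (not code from the original article), the following POSIX shell script classifies constructed /etc/shadow-style records the way an administrator audits them: an empty field, a field beginning with "!" (what passwd -l writes on RHEL/CentOS), "*" for a system account that never had a password, and a hash that is set. The records and hashes are constructed placeholders, and the "never-expires" note relies on field 5 being 99999, the default described above.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style records after passwd -l / -u / -d.
# The sample records below are constructed; the hashes are placeholders.

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhashvalueAAAA:15739:0:99999:7:::
jzhou:!!$1$saltsalt$placeholderhashvalueBBBB:15739:0:99999:7:::
user1:!!:15771:0:99999:7:::
guest::15771:0:99999:7:::
daemon:*:15000:0:90:7:::'

# audit_shadow: reads shadow records on stdin, prints "name STATE note" per record.
# STATE is EMPTY (no password at all), LOCKED (password field starts with "!"),
# NOLOGIN ("*", the account never had a password) or SET (a usable hash).
audit_shadow() {
  awk -F: '
  NF != 9 { next }                        # skip anything that is not a 9-field shadow record
  {
    name = $1; pw = $2; maxdays = $5
    if (pw == "")          state = "EMPTY"
    else if (pw ~ /^!/)    state = "LOCKED"
    else if (pw == "*")    state = "NOLOGIN"
    else                   state = "SET"
    # field 5 is the maximum password age; 99999 (the default) means it never expires
    note = (maxdays == "" || maxdays == 99999) ? "never-expires" : "max=" maxdays "d"
    printf "%s %s %s\n", name, state, note
  }'
}

# shadow_state NAME: the STATE of one account in the constructed sample.
shadow_state() {
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk -v n="$1" '$1 == n { print $2 }'
}

# count_state STATE: how many sample accounts are in the given state.
count_state() {
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk -v s="$1" '$2 == s { c++ } END { print c + 0 }'
}

# Stand-alone run: print the audit and the figure an administrator cares about most.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf 'accounts with an empty password field: %s\n' "$(count_state EMPTY)"
```

To audit a real system, replace the sample with `audit_shadow < /etc/shadow` run as root; an EMPTY result corresponds to the state left by passwd -d above, and a LOCKED result to passwd -l.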

Modify the attributes of a user account - usermod

Several of its functions are the same as those of passwd. For example, the -L and -U options lock and unlock the account, but in uppercase. The other options are the same as those of useradd, that is, changing the UID, GID and so on.

Delete a user account - userdel

Deleting the account with "userdel username" is enough, but after such a deletion the user's home directory still exists, and then creating another account with the same name is not possible. So I am used to adding the -r option to delete thoroughly, that is, to remove the home directory along with the account; after the account is deleted the home directory is useless anyway.

There are also two files related to group accounts, /etc/group and /etc/gshadow, which are less commonly used, especially the latter.

Add a group account - groupadd

Adds a group account. When creating a new user with a specified GID and group name, you must first make sure the group exists, so the group has to be created first. The simple operation is as follows:

The code is as follows:

[root@localhost ~]# groupadd -g 1000 test ==> create a group with a GID of 1000
[root@localhost ~]# tail -3 /etc/group
jzhou:x:500:
user1:x:504:
test:x:1000:
[root@localhost ~]#

Delete a group account - groupdel

Very simple: directly pass the group name as the parameter. After the group account is deleted, the corresponding record is no longer found in the /etc/group file.

Querying user and group accounts:
id command - query a user's identity
groups command - query the groups a user belongs to
finger command - query a user's details
users, w, who commands - query information about users who have logged in to the host

Permissions and ownership of files / directories

Run ls with the -l option, or type the ll command directly, and you can view the permissions on a file.

The first column of the listing is the permission string of 10 characters (such as drwxrwxr-x). The first character is the file type: d for a directory, l for a symbolic link, b for a block device file, c for a character device file and - for a regular file. The remaining characters r, w, x and - stand for read, write, execute and no permission; r, w and x can be represented by the octal values 4, 2 and 1 (and - by 0), so the permissions rwxrwxr-x can also be written as 775. The first three characters rwx (7) are the permissions of the file owner (owner), the middle three rwx (7) are those of the group the file belongs to (group), and the last three r-x (5) are those of other users (other): the so-called ugo permissions.
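The conversion between the symbolic string and the octal number described above is mechanical, so here is an added example (not code from the original article) that does it in POSIX shell with awk. It converts the 10-character column of ls -l to a 4-digit octal mode and back, and it also understands the s/S and t/T characters that replace the execute position when the SUID, SGID and sticky bits discussed later in the article are set. The function names mode_to_octal and octal_to_mode are this example's own.

```shell
#!/bin/sh
# Added example: convert between the symbolic mode of ls -l and the octal mode
# used by chmod, including the special characters s/S (SUID, SGID) and t/T (sticky).

# mode_to_octal MODE: MODE is the 10-character first column of ls -l (e.g.
# "-rwsr-xr-x") or just its 9 permission characters. Prints a 4-digit octal
# mode such as 4755, whose first digit holds the special bits.
mode_to_octal() {
  printf '%s\n' "$1" | awk '
  {
    m = $0
    if (length(m) == 10) m = substr(m, 2)   # drop the file-type character (d, l, b, c, -)
    if (length(m) != 9) { print "mode_to_octal: bad mode string: " $0 > "/dev/stderr"; exit 1 }
    special = 0; digits = ""
    for (g = 0; g < 3; g++) {               # g = 0 owner, 1 group, 2 other
      r = substr(m, g * 3 + 1, 1)
      w = substr(m, g * 3 + 2, 1)
      x = substr(m, g * 3 + 3, 1)
      v = (r == "r" ? 4 : 0) + (w == "w" ? 2 : 0)
      # lowercase s/t: special bit plus execute; uppercase S/T: special bit without execute
      if (x == "x" || x == "s" || x == "t") v += 1
      if (x == "s" || x == "S") special += (g == 0 ? 4 : 2)   # SUID on owner, SGID on group
      if (x == "t" || x == "T") special += 1                  # sticky bit on other
      digits = digits v
    }
    print special digits
  }'
}

# octal_to_mode OCTAL: the inverse, e.g. 4755 -> rwsr-xr-x; 3-digit modes are accepted.
octal_to_mode() {
  printf '%s\n' "$1" | awk '
  {
    n = $0
    while (length(n) < 4) n = "0" n
    special = substr(n, 1, 1) + 0; out = ""
    for (g = 0; g < 3; g++) {
      d = substr(n, g + 2, 1) + 0
      r = (d >= 4) ? "r" : "-"; d = d % 4
      w = (d >= 2) ? "w" : "-"; d = d % 2
      sp = ""
      if (g == 0 && int(special / 4) % 2) sp = "s"
      if (g == 1 && int(special / 2) % 2) sp = "s"
      if (g == 2 && special % 2)          sp = "t"
      if (sp == "") x = (d == 1) ? "x" : "-"
      else          x = (d == 1) ? sp : toupper(sp)
      out = out r w x
    }
    print out
  }'
}

# Stand-alone run: the modes that appear in this article, round-tripped.
for m in drwxrwxr-x -rw-r--r-x -rwsr-xr-x drwxrwxrwt; do
  printf '%-11s -> %s -> %s\n' "$m" "$(mode_to_octal "$m")" "$(octal_to_mode "$(mode_to_octal "$m")")"
done
```

An uppercase S or T in ls output is worth a second look during a review: it means a special bit was set on something that is not even executable, which is usually a mistake in a chmod invocation.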

Set permissions for files / directories - chmod

The code is as follows:

[jzhou@localhost dirtest]$ ll
total 36
drwxrwxr-x 2 jzhou jzhou 4096 03-05 22:43 dirtest1
lrwxrwxrwx 1 jzhou jzhou 8 03-05 22:45 linkfile -> testfile
-rw-rw-r-- 1 jzhou jzhou 67 03-05 22:40 testfile
[jzhou@localhost dirtest]$ chmod g-w,o+x testfile ==> change the group and other permissions of the file testfile; watch how the permissions change
[jzhou@localhost dirtest]$ ls -l
total 36
drwxrwxr-x 2 jzhou jzhou 4096 03-05 22:43 dirtest1
lrwxrwxrwx 1 jzhou jzhou 8 03-05 22:45 linkfile -> testfile
-rw-r--r-x 1 jzhou jzhou 67 03-05 22:40 testfile ==> look, the permissions have changed
[jzhou@localhost dirtest]$ chmod 644 dirtest1/ ==> change the permissions of directory dirtest1 to read-write | read | read
[jzhou@localhost dirtest]$ ll
total 36
drw-r--r-- 2 jzhou jzhou 4096 03-05 22:43 dirtest1 ==> notice that it has changed
lrwxrwxrwx 1 jzhou jzhou 8 03-05 22:45 linkfile -> testfile
-rw-r--r-x 1 jzhou jzhou 67 03-05 22:40 testfile
[jzhou@localhost dirtest]$ chown jzhou:root testfile ==> an ordinary user has no permission to change the ownership
chown: changing owner of 'testfile': Operation not permitted
[jzhou@localhost dirtest]$ su root ==> switch to the root user
Password:
[root@localhost dirtest]# ll
total 36
drw-r--r-- 2 jzhou jzhou 4096 03-05 22:43 dirtest1
lrwxrwxrwx 1 jzhou jzhou 8 03-05 22:45 linkfile -> testfile
-rw-r--r-x 1 jzhou jzhou 67 03-05 22:40 testfile
[root@localhost dirtest]# chown root:root testfile ==> change the owner and group of the file testfile to root
[root@localhost dirtest]# ll
total 36
drw-r--r-- 2 jzhou jzhou 4096 03-05 22:43 dirtest1
lrwxrwxrwx 1 jzhou jzhou 8 03-05 22:45 linkfile -> testfile
-rw-r--r-x 1 root root 67 03-05 22:40 testfile ==> look, its owner and group have become root
[root@localhost dirtest]#

When modifying the permissions or ownership of a directory, you can add the -R option so that the files and subdirectories inside it are changed recursively as well. To change only the owner of a file/directory, specify only the user part, i.e. chown root testfile; to change only the group, omit the user before the colon, i.e. chown :root testfile.

Set-bit permissions (SUID/SGID)

Ordinary users do not have permission to modify the /etc/shadow file, so why can they change their own login password? Because the passwd command program has the SUID permission set, an ordinary user is temporarily granted the permissions of the program's owner (root) while executing the command.

The main uses of the set-bit permissions are:
Set on executable (x-permitted) files with the permission character "s"
When other users execute the file, they gain the permissions of the file's owner or group.
Set-bit permission types:
SUID: the set bit is added to the owner's permissions
SGID: the set bit is added to the group's permissions

The code is as follows:

[root@localhost ~]# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 19876 2006-07-17 /usr/bin/passwd
Ordinary users thus indirectly update their own password in the shadow file with root's privileges.

Note: do not set the set-bit permissions on executable files lightly, especially executables whose owner and group are root; be particularly careful with those. For example, setting SUID on the vim editor program would allow ordinary users to use vim to modify any configuration file in the system.

Sticky bit (Sticky)

Main uses:
Set on a public directory (for example one with permission 777) with the permission character "t"
Users cannot delete other users' files in this directory

Because the system and service programs need them, Linux provides temporary directories such as /tmp and /var/tmp, which allow any user or program to write data. However, imagine what would happen if any ordinary user could delete the temporary files used by running system services. After the sticky bit is set, a dynamic balance is maintained: each user may write and delete data in the directory at will, but deleting other users' data is forbidden.

The code is as follows:

[root@localhost ~]# ls -ld /tmp /var/tmp
drwxrwxrwt 8 root root 4096 09-09 15:07 /tmp ==> the execute bit x of "other" is replaced by the t bit
drwxrwxrwt 2 root root 4096 09-09 07:00 /var/tmp

In fact, these special permission bits are not used much. I think they are just an explanation for those special files; there is no need to delve into them, just know what they are for.

Setting the additional permissions

Setting the set-bit and sticky-bit permissions

Using permission characters:

The code is as follows:

chmod ug±s executable_file ...
chmod o±t directory_name ...

Using permission numbers:

The code is as follows:

chmod mnnn executable_file ...
m = 4 corresponds to SUID, 2 to SGID and 1 to the sticky bit; the values can be added together.

The set-bit mark character is "s". In octal form, SUID corresponds to "4" and SGID to "2". The permission mode can then be given in the form "nnnn": for example "4755" sets the SUID permission, and "6755" sets SUID and SGID at the same time.
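The practical check that follows from the SUID/SGID and sticky-bit sections is to audit a directory tree for files that carry these bits, since the warning above about SUID on arbitrary executables is only useful if you can find such files. The following is an added example in POSIX shell, not code from the original article: it builds a constructed throwaway tree with the numeric modes just described (4755, 2755, 1777, 0777), then lists set-bit files, sticky directories, and world-writable directories that lack the sticky bit. The function names and the tree layout are this example's own.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID/SGID files and sticky-bit
# directories, using a constructed throwaway tree so it runs without root.

# list_setbit_files DIR: regular files under DIR with SUID or SGID set,
# printed as "<SUID|SGID|SUID,SGID> <path>".
list_setbit_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort | while IFS= read -r f; do
    flag=""
    [ -u "$f" ] && flag="SUID"
    [ -g "$f" ] && flag="${flag}${flag:+,}SGID"
    printf '%s %s\n' "$flag" "$f"
  done
}

# list_sticky_dirs DIR: directories under DIR with the sticky bit (t) set.
list_sticky_dirs() {
  find "$1" -type d -perm -1000 | sort
}

# world_writable_without_sticky DIR: directories writable by everyone but lacking t,
# i.e. any user could delete other users' files there (the /tmp problem described above).
world_writable_without_sticky() {
  find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Counting helpers so the results can be checked rather than only printed.
count_setbit_files() { list_setbit_files "$1" | wc -l | tr -d ' '; }
count_sticky_dirs()  { list_sticky_dirs "$1"  | wc -l | tr -d ' '; }

# make_demo_tree: constructed sample tree under a temp dir; prints its path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/shared" "$d/plain"
  for t in suid_tool sgid_tool normal_tool; do
    printf '#!/bin/sh\necho hello\n' > "$d/bin/$t"
  done
  chmod 0755 "$d/bin"
  chmod 4755 "$d/bin/suid_tool"     # SUID: runs with the owner's privileges
  chmod 2755 "$d/bin/sgid_tool"     # SGID: runs with the group's privileges
  chmod 0755 "$d/bin/normal_tool"   # no special bits
  chmod 1777 "$d/shared"            # world-writable with sticky bit, like /tmp
  chmod 0777 "$d/plain"             # world-writable WITHOUT sticky bit
  printf '%s\n' "$d"
}

# Stand-alone run on the constructed tree.
demo=$(make_demo_tree)
echo "set-bit files:";                   list_setbit_files "$demo"
echo "sticky directories:";              list_sticky_dirs "$demo"
echo "world-writable without sticky:";   world_writable_without_sticky "$demo"
rm -rf "$demo"
```

On a real host the same functions can be pointed at / (as root, and with `-xdev` added to the find calls to stay on one filesystem); compare the list of set-bit files against the distribution's package manifests, and any SUID binary that is not accounted for is exactly the case the note about vim warns against.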

At this point, I believe you have a deeper understanding of what permission management Linux has; you might as well try the operations yourself. This is the website: more related content can be found in the relevant channels, so follow us and keep learning!


© 2024 shulou.com SLNews company. All rights reserved.
