2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through examples of account management and ACL permission settings in Linux.
==== Account Management Profile ====
vim /etc/passwd shows all accounts on the system. Each line represents one account, for example:
yidao:x:1000:1000:fedora17:/home/yidao:/bin/bash
The seven fields, separated by ":", are:
1: Account name
2: Password
3: UID
4: GID
5: User information description
6: Home folder
7: Shell
vim /etc/shadow shows the password information. Each line holds the password information for one account, for example:
yidao:$1$Bylot.Y3$kMjNj1.KyW9lS3TUuAIPd/:15614:0:99999:7:::
The nine fields, separated by ":", are:
1: Account name
2: Password
3: Date of the last password change, in days since January 1, 1970
4: Number of days during which the password cannot be changed (counted from the third field)
5: Number of days after which the password must be changed (counted from the third field)
6: Number of warning days before the password must be changed (relative to the fifth field)
7: Account grace days after password expiration (password expiration date) (relative to the fifth field)
8: Account expiration date, also in days since January 1, 1970
9: Reserved
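The field meanings above can be turned into a quick audit. This is an added example, not part of the original article: it reads shadow-format lines, names the hash scheme from the prefix of field 2, and derives a status from fields 3, 5, 7 and 8. The function name, the status words and the "today" value are assumptions; every sample line except the article's own is constructed.

```sh
#!/bin/sh
# Added example, not from the article. Reads /etc/shadow-format lines on
# stdin and prints "account:hash-scheme:status" for each one.
# $1 = today's date as days since 1970-01-01 (same unit as fields 3 and 8).
shadow_audit() {
    awk -F: -v today="$1" '
    function scheme(pw) {
        sub(/^!+/, "", pw)                     # ignore the lock marker
        if (pw == "" || pw == "*") return "none"
        if (pw ~ /^\$1\$/) return "md5crypt"   # legacy scheme, weak today
        if (pw ~ /^\$5\$/) return "sha256crypt"
        if (pw ~ /^\$6\$/) return "sha512crypt"
        if (pw ~ /^\$y\$/) return "yescrypt"
        if (pw ~ /^\$2[abxy]?\$/) return "bcrypt"
        return "other"
    }
    function status(    due) {
        if ($8 != "" && today + 0 >= $8 + 0) return "account-expired"
        if ($2 ~ /^[!*]/) return "locked"
        if ($2 == "") return "no-password"
        if ($3 == "" || $5 == "") return "ok"  # no aging data recorded
        due = $3 + $5                          # day the password must change
        if (today + 0 <= due) return "ok"
        if ($7 != "" && today + 0 > due + $7) return "inactive"
        return "password-expired"
    }
    NF >= 8 { print $1 ":" scheme($2) ":" status() }'
}

# First line is the article's sample; the other three are constructed.
shadow_audit 20000 <<'EOF'
yidao:$1$Bylot.Y3$kMjNj1.KyW9lS3TUuAIPd/:15614:0:99999:7:::
svc:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
old:$6$constructedsalt$constructedhash:19000:0:90:7:14::
temp:$6$constructedsalt$constructedhash:19900:0:99999:7::19950:
EOF
```

On a real system, feed it /etc/shadow as root and pass `$(( $(date +%s) / 86400 ))` as the day number.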
/etc/group file:
yidao:x:1000:
User group name: user group password (moved to /etc/gshadow, so usually x): GID: names of the accounts that belong to this user group (only accounts for which this is not the initial user group are listed)
The groups command displays all user groups to which the user belongs. The first one listed is the effective user group, which is the group used when creating a new file.
The newgrp command switches the effective user group. It opens a new subshell; return with exit.
/etc/gshadow file:
root:::
User group name: password column (if it begins with !, there is no valid password, so there is no user group administrator): user group administrator account: accounts under the user group
==== New account: useradd ====
# useradd [-u UID] [-g GID] [-G secondary user group] [-mM] [-c description] [-d home folder] [-s shell] [-r] user account
-M: Do not create the user's home folder (default for system accounts)
-m: Always create the user's home folder (default for general accounts)
-r: Create a system account
When creating an account, useradd consults at least these files:
/etc/default/useradd
/etc/login.defs
/etc/skel/*
The chage command displays and modifies the detailed password information:
# chage [-ldEImMW] account name
-l: List password details
-d: followed by a date, modifies the third field of shadow (date of last change), format YYYY-MM-DD
-E: followed by a date, modifies the eighth field of shadow (account expiration date), format YYYY-MM-DD
-I: followed by days, modifies the seventh field of shadow (grace days after password expiration)
-m: followed by days, modifies the fourth field of shadow (minimum number of days to keep a password)
-M: followed by days, modifies the fifth field of shadow (maximum number of days to keep a password)
-W: followed by days, modifies the sixth field of shadow (number of days before password expiration at which the warning starts)
==== Fine-tuning account data: usermod ====
# usermod [-cdegGlsuLU] username
-c: followed by the account description, i.e. the fifth column of /etc/passwd
-d: followed by the account home folder, the sixth column of /etc/passwd
-e: followed by a date in YYYY-MM-DD format, the eighth field of /etc/shadow (account expiration date)
-f: followed by days, the seventh field of shadow (grace days after password expiration)
-g: followed by the initial user group, the fourth field of /etc/passwd, i.e. the GID field
-G: followed by secondary user groups; sets the user groups this user belongs to by modifying /etc/group (this is an assignment, so it replaces the existing list)
-a: used together with -G to append secondary user groups instead of replacing the list
-l: followed by the account name, i.e. renames the account, the first column of /etc/passwd
-s: followed by the actual shell file, such as /bin/bash, /bin/csh, etc.
-u: followed by the UID, the third column of /etc/passwd
-L: Temporarily freeze the user's password so that the user cannot log in. In fact, this only changes the password column of /etc/shadow.
-U: Remove the ! from the password column of /etc/shadow to unlock the account.
A few small commands:
# finger [-s] username: lists user-related attributes
# chfn [-foph] username: modify the finger attribute, that is, personal information
# chsh [-ls]: modify shell
# id username: check the ID information
==== User Group Management Command ====
# groupadd [-g gid] [-r] user group
-g: followed by GID
-r: Create a new system user group
# groupmod [-g gid] [-n group_name] User group name
-g: Modify GID
-n: modify group name
groupmod is rarely useful, and it is best not to use it.
# groupdel User group name
# gpasswd groupname: Give a group password
# gpasswd [-A user1, ...] [-M user3, ...] groupname
-A: Hand control of groupname to the users listed after it (they become the administrators of the user group)
-M: Add certain accounts to this group
# gpasswd [-rR] groupname
-r: delete groupname password
-R: disable groupname password field
Here are the group administrator commands:
# gpasswd [-ad] user groupname
-a: add the user to groupname
-d: delete the user from groupname
==== Access Control List ====
Check if ACL is supported.
# sudo dumpe2fs -h /dev/sda5 | grep acl
Set acl permissions:
# setfacl [-bkRd] [{-m|-x} acl parameter] destination file name
Parameters:
-m: Set the acl parameters that follow on the file; cannot be used together with -x
-x: Delete the acl parameters that follow; cannot be used together with -m
-b: Delete all acl parameters
-k: Remove the default acl parameters (default parameters are explained under -d)
-R: Set the acl recursively, including subdirectories
-d: Set the default acl parameters. Valid only for directories; new data created in the directory takes this default
Set user rules: u:[user account list]:[rwx]
# touch text.txt
# setfacl -m u:yidao:rx text.txt
# setfacl -m u::rx text.txt ==> With no account name, this sets the permissions of the file's owner
# getfacl text.txt ==> View acl settings
The getfacl output includes a mask entry. The permissions of a user or user group take effect only where they fall within the permissions of the mask; this is what "effective permission" means.
Set user group rules: g:[user group list]:[rwx]
# setfacl -m g:yidao:rx text.txt
Set the mask rule: m:[rwx]
# setfacl -m m:rx text.txt
To have the ACL permission settings of a directory inherited by its subdirectories, use the default form:
d:[u|g]:[user|user group list]:[rwx]
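How the mask produces the effective permission, as an added example that is not part of the original article: the function reads getfacl-style text and prints each entry after the mask has been applied. The function name is an assumption and the sample listing is constructed, with the mask narrowed to r-- so the clipping is visible.

```sh
#!/bin/sh
# Added example, not from the article. Reads getfacl-style output on stdin
# and prints every access ACL entry with the permission that really applies.
acl_effective() {
    awk -F: '
    function mask_and(perm, mask,    i, out, p) {
        out = ""
        for (i = 1; i <= 3; i++) {             # r, w, x positions
            p = substr(perm, i, 1)
            out = out ((p != "-" && substr(mask, i, 1) == p) ? p : "-")
        }
        return out
    }
    /^#/ || /^default:/ || NF < 3 { next }     # headers, default ACL, blanks
    { sub(/[ \t]*#.*$/, "", $3) }              # drop "#effective:" comments
    $1 == "mask" { mask = $3; next }
    { n++; tag[n] = $1; who[n] = $2; perm[n] = $3 }
    END {
        for (k = 1; k <= n; k++) {
            p = perm[k]
            # The mask limits named users, named groups and the owning
            # group; the owner (user::) and other are not limited by it.
            masked = (tag[k] == "group") || (tag[k] == "user" && who[k] != "")
            if (mask != "" && masked) p = mask_and(p, mask)
            print tag[k] ":" who[k] ":" p
        }
    }'
}

# Constructed sample in the format printed by "getfacl text.txt".
acl_effective <<'EOF'
# file: text.txt
# owner: root
# group: root
user::rwx
user:yidao:r-x
group::rw-
group:yidao:r-x
mask::r--
other::r-x
EOF
```

The owner keeps rwx and other keeps r-x, while yidao and both group entries are reduced to r--.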
==== User Identity Switching ====
To switch to root use:
# su -
# su - -c 'head -n 3 /etc/shadow' ==> Automatically returns to the current user after executing the command as root
# sudo [-b] [-u new user account] command
-b: Run the command that follows in the background, without affecting the current shell environment
-u: followed by the user name to switch to; without it, root is used
# sudo -u sshd touch /tmp/mysshd
# sudo -u testuser sh -c "mkdir ~testuser/www; cd ~testuser/www; echo 'fuck you' > index.html"
Use visudo to edit the /etc/sudoers file:
yidao ALL=(ALL) ALL
Fields: user account, source host the user logs in from = (identity that can be switched to), commands that can be executed
%yidao ALL=(ALL) ALL ==> Note that % marks a setting for a user group
%yidao ALL=(ALL) NOPASSWD: ALL ==> Password-free
Set up sudoers with aliases:
# visudo
User_Alias ADMUSERS = myuser1, myuser2
Host_Alias ADMHOSTS = www.springzoo.com, www.google.com.hk
Cmnd_Alias ADMCMD = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
ADMUSERS ADMHOSTS = ADMCMD
Combining sudo with su: users enter their own password once to become root, and after that they no longer have to type sudo
# visudo
User_Alias ADMINS = yidao, test…
ADMINS ALL=(root) /bin/su -
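A review pass over rules like the ones above, as an added example that is not part of the original article: it reads sudoers-format lines and reports the rules that skip the password prompt, allow every command, or hand out a shell. The function name and finding labels are assumptions, the parsing covers single-line rules only, and the last sample line is constructed.

```sh
#!/bin/sh
# Added example, not from the article. Reads sudoers-format lines on stdin
# and prints "who:findings" for rules that deserve a second look.
sudoers_audit() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments, blank lines
    $1 ~ /^(Defaults|(User|Host|Cmnd|Runas)_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1
        rhs = substr($0, eq + 1)
        gsub(/\([^)]*\)/, "", rhs)                   # drop (runas) lists
        found = (rhs ~ /NOPASSWD:/) ? ",nopasswd" : ""
        gsub(/[A-Z]+:/, "", rhs)                     # drop tags (NOPASSWD: ...)
        all = 0; shell = 0
        n = split(rhs, cmd, ",")
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            split(c, w, /[ \t]+/)                    # w[1] = command path
            if (c == "ALL") all = 1                  # any command at all
            if (w[1] ~ /^\/.*\/(su|sh|bash)$/) shell = 1
        }
        if (all) found = found ",all-commands"
        if (shell) found = found ",shell"
        if (found != "") print who ":" substr(found, 2)
    }'
}

# Rules taken from the article, plus one constructed narrow rule (backup).
sudoers_audit <<'EOF'
User_Alias ADMINS = yidao
yidao ALL=(ALL) ALL
%yidao ALL=(ALL) NOPASSWD: ALL
ADMINS ALL=(root) /bin/su -
backup ALL=(root) /usr/bin/rsync
EOF
```

The narrow backup rule produces no finding; the three article rules are reported as all-commands, nopasswd,all-commands and shell.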
==== PAM Pluggable Authentication Modules ====
You can edit /etc/nologin.txt to set the message shown to users whose login shell is /sbin/nologin
For each program, PAM performs authentication using the file in the /etc/pam.d/ directory whose name is the same as the program name
==== Query User: ====
w, who, last, lastlog: not explained here
User conversations: write, mesg, wall
First use w to view current users
# write User account [user terminal interface]
# write yidao pts/2
Press CTRL + D to finish typing.
# mesg [n|y] ==> View your own message setting; n disables pop-up messages from others
# wall "Hello everybody..." ==> Broadcast
==== User mail ====
# mail username@localhost -s "mail header"
To end the text, enter a single . on the last line.
==============================END==============================