
How are the account files of a Linux system put together?

2025-03-28 update. Source: SLTechnology News&Howtos (shulou), Servers section.


Shulou(Shulou.com)05/31 Report--

This article explains how the account files of a Linux system are put together. The method is simple, fast and practical; interested readers are welcome to follow along as the editor walks through the files one by one.

The account files have five parts: 1. /etc/passwd, the system user configuration file, which stores the basic information of every user in the system; 2. /etc/shadow, which stores the users' password information; 3. /etc/group, the user group configuration file, which stores all information about user groups; and so on.

The environment for this tutorial: Linux 5.9.8, on a Dell G3 computer.

The account files of a Linux system have five components:

/etc/passwd

/etc/shadow

/etc/group

/etc/gshadow

/etc/login.defs

1. /etc/passwd file

The /etc/passwd file is the system user configuration file. It stores the basic information of every user in the system, and every user can read it.

First, open the file and look at what it contains. Run the following command:

[root@localhost ~]# vi /etc/passwd    # view the contents of the file
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
... part of the output omitted.

As you can see, the content in the / etc/passwd file is very regular, with one user per line of records.

Readers may ask why a Linux system has so many users by default. Most of them exist so that the system or a service can run under an identity of its own; they are usually called system users or pseudo-users. They cannot be used to log in, but they must not be deleted either: once one is gone, the service or program that runs as that user can no longer start, and the system misbehaves.

Each line of user information is split by ":" into seven fields, with the following meaning:

User name: password: UID (user ID): GID (group ID): descriptive information: home directory: default Shell

Next, I will introduce these fields one by one.

User name

A user name is a string that represents the identity of the user.

As mentioned earlier, the user name exists only for people's convenience; the Linux system identifies the user and assigns rights through the UID. The correspondence between user name and UID is defined in the /etc/passwd file.

Password

"x" means that the user has a password, but it is not the real password; the real one is stored in the /etc/shadow file (described in more detail in the next section).

In the early days of UNIX this field held the real password hash. Because every user could read the file, the hashes were easy to copy, and a copied hash can be cracked offline by brute force or a dictionary attack even though the password itself is never stored in the clear.

Linux therefore moved the real hash into /etc/shadow, which only root can read and modify, and left the placeholder "x" here.

Note that although "x" is not the real password, it must not be removed. If the field is left empty, the system treats the user as having no password at all, and (subject to the PAM configuration) the user can log in on the console with just a user name; remote services such as SSH normally refuse empty passwords, but that is not something to rely on. Leaving the field empty is never acceptable, so check for it when auditing a host.

UID

UID, the user ID. Each user has a unique UID, and it is the UID, not the name, that the Linux kernel uses to identify a user and decide what the user may do.

On current kernels a UID is a 32-bit number (0 to 4294967295); the often-quoted range 0 to 65535 comes from older 16-bit systems. By convention, different ranges mean different kinds of user: 0 is the superuser (any account with UID 0 is root, whatever its name), 1 up to UID_MIN minus one (499 on the CentOS-era defaults shown in the login.defs section below, 999 on newer distributions) are system users, and UID_MIN upward are ordinary users created by the administrator.

GID

The full name "Group ID", or "group ID" for short, represents the group ID number of the user's initial group. The concepts of initial groups and additional groups need to be explained here.

The initial group is the group whose permissions the user holds from the moment they log in. Each user has exactly one initial group, usually with the same name as the user: when the user lamp is created, the group lamp is created with it as lamp's initial group.

Additional groups are the other groups a user has been added to; the user holds the permissions of each of them too. A user has exactly one initial group but can have any number of additional groups.

For example, if the lamp user is added to the users group in addition to its initial group lamp, then lamp belongs to both the lamp group and the users group: lamp is the initial group and users is an additional group.

Both can be changed, but in practice only the additional groups are adjusted. The initial group is the group owner of every file the user creates from then on, so changing it alters ownership behaviour in a way that is easy to overlook when reviewing a system.

Note that the ID you see in the fourth field of the /etc/passwd file is the user's initial group.

Descriptive information

This field (the GECOS field) has no effect on access control; it holds a comment such as the user's full name or the purpose of a service account, which tools like finger display.

Home directory

The directory the user lands in after logging in and has full permissions over, usually called the home directory.

For example, the home directory of the root superuser is /root, and an ordinary user's is /home/<username>: a directory with the same name as the user is created under /home/, so the lamp user's home directory is /home/lamp/.

Default Shell

The shell is the command interpreter of Linux, the bridge between the user and the kernel.

After logging in, the user gets work done by typing commands. The shell reads and parses each command line and asks the kernel to run the corresponding programs; it is the program started when the login succeeds, and this field names it.

By default most Linux systems use bash (/bin/bash); sh, csh and others are also available. A shell of /sbin/nologin (or /usr/sbin/nologin, /bin/false), as on the bin and daemon lines above, means the account cannot open an interactive session even if it has a valid password, which is how system users are kept out of login.

2. / etc/shadow file

The /etc/shadow file stores the password information of the users of a Linux system; it is also called the "shadow file".

As explained above, /etc/passwd is readable by everyone, which would expose the password hashes, so Linux moves the password information out of /etc/passwd and into this separate file.

Only root can read /etc/shadow (on Red Hat-family systems its mode is 000, owner root; on Debian-family systems it is 640, owned by root and group shadow, so members of that group can read it too); other users have no access to it, which is what protects the hashes. Check with ls -l /etc/shadow.

If you find the permissions of this file changed, treat it as a possible sign of tampering and investigate: a world-readable shadow file hands every hash to an offline cracker.

Before introducing this file, let's open it and execute the following command:

[root@localhost ~]# vim /etc/shadow
root:$6$9w5Td6lg$bgpsy3olsq9WwWvS5Sst2W3ZiJpuCGDY.4w4MRk3ob/i85fl38RH15wzVoomff9isV1PzdcXmixzhnMVhMxbvO:15775:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
... part of the output omitted.

Like the / etc/passwd file, each line in the file represents a user, using ":" as the delimiter, except that each line of user information is divided into nine fields. Each field has the following meaning:

User name: encrypted password: last modification time: minimum modification time interval: password validity period: warning days before password needs to be changed: grace time after password expiration: account expiration time: reserved field

Next, I will introduce these nine fields to you.

User name

The same user name as in /etc/passwd; the two files are joined on this field.

Encrypted password

What is stored here is the real password hash. Linux today uses the SHA-512 crypt scheme, recognisable by the "$6$" prefix in the root line above, where the original algorithms were DES and later MD5 ("$1$"). Strictly this is a salted one-way hash, not encryption: the password cannot be recovered from it, only guessed and checked. SHA-512 crypt is far more expensive to brute-force than DES or MD5, and newer distributions are moving on to yescrypt ("$y$").

Note that the hash string cannot be edited by hand. Any manual change makes it match nothing, so the password simply stops working. Tools rely on this deliberately: passwd -l and usermod -L prefix the hash with "!" to lock the account while preserving the hash, so usermod -U can restore it, and some tools use "*" for the same purpose.

All pseudo-users have "!!" or "*" in this field, meaning there is no password and no way to log in with one. A newly created user that has not been given a password has "!!" here too (on Red Hat-family systems; Debian-family systems write "!"), and likewise cannot log in until a password is set.

Last modified time

This field holds the day on which the password was last changed, but why does the root line show 15775?

Linux counts dates in days elapsed since 1 January 1970: that date is day 0, 1 January 1971 is day 365 (1970 was not a leap year), and so on. 15775 means root's password was last changed 15775 days after 1 January 1970.

Which calendar day is that? The date command can convert it:

[root@localhost ~]# date -d "1970-01-01 15775 days"
Monday 11 March 2013 00:00:00 CST

As you can see, through the above command, it can be converted to the system date we are used to.

Minimum modification interval

This field gives the minimum number of days that must pass after the last change (field 3) before the password may be changed again. 0 means it can be changed at any time; 10 means it cannot be changed again within 10 days of the last change.

The field exists to stop users who, when forced to change a password, immediately change it several times in a row to cycle back to the old one.

Password validity period

Changing passwords regularly is a good habit. To enforce it, this field gives the number of days, counted from field 3, after which the password must be changed again; once that time has passed the password has expired.

The default is 99999 days, about 273 years, which amounts to never. Setting it to 90 means the password must be changed within 90 days of its last change, or the user will be forced to change it at the next login (and, after the grace period in field 7, locked out). On a server, use this field to make users rotate their passwords.

The number of warning days before the password needs to be changed

This field works together with field 5: starting this many days before the password expires, the system warns the user at each login that "your password will expire in n days; please change it".

The default is 7, so the warning appears at every login during the last seven days of the password's validity.

Number of days of grace after password expiration

Also called the "inactivity period". Once the password has expired (field 3 plus field 5) and the user still has not changed it, this field says for how many more days the user may still log in (being forced to change the password on the way in). After the grace days are used up, the account is locked, the user is no longer let in at all, and an administrator has to reset the password.

For example, 10 here means the account is locked 10 days after the password expires. 0 locks it as soon as the password expires. An empty field (which is what chage -I -1 writes) means no inactivity limit is enforced: the user can still log in after expiry and is simply forced to change the password.

Account expiration time

Like field 3, this is a day count since 1 January 1970, here giving the day the account itself expires. After that day the account cannot be used at all, whether or not the password has expired.

It is typically set for accounts that are meant to be temporary, for example in systems that offer paid services.

Reserved field

This field is not used yet; it is reserved for future features.

3. /etc/group file

The /etc/group file is the user group configuration file: all information about user groups is stored here.

It is the file that maps group IDs (GIDs) to group names. As mentioned above, the fourth field of each line in /etc/passwd records the user's initial group by GID; to find the name behind that GID you look in /etc/group.

The contents of the / etc/group file can be seen through Vim:

[root@localhost ~]# vim /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
... part of the output omitted.
lamp:x:502:

As you can see, each line represents one user group. When the lamp user was created in the previous section, the system created a lamp group along with it; its GID is 502, and at the moment it serves only as lamp's initial group.

In each user group, the ":" is still used as the separator between the fields, which is divided into four fields. The corresponding meaning of each field is:

Group name: password: GID: list of users in this user group

Next, the specific meaning of each field is introduced respectively.

Group name

That is, the name of the user group, consisting of letters or numbers. Like the user name in / etc/passwd, the group name cannot be duplicated.

Group password

As in /etc/passwd, the "x" here is only a placeholder; the real group password hash is kept in /etc/gshadow.

A user's password proves the user's identity, so what is a group password for? It lets a user who is not a member of the group join it temporarily with newgrp by typing the password, and it goes together with the group administrator mechanism in /etc/gshadow. With many accounts on a system, root may not have time to adjust everyone's group membership, so a group administrator can be appointed for a group to add and remove members in root's place. In practice this feature is rarely used and group passwords are seldom set: a password shared among several people is hard to rotate and impossible to attribute. If someone needs to manage the membership of a group, grant that through sudo instead.

Group ID (GID)

It is the ID number of the group. The Linux system distinguishes user groups through GID. Like the user name, the group name is only for the administrator to remember.

The GID here corresponds to the GID in the fourth field of the /etc/passwd file; the group name for a GID found in /etc/passwd is looked up in this file.

Users in the group

This field lists the users that belong to each group. Note that if the group is a user's initial group, that user is not written here: the names in this field are the users for whom this group is an additional group.

For example, the line for the lamp group is "lamp:x:502:". The fourth field does not contain lamp, because lamp is the lamp user's initial group. To find who has a given group as their initial group, read the GID (fourth field) in /etc/passwd and match it against the group names in /etc/group.

Each user can join many additional groups but has only one initial group, so in day-to-day work users are added to other groups as additional groups. For example, to make lamp a member of the root group you would add lamp to the last field of the first line, giving root:x:0:lamp. Do it with usermod -aG root lamp or gpasswd -a lamp root rather than by editing the file (the -a flag matters: usermod -G without it replaces the user's additional groups instead of adding to them), and think first: membership of GID 0 grants group access to every file owned by the root group, which is far more than most users need.

In general, the initial group of a user is a group that is the same as the user name while the user is established.
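The two relationships described in this section and in section 1 (passwd field 4 naming the initial group by GID; group field 4 listing additional members by name) can be resolved and audited mechanically. The following Python script is an added example written for this article, not code from the original page or from any Linux tool. Its input is constructed: the lamp user and GID 502 follow the article, while toor and guest are made up to trigger findings. The uid_min default of 500 is the value in the article's login.defs; current distributions use 1000.

```python
"""Resolve initial and additional groups from /etc/passwd and /etc/group,
then run the account-audit checks the two files invite.

Added example for this article; not code from the original page.  The sample
input is constructed (lamp/502 as in the article, toor and guest made up).
"""
from dataclasses import dataclass
from typing import Dict, List

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str   # 'x': hash lives in /etc/shadow; '': no password at all
    uid: int
    gid: int      # initial (primary) group
    gecos: str
    home: str
    shell: str


@dataclass
class GroupEntry:
    name: str
    passwd: str
    gid: int
    members: List[str]   # field 4: additional (supplementary) members only


def parse_passwd(text: str) -> List[PasswdEntry]:
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        out.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return out


def parse_group(text: str) -> List[GroupEntry]:
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        out.append(GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]))
    return out


def groups_of(users: List[PasswdEntry], groups: List[GroupEntry]) -> Dict[str, Dict[str, object]]:
    """Same view as `id <user>`: primary group from passwd field 4,
    supplementary groups from every /etc/group line that lists the user."""
    name_by_gid = {g.gid: g.name for g in groups}
    result = {}
    for u in users:
        primary = name_by_gid.get(u.gid, str(u.gid))   # dangling GID shows as a number, like id(1)
        extra = sorted(g.name for g in groups if u.name in g.members and g.gid != u.gid)
        result[u.name] = {"primary": primary, "supplementary": extra}
    return result


def audit(users: List[PasswdEntry], groups: List[GroupEntry], uid_min: int = 500) -> List[str]:
    """Findings a reviewer of these two files would want to see."""
    findings = []
    first_with_uid: Dict[int, str] = {}
    for u in users:
        if u.uid == 0 and u.name != "root":
            findings.append(f"{u.name}: UID 0, a second superuser account")
        if u.uid in first_with_uid:
            findings.append(f"{u.name}: duplicate UID {u.uid}, same identity as {first_with_uid[u.uid]}")
        first_with_uid.setdefault(u.uid, u.name)
        if u.passwd == "":
            findings.append(f"{u.name}: empty password field in /etc/passwd, no password required")
        elif u.passwd not in ("x", "*", "!", "!!"):
            findings.append(f"{u.name}: password hash stored in world-readable /etc/passwd")
        if 0 < u.uid < uid_min and u.shell not in NOLOGIN_SHELLS:
            findings.append(f"{u.name}: system user with interactive shell {u.shell}")
    root_group = next((g for g in groups if g.gid == 0), None)
    if root_group and root_group.members:
        findings.append(f"group {root_group.name}: additional members {','.join(root_group.members)}")
    return findings


# Constructed sample input (not a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lamp:x:502:502:lamp:/home/lamp:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
guest::503:100:guest:/home/guest:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:lamp
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:
adm:x:4:
users:x:100:lamp
lamp:x:502:
"""

if __name__ == "__main__":
    users, groups = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for name, g in groups_of(users, groups).items():
        print(f"{name}: primary={g['primary']} supplementary={g['supplementary']}")
    for finding in audit(users, groups):
        print("FINDING:", finding)
```

For lamp the script reports primary=lamp and supplementary=[root, users], exactly the situation the two examples in this section describe; for adm it resolves GID 4 to the group named adm even though adm's UID is 3, which is why the lookup must go through GID and never through the name. The findings it raises on the sample (a second UID 0 account, an empty password field, an extra member of the root group) are the ones worth looking for on a real host with getent passwd and getent group as input.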

4. / etc/gshadow file

/etc/group holds the group membership, while the group passwords and group administrators are stored in /etc/gshadow.

First, look at the contents of this file with Vim:

[root@localhost ~]# vim /etc/gshadow
root:::
bin:::bin,daemon
daemon:::bin,daemon
... part of the output omitted.
lamp:!::

Each line of the file holds the password information of one group, divided by ":" into four fields with the following meaning:

Group name: encrypted password: group administrator: group additional user list

Group name

Corresponds to the group name in the /etc/group file.

Group password

Most groups have no password set, so this field is usually empty or "!". Both mean the group has no usable password: non-members cannot use newgrp to switch into it, and only the listed members hold its permissions. With no administrator in the next field, the group also has no group administrator.

Group administrator

From the administrator's point of view, the main use of this file is to designate group administrators. What is a group administrator?

With many accounts on a Linux system and a busy root user, a request to join a group may wait a long time. A group administrator can add and remove members of the group they manage themselves, saving root the trouble. Administrators are set with gpasswd -A <admin> <group>, and the administrator then uses gpasswd -a <user> <group> and gpasswd -d <user> <group>.

With sudo available, this mechanism is rarely used in practice.

Additional users in the group

This field shows which additional users are in the group, the same as the member list in the /etc/group file.

5. / etc/login.defs file

The /etc/login.defs file sets the defaults applied when a user is created: the range of UIDs and GIDs to pick from, the password ageing values, the minimum password length, and so on.

Note that these are defaults for new accounts. They do not retroactively apply to existing accounts, including root, and where the values in /etc/login.defs differ from what is recorded for a user in /etc/passwd and /etc/shadow, the per-user values in /etc/passwd and /etc/shadow win. Tightening login.defs therefore changes nothing for accounts that already exist until the change is applied to them with chage.

View the file with vim /etc/login.defs; the options are explained in Table 1.

Table 1 /etc/login.defs settings

MAIL_DIR /var/spool/mail
    When a user is created, a mailbox is created for them under /var/spool/mail, for example /var/spool/mail/lamp for the lamp user.
PASS_MAX_DAYS 99999
    Maximum number of days a password may be used before it must be changed (field 5 of /etc/shadow for new users). 99999 days is about 273 years, in effect never.
PASS_MIN_DAYS 0
    Minimum number of days between password changes (field 4 of /etc/shadow). 0 means a password may be changed at any time.
PASS_MIN_LEN 5
    Minimum password length, 5 by default. On current systems password quality is checked by PAM (pam_pwquality or pam_cracklib), so this setting has no effect there.
PASS_WARN_AGE 7
    Number of days before expiry on which the system starts warning that the password is about to expire (field 6 of /etc/shadow). Default 7.
UID_MIN 500
    Lowest UID for ordinary users: useradd starts assigning at 500. useradd takes the first free UID above the highest one already in use at or above UID_MIN, so if you manually give one user UID 550, the next automatically created user gets 551 even though 500 to 549 are unused. (Current distributions ship UID_MIN 1000.)
UID_MAX 60000
    Highest UID useradd will assign to an ordinary user.
GID_MIN 500
    Lowest GID for ordinary groups: groupadd starts assigning at 500.
GID_MAX 60000
    Highest GID groupadd will assign.
CREATE_HOME yes
    Whether useradd creates the home directory along with the user. yes creates it, no does not; the default is yes.
UMASK 077
    umask applied when useradd creates the home directory, so a new home directory gets mode 700 and is private to its owner.
USERGROUPS_ENAB yes
    Whether each user gets a private group of the same name: with yes, useradd creates a group named after the user as their initial group, and userdel removes that group again when the user is deleted and the group has no other members. Default yes.
ENCRYPT_METHOD SHA512
    Hash scheme used for new passwords; SHA512 is the current default. Originally Linux could only use DES or MD5 (see the encrypted password field of /etc/shadow above).
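Because /etc/shadow wins over /etc/login.defs for existing accounts, a tightened PASS_MAX_DAYS or ENCRYPT_METHOD quietly leaves old accounts on the old values and old hash algorithms (the MD5 versus SHA-512 point from the /etc/shadow section). The following Python script is an added example written for this article, not code from the original page or from shadow-utils; it parses a constructed login.defs and constructed shadow lines with placeholder hashes and reports every account that drifts from the policy.

```python
"""Compare existing /etc/shadow entries against the policy in /etc/login.defs.

Added example for this article; not code from the original page.  login.defs
only supplies defaults for accounts created later, and /etc/shadow wins for
accounts that already exist, so this reports the accounts the new policy has
not reached.  Both inputs are constructed; the hashes are placeholders.
"""
from typing import Dict, List

# crypt(3) prefixes and the ENCRYPT_METHOD names login.defs uses for them
CRYPT_PREFIXES = {"$1$": "MD5", "$2b$": "BCRYPT", "$5$": "SHA256", "$6$": "SHA512", "$y$": "YESCRYPT"}


def parse_login_defs(text: str) -> Dict[str, str]:
    """KEY VALUE pairs separated by whitespace; '#' starts a comment."""
    policy = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            policy[parts[0]] = parts[1].strip()
    return policy


def hash_method(pw_hash: str) -> str:
    """Algorithm name from the hash string; 'NONE' when there is no usable password."""
    h = pw_hash.lstrip("!")          # a locked account still tells us which algorithm it used
    if h in ("", "*"):
        return "NONE"
    for prefix, name in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13 and "$" not in h:
        return "DES"                 # traditional 13-character crypt
    return "UNKNOWN"


def check_drift(login_defs_text: str, shadow_text: str) -> List[str]:
    p = parse_login_defs(login_defs_text)
    max_days = int(p.get("PASS_MAX_DAYS", "99999"))
    min_days = int(p.get("PASS_MIN_DAYS", "0"))
    warn_days = int(p.get("PASS_WARN_AGE", "7"))
    method = p.get("ENCRYPT_METHOD", "DES").upper()
    findings = []
    for line in shadow_text.splitlines():
        if not line:
            continue
        f = line.split(":")
        name, actual = f[0], hash_method(f[1])
        if actual == "NONE":
            continue                 # pseudo-users and never-set passwords: ageing policy is moot
        if actual != method:
            findings.append(f"{name}: hash is {actual}, policy ENCRYPT_METHOD is {method}")
        cur_max = int(f[4]) if f[4] else None
        if cur_max is None or cur_max > max_days:
            findings.append(f"{name}: max age {cur_max} exceeds PASS_MAX_DAYS {max_days}")
        cur_min = int(f[3]) if f[3] else 0
        if cur_min < min_days:
            findings.append(f"{name}: min age {cur_min} below PASS_MIN_DAYS {min_days}")
        cur_warn = int(f[5]) if f[5] else 0
        if cur_warn < warn_days:
            findings.append(f"{name}: warning {cur_warn} below PASS_WARN_AGE {warn_days}")
    return findings


# Constructed inputs.  The tightened policy replaces the article's defaults
# (PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0); lamp still carries an MD5 hash.
SAMPLE_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
ENCRYPT_METHOD  SHA512
"""
SAMPLE_SHADOW = """\
root:$6$9w5Td6lg$placeholder:15775:0:99999:7:::
bin:*:15513:0:99999:7:::
lamp:$1$oldsalt$placeholder:15700:0:99999:7:::
alice:$6$s1$placeholder:15770:1:90:7:::
"""

if __name__ == "__main__":
    for finding in check_drift(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW):
        print(finding)
```

On the sample, alice (created after the policy change) is clean, while root and lamp still have max age 99999 and min age 0, and lamp's hash is MD5. The ageing values are fixed in place with chage -M 90 -m 1 lamp; the hash algorithm only changes when the password is next set (passwd lamp), because the stored hash cannot be converted without knowing the password.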
