
How to understand groups and group administrators in the Linux user system

2025-01-27 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article covers "how to understand groups and group administrators in Linux user systems". Many people run into this difficulty when working through real cases, so let the editor walk you through how to handle these situations. I hope you read it carefully and get something out of it!

About groups: effective and initial groups, groups, newgrp

# /etc/group

This file records the correspondence between GIDs and group names. The contents of my /etc/group look something like this:

The code is as follows:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm

The colon ':' is again used as the field separator, and each line has four fields. The meaning of each field is:

1. Group name: simply the name of the group.

2. Group password: usually does not need to be set, because we rarely use group login! Again, the password itself is recorded in /etc/gshadow.

3. GID: the ID of the group.

4. Supported accounts: all the accounts that have joined this group. A user can join multiple groups. For example, if I want dmtsai to join the root group, I append ',dmtsai' to the end of the first line, with no spaces, so that it reads 'root:x:0:root,dmtsai'.

The fourth field is the more important one, because each user can have multiple supporting groups, just as at school we can join multiple clubs! ^_^ But you may find something strange here: 'if I join multiple groups at the same time, which group applies when I do my work?' Next, let's talk about the concept of the "effective group".

# Effective group and initial group

Remember that each user has a GID in the fourth field of their /etc/passwd entry? That GID is the so-called 'initial group'. In other words, as soon as the user logs in to the system, he or she immediately has the permissions of this group. For example, the entries for the user dmtsai mentioned above in /etc/passwd, /etc/group and /etc/gshadow are as follows:

The code is as follows:

[root@linux ~]# grep dmtsai /etc/passwd /etc/group /etc/gshadow
/etc/passwd:dmtsai:x:501:501::/home/dmtsai:/bin/bash
/etc/group:users:x:100:dmtsai
/etc/group:dmtsai:x:501:
/etc/gshadow:users:::dmtsai
/etc/gshadow:dmtsai:!::

Looking closely at the output above, in /etc/passwd the group of the dmtsai user is GID=501, that is, the dmtsai group in /etc/group. Because this is the initial group, the user gets it automatically at login, and there is no need to write the account into the fourth field of /etc/group!

Groups that are not the initial group are different. In the example above, I added dmtsai to the users group. Since users is not the initial group of dmtsai, I have to find the users line in /etc/group and add the dmtsai account to the fourth field, so that dmtsai is supported by the users group.

So in this example, because my dmtsai account supports both the dmtsai and users groups, when reading, writing or executing a file, dmtsai can use any permission that either the users group or the dmtsai group has on it. Clear? However, this applies to existing files. If I create a new file or a new directory, will its group be dmtsai or users? That depends on the effective group at that moment.

If I log in as dmtsai, how do I know all the groups I support? It's very simple: just enter groups. Note that it is groups, with an s! The result is something like this:

The code is as follows:

[dmtsai@linux ~]$ groups
dmtsai users

From this output I know that I belong to both the dmtsai and users groups, and that the first group printed is the effective group. In other words, my effective group is dmtsai. At this point, if I use touch to create a new file, such as touch test, then the owner of the file is dmtsai and its group is also dmtsai. Can you see what an effective group is?
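The lookup described above, as an added example that is not part of the original article: it resolves a user's initial and supporting groups from passwd- and group-format files, and lists a group's members including those who hold it only as their initial group (which the fourth field of /etc/group alone does not show). The sample files are constructed from the entries in the article, and the function names `user_groups` and `group_members` are hypothetical.

```shell
#!/bin/sh
# Added example. Sample files are constructed from the entries shown in the
# article; only local files are read (no NSS sources such as LDAP).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dmtsai:x:501:501::/home/dmtsai:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:root
users:x:100:dmtsai
dmtsai:x:501:
EOF

# user_groups USER PASSWD_FILE GROUP_FILE
# Prints the initial group (GID in passwd field 4) first, then every group
# that lists USER in its fourth field.
user_groups() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) { gid = $4; found = 1 }
                    next }                       # first file: passwd
        found && $3 == gid { initial = $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) extra = extra " " $1 }
        END { if (found) { out = (initial == "" ? gid : initial)
                           print out extra } }
    ' "$2" "$3"
}

# group_members GROUP PASSWD_FILE GROUP_FILE
# Prints every account in GROUP: the fourth field of its group entry plus
# accounts whose initial GID points at it (which field 4 may omit).
group_members() {
    awk -F: -v g="$1" '
        FNR == NR { if ($1 == g) { gid = $3; found = 1; list = $4 }
                    next }                       # first file: group
        found && $4 == gid && index("," list ",", "," $1 ",") == 0 {
            list = (list == "" ? $1 : list "," $1) }
        END { if (found) print list }
    ' "$3" "$2"
}

user_groups dmtsai "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
group_members dmtsai "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

When reviewing who holds a group's permissions, reading only the fourth field of /etc/group misses every account that has the group as its initial group; `group_members` reports both.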

So how do you change the effective group? There are two ways to do this, and both are done through newgrp! In the example above, because my dmtsai user belongs to both the dmtsai and users groups, dmtsai can of course switch the effective group between dmtsai and users at any time. So I can issue:

The code is as follows:

[dmtsai@linux ~]$ newgrp users
[dmtsai@linux ~]$ groups
users dmtsai

At this point, my effective group becomes users. Of course, switching the effective group smoothly still depends on /etc/gshadow, which we will explain later. So what happens if you now create a file under the /home/dmtsai home directory, for example with 'touch test2'? The group of that file is users! Does this make the meaning of the effective group clearer?

In addition, let's look at the newgrp command itself. It changes the current user's effective group, and it does so by logging the user in to another shell. So in the example above, dmtsai is now working in another shell, and that new shell gives dmtsai the effective GID of users. When 'newgrp groupname' is run directly, the user's effective group becomes groupname; the user's environment settings (such as environment variables and other data) are not affected, but the user's permissions are recalculated. For example, new files created by dmtsai at this point have the group users.

In Bird's example, it is important to note that the user dmtsai already belongs to the two groups users and dmtsai, so he can use newgrp directly to switch the effective group; to leave the new effective group, enter 'exit'. Suppose there is another group on my Linux system named vbird. Can dmtsai log in to the group vbird? It is possible under certain conditions:

* The password field for the group vbird in /etc/gshadow is valid (it does not begin with '!').

* dmtsai must have been added to the vbird group by root or by the group administrator.

These two prerequisites are both indispensable. So suppose I have used gpasswd to set a password for the vbird group, and dmtsai has been added to the group's members; then when dmtsai enters 'newgrp vbird', dmtsai's effective group becomes vbird.

# /etc/gshadow

I have just said a lot about the concept of the effective group, and I also mentioned the newgrp command, but without understanding how /etc/gshadow is set up, newgrp won't work! The contents of my /etc/gshadow look something like this:

The code is as follows:

root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm

The colon ':' is again the field separator, and you will find that this file is almost exactly the same as /etc/group! What you should pay attention to is the second field, the password field: if it is '!', the group cannot be logged in to with a password. The fourth field is again the list of supported accounts. The four fields are:

1. Group name

2. The password field; again, a value beginning with '!' means you cannot log in

3. The account of the group administrator (related information will be introduced later)

4. The accounts in the group (same as /etc/group!)

As far as the operation of the system is concerned, the main function of the /etc/gshadow password is to let users who are not members of a group join it temporarily. In practice it is rarely used. If you really want to run such an environment, you have to be familiar with newgrp, and you also have to hand out the password of the group, which is really difficult to manage. So if you want a user to have a group's permissions, just add that user to the group's supported accounts. It saves trouble.

Linux group administrator

Why do you need a group administrator

Let's assume a scenario where a company has many departments and different employees need to join different groups. Whenever a department adds staff, the administrator has to be notified and has to add them to the corresponding group. If every department is adding staff, the administrator may be busy processing requests every day.

In that case we can appoint a group leader for each group and allow the group leader to add and delete group members, which both improves efficiency and reduces the administrator's workload.

How to assign a group administrator

Syntax:

The code is as follows:

gpasswd -A USERNAME GROUPNAME

When assigning group administrators you can specify multiple users, separated by commas.

How to remove a group administrator

Syntax:

The code is as follows:

gpasswd -A "" GROUPNAME

gpasswd has no dedicated option for removing group administrators, so we pass an empty string. If the group has more than one administrator, you can instead specify the users who should remain administrators.

Adding a member as group administrator

Syntax:

The code is as follows:

gpasswd -a USERNAME GROUPNAME

Deleting a member as group administrator

Syntax:

The code is as follows:

gpasswd -d USERNAME GROUPNAME
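An added example, not part of the original article, covering both the /etc/gshadow field description and the gpasswd -A commands above: it audits a gshadow-format file for groups that accept a password (so non-members can join through newgrp) and for accounts that hold group-administrator rights. The sample entries beyond the article's own are constructed, the function names are hypothetical, and the treatment of '*' and of an empty password field follows gshadow(5).

```shell
#!/bin/sh
# Added example. Entries are constructed: the first three follow the article,
# the rest (vbird password hash, locked, sales, broken) are hypothetical.
SAMPLE_GSHADOW=$(mktemp)
cat > "$SAMPLE_GSHADOW" <<'EOF'
root:::root
users:::dmtsai
dmtsai:!::
vbird:$6$CONSTRUCTED$not-a-real-hash:dmtsai:dmtsai
locked:*::
sales:!:alice,bob:carol
broken:x
EOF

# audit_gshadow FILE
# Fields: name : password : administrators : members.
#   PASSWORD <group>         password field is set and usable, so non-members
#                            who know it can join through newgrp
#   ADMIN <group> <account>  account may add/remove members with gpasswd
#   MALFORMED line <n>       entry does not have exactly four fields
# An empty password field or one starting with "!" or "*" is not reported:
# per gshadow(5) neither allows password access to the group.
audit_gshadow() {
    awk -F: '
        /^[ \t]*$/ { next }
        NF != 4    { print "MALFORMED line " FNR; next }
        $2 != "" && $2 !~ /^[!*]/ { print "PASSWORD " $1 }
        $3 != ""   { n = split($3, a, ",")
                     for (i = 1; i <= n; i++) print "ADMIN " $1 " " a[i] }
    ' "$1"
}

# admins_of GROUP FILE: comma-separated administrator list, empty if none
# (the state left behind by: gpasswd -A "" GROUP).
admins_of() {
    awk -F: -v g="$1" '$1 == g { print $3 }' "$2"
}

audit_gshadow "$SAMPLE_GSHADOW"
```

On a live system, run `audit_gshadow /etc/gshadow` as root; each PASSWORD line is a group whose shared password could be replaced by explicit membership, and each ADMIN line is an account that can change that group's membership without root.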
