当前位置：网站首页>Users, groups, and permissions

Users, groups, and permissions

2022-07-07 12:56:00 【LC181119】

1.Linux Security model

resource allocation ：

Authentication： authentication , Verify user identity
Authorizaation： to grant authorization , Different users set different permissions
Accounting | Audition： Audit

1.1 user

Linux Each user in is through User Id (UID) To uniquely identify

Administrators ：root,0
Ordinary users ：1-60000 Automatically assigned
- System users ：1-499（CentOS 6 before ）,1-999（CentOS 7 in the future ）

Allocate permissions to the resources obtained by the daemon

The logged in user ：500+ （CentOS 6 before ）,1000+ （CentOS 7 in the future ）

Interactive login for users

1.2 User group

Linux You can add one or more users to a user group , The user group is through Group ID（GID） To uniquely identify .

Administrators group ：root, 0
The normal group ：
- System group ：1-499（CentOS 6 before ）, 1-999（CentOS7 in the future ）, Divide the permissions of the daemon to obtain resources with
- The normal group ：500+（CentOS 6 before ）, 1000+（CentOS7 in the future ）, For users

1.3 The relationship between users and groups

The primary group of users (primary group)： Users must belong to one and only one main group , By default, users will be created automatically A group with the same name as the user name , As the primary group of users , Because there is only one user in this group , Also known as private group
Additional groups for users (supplementary group)： A user can belong to zero or more secondary groups , Affiliate group

1.4 Security context

Linux Security context Context： Running program , Process (process), Run as the process initiator , Process can

Access to resources depends on the identity of the operator of the process

such as ： Respectively by root and wang The identity of running /bin/cat /etc/shadow , The results are different , Can resources

To be accessed , It is determined by the identity of the carrier , Not the program itself

2. User and group profiles

2.1 Primary profiles for users and groups

/etc/passwd： User and its attribute information ( name 、UID、 The main group ID etc. ）
/etc/shadow： User password and its associated attributes
/etc/group： Group and its attribute information
/etc/gshadow： Group passwords and their associated attributes

2.2passwd File format

passwd： password (x)

UID： User id (1000)

GID： Login default group number (1000)

GECOS： User full name or comment

home directory： User home directory (/home/wang)

shell： User default use shell (/bin/bash)

2.3shadow File format

User password : It's usually used sha512 encryption

from 1970 year 1 month 1 From the date of the last password change

The password can be changed in a few days （

0 Can be changed at any time ）

The password must be changed in a few days （99999 Never expire ）

The system reminds the user a few days before the password expires （ Default to one week ）

A few days after the password expires, the account will be locked

from 1970 year 1 month 1 Day count , How many days later the account will be invalid

Change password encryption algorithm ：

authconfig   --passalgo=sha256 --update

Password security policy

Long enough
Using a digital 、 Capital 、 At least... In lowercase letters and special characters 3 Kind of
Use random passwords
Replace regularly , Don't use passwords that have been used recently

2.4group File format

The name of the group ： That's the group name

Group password ： Usually no setting is required , The password is recorded in /etc/gshadow

GID： It's the group ID

List of users with the current group as an additional group ( The separator is a comma )

2.5gshdow File format

The name of the group ： It's the name of the group

Group password ：

Group administrator list ： List of group Administrators , Change group password and membership

List of users with the current group as an additional group ： Multiple users are separated by commas

2.6 Document operation

vipw and vigr
pwck and grpck

3. User and group management commands

User management command

useradd
usermod
userdel

Group account maintenance command

groupadd
groupmod
groupdel

3.1 The user to create

useradd Command can create new Linux user

Format ：

useradd [options] LOGIN

Common options ：

-u UID
-o coordination -u Options , Do not check UID Uniqueness
-g GID Specifies that the user belongs to the base group , A group name , It's fine too GID
-c "COMMENT“ User's comment information
-d HOME_DIR In the specified path ( non-existent ) Catalog for home
-s SHELL Indicate the user's default shell Program , The available list is /etc/shells In file
-G GROUP1[,GROUP2,...] Specify additional groups for users , The group must exist in advance
-N Do not create private group as master group , Use users Group is the main group
-r Create system user CentOS 6 Before : ID<500,CentOS7 in the future : ID<1000
-m Create a home directory , For system users
-M Do not create a home directory , For non system users
-p Specify the encrypted password

3.2 User property modification

usermod Commands can modify user properties

Format ：

usermod [OPTION] login

Common options ：

-u UID: new UID
-g GID: New main group
-G GROUP1[,GROUP2,...[,GROUPN]]]： New additional group , The original additional group will be covered ; If you keep the original , At the same time
use -a Options
-s SHELL： New default SHELL
-c 'COMMENT'： New notes
-d HOME: The new home directory will not be created automatically ; To create a new home directory and move home data , Use at the same time -m Options
-l login_name: New name
-L: lock Designated user , stay /etc/shadow The addition of password column !
-U: unlock Designated user , take /etc/shadow Code bar ! Remove
-e YYYY-MM-DD: Specify the expiration date of the user account
-f INACTIVE: Set an inactive period , That is, the grace period

3.3 Delete user

userdel Deleting Linux user

Format ：

userdel [OPTION]... Login

Common options ：

-f, --force mandatory
-r, --remove Delete user home directory and mailbox

3.4 View user related ID Information

id Command to view the user's UID,GID Etc

id [OPTION]... [USER]

Common options ：

u: Show UID
-g: Show GID
-G: Displays the... Of the group to which the user belongs ID
-n: The display name , Need to cooperate ugG Use

3.5 Switch users or execute commands as other users

su: namely switch user, Command can switch user identity , And execute the command as the specified user

Format ：

su [options...] [-] [user [args...]]

Common options ：

-l --login su -l UserName amount to su - UserName
-c, --command <command> pass a single command to the shell with -c

How to switch users ：

su UserName： Non login switch , That is, the configuration file of the target user will not be read , Do not change the current working directory , That is, incomplete switching
su - UserName： Login switch , Will read the profile of the target user , Switch to your home directory , That is, complete switching

explain ：root su To other users without password ; Not root The user needs a password to switch

Be careful ：su After switching to a new user , Use exit Return to the old user identity , Instead of using su Switch to old user , Otherwise, it will generate very Much of the bash Subprocesses , The environment may be chaotic .

Change your identity and execute the order ：

su [-] UserName -c 'COMMAND'

3.6 Set the password

passwd You can change the user password

Format ：

passwd [OPTIONS] UserName

Common options ：

-d： Delete the specified user password
-l： Lock the specified user
-u： Unlock the specified user
-e： Force user to change password next time login
-f： Force operation
-n mindays： Specify the minimum service life
-x maxdays： Maximum service life
-w warndays： How many days in advance to start warning
-i inactivedays： Period of inactivity
--stdin： Receive user password from standard input ,Ubuntu No such option

3.7 Change user password policy

chage You can modify the user password policy

Format ：

chage [OPTION]... LOGIN

Common options ：

-d LAST_DAY # Time to change password
-m --mindays MIN_DAYS
-M --maxdays MAX_DAYS
-W --warndays WARN_DAYS
-I --inactive INACTIVE # Grace period after password expiration
-E --expiredate EXPIRE_DATE # User's validity period
-l Show password policy

3.8 Other user related commands

chfn Specify personal information
chsh Appoint shell, amount to usermod -s
finger You can view the user's personal information

3.9 Create group

groupadd Implement creating groups

Format

groupadd [OPTION]... group_name

Common options ：

-g GID To specify GID Number ;[GID_MIN, GID_MAX]
-r Create system group ,CentOS 6 Before : ID<500,CentOS 7 in the future : ID<1000

3.10 Modify the set of

groupmod Group property modification

Format ：

groupmod [OPTION]... group

Common options ：

-n group_name: New name
-g GID: new GID

3.11 groups deleting

groupdel You can delete groups

Format

groupdel [options] GROUP

Common options ：

-f, --force Mandatory deletion , Even the user's primary group is forced to delete the group , However, users without a primary group will be unavailable and unable to log in

3.12 Change group password

gpasswd command , You can change the group password , You can also modify the membership of additional groups

Format

gpasswd [OPTION] GROUP

Common options ：

-a user take user Add to specified group
-d user Removes the user from the specified additional group user
-A user1,user2,... Set the list of users with administrative rights

3.13 Temporarily switch main group

newgrp The command can temporarily switch the main group , If the user does not belong to this group , Group password is required

Format ：

newgrp [-] [group]

If you use - Options , You can initialize the user environment

3.14 Change and view group members

groupmems You can manage the membership of additional groups

Format

groupmems [options] [action]

Common options ：

-g, --group groupname # Change to the specified group ( Only root)
-a, --add username # Specify the user to join the group
-d, --delete username # Remove user from group
-p, --purge # Clear all members from the group
-l, --list # Displays a list of group members

groups You can view user group relationships

Format

# View the user's group list 
groups [OPTION].[USERNAME]...

4. File permission management

4.1 File owner and group attribute operation

4.1.1 Set the owner of the file chown

chown Command can modify the owner of the file , You can also modify the file group

Format

chown [OPTION]... [OWNER][:[GROUP]] FILE...
chown [OPTION]... --reference=RFILE FILE...

instructions ：

OWNER # Only modify the owner
OWNER:GROUP # Modify the owner and group at the same time
:GROUP # Modify only the group , Colons are also available . Replace
--reference=RFILE # Refer to the specified properties , To modify the
-R# recursive , Use this option with caution , Very dangerous ！

4.1.2 Set the group information of the file chgrp

chgrp The command can modify only the group of the file

Format

 chgrp [OPTION]... GROUP FILE...
 chgrp [OPTION]... --reference=RFILE FILE...

-R recursive

4.2 File permissions

4.2.1 File permission description

File permissions are mainly defined for three types of objects

owner Belong to , u
group Generic group , g
other other , o

Be careful ：

The final authority of the user , It's order matching from left to right , namely , owner , Subordinate to the group , others , Once the permissions are matched, they take effect immediately , No more to
Right view its permissions
r and w Permission pair root Invalid user
As long as the owner , Group or other One of the three is x jurisdiction ,root You can execute

Each file defines three common permissions for each type of visitor

Each file defines three permissions for each type of visitor

r Readable
w Writable
x eXcutable

Permissions on files ：

r You can use file view class tools , such as ：cat, You can get its content
w It can be modified
x You can request the kernel to start this file as a process , That is, it can be executed （ function ） This file （ The contents of this file must be executable ）

Permissions on directories ：

r have access to ls View in this directory
File list
w You can create files in this directory , You can also delete files in this directory , It has nothing to do with the permission of the deleted file
x Sure cd Enter this directory , have access to ls -l View the file metadata in this directory （ Must cooperate with r jurisdiction ）, Minimum accessible permissions belonging to the directory
X Just give the catalog x jurisdiction , Do not give files without execution permission x jurisdiction

4.2.2 Modify file permissions chmod

Format

chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
# Reference resources RFILE File permissions , take FILE It is the same as RFILE
chmod [OPTION]... --reference=RFILE FILE...

4.3 Default permissions for new files and directories

umask The value of can be used to retain the permission to create files

Realization way ：

Default permissions for new files : 666-umask, If a bit of the result exists, execute （ Odd number ） jurisdiction , Then its permissions +1, accidentally The number remains the same
Default permissions for new directories : 777-umask

Non privileged users umask The default is 002

root Of umask The default is 022

see umask

umask
# Display in mode 
umask –S 
# The output can be called 
umask –p

modify umask

umask #

Long term preservation umask

Global settings ： /etc/bashrc
User Settings ：~/.bashrc

4.4 Linux Special permissions on the file system

Three common permissions were introduced earlier ：r, w, x There are also three special permissions ：SUID, SGID, Sticky

Special privileges

SUID Act on binary executables , The user will inherit the rights of the owner of this program
SGID

Act on binary executables , Users will inherit the permissions of all groups in this program

On the catalogue , The group of newly created files in this directory will automatically inherit from this directory

STICKY Act on the directory , Files in this directory can only be deleted by the owner

4.4.1 Special privileges SUID

Premise ： Processes have owners and groups ; The file has the owner and the group

Can any executable program file be started as a process , It depends on whether the initiator has execution rights to the program file
After starting as a process , The owner of the process is the initiator , The group of the process is the group of the initiator
Permissions for a process to access a file , It depends on the initiator of the process

Binary executable SUID Authority function ：

Can any executable program file be started as a process ： It depends on whether the initiator has execution rights to the program file
After starting as a process , The owner of the process is the owner of the original program file
SUID Valid only for binary executables
SUID Setting on the directory makes no sense

SUID Permission setting ：

chmod u+s FILE...
chmod 4xxx FILE
chmod u-s FILE...

4.4.2 Special privileges SGID

Binary executable SGID Authority function ：

Can any executable program file be started as a process ： It depends on whether the initiator has execution rights to the program file
After starting as a process , The process belongs to the original program file

SGID Permission setting ：

chmod g+s FILE... 
chmod 2xxx FILE
chmod g-s FILE...

On the catalog SGID Authority function ：

Silent In case of recognition , When a user creates a file , Its group is the primary group to which the user belongs , Once a directory is set SGID, This directory has The group of the file created by the user with write permission in this directory is the group of this directory , Usually used to create a collaboration Directory

SGID Permission setting ：

chmod g+s DIR...
chmod 2xxx DIR
chmod g-s DIR...

4.4.3 Special privileges Sticky position

A directory with write permission. Usually, the user can delete any file in the directory , Regardless of the permission or ownership of the file

Set... In the directory Sticky position , Only the owner of the document or root You can delete the file

sticky Setting doesn't make sense on the file

Sticky Permission setting ：

chmod o+t DIR...
chmod 1xxx DIR
chmod o-t DIR...

4.4.4 Special authority digital method

SUID SGID STICKY

000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7

Permission bit mapping

SUID: user, Occupy the execution permission bit of the owner

s： The owner owns x jurisdiction

S： The owner did not x jurisdiction

SGID: group, Occupy the execution permission bit of the group

s： group Have x jurisdiction

S：group No, x jurisdiction

Sticky: other, occupy other The execution permission bit of

t：other Have x jurisdiction

T：other No, x jurisdiction

4.5 Set file special properties

Set the special properties of the file , You can visit root The user mistakenly deletes or modifies the file

Can't delete , Change of name , change

chattr +i file

Can only add content , Can't delete , Change of name

chattr +a file

Show specific properties

lsattr

4.6 Access control list ACL

4.6.1 ACL Authority function

ACL：Access Control List, Realize flexible permission management

Except for the owner of the file , Group and others , You can set permissions for more users

CentOS7 Created by default xfs and ext4 The file system has ACL function

CentOS7 The previous version , It is created manually by default ext4 The file system has no ACL function , It needs to be added manually

ACL The order of entry into force ：

owner , Custom user , Subordinate to the group | Custom groups , others

4.6.2 ACL Relevant command

setfacl Can be set up ACL jurisdiction

getfacl You can view the settings ACL jurisdiction

mask jurisdiction

mask Only affect owners and other Maximum permissions for people and groups other than
mask After logical and operation with the user's permission , To become a limited authority (Effective Permission)
User or group settings must exist in mask It will take effect only when the permission is set

4.6.3 Backup and restore ACL

Main file operation commands cp and mv All support ACL, It's just cp The order needs to add -p Parameters . however tar And other common backup tools are not Will keep directories and files ACL Information

原网站

版权声明
本文为[LC181119]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/02/202202130616434278.html