After spending a long time learning Linux user management, I want to share what I learned. After reading this article you should have gained a lot, and I hope it teaches you more.
Part 1. The access control mechanism
Linux is a multi-user system in which different users can access different files at the same time, so it needs a file access control mechanism. The access control mechanism of Linux is quite different from that of Windows. In Linux, a file or directory is owned by a user, who is called the owner of the file (or file owner); a file also has a designated user group, called the group the file belongs to. A user can be a member of several groups, and this membership is controlled by the administrator. A file's permissions are determined by its permission flags, which decide what access the file owner, the owning group, and other users have to the file.
Users and Permissions
1. Basic Concepts
(1) File owner: Linux assigns an owner to every file, called the file owner, who is recorded by login name. Control over a file belongs to the file owner or to the super user (root).
File ownership can be changed: ownership of a file or directory can be transferred to another user, but only the file owner or root has the right to change it. The chown command changes the ownership of a file or directory. For example, if the super user copies a file to the user user1, then in order to allow user1 to access the file, the super user (root) should make user1 the owner of the file; otherwise user1 cannot access the file. Once the ownership of a file or directory has been changed, the previous owner no longer has control over that file or directory.
(2) User group: in Linux, every file belongs to a user group. When you create a file or directory, the system assigns it a user group; the chgrp command changes the group a file belongs to.
(3) Access permissions: in a Linux system, every file and directory has access permissions, which determine who may access the file or directory and in what way.
Linux distinguishes three categories of user with respect to a file: the file owner (user), users in the same group (group), and other users on the system (others).
Access permissions define three ways of accessing a file or directory: read (r), write (w) and execute (x).
(1) File access permissions
Read permission (r) allows the specified users only to read the contents of the file; any modification is prohibited. Write permission (w) allows the specified users to open and modify the file. Execute permission (x) allows the specified users to run the file as a program.
(2) Directory access permissions
Using the ls command with the -d option shows the permissions of a directory itself. Read permission (r) means you can list the files stored in the directory, that is, read the directory contents. Write permission (w) means you can delete files or create new files or directories in the directory. Execute permission (x) means you can search the directory and use the cd command to make it the working directory. The chmod command changes the access permissions of a file or directory. For example:
Function: the chmod command sets or changes the access permissions of a file or directory.
Format: chmod [options] mode file-or-directory-name
Note: only the file owner or the super user root has the right to use chmod to change the access permissions of a file or directory.
-c: if the permissions of the file or directory actually changed, display the change.
-f: if the permissions of a file or directory cannot be changed, do not display an error message.
-v: show details of the permission change.
-R: apply the same permission change to all files and subdirectories under the given directory (that is, change them one by one, recursively).
When setting file permissions, the following letters are commonly used in the mode to stand for a user or group of users:
u (user) stands for the owner of the file.
g (group) stands for the owning group of the file.
o (others) stands for other users.
a (all) stands for all users (that is, u + g + o).
Permissions are represented by the following characters: r for read permission, w for write permission and x for execute permission. Finally, an operator indicates whether to add (+), remove (-) or set exactly (=) the permission.
Function: the chown command changes the owner and owning group of a file or directory.
Format: chown [options] user-or-group file-name
Note: only the file owner or the super user can use this command. To change the file owner and the owning group at the same time, separate the user name and the group name with a colon. The file name may contain wildcards.
-R: recursively change the owner of all files in the specified directory and its subdirectories.
Function: the chgrp command changes the group a file or directory belongs to.
Format: chgrp [options] group-name file-name
Note: if you are neither the owner of the file nor the super user, you cannot change the group a file or directory belongs to. chown can change both the owner and the owning group; chgrp only changes the owning group.
-R: recursively change the user group of the specified directory and of all files and subdirectories below it.
Function: the umask command sets the permission mask applied to new files.
Format: umask [mode]
Explanation: mode is the new value of the file permission mask.
File access permissions can be modified with the chmod command. When a user creates a new file and does not change its permissions with chmod, what permissions does the file have? The default access permissions of the file are determined jointly by the system default permissions and the default permission mask: they equal the system default permissions minus the default permission mask. The Linux system default permissions are 777 for directories and 666 for files. Hence the following formulas:
New directory permissions = 777 - default permission mask
New file permissions = 666 - default permission mask
Note: for security reasons, the Linux file system does not give a new file execute permission by default. The umask command with no parameters displays the current default permission mask. Next, Linux user management is explained.
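The umask formulas above and the symbolic chmod operators from the earlier section, worked through in a temporary directory. This is an added example, not code from the original article; the function names are my own, and the mask is applied as a bit mask (AND NOT), which gives the same result as the article's subtraction for the usual masks.

```sh
#!/bin/sh
# Added example (not from the original article): how umask and chmod
# determine a file's permission bits. Runs entirely in a temporary directory.
set -eu

# Octal permission bits of a path (GNU stat first, BSD stat as a fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Expected default mode: the base (666 for files, 777 for directories) with the
# umask bits cleared. umask is a bit mask, so use AND NOT rather than subtraction;
# for masks such as 022, 027 and 077 this equals the article's "666 - mask".
default_mode() {
    printf '%03o' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under the given umask and report their modes
# as "<file mode> <dir mode>", e.g. "644 755" for umask 022.
create_with_umask() {
    mask=$1
    work=$(mktemp -d)
    (
        umask "$mask"
        : > "$work/f"
        mkdir "$work/d"
    )
    printf '%s %s\n' "$(perm_of "$work/f")" "$(perm_of "$work/d")"
    rm -rf "$work"
}

# Apply a symbolic chmod (u/g/o/a with +, - or =) to a fresh 644 file
# and return the resulting mode, e.g. "g+w" -> 664, "o=" -> 640.
chmod_result() {
    work=$(mktemp -d)
    : > "$work/f"
    chmod 644 "$work/f"
    chmod "$1" "$work/f"
    perm_of "$work/f"
    rm -rf "$work"
}

echo "umask 022 -> expected file $(default_mode 666 022), dir $(default_mode 777 022)"
echo "umask 022 -> actual:   $(create_with_umask 022)"
echo "umask 077 -> actual:   $(create_with_umask 077)"
echo "chmod g+w on 644 -> $(chmod_result g+w)"
echo "chmod o=  on 644 -> $(chmod_result o=)"
```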
Part 2. Linux User Management
Linux is a multitasking, multi-user operating system. For different users to access different files at the same time, and to log in locally or remotely, each user must have a valid account. Linux implements access control through user accounts, so users and groups must be managed effectively.
1. Linux operating system users
Linux users fall into three categories: the super user, system users and ordinary users. The super user is named root and has all permissions; it should be used to log in only for system maintenance (such as setting up users) or when otherwise necessary, so as to avoid security problems. System users are built-in users that the Linux system needs in order to work, created mainly so that the corresponding system processes have a file owner; they cannot be used to log in to the system. Examples are bin, daemon, adm and lp.
Ordinary users are created to let people use Linux system resources; most of our users fall into this category. Every user has a numeric value called the UID. The super user's UID is 0, system users generally have UIDs from 1 to 499, and ordinary users have UIDs between 500 and 60,000.
2. Account System Files
Linux stores all kinds of account information in plain text files, the most important being /etc/passwd, /etc/shadow and /etc/group. You can change them with vi or another editor, or with special-purpose commands. Account management is really the adding, modifying and deleting of rows in these files, so whatever form account management takes, understanding the contents of these files is necessary.
(1) The /etc/passwd file: the most important file for account management, and a plain text file. Every registered user has a corresponding row in this file, which records the necessary information about that user.
Example 1: the /etc/passwd file.
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
In the passwd file you can see that the first line is the root user, followed immediately by the system users; ordinary users are usually at the end of the file. Each line of the passwd file consists of seven fields separated by ":", in the following format:
Account name:Password:UID:GID:Profile:Home directory:Shell
Account name: the name the user uses to log in to the Linux system.
Password: the encrypted password rather than the real password; if it is "x", the password is protected by shadow.
UID: the user ID, a number that the Linux system uses internally to distinguish users.
GID: identifies the user's group, a number that the Linux system uses internally to distinguish groups; members of the same group have the same GID.
Profile: can record personal information about the user, such as name and telephone number (in this example the field for the test user is empty).
Home directory: usually /home/username, where username is the user name; running "cd ~" switches the current directory to the home directory.
Shell: the shell the user uses after logging in; the default is bash.
(2) The /etc/shadow file: every user has read access to the passwd file, and although the passwords are encrypted, this cannot prevent someone from obtaining the encrypted passwords. For security, Linux provides an extra layer of password protection: the encrypted passwords are moved to another file, /etc/shadow. When shadow password protection is in effect, the password field of every record in /etc/passwd becomes "x", and a shadow file exists in the /etc directory. Only the super user can read the contents of shadow.
(3) pwconv and pwunconv: when Linux is installed, the system uses shadow by default to protect passwords. If shadow was not enabled when Linux was installed, you can use the pwconv command to enable it. Note that the command must be run as root; the result is that the password field of /etc/passwd becomes "x" and the /etc/shadow file is produced. Conversely, to cancel the shadow function, use the pwunconv command.
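The seven-field passwd layout and the shadow "x" marker described above, used for two checks an administrator runs when reviewing a system: extra UID 0 accounts, and accounts whose password field still holds a hash or is empty. This is an added example, not code from the original article; the records are constructed and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): parse /etc/passwd-style records
# and flag accounts other than root with UID 0, and accounts whose password field
# is not the shadow marker "x". Sample records are constructed; on a real host
# pass "$(cat /etc/passwd)" instead.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test:x:500:500::/home/test:/bin/bash
svc2:x:0:0:service account:/tmp:/bin/bash
legacy:$1$abc$xyz:501:501::/home/legacy:/bin/sh
guest::502:502::/home/guest:/bin/sh'

# Field layout: name:password:UID:GID:profile:home:shell (7 fields, ":"-separated).
# Print every account whose UID (field 3) is 0 but whose name is not root.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print accounts whose password field (field 2) is not "x": a hash kept here is
# world-readable, and an empty field means the account has no password at all.
not_shadowed() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" {
        print $1 ":" ($2 == "" ? "EMPTY" : "HASH-IN-PASSWD")
    }'
}

# Home directory and login shell (fields 6 and 7) of one account.
home_and_shell() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $6 " " $7 }'
}

echo "accounts with UID 0 besides root:"; extra_uid0 "$SAMPLE_PASSWD"
echo "accounts not protected by /etc/shadow:"; not_shadowed "$SAMPLE_PASSWD"
echo "home and shell of test: $(home_and_shell "$SAMPLE_PASSWD" test)"
```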
Part 3. Group management
Linux groups are divided into private groups, system groups and standard groups. When you create an account without specifying a group it belongs to, the system creates a group with the same name as the user; this is a private group and holds only that one user. A standard group can hold several users, and the members of a group have the permissions of that group. System groups are created automatically by the Linux system. A Linux user can belong to several groups, and the groups a user belongs to are divided into the base group and additional groups. The first group the user belongs to is called the base group and is specified in the /etc/passwd file; the other groups are additional groups and are specified in the /etc/group file. A user who belongs to several groups has the combined permissions of all of those groups.
Linux stores group information in the file /etc/group.
Example: display the contents of the file /etc/group.
# cat /etc/group
root:x:0:root,test
bin:x:1:root,bin,daemon
test:x:500:
group1:x:1000:
user1:x:501:
Each line of the group file records the information of one group; each row consists of four fields separated by ":".
Format: group name:group password:GID:group members.
Group name: the name of the group, such as root, bin, etc.
Group password: the password set for joining the group; in general group passwords are not used, so this field is usually unused.
GID: the group identifier, a number similar to the UID.
Group members: the users included in the group, separated by ",".
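The base group from the passwd GID plus the additional groups from the /etc/group member lists, resolved the way the section above describes. This is an added example, not code from the original article; the records are constructed (the group records mirror the listing above) and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): resolve all groups of a user.
# The base (primary) group comes from field 4 of the passwd record, mapped to a
# name through field 3 of group; additional groups are every group whose member
# list (field 4 of group) names the user. Sample records are constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:500:500::/home/test:/bin/bash
user1:x:501:501::/home/user1:/bin/bash'

SAMPLE_GROUP='root:x:0:root,test
bin:x:1:root,bin,daemon
test:x:500:
group1:x:1000:test,user1
user1:x:501:'

# Usage: primary_group "$passwd_text" "$group_text" username
primary_group() {
    gid=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print $4 }')
    printf '%s\n' "$2" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Usage: additional_groups "$passwd_text" "$group_text" username
additional_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$3" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }'
}

# All groups of a user, base group first, one per line (what "groups user" shows).
# The base group is dropped from the additional list if it is also listed there.
all_groups() {
    base=$(primary_group "$1" "$2" "$3")
    printf '%s\n' "$base"
    additional_groups "$1" "$2" "$3" | grep -vx "$base" || true
}

echo "groups of test:";  all_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" test
echo "groups of user1:"; all_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" user1
```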
2. Adding, editing and deleting user groups
(1) Adding a group
You can add a group by manually editing the /etc/group file, or with the groupadd command.
Format: groupadd group-name
Example: add a group named group1 with groupadd group1.
(2) Modifying group properties
Use the groupmod command to change a group's name or GID. groupmod -g followed by the new GID and the group name changes the group's GID. groupmod -n followed by the new group name and the original group name changes the group's name.
(3) Deleting a group
Use the groupdel command to delete a group.
Format: groupdel group-name
Description: after a group is deleted, use the chown command to move the files and directories that belonged to the deleted group into the user groups of their owners.
To change the members of a group or to change the group password, use the gpasswd command.
Format: gpasswd [parameters] [username] group-name
Used without parameters, it changes the group password.
-a: add a user to the group.
-d: remove a user from the group.
Part 4. Linux User Manager
User Manager is a graphical management tool that makes it easy to manage users and user groups. The root user can select "Main Menu" -> "System Settings" -> "Users and Groups" (or type redhat-config-users at the shell prompt) to open the "Red Hat User Manager" window.
1. Create a user account
In the Linux User Manager window, click the "Add User" button to open the "Create New User" dialog.
2. Modify User Attributes
To modify user properties, first select an existing Linux user account in the User Manager window, then click the "Properties" button; the "User Properties" window opens with four tabs: "User Data", "Account Info", "Password Info" and "Groups". Select the appropriate tab to modify the relevant attributes.
3. Modify User Group Properties
In the "Groups" tab, select an existing user group and click the "Properties" button to open the "Group Properties" window, where the group's properties can be modified; tick the check box of each user that should join the group.
User management commands:
useradd: add a user
adduser: add a user
passwd: set a user's password
usermod: modify a user; with usermod you can change the login name, the user's home directory, and so on
pwconv: synchronize users from /etc/passwd to /etc/shadow
pwck: check that the contents of the user files /etc/passwd and /etc/shadow are valid and complete
pwunconv: the reverse of pwconv; rebuilds /etc/passwd from /etc/shadow and /etc/passwd, then deletes the /etc/shadow file
finger: tool for viewing user information
id: view a user's UID, GID and the groups the user belongs to
chfn: tool for changing user information
su: switch user
sudo: execute a command as another user. su switches to the other user, who then carries out the task, whereas with sudo the command is executed directly. For example, sudo can allow a user who does not know the root password to run specific commands that only root can execute; this is configured by editing /etc/sudoers with visudo.
visudo: the command for editing /etc/sudoers; you can also edit /etc/sudoers directly with vi, with the same effect
sudoedit: similar in function to sudo
Group management commands:
groupadd: add a user group
groupdel: delete a user group
groupmod: modify user group information
groups: display the groups a user belongs to
grpck: check that the group files are valid and complete
grpconv: synchronize the contents of /etc/group and /etc/gshadow, or create /etc/gshadow if it does not exist
grpunconv: synchronize the contents of /etc/group and /etc/gshadow, or create /etc/group, then delete the gshadow file