This is the second article in the Linux series. After writing the Shell article I thought the rest would be straightforward, but on going through it carefully I found that much of what I knew about Linux was either shallow or forgotten. In that case it is best to review it as you meet it. This article tries to answer the following questions:
- How to do user management in Linux
- Relationship between users and permissions
- After a user installs the software, how does it decide whether other users can use it?
- How commands related to this are used
Overview
Linux permission management is closely tied to two important properties: everything is a file, and Linux is a multi-user operating system. Multi-user means that resources must be isolated between users, which is why permissions are needed; everything is a file means that the object of permission management is always a file.
Linux has two access control mechanisms
- The native mechanism, discretionary access control (DAC), is the UGO+RWX/ACL model. UGO stands for User, Group and Other; RWX for Read, Write and Execute; ACL for Access Control List. This is the default mode and the one this article covers.
- SELinux's mandatory access control (MAC), which is label based: every resource carries a label, and a program can only access resources whose labels it is allowed to access. This is beyond the scope of this article.
User and group based management
Users, groups
Linux identifies accounts and groups by numeric IDs, not by names: the user ID is the UID and the group ID is the GID. A user can belong to multiple groups, but has exactly one primary (basic) group and any number of supplementary (additional) groups. Users are used for precise authorization and groups for authorization in bulk, much like the relationship between users and roles in RBAC.
Difference between the primary group and supplementary groups
Primary group: if no group is specified when a user is created, a group with the same name as the user is created by default; this is the primary group, and a user cannot be removed from it. When the user creates a file, the file's group is the user's primary group.
Supplementary groups: every other group the user belongs to is a supplementary group. A user can be removed from a supplementary group.
useradd
```
# Create an account
useradd guodong
# Create the account guodong with description "administrator", home directory /home/guodong,
# expiration date 2022-03-04, primary group root and supplementary group mail
useradd -c administrator -d /home/guodong -e 2022-03-04 -g root -G mail guodong
```
After creation, the new user appears in /etc/passwd. The meaning of the fields is described later.
guodong:x:1002:1002::/home/guodong:/bin/sh
All options are listed below. They cover the home directory, the group, whether to create the home directory at the same time, the (already encrypted) password, a specific UID, the login shell, and so on.
```
root@VM-20-5-ubuntu:~# useradd --help
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
      --badnames                do not check for bad names
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
      --btrfs-subvolume-home    use BTRFS subvolume for home directory
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           list of supplementary groups of the new account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow to create users with duplicate (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
      --extrausers              Use the extra users database
```
If you do not add any options, the following things will be done by default
- Create user
- Create user's home directory
- Create a group with the same name as the user and put the user in it
groupadd
Add a group
```
# Create the gg group
groupadd gg
# Create the user guodong with gg as its primary group
useradd guodong -g gg
```
After this, the group appears in /etc/group; the meaning of the fields is described later.
guodong:x:1002:
Command details
```
ubuntu@VM-20-5-ubuntu:~$ groupadd --help
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -P, --prefix PREFIX_DIR       directory prefix
      --extrausers              Use the extra users database
```
id
Shows the details of a user: the UID, the primary group's GID, all groups, and so on.
```
ubuntu@VM-20-5-ubuntu:~$ id guodong
uid=1002(guodong) gid=1002(guodong) groups=1002(guodong),0(root)
```
Command details; with options you can print just one part of the information.
```
ubuntu@VM-20-5-ubuntu:~$ id --help
Usage: id [OPTION]... [USER]
Print user and group information for the specified USER,
or (when USER omitted) for the current user.

  -a             ignore, for compatibility with other versions
  -Z, --context  print only the security context of the process
  -g, --group    print only the effective group ID
  -G, --groups   print all group IDs
  -n, --name     print a name instead of a number, for -ugG
  -r, --real     print the real ID instead of the effective ID, with -ugG
  -u, --user     print only the effective user ID
  -z, --zero     delimit entries with NUL characters, not whitespace;
                   not permitted in default format
      --help     display this help and exit
      --version  output version information and exit
```
passwd
Change a user's password
```
ubuntu@VM-20-5-ubuntu:~$ sudo passwd guodong
New password:
Retype new password:
passwd: password updated successfully
```
usermod
Modifies user information such as the password, home directory and group membership. The fields it can change are much the same as those useradd can set.
```
# Modify the description of guodong
ubuntu@VM-20-5-ubuntu:~$ usermod guodong -c jelly
ubuntu@VM-20-5-ubuntu:~$ cat /etc/passwd | grep guodong
guodong:x:1002:1002:jelly:/home/guodong:/bin/sh
```
userdel,groupdel
Delete a user or a group
```
# delete user
userdel guodong
# delete group
groupdel guodong
```
Related files
- /etc/passwd
Stores the user accounts
```
root@VM-20-5-ubuntu:~# cat /etc/passwd | grep ubuntu
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
```
Each line has seven colon-separated fields. From left to right: user name : password : UID : GID : description : home directory : login shell
Note that the password field holds only an x, which merely indicates that a password exists. The real password hash is in /etc/shadow.
Pseudo users: many accounts in the passwd file have a login shell that does not allow logging in. They are called pseudo users and cannot log in; they exist only to make system management easier.
- /etc/group
Stores the groups
```
root@VM-20-5-ubuntu:~# cat /etc/group | grep ubuntu
adm:x:4:syslog,ubuntu
cdrom:x:24:ubuntu
sudo:x:27:ubuntu
dip:x:30:ubuntu
plugdev:x:46:ubuntu
lxd:x:116:ubuntu
ubuntu:x:1000:
root@VM-20-5-ubuntu:~# id ubuntu
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
```
Each line has four fields: group name : group password : GID : list of users in the group. In the output above, the groups reported by id ubuntu match exactly the groups in /etc/group whose member list contains ubuntu.
The group password is used for authentication when a user who is not a member switches into the group.
- /etc/shadow
Stores the user password hashes
```
root@VM-20-5-ubuntu:~# cat /etc/shadow | grep ubuntu
ubuntu:$6$jljvtYI5RLrh6ZwE$C/s2cHElV8XZ./cWGEV09ICjEavrLivzkpa0T/Sil1Xjv5rFTGAmSzOVDlBx8a8zUnvMlMNFcqrWt8k.F1ZHF0:18979:0:99999:7:::
```
Each line has nine fields: user name : password hash : date of last change : minimum days between changes : maximum password age : warning days before expiry : grace days after expiry : account expiration date : reserved field
The password is hashed with SHA-512 (the $6$ prefix of the hash above identifies the algorithm).
The password field of a pseudo user is !! or *, which means the account cannot log in with a password.
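To make the field layout of /etc/passwd and /etc/shadow concrete, here is an added shell example (not from the original article) that parses constructed sample lines with awk and runs three checks an administrator would want: which accounts have a login shell, whether any account other than root has UID 0, and the state of each shadow entry (empty, locked, never-expiring). The sample lines and the placeholder hashes are constructed for this example, and the function names are my own.

```shell
# Constructed sample of /etc/passwd lines (not copied from any real host)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:constructed duplicate UID 0 account:/root:/bin/bash
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
guodong:x:1002:1002::/home/guodong:/bin/sh
svc:x:1003:1003:service:/var/lib/svc:/bin/false'

# Constructed sample of /etc/shadow lines; the $6$ hashes are placeholders, not real hashes
SAMPLE_SHADOW='root:$6$SALTxxxx$HASHPLACEHOLDER:18979:0:99999:7:::
daemon:*:18979:0:99999:7:::
toor::18979:0:99999:7:::
ubuntu:$6$SALTyyyy$HASHPLACEHOLDER:18979:0:90:7:::
guodong:!$6$SALTzzzz$HASHPLACEHOLDER:18979:0:99999:7:::
svc:!!:18979:0:99999:7:::'

# Field 7 of passwd is the login shell. Accounts whose shell is nologin or false
# cannot open an interactive session; this prints the names of those that can.
login_capable_users() {
  printf '%s\n' "$1" | awk -F: '$7 != "" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Field 3 is the UID. Any account other than root with UID 0 is root under another name.
extra_uid0_accounts() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Classify shadow entries from field 2 (hash) and field 5 (maximum password age):
#   empty         no password at all
#   locked        hash starts with ! or * (usermod -L prepends a !)
#   never-expires maximum age is 99999 days
#   ok            anything else
shadow_status() {
  printf '%s\n' "$1" | awk -F: '
    {
      if ($2 == "")            s = "empty"
      else if ($2 ~ /^[!*]/)   s = "locked"
      else if ($5 == "99999")  s = "never-expires"
      else                     s = "ok"
      print $1 ":" s
    }'
}
```

On a real host the same functions can be fed with `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`; the shell filter is deliberately simple (it keys on the nologin and false names only), so an unusual shell such as /bin/sync would still be reported as login capable.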
- /etc/gshadow
```
root@VM-20-5-ubuntu:~# cat /etc/gshadow | grep ubuntu
adm:*::syslog,ubuntu
cdrom:*::ubuntu
sudo:*::ubuntu
dip:*::ubuntu
plugdev:*::ubuntu
lxd:!::ubuntu
ubuntu:!::
```
Each line has four fields: group name : group password : group administrators : group members
- /etc/login.defs
Sets restrictions and defaults for user accounts; its settings do not apply to root. When a user is created, this file supplies defaults such as the UID range and password expiry settings.
File permissions
Details
Look at a file listing
```
root@VM-20-5-ubuntu:~# ls -l /etc/login.defs
-rw-r--r-- 1 root root 10550 Feb  7  2020 /etc/login.defs
```
From left to right
- File type: - is a regular file, d a directory, c a character device, and l a symbolic link
- UGO permissions: the permissions of the file owner, of the group the file belongs to, and of everyone else, each as read, write and execute, i.e. RWX
- Link count: for a directory, link count minus 2 is the number of subdirectories and files it directly contains; for a regular file it is 1
- File owner
- Group the file belongs to
- Size in bytes
- Modification date
- File name
rwx means different things for a file and for a directory. For a directory:
| rwx permission | Effect on a directory |
|---|---|
| Read (r) | Permission to read the directory listing, that is, to see which files and subdirectories it contains. With r on a directory you can run ls in it to view its contents. |
| Write (w) | For a directory, w is the most powerful permission. Having w on a directory lets you: create new files or subdirectories in it; delete existing files and subdirectories (regardless of their own permissions); rename existing files or directories; move files and directories within it. With w on a directory you can run touch, rm, cp, mv and similar commands in it. |
| Execute (x) | A directory cannot be run, so x on a directory means the user may enter it; users or groups with x can cd into the directory. |
If you are not familiar with rwx on regular files, there is plenty of material about it online.
chmod
Modify file or directory permissions
```
chmod +x hello.sh   # add execute permission to hello.sh
```
Every mode expression has the form `[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=]?[0-7]+`
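As an added example (not part of the original article), the following shell function applies a mode expression from the grammar above to a fresh temporary file or directory and returns the resulting octal bits, so the symbolic and numeric forms can be compared side by side. It fixes umask at 022 because who-less forms such as +x depend on the umask. mode_after is a name chosen for this example; it relies on GNU stat -c and mktemp.

```shell
# Apply a chmod mode expression to a fresh temporary file (default) or directory
# and print the resulting mode in octal. Runs in a subshell so the umask change
# does not leak into the caller.
mode_after() (
  umask 022
  kind=${2:-file}
  tmp=$(mktemp -d)
  if [ "$kind" = dir ]; then
    target=$tmp/d
    mkdir "$target"        # created as 755 under umask 022
  else
    target=$tmp/f
    : > "$target"          # created as 644 under umask 022
  fi
  chmod "$1" "$target"
  stat -c %a "$target"     # octal mode, e.g. 755 or 2644 (setgid bit leads)
  rm -rf "$tmp"
)

# Usage, with the value each call prints:
#   mode_after 'u=rwx,go=rx'   -> 755   symbolic form of 755
#   mode_after +x              -> 755   who omitted: a, masked by umask
#   mode_after 0640            -> 640   numeric form
#   mode_after 'ug=rw,o='      -> 660   '=' replaces, and 'o=' clears others
#   mode_after g+s             -> 2644  setgid on a file shows as a leading 2
#   mode_after +t dir          -> 1755  sticky bit on a directory shows as a leading 1
```

The last two calls show why the grammar includes s and t: setgid and sticky are extra bits beyond rwx, and stat prints them as a fourth, leading octal digit.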
chown
Changes the file owner. Three examples give the flavour:
```
chown root /u          # Change the owner of /u to "root".
chown root:staff /u    # Likewise, but also change its group to "staff".
chown -hR root /u      # Change the owner of /u and subfiles to "root".
```
Other
Deciding whether a user can sudo
This is controlled by the file /etc/sudoers. The file is short, so here it is in full:
```
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
# When using sudo, the environment variables are reset
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
# All users under the admin group can sudo
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
# All users in the sudo group can sudo
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
lighthouse ALL=(ALL) NOPASSWD: ALL
# The user ubuntu can switch to all users and groups on all hosts and execute all commands without entering a password
ubuntu ALL=(ALL:ALL) NOPASSWD: ALL
```
A sudo rule has the form: user or %group  host = [(runas user[:runas group])] [NOPASSWD:] command1, command2
Together with the Defaults lines in this file, this shows that when a command is run through sudo the environment variables of the current user's shell are reset (env_reset), and PATH is replaced by secure_path.
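Reading the rule format above, the entries worth auditing first are those that grant every command, and especially every command without a password. The following shell functions are an added example (not from the original article) that scan a sudoers-style text for such rules; the SAMPLE_SUDOERS content is constructed for the example, mirroring the shape of the file shown above, and the function names are my own.

```shell
# Constructed sudoers content for the audit (not a copy of any real host's file)
SAMPLE_SUDOERS='Defaults env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
lighthouse ALL=(ALL) NOPASSWD: ALL
ubuntu  ALL=(ALL:ALL) NOPASSWD: ALL
%ops    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx'

# Print the user or %group of every rule that runs ALL commands without a password.
# Comment lines (including #includedir), blank lines and Defaults are skipped.
nopasswd_all_entries() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || $1 == "Defaults" { next }
    /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Print the subject of every rule whose command list is ALL, with or without
# a password. The %ops rule is not reported: it is limited to one command.
full_command_entries() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || $1 == "Defaults" { next }
    $NF == "ALL" { print $1 }'
}
```

On a real host the files under /etc/sudoers.d also need scanning, since #includedir pulls them in, and any edit should be checked with `visudo -c -f <file>` before it is installed so that a syntax error does not lock everyone out of sudo.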
Deciding whether a user can log in over ssh
If you need to stop a user from logging in over ssh, there are two kinds of approach.
- Act on the account itself
  - Lock the account: usermod -L guodong
  - Change the user's login shell to /sbin/nologin
- Modify /etc/ssh/sshd_config
```
# Disable root login
PermitRootLogin no
# Reject user
DenyUsers guodong
```
One more point: password authentication over ssh can also be restricted per user.
```
# Forbid guodong and root from logging in with a password; everyone else may
Match User guodong,root
    PasswordAuthentication no
Match all
    PasswordAuthentication yes
```
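The Match blocks above only make sense once you know how sshd resolves a keyword for a given user: a value set before any Match line is the global value, and the first matching Match block that sets the keyword overrides it. The following shell example (added here, not part of the original article) models that resolution over a constructed sshd_config fragment so the effect of the DenyUsers, PermitRootLogin and Match lines above can be checked offline. It is a simplified model: it handles `Match all` and `Match User` with exact names only, not wildcard patterns or the other Match criteria; the function names are my own.

```shell
# Constructed sshd_config fragment combining the directives shown in this article
SAMPLE_SSHD='# constructed sshd_config fragment
PermitRootLogin no
DenyUsers guodong
Match User guodong,root
    PasswordAuthentication no
Match all
    PasswordAuthentication yes'

# effective_sshd_value CONFIG KEYWORD USER DEFAULT
# Prints the value KEYWORD takes for USER: the first matching Match block that
# sets it wins, otherwise the global value, otherwise DEFAULT.
effective_sshd_value() {
  printf '%s\n' "$1" | awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v user="$3" -v def="$4" '
    BEGIN { inmatch = 0; matched = 0; global = ""; result = "" }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" {
      inmatch = 1; matched = 0
      if (tolower($2) == "all") matched = 1
      else if (tolower($2) == "user") {
        n = split($3, names, ",")
        for (i = 1; i <= n; i++) if (names[i] == user) matched = 1
      }
      next
    }
    tolower($1) == kw {
      if (!inmatch) global = $2
      else if (matched && result == "") result = $2
    }
    END {
      if (result != "") print result
      else if (global != "") print global
      else print def
    }'
}

# user_is_denied CONFIG USER: succeeds if USER appears in a DenyUsers line
user_is_denied() {
  printf '%s\n' "$1" | awk -v user="$2" '
    tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
    END { exit found ? 0 : 1 }'
}
```

On a real host the authoritative answer comes from sshd itself: `sshd -T -C user=guodong` prints the effective configuration for that user after Match processing, and `sshd -t` checks a config file for errors before you reload the service.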
Permission control and software installation
In essence, installing software means placing the parts of the package in suitable locations, that is, creating files and directories under various directories. Two points matter here:
- Where does the software end up: in the user's home directory, or in a system directory?
- Who owns the newly created files and directories, and which group do they belong to? This determines who can use the newly installed software.
Software installation location
apt install, yum install, dpkg -i, or software installed by hand: which directory does it end up in? Two things to know:
- There are many linux directories, but some directories generally have special purposes
- When installing software such as apt and yum, the location of software files is not determined by the installer itself, but by the software maintainer, so it can not be generalized
For the first point, start with the PATH variable of your system
```
root@VM-20-5-ubuntu:~# env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```
PATH lists the directories in which the shell looks for a command by default.
Directory layout in Linux is in fact governed by a separate standard.
Common directories related to software installation are
| Path | Purpose |
|---|---|
| /usr/local/sbin | Locally compiled commands intended only for the root user |
| /usr/local/bin | Locally compiled commands that everyone can use |
| /usr/sbin, /sbin (on Ubuntu at least, /sbin is just a link to /usr/sbin) | System or package-installed commands intended for the root user |
| /usr/bin, /bin (on Ubuntu at least, /bin is just a link to /usr/bin) | System or package-installed commands that everyone can use |
| /usr/share | Shared, architecture-independent data such as documentation |
| /usr/lib | Library files required by software |
| /etc | Configuration files |
| /opt | Optional software is installed here. Optional means add-on applications installed by the user that are not part of the base system, such as Tomcat |
Point 1: note the distinction between bin and sbin, and between /usr and /usr/local.
Point 2: look at the permissions of the directories under /usr. Every one is owned by root and writable only by root, while other users have read and execute permission. From this you can infer that installing software into these directories requires root privileges.
```
ubuntu@VM-20-5-ubuntu:~$ ls -l /usr
total 136
drwxr-xr-x   2 root root 57344 Dec 18 11:26 bin
drwxr-xr-x   2 root root  4096 Dec 18 10:56 config
drwxr-xr-x   2 root root  4096 Apr 15  2020 games
drwxr-xr-x  10 root root 16384 Dec 18 10:33 include
drwxr-xr-x  94 root root  4096 Dec 18 11:26 lib
drwxr-xr-x   2 root root  4096 Apr 23  2020 lib32
drwxr-xr-x   2 root root  4096 Jun  5  2021 lib64
drwxr-xr-x   4 root root  4096 Dec 18 12:29 libexec
drwxr-xr-x   2 root root  4096 Apr 23  2020 libx32
drwxr-xr-x  12 root root  4096 Dec 18 10:33 local
drwxr-xr-x   2 root root 20480 Jan 12 10:50 sbin
drwxr-xr-x 159 root root  4096 Dec 18 11:09 share
drwxr-xr-x   4 root root  4096 Nov  9 21:41 src
```
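Two consequences of the PATH lookup and of the root-only write permission on these directories are worth checking in practice: which copy of a command the shell will actually run when several directories on PATH contain one, and whether any directory on PATH is writable by everyone (which would let any user replace a command for every other user, undoing the protection the listing above provides). The shell functions below are an added example, not code from the original article; demo_layout builds a constructed directory tree under mktemp so the checks can run without touching the real /usr, and all function names are my own.

```shell
# first_in_path COMMAND PATHLIST: print the first directory in PATHLIST that
# holds an executable named COMMAND, mirroring the shell's left-to-right search.
first_in_path() (
  IFS=:
  for d in $2; do
    if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
      printf '%s\n' "$d"
      exit 0
    fi
  done
  exit 1
)

# world_writable_dirs PATHLIST: print the entries whose "other" write bit is set.
# stat -c %A gives e.g. drwxrwxrwt; the ninth character is the other-write bit.
world_writable_dirs() (
  IFS=:
  for d in $1; do
    [ -d "$d" ] || continue
    case $(stat -c %A "$d") in
      ????????w?) printf '%s\n' "$d" ;;
    esac
  done
)

# demo_layout: build a constructed tree with two commands named "hello" and one
# world-writable directory, and print its base path. umask is fixed so the
# non-shared directories come out 755 as under /usr.
demo_layout() (
  umask 022
  base=$(mktemp -d)
  mkdir -p "$base/local/bin" "$base/bin" "$base/shared"
  printf '#!/bin/sh\necho local\n'  > "$base/local/bin/hello"
  printf '#!/bin/sh\necho system\n' > "$base/bin/hello"
  chmod 755 "$base/local/bin/hello" "$base/bin/hello"
  chmod 1777 "$base/shared"     # sticky and world-writable, like /tmp
  printf '%s\n' "$base"
)
```

With a PATH of `$base/local/bin:$base/bin:$base/shared`, first_in_path reports `$base/local/bin` for hello, which is exactly why /usr/local/bin precedes /usr/bin in the PATH shown above, and world_writable_dirs reports only `$base/shared`. Run against the real PATH, the second function should print nothing.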
Impact of the installer
Why do some installations need sudo? sudo runs the command as root. For any command, sudo is required whenever it needs to write to files or directories that only root may modify.
Another question: can an ordinary user use software installed by another ordinary user? It depends. If the software was installed into the standard directories above, every user can use it. Non-standard installs are possible, though: if the software was installed into the installing user's own home directory and that directory added to their PATH, other users cannot use it.
So this, too, comes down to file permission management.
Summary
Linux permissions ultimately manage files. Understand the relationship between file permissions, users and groups, master the handful of key commands, and day-to-day maintenance problems become manageable.