
5.1 User identity and capabilities


May 23, 2021 | That's how Linux should be learned



One of the original design goals of Linux was to let multiple users work on the same system at the same time, so the system must enforce security between them. Chapter 1 showed that installing RHEL 7 specifically requires setting a password for root, the superuser that exists on every UNIX-like system. root holds the highest privilege on the system and can carry out any administrative task: adding and removing users, starting and stopping service processes, enabling and disabling hardware devices, and so on. Working as root is not subject to the system's permission checks, and, as the saying goes, "with great power comes great responsibility": a single wrong command run as root can destroy the entire system. Whether or not to work as root is something you genuinely have to weigh.

Should you use root privileges to control the whole system while you are learning? Many articles on the web answer this by recommending that you work as an ordinary user, which is the safer and more "responsible" answer. Today Mr. Liu Wei is going to go against the grain and share his own experience: he strongly recommends that you use root privileges while learning!

Such a decisive stance on root privileges is still rare online, and the reasoning behind it is simple. While learning Linux, if you operate as an ordinary user, it is hard to tell, when something fails after you configure a service, whether the problem is in the service itself or simply a lack of permissions. Moreover, the lab environment is built on VMware virtual machines with a snapshot of the freshly installed system, so even if the system is completely broken you can restore a clean one in about five seconds without fear of losing data.

In summary, Mr. Liu recommends that every student use root privileges while learning Linux during training, and then decide which user to work as in production based on that environment's requirements.

In addition, many books and training institutions state that the administrator of a Linux system is root. Strictly speaking this is imprecise: root is the administrator not because the account is named root, but because its user identification number (UID) is 0. A UID is as unique as a national ID number, so a user's identity is determined by its UID value, not its name. In RHEL 7 the UID ranges are as follows.

Administrator, UID 0: the system's administrative user. Any account with UID 0 has full privileges, whatever it is called.

System users, UID 1 to 999: to keep a vulnerability in one service program from handing an attacker the whole server, each service program runs by default under its own dedicated system user, which limits the damage a compromise can do.

Normal users, UID 1000 and above: accounts created by the administrator for day-to-day work.

Note that UIDs must not collide, and normal users created by the administrator are numbered from 1000 upward by default, even if lower numbers are unused.
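The ranges above are easy to check mechanically. The following Python script is an added example, not code from the original page: it parses /etc/passwd-format text (a constructed sample is embedded; on a real host pass the contents of /etc/passwd), counts accounts per class, and flags what a reviewer cares about: any account other than root with UID 0, duplicate UIDs, and system accounts that have an interactive shell instead of /sbin/nologin. The sample's toor account and the duplicated UID 1000 are deliberate, constructed anomalies.

```python
"""Classify /etc/passwd accounts by the RHEL 7 UID convention and flag the
things a security reviewer looks for: extra UID-0 accounts, duplicate UIDs,
and system accounts that were given an interactive shell."""
from collections import Counter

# Constructed sample of /etc/passwd lines, not taken from a real system.
# 'toor' and the duplicated UID 1000 are deliberate anomalies for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/bin/bash
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
linuxprobe:x:1000:1000::/home/linuxprobe:/bin/bash
ronny:x:1000:1001::/home/ronny:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
"""

# Shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts (one per account)."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def classify(uid):
    """RHEL 7 convention: 0 = administrator, 1-999 = system user, 1000+ = normal user."""
    if uid == 0:
        return "administrator"
    if uid <= 999:
        return "system"
    return "normal"


def audit(accounts):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    # The kernel checks the number, not the name: a second UID 0 is a second root.
    for acct in accounts:
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append(f"extra UID 0 account: {acct['name']}")
    # Two names on one UID share files, processes and permissions.
    for uid, count in Counter(a["uid"] for a in accounts).items():
        if count > 1 and uid != 0:
            names = ", ".join(a["name"] for a in accounts if a["uid"] == uid)
            findings.append(f"duplicate UID {uid}: {names}")
    # System users exist to contain a compromised service; an interactive
    # shell on one of them gives an attacker an account to log in with.
    for acct in accounts:
        if classify(acct["uid"]) == "system" and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append(
                f"system account with interactive shell: {acct['name']} ({acct['shell']})")
    return findings


def summarize(text):
    """Count accounts per class and run the audit; returns (counts, findings)."""
    accounts = parse_passwd(text)
    counts = dict(Counter(classify(a["uid"]) for a in accounts))
    return counts, audit(accounts)


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_PASSWD)
    print(counts)
    for finding in findings:
        print("FINDING:", finding)
```

On a real system call summarize(open("/etc/passwd").read()). A second UID-0 entry is a classic persistence trick precisely because id and ls report the name while the kernel only ever checks the number.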

To make it easier to manage users who belong together, Linux also has user groups. By using group identification numbers (GIDs), several users can be placed in the same group, which makes it easier to plan permissions or assign tasks for all of them at once. Suppose a company has several departments, each with many employees. If you only want employees to have access to their own department's resources, you can set permissions per department rather than per employee: for example, grant the technical department's group access to the company's database so that only its members can read it.

In addition, when a user is created on a Linux system, a base group with the same name is created automatically, and that user is its only member. If the user is later added to another group, that group is called an extended group. A user has exactly one base group but can belong to any number of extended groups, as the job requires.

1. useradd command

The useradd command creates a new user, in the format "useradd [options] username".

You can use the useradd command to create a user account. When you create an account this way, the user's home directory is placed under /home by default, the default shell is /bin/bash, and a base group with the same name as the user is created. These defaults can be changed with the useradd parameters in Table 5-1.

Table 5-1 useradd parameters and their functions

Parameter   Function
-d          Specify the user's home directory (default /home/username)
-e          Account expiration date, in YYYY-MM-DD format
-u          Specify the user's UID
-g          Specify the user's base group (it must already exist)
-G          Specify one or more extended groups
-N          Do not create a base group with the user's name
-s          Specify the user's login shell

Let's create a normal user and specify the path to its home directory, its UID, and its shell. Note /sbin/nologin in the command below: unlike bash, it is a "shell" that refuses interactive logins, printing a refusal message and exiting. Once a user's shell is set to nologin, the user cannot log on to the system, although processes can still run under that account, which is exactly what service accounts need:

[root@linuxprobe ~]# useradd -d /home/linux -u 8888 -s /sbin/nologin linuxprobe
[root@linuxprobe ~]# id linuxprobe
uid=8888(linuxprobe) gid=8888(linuxprobe) groups=8888(linuxprobe)

2. groupadd command

The groupadd command creates a user group, in the format "groupadd [options] groupname".

To assign permissions more efficiently, several users are often added to the same group at work so that permissions can be arranged for the whole class of users at once. Creating a group is simple:

[root@linuxprobe ~]# groupadd ronny

3. usermod command

The usermod command modifies a user's attributes, in the format "usermod [options] username".

It has been stressed repeatedly that everything in a Linux system is a file, so creating a user is really a matter of editing configuration files. Account information is kept in /etc/passwd (the password hashes live in /etc/shadow). These fields can be edited directly with a text editor (prefer vipw, which locks the file while you edit), or an existing account can be modified with the usermod command: its UID, base and extended groups, login shell, and so on. The parameters of usermod and their functions are shown in Table 5-2.

Table 5-2 usermod parameters and their functions

Parameter   Function
-c          Set the comment (GECOS) field of the account
-d -m       -m is used together with -d: re-specify the user's home directory and move the existing contents to the new location
-e          Account expiration date, in YYYY-MM-DD format
-g          Change the base group
-G          Change the extended groups
-L          Lock the user so they cannot log on
-U          Unlock the user so they can log on again
-s          Change the login shell
-u          Change the user's UID

Don't be put off by the number of parameters. First, look at the default information for the linuxprobe account:

[root@linuxprobe ~]# id linuxprobe
uid=1000(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe)

Next, add linuxprobe to the root group so that root appears in its list of extended groups; the base group is unaffected. Membership of group 0 does not make the user root, but it grants whatever access the filesystem gives to root's group, so treat it as a privileged change:

[root@linuxprobe ~]# usermod -G root linuxprobe
[root@linuxprobe ~]# id linuxprobe
uid=1000(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe),0(root)

Try changing the UID of linuxprobe with the -u parameter. Similarly, -g changes the user's base group and -G its extended groups. Note that -G replaces the whole extended-group list, so to add a group while keeping the existing ones, combine it with -a (usermod -aG group username).

[root@linuxprobe ~]# usermod -u 8888 linuxprobe
[root@linuxprobe ~]# id linuxprobe
uid=8888(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe),0(root)
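To see how the output of id above is derived, here is an added Python example (not code from the page) that resolves a user's base group from /etc/passwd and its extended groups from /etc/group, renders the same line id prints, and lists every account that belongs to a privileged group. Both files are constructed samples reflecting the state after usermod -G root linuxprobe; the set of privileged groups (root, and wheel because RHEL 7's default sudoers gives wheel full sudo rights) is this example's own assumption.

```python
"""Resolve a user's base and extended groups from /etc/passwd and /etc/group
the way `id` does, and list every account that sits in a privileged group."""

# Constructed passwd and group contents, not from a real system. The group
# file reflects the state after `usermod -G root linuxprobe` on the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
linuxprobe:x:1000:1000::/home/linuxprobe:/bin/bash
ronny:x:1001:1001::/home/ronny:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:linuxprobe
wheel:x:10:ronny
linuxprobe:x:1000:
ronny:x:1001:
"""

# Assumed set of groups whose membership amounts to privilege: root (GID 0)
# and wheel, which RHEL 7's default sudoers grants full sudo rights.
PRIVILEGED_GROUPS = {"root", "wheel"}


def parse_passwd(text):
    """Map user name -> (uid, base gid)."""
    users = {}
    for line in text.splitlines():
        if line:
            name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map group name -> (gid, set of users listed as extended members)."""
    groups = {}
    for line in text.splitlines():
        if line:
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def resolve(user, users, groups):
    """Return (uid, base_gid, gids): the base group first, then extended groups."""
    uid, base_gid = users[user]
    extended = sorted(gid for gid, members in groups.values()
                      if user in members and gid != base_gid)
    return uid, base_gid, [base_gid] + extended


def id_string(user, users, groups):
    """Render the line `id <user>` prints for the same data."""
    uid, base_gid, gids = resolve(user, users, groups)
    name_of = {gid: name for name, (gid, _members) in groups.items()}
    groups_part = ",".join(f"{gid}({name_of[gid]})" for gid in gids)
    return f"uid={uid}({user}) gid={base_gid}({name_of[base_gid]}) groups={groups_part}"


def privileged_members(users, groups):
    """Map each user that is in a privileged group (base or extended) to those groups."""
    name_of = {gid: name for name, (gid, _members) in groups.items()}
    result = {}
    for user in users:
        _uid, _base, gids = resolve(user, users, groups)
        hits = sorted(name_of[gid] for gid in gids if name_of[gid] in PRIVILEGED_GROUPS)
        if hits:
            result[user] = hits
    return result


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    for user in users:
        print(id_string(user, users, groups))
    print("privileged:", privileged_members(users, groups))
```

Running privileged_members against a real host's /etc/passwd and /etc/group is a quick way to find accounts that were quietly added to root or wheel with usermod -G and never removed.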

4. passwd command

The passwd command modifies a user's password, password expiry, and related authentication settings, in the format "passwd [options] [username]".

Ordinary users can use passwd only to change their own password, while root can change anyone's. Even more conveniently, root is not asked for the old password when changing its own or anyone else's password. Because root can change any user's password, root effectively controls every account on the system. The parameters available for passwd and their functions are shown in Table 5-3.

Table 5-3 passwd parameters and their functions

Parameter   Function
-l          Lock the user's password so they cannot log on with it
-u          Unlock the password and allow logins again
--stdin     Read the new password from standard input, e.g. echo "NewPassWord" | passwd --stdin Username (the password then ends up in the shell history)
-d          Delete the user's password, so the account can log on with an empty password
-e          Expire the password, forcing the user to change it at the next login
-S          Show the password status: whether it is locked, and the hashing algorithm used

Next, Mr. Liu demonstrates how to change your own password and how to change someone else's (changing another user's password requires root privileges):

[root@linuxprobe ~]# passwd
Changing password for user root.
New password: (enter the new password here)
Retype new password: (enter it again to confirm)
passwd: all authentication tokens updated successfully.
[root@linuxprobe ~]# passwd linuxprobe
Changing password for user linuxprobe.
New password: (enter the new password here)
Retype new password: (enter it again to confirm)
passwd: all authentication tokens updated successfully.

Suppose a colleague goes on a long vacation. Instead of deleting the account, you can use passwd to lock it so the user cannot log on, and unlock it again when the colleague returns. This keeps the system secure in the meantime and avoids repeatedly adding and deleting users. Keep in mind that passwd -l only disables password authentication (it prefixes the hash in /etc/shadow with "!"); if the user has an SSH key installed, key-based logins still succeed. To block every login path for the duration, also set an account expiry date with usermod -e:

[root@linuxprobe ~]# passwd -l linuxprobe
Locking password for user linuxprobe.
passwd: Success
[root@linuxprobe ~]# passwd -S linuxprobe
linuxprobe LK 2017-12-26 0 99999 7 -1 (Password locked.)
[root@linuxprobe ~]# passwd -u linuxprobe
Unlocking password for user linuxprobe.
passwd: Success
[root@linuxprobe ~]# passwd -S linuxprobe
linuxprobe PS 2017-12-26 0 99999 7 -1 (Password set, SHA512 crypt.)
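The status line from passwd -S is built from /etc/shadow. The added Python example below (not code from the original page) parses shadow-format records, reproduces that line, and reports what the status alone does not say: empty passwords left by passwd -d, accounts locked with passwd -l but never expired (so SSH key logins still work), passwords flagged for change at next login by passwd -e, and weak hash algorithms. The records and hashes are constructed placeholders, and "today" is pinned to 2017-12-26, the date in the output above, so the run is deterministic.

```python
"""Read /etc/shadow-format records, reproduce the status line `passwd -S`
prints, and report the gaps the status line does not call out."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# 'Today' is pinned to the date in the page's passwd -S output so the demo is deterministic.
TODAY = date(2017, 12, 26)

# Constructed shadow records; the hashes are placeholders, not real crypt output.
# Day 17526 is 2017-12-26; 0 in the last-change field is what passwd -e sets.
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehashfakehash:17526:0:99999:7:::
linuxprobe:!$6$saltsalt$fakehashfakehash:17526:0:99999:7:::
ronny:$6$saltsalt$fakehashfakehash:0:0:99999:7:::
guest::17526:0:99999:7:::
legacy:$1$salt$fakehash:17526:0:99999:7::17600:
contractor:!$6$saltsalt$fakehashfakehash:17526:0:99999:7::17500:
"""

HASH_ALGORITHMS = {"$6$": "SHA512 crypt", "$5$": "SHA256 crypt", "$1$": "MD5 crypt",
                   "$2": "bcrypt", "$y$": "yescrypt"}
WEAK_ALGORITHMS = {"MD5 crypt", "DES crypt"}


def parse_shadow(text):
    """Parse shadow-format text into a list of dicts, one per account."""
    records = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, hash_, lastchg, minage, maxage, warn, inactive, expire, _reserved = fields
        records.append({
            "name": name,
            "hash": hash_,
            "lastchg": int(lastchg) if lastchg else -1,  # days since epoch; 0 forces a change
            "min": int(minage) if minage else 0,
            "max": int(maxage) if maxage else 99999,
            "warn": int(warn) if warn else 7,
            "inactive": int(inactive) if inactive else -1,
            "expire": EPOCH + timedelta(days=int(expire)) if expire else None,
        })
    return records


def status(hash_):
    """The three states passwd -S distinguishes: NP (no password), LK (locked), PS (set)."""
    if hash_ == "":
        return "NP"
    if hash_.startswith(("!", "*")):
        return "LK"
    return "PS"


def algorithm(hash_):
    """Name the crypt algorithm from the $id$ prefix, ignoring a leading lock marker."""
    h = hash_.lstrip("!")
    if h in ("", "*"):
        return None
    for prefix, name in HASH_ALGORITHMS.items():
        if h.startswith(prefix):
            return name
    return "DES crypt"  # no $id$ prefix: traditional 13-character DES crypt


def status_line(rec):
    """Render the same line `passwd -S <user>` prints."""
    st = status(rec["hash"])
    note = {"NP": "Empty password.", "LK": "Password locked.",
            "PS": f"Password set, {algorithm(rec['hash'])}."}[st]
    changed = EPOCH + timedelta(days=max(rec["lastchg"], 0))
    return (f"{rec['name']} {st} {changed.isoformat()} {rec['min']} {rec['max']} "
            f"{rec['warn']} {rec['inactive']} ({note})")


def audit(records, today=TODAY):
    """Findings that a bare status line hides."""
    findings = []
    for rec in records:
        st = status(rec["hash"])
        expired = rec["expire"] is not None and rec["expire"] <= today
        if st == "NP":
            findings.append(f"{rec['name']}: empty password (passwd -d), no credential needed to log in")
        if st == "LK" and not expired:
            # passwd -l / usermod -L only disable the password; an SSH key still works.
            findings.append(f"{rec['name']}: password locked but account not expired, key-based SSH login still possible")
        if rec["lastchg"] == 0:
            findings.append(f"{rec['name']}: must change password at next login (passwd -e)")
        if algorithm(rec["hash"]) in WEAK_ALGORITHMS:
            findings.append(f"{rec['name']}: weak hash algorithm {algorithm(rec['hash'])}")
    return findings


if __name__ == "__main__":
    recs = parse_shadow(SAMPLE_SHADOW)
    for rec in recs:
        print(status_line(rec))
    for finding in audit(recs):
        print("FINDING:", finding)
```

The contractor record shows the clean way to park an account: locked and expired, so neither a password nor a key gets in. Reading /etc/shadow requires root, which is one more reason the page's commands are run from the root prompt.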

5. userdel command

The userdel command deletes a user, in the format "userdel [options] username".

If you are sure a user will never log on again, you can remove all of that user's account information with userdel. By default the home directory is left in place; add the -r parameter to remove it (along with the user's mail spool). Files the user owned elsewhere on the system keep the now-unassigned UID as their owner, and if that UID is later given to a new account the new user inherits them; find / -nouser lists such orphaned files. The parameters of userdel and their functions are shown in Table 5-4.

Table 5-4 userdel parameters and their functions

Parameter   Function
-f          Force the deletion, even if the user is still logged in
-r          Delete the user's home directory along with the user

Here's how to remove the linuxprobe user using the userdel command:

[root@linuxprobe ~]# id linuxprobe
uid=8888(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe),0(root)
[root@linuxprobe ~]# userdel -r linuxprobe
[root@linuxprobe ~]# id linuxprobe
id: linuxprobe: no such user