Passwords, groups, and their shadows
Level: Introductory
Chris Walden (cmwalden-at-us.ibm.com), e-commerce architect, IBM Developer Relations, January 2004
In this nine-part series of articles published on developerWorks, IBM e-commerce architect Chris Walden guides you in applying your Windows operational skills in a Linux environment. In this part, we use the Webmin interface and the command line to add and delete users and groups, and introduce the shadow password and group files.
User management in Linux is similar to user management in Windows in some ways and very different in others. Both are multi-user systems that control access to resources based on user identity. Both allow users to be collected into groups, which simplifies access control by avoiding the need to set permissions for many individual users. However, that is where the similarities end.
Superuser
In Linux, the superuser is called root. The root user can control every program, access every file, and use every feature on the system. Nothing is off-limits to root. From an administrative perspective, root's privileges are extremely high. It is therefore very important that the root account be protected by a secure password. You should not use the root identity for day-to-day work.
Other users can also be given root privileges, but this must be done with caution. Usually you can configure specific programs to be run as root by certain users without giving those users root privileges.
Creating new users
New users can be created from the command line or with a tool such as Webmin.
The command for adding a user is useradd. For example, to create a new user from the console:
useradd -c "normal user" -d /home/userid -g users -G webadm,helpdesk -s /bin/bash userid
This command creates a new user named "userid". "normal user" is the comment for this user. The home directory of userid will be "/home/userid". The primary group of userid will be users, and the user is also added to two other groups, "webadm" and "helpdesk". userid will use the "/bin/bash" shell as the regular console environment.
Creating new users with Webmin is simple and intuitive. Use your favorite browser to log in to Webmin and switch to the System tab. Select the "Users and Groups" tool and click Create a new user.
Figure 1. Webmin Create User Screen
Fill in the details of the user, then click Create. User creation is complete.
Adding users is also discussed in "Basic Tasks for New Linux Developers".
Modifying passwords
You can use the passwd command from the console to change a user's password:
passwd userid
Only the root user can change another user's password with passwd. After you enter the command, the system prompts you to enter and confirm the password you want to set. If the two entries match, the user's record is updated and the password is changed. A user can change their own password by entering passwd at the console; in that case, the system asks for the original password for verification before a new password can be entered.
Most Linux distributions are installed with a password cracker module enabled for password changes. This module checks whether a password follows good password practice. If the user chooses an unsafe password, it automatically warns the user. You can configure the system to require users to use secure passwords. Root is also warned when setting an unsafe password, but can still set it. In Webmin, you can use the "Change Passwords" module on the System tab to change a password. Select a user in the list and enter a new password in the blank field.
Deleting users
You can use the userdel command from the console to delete a user.
userdel -r userid
The optional -r switch deletes the user's home directory and everything in it. If you want to keep the home directory, don't use the -r switch. This switch does not automatically delete every file on the system that belongs to the user, only the home directory.
How users are organized
Linux configuration is text-based. All users in Linux are stored in the /etc/passwd file. You can use the more command to page through this file:
more /etc/passwd
The /etc directory
Don't forget that most of Linux's configuration files are in the /etc directory.
This file is very intuitive. Each line is one user, and the fields are separated by colons.
userid:x:75000:75000::/home/userid:/bin/bash
The first column is the username. The second column is the user's password. The third column is the user's numeric ID. The fourth column is the ID of the user's primary group. The fifth column is the user's full name, or a comment. The sixth column is the location of the user's home directory, which is usually under /home in a directory with the same name as the user ID. The seventh column is the user's default console shell.
Password file structure
Login ID  Password  User ID  Group ID  Comment  Home directory  Default shell
userid    x         75000    75000              /home/userid    /bin/bash
Note that the Password column in the example above contains an "x". This does not mean that the user's password is "x". In the past, passwords were stored in this file in plain text. That configuration still exists, but because passwords are so easily exposed that way, very few people use it. The solution is the shadow password. The place where the password would be stored in /etc/passwd holds just an "x", and the encrypted password is stored in the /etc/shadow file. This technique improves security by separating user information from password data. Support for the MD5 password encryption algorithm allows stronger passwords, further improving security. A sample shadow password entry looks like this:
userid:$1$z2nxzr19$PZPYL84DMPKBXMEURAXXM.:12138:0:186:7:::
Shadow passwords and user permissions
One characteristic of Linux user management is that it follows the Unix style and uses the passwd file. A user who logs in must be able to read the /etc/passwd file so that the system can determine whether the username exists. If usernames and passwords are stored in the same file, a potential attacker may be able to obtain passwords: they can download the /etc/passwd file and then recover passwords with a brute-force attack. The shadow file does not have to be readable by users, so attackers cannot obtain the passwords in any form. This method is still not ideal, because an attacker can still obtain some user information. A better way is to keep users in a separate place, for example by using LDAP.
All shadow password handling is done in the background. You only need to enable the feature; nothing else is required.
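As an added illustration, not from the original article, this shell function reads shadow-format entries and reports each account's hash scheme from its prefix, together with the password age from the third field (days since 1970-01-01) checked against the maximum age in the fifth field. The function name shadow_report and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: classify shadow-format entries by hash scheme and age.
# Usage: shadow_report FILE TODAY   (TODAY = days since 1970-01-01)
shadow_report() {
    awk -F: -v today="$2" '
    function scheme(h) {
        if (h == "")           return "EMPTY"     # no password at all
        if (h ~ /^[!*]/)       return "locked"    # no password login possible
        if (h ~ /^\$1\$/)      return "md5crypt(weak)"
        if (h ~ /^\$2[aby]\$/) return "bcrypt"
        if (h ~ /^\$5\$/)      return "sha256crypt"
        if (h ~ /^\$6\$/)      return "sha512crypt"
        if (h ~ /^\$y\$/)      return "yescrypt"
        return "des-or-unknown(weak)"
    }
    /^#/ || NF < 5 { next }
    {
        age = ($3 == "") ? "unknown" : today - $3
        st = ($3 != "" && $5 != "" && today - $3 > $5) ? "expired" : "ok"
        print $1, scheme($2), "age=" age, st
    }' "$1"
}

# Constructed sample entries (salts and hashes are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$SALT$PLACEHOLDER:12300:0:99999:7:::
userid:$1$SALT$PLACEHOLDER:12138:0:186:7:::
daemon:*:12138:0:99999:7:::
guest::12138:0:99999:7:::
EOF
shadow_report "$sample" 12400   # 12400 is a constructed value for "today"
rm -f "$sample"
```

On a live system, run it as root against /etc/shadow and pass $(( $(date +%s) / 86400 )) as the second argument.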
Groups
Groups in Linux are very similar to those in Windows. You can create a group and add members to its list. Resources can be assigned by group, and members of the same group can access the same resources.
Creating a group with the console command groupadd is simple:
groupadd mygroup
This creates a new group called "mygroup" with no members. Groups are stored in the /etc/group file. Each group is listed on its own line, as shown below:
mygroup:x:527:
The first column is the name of the group. The second column is a password. As before, an "x" means that the real password is stored in the /etc/gshadow shadow file. The third column is the group's numeric ID. After the third column comes a comma-separated list of the user IDs of the group's members.
You can add a member to the group using the gpasswd command. Use the -a switch, followed by the username you want to add:
gpasswd -a userid mygroup
Removing a member from the group uses the same command, but with the -d switch instead of -a:
gpasswd -d userid mygroup
Groups can also be modified by editing the /etc/group file directly.
The real risk in editing the /etc/passwd and /etc/group files directly is that ID numbers may be duplicated. All resources are identified by ID number rather than by the name of the user or group. If you accidentally duplicate an ID number, unexpected things can happen. For example, if you set a user's ID number to 0 (the root user ID), that user becomes root. Likewise, if you delete a user line or group line from a file, the corresponding user or group is deleted. These are all human errors, and using tools helps you avoid them. Sometimes, however, editing the /etc/group file directly is the fastest way to solve a problem. Remember that when you edit these files, you are handling real power. Be careful.
In Webmin, you can create, edit, and remove groups using the same tool used earlier for managing users.
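The mistakes described above can be caught with a script after any manual edit. The following is an added example, not part of the original article: a POSIX shell function (the name audit_accounts and the sample files are constructed for illustration) that reads passwd- and group-format files and reports duplicate IDs, accounts other than root with UID 0, password fields that are not shadowed, and primary groups missing from the group file.

```shell
#!/bin/sh
# Added example: consistency checks on passwd- and group-format files.
# Usage: audit_accounts PASSWD_FILE GROUP_FILE
audit_accounts() {
    awk -F: '
    pass == 1 {                        # first operand: the group file
        if (NF < 3) next
        if ($3 in gid) {
            print "DUP-GID " $3 ": " gid[$3] " and " $1
        } else {
            gid[$3] = $1
        }
        next
    }
    /^#/ || $0 == "" { next }
    NF != 7       { print "MALFORMED line " FNR; next }
    ($3 in seen)  { print "DUP-UID " $3 ": " seen[$3] " and " $1 }
    !($3 in seen) { seen[$3] = $1 }
    $3 == 0 && $1 != "root" { print "UID0 " $1 " has root privileges" }
    $2 != "x"     { print "UNSHADOWED " $1 }
    !($4 in gid)  { print "NO-GROUP " $1 " gid " $4 }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample files; on a real system pass /etc/passwd /etc/group.
dir=$(mktemp -d)
cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
userid:x:75000:75000::/home/userid:/bin/bash
helpdesk1:x:75000:100:help desk:/home/helpdesk1:/bin/bash
toor:x:0:0::/root:/bin/sh
legacy:$1$SALT$PLACEHOLDER:501:100::/home/legacy:/bin/bash
EOF
cat > "$dir/group" <<'EOF'
root:x:0:
users:x:100:
mygroup:x:527:userid
EOF
audit_accounts "$dir/passwd" "$dir/group"
rm -rf "$dir"
```

An empty result means none of these problems were found; any output line names the account to review before the edited file is left in place.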
User and group association
Although we cannot discuss access control in detail here, you should have a preliminary understanding of how users and groups relate to access. If you list the files in a directory in long format, you will see something like the following.
-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile
For now, ignore the other columns and look only at the third, fourth, and last columns. The third column is the name of the file's owner, userid. The fourth column is the associated group, mygroup. The last column is the file name. Each file can belong to only one owner and one group. Permissions can also be set for other users who fall into neither category. Other can be considered the equivalent of Everyone in Windows.
That a file can have only one owner is very common among operating systems, but an administrator new to Linux may find it restrictive that a file can belong to only one group. It is not. Since a user can be a member of multiple groups, all that is needed is to create a new group. In Linux, groups are often defined by the resource access required rather than by business unit. If the system's resources are organized logically, more groups can be created to control access to them more precisely.
In the reference section at the end of this article, you can find more details about users and groups. See man chmod for details on how to change file permissions.
Conclusion
Managing users and groups in Linux is much the same as in Windows, except that in Linux only one group can be associated with a system resource. What you should know about group management in Linux: think of groups flexibly, and in a complex environment don't be afraid to create many groups. Groups should be created based on resource access rather than business units.
User and group information is stored in the /etc/passwd and /etc/group files, respectively. Your system may also have /etc/shadow and /etc/gshadow files, which store the passwords securely. You can edit these files directly to manage users and groups, but you must act with caution. All user and group management can be done at the console, and can be scripted. You can also manage users and groups graphically using Webmin.
Reference
Read the other parts of the Windows-to-Linux roadmap series (developerWorks, November 2003).
Chapter 11, Managing User Accounts, of The Linux System Administrator's Guide is a rather old document, but it is still worth reading because the techniques for managing users and groups are general. This guide will help you learn about working at the console in Linux.
The Linux Headquarters site offers basic tutorials and tips on many topics, often under a heading such as "I have installed Linux ... What should I do now?" You may find these tutorials very interesting.
The Linux Documentation Project also provides a list of HOWTOs to help you find the appropriate documentation quickly and easily.
"Basic Tasks for Newcomers to Linux" also introduces the GUI system tools.
The developerWorks tutorial "LPI Certification 101 Exam Prep, Part 3: Intermediate Administration" also covers user management.
IBM Directory Server implements the Lightweight Directory Access Protocol (LDAP), which is used to access directory services, especially X.500-based directories. For more details, read "Use IBM Directory Server for Linux User Verification".
File permissions and security are described in Chapter 3 of the Introduction to Linux guide from the Linux Documentation Project.
For more on users and logins, see the relevant chapters of Linux Unleashed (Macmillan Computer Publishing, 1998), as well as Managing Accounts and Groups in The Official Red Hat Linux System Administration Primer (Red Hat, 2002).
The University of Maryland shares its ideas and techniques for choosing secure passwords.
The Red Hat Linux manual has details on using the shadow passwd file.
The Linux Shadow Password HOWTO covers the background history of the shadow system and related material, along with step-by-step implementation guidelines.
System security is a broad and complex topic, but in the world of the Internet it affects everyone. Fortunately, as long as you start to be aware of the problem, it is not too late. The following two articles will help: one is Adding Security to Common Linux Distributions, and the other is Strategies for Keeping a Secure Server (Chapter 12 of the previously referenced Linux Administration Made Easy guide).
The IBM developerWorks article "Addressing Security Issues in Linux" walks you through implementing basic security.
"Linux User Technology FAQ" (developerWorks, July 2001) can also help you make a smooth transition from Windows to Linux.
To get started with IBM software products on Linux, Speed-start your Linux app gives you the best reference material. You can find installation tips and reference information for DB2, Lotus Domino, WebSphere Application Server, WebSphere Studio, and more. You can also sign up to get the free Linux Software Evaluation Kit, with trial software and training materials.
More reference materials for Linux developers can be found in the developerWorks Linux zone.
About the author
Chris Walden is an e-commerce architect in IBM Developer Relations Technical Consulting (also known as Dragonslayers) in Austin, Texas, which provides education, implementation, and consulting for IBM business partners. He is dedicated to Linux-related work and takes every opportunity to promote the benefits of Linux to those around him. Beyond his architect responsibilities, he is also proficient in many areas of Linux infrastructure servers, including file, print, and other application services in a mixed-platform user environment. Chris has 10 years of experience in the computer industry, ranging from on-site support to Web application development and consulting. You can contact Chris at cmwalden-at-us.ibm.com.