From this post, I would write a series of posts about preparing for the CKS (Certified Kubernetes Security Specialist) exam. I would write my own notes about the exam, and you can refer to these articles to prepare your own.
List of the series of posts:
3. The linux user/group management
3.1 Linux user types
There are four types of user accounts in Linux Systems.
- Normal User Account which is normally created by root users.
- Root super user UID=0, unlimited access
- System Account system user, created automatically by the system when the system is installed
- Service Account service user, created when some applications are installed, such as nginx service account
3.2 Commonly used Linux user management commands
id #look at user id/group id, etc. who #See users who are online at the same time last #look at recent online users
3.3 Key user management files
- /etc/passwd #Store user’s basic information and home directory, shell and other information
- /etc/shadow #store encrypted user password
- /etc/group #Which users are in the user group
Let’s dig the /etc/group file:
[root@drbd1 boot]# cat /etc/group | head -5 root:x:0:root bin:x:1:root,bin,daemon daemon:x:2:root,bin,daemon sys:x:3:root,bin,adm adm:x:4:root,adm,daemon
Group password: This configuration is usually used by group administrators, and the same password is rarely stored in /etc/gshadow
GID: The group name corresponding to the GID used in the fourth field of /etc/passwd is the corresponding group name here
Other users supported by this group: If you know that a user can join multiple groups, when an account wants to join this group, fill in the account in this field.
3.4 How to disable user in linux system?
Modify user permissions to not allow login:
usermod -s /bin/nologin xxxuser
3.5 Add user to a group and remove a user from a group
Add user to a group:
usermod -a -G xxxGroup xxxUser
Remove users from a group:
deluser bob admingroup
3.6 Create user and delete user
Set password for user:
3.7 Set user id/group id/home directory etc.
$ vi /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
There are five lines of code above, there are seven or seven paragraphs in each line, separated by:, Let’s talk about the meaning of each paragraph! They are user name, password, UID, GID, user description information, home directory, and default shell. Let’s talk about the detailed meaning separately below!
Username: This is the account we use to log in to the system, where the username corresponds to the UID
Password: Needless to say, but here is an X, to prevent it from being stolen, put it in another file /etc/shadow
UID: Corresponds to our username, the host can identify our username through this
GID: As we said in the previous blog, each user corresponds to a user group. The GID here identifies the group name, in another file /etc/group
User description information: There is no important purpose, just to explain the meaning of this account
Home Directory: The user’s home directory. Take the above as an example, root’s home directory is in /root, so when root logs in, it will immediately go to the /root directory
Default shell: When the user logs in to the system, a Shell will be obtained to communicate with the core of the system to perform user operation tasks
You can then edit the file to change his(her) user id/group id/home directory etc.
3.8 Manage user groups
You can use the following commands to manage groups.
groupadd, groupmod, groupdel
4. The theory about Linux User/Group Management
Linux is a multi-user and multi-task operating system. In other words, the Linux system supports multiple users logging in at the same time, and different users can perform different tasks without affecting each other.
For example, there are 4 users on a Linux server, namely root, www, ftp, and mysql. At the same time, the root user may be viewing system logs, managing and maintaining the system; www users may be modifying their own web programs; ftp The user may be uploading software to the server; the mysql user may be executing his own SQL query, each user does not interfere with each other, and conducts his own work in an orderly manner. At the same time, unauthorized access is not allowed between each user. For example, the www user cannot execute SQL query operations of the mysql user, and the ftp user cannot modify the web program of the www user.
Different users have independent permissions, and each user completes different tasks within the scope of permissions. It is through this division and management of permissions that Linux realizes a multi-user and multi-task operation mechanism.
Therefore, if you want to use the resources of the Linux system, you must apply for an account from the system administrator, and then enter the system through this account (account and user are the same concept). By establishing users with different attributes, on the one hand, system resources can be reasonably used and controlled, and on the other hand, users can organize files and provide security protection for user files.
Each user has a unique user name and password. When logging in to the system, only the correct user name and password can enter the system and your home directory.
A user group is a logical collection of users with the same characteristics. Simple understanding, sometimes we need to allow multiple users to have the same permissions, such as viewing and modifying a file. One way is to authorize file access for multiple users separately. If there are 10 users, authorization is required. 10 times, what if there are 100, 1000 or more users?
Obviously, this method is not reasonable. The best way is to create a group, let this group have the permission to view and modify this file, and then put all users who need to access this file into this group. Then, all users have the same permissions as the group, which is the user group.
Grouping users is a way to manage users and control access rights in the Linux system. By defining user groups, many programs simplify the management of users. The relationship between Linux users and groups There are four types of correspondence between users and user groups:
- One-to-one: A user can exist in a group and is the only member of the group;
- One-to-many: A user can exist in multiple user groups, and this user has the common permissions of these multiple groups;
- Many-to-one: Multiple users can exist in a group, and these users have the same permissions as the group;
- Many-to-many: Multiple users can exist in multiple groups, which is an extension of the above three relationships.
In this post, I write some commands to to the user/group management in linux systems, especially the commands that secure the user/groups in linux.