Group and group administrator in Linux user system

Time: 2020-10-18

On groups: effective and initial groups, groups, newgrp

# /etc/group

This file records the correspondence between GID and group name. My /etc/group looks something like this:

  root:x:0:root
  bin:x:1:root,bin,daemon
  daemon:x:2:root,bin,daemon
  sys:x:3:root,bin,adm

The colon ':' is again the field separator, dividing each line into four columns:

1. Group name: the name of the group.

2. Group password: usually not set, because we seldom log in to a group. In any case the actual password is recorded in /etc/gshadow.

3. GID: the numeric ID of the group.

4. Supported account names: the accounts that belong to this group. A user can join several groups. For example, to make dmtsai a member of the root group as well, append dmtsai to the end of the first line, with no spaces: root:x:0:root,dmtsai

The fourth column is the most important one, because each user can have several support groups, just as a student can join more than one club at school. But you may wonder: "if I belong to several groups at once, which one applies when I work?" That brings us to the concept of the "effective group".

# Effective group and initial group

Remember that every user has a GID in the fourth column of /etc/passwd? That GID is the user's "initial group". As soon as the user logs in to the system, he or she immediately has the permissions of that group. Taking dmtsai as an example, the related entries in /etc/passwd, /etc/group and /etc/gshadow are:

  [root@linux ~]# grep dmtsai /etc/passwd /etc/group /etc/gshadow
  /etc/passwd:dmtsai:x:501:501::/home/dmtsai:/bin/bash
  /etc/group:users:x:100:dmtsai
  /etc/group:dmtsai:x:501:
  /etc/gshadow:users:::dmtsai
  /etc/gshadow:dmtsai:!::

Look at the output carefully. In /etc/passwd, the group dmtsai belongs to is GID 501, which is the dmtsai group in /etc/group. Because this is the initial group, the user obtains it automatically at login, so the account does not need to be written in the fourth field of /etc/group.

Groups other than the initial group are different. For example, to add dmtsai to the users group, I have to find the users line in /etc/group and add the account dmtsai to its fourth column; only then does dmtsai support the users group.

In this example, because my dmtsai account supports both the dmtsai and users groups, when reading, writing or executing files the user dmtsai has every permission that the users and dmtsai groups have. But what happens when dmtsai creates a new file: does the file belong to the users group or to the dmtsai group? That depends on the effective group at that moment.

If I log in as dmtsai, how do I find out all the groups I support? Very simple: just type groups (note the trailing s). The output looks like this:

  [dmtsai@linux ~]$ groups
  dmtsai users

From this output I know that I belong to both the dmtsai and users groups, and the first group printed is the effective group. In other words, my effective group is dmtsai. If I now create a file with touch, for example touch test, the owner of the file is dmtsai and its group is also dmtsai. Does that make the meaning of the effective group clear?
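As an added example that is not part of the original tutorial, the POSIX shell script below reproduces by hand what the lookup above does: it reads a user's initial group from the GID in the passwd entry, collects the supplementary groups from the fourth field of the group file, and prints them in the same order as groups (initial group first). The passwd and group contents are constructed sample data; the alice and vbird entries are invented for illustration, and the script needs only sh and awk.

```shell
#!/bin/sh
# Added example: resolve a user's initial group (the GID in field 4 of
# the passwd entry) and supplementary groups (groups that list the user
# in field 4 of the group file), the way `groups` reports them.
# Constructed sample files modelled on the page's dmtsai example.

WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dmtsai:x:501:501::/home/dmtsai:/bin/bash
alice:x:502:100::/home/alice:/bin/bash
EOF
cat > "$WORK/group" <<'EOF'
root:x:0:root
users:x:100:dmtsai
dmtsai:x:501:
vbird:x:503:alice
EOF

# initial_group USER PASSWD GROUP -> name of the group whose GID is
# field 4 of USER's passwd line; fails if USER has no passwd entry
initial_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1 }' "$3"
}

# supplementary_groups USER GROUP -> every group that names USER in
# its comma-separated member field, one per line
supplementary_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# all_groups USER PASSWD GROUP -> initial group first, then the
# supplementary ones, space separated (the order `groups` prints)
all_groups() {
    init=$(initial_group "$1" "$2" "$3") || return 1
    supp=$(supplementary_groups "$1" "$3" | grep -vx "$init" | tr '\n' ' ')
    printf '%s %s\n' "$init" "$supp" | sed 's/ *$//'
}

all_groups dmtsai "$WORK/passwd" "$WORK/group"   # dmtsai users
all_groups alice  "$WORK/passwd" "$WORK/group"   # users vbird
```

Note that alice is listed nowhere in the group file for her initial group users: exactly as the text says, the initial group comes from passwd alone, while vbird only counts for her because her name appears in its fourth field.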

So how do you change the effective group? There are two ways of doing it, but both are achieved with newgrp. In the example above, my dmtsai user belongs to the two groups dmtsai and users, so dmtsai can switch between dmtsai and users as the effective group at any time. Therefore I can issue:

  [dmtsai@linux ~]$ newgrp users
  [dmtsai@linux ~]$ groups
  users dmtsai

At this point my effective group has become users. Switching effective groups smoothly also requires the help of /etc/gshadow, which we explain later. So what happens if you now create a file in the home directory /home/dmtsai, for example touch test2? The file's group becomes users. That makes the meaning of the effective group even clearer, right?

Let's look at the newgrp command itself. It changes the current user's effective group by starting another shell and logging the user into it. So in the example above, dmtsai is now logged in to a second shell whose effective GID is users. When you run "newgrp groupname" directly, your effective group becomes groupname. The user's environment settings (environment variables and so on) are not affected, but the user's "permissions" are recalculated, which is why a new file created by dmtsai now gets the group users.

In Bird Brother's example, note that the user dmtsai originally belonged to the users and dmtsai groups, so he could switch the effective group directly with newgrp, and he leaves the new effective group by typing exit. If my Linux system has another group named vbird, can dmtsai log in to vbird? It is possible under certain conditions:

* the vbird group has a valid password field in /etc/gshadow (that is, not '!');
* dmtsai has been added to the vbird group by root or by the group administrator.

Neither of these two premises can be dispensed with! Now suppose that I have set a password for the vbird group with gpasswd and dmtsai has been added to its members. When dmtsai enters "newgrp vbird", dmtsai's effective group becomes vbird.

# /etc/gshadow

I have just said a lot about the concept of the "effective group" and also covered the usage of the newgrp command. However, if you do not understand the /etc/gshadow settings, newgrp cannot do its job. My /etc/gshadow looks something like this:

  root:::root
  bin:::root,bin,daemon
  daemon:::root,bin,daemon
  sys:::root,bin,adm

The colon is again the field separator, and you will find that the file looks almost exactly like /etc/group. That is right, but pay attention to the second field, the password field: if it is '!', the group cannot be logged in to with a password. The fourth field again lists the supported account names. The four fields are:

1. Group name
2. Password field; as above, a leading ! means the group cannot be logged in to with a password;
3. Account names of the group administrators (explained later)
4. Account names of the group members (the same as in /etc/group)

In terms of system operation, the most important function of the /etc/gshadow password is to "let people who are not members of the group join it temporarily". In practice newgrp is rarely used this way, and if you want to run such an environment you must be familiar with newgrp. Moreover, a group password is hard to manage; if a user wants to join a group, it is better to simply add the user to the group directly. That saves trouble.
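The conditions for newgrp given above and the meaning of the /etc/gshadow password field can be put into one small check. The POSIX shell script below is an added example, not code from the original tutorial: for a user and a group it reports whether newgrp would switch without a password (the user is already a member through the initial group or the member field), prompt for the group password (non-member, password field set), or be refused (non-member, password field '!' or empty; '*' is treated the same way, which is the other conventional lock marker). The passwd, group and gshadow contents are constructed sample data, and the vbird hash is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example: model what `newgrp GROUP` would do for a user, using
# the rules the text describes. Constructed sample files; the password
# field of vbird is a placeholder string, not a real hash.

WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
dmtsai:x:501:501::/home/dmtsai:/bin/bash
EOF
cat > "$WORK/group" <<'EOF'
users:x:100:dmtsai
dmtsai:x:501:
vbird:x:503:
staff:x:504:
EOF
# gshadow fields: group:password:administrators:members
cat > "$WORK/gshadow" <<'EOF'
users:::dmtsai
dmtsai:!::
vbird:$6$constructed$placeholderhash:alice:
staff:!:alice:
EOF

# gshadow_field GROUP N FILE -> field N of GROUP's gshadow line
gshadow_field() {
    awk -F: -v g="$1" -v n="$2" '$1 == g { print $n }' "$3"
}

# is_member USER GROUP PASSWD GROUP_FILE -> success if GROUP is the
# user's initial group or lists the user in its member field
is_member() {
    awk -F: -v u="$1" -v g="$2" -v pw="$3" '
        FILENAME == pw && $1 == u { gid = $4 }
        FILENAME != pw && $1 == g {
            if ($3 == gid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$3" "$4"
}

# newgrp_outcome USER GROUP PASSWD GROUP_FILE GSHADOW -> one of
#   member        : already a member, switch without a password
#   password      : not a member, group password set, prompt for it
#   denied        : not a member, password field "!" / "*" / empty
#   no-such-group : GROUP is not in the group file
newgrp_outcome() {
    grep -q "^$2:" "$4" || { echo no-such-group; return; }
    if is_member "$1" "$2" "$3" "$4"; then echo member; return; fi
    pw=$(gshadow_field "$2" 2 "$5")
    case "$pw" in
        ''|'!'|'*') echo denied ;;
        *)          echo password ;;
    esac
}

newgrp_outcome dmtsai users "$WORK/passwd" "$WORK/group" "$WORK/gshadow"   # member
newgrp_outcome dmtsai vbird "$WORK/passwd" "$WORK/group" "$WORK/gshadow"   # password
newgrp_outcome dmtsai staff "$WORK/passwd" "$WORK/group" "$WORK/gshadow"   # denied
```

The staff case is the one worth remembering from a management point of view: with the password field locked, the only way into the group is for root or the group's administrator (alice, in field 3) to add the account, which is the arrangement the text recommends over handing out group passwords.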

Linux group administrator

Why do you need a group administrator

Assume a company with many departments, where different employees need to join different groups. Whenever an employee joins a department, the system administrator has to be told and must add the employee to the corresponding group. If every department keeps adding staff, the administrator will be worn out handling such requests every day.

Instead, we can designate a group leader for each group and allow that leader to add or remove group members. This improves efficiency and reduces the administrator's workload.

How to assign group administrators

Syntax:

gpasswd -A USERNAME GROUPNAME

Effect: (screenshot of the command's result, not reproduced here)

Several users can be named as group administrators at once; separate them with ASCII commas.

How to remove group administrators

Syntax:

gpasswd -A "" GROUPNAME

Effect: (screenshot of the command's result, not reproduced here)

gpasswd has no dedicated option for removing group administrators, so we pass an empty string instead. If the group has several administrators, list only the ones you want to keep.

Group administrator adds a member

Syntax:

gpasswd -a USERNAME GROUPNAME

Effect: (screenshot of the command's result, not reproduced here)

Group administrator removes a member

Syntax:

gpasswd -d USERNAME GROUPNAME

Effect: (screenshot of the command's result, not reproduced here)
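The four gpasswd commands above all edit the administrator field (field 3) and member field (field 4) of /etc/gshadow, and gpasswd keeps the member field of /etc/group in step with it. The POSIX shell script below is an added example, not code from the original page, for reviewing the result afterwards: it lists the administrators of a group, every group a given account administers (useful when checking who can grant group membership), and any group whose member lists in the two files no longer agree, which indicates a hand edit rather than a gpasswd change. The group and gshadow contents are constructed sample data with invented group and user names.

```shell
#!/bin/sh
# Added example: review the administrator and member fields that
# gpasswd -A / -a / -d maintain. Constructed sample files; the
# mismatch in the ops group is deliberate.

WORK=$(mktemp -d)
cat > "$WORK/group" <<'EOF'
sales:x:601:bob,carol
dev:x:602:dave
ops:x:603:erin,frank
EOF
# gshadow fields: group:password:administrators:members
cat > "$WORK/gshadow" <<'EOF'
sales:!:alice:bob,carol
dev:!::dave
ops:!:erin,grace:erin
EOF

# group_admins GROUP GSHADOW -> the administrator field of GROUP
# (comma separated, empty if the group has no administrator)
group_admins() {
    awk -F: -v g="$1" '$1 == g { print $3 }' "$2"
}

# admin_of USER GSHADOW -> every group that names USER as an
# administrator, one per line
admin_of() {
    awk -F: -v u="$1" '
        { n = split($3, a, ",")
          for (i = 1; i <= n; i++) if (a[i] == u) print $1 }' "$2"
}

# member_drift GROUP_FILE GSHADOW -> groups whose member field differs
# between /etc/group and /etc/gshadow, one per line; gpasswd writes
# both files, so a difference points at a manual edit of one of them
member_drift() {
    awk -F: -v gf="$1" '
        FILENAME == gf { members[$1] = $4; next }
        ($1 in members) && members[$1] != $4 { print $1 }' "$1" "$2"
}

group_admins sales "$WORK/gshadow"          # alice
admin_of erin "$WORK/gshadow"               # ops
member_drift "$WORK/group" "$WORK/gshadow"  # ops
```

On a real system you would point the functions at /etc/group and /etc/gshadow (reading /etc/gshadow requires root). The drift check compares the member fields textually, so the same members listed in a different order are also reported; that is acceptable for a review script, since gpasswd itself never reorders only one of the two files.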