Save this website: http://www.yolinux.com/
Linux groups are a mechanism to manage a collection of computer system users. Every Linux user has a user ID (UID) and a group ID (GID), each a unique numerical identifier. Groups can be assigned to logically tie users together for a common security, privilege and access purpose. They are the foundation of Linux security and access control: files and devices may be granted access based on a user's ID or group ID. This tutorial attempts to show how this is used.
File, directory and device (special file) permissions are granted based on "user", "group" or "other" (world) identification status. Permission is granted (or denied) for read, write and execute access.
Group File, Directory and Device permissions: chmod
Set file, directory and device permissions:
File, directory and device permissions can be set to allow or deny access to members of their own group or to all others. Modification of file, directory and device access is achieved with the chmod command.
The permissions can be assigned in octal notation or in the more easily recognized character format, where the command form is:
chmod [ugoa][+-=][rwxXst] file-or-directory-name
| Target | Meaning |
|---|---|
| u | User access |
| g | Group access |
| o | Other system users' access |
| a | Equivalent to "ugo" |

| Operator | Meaning |
|---|---|
| + | Add access |
| - | Remove access |
| = | Access explicitly assigned |

| Permission | Meaning |
|---|---|
| r | Permission to read a file; permission to read a directory (also requires "x") |
| w | Permission to delete or modify a file; permission to delete or modify files in a directory |
| x | Permission to execute a file/script; permission to read a directory (also requires "r") |
| s | Set user or group ID on execution. |
| u | Permissions granted to the user who owns the file |
| t | Set "sticky bit". Execute file/script as user root for regular user. |
Note: Linux can mount other file systems which support more file and directory options. This tutorial applies to the most popular Linux file systems: ext2, ext3, xfs and reiserfs.
Examples:
- Grant read access (r) to a file to all members of your group (g):
chmod g+r file-name
- Grant read access to a directory to all members your group:
chmod g+rx directory-name
Note that "execute" permission is required in order to read a directory.
- Grant read permissions to everyone on the system to a file which you own so that everyone may read it: (u)ser, (g)roup and (o)ther.
chmod ugo+r file-name
- Grant read permissions on a directory to everyone on the system:
chmod ugo+rx directory-name
- Grant modify or delete permissions to a file which you own for everyone in the group:
chmod ugo+rw file-name
Note: In order for modify and delete permissions to be useful, one must also be able to modify the directory in which the file is located: chmod ugo+rwx ./
- Deny read access to a file by everyone except yourself:
chmod go-r file-name
- Allow everyone in your group to be able to modify the file:
chmod 660 file-name
See chmod man page for more info.
View file, directory and device permissions:
Permissions may be viewed by issuing the command: ls -l file-name
- File can be written by yourself and members of the group. Others may only view it.
-rw-rw-r-- user group file-size date file-name
- Directory is completely open for read/write:
drwxrwxrwx user group file-size date directory-name
- File can only be accessed by owner (user):
-rwx------ user group file-size date file-name
Where the first block of "rwx" represents the permissions for the user (u), the second is for the group (g) and the third is for others (o). A "-" represents no access for that placeholder position for user, group or other.
Permissions may be granted using human readable assignments "rwx" or octal codes.
| Description | Abbreviation | Octal code |
|---|---|---|
| Read access | r | 4 |
| Write (change) permission | w | 2 |
| Execute script or binary executable | x | 1 |
| Read and Execute | rx | 5 |
| Read and Write | rw | 6 |
| Read, Write and Execute | rwx | 7 |
Use of octal assignment does not add or remove permission, but assigns the permission explicitly.
Examples:
- Assign yourself full access to read and modify the file, allow members of the group to read it and do not allow any others access:
chmod 640 filename
- Assign execute status to a script with the same access as the previous example. (Without it, a script is treated like any other text file.)
chmod 740 filename
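The following script is an added example, not part of the YoLinux page: it applies the symbolic and octal chmod forms shown above to a scratch file and reads the resulting mode back, and it converts an "ls -l" permission string into the octal code from the table. It assumes GNU coreutils on Linux (stat -c '%a').

```shell
#!/bin/sh
# Added example (not from the YoLinux page): check the chmod forms shown
# above by applying them to a scratch file and reading the resulting mode
# back, and convert an "ls -l" permission string into its octal code.
# Assumes GNU coreutils on Linux (stat -c '%a').

# Print the octal permission bits of a path, e.g. "640".
mode_of() {
    stat -c '%a' "$1"
}

# Apply one chmod argument (symbolic or octal) to a path and print the
# octal mode that results, so the effect of each form can be compared.
apply_mode() {
    chmod "$1" "$2" && mode_of "$2"
}

# Convert the 9-character "rwxrwxrwx" field of an ls -l line (a leading
# type character such as "-" or "d" is ignored) into the octal code from
# the table above: r=4, w=2, x=1 per user/group/other triplet.
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, length($0) - 8)   # last nine characters
        for (t = 0; t < 3; t++) {
            v = 0
            if (substr(s, 3 * t + 1, 1) == "r") v += 4
            if (substr(s, 3 * t + 2, 1) == "w") v += 2
            c = substr(s, 3 * t + 3, 1)
            if (c == "x" || c == "s" || c == "t") v += 1   # lowercase s/t also carry x
            printf "%d", v
        }
        printf "\n"
    }'
}

# Walk the page's examples on a temporary file and directory, starting
# from a private mode (600 / 700) so each step's effect is visible.
demo_modes() {
    work=$(mktemp -d) || return 1
    f="$work/file-name"; d="$work/directory-name"
    : > "$f"; mkdir "$d"
    chmod 600 "$f"; chmod 700 "$d"
    for m in g+r ugo+r go-r 660 640 740; do
        printf 'chmod %-6s file-name      -> %s\n' "$m" "$(apply_mode "$m" "$f")"
    done
    printf 'chmod g+rx   directory-name -> %s\n' "$(apply_mode g+rx "$d")"
    rm -rf "$work"
}

demo_modes
```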
Groups and Group Members: configuration files /etc/passwd, /etc/group
Users are members of a default group. Red Hat Linux (also Fedora Core, CentOS, etc.) will add new users to a group of the same name as the user name. The default group for a user is specified in the file /etc/passwd.
Format:
user-name:x:user-number:group-number:comment section:/home-directory:default-shell
Example:
user1:x:500:500:Greg:/home/user1:/bin/bash
A new user may be created and assigned a group with the useradd command:
- Add a new user and assign them to be members of the group "accounting":
useradd -m -g accounting user2
- Add a new user and assign them to be members of the initial group "accounting" and supplementary group "floppy":
useradd -m -g accounting -G floppy user1
Command arguments for useradd:

| Argument | Description |
|---|---|
| -m | Create a home directory in /home/ |
| -M | No home directory created. |
| -g | Specify the initial group for the user. |
| -G | Specify supplementary groups for the user (comma separated list). |
| -s | Specify the default shell for the user. If not specified, set to /bin/bash |
| -e | Specify the expiration date. Format YYYY-MM-DD |
| -f | Number of days after a password expires that the account is disabled. By default this feature is disabled (-1) |
| -u | Specify the user id number to be used. |

Defaults are specified in /etc/login.defs.
View group membership for a user with the command "groups". Example: groups user2
The user id has a user system number (uid) associated with it, and this is defined in /etc/passwd.
The group has a group system number (gid) associated with it, and this is defined in /etc/group.
Format:
group-name:x:group-number:user1,user2
Example:
user1:x:500:
user2:x:501:
floppy:x:19:user1
accounting:x:600:user2
apache:x:48:
User "user1" is a member of default group "user1" and also a member of group "floppy".
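The script below is an added example, not part of the YoLinux page: it reproduces what "groups user-id" reports by combining the /etc/passwd and /etc/group formats described above. The records it uses are constructed copies of the page's sample entries (user2's passwd line is assumed); user_groups takes file paths, so it can be pointed at the real files as well.

```shell
#!/bin/sh
# Added example (not from the YoLinux page): reproduce what "groups user-id"
# reports by combining the two files described above. The records below are
# constructed sample copies of the page's /etc/passwd and /etc/group entries;
# user_groups takes file paths, so it can be pointed at the real files too.

PASSWD_SAMPLE='user1:x:500:500:Greg:/home/user1:/bin/bash
user2:x:501:501:Sue:/home/user2:/bin/bash'

GROUP_SAMPLE='user1:x:500:
user2:x:501:
floppy:x:19:user1
accounting:x:600:user2
apache:x:48:'

# Write the sample records into a temporary directory and print its path.
write_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" > "$dir/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$dir/group"
    printf '%s\n' "$dir"
}

# user_groups NAME PASSWD_FILE GROUP_FILE
# Prints the user's default group first (the group whose GID matches the
# 4th passwd field), then every group whose member list (4th group field,
# comma separated) names the user, in the order the group file lists them.
# A user with no passwd entry and no memberships yields an empty line.
user_groups() {
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) gid = $4; next }   # first file: passwd
        {                                              # second file: group
            if (gid != "" && $3 == gid) primary = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == user) supp[++s] = $1
        }
        END {
            out = primary
            for (i = 1; i <= s; i++) out = out (out == "" ? "" : " ") supp[i]
            print out
        }' "$2" "$3"
}

# Demonstration against the constructed files.
samples=$(write_samples)
for u in user1 user2; do
    printf '%s : %s\n' "$u" "$(user_groups "$u" "$samples/passwd" "$samples/group")"
done
rm -rf "$samples"
```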
Creating a new group: (3 methods)
- Manually add the group definition by editing the file /etc/group
- Use the groupadd command. Example: groupadd accounting
- Use the GUI (Red Hat/Fedora/CentOS: system-config-users)
Group Commands:
- gpasswd: administer the /etc/group file
- groupadd: Create a new group
Format: groupadd [-g gid [-o]] [-f] [-K KEY=VALUE] group
Example: groupadd accounting
- groupmod: Modify a group
Format: groupmod [-g gid [-o ]] [-n new_group_name] group
Example - Change name of a group: groupmod -n accounting nerdyguys
- groupdel: Delete a group
Example: groupdel accounting
- vigr: Edit the group file /etc/group with vi. No arguments specified.
If using NIS, view the groups using the command: ypcat group
See the YoLinux NIS tutorial for more information on configuring and using a central NIS authentication server.
See the YoLinux LDAP authentication tutorial for more information on configuring and using a central LDAP authentication server.
Changing group ownership of files, directories, devices: chown / chgrp
chown:
This command is used by root (system superuser) only. As root, the group ownership of a file, directory or device can be changed with the "chown" command:
- Change the ownership of the file to the group "accounting":
chown :accounting filename
- Command format: chown user:group filename
Also see chown man page
chgrp:
This command is used by any system user who is a member of multiple groups. If the user creates a file, the default group association is the group id of the user. If he wishes to change it to another group of which he is a member, issue the command: chgrp new-group-id file-name
If the user is not a member of the group then a password is required.
Also see chgrp man page
Switching your default group: newgrp
Use the command newgrp group-name to switch the default group used in file creation or directory access. This starts a new shell. Exit to return to the previous group id. Use the ps command to see if more than one shell is active. This only works if you are a member of multiple groups; otherwise you have no group to switch to.
For example, "user2" would like to create a file in the accounting directory which can be read by members of his group. First switch the default group with the command: newgrp accounting
To return to your default group issue the "exit" command. If confused, issue the "ps" command. There should only be one instance of bash; otherwise you are in the alternate group and not the default group.
Use the command newgrp group-name file-name to change the group associated with a file. You must be a member of the group to execute the command successfully (or be root).
The newgrp command logs a user into a new group by changing the user's real and effective group ID. The user remains logged in and the current directory is unchanged. The execution of newgrp always replaces the current shell with a new shell, even if the command terminates with an error (unknown group).
Any variable that is not exported is reset to null or its default value. Exported variables retain their values. System variables (such as PS1, USER, PATH and HOME) are reset to default values unless they have been exported by the system or the user.
With no operands and options, newgrp changes the user's group IDs (real and effective) back to the group specified in the user's password file entry. This is a way to exit the effect of an earlier newgrp command.
A password is demanded if the group has a password and the user is not listed in /etc/group as being a member of that group. The only way to create a password for a group is to use passwd(1), then cut and paste the password from /etc/shadow to /etc/group. Group passwords are antiquated and not often used.
Gives new login as if logged in as group member: newgrp -
Upon user creation, users are assigned a User Private Group (UPG), a unique group ID with the same name as the user ID. This allows a fine, atomic level of group permissions to be assigned for tighter and simpler default security.
Group Interrogation and Verification:
Check the group membership of a user: groups user-id
This will list all the groups of which user-id is a member.
Verification Commands:
- pwck: verify integrity of password files
- grpck: verify integrity of group files
Example: grpck /etc/group
User admin and other commands:
- useradd: Create a new user or update default new user information
- usermod: Modify a user account
- userdel: Delete a user account and related files
- chage: change user password expiry information
- pwconv: convert to and from shadow passwords and groups.
- pwunconv: convert to and from shadow passwords and groups.
- grpconv: creates gshadow from group and an optionally existing gshadow
- grpunconv: creates group from group and gshadow and then removes gshadow
- accton: turns process accounting on or off (Red Hat/Fedora/CentOS)
- ac: Prints stats about users connect time (Red Hat/Fedora/CentOS)
Pre-Configured system groups:
The typical Linux installation will come with some existing standard groups (see /etc/group).
Group IDs of less than 500 are reserved for user IDs employed by the operating system or its services.
| Group name | GID |
|---|---|
| root | 0 |
| bin | 1 |
| daemon | 2 |
| sys | 3 |
| adm | 4 |
| tty | 5 |
| disk | 6 |
| lp | 7 |
| mem | 8 |
| kmem | 9 |
| wheel | 10 |
| mail | 12 |
| man | 15 |
| floppy | 19 |
| named | 25 |
| rpm | 37 |
| xfs | 43 |
| apache | 48 |
| ftp | 50 |
| lock | 54 |
| sshd | 74 |
| nobody | 99 |
| users | 100 |
This is only a partial listing of the default groups. There will also be a default set of member user IDs associated with most of the groups. The "Linux Standard Base" defines three required user and group names. [See LSB chapter 21, Users & Groups]
Grant use of a device to system users:
The first example will be of granting access to a device, the CD-ROM. This is generally not done for regular users on a server. Server access to a CD-ROM is limited to root by default. (This example may also be applied to the diskette. Group: floppy, first floppy device: /dev/fd0)
1. Grant mount privileges to system users.
2. Create group cdrom.
3. Allow use of the device by group cdrom.
4. Add user to group cdrom.
- Grant privileges to system users to mount the device:
  - Manual method: This requires a change to the file /etc/fstab. The fourth column defines mounting options. By default only root may mount the device (option owner). To grant users the ability to mount the device, change the owner option to user. With the user option only the user who mounted the device can unmount it. To allow anyone to unmount the device, use the option users.
  - Gnome Nautilus (Gnome file browser: /usr/bin/nautilus):
    - Filesystem Location: /dev
    - Right click on device file "cdrom" and select option "Permissions".
  - Linuxconf GUI method: (Note: Linuxconf is no longer included with Red Hat Linux 7.3 and later)
    - RH 6.0: Select Gnome Start icon + System + Linuxconf.
    - RH 5.2: Start + Programs + Administration + Linuxconf.
    - Select Config + File systems + Access local drive.
    - Select the device /dev/cdrom.
    - Select the tab Options.
    - Add the option User mountable to allow users to mount the CD-ROM. The user who mounted the CD must also be the one to unmount it. OR select the tab Misc. and add to Other options: users if you want to allow anyone to unmount the CD regardless of who mounted it.
  For more information see the man pages for mount and fstab.
- Create group cdrom:
  - Manual method:
    - Add the line cdrom::<unique group number>:root,<userid> to the file /etc/group, where <userid> is the user to be granted use of the CD-ROM. (For example: cdrom::25:root,user1)
    OR
    - Add a group with the command groupadd <group name>, in this case groupadd cdrom.
  - Linuxconf GUI method: (Admin tool linuxconf is no longer included with Red Hat 7.3+.)
    - Start linuxconf.
    - Select Config + User Accounts + Normal + Group Definitions + Add.
    - Group Name: cdrom
    - Alternate Members (opt): root <user name> (add space delimited user ids here)
    - Accept
  For more information see the man pages for groupadd, groupmod and groupdel.
- Allow use of the device by group cdrom:
  - Manual method:
    - Use the command chown owner:group <device> to assign the device to a user and group. For example: chown root.cdrom /dev/hdd (use hdd if the cdrom is the slave device on the 2nd IDE controller).
    - Allow group access to the device: chmod 660 /dev/hdd
  - GUI method:
    - Start the File Manager and right click the file representing the cdrom device. Select Properties. Then select the tab Permissions. Set the Owner to root and the Group to cdrom. Allow Read and Write privileges for the user and group by selecting the appropriate buttons.
- Add user to group cdrom: At this point, adding users to the group cdrom will grant them access to the device.
  - Manual method: The user ids specified in /etc/group form a comma separated list.
    - Use the command usermod -G <comma separated group list> <user id>. Be sure to list all groups, as this is an absolute list and not an addition. To list all groups of which a user is a member, use the command groups <user id>.
  - Linuxconf GUI method: Step two allowed you to assign users to the group. If users still need to be assigned, use the following method:
    - After starting Linuxconf, select options Config + User Accounts + Normal + User Accounts.
    - Next to supplementary groups add the group cdrom. Groups should be delimited by spaces.
OR, for a completely different method than steps 1 to 4, use the one step approach:
- chmod 664 /dev/hdd: Allow read use of the CD-ROM device to all users (hdd is just the example; your device name can vary). This method is quick and inelegant; it can be used for your own desktop system but definitely don't do this on a server.
Using CD-ROM:
You must mount and un-mount each CD-ROM individually. Do not switch CDs without un-mounting and re-mounting the new CD. (The GNOME desktop interface has features to do this for you. Covered later.)
Command method:
- mount -t iso9660 /dev/hdd /mnt/cdrom: This mounts the CD-ROM at the mount point /mnt/cdrom (or mount -t iso9660 /dev/cdrom /mnt/cdrom; the device name /dev/cdrom is a symbolic link to the actual device).
Note: Only the root user may execute the mount command. Users must use the tool usermount.
Desktop GUI method:
- RH 5.2: Start + Programs + Administration + Disk Management .
- RH 6.0/6.1: Select Gnome icon (located lower left corner) + System + Disk Management .
- The gui tool can also be started using the shell command /usr/bin/usermount.
After mounting the CD-ROM one can view its contents from the directory /mnt/cdrom.
- Use the command: cd /mnt/cdrom
OR
- GNOME toolbar Start icon + File manager, and select the appropriate folders.
Ubuntu and sound card access:
By default, Ubuntu installations do not allow users to utilize the sound card (device /dev/snd/*). This makes sense for a server installation but not for the desktop. To allow user access to the sound card, add the user to the "audio" group in the file /etc/group:
File: /etc/group
...
audio:x:29:root,user4
...
Access Control Lists (ACL):
Access Control Lists (ACLs) are applied to files and directories. ACL behavior is defined by IEEE's POSIX 1003.1e draft, which also covers control of signals, TCP/IP ports (below 1024), raw sockets, etc. ACLs are an addition to the standard Unix file permissions (r,w,x,-) for User, Group, and Other, covering read, write, execute and deny permissions. ACLs give users and administrators flexibility and direct, fine-grained control over who can read, write, and execute files.
The Linux 2.6 kernel (beginning with Fedora Core 2) supports ACLs for EXT2, EXT3, XFS, JFS, and ReiserFS file systems.
Support may not be available on your version of NIS and may only work on local file systems.
Configuration for allowing the use of ACL on a filesystem:
File: /etc/fstab
...
LABEL=/home /home ext3 rw,acl 1 2
...
Note:
- Note the addition of the attribute "acl" for the filesystem "/home".
- Issue the following commands:
  - umount /home
  - Edit the file /etc/fstab and add the directive "acl".
  - mount /home
  or remount with the command mount -v -o remount /home, which works on a filesystem even if it is in use.
ACL commands:
- Assign ACL group permission read/write (rw) to a single group: setfacl -m g:groupname:rw- filename
  Option -m: Modify the ACL
- Assign ACL user permission read/write (rw) to a single user: setfacl -m u:userid:rw- filename
- List ACL permissions: getfacl filename
- Remove ACL from a file: setfacl --remove-all filename
Man pages:
- getfacl - get file access control lists
- setfacl - set file access control lists
- ls - show files which have access control lists applied ("+" sign in the last column)
Example: -rw-rw-r--+
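The script below is an added example, not part of the YoLinux page: it reads a getfacl-style listing and shows what each entry actually grants. It goes one step beyond the commands above, in that an ACL also carries a "mask" entry that caps the named users, named groups and the owning group, which is why getfacl prints "#effective:" for such entries. The listing it parses is constructed sample text, not the output of a real file.

```shell
#!/bin/sh
# Added example (not from the YoLinux page): read getfacl-style output and
# show the permissions each entry actually grants once the "mask" entry is
# applied. The mask caps named users, named groups and the owning group,
# which is why getfacl prints "#effective:" for them. The listing below is
# constructed sample text, not output from a real file.

ACL_SAMPLE='# file: report.txt
# owner: user1
# group: user1
user::rw-
user:user2:rw-
group::r--
group:accounting:rw-
mask::r--
other::r--'

# Reads an ACL listing on stdin and prints each entry; where the mask
# removes a permission, the line is suffixed with "#effective:" and the
# permissions that remain (the same form getfacl uses).
effective_acl() {
    awk -F: '
        /^#/ || NF == 0 { next }                 # skip header and blank lines
        $1 == "mask" { mask = $3 }
        { tag[++n] = $1; name[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                eff = perm[i]
                # the mask does not apply to the owner (user::), mask or other
                if (mask != "" && (tag[i] == "group" || (tag[i] == "user" && name[i] != ""))) {
                    eff = ""
                    for (j = 1; j <= 3; j++)
                        eff = eff (substr(mask, j, 1) == "-" ? "-" : substr(perm[i], j, 1))
                }
                line = tag[i] ":" name[i] ":" perm[i]
                if (eff != perm[i]) line = line "\t#effective:" eff
                print line
            }
        }'
}

# effective_perm TAG NAME: print the three-character permissions one entry
# really grants, e.g. effective_perm group accounting; listing on stdin.
effective_perm() {
    tab=$(printf '\t')
    effective_acl | awk -F"[:$tab]" -v t="$1" -v nm="$2" '
        $1 == t && $2 == nm { print ($4 == "#effective" ? $5 : $3) }'
}

printf '%s\n' "$ACL_SAMPLE" | effective_acl
```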