Merge pull request #14713 from 0x996/master

translated: 20190717 Mastering user groups on Linux
Xingyu.Wang 2019-07-25 22:19:53 +08:00 committed by GitHub
commit 178056da57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 225 additions and 225 deletions


@ -1,225 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (0x996)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Mastering user groups on Linux)
[#]: via: (https://www.networkworld.com/article/3409781/mastering-user-groups-on-linux.html)
[#]: author: (Sandra Henry-Stocker https://www.networkworld.com/author/Sandra-Henry_Stocker/)
Mastering user groups on Linux
======
Managing user groups on Linux systems is easy, but the commands can be more flexible than you might be aware.
![Scott 97006 \(CC BY 2.0\)][1]
User groups play an important role on Linux systems. They provide an easy way for a select groups of users to share files with each other. They also allow sysadmins to more effectively manage user privileges, since they can assign privileges to groups rather than individual users.
While a user group is generally created whenever a user account is added to a system, theres still a lot to know about how they work and how to work with them.
**[ Two-Minute Linux Tips: [Learn how to master a host of Linux commands in these 2-minute video tutorials][2] ]**
### One user, one group?
Most user accounts on Linux systems are set up with the user and group names the same. The user "jdoe" will be set up with a group named "jdoe" and will be the only member of that newly created group. The users login name, user id, and group id will be added to the **/etc/passwd** and **/etc/group** files when the account is added, as shown in this example:
```
$ sudo useradd jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:Jane Doe:/home/jdoe:/bin/sh
$ grep jdoe /etc/group
jdoe:x:1066:
```
The values in these files allow the system to translate between the text (jdoe) and numeric (1066) versions of the user id — jdoe is 1066 and 1066 is jdoe.
The assigned UID (user id) and GID (group id) for each user are generally the same and configured sequentially. If Jane Doe in the above example were the most recently added user, the next new user would likely be assigned 1067 as their user and group IDs.
### GID = UID?
UIDs and GIDs can get of out sync. For example, if you add a group using the **groupadd** command without specifying a group id, your system will assign the next available group id (in this case, 1067). The next user to be added to the system would then get 1067 as a UID but 1068 as a GID.
You can avoid this issue by specifying a smaller group id when you add a group rather than going with the default. In this command, we add a new group and provide a GID that is smaller than the range used for user accounts.
```
$ sudo groupadd -g 500 devops
```
If it works better for you, you can specify a shared group when you create accounts. For example, you might want to assign new development staff members to a devops group instead of putting each one in their own group.
```
$ sudo useradd -g staff bennyg
$ grep bennyg /etc/passwd
bennyg:x:1064:50::/home/bennyg:/bin/sh
```
### Primary and secondary groups
There are actually two types of groups — primary and secondary.
The **primary group** is the one thats recorded in the **/etc/passwd** file, configured when an account is set up. When a user creates a file, its their primary group that is associated with it.
```
$ whoami
jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:John Doe:/home/jdoe:/bin/bash
^
|
+-------- primary group
$ touch newfile
$ ls -l newfile
-rw-rw-r-- 1 jdoe jdoe 0 Jul 16 15:22 newfile
^
|
+-------- primary group
```
**Secondary groups** are those that users might be added to once they already have accounts. Secondary group memberships show up in the /etc/group file.
```
$ grep devops /etc/group
devops:x:500:shs,jadep
^
|
+-------- secondary group for shs and jadep
```
The **/etc/group** file assigns names to user groups (e.g., 500 = devops) and records secondary group members.
### Preferred convention
The convention of having each user a member of their own group and optionally a member of any number of secondary groups allows users to more easily separate files that are personal from those they need to share with co-workers. When a user creates a file, members of the various user groups they belong to don't necessarily have access. A user will have to use the **chgrp** command to associate a file with a secondary group.
### Theres no place like /home
One important detail when adding a new account is that the **useradd** command does not necessarily add a home directory for a new user. If you want this step to be taken only some of the time, you can add **-m** (think of this as the “make home” option) with your useradd commands.
```
$ sudo useradd -m -g devops -c "John Doe" jdoe2
```
The options in this command:
* **-m** creates the home directory and populates it with start-up files
* **-g** specifies the group to assign the user to
* **-c** adds a descriptor for the account (usually the persons name)
If you want a home directory to be created _all_ of the time, you can change the default behavior by editing the **/etc/login.defs** file. Change or add a setting for the CREATE_HOME variable and set it to “yes”:
```
$ grep CREATE_HOME /etc/login.defs
CREATE_HOME yes
```
Another option is to set yourself up with an alias so that **useradd** always uses the -m option.
```
$ alias useradd=useradd -m
```
Make sure you add the alias to your ~/.bashrc or similar start-up file to make it permanent.
### Looking into /etc/login.defs
Heres a command to list all the setting in the /etc/login.defs file. The **grep** commands are hiding comments and blank lines.
```
$ cat /etc/login.defs | grep -v "^#" | grep -v "^$"
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 022
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
CREATE_HOME yes <===
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
```
Notice the various settings in this file determine the range of user ids to be used along with password aging and other setting (e.g., umask).
### How to display a users groups
Users can be members of multiple groups for various reasons. Group membership gives a user access to group-owned files and directories, and sometimes this behavior is critical. To generate a list of the groups that some user belongs to, use the **groups** command.
```
$ groups jdoe
jdoe : jdoe adm admin cdrom sudo dip plugdev lpadmin staff sambashare
```
You can list your own groups by typing “groups” without an argument.
### How to add users to groups
If you want to add an existing user to another group, you can do that with a command like this:
```
$ sudo usermod -a -G devops jdoe
```
You can also add a user to multiple groups by specifying the groups in a comma-separated list:
```
$ sudo usermod -a -G devops,mgrs jdoe
```
The **-a** argument means “add” while **-G** lists the groups.
You can remove a user from a group by editing the **/etc/group** file and removing the username from the list. The usermod command may also have an option for removing a member from a group.
```
fish:x:16:nemo,dory,shark
|
V
fish:x:16:nemo,dory
```
### Wrap-up
Adding and managing user groups isn't particularly difficult, but consistency in how you configure accounts can make it easier in the long run.
**[ Now see: [Must-know Linux Commands][3] ]**
Join the Network World communities on [Facebook][4] and [LinkedIn][5] to comment on topics that are top of mind.
--------------------------------------------------------------------------------
via: https://www.networkworld.com/article/3409781/mastering-user-groups-on-linux.html
作者:[Sandra Henry-Stocker][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.networkworld.com/author/Sandra-Henry_Stocker/
[b]: https://github.com/lujun9972
[1]: https://images.idgesg.net/images/article/2019/07/carrots-100801917-large.jpg
[2]: https://www.youtube.com/playlist?list=PL7D2RMSmRO9J8OTpjFECi8DJiTQdd4hua
[3]: https://www.networkworld.com/article/3391029/must-know-linux-commands.html
[4]: https://www.facebook.com/NetworkWorld/
[5]: https://www.linkedin.com/company/network-world
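Review bot: the `alias useradd=useradd -m` line in the "There's no place like /home" section of this file is not a working alias definition: unquoted, the shell sees `useradd=useradd` as the alias and a separate `-m` word, so the alias that ends up defined is just `useradd`; it needs quoting, `alias useradd='useradd -m'`. Even quoted it would not affect the commands shown on this page, which all run `sudo useradd ...`: an alias is only expanded when it is the first word of the command, so `sudo useradd` bypasses it, and the `CREATE_HOME yes` setting in /etc/login.defs shown a few lines later is the reliable way to get that behaviour. Two further slips in the source are worth flagging before it goes out as a translation: the "shared group" example says new development staff should be put in a devops group, but the command is `sudo useradd -g staff bennyg` and the passwd line it prints shows GID 50 (the staff group), not the devops group created with `groupadd -g 500 devops` just above; and the last section recommends hand-editing /etc/group to remove a member while hedging that "the usermod command may also have an option" for it, where `gpasswd -d jdoe devops` (or editing with `vigr`, which locks the file) is the safer procedure. Style only: `cat /etc/login.defs | grep -v "^#" | grep -v "^$"` can be `grep -v '^#' /etc/login.defs | grep -v '^$'`.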


@ -0,0 +1,225 @@
[#]: collector: (lujun9972)
[#]: translator: (0x996)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Mastering user groups on Linux)
[#]: via: (https://www.networkworld.com/article/3409781/mastering-user-groups-on-linux.html)
[#]: author: (Sandra Henry-Stocker https://www.networkworld.com/author/Sandra-Henry_Stocker/)
掌握 Linux 用户组
======
在 Linux 系统中管理用户组并不费力,但相关命令可能比你所知的更为灵活。
![Scott 97006 \(CC BY 2.0\)][1]
在 Linux 系统中用户组起着重要作用。用户组提供了一种简单方法供一组用户互相共享文件。用户组也允许系统管理员更加有效地管理用户权限,因为管理员可以将权限分配给用户组而不是逐一分配给单个用户。
尽管通常只要在系统中添加用户账户就会创建用户组,关于用户组如何工作以及如何运用用户组还有很多需要了解的。
**[ 两分钟 Linux 技巧:[ 观看这些 2 分钟视频学习如何精通一大批 Linux 命令 ][2] ]**
### 一个用户,一个用户组?
Linux 系统中多数用户账户被设为用户名与用户组名相同。用户 "jdoe" 会被赋予一个名为 "jdoe" 的用户组,且成为该新建用户组的唯一成员。如本例所示,该用户的登录名,用户 id 和用户组 id 在新建账户时会被添加到 **/etc/passwd** 和 **/etc/group** 文件中:
```
$ sudo useradd jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:Jane Doe:/home/jdoe:/bin/sh
$ grep jdoe /etc/group
jdoe:x:1066:
```
这些文件中的配置使系统得以在文本jdoe和数字1066这两种用户 id 形式之间互相转换—— jdoe 就是 1006且 1006 就是 jdoe。
分配给每个用户的 UID用户 id和 GID用户组 id通常是一样的并且顺序递增。若上例中 Jane Doe 是最近添加的用户,分配给下一个新用户的用户 id 和用户组 id 很可能都是 1067。
### GID = UID
UID 和 GID 可能不一致。例如,如果你用 **groupadd** 命令添加一个用户组而不指定用户组 id系统会分配下一个可用的用户组 id在本例中为 1067。下一个添加到系统中的用户其 UID 会是 1067 而 GID 则为 1068。
你可以避免这个问题,方法是添加用户组的时候指定一个较小的用户组 id 而不是接受默认值。在下面的命令中我们添加一个用户组并提供一个 GID这个 GID 小于应用于用户账户的 GID 取值范围。
```
$ sudo groupadd -g 500 devops
```
创建账户时你可以指定一个共享用户组,如果这样对你更合适的话。例如你可能想把新来的开发人员加入同一个 DevOps 用户组而不是一人一个用户组。
```
$ sudo useradd -g staff bennyg
$ grep bennyg /etc/passwd
bennyg:x:1064:50::/home/bennyg:/bin/sh
```
### <ruby>主要用户组<rt>primary group</rt></ruby><ruby>次要用户组<rt>secondary group</rt></ruby>
用户组实际上有两种——主要用户组和次要用户组
**主要用户组**是保存在 /etc/passwd 文件中的用户组,该用户组在账户创建时配置。当用户创建一个文件,用户的主要用户组与此文件关联。
```
$ whoami
jdoe
$ grep jdoe /etc/passwd
jdoe:x:1066:1066:John Doe:/home/jdoe:/bin/bash
^
|
+-------- 主要用户组
$ touch newfile
$ ls -l newfile
-rw-rw-r-- 1 jdoe jdoe 0 Jul 16 15:22 newfile
^
|
+-------- 主要用户组
```
用户一旦拥有账户之后被加入的那些用户组是**次要用户组**。次要用户组成员关系在 /etc/group 文件中显示。
```
$ grep devops /etc/group
devops:x:500:shs,jadep
^
|
+-------- shs 和 jadep 的次要用户组
```
**/etc/group** 文件给用户组分配组名称(例如 500 = devops并记录次要用户组成员。
### 首选的准则
每个用户是他自己的主要用户组成员并可以成为任意多个次要用户组成员这样一种准则允许用户更加容易地将个人文件和需要与同事分享的文件分开。当用户创建一个文件时,用户所属的不同用户组的成员不一定有访问权限。用户必须用 **chgrp** 命令将文件和次要用户组关联起来。
### 哪里也不如自己的<ruby>家目录<rt>/home</rt></ruby>
添加新账户时一个重要的细节是 **useradd** 命令并不一定为新用户添加一个家目录。若你只有某些时候想为用户添加家目录,你可以在 useradd 命令中加入 **-m**选项(可以把它想象成“安家”选项)
```
$ sudo useradd -m -g devops -c "John Doe" jdoe2
```
此命令中的选项如下:
* **-m** 创建家目录并在其中生成初始文件
* **-g** 指定用户归属的用户组
* **-c** 添加账户描述信息(通常是用户的姓名)
若你希望总是创建家目录,你可以编辑 **/etc/login.defs** 文件来更改默认工作方式。更改或添加 CREATE_HOME 变量并将其设置为 "yes"
```
$ grep CREATE_HOME /etc/login.defs
CREATE_HOME yes
```
另一种方法是用自己的账户设置别名从而让 **useradd** 一直带有 -m 选项。
```
$ alias useradd=useradd -m
```
确保将该别名添加到你的 ~/.bashrc 文件或类似的启动文件中以使其永久生效。
### 深入了解 /etc/login.defs
下面这个命令可列出 /etc/login.defs 文件中的全部设置。**grep**命令会隐藏所有注释和空行。
```
$ cat /etc/login.defs | grep -v "^#" | grep -v "^$"
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 022
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
CREATE_HOME yes <===
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
```
注意此文件中的各种设置会决定用户 id 的取值范围以及密码使用期限和其他设置(如 umask
### 如何显示用户所属的用户组
出于各种原因用户可能是多个用户组的成员。用户组成员身份给与用户对用户组拥有的文件和目录的访问权限,有时候这种工作方式是至关重要的。要生成某个用户所属用户组的清单,用 **groups** 命令即可。
```
$ groups jdoe
jdoe : jdoe adm admin cdrom sudo dip plugdev lpadmin staff sambashare
```
你可以键入不带任何参数的“groups”来列出你自己的用户组。
### 如何添加用户至用户组
如果你想添加一个已有用户至别的用户组,你可以仿照下面的命令操作:
```
$ sudo usermod -a -G devops jdoe
```
你也可以指定逗号分隔的用户组列表来添加一个用户至多个用户组:
```
$ sudo usermod -a -G devops,mgrs jdoe
```
参数 **-a** 意思是“添加”,**-G** 指定用户组列表
你可以编辑 **/etc/group** 文件将用户名从用户组成员名单中删除从而将用户从用户组中移除。usermod 命令或许也有个选项用于从用户组中删除某个成员。
```
fish:x:16:nemo,dory,shark
|
V
fish:x:16:nemo,dory
```
### 提要
添加和管理用户组并非特别困难,但长远来看配置账户时的一致性可使这项工作更容易些。
**[ 延伸阅读:[必会的 Linux 命令][3] ]**
加入 Network World 的 [Facebook][4] 和 [LinkedIn][5] 社区,对最重要的话题发表你的评论。
--------------------------------------------------------------------------------
via: https://www.networkworld.com/article/3409781/mastering-user-groups-on-linux.html
作者:[Sandra Henry-Stocker][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/0x996)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.networkworld.com/author/Sandra-Henry_Stocker/
[b]: https://github.com/lujun9972
[1]: https://images.idgesg.net/images/article/2019/07/carrots-100801917-large.jpg
[2]: https://www.youtube.com/playlist?list=PL7D2RMSmRO9J8OTpjFECi8DJiTQdd4hua
[3]: https://www.networkworld.com/article/3391029/must-know-linux-commands.html
[4]: https://www.facebook.com/NetworkWorld/
[5]: https://www.linkedin.com/company/network-world
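Review bot: the sentence after the first code block in "一个用户,一个用户组?" reads "jdoe 就是 1006且 1006 就是 jdoe", but the `grep` output two lines above gives the id as 1066 and the rest of the section (1066, then 1067 for the next user) uses 1066; both occurrences should be 1066. The footer line `译者:[译者ID](https://github.com/0x996)` has the URL filled in but still carries the placeholder link text; per the header's `translator: (0x996)` it should read `译者:[0x996](https://github.com/0x996)`. The translation otherwise follows the source closely, including the source's own slips: the "GID = UID" section says the new developers are to go into the DevOps group while the command that follows is `sudo useradd -g staff bennyg` (GID 50 in the passwd line, not the devops group created with `-g 500` just above), and the home-directory section keeps `alias useradd=useradd -m`, which as written defines an alias without the `-m` (it needs quoting: `alias useradd='useradd -m'`); a short 译注 at each would stop readers copying them. Formatting: `**-m**选项` needs a space after the bold, and the lines ending "选项)" and "指定用户组列表" are missing their closing 。.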