[Linux] User Group & Permission

신샤인 2022. 1. 15. 14:37

User & Group

 

User와 Group은 파일과 리소스를 제어하기 위해 사용된다.
유저명, UID는 /etc/passwd에, Password는 /etc/shadow에 암호화(정확히는 솔트가 적용된 단방향 해시) 형태로 저장됨

유저 Type 예) (Type / UID / GID / 홈 디렉토리 / 로그인 셸)
root 0 0 /root /bin/bash

regular 1000~60000 1000~60000 /home/username /bin/bash

service ftp,ssh.. 1~999 1~999 /var/ftp etc.. /sbin/nologin


#유저 확인
#필드 순서 -> 유저명:패스워드 자리(x = 실제 해시는 /etc/shadow에 저장):UID:GID:설명:홈 디렉토리:로그인 셸
[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
vboxadd:x:997:1::/var/run/vboxadd:/bin/false

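#shadow 파일 확인 (root 권한으로만 읽을 수 있는 파일)
#두 번째 필드가 패스워드 해시이며 $6$는 SHA-512 crypt 형식을 의미, * 또는 !! 는 패스워드 로그인이 불가능한 계정
#해시가 유출되면 오프라인 패스워드 추측이 가능하므로 실제 운영 시스템의 출력은 공개하거나 공유하지 않는다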
[root@localhost ~]# cat /etc/shadow
root:$6$nV1WQD7jnhjZrkbv$mg/3/f2Ghkki5FmLvVNOIJDJpllDe2IXLMoQ7wvnURvU63Vc36stB/D86dqbv/XU3T4IljiCb3N8HuLhrEJQt.::0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:*:18353:0:99999:7:::
adm:*:18353:0:99999:7:::
lp:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
mail:*:18353:0:99999:7:::
operator:*:18353:0:99999:7:::
games:*:18353:0:99999:7:::
ftp:*:18353:0:99999:7:::
nobody:*:18353:0:99999:7:::
systemd-network:!!:18786::::::
dbus:!!:18786::::::
polkitd:!!:18786::::::
sshd:!!:18786::::::
postfix:!!:18786::::::
chrony:!!:18786::::::
vagrant:$6$7wleb192MItfwHer$lQrBBwAX/qF5mXOkKzEKrltkAoBHJwm/u/7Szdzg18P5SZEhmtG9CXK6qGL1eZPX6T3Cdr56SR3o.X1efxiaR.::0:99999:7:::
rpc:!!:18786:0:99999:7:::
rpcuser:!!:18786::::::
nfsnobody:!!:18786::::::
tss:!!:18786::::::
vboxadd:!!:18786::::::

#그룹 목록 확인
[root@localhost ~]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:vagrant
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
ssh_keys:x:997:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
chrony:x:996:
vagrant:x:1000:vagrant
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
printadmin:x:995:
tss:x:59:
vboxsf:x:994:

#계정 및 그룹 추가 후 확인
[root@localhost ~]# useradd ansible
[root@localhost ~]# useradd jenkins
[root@localhost ~]# groupadd devops
[root@localhost ~]# usermod -aG devops ansible
[root@localhost ~]# id ansible
uid=1001(ansible) gid=1001(ansible) groups=1001(ansible),1003(devops)
[root@localhost ~]# grep devops /etc/group
devops:x:1003:ansible

#디렉토리 경로
[root@localhost ~]# su - ansible
[ansible@localhost ~]$ pwd
/home/ansible
[ansible@localhost ~]$ exit
logout

#유저 접속 확인 
[root@localhost ~]# last
vagrant  pts/0        10.0.2.2         Fri Jan 14 11:56   still logged in
reboot   system boot  3.10.0-1160.25.1 Fri Jan 14 11:55 - 14:15  (02:19)
vagrant  pts/0        10.0.2.2         Fri Jan 14 10:54 - 10:54  (00:00)
reboot   system boot  3.10.0-1160.25.1 Fri Jan 14 10:51 - 14:15  (03:23)
reboot   system boot  3.10.0-1160.25.1 Mon Jun  7 21:43 - 02:17  (04:33)

#lsof - 유저가 열어놓은 파일 목록 확인
[root@localhost ~]# lsof -u ansible

#user 제거 (-r 옵션은 홈 디렉토리까지 함께 삭제. -r 없이 삭제하면 홈 디렉토리가 남으므로 /home 디렉토리 내에서 수동 삭제)
#남겨진 파일은 이후 같은 UID를 받는 계정의 소유가 될 수 있으므로 계정 삭제 시 함께 정리한다
[root@localhost ~]# userdel -r ansible
[root@localhost ~]# userdel jenkins
[root@localhost ~]# groupdel devops
[root@localhost ~]# ls /home
jenkins  vagrant
[root@localhost ~]# userdel -r jenkins
userdel: user 'jenkins' does not exist
[root@localhost ~]# cd /home
[root@localhost home]# ls
jenkins  vagrant
[root@localhost home]# rm -r jenkins/

 

Permission

 

#파일 퍼미션은 ls -l 명령어로 확인할 수 있음
#4개의 심볼로 구성되어 있음

#r -> 읽기 권한 #w -> 쓰기 권한 #x -> 실행 권한 #- -> 퍼미션 없음
#rwxrwxrwx (User)(Group)(Other)
[root@localhost home]# ls -l /bin/login
-rwxr-xr-x. 1 root root 37248 Feb  2  2021 /bin/login

#User 및 Group 변경
[root@localhost opt]# chown ansible:devops /opt/devopsdir/
[root@localhost opt]# ls -alh
total 0
drwxr-xr-x.  4 root    root    56 Jan 14 14:23 .
dr-xr-xr-x. 18 root    root   239 Jan 14 13:09 ..
drwxr-xr-x.  2 ansible devops   6 Jan 14 14:23 devopsdir

#Group 퍼미션에 쓰기 권한 부여
[root@localhost opt]# chmod g+w devopsdir/
[root@localhost opt]# ls -alh
total 0
drwxr-xr-x.  4 root    root    56 Jan 14 14:23 .
dr-xr-xr-x. 18 root    root   239 Jan 14 13:09 ..
drwxrwxr-x.  2 ansible devops   6 Jan 14 14:23 devopsdir

#퍼미션 Numeric
# r -> 4, w -> 2, x -> 1, 합계 7 (rwx)
#777로 변경시 rwxrwxrwx 확인 가능
#777은 Other에도 쓰기 권한이 열려 모든 계정이 내용을 수정·삭제할 수 있으므로 실습용으로만 사용. 그룹 공유가 목적이면 770 또는 775로 충분
[root@localhost opt]# chmod -R 777 devopsdir/
[root@localhost opt]# ls -alh
total 0
drwxr-xr-x.  4 root    root    56 Jan 14 14:23 .
dr-xr-xr-x. 18 root    root   239 Jan 14 13:09 ..
drwxrwxrwx.  2 ansible devops   6 Jan 14 14:23 devopsdir

 

sudo 권한

#sudo는 일반 유저가 root 유저의 권한으로 명령을 실행할 수 있도록 한다.
#해당 설정은 /etc/sudoers에서 확인 가능 (수정은 문법 검사를 해주는 visudo로 수행)

[root@localhost ~]# ls -l /etc/sudoers
-r--r-----. 1 root root 4328 Jun  8  2021 /etc/sudoers
[root@localhost ~]# cat /etc/sudoers
...
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
...

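#sudoers.d에 계정이나 그룹 추가 가능 (%로 시작하면 그룹)
#NOPASSWD: ALL은 패스워드 확인 없이 모든 명령을 root로 실행하게 하므로, 아래 설정에서는 devops 그룹에 추가되는 모든 계정이 사실상 root 권한을 갖는다. 실습 환경 외에는 필요한 명령만 지정하는 것이 안전하다.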
[root@localhost sudoers.d]# cat /etc/sudoers.d/vagrant
vagrant        ALL=(ALL)       NOPASSWD: ALL

[root@localhost sudoers.d]# cat /etc/sudoers.d/devops
%devops         ALL=(ALL)       NOPASSWD: ALL