请教：root,bin,daemon,adm这些用户的权限有什么区别？

akuma

root,bin,daemon,adm这些用户的权限有什么区别？

    我试验的对象是adm，此用户的默认shell是/sbin/nologin,主目录是/var/adm.
      我给adm用户设置密码,并改为shell是/bin/bash,建立/home/adm并更改主目录为/home/adm.
      但是,我发现这个用户的权限好像和ID500以上的普通用户一样啊,这是这么回事??敬请大虾赐教,谢谢!!

troll

1. root
   
2. 
   
3.     Root is (typically) the superuser.
   
4. 
   
5. daemon
   
6. 
   
7.     Some unprivileged daemons that need to be able to write to some files on
   
8.     disk run as daemon.daemon (portmap, atd, jabberd, lambdamoo, mon, and
   
9.     others). Daemons that don't need to own any files sometimes run as
   
10.     nobody.nogroup instead; it is generally better practice to use a dedicated
    
11.     user, and more complex or security-conscious daemons certainly do this. The
    
12.     daemon user is also handy for locally installed daemons, probably.
    
13. 
    
14.     LSB 1.3 lists daemon as legacy, and says: "The 'daemon' UID/GID was used as
    
15.     an unprivileged UID/GID for daemons to execute under in order to limit
    
16.     their access to the system. Generally daemons should now run under
    
17.     individual UID/GIDs in order to further partition daemons from one
    
18.     another."
    
19. 
    
20. bin
    
21. 
    
22.     HELP: No files on my system are owned by user or group bin. What good are
    
23.     they? Historically they were probably the owners of binaries in /bin? It is
    
24.     not mentioned in the FHS, Debian Policy, or the changelogs of base-passwd
    
25.     or base-files.
    
26. 
    
27.     LSB 1.3 lists bin as legacy, and says: "The 'bin' UID/GID is included for
    
28.     compatibility with legacy applications. New applications should no longer
    
29.     use the 'bin' UID/GID."
    
30. 
    
31. sys
    
32. 
    
33.     HELP: As with bin, except I don't even know what it was good for
    
34.     historically.
    
35. 
    
36.     I'm told that /var/spool/cups is owned by group sys, dunno why.
    
37. 
    
38. sync
    
39. 
    
40.     The shell of user sync is /bin/sync. Thus, if its password is set to
    
41.     something easy to guess (such as ""), anyone can sync the system at the
    
42.     console even if they have no account on the system.
    
43. 
    
44. games
    
45. 
    
46.     Many games are sgid to games so they can write their high score files. This
    
47.     is explained in Debian Policy.
    
48. 
    
49. man
    
50. 
    
51.     The man program (sometimes) runs as user man, so it can write cat pages to
    
52.     /var/cache/man and update its databases there.
    
53. 
    
54. lp
    
55. 
    
56.     The lp* devices are writable by this group so that users in it can access
    
57.     the parallel ports directly. Traditionally this job is taken by a printer
    
58.     daemon instead which will only need to run in this group.
    
59. 
    
60.     The lpr system keeps its spool directories owned by lp/lp. Its daemon and
    
61.     frontend tools (through setuid) run as user root.
    
62. 
    
63.     HELP: what do other print systems (rlpr, cupsys, lprng, ...) do?
    
64. 
    
65. mail
    
66. 
    
67.     Mailboxes in /var/mail are owned and writeable by group mail, as is
    
68.     explained in Debian Policy. The user and group is used for other purposes
    
69.     as well by various MTAs and MUAs.
    
70. 
    
71. news
    
72. 
    
73.     Various news servers and other associated programs (such as suck) use user
    
74.     and group news in various ways. Files in the news spool are often owned by
    
75.     user and group news. Programs such as inews that can be used to post news
    
76.     are typically sgid news.
    
77. 
    
78. uucp
    
79. 
    
80.     The uucp user and group is used by the UUCP subsystem. It owns spool and
    
81.     configuration files. Users in the uucp group may run uucico.
    
82. 
    
83. proxy
    
84. 
    
85.     Like daemon, this user and group is used by some daemons (specifically,
    
86.     proxy daemons) that don't have dedicated user ids and that need to own
    
87.     files. For example, group proxy is used by pdnsd, and squid runs as user
    
88.     proxy.
    
89. 
    
90. majordom
    
91. 
    
92.     Majordomo has a statically allocated uid on Debian systems for historical
    
93.     reasons. It is not installed on new systems.
    
94. 
    
95. postgres
    
96. 
    
97.     Postgresql databases are owned by this user and group.
    
98. 
    
99. www-data
    
100. 
     
101.     Some web servers run as www-data. Web content should not be owned by this
     
102.     user, or a compromised web server would be able to rewrite a web site. Data
     
103.     written out by web servers, including log files, will be owned by www-data.
     
104. 
     
105. backup
     
106. 
     
107.     Presumably so backup/restore responsibilities can be locally delegated to
     
108.     someone without full root permissions?
     
109. 
     
110.     HELP: Is that right? Amanda reportedly uses this, details?
     
111. 
     
112. operator
     
113. 
     
114.     Historically, the operator user account was used by system operators with
     
115.     low privilege to dump filesystem backups to tape, and was in the root group
     
116.     so that it could do this. In Debian, the use of a utility such as sudo to
     
117.     gain privilege is preferred over such highly-special-purpose accounts, and
     
118.     the operator user is no longer created by default. It had uid 37.
     
119. 
     
120.     The operator group is used by dump -n to notify logged-in operators via
     
121.     wall when it requires operator attention. This is a historical use, and new
     
122.     applications should not behave this way. (If nothing else, the group should
     
123.     be configurable.)
     
124. 
     
125. list
     
126. 
     
127.     Mailing list archives and data are owned by this user and group. Some
     
128.     mailing list programs may run as this user as well.
     
129. 
     
130. irc
     
131. 
     
132.     Used by IRC daemons. A statically allocated user is needed only because of
     
133.     a bug in ircd: it setuid()s itself to a compiled-in user id on startup.
     
134. 
     
135. gnats
     
136. 
     
137.     HELP: Evidently used by gnats. And it needs a static set why?
     
138. 
     
139. nobody, nogroup
     
140. 
     
141.     Daemons that need not own any files sometimes run as user nobody and group
     
142.     nogroup, although using a dedicated user is far preferable. Thus, no files
     
143.     on a system should be owned by this user or group.
     
144. 
     
145.     (Technically speaking, it does no harm for a file to be owned by group
     
146.     nogroup as long as the ownership confers no additional privileges, that is
     
147.     if the group and other permission bits are equal. However, this is sloppy
     
148.     practice and should be avoided.)
     
149. 
     
150.     If root-squashing is in use over NFS, root access from the client is
     
151.     performed as user nobody on the server.
     
152. 
     
153. Other groups have no associated user.
     
154. 
     
155. adm
     
156. 
     
157.     Group adm is used for system monitoring tasks. Members of this group can
     
158.     read many log files in /var/log, and can use xconsole.
     
159. 
     
160.     Historically, /var/log was /usr/adm (and later /var/adm), thus the name of
     
161.     the group.
     
162. 
     
163.     HELP: Perhaps policy should state the purpose of this group so users may be
     
164.     safely added to it, in certainty that all they'll be able to do is read
     
165.     logs. Wouldn't hurt to rename it 'log' either ...
     
166. 
     
167. tty
     
168. 
     
169.     Tty devices and /dev/vcs* are owned by this group. This is used by write
     
170.     and wall to enable them to write to other people's ttys.
     
171. 
     
172. disk
     
173. 
     
174.     Raw access to disks. Mostly equivalent to root access.
     
175. 
     
176.     HELP: Well, I have some disk devices in /dev owned by the group, but I
     
177.     can't see the point. On another system, I noticed that some of the files
     
178.     lilo puts in /boot are also owned by disk. I can imagine local uses for
     
179.     such a group, like if you want to give some users in the group direct
     
180.     access to some hard disk. But these uses I've found on my systems seem to
     
181.     preclude doing that easily; if I put a user in group disk here, they'd have
     
182.     write access to the root filesystem.
     
183. 
     
184. kmem
     
185. 
     
186.     /dev/kmem and similar files are readable by this group. This is mostly a
     
187.     BSD relic, but any programs that need direct read access to the system's
     
188.     memory can thus be made setgid kmem.
     
189. 
     
190. dialout
     
191. 
     
192.     Full and direct access to serial ports. Members of this group can
     
193.     reconfigure the modem, dial anywhere, etc.
     
194. 
     
195. dip
     
196. 
     
197.     The group's name stands for "Dialup IP". Being in group dip allows you to
     
198.     use a tool such as ppp or dip to dial up a connection.
     
199. 
     
200. fax
     
201. 
     
202.     Allows members to use fax software to send or receive faxes.
     
203. 
     
204. voice
     
205. 
     
206.     Voicemail, useful for systems that use modems as answering machines.
     
207. 
     
208. cdrom
     
209. 
     
210.     This group can be used locally to give a set of users access to a CD-ROM
     
211.     drive.
     
212. 
     
213. floppy
     
214. 
     
215.     This group can be used locally to give a set of users access to a floppy
     
216.     drive.
     
217. 
     
218. tape
     
219. 
     
220.     This group can be used locally to give a set of users access to a tape
     
221.     drive.
     
222. 
     
223. sudo
     
224. 
     
225.     Members of this group do not need to type their password when using sudo.
     
226.     See /usr/share/doc/sudo/OPTIONS.
     
227. 
     
228. audio
     
229. 
     
230.     This group can be used locally to give a set of users access to an audio
     
231.     device.
     
232. 
     
233. src
     
234. 
     
235.     This group owns source code, including files in /usr/src. It can be used
     
236.     locally to give a user the ability to manage system source code.
     
237. 
     
238.     HELP: /usr/src is owned by group src and is setgid. This doesn't make files
     
239.     put there by foo-src packages necessarily be owned by group src though. If
     
240.     the intent is to make group src be able to manage source code, perhaps
     
241.     policy should say that foo-src packages make files in /usr/src owned and
     
242.     writeable by the group (and files in tarballs dropped there likewise)?
     
243. 
     
244. shadow
     
245. 
     
246.     /etc/shadow is readable by this group. Some programs that need to be able
     
247.     to access the file are setgid shadow.
     
248. 
     
249. utmp
     
250. 
     
251.     This group can write to /var/run/utmp, /var/log/wtmp, /var/log/lastlog, and
     
252.     similar files. Programs that need to be able to write to them (such as X
     
253.     terminal emulators) are setgid utmp.
     
254. 
     
255. video
     
256. 
     
257.     This group can be used locally to give a set of users access to a video
     
258.     device.
     
259. 
     
260. plugdev
     
261. 
     
262.     Members of this group can mount removable devices in limited ways via
     
263.     pmount without a matching entry in /etc/fstab. This is useful for local
     
264.     users who expect to be able to insert and use CDs, USB drives, and so on.
     
265. 
     
266.     Since pmount always mounts with the nodev and nosuid options and applies
     
267.     other checks, this group is not intended to be root-equivalent in the ways
     
268.     that the ability to mount filesystems might ordinarily allow. Implementors
     
269.     of semantics involving this group should be careful not to allow
     
270.     root-equivalence.
     
271. 
     
272. staff
     
273. 
     
274.     Allows users to add local modifications to the system (/usr/local, /home)
     
275.     without needing root privileges. Compare with group 'adm', which is more
     
276.     related to monitoring/security.
     
277. 
     
278. users
     
279. 
     
280.     While Debian systems use the user-group system by default (each user has
     
281.     their own group), some prefer to use a more traditional group system. In
     
282.     that system, each user is a member of the 'users' group.
     
283. 
     

复制代码

Debian中base-passwd文档中的部分内容，但各个发行版还是有些区别的。

akuma

非常感谢!

aaccdd

root：超级用户，就是管理员，拥有所有权限
bin：历史遗留用户
daemon：守护进程，非特权的、需要对一些以磁盘文件有写权限的daemon以daemon.daemon(portmap,atd,etc)运行；不需要占有任何文件的daemon 以nobody.nogroup运行；比较复杂的、涉及安全问题的daemon以特定的用户运行。daemon用户也方便本地安装的daemon运行。
adm：adm组执行系统监控任务，组成员可以读取/var/log下的多数文件，可以使用xconsole。历史上/var/log来自于/usr/adm，后来叫/var/adm，这也是组名称的由来。

bonly

这是在哪个man 下的?

bonly

找到了/usr/share/doc/base-passwd

troll

收到邮件，5年啦。

fjcyz

汗~五年的贴子翻出来了.

wdk230411

这坟挖的……