1. Introduction to user management
1) The higher a server's security requirements, the more it needs a well-designed hierarchy of user privilege levels and a set of server operating rules.
2) In Linux, user information is mainly viewed and modified through the user configuration files.
2. /etc/passwd
Field 1: user name
Field 2: password flag
Field 3: UID (user ID)
> 0: superuser. A UID of 0 means the superuser. Note that an account with UID 0 is always a superuser, but an account named root is not necessarily one, because the UID is what the system uses to identify the account, while the user name is only there for people to read. In Linux, to make a user a superuser (administrator), it is enough to change its UID to 0. In Windows, making a user an administrator means adding that user to the administrators group.
> 1-499: system users (pseudo-users). They exist for the system and its commands to use; they cannot log in and must not be deleted, since deleting them can break the system.
> 500-65535: normal users. Users created in the ordinary way get UIDs starting at 500 by default; if more are needed, newer Linux kernels support up to 2^32 of them.
Field 4: GID (initial group)
Field 5: user description. Normal users added with the defaults have no description, i.e. this field is empty.
Field 6: home directory, the location the user lands in after logging in.
> Normal users: /home/username/
> Superuser: /root/
Field 7: the shell started after login
[root@localhost ~]# vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rtkit:x:499:499:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
Note: because the file does not look very readable when opened with vi, switch to vim, the enhanced version of vi, which shows it in colour.
In this file each line represents one user, so you can determine the number of users from the line count, either with wc or by moving the cursor to the last line in vim.
Within each line, the items are separated by colons and, from the start, mean:
user name:password flag:
For example,
root:x:0:0:root:/root:/bin/bash
root is the user name,
x is the password flag. This symbol marks that a password exists; it is not the password itself. For security reasons the password is stored in another file, the shadow file /etc/shadow. The x must not be omitted: its presence means the user has a password, and the actual password must be looked up in the shadow file. If there is no x, the user has no password. Note also that a user without a password cannot log in remotely and can only log in on the local machine.
[root@localhost ~]# vim /etc/passwd
[root@localhost ~]#
[root@localhost ~]# vim /etc/shadow
[root@localhost ~]# ll /etc/passwd
-rw-r--r--. 1 root root 1630 11月 25 23:26 /etc/passwd
[root@localhost ~]# ll /etc/shadow
----------. 1 root root 1044 11月 25 23:26 /etc/shadow
[root@localhost ~]#
As shown above, the shadow file holds the password and related information.
From the shadow file's attributes, it has no read or write permission bits at all, which means only the root user is able to read it.
0: UID, the user id. In principle every user has a unique identification number for the system to use.
0: GID, the user's initial group. There can be only one initial group; it can be changed, but changing it is not recommended.
Aside: the difference between the initial group and supplementary groups
Initial group: the group whose permissions the user holds immediately upon logging in. Each user has exactly one initial group, usually a group with the same name as the user.
Supplementary groups: other groups the user can be added to, gaining their permissions; there can be several supplementary groups.
root: user description
/bin/bash: the shell after login. In principle it can be changed; if, after adding a user, you change the shell to something other than /bin/bash, that user cannot log in.
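To make the distinction between the initial group and supplementary groups concrete, here is an added Python example (not code from the original post) that resolves both for a user from constructed /etc/passwd and /etc/group text. Every account, group, UID and GID in it is made up; the user carol deliberately has a GID with no /etc/group entry, to show what a dangling initial group looks like.

```python
"""Resolve a user's initial group and supplementary groups.

Added example, not code from the original post. It parses constructed
/etc/passwd and /etc/group text instead of the live files so it runs
anywhere; every account, group and id below is made up.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed /etc/passwd sample: name:x:UID:GID:GECOS:home:shell
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
carol:x:502:9999:Carol:/home/carol:/bin/bash
"""

# Constructed /etc/group sample: name:x:GID:member1,member2,...
# The members column lists supplementary members only; the initial group
# comes from the GID column of /etc/passwd.
GROUP_TEXT = """\
root:x:0:
wheel:x:10:alice
alice:x:500:
bob:x:501:
developers:x:1000:alice,bob
"""


def parse_passwd(text: str) -> Dict[str, Dict[str, object]]:
    """Map user name -> {uid, gid, home, shell}; blank and comment lines are skipped."""
    users: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text: str) -> Dict[int, Tuple[str, Set[str]]]:
    """Map GID -> (group name, set of supplementary member names)."""
    groups: Dict[int, Tuple[str, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def groups_of(user: str, passwd_text: str = PASSWD_TEXT,
              group_text: str = GROUP_TEXT) -> Tuple[Optional[str], List[str]]:
    """Return (initial group name or None, sorted supplementary group names).

    The initial group is the one named by the user's GID in /etc/passwd; it is
    None when no /etc/group entry has that GID (a dangling GID, as for carol).
    Supplementary groups are those whose member list names the user, excluding
    the initial group itself if it happens to list the user too.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    record = users[user]
    entry = groups.get(record["gid"])
    initial = entry[0] if entry else None
    supplementary = sorted(
        name for name, members in groups.values()
        if user in members and name != initial
    )
    return initial, supplementary


if __name__ == "__main__":
    for who in ("root", "alice", "bob", "carol"):
        print(who, groups_of(who))
```

On a live system the same logic is what `id` reports: the GID column of /etc/passwd gives the initial group, and /etc/group's member lists give the supplementary ones. A dangling GID (carol above) is worth noticing during a review, because files that user creates will carry a group number that no name resolves to.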
4. What is a shell? The shell is the Linux command interpreter. In /etc/passwd, besides the standard shell /bin/bash, the field can also be set to something like /sbin/nologin, which temporarily blocks the user: that user cannot log in.
An interpreter is what parses commands. Windows also has what is in substance a command interpreter: for example, when you click the Start menu, the system pops up the Start menu window. In other words, interaction between the user and the system needs a command interpreter; it just is not called that there.
nologin means the user cannot log in, so if you do not want a particular user to log in, just change its shell to nologin.
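Added example, not code from the original post: a small audit over the fields described above, checking for the conditions this post treats as risky (a second UID 0 account, an empty password field, a password hash kept in /etc/passwd instead of /etc/shadow, a system-range UID with a login shell, and duplicate names or UIDs). The passwd lines it runs on are constructed and the account names are made up; the 1-499 system range follows this post, and newer distributions start normal users at 1000, so adjust SYSTEM_UID_MAX accordingly.

```python
"""Audit /etc/passwd entries for the risky conditions described above.

Added example, not code from the original post. It runs over constructed
passwd lines so it works offline; the account names below are made up.
"""
from collections import Counter
from typing import List, Tuple

SYSTEM_UID_MAX = 499  # system-user range used in this post; newer distros start normal users at 1000
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
LOCKED_MARKERS = {"*", "!", "!!"}  # a password field that cannot match any password

# Constructed sample: a clean root, two system accounts, and five problem entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backdoor:x:0:0:second uid 0:/root:/bin/bash
guest::502:502:empty password field:/home/guest:/bin/bash
legacy:$1$saltsalt$hashhashhash:503:503:hash kept in passwd:/home/legacy:/bin/bash
svc:x:200:200:system uid with login shell:/var/lib/svc:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
alice:x:504:504:duplicate name:/home/alice2:/bin/bash
"""


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for every suspicious entry in passwd text."""
    findings: List[Tuple[str, str]] = []
    names: Counter = Counter()
    uids: Counter = Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(("malformed-entry", f"line {lineno}"))
            continue
        name, pw, uid_s, _gid, _gecos, _home, shell = fields
        uid = int(uid_s)
        names[name] += 1
        uids[uid] += 1
        # Field 3: any UID 0 account is a superuser, whatever it is called.
        if uid == 0 and name != "root":
            findings.append(("uid0-not-root", name))
        # Field 2: empty means login without a password; anything other than
        # 'x' or a lock marker is a hash sitting in a world-readable file.
        if pw == "":
            findings.append(("empty-password", name))
        elif pw != "x" and pw not in LOCKED_MARKERS:
            findings.append(("hash-in-passwd", name))
        # Fields 3 and 7: system accounts are expected to carry a nologin shell.
        if 1 <= uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append(("system-uid-login-shell", name))
    findings.extend(("duplicate-name", n) for n, c in names.items() if c > 1)
    findings.extend(("duplicate-uid", str(u)) for u, c in uids.items() if c > 1)
    return findings


if __name__ == "__main__":
    # To audit a live system instead: audit_passwd(open("/etc/passwd").read())
    for finding, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding:24} {detail}")
```

On a real file the sync, shutdown and halt accounts from the listing above will appear under system-uid-login-shell, because their shells are special-purpose programs rather than nologin; that finding is a review item, not automatically a fault. The uid0-not-root and empty-password findings are the ones that deserve immediate attention.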
Recommendation: keep user names in a uniform format and follow a naming convention so they are easy to manage: not too long, preferably meaningful, and preferably without arbitrary special characters.
If you see the information above but cannot tell how to read the configuration (what each item means), you can run man + file type (a number; 5 means configuration file) + file name to view the help page for that file.
Addendum: man 5 + file name (note: the name, not the absolute path). This command shows the help page for a configuration file.
[root@localhost ~]# man 5 /etc/passwd
Running the command above causes a problem, so note the mistake here: you should use passwd, not the absolute path.
/etc/passwd
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:dae-
mon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nolo-
gin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:Sys-
tem message bus:/:/sbin/nologin usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin rpc:x:32:32:Rpcbind
Daemon:/var/lib/rpcbind:/sbin/nologin rtkit:x:499:499:RealtimeKit:/proc:/sbin/nologin avahi-au-
toipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin vcsa:x:69:69:virtual con-
sole memory owner:/dev:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin rpcuser:x:29:29:RPC
Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS Us-
er:/var/lib/nfs:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin post-
fix:x:89:89::/var/spool/postfix:/sbin/nologin gdm:x:42:42::/var/lib/gdm:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin sshd:x:74:74:Privilege-sepa-
rated SSH:/var/empty/sshd:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin zhouxueli:x:500:500:zhoux-
ueli:/home/zhouxueli:/bin/bash
(END)
The correct command is:
[root@localhost ~]# man 5 passwd
This shows the help page for the configuration file; 5 means a configuration file, and the file name passwd is used here rather than /etc/passwd.
PASSWD(5)                    Linux Programmer’s Manual                    PASSWD(5)

NAME
passwd - password file

DESCRIPTION
Passwd is a text file, that contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. Often, it also contains the encrypted passwords for each account. It should have general read permission (many utilities, like ls(1) use it to map user IDs to usernames), but write access only for the superuser.

In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and moreover, the basic assumption used to be that of a friendly user-community. These days many people run some version of the shadow password suite, where /etc/passwd has "x" instead of encrypted passwords, and the encrypted passwords are in /etc/shadow which is readable by the superuser only.

If the encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a password. Note that this functionality may be intentionally disabled in applications, or configurable (for example using the "nullok" or "nonull" arguments to pam_unix.so).

If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record should be obtained from a NIS+ server.

Regardless of whether shadow passwords are used, many sysadmins use an asterisk in the encrypted password field to make sure that this user can not authenticate him- or herself using a password. (But see the Notes below.)

If you create a new login, first put an asterisk in the password field, then use passwd(1) to set it.

There is one entry per line, and each line has the format:

account:password:UID:GID:GECOS:directory:shell

The field descriptions are:

account    the name of the user on the system. It should not contain capital letters.
password   the encrypted user password, an asterisk (*), or the letter 'x'. (See pwconv(8) for an explanation of 'x'.)
UID        the numerical user ID.
GID        the numerical primary group ID for this user.
GECOS      This field is optional and only used for informational purposes. Usually, it contains the full username. GECOS means General Electric Comprehensive Operating System, which has been renamed to GCOS when GE’s large systems division was sold to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant."
directory  the user’s $HOME directory.
shell      the program to run at login (if empty, use /bin/sh). If set to a non-existing executable, the user will be unable to login through login(1).

FILES
/etc/passwd

NOTES
If you want to create user groups, their GIDs must be equal and there must be an entry in /etc/group, or no group will exist.

If the encrypted password is set to an asterisk, the user will be unable to login using login(1), but may still login using rlogin(1), run existing processes and initiate new ones through rsh(1), cron(8), at(1), or mail filters, etc. Trying to lock an account by simply changing the shell field yields the same result and additionally allows the use of su(1).

SEE ALSO
login(1), passwd(1), su(1), getpwent(3), getpwnam(3), group(5), shadow(5)

COLOPHON
This page is part of release 3.22 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.