table of Contents:
-
- 1. Password usage strategy:
- 2. User and group management:
- 1).groupadd command:
- 2).groupmod command:
- 3).groupdel command:
- 4).useradd command:
- 5).usedmod command:
- 6).passwd:
- 7).gpasswd command:
- 8).newgrp command:
- 9).chage command:
- 3. Parse the library file:
- 1). /etc/passwd
- 2)./etc/shadow
- 3)./etc/group
- Four. sudo command:
When logging in to the system, when the system resolves users, it cannot directly resolve the user name root, but the ID number can be identified and resolved.
UID : Owner ID
GID : Owner Group ID
Linux users: Username/UID
Administrator: root, 0
Ordinary users: 1-65535
System users: 1-499 (CentOS6), 1-999 (CentOS7)
Login users: 500-65535 (Centos6), 1000-65535 (Centos7)
Parsing library: /etc/passwd
Linux group: Groupname/GID
Administrator group: root, 0
Common user group: 1-65535
System user group: 1-499 (CentOS6), 1-999 (CENTOS7)
Login user group: 500-65535 (Centos6), 1000- 65535 (Centos7)
parsing library: /etc/group
1. Password usage strategy:
- Change password regularly
- Password length is not less than 8 digits
- Use at least three types of characters and symbols
- Use random password
2. User and group management:
Security context:The process runs as its initiator, and the access permissions of the process to the file depend on the permissions of the user who initiated the process.
1).groupadd command:
Add group
usage:groupadd options groupname
| -g GID | Specify GID, the default is the GID+1 of the previous group |
|---|---|
| -r | Create system group |
实例:
创建组为tro(GID为4000)和gun(GID为4002)
[root@localhost ~]# groupadd -g 4000 tro
[root@localhost ~]# groupadd -g 4002 gun
2).groupmod command:
Modify group attributes
Usage:groupadd [option]…group
| -g GID | Modify GID |
|---|---|
| -n new_name | Modify group name |
3).groupdel command:
Delete group
usage:groupdel GROUP
4).useradd command:
Create user
| -u UID | UID |
|---|---|
| -g GID | Specify the basic group ID, this group must exist in advance |
| -G groupname,groupname2 | Specify the additional groups to which the user belongs, separated by commas |
| -c | Add comment information |
| -d | Use the specified path as the user's home directory; this can be achieved by copying the directory /etc/skel and renaming it |
| -s | Specify the user's default shell, a list of all available shells are stored in the /etc/shells file |
| -r | Create system user |
实例:
创建一个nebula用户,指定默认shell /bin/sh
创建jerry用户,指定默认shell /bin/sh并添加注释信息“helloworld”
[root@localhost ~]# useradd nebula -s /bin/sh
[root@localhost ~]# useradd jode -s /bin/sh -c "hello world! "
查看:
[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
gentoo:x:4001:4001::/home/gentoo:/bin/bash
gentooo:x:5001:6001::/var/tmp/gentooo:/bin/bash
fedore:x:5002:5002:fedore Core:/home/fedore:/bin/tcsh
jerry:x:5003:5003::/home/jerry:/bin/bash
jery2:x:5004:5004::/home/jery2:/bin/bash
nebula:x:5005:5005::/home/nebula:/bin/sh
jode:x:5006:5006:hello world! :/home/jode:/bin/sh
[root@localhost ~]# id jode
uid=5006(jode) gid=5006(jode) groups=5006(jode)
5).usedmod command:
Modify user attributes
| -u UID | Modify the user's ID to the new UID specified here |
|---|---|
| -g | Change the basic group to which the user belongs |
| -G | Modify the additional group to which the user belongs; the original additional group will be overwritten |
| -a | Used together with -G to add new additional groups for users |
| -c | Modify comment information |
| -d | Modify the user's home directory; the user's original files will not be transferred to the new location |
| -m | Can only be used with the -d option to move the original home directory to the new home directory |
| -l | Modify user name |
| -s | Modify the user's default shell |
| -L | Lock the user's password; that is, add a "!" before the user's original password string |
| -U | Unlock user's password |
userdel: delete user
| -r | Delete with the home directory |
|---|
6).passwd:
Create or modify user password
- passwd: modify the user's own password
- passwd USERNAME: modify the password of the specified user, but only root has this authority
| -l, -u | Lock and unlock users |
|---|---|
| -d | Clear user password string |
| -e | Password expires immediately |
| -n days | Minimum period of use |
| -w days | Alarm time |
| -x days | Maximum use period |
-Stdin: create password non-interactively
实例:
[root@localhost ~]# echo "111111" | passwd --stdin jerry
Changing password for user jerry.
passwd: all authentication tokens updated successfully.
7).gpasswd command:
Create or modify group password
Usage:gpasswd groupname
| -a username | Add users to the group |
|---|---|
| -d username | Remove user from group |
【(Different from usermod) Example If the system has a peter account, the account itself is not a member of the groupname group, you need to enter a password to use newgrp. gpasswd groupname allows users to temporarily join as a member of this group, and the file group created by Peter will also be groupname. So this method can temporarily allow Peter to use other groups when creating files instead of the group where Peter himself is. Therefore, using gpasswd groupname to set a password is to allow those who know the group password to temporarily switch to the group name function. gpasswd -A peter users If peter is the administrator of the users group, you can perform the following operations: gpasswd -a mary users gpasswd -a allen users Note:To add a user to a certain group, you can use the usermod -G group_name user_name command to add a user to the specified group, but the previously added group will be cleared. So when you want to add a user to a group while keeping the previously added group, please use the gpasswd command to add operations.】
8).newgrp command:
Temporarily switch the specified group to the basic group
Usage:newgrp - groupname
id: Display the user's ID number
| -u | Show UID |
|---|---|
| -g | Show GID |
| -G | Display group ID |
| -n | Need to use display name instead of ID in conjunction with -u -g -G |
9).chage command:
Change user password expiration information
Usage:chage options login name
| -d date | Specify the password last modification time |
|---|---|
| -E date | Password expiration date, account is unavailable after the time has passed |
| -w days | Alarm time |
| -m days | The minimum number of days the password can be changed |
| -M days | Maximum number of days the password is valid: |
3. Parse the library file:
1). /etc/passwd
7个字段
root❌0:0:root:/root:/bin/bash(以冒号为一个字段)
- 用户名:是代表用户账号的字符串。通常长度不超过8个字符,并且由大小写字母和/或数字组成
- 口令: 存放着加密后的用户口令字。现在许多Linux系统都使用了shadow技术,把真正的加密后的用户口令字存放到/etc/shadow文件中,而在/etc/passwd文件的口令字段中只存放一个特殊的字符,例如“x”或者“*”
- 用户的标识符UID
- 用户组的标识符GID
- 注释信息
- 用户的家目录
- 登录shell
2)./etc/shadow
/etc/passwd文件中的每个用户都有一个对应的记录行,记录着这个用户的一下基本属性。/etc/passwd只有系统管理员才可以修改的,该文件对所有用户可读。而/etc/shadow文件正如他的名字一样,他是passwd文件的一个影子, /etc/shadow文件中的记录行与/etc/passwd中的一一对应,它由pwconv命令根据/etc/passwd中的数据自动产生。 但是/etc/shadow其他用户看不了,/etc/shadow文件只有系统管理员才能够进行修改和查看。)
[root@localhost ~]# vi /etc/shadow
root:$6$d9W9DLliJ3hzy0z9$luCn8Krt1O7zOs/AzjagY97ozAq4UPhOP3G299GmNvQMz3CXGPiN15Qk.MB/4.jylRE7dUJwnvQtJlZ5YOEp20:18321:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
shutdown:*:15980:0:99999:7:::
halt:*:15980:0:99999:7:::
mail:*:15980:0:99999:7:::
uucp:*:15980:0:99999:7:::
operator:*:15980:0:99999:7:::
games:*:15980:0:99999:7:::
gopher:*:15980:0:99999:7:::
ftp:*:15980:0:99999:7:::
nobody:*:15980:0:99999:7:::
vcsa:!!:18321::::::
saslauth:!!:18321::::::
postfix:!!:18321::::::
sshd:!!:18321::::::
apache:!!:18322::::::
gentoo:!!:18328:0:99999:7:::
gentooo:!!:18328:0:99999:7:::
fedore:!!:18328:0:99999:7:::
jerry:$6$U36uAM.o$/f3MT7P7vIu7VC6lno38VUMmVoFJGHTnfCsBpZDUdXmg2uyI6Vp7vn56dHyKubBSHr9ygaRaUkN7jbCwugTu./:18331:0:99999:7:::
jery2:!!:18329:0:99999:7:::
nebula:!!:18331:0:99999:7:::
jode:!!:18331:0:99999:7:::
文件以冒号为分隔符
第一列:账户名称
第二列:用户的加密口令,*,被锁定,!!代表过期,$6$加密算法,$rxtW5qBw$加密因子
第三列:上次修改密码的时间距离1970年01月01日多少天
第四列:两次修改口令最小的时间间隔
第五列:口令有效的最大天数/密码最长有效天数(默认位99999天,可以理解为永不过期)
第六列:到期前的提醒天数
第七列:到期后的宽限时间
第八列:账号失效时间
第九列:预留
root:$ 6 rxtW5qBw$yNHpzQxqF61aBP.4EgWwdZG32DiaRg537VnUFV0x947zXHs3VLgEiToxwCQB1YsdqgTBlaQuP.gYirQQABoYB.:18312:0:99999:7:::
- 6开头的,表明是用SHA-512加密
- 1表明是用MD5加密
- 2 是用Blowfish加密
- 5 是用 SHA-256加密
3)./etc/group
Linux /etc/group文件与==/etc/passwd和/etc/shadow文件都是有关于系统管理员对用户和用户组管理时相关的文件==。linux /etc/group文件是有关于系统管理员对用户和用户组管理的文件,linux用户组的所有信息都存放在/etc/group文件中。具有某种共同特征的用户集合起来就是用户组(Group)。用户组(Group)配置文件主要有 /etc/group和/etc/gshadow,其中/etc/gshadow是/etc/group的加密信息文件
组名:口令:组标识号(GID):组内用户列表
[root@localhost ~]# cat /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
floppy:x:19:
vcsa:x:69:
cdrom:x:11:
tape:x:33:
dialout:x:18:
- 组名: 组名是用户组的名称,由字母或数字构成。与/etc/passwd中的登录名一样,组名不应重复。
- 口令: 口令字段存放的是用户组加密后的口令字。一般Linux系统的用户组都没有口令,即这个字段一般为空,或者是*。
- 组标识号: 组标识号与用户标识号类似,也是一个整数,被系统内部用来标识组。别称GID
- 组内用户列表: 是属于这个组的所有用户的列表,不同用户之间用逗号(,)分隔。这个用户组可能是用户的主组,也可能是附加组。
四.sudo命令:
- 设置用户在某台机器上运行某些命令
- sudo提供了丰富的日志,详细记录每个用户干了什么
- 通行证作用,免验证时间
- /etc/sudoers
1、编辑/etc/sudoers, 使用visudo编辑
2、用户需要是登录用户,并且启用密码
3、在普通用户下 sudo commond username
创建新用户 user1, 让它能够使用useradd命令添加用户user2
1.在root用户下输入 visudo
2.找到如下图
[root@localhost ~]# su - user1
[user1@localhost ~]$ sudo useradd user2
[sudo] password for user1:
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
gentoo:x:4001:4001::/home/gentoo:/bin/bash
gentooo:x:5001:6001::/var/tmp/gentooo:/bin/bash
fedore:x:5002:5002:fedore Core:/home/fedore:/bin/tcsh
jerry:x:5003:5003::/home/jerry:/bin/bash
jery2:x:5004:5004::/home/jery2:/bin/bash
nebula:x:5005:5005::/home/nebula:/bin/sh
jode:x:5006:5006:hello world! :/home/jode:/bin/sh
user1:x:5007:5007::/home/user1:/bin/bash
user2:x:5008:5008::/home/user2:/bin/bash
账户名 主机名称=(可切换的身份) 可用的指令
比如root账户
root ALL=(ALL) ALL
对于新增的账户就在下面加上
test ALL=(root) ALL
允许test用sudo命令执行root的所有命令
(如果是其他的命令需要用locate,whereis,which先找到命令的路径)
需要注意的是 每次切换 你都需要密码才可以,使用如下命
令可以避免输入密码
test ALL=(root) NOPASSWD: ALL