Enterprise user management in a Linux system

User Management in a Linux System

1. The meaning of users and user groups

1) Why users exist
System resources are limited, so how are they allocated reasonably?
Solving this requires three cooperating mechanisms:
1. Identity (account)
2. Authorization (author)
3. Authentication (auth)

Together they are the 3A mechanism; the 3A mechanism forms the lowest-level security architecture of the system.

2) Why user groups exist
A user group is a logical container used to classify users and authorize them uniformly.

2. How users and user groups exist in the system

Computers are sensitive to numbers, humans to strings.

id <------> name: this mapping must be recorded in a file before the user can exist.
A user is a line of text in the /etc/passwd file.

A user group exists as a line of text in the /etc/group file.

3. User switching

1) Viewing users

whoami ##view the current user
id ##view a user's id information
-u ##view the user's uid
-g ##view the user's main group id
-G ##view all of the user's group ids
-n ##display names instead of numbers (used together with -u, -g or -G)

[root@westoslinux Desktop]# whoami            ##view the user name
root
[root@westoslinux Desktop]# id -u root        ##view the user's uid
0
[root@westoslinux Desktop]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@westoslinux Desktop]# id -g root        ##view the user's main group id
0
[root@westoslinux Desktop]# id -G root        ##view all of the user's group ids
0
[root@westoslinux Desktop]# id -n root
id: cannot print only names or real IDs in default format
[root@westoslinux Desktop]# id -Gn root       ##view the names of all of the user's groups
root
[root@westoslinux Desktop]# id -gn root
root
[root@westoslinux Desktop]# id -u westos
1000
[root@westoslinux Desktop]# id westos
uid=1000(westos) gid=1000(westos) groups=1000(westos),10(wheel)
[root@westoslinux Desktop]# id -gn westos
westos
[root@westoslinux Desktop]# id -Gn westos
westos wheel
[root@westoslinux Desktop]# su - root

User id range
0 - 65535
0 ## Linux superuser id
1-999 ## ids used by the Linux system itself
1000-65535 ## ordinary user ids
## the id allocation rules above are recorded in /etc/login.defs

2) User switch
su - username ##switch to the user and load that user's environment

##root switching to another user does not need a password
##switching between other users requires the target user's password

##Note: after switching users, exit the borrowed identity as soon as you are done.
##Do not run su repeatedly inside one shell; the nested environments become confused.

4. System configuration files involved by the user

/etc/passwd ##user identity information file
##user name:user password:user id:user main group id:user description:user home directory:user default shell

/etc/group ##group identity information file
##group name:group password:group id:additional members of the group

/etc/skel/.* ##user environment configuration file templates (copied into a new home directory)

/etc/shadow ##user authentication information file

/home/username ##user home directory
/var/spool/mail/username ##user mailbox file
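As an added example that is not from the original post, the script below reads a passwd-format file with the seven fields listed above (sections 2 and 4) and runs the two checks an administrator most wants from it: any second account with uid 0, and any account whose password field is empty rather than "x". The PASSWD_SAMPLE content is constructed for the example; on a real host you would feed it /etc/passwd instead.

```shell
#!/bin/sh
# Added example: audit a passwd-format file using the field layout
# name:password:uid:gid:description:home:shell. PASSWD_SAMPLE is constructed.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
westos:x:1000:1000:westos:/home/westos:/bin/bash
backdoor:x:0:0:not root:/home/backdoor:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash'

# Print one field of one user's record.
# usage: passwd_field NAME FIELDNO   (1 name, 2 password, 3 uid, 4 gid,
# 5 description, 6 home, 7 shell)
passwd_field() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

# Classify a uid by the ranges quoted above from /etc/login.defs.
uid_class() {
    if [ "$1" -eq 0 ]; then
        echo superuser
    elif [ "$1" -lt 1000 ]; then
        echo system
    else
        echo user
    fi
}

# Every account with uid 0 is a superuser; any name other than root here
# must be explained or removed.
extra_uid0() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# "x" means the hash lives in /etc/shadow; an empty field means the account
# has no credential at all (the state passwd -d leaves behind).
empty_password() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# Stand-alone run: report both findings.
echo "accounts with uid 0 besides root: $(extra_uid0)"
echo "accounts with an empty password field: $(empty_password)"
```

Run it as `sh audit_passwd.sh`; replace the PASSWD_SAMPLE assignment with `PASSWD_SAMPLE=$(cat /etc/passwd)` to audit the live file, which is world-readable so no root is needed.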

5. Create and delete users and user groups

Monitor user creation with:
watch -n 1 "tail -n 4 /etc/passwd /etc/group; echo =========; ls -l /home"

useradd username ##create a user
-u id username ##specify the uid
##0 means superuser
##1-200 system reserved ids
##201-999 system users
##1000-60000 ordinary (user-level) users
##/etc/login.defs records the default rules used when users are created
-g id username ##main group id
-G id username ##additional group id
-d dir username ##specify the user's home directory
-M username ##do not create a home directory when creating the user
-c word username ##specify the user description
-s shell username ##specify the shell used by the user

userdel -r username ##delete the user; -r also removes the user's files (home directory and mail spool)

groupadd groupname ##create a group
-g id groupname ##specify the group id (create the group with the given gid)
groupdel groupname ##delete the group

6. Information management of users and user groups

usermod
-l #change the user name
-u #change the user's id
-g #change the user's main group id
-G #set the user's additional groups (replacing the current list)
-aG #append an additional group to the current list
-c #change the user description
-d #change where the user's home directory points (the directory itself is not moved)
-md #change where the home directory points and move the directory at the same time
-s #change the default shell
-L #lock (freeze) the account
-U #unlock the account

groupmod -g ##change a user group's id

Modify the user's name (figure omitted)

[root@westoslinux Desktop]# useradd lee                 ##add a user lee
[root@westoslinux Desktop]# userdel lee                 ##delete the user lee
[root@westoslinux Desktop]# useradd lee                 ##but the deletion did not remove the files under /home/
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[root@westoslinux Desktop]# userdel -r lee              ##-r removes the home directory and mail file as well
[root@westoslinux Desktop]# groupadd lee                 ##add a group
[root@westoslinux Desktop]# groupdel lee

Modify the user's main group id (figure omitted)
Add additional groups to a user (figure omitted)

usermod -G "" username   ##remove all of the user's additional groups

/etc/passwd ##user identity information file
##user name:user password:user id:user main group id:user description:user home directory:user default shell

/etc/group ##group identity information file
##group name:group password:group id:additional members of the group
/etc/skel/.* ##user environment configuration file templates
/etc/shadow ##user authentication information file
/home/username ##user home directory
/var/spool/mail/username ##user mailbox file

7. User authentication information management

#1. User name
passwd -S lee ##view the password status

#2. User password (encrypted string)
#Change the password
passwd lee ##set lee's password; only root can set another user's password
echo 123 | passwd --stdin lee ##non-interactive form, root only

passwd ##change your own password
Changing password for user lee.
Current password: ##enter the current password
New password: ##enter a new password (8 or more characters, letters and digits mixed in no obvious order)
Retype new password: ##enter the new password again
passwd: all authentication tokens updated successfully.

#Freeze authentication
passwd -l lee ##freeze (lock) the account's authentication
passwd -u lee ##unfreeze (unlock) the account's authentication
Note: root can switch to any user with su, regardless of whether the account is frozen (that is why the switch in the original figure still succeeded).
#Delete the password
passwd -d lee ##remove lee's password

Interpretation of /etc/shadow
username:password:days since last password change:minimum password age:maximum password age:password expiration warning days:inactive days after expiry:account expiration date:reserved field


#Days since last password change, counted from 1970-01-01
passwd -e lee ##set the last-change day to 0
chage -d 0 lee ##same effect: the account must change its password to log in to the system

#Minimum password age
passwd -n 1 lee ##lee cannot change the password again within one day
chage -m 1 lee ##same via chage

#Maximum password age
passwd -x 40 lee ##lee must set a new password within 40 days or the password expires and the account is frozen
chage -M 30 lee

#Password expiration warning
passwd -w 2 lee ##warning period before the password expires
chage -W 1 lee

#Inactive days
passwd -i 2 lee ##days after the maximum age in which the password can still be changed before the account is disabled
chage -I 1 lee

##Account expiration date
chage -E "2020-05-11" lee ##the account is frozen from "2020-05-11"

##Reserved field (the ninth field, currently unused)
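To tie the nine fields and the passwd/chage options above together, here is an added example (mine, not from the original post) that reads one /etc/shadow record and reports the state that the password-ageing fields imply on a given day. "Today" is passed in as days since 1970-01-01, the same unit the file uses, so the function can be tested offline; the SHADOW records in the usage lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: interpret one /etc/shadow record.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; TODAY uses the same unit.
# usage: shadow_status 'name:hash:lastchg:min:max:warn:inactive:expire:' TODAY
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # "!" or "*" in front of the hash: passwd -l / usermod -L, or no
        # usable hash at all; password authentication is frozen
        if (hash ~ /^[!*]/)  { print "locked"; exit }
        # empty hash: the state passwd -d leaves behind
        if (hash == "")      { print "nopassword"; exit }
        # account expiry (chage -E) applies whatever the password state is
        if (expire != "" && today > expire) { print "account_expired"; exit }
        # lastchg 0: passwd -e / chage -d 0, the password must be changed now
        if (last == 0)       { print "must_change"; exit }
        # 99999 is the default "never expires" maximum age
        if (max != "" && max != 99999) {
            due = last + max
            # past the inactive grace period: the account is disabled
            if (inact != "" && today > due + inact) { print "inactive"; exit }
            # past the maximum age: the password has expired
            if (today > due)                        { print "expired"; exit }
            # inside the warning window before expiry
            if (warn != "" && today >= due - warn)  { print "warn"; exit }
        }
        print "ok"
    }'
}

# Stand-alone run with constructed records (hashes shortened on purpose).
# Day 18000 is 1 April 2019; max 40, warn 2, inactive 1.
for day in 18010 18039 18041 18042; do
    echo "day $day: $(shadow_status 'lee:$6$abc:18000:1:40:2:1::' "$day")"
done
echo "locked:  $(shadow_status 'lee:!$6$abc:18000:0:99999:7:::' 18010)"
echo "expired account: $(shadow_status 'lee:$6$abc:18000:0:99999:7::18393:' 18400)"
```

The evaluation order matters: a locked hash or an expired account (chage -E) wins over anything the ageing fields say, and the inactive window is checked before plain expiry because it is the later of the two dates. To look at the real file, run `sudo awk -F: '$1=="lee"' /etc/shadow` and pass the line plus `$(( $(date +%s) / 86400 ))` as today.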

userdel -r lee
useradd lee
usermod -l linux lee         ##change the user's name from lee to linux
usermod -l lee linux
usermod -g 72 lee            ##change the user's main group id
usermod -g 1001 lee
id lee
usermod -G 72 lee            ##change the user's additional group id
id lee
usermod -G 1000 lee
id lee
usermod -G 72 lee
id lee
usermod -aG 1000 lee         ##append an additional group id
usermod -G "" lee            ##remove all additional groups
usermod -aG 1000 lee
usermod -G 72 lee
usermod -G "" lee
usermod -c "hello westos" lee
usermod -c "" lee
usermod -d /home/linux lee        ##change where the user's home directory points
usermod -d /home/lee lee
usermod -md /home/linux lee       ##change the pointer and move the home directory
usermod -s /bin/sh lee
usermod -s /bin/bash lee          ##change the shell the user uses
usermod -md /home/lee lee

tail -n 3 /etc/passwd /etc/group
tail -n 3 /etc/passwd /etc/group; ls -l /home/
watch -n 1 "tail -n 3 /etc/passwd /etc/group; ls -l /home/"   ##monitor the passwd and group files
watch -n 1 "tail -n 3 /etc/shadow"                              ##monitor the authentication file
passwd lee
passwd -e lee                     ##expire the password immediately, so the user must change it as soon as they log in
chage -I 1 lee
chage -E "2020-1-8" lee           ##set the account expiration date to 2020-1-8

8. Delegation of user privileges (sudo)

Ordinary users in the system cannot execute system management commands.
If an ordinary user needs to perform system management actions, the root user must grant the authorization.

The authorization method for ordinary users is sudo.
Function: lets an ordinary user run a command as a specified user.

Authorization method:
visudo ##edits /etc/sudoers and checks the syntax before saving

visudo ##run on its own, it opens the privilege configuration of the system directly
sudo ##after root has granted the privilege, the user still has to prefix the command with sudo to call it
which ##shows the location of a command (the rule needs the absolute path)
The rules are written at about line 100 of the file. ##rule format:
username hostname=(newusername) NOPASSWD: /command

##NOPASSWD: run without being asked for a password

lee westoslinux.westos.org=(root) NOPASSWD: /usr/sbin/useradd,/usr/sbin/userdel

##user lee, when adding and deleting users, is equivalent to the superuser
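The rule format above is easy to over-widen, so as an added example (not from the original post) the function below lints a single rule written in that `user host=(runas) [NOPASSWD:] /cmd,...` form and prints one line per weakening it finds: a host, run-as user or command list of ALL, NOPASSWD combined with ALL, and commands given without an absolute path. It is a review aid only; `visudo -c` remains the syntax check of record. The rules in the usage lines are constructed except for the page's own lee rule.

```shell
#!/bin/sh
# Added example: lint one sudoers rule of the form
#   user host=(runas) [NOPASSWD:] /cmd1,/cmd2
# Prints nothing when the rule is as tight as the page's example.
lint_sudoers_rule() {
    printf '%s\n' "$1" | awk '
    {
        # split "user host=<rest>" at the first "="
        eq = index($0, "=")
        left = substr($0, 1, eq - 1); right = substr($0, eq + 1)
        split(left, lp, " "); host = lp[2]
        # optional "(runas)" part
        runas = ""
        if (match(right, /^\([^)]*\)/)) {
            runas = substr(right, 2, RLENGTH - 2)
            right = substr(right, RLENGTH + 1)
        }
        # optional NOPASSWD: tag
        nopasswd = 0
        if (sub(/^[ \t]*NOPASSWD:[ \t]*/, "", right)) nopasswd = 1
        gsub(/[ \t]/, "", right)
        n = split(right, cmds, ",")
        if (host == "ALL")  print "host=ALL: rule applies on every host"
        if (runas == "ALL") print "runas=ALL: may run as any user, not just root"
        if (right == "ALL") print "command=ALL: every command allowed, this is not delegation"
        if (nopasswd && right == "ALL") print "NOPASSWD with ALL: no check of any kind"
        for (i = 1; i <= n; i++) {
            # sudo matches commands by path; a bare name is ambiguous
            if (cmds[i] != "ALL" && cmds[i] !~ /^\//)
                print "relative command " cmds[i] ": give the absolute path from which"
        }
    }'
}

# Stand-alone run: the page's rule, then two constructed weaker ones.
echo "page rule:"; lint_sudoers_rule 'lee westoslinux.westos.org=(root) NOPASSWD: /usr/sbin/useradd,/usr/sbin/userdel'
echo "wide rule:"; lint_sudoers_rule 'lee ALL=(ALL) NOPASSWD: ALL'
echo "bare name:"; lint_sudoers_rule 'lee westoslinux.westos.org=(root) useradd'
```

The absolute-path check is why the page pairs `which` with sudo: the rule must name the binary that `which useradd` reports, otherwise the entry either fails to match or matches more than intended.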


Test:
su - lee
sudo useradd westostest ##the first time sudo is used, lee's own password must be entered

exit ##exit from lee
su - westos
sudo userdel -r westostest ##westos can execute the userdel command without a password


Origin blog.csdn.net/Antonhu/article/details/112982737