3DAY User Management

0xff001 User/group management

1. Description

Users and groups:

  • Every process (running program) on the system runs as a specific user

  • Each file is owned by a specific user

  • Access to files and directories is restricted by the user

  • The user associated with a running process determines which files and directories the process can access

2. View current user information

[root@localhost ~]# id
uid=0(root) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

3. View the owner of the file


[root@localhost ~]# ll
total usage 0
-rw-r--r--. 1 root root 0 April 30 11:21 1.txt
-rw-rw-rw-. 1 root root 0 April 30 11:29 4.txt
drwxr-xr-x. 2 root root 6 Apr 30 11:21 dir
drwxrwxrwx. 2 root root 6 Apr 30 11:29 dir1

4. Check the running process username


[root@localhost ~]# ps aux
USER       PID %CPU %MEM   VSZ   RSS TTY     STAT START   TIME COMMAND
root         1 0.0 0.4 128092 4000 ?       Ss   11:13   0:01 /usr/lib/systemd/systemd --swi

5. User group information storage files

  • User basic information file /etc/passwd

  • User password information file /etc/shadow

  • User group information file /etc/group

0xff002 User management

1. Create a user

[root@tianyun ~]# useradd user01
//The user's primary group, additional groups, HOME, SHELL and UID are all left unspecified
[root@tianyun ~]# grep 'user01' /etc/passwd /etc/shadow /etc/group
/etc/passwd:user01:x:507:512::/home/user01:/bin/bash
/etc/shadow:user01:! !:16589:0:99999:7:::
/etc/group:user01:x:512:
[root@tianyun ~]# id user01
uid=507(user01) gid=512(user01) groups=512(user01)
[root@tianyun ~]# ls /var/spool/mail/user01
/var/spool/mail/user01
Summary:
If no options are given when creating a user, the system creates a group with the same name as the user and uses it as the user's primary group.

[root@tianyun ~]# useradd user02 -u 1503 //Create user user02 and specify the UID
[root@tianyun ~]# useradd user03 -d /aaa //Create user user03 and specify the home directory
[root@tianyun ~]# useradd user05 -s /sbin/nologin //Create a user and specify the shell
[root@tianyun ~]# useradd user07 -G hr,it,fd //Create a user and specify additional groups
[root@tianyun ~]# useradd user10 -u 4000 -s /sbin/nologin

2. Delete user


[root@tianyun ~]# userdel user10
//Delete user user10, but do not delete the user's home directory and mail spool
[root@tianyun ~]# ll -d /home/user10/
drwx------ 3 506 510 4096 09-01 21:14 /home/user10/
[root@tianyun ~]# ll /var/spool/mail/user10
-rw-rw---- 1 506 mail 0 09-01 21:14 /var/spool/mail/user10
[root@tianyun ~]# userdel -r user2
//Delete user user2, and delete the user's home directory and mail spool

3. User password


Method 1: root to modify the password of another user (alice)
[root@tianyun ~]# passwd alice
Method 2: log in as a user (zhuzhu) and change the password by yourself.
[zhuzhu@tianyun ~]$ passwd

4. Group member management


Note: usermod only works on existing users. Syntax: usermod -G group1,group2,... username
[root@tianyun ~]# usermod -G hr niuniu2 //Overwrites the original additional groups
[root@tianyun ~]# usermod -G fd,it niuniu2
[root@tianyun ~]# usermod -aG hr niuniu2 //Add a new additional group

5. Other options management


[root@tianyun ~]# usermod -s /sbin/nologin niuniu2 //Modify the login SHELL

0xff003 Group management

1. Create and delete groups


[root@tianyun ~]# groupadd hr
[root@tianyun ~]# groupadd net01 -g 2000
//Add group net01 and specify gid 2000
[root@tianyun ~]# grep 'net01' /etc/group
//View the information for group net01 in /etc/group
[root@tianyun ~]# groupdel net01
//Delete group net01

0xff004 Privilege Escalation

1. Permanent escalation of rights


[alice@tianyun ~]$ useradd u1
-bash: /usr/sbin/useradd: insufficient permissions
[alice@tianyun ~]$ su - root
password:
[root@tianyun ~]# useradd u1
succeeded

2. Temporary escalation of rights


Authorize the ordinary user xulei to run commands as root:
[root@tianyun ~]# vim /etc/sudoers
%wheel ALL=(ALL) NOPASSWD: ALL
//Allows users in the wheel group to run all commands (NOPASSWD: without being asked for their password)
[root@tianyun ~]# useradd xulei -G wheel
[root@tianyun ~]# id xulei
uid=504(xulei) gid=504(xulei) group=504(xulei),10(wheel)
[root@tianyun ~]# passwd xulei
Switch to user xulei and log in:
[xulei@tianyun ~]$ useradd gougou10
-bash: /usr/sbin/useradd: insufficient permissions
[xulei@tianyun ~]$ sudo useradd gougou10
[xulei@tianyun ~]$ id gougou10
uid=505(gougou10) gid=505(gougou10) group=505(gougou10)

0xff004 Case

1. Case


1 useradd is the command to create a user.
2 usermod is the command to modify a user.
3 groupadd is the command to create a group.
4 -u Specifies the user's UID.
5 -g Sets the user's basic (primary) group.
6 -G Sets the user's additional groups.
7 /etc/passwd shows the user's basic group.
8 /etc/group shows the user's additional groups.

1. Create user AAA and generate basic group AAA
[root@QF ~]# useradd AAA
[root@QF ~]# grep AAA /etc/passwd
AAA:x:6001:6001::/home/AAA:/bin/bash
2. Create user BBB and generate basic group BBB
[root@QF ~]# useradd BBB
[root@QF ~]# grep BBB /etc/passwd
BBB:x:6002:6002::/home/BBB:/bin/bash
3. Create group CCC
[root@qf ~]# groupadd CCC
[root@qf ~]# grep CCC /etc/group
CCC:x:7001:
4. Modify the basic group of user AAA to CCC.
5. In passwd, the basic group of user AAA is now CCC.
[root@qf ~]# usermod AAA -g CCC
[root@qf ~]# grep AAA /etc/passwd
AAA:x:6001:7001::/home/AAA:/bin/bash
6. Modify the additional group of user BBB to CCC.
7. In the group file, the additional group of user BBB is now CCC.
[root@qf ~]# usermod BBB -G CCC
[root@qf ~]# grep CCC /etc/group
CCC:x:7001:BBB
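The case above relies on two facts: the primary group is field 4 of /etc/passwd, and additional groups are whatever /etc/group lists the user under. The following Python script (an added example, not part of the original notes) parses constructed copies of both files that mirror the AAA/BBB/CCC state reached above and rebuilds the `id` output from them, which is a handy way to audit group membership offline from copied files; it also lists every UID 0 account, since any such account is root-equivalent.

```python
"""Resolve a user's primary and supplementary groups from /etc/passwd and
/etc/group, reproducing what `id` prints. The file contents below are
constructed to match the AAA/BBB/CCC case above, not copied from a system."""

from typing import Dict, List, NamedTuple, Tuple

# Constructed /etc/passwd content (state after `usermod AAA -g CCC`).
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
AAA:x:6001:7001::/home/AAA:/bin/bash
BBB:x:6002:6002::/home/BBB:/bin/bash
user10:x:4000:4000::/home/user10:/sbin/nologin
"""

# Constructed /etc/group content (state after `usermod BBB -G CCC`).
GROUP_TEXT = """\
root:x:0:
wheel:x:10:xulei
AAA:x:6001:
BBB:x:6002:
CCC:x:7001:BBB
user10:x:4000:
"""


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int        # primary group: field 4 of /etc/passwd
    home: str
    shell: str


class GroupEntry(NamedTuple):
    name: str
    gid: int
    members: Tuple[str, ...]   # supplementary members: field 4 of /etc/group


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """name -> entry. Fields: name:passwd:uid:gid:gecos:home:shell."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[f[0]] = PasswdEntry(f[0], int(f[2]), int(f[3]), f[5], f[6])
    return entries


def parse_group(text: str) -> Dict[str, GroupEntry]:
    """name -> entry. Fields: name:passwd:gid:member,member,..."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        members = tuple(m for m in f[3].split(",") if m)
        entries[f[0]] = GroupEntry(f[0], int(f[2]), members)
    return entries


def groups_of(user: str, passwd: Dict[str, PasswdEntry],
              groups: Dict[str, GroupEntry]) -> Tuple[GroupEntry, List[GroupEntry]]:
    """Return (primary group, all groups including the primary, sorted by gid)."""
    pw = passwd[user]
    by_gid = {g.gid: g for g in groups.values()}
    primary = by_gid[pw.gid]
    # Supplementary membership comes only from the member list in /etc/group;
    # the primary group counts even when the user is not listed there.
    extra = [g for g in groups.values() if user in g.members and g.gid != pw.gid]
    return primary, sorted([primary] + extra, key=lambda g: g.gid)


def id_like(user: str, passwd_text: str = PASSWD_TEXT,
            group_text: str = GROUP_TEXT) -> str:
    """Format the result the way `id <user>` prints it."""
    passwd, groups = parse_passwd(passwd_text), parse_group(group_text)
    pw = passwd[user]
    primary, allg = groups_of(user, passwd, groups)
    joined = ",".join(f"{g.gid}({g.name})" for g in allg)
    return f"uid={pw.uid}({pw.name}) gid={primary.gid}({primary.name}) groups={joined}"


def uid0_accounts(passwd_text: str = PASSWD_TEXT) -> List[str]:
    """Every account with UID 0 is root-equivalent; list them for review."""
    return [e.name for e in parse_passwd(passwd_text).values() if e.uid == 0]


if __name__ == "__main__":
    for u in ("AAA", "BBB"):
        print(id_like(u))
    print("uid 0 accounts:", uid0_accounts())
```

Point the two text constants at real copies of /etc/passwd and /etc/group and the same functions answer "which groups does this account end up in?" without running `id` on the box.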

0xff05 Extended knowledge

1. Can the default settings for user creation be changed? (For example, SHELL is forbidden to log in)


[root@tianyun ~]# vim /etc/default/useradd
SHELL=/sbin/nologin
Try to create a new user.

2. Can the user password policy be set?


1. Set the minimum password age (-m), maximum age (-M), warning days (-W) and inactive days (-I):
chage -m 0 -M 90 -W 7 -I 14 username
2. Force the user to change the password at the next login:
chage -d 0 username
3. List the user's password policy information:
chage -l username
4. Set the expiration date for the user (-E):
chage -E YYYY-MM-DD username
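Everything chage sets is stored in the numeric fields of the user's /etc/shadow line (days since 1970-01-01 for the last change, then min, max, warn, inactive and expiry), and that is also what `chage -l` reads back. The script below is an added example, not part of the original notes: it parses constructed shadow lines (the hashes are placeholders) and classifies an account on a given day as locked, must_change, ok, warning, expired or inactive, following a simplified reading of shadow(5).

```python
"""Interpret the password-ageing fields that chage reads and writes in
/etc/shadow. Every shadow line below is constructed sample data; the hashes
are placeholders, not real password hashes."""

from datetime import date, timedelta
from typing import NamedTuple, Optional

EPOCH = date(1970, 1, 1)
NEVER = 99999                     # default PASS_MAX_DAYS: effectively no expiry


class ShadowEntry(NamedTuple):
    name: str
    hash: str
    lastchg: Optional[int]        # day (since 1970-01-01) of the last password change
    min_days: Optional[int]       # chage -m
    max_days: Optional[int]       # chage -M
    warn: Optional[int]           # chage -W
    inactive: Optional[int]       # chage -I
    expire: Optional[int]         # chage -E, stored as a day number


def days_to_date(days: int) -> str:
    """Shadow stores days since the epoch; render them as YYYY-MM-DD."""
    return (EPOCH + timedelta(days=days)).isoformat()


def parse_shadow(line: str) -> ShadowEntry:
    """Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"malformed shadow line for {f[0]!r}")
    nums = [int(x) if x else None for x in f[2:8]]
    return ShadowEntry(f[0], f[1], *nums)


def password_status(line: str, today: int) -> dict:
    """Classify an account as login would on day `today` (days since the
    epoch). Simplified from shadow(5): locked, must_change, ok, warning,
    expired (must change at login), inactive (login refused)."""
    e = parse_shadow(line)
    info = {"name": e.name, "state": "ok", "expires_on": None, "days_left": None,
            "last_changed": days_to_date(e.lastchg) if e.lastchg else None}
    if e.hash.startswith(("!", "*")):
        info["state"] = "locked"          # "!!" = no password ever set; "!" prefix = locked
        return info
    if e.expire is not None and today >= e.expire:
        info["state"] = "account_expired"
        return info
    if e.lastchg == 0:
        info["state"] = "must_change"     # what `chage -d 0` produces
        return info
    if e.lastchg is None or e.max_days is None or e.max_days >= NEVER:
        return info                       # no ageing in force
    expiry_day = e.lastchg + e.max_days
    days_left = expiry_day - today
    info["expires_on"] = days_to_date(expiry_day)
    info["days_left"] = days_left
    if days_left < 0:
        if e.inactive is not None and today > expiry_day + e.inactive:
            info["state"] = "inactive"    # grace period (-I) used up
        else:
            info["state"] = "expired"
    elif days_left <= (e.warn or 0):
        info["state"] = "warning"         # inside the -W window
    return info


# Constructed samples. user01 mirrors the freshly created account shown
# earlier; alice is what `chage -m 0 -M 90 -W 7 -I 14 alice` leaves behind;
# bob is what `chage -d 0 bob` leaves behind.
NEW_USER = "user01:!!:16589:0:99999:7:::"
ALICE = "alice:$6$placeholder$NOTAREALHASH:16589:0:90:7:14::"
FORCED = "bob:$6$placeholder$NOTAREALHASH:0:0:90:7:::"

if __name__ == "__main__":
    for line in (NEW_USER, ALICE, FORCED):
        print(password_status(line, today=16589 + 85))
```

Running it over a real /etc/shadow (as root) gives a quick inventory of accounts whose passwords never expire, which is exactly what the stock PASS_MAX_DAYS of 99999 produces for every account created before the policy was tightened.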

3. Can the user password policy be set? (For example, the password is only valid for 14 days)

  • Description


/etc/login.defs is the file that sets user account and password restrictions. The configuration in this file does not apply to the root user.
  • Example


[root@tianyun ~]# vim /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
CREATE_HOME yes
ENCRYPT_METHOD SHA512
  • man page


From man login.defs:
/etc/login.defs defines the account restriction settings that go with /etc/passwd and /etc/shadow. The file is required; without it the system can still be used, but unexpected errors may occur.
If the same option is also set in /etc/shadow, the value in /etc/shadow prevails; that is, /etc/shadow has higher priority than /etc/login.defs.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail      # When creating a user, create the user's mail file under /var/spool/mail
#MAIL_FILE .mail
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999           # Maximum validity period of a password
PASS_MIN_DAYS 0               # Minimum interval between two password changes
PASS_MIN_LEN 5                # Minimum password length, not enforced for root
PASS_WARN_AGE 7               # How many days before expiry the warning starts
#
# Min/max values for automatic uid selection in useradd
# (the range of UIDs chosen automatically when no UID is given at user creation)
UID_MIN 500                   # Minimum user ID
UID_MAX 60000                 # Maximum user ID
#
# Min/max values for automatic gid selection in groupadd
# (the range of group IDs chosen automatically)
GID_MIN 500                   # Minimum group ID
GID_MAX 60000                 # Maximum group ID
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local   # Script to be executed when a user is deleted
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes               # Whether useradd creates the user's home directory by default
#
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Encrypt passwords with MD5
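A reviewer rarely reads login.defs by hand; the usual check is to parse it and compare the handful of settings that matter against a baseline. The script below is an added example (not from the original notes): it parses KEY/value lines with `#` comments, both whole-line and trailing as in the annotated listing above, and audits two constructed excerpts, one mirroring the stock values and one mirroring the tightened 30-day example. The thresholds (90 days, 8 characters, SHA512-class hashes, umask 077/027) are this example's own assumptions, not values stated on the page.

```python
"""Parse /etc/login.defs (KEY value lines, # comments) and report the
settings a reviewer usually checks. The thresholds are this example's own
baseline, not values from the page or from any standard."""

from typing import Dict, List

# Constructed excerpt mirroring the stock values shown above.
STOCK_DEFS = """\
# Password aging controls:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
CREATE_HOME yes               # create the home directory by default
UMASK 077
USERGROUPS_ENAB yes
"""

# Constructed excerpt mirroring the tightened example above.
TIGHTENED_DEFS = """\
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
CREATE_HOME yes
ENCRYPT_METHOD SHA512
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """KEY and value are separated by whitespace; '#' starts a comment,
    whether on its own line or after a value."""
    defs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        defs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return defs


# Baseline chosen for this example (an assumption; adjust to local policy).
MAX_DAYS_LIMIT = 90
MIN_LEN_LIMIT = 8
STRONG_HASHES = {"SHA512", "SHA256", "YESCRYPT"}


def audit_login_defs(text: str) -> List[str]:
    """One finding per setting that misses the baseline. Note that
    login.defs only shapes accounts at creation time (useradd copies the
    PASS_* values into /etc/shadow), so existing accounts still need chage."""
    d = parse_login_defs(text)
    findings = []
    max_days = int(d.get("PASS_MAX_DAYS", 99999))
    if max_days > MAX_DAYS_LIMIT:
        findings.append(f"PASS_MAX_DAYS={max_days}: passwords effectively never expire")
    min_len = int(d.get("PASS_MIN_LEN", 5))
    if min_len < MIN_LEN_LIMIT:
        findings.append(f"PASS_MIN_LEN={min_len}: below {MIN_LEN_LIMIT}")
    method = d.get("ENCRYPT_METHOD", "").upper()
    if method not in STRONG_HASHES:
        findings.append(f"ENCRYPT_METHOD={method or 'unset'}: not a strong hash")
    umask = d.get("UMASK", "022")         # 022 is the documented default when unset
    if umask not in ("077", "027"):
        findings.append(f"UMASK={umask}: default permissions leave files readable by others")
    return findings


if __name__ == "__main__":
    for label, text in (("stock", STOCK_DEFS), ("tightened", TIGHTENED_DEFS)):
        print(label, audit_login_defs(text) or ["no findings"])
```

The stock excerpt trips on the 99999-day maximum, the 5-character minimum and the missing hash method; the tightened one still trips on the minimum length and on the absent UMASK line, which falls back to 022.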

4. How to add multiple users to a specified group

  • Description


After usermod -G rewrites the user's groups, the previous additional group information is overwritten; that is, usermod leaves the user in only the group just given. So how do you make a user belong to multiple groups at the same time? Try gpasswd -a.
  • Example


[root@localhost ~]# useradd user1
[root@localhost ~]# useradd user2
[root@localhost ~]# useradd user3
[root@localhost ~]# groupadd group1
[root@localhost ~]# gpasswd -a user1 group1
正在将用户“user1”加入到“group1”组中
[root@localhost ~]# gpasswd -a user2 group1
[root@localhost ~]# cat /etc/group
group1:x:1011:user1,user2

5. How to replace all members of a group?


[root@localhost ~]# gpasswd -M user2,user3 group1
[root@localhost ~]# cat /etc/group
group1:x:1011:user2,user3

6. How to delete a member of a group


There are three users in the original group, delete one of them.
[root@localhost ~]# grep group1 /etc/group
group1:x:1011:user3,user1,user2
[root@localhost ~]# gpasswd -d user1 group1
Removing user "user1" from group "group1"
[root@localhost ~]# grep group1 /etc/group
group1:x:1011:user3,user2
