Linux user and user group management

User Profiles and Password Profiles

user profile

[root@centos-01 ~]# ls /etc/passwd
/etc/passwd
[root@centos-01 ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin

Each line of '/etc/passwd' is divided into 7 fields by ':'. The meaning of each field is:

  1. Username (for example, root in the first line): a string identifying the user account. Valid characters are uppercase and lowercase letters, digits, the minus sign (not allowed in the first position), dots and underscores; other characters are not legal. Although a dot may appear in the username, it is not recommended, especially as the first character, and the minus sign is also not recommended, because both are easy to confuse.
  2. Password. Early Unix systems did store the password here, but for security reasons it was later moved to '/etc/shadow', and this field now only holds an 'x' as a placeholder.
  3. User identification number, also known as the uid. The system identifies the user by this number, not by name: 0 is root, so if you change the uid of the test user to 0, the system will treat root and test as the same account. Usually the uid range is 0~65535 (in practice up to 4294967294 is supported). 0 is the identification number of the super user (root), 1~499 is reserved by the system for management accounts, and the identification numbers of ordinary users start from 500; if you create a custom user, you will see that its identification number is greater than or equal to 500.
  4. Group identification number, also called the gid. This field corresponds to a record in /etc/group; /etc/group and /etc/passwd are very similar in layout.
  5. Comment field. It has no practical effect on the system and usually records some attributes of the user, such as full name, phone and address. This information is displayed when you use the finger command.
  6. The user's home directory, where the user is placed after logging in. The home directory of root is /root, and the home directory of ordinary users is /home/username. This field can be customized: for example, if you create an ordinary user test1 and want test1's home directory to be in /data, just modify this field in the test1 line of /etc/passwd to /data.
  7. Shell. After the user logs in, a process is started to pass the commands issued by the user to the kernel; that process is the shell. There are many Linux shells, such as sh, csh, ksh, tcsh and bash; the default shell of Redhat/CentOS is bash. Looking at /etc/passwd, in addition to /bin/bash this field often contains /sbin/nologin, which means the account is not allowed to log in. If you want to create an account that cannot log in, change this field to /sbin/nologin; the default is /bin/bash.
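As an added example (not part of the original article), the following shell function turns the field descriptions above into an audit: it reads a passwd-format file and reports any UID 0 entry other than root (the "test becomes root" case from field 3), duplicate UIDs, and accounts that still have a login shell. The function name audit_passwd and the sample lines are my own; the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd(5)-format file.
# Findings, one per line, tag first so they can be grepped:
#   UID0    <name>             a second superuser: any UID 0 entry not named root
#   DUPUID  <name> uid=<n>     two names sharing one identity
#   LOGIN   <name> shell=<s>   account with a real login shell (not nologin/false)
# Reads the files given as arguments, or stdin if none.
audit_passwd() {
    awk -F: '
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; next }
        $3 == 0 && $1 != "root"    { printf "UID0 %s\n", $1 }
        seen[$3]++                 { printf "DUPUID %s uid=%s (also %s)\n", $1, $3, first[$3] }
        !($3 in first)             { first[$3] = $1 }          # remember first owner of each uid
        $7 !~ /\/(nologin|false)$/ { printf "LOGIN %s shell=%s\n", $1, $7 }
    ' "$@"
}

# Constructed sample in the layout of the listing above; "backdoor" and "svc" are invented.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
test:x:1000:1000::/home/test:/bin/bash
backdoor:x:0:0::/root:/bin/bash
svc:x:1000:1000::/var/svc:/sbin/nologin
EOF
)

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
# On a real host: audit_passwd /etc/passwd
```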

password profile

[root@centos-01 ~]# ls /etc/shadow
/etc/shadow
[root@centos-01 ~]# cat /etc/shadow
root:$6$No.JB2wHarMNf3Sy$q9KcXnZ1V2.Pwfn6ZO79RjjrvkfGdJYJDcHlVmUj1lfwL7gRR3mgDq8hsFJjzaEiQrwHrl0FJvVJehs2p5gV0/::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
sync:*:17110:0:99999:7:::
shutdown:*:17110:0:99999:7:::
halt:*:17110:0:99999:7:::
mail:*:17110:0:99999:7:::
operator:*:17110:0:99999:7:::
games:*:17110:0:99999:7:::
ftp:*:17110:0:99999:7:::
nobody:*:17110:0:99999:7:::
systemd-network:!!:17526::::::
dbus:!!:17526::::::
polkitd:!!:17526::::::
postfix:!!:17526::::::
sshd:!!:17526::::::
chrony:!!:17526::::::

Like /etc/passwd, each line of /etc/shadow is divided into 9 fields by ':'. The meaning of each field is:

  1. Username, corresponding to /etc/passwd.
  2. User password. This is the real password of the account, stored in hashed (encrypted) form. For this reason the file's permissions are set to 000, but the root account can still read and change it.
  3. The date the password was last changed, expressed as the number of days since January 1, 1970.
  4. The minimum number of days before the password can be changed again. The default is 0, meaning no limit.
  5. The maximum number of days the password stays valid, i.e. the number of days within which the password must be changed. The default is 99999, which can be understood as never needing to be changed.
  6. The warning period before the password expires. If this value is set to 7, the system will start warning the user 7 days before the password expires that it is about to expire.
  7. The grace period after password expiry. If this value is set to 3 and the user has not changed the password by the time it expires, then after another 3 days the account becomes invalid, that is, locked.
  8. The account expiration date. Like field 3, it is expressed in days since January 1, 1970. The account can be used before this date and becomes invalid after it.
  9. Reserved; it has no meaning.
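As an added example (not part of the original article), this shell function audits a shadow-format file against the nine fields just described: it classifies field 2 (empty, '!!', locked, weak MD5 hash) and checks the ageing fields for passwords that never expire or have not been changed in over a year. The function name audit_shadow, the 365-day threshold and the sample lines are my own; the hashes are placeholders, not real digests.

```shell
#!/bin/sh
# Added example, not from the original article: audit a shadow(5)-format file.
# Findings, one per line:
#   EMPTY     field 2 empty: no password is required where PAM permits nullok
#   UNSET     "!!": no password has ever been set, so the user cannot log in
#   LOCKED    "*" or a leading "!": the password is disabled
#   WEAKHASH  hash still uses $1$ (MD5) instead of $6$ (SHA-512)
#   NOEXPIRE  field 5 empty or 99999: the password never has to be changed
#   STALE     last change (field 3) more than 365 days before "today"
# $1 = today as days since 1970-01-01 (the unit of field 3); remaining args = files, stdin if none.
audit_shadow() {
    today=$1; shift
    awk -F: -v today="$today" '
        NF != 9 { printf "MALFORMED line %d\n", NR; next }
        $2 == ""                     { printf "EMPTY %s\n", $1; next }
        $2 == "!!"                   { printf "UNSET %s\n", $1; next }
        $2 == "*" || $2 ~ /^!/       { printf "LOCKED %s\n", $1; next }
        substr($2, 1, 3) == "$1$"    { printf "WEAKHASH %s (MD5)\n", $1 }
        $5 == "" || $5 + 0 >= 99999  { printf "NOEXPIRE %s\n", $1 }
        $3 != "" && today - $3 > 365 { printf "STALE %s (%d days since change)\n", $1, today - $3 }
    ' "$@"
}

# Constructed sample; hashes are placeholders. "today" is fixed at 18000 so the output
# is reproducible. Real use: audit_shadow "$(( $(date +%s) / 86400 ))" /etc/shadow  (as root)
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$CONSTRUCTED$notarealhash:17500:0:99999:7:::
bin:*:17110:0:99999:7:::
chrony:!!:17526::::::
legacy:$1$CONSTRUCTED$notarealhash:17000:0:90:7:::
guest::17900:0:99999:7:::
alice:$6$CONSTRUCTED$notarealhash:17900:0:90:7:::
EOF
)

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 18000
```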

User group management

user group file

[root@centos-01 ~]# ls /etc/group
/etc/group
[root@centos-01 ~]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
input:x:998:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:997:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
chrony:x:996:
slocate:x:21:

User group password file

[root@centos-01 ~]# cat /etc/gshadow
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
wheel:::
cdrom:::
mail:::postfix
man:::
dialout:::
floppy:::
games:::
tape:::
video:::
ftp:::
lock:::
audio:::
nobody:::
users:::
utmp:!::
utempter:!::
ssh_keys:!::
input:!::
systemd-journal:!::
systemd-network:!::
dbus:!::
polkitd:!::
postdrop:!::
postfix:!::
sshd:!::
chrony:!::
slocate:!::

[root@centos-01 ~]# ls /etc/shadow
shadow   shadow-  
[root@centos-01 ~]# ls /etc/gshadow
gshadow   gshadow-  
[root@centos-01 ~]# ls /etc/passwd
passwd   passwd-  
[root@centos-01 ~]# ls /etc/group
group   group-  

The files ending in '-' are backups made automatically by the system. If you delete the originals accidentally, you can copy the backups back. Note that a backup may not yet include recently added users.

[root@centos-01 ~]# ls -l /etc/passwd*
-rw-r--r--. 1 root root 846 12月 27 05:28 /etc/passwd
-rw-r--r--. 1 root root 846 12月 27 05:28 /etc/passwd-

groupadd command

Syntax: groupadd [-g GID] groupname

If the '-g' option is not given, the group is created with the next default gid chosen by the system. Like uids, gids also start from 1000.

  • The "-g" option can customize the gid.

groupdel command

This command has no special options. Note that if there are still users in the group to be deleted, those users must be deleted before the group can be deleted.

useradd command

Syntax: useradd [-u UID] [-g GID] [-d HOME] [-M] [-s SHELL] username

  • '-u': custom UID
  • '-g': make the user belong to an existing group, given as a group id or a group name
  • '-d': customize the user's home directory
  • '-M': do not create a home directory
  • '-s': custom shell

Following the '-g' option with a non-existent gid gives an error that the group does not exist. When the '-M' option is added, the user's home directory is not created, but the field is still present in the /etc/passwd file; running ls on that home directory will report that the directory does not exist. So the effect of '-M' is only to skip creating the directory.

Running 'useradd' with just a username and no options also creates a group with the same name as the user.

userdel command

Syntax: userdel [-r] username

The '-r' option has a single function: delete the account's home directory together with the account.

usermod command

Modify a user's basic information

Syntax: usermod [options] username

Example: usermod -g gid username
  • '-u': modify uid
  • '-g': modify gid
  • '-d': specify the user's home directory
  • '-s': specify the user's shell
  • '-G': Modify the extended group to which the user belongs

Use 'id root' to view the root user's uid, gid and groups (not only the gid, but also the extended groups):

[root@centos-01 ~]# id root
uid=0(root) gid=0(root) 组=0(root)
  • '-L': lock user password
  • '-U': Unlock password lock

passwd command

Syntax: passwd [username]

After an account is created, no password is set by default. Without a password the account cannot log in to the system; it can log in only after a password has been set. When creating passwords for users, make them as complex as possible for security reasons. If no username follows 'passwd', the password of the current account is changed. If the current account is root, the name of an ordinary account can follow, which changes the password of that account. Only root can change the passwords of other accounts; an ordinary account can only change its own password, not those of other accounts.

[root@centos-01 ~]# tail /etc/shadow
operator:*:17110:0:99999:7:::
games:*:17110:0:99999:7:::
ftp:*:17110:0:99999:7:::
nobody:*:17110:0:99999:7:::
systemd-network:!!:17526::::::
dbus:!!:17526::::::
polkitd:!!:17526::::::
postfix:!!:17526::::::
sshd:!!:17526::::::
chrony:!!:17526::::::

Two exclamation marks '!!' indicate that the user's password is empty (never set), so the user cannot log in. An asterisk '*' indicates that this user's password is locked and cannot be used; such a user also cannot log in.

  • '-l': lock the user's password
  • '-u': unlock the user's password
  • '--stdin': read the new password from standard input, which can be a pipe

mkpasswd command

Generates random passwords. This command is not available by default; the 'expect' package needs to be installed.

[root@centos-01 ~]# mkpasswd
-bash: mkpasswd: 未找到命令
[root@centos-01 ~]# yum install -y expect

The default is a 9-character password:

[root@centos-01 ~]# mkpasswd
9rv1yM~mH
[root@centos-01 ~]# mkpasswd -l 12
2au6koOaqSe^
[root@centos-01 ~]# mkpasswd -l 12 -s 3
@:Ozudf2a(4W
[root@centos-01 ~]# mkpasswd -l 12 -s 0
d3ymVkze5Qcd
  • '-l': specify the length of the password
  • '-s': specify the number of special characters in the password

su command

Syntax: su [-] username

Use the whoami command or the id command to view the current user:

[root@centos-01 ~]# whoami
root

The su command can be used with or without '-'. If a normal user runs su without a username, it switches to the root user; of course, root can also su to a normal user. The role of '-' is to initialize the environment variables of the user being switched to, as a fresh login would.

sudo command

Lets an ordinary user temporarily execute a command as a specified user. Usually the ordinary user is authorized to run commands as root.

Open the sudo configuration file:

[root@centos-01 ~]# visudo

It is not recommended to edit the /etc/sudoers file directly with vi, because no syntax check is performed after the modification. It is recommended to use visudo, which detects errors.

By default, root can sudo because of the line 'root ALL=(ALL) ALL' in the /etc/sudoers file. Adding 'test ALL=(ALL) ALL' below this line gives the test user the right to sudo. Use the 'visudo' command to edit the /etc/sudoers configuration file; it is operated the same way as 'vi': press 'i' to enter editing mode, and after editing press 'Esc' and enter ':wq' to save.

More examples are detailed in the /etc/sudoers file.

Restrict root remote login

[root@centos-01 ~]# vi /etc/ssh/sshd_config

Find the line

#PermitRootLogin yes

and change it to

PermitRootLogin no

Then restart the service:

[root@centos-01 ~]# systemctl restart sshd.service
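Editing the file is only half the job; sshd uses the first active occurrence of a keyword, so a commented-out line changes nothing and a 'PermitRootLogin no' appended below an earlier 'PermitRootLogin yes' is ignored. As an added example (not part of the original article), the shell functions below report the value sshd will actually use; the function names effective_directive and check_root_login, the whitespace-separated 'Keyword value' form, and the three sample configs are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: report the PermitRootLogin value that
# sshd will actually apply. Rules implemented: skip comments and blank lines; the global
# section ends at the first "Match" block; the FIRST remaining occurrence of a keyword wins;
# no active occurrence means the compiled-in default applies. Assumes "Keyword value" form.
effective_directive() {   # $1 = config file, $2 = keyword (sshd keywords are case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # comment or blank line
        tolower($1) == "match" { exit }                  # conditional section: stop here
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

check_root_login() {      # $1 = config file
    v=$(effective_directive "$1" PermitRootLogin)
    case "$v" in
        no)    echo "OK: PermitRootLogin no" ;;
        yes)   echo "FAIL: PermitRootLogin yes" ;;
        unset) echo "WARN: PermitRootLogin not set, sshd default applies" ;;
        *)     echo "INFO: PermitRootLogin $v" ;;
    esac
}

# Constructed sample configs (not a real system's files).
CFG_DEFAULT=$(mktemp); CFG_FIXED=$(mktemp); CFG_ORDER=$(mktemp)
trap 'rm -f "$CFG_DEFAULT" "$CFG_FIXED" "$CFG_ORDER"' EXIT
# Only the commented line from the article: nothing is set, the default applies.
printf '%s\n' '#PermitRootLogin yes' 'Port 22' > "$CFG_DEFAULT"
# The fix from the article; a later Match block does not change the global value.
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
              'Match User admin' '    PermitRootLogin yes' > "$CFG_FIXED"
# Common mistake: appending "no" below an existing "yes"; the first occurrence wins.
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$CFG_ORDER"

for f in "$CFG_DEFAULT" "$CFG_FIXED" "$CFG_ORDER"; do check_root_login "$f"; done
# Real host: check_root_login /etc/ssh/sshd_config, and compare with: sshd -T | grep -i permitrootlogin
```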


Origin http://43.154.161.224:23101/article/api/json?id=325729610&siteId=291194637