Linux user & user group management

User

The Linux system is a multi-user, multi-tasking, time-sharing operating system. Any user who wants to use system resources must first apply for an account from the system administrator and then enter the system with that account. Each user account has a unique username and its own password. After entering the correct username and password at login, the user enters the system and his or her home directory.

On the one hand, the user account helps the system administrator track who is using the system and control their access to system resources; on the other hand, it helps the user organize files and provides security protection for the user's data.

User account management

             To realize the management of user accounts, the work to be completed mainly includes the following aspects:

  • Add, delete and modify user accounts
  • User password management
  • User group management

Add, delete and modify user accounts

Add user

Adding a user account means creating a new account in the system. In practice this means adding a record for the new user to the /etc/passwd file, updating other system files such as /etc/shadow and /etc/group for the new account, and allocating resources such as a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used until a password is set.

Linux provides an integrated system management tool, userconf, which can be used to manage user accounts uniformly. To add a new user account from the command line, use the useradd command. The syntax is as follows:

useradd [options] [username]

[Option] Parameter description:

  • -c: Specify a comment description.
  • -d: Specify the user's home directory. If this directory does not exist, use the -m option at the same time to create the home directory.
  • -g: Specifies the main user group to which the user belongs.
  • -G: Specifies additional groups to which the user belongs.
  • -s: Specifies the user's login shell.
  • -o: --non-unique, allows user accounts to be created with duplicate UIDs.
  • -u: Specifies the user ID of the user. If the -o option is also given, the identification number of another user can be reused.
  • -m: Create the home directory. If the user's home directory does not exist, it is created, and the files and directories contained in the skeleton directory are copied into it. If this option is not specified, no home directory is created by default.

[Username] parameter description: Specify the login name of the new account.

Example 1: Create a new user tom. The -d and -m options are used together to create the home directory /home/tom for the login name tom (/home is the parent directory of the default user home directories).

Example 2: Create a new user jerry whose login shell is /bin/sh, whose primary group is chen, and who is additionally a member of the root group.

[root@localhost tom]# useradd -s /bin/sh -g chen -G root jerry

Note: a user account has no password when it is first created; it is locked by the system and cannot be used. A password must be assigned before it can be used, even if that password is empty.

Delete user

If a user's account is no longer used, it can be deleted from the system. Deleting a user account means removing the user's record from /etc/passwd and the other system files, and deleting the user's home directory if necessary. To delete an existing user account, use the userdel command. The format is as follows:

userdel [options] [username]

The commonly used option is -r, which deletes the user's home directory at the same time.

For example, the following command deletes user tom, removes his records from the system files (mainly /etc/passwd, /etc/shadow and /etc/group), and deletes his home directory at the same time:

[root@localhost chen]# userdel -r tom

Modify user

             Modifying a user account means changing the relevant attributes of the user according to the actual situation, such as user number, home directory, user group, login shell, etc.

To modify the information of an existing user, use the usermod command, whose format is as follows:

usermod [options] [username]

[Option] Parameter description:

  • -c: Specify a comment description.
  • -d: Specify the user's home directory. If this directory does not exist, use the -m option at the same time to create the home directory.
  • -g: Specifies the user's new primary (initial login) group, by group name or numeric GID. This group must exist. Files in the user's home directory that belonged to the old primary group are transferred to the new group; the group ownership of files outside the home directory must be changed manually.
  • -G: Specifies additional groups to which the user belongs.
  • -s: Specifies the name of the user's new login shell. Setting this field to empty causes the system to choose the default login shell.
  • -o: --non-unique, allows user accounts to be created with duplicate UIDs.
  • -u: Specifies the user ID of the user. If the -o option is also given, the identification number of another user can be reused.
  • -m: Create the home directory. If the user's home directory does not exist, it is created, and the files and directories contained in the skeleton directory are copied into it. If this option is not specified, no home directory is created by default.
  • -l: Change the login name to the new username. Nothing else is changed; in particular, the user's home directory and mail spool should probably be renamed manually to reflect the new login name.

For example, change the login shell of user tom to ksh, the home directory to /home/z, and the primary group to root:

# usermod -s /bin/ksh -d /home/z -g root tom

User password management

             An important part of user management is the management of user passwords. When the user account is first created, it does not have a password and is locked by the system and cannot be used. It must be assigned a password before it can be used, even if an empty password is assigned.

The shell command used to set and change user passwords is passwd. The superuser can set passwords for themselves and for other users; ordinary users can only change their own password. The format of the command is:

passwd [options] [username]

[Option] Parameter description:

  • -l: Lock the password, that is, disable the account.
  • -u: Unlock the password.
  • -d: Remove the account's password, making it passwordless.
  • -f: Force the user to change the password at the next login.

[Username] parameter description: if the username is omitted, the current user's password is modified.

For example, if the current user is chen, running passwd with no username argument changes chen's own password.

A superuser can instead set the password of any user by giving that username as the argument.

When an ordinary user changes his or her password, the passwd command first asks for the current password and, after verifying it, asks for the new password twice. If the two entries match, the new password is assigned to the user. When the superuser assigns a password to a user, there is no need to know the user's current password.

For the sake of system security, users should choose a more complex password: preferably at least 8 characters long, containing uppercase and lowercase letters and digits, and different from the user's name, birthday and similar personal details.

             When specifying a blank password for a user, execute a command of the following form:

# passwd -d user

This command deletes the user's password, so that at the next login the system no longer asks the user for a password.

             The passwd command can also use the -l(lock) option to lock a user so that he or she cannot log in:

# passwd -l user

User group management

Each user has a user group, and the system can manage all the users in a group centrally. Different Linux systems handle user groups differently; for example, on Linux a user belongs by default to a user group with the same name as the user, and this group is created at the same time as the user.

             The management of user groups involves the addition, deletion and modification of user groups. The addition, deletion and modification of groups are actually updates to the /etc/group file.

Add user group

To add a new user group, use the groupadd command. The syntax is as follows:

groupadd [options] [group name]

[Option] Parameter description:

  • -g: Specifies the group identification number (GID) of the new user group.
  • -o: Generally used together with the -g option; allows the GID of the new group to be the same as the GID of an existing group in the system.

Example 1: Add a new group group1 to the system. The GID of the new group is the current maximum GID plus 1.

[root@localhost home]# groupadd group1

Example 2: Add a new group group2 to the system, with its GID explicitly set to 101.

[root@localhost home]# groupadd -g 101 group2

The GID of the new group can be checked with the command cat /etc/group.

Delete user group

To delete an existing user group, use the groupdel command, whose format is as follows:

groupdel [group name]

For example, the following command removes group group2 from the system:

[root@localhost home]# groupdel group2

Modify user group

             To modify the attributes of a user group, use the groupmod command. Its syntax is as follows:

groupmod [options] [group name]

[Option] Parameter description:

  • -g: Specify a new group identification number (GID) for the user group.
  • -o: Used together with the -g option; allows the new GID of the group to be the same as the GID of an existing group in the system.
  • -n: Rename the user group to the given new name.

Example 1: Change the GID of group group1 to 102.

[root@localhost home]# groupmod -g 102 group1

The new GID of the group can be checked with the command cat /etc/group.

Example 2: Change the GID of group group1 to 1006 and rename the group to test.

[root@localhost home]# groupmod -g 1006 -n test group1

Supplement

If a user belongs to several user groups at the same time, the user can switch between them to obtain the permissions of another group.

After logging in, the user can use the newgrp command to switch the current session to another user group. The parameter of this command is the target group, which must be the current user's primary group or one of the user's additional groups. Syntax:

newgrp [target user group]

             Similar to the management of user accounts, the management of user groups can also be completed through integrated system management tools.

Related system files

             User management actually involves modifying related system files. Information related to users and user groups is stored in some system files, including: /etc/passwd, /etc/shadow, /etc/group, etc.

/etc/passwd file

The /etc/passwd file is the most important file in user management. Each user in the Linux system has a corresponding record line in /etc/passwd, which records the basic attributes of the user. The file is readable by all users and can be viewed with the command cat /etc/passwd.

As can be seen from the figure, each record line in /etc/passwd corresponds to one user, and each line is divided into 7 fields separated by colons (:). Its format and the meaning of each field are as follows:

Username:Password:User ID:Group ID:Comment description:Home directory:Login shell

Username

The username is a string representing the user account, usually no more than 8 characters long, consisting of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field separator here. For compatibility, it is best not to include a dot (.) in the login name, and not to start it with a hyphen (-) or a plus sign (+).

Password

On some systems this field holds the encrypted user password. Although it stores only the encrypted string rather than plain text, the /etc/passwd file is readable by all users, so this is a security risk. Therefore most Linux systems (and System V Release 4 derivatives) now use shadow passwords: the real encrypted password is stored in /etc/shadow, and the password field of /etc/passwd holds only a placeholder character such as "x" or "*".

User identification number

              The user identification number is an integer that is used internally by the system to identify the user. Generally, it corresponds to the username one-to-one. If the user identification numbers corresponding to several user names are the same, they will be regarded as the same user internally by the system, but they can have different passwords, different home directories, different login shells, etc.

              Usually the value range of user identification numbers is 0 to 65 535. 0 is the identification number of the super user root, 1 to 99 are reserved by the system as management accounts, and the identification numbers of ordinary users start from 100. On Linux systems, this limit is 500.

Group identification number

              The group identification number records the user group to which the user belongs. It corresponds to a record in the /etc/group file.

Comment description

The comment description records some personal information about the user, for example the user's real name, phone number and address. This field has no practical use for the system itself, and its format is not uniform across Linux systems. In many Linux systems it stores an arbitrary comment text, which is shown in the output of the finger command.

Home directory

              The home directory is the user's starting working directory. It is the directory where the user is located after logging into the system. In most systems, each user's home directory is organized in the same specific directory, and the name of the user's home directory is the user's login name. Each user has read, write, and execute (search) permissions on his or her own home directory, and other users' access permissions to this directory are set according to specific circumstances.

Login Shell

After the user logs in, a process is started that passes the user's operations to the kernel. This process is the command interpreter, or a specific program, that runs after the user logs into the system: the Shell.

              The Shell is the interface between the user and the Linux system. There are many types of Linux Shells, each with different characteristics. Commonly used ones include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.

              System administrators can designate a shell for users based on system conditions and user habits. If you do not specify a shell, the system uses sh as the default login shell, that is, the value of this field is /bin/bash.

              The user's login shell can also be designated as a specific program (this program is not a command interpreter). Using this feature, users can be restricted to run only specified applications. After the application is finished running, the user will automatically exit the system. Some Linux systems require that only programs registered in the system can appear in this field.

Pseudo user

              There is a type of user in the system called pseudo users. These users also have a record in the /etc/passwd file, but cannot log in because their login shell is empty. Their existence is mainly to facilitate system management and meet the requirements of the corresponding system processes for file owners.

              Common pseudo-users are as follows:

  • bin: owns the executable user command files
  • sys: owns system files
  • adm: owns the accounting files
  • uucp: used by UUCP
  • lp: used by the lp or lpd subsystem
  • nobody: used by NFS

              In addition to the pseudo-users listed above, there are many standard pseudo-users, such as audit, cron, mail, usenet, etc., which are also required by related processes and files.

/etc/shadow file

Since the /etc/passwd file is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer. Linux systems with higher security requirements therefore keep the encrypted passwords in a separate file, /etc/shadow. Only the superuser has read permission on this file, which protects the user passwords.

              The record lines in /etc/shadow correspond to those in /etc/passwd. They are automatically generated by the pwconv command based on the data in /etc/passwd. The file format is similar to /etc/passwd and consists of several fields separated by ":". These fields are:

Login name:Encrypted password:Last modified time:Minimum time interval:Maximum time interval:Warning time:Inactivity time:Expiration time:Flag

  • Login name : a user account that is consistent with the login name in the /etc/passwd file
  • Password: the field stores the encrypted user password, 13 characters long in the traditional format. If it is empty, the corresponding user has no password and is not asked for one when logging in; if it contains characters outside the set { ./0-9A-Za-z }, the corresponding user cannot log in. Linux passwords currently use the SHA-512 hash algorithm; earlier systems used MD5 or DES.
  • Last modified time : represents the number of days from a certain moment to the last time the user modified the password. The starting point of time may be different for different systems. For example, in SCO Linux, the starting point of this time is January 1, 1970.
  • Minimum time interval : refers to the minimum number of days required between two password changes.
  • Maximum time interval : refers to the maximum number of days that a password remains valid.
  • Warning time : The field indicates the number of days between when the system starts warning the user and when the user's password officially expires.
  • Inactivity time : Indicates the maximum number of days that the user has no login activity but the account can still remain valid.
  • Expiration time : The field gives an absolute number of days. If this field is used, the lifetime of the corresponding account will be given. After the expiration, the account is no longer a legal account and can no longer be used to log in.
  • Flag: this field is not currently used and is reserved for future features.
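As an added example, not part of the original post, the following POSIX shell function reads constructed /etc/shadow-format records and interprets the fields listed above: it reports an empty password field, a locked password (a leading "!" or "*"), which hash algorithm the encrypted password uses (identified by its prefix, with the 13-character form treated as legacy DES), and whether the password or the account has expired relative to a day number passed as the argument. The sample records, the placeholder hashes and the finding labels are assumptions of this example; day numbers are days since January 1, 1970, as the text describes.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-format records by the field meanings
# described in the text. Constructed sample; the hashes are placeholders.
# Field order: name:hash:lastchg:min:max:warn:inactive:expire:flag

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
tom:$1$abcdefgh$placeholderhash:18000:0:90:7:::
jerry::19500:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:19500:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19600:1:60:7::19900:
legacy:abJnggxhB/yWI:15000:0:99999:7:::'

# audit_shadow TODAY: read shadow records on stdin; TODAY is the current day
# number (days since 1970-01-01). Prints one finding per line.
audit_shadow() {
    awk -F: -v today="$1" '
    NF == 0 { next }
    NF != 9 { printf "BAD_FORMAT %s (%d fields)\n", $1, NF; next }
    {
        name = $1; hash = $2; lastchg = $3; max = $5; expire = $8
        prefix = substr(hash, 1, 3)
        if (hash == "") {
            printf "NO_PASSWORD %s\n", name          # empty field: no password asked
        } else if (hash ~ /^[!*]/) {
            printf "LOCKED %s\n", name               # passwd -l prefixes the hash with "!"
        } else if (prefix == "$6$") {
            printf "ALGO %s SHA-512\n", name
        } else if (prefix == "$5$") {
            printf "ALGO %s SHA-256\n", name
        } else if (prefix == "$y$") {
            printf "ALGO %s yescrypt\n", name
        } else if (prefix == "$1$") {
            printf "WEAK_ALGO %s MD5\n", name
        } else if (length(hash) == 13 && index(hash, "$") == 0) {
            printf "WEAK_ALGO %s DES\n", name        # the 13-character legacy form
        } else {
            printf "UNKNOWN_HASH %s\n", name
        }
        # Password age: last change plus the maximum interval is in the past.
        if (max != "" && max < 99999 && lastchg + max < today) {
            printf "PASSWORD_EXPIRED %s\n", name
        }
        # Absolute account expiry day has passed.
        if (expire != "" && expire < today) {
            printf "ACCOUNT_EXPIRED %s\n", name
        }
    }'
}

# count_shadow_findings TODAY: number of findings for the sample on that day.
count_shadow_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$1" | awk 'END { print NR }'
}

# Run against the constructed sample as of day 19700
# (on a real host: audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow, as root).
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 19700
```

As of day 19700 the sample yields SHA-512 for root, an MD5 hash and an expired password for tom, no password for jerry, a locked password for bob, yescrypt and an expired password for alice, and a legacy DES hash for the legacy account; moving the day past 19900 additionally reports alice's account as expired.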

/etc/group file

              All information about user groups is stored in the /etc/group file. Grouping users is a means of managing users and controlling access rights in Linux systems.

              Each user belongs to a user group; there can be multiple users in a group, and a user can also belong to different groups. When a user is a member of multiple groups at the same time, what is recorded in the /etc/passwd file is the primary group to which the user belongs, which is the default group to which the user belongs when logging in, and other groups are called additional groups.

Note: when a user wants to access files belonging to one of his additional groups, he must first use the newgrp command to switch to that group.

              The format of the /etc/group file is also similar to the /etc/passwd file, with several fields separated by colons (:). These fields are:

Group name:Password:Group ID:List of users in the group

  • Group name: the name of the user group, consisting of letters or digits. As with login names in /etc/passwd, group names must not be repeated.
  • Password: the field stores the encrypted password of the group. User groups in Linux systems generally have no password, so this field is usually empty or *.
  • Group identification number: like the user identification number, an integer used internally by the system to identify the group.
  • User list in the group: the list of users belonging to this group, separated by commas (,). The group may be a user's primary group or an additional group.
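The two POSIX shell functions below are an added example, not part of the original post, showing how the two files fit together: a user's primary group is recorded only by GID in /etc/passwd, while the member list in /etc/group normally names only additional (supplementary) members, so the effective membership of a group is the union of both. The passwd and group records and the user and group names are constructed for this example.

```shell
#!/bin/sh
# Added example: resolve group membership from constructed /etc/passwd and
# /etc/group records. Sample data, not from a real host.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001:tom:/home/tom:/bin/bash
jerry:x:1002:1003:jerry:/home/jerry:/bin/sh
chen:x:1003:1003:chen:/home/chen:/bin/bash'

# group name:password:GID:comma-separated supplementary members
GROUP_DATA='root:x:0:jerry
wheel:x:10:tom
tom:x:1001:
chen:x:1003:tom'

# user_groups USER: print every group USER belongs to, tagged primary or
# supplementary, in /etc/group order. Primary membership comes from the
# GID field of the passwd record, not from the group member list.
user_groups() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1 " (primary)"; next }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] == u) { print $1 " (supplementary)"; break }
            }
        }'
}

# group_members GROUP: effective members, i.e. users whose primary GID is
# this group (from passwd) plus the users listed in the group record,
# printed sorted and space-separated on one line.
group_members() {
    gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    if [ -z "$gid" ]; then
        echo ""          # unknown group: no members
        return 0
    fi
    {
        printf '%s\n' "$PASSWD_DATA" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '
            $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
    } | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "groups of jerry:"
user_groups jerry
echo "effective members of chen: $(group_members chen)"
echo "effective members of root: $(group_members root)"
```

In the sample, jerry is a primary member of chen but appears nowhere in chen's member list, so a review that only reads /etc/group would miss him; the same applies to primary membership of the root group, which is why group_members consults both files.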

Add users in batches

              If you need to add dozens, hundreds, or even thousands of users, it is too inefficient to use the useradd command to add them one by one. Therefore, the Linux system provides tools for creating a large number of users. The method is as follows:

1. First, edit a text file listing the users

Each line is written in the format of the /etc/passwd file. Note that the username, UID and home directory of each user must all be different. The password field can be left blank or set to the letter x. The content of a sample file test.txt is as follows:

user001::600:100:user:/home/user001:/bin/bash

user002::601:100:user:/home/user002:/bin/bash

2. Run /usr/sbin/newusers as root to import the data from the newly created user file test.txt and create the users:

# newusers < test.txt

Then run cat /etc/passwd to check whether the records of these users have appeared in /etc/passwd, and check whether the users' home directories have been created.

3. Run the command /usr/sbin/pwunconv

This moves the encrypted passwords from /etc/shadow back into the password field of /etc/passwd and removes the /etc/shadow file, that is, it temporarily disables the shadow password function. This prepares for the password conversion in the next steps.

# pwunconv

4. Edit a file containing each user's password

The format is: username:password

              The content of the example file passwd.txt is as follows:

user001:123456

user002:123456

5. Run /usr/sbin/chpasswd as root

This sets the user passwords: chpasswd encrypts each password in the same way as the /usr/bin/passwd command and writes it into the password field of /etc/passwd.

# chpasswd < passwd.txt

6. Make sure the encrypted passwords are written into the password field of /etc/passwd

Then run /usr/sbin/pwconv to move the encrypted passwords back into shadow form and write the result to /etc/shadow.

# pwconv

This completes the creation of a large number of users. Afterwards you can check in /home whether the permissions on these users' home directories are correct, and log in to verify that the user passwords work.
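Because newusers processes the whole file as root, a mistake in the input file (a repeated UID, a duplicate home directory, a UID of 0) is applied to every line before anyone notices. The following POSIX shell function is an added example, not part of the original post, that checks a user file of the format shown in step 1 before it is fed to newusers: each line must have 7 fields, a numeric non-zero UID, a password field that is empty or x, and a username, UID and home directory that no other line uses. The sample input and the message labels are constructed for this example.

```shell
#!/bin/sh
# Added example: validate a newusers input file before running newusers.
# Constructed sample input (deliberately containing mistakes), not the
# article's test.txt.

NEWUSERS_INPUT='user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::601:100:user:/home/user003:/bin/bash
user002::602:100:user:/home/user004:/bin/bash
user005:x:0:100:user:/home/user005:/bin/bash
user006::603:100:user:/home/user001:/bin/bash
user007::abc:100:user:/home/user007:/bin/bash
user008::604:100:user:/home/user008'

# check_newusers_file: read the user file on stdin; print one problem per
# line, prefixed with the input line number. Prints nothing when it is clean.
check_newusers_file() {
    awk -F: '
    NF == 0 { next }
    NF != 7 { printf "line %d: BAD_FORMAT %d fields\n", NR, NF; next }
    {
        name = $1; pw = $2; uid = $3; home = $6
        # Step 1 allows only an empty password field or the letter x.
        if (pw != "" && pw != "x") {
            printf "line %d: PASSWORD_FIELD should be empty or x\n", NR
        }
        if (uid !~ /^[0-9]+$/) {
            printf "line %d: BAD_UID %s\n", NR, uid
        } else if (uid == 0) {
            printf "line %d: UID_ZERO %s would be a second root\n", NR, name
        }
        # Username, UID and home directory must each be unique across lines.
        if (name in seen_name) {
            printf "line %d: DUP_NAME %s (also line %d)\n", NR, name, seen_name[name]
        } else {
            seen_name[name] = NR
        }
        if (uid in seen_uid) {
            printf "line %d: DUP_UID %s (also line %d)\n", NR, uid, seen_uid[uid]
        } else {
            seen_uid[uid] = NR
        }
        if (home in seen_home) {
            printf "line %d: DUP_HOME %s (also line %d)\n", NR, home, seen_home[home]
        } else {
            seen_home[home] = NR
        }
    }'
}

# count_problems: number of problem lines reported for the sample input.
count_problems() {
    printf '%s\n' "$NEWUSERS_INPUT" | check_newusers_file | awk 'END { print NR }'
}

# Check the sample (on a real host: check_newusers_file < test.txt, and run
# newusers only when nothing is printed).
printf '%s\n' "$NEWUSERS_INPUT" | check_newusers_file
```

On the sample, lines 1 and 2 pass and each of lines 3 to 8 is reported for exactly one problem: a repeated UID, a repeated username, UID 0, a repeated home directory, a non-numeric UID and a line with only 6 fields.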


Origin blog.csdn.net/weixin_60461563/article/details/133138898