Manage local users and groups

Describe users and groups

User

User accounts are used to provide security boundaries between different people and programs running commands.

Display information about the currently logged in user using id

[root@servera ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Find basic information about other users

[root@servera ~]# id usr1
uid=1000(usr1) gid=1000(usr1) groups=1000(usr1)

View file owner

[root@servera /]# ls -ld
dr-xr-xr-x. 17 root root 224 Jul 15 10:14 .

To see which user each process runs as, use ps with the u (user-oriented) output format; the USER column shows the account that owns each process.


[root@servera /]# ps -au
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         890  0.0  0.0   6916  1708 tty1     Ss+  23:00   0:00 /sbin/agetty -o -p -- \u --noclear tty1 l
root        1651  0.0  0.2  15120  3680 pts/0    Ss   23:01   0:00 -bash
root        1756  0.0  0.2  47636  3692 pts/0    R+   23:58   0:00 ps -au

Group

A group is a collection of users who need access to shared files and other system resources. Granting file access to a group avoids granting it separately to each individual user.

The system distinguishes groups by a unique group ID (GID). The mapping of group names to GIDs is defined in the group account database, which by default is stored in /etc/group.


[root@servera ~]# head -n 1 /etc/group
root:x:0:
# Fields are separated by colons
# group name:obsolete group password field, always x:GID of this group:comma-separated list of users who are supplementary members of the group

Primary group and supplementary groups

Each user has exactly one primary group. For local users it is the group whose GID appears in the fourth field of the user's /etc/passwd entry.

When a new user is created, a new group with the same name as the user is created by default. This group becomes the primary group of the new user, and the user is its only member.

Users can also belong to supplementary groups. Supplementary membership is determined by the member list in /etc/group. Access to a file is granted if any of the user's groups, primary or supplementary, has the required permission on it.
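The following is an added example (Python), not code from the original post: it reproduces what id does for a local account by parsing the same colon-separated record formats that /etc/passwd and /etc/group use, so the relationship between the GID field of passwd and the member list of group becomes concrete. The PASSWD and GROUP strings are constructed sample data, not copied from a real system.

```python
"""Resolve a local user's primary and supplementary groups.

Added example (Python), not code from the original page: it reproduces
what `id` does for local accounts by parsing the same colon-separated
record formats used by /etc/passwd and /etc/group. PASSWD and GROUP
below are constructed sample data, not copied from a real system.
"""

# Constructed /etc/passwd content: name:x:UID:GID:GECOS:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
usr1:x:1000:1000::/home/usr1:/bin/bash
tmpUsr:x:1001:1001::/home/tmpUsr:/bin/bash
"""

# Constructed /etc/group content: name:x:GID:supplementary members
GROUP = """\
root:x:0:
wheel:x:10:usr1
usr1:x:1000:
tmpUsr:x:1001:
developers:x:2000:usr1,tmpUsr
"""


def parse_passwd(text):
    """Map user name -> (UID, primary GID)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map GID -> (group name, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        # The member field may be empty; drop the empty string split() yields.
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def resolve(user, passwd_text=PASSWD, group_text=GROUP):
    """Return (UID, primary GID, list of every GID the user belongs to).

    The primary group comes from /etc/passwd and is always included even if
    the user is not listed in that group's member field; supplementary
    groups are every /etc/group entry that names the user as a member.
    Like id, the primary GID is listed first, then the others in order.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    uid, primary_gid = users[user]
    supplementary = sorted(
        gid for gid, (_name, members) in groups.items()
        if user in members and gid != primary_gid
    )
    return uid, primary_gid, [primary_gid] + supplementary


def format_id(user, passwd_text=PASSWD, group_text=GROUP):
    """Render the result in the uid=...(name) gid=...(name) groups=... style of id."""
    names = {gid: name for gid, (name, _m) in parse_group(group_text).items()}
    uid, primary_gid, gids = resolve(user, passwd_text, group_text)
    groups_field = ",".join(f"{g}({names[g]})" for g in gids)
    return f"uid={uid}({user}) gid={primary_gid}({names[primary_gid]}) groups={groups_field}"


if __name__ == "__main__":
    for name in ("root", "usr1", "tmpUsr"):
        print(format_id(name))
```

Running it prints, for usr1, uid=1000(usr1) gid=1000(usr1) groups=1000(usr1),10(wheel),2000(developers): the primary group comes from the passwd entry alone, while wheel and developers are picked up only because usr1 appears in their member lists.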

Get superuser access

Switch user

The su command switches to another user. When a normal user runs su, the system prompts for the password of the target account. When root runs su, no password is required. The form su - (with the dash) starts a login shell, so the target user's environment and home directory are set up as on a normal login; su without the dash keeps the caller's environment.

[root@servera ~]# su - tmpUsr
[tmpUsr@servera ~]$

[tmpUsr@servera ~]$ su - root
Password:
Last login: Mon Jul 17 02:34:36 EDT 2023 from 192.168.182.1 on pts/0
[root@servera ~]#


Run command using sudo

Sometimes, for security reasons, the root user has no valid password. In that case nobody can log in directly as root with a password, nor use su to obtain an interactive root shell.

sudo can be configured to let a user run commands as another user (root or any other account), or to run only specific commands as that user. By default every sudo invocation, whether permitted or refused, is logged to /var/log/secure, which makes the log useful for auditing: the excerpt below shows tmpUsr, who is not in sudoers, trying to lock the root account with usermod -L.


[root@servera ~]# tail /var/log/secure
Jul 17 02:34:59 servera sshd[6232]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 17 02:46:09 servera useradd[6282]: new group: name=tmpUsr, GID=1000
Jul 17 02:46:09 servera useradd[6282]: new user: name=tmpUsr, UID=1000, GID=1000, home=/home/tmpUsr, shell=/bin/bash
Jul 17 02:46:26 servera passwd[6289]: pam_unix(passwd:chauthtok): password changed for tmpUsr
Jul 17 02:46:36 servera su[6293]: pam_unix(su-l:session): session opened for user tmpUsr by root(uid=0)
Jul 17 02:46:59 servera su[6321]: pam_unix(su-l:session): session opened for user root by root(uid=1000)
Jul 17 02:54:47 servera su[6349]: pam_unix(su-l:session): session opened for user tmpUsr by root(uid=0)
Jul 17 02:55:11 servera sudo[6377]:  tmpUsr : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tmpUsr ; USER=root ; COMMAND=/sbin/usermod -L root
Jul 17 02:56:49 servera sudo[6381]:  tmpUsr : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tmpUsr ; USER=root ; COMMAND=/bin/tail /var/log/secure
Jul 17 02:57:05 servera su[6385]: pam_unix(su:session): session opened for user root by root(uid=1000)
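Because refused attempts are logged with a reason in front of the TTY= field while permitted ones are not, the sudo records can be parsed to flag abuse. The script below is an added example (Python), not code from the original post: the first three sample lines are modelled on the /var/log/secure excerpt above, and the last two are constructed to show a permitted command and a wrong-password refusal in the format sudo writes.

```python
"""Flag denied sudo attempts in /var/log/secure-style sudo records.

Added example (Python), not code from the original page. The first three
sample lines are modelled on the log excerpt on the page; the last two are
constructed to show a permitted command and a wrong-password denial in
the format sudo actually writes. Every sudo attempt is logged whether or
not it was allowed, which is what makes the file useful for detection.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 17 02:46:36 servera su[6293]: pam_unix(su-l:session): session opened for user tmpUsr by root(uid=0)
Jul 17 02:55:11 servera sudo[6377]:  tmpUsr : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tmpUsr ; USER=root ; COMMAND=/sbin/usermod -L root
Jul 17 02:56:49 servera sudo[6381]:  tmpUsr : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/tmpUsr ; USER=root ; COMMAND=/bin/tail /var/log/secure
Jul 17 03:01:02 servera sudo[6402]:    usr1 : TTY=pts/1 ; PWD=/home/usr1 ; USER=root ; COMMAND=/bin/systemctl restart sshd
Jul 17 03:02:15 servera sudo[6410]:    usr1 : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/usr1 ; USER=root ; COMMAND=/bin/bash
"""

# A sudo record is "<who> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
# The reason part is only present when the attempt was refused.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>.+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo(line):
    """Return a dict of fields for a sudo record, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["reason"] is not None
    return rec


def denied_attempts(log_text):
    """List (user, command, reason) for every refused sudo attempt."""
    return [
        (rec["user"], rec["cmd"], rec["reason"])
        for rec in map(parse_sudo, log_text.splitlines())
        if rec and rec["denied"]
    ]


def summarize(log_text):
    """Count allowed and denied sudo attempts per invoking user."""
    counts = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for rec in map(parse_sudo, log_text.splitlines()):
        if rec:
            counts[rec["user"]]["denied" if rec["denied"] else "allowed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, cmd, reason in denied_attempts(SAMPLE_LOG):
        print(f"DENIED {user}: {cmd} ({reason})")
    print(summarize(SAMPLE_LOG))
```

The regex keys on the fixed TTY/PWD/USER/COMMAND layout rather than on specific reason strings, so new refusal messages are still counted as denials; the su line is ignored because it is not a sudo record.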

Configure sudo

/etc/sudoers must only be edited with the visudo command: it locks the file so that several administrators cannot edit it at the same time, and it checks the syntax before saving, because a syntax error in sudoers can lock everyone out of sudo.


[root@servera ~]# cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL

%wheel is the user or group the rule applies to; the leading % marks it as a group. The first ALL is the host list: the rule applies on any host that may contain this file. (ALL) is the list of users that members of wheel may run commands as, here any user on the system. The final ALL is the command list: any command. The commented-out NOPASSWD variant would grant the same rights without prompting for the member's own password.

By default /etc/sudoers also includes the contents of every file in /etc/sudoers.d through an includedir directive, so administrators can grant sudo access simply by placing an appropriate file in that directory. sudo ignores files in that directory whose names contain a dot or end in a tilde, so editor backup files are not picked up; edit such fragments with visudo -f so they are syntax-checked as well.

To give user tmpUsr full sudo rights, create /etc/sudoers.d/tmpUsr with the following content. Note that this is equivalent to handing tmpUsr a root shell; where a user only needs a few privileged commands, list those commands instead of the final ALL.

tmpUsr	ALL=(ALL)	ALL

Manage user passwords

Shadow passwords and password policies

Historically, hashed passwords were stored in the world-readable file /etc/passwd. As offline attacks on those hashes became common, they were moved to /etc/shadow, which only the root user can read. This file also holds the password-aging fields that enforce expiration dates and grace periods. The $6$ prefix in the entry below marks a salted SHA-512 crypt hash.

[root@servera ~]# head -n 1 /etc/shadow
root:$6$Jbj1e1iV11tUoVKP$OpdEsyOvZ0vS0ndaXi06/2yPBFPJMOE6vkSoht0zeh8kPBAp9mFIqyHEv4BKsCCJk27RWC5kGlFH1pJicwywq.::0:99999:7:::
#
# user name:hashed password:date of last password change (days since 1970-01-01):minimum days that must pass before the password may be changed again:maximum days the password may go unchanged before it expires:warning period (days before expiry during which login warns):inactivity period (days after expiry during which the password still works, after which the account is locked):account expiration date (days since 1970-01-01):reserved for future use

Configure password expiration

Use chage command

[root@servera ~]# chage -m 0 -M 90 -W 7 -I 14 tmpUsr


chage -d 0 tmpUsr          # force tmpUsr to change the password at next login
chage -l tmpUsr            # show password aging details for tmpUsr
chage -E 2011-08-05 tmpUsr # the tmpUsr account expires on 2011-08-05

# Compute a future date, for example to pass to chage -E
[root@servera ~]# date
Mon Jul 17 05:21:39 EDT 2023
[root@servera ~]# date -d "+45 days" -u
Thu Aug 31 09:21:53 UTC 2023
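To make the aging fields and the chage options above concrete, here is an added example (Python), not code from the original post: it parses the nine colon-separated shadow fields and classifies an account on a given date roughly the way chage -l and the login checks of shadow-utils do. The sample entries are constructed (the hashes are placeholders, not real crypt output); 19555 and 15191 are 2023-07-17 and 2011-08-05 as days since the epoch, matching the dates used on this page. The exact boundary rule (a password counts as expired from the day lastchg + max is reached) is my reading of shadow-utils and is stated as an assumption.

```python
"""Interpret the password-aging fields of an /etc/shadow entry.

Added example (Python), not code from the original page. Dates in shadow
are days since 1970-01-01 and an empty field means "not set". The sample
entries are constructed with placeholder hashes. Assumption: a password
is expired from the day lastchg + max is reached, and the account is
locked once the inactivity period after that has also elapsed.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed entries: 19555 = 2023-07-17 and 15191 = 2011-08-05 in days since the epoch.
SAMPLE_SHADOW = "tmpUsr:$6$salt$placeholderhash:19555:0:90:7:14::"       # chage -m 0 -M 90 -W 7 -I 14
FORCED_CHANGE = "tmpUsr:$6$salt$placeholderhash:0:0:90:7:14::"           # chage -d 0
EXPIRED_ACCOUNT = "usr1:$6$salt$placeholderhash:19555:0:99999:7::15191:"  # chage -E 2011-08-05
LOCKED_PASSWORD = "usr1:!$6$salt$placeholderhash:19555:0:99999:7:::"     # usermod -L / passwd -l


def to_days(y, m, d):
    """Days since 1970-01-01, the unit shadow uses for its date fields."""
    return (date(y, m, d) - EPOCH).days


def parse_shadow_line(line):
    """Split a shadow record into named fields; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has exactly 9 colon-separated fields")
    name, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields

    def num(s):
        return int(s) if s else None

    return {"name": name, "hash": pw, "lastchg": num(lastchg), "min": num(mn),
            "max": num(mx), "warn": num(warn), "inactive": num(inact), "expire": num(expire)}


def password_status(entry, today_days):
    """Classify an entry for a day given as days since the epoch."""
    if entry["expire"] is not None and today_days >= entry["expire"]:
        return "account-expired"          # chage -E date reached: no login at all
    if entry["hash"].startswith(("!", "*")):
        return "locked"                   # password locked (usermod -L) or never set
    if entry["lastchg"] == 0:
        return "must-change"              # chage -d 0: change required at next login
    if entry["lastchg"] is None or entry["max"] is None:
        return "ok"                       # aging not enforced for this account
    expires_on = entry["lastchg"] + entry["max"]
    if today_days >= expires_on:
        if entry["inactive"] is not None and today_days >= expires_on + entry["inactive"]:
            return "inactive-locked"      # grace period after expiry has run out
        return "password-expired"         # login still possible, change is forced
    if entry["warn"] and today_days >= expires_on - entry["warn"]:
        return "warning"                  # inside the warning window before expiry
    return "ok"


def status_on(line, y, m, d):
    """Status of a raw shadow line on a calendar date."""
    return password_status(parse_shadow_line(line), to_days(y, m, d))


def expiry_report(line):
    """The dates chage -l would print, as ISO strings (None where unset or never)."""
    e = parse_shadow_line(line)

    def iso(days):
        return None if days is None else (EPOCH + timedelta(days=days)).isoformat()

    # 99999 is the conventional "never" value (the PASS_MAX_DAYS default on this page).
    never = e["lastchg"] in (None, 0) or e["max"] is None or e["max"] >= 99999
    return {
        "last_change": iso(e["lastchg"]) if e["lastchg"] else None,
        "password_expires": None if never else iso(e["lastchg"] + e["max"]),
        "account_expires": iso(e["expire"]),
    }


if __name__ == "__main__":
    print(expiry_report(SAMPLE_SHADOW))
    for day in ((2023, 7, 17), (2023, 10, 10), (2023, 10, 15), (2023, 10, 29)):
        print(day, status_on(SAMPLE_SHADOW, *day))
```

For the SAMPLE_SHADOW entry the password expires on 2023-10-15, the warning window opens on 2023-10-08, and the account is locked from 2023-10-29, which is what the -M 90, -W 7 and -I 14 options above set up; note that a locked hash (the ! prefix written by usermod -L) is checked independently of aging, so locking and expiry are separate controls.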

Edit /etc/login.defs to set the default password aging policy. These values apply only to accounts created afterwards; existing accounts keep their current settings unless changed with chage. On current RHEL systems, password length and complexity are enforced by pam_pwquality (configured in /etc/security/pwquality.conf) rather than by PASS_MIN_LEN here.


[root@servera ~]# cat /etc/login.defs | grep PASS_
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

Restrict access

The nologin program is used as the replacement login shell for accounts that are not meant to log in interactively: any attempt to start a shell for the account prints a refusal message and exits. It only blocks interactive logins; the account can still authenticate to services that do not start a shell (file transfer, mail, web applications). To disable an account fully, also lock its password with usermod -L or passwd -l, bearing in mind that a locked password on its own does not stop SSH public-key logins, which is why the nologin shell is needed as well.

[root@servera ~]# su - usr1
Last login: Mon Jul 17 05:57:24 EDT 2023 on pts/0
[usr1@servera ~]$ exit
logout

[root@servera ~]# usermod -s /sbin/nologin usr1
[root@servera ~]# su - usr1
Last login: Mon Jul 17 06:09:15 EDT 2023 on pts/0
This account is currently not available.

Origin blog.csdn.net/weixin_51882166/article/details/131772459