User and group account management

User Account Profile

A user account is the sole credential for logging in to the system. The root user is the top-level administrator of the system and has UID 0. The configuration files associated with user and group accounts are:

  • /etc/passwd
  • /etc/shadow
  • /etc/group
  • /etc/gshadow
User Account Categories
  • root user

The root user is identified by UID 0 and holds the highest authority; it is also called the superuser. It can read, modify and delete any file or directory belonging to any user or group (within what the system permits); it can start and terminate executable programs; it can add hardware devices and create and remove them; and it can change the attributes and permissions of files and directories to meet the needs of system administration.

  • system user

Also called virtual, pseudo or dummy users. Such users cannot log in to the Linux system, but they are essential for running it, for example bin, daemon, adm, ftp, mail and so on. These users are created by the system itself and have UIDs from 1 to 999.

  • general user

Ordinary users are created by the system administrator. They can operate on the contents of their own home directory, and their privileges in the system are restricted. Ordinary user UIDs range from 1000 to 60,000.

/etc/passwd file

Any user can read the contents of /etc/passwd. For example:

[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
linux:x:1000:1000:linux:/home/li:/bin/bash
Each line of /etc/passwd is one record with 7 fields separated by ":":

| Field | Meaning |
|---|---|
| Username | Also called the login name; it must be unique within the system. In this example, linux is the user name |
| Password | Stores the encrypted user password. An x here means the password has been mapped to the /etc/shadow file |
| User ID (UID) | An integer that identifies the user within the system. Each user's UID is unique; the root user's UID is 0, and ordinary user UIDs start at 1000 by default. In this example, the UID of user linux is 1000 |
| Group ID (GID) | An integer that identifies the user's primary group within the system; each group's GID is unique |
| Full name | A description of the user; it may be left empty. In this example, the full name of user linux is "linux". The full name can be changed with usermod -c |
| Home directory | The first directory the user is placed in after logging in. The home directory of user linux is /home/li |
| Login shell | The shell type. User linux uses the system default shell, /bin/bash |
User UID

The UID identifies a user and is unique; the UID range is 0 to 60,000. The maximum UID value of the system can be viewed with the following command:

[root@localhost ~]# cat /etc/login.defs |grep UID_MAX
UID_MAX                 60000
SYS_UID_MAX               999

If a user's UID is changed to 0, that user has exactly the privileges of the root superuser.

/etc/shadow file

This file contains users and their encrypted passwords, together with content that /etc/passwd does not hold, such as the account expiration date. It is the shadow of /etc/passwd, but it is not generated from /etc/passwd; the two files complement each other. Only root can read and operate on /etc/shadow. Do not change the file's permissions to let other users read it; that is very dangerous. Each /etc/shadow record has 9 fields separated by ":". Part of the file's contents is shown below.

[root@localhost ~]# cat /etc/shadow
root:$6$M/6IGwJsnpEbbRVM$QIVH755.NUulvLKYT40jztl8bpHenliMuLu.ijsfuAXDss3OYlfXQBAg7rYvAG0e1vIXD1Jw7V4YTA46zjvY30::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18056::::::
dbus:!!:18056::::::
polkitd:!!:18056::::::
sshd:!!:18056::::::
postfix:!!:18056::::::
chrony:!!:18056::::::
linux:$6$BHFHeYTp$5BT6uGhmira9H/Qr9FJAJy/0VeRnXwVq9/NRebt.n18wJRGfm.q52IEnbXyoqbzwmZ2saeumlookJtNvv0uzJ1:18058:0:99999:7:::
| Field | Meaning |
|---|---|
| Username | The same user name as in /etc/passwd |
| Encrypted password | The password in encrypted form. If a user shows "!!" here, the user has no password set and cannot log in to the system |
| Date of last password change | The number of days from January 1, 1970 to the date the password was last changed |
| Minimum days before the password may be changed | The number of days a user must wait before changing the password again. If set to 0, this feature is disabled |
| Maximum days before the password must be changed | The number of days after which the user must change the password. If set to 0, this feature is disabled |
| Warning days before password expiry | When the user logs in within this many days of expiry, the login program warns that the password is about to expire |
| Inactive days before the account is disabled | The number of days after the password expires before the system disables the account. Once disabled, the user is not allowed to log in and receives no expiry prompt; the account is completely disabled |
| Account expiration date | The date on which the account is disabled, as the number of days since January 1, 1970. If this field is empty, the account is permanently available |
| Reserved | Currently empty, reserved for future Linux development |
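As an added example (not code from the original page), the following Python audits /etc/passwd and /etc/shadow records for the conditions described above: a non-root account with UID 0, a "!!" password field, a disabled password field, and an expiration date stored as days since January 1, 1970. The sample records and placeholder hashes are constructed for the example, not taken from a live host.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow date fields count days from this date
# Constructed sample records (not from a live host); hashes are placeholders.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
lisi:x:1002:1002::/home/lisi:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$salt$PLACEHOLDERHASH:18058:0:99999:7:::
bin:*:17834:0:99999:7:::
backup:$6$salt$PLACEHOLDERHASH:18097:0:99999:7:::
lisi:!!:18097:0:99999:7:::
zhangsan:$6$salt$PLACEHOLDERHASH:18097:0:99999:7::21530:
"""

def parse_records(text, nfields):
    """Split ':'-delimited records into {name: fields}, rejecting malformed lines."""
    records = {}
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("expected %d fields: %r" % (nfields, line))
        records[fields[0]] = fields
    return records

def days_to_date(days):
    """Convert a shadow day count (days since 1970-01-01) to a calendar date."""
    return EPOCH + timedelta(days=int(days))

def audit(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs for the conditions the text warns about."""
    passwd = parse_records(passwd_text, 7)  # /etc/passwd: 7 fields per line
    shadow = parse_records(shadow_text, 9)  # /etc/shadow: 9 fields per line
    findings = []
    for name, f in passwd.items():
        if f[2] == "0" and name != "root":
            findings.append((name, "uid 0: same privileges as root"))
    for name, f in shadow.items():
        pw, expire = f[1], f[7]
        if pw == "!!":
            findings.append((name, "no password set; cannot log in"))
        elif pw == "*" or pw.startswith("!"):
            findings.append((name, "password login disabled"))
        if expire:
            findings.append((name, "account expires %s" % days_to_date(expire)))
    return sorted(findings)
```

Run against the real files (reading /etc/shadow requires root), the same functions report every UID 0 account other than root and every account whose password field cannot be used to log in.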
User account settings
  • useradd
  • usermod
  • userdel
Create an account

Creating a new account assigns the new user a UID, a group, a home directory, a login shell and other resources. A newly created account is locked by default and cannot be used until a password is set with passwd. Creating a user account adds a record for the new user to /etc/passwd and updates /etc/shadow and /etc/group at the same time.

Syntax: useradd [options] [username]

| Option | Meaning |
|---|---|
| -d (home directory) | Specify the login (home) directory of the new account |
| -e (expiration date) | Set the account expiration date, i.e. the date on which the account stops being usable; the date format is MM/DD/YY |
| -f (days) | Set the number of days after the password expires before the account is set to an invalid state |
| -c (full name) | Set the full name of the user account |
| -g (primary group name) | Specify the primary group the account belongs to; the group name must already exist |
| -G (secondary group names) | Specify the secondary groups the account is a member of; separate multiple groups with "," |
| -m | Create the user's home directory automatically if it does not exist |
| -M | Do not create the user's home directory, even if /etc/login.defs says to create it |
| -r | Create a system user account. No home directory is created, and the values defined in /etc/login.defs are not applied |
| -s (shell type) | Set the login shell of the user |
| -u (user UID) | Set the UID of the user. The number must not be negative |

Example: create the user account zhangsan and set its password

[root@localhost ~]# useradd zhangsan
[root@localhost ~]# cat /etc/passwd|grep zhangsan
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
[root@localhost ~]# passwd zhangsan

Comparison of a user account with a password set and one without

[root@localhost ~]# useradd lisi
[root@localhost ~]# useradd wangwu
[root@localhost ~]# passwd wangwu
Changing password for user wangwu.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# cat /etc/passwd|grep lisi
lisi:x:1002:1002::/home/lisi:/bin/bash
[root@localhost ~]# cat /etc/shadow|grep lisi
lisi:!!:18097:0:99999:7:::
[root@localhost ~]# cat /etc/passwd|grep wangwu
wangwu:x:1003:1003::/home/wangwu:/bin/bash
[root@localhost ~]# cat /etc/shadow|grep wangwu
wangwu:$6$VO0QCht/$XMMLXG/GkOn7YaInrquUnjzDSiju.JzZhYodLIAPZ2uR5BOHXRcWOTAJ/mXPLQGG4AnHNOQMKJENQio8Bedst1:18097:0:99999:7:::

Checking /etc/shadow, the password field of user lisi shows "!!", which indicates that the user has no password set and cannot log in to the Linux system.

Checking /etc/shadow, the password field of user wangwu shows an encrypted password, which means the user can log in to the Linux system.

Example: create the user moon with UID 1010

[root@localhost ~]# useradd -u 1010 moon
[root@localhost ~]# cat /etc/passwd|grep moon
moon:x:1010:1010::/home/moon:/bin/bash 

Example: create the user newuser with /home/www as the home directory

[root@localhost ~]# useradd -d /home/www newuser
[root@localhost ~]# cat /etc/passwd|grep newuser
newuser:x:1011:1011::/home/www:/bin/bash 

The output above shows that the home directory of newuser is /home/www.

[root@localhost ~]# ls -l /home
total 0
drwx------. 2 linux    li       83 Jun 11 09:42 li
drwx------. 2 lisi     lisi     62 Jul 20 05:06 lisi
drwx------. 2 1004     1004     62 Jul 20 05:13 moon
drwx------. 2 wangwu   wangwu   62 Jul 20 05:06 wangwu
drwx------. 2 newuser  newuser  62 Jul 20 05:19 www
drwx------. 2 zhangsan zhangsan 62 Jul 20 05:01 zhangsan

The long listing of ls shows that each user's home directory was created together with the user.

Example: create the user pp and specify that the user is a member of the group root.

[root@localhost ~]# useradd -g root pp
[root@localhost ~]# cat /etc/passwd|grep pp
pp:x:1012:0::/home/pp:/bin/bash 

The GID field of user pp shows 0, and 0 is the GID of the root group. Below, the id command shows that user pp is a member of the group root.

[root@localhost ~]# id pp
uid=1012(pp) gid=0(root) groups=0(root)
Modify a user account

Syntax: usermod [options] [username]

| Option | Meaning |
|---|---|
| -G | Change the secondary (supplementary) groups the user belongs to |
| -l (new login name) | Change the user account name |
| -L | Lock the user's password, making it invalid |
| -s (shell type) | Change the shell used after login; if none is given, the system default shell is used |
| -U | Unlock the password |
| -u | Change the user's UID |
| -c | Change the full name of the user account |
| -d | Change the user's home directory. With -m, the contents of the old directory are moved to the new one, and the new directory is created if it does not exist. When -d is used alone, the home directory must be created manually with mkdir |
| -e | Change the account expiration date, i.e. the date on which the account stops being usable; the date format is MM/DD/YY |
| -f | Change the number of days after the password expires before the password is set to an invalid state |
| -g | Change the user's primary group; the group must already exist |
| -o | Allow a duplicate UID |
| -m | Move the contents of the home directory to the new location |

Example: change the home directory of user wangwu to /home/opop and create /home/opop automatically

[root@localhost ~]# ls /home
li  lisi  moon  pp  wangwu  www  zhangsan
[root@localhost ~]# cat /etc/passwd|grep wangwu
wangwu:x:1003:1003::/home/wangwu:/bin/bash
[root@localhost ~]# usermod -d /home/opop -m wangwu
[root@localhost ~]# ls /home
li  lisi  moon  opop  pp  www  zhangsan
[root@localhost ~]# cat /etc/passwd|grep wangwu
wangwu:x:1003:1003::/home/opop:/bin/bash

Example: change the expiration date of the zhangsan account to December 12, 2028

[root@localhost ~]# cat /etc/shadow|grep zhangsan
zhangsan:$6$0ac0Spe6$TjT3lG36EEZTXhU/2d6ecpDRC0.mJXB/UJvHkgrF0FxYd6iSnCD2Zfq2br/rpNrCfjtkWTJmcdNLkug1mH3l3.:18097:0:99999:7:::
[root@localhost ~]# usermod -e 12/12/2028 zhangsan
[root@localhost ~]# cat /etc/shadow|grep zhangsan
zhangsan:$6$0ac0Spe6$TjT3lG36EEZTXhU/2d6ecpDRC0.mJXB/UJvHkgrF0FxYd6iSnCD2Zfq2br/rpNrCfjtkWTJmcdNLkug1mH3l3.:18097:0:99999:7::21530:

Checking /etc/shadow shows that the expiration date of the zhangsan account has changed: 21530 is the number of days from January 1, 1970 to December 12, 2028.

Example: change the shell of user zhangsan to /bin/ksh

[root@localhost ~]# cat /etc/passwd|grep zhangsan
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
[root@localhost ~]# usermod -s /bin/ksh zhangsan
[root@localhost ~]# cat /etc/passwd|grep zhangsan
zhangsan:x:1001:1001::/home/zhangsan:/bin/ksh
Delete a user account

Syntax: userdel [options] [username]

| Option | Meaning |
|---|---|
| -r | When deleting the user, also delete the user's home directory and the local mail spool directory or files |
| -f | Force deletion of the user |

Example: delete the user lisi

[root@localhost ~]# userdel lisi
userdel: user 'lisi' does not exist
[root@localhost ~]# ls /home
li  lisi  moon  opop  pp  www  zhangsan

Deleting a user account with userdel does not delete that user's home directory.

Example: delete the user moon and delete the home directory at the same time

[root@localhost ~]# ls /home
li  lisi  moon  opop  pp  www  zhangsan
[root@localhost ~]# userdel -rf moon
[root@localhost ~]# ls /home
li  lisi  opop  pp  www  zhangsan

Group accounts

Definition: a group is a set of users that share some common characteristic.

  • Classification one

Private group: when a new user account is created without specifying which group the user belongs to, Linux creates a group with the same name as the user; this private group contains only that user.

Standard group: an ordinary group that can contain multiple user accounts. When standard groups are used, you specify which group a new user account belongs to when you create it.

Relationship between the two: once other users are added to a private group, that private group becomes a standard group.

  • Classification two

Primary group: when a user account is a member of several groups, the group in effect after login is the primary group, and the others are secondary groups. A user account can have only one primary group.

Secondary group: also called a supplementary group; a user account can belong to several secondary groups.

Configuration files
  • /etc/group

The file contains the group name, group password, GID and the users the group contains. Each group has one record; a line has 4 fields separated by ":".

| Field | Meaning |
|---|---|
| Group name | The name of the group, e.g. root |
| Group password | Stores the encrypted group password; an x here means the password has been mapped to /etc/gshadow |
| Group ID (GID) | An integer that identifies the group within the system; each group's GID is unique. Ordinary groups' GIDs start at 1000 by default, and the root group's GID is 0 |
| Group members | The members of the group; e.g. the only member of the root group is root |

Group GID: like the UID, it is a positive integer starting at 0; the group with GID 0 is the root group. Linux reserves GIDs 1 to 999 for system (virtual) groups, and new groups get GIDs starting at 1000. To see the default GID range used when creating groups, check the GID_MIN and GID_MAX values in /etc/login.defs with the following command:

[root@localhost ~]# cat /etc/login.defs|grep GID
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999 
  • /etc/gshadow

Meaning: /etc/gshadow is the encrypted counterpart of /etc/group, and group passwords are stored in this file. The two files complement each other; each group has one record, and a line has 4 fields separated by ":".

| Field | Meaning |
|---|---|
| Group name | The name of the group |
| Group password | The password in encrypted form. If a group shows "!" here, the group has no password. In this example, group zhangsan has no password |
| Group administrators | The administrators of the group, who have the right to add and remove users in the group |
| Group members | The list of users who are members of the group; multiple users are separated by commas |

Group account settings

  • groupadd
  • groupmod
  • groupdel

1. Create a group account

Syntax: groupadd [options] [groupname]

| Option | Meaning |
|---|---|
| -g | Set the GID of the group |
| -r | Create a system group |
| -o | Allow the group to be created with the same GID as another group |
| -f | Force creation of the group even if it already exists |
| -p | Set an encrypted password for the new group |

Example: create a group named ou with GID 1300

[root@localhost ~]# groupadd -g 1300 ou
[root@localhost ~]# cat /etc/group|grep ou
dialout:x:18:
systemd-journal:x:190:
ou:x:1300:

Example: create a system group named chinese

[root@localhost ~]# groupadd -r chinese
[root@localhost ~]# cat /etc/group|grep chinese
chinese:x:995: 

2. Modify a group account

Syntax: groupmod [options] [groupname]

| Option | Meaning |
|---|---|
| -g | Set the group's GID |
| -o | Allow a duplicate GID |
| -n | Change the group name |

Example: rename the group ou to shanghai

[root@localhost ~]# groupmod -n shanghai ou
[root@localhost ~]# cat /etc/group|grep shanghai
shanghai:x:1300: 

3. Delete a group account

Syntax: groupdel [groupname]

Example: delete the group shanghai

[root@localhost ~]# groupdel shanghai
[root@localhost ~]# cat /etc/group|grep shanghai

User and group account maintenance

  • passwd
  • gpasswd
  • su
  • newgrp
  • groups
  • id

Syntax: passwd [options] [username]

| Option | Meaning |
|---|---|
| -d | Delete the user's password; only root can do this |
| -k | Keep authentication tokens from expiring |
| -l | Lock the password of the user account |
| -u | Unlock the password of the user account |
| -e | Expire the password of the named account |
| -x | Maximum password lifetime (days) |
| -n | Minimum password lifetime (days) |
| -w | Number of days before expiry to start warning the user |
| -i | Number of days after expiry before the account is disabled |
| -S | Show the user's password status |
| -f | Force the operation |

Syntax: gpasswd [options] [groupname]

| Option | Meaning |
|---|---|
| -a | Add a user to a group |
| -d | Remove a user from a group |
| -r | Remove a group's password |
| -R | Restrict access to the group |
| -A | Set the administrators of the group |
| -M | Set the member list of the group |

Syntax: su [options] [user]

| Option | Meaning |
|---|---|
| - | Switch to a login shell |
| -l | Log in and switch to the user's shell environment |
| -f | For csh and tcsh: make the shell not read its startup files |
| -m | Do not reset environment variables |
| -s | Specify the shell to run |
| -c | Run a command, then exit the user's environment |

Example: switch from user root to user it, switching the shell environment as well

[root@localhost ~]# su - it
[it@localhost ~]$ pwd
/home/it

Switching from root to user it without switching the shell environment:

[root@localhost ~]# su it
[it@localhost root]$ pwd
/root
  • The newgrp command lets a user account log in with the identity of another group. If no group name is given, newgrp logs in to the user's default group.

Syntax: newgrp [groupname]

  • groups command: shows the group memberships of the specified user account. Syntax: groups [username]

  • id command: shows the user's UID and the GIDs of the groups the user belongs to. Syntax: id [options] [username]

| Option | Meaning |
|---|---|
| -g | Show the GID of the user's primary group |
| -G | Show the GIDs of all groups the user belongs to (both primary and secondary groups are listed) |
| -u | Show the user's UID |

Example: show the UID of user it, the GID of its primary group, and its group memberships

[root@localhost ~]# id it
uid=1013(it) gid=1013(it) groups=1013(it)
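As an added example (not code from the original page), this Python resolves a user's primary and secondary groups from /etc/passwd and /etc/group records, reproduces the line that id prints for the pp and it users shown above, and lists every member of a group. The point it makes: a user whose primary GID is 0 (like pp, created with useradd -g root) is a member of the root group even though the root line in /etc/group names no members, so an audit must combine both files. The sample records are constructed for the example.

```python
# Constructed sample records (not from a live host); pp mirrors "useradd -g root pp".
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
pp:x:1012:0::/home/pp:/bin/bash
it:x:1013:1013::/home/it:/bin/bash
wangwu:x:1003:1003::/home/opop:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:wangwu
it:x:1013:
wangwu:x:1003:
ou:x:1300:wangwu
"""

def parse_passwd(text):
    """Map user name -> (uid, primary gid) from the 7-field /etc/passwd format."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map gid -> (group name, explicit member list) from the 4-field /etc/group format."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups

def group_ids(user, users, groups):
    """Primary gid first, then supplementary gids in ascending order."""
    gid = users[user][1]
    extra = sorted(g for g, (_n, members) in groups.items() if user in members and g != gid)
    return [gid] + extra

def id_line(user, passwd_text, group_text):
    """Render the same line that `id USER` prints for these records."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    uid = users[user][0]
    gids = group_ids(user, users, groups)
    fmt = lambda g: "%d(%s)" % (g, groups[g][0])
    return "uid=%d(%s) gid=%s groups=%s" % (uid, user, fmt(gids[0]), ",".join(map(fmt, gids)))

def members_of(gid, passwd_text, group_text):
    """All users of a group: the /etc/group member list plus users whose primary gid is this group."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    names = set(groups[gid][1]) | {u for u, (_uid, g) in users.items() if g == gid}
    return sorted(names)
```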

Excerpted from: 《Linux实用教程》, published by 人民邮电出版社, written by 於岳.

Origin www.cnblogs.com/mylive/p/11228438.html