Day 10: user privilege escalation (su/sudo), creating and deleting users and groups

1. How to set a password for a user, and how to change it?

2. The user creation process [extended understanding]

3. How are user groups managed?

4. What does an ordinary user do when it lacks permission: switch user, or escalate privileges? su and sudo for switching users and escalating privileges

5. Setting a password for a user [performed by root]

6. Only root can set the password of a newly added user; the password should be complex, mixing [0-9], [a-z], [A-Z] and [!@#$%^&]

7. Changing a user's password

8. An ordinary user changes their own password by running passwd directly; note that the password should be reasonably complex and at least 8 characters

[root@oldboyedu ~]# passwd oldxu
Changing password for user oldxu.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.

Setting a password non-interactively with passwd --stdin

[root@oldboyedu ~]# echo "123" | passwd --stdin oldxu
Changing password for user oldxu.
passwd: all authentication tokens updated successfully.

Batch create users and set a fixed password

[root@oldboyedu ~]# cat user.sh
# create test1 .. test100 and give every account the same password
for i in {1..100}
do
    useradd test$i
    echo "123456" | passwd --stdin test$i
done

9. Changing another user's password (root only): passwd username

10. How should password complexity be handled?

To sum up:

1. Only root can set the password of a newly added user

2. Only root can change another user's password

3. Ordinary users can only change their own password, not anyone else's

4. There are two ways to change a password: interactive and non-interactive
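As an added example (not part of the original notes), the following script checks a candidate password against the rules stated above (at least 8 characters; a digit, a lowercase and an uppercase letter, one of !@#$%^&; and not a palindrome, the reason passwd rejected the first attempt), and reworks the user.sh loop so every account gets its own random password that expires at first login. The function names are my own.

```shell
#!/bin/sh
# Added example: password policy checker plus a hardened batch user creation.
LC_ALL=C
export LC_ALL

reverse_string() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# Exit status 0 if the candidate passes every rule, 1 otherwise; the first
# failing rule is reported on stderr.
check_password_policy() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then echo "too short: need at least 8 characters" >&2; return 1; fi
    case $pw in *[0-9]*) ;; *) echo "no digit" >&2; return 1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lowercase letter" >&2; return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "no uppercase letter" >&2; return 1 ;; esac
    case $pw in *[@#\$%^\&!]*) ;; *) echo "no special character from !@#\$%^&" >&2; return 1 ;; esac
    if [ "$pw" = "$(reverse_string "$pw")" ]; then echo "password is a palindrome" >&2; return 1; fi
    return 0
}

# Draw 12 characters from /dev/urandom and retry until the policy is met.
generate_password() {
    while :; do
        cand=$(tr -dc 'A-Za-z0-9!@#$%^&' < /dev/urandom | head -c 12)
        if check_password_policy "$cand" 2>/dev/null; then printf '%s\n' "$cand"; return 0; fi
    done
}

# Hardened user.sh: one random password per account, and chage -d 0 expires it
# immediately so the user must choose a new one at first login. Must run as root.
create_users_with_random_passwords() {
    count=$1
    i=1
    while [ "$i" -le "$count" ]; do
        pw=$(generate_password)
        useradd "test$i" || return 1
        echo "$pw" | passwd --stdin "test$i" > /dev/null || return 1
        chage -d 0 "test$i" || return 1
        printf '%s %s\n' "test$i" "$pw"   # hand the initial password over out of band
        i=$((i + 1))
    done
}
```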

4. The user creation process

1. Creating a user consults two files by default: /etc/login.defs and /etc/default/useradd.

If options are passed when the user is created, they override the defaults taken from /etc/login.defs and /etc/default/useradd.

[root@oldboyedu ~]# echo $RANDOM | md5sum | cut -c 5-15
9320a6f282d

2. mkpasswd generates a random string: -l sets the password length, -d the number of digits, -c the number of lowercase letters, -C the number of uppercase letters, -s the number of special characters

[root@oldboyedu ~]# mkpasswd -l 10 -d 2 -c 3 -C 3 -s 2
mQR1u^=q5Y

LastPass is an online password manager that supports Windows, macOS, iPhone, Android and browser plug-ins

[root@oldboyedu ~]# grep "^[a-Z]" /etc/login.defs
MAIL_DIR        /var/spool/mail   # directory where the user's mailbox is created
PASS_MAX_DAYS   99999             # maximum number of days a password may be used
PASS_MIN_DAYS   0                 # minimum number of days between password changes
PASS_MIN_LEN    5                 # minimum password length
PASS_WARN_AGE   7                 # warn 7 days before the password expires
UID_MIN         1000              # UIDs for normal users start at 1000
UID_MAX         60000             # UIDs for normal users end at 60000
SYS_UID_MIN     201               # UIDs for system users start at 201
SYS_UID_MAX     999               # UIDs for system users end at 999
GID_MIN         1000
GID_MAX         60000
SYS_GID_MIN     201
SYS_GID_MAX     999
CREATE_HOME     yes               # create a home directory for the user, under /home
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512

[root@baozexu ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100               # when no group is given at creation and USERGROUPS_ENAB is no in /etc/login.defs, the user is put in the group with GID 100
HOME=/home              # parent directory of users' home directories
INACTIVE=-1             # the account never becomes inactive
EXPIRE=                 # account expiry date
SHELL=/bin/bash         # default login shell
SKEL=/etc/skel          # skeleton directory whose environment files are copied into the new home
CREATE_MAIL_SPOOL=yes   # create the mail spool

The user group management

1. Create a group: groupadd [-g GID] groupname

2. Modify a group: groupmod

3. Delete a group: groupdel. A primary group can only be deleted after the users whose primary group it is have been deleted.

[root@oldboyedu ~]# groupadd zhuzhu
[root@oldboyedu ~]# groupadd -g 6666 gougou
[root@oldboyedu ~]# grep "6666" /etc/group
gougou:x:6666:

#### create a system group
[root@oldboyedu ~]# groupadd -r maomao
[root@oldboyedu ~]# grep "maomao" /etc/group
maomao:x:993:
#### -g changes the group's GID
[root@oldboyedu ~]# groupmod -g 7777 gougou
[root@oldboyedu ~]# grep "7777" /etc/group
gougou:x:7777:
#### -n renames the group
[root@oldboyedu ~]# groupmod gougou -n gg
[root@oldboyedu ~]# grep "7777" /etc/group
gg:x:7777:
[root@oldboyedu ~]# groupadd dawang
[root@oldboyedu ~]# groupadd laowang
[root@oldboyedu ~]# useradd xiaowang
[root@oldboyedu ~]# useradd gb -g laowang
[root@oldboyedu ~]# usermod xiaowang -G laowang,dawang
---------------------------------------------------------------
#### 6. User privilege escalation
#### su switches to another user; you need to know that user's password, which is not very secure
#### sudo grants privileges (root assigns the permissions in advance and associates them with users): secure and convenient, but more complex to set up
 
#### Basic concepts
[root@oldboyedu ~]# id xiaowang
uid=6775(xiaowang) gid=7778(xiaowang) groups=7778(xiaowang),7779(dawang),7780(laowang)
[root@oldboyedu ~]# userdel -r xiaowang
[root@oldboyedu ~]# groupdel dawang
[root@oldboyedu ~]# userdel -r gb
[root@oldboyedu ~]# groupdel laowang
#### 1. interactive: requires continuous input from the user  2. non-interactive  3. login shell: a bash session opened by supplying a username and password  4. non-login shell: a bash session opened without supplying a username and password
#### su - username gives a login shell, su username a non-login shell; the difference is which environment variables get loaded.
 
#### Drawback of su: you need to know the target user's password, so it is not very secure
#### su - username is a login shell and loads the full environment; su username is a non-login shell and loads only part of it (which can easily lead to errors or an emptied environment)
#### sudo privilege escalation: 1. assign the permissions in advance  2. then associate them with the corresponding users
#### 3. The elevated privileges are too broad: is there a way to allow only a specific command and deny all others?
 
#### First method: use sudo's built-in aliases to define several users as one group
[root@bgx ~]# visudo
#### 1. Define groups with a sudo User_Alias; these have nothing to do with system groups
User_Alias OPS = oldboy,oldgirl
User_Alias DEV = alex
#### 2. Define command groups with Cmnd_Alias so they can be referenced later
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
#### 3. Assign the privileges with sudo
OPS  ALL=(ALL) NETWORKING,SOFTWARE,SERVICES,STORAGE,DELEGATING,PROCESSES
DEV  ALL=(ALL) SOFTWARE,PROCESSES
#### Second method: create a system group with groupadd and grant sudo privileges to the group; a new user then only needs to be added to that group.
#### 4. Log in as the corresponding user and run sudo -l to verify the privileges
#### 1. Add two real system groups, group_dev and group_op
[root@www ~]# groupadd group_dev
[root@www ~]# groupadd group_op
#### 2. Add the users: group_dev (user_a, user_b), group_op (user_c, user_d)
[root@www ~]# useradd user_a -G group_dev
[root@www ~]# useradd user_b -G group_dev
[root@www ~]# useradd user_c -G group_op
[root@www ~]# useradd user_d -G group_op
#### 3. Remember to set passwords
[root@www ~]# echo "1" | passwd --stdin user_a
[root@www ~]# echo "1" | passwd --stdin user_b
[root@www ~]# echo "1" | passwd --stdin user_c
[root@www ~]# echo "1" | passwd --stdin user_d
#### 4. Configure the rules in sudo
[root@www ~]# visudo
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

%group_dev ALL=(ALL) SOFTWARE
%group_op ALL=(ALL) SOFTWARE,PROCESSES
#### 5. Check the sudo configuration for errors
[root@www ~]# visudo -c
/etc/sudoers: parsed OK
#### 6. Check the sudo privileges of user_a and user_d
[user_a@www ~]$ sudo -l
User user_a may run the following commands on www:
    (ALL) /bin/rpm, /usr/bin/yum
[user_d@www ~]$ sudo -l
User user_d may run the following commands on www:
    (ALL) /bin/rpm, /usr/bin/yum, /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
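As an added example (not from the original notes), the script below packages the group-based rules of the second method as a drop-in file, refuses to install it unless visudo -c accepts it (a broken file would disable sudo for everyone), and parses saved sudo -l output like the one above into one allowed command per line for auditing. The drop-in path /etc/sudoers.d/ops-groups and the function names are assumptions; the group and alias names are the ones used in the notes.

```shell
#!/bin/sh
# Added example: validated install of a sudoers drop-in, and an audit helper.

# Print the sudoers fragment. Commands are absolute paths, so a member cannot
# point an alias at a different binary by changing PATH.
render_sudoers_fragment() {
    cat <<'EOF'
Cmnd_Alias SOFTWARE  = /bin/rpm, /usr/bin/yum
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
# group_dev may only manage packages; group_op may also manage processes
%group_dev ALL=(ALL) SOFTWARE
%group_op  ALL=(ALL) SOFTWARE, PROCESSES
EOF
}

# Write to a temp file, let visudo parse it (-c check, -f file), and only then
# install it with the 0440 mode sudo requires. Needs root and visudo.
install_sudoers_fragment() {
    target=${1:-/etc/sudoers.d/ops-groups}   # assumed drop-in path
    tmp=$(mktemp) || return 1
    render_sudoers_fragment > "$tmp"
    if ! visudo -c -f "$tmp"; then
        echo "refusing to install: fragment does not parse" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$target" && rm -f "$tmp"
}

# Read sudo -l output on stdin and print one allowed command per line.
# The (runas) part is dropped; tags such as NOPASSWD: (not used in these
# notes) would stay attached to the first entry.
allowed_commands() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; /^$/d'
}

# Constructed sample mirroring the sudo -l output shown above for user_d.
SAMPLE_SUDO_L='User user_d may run the following commands on www:
    (ALL) /bin/rpm, /usr/bin/yum, /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall'

printf '%s\n' "$SAMPLE_SUDO_L" | allowed_commands
```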

Origin: www.cnblogs.com/baozexu/p/11372829.html