Linux system user management (part 1)

Linux user management system
1. User management *****
2. Linux user commands ****
3. How users are created ***
4. Password management ***
5. Group management commands **
6. Identity switching *****
7. sudo privilege elevation *****

The operating systems we use today are multi-user operating systems.
User management follows the AAA model:
authentication, authorization and accounting.

Why users and groups exist

1. Every (running) process on the system runs as a specific user.
2. Every file is owned by a specific user.
3. Access to files and directories is restricted per user.
4. A process can access a file or directory only in the ways granted to the user it runs as; files and processes are tied together through users.

View the currently logged-in user
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root)

UID classification
The range is 0 to 65535:
0        the superuser (root)
1-200    system users, assigned by the distribution to system processes
201-999  system users used to run service accounts; they do not need to log in (allocated dynamically)
1000+    regular users

Note: before version 7 the convention was UID 1-499 for system users and UID 500+ for normal users.

Group categories
Primary group: each user belongs to exactly one primary group; it is the user's default group.
Supplementary groups: when the primary group cannot satisfy the permission requirements, create supplementary groups; a user can belong to several supplementary groups.
Private group: if no primary group is specified when the user is created, the system creates a group with the same name as the user.

1. User management

Account information is stored in /etc/passwd and password information in /etc/shadow. These two files are among the most important files on a Linux system:
if either file is missing or damaged, users cannot log in normally.

/etc/passwd
[root@localhost ~]# head -1 /etc/passwd
root:x:0:0:root:/root:/bin/bash

// /etc/passwd records are split into seven fields by ":"; the meaning of each field is as follows:
1. Username     - the account's login name
2. Password     - placeholder for the password; "x" means the password is stored in /etc/shadow
3. UID          - the user identification number
4. GID          - the identification number of the user's primary group
5. Comment      - user description (the GECOS field)
6. Home         - the user's home directory: /root for root, /home/<username> for ordinary users by default; it can be customised
7. Login shell  - the user's login shell; the shells available on the system are listed in /etc/shells (cat /etc/shells)

[root@localhost ~]# tail -1 /etc/shadow
xiaoming:$6$jI/Vus00$xYy4ndP1w1i1iejisph8DDbTx0SfZu31MZq3MAXVJX9/gdFUT5cd4I45IWFeO5xVLg6KtlFqxcl6XCebVtuD80:18193:0:99999:7:::

// /etc/shadow records are split into nine fields by ":"; the meaning of each field is as follows:
1. Username            - the account's login name
2. Encrypted password  - the password hash ("!!" means no password has been set)
3. Last change         - days since 1970-01-01 on which the password was last changed
4. Minimum age         - the number of days that must pass before the password can be changed again (0 = no limit)
5. Maximum age         - the number of days after which the password must be changed (99999 by default, i.e. it never expires)
6. Warning period      - how many days before expiry the user is warned to change the password (7 days by default)
7. Inactivity period   - days after expiry during which the user can still log in and must change the password; once they have passed the account is locked
8. Account expiry      - days since 1970-01-01 until which the account can be used; after that date it cannot log in
9. Reserved
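The two record formats above, as an added example that is not part of the original post: a small POSIX shell script that splits constructed /etc/passwd and /etc/shadow lines into their fields and reports the account states a reviewer looks for first (a second UID 0 account, an empty password field, a locked or unset password). The sample records and the placeholder hash values are constructed for this example; the functions read them instead of the real files, so the script runs without root.

```shell
#!/bin/sh
# Added example: parse /etc/passwd and /etc/shadow records and flag the
# account states a defender reviews first. The records below are
# constructed for this example; the hash parts are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:0:0:backup operator:/root:/bin/bash
mysql:x:250:5002::/home/mysql:/sbin/nologin
xiaoming:x:1001:1001::/home/xiaoming:/bin/bash
legacy::1002:1002::/home/legacy:/bin/bash'

SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18140:0:99999:7:::
backup:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18140:0:99999:7:::
mysql:!!:18140:0:99999:7:::
xiaoming:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18140:0:99999:7:::
legacy::18140:0:99999:7:::'

# field <record> <n>: print field n of a colon-separated record
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# passwd_field <name> <n>: look up a user's passwd record and print field n
passwd_field() {
    rec=$(printf '%s\n' "$SAMPLE_PASSWD" | grep "^$1:") || return 1
    field "$rec" "$2"
}

# shadow_state <name>: classify the password field of the shadow record
#   empty   -> no password at all (the password check can be bypassed)
#   locked  -> !!, ! or * (no usable password; !! = never set)
#   hash:N  -> a real hash; N is the algorithm id ($6 = SHA-512)
shadow_state() {
    rec=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:") || return 1
    pw=$(field "$rec" 2)
    case "$pw" in
        "")           echo empty ;;
        '!!'|'!'|'*') echo locked ;;
        '$'*)         echo "hash:$(printf '%s' "$pw" | cut -d'$' -f2)" ;;
        *)            echo other ;;
    esac
}

# audit_passwd: one finding per suspicious passwd record
#   UID0:<name>   a UID 0 account other than root (a second superuser)
#   NOPASS:<name> an empty password field in passwd itself
audit_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" |
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then echo "UID0:$name"; fi
        if [ -z "$pw" ]; then echo "NOPASS:$name"; fi
    done
}
```

The functions return their findings rather than printing a report, so the same checks can be dropped into a larger audit script; replace the SAMPLE_ variables with the real files only when running as root.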

Password format
$A$b$c
A  identifier of the encryption (hashing) algorithm
b  random salt value
c  the encrypted (hashed) value

Use chage to change a user's password ageing
-d  set the date of the last password change; 0 forces a change at the next login
-m  set the "minimum number of days" between two password changes
-M  set the "maximum number of days" between two password changes
-W  set the "warning days": how many days before expiry the warning is shown
-I  set the number of days after expiry before the password becomes inactive
-E  set the account expiry date; after it the account can no longer log in
-l  display the user's ageing information

// set the system time to August 31, 2014 so that the later checks are easy to verify
[root@localhost ~]# date -s '20140831'                  # set the current system time to August 31, 2014
Sun Aug 31 00:00:00 CST 2014
[root@localhost ~]# date                                # show the current system time
Sun Aug 31 00:00:08 CST 2014
[root@localhost ~]# useradd oldboy1                     # create the user
[root@localhost ~]# echo "123" | passwd --stdin oldboy1 # set the password of user oldboy1 to 123
Changing password for user oldboy1.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# tail -1 /etc/shadow                 # view the new user's password record
oldboy1:$6$nMLlslZx$.olzO0byVVK7PANHO1R4w.ZPGIz4ZZC6NB5eQ7FcJhNwXLgj4pVru4tbFAdiDMrCtZsBpfWdunDo6q0ioCgbL0:16312:0:99999:7:::

// set the date of the last password change
[root@localhost ~]# chage -d '2019-09-01' oldboy1
[root@localhost ~]# chage -l oldboy1
Last password change : Sep 01, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

// set the minimum password age
[root@localhost ~]# chage -m 2 oldboy1
[root@localhost ~]# chage -l oldboy1
Last password change : Sep 01, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 2
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

// set the maximum password age
[root@localhost ~]# chage -M '15' oldboy1
[root@localhost ~]# chage -l oldboy1
Last password change : Sep 01, 2019
Password expires : Sep 16, 2019
Password inactive : never
Account expires : never
Minimum number of days between password change : 2
Maximum number of days between password change : 15
Number of days of warning before password expires : 7

// set the password warning period
[root@localhost ~]# chage -W '6' oldboy1
[root@localhost ~]# tail -1 /etc/shadow
oldboy1:$6$nMLlslZx$.olzO0byVVK7PANHO1R4w.ZPGIz4ZZC6NB5eQ7FcJhNwXLgj4pVru4tbFAdiDMrCtZsBpfWdunDo6q0ioCgbL0:18140:2:15:6:::

// set the password inactivity period after expiry
[root@localhost ~]# chage -I '5' oldboy1
[root@localhost ~]# chage -l oldboy1
Last password change : Sep 01, 2019
Password expires : Sep 16, 2019
Password inactive : Sep 21, 2019
Account expires : never
Minimum number of days between password change : 2
Maximum number of days between password change : 15
Number of days of warning before password expires : 6

// set the account expiry date
[root@localhost ~]# chage -E '2020-01-01' oldboy1
[root@localhost ~]# chage -l oldboy1
Last password change : Sep 01, 2019
Password expires : Sep 16, 2019
Password inactive : Sep 21, 2019
Account expires : Jan 01, 2020
Minimum number of days between password change : 2
Maximum number of days between password change : 15
Number of days of warning before password expires : 6

// how to verify: adjust the system time and check the behaviour as follows:
1. Verify whether the ordinary user can change the password (no time adjustment needed)
2. After the time below, the ordinary user logs in and is warned how many days remain before the password expires
[root@localhost ~]# date -s '2019-09-14'

3. After the time below, the ordinary user logs in and is forced to change the password
[root@localhost ~]# date -s '2019-09-18'

4. The ordinary user logs in and is told that the account has expired
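The verification steps above change the system clock. As an added example (not from the original post), the following shell script reproduces the same decisions from the shadow ageing fields, so the expected outcome for any date can be computed without touching the clock. It uses the oldboy1 values shown on this page (last change day 18140, min 2, max 15, warn 6, inactive 5, account expiry day 18262); the ymd_to_days helper converts a date to the day count stored in /etc/shadow and is this example's own arithmetic, not a chage feature.

```shell
#!/bin/sh
# Added example: evaluate the shadow ageing fields the way login and chage
# do, so the result of the verification steps can be predicted without
# changing the system clock. Day numbers count from 1970-01-01 as in
# /etc/shadow.

# Constructed values matching the oldboy1 example on this page:
# last change 18140 (Sep 01 2019), min 2, max 15, warn 6, inactive 5,
# account expiry 18262 (Jan 01 2020).
EX_LASTCHG=18140; EX_MIN=2; EX_MAX=15; EX_WARN=6; EX_INACTIVE=5; EX_EXPIRE=18262

# ymd_to_days YYYY-MM-DD: civil date -> days since 1970-01-01, using the
# days-from-civil formula (own arithmetic, no dependency on GNU date).
ymd_to_days() {
    y=$(echo "$1" | cut -d- -f1); m=$(echo "$1" | cut -d- -f2); d=$(echo "$1" | cut -d- -f3)
    m=${m#0}; d=${d#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# password_state today lastchg max warn inactive expire
# Prints: account-expired | never-expires | ok | warn:<days-left> |
#         must-change (grace period: login forces a change) | inactive (locked)
# An empty or -1 inactive/expire field means "not set", as in /etc/shadow.
password_state() {
    today=$1; lastchg=$2; max=$3; warn=${4:-0}; inactive=$5; expire=$6
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never-expires; return 0
    fi
    expiry=$((lastchg + max))
    if [ "$today" -lt "$expiry" ]; then
        left=$((expiry - today))
        if [ "$left" -le "$warn" ]; then echo "warn:$left"; else echo ok; fi
        return 0
    fi
    if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$today" -ge $((expiry + inactive)) ]; then
        echo inactive
    else
        echo must-change
    fi
}

# can_change today lastchg min: "yes" once the minimum age has passed
can_change() { if [ "$1" -ge $(($2 + $3)) ]; then echo yes; else echo no; fi; }

# Apply the page's oldboy1 values to a given date
oldboy1_state() {
    password_state "$(ymd_to_days "$1")" "$EX_LASTCHG" "$EX_MAX" "$EX_WARN" "$EX_INACTIVE" "$EX_EXPIRE"
}
oldboy1_can_change() { can_change "$(ymd_to_days "$1")" "$EX_LASTCHG" "$EX_MIN"; }
```

With the page's values, 2019-09-14 gives warn:2, 2019-09-18 gives must-change, 2019-09-21 (the "Password inactive" date chage printed) gives inactive, and 2020-01-01 gives account-expired, which is the sequence the four verification steps observe.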

2. Linux user commands
Before adding a user, determine:
whether the user's primary group has special requirements
whether the user is allowed to log in
the user's password policy
the user's validity period
whether the user's UID has special requirements

1. Use the useradd command to add an account. Note: adduser is a soft link to useradd.

'-u' specify the user's UID; it must not conflict with an existing ID
'-g' specify the user's primary group
'-G' specify supplementary groups; separate several groups with commas
'-d' specify the user's home directory
'-c' specify the user's comment information
'-M' do not create a home directory
'-s' specify the user's default shell
'-r' create a system account (no home directory)
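The pre-creation checks listed above can be scripted. The following is an added example, not the post's own code: it runs the checks against constructed copies of /etc/passwd, /etc/group and /etc/shells in a temporary directory, so nothing on the real system is read or changed. The preflight function and its result strings are this example's own naming.

```shell
#!/bin/sh
# Added example: the checks to make before running useradd (name and UID
# free, groups present, shell listed in /etc/shells), run against
# constructed copies of the system files in a temporary directory.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oldboy1:x:1001:1001::/home/oldboy1:/bin/bash
mysql:x:5002:5002::/home/mysql:/sbin/nologin
EOF
cat > "$WORK/group" <<'EOF'
root:x:0:
sa:x:1003:
dba:x:1004:
students:x:1005:
EOF
cat > "$WORK/shells" <<'EOF'
/bin/sh
/bin/bash
EOF

# uid_free <uid>: "yes" if no passwd record uses the UID (third field)
uid_free() { grep -q "^[^:]*:[^:]*:$1:" "$WORK/passwd" && echo no || echo yes; }
# name_free <name>: "yes" if no passwd record has that login name
name_free() { grep -q "^$1:" "$WORK/passwd" && echo no || echo yes; }
# group_exists <group>: "yes" if the group is defined
group_exists() { grep -q "^$1:" "$WORK/group" && echo yes || echo no; }
# shell_ok <shell>: "listed" if in /etc/shells; chsh warns about unlisted
# shells, and /sbin/nologin is normally unlisted on purpose
shell_ok() { grep -qx "$1" "$WORK/shells" && echo listed || echo unlisted; }

# preflight <name> <uid> <primary-group> <extra-groups,comma-separated> <shell>
# Prints "ok", or a comma-separated list of problems and returns 1.
preflight() {
    problems=""
    [ "$(name_free "$1")" = yes ] || problems="$problems,name-taken"
    [ "$(uid_free "$2")" = yes ] || problems="$problems,uid-taken"
    [ "$(group_exists "$3")" = yes ] || problems="$problems,no-primary-group"
    for g in $(echo "$4" | tr ',' ' '); do
        [ "$(group_exists "$g")" = yes ] || problems="$problems,no-group-$g"
    done
    [ "$(shell_ok "$5")" = listed ] || problems="$problems,shell-unlisted"
    if [ -z "$problems" ]; then echo ok; return 0; fi
    echo "${problems#,}"; return 1
}
```

For a service account "shell-unlisted" is expected rather than a problem, since /sbin/nologin is chosen precisely so that the account cannot log in; the function reports it so the caller can decide.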

// Create user oldboy with UID 5001, primary group students, supplementary groups sa and dba, comment "2018 new student", shell bash
[root@localhost ~]# useradd -u 5001 -g students -G sa,dba -c '2018 new student' -d /home/oldboy -s /bin/bash oldboy
[root@localhost ~]# tail -1 /etc/passwd
oldboy:x:5001:1005:2018 new student:/home/oldboy:/bin/bash

// Create system users: -M does not create a home directory, -s /sbin/nologin specifies a shell that cannot log in
[root@localhost ~]# useradd -M -s /sbin/nologin mysql
[root@localhost ~]# useradd -r -g dba -s /sbin/nologin dba
[root@localhost ~]# tail -2 /etc/passwd
mysql:x:5002:5002::/home/mysql:/sbin/nologin
dba:x:998:1004::/home/dba:/sbin/nologin

Use the usermod command to modify a user
'-u' change the user's UID
'-g' change the user's primary group (GID)
'-G' change the user's supplementary groups; without -a the list replaces the original supplementary groups
'-a' append to the supplementary groups (used together with -G, several groups separated by commas)
'-md' move the home directory; -m must be used together with -d and moves the user's home directory to the new location
'-d' specify the new location of the user's home directory
'-c' change the user's comment information
'-s' change the user's shell
'-l' change the user's login name
'-L' lock the user
'-U' unlock the user

// change the UID of the mysql user to 250
[root@localhost ~]# usermod -u 250 mysql
[root@localhost ~]# tail -2 /etc/passwd
mysql:x:250:5002::/home/mysql:/sbin/nologin

// change the primary group of user oldboy to root
[root@localhost ~]# usermod -g root oldboy
[root@localhost ~]# id oldboy
uid=5001(oldboy) gid=0(root) groups=0(root),1003(sa),1004(dba)

// change the supplementary groups of user oldboy, adding the students group
[root@localhost ~]# usermod -G students,sa,dba oldboy
[root@localhost ~]# id oldboy
uid=5001(oldboy) gid=0(root) groups=0(root),1003(sa),1004(dba),1005(students)

// append the supplementary groups sa and dba to user oldboy
[root@localhost ~]# usermod -G students oldboy
[root@localhost ~]# usermod -aG sa,dba oldboy
[root@localhost ~]# id oldboy
uid=5001(oldboy) gid=0(root) groups=0(root),1003(sa),1004(dba),1005(students)

// move user oldboy's home directory from /home to /
[root@localhost ~]# usermod -md /oldboy oldboy
[root@localhost ~]# ls /
bin   dev  home  lib64  mnt     root  sbin  sys  usr  opt
boot  etc  lib   media  oldboy  proc  run   srv  tmp  var

// change the shell of user oldboy so that it cannot log in
[root@localhost ~]# usermod -s /sbin/nologin oldboy
[root@localhost ~]# grep oldboy /etc/passwd
oldboy1:x:1001:1001::/home/oldboy1:/bin/bash
oldboy:x:5001:0:2018 new student:/oldboy:/sbin/nologin

// change the login name of user oldboy to oldgirl
[root@localhost ~]# usermod -l oldgirl oldboy
[root@localhost ~]# grep oldboy /etc/passwd
oldboy1:x:1001:1001::/home/oldboy1:/bin/bash
oldgirl:x:5001:0:2018 new student:/oldboy:/sbin/nologin

// change the comment information of user oldgirl
[root@localhost ~]# usermod -c '2019 new stu' oldgirl
[root@localhost ~]# grep oldgirl /etc/passwd
oldgirl:x:5001:0:2019 new stu:/oldboy:/bin/bash

// lock the oldgirl user
[root@localhost ~]# usermod -L oldgirl

Use the finger command to query user information and login information
yum install -y finger                    # install the finger command
[root@localhost ~]# finger oldgirl       # view oldgirl's user and login information
Login: oldgirl                          Name: 2019 new stu
Directory: /oldboy                      Shell: /bin/bash
Last login Mon Oct 28 14:45 (CST) on pts/1 from 10.0.1.26
No mail.
No Plan.

Use chfn to modify user information
[root@localhost ~]# chfn oldgirl
Changing finger information for oldgirl.
Name [2019 new stu]: 2019 new teacher
Office []: oldboy 2009
Office Phone []: 1234567
Home Phone []: 132131231

Finger information changed.

Check again with finger
[root@localhost ~]# finger oldgirl
Login: oldgirl Name: 2019 new teacher
Directory: /oldboy Shell: /bin/bash
Office: oldboy 2009, 123-4567 Home Phone: 132131231
Last login Mon Oct 28 14:45 (CST) on pts/1 from 10.0.1.26
No mail.
No Plan.

Use the chsh command to change the user's login shell
[root@localhost ~]# chsh oldgirl
Changing shell for oldgirl.
New shell [/bin/bash]: /sbin/nologin
chsh: Warning: "/sbin/nologin" is not listed in /etc/shells.
Shell changed.
[root@localhost ~]# grep oldgirl /etc/passwd
oldgirl:x:5001:0:2019 new teacher,oldboy 2009,1234567,132131231:/oldboy:/sbin/nologin

Check who is logged in
[root@localhost ~]# who
root     pts/0        2019-10-28 15:05 (10.0.1.26)
root     pts/1        2019-10-28 15:30 (10.0.1.26)

[root@localhost ~]# w
15:51:16 up 47 min, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.1.26 15:05 22:12 0.25s 0.02s -bash
root pts/1 10.0.1.26 15:30 4.00s 0.24s 0.00s w

Use userdel to delete an account
Syntax: userdel [-r] username    // -r also deletes the home directory
[root@localhost ~]# userdel ts
[root@localhost ~]# ls -lhd /home/ts/
drwx------ 2 5003 5004 62 Oct 28 15:56 /home/ts/

// the home directory is left behind (its owner is now shown as the bare numbers 5003 5004); delete the user together with the home directory
[root@localhost ~]# userdel -r ts

3. How users are created
When Linux creates a user it reads the /etc/default/useradd configuration file by default: if parameters are given on the command line they are used, otherwise the defaults from /etc/default/useradd apply. When a user is created with useradd, the corresponding .bash_* files are placed in the user's home directory; by default they are copied from the /etc/skel directory. The directory they are copied from can be changed in the /etc/default/useradd configuration file.
Note: parameters given to useradd when creating a new user override the /etc/default/useradd defaults.

[root@localhost ~]# egrep -v "^#|^$" /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512

[root@localhost ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home               // home directories are created under /home
INACTIVE=-1              // whether to lock the account after the password expires; -1 means not enabled
EXPIRE=                  // account expiry date; empty means not enabled
SHELL=/bin/bash          // default shell for all new users
SKEL=/etc/skel           // path of the default configuration files copied into a new user's home directory
CREATE_MAIL_SPOOL=yes    // create the mail file
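The two files above together decide a new user's defaults. As an added example (not part of the original post), this script reads constructed copies of both files, prints the effective defaults, and flags the settings that are weaker than the password rules given later on this page (minimum length, expiry, inactivity). The thresholds in weak_settings are this example's own assumptions.

```shell
#!/bin/sh
# Added example: derive a new user's effective defaults from login.defs and
# /etc/default/useradd, and flag the weak ones. Both files are constructed
# copies of the values shown on this page, written to a temporary directory.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/login.defs" <<'EOF'
# comment lines and blank lines are ignored
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
SYS_UID_MIN     201
SYS_UID_MAX     999
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
EOF
cat > "$WORK/useradd" <<'EOF'
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
EOF

# defs_get KEY: value of KEY in login.defs (whitespace separated; '#' lines skipped)
defs_get() { awk -v k="$1" '$1 == k { print $2; exit }' "$WORK/login.defs"; }
# useradd_get KEY: value of KEY=... in /etc/default/useradd
useradd_get() { sed -n "s/^$1=//p" "$WORK/useradd"; }

# new_user_defaults: one-line summary of what useradd applies without options
new_user_defaults() {
    printf 'home=%s/<name> shell=%s skel=%s uid>=%s pass_max=%s pass_min_len=%s\n' \
        "$(useradd_get HOME)" "$(useradd_get SHELL)" "$(useradd_get SKEL)" \
        "$(defs_get UID_MIN)" "$(defs_get PASS_MAX_DAYS)" "$(defs_get PASS_MIN_LEN)"
}

# weak_settings: defaults that fall short of the password rules on this page
# (thresholds are this example's assumptions)
weak_settings() {
    [ "$(defs_get PASS_MIN_LEN)" -ge 10 ] || echo "PASS_MIN_LEN below 10"
    [ "$(defs_get PASS_MAX_DAYS)" -lt 99999 ] || echo "PASS_MAX_DAYS never expires"
    [ "$(useradd_get INACTIVE)" -ge 0 ] || echo "INACTIVE disabled"
    case "$(defs_get ENCRYPT_METHOD)" in
        SHA512|SHA256) ;;
        *) echo "ENCRYPT_METHOD not SHA-2" ;;
    esac
}
```

Changing these two files only affects users created afterwards; existing accounts keep the ageing values already written to /etc/shadow and need chage.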

// if a user's environment files are accidentally deleted, the prompt after login shows as -bash-4.2$; fix it as follows
-bash-4.2$ cp -a /etc/skel/.bash* ./
-bash-4.2$ exit

4. Password management
A newly created account has no password, so it cannot be used to log in to the operating system. Only after a password is set with passwd can the account log in.
When setting a user's password with passwd, make it as complex as possible for security reasons; the password can follow these rules:

1. Length greater than 10 characters
2. The password contains uppercase and lowercase letters, digits, and special characters such as "@", "$" and "!"
3. No obvious pattern (do not use the user's name, company name, phone number or other simple passwords)

Note
1. Ordinary users can only change their own password
2. The administrator root can change anyone's password
Use the passwd command to change a user's password
Syntax: passwd [username]

// 'passwd' without a username changes the password of the current account.
// If you are logged in as root, you can specify the account whose password should be changed.
// Only root can change other accounts' passwords; ordinary accounts can only change their own and have no permission to change another user's password.

Several ways to generate random passwords
// 1. use the shell's built-in variable to generate a random password
[root@localhost ~]# echo $RANDOM | md5sum | cut -c 1-10
ae02560755

// 2. the mkpasswd password generation tool (from the expect package)
// -l password length (default 7), -d minimum number of digits, -c minimum number of lowercase letters, -C minimum number of uppercase letters
[root@localhost ~]# yum install -y expect
[root@localhost ~]# mkpasswd -l 15 -c 3 -d 5
448crm3Zteq2Fs\
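The password rules from section 4 and the generators above can be combined into one script. This is an added example, not from the original post: check_password applies the three rules (the forbidden-word list passed to it is constructed), and gen_password draws characters from /dev/urandom until the result passes. Note that bash's $RANDOM takes only 32768 distinct values, so the md5sum method above can produce at most 32768 different passwords; /dev/urandom has no such limit.

```shell
#!/bin/sh
# Added example: check a password against the three rules in the password
# section, and generate one from /dev/urandom that satisfies them.

# check_password <pw> <forbidden-words,comma-separated>
# Prints "ok" or the first rule that fails (too-short, no-upper, no-lower,
# no-digit, no-special, contains-<word>) and returns 1 on failure.
check_password() {
    pw=$1; words=$2
    [ "${#pw}" -gt 10 ] || { echo too-short; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || { echo no-upper; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || { echo no-lower; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || { echo no-digit; return 1; }
    printf '%s' "$pw" | LC_ALL=C grep -q '[@$!]' || { echo no-special; return 1; }
    # rule 3: no obvious personal strings (name, company, phone number)
    for w in $(echo "$words" | tr ',' ' '); do
        printf '%s' "$pw" | grep -qi -- "$w" && { echo "contains-$w"; return 1; }
    done
    echo ok
}

# gen_password [len]: random password of len characters (default 14) from
# letters, digits and the specials @ $ !, regenerated until it passes the rules
gen_password() {
    len=${1:-14}
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9@$!' < /dev/urandom | head -c "$len")
        [ "$(check_password "$pw" "")" = ok ] && { echo "$pw"; return 0; }
    done
}
```

Rule 3 is the one no generator can enforce on its own, which is why check_password takes the forbidden-word list as a parameter: the caller supplies the user's name, company and phone number from the account record.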

Recommended password manager client: LastPass, which supports Windows, macOS, phones and browser plug-ins. Official website:
https://www.lastpass.com/zh

 

Origin www.cnblogs.com/xmtxh/p/11755170.html