Shulou (Shulou.com) 06/01 Report. 2025-01-19 Update From: SLTechnology News&Howtos
This article explains what the Linux shadow file is used for, together with the commands for managing users, groups and file permissions.
In Linux, account information is kept in /etc/passwd, and early systems stored the encrypted password directly in that file: the first two characters are the "salt", a random value, followed by the encrypted password. For security, Linux now provides the shadow file /etc/shadow; the password is placed in this file, and only root can read it.
Description of the shadow file. Each entry, such as the one for the user richy, whose password field begins with $6$, consists of the following colon-separated fields:
1. The login name, corresponding to the login name in the /etc/passwd file
2. The encrypted password
3. The date the password was last changed, expressed as the number of days since January 1, 1970
4. The minimum number of days before the password can be changed
5. The number of days after which the password must be changed
6. The number of days before the password expires that the user is reminded to change it
7. The number of days after the password expires before the user account is disabled
8. The date on which the user account is disabled, expressed as the number of days since January 1, 1970
9. A reserved field for future use

With the shadow file, a Linux system can better control user passwords: it can control how often users must change their passwords and how long after a password goes without being updated the account is disabled.
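The field layout above, applied as an audit: this added example (not from the article) reads shadow-format lines and reports each account's hash scheme and ageing state. The function names, the sample entries and their placeholder hash strings are constructed for illustration.

```bash
# Added example (not from the article): classify shadow-format lines on stdin.
# audit_shadow [TODAY]  -- TODAY is days since 1970-01-01 (default: now).
# Prints one line per entry: "<user> <password-scheme> <state>".
audit_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    while IFS=: read -r user hash last min max warn inact expire reserved; do
        [ -n "$user" ] || continue
        # Field 2: the prefix identifies the hashing scheme or a locked entry.
        case $hash in
            '')        scheme=EMPTY ;;
            '!'*|'*'*) scheme=locked ;;
            '$6$'*)    scheme=sha512crypt ;;
            '$5$'*)    scheme=sha256crypt ;;
            '$1$'*)    scheme=md5crypt-weak ;;
            '$'*)      scheme=other ;;
            *)         scheme=descrypt-weak ;;
        esac
        # Fields 3, 5, 7, 8: ageing arithmetic, all in days since the epoch.
        state=ok
        if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
            state=account-expired
        elif [ "$last" = 0 ]; then
            state=must-change-at-next-login
        elif [ -n "$last" ] && [ -n "$max" ] && [ "$today" -gt $((last + max)) ]; then
            state=password-expired
            if [ -n "$inact" ] && [ "$today" -gt $((last + max + inact)) ]; then
                state=disabled-after-expiry
            fi
        fi
        echo "$user $scheme $state"
    done
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
richy:$6$SALT$HASHPLACEHOLDER:20000:0:99999:7:::
test:!!:20000:0:90:7:14::
temp:$6$SALT$HASHPLACEHOLDER:20000:0:99999:7::20050:
old:$1$SALT$HASHPLACEHOLDER:19000:0:90:7:14::
new:$6$SALT$HASHPLACEHOLDER:0:0:99999:7:::
EOF
}

sample_shadow | audit_shadow 20100
```

On a real system the input would be /etc/shadow read as root; an EMPTY or weak-scheme result is the finding to act on first.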
Add a new user
1. Check the default values that useradd uses on the Linux system:

```
[root@alone ~]# /usr/sbin/useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
```

GROUP=100: the new user will be added to the public group with GID 100
HOME=/home: the new user's HOME directory will be located at /home/<account name>
INACTIVE=-1: the new user account will not be disabled after its password expires
EXPIRE=: the date on which the new user account expires (empty here, so no expiration date is set)
SHELL=/bin/bash: the new user account will use the bash shell as its default shell
SKEL=/etc/skel: the system will copy the contents of the /etc/skel directory to the user's HOME directory
CREATE_MAIL_SPOOL=yes: the system creates a file under the mail directory for the user account to receive mail

Change the default parameters:

-b default_home: change the default location of user HOME directories
-e expiration_date: change the default expiration date of new accounts
-f inactive: change the number of days from password expiry until the account is disabled
-g group: change the default group name or GID
-s shell: change the default login shell

Example:

```
[root@alone skel]# useradd -D -s /bin/tsch
[root@alone skel]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/tsch
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
```

Delete user
By default, userdel only deletes the user information in the /etc/passwd file, not any files on the system that belong to that account. If you add the -r parameter, userdel also deletes the user's HOME directory and mail directory. However, other files owned by the user may still exist on the system, which may cause some problems. An example with the -r parameter:

```
[root@alone skel]# /usr/sbin/userdel -r test
[root@alone skel]# ls -al /home/tes
ls: unable to access /home/tes: there is no such file or directory
```

Modify users
The tools for modifying user information are as follows:

usermod: modifies the fields of a user account, and can specify primary group and additional group membership
passwd: modifies the password of an existing user
chpasswd: reads login name and password pairs from a file and updates the passwords
chage: modifies the password expiration date
chfn: modifies the comment information of a user account
chsh: modifies the default login shell of a user account

1. usermod

usermod can modify most of the fields in the /etc/passwd file; just supply the corresponding parameter. Most of the parameters are the same as for the useradd command, for example -e to modify the expiration date and -g to modify the default login group. Others are:

-l: modify the login name of the user's account
-L: lock the account so that the user cannot log in
-p: change the password of the account
-U: unlock the account so that the user can log in normally again

The -L parameter is especially useful: it locks the account so that the user cannot log in, without deleting the account or the user's data. To get the account back to normal, just use the -U parameter.
2. passwd and chpasswd

The easiest way to change a user's password is the passwd command, here changing the password of the user test:

```
[root@alone skel]# passwd test
New password:
invalid password: it is based on dictionary words
invalid password: too simple
Re-enter the new password:
passwd: all authentication tokens have been successfully updated.
```

The `-e` option forces users to change their password the next time they log in. If you need to change passwords for a large number of users on the system, the chpasswd command makes things much easier. The chpasswd command reads a list of login name and password pairs (separated by colons) from standard input, encrypts each password, and then sets it for the user account. You can also use redirection to feed a file containing `userid:passwd` pairs to the command: `[root@alone skel]# chpasswd`

3. chsh, chfn and chage
The chsh, chfn, and chage tools are each used to modify specific account information. The chsh command quickly modifies the user's default login shell. You must give the full path name of the shell as the parameter, not just the shell name:

```
[root@alone skel]# chsh -s /bin/csh test
Changing shell for test.
Shell changed.
```

When chfn is run without parameters, it prompts for the comment information, for example:

```
[root@alone skel]# chfn test
Changing finger information for test.
Name []: ImaTest
Office []: ChongQing
Office Phone []: 88925925
Home Phone []: 88592626
Finger information changed.
[root@alone skel]# tail -2 /etc/passwd
richy:x:500:500:richy:/home/richy:/bin/bash
test:x:501:501:ImaTest,ChongQing,88925925,88592626:/home/test:/bin/csh
```
The chage command is used to help manage the validity period of user accounts. The parameters are as follows:
-d sets the number of days since the password was last modified
-E sets the date on which the password expires
-I sets the number of days after the password expires before the account is locked
-m sets the minimum number of days between password changes
-W sets how long before the password expires the reminder message starts to appear
The date values of the chage command can be given in one of two ways:
1. A date in YYYY-MM-DD format.
2. The number of days from January 1, 1970 to that date.
Tip: you can create temporary users by setting an expiration date on the account. An expired account is similar to a locked account: the account still exists, but cannot be used to log in.
Use Linux groups

1. The /etc/group file

```
[root@alone skel]# cat /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
```

The /etc/group file contains four fields: group name, group password, GID, and the list of users belonging to the group. The group password allows non-members to temporarily become members of the group, but it is not commonly used. Do not edit the /etc/group file directly to add group memberships; use the usermod command instead. Before you add a user to a group, the group must first be created.
2. Create a new group

Use the groupadd command:

```
[root@alone skel]# /usr/sbin/groupadd shared
[root@alone skel]# tail /etc/group
fuse:x:494:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
sshd:x:74:
tcpdump:x:72:
slocate:x:21:
richy:x:500:
test:x:501:
shared:x:502:
```
When you create a group, by default no user is a member of the group. The groupadd command does not provide the option to add users to a group, but you can use the usermod command to add users to a group:
```
[root@alone skel]# /usr/sbin/usermod -G shared richy
[root@alone skel]# /usr/sbin/usermod -G shared test
[root@alone skel]# tail -3 /etc/group
richy:x:500:
test:x:501:
shared:x:502:richy,test
```

The usermod -G command adds the new group to the list of groups for the user's account. (For the group change to take effect, the user must log out and log back in.) Note: with the -g parameter, the specified group name replaces the default group for the account. The -G parameter adds the group to the user's group list without affecting the default group. Given on its own, -G replaces the user's existing supplementary groups with the listed ones; use -a together with -G to append instead.
3. Modify a group

groupmod can modify the GID (with the -g parameter) or the group name (with the -n parameter) of an existing group:

```
[root@alone skel]# tail -2 /etc/group
test:x:501:
sharing:x:502:richy,test
```
When you change the group name, the GID and the group members do not change, only the group name changes. Since all security permissions are based on GID, you can change the group name at will without affecting the security of the file.
File permissions

1. Use file permission symbols

- for files; d for directories; l for links; c for character devices; b for block devices; n for network devices

2. Default file permissions

Default permissions are controlled with umask. The full permission of a file is 666. Example: umask 0022. The first digit is the special security option, the second is the owner's permissions, the third is the group's permissions, and the fourth is the permissions of other users. The umask value is a mask: it masks out the permissions you do not want. If you want new files to be 644 (that is, rw-r--r--), the mask is 022, that is, 666 - 644.

```
[root@alone testdir]# ls -ld /root/testdir
drwxr-xr-x. 2 root root 4096 July 28 10:05 /root/testdir
```

(that is, 0026) Since the default permissions for directories differ from those for newly created files, the umask value of 026 is subtracted from 777, and what is left becomes the directory's permission setting.
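The subtraction rule above matches what the kernel does only when every masked bit is present in the base mode; the mask actually clears bits. This added example (not from the article; the function names are hypothetical) compares the bit-clearing prediction with the modes of objects really created under each umask, including 033, where subtraction would wrongly give 633 for a file.

```bash
# Added example (not from the article): predicted vs. observed umask results.
# predicted_mode BASE MASK -> BASE with the MASK bits cleared (octal).
predicted_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# observed_modes MASK -> "file=<mode> dir=<mode>" for objects created under MASK.
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"      # new files are requested with mode 666
        mkdir "$tmp/d"    # new directories are requested with mode 777
    )
    echo "file=$(stat -c %a "$tmp/f") dir=$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

for mask in 022 026 033; do
    echo "umask $mask: predicted file=$(predicted_mode 666 "$mask")" \
         "dir=$(predicted_mode 777 "$mask"); observed $(observed_modes "$mask")"
done
```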
3. Change the security settings

```
[root@alone testdir]# chmod 760 newfile
[root@alone testdir]# ls -l newfile
-rwxrw----. 1 root root 0 July 28 10:10 newfile
```

In symbolic mode, chmod takes a target: u (owner), g (group), o (other users) or a (all); an operator: add (+), remove (-) or set to (=); and a permission symbol. The chmod permission symbols include x (grant execute rights), s (set the UID or GID at run time), t (keep the file or directory), u (set the permissions to the owner's), g (set the permissions to the group's), and o (set the permissions to the same as other users').

```
[root@alone testdir]# chmod o+r newfile
[root@alone testdir]# ll newfile
-rwxrw-r--. 1 root root 0 July 28 10:10 newfile
[root@alone testdir]# chmod u-x newfile
[root@alone testdir]# ll newfile
-rw-rw-r--. 1 root root 0 July 28 10:10 newfile
```

chmod can use -R to act recursively on files and subdirectories, and wildcards can be used in the file name to work on multiple files.

4. Change ownership

chown options owner[.group] filename

For example:

```
[root@alone testdir]# chown dan newfile
[root@alone testdir]# ll newfile
-rw-rw-r--. 1 dan root 0 July 28 10:10 newfile
[root@alone testdir]# chown dan.sharing newfile
[root@alone testdir]# ll newfile
-rw-rw-r--. 1 dan sharing 0 July 28 10:10 newfile
```

The default group alone can be changed with the following command:

```
[root@alone testdir]# chown .test newfile
[root@alone testdir]# ll newfile
-rw-rw-r--. 1 dan test 0 July 28 10:10 newfile
```

chown with the -R parameter plus wildcards can recursively change the ownership of subdirectories and files, and the -h parameter changes the ownership of any symbolic link files. The chgrp command makes it easier to change the default group of files or directories:

```
[root@alone testdir]# chgrp sharing newfile
[root@alone testdir]# ll newfile
-rw-rw-r--. 1 dan sharing 0 July 28 10:10 newfile
```
5. Share a file
The most basic method is to share access rights by creating groups. Sharing methods for larger environments:

- Set user ID (SUID): when the file is executed by a user, it runs with the file owner's permissions.
- Set group ID (SGID): for a file, the program runs with the file group's permissions. For a directory, new files created in the directory take the directory's group as their default group.
- Sticky bit: the file stays in memory after the process ends.

Example:

```
[root@alone testdir]# mkdir sss
[root@alone testdir]# ls -l
total 4
-rw-r--r--. 1 root root 0 July 28 10:26 abc
-rw-rw-r--. 1 dan sharing 0 July 28 10:10 newfile
drwxr-xr-x. 2 root root 4096 July 28 10:51 sss
[root@alone testdir]# chgrp sharing sss
[root@alone testdir]# chmod g+s sss
[root@alone testdir]# ls -ld sss
drwxr-sr-x. 2 root sharing 4096 July 28 10:51 sss
[root@alone testdir]# umask 002
[root@alone testdir]# cd sss
[root@alone sss]# touch onetext
[root@alone sss]# ls -l
total 0
-rw-rw-r--. 1 root sharing 0 July 28 10:53 onetext
```

First, create the shared directory with mkdir, then use chgrp to change its default group to a group containing the users who will share it, and finally set the SGID bit on the directory so that sharing is used as the default group for all new files in the directory. For this environment to work properly, all group members need to set their umask so that files are writable by members of the file's group (002). In this way, group members can create files in the shared directory, the new files follow the directory's group rather than the user's own, and all users in the sharing group have access.
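The shared-directory procedure above, as an added example that is not from the article: it builds the directory and probes what a member gets under umask 002 and 022. It uses mode 2775 because the listing's drwxr-sr-x leaves the directory without group write, so only the owner could create files in it; the function names are hypothetical, and one of the caller's own groups stands in for the sharing group so it runs without root.

```bash
# Added example (not from the article): build and check an SGID shared directory.
# setup_shared DIR GROUP: create DIR, give it to GROUP, set SGID and group write.
setup_shared() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# probe_shared DIR MASK: create a file in DIR under umask MASK and print
# "dir=<mode> file=<mode> group=<inherited|not-inherited>".
probe_shared() {
    probe="$1/.probe.$$"
    ( umask "$2"; : > "$probe" ) || return 1
    if [ "$(stat -c %g "$probe")" = "$(stat -c %g "$1")" ]; then
        grp=inherited
    else
        grp=not-inherited
    fi
    echo "dir=$(stat -c %a "$1") file=$(stat -c %a "$probe") group=$grp"
    rm -f "$probe"
}

# Assumption: the last group listed by `id -G` stands in for the article's
# "sharing" group; pass the real shared group name in practice.
demo_shared() {
    base=$(mktemp -d) || return 1
    gid=$(id -G | awk '{print $NF}')
    setup_shared "$base/sss" "$gid"
    probe_shared "$base/sss" 002    # group members can edit each other's files
    probe_shared "$base/sss" 022    # file ends up read-only for the group
    rm -rf "$base"
}

demo_shared
```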
- Account information: /etc/passwd
- Group information: /etc/group
- Create a new user: useradd
- Create a new group: groupadd
- Modify an existing account: usermod
- Modify group account information: groupmod
- 3 security levels: rwxr--r--
- Default permission setting: umask (mask rule: files 666, directories 777)
- chmod modifies the security settings of a file or directory (only the owner of the file, or the root user, can modify the owner and group)
- SGID forces new files or directories created in a directory to follow the group of the parent directory (the easy way to share)