2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces Linux account management through examples.
I. User Management
1. User account management file
To manage user accounts in Linux, you should first understand how they are stored, which involves two files: /etc/passwd and /etc/shadow. The former stores basic information such as each user's UID and GID, while the latter mainly stores information related to account passwords.
Let's see what's in /etc/passwd (just the first three lines):
In this file, each user account is stored as one line with 7 fields. From left to right, the fields are:
(1) Account name.
(2) Password: Early Unix systems kept the password here, but because /etc/passwd can be read by many programs, that is not safe. The password data was later moved to /etc/shadow, so the second field here is "x".
(3) UID: 0 represents the system administrator, 1-999 represents system accounts, and 1000-6000 represents general users.
(4) GID: The GID of the user's initial group.
(5) Full user name or description of the account.
(6) Home directory: defaults to /home/account name.
(7) Shell: The shell the account gets after logging in to the system.
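The seven fields above are enough to check a passwd file for the entries an administrator usually wants to review. The following is an added example, not part of the original article: the function names, the list of non-login shells and the sample lines are constructed for illustration, and the 1-999 system range is the one the article gives.

```python
from collections import namedtuple

# The seven fields, in the order the article lists them.
PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")

# Assumption: shells commonly used to deny interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Split passwd-format text into entries, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), *f[4:]))
    return entries

def audit_passwd(entries):
    """Return (account, issue) pairs worth a manual review."""
    findings, first_owner = [], {}
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 but not root"))
        if e.password != "x":          # password is not deferred to /etc/shadow
            findings.append((e.name, "password field is not 'x'"))
        if 1 <= e.uid <= 999 and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "system account with login shell"))
        if e.uid in first_owner:
            findings.append((e.name, f"UID shared with {first_owner[e.uid]}"))
        first_owner.setdefault(e.uid, e.name)
    return findings

# Constructed sample lines, not taken from a real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/bash
jet:x:1000:1000:Jet:/home/jet:/bin/bash
backup::0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for name, issue in audit_passwd(parse_passwd(SAMPLE)):
        print(f"{name}: {issue}")
```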
Let's see what's in /etc/shadow (just the first three lines):
Similarly, each account is stored as one line in this file, with 9 fields in total. From left to right, the fields are:
(1) Account name.
(2) Password: The encrypted password. If it begins with "!", the password is invalid, the account is blocked, and it is temporarily impossible to log in.
(3) Date of last password change: The number in this field is the number of days between January 1, 1970 and the date the password was last changed.
(4) Number of days during which the password cannot be modified: how many days must pass after the last password change before the password can be changed again.
(5) Number of days after which the password must be modified again (password expiration date): the password must be changed again within this many days of the last password change.
(6) Number of days before the password expiration date at which warnings start.
(7) Account grace days after password expiration (password expiration date): The password can still be used for this many days after it expires, but after login the system forces the user to change it. If the password has not been changed by the end of this period, it becomes invalid and the account password can no longer be used to log in.
(8) Account expiration date: The number of days after January 1, 1970 at which the account expires. After that, the account can no longer be used, regardless of whether the password has expired.
(9) Reserved: stores no information for now and is kept for new functions.
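The day counts in fields 3 to 8 are easier to follow when turned into dates and states. The following is an added example, not part of the original article: it classifies shadow-format lines using the field meanings above, and the function name, flag names and sample lines (with placeholder hashes) are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def _num(field):
    return int(field) if field else None   # an empty field means "not set"

def shadow_status(line, today):
    """Classify one shadow-format line as of `today` (a datetime.date)."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    name, pw = f[0], f[1]
    last, _min, maxd, warn, grace, expire = map(_num, f[2:8])
    now = (today - EPOCH).days              # same unit as fields 3 and 8
    flags, pw_expires = [], None
    if pw == "":
        flags.append("no-password")
    elif pw[0] in "!*":   # "!" as described above; "*" is likewise not a valid hash
        flags.append("locked")
    if expire is not None and now >= expire:        # field 8
        flags.append("account-expired")
    if last == 0:                                   # what "chage -d 0" sets
        flags.append("must-change-at-login")
    elif last is not None and maxd is not None:
        limit = last + maxd                         # field 3 + field 5
        pw_expires = EPOCH + timedelta(days=limit)
        if grace is not None and now > limit + grace:   # field 7 used up
            flags.append("password-inactive")
        elif now > limit:
            flags.append("password-expired")
        elif warn is not None and now >= limit - warn:  # field 6
            flags.append("expiry-warning")
    return {"name": name, "flags": flags, "password_expires": pw_expires}

# Constructed sample lines; the hashes are placeholders, not real ones.
SAMPLE = [
    "jet:$6$constructed$hash:20000:0:90:7:14::",
    "amy:$6$constructed$hash:20035:0:90:7:14::",
    "bob:!$6$constructed$hash:20100:0:99999:7:::",
    "tmp:$6$constructed$hash:20100:0:99999:7::20110:",
    "new:$6$constructed$hash:0:0:99999:7:::",
    "svc::20100:0:99999:7:::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(shadow_status(entry, date(2025, 1, 31)))
```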
2. User account management operations
Now that we know how Linux stores accounts and passwords, we also need to know how to add accounts, modify account information, change passwords, and perform other user management operations.
(1) Adding a user account:
useradd [-u UID] [-g initial group] [-G secondary groups] [-m/-M] [-c account description] [-d absolute path of home directory] [-s shell] [-r] [-e account expiration date, format YYYY-MM-DD] [-f whether the password will expire: 0 expires immediately, -1 never expires] account name
These are some common options of the useradd command, to be added as needed: -M forces no home directory to be created, -m forces a home directory to be created, and -r creates a system account. See the man page on your system for more options. In general, though, when creating a user account we only need to specify the account name (useradd account name), and all other account information takes the defaults the system has set. In CentOS, the system does the following by default:
Create a line for the account in /etc/passwd.
Create a line in /etc/shadow for this account's password, but with no password set yet.
Create a line in /etc/group with the initial group information for this account. The group name is the same as the account name.
Create a line in /etc/gshadow with the password information for this account's initial group, but with no password.
Create the home directory of this account under /home. The directory name is the same as the account name and its permission is 700.
So where are these defaults for useradd stored? First, you can use useradd -D to check some of the default values (here, the meaning of each parameter is explained):
(The last parameter controls whether an email mailbox is created.)
These parameters are actually stored in the file /etc/default/useradd.
For initial groups, there are two mechanisms: the public group mechanism and the private group mechanism. The public group mechanism uses the parameter value "GROUP=100" shown here as the initial group for new accounts. Every account then belongs to the users group, and accounts can share data in their home directories. SuSE uses this mechanism. The private group mechanism does not use this parameter: each account has its own group and home directory, and only the owner can enter their own home directory. RHEL, Fedora, CentOS and others use this mechanism.
"SKEL=/etc/skel" specifies the reference directory for the contents of a new home directory, that is, the contents of a new account's home directory are copied directly from /etc/skel. "CREATE_MAIL_SPOOL=yes" specifies that the system automatically creates a mailbox for the new account, that is, the file "/var/spool/mail/account name" is created.
However, /etc/default/useradd only sets the defaults for some basic account information. More parameter defaults can be found in /etc/login.defs, which sets defaults and rules for further parameters such as user UID and GID.
To sum up, the files referenced when creating an account with the useradd command are: /etc/default/useradd, /etc/login.defs, /etc/skel/*.
(2) User account modification:
The usermod command modifies a user account. Most of its options are similar to those of useradd, so they are not repeated here. Only one special function needs explaining: usermod can freeze and unfreeze an account with the -L and -U options respectively. Freezing adds "!" in front of the password in the second column of /etc/shadow, so that the account can no longer log in with its password; unfreezing removes it and restores account login.
(3) User account deletion:
The command to delete a user account is: userdel user account. With the -r option, the user's home directory is deleted along with the account. Note that the userdel command deletes everything associated with the specified account!
(4) Account password modification:
After an account is created with useradd, the new account still cannot log in to the system. You need to use the passwd command to set its password:
In addition to changing passwords, the passwd command has the following uses:
Password attribute modification: passwd [-n number of days password cannot be modified] [-x number of days after which password must be modified again] [-w number of days before password expiration to start warning] [-i number of days after password expiration until the account expires] account name
Freeze password: passwd -l account name, which modifies /etc/passwd and adds "!!" before the password (similar to usermod -L).
Thaw password: passwd -u account name (similar to usermod -U).
View password information: passwd -S account name.
Besides passwd, another command can modify account password information: chage.
chage [-d date of last password modification, format YYYY-MM-DD] [-m number of days password cannot be modified] [-M number of days after which password must be modified again] [-W number of days before password expiration to start warning] [-I number of days after password expiration until the account expires] [-E account expiration date, format YYYY-MM-DD]
In addition, chage can also display account password information, in a format that is easier to read than the output of passwd -S:
You can also force a user to change their password the next time they log in to the system with "chage -d 0 account name".
3. User functions
Apart from using passwd to change one's own password and some information-viewing operations, the account management operations described above can only be performed by the system administrator. The following commands let a general user view and modify information.
id account name: View the user's UID and GID.
finger: Query information on all users currently logged in to the system.
finger account name: Query the attributes of an account.
chfn: Modify some of the information displayed by finger.
As you can see, the actual changes are stored in column 5 of the /etc/passwd file. (To modify your own information, run "chfn" directly.)
chsh -l: View all available shells on the current system, i.e. the contents of /etc/shells.
chsh -s: Modify your shell.
II. Group Management
1. Group management files
As with user management, to understand group management you first need to look at how group information is stored in Linux. Group information involves two files: /etc/group and /etc/gshadow. The former holds basic group information, and the latter holds group password information.
Let's take a look at the /etc/group file:
In this file, each group is stored as one line with 4 fields. From left to right, the fields are:
(1) Group name.
(2) Group password: has been moved to /etc/gshadow, so "x" is stored here.
(3) GID.
(4) List of all user accounts that are members of this group.
Take a look at the /etc/gshadow file:
In this file, each group is stored as one line with 4 fields. From left to right, the fields are:
(1) Group name.
(2) Group password: Usually used by group administrators, rarely set.
(3) Group administrator's account.
(4) List of all user accounts that are members of this group.
2. Group management operations
(1) Group addition:
groupadd [-g gid] group name
(add the -r option when creating a system group)
(2) Group modification:
groupmod [-g gid] [-n new group name] group name
(Note: Do not change the GID at will; it easily causes confusion in system resources.)
(3) Group deletion:
groupdel group name
(If the group is the initial group of a user account, an error is reported and the group cannot be deleted.)
(4) Initial group and effective group:
The user's initial group is the group, with its permissions, that the user obtains on logging in to the system, that is, the group corresponding to the GID in the fourth field of /etc/passwd. A user can join multiple groups and can use the permissions and functions of all the groups they belong to. However, when the user creates a file or directory, its group can only be the user's current effective group.
You can use the command "groups" to view all the groups the current user has joined. The first group in the list is the current effective group. You can use the command "newgrp group name" to switch the effective group, but only among the groups the current user has joined. Switching the effective group starts a new shell environment. Use the "exit" command to leave it and return to the original effective group and shell environment.
(5) Users joining groups:
There are two ways for a user to join a group. The first is to ask the system administrator root to use the usermod command (the -a option combined with the -G option):
(add user jet to group jet2)
The second is to ask the administrator of the group in question to use the gpasswd command.
First, the system administrator root must designate the administrator of this group, also with the gpasswd command. Let's look at the root operations:
Modify group password: gpasswd group name
Set group administrators and user members: gpasswd [-A group administrator account list] [-M user member account list] group name
Remove group password: gpasswd -r group name
Disable group password: gpasswd -R group name
Then the group administrator manages the group members:
III. User identity switching
1. su:
After logging in to a Linux system, a user can switch to a different account with the su command, then leave it with the exit command and return to the original account.
(1) su account name: switch identity in non-login shell mode; many environment variables, including PATH, remain those of the current user.
(2) su - account name or su -l account name: switch identity in login shell mode; all environment variables become those of the new account.
(3) su - -c "instruction" account name: execute one instruction with the new identity and return to the current user's identity afterwards.
(If no account name is given, su switches to the root identity.)
2. sudo:
Switching identity with su requires entering the password of the account being switched to (only root does not need it). In other words, to use su you must know the password of the target account. Another command, sudo, can also switch identity to execute commands, and it only requires the current account's password, not the password of the target account. It switches identity just for the command and automatically returns to the original account afterwards. The instruction format is as follows:
sudo -u account name command
(If no account name is specified, the command is executed as root by default.)
However, not every user account can use sudo or switch to any account at will. The relevant information must be configured in the /etc/sudoers file. This file has a defined syntax and should be edited with the visudo command. The /etc/sudoers file lets you set which users or groups, logged in on which hosts, can switch to which accounts and execute which commands. You can also allow sudo to be used without entering a password. A screenshot of some of the contents of this file is as follows:
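The paragraph above names the things a sudoers rule sets: who, on which host, as which account, which commands, and whether a password is asked for. The following is an added example, not part of the original article: a simplified scanner that extracts those parts from user specification lines and lists the rules that skip the password prompt or allow every command. The function names and sample content are constructed, and included files and several rules on one line are not handled.

```python
import re

# who  host = (runas) [TAG:] commands ; the (runas) part is optional
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
NOT_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
             "Cmnd_Alias", "Cmd_Alias", "@include")
# "#1000" names a user by UID; any other "#..." is a comment or #include.
COMMENT = re.compile(r"#(?!\d)")

def parse_sudoers(text):
    """Return one dict per user specification line found in `text`."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or COMMENT.match(line) or line.startswith(NOT_RULES):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        # Drop tags such as NOPASSWD: before splitting the command list.
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", m["cmds"]).split(",")
        rules.append({
            "who": m["who"],
            "is_group": m["who"].startswith("%"),
            "host": m["host"],
            "runas": m["runas"] or "root",      # no (runas) part means root
            "nopasswd": "NOPASSWD:" in m["cmds"],
            "commands": [c.strip() for c in cmds],
        })
    return rules

def risky(rules):
    """Rules that skip the password prompt or allow every command."""
    return [(r["who"], "NOPASSWD" if r["nopasswd"] else "ALL commands")
            for r in rules if r["nopasswd"] or "ALL" in r["commands"]]

# Constructed sample content, not a real system's file.
SAMPLE = """\
# constructed sample
Defaults    env_reset
Cmnd_Alias  WEB = /usr/bin/systemctl restart httpd
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
jet     ALL=(root)  NOPASSWD: /usr/bin/systemctl restart httpd, \\
                    /usr/bin/systemctl status httpd
amy     ALL=        /usr/bin/less /var/log/messages
"""

if __name__ == "__main__":
    for who, why in risky(parse_sudoers(SAMPLE)):
        print(f"{who}: {why}")
```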