How to manage accounts well in linux

2025-01-20 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to manage accounts well in Linux. The editor thinks it is very practical and shares it as a reference; I hope you get something out of it.

Account management

As we all know, Linux is a typical multi-user, multi-tasking operating system: several users may log on to the same computer at the same time and each run one or more tasks, and a user will not necessarily notice the login activity of the others. The superuser on Linux is the root account, which is almost omnipotent and is used to create and configure the non-root accounts.

With regard to account management, there are two concepts that must be understood: users (User) and user groups (Group).

User (User): the account configuration information on a computer that allows a program or person to log in and run tasks within certain permissions.

User group (Group): Linux allows a class of users (several users) to be placed in a group, and all members of the group get the same permissions. A user has exactly one initial (primary) group, but an account can additionally be added to several other groups.

How do I create users and user groups?

Create a group:

groupadd group1

Specify GID (group ID) when creating a group:

groupadd -g 100 group2

Create a user:

useradd user1

Specify the initial group when creating the user. If you do not specify a group, Linux creates a group with the same name as the user by default:

useradd -g group1 user1

Specify the UID (user ID) when creating a user:

useradd -u 100 -g group2 user2

Depending on their purpose, Linux divides users into system accounts and ordinary accounts. System accounts are mainly used by system processes or programs; ordinary accounts, also called interactive accounts, are mainly used by the people who operate the system and are tied to a particular user. Through such an account a user gets certain permissions to use the computer's resources, such as logging in, browsing the web, running programs, reading documents and so on. Besides the difference in use, the UID and GID ranges of system accounts and ordinary accounts differ: system accounts are defined by SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN and SYS_GID_MAX, and ordinary accounts by UID_MIN, UID_MAX, GID_MIN and GID_MAX. These parameters are defined in /etc/login.defs:

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999

Create system accounts and system groups:

groupadd -r -g 100 group2
useradd -r -u 100 -g group2 user2

You can also add the user to two different groups at once:

groupadd -r -g 100 group2
useradd -r -u 100 -g group2 -G group1 user2

When creating an ordinary account, specify the home directory and the interactive program (login shell):

useradd -u 100 -g group2 -d /home/user2 -s /bin/bash user2

Disable login and the home directory when creating a system account:

useradd -u 100 -g group2 -d /dev/null -s /sbin/nologin user2

How do I modify or delete the account configuration?

Modify the GID and name of a group. This changes the GID to 10000 and renames group2 to group3:

groupmod -g 10000 -n group3 group2

Delete group:

groupdel group2

Modify the account attributes. This command changes the login shell of user1 to ksh, the home directory to /home/test, and the initial group to group3:

usermod -s /bin/ksh -d /home/test -g group3 user1

Delete account:

userdel user1

If a user belongs to several groups at the same time, the user can switch between them so that the same account acts with the permissions of a different group:

newgrp root

Refer to the help of useradd, groupadd, usermod, groupmod, userdel and groupdel.

Password management

A password is the key for access to an account. However a user logs on, the password must be entered before computer resources can be used, so an interactive account should normally have a password set. There are two ways to set a user's password: use the -p parameter to set the initial password when the account is created, or use the passwd command to change the password of an existing account. Ordinary users can only change the password of their own account, while root can change the password of any account.

Specify the password when creating the account:

useradd -u 100 -g group2 -d /home/user2 -s /bin/bash -p jlkdakfdf user2

The password given when the account is created this way appears in clear text on the command line. Although Linux will eventually encrypt it, this method is still not secure, and the second method is recommended.
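The -p option of useradd (and usermod) expects the password already in crypt(3) form, as useradd(8) documents, so the value to pass is a hash, not the clear-text word. The following added example (not from the article) generates a SHA-512 crypt hash with openssl, reading the clear text from stdin so it does not appear on the openssl command line, and checks the hash shape before it is handed to useradd; it assumes the openssl command is installed and uses a constructed salt.

```shell
#!/bin/sh
# Added example: produce the crypt(3) SHA-512 hash that useradd -p expects.
# Assumes the openssl command is available; the salt below is constructed.

# make_password_hash PASSWORD SALT -> "$6$<salt>$<hash>"
# The password is fed on stdin so it is not visible in the process list.
make_password_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# Check the shape of a hash before giving it to useradd: SHA-512 crypt is
# "$6$", up to 16 salt characters, "$", then 86 characters of hash.
is_sha512_crypt() {
    printf '%s\n' "$1" | grep -Eq '^\$6\$[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]{86}$'
}

# Stand-alone run. Creating the account itself needs root, so that step is
# only shown as a comment; the hash, not the clear text, is what -p receives.
hash=$(make_password_hash 'example-only-password' 'c0nstructedSalt1')
is_sha512_crypt "$hash" && echo "hash has the expected SHA-512 crypt form"
# useradd -u 100 -g group2 -d /home/user2 -s /bin/bash -p "$hash" user2
```

The clear text still passes through the shell that runs this script, which is why the article's second method (passwd, or chpasswd reading from a protected file) remains preferable to -p.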

Change the account password:

(svnenv) user2@d076cf119be7:/mnt/share$ passwd
Current password:
New password:
Retype new password:
passwd: password updated successfully

The user is first prompted for the current password, then enters the new password and confirms it. The password should be 6 to 8 characters long and include one or more characters from each of the following sets:

lowercase letters

the digits 0 to 9

punctuation marks

Take care not to include the system's default erase or termination characters; passwd will reject any unsuitable password.

Refer to the help of passwd.

Where is the system account information and password information stored?

If you want to know all the users and groups in the system, the easiest way is to look at the data files related to user management: /etc/passwd, /etc/shadow, /etc/group and so on. /etc/passwd and /etc/group are generally readable by all users, while /etc/shadow is restricted and not readable by ordinary users.

/etc/passwd

Don't be misled by the file name: it did once hold the passwords, but today it mainly holds the user configuration. This file lists all the accounts of the system, both system accounts and ordinary accounts:

# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
user2:x:1007:1007::/home/user2:/bin/bash
user1:x:1008:1008::/home/user1:/bin/bash

Each record corresponds to one account and its attributes and is divided by colons (":") into seven fields:

User name:password:user identification number:group identification number:comment:home directory:login Shell

User name: a string of uppercase and lowercase letters and digits naming the user's account. It cannot contain a colon (:), because the colon is the field delimiter. For compatibility, it is best not to include a dot (.) in the login name and not to start it with a hyphen (-) or a plus sign (+).

Password: although this field stores only an encrypted form of the user's password, not clear text, it is still a security concern because /etc/passwd is readable by all users. Therefore many Linux systems (such as SVR4) now use shadow technology: the real encrypted password is stored in /etc/shadow, and only a special character such as "x" or "*" is stored in the password field of /etc/passwd.

User identification number: the UID, which identifies the user and corresponds one-to-one with the user name. The UID ranges for system users and ordinary users are defined in the configuration file /etc/login.defs. When adding an account with useradd, if the specified UID is already in use, useradd reports an error such as "UID 1008 is not unique".

Group identification number: this field holds the user's initial (primary) group and corresponds to a record in /etc/group; additional groups are not recorded here.

Comment: for example the user's real name, phone number, address and so on. This field has no functional use, and its format is not uniform across Linux systems; on many of them it holds an arbitrary descriptive annotation.

Home directory: the initial working directory of the user, that is, the directory the user is in after logging in. On most systems every user's home directory is placed under the same parent directory and named after the user's login name. Each user has read, write and execute (search) rights on his own home directory; other users' access to it is set case by case. When useradd adds a new account, it creates a directory with the account name under /home by default; if the -d parameter specifies a home directory, that directory is used instead.

Login Shell: after logging in to Linux, the user needs a process that passes the user's operations to the kernel. This process is the command interpreter, or a specific program that runs after the user logs in to the system, namely the Shell. The Shell is the interface between the user and the Linux system. There are many kinds of Shell for Linux, each with its own characteristics; the commonly used ones are sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell) and so on. The login Shell can also be set to a specific program that is not a command interpreter. Using this feature, a user can be restricted to running only the specified application; when the application finishes, the user is automatically logged out of the system.
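The UID ranges from /etc/login.defs and the field rules above can be checked mechanically. The following added example (not from the article) classifies /etc/passwd records as system or ordinary by the login.defs ranges and reports the problems an administrator would want to catch: malformed records, empty password fields, extra UID 0 accounts, duplicate UIDs and system accounts that still have an interactive shell. Both inputs are constructed samples; the last three passwd records are deliberately faulty.

```shell
#!/bin/sh
# Added example: audit passwd records against login.defs ranges and field rules.
# LOGIN_DEFS and PASSWD are constructed sample data, not a real system's files.
LOGIN_DEFS='UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999'

PASSWD='root:x:0:0:Superuser:/:/bin/sh
daemon:x:1:1:System daemons:/etc:/sbin/nologin
svc:x:500:500:Service account:/var/svc:/bin/bash
user2:x:1007:1007::/home/user2:/bin/bash
user1:x:1008:1008::/home/user1:/bin/bash
user9:x:1008:1008::/home/user9:/bin/bash
toor::0:0:copy of root:/root:/bin/bash
broken:x:1010::/home/broken'

# defs_get KEY TEXT -> value of KEY in a login.defs-style text (first match wins)
defs_get() { printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'; }

# audit_passwd DEFS PASSWD -> one line per finding plus a summary; exit 1 if any finding
audit_passwd() {
    defs_text=$1; passwd_text=$2
    printf '%s\n' "$passwd_text" | awk -F: \
        -v uid_min="$(defs_get UID_MIN "$defs_text")" -v uid_max="$(defs_get UID_MAX "$defs_text")" \
        -v sys_min="$(defs_get SYS_UID_MIN "$defs_text")" -v sys_max="$(defs_get SYS_UID_MAX "$defs_text")" '
    NF != 7 { print "malformed record (" NF " fields): " $0; bad++; next }
    $1 ~ /^[-+]/ { print "login starts with - or +: " $1; bad++ }
    $2 == "" { print "empty password field, no password needed: " $1; bad++ }
    $3 == 0 && $1 != "root" { print "non-root account with UID 0: " $1; bad++ }
    seen[$3]++ == 1 { print "duplicate UID " $3 ": " $1; bad++ }
    $3 >= sys_min && $3 <= sys_max && $7 !~ /(nologin|false)$/ { print "system account with interactive shell: " $1 " (" $7 ")"; bad++ }
    $3 >= uid_min && $3 <= uid_max { ordinary++ }
    END { printf "%d ordinary account(s), %d finding(s)\n", ordinary, bad; exit (bad > 0) }'
}

# Stand-alone run on the sample data.
audit_passwd "$LOGIN_DEFS" "$PASSWD" || echo "audit found problems (exit status $?)"
```

On a real system the same functions can be fed "$(cat /etc/login.defs)" and "$(cat /etc/passwd)"; the UID 0 and empty-password checks are the ones worth alerting on.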

/etc/group

This file holds information about all user groups. Each user belongs to a user group; a group can contain several users, and a user can belong to several groups. When a user is a member of several groups at the same time, the primary group is recorded in /etc/passwd, that is, the default group at login, and the other groups are called additional groups. When a user wants to access files that belong to an additional group, the newgrp command is used first to become a member of that group.

$ cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
user2:x:1007:
user1:x:1008:
user3:x:1009:
user4:x:1010:
user5:x:1011:user1,user2

Each record in this file is divided by colons into four fields:

Group name:password:group identification number:list of users in the group

Group name: composed of letters and numbers, following rules similar to the user name; group names cannot be repeated.

Password: groups normally do not set a password, so this field is empty, x, or *.

Group identification number: the GID; the GID ranges of system groups and ordinary groups are defined in /etc/login.defs.

List of users in the group: all users who belong to this group, separated by commas. This group may be the user's primary group or an additional group.
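Because the primary group lives in /etc/passwd and the additional groups in /etc/group, a user's full group membership (and the set of users who can act with a given group, for instance via newgrp) has to be assembled from both files. The following added example (not from the article) does that over constructed sample data, including the user5 group from the listing above with members user1 and user2.

```shell
#!/bin/sh
# Added example: combine /etc/passwd (primary GID) with /etc/group (members).
# GROUP and PASSWD are constructed sample data, not a real system's files.
GROUP='root:x:0:
adm:x:4:
user2:x:1007:
user1:x:1008:
user5:x:1011:user1,user2
admin:x:2000:user2'
PASSWD='root:x:0:0:Superuser:/:/bin/sh
user2:x:1007:1007::/home/user2:/bin/bash
user1:x:1008:1008::/home/user1:/bin/bash
svc:x:500:1011:Service account:/var/svc:/sbin/nologin'

# user_groups LOGIN PASSWD GROUP -> "primary:<name> additional:<g1,g2,...>"
user_groups() {
    awk -v user="$1" -v passwd="$2" -v group="$3" 'BEGIN {
        np = split(passwd, pl, "\n")
        for (i = 1; i <= np; i++) { split(pl[i], f, ":"); if (f[1] == user) pgid = f[4] }
        if (pgid == "") { print "no such user: " user; exit 1 }
        ng = split(group, gl, "\n")
        for (i = 1; i <= ng; i++) {
            split(gl[i], g, ":")                  # name:password:gid:member list
            if (g[3] == pgid) primary = g[1]
            nm = split(g[4], m, ",")
            for (j = 1; j <= nm; j++) if (m[j] == user) extra = extra (extra == "" ? "" : ",") g[1]
        }
        print "primary:" primary " additional:" extra
    }'
}

# group_members NAME PASSWD GROUP -> users whose primary GID is NAME's GID,
# followed by the additional members listed in /etc/group (who newgrp admits).
group_members() {
    awk -v name="$1" -v passwd="$2" -v group="$3" 'BEGIN {
        ng = split(group, gl, "\n")
        for (i = 1; i <= ng; i++) { split(gl[i], g, ":"); if (g[1] == name) { gid = g[3]; extra = g[4] } }
        if (gid == "") { print "no such group: " name; exit 1 }
        np = split(passwd, pl, "\n")
        for (i = 1; i <= np; i++) { split(pl[i], f, ":"); if (f[4] == gid) out = out (out == "" ? "" : ",") f[1] }
        if (extra != "") out = out (out == "" ? "" : ",") extra
        print out
    }'
}

# Stand-alone run: who user2 is, and who can act as group user5.
user_groups user2 "$PASSWD" "$GROUP"
group_members user5 "$PASSWD" "$GROUP"
```

Running group_members over root, wheel or sudo on a real system is a quick way to see who can reach those groups with newgrp.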

/etc/shadow

Each record line in /etc/shadow corresponds one-to-one with a record in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd. Its format is similar to /etc/passwd and consists of several fields separated by ":". The fields are:

Login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field

Login name: the user account.

Encrypted password: the user's encrypted password. This field may be blank, in which case no password is required to authenticate the login.

Date of the last password change: expressed as the number of days since January 1, 1970. An empty field indicates that password aging is disabled.

Minimum password age: the number of days that must pass after a password change before the user may change it again.

Maximum password age: the number of days after which the user must change the password. After that many days the password may still be valid, but the user should be asked to change it at the next login. An empty field means there is no maximum password age, no password warning period and no password inactivity period. If the maximum password age is lower than the minimum password age, the user cannot change the password.

Password warning period: the number of days before the password officially expires during which the system warns the user.

Password inactivity period: the number of days after the password has expired during which the account still remains valid.

Account expiration date: an absolute date, given as a number of days since January 1, 1970. If this field is used, it sets the lifetime of the account: after that date the account is no longer a valid account and can no longer be used to log in.
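The aging fields above only make sense in combination (last change plus maximum age gives the expiry day, plus the inactivity period gives the day logins stop, and the account expiration date overrides all of that). The following added example (not from the article) evaluates those fields for each record of a constructed /etc/shadow sample, following shadow(5); "today" is passed in as days since 1970-01-01 so the result is reproducible, and the hashes are placeholders, not real password hashes.

```shell
#!/bin/sh
# Added example: interpret the aging fields of /etc/shadow records.
# SHADOW is constructed sample data; the hashes are placeholders.
SHADOW='root:$6$PLACEHOLDER$notarealhash:17637:0:99999:7:::
user1:$6$PLACEHOLDER$notarealhash:17595:0:90:7:::
user2:$6$PLACEHOLDER$notarealhash:17000:0:90:7:30::
guest::17637:0:99999:7:::
svc:!$6$PLACEHOLDER$notarealhash:17637:0:99999:7:::
temp:$6$PLACEHOLDER$notarealhash:17637:0:99999:7::17650:
stuck:$6$PLACEHOLDER$notarealhash:17637:30:10:7:::
odd:$6$PLACEHOLDER$notarealhash:17637'

# shadow_status TODAY SHADOW -> one "login: status" line per record,
# where TODAY is the current day as days since 1970-01-01.
shadow_status() {
    printf '%s\n' "$2" | awk -F: -v today="$1" '
    NF < 8 { print $1 ": malformed record (" NF " fields)"; next }
    {
        last = $3; min = $4; max = $5; warn = $6; inactive = $7; expire = $8
        if ($2 == "")           status = "no password set: login needs no password"
        else if ($2 ~ /^[!*]/)  status = "locked: password field disabled with ! or *"
        else if (last == "")    status = "password aging disabled"
        else if (last == 0)     status = "must change password at next login"
        else if (max != "" && min != "" && max < min) status = "maximum age below minimum age: user cannot change password"
        else if (expire != "" && today >= expire) status = "account expired"
        else if (max != "" && today > last + max) {
            status = "password expired"
            if (inactive != "" && today > last + max + inactive) status = status ", inactivity period over: login disabled"
        } else if (max != "" && warn != "" && today >= last + max - warn) {
            status = "password expires in " (last + max - today) " day(s)"
        } else                  status = "ok"
        print $1 ": " status
    }'
}

# Stand-alone run with the real current day.
shadow_status "$(( $(date +%s) / 86400 ))" "$SHADOW"
```

Accounts whose status is "no password set" or "password expired, inactivity period over" but that still have an interactive shell in /etc/passwd are the ones to review first.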

$ cat /etc/shadow
[the shadow output in the source is garbled and is omitted; each line follows the field layout described above]

The article "how to manage accounts well in linux" ends here. I hope the above content has been helpful to you and that you have learned something; if you think the article is good, please share it for more people to see.
