2025-02-05 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
1. Users and user group files
In Linux, user accounts, user passwords, user group information and user group passwords are stored in different configuration files.
In a Linux system, each created user account and its related information (except the password) is stored in the /etc/passwd configuration file. Because all users have read access to the passwd file, the password information is not saved in that file but in the /etc/shadow configuration file.
In the passwd file, each line defines one user account. A line consists of several fields separated by ":", and each field describes one aspect of the account.
A freshly installed Linux system already has many accounts in the passwd configuration file. These accounts are created automatically by the system; they are the accounts that Linux processes or service programs need in order to work properly. The last field of these accounts is generally /sbin/nologin, indicating that the account cannot be used to log in to the Linux system.
In the passwd configuration file, the correspondence and meaning of the fields from left to right:
Because passwd no longer stores password information, the password field holds the placeholder x.
To prevent a user account from logging in to Linux, simply set the shell used by the user to /sbin/nologin. For example, FTP accounts are generally only allowed to log in to and access the FTP server, not the Linux operating system. To deny a user telnet privileges, that is, to stop the user from logging in remotely to the Linux operating system with telnet, set the shell used by the user to /bin/true. To deprive a user of both telnet and ftp login privileges, set the user's shell to /bin/false.
If /bin/true or /bin/false is not listed in the /etc/shells file, you need to add it manually:
[root@localhost ~]# echo "/bin/false" >> /etc/shells
[root@localhost ~]# echo "/bin/true" >> /etc/shells
2. User password file
For security reasons, the user's real password is encrypted (hashed) with the MD5 algorithm and saved in the /etc/shadow configuration file, which can only be read by the root user.
Like the passwd file, the shadow file defines and stores the information for one account per line. The first field is the user account name, and the second field is the account password.
3. User group account file
The user group account information is saved in the /etc/group configuration file and can be read by any user. The real password for the user group is saved in the /etc/gshadow configuration file.
In the group file, the first field is the name of the user group, the second field is x, the third is the ID number of the user group, and the fourth is the list of members of the user group, separated by commas.
4. Add users
Create or add a new user using the useradd command, which is used as follows:
useradd [option] username
This command has many options; the most commonly used are:
-c comment           comment text to attach to the account
-d home directory    specifies the home directory, replacing the default /home/username
-m                   if the home directory does not exist, create it. -r and -m are combined to create a home directory for a system account
-M                   does not create a home directory
-e date              specifies the date on which the account expires. Date format is MM/DD/YY
-f days              the account will be permanently suspended this many days after it expires. If specified as 0, it is suspended immediately; if -1, this function is turned off
-g user group        specifies the user group the user joins; the user group must already exist
-G user group list   specifies the list of user groups the user joins at the same time; the groups are separated by commas
-n                   do not create a private user group for the user
-s shell             specifies the shell that the user uses when logging in. The default is /bin/bash
-r                   create a system account with a user ID less than 500. The corresponding home directory is not created by default
-u user ID           manually specifies the ID value for the new user, which must be unique and greater than 499
-p password          specifies the login password for the newly created user. The value given here is the password value obtained after the login password has been encrypted with MD5, not the original password. In practice this option is therefore rarely used; the passwd command is normally used separately to set the user's login password.
Example:
To create a user named nisj as a member of the babyfish user group, the command is:
[root@localhost ~]# useradd -g babyfish nisj
[root@localhost ~]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost ~]# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
When adding a user, if the user group is not specified with the -g parameter, a private user group with the same name as the user account is created automatically by default. If you do not want the private user group to be created, use the -n parameter.
For example, if you add an account named nsj820 without specifying a user group, the result is:
[root@localhost ~]# useradd nsj820
[root@localhost ~]# id nsj820
uid=503(nsj820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj820:x:503:503::/home/nsj820:/bin/bash
[root@localhost ~]# tail -2 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
nsj820:x:503:503::/home/nsj820:/bin/bash    # the system automatically creates a user group named nsj820 with ID number 503
When a user account is created, the system automatically creates the corresponding home directory. The directory is placed under /home by default; to change the location, specify it with the -d parameter. The shell used by the user when logging in defaults to /bin/bash; to change it, use the -s parameter.
For example, to create an account named vodup, place its home directory under /var, and set its login shell to /sbin/nologin, the command is:
[root@localhost ~]# useradd -d /var/vodup -s /sbin/nologin vodup
[root@localhost ~]# id vodup
uid=504(vodup) gid=504(vodup) groups=504(vodup)
[root@localhost ~]# tail -1 /etc/passwd
vodup:x:504:504::/var/vodup:/sbin/nologin
[root@localhost ~]# tail -1 /etc/group
vodup:x:504:
5. Set account properties
For users that have already been created, you can use the usermod command to modify various properties of the account, including the login name, home directory, user group, login shell, and so on. The command is used as follows:
usermod [option] username
Some of the options:
(1) Change the user account name
Use the -l parameter. The command usage is:
usermod -l new_user_name original_user_name
For example, to rename the user nsj820 to nsj0820, the command is:
[root@localhost ~]# usermod -l nsj0820 nsj820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj820:/bin/bash
As the output shows, the user name has been changed to nsj0820, but the home directory is still the original /home/nsj820. If you also want to change it to /home/nsj0820, execute the following commands:
[root@localhost ~]# usermod -d /home/nsj0820 nsj0820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj0820:/bin/bash
[root@localhost home]# mv /home/nsj820 /home/nsj0820
(2) Lock the account
To temporarily prevent a user from logging in, lock the user account. Locking an account is done with the -L parameter, and the command usage is:
usermod -L account_to_lock
Linux locks the user by adding "!" in front of the password field in the shadow password file, which marks the user as locked.
[root@localhost home]# usermod -L nsj0820
[root@localhost home]# tail -1 /etc/shadow
nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
However, if you log in as the root user and then su to the locked user, you can still enter.
(3) Unlock the account
To unlock an account, use the usermod command with the -U parameter.
[root@localhost ~]# usermod -U nsj0820
[root@localhost ~]# tail -1 /etc/shadow
nsj0820:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
6. Delete the account
To delete an account, use the userdel command, which is used as follows:
userdel [-r] account_name
-r is optional. If it is given, the home directory of the account is deleted together with the account.
[root@localhost ~]# userdel -r nsj0820
To set the time after which all user account passwords expire, modify the value of the PASS_MAX_DAYS configuration item in the /etc/login.defs configuration file. It defaults to 99999, which means that user account passwords never expire. The PASS_MIN_LEN configuration item specifies the minimum length of the account password and defaults to 5 characters.
7. Set the user login password
Use the passwd command to set it. The command usage is:
passwd [account_name]
If an account name is given, the login password of that account is set and the original password is overwritten. Only the root user has the right to set the password of a specified account. Ordinary users can only set or change the password of their own account (by running the command without parameters).
For example, to set the login password for the nisj account, the command is:
[root@localhost home]# passwd nisj
Changing password for user nisj.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
After the account login password is set, the account can log in to the system.
8. Lock / unlock the account password, query the password status, delete the account password
In Linux, in addition to locking the user account, the account password can also be locked; if either one is locked, the user cannot log in to the system. Only the root user has the right to execute this command. Use the passwd command with the -l option to lock the account password as follows:
passwd -l account_name
passwd -u account_name    # unlock the account password
[root@localhost home]# passwd -l nisj
Locking password for user nisj.
passwd: Success
[root@localhost home]# passwd -u nisj
Unlocking password for user nisj.
passwd: Success
To query whether the password of an account is locked, use the passwd command with the -S parameter, as follows:
passwd -S account_name
For example:
[root@localhost home]# passwd -S nisj
nisj PS 2016-04-18 99999 7 -1 (Password set, MD5 crypt.)
To delete the password of an account, use the passwd command with the -d parameter, which only the root user has the right to execute. Its usage is as follows:
passwd -d account_name
After the account password is deleted, you will not be able to log in to the system unless the password is reset.
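The account states described in sections 1, 2, 5 and 8 can be read back from the files themselves. The following is an added example, not part of the original article: it classifies each account by its shadow password field ("!" prefix, $1$ MD5 marker, empty field) and its login shell, and lists login-capable accounts whose password field is empty or an MD5-crypt hash. The sample passwd and shadow lines are constructed, the hashes are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: account audit over passwd(5)/shadow(5)-format files.
# All sample lines below are constructed; the hashes are placeholders.

write_sample() {   # write_sample DIR: create DIR/passwd and DIR/shadow
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nisj:x:502:500::/home/nisj:/bin/bash
nsj0820:x:503:503::/home/nsj0820:/bin/bash
vodup:x:504:504::/var/vodup:/sbin/nologin
stu:x:505:506::/home/stu:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$PLACEHOLDERHASH:16910:0:99999:7:::
ftp:*:16900:0:99999:7:::
nisj:$1$constructed$PLACEHOLDERHASH:16910:0:99999:7:::
nsj0820:!$1$constructed$PLACEHOLDERHASH:16910:0:99999:7:::
vodup:!!:16910:0:99999:7:::
stu::16910:0:99999:7:::
EOF
}

# audit_accounts PASSWD SHADOW: print "name uid login|nologin state" per account
audit_accounts() {
    awk -F: '
        NR == FNR {                              # first file: shadow
            p = $2
            if (p == "")               s = "EMPTY"     # empty field (passwd -d)
            else if (p ~ /^[!*]+$/)    s = "NOPASSWD"  # no usable hash at all
            else if (p ~ /^!/)         s = "LOCKED"    # "!" in front of a hash
            else if (p ~ /^\$1\$/)     s = "MD5"       # $1$ marks MD5 crypt
            else                       s = "OTHER"
            state[$1] = s
            next
        }
        {                                        # second file: passwd
            shell = ($7 ~ /\/(nologin|false|true)$/) ? "nologin" : "login"
            print $1, $3, shell, (($1 in state) ? state[$1] : "NOSHADOW")
        }
    ' "$2" "$1"
}

# risky_accounts PASSWD SHADOW: login-capable accounts with an empty or MD5 password
risky_accounts() {
    audit_accounts "$1" "$2" |
        awk '$3 == "login" && ($4 == "EMPTY" || $4 == "MD5") { print $1 ":" $4 }'
}

dir=$(mktemp -d)
write_sample "$dir"
audit_accounts "$dir/passwd" "$dir/shadow"
risky_accounts "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On a real system the same functions can be run as root against /etc/passwd and /etc/shadow.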
9. Create a user group
Users and user groups belong to a many-to-many relationship. A user can belong to multiple user groups at the same time, and a user group can contain many different users.
Create a user group using the groupadd command, which is used as follows:
groupadd [-r] group_name
If the command is given the -r parameter, it creates a system user group whose GID value is less than 500; without the -r parameter, it creates a normal user group whose GID value is greater than or equal to 500.
10. Modify user group attributes
After a user group is created, its attributes can be modified as needed. Modifying user group attributes mainly means changing the name and the GID value of the user group.
(1) Change the name of the user group
To rename a user group, use the groupmod command with the -n parameter, as follows:
groupmod -n new_group_name original_group_name
Renaming a user group does not change its GID value.
For example, to rename the student user group to teacher, the commands are:
[root@localhost home]# groupadd student
[root@localhost home]# tail -1 /etc/group
student:x:505:
[root@localhost home]# groupmod -n teacher student
[root@localhost home]# tail -1 /etc/group
teacher:x:505:
(2) Reset the GID of a user group
The GID value of a user group can be changed, but it cannot duplicate the GID value of an existing user group. Changing the GID does not change the name of the user group.
To modify the GID of a user group, use the groupmod command with the -g parameter:
groupmod -g new_GID group_name
For example, to change the GID of the teacher group to 506, the command is:
[root@localhost home]# groupmod -g 506 teacher
[root@localhost home]# tail -1 /etc/group
teacher:x:506:
11. Delete user groups
Delete a user group with the groupdel command, which is used as follows:
groupdel group_name
The user group being deleted cannot be the private user group of an account; otherwise it cannot be deleted. To delete such a group, first delete the account that references the private user group, then delete the user group.
[root@localhost home]# groupdel teacher
[root@localhost ~]# grep teacher /etc/group    # no output: the teacher user group no longer exists, so it was deleted successfully
12. Add users to / remove users from specified groups
You can add users to a specified group to make them members of that group. The implementation command is:
gpasswd -a user_account group_name
To remove a user from a user group, the command is:
gpasswd -d user_account group_name
For example:
[root@localhost home]# groupadd student
[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish),505(student)
[root@localhost home]# gpasswd -d nisj student
Removing user nisj from group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost home]# groups nisj
nisj : babyfish
13. Set up a user group administrator
Adding a user to a group and removing a user from a group can be performed by the user group administrator as well as by the root user.
To assign a user as the administrator of a user group, use the following command:
gpasswd -A user_account group_to_manage
Command function: sets the specified user as the administrator of the specified user group. The group administrator can only manage the user groups they are authorized for (adding users to or removing users from the group) and has no right to manage other user groups.
[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# gpasswd -A nisj student
[root@localhost home]# useradd stu
[root@localhost home]# gpasswd -a stu student
Adding user stu to group student
[root@localhost home]# groups stu
stu : stu student
[root@localhost home]# su - nisj
[nisj@localhost ~]$ gpasswd -d stu student
Removing user stu from group student
[nisj@localhost ~]$ gpasswd -d stu stu
gpasswd: Permission denied.
14. Other related commands
In addition, Linux provides commands such as id, whoami and groups to view the status of users and groups. The id command displays the uid and gid of the current user and the list of user groups the user belongs to; whoami shows the name of the current user; groups shows the user groups to which the specified user belongs.
Users and user groups can also be managed through the graphical interface: System -> Manage -> Users and Groups opens the corresponding configuration interface.
Attachment: users can also be added to a group as follows
To add a user to a user group, never directly use:
usermod -G groupA
Doing so will cause you to leave all other user groups and be a member of groupA only.
You should use the -a option:
usermod -a -G groupA user
(FC4: usermod -G groupA,groupB,groupC user)
-a stands for append, which means adding yourself to the user group groupA without having to leave other user groups.
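The effect of leaving out -a can be checked before the change is made. The following is an added example, not part of the original article: it reads a group(5)-format file and lists the memberships that usermod -G with a given group list would remove from a user. The group file content is constructed (wheel is an assumed extra group) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for "usermod -G" against a group(5)-format file.
# The group file content is constructed; wheel is an assumed extra group.

write_groups() {   # write_groups FILE: create a sample group file
    cat > "$1" <<'EOF'
babyfish:x:500:
wheel:x:10:nisj
student:x:505:nisj,stu
groupA:x:507:
EOF
}

# supplementary_groups USER GROUPFILE: groups whose member list (field 4) names USER
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# dropped_without_a USER NEWLIST GROUPFILE: memberships that
# "usermod -G NEWLIST USER" (without -a) would remove from USER
dropped_without_a() {
    supplementary_groups "$1" "$3" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        !($1 in want)'
}

f=$(mktemp)
write_groups "$f"
echo "nisj is currently in: $(supplementary_groups nisj "$f" | tr '\n' ' ')"
echo "usermod -G groupA nisj would drop: $(dropped_without_a nisj groupA "$f" | tr '\n' ' ')"
echo "usermod -a -G groupA nisj drops nothing"
rm -f "$f"
```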