2025-04-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
1. Basic introduction to Linux user and group management
1. Anyone who wants to use a Linux system needs an account, which the administrator creates; managing these accounts is user management. A group is a collection of accounts. Managing users through groups makes administration more efficient and the system more secure: for example, the members of one department can be placed in one group and permissions granted to that group, so they share resources while people in other departments cannot read or damage them.
2. User and group management covers:
Adding, deleting and modifying user accounts
Adding and deleting group accounts, changing their permissions, and adding and removing group members
Managing user account passwords and group account passwords
3. Users are divided into the administrator (root) and ordinary users; ordinary users are further divided into system users and login users. Linux identifies a user by the numeric user ID (UID), not by the user name: the administrator has UID 0, and any account with UID 0 is root to the kernel no matter what it is called, which is why auditing /etc/passwd for additional UID 0 entries is a standard check. Ordinary users take UIDs from the ranges set in /etc/login.defs: system users use 1-499 on CentOS 6 and 1-999 on CentOS 7, login users start at 500 on CentOS 6 and at 1000 on CentOS 7. The traditional upper bound was 65535; modern kernels accept 32-bit UIDs.
4. Groups are correspondingly divided into the administrator group and ordinary groups, and ordinary groups into system groups and login groups. The system identifies a group by its numeric group ID (GID), whose ranges follow the user ID ranges above. A user can belong to several groups, so groups are also divided into the user's primary group (basic group) and additional (supplementary) groups. By default the primary group has the same name as the user and contains only that user; every other group the user belongs to is a supplementary group. A user has exactly one primary group and any number of supplementary groups.
2. Configuration files for users and groups
1. /etc/passwd
This file records the basic information of each Linux user. Every line is one account, divided into 7 fields by colons ":"; the format is documented in passwd(5):
account:password:UID:GID:GECOS:directory:shell
account: the user (login) name
password: early systems stored the password hash here, but because everyone can read /etc/passwd this was insecure, so the hash was moved to /etc/shadow, which only root can read. This field now usually holds the placeholder "x", meaning "look in /etc/shadow"; an empty field means no password is required to log in
UID: the user ID
GID: the ID of the user's primary group
GECOS: comment information about the user (full name, office, phone)
directory: the user's home directory
shell: the shell started when the user logs in; /sbin/nologin or /bin/false is used for accounts that must not log in interactively
Taking the root account as an example:
root:x:0:0:root:/root:/bin/bash
2. /etc/shadow
This file records the users' password information. Each line has nine fields separated by colons ":", see shadow(5):
login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field
login name: the login user name
encrypted password: the password hash in crypt(3) format ($1$ is MD5, $5$ SHA-256, $6$ SHA-512; the part between the second and third "$" is the salt). If the field starts with "!" the password is locked (passwd -l and usermod -L prepend it); "*" means no password login is possible, as for system accounts; "!!" on Red Hat systems means no password was ever set. An empty field means the account can log in without a password
date of last password change: the day the password was last changed, counted in days since January 1, 1970 (not a date on which it may be changed)
minimum password age: the number of days after a change during which the password cannot be changed again; 0 means it can be changed at any time
maximum password age: the number of days after which the password must be changed. The default 99999 effectively means the password never expires
password warning period: the number of days before the password expires during which the user is warned at login; 7 by default
password inactivity period: the grace period after the password expires. During these days the old password is still accepted, but the user must change it at login; once they have elapsed, logins with that password are refused. An empty field means no limit
account expiration date: the day, in days since January 1, 1970, on which the account itself is disabled regardless of the password state. An empty field means the account never expires; the value 0 should not be used, because shadow(5) warns it is interpreted either as "no expiration" or as "expired on January 1, 1970"
reserved field: reserved for future use
Taking root as an example:
root:$6$JPIUZBv/rrjJRRvU$8oTHpJ04gHA7iwWK7Ea6DMSQJmo01JJd4ClwJUEMFeyavOPdxFRpGpmjzYZd4PZNMQpK4qot4acCyyRlV6.hP.:17002:0:99999:7:::
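The following is an added example, not part of the original article: a POSIX shell script that applies the field definitions above to an offline copy of /etc/passwd and /etc/shadow and reports the records an auditor looks for first: a second UID 0 account, an empty password field, an interactive account whose password never expires, and hashes in the obsolete DES or MD5 formats. The two samples are constructed for the example and the hashes are placeholders, not real digests; on a live system run it as root and pass "$(cat /etc/passwd)" "$(cat /etc/shadow)".

```shell
#!/bin/sh
# Added example: offline audit of passwd(5)/shadow(5) records.
# Sample data is CONSTRUCTED for this example; hashes are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0::/root:/bin/bash
haha:x:2048:2048::/testdir/:/bin/csh
guest:x:1001:1001::/home/guest:/bin/bash'

SAMPLE_SHADOW='root:$6$Zs1q/7Rk$c0nstructedSha512PlaceholderHash:17002:0:99999:7:::
bin:*:17002:0:99999:7:::
backdoor:$1$Epulz/Ew$c0nstructedMd5Hash:17002:0:99999:7:::
haha:!!:17015:0:60:7:5::
guest::17015:0:99999:7:::'

# audit_accounts PASSWD_TEXT SHADOW_TEXT
# Prints one finding per line, "<CODE> <login>", sorted so output is stable:
#   UID0      another UID 0 account besides root (a second root)
#   EMPTYPW   empty shadow password field: login with no password at all
#   NOMAXAGE  interactive account with a real hash whose max age is 99999 (never)
#   WEAKHASH  DES (13-char) or MD5-crypt ($1$) hash still in use
audit_accounts() {
    awk -v passwd="$1" -v shadow="$2" 'BEGIN {
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) {
            if (pl[i] == "") continue
            split(pl[i], f, ":")
            shell[f[1]] = f[7]
            if (f[3] + 0 == 0 && f[1] != "root") print "UID0 " f[1]
        }
        n = split(shadow, sl, "\n")
        for (i = 1; i <= n; i++) {
            if (sl[i] == "") continue
            split(sl[i], f, ":")
            name = f[1]; hash = f[2]; c = substr(hash, 1, 1)
            maxage = (f[5] == "") ? 99999 : f[5] + 0
            interactive = (shell[name] != "/sbin/nologin" &&
                           shell[name] != "/usr/sbin/nologin" &&
                           shell[name] != "/bin/false")
            if (hash == "") print "EMPTYPW " name
            if (c == "$" && interactive && maxage >= 99999) print "NOMAXAGE " name
            if (substr(hash, 1, 3) == "$1$") print "WEAKHASH " name
            else if (c != "$" && c != "!" && c != "*" && length(hash) == 13) print "WEAKHASH " name
        }
    }' | LC_ALL=C sort
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Locked entries ("!" or "*") are deliberately not reported as weak or never-expiring: they cannot authenticate with a password at all, so their hash format no longer matters.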
3. /etc/group
This file records information about groups. Each line has four fields separated by colons ":", see group(5):
group_name:password:GID:user_list
group_name: the group name
password: the group password; usually "x", because the hash, if any, is kept in /etc/gshadow
GID: the group ID
user_list: the comma-separated list of users who have this group as a supplementary group. Users whose primary GID is this group are not listed here; that membership is recorded only in the GID field of /etc/passwd
Taking root as an example:
root:x:0:gentoo
4. /etc/gshadow
This file records group password information. Each line has four fields separated by colons ":", see gshadow(5):
group name:encrypted password:administrators:members
group name: the group account name
encrypted password: the hashed group password. If it is empty or not a valid crypt(3) result (for example "!"), non-members cannot use a password to join the group with newgrp; members never need one
administrators: comma-separated group administrators, who may change the group password and membership with gpasswd
members: comma-separated group members, which should match the user_list in /etc/group
Taking root as an example:
root:::gentoo
5. Administrators can manage users and groups by editing these four files directly (preferably with vipw and vigr, which lock the files and keep passwd/shadow and group/gshadow consistent), or with the commands introduced below.
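As an added example (again not from the original article), the script below shows how the files above combine to decide group membership, and why an audit that only reads user_list in /etc/group is incomplete: the primary group comes from the GID field of /etc/passwd and never appears in the group file's member list. The samples are constructed; user_groups reproduces the output format of groups(1), and gid_members lists everyone who effectively belongs to a GID, here the root group, GID 0.

```shell
#!/bin/sh
# Added example: resolve group membership from passwd(5) and group(5).
# Sample data is CONSTRUCTED for this example.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
haha:x:2048:2048::/testdir/:/bin/csh
sarah:x:1001:1001::/home/sarah:/bin/bash
svc:x:1002:0::/var/lib/svc:/bin/bash'

GROUP_SAMPLE='root:x:0:haha
bin:x:1:bin,daemon,haha
users:x:100:haha
admins:x:502:haha,sarah
haha:x:2048:
sarah:x:1001:'

# user_groups USER PASSWD_TEXT GROUP_TEXT
# Same output as "groups USER": primary group (from the passwd GID) first,
# then every group whose member list names the user, in file order.
user_groups() {
    awk -v user="$1" -v passwd="$2" -v group="$3" 'BEGIN {
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) {
            split(pl[i], f, ":")
            if (f[1] == user) gid = f[4]
        }
        if (gid == "") exit 1                     # unknown user
        n = split(group, gl, "\n")
        for (i = 1; i <= n; i++) {
            split(gl[i], g, ":")
            if (g[3] == gid) primary = g[1]
            else if (index("," g[4] ",", "," user ",") > 0) supp = supp " " g[1]
        }
        print user " : " primary supp
    }'
}

# gid_members GID PASSWD_TEXT GROUP_TEXT
# Everyone who effectively has GID in their group set: the explicit member
# list from /etc/group PLUS every account whose primary GID is GID, which the
# member list does not show (svc below is in GID 0 without being listed).
gid_members() {
    awk -v gid="$1" -v passwd="$2" -v group="$3" 'BEGIN {
        n = split(group, gl, "\n")
        for (i = 1; i <= n; i++) {
            split(gl[i], g, ":")
            if (g[3] == gid) {
                m = split(g[4], ml, ",")
                for (j = 1; j <= m; j++) if (ml[j] != "") seen[ml[j]] = 1
            }
        }
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) {
            split(pl[i], f, ":")
            if (f[4] == gid) seen[f[1]] = 1
        }
        for (u in seen) print u
    }' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

user_groups haha "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
gid_members 0 "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

On a real host the same resolution is done for you by id, groups and getent initgroups, which also consult LDAP or other sources configured in /etc/nsswitch.conf; the point of spelling it out is that "grep root /etc/group" is not a complete list of root-group members.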
3. User management commands
1. useradd
Function:
Create a new user on the system
Syntax:
useradd [options] LOGIN
useradd -D
useradd -D [options]
Options:
-u: specify the UID of the user
-o: do not check the uniqueness of the UID; used together with -u to force a UID even if it is already in use (the new account then shares the identity of the existing one, which for UID 0 means a second root account)
-g: specify the user's primary group, by name or GID; the group must already exist
-c: set the user's comment (GECOS) information
-d: specify the home directory. It need not exist and is created automatically, but its parent directory must exist
-e: specify the account expiration date, in the format YYYY-MM-DD
-f: the number of days after the password expires until the account is permanently disabled; 0 disables the account as soon as the password expires, -1 turns this feature off
-s: specify the user's login shell
-G: specify the user's supplementary groups, separated by commas; the groups must already exist
-N: do not create a group with the same name as the user; the user gets the group named in /etc/default/useradd (GROUP=100, users) as its primary group
-r: create a system user. A system user gets no home directory by default; add -m to create one
-M: do not create a home directory
-D: without further options, display the current defaults for new users; with one of the following options, change that default:
-b: the default base directory under which new home directories are created. It has no effect when -d is given
-e: the default expiration date for new accounts
-f: the default number of inactive days after password expiry before the account is disabled
-g: the default primary group for new users, which must already exist
-s: the default login shell for new users
Note: the values changed with -D are written to /etc/default/useradd (not /etc/login.defs, which holds the UID/GID ranges and password-aging defaults), so the change is permanent.
Example:
Create a new user haha whose login shell is /bin/sh, who also belongs to the groups bin and root, whose UID is 2048 and whose home directory is /testdir/:
[root@localhost ~]# useradd -G bin,root -s /bin/sh -d /testdir/ -u 2048 haha
2. usermod
Function:
Modify the attributes of a user account
Syntax:
usermod [options] LOGIN
Options:
-u: change the user's UID
-g: change the user's primary group (GID)
-G: set the supplementary groups (they must exist); the previous supplementary groups are replaced. To keep them, use -a together with -G (-aG)
-s: change the user's login shell
-c: set new comment information
-d: set a new home directory. It is not created automatically and the files in the old home directory are not moved; add -m to create the new directory and move the old contents into it
-l: change the login name
-L: lock the user by prepending "!" to the password hash in the second field of /etc/shadow. This blocks password authentication only; to make sure the account cannot log in by any method, also expire it with -e
-U: unlock the user, removing the leading "!" from the second field of /etc/shadow
-e: set the account expiration date, in the format YYYY-MM-DD
-f: set the inactivity period, i.e. the number of days after password expiry before the account is disabled
Description:
usermod cannot change the login name of a user who is currently logged in, and when changing the UID you must make sure the user is not running any processes on the machine. Only files under the home directory are re-owned to the new UID; files owned by the user elsewhere must be changed manually.
Example:
Add the user haha to the group users without removing it from its other groups:
[root@localhost ~]# usermod -aG users haha
3. userdel
Function:
Delete a user
Syntax:
userdel [options] LOGIN
Options:
-f: force the deletion even if the user is still logged in; it also removes the home directory even when another user shares it, so use it with care
-r: also delete the user's home directory and mail spool
Example:
[root@localhost ~]# userdel -r gentoo
Note: do not use -r lightly. If the user's home directory contains important files, back them up before deleting. Files the user owned outside the home directory remain, owned by a bare UID that a future account given the same UID would inherit; find them with find / -nouser.
4. passwd
Function:
Change a user's password information. Only the administrator can change another user's password; an ordinary user can only change their own.
Syntax:
passwd [options] [username]
Options:
-l: lock the password of the specified user (prepends "!" to the hash in /etc/shadow)
-u: unlock the password of the specified user
-e: expire the password, forcing the user to change it at the next login
-n: set the minimum password age in days
-x: set the maximum password age in days
-w: set how many days before expiry the user is warned
-i: set the inactivity period, the number of days after expiry before the account is disabled
-S: display the password status of the specified user (locked/set/none, date of last change, the aging values, and the hash algorithm)
-k: keep: only update authentication tokens that have expired, leaving unexpired ones alone
-g: change a group password (obsolete; use gpasswd)
-d: delete the password. Only the administrator may do this, and it leaves the account able to log in with no password at all, so it is only appropriate for accounts that are locked by other means
--stdin: read the new password from standard input, as in:
echo "PASSWORD" | passwd --stdin USERNAME
A literal password on the command line ends up in the shell history and, briefly, in the process list; prefer feeding it from a file with restrictive permissions or from a secret store.
Example:
Lock the password of user1 and delete the password of sam:
[root@localhost ~]# passwd -l user1; passwd -d sam
5. chage
Function:
Change a user's password expiry information (fields 3 to 8 of /etc/shadow)
Syntax:
chage [options] LOGIN
Options:
-d: set the date of the last password change, as YYYY-MM-DD or as days since 1970-01-01. Setting it to 0 forces the user to change the password at the next login
-E: set the account expiration date (field 8 of /etc/shadow); after this date the account is locked whatever the password state. -1 removes the expiration
-I: set the inactivity period (field 7 of /etc/shadow), the number of days after the password expires before the account becomes unusable
-m: the minimum number of days between password changes; 0 means the password can be changed at any time
-M: the maximum number of days the password is valid
-W: the number of days before expiry on which to start warning the user
-l: display the current aging information for the account
Example, from the author's system:
(1) [root@localhost ~]# chage -l root
Last password change : never
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
(2) [root@localhost ~]# chage -I 5 user1
[root@localhost ~]# chage -l user1
Last password change : Aug 02, 2016
Password expires : Oct 01, 2016
Password inactive : Oct 06, 2016
Account expires : Jan 01, 1970
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
The dates are derived from the shadow fields: the password expires 60 days after the last change (day 17015 + 60) and becomes inactive 5 days after that. "Account expires: Jan 01, 1970" means field 8 holds 0; as noted in the /etc/shadow section, that value is ambiguous and should be replaced with a real date or cleared with chage -E -1.
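The following added example (not part of the original article) reproduces in POSIX shell what chage -l and the login-time checks do with fields 3, 5, 6, 7 and 8 of a shadow line: days_to_date converts a day count since 1970-01-01 to a calendar date without GNU date, chage_dates derives the three dates shown above, and shadow_state classifies a record on a given day the way pam_unix does (locked, account expired, password expired, disabled after the inactivity period, or inside the warning window). The shadow lines are constructed with placeholder hashes; the arithmetic is checked against the user1 output above (17015 + 60 days = Oct 01, 2016).

```shell
#!/bin/sh
# Added example: the shadow(5) aging arithmetic behind chage -l and login.
# Shadow lines below are CONSTRUCTED; hashes are placeholders.

# days_to_date DAYS: calendar date for a shadow day count (days since
# 1970-01-01). Pure awk (Hinnant's civil-from-days), so no GNU date needed.
days_to_date() {
    awk -v z="$1" 'BEGIN {
        z += 719468
        era = int((z >= 0 ? z : z - 146096) / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        printf "%04d-%02d-%02d\n", y, m, d
    }'
}

# chage_dates SHADOW_LINE: "last=... expires=... inactive=..." as chage -l
# derives them: expiry = field3 + field5, inactive = expiry + field7.
# An empty field 3 or a max age of 99999 (the default) is reported as never.
chage_dates() {
    IFS=: read -r _name _hash last _min maxage _warn inact _acctexp _rest <<EOF
$1
EOF
    if [ -z "$last" ]; then last_date=never; else last_date=$(days_to_date "$last"); fi
    if [ -z "$last" ] || [ -z "$maxage" ] || [ "$maxage" -ge 99999 ]; then
        printf 'last=%s expires=never inactive=never\n' "$last_date"
        return
    fi
    exp=$((last + maxage))
    if [ -n "$inact" ] && [ "$inact" -ge 0 ]; then
        inact_date=$(days_to_date $((exp + inact)))
    else
        inact_date=never
    fi
    printf 'last=%s expires=%s inactive=%s\n' "$last_date" "$(days_to_date "$exp")" "$inact_date"
}

# shadow_state TODAY SHADOW_LINE: how login(1) via pam_unix judges the record
# on day TODAY. Empty fields mean -1 (unset), as in the shadow file itself.
#   LOCKED           hash begins with ! or *
#   ACCOUNT-EXPIRED  TODAY >= field 8 (so a field 8 of 0 expires the account)
#   EXPIRED          field 3 is 0 (chage -d 0), or age > max age: must change now
#   DISABLED         age > max age + inactivity period: password no longer accepted
#   WARN             within the warning window before expiry
#   OK               otherwise
shadow_state() {
    awk -v today="$1" -v line="$2" 'BEGIN {
        split(line, f, ":")
        c = substr(f[2], 1, 1)
        last    = f[3] + 0
        maxage  = (f[5] == "") ? -1 : f[5] + 0
        warn    = (f[6] == "") ? -1 : f[6] + 0
        inact   = (f[7] == "") ? -1 : f[7] + 0
        acctexp = (f[8] == "") ? -1 : f[8] + 0
        if (c == "!" || c == "*")              { print "LOCKED"; exit }
        if (acctexp != -1 && today >= acctexp) { print "ACCOUNT-EXPIRED"; exit }
        if (last == 0)                         { print "EXPIRED"; exit }
        age = today - last
        if (maxage != -1 && age > maxage) {
            if (inact != -1 && age > maxage + inact) print "DISABLED"; else print "EXPIRED"
            exit
        }
        if (maxage != -1 && warn != -1 && age + warn > maxage) { print "WARN"; exit }
        print "OK"
    }'
}

# The user1 record from the chage -l output above, with a placeholder hash:
# last change day 17015, max age 60, warn 7, inactive 5.
USER1='user1:$6$Zs1q/7Rk$c0nstructedPlaceholderHash:17015:0:60:7:5::'
chage_dates "$USER1"
shadow_state 17076 "$USER1"
```

shadow_state is useful for a quick "who would be refused at login tomorrow" report: feed it today's day count ($(( $(date +%s) / 86400 )) on GNU systems) and each line of /etc/shadow.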
6. finger
Function:
Look up user information. Run without arguments, finger lists the users currently logged in on the local host; to query a user on a remote host, use the form user@host (the remote host must run a finger daemon, which is rarely enabled today because it discloses account names and login activity to anyone on the network)
Syntax:
finger [-lmsp] [user ...] [user@host ...]
Options:
-l: long format: login name, real name, home directory, login shell, login time, mail forwarding address, mail status, and the contents of the user's .plan and .project files
-m: match only on login names, not on real names
-s: short format: login name, real name, terminal, idle time, login time, office location and office phone
-p: like -l, but without the contents of the .plan, .project and .pgpkey files
Example:
[root@localhost ~]# finger linuxpao
Login: linuxpao                         Name:
Directory: /home/linuxpao               Shell: /bin/bash
On since Tue Aug  2 16:25 (CST) on tty3   6 minutes 47 seconds idle
New mail received Fri Jul 29 21:19 2016 (CST)
     Unread since Wed Jul 20 17:51 2016 (CST)
No Plan.
7. chfn
Function:
Change the user information displayed by finger (the GECOS field of /etc/passwd)
Syntax:
chfn [-f full-name] [-o office] [-p office-phone] [-h home-phone] [-u] [-v] [username]
Options:
-f: set the user's real name
-o: set the user's office address
-p: set the user's office phone
-h: set the user's home phone
Example:
[root@localhost ~]# chfn
Changing finger information for root.
Name [root]: xiaobao
Office []: Sanlitun, Beijing
Office Phone []: 010020
Home Phone []: 12345678
Finger information changed.
8. chsh
Function:
Change a user's login shell
Syntax:
chsh [-s shell] [-l] [-u] [-v] [username]
Options:
-s: set the user's login shell; an ordinary user may only choose a shell listed in /etc/shells
-l: print the shells supported by the system (the contents of /etc/shells)
Example:
(1) View the shells supported by the system
[root@localhost ~]# chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
(2) Change the shell of the user haha to /bin/csh
[root@localhost ~]# chsh -s /bin/csh haha
Changing shell for haha.
Shell changed.
4. Group management commands
1. groupadd
Function:
Create a new group.
The group name must begin with a lowercase letter or an underscore, followed by lowercase letters, digits, underscores or dashes, and may end with a dollar sign. As a regular expression: [a-z_][a-z0-9_-]*[$]?
The maximum length of a group name is 16 characters.
Syntax:
groupadd [options] GROUP
Options:
-g: specify the GID of the new group
-o: used with -g, allows creating a group with a non-unique GID
-r: create a system group (GID taken from the SYS_GID_MIN-SYS_GID_MAX range of /etc/login.defs)
-K: override a default from /etc/login.defs, in the form KEY=VALUE (for example -K GID_MIN=2000)
Example:
Add a new system group xixi with the group ID 222:
[root@localhost ~]# groupadd -r -g 222 xixi
[root@localhost ~]# tail -1 /etc/group
xixi:x:222:
2. groupmod
Function:
Modify a group's attributes
Syntax:
groupmod [options] GROUP
Options:
-n: change the group name
-g: change the group's GID. Files owned by the old GID are not re-owned; fix them manually, for example with find / -gid OLD -exec chgrp NEW {} +
-o: used with -g, allows the new GID to be one that is already in use
Example:
Change the GID of the group xixi to 10000 and keep the name xixi:
[root@localhost ~]# groupmod -g 10000 -n xixi xixi
[root@localhost ~]# getent group xixi
xixi:x:10000:
3. groupdel
Function:
Delete a group
Syntax:
groupdel [options] GROUP
Description:
The primary group of an existing user cannot be deleted; the user must be removed (or given another primary group) first. Files owned by the deleted GID remain and show a bare number in ls -l; find them with find / -nogroup.
Example:
Delete the group user1 (the user user1 has already been deleted, so its primary group can now be removed):
[root@localhost ~]# groupdel user1
4. gpasswd
Function:
Administer groups; it is the management tool for /etc/group and /etc/gshadow
Syntax:
gpasswd [options] GROUP
Options:
-a: add a user to the group
-d: remove a user from the group
-r: remove the group password
-A: set the list of group administrators
-M: set the list of group members (replacing the existing list)
Without options, gpasswd GROUP sets a group password, which lets non-members join the group with newgrp if they know it. This is an old mechanism that shares one secret among many people; explicit membership with -a or -M is preferable.
Example:
Set the members of the admins group to haha and sarah:
[root@localhost ~]# gpasswd -M haha,sarah admins
[root@localhost ~]# tail /etc/group
tcpdump:x:72:
linuxpao:x:500:
admins:x:502:haha,sarah
5. newgrp
Function:
Start a new shell with a different primary group, so that files created in it belong to that group
Syntax:
newgrp [-] [group]
Example:
If the user is already a member of the group no password is needed; otherwise the group password is required (and the group must have one), as shown below:
[root@localhost ~]# id haha
uid=2048(haha) gid=2048(haha) groups=2048(haha),0(root),1(bin),100(users),502(admins)
[root@localhost ~]# su - haha
[haha@localhost ~]$ newgrp admins
[haha@localhost ~]$ id
uid=2048(haha) gid=502(admins) groups=502(admins),0(root),1(bin),100(users),2048(haha)
[haha@localhost ~]$ newgrp harry
Password:
6. groupmems
Function:
Manage and view the members of a group; without -g it works on the caller's own primary group
Syntax:
groupmems -a user_name | -d user_name | [-g group_name] | -l | -p
Options:
-a: add a user to the group's member list
-d: remove a user from the group's member list
-g: (superuser only) specify which group's member list to work on; used together with one of the other options
-l: list the group members
-p: purge all users from the group's member list
Example:
Show the members of the group bin:
[root@localhost ~]# groupmems -l -g bin
bin  daemon
Add linuxpao as a member of the group bin:
[root@localhost ~]# groupmems -a linuxpao -g bin
[root@localhost ~]# groupmems -l -g bin
bin  daemon  linuxpao
7. groups
Function:
Show the groups a user belongs to (the primary group first, then the supplementary groups)
Syntax:
groups [OPTION]... [USERNAME]...
Example:
Display the groups of the user haha:
[root@localhost ~]# groups haha
haha : haha root bin users admins
5. Supplementary user and group management commands
1. newusers
Function:
Create or update users in batch
Syntax:
newusers [options] [FILE]
Options:
-c: hash the passwords with the given method: DES, MD5, NONE, or SHA256 / SHA512 if your libc supports them. Use SHA512; DES and MD5 are weak
-r: create system accounts
-s: the number of SHA rounds to use for hashing; 0 lets the system pick the method's default (5000). Otherwise the number of rounds is bounded by SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in /etc/login.defs
File format:
Each line has the same seven fields as /etc/passwd:
pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell
that is, user name:password:UID:GID:GECOS:home directory:login shell
Caution: the second field is not the "x" placeholder of /etc/passwd. newusers takes it as the cleartext password and hashes it, so a literal "x" here gives every new account the password "x". Either put the intended password in this field and protect the input file, or set real passwords immediately afterwards with chpasswd, as in the next section.
Example:
Create the file user.txt to add the users haha1, haha2 and haha3 in batch:
vim user.txt (file contents below)
haha1:x:3001:3001::/home/1:/bin/bash
haha2:x:3002:3002::/home/2:/bin/bash
haha3:x:3003:3003::/home/3:/bin/bash
[root@localhost testdir]# newusers user.txt (batch creation)
[root@localhost testdir]# tail -3 /etc/passwd (check the result)
haha1:x:3001:3001::/home/1:/bin/bash
haha2:x:3002:3002::/home/2:/bin/bash
haha3:x:3003:3003::/home/3:/bin/bash
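Because newusers applies the whole file without asking, it is worth checking the input first. The script below is an added example, not from the original article: validate_newusers reads a candidate file and the existing /etc/passwd and /etc/shells (all three constructed here) and reports lines with the wrong field count, an invalid login name, a login name or UID that already exists, a request for UID 0, a shell that is not an allowed login shell, or a literal "x" or empty password field, which newusers would hash as the password. On a real host call it with "$(cat user.txt)" "$(cat /etc/passwd)" "$(cat /etc/shells)".

```shell
#!/bin/sh
# Added example: sanity-check a newusers(8) input file before applying it.
# All sample data is CONSTRUCTED for this example.

EXISTING_PASSWD='root:x:0:0:root:/root:/bin/bash
haha:x:2048:2048::/testdir/:/bin/csh'

ALLOWED_SHELLS='/bin/sh
/bin/bash
/sbin/nologin'

# A candidate input with one good line and several mistakes.
NEWUSERS_INPUT='haha1:x:3001:3001::/home/1:/bin/bash
haha2:Pass-w0rd-2:3002:3002::/home/2:/bin/bash
haha:Pass-w0rd-3:0:0::/root:/bin/bash
bad user:pw:3005:3005::/home/5:/bin/zsh:extra'

# validate_newusers INPUT_TEXT PASSWD_TEXT SHELLS_TEXT
# Prints "line N: problem" for each issue; exit status 1 if any was found.
validate_newusers() {
    awk -v input="$1" -v passwd="$2" -v shells="$3" 'BEGIN {
        n = split(passwd, pl, "\n")
        for (i = 1; i <= n; i++) {
            split(pl[i], f, ":")
            name_used[f[1]] = 1; uid_used[f[3] + 0] = 1
        }
        n = split(shells, sl, "\n")
        for (i = 1; i <= n; i++) if (sl[i] != "") shell_ok[sl[i]] = 1
        bad = 0
        n = split(input, il, "\n")
        for (i = 1; i <= n; i++) {
            if (il[i] == "") continue
            nf = split(il[i], f, ":")
            if (nf != 7) { print "line " i ": expected 7 fields, got " nf; bad = 1; continue }
            if (f[1] !~ /^[a-z_][a-z0-9_-]*[$]?$/) { print "line " i ": invalid login name"; bad = 1 }
            if (f[1] in name_used) { print "line " i ": login name already exists"; bad = 1 }
            if (f[3] + 0 == 0) { print "line " i ": UID 0 requested"; bad = 1 }
            if ((f[3] + 0) in uid_used) { print "line " i ": UID already in use"; bad = 1 }
            if (f[2] == "x" || f[2] == "") { print "line " i ": password field x (or empty) is hashed literally and becomes the password"; bad = 1 }
            if (!(f[7] in shell_ok)) { print "line " i ": shell not in /etc/shells"; bad = 1 }
        }
        exit bad
    }'
}

validate_newusers "$NEWUSERS_INPUT" "$EXISTING_PASSWD" "$ALLOWED_SHELLS" ||
    echo "input rejected; fix the lines above before running newusers"
```

The login-name pattern is the one groupadd documents later in this article; useradd applies the same rule. Running the check against getent passwd rather than the local file also catches collisions with accounts that come from LDAP or SSSD.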
2. chpasswd
Function:
Update user passwords in batch
Syntax:
chpasswd [options]
Format:
One user_name:password pair per line on standard input. By default the password is given in cleartext and chpasswd hashes it
Options:
-c: hash the passwords with the given method (DES, MD5, SHA256, SHA512)
-e: the supplied passwords are already hashed; store them as given
-m: when the supplied passwords are not hashed, use MD5 instead of the DES default (legacy option)
-s: the number of SHA rounds to use
Example:
Create the file passwd.txt to set the passwords of haha1, haha2 and haha3 in batch. The article uses MD5 (-c MD5, hence the $1$ hashes below); MD5-crypt is fast to brute-force, so on a real system use -c SHA512 (the $6$ format of the root example above), and delete or shred the cleartext file afterwards, since anyone who can read it has the passwords.
vim passwd.txt (file contents below)
haha1:123456
haha2:qwerty
haha3:asdfgh
[root@localhost testdir]# chpasswd -c MD5 < passwd.txt (batch update)
[root@localhost testdir]# tail -3 /etc/shadow (result)
haha1:$1$Epulz/Ew$.VMMX.uodFeo7wOay6slU.:17015:0:99999:7:::
haha2:$1$YMvrS/Ks$S5aDmDuaRwG3NsOe4z7wS1:17015:0:99999:7:::
haha3:$1$hwyABoHg$tY0ZP4xmRQ.pwmkuMKiXD0:17015:0:99999:7:::
3. id
Function:
Display the real and effective user and group IDs
Syntax:
id [OPTION]... [USER]
Options:
-u: display only the UID
-g: display only the GID of the primary group
-G: display the GIDs of all groups the user belongs to
-n: display names instead of numbers; used with -u, -g or -G
-r: display the real ID instead of the effective ID; used with -u, -g or -G
-Z: display only the SELinux security context of the current process
Example:
Display the UID and all group IDs of the user haha:
[root@localhost testdir]# id haha
uid=2048(haha) gid=2048(haha) groups=2048(haha),0(root),1(bin),100(users),502(admins)
4. su
Function:
Switch to another user or run a command as another user
Syntax:
su [options...] [-] [user [args...]]
Options:
-l: start a login shell, reading the target user's environment files; equivalent to su - username
-m: preserve the current environment instead of reading the target user's settings (same as -p). Be aware that the original user's environment, PATH included, then applies to the privileged shell
-c: run a single command as the target user and return
-s: specify the shell to run
Example:
Run ls as root and return to the original user when it finishes:
[root@localhost testdir]# su -c ls root (the target user's file permissions apply)
bc   file   ls          passwd.txt
cat  file1  lost+found  uset.txt
[root@localhost testdir]#
5. getent
Function:
Look up entries in the system's name service databases. It goes through /etc/nsswitch.conf, so it shows what the system actually resolves, including accounts from LDAP or SSSD, rather than only the local file
Syntax:
getent database [key ...]
The databases are:
ahosts, ahostsv4, ahostsv6, aliases, ethers, group, gshadow, hosts, initgroups,
netgroup, networks, passwd, protocols, rpc, services, shadow
Example:
Use getent to view the passwd entry of the user linuxpao:
[root@localhost testdir]# getent passwd linuxpao
linuxpao:x:500:500::/home/linuxpao:/bin/bash
6. pwconv and pwunconv
Function:
pwconv: enable shadow passwords, moving the hashes from /etc/passwd to /etc/shadow
pwunconv: disable shadow passwords, moving the hashes back into /etc/passwd
Caution: with shadow passwords disabled the hashes sit in the world-readable /etc/passwd, where any local user can copy them for offline cracking, and the aging fields of /etc/shadow are lost. pwunconv has no place on a production system; the example below only demonstrates what the two files contain in each state.
Example:
[root@localhost testdir]# getent passwd haha
haha:x:2048:2048::/testdir/:/bin/csh
[root@localhost testdir]# getent shadow haha
haha:$6$3X8z.cbV$khAmbdajf7fyqZaNtRZWKBlRAaKuPUm6pvGIyvfhJfSMObQVX08k/6wUoksDDc/G71UhxBUNBeO0/Waa.hUPN1:
The above are the /etc/passwd and /etc/shadow entries of the user before shadow passwords are turned off.
[root@localhost testdir]# pwunconv (turn off shadow passwords)
[root@localhost testdir]# getent passwd haha (the hash from /etc/shadow has moved into /etc/passwd)
haha:$6$3X8z.cbV$khAmbdajf7fyqZaNtRZWKBlRAaKuPUm6pvGIyvfhJfSMObQVX08k/6wUoksDDc/G71UhxBUNBeO0/Waa.hUPN1:2048:2048::/testdir/:/bin/csh
[root@localhost testdir]# cat /etc/shadow | grep haha (/etc/shadow no longer exists)
cat: /etc/shadow: No such file or directory
[root@localhost testdir]# pwconv (turn shadow passwords back on and restore the system default state)