Description
1. This post records CentOS 7 user account configuration: adding users, adding user groups, deleting users, deleting user groups, and so on. It also looks at the user configuration files and directories and includes some thoughts on security.
2. User configuration on CentOS 7 seems no different from previous versions.
Part One: Getting to know users
A minimal CentOS 7 installation, in its default configuration, creates no users other than root. On a server operating system, ordinary (non-root) users are generally used for day-to-day work for security reasons. This involves creating users, creating user groups, and deleting them.
In addition, CentOS 7, like other Linux versions, has the following user configuration files and directories:
/etc/passwd //user account information; the user names can be seen here
/etc/shadow //encrypted (hashed) user password information, supplementing /etc/passwd
/etc/group //group account information; the group names can be seen here
/etc/gshadow //group account security information, including but not limited to the information in /etc/
/etc/default/ //account creation defaults
/etc/skel/ //directory of default (skeleton) files copied into each new user's home directory
Separate from the files above is the default configuration applied when an account is created, /etc/default/useradd, which also matters for security.
Let's take a look at this important configuration file, /etc/default/useradd, which reads as follows:
# useradd defaults file
GROUP=100 //starting GID value
HOME=/home //home directory location
INACTIVE=-1 //days after password expiry before the account is locked; a negative value means never, a positive number is a day count
EXPIRE= //account expiry date; empty means none
SHELL=/bin/bash //login shell path
SKEL=/etc/skel //default skeleton (profile) directory path
CREATE_MAIL_SPOOL=yes //whether to create a mail spool; its specific role is left to learn later
Let's take a look at the /etc/login.defs file and focus on the following:
MAIL_DIR        /var/spool/mail
...
# Password aging controls: //password age configuration
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
...
# Min/max values for automatic uid selection in useradd //min/max UID settings
#
UID_MIN         1000 //the UIDs of the users we create start from 1000
UID_MAX         60000
...
# Min/max values for automatic gid selection in groupadd
#
GID_MIN         1000
GID_MAX         60000
...
CREATE_HOME     yes //whether to create the home directory
...
# Use SHA512 to encrypt password. //SHA512 hashing
ENCRYPT_METHOD  SHA512
As the contents show, /etc/login.defs holds the broad, security-oriented defaults: password aging, UID/GID ranges, and the password hashing method.
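As an added example (not part of the original post), the following script reads the aging and hashing settings out of a login.defs-style file and reports the ones that weaken password policy. The file content is constructed to match the values quoted above, and the thresholds used for the findings (90 days maximum age, at least 1 day minimum age, 8 characters) are an assumed policy, not anything CentOS ships.

```shell
#!/bin/bash
# Added example, not from the original post: check the password-aging and
# hashing defaults of a login.defs-style file. The sample content below is
# constructed to match the values quoted above; the thresholds used for the
# findings (90 days maximum age, at least 1 day minimum age, 8 characters)
# are an assumed policy, not anything CentOS ships.

LOGIN_DEFS_SAMPLE='# Password aging controls
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
CREATE_HOME yes
ENCRYPT_METHOD SHA512'

# get_def FILE KEY: print the value of KEY (first match; comment lines start
# with "#" so their first field never equals a key)
get_def() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# audit_login_defs FILE: print one finding per line, nothing when clean
audit_login_defs() {
    local f="$1" v
    v=$(get_def "$f" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 90 ]; then
        echo "PASS_MAX_DAYS=${v:-unset}: passwords effectively never expire"
    fi
    v=$(get_def "$f" PASS_MIN_DAYS)
    if [ -z "$v" ] || [ "$v" -lt 1 ]; then
        echo "PASS_MIN_DAYS=${v:-unset}: a forced change can be undone immediately"
    fi
    v=$(get_def "$f" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 8 ]; then
        echo "PASS_MIN_LEN=${v:-unset}: passwords shorter than 8 characters allowed"
    fi
    v=$(get_def "$f" ENCRYPT_METHOD)
    case "$v" in
        SHA512|SHA256) ;;
        *) echo "ENCRYPT_METHOD=${v:-unset}: expected SHA512 or SHA256" ;;
    esac
    return 0
}

# Stand-alone usage: write the constructed sample to a temp file and audit it.
sample=$(mktemp)
printf '%s\n' "$LOGIN_DEFS_SAMPLE" > "$sample"
audit_login_defs "$sample"
rm -f "$sample"
```

Run against the quoted defaults this reports PASS_MAX_DAYS=99999 and PASS_MIN_DAYS=0. Keep in mind that login.defs only supplies the values copied into /etc/shadow when an account is created; accounts that already exist keep their own aging values, which `chage -l USER` shows and `chage -M 90 USER` changes.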
Here are some of the commands that are commonly used in the actual process:
useradd //add a user
passwd //set a user's password
userdel //delete a user
usermod //modify user information
groupadd //add a user group
groupdel //delete a user group
groupmod //modify user group information
groups //display the groups the current user belongs to
Part Two: Adding users
Example one: The simplest way to add a user
Execute the following command:
useradd test
passwd test
When the password is set, the system checks it against restrictions such as length and complexity, but these do not affect creation; they can be understood as a "friendly reminder".
A user named test has now been created. Let's look at its properties.
Execute the command: id test //view user information
We find that test has uid=1000 and gid=1000 and belongs to the test group. This shows that when a user is created without further parameters, a group with the same name as the user is created by default and the user is added to it. Notice also that the UID and GID match the default configuration file, so the configuration is in effect; if you create another user and check its UID and GID, you will see 1001. You can try it. We can also change into /home and see the user's directory, consistent with the configuration file settings.
Example two: Creating an account with parameters
In the previous example we used the default configuration and only set the user name and password. This time we set the UID, GID and so on manually. First let's look at the parameters of useradd:
-b, --base-dir BASE_DIR       base directory for the new account's home directory
-c, --comment COMMENT         GECOS field of the new account
-d, --home-dir HOME_DIR       home directory of the new account
-D, --defaults                display or change the default useradd configuration
-e, --expiredate EXPIRE_DATE  expiration date of the new account
-f, --inactive INACTIVE       password inactivity period of the new account
-g, --gid GROUP               name or ID of the primary group of the new account
-G, --groups GROUPS           list of supplementary groups of the new account
-h, --help                    display this help message and exit
-k, --skel SKEL_DIR           use this alternative skeleton directory
-K, --key KEY=VALUE           override /etc/login.defs defaults
-l, --no-log-init             do not add the user to the lastlog and faillog databases
-m, --create-home             create the user's home directory
-M, --no-create-home          do not create the user's home directory
-N, --no-user-group           do not create a group with the same name as the user
-o, --non-unique              allow creating users with a duplicate (non-unique) UID
-p, --password PASSWORD       encrypted password of the new account
-r, --system                  create a system account
-R, --root CHROOT_DIR         directory to chroot into
-s, --shell SHELL             login shell of the new account
-u, --uid UID                 user ID of the new account
-U, --user-group              create a group with the same name as the user
-Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
Create a user test4 with uid=501, gid=600, 30 days of validity, and home directory /home/test5.
Commands:
groupadd -g 600 test3 //create the test3 group with gid=600 first, since useradd -g needs it to exist
useradd -u 501 -g 600 -m -d /home/test5 test4 //the option that gave the "30 days of validity" did not survive in the original command; useradd -e YYYY-MM-DD sets the account expiry date
When we open /etc/passwd again, or run id test4, we see our own configuration:
uid=501(test4) gid=600(test3) groups=600(test3)
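One thing worth checking after creating accounts with hand-picked UIDs: test4's uid=501 sits below the UID_MIN of 1000 quoted from /etc/login.defs, in the range reserved for system accounts, and the -o option above even allows two accounts to share a UID. The following audit script is an added example (not part of the original post). The passwd lines are constructed for illustration, covering the test and test4 accounts from the examples plus a deliberately suspicious "backup" entry; they are not real system data.

```shell
#!/bin/bash
# Added example, not from the original post: audit a passwd file against the
# UID_MIN quoted from /etc/login.defs. The passwd lines are constructed for
# illustration (the test and test4 accounts from the examples above plus a
# deliberately suspicious "backup" entry); they are not real system data.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
test:x:1000:1000::/home/test:/bin/bash
test4:x:501:600::/home/test5:/bin/bash
backup:x:0:0::/root:/bin/bash'

UID_MIN_DEFAULT=1000   # UID_MIN as quoted from /etc/login.defs above

# audit_passwd FILE [UID_MIN]: print one finding per line, nothing when clean
audit_passwd() {
    local f="$1" uid_min="${2:-$UID_MIN_DEFAULT}"
    awk -F: -v uid_min="$uid_min" '
        # any second UID 0 account is root under another name
        $3 == 0 && $1 != "root" { print "UID 0 account besides root: " $1 }
        # duplicate UIDs (what useradd -o permits) make file ownership ambiguous
        ($3 in first) { print "duplicate UID " $3 ": " $1 " shares it with " first[$3] }
        !($3 in first) { first[$3] = $1 }
        # a login-capable account below UID_MIN sits in the range login.defs
        # reserves for system accounts and is easy to overlook in reviews
        $3 > 0 && $3 < uid_min && $7 !~ /nologin|false/ {
            print "login shell on system-range UID " $3 ": " $1
        }
    ' "$f"
}

# Stand-alone usage: audit the constructed sample.
sample=$(mktemp)
printf '%s\n' "$PASSWD_SAMPLE" > "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On the sample this reports the second UID 0 account twice (as a root alias and as a duplicate UID) and flags test4 for its login shell on UID 501. On a real host, pass /etc/passwd and the UID_MIN read from /etc/login.defs.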
Part Three: Deleting a user/group
When we make a mistake creating a user/group, we can delete the user/group and then recreate it. We use the userdel command to remove a user.
Execute command:
[root@localhost home]# userdel test
[root@localhost home]# useradd test
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
This happens because, when we delete a user, the system does not delete the user's files and directories, for safety reasons. Let's take a look at the userdel parameters:
Usage: userdel [options] LOGIN
Options:
  -f, --force                   force some actions that would fail otherwise, e.g. removal of a user still logged in or of files even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user
We can use the -rf parameters to delete the related files and directories as well. This step is dangerous, and whether it can be rolled back is not particularly clear.
Execute command:
[root@localhost home]# userdel -rf test
[root@localhost home]# useradd test
This time there is no warning.
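The leftover home directory and mail spool are the visible part of the problem; the security-relevant part is that files still owned by the deleted UID are handed, silently, to whichever account next receives that UID (here, the second "useradd test" gets 1000 again). As an added example (not part of the original post), the script below lists such orphaned files from a constructed listing of "uid path" lines, the shape that `find / -xdev -printf '%U %p\n'` produces, checked against a constructed passwd file in which the test user has just been deleted. None of it is real system data.

```shell
#!/bin/bash
# Added example, not from the original post: after "userdel test" without -r,
# files still owned by the removed UID stay behind and belong to whoever next
# receives that UID. The passwd content and the file listing below are both
# constructed; the listing has the "uid path" shape of
# find / -xdev -printf '%U %p\n' output.

PASSWD_AFTER_USERDEL='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash'

# constructed listing: UID 1000 belonged to "test", which has just been deleted
FILE_LISTING='0 /root/.bashrc
1000 /home/test/.bash_profile
1000 /var/spool/mail/test
1001 /home/alice/notes.txt'

# orphaned_files PASSWD LISTING: print "uid path" for every file whose owner
# UID has no passwd entry (first pass collects UIDs, second pass filters)
orphaned_files() {
    awk -F: 'NR == FNR { known[$3] = 1; next }
             { split($0, f, " "); if (!(f[1] in known)) print $0 }' "$1" "$2"
}

# inherited_by PASSWD LISTING NEWUID: the orphaned paths a new account created
# with NEWUID (e.g. the next "useradd test" reusing 1000) would silently own
inherited_by() {
    orphaned_files "$1" "$2" | awk -v uid="$3" '$1 == uid { sub(/^[^ ]+ /, ""); print }'
}

# Stand-alone usage with the constructed data.
p=$(mktemp); l=$(mktemp)
printf '%s\n' "$PASSWD_AFTER_USERDEL" > "$p"
printf '%s\n' "$FILE_LISTING" > "$l"
echo "orphaned files:"; orphaned_files "$p" "$l"
echo "would be inherited by UID 1000:"; inherited_by "$p" "$l" 1000
rm -f "$p" "$l"
```

On a live host the equivalent check is `find / -xdev \( -nouser -o -nogroup \)`, run before the UID is reused. Note that even userdel -r removes only the home directory and mail spool; files the user owned elsewhere on the system have to be found and dealt with separately.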
In addition, I think the most important thing is the allocation of permissions between different users. I'll leave that for now and assign them according to the actual situation. Everyone should likewise configure the parameters according to their own situation. We can discuss it with each other.
CentOS 7 User Account Configuration