CentOS 7 user account configuration
Note:
1. This blog post records the configuration of CentOS 7 user accounts: adding and deleting users and user groups, the user-related configuration files and directories, and some thoughts on security.
2. In user configuration there is no difference between CentOS 7 and earlier versions.
Part 1: understanding users
CentOS 7 was installed in minimal mode; the default configuration creates no users other than root. On a server, day-to-day work is normally done as an ordinary user for security reasons, which means creating and deleting users and user groups.
In addition, CentOS 7, like other versions of Linux, has corresponding user configuration files and directories, as follows:
/etc/passwd           # user account information; this is where the user names are listed
/etc/shadow           # hashed passwords and password aging for user accounts, including but not limited to the information in /etc/passwd
/etc/group            # group account information; this is where the group names are listed
/etc/gshadow          # group account security information, including but not limited to the information in /etc/group
/etc/default/useradd  # default values used by useradd
/etc/skel             # directory whose default files are copied into the home directory when an account is created
/etc/login.defs       # default security configuration, distinct from /etc/default/useradd
Let's take a look at the important configuration file /etc/default/useradd. Its content is as follows:
# useradd defaults file
GROUP=100               # default GID
HOME=/home              # location of home directories
INACTIVE=-1             # days after a password expires before the account is disabled; -1 means never
EXPIRE=                 # account expiration date; empty means none
SHELL=/bin/bash         # login shell
SKEL=/etc/skel          # skeleton directory copied into new home directories
CREATE_MAIL_SPOOL=yes   # whether to create a mail spool; details to be learned later
Let's take a look at the /etc/login.defs file. The key content is as follows:
MAIL_DIR        /var/spool/mail
...
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
...
# Min/max values for automatic uid selection in useradd
#
# The UIDs of the users we create start at 1000
UID_MIN                  1000
UID_MAX                 60000
...
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
...
# whether to create a home directory
CREATE_HOME     yes
...
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
As the file content shows, /etc/login.defs is the system-wide security configuration for accounts: password aging, UID/GID ranges, and the password hashing method.
The following are some common commands used in the actual process:
useradd    # add a user
passwd     # set a password
userdel    # delete a user
usermod    # modify user information
groupadd   # add a user group
groupdel   # delete a user group
groupmod   # modify user group information
groups     # display the groups the current user belongs to
Part 2: creating a user
Example 1: The simplest way to create a user
Run the following command:
useradd test
passwd test
When the password is set, the system checks it against length and complexity rules, but a warning does not prevent the password from being set; think of it as a hint.
The user test has now been created. Let's look at its attributes.
Run the command: id test    # view user information
We find that test has uid 1000 and gid 1000 and belongs to the group test. This shows that when useradd is given no other parameters, it creates a group with the same name as the user and adds the user to it. The UID and GID match the UID_MIN and GID_MIN values in the configuration file, so the configuration file is in effect. If you create another user and check its UID and GID, you will see 1001; try it. Under /home there is now a user directory, consistent with the configuration file settings.
Example 2: create an account with parameters
In the previous example we used the default configuration and set only the user name and password. This time we set the UID and GID by hand. First, let's look at the parameters of useradd:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           list of supplementary groups of the new account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow to create users with duplicate (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
Create a new user test4 with UID 501, primary group test3 (GID 600), home directory /home/test5, and a password inactivity period of 30 days (-f 30).
Commands:
groupadd -g 600 test3                                  # create the group test3 with GID 600
useradd -u 501 -g 600 -f 30 -m -d /home/test5 test4   # create test4 with UID 501 in group 600
When we look at /etc/passwd again or run id test4, we see our own configuration:
uid=501(test4) gid=600(test3) groups=600(test3)
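As an added example (not part of the original post), the following script audits constructed /etc/passwd and /etc/shadow samples for the points raised above: a second UID 0 account (which useradd -o makes possible), accounts below UID_MIN that still have an interactive shell (test4 at UID 501 is one), and shadow entries with an empty password field or a maximum password age above a chosen limit. The sample lines and the limit of 90 days are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (not taken from a real host). The last line
# is a second UID 0 account, the kind of entry useradd -o makes possible.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
test:x:1000:1000::/home/test:/bin/bash
test4:x:501:600::/home/test5:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash'

# Constructed /etc/shadow sample. Fields: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$saltsalt$hashvalue:17000:0:99999:7:::
test:$6$saltsalt$hashvalue:17000:0:99999:7:::
test4:$6$saltsalt$hashvalue:17000:0:30:7:30::
backdoor::17000:0:99999:7:::'

UID_MIN=1000   # UID_MIN as set in /etc/login.defs

# Print every account with UID 0 whose name is not root.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print accounts in the system range (0 < UID < UID_MIN) that still have an
# interactive shell; system accounts are expected to use /sbin/nologin.
system_with_shell() {
    printf '%s\n' "$1" | awk -F: -v min="$2" \
        '$3 > 0 && $3 < min && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Print shadow entries with an empty password field (login without a password)
# or a maximum password age above MAXDAYS (99999 is the login.defs default).
weak_shadow() {
    printf '%s\n' "$1" | awk -F: -v maxdays="$2" '
        $2 == ""      { print $1 ": empty password" }
        $5 > maxdays  { print $1 ": max age " $5 " days" }'
}

# Run the checks on the samples; on a real host pass "$(cat /etc/passwd)"
# and, as root, "$(cat /etc/shadow)" instead.
echo "Extra UID 0 accounts: $(extra_uid0 "$SAMPLE_PASSWD")"
echo "System-range accounts with a shell: $(system_with_shell "$SAMPLE_PASSWD" "$UID_MIN")"
echo "Weak shadow entries:"
weak_shadow "$SAMPLE_SHADOW" 90
```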
Part 3: changing user settings
Different users need different permissions, different shells, and different login rights. This section uses the usermod command to modify a user's configuration. In the previous example we created the test account; its default shell is /bin/bash and it is allowed to log in.
Prohibit login:
usermod -s /sbin/nologin test    # -s sets the login shell
Change the user name:
usermod -l test88 test           # -l sets the new user name
Likewise, changing the home directory, the expiration date, and the groups, as well as locking and unlocking the user, are done with the corresponding usermod parameters; try them out.
Part 4: deleting users and groups
If a mistake is made when creating a user or group, it can be deleted and re-created. We use the userdel command to delete a user.
Run the following command:
[root@localhost home]# userdel test
[root@localhost home]# useradd test
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
This happens because when a user is deleted, the system deliberately keeps the related files and directories. Let's look at the userdel parameters:
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force some actions that would fail otherwise
                                e.g. removal of user still logged in
                                or files, even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user
We can use -rf to delete the related files and directories as well. This step is risky: the home directory and mail spool are removed and there is no rollback.
Run the following command:
[root@localhost home]# userdel -rf test
[root@localhost home]# useradd test
This time no warning appears.
Part 5: user security configuration
In operating system security, user permissions and file permissions are very important, so here are a few points. The goal is to prohibit logins as root and let ordinary users escalate privileges with the sudo command. In the previous step we created the test user; when it runs a sudo command, the following message appears:
test is not in the sudoers file. This incident will be reported.
To fix this, add the user test to /etc/sudoers (edit it with visudo, which checks the syntax before saving). The line is as follows:
# find the following line and add the new one below it
...
root    ALL=(ALL)       ALL
test    ALL=(ALL)       ALL    # this line is added
That solves the problem.
Update: I reinstalled CentOS 7 in a virtual machine and, after testing, it works. The attributes of /etc/sudoers are as follows:
As you can see, the setuid bit is set and every user has execute (x) permission, so any user can run the sudo command. The following explains the setuid permission.
P.S. The other parts were set by following online materials but do not seem to make a difference; the part that was changed, and its purpose, are posted below.
chown root:root /usr/bin/sudo    # set the owner and group of /usr/bin/sudo to root
chmod 4755 /usr/bin/sudo         # set the mode to 4755; the leading 4 (setuid) makes the file run as its owner
The commands above make root the owner of /usr/bin/sudo and, because of the setuid bit (the leading 4), run it as root whenever it is executed. If you set the mode to 755 instead of 4755, the following error occurs:
sudo: effective uid is not 0, is sudo installed setuid root?
The fix is to make sudo run as root (uid 0), which is what the chown and chmod 4755 above do.
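As an added example (not from the original post), this script turns the 4755-versus-755 point above into a check: given the octal mode and owner that GNU stat prints for a file, it reports whether the file is a root-owned setuid binary that is not writable by others. The function names and the use of stat -c are assumptions for the demonstration.

```shell
#!/bin/sh
# Check that a file's mode and owner are what a setuid helper such as sudo
# needs: owned by root, setuid bit set, and not writable by group or others.
# MODE is the octal string "stat -c %a" prints (755 or 4755), OWNER the user
# name from "stat -c %U". Returns 0 when acceptable, 1 otherwise.
setuid_root_ok() {
    mode=$1
    owner=$2
    bits=$(( 0$mode ))            # a leading 0 makes the shell read it as octal
    if [ "$owner" != root ]; then
        echo "owner is $owner, not root"
        return 1
    fi
    if [ $(( bits & 04000 )) -eq 0 ]; then
        echo "setuid bit is not set (mode $mode); sudo would report that its effective uid is not 0"
        return 1
    fi
    if [ $(( bits & 00022 )) -ne 0 ]; then
        echo "mode $mode lets group or others modify a root setuid binary"
        return 1
    fi
    echo "ok: root-owned setuid binary with mode $mode"
    return 0
}

# Apply the check to a real path using GNU stat (coreutils, as shipped in CentOS).
audit_setuid_binary() {
    setuid_root_ok "$(stat -c %a "$1")" "$(stat -c %U "$1")"
}

# The two cases from the text: the correct 4755 and the broken 755.
setuid_root_ok 4755 root
setuid_root_ok 755 root || echo "(rejected, as expected)"
```

On the real host, run audit_setuid_binary /usr/bin/sudo after the chown and chmod above.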
In a real environment, to keep attackers from brute-forcing the root account, SSH login as root is usually disabled. The procedure is as follows:
# in /etc/ssh/sshd_config, change the line
#PermitRootLogin yes
# to
PermitRootLogin no
# then restart the sshd service
systemctl restart sshd.service
Note: CentOS 7 has replaced the service command with systemctl. service still works in some cases, but I prefer systemctl.
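As an added example (not from the original post), the following script reports the PermitRootLogin value sshd will actually use for a config text, so the edit above can be verified rather than assumed. It applies two rules from sshd_config(5): the first value seen for a keyword wins, and directives after a Match line are not global. The sample config fragments are constructed, and the functions assume the "Keyword value" spelling.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not copied from a real host).
CFG_DEFAULT='# comment and blank lines are ignored
#PermitRootLogin yes
PasswordAuthentication yes'

CFG_HARDENED='PermitRootLogin no
PasswordAuthentication yes
Match User deploy
    PermitRootLogin yes'

CFG_SHADOWED='PermitRootLogin yes
PermitRootLogin no'

# Print the global value sshd will use for KEYWORD in the given config text.
# sshd keeps the first value it reads for a keyword, and directives after a
# Match line apply only inside that block, so parsing stops there. Prints
# "unset" when the keyword never appears (sshd then uses its built-in default).
effective_sshd_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        tolower($1) == "match" { exit }        # inside a Match block: not global
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Returns 0 only when PermitRootLogin is explicitly "no" in the global section.
root_login_disabled() {
    [ "$(effective_sshd_option PermitRootLogin "$1")" = no ]
}

for cfg in "$CFG_DEFAULT" "$CFG_HARDENED" "$CFG_SHADOWED"; do
    echo "PermitRootLogin -> $(effective_sshd_option PermitRootLogin "$cfg")"
done
# On the real host: root_login_disabled "$(cat /etc/ssh/sshd_config)" && echo disabled
```

The CFG_SHADOWED case shows why appending PermitRootLogin no at the end of the file is not enough when an earlier uncommented line says yes.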
In addition, I think the most important issue is the allocation of permissions between different users. I will leave this for now and add notes based on practical experience.
You can also adjust these parameters to your own situation. Feel free to share your experience.