centos7.5-User Management

Source: Internet
Author: User

What this section says:
    • 6.1 Configuration files for users and groups
    • 6.2 Managing users and groups
    • 6.3 Practice: enter CentOS 7 emergency mode to recover the root password

A user is someone who uses the computer. The computer gives each person a distinct name, and people log on with those names. Besides people, some system services also need an account with limited privileges to run under, so user management exists for security reasons: it restricts what each user account may do. root holds the highest privileges on the system, so it is normally used only for administration; unprivileged users can use su or sudo to gain privileges temporarily.

GNU/Linux controls access through users and user groups, including access to files and the use of devices. A system can have many accounts, but their names must be unique: once the name root is taken, no other account can use it. Every user belongs to at least one group, and a user can join existing groups to obtain the privileges of those groups.
Every file in a GNU/Linux system is owned by one user (the owner) and one group (the owning group). There are three kinds of access permission: read, write and execute, and they can be set separately for the file's owner, its group and everyone else. The ls and stat commands show a file's owner, group and permissions:

    [[email protected] ~]# ll | head -2
    总用量 8
    -rw-------. 1 root root 1680 9月  19 2017 anaconda-ks.cfg
    [[email protected] ~]# stat anaconda-ks.cfg
      文件:"anaconda-ks.cfg"
      大小:1680       块:8          IO 块:4096   普通文件
    设备:803h/2051d   Inode:16797763    硬链接:1
    权限:(0600/-rw-------)  Uid:(    0/    root)   Gid:(    0/    root)
6.1 User accounts

6.1.1 User classification

Linux users fall into three roles:

    • Superuser: root, with the highest administrative authority on the system, UID 0
    • Normal users: system users have UID 1-999 on CentOS 7 (1-499 on CentOS 6); local users have UID 1000+ (500+ on CentOS 6). The UID is each user's identity marker, much like a person's ID card number.
    • Virtual users: pseudo-users that are generally not used to log on; they exist so that a service can run under its own account, for example ftp or apache

Relationships between users and groups:

    • One-to-one: a user belongs to one group; one-to-many: a user belongs to more than one group
    • Many-to-one: several users belong to one group; many-to-many: several users belong to several groups
6.1.2 Configuration files
    • User file /etc/passwd: basic attributes of every user. It is readable by all users; each line records one user, with fields separated by colons
    • Group file /etc/group: all information about user groups; group names cannot be duplicated
    • Password file /etc/shadow: because /etc/passwd is readable by everyone, the password hashes are kept in this separate file, which only root can read
6.2 User management

6.2.1 User commands


Command: useradd

    • useradd -d <home directory> -u <UID> -g <initial group> -G <additional groups> -s <login shell> <username>
    • -d: the user's home directory path; use it to place the home directory somewhere other than the default
    • -M: do not create the user's home directory
    • -g: the name or numeric ID of the user's initial (primary) group. The group must already exist. If this option is not given, useradd follows the USERGROUPS_ENAB setting in /etc/login.defs; with the default USERGROUPS_ENAB yes it creates a group with the same name as the user, with GID equal to the UID.
    • -G: a comma-separated list (no spaces) of additional groups for the user to join; if not set, the user only belongs to the initial group. (A user has exactly one primary group but may have several supplementary groups.)
    • -s: the path of the user's login shell, started once the login process completes. Make sure the shell is installed; the default is bash. To prevent an account from logging in at all, for example one used only to run a system service, set its shell to /sbin/nologin.
6.2.2 Adding a login user

Example: add a user named harry with bash as the login shell

    [[email protected] ~]# useradd harry
    [[email protected] ~]# tail -1 /etc/passwd
    harry:x:1001:1001::/home/harry:/bin/bash

Description: the command automatically creates a group named harry and makes it harry's default primary group; the default login shell is bash.
All user account information is stored in /etc/passwd. Each line describes one account in the following format, with fields separated by ":":

    harry:x:1001:1001::/home/harry:/bin/bash

    • harry: user name
    • x: password placeholder (the hash lives in /etc/shadow)
    • 1001: the user's UID, always numeric
    • 1001: the GID of the user's primary group, always numeric
    • (empty): user description, a brief note on the user's function or other information
    • /home/harry: the user's home directory (what "~" stands for in the shell prompt)
    • /bin/bash: the shell started after the user logs in

To see which shells the system supports:

    [[email protected] ~]# cat /etc/shells    # list the shells this system supports
    /bin/sh
    /bin/bash
    /sbin/nologin
    /bin/csh
6.2.3 Specifying the user's UID: -u <user ID>

    [[email protected] ~]# useradd -u 1100 oracle
    [[email protected] ~]# id oracle
    uid=1100(oracle) gid=1100(oracle) 组=1100(oracle)
    [[email protected] ~]# tail -1 /etc/passwd
    oracle:x:1100:1100::/home/oracle:/bin/bash
    [[email protected] ~]# ls /home/oracle/ -a
    .  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
6.2.4 Specifying the home directory

    [[email protected] ~]# useradd -d /opt/mk1 mk1
    [[email protected] ~]# tail -1 /etc/passwd
    mk1:x:1102:1102::/opt/mk1:/bin/bash
6.2.5 Specifying the user's primary group

Example:

    [[email protected] ~]# useradd xuegod
    [[email protected] ~]# id xuegod
    uid=1103(xuegod) gid=1103(xuegod) 组=1103(xuegod)
    [[email protected] ~]# useradd -g xuegod xuegod2
    [[email protected] ~]# id xuegod2
    uid=1104(xuegod2) gid=1103(xuegod) 组=1103(xuegod)
6.2.6 Specifying the user's supplementary groups

Supplementary groups are also called additional groups; a user can be a member of zero or more of them.
A user's supplementary memberships are recorded in the last field of the group's line in /etc/group.

    [[email protected] ~]# useradd -G xuegod,harry,root xuegod3
    [[email protected] ~]# id xuegod3
    uid=1105(xuegod3) gid=1105(xuegod3) 组=1105(xuegod3),0(root),1001(harry),1103(xuegod)
    [[email protected] ~]# vim /etc/group  # look at the end of the file

6.2.7 Another command to create a user

    [[email protected] ~]# adduser xuegod4
    [[email protected] ~]# id xuegod4
    uid=1106(xuegod4) gid=1106(xuegod4) 组=1106(xuegod4)
    [[email protected] ~]# which adduser
    /usr/sbin/adduser
    [[email protected] ~]# ll /usr/sbin/adduser
    lrwxrwxrwx. 1 root root 7 9月  19 2017 /usr/sbin/adduser -> useradd

Note: adduser is a symbolic link to useradd.
6.2.8 Deleting a user

    usage: userdel [options] LOGIN

Options: -r also removes the user's home directory and the mail spool under /var/mail.
6.2.9 The password file

    [[email protected] ~]# head -3 /etc/shadow
    root:$6$C88LCVx5ZjfBU7xv$cKcdyNeTFmOYTs9NbRZDTA4hGcbMXc/5hQEWZKCtNyLqlBagrjct.pMfs39iEaF1UbEvcOzWZHMDf9Q5KojXM1::0:99999:7:::


The format is as follows:

    • name: the login name, which must be a valid account on the system
    • password: the hashed password, in three parts: the first identifies the hash algorithm, the second is the salt mixed into the hash, and the third is the hash itself. Algorithm identifiers: $1 is MD5, $5 is SHA-256, $6 is SHA-512
    • lastchange: date of the most recent password change, as days since 1970/1/1
    • min-age: minimum number of days before the password may be changed again; 0 means no minimum
    • maxage: maximum number of days before the password must be changed
    • warning: how many days before expiry the user is warned; 0 means no warning
    • inactive: grace period in days after the password expires
    • expire: account expiration date, as days since 1970/1/1 (the "millennium bug" style of date)
    • blank: reserved field

View the help pages:

    • man 5 passwd
    • man 5 shadow
    • man 5 group
    • man 3 crypt

To set a user's password:

    [[email protected] home]# passwd oracle   # interactive
    Changing password for user oracle.
    New password:
    BAD PASSWORD: The password is shorter than 8 characters
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [[email protected] ~]# echo 123456 | passwd --stdin xuegod    # non-interactive
    [[email protected] ~]# echo 123456 | passwd --stdin harry

Note that passwd --stdin is a Red Hat extension, and a password passed this way on the command line is recorded in the shell history.

Question: if two users have the same password, are their hash values in /etc/shadow the same?

    • Answer: no, because the salts are different.

Can the second segment (the salt) be chosen explicitly? When is the salt generated?

6.2.10 The two files that control useradd defaults: /etc/default/useradd and /etc/login.defs

    [[email protected] home]# egrep -v "^$|^#" /etc/login.defs
    MAIL_DIR        /var/spool/mail
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_MIN_LEN    5
    PASS_WARN_AGE   7
    UID_MIN                  # first regular user ID
    UID_MAX         60000    # last regular user ID
    SYS_UID_MIN     201
    SYS_UID_MAX     999
    GID_MIN         1000
    GID_MAX         60000    # last regular group ID
    SYS_GID_MIN     201
    SYS_GID_MAX     999
    CREATE_HOME     yes      # whether to create a home directory for new users
    UMASK           077
    USERGROUPS_ENAB yes
    ENCRYPT_METHOD  SHA512   # hash algorithm used for /etc/shadow
    [[email protected] home]# cat /etc/default/useradd

The contents of /etc/default/useradd are as follows:

    GROUP=100              # default group when no per-user group is created; the users group has GID 100. If that group is missing or has been deleted, the next useradd reports that the group does not exist
    HOME=/home             # directory under which home directories are created; change this if you do not want them under /home
    INACTIVE=-1            # whether password expiry disables the account: the 7th field of /etc/shadow, the number of days after expiry before the account is disabled; -1 means not enforced
    EXPIRE=                # account expiration date, the 8th field of /etc/shadow; the account becomes unusable after this date regardless of the password. Usually left empty, but useful for a paid-membership system
    SHELL=/bin/bash        # default login shell
    SKEL=/etc/skel         # template directory copied into new home directories
    CREATE_MAIL_SPOOL=yes  # whether to create a mail spool file
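The login.defs values above are the policy every new account inherits, and the defaults shown (PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_MIN_LEN 5) are weaker than most hardening baselines. The following shell script is an added example, not part of the original tutorial: it reads a login.defs-style file and reports each setting that falls short of a baseline. The baseline numbers and the sample file are constructed for illustration; on a real system point it at /etc/login.defs.

```shell
#!/bin/sh
# Added example, not from the original tutorial: compare the password
# policy in a login.defs-style file with a hardening baseline. The sample
# file and the baseline numbers are constructed for illustration.

LOGIN_DEFS_SAMPLE='# constructed sample mirroring the defaults shown above
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           077
ENCRYPT_METHOD  SHA512
'

# login_def FILE KEY: value of KEY, skipping comments and blank lines
login_def() {
    awk -v key="$2" '!/^[[:space:]]*(#|$)/ && $1 == key { print $2; exit }' "$1"
}

# check_login_defs FILE: print "KEY current expected" for every setting
# that misses the baseline; return 0 if all pass, 1 otherwise.
# Baseline rows are "KEY op expected": max = must be <= expected,
# min = must be >= expected, eq = must equal expected.
check_login_defs() {
    defs=$1
    rc=0
    while read -r key op want; do
        have=$(login_def "$defs" "$key")
        bad=0
        case $op in
            max) { [ -n "$have" ] && [ "$have" -le "$want" ]; } || bad=1 ;;
            min) { [ -n "$have" ] && [ "$have" -ge "$want" ]; } || bad=1 ;;
            eq)  [ "$have" = "$want" ] || bad=1 ;;
        esac
        if [ "$bad" -eq 1 ]; then
            printf '%s %s %s\n' "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done <<EOF
PASS_MAX_DAYS max 90
PASS_MIN_DAYS min 1
PASS_MIN_LEN min 12
PASS_WARN_AGE min 7
UMASK eq 077
ENCRYPT_METHOD eq SHA512
EOF
    return $rc
}

# Demo on the constructed sample
sample=$(mktemp)
printf '%s' "$LOGIN_DEFS_SAMPLE" > "$sample"
if check_login_defs "$sample"; then
    echo "login.defs meets the baseline"
else
    echo "weak settings listed above (KEY current expected)"
fi
rm -f "$sample"
```

With the sample file the script flags PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_MIN_LEN and leaves UMASK and ENCRYPT_METHOD alone; the baseline table is the place to encode whatever policy your organisation actually requires.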

Command: chage

    • -m: minimum number of days between password changes; 0 means the password can be changed at any time
    • -M: maximum number of days the password remains valid
    • -W: number of days before expiry on which the user receives warning messages
    • -E: the date on which the account expires; the account cannot be used after that day
    • -d: the date of the last password change; 0 forces the user to change the password at the next login

Example: modify user mk's password information so that mk must change the password on first login

    [[email protected] ~]# chage -d 0 mk
    [[email protected] ~]# ssh mk@192.168.1.63
    ...
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.63' (ECDSA) to the list of known hosts.
    mk@192.168.1.63's password: 123456
    You must change your password now and login again!  # the login forces a password change
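As an added example (not code from the original tutorial), the script below reads a file in /etc/shadow format and classifies each account using the aging fields described in 6.2.9 and the chage semantics above: lastchange 0 means the password must be changed at the next login, an age beyond maxage means the password has expired, and an age beyond maxage plus inactive means the account is locked out. The sample entries and their placeholder hash segments are constructed; the current day count is passed in rather than read from the clock so the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the original tutorial: classify /etc/shadow
# entries by their password-aging fields. Sample data is constructed and
# the hash segments are placeholders, not real hashes.

SHADOW_SAMPLE='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17428:0:99999:7:::
harry:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17400:0:90:7:::
mk:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:99999:7:::
oracle:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17000:0:90:7:30::
svc:!!:17428:0:99999:7:::
guest:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:17428:0:99999:7::17500:
'

# shadow_status FILE TODAY: print "user status" for every entry, where
# TODAY is the current date as days since 1970-01-01 (the unit used by
# fields 3 and 8). Statuses, in the order they are decided:
#   account-expired   today is on or after the expire field (8)
#   locked            hash begins with ! or * (locked or never set)
#   aging-disabled    lastchange (3) is empty
#   must-change       lastchange is 0, as set by chage -d 0
#   inactive          expired longer than maxage (5) + inactive (7) days ago
#   password-expired  older than maxage days
#   warning           within warn (6) days of maxage
#   ok                none of the above
shadow_status() {
    awk -F: -v today="$2" '
    NF < 8 { next }
    {
        user = $1; hash = $2; last = $3; maxd = $5; warn = $6; inact = $7; expday = $8
        status = "ok"
        if (expday != "" && today >= expday + 0)      status = "account-expired"
        else if (hash ~ /^[!*]/)                     status = "locked"
        else if (last == "")                         status = "aging-disabled"
        else if (last + 0 == 0)                      status = "must-change"
        else if (maxd != "") {
            age = today - last
            if (age > maxd + 0) {
                if (inact != "" && age > maxd + inact) status = "inactive"
                else                                   status = "password-expired"
            } else if (warn != "" && age >= maxd - warn) status = "warning"
        }
        printf "%s %s\n", user, status
    }' "$1"
}

# shadow_status_of FILE TODAY USER: status of a single account
shadow_status_of() {
    shadow_status "$1" "$2" | awk -v u="$3" '$1 == u { print $2 }'
}

# Demo with a fixed date (day 17500 is 2017-11-30) so the output is reproducible
sample=$(mktemp)
printf '%s' "$SHADOW_SAMPLE" > "$sample"
shadow_status "$sample" 17500
rm -f "$sample"
```

Run against a real system with `shadow_status /etc/shadow "$(( $(date +%s) / 86400 ))"` as root; accounts reported as locked or password-expired are where the 99999-day default in login.defs tends to hide stale credentials.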

Then change mk's password.

Question: can two users have the same UID?

    [[email protected] ~]# vim /etc/passwd  # change mk's uid to 0
    mk:x:0:0:mk:/home/mk:/bin/bash
    [[email protected] ~]# su - mk
    上一次登录:二 9月 19 22:03:16 CST 2017:0 上
    [[email protected] ~]# id mk
    uid=0(mk) gid=0(root) 组=0(root),10(wheel)

The kernel identifies users by UID, not by name, so mk with UID 0 is root in everything but name. An unexpected UID 0 entry in /etc/passwd is therefore one of the first things to check when auditing a system.
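The following shell script is an added example, not from the original page: given a file in /etc/passwd format it reports the conditions discussed in this chapter that an auditor cares about: any UID 0 account other than root, UIDs shared by more than one account, and accounts whose shell permits an interactive login (anything other than /sbin/nologin or /bin/false). The sample file is constructed and includes the mk entry from the example above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a file in
# /etc/passwd format. The sample below is constructed for illustration.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
harry:x:1001:1001::/home/harry:/bin/bash
oracle:x:1100:1100::/home/oracle:/bin/bash
mk:x:0:0:mk:/home/mk:/bin/bash
xuegod2:x:1104:1103::/home/xuegod2:/bin/bash
backup:x:1104:1104::/home/backup:/bin/bash
svc:x:1200:1200::/var/lib/svc:/bin/false
'

# passwd_field FILE USER N: print field N (1-7) of USER's entry
passwd_field() {
    awk -F: -v u="$2" -v n="$3" 'NF >= 7 && $1 == u { print $n; exit }' "$1"
}

# extra_uid0 FILE: every account with UID 0 whose name is not root.
# The kernel checks the UID, not the name, so these are all root.
extra_uid0() {
    awk -F: 'NF >= 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# duplicate_uids FILE: UIDs used by more than one account, ascending.
# Two accounts sharing a UID are indistinguishable to the kernel and in
# file ownership, which breaks accountability.
duplicate_uids() {
    awk -F: 'NF >= 7 { n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# login_capable FILE: accounts whose shell allows an interactive login
login_capable() {
    awk -F: 'NF >= 7 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# audit_passwd FILE: human-readable report combining the checks above
audit_passwd() {
    printf 'UID 0 accounts other than root: %s\n' "$(extra_uid0 "$1" | tr '\n' ' ')"
    printf 'UIDs shared by several accounts: %s\n' "$(duplicate_uids "$1" | tr '\n' ' ')"
    printf 'accounts with a login shell: %s\n' "$(login_capable "$1" | tr '\n' ' ')"
}

# Demo on the constructed sample (use /etc/passwd on a real system)
sample=$(mktemp)
printf '%s' "$PASSWD_SAMPLE" > "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On the sample the report names mk as a second UID 0 account and shows UIDs 0 and 1104 as shared; the same functions run unchanged against /etc/passwd.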

Commands for viewing user information:

    • id       user and group information
    • whoami   the current effective user name
    • who      users currently logged in to the system
    • w        list of logged-in users and what they are doing
    • users    the names of all users currently logged in
6.2.11 Modifying user information

Syntax: usermod <options> <username>
Common options:

    • -u UID
    • -d home directory
    • -g primary group  # only one
    • -G additional groups  # may be several
    • -s login shell
    • -L lock the account

Example 1: changing the UID

    [[email protected] ~]# id oracle
    uid=1100(oracle) gid=1100(oracle) 组=1100(oracle)
    [[email protected] ~]# usermod -u 1111 oracle
    [[email protected] ~]# id oracle
    uid=1111(oracle) gid=1100(oracle) 组=1100(oracle)

Example 2: Modifying the shell

Example 3: changing the user's home directory

    [[email protected] home]# usermod -m -d /mnt/market market

The -m option creates the new directory and moves the contents of the old home directory into it.

Example 4: adding descriptive information

    [[email protected] mnt]# usermod -c "hello world" market

Summary: if you cannot remember the commands, editing /etc/passwd directly with vim achieves the same result.
6.2.12 Fixing the prompt after the template files have been deleted

    [[email protected] ~]# rm -rf /home/xuegod/.bash*
    [[email protected] ~]# su - xuegod
    -bash-4.2$ exit    # the prompt degrades to this bare form; how to fix it?
    [[email protected] ~]# cp /etc/skel/.bash* /home/xuegod/
    [[email protected] ~]# chown xuegod:xuegod /home/xuegod/.bash*
    [[email protected] ~]# su - xuegod
    [[email protected] ~]$
6.3 Practice: enter CentOS 7 emergency mode to recover the root password

Scenario: a company's CentOS 7 system has lost its root password; you need to quickly change the root password to xuegod and regain root access.

    • Reboot. At the boot menu, use the ↑ and ↓ keys to select the first entry and press e to edit it.

    • In the edit screen, find the word ro on the kernel line and change it to rw init=/sysroot/bin/sh

    • Press Ctrl+X to boot into emergency mode. The principle: the kernel starts a shell directly instead of the normal init, so the system does not really start.

Change the root directory, then change the password:

    • The chroot command runs commands under a specified root directory; chroot means "change root directory". In a Linux system the directory tree starts at /, the root. After chroot, the directory tree is rooted at the specified location: commands read directories and files under the new root rather than under the old system root.

    • Note: if SELinux is enabled, also run touch /.autorelabel to refresh the file labels, otherwise the password change will not take effect after the reboot. Then exit the chroot and reboot the system.

This procedure works because anyone at the console who can edit the boot entry can reach a root shell, which is why physical and bootloader access are part of a system's security boundary.



Summary:

    • 6.1 Configuration files for users and groups
    • 6.2 Managing users and groups
    • 6.3 Practice: enter CentOS 7 emergency mode to recover the root password
