Create, modify, and delete users, user groups, and ACLs in Linux
Linux is a multi-user, multi-tasking, time-sharing operating system. Any user who wants to use system resources must first apply to the system administrator for an account and then log in to the system under that account. User accounts help the system administrator track who uses the system and control their access to system resources; they also help users organize their files and keep one user's data separate from another's. Each user account has a unique user name and password. After entering the correct user name and password at login, the user can access the system and his or her home directory.
To manage user accounts, you must do the following:
· Add, delete, and modify user accounts.
· Manage user passwords.
· Manage user groups.
I. User Account Management in Linux
Managing user accounts mainly involves adding, modifying, and deleting them.
Adding a user account means creating a new account in the system and allocating resources to it: a user ID (UID), a user group, a home directory, and a login shell. A newly added account is locked and cannot be used until a password has been set for it.
1. To add a new user account, use the useradd command. The syntax is as follows:
useradd [options] username
The options are described as follows:
-c comment: a descriptive comment for the account.
-d directory: the user's home directory. If the directory does not exist, add the -m option to create it.
-g group: the primary group the user belongs to.
-G group[,group...]: the additional (supplementary) groups the user belongs to.
-s shell: the user's login shell.
-u uid: the user ID of the new user. If -o is given at the same time, a UID already used by another user may be reused.
username: the login name of the new account.
Example 1: This command creates the user Suser:
# useradd -d /usr/Suser -m Suser
The -d and -m options create the home directory /usr/Suser for the login Suser (/usr is the parent directory of the default user home directory).
Example 2: This command creates the user gem with /bin/sh as the login shell. The user belongs to the group named group, which is the primary group, and also to the supplementary groups adm and root:
# useradd -s /bin/sh -g group -G adm,root gem
The groups must exist first; if necessary create them with: # groupadd group and # groupadd adm
Adding a user account adds a record for the new user to /etc/passwd and updates other system files such as /etc/shadow, /etc/group, and /etc/pgroup.
Linux also provides the integrated system management tool userconf, which can be used to manage user accounts in one place.
2. Delete an account
If a user's account is no longer in use, it can be deleted from the system. Deleting a user account means removing the user's records from system files such as /etc/passwd and, if necessary, deleting the user's home directory. To delete an existing user account, use the userdel command. The format is as follows:
userdel [options] username
The commonly used option is -r, which also deletes the user's home directory.
For example:
# userdel -r Suser    (with -r the home directory is removed too, so all files belonging to Suser there are deleted)
This command deletes the records for the user Suser from the system files (mainly /etc/passwd, /etc/shadow, and /etc/group) together with the user's home directory.
3. Modify an account
Modifying a user account means changing the user's attributes, such as the user ID, home directory, primary group, and login shell.
Use the usermod command to modify an existing user's information. The format is as follows:
usermod [options] username
Common options include -c, -d, -m, -g, -G, -s, -u, and -o. They have the same meaning as in the useradd command and assign a new value of the corresponding resource to the user. In addition, some systems support the following option:
-l new_username: change the user's login name to the new name:
# usermod -l newUserName oldUserName
To modify a user's login shell, home directory and primary group at the same time, for example:
# usermod -s /bin/ksh -d /home/z -g group1 Suser
This command changes the login shell of Suser to ksh, the home directory to /home/z, and the primary group to group1.
4. User password management
An important part of user management is the management of user passwords. A user account has no password when it is created and is locked by the system, so it cannot be used. It can only be used after a password has been set for it, even an empty one.
The shell command used to set and change user passwords is passwd. The superuser can set passwords for himself and for other users; ordinary users can only use it to change their own password. Command format:
passwd [options] username
Available options:
-l: lock the password (disable the account's password).
-u: unlock the password.
-d: make the account passwordless (delete the password).
-f: force the user to change the password at the next login.
-S: display the status of the user's password. This option is only available to the root user.
If the user name is omitted, the password of the current user is changed.
For example, if the current user is sam, the following command changes the user's own password:
$ passwd
Old password: ******
New password: *******
Re-enter new password: *******
The superuser can set the password of any user in the following form:
# passwd sam
New password: *******
Re-enter new password: *******
When an ordinary user changes his or her own password, passwd first asks for the original password and then asks for the new password twice; the password is changed only if the two entries match. When the superuser sets a password for a user, the original password is not required.
For the sake of system security, choose a complex password: preferably at least 8 characters long, containing uppercase letters, lowercase letters, and digits, and unrelated to the user's name or birthday.
To set an empty password, run the following command:
# passwd -d Suser
This command deletes Suser's password, so the system does not ask for a password at the next login.
The passwd command can also lock a user with the -l (lock) option so that the user cannot log in. For example:
# passwd -l Suser
To view the status of a user's password, for example root's, use -S:
# passwd -S root
5. Besides passwd -S username, chage can also be used to view and change user password information:
chage [options] username
Options:
-l: list the password aging parameters of this account.
-d date: set the third field of /etc/shadow (date of the last password change); format YYYY-MM-DD.
-E date: set the eighth field of /etc/shadow (account expiration date); format YYYY-MM-DD.
-I days: set the seventh field of /etc/shadow (password inactivity period: days after the password expires before the account becomes inactive).
-m days: set the fourth field of /etc/shadow (minimum number of days between password changes).
-M days: set the fifth field of /etc/shadow (maximum number of days the password is valid before it must be changed).
-W days: set the sixth field of /etc/shadow (number of days of warning before the password expires).
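As an added example (not part of the original article), the following shell script audits the /etc/shadow fields that the passwd and chage options above work on, reporting for each account the state that passwd -S and chage -l would show: locked, passwordless (as after passwd -d), expired, inactive, or overdue for a password change. The shadow records and the "today" value are constructed for the example; no real system file is read.

```shell
#!/bin/sh
# Added example, not from the article: audit shadow-format records using the
# field numbers listed for chage: 2=hash, 3=last change (days since 1970-01-01),
# 4=min days, 5=max days, 6=warn days, 7=inactive days, 8=account expiry day.
# Every record below is constructed for this example; nothing real is read.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19700:0:99999:7:::
sam:$6$saltsalt$hashhashhash:19500:0:90:7:::
Suser::19700:0:99999:7:::
gem:!$6$saltsalt$hashhashhash:19700:0:99999:7:::
old:$6$saltsalt$hashhashhash:19000:0:90:7:30::
guest:$6$saltsalt$hashhashhash:19700:0:99999:7::19600:'

# audit_shadow <today as days since epoch>: reads shadow lines on stdin and
# prints "<user> <state>", where state is
#   EXPIRED    account expiry day (field 8) has passed
#   NOPASS     empty hash: no password asked at login (what passwd -d leaves)
#   LOCKED     hash starts with ! or *, as after passwd -l or a never-set password
#   INACTIVE   password older than max + inactive days: account disabled
#   MUSTCHANGE password older than max days: change forced at next login
#   OK         none of the above
audit_shadow() {
    awk -F: -v today="$1" '
    NF < 8 { next }
    {
        user = $1; hash = $2; last = $3; max = $5; inact = $7; expire = $8
        age = today - last
        if (expire != "" && expire + 0 <= today)      state = "EXPIRED"
        else if (hash == "")                          state = "NOPASS"
        else if (hash ~ /^[!*]/)                      state = "LOCKED"
        else if (max != "" && max + 0 < 99999 && age > max + 0) {
            if (inact != "" && age > max + inact)     state = "INACTIVE"
            else                                      state = "MUSTCHANGE"
        }
        else                                          state = "OK"
        print user, state
    }'
}

# state_of <user> <today>: look up one account in the sample data
state_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$2" | awk -v u="$1" '$1 == u { print $2 }'
}

# Day 19710 (constructed "today"): expect sam MUSTCHANGE, old INACTIVE, guest EXPIRED
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 19710
```

Run against a real system with `audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow` as root; the NOPASS and MUSTCHANGE rows are the ones to follow up on.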
6. Query a user's UID, GID, groups and other information:
# id [options] username
It is usually used to view all of this information at once, so the options can be omitted.
II. User group management in Linux
Every user belongs to a user group, and the system can manage all users in a group centrally. Different Linux distributions handle groups differently; on many of them, each user belongs to a private group with the same name as the user, created at the same time as the user.
User group management involves adding, deleting, and modifying user groups; each of these is in fact an update of the /etc/group file.
1. To add a new user group, use the groupadd command. The format is as follows:
groupadd [options] groupname
The following options can be used:
-g GID: specify the group ID (GID) of the new group.
-o: usually used together with -g; allows the GID of the new group to be the same as that of an existing group.
Example 1: This command adds the new group group1 to the system. The GID of the new group is the current largest GID plus 1.
# groupadd group1
Example 2: This command adds the new group group2 to the system and specifies 666 as its GID.
# groupadd -g 666 group2
2. To delete an existing user group, use the groupdel command in the following format:
groupdel groupname
For example:
# groupdel group1
This command deletes the group group1.
3. Use the groupmod command to modify the attributes of a user group. The syntax is as follows:
groupmod [options] groupname
Common options include:
-g GID: assign a new group ID to the group.
-o: used together with -g; allows the new GID to be the same as that of an existing group.
-n new_groupname: rename the group.
Example 1: This command changes the GID of group2 to 102.
# groupmod -g 102 group2
Example 2: This command changes the GID of group2 to 10000 and renames the group to group3.
# groupmod -g 10000 -n group3 group2
4. If a user belongs to several groups at the same time, the user can switch between them to obtain the permissions of another group. After logging in, use the newgrp command to switch to another group; its argument is the target group. For example:
$ newgrp root
III. ACLs (access control lists) are mainly used to set permissions for specific users, specific groups, and default entries.
1. Enable ACLs
[root@lyy ~]# mount -o remount,acl /home     (enable ACLs on /home)
[root@lyy ~]# mount                          (check the result)
/dev/hda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda5 on /home type ext3 (rw,usrquota,grpquota,acl)     ACLs are enabled on this file system
/dev/hda1 on /boot type ext3 (rw)
To enable ACLs automatically at boot, add acl after defaults in the /etc/fstab entry:
LABEL=/home  /home  ext3  defaults,acl  1 2
In fact, partitions created during installation of RHEL 5.x support ACLs by default. For a partition created after installation, add the preceding mount option.
ACL tools: getfacl, setfacl
getfacl: get the ACL settings of a file or directory.
setfacl: set ACL rules on a file or directory.
setfacl options:
-m: modify the ACL with the entries that follow. Cannot be combined with -x.
-x: remove the entries that follow.
-b: remove all ACL entries.
-k: remove the default ACL.
-R: apply recursively, including subdirectories.
-d: operate on the default ACL, which applies only to directories.
2. Example: use setfacl to grant user1 read and write permission on the file acltest
[root@lyy test]# touch acltest                   (create the file)
[root@lyy test]# ll acltest
-rw-r--r-- 1 root root 0 12-07 20:28 acltest
[root@lyy test]# setfacl -m u:user1:rw acltest   (give user1 read and write permission)
[root@lyy test]# ll
-rw-rw-r--+ 1 root root 0 12-07 20:28 acltest
ll now shows a + after the permission bits, indicating that the file carries an ACL.
In short, use setfacl -m u:user:permissions to grant a user permissions.
3. View the permissions with getfacl
[root@lyy test]# getfacl acltest
# file: acltest          file name
# owner: root            owner
# group: root            owning group
user::rw-                empty user name: the owner's permissions
user:user1:rw-           read/write granted to user1
group::r--               owning group
mask::rw-                effective permission mask
other::r--               others
mask: the permissions of named users and groups take effect only within the mask; bits outside the mask are not granted.
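The mask rule just stated, worked through as an added example (not from the original article): a small shell script that applies the mask to each entry of getfacl output the way the kernel does, so the effective permissions can be read off. The getfacl text is constructed; it extends the acltest listing above with a g:pc:rwx entry and a mask narrowed to r-x, the situation in which real getfacl prints an #effective: comment next to the reduced entries.

```shell
#!/bin/sh
# Added example, not from the article: compute effective ACL permissions.
# Named user entries, named group entries and the owning group (group::)
# are limited by mask::; the owner (user::) and other:: are not.
# The getfacl output below is constructed for this example.
SAMPLE_ACL='# file: acltest
# owner: root
# group: root
user::rw-
user:user1:rw-
group::r--
group:pc:rwx
mask::r-x
other::r--'

# mask_bits <perm> <mask>: keep a bit only if it is set in both (rwx order)
mask_bits() {
    p="$1" m="$2" out=""
    for i in 1 2 3; do
        pb=$(printf '%s' "$p" | cut -c"$i")
        mb=$(printf '%s' "$m" | cut -c"$i")
        if [ "$pb" = "$mb" ]; then out="$out$pb"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# effective_acl: reads getfacl output on stdin, prints "<tag:name> <granted> <effective>"
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" { print $3 }')
    printf '%s\n' "$acl" | grep -v '^#' | while IFS=: read -r tag name perm; do
        case "$tag" in
            user)  if [ -n "$name" ]; then eff=$(mask_bits "$perm" "$mask"); else eff=$perm; fi ;;
            group) eff=$(mask_bits "$perm" "$mask") ;;
            *)     eff=$perm ;;
        esac
        printf '%s:%s %s %s\n' "$tag" "$name" "$perm" "$eff"
    done
}

# effective_of <tag:name>: effective permissions of one entry in the sample ACL
effective_of() {
    printf '%s\n' "$SAMPLE_ACL" | effective_acl | awk -v e="$1" '$1 == e { print $3 }'
}

# Expect user1 reduced to r-- and pc reduced to r-x; the owner keeps rw-
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On a live system, `getfacl somefile | effective_acl` shows the same reduction; a chmod on the group bits rewrites the mask, which is why an ACL entry can silently lose permissions after a chmod.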
By default, an ACL is not inherited by subdirectories; to have it inherited, use the d (default) prefix.
Example:
[root@lyy tmp]# setfacl -m g:pc:rwx test
[root@lyy tmp]# cd test
[root@lyy test]# mkdir group
[root@lyy test]# ll group/ -d
drwxr-xr-x 2 root root 4096 12-07 20:47 group/
The new subdirectory shows no +, so the entry was not inherited. Use the d prefix so that subdirectories inherit it:
[root@lyy test]# setfacl -m d:g:pc:rwx ./test/
[root@lyy test]# ll -d
drwxr-xr-x 3 root root 4096 12-07 20:51 .
[root@lyy test]# ll test -d
drwxr-xr-x+ 2 root root 4096 12-07 20:51 test
[root@lyy test]# cd test
[root@lyy test]# mkdir baidu
[root@lyy test]# ll
Command format: setfacl -m d:u:user:permissions
4. Run setfacl -b to remove the ACL.
Example:
[root@lyy test]# setfacl -b test/      (remove the ACL)
[root@lyy test]# ll
drwxr-xr-x 3 root 4096 12-07 test      (the + is gone)