Detailed analysis of Linux User Management

Source: Internet
Author: User
Article Title: Detailed analysis of Linux user management.

In Linux, the users and groups together resemble a country: for it to flourish it needs proper governance, with a president, local officials and ordinary citizens each playing their part. Likewise, if you have strict security requirements, Linux lets you restrict users' actions in fine detail, because different users have different permissions.

Internally, Linux does not identify us by account name; it recognizes our numeric account ID, which is stored in the /etc/passwd file. When we log on to a Linux host and enter an account and password, Linux first looks for the account in /etc/passwd. If it is not there, the login is rejected. If it is, Linux reads the account's user ID and group ID, its home directory and its login shell. It then consults the password table, /etc/shadow, finds the entry for the account and user ID we just entered, and checks whether the password is correct. If everything matches, we are logged in to that user's shell. First, let's take a look at the user account files.

1. /etc/passwd. Let's use more to view this file.

First, look at the first line, the one for root. It has seven fields, separated by colons, with the following meanings:

Account name: the name that corresponds to a user ID. Here it is the system's default user, root, the superuser. Account names are unique within a system; the maximum length varies between Linux systems but is generally 8 characters.

Password: because the system also has an /etc/shadow file that stores the encrypted password, this field holds only an "x". If the user has not set a password, this field is empty.

User ID: used inside the system to tell users apart; every user has a different ID. User IDs are assigned as follows:

0 is the system administrator. If you want to create another system administrator, you can create an ordinary account and change its user ID to 0.

1 to 500 are reserved for system accounts; IDs above 500 are used by ordinary users.

Group ID: similar to the user ID, it identifies the user's group and is linked to /etc/group.

Description: this field has almost no functional effect; it describes the purpose of the account.

User home directory: the directory the user starts in after logging on to the system. By default it is /root for root and /home/<user name> for ordinary users.

User login shell: the shell started for the user when logging on. We will study the shell later.
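The seven passwd fields and the checks suggested above (which accounts have UID 0, which IDs fall in the reserved range, which accounts have an empty password field) as an added example in Python. This is not code from the original article; the file contents are constructed, and the 500 boundary follows the article, whereas real systems take it from UID_MIN in /etc/login.defs.

```python
# Added example, not from the original article. Parses /etc/passwd lines and
# runs a few defender-side checks on them. SAMPLE_PASSWD is constructed data.
from dataclasses import dataclass
from typing import List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
qiuri:x:501:501::/home/qiuri:/bin/bash
admin2:x:0:0:second superuser:/home/admin2:/bin/bash
nopass::502:502::/home/nopass:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" means the hash lives in /etc/shadow; "" means no password at all
    uid: int
    gid: int
    gecos: str     # the free-text description field
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each line on ':' into the seven passwd fields, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0 is a superuser, whatever its name."""
    return [e.name for e in entries if e.uid == 0]


def extra_superusers(entries: List[PasswdEntry]) -> List[str]:
    """UID-0 accounts other than root; each one deserves a second look."""
    return [n for n in uid0_accounts(entries) if n != "root"]


def system_accounts(entries: List[PasswdEntry], reserved_max: int = 500) -> List[str]:
    """Accounts in the reserved range 1..reserved_max (500 per the article;
    real systems read UID_MIN from /etc/login.defs)."""
    return [e.name for e in entries if 1 <= e.uid <= reserved_max]


def empty_password_field(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose passwd password field is empty rather than 'x'."""
    return [e.name for e in entries if e.password == ""]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts besides root:", extra_superusers(entries))
    print("system accounts:", system_accounts(entries))
    print("empty password field:", empty_password_field(entries))
```

To run it against a real system, replace SAMPLE_PASSWD with the contents of /etc/passwd; the UID 0 check is the one worth scheduling, because a second superuser account is invisible to anyone who only looks at the name.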


2. /etc/shadow. In earlier Unix systems, both the account information and the password were stored in the passwd file. Although the password was encrypted and stored as ciphertext, the passwd file is readable by every user on the system, so the ciphertext could easily be taken and cracked, a serious security risk. The shadow file now holds the encrypted user password, while the passwd file holds the remaining account information. The shadow file can be read only by the administrator. Because its contents could be cracked, do not disclose them to anyone.

Similarly, we analyze the first line, which has nine fields:

Account name: matches the name in passwd and has the same meaning.

Password: this is the real password, stored encrypted; you can only see a string of special characters. Note that while these passwords are difficult to crack, they are not uncrackable. If the first character of the password column is "*", the account cannot be used to log on; if you want to stop a user from logging on, add an asterisk in front of the password.

Date of the last password change: this field records when the password was last changed. Why 13798? Because Linux expresses this date as a count of days starting from January 1, 1970: that day counts as 1, a year later the count reaches 366, and so on up to 13798.

Days when the password cannot be changed: because a stolen password would endanger the whole system, this field sets a period after which you must change the password again; otherwise the account becomes temporarily invalid. The value 99999 above means the password never needs to be changed. It is best to set a period so that passwords are changed regularly, to keep the system secure.

Warning period before the password expires: when the account's password is about to expire, the system uses this field to decide when to warn the user: "your password will expire in n days, please change it as soon as possible". The default is seven days.

Account expiration time: if the user does not change the password after the warning period, the password becomes invalid. If the user then does not ask the administrator to re-enable the account within the number of days in this field, the account becomes temporarily invalid.

Account cancellation date: like the third field, this is a day count from January 1, 1970. The account cannot be used after the date given here. This field is typically used in paid (subscription) services: you specify a date after which the account can no longer be used.

Reserved: the last field is reserved for features that may be added in the future.
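The nine shadow fields and the aging rules described above, as an added example in Python; it is not code from the original article. It names the fields as shadow(5) does (minimum age, maximum age, warning days, inactivity grace period, absolute expiry day), converts the day counter to a calendar date with day 0 at January 1, 1970, which is how the system computes it, and classifies each entry for a chosen day. SAMPLE_SHADOW is constructed and its hashes are placeholders, not real hashes.

```python
# Added example, not from the original article. Parses /etc/shadow lines and
# evaluates the password-aging fields using the field names from shadow(5).
# SAMPLE_SHADOW is constructed; the hashes are placeholders.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # day 0 of the shadow day counter

SAMPLE_SHADOW = """\
root:$6$salt$CONSTRUCTED_HASH_1:13798:0:99999:7:::
qiuri:$6$salt$CONSTRUCTED_HASH_2:13790:0:30:7:5::
locked:*:13798:0:99999:7:::
old:$6$salt$CONSTRUCTED_HASH_3:13700:0:60:7:10:13900:
soon:$6$salt$CONSTRUCTED_HASH_4:13800:0:30:10:::
gone:$6$salt$CONSTRUCTED_HASH_5:13800:0:99999:7::13810:
"""


@dataclass
class ShadowEntry:
    name: str
    password: str                 # hash, or a "*" / "!" prefix meaning the account is locked
    last_change: Optional[int]    # days since 1970-01-01 of the last password change
    min_days: int                 # days that must pass before the password may change again
    max_days: Optional[int]       # days after which the password must be changed
    warn_days: int                # days before expiry on which warnings start
    inactive_days: Optional[int]  # grace days after expiry before the account is disabled
    expire_day: Optional[int]     # absolute day on which the account stops working
    reserved: str


def _opt_int(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries.append(ShadowEntry(f[0], f[1], _opt_int(f[2]), int(f[3] or 0),
                                   _opt_int(f[4]), int(f[5] or 0), _opt_int(f[6]),
                                   _opt_int(f[7]), f[8]))
    return entries


def days_to_date(days: int) -> date:
    """13798 -> the calendar date that many days after 1970-01-01."""
    return EPOCH + timedelta(days=days)


def date_to_days(d: date) -> int:
    return (d - EPOCH).days


def password_status(e: ShadowEntry, today: int) -> str:
    """Classify an entry for a given day count: locked, account-expired,
    change-required, inactive, expired, warn or ok."""
    if e.password.startswith(("*", "!")):
        return "locked"
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"
    if e.last_change == 0:
        return "change-required"  # a new password is demanded at the next login
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "ok"               # no maximum age: the password never expires
    expires_on = e.last_change + e.max_days
    if today >= expires_on:
        if e.inactive_days is not None and today >= expires_on + e.inactive_days:
            return "inactive"
        return "expired"
    if today >= expires_on - e.warn_days:
        return "warn"
    return "ok"


def status_report(text: str, today: int) -> dict:
    """Map every account in the file to its status on the given day."""
    return {e.name: password_status(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    print(days_to_date(13798))
    print(status_report(SAMPLE_SHADOW, 13822))
```

The report for a fixed day makes the example reproducible; on a live system pass date_to_days(date.today()) instead, and treat any "ok" entry with max_days of 99999 as the policy gap the article warns about.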

3. /etc/group. Let's view this file.

Again we analyze the first line. It has four fields, in order:

Group name: the name of the group.

Group password: generally there is no need to set one, since group logon is seldom used. If set, the password is recorded in /etc/gshadow.

Group ID: the numeric ID of the group.

Member account names: all accounts that belong to this group. If you want the user qiuri to belong to the root group, append ",qiuri" to the end of the first line. Note that there must be no space before qiuri.
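The four group fields, a listing of who sits in privileged groups, and the comma-without-space edit described above, as an added example in Python. This is not code from the original article; SAMPLE_GROUP is constructed, and the set of groups treated as privileged (root, wheel, sudo) is an assumption for the example.

```python
# Added example, not from the original article. Parses /etc/group lines, lists
# the members of privileged groups, and appends a member the way the text
# describes (a comma, no space). SAMPLE_GROUP is constructed data.
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_GROUP = """\
root:x:0:qiuri
bin:x:1:
wheel:x:10:alice,bob
users:x:100:
"""


@dataclass
class GroupEntry:
    name: str
    password: str       # "x": the real group password, if any, is in /etc/gshadow
    gid: int
    members: List[str]  # supplementary members; primary membership comes from passwd's GID


def parse_group(text: str) -> Dict[str, GroupEntry]:
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(f)}")
        name, password, gid, members = f
        groups[name] = GroupEntry(name, password, int(gid),
                                  [m for m in members.split(",") if m])
    return groups


def privileged_members(groups: Dict[str, GroupEntry],
                       privileged=("root", "wheel", "sudo")) -> Dict[str, List[str]]:
    """Non-empty member lists of groups that grant elevated rights (assumed set)."""
    return {g: groups[g].members for g in privileged if g in groups and groups[g].members}


def add_member(line: str, user: str) -> str:
    """Return the group line with `user` appended to its member list.
    Existing members are kept, entries are comma-separated and no space is inserted."""
    f = line.split(":")
    if len(f) != 4:
        raise ValueError("not a group line")
    members = [m for m in f[3].split(",") if m]
    if user not in members:
        members.append(user)
    return ":".join(f[:3] + [",".join(members)])


def add_member_to_file(text: str, group: str, user: str) -> str:
    """Apply add_member to the named group's line in a whole file's text."""
    out = []
    for line in text.splitlines():
        if line.split(":")[0] == group:
            line = add_member(line, user)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(privileged_members(parse_group(SAMPLE_GROUP)))
    print(add_member_to_file(SAMPLE_GROUP, "users", "qiuri"))
```

Editing the file by hand is what the article describes; the helper makes the same change idempotently, which matters because "alice,bob,bob" is exactly the kind of line a hand edit produces.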

4. adduser

If there are no special requirements, we usually just run adduser followed by the user name to create an account. For example, to create the qiuri account:

Normally, creating an account appends one line to the end of each of the three files we just discussed. Let's verify that:

The defaults used when creating a user come from the configuration files /etc/login.defs and /etc/default/useradd.

In this file, the option to know is SKEL: it means the contents of the new user's home directory are copied from /etc/skel. This is useful when adding users manually. Let's check the contents of that directory:

This command also accepts several parameters, for example:

adduser [-u uid] [-g group] [-d home] [-s shell]

-u: specify the user ID directly
-g: specify the GID directly
-d: use an existing directory as the home directory
-s: specify the login shell

5. passwd: set the user password

By default, no password is set when a user is added, so the newly created account cannot log on to the system even though it exists. You must use the passwd command to set a password before the account can log on. There are two cases: the administrator changing a user's password, and a user logging on and changing his own password.

First, the administrator root changes a user's password. For example, create the user qiuri and set its password:

The administrator sets a password with the passwd [user name] command. To avoid typing errors, the password is entered twice in a row; if both entries match, the password is accepted, encrypted and saved to the shadow file. Once that is done, we can log on as qiuri. The second case is the user qiuri changing his own password.
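What steps 4 and 5 should leave behind, checked on file contents, as an added example in Python; this is not code from the original article. After adduser the new name appears exactly once in passwd, shadow and group, with a /home/<name> home directory, and the shadow password field holds a lock marker rather than a hash until passwd has run. The three sample texts are constructed, the hashes are placeholders, and the list of no-login shells is an assumption for the example.

```python
# Added example, not from the original article. Audits what "adduser qiuri"
# followed by "passwd qiuri" should produce in the three account files.
# All sample texts are constructed; the hashes are placeholders.
from typing import Dict, List

PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
qiuri:x:501:501::/home/qiuri:/bin/bash
"""
GROUP_AFTER = """\
root:x:0:
qiuri:x:501:
"""
# Right after adduser: the password field is a lock marker, so no login is possible.
SHADOW_BEFORE_PASSWD = """\
root:$6$salt$CONSTRUCTED_ROOT_HASH:13798:0:99999:7:::
qiuri:!!:13798:0:99999:7:::
"""
# After passwd has set a password: the field holds an encrypted hash.
SHADOW_AFTER_PASSWD = """\
root:$6$salt$CONSTRUCTED_ROOT_HASH:13798:0:99999:7:::
qiuri:$6$salt$CONSTRUCTED_QIURI_HASH:13798:0:99999:7:::
"""

# Shells that refuse interactive login (assumed list for the example).
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def find_lines(text: str, name: str) -> List[List[str]]:
    """All colon-split lines whose first field is `name` (there should be exactly one)."""
    return [line.split(":") for line in text.splitlines() if line.split(":")[0] == name]


def password_is_usable(shadow_field: str) -> bool:
    """A usable hash is non-empty and not a lock marker such as '!', '!!' or '*'."""
    return bool(shadow_field) and not shadow_field.startswith(("!", "*"))


def audit_new_account(name: str, passwd_text: str, shadow_text: str,
                      group_text: str) -> Dict[str, object]:
    """Check that `name` is consistently present across the three files and
    report whether it can currently log on."""
    p, s, g = (find_lines(t, name) for t in (passwd_text, shadow_text, group_text))
    findings: Dict[str, object] = {
        "passwd_lines": len(p), "shadow_lines": len(s), "group_lines": len(g),
        "home_is_default": False, "password_set": False,
        "shell_allows_login": False, "primary_group_matches": False,
    }
    if len(p) == 1:
        fields = p[0]
        findings["home_is_default"] = fields[5] == f"/home/{name}"
        findings["shell_allows_login"] = fields[6] not in NOLOGIN_SHELLS
        # the user's private group should carry the same GID as the passwd entry
        findings["primary_group_matches"] = len(g) == 1 and g[0][2] == fields[3]
    if len(s) == 1:
        findings["password_set"] = password_is_usable(s[0][1])
    findings["can_log_in"] = (len(p) == 1 and len(s) == 1
                              and bool(findings["password_set"])
                              and bool(findings["shell_allows_login"]))
    return findings


if __name__ == "__main__":
    print(audit_new_account("qiuri", PASSWD_AFTER, SHADOW_BEFORE_PASSWD, GROUP_AFTER))
    print(audit_new_account("qiuri", PASSWD_AFTER, SHADOW_AFTER_PASSWD, GROUP_AFTER))
```

Run with the contents of the real files, a count other than 1 in any of the three files or a usable hash before passwd was deliberately run is the thing to investigate.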
