Detailed management of Linux users and user groups

Source: Internet
Author: User

Linux User and user group management

Linux is a multi-user, multi-tasking, time-sharing system. Anyone who wants to use system resources must first request an account from the system administrator and then enter the system under that account.

A user account lets the system administrator track who is using the system and control their access to system resources; for the user it provides a place to organize files and protects those files from other users.

Each user account has a unique username and its own password.

To manage users and groups you first have to create them; the work mainly consists of adding, modifying and deleting user and group accounts. Below is a summary of the commands involved.

Summary of user-management commands (the ones I consider important, common, and worth mastering)
Command    Description
useradd    Add a user to the system (adduser is a wrapper or alias for it on many distributions)
userdel    Delete a user and, optionally, the user's home directory and mail spool
passwd     Set or change a user's password
chage      View or change the password-expiry settings of an account
id         Show a user's UID, GID and the groups the user belongs to
su         Switch to another user
sudo       Run a command as another user (root by default), as permitted by /etc/sudoers
visudo     Edit /etc/sudoers with locking and a syntax check before saving (never edit the file directly with vi: a syntax error there locks everyone out of sudo)
pwck       Verify that /etc/passwd and /etc/shadow are well-formed and consistent: field count, numeric UIDs and GIDs, existing home directories and shells (a fairly weak check)
finger     Display information about a user

Summary of group-management commands (the ones I consider important, common, and worth mastering)
Command    Description
groupadd   Create a user group
gpasswd    Set a password for a group and administer its membership
newgrp     Change the current effective group of the user (log into a group)
groupdel   Delete a user group
groupmod   Modify a group; its options are:

1) -g GID    assign a new group identification number to the group

2) -o        used together with -g, allows the new GID to be the same as the GID of an existing group

3) -n NAME   rename the group to NAME

Now that you have seen the summary, let's try it out by adding a new user account with the useradd command. Command format: useradd [options] username

Before practicing, a look at the useradd options:

useradd option         Description
-c comment             Comment text, stored in the comment (GECOS) field of /etc/passwd
-d home_dir            Home directory the user lands in after login
-e expire_date         Date on which the account expires, in the form YYYY-MM-DD
-f inactive_days       Number of days after the password expires before the account is disabled
-g initial_group       Primary group of the user (name or GID)
-G group[,...]         Supplementary groups the user also belongs to
-m                     Create the home directory
-M                     Do not create the home directory, even if CREATE_HOME in /etc/login.defs says to
-s shell               Login shell
-u uid                 Numeric user ID

useradd -D option      Description
-b default_home        Change the default parent directory under which home directories are created
-e expiration_date     Change the default expiry date of new accounts
-f inactive_days       Change the default number of inactive days after password expiry
-g group               Change the default primary group name or GID
-s shell               Change the default login shell

/etc/default/useradd file

/etc/default/useradd holds the defaults useradd applies when it creates a user; 'useradd -D' prints them and, given options, changes them. Let's look at its contents:

cat /etc/default/useradd

useradd -D -s /bin/tcsh      <== change the default shell to /bin/tcsh

Example (1)
useradd -d /usr/user2 -m user2

This creates the user user2; -d and -m together create the home directory /usr/user2 for it (/usr here stands for the parent directory under which home directories live; on most systems that is /home).

Example (2)
groupadd admin        # create the admin group
groupadd admax        # create the admax group
useradd -s /bin/sh -g root -G admin,admax user

This creates the user "user" with /bin/sh as login shell, root as primary group and admin and admax as supplementary groups. Note that with root as primary group every file this user creates is group-owned by root; on a real system you would normally give the user a primary group of its own.

Adding a user account means adding a record for the new user to /etc/passwd and updating the other system files (/etc/shadow, /etc/group, and so on) accordingly.

Linux used to provide an integrated management tool, userconf (part of the old Linuxconf suite, no longer shipped by current distributions), for managing user accounts in one place.

Delete Account

If an account is no longer in use it can be removed from the system. Deleting a user account means deleting the user's record from /etc/passwd and the other system files and, if required, deleting the user's home directory.

Delete an existing user account with the userdel command, in the following format:

userdel [options] username

The common option is -r, which also removes the user's home directory (and mail spool).

userdel -r user

This deletes the user's records from the system files (mainly /etc/passwd, /etc/shadow, /etc/group and so on) and deletes the home directory at the same time. Files owned by that user elsewhere on the system are not touched; find them with 'find / -nouser' so they do not end up belonging to whoever is later assigned the same UID.

Modify Account

Modifying an account means changing its attributes to suit the situation: UID, home directory, group, login shell and so on.

Modify an existing user with the usermod command:

usermod [options] username

Common options are -c, -d, -m, -g, -G, -s, -u and -o; they have the same meaning as in useradd and assign the user a new value for that attribute. Note that -d alone only changes the field in /etc/passwd; add -m to move the contents of the old home directory as well.

In addition, usermod can rename an account with the option: -l new_username

This option gives the account a new login name (do not confuse it with -L, which locks the account's password).

usermod -s /bin/ksh -d /home/z -g proxy user

This changes the user's login shell to ksh, the home directory to /home/z and the primary group to proxy.

Management of user passwords

A freshly created account has no password and is locked by the system, so it cannot be used until a password is set, even an empty one. (It is locked because useradd writes "!" into the password field of /etc/shadow, which matches no password at all.)

The shell command for setting and changing passwords is passwd. The superuser can set a password for themselves or for any other user; a normal user can only use it to change their own password.

passwd [options] [username]
Common options
-l   Lock the account's password, so it can no longer be used to log in
-u   Unlock it again
-d   Delete the password, so the account can log in without one (avoid this)
-e   Expire the password immediately, forcing the user to change it at the next login
If no username is given, the current user's password is changed.

A record in /etc/passwd has seven colon-separated fields:

username:password:UID:GID:comment:home_directory:login_shell

Taking them in order:

1) "Username" is a string representing the user account

Historically it is at most 8 characters long (modern Linux allows 32) and consists of upper- and lower-case letters and/or digits. It cannot contain a colon (:), because the colon is the field delimiter here.

For compatibility it is best not to include a dot (.) in the login name, and the name must not begin with a hyphen (-) or a plus sign (+); those prefixes have a special meaning in NIS compatibility entries, and useradd rejects them.

2) "Password" holds, on some systems, the user's encrypted (hashed) password

Even though this field contains only a hash of the password and not the clear text, /etc/passwd is readable by every user, so it is still a security risk: anyone can copy the hashes and crack them offline. For this reason many Unix systems (SVR4 among them) and every current Linux distribution use shadow passwords: the real hash is stored in /etc/shadow, which only root can read, while the password field of /etc/passwd holds just a placeholder such as "x" or "*".

3) "User identification number" (UID) is an integer the system uses internally to identify the user

In general it corresponds one-to-one with a username. If several usernames share the same UID, the system treats them as the same user, even though they can have different passwords, home directories and login shells. In particular, a second account with UID 0 is a full root account, which is why audits always look for one.

Traditionally the UID range was 0 to 65535: 0 is the superuser root, 1 to 99 are reserved for system administrative accounts, and ordinary users start at 100. Modern Linux uses 32-bit UIDs, and the first UID for ordinary users is set by UID_MIN in /etc/login.defs: 500 on older Red Hat systems, 1000 on most current distributions.

4) "Group identification number" (GID) records the primary group of the user

It corresponds to a record in /etc/group.

5) The "comment" field records some personal information about the user

For example the user's real name, phone number, address and so on; the system itself makes no use of it. Its format is not uniform across Linux systems. On many of them it holds free-form descriptive text, which is what the finger command prints.

6) "Home directory" is the user's initial working directory

It is the directory the user is in right after logging in. On most systems all home directories are placed under one specific directory, and each home directory is named after the user's login name. Each user has read, write and execute (search) permission on their own home directory; what other users may do with it is set case by case.

7) "Login shell": after the user logs in, a process is started that passes the user's actions on to the kernel; that process is the command interpreter (or a specific program) run for the user, the shell

The shell is the interface between the user and the Linux system. There are many Linux shells, each with its own characteristics. Common ones are sh (Bourne shell), csh (C shell), ksh (Korn shell), tcsh (TENEX/TOPS-20 type C shell), bash (Bourne Again shell), and so on.

The system administrator assigns a shell according to the system and the user's habits. If useradd is given no shell it uses the SHELL value from /etc/default/useradd; if the field in /etc/passwd is left empty, login falls back to /bin/sh.

The login shell can also be a specific program rather than a command interpreter.

This makes it possible to restrict a user to running only one application: the user is logged out automatically when that application exits. Some systems only accept programs registered in /etc/shells here (chsh, for instance, refuses anything not listed there).

8) The system has a class of users called pseudo-users

These users also occupy a record in /etc/passwd but cannot log in, because their login shell is set to a program that refuses to start a session, such as /sbin/nologin or /bin/false. (An empty shell field does not achieve this: login then uses /bin/sh.) They exist mainly for the convenience of system management, so that system processes and files can have an owner that is not a real person.

Common pseudo-users are:

Pseudo-user   Purpose
bin           owns the executable user command files
sys           owns system files
adm           owns accounting files
uucp          used by UUCP
lp            used by the lp or lpd subsystem
nobody        used by NFS
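The field rules from points 1 to 8 above, turned into a small pwck-style checker. This is an added example, not code from the original post: it reads passwd-format records from stdin (for instance the output of "getent passwd") and flags extra UID-0 accounts, shared UIDs, empty password fields, empty shell fields and malformed names. The sample records at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: a small pwck-style checker for
# the passwd fields described above. It reads passwd-format records from
# stdin, prints one finding per line, and exits 1 if it found anything.
# No root needed: feed it "getent passwd", a copy of /etc/passwd, or the
# constructed sample at the bottom.

check_passwd_records() {
    awk -F: '
    {
        # 1. every record must have exactly seven colon-separated fields
        if (NF != 7) { print "line " NR ": expected 7 fields, got " NF; bad++; next }
        name = $1; pw = $2; uid = $3; home = $6; shell = $7

        # 2. login name: non-empty, no leading - or +, only letters, digits, . _ -
        if (name == "") { print "line " NR ": empty login name"; bad++ }
        else if (name ~ /^[-+]/) { print "line " NR ": login name " name " starts with - or +"; bad++ }
        else if (name ~ /[^A-Za-z0-9._-]/) { print "line " NR ": login name " name " has illegal characters"; bad++ }
        if (name in names) { print "line " NR ": duplicate login name " name; bad++ }
        names[name] = 1

        # 3. an empty password field means login with no password at all
        if (pw == "") { print "line " NR ": " name " has an empty password field"; bad++ }

        # 4. UID must be numeric; a second UID 0 is a second root; two names
        #    on one UID are one identity to the kernel
        if (uid !~ /^[0-9]+$/) { print "line " NR ": non-numeric uid for " name; bad++ }
        else {
            if (uid == 0 && name != "root") { print "line " NR ": " name " has uid 0"; bad++ }
            if (uid in seen) { print "line " NR ": uid " uid " shared by " seen[uid] " and " name; bad++ }
            seen[uid] = name
        }

        # 5. an empty shell field does not block login: login(1) then runs
        #    /bin/sh. Use /sbin/nologin or /bin/false for no-login accounts.
        if (shell == "") { print "line " NR ": " name " has an empty shell field (login gets /bin/sh)"; bad++ }
        if (home == "") { print "line " NR ": " name " has an empty home directory field"; bad++ }
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# Same check, but prints only the number of findings and always exits 0.
count_passwd_findings() {
    check_passwd_records | wc -l | tr -d ' '
}

# Constructed sample, not a real system: root and bin are fine, every
# other record trips at least one check (7 findings in total).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
user001:x:600:100:user:/home/user001:/bin/bash
toor::0:0:second uid 0 account:/root:/bin/bash
user002:x:600:100:duplicate uid:/home/user002:/bin/bash
-user:x:601:100:bad name:/home/-user:/bin/bash
guest:x:602:100:empty shell:/home/guest:
short:x:603:100'

printf '%s\n' "$SAMPLE_PASSWD" | check_passwd_records || echo "passwd checks failed (see findings above)"
```

On a live system run it as 'getent passwd | sh passwd-check.sh' (the name is arbitrary); getent also covers accounts that come from NIS or LDAP rather than the local file, which is exactly where a stray UID-0 entry tends to hide.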
There will definitely be a need to add users in bulk at work.

Adding users one by one with useradd is not practical for a large batch, so we need a simpler way. Linux provides the newusers tool for creating many users at once; to use it:

Method One:

1) First edit a text file of users

Each line follows the format of /etc/passwd. Note that no two users may share a username, UID or home directory. Be aware that newusers takes the second field as the cleartext password and hashes it, so a placeholder such as "x" literally becomes the password until step 5 overwrites it; either run the steps in one go, or put the intended initial password in that field and skip steps 3 to 6. An example file user.txt, with the placeholder still in place:

user001:x:600:100:user:/home/user001:/bin/bash
user002:x:601:100:user:/home/user002:/bin/bash
user003:x:602:100:user:/home/user003:/bin/bash
user004:x:603:100:user:/home/user004:/bin/bash
user005:x:604:100:user:/home/user005:/bin/bash
user006:x:605:100:user:/home/user006:/bin/bash
user007:x:606:100:user:/home/user007:/bin/bash
user008:x:607:100:user:/home/user008:/bin/bash
user009:x:608:100:user:/home/user009:/bin/bash

2) As root, run /usr/sbin/newusers to import the data from the user file user.txt you just created and create the users

# newusers < user.txt

Then run vipw (or vi /etc/passwd) to check that /etc/passwd now contains records for those users, and that their home directories have been created.

3) Run /usr/sbin/pwunconv

This decodes the shadow passwords in /etc/shadow, writes them back into /etc/passwd and deletes the password field from /etc/shadow. It prepares for the password conversion in the next steps, i.e. it first switches the shadow password function off. While it is in effect every password hash sits in the world-readable /etc/passwd; on current systems chpasswd updates /etc/shadow directly, so steps 3 and 6 can be skipped.

# pwunconv

4) Edit a password file for the users, one "username:password" per line (passwd.txt):

user001:01
user002:02
user003:03
user004:04
user005:05

(the text after the colon is the password)

5) As root, run /usr/bin/chpasswd on that file

chpasswd hashes each password with crypt and writes it into the password field of /etc/passwd (or /etc/shadow if shadow passwords are enabled). Because the file holds cleartext passwords, keep it mode 0600 and delete it afterwards.

# chpasswd < passwd.txt

6) After confirming that the hashes have been written into the password field of /etc/passwd

Run /usr/sbin/pwconv to convert them to shadow passwords and write the result to /etc/shadow.

# pwconv
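The same batch procedure compressed into one step, as an added example that is not part of the original post: a POSIX shell script that builds the newusers input from a plain list of logins, relying on newusers hashing the cleartext in field 2 itself, so the pwunconv / chpasswd / pwconv round trip is unnecessary and no hash ever lands in /etc/passwd. The base UID 600 and GID 100 are taken from the example above; the function and file names, the "login:password" input format and the sample logins are my own choices for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build the input for newusers(8)
# from a plain list of logins and load it in one step. newusers hashes the
# cleartext in field 2 itself, so the pwunconv / chpasswd / pwconv round trip
# above is not needed and no hash ever sits in a world-readable /etc/passwd.
#
# Input on stdin, one account per line: "login" or "login:password".
# Accounts given without a password get a random 16-character one. Every
# login/password pair is written to the credentials file (mode 0600) for
# one-time hand-over to the users.

random_password() {
    # assumes /dev/urandom exists; LC_ALL=C keeps tr byte-oriented
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# make_newusers_lines BASE_UID GID CRED_FILE < logins > user.txt
# Prints one newusers record per valid login; invalid or duplicate logins
# and passwords containing ':' are reported on stderr and skipped.
make_newusers_lines() {
    uid=$1; gid=$2; cred=$3; seen=""
    : > "$cred" && chmod 600 "$cred"
    while IFS= read -r line; do
        login=${line%%:*}
        pw=${line#*:}
        [ "$pw" = "$line" ] && pw=""          # no colon: no password supplied
        case "$login" in
            ''|-*|+*|*[!A-Za-z0-9._-]*)
                echo "skipping invalid login '$login'" >&2; continue ;;
        esac
        case " $seen " in
            *" $login "*) echo "skipping duplicate login '$login'" >&2; continue ;;
        esac
        case "$pw" in
            *:*) echo "skipping '$login': password may not contain ':'" >&2; continue ;;
        esac
        seen="$seen $login"
        [ -z "$pw" ] && pw=$(random_password)
        # newusers input is the passwd format with the cleartext password in field 2
        printf '%s:%s:%d:%d:batch user:/home/%s:/bin/bash\n' "$login" "$pw" "$uid" "$gid" "$login"
        printf '%s:%s\n' "$login" "$pw" >> "$cred"
        uid=$((uid + 1))
    done
}

# Stand-alone demo on a constructed list (two valid logins, one duplicate,
# one invalid). Only with "--apply", run as root, is the file fed to newusers.
if [ "${1:-}" = "--demo" ] || [ "${1:-}" = "--apply" ]; then
    cred=$(mktemp) && userfile=$(mktemp)
    printf 'user001:s3cret-for-test\nuser002\nuser001\n-bad\n' \
        | make_newusers_lines 600 100 "$cred" > "$userfile"
    cat "$userfile"
    if [ "$1" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
        newusers < "$userfile" && echo "accounts created; credentials in $cred"
    fi
    rm -f "$userfile"
fi
```

Run 'sh batch-users.sh --demo' to see the generated records (the script name is arbitrary). In real use, pair newusers with 'passwd -e' (or 'chage -d 0') for each new login so the handed-out initial password has to be changed at first login, and shred the credentials file once it has been distributed.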
Method Two: use a script to add them in bulk. The script is as follows:

#!/bin/bash
# Batch add users from the file users.list
for username in $(cat users.list)
do
  if [ -n "$username" ]      # quote it: with an unquoted empty variable the test is always true
  then
    useradd -m "$username"
    # passwd --stdin is Red Hat specific; elsewhere use:  echo "$username:${username}123" | chpasswd
    echo "${username}123" | passwd --stdin "$username"
    echo "User $username's password is changed!"
  else
    echo "The username is null"
  fi
done

The users.list file contains:

King

One

Both

As the script shows, each user's initial password is "username + 123" and can be changed as needed. A predictable initial password like this should be combined with 'passwd -e username' so that the user is forced to change it at the first login.

The summary above is largely repeated from others; advice from more experienced readers is welcome. Reference: Alexia's blog.

