Detailed beyond belief: one article to clear up the relationship between Linux users and user groups ~

Source: Internet
Author: User
Tags md5 encryption

Referenced from: https://mp.weixin.qq.com/s/Fl8ZjaUQuLDx7jbgM-1T5w

1. User and user group files

In Linux, user accounts, user passwords, user group information, and user group passwords are stored in different configuration files.


In a Linux system, the user accounts that have been created and their associated information (except passwords) are stored in the /etc/passwd configuration file. Because every user has read permission on the passwd file, password information is not kept there; it is saved in the /etc/shadow configuration file instead.


In the passwd file, each line defines one user account. A line consists of several fields separated by ":", and each field holds one piece of information about that account.


On a freshly installed Linux system, the passwd file already contains many accounts. These are created automatically by the system and are used by Linux processes or service programs. The last field of these accounts is usually /sbin/nologin, which indicates that the account cannot be used to log on to the Linux system.


The fields of a passwd line, from left to right, are: user name, password placeholder, UID, GID, comment (description), home directory, and login shell.

Because passwd no longer stores password information, the password field holds an "x" placeholder.


To make a user account unable to log on to Linux, simply set the shell used by that user to /sbin/nologin. For example, an FTP account is generally only allowed to log in to and access the FTP server, not to log on to the Linux operating system. To deny a user Telnet access, that is, to prevent the user from logging on to the Linux operating system over telnet, set the user's shell to /bin/true. To deny a user both Telnet and FTP login rights, set the user's shell to /bin/false.


If /bin/true or /bin/false is not listed in the /etc/shells file, add it manually:
[root@localhost ~]# echo "/bin/false" >> /etc/shells
[root@localhost ~]# echo "/bin/true" >> /etc/shells

2. User password file

For security, the user's real password is stored as an MD5 hash (the MD5 crypt algorithm) in the /etc/shadow configuration file, which only the root user can read.


Like the passwd file, the shadow file defines and stores one account per line. The first field is the user account name and the second field is the account's (hashed) password.

3. User group account file


User group account information is stored in the /etc/group configuration file, which any user can read. The real password of a user group is stored in the /etc/gshadow configuration file.


In group, the first field is the name of the user group, the second is the "x" placeholder, the third is the ID number (GID) of the user group, and the fourth is the list of user members of that group, separated by commas.

4. Add Users


Create (add) a new user with the useradd command, whose usage is:

useradd [options] username

This command has many options; the commonly used ones are:
-c comment       set the comment (description) text for the account
-d home_dir      specify the home directory, replacing the default /home/username
-m               create the home directory if it does not exist; -r combined with -m creates a home directory for a system account
-M               do not create a home directory
-e date          specify the date on which the account expires; the date format is MM/DD/YY
-f days          number of days after the password expires until the account is permanently disabled; 0 disables the account immediately on expiry, -1 turns this feature off
-g group         specify the (primary) user group the user joins; the group must already exist
-G grouplist     specify the list of additional user groups the user joins, separated by commas
-n               do not create a private user group for the user
-s shell         specify the shell used when the user logs on; the default is /bin/bash
-r               create a system account, whose user ID is less than 500 and which gets no home directory by default
-u uid           manually specify the ID value of the new user; it must be unique and greater than 499
-p password      specify the login password of the new user. The value given here is the MD5-encrypted form of the password, not the plain-text password, so in practice this option is rarely used; the passwd command is normally run separately to set the login password.

Example:


To create a user named nisj as a member of the babyfish user group, the command is:
[root@localhost ~]# useradd -g babyfish nisj
[root@localhost ~]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost ~]# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash

When adding a user, if no user group is specified with the -g option, a private user group with the same name as the user account is created automatically by default. If you do not want this private user group to be created, use the -n option.
For example, adding an account named nsj820 without specifying a user group gives the following result:
[root@localhost ~]# useradd nsj820
[root@localhost ~]# id nsj820
uid=503(nsj820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj820:x:503:503::/home/nsj820:/bin/bash
[root@localhost ~]# tail -2 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
nsj820:x:503:503::/home/nsj820:/bin/bash    # the system automatically created a user group named nsj820 with GID 503


When a user account is created, the system automatically creates the user's home directory, which is placed under /home by default; to change its location, specify it with the -d option. The shell used when the user logs on defaults to /bin/bash, and the -s option is used to specify a different one.

For example, to create an account named vodup with its home directory under /var and /sbin/nologin as its login shell, the command is:

[root@localhost ~]# useradd -d /var/vodup -s /sbin/nologin vodup
[root@localhost ~]# id vodup
uid=504(vodup) gid=504(vodup) groups=504(vodup)
[root@localhost ~]# tail -1 /etc/passwd
vodup:x:504:504::/var/vodup:/sbin/nologin
[root@localhost ~]# tail -1 /etc/group
vodup:x:504:

5. Set Account Attributes


For an existing user, the usermod command modifies and sets the account's properties, including the login name, home directory, user group, login shell and so on. Its usage is:

usermod [options] username

Some of the options are described below.


(1) Change the user account name

This is done with the -l option; the usage is:
usermod -l new_username old_username

For example, to rename the user nsj820 to nsj0820, the command is:
[root@localhost ~]# usermod -l nsj0820 nsj820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj820:/bin/bash

The output shows that the user name has been changed to nsj0820. The home directory is still the original /home/nsj820; to change it to /home/nsj0820, run the following commands:
[root@localhost ~]# usermod -d /home/nsj0820 nsj0820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj0820:/bin/bash
[root@localhost home]# mv /home/nsj820 /home/nsj0820

(2) Lock account


To temporarily prevent a user from logging in, you can lock the user account. This is done with the -L option; the usage is:

usermod -L account_to_lock

Linux locks the user by prefixing the password field of that user's entry in the shadow file with "!", which marks the user as locked.

[root@localhost home]# usermod -L nsj0820
[root@localhost home]# tail -1 /etc/shadow
nsj0820:!$1$jew25rtu$x9kidwji/hpzskmve3ek30:16910:0:99999:7:::

However, it is still possible to log in as root and then su to the locked user.

(3) Unlocking an account


To unlock an account, use the usermod command with the -U option.

[root@localhost ~]# usermod -U nsj0820
[root@localhost ~]# tail -1 /etc/shadow
nsj0820:$1$jew25rtu$x9kidwji/hpzskmve3ek30:16910:0:99999:7:::

6. Delete Account

To delete an account, use the userdel command, whose usage is:
userdel [-r] account_name

-r is optional; if it is given, the account's home directory is deleted together with the account.

[root@localhost ~]# userdel -r nsj0820

To set when all user account passwords expire, modify the value of the PASS_MAX_DAYS configuration item in the /etc/login.defs file; it defaults to 99999, which means that account passwords never expire. The PASS_MIN_LEN configuration item in the same file specifies the minimum length of an account password, which defaults to 5 characters.

7. Set User Login password


Passwords are set with the passwd command, whose usage is:
passwd [account_name]
If an account name is given, the login password of that account is set and any existing password is overwritten. Only the root user may set the password of a specified account; ordinary users can only set or change their own account password (by running passwd without arguments).

For example, to set the login password of the nisj account, the command is:
[root@localhost home]# passwd nisj
Changing password for user nisj.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Once the account's login password is set, the account can log in to the system.

8. Lock/Unlock account password and check password status, delete account password


In Linux, besides locking the user account itself, the account's password can also be locked; if either is locked, the user cannot log on to the system. Only the root user may run this command. The account password is locked with the passwd command and the -l option, and unlocked with -u; the usage is:

passwd -l account_name    # lock the account password
passwd -u account_name    # unlock the account password

[root@localhost home]# passwd -l nisj
Locking password for user nisj.
passwd: Success
[root@localhost home]# passwd -u nisj
Unlocking password for user nisj.
passwd: Success

To query whether an account's password is locked, use the passwd command with the -S option; the usage is:
passwd -S account_name
For example:
[root@localhost home]# passwd -S nisj
nisj PS 2016-04-18 0 99999 7 -1 (Password set, MD5 crypt.)

To remove an account's password, use the passwd command with the -d option, which only the root user may use; the usage is:
passwd -d account_name
After the account's password is deleted, that account cannot log on to the system until the password is set again.

9. Create a user group


Users and user groups have a many-to-many relationship: one user can belong to several user groups at the same time, and one user group can contain several different users.

A user group is created with the groupadd command, whose usage is:
groupadd [-r] group_name

If the -r option is given, a system user group is created, whose GID is less than 500; without -r, an ordinary user group is created with a GID greater than or equal to 500.

10. Modify User Group Properties

Once a user group has been created, its properties can be modified as needed. Modifying user group properties mainly means changing the group's name and its GID value.
(1) Change the name of the user group
To rename a user group, use the groupmod command with the -n option; the usage is:
groupmod -n new_group_name old_group_name

Renaming a user group does not change its GID.

For example, to rename the student user group to teacher, the commands are:
[root@localhost home]# groupadd student
[root@localhost home]# tail -1 /etc/group
student:x:505:
[root@localhost home]# groupmod -n teacher student
[root@localhost home]# tail -1 /etc/group
teacher:x:505:


(2) Reset the GID of the user group
The GID of a user group can be reset, but it must not duplicate the GID of an existing user group. Changing the GID does not change the group's name.

To modify the GID of a user group, use the groupmod command with the -g option; the usage is:
groupmod -g new_gid group_name

For example, to change the GID of the teacher group to 506, the command is:
[root@localhost home]# groupmod -g 506 teacher
[root@localhost home]# tail -1 /etc/group
teacher:x:506:

11. Delete User Groups


A user group is deleted with the groupdel command, whose usage is:
groupdel group_name

The group being deleted must not be the private user group of any account, otherwise it cannot be deleted; to delete such a group, first delete the account that uses it as its private group, then delete the group.

[root@localhost home]# groupdel teacher
[root@localhost ~]# grep teacher /etc/group    # no output, so the teacher user group no longer exists and the deletion succeeded

12. Add a user to a specified group/remove a user from a specified group


You can add a user to a specified group so that it becomes a member of that group. The command is:
gpasswd -a user_account group_name

To remove a user from a user group, the command is:
gpasswd -d user_account group_name
For example:
[root@localhost home]# groupadd student
[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish),505(student)
[root@localhost home]# gpasswd -d nisj student
Removing user nisj from group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost home]# groups nisj
nisj : babyfish

13. Set up user group Administrator


Adding a user to a group and removing a user from a group can be done by the group's administrator as well as by the root user.

To designate a user as the administrator of a user group, use the following command:

gpasswd -A user_account group_to_be_managed
Function: sets the specified user as the administrator of the specified user group. A group administrator can only manage the group for which they were authorised (add users to it or remove users from it) and has no permission to manage other user groups.

[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# gpasswd -A nisj student
[root@localhost home]# useradd stu
[root@localhost home]# gpasswd -a stu student
Adding user stu to group student
[root@localhost home]# groups stu
stu : stu student
[root@localhost home]# su - nisj
[nisj@localhost ~]$ gpasswd -d stu student
Removing user stu from group student
[nisj@localhost ~]$ gpasswd -d stu stu
gpasswd: Permission denied.

14. Other relevant users


Linux also provides commands such as id, whoami and groups to view the status of users and groups. id displays the current user's UID, GID and the list of groups the user belongs to; whoami shows the name of the current user; groups lists the user groups a specified user belongs to.


Users and user groups can also be managed through the graphical interface: System -> Administration -> Users and Groups opens the corresponding configuration dialog.

Appendix: another way to add a user to a group
To add a user to a user group, never use this directly:
usermod -G groupA user
Doing so removes the user from all other user groups, leaving it a member of groupA only.
Add the -a option instead:
usermod -a -G groupA user
(on FC4: usermod -G groupA,groupB,groupC user)
-a means append: the user is added to groupA without leaving its other user groups.

