Account Management for Linux

Source: Internet
Author: User
Tags: stdin

User identifiers: UID and GID

When we log in to a Linux system we enter an account name, but the computer only understands numbers, so Linux does not identify us by the account name directly but by an ID. Each logged-in user receives at least two IDs: a user ID (UID) and a group ID (GID). Files record the UID and GID, and these decide the file's owner and owning group. When the file's properties are displayed, the OS maps the UID/GID back to the account name and group name using the contents of /etc/passwd and /etc/group.

When logging in to Linux, we enter the account and password at the login prompt. The system looks up the account in /etc/passwd and /etc/group and reads out the corresponding UID and GID, together with the account's home directory and shell settings. It then checks the password: Linux goes into /etc/shadow, finds the entry for that account, and verifies that the password matches. If all of this is correct, the login succeeds and the user enters the shell.

Four configuration files are related to UIDs and GIDs:

/etc/passwd: stores users and their attributes (name, UID, primary group ID, etc.)

/etc/shadow: stores user passwords and the properties associated with them

/etc/group: stores groups and their attributes

/etc/gshadow: stores group passwords and their attributes


/etc/passwd file structure


Each line of this file is one account, so the number of lines is the number of accounts in the system. Lines cannot be deleted arbitrarily, because many of these accounts are required for the system to run; these are the system accounts.

/etc/passwd holds user-related information. Each line has seven colon-separated fields (1 to 7):

username:x:UID:GID:GECOS:directory:shell

The x in field 2 is where the password used to be stored. Because /etc/passwd is readable by every program, keeping passwords there is a security risk, so the password now lives in /etc/shadow and only an x is shown here.


UID is the user identifier. Its value falls into fixed ranges: 0 is the system administrator (root), and there is only this one. On CentOS 6, 1~499 is the ID range of system accounts and 500~ is for ordinary users; on CentOS 7, 1~999 is for system accounts, which generally cannot log in, and 1000~ is for normal user accounts, which can log in.


GECOS: the user's descriptive information, such as the full name or a comment

Directory: the user's home directory

Shell: the user's login shell


/etc/shadow file structure


Each line has nine colon-separated fields, 1:2:3:4:5:6:7:8:9:

1 Username

2 Encrypted password. The password is stored in encrypted form, and for a given encoding scheme the encrypted string has a fixed length, so altering the length of this field makes the password temporarily invalid.

3 Date of last password change: the time the password was most recently updated, counted from January 1, 1970; the unit given here is S.

4 Minimum password age: the number of days during which the password cannot be changed

5 Maximum password age: the number of days after which the password must be changed again

6 Password warning period: the number of days before the deadline on which the user is warned to change the password

7 Password inactive period: the number of days after the password expires (password expiration date)

8 Account expiration date: the date on which the account expires

9 Reserved

An ordinary user's password can be changed and reset directly from the root account.

To query the encryption algorithm: authconfig --test | grep hashing


Effective and initial user groups: groups, newgrp


/etc/group file structure

group_name:password:GID:user_list

To add a user to a group, simply append the account name to user_list at the end of the line.

Password: generally does not need to be set; like the user password it has been moved to /etc/gshadow, and an x is shown here as well.

user_list: the account names that belong to this group

If we belong to more than one user group at the same time, which group is used when we perform an operation?


Effective user group (effective group) and initial user group (initial group)

To switch users or run a command as another user: su

su [options...] [-] [[user] args...]

How to switch users:

su username: non-login switch; does not read the target user's configuration files

su - username: login switch; reads the user's configuration files and switches completely

groups: view the effective group and the supported groups

When the command runs, the first group shown is the effective group

newgrp: switch the effective group

The group you switch to must already be one of the groups the user belongs to
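To make the initial/effective group distinction concrete, here is an added example (not code from the original post) that derives a user's group list from constructed /etc/passwd and /etc/group lines, the way `groups` prints it with the initial group first, and checks whether newgrp can switch to a given group:

```python
# Added example (not from the original post): derive a user's initial and
# supplementary groups from constructed /etc/passwd and /etc/group lines,
# i.e. what `groups user` prints (initial group first), and whether newgrp
# may switch the effective group to a given one.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
gentoo:x:1001:1001:Gentoo distribution:/home/gentoo:/bin/csh
alice:x:1002:100::/home/alice:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:gentoo
bin:x:1:gentoo
users:x:100:
wheel:x:10:alice
gentoo:x:1001:
"""

def parse_passwd(text):
    """username -> (uid, gid) from passwd-format lines (7 colon fields)."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _x, uid, gid, _gecos, _home, _shell = line.split(":", 6)
            users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """gid -> group name, and group name -> set of user_list members."""
    names, members = {}, {}
    for line in text.splitlines():
        if line:
            gname, _x, gid, user_list = line.split(":", 3)
            names[int(gid)] = gname
            members[gname] = set(filter(None, user_list.split(",")))
    return names, members

def user_groups(user, passwd_text=PASSWD_SAMPLE, group_text=GROUP_SAMPLE):
    """[initial group, supplementary groups...], like the `groups` command."""
    _uid, gid = parse_passwd(passwd_text)[user]
    gid_names, members = parse_group(group_text)
    initial = gid_names[gid]          # from the passwd GID field, not user_list
    extra = sorted(g for g, m in members.items() if user in m and g != initial)
    return [initial] + extra

def can_newgrp(user, group, **files):
    """newgrp without a group password only works for groups the user is in."""
    return group in user_groups(user, **files)
```

Note that the initial group comes from the GID field of /etc/passwd and need not appear in that group's user_list, which is why `parse_group` and `parse_passwd` are both consulted.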

/etc/gshadow file structure

group_name:password:group_administrators:members

If the password column starts with !, the group has no valid password and therefore no group administrator


Account Management

Creating and deleting users: useradd, its related configuration files, passwd, usermod, userdel

useradd: create a new user or update the default new-user information

useradd [options] LOGIN

useradd -D [options]: show or update the defaults for new users

Options

-u UID: the UID; the range [UID_MIN, UID_MAX] is defined in /etc/login.defs

-o: used with -u, do not check UID uniqueness

-g GID: the user's primary (basic) group, given as a group name or a GID

-c "COMMENT": the user's comment information

-d HOME_DIR: home directory at the specified path (which must not already exist)

-s SHELL: the user's default shell; the available shells are listed in /etc/shells

-G group1[,group2,...]: additional groups for the user; the groups must already exist

-N: do not create a private group as the primary group; use the users group as the primary group

-r: create a system user (CentOS 6: id<500, CentOS 7: id<1000)

-m: force creation of the user's home directory (default for general accounts)

-M: force no home directory to be created (default for system accounts)

-f: sets the seventh field of /etc/shadow, the number of days after which an expired password becomes invalid; 0 invalidates it immediately, -1 means it never becomes invalid

When a user is created, useradd does the following:

Creates a line of account data in /etc/passwd, including the UID, GID, home directory and so on

Fills in the account's password-related parameters in /etc/shadow, but sets no password yet

Adds a group with the same name as the account to /etc/group

Creates a directory with the same name as the username under /home as the user's home directory

NOTE: because system accounts exist mainly to run the services the system needs and to hold their permissions, no home directory is created for a system account by default.

Practice:

Create the user gentoo, with additional groups bin and root, default shell /bin/csh, and the comment "Gentoo distribution":

useradd -G bin,root -s /bin/csh -c "Gentoo distribution" gentoo

Result: (screenshot: Create user Gentoo.png)

When we create a user, the system applies default properties and reference files for us; useradd -D shows them. (screenshot: useradd -D.png)

These defaults actually come from the /etc/default/useradd file, which can be modified with a text editor.

From the above you can see that the system's default initial GID for new users is 100, but on CentOS the default is that the user's group has the same name as the account.


passwd: update a user's authentication tokens

Usage: passwd [-k] [-l] [-u [-f]] [-d] [-e] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]

Options

-l: lock the specified user

-u: unlock the specified user

-S: list the password-related parameters, i.e. most of the information in the shadow file

-e: force the user to change the password at the next login

-n mindays: the minimum password age

-x maxdays: the maximum password age

-w warndays: how many days in advance to start warning

-i inactivedays: the inactive period

--stdin: read the user's password from standard input:

echo "PASSWORD" | passwd --stdin username
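Tying the /etc/shadow fields above to what passwd -S reports, here is an added example (not code from the original post) that parses constructed /etc/passwd and /etc/shadow lines and computes each account's lock and password-age status; the hashes and day numbers are constructed, and the example relies on the fact that shadow fields 3 to 8 are counted in days, field 3 being days since 1970-01-01:

```python
# Added example (not from the original post): parse constructed /etc/passwd and
# /etc/shadow lines and derive what `passwd -S` / `chage -l` report from the
# shadow fields described above. Fields 3-8 count DAYS (field 3: days since 1970-01-01).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
gentoo:x:1001:1001:Gentoo distribution:/home/gentoo:/bin/csh
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$constructed$hash:19700:0:99999:7:::
sshd:!!:19700::::::
gentoo:!!:19700:0:99999:7:::
bob:$6$constructed$hash:19600:0:90:7:14::
carol:$6$constructed$hash:19650:0:90:35::19705:
"""  # constructed hashes; a real field 2 looks like $6$<salt>$<sha512>
SYSTEM_UID_MAX = 999  # CentOS 7 rule from the text (CentOS 6: 499)

def parse_colon_file(text, nfields):
    """username -> list of fields, as in /etc/passwd (7) or /etc/shadow (9)."""
    return {f[0]: f for f in (line.split(":", nfields - 1)
                              for line in text.splitlines() if line)}

def account_status(user, today, passwd_text=PASSWD_SAMPLE, shadow_text=SHADOW_SAMPLE):
    """today = day number since 1970-01-01, i.e. int(time.time() // 86400)."""
    uid = int(parse_colon_file(passwd_text, 7)[user][2])
    s = parse_colon_file(shadow_text, 9)[user]
    def days(x): return int(x) if x else None   # empty field = not set
    pw, last, maxage, warn = s[1], days(s[2]), days(s[4]), days(s[5]) or 0
    inactive, expire = days(s[6]), days(s[7])
    kind = "root" if uid == 0 else "system" if uid <= SYSTEM_UID_MAX else "normal"
    # Field 2: empty = no password asked; '!'/'*' prefix = locked (passwd -l,
    # or the '!!' useradd leaves until passwd sets one); anything else = hash.
    pw_kind = "empty" if pw == "" else "locked" if pw[0] in "!*" else "set"
    state = "ok"
    if last == 0:                              # passwd -e sets this to 0
        state = "must_change"
    elif last is not None and maxage is not None:
        deadline = last + maxage
        if today > deadline:
            state = "expired"
            if inactive is not None and today > deadline + inactive:
                state = "inactive"             # login refused until root resets
        elif deadline - today <= warn:
            state = "warning"
    return {"uid": uid, "kind": kind, "password": pw_kind, "state": state,
            "account_expired": expire is not None and today >= expire}
```

Run against the real files (as root, since /etc/shadow is not world-readable) with today's day number, this is the check behind auditing for accounts that were created with useradd but never given a password, and for passwords past their maximum age.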



To be continued


