User and user group management under Linux

/etc/passwd

'/etc/passwd ' is divided into 7 fields by ': ', and the specific meaning of each field is:

1) User name. The user name character can be uppercase and lowercase letters, numbers, minus signs (not appearing in the first place), dots, and underscores, and other characters are illegal. Although the user name can appear in the point, but not recommended, especially the first point, the other minus is also not recommended, because it is easy to cause confusion.

2) The password of the account is stored, why is ' x '? The early Unix system password was actually stored here, but based on security factors, it was later stored in '/etc/shadow ', where only one ' x ' was used instead.

3) This number represents the user identification number, also called the UID. The system identifies the user identity is through this number, 0 is root, that is, you can modify the test user uid is 0, then the system will consider root and test for the same account. Usually the value of the UID range is 0~65535 (but actually can be supported to 4294967294), 0 is the Super User (root) identification number, 1~499 reserved by the system, as a management account, the ordinary user's identification number starting from 500, if we customize the establishment of a normal user, You will see that the identification number of the account is greater than or equal to 500.

4) Represents the group identification number, also called GID. This field corresponds to a record in/etc/group, in fact/etc/group and/etc/passwd are basically similar.

5) Note that the field does not make sense and typically records some of the user's attributes, such as name, phone, address, and so on. However, this information is displayed when you use the Finger feature (described later).

6) The user's home directory, which is in this directory when the user logs in. Root home directory is/root, the normal user's home directory is/home/username, this field can be customized, such as you create a general user test1, want to let Test1 home directory in/data directory, as long as modify/etc/ This field in the Test1 line in the passwd file is/data.

7) shell, the user log in to start a process to the user issued instructions to the kernel, this is the shell. The Linux shell has many kinds of sh, csh, ksh, tcsh, bash, and so on, while Redhat/centos's shell is bash. View the/etc/passwd file, which has more than/bin/bash in addition to/sbin/nologin, which indicates that the account is not allowed to log on. If you want to create an account to not let him log in, then you can change the field to/sbin/nologin, the default is/bin/bash.

/etc/shadow

The meaning of each field is:

1) User name, corresponding to/etc/passwd.

2) User password, this is the real password of the account, but this password has been encrypted, but some hackers can be decrypted. Therefore, the file property is set to 000, but the root account can be accessed or changed.

[[email protected] ~]# ls-l/etc/shadow----------1 root root 719 May  09:02/etc/shadow

3) The date the password was last changed, this number is calculated from January 1, 1970 to the date the password was last changed, such as the last time the password was changed to January 1, 2012, then this value is ' 365 x (2012-1970) + (2012-1970)/4 + 1 = 15341 '. Because if it is a leap year, there are 366 days.

4) How many geniuses can change the password, the default is 0, that is, unlimited.

5) The password expires after a few days. That is, the number of days you must change the password, for example, set to 30, you must change the password within 30 days, otherwise you will not be able to log on to the system, the default is 99999, it can be understood that never need to change.

6) The warning period before expiration of the password, if the value is set to 7, indicates that when the password expires after 7 days, the system warns the user that his password will expire after 7 days.

7) Expiration date of the account. You can understand that if you set this value to 3, it means: the password has expired, but the user did not change the password before expiry, then after 3 days, then the account is invalid, that is locked.

8) The life cycle of the account, as in the third paragraph, is calculated by the number of days from January 1, 1970. It means that the account can be used before this date, and the account will expire after expiration.

9) as a reserved use, no meaning.

Groupadd

-G GID for the specified group

Add a group

Groupdel

Delete a group

Useradd

-U Specify UID

-G Specify GID

-M do not set up home directory

-S Specify custom shell

Userdel

-R Delete User's home directory while deleting

passwd

mkpasswd

The generated random string can be used as a password

Installing yum-y install expect before use

Su

Command su

Syntax: su [-] username

Can be followed with '-' can also not, ordinary users su username is to switch to the root user, of course, the root user can also su to ordinary users. '-' The function of this character is, plus will initialize the current user's various environment variables, about the environment variables this part of the content Amin in the following chapters. The following Amin do a simple experiment to illustrate the difference between adding and not adding '-':

[[email protected] ~]$ pwd/home/test[[email protected] ~]$ su Password: [[email protected] test]# Pwd/home/test[[email protected ] test]# exitexit[[email protected] ~]$ Su-password: [[email protected] ~]# Pwd/root

If you do not add '-' to the root account, the current directory does not change, plus '-' after switching to the root account, the current directory is the root account of the home directory, which is the same as the direct login root account. When you use root to switch to a normal user, you do not need to enter a password. This also embodies the supremacy of the root user rights.

Command: sudo

Sudo

Command: sudo

With Su is able to switch user identity, if every ordinary user can switch to root identity, if a user accidentally leaked the root password, it is not very insecure system? No mistake, in order to improve this problem, yielded the sudo command. A command that executes a root with sudo can be done, but requires a password that is not the root password but the user's own password. By default only the root user can use the sudo command, the normal user wants to use sudo, which requires root pre-set, that is, using the visudo command to edit the relevant configuration file/etc/sudoers. If this command is not Visudo, use yum install- y sudo installation.

The default root is sudo because there is a line in this file, "root all= (All)," and adding "Test all= (All") under that line will give the test user the right to sudo. Use the "Visudo" command to edit the/etc/sudoers configuration file, in fact, its operation method and the previous Amin described in the "VI" command using the same method, press ' I ' into the editing mode, after editing, press "ESC", and then enter ": Wq" to complete the save.

# allow ROOT to run any commands anywhereroot    all= (All)       alltest    all= (All)       all

You can verify the permissions on the test account at this point.

[[email protected] ~]# su test[[email protected] root]$ Lsls: Unable to open Directory.: Insufficient permissions [[email protected] root]$ sudo lswe trust you H Ave received the usual lecture from the local systemadministrator. It usually boils down to these three things:    #1) Respect the privacy of others.    #2) Think before you type.    #3) with great power comes great responsibility. [sudo] password for test:123  456  789  anaconda-ks.cfg  dirb  install.log  install.log.syslog  test  test1  test2  test3

Because the current directory after switching to the test account is still under/root, the test account does not have any permissions, so ' ls ' when prompted to say that the permissions are not enough, however, using sudo ls to enter the test account's own password after the permission. The first time you use sudo, you'll get a big tip, and then use the sudo command again to stop prompting.

If you set one line for each additional user, this is too > annoying. So you can set this up. Remove the ' # ' in front of ' #%wheel all= (All) ' and let this line take effect. It means that all users of the wheel group have the right to sudo. Next you need to add all users who want sudo rights to the wheel group.

# # allows people in group wheel-run all Commands%wheel  all=       

The configuration file/etc/sudoers contains many configuration items, and you can use the command man sudoers to get help information. The following Amin introduces a very practical case, our requirement is to set up the Linux server as such: only allow the use of ordinary account login, and the ordinary account login, you can not enter the password will be able to sudo switch to the root account. Below but the configuration of Amin:

[Email protected] ~]# Visudo

Then add three lines to the last side of the file:

User_alias user_su = Test, test1, Amingcmnd_alias SU =/bin/suuser_su all= (All) nopasswd:su

After saving the configuration file, using Test, Test1, aming three accounts after logging on to Linux, execute command sudo su - switch to the root account and get all the rights of the root account.

[[email protected] ~]# su-test[[email protected] ~]$ sudo su-[[email protected] ~]# whoamiroot

Instead of allowing root to log in directly, this simple, set up a very complicated password that you can't even remember. However, there is also a problem, that is, ordinary users can su to root, and then he can modify the simple password to direct root login, right? Indeed there is this problem, in fact, there is a better way Amin, will be introduced in the Extended Learning section later.

Password Logging tool KeePass to save passwords

User and user group management under Linux