Linux User Management

Source: Internet
Author: User

Linux User and User group management

A Linux system is a multi-user, multi-tasking, time-sharing system: any user who wants to use system resources must first request an account from the system administrator and then enter the system under that account.

On the one hand, user accounts help the system administrator track who uses the system and control their access to system resources; on the other hand, they help users organize their files and provide security protection for them.

Each user account has a unique user name and a separate password.

When a user types the correct user name and password at login, they enter the system and land in their home directory.

To achieve the management of user accounts, the main tasks to be completed are as follows:

    • Add, delete and modify user accounts.
    • Management of user passwords.
    • Management of user groups.
I. Management of Linux system user accounts

The management of user accounts mainly involves the addition, modification and deletion of user accounts.

Adding a user account means creating a new account in the system and assigning it a user ID, a user group, a home directory and a login shell. A freshly added account is locked and cannot be used until it has been given a password.

1. Add a new user account with the useradd command. The syntax is as follows:

useradd [options] username

Options

Option  Description
-c <comment>  Add comment text; it is saved in the comment field of /etc/passwd.
-d <home directory>  Specify the user's login (home) directory.
-D  Change the default values used for new accounts.
-e <expiry date>  Specify the date on which the account expires.
-f <inactive days>  Specify the number of days after the password expires until the account is disabled.
-g <group>  Specify the user's primary group.
-G <groups>  Specify the additional groups the user belongs to.
-m  Create the user's home directory automatically.
-M  Do not create the user's home directory.
-N  Do not create a group named after the user.
-r  Create a system account.
-s <shell>  Specify the shell used when the user logs in.
-u <uid>  Specify the user ID.

Example 1

# useradd -d /usr/sam -m sam

This command creates a user sam; the -d and -m options create the home directory /usr/sam for sam (/usr is the parent directory under which the default user home directories reside).

Example 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates a new user gem whose login shell is /bin/sh. The user belongs to the group named group, and additionally to the adm and root groups; group is its primary group.

The groups must already exist; if needed, create them first with # groupadd group and # groupadd adm.

Adding a user account adds a record for the new user to the /etc/passwd file and updates other system files such as /etc/shadow and /etc/group.

Linux provides an integrated system management tool, userconf, which can be used to manage user accounts uniformly.

2. Delete Account

If a user's account is no longer in use, it can be removed from the system. Deleting a user account means deleting the user's record from system files such as /etc/passwd and, if necessary, deleting the user's home directory.

Delete an existing user account with the userdel command, in the following format:

userdel [options] username

Options

Option  Description
-f  Force deletion of the user even if the user is currently logged in.
-r  Delete the user's home directory and all other files associated with the user along with the account.

Note: do not use the -r option lightly; it deletes all of the user's files and directories. If there are important files in the user's home directory, back them up before deleting.

There is in fact a simpler way, but it is somewhat unsafe: delete the user's record directly from /etc/passwd. It is best not to do this, because /etc/passwd is a very important file and a slip while editing it can break the system.

3. Modify the account

Modifying a user account means changing its attributes according to actual needs, such as the user ID, home directory, user group, login shell and so on.

Modify information for an existing user with the usermod command, in the following format:

usermod [options] username

Options

Option  Description
-c <comment>  Modify the user account's comment text.
-d <home directory>  Modify the user's login directory.
-e <expiry date>  Modify the account's expiration date.
-f <inactive days>  Modify the number of days after the password expires until the account is disabled.
-g <group>  Modify the user's primary group.
-G <groups>  Modify the additional groups the user belongs to.
-l <account name>  Modify the user account name.
-L  Lock the user's password so that it cannot be used.
-s <shell>  Modify the shell used when the user logs in.
-u <uid>  Modify the user ID.
-U  Unlock the password.

Instance

Rename the user newuser to newuser1:

usermod -l newuser1 newuser

4. User password management

An important part of user management is password management. A user account that has just been created has no password and is locked by the system; it cannot be used until a password has been assigned, even if the assigned password is blank.

The shell command for setting and changing a user's password is passwd. The superuser can set a password for himself and for any other user; a normal user can only use it to change his or her own password. The format of the command is:

passwd [options] username

Options

Option  Description
-d  Delete the password; only the system administrator can use this.
-f  Force the operation.
-k  Only update the password if it has expired (keep authentication tokens that have not expired).
-l  Lock the password.
-S  List password status information; only the system administrator can use this.
-u  Unlock a locked account.

Instance

If an ordinary user runs passwd, he can only change his own password. To set a password for a newly created user, run passwd with the user name as its argument; note that this must be done with root privileges.

[[email protected] ~]# passwd linuxde    // change or create the password of user linuxde
Changing password for user linuxde.
New UNIX password:          // enter the new password
Retype new UNIX password:   // enter it again
passwd: all authentication tokens updated successfully. // success

If a normal user wants to change his own password, run passwd with no arguments; for example, when the current user is linuxde:

[[email protected] ~]$ passwd
Changing password for user linuxde. // change the password of user linuxde
(current) UNIX password:   // enter the current password
New UNIX password:         // enter the new password
Retype new UNIX password:  // confirm the new password
passwd: all authentication tokens updated successfully. // changed successfully

For example, to prevent a user from changing the password, lock it with the -l option:

[[email protected] ~]# passwd -l linuxde    // lock user linuxde so the password cannot be changed
Locking password for user linuxde.
passwd: Success           // locked successfully
[[email protected] ~]# su linuxde   // switch to user linuxde with su
[[email protected] ~]$ passwd      // linuxde tries to change the password
Changing password for user linuxde.
Changing password for linuxde
(current) UNIX password:          // enter linuxde's current password
passwd: Authentication token manipulation error     // fails: the password cannot be changed

One more example:

[[email protected] ~]# passwd -d linuxde  // clear the password of user linuxde
Removing password for user linuxde.
passwd: Success                         // cleared successfully
[[email protected] ~]# passwd -S linuxde    // query the password status of user linuxde
Empty password.                         // empty password, i.e. no password at all

Note: once a user's password has been cleared, no password is needed to log in as that user.

II. Management of Linux system user groups

Every user belongs to a user group, and the system can manage all users of a group centrally. Different Linux systems provide different sets of user groups; on Linux, each user belongs to a user group with the same name as the user, which is created at the same time as the user.

The management of user groups involves adding, deleting and modifying user groups. Adding, deleting or modifying a group is in fact an update to the /etc/group file.

1. Add a new user group with the groupadd command. The format is as follows:

groupadd [options] groupname

Options

Option  Description
-g <gid>  Specify the ID of the new group.
-r  Create a system group; system group IDs are less than 500.
-K <key=value>  Override the default values from /etc/login.defs.
-o  Allow the new group to have a non-unique group ID.

Instance

Create a new group with a specified group ID:

groupadd -g 344 linuxde

This creates a group entry in /etc/group whose group ID (GID) is 344.

2. To delete an existing user group, use the groupdel command, in the following format:

groupdel groupname

Instance

# groupdel group1

This command removes the group group1 from the system.

3. Modify the properties of a user group with the groupmod command. Its syntax is as follows:

groupmod [options] groupname

Options

Option  Description
-g <gid>  Set the group ID to use.
-o  Allow the group ID to be reused (non-unique).
-n <new group name>  Set the new name of the group.

Example 1:

# groupmod -g 102 group2

This command modifies the group ID number of group group2 to 102.

Example 2:

# groupmod -g 10000 -n group3 group2

This command changes the group ID of group2 to 10000 and renames the group to group3.

4. If a user belongs to more than one user group at the same time, the user can switch between those groups in order to obtain the permissions of another group.

After logging in, the user can switch to another user group with the newgrp command, whose argument is the target user group. For example:

$ newgrp root

This command switches the current user to the root group, provided that the root group really is the user's primary or additional group. As with user accounts, user groups can also be managed through integrated system management tools.

III. System files related to user accounts

There are many ways to carry out user management work, but each of them actually modifies the system files concerned.

Information about users and user groups is stored in several system files, including /etc/passwd, /etc/shadow, /etc/group, etc.

The contents of these files are described below.

1. The /etc/passwd file is one of the most important files involved in user management.

Each user in a Linux system has a corresponding record line in /etc/passwd, which records some of the user's basic properties.

This file is readable for all users. Its content is similar to the following example:

# cat /etc/passwd
root:x:0:0:superuser:/:
daemon:x:1:1:system daemons:/etc:
bin:x:2:2:owner of system commands:/bin:
sys:x:3:3:owner of system files:/usr/sys:
adm:x:4:4:system accounting:/usr/adm:
uucp:x:5:5:uucp administrator:/usr/lib/uucp:
auth:x:7:21:authentication administrator:/tcb/files/auth:
cron:x:9:16:cron daemon:/usr/spool/cron:
listen:x:37:4:network daemon:/usr/net/nls:
lp:x:71:18:printer administrator:/usr/spool/lp:
sam:x:200:50:sam san:/usr/sam:/bin/sh

As the example shows, each line in /etc/passwd corresponds to one user, and each line is split by colons (:) into 7 fields with the following format and meaning:

username:password:UID:GID:comment:home directory:login shell

1) "User name" is a string representing the user account.

It is usually not more than 8 characters long and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field delimiter.

For compatibility, it is best not to include a dot (.) in the login name, nor to begin it with a hyphen (-) or a plus sign (+).

2) "Password": in some systems this field holds the encrypted user password.

Although this field holds only the encrypted form of the password, not clear text, the /etc/passwd file is readable by all users, so it is still a security risk. As a result, many Linux systems (such as SVR4) now use shadow passwords: the real encrypted passwords are stored in /etc/shadow, and only a placeholder character such as "x" or "*" is stored in the password field of /etc/passwd.

3) "User ID" is an integer the system uses internally to identify the user.

In general, it corresponds one-to-one with a user name. If several user names share the same user ID, the system treats them as the same user, even though they can have different passwords, home directories and login shells.

Typically, user IDs range from 0 to 65535. 0 is the ID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; the IDs of ordinary users start from 100. In Linux systems, this lower limit is 500.

4) "Group ID" records the user group to which the user belongs.

It corresponds to a record in the /etc/group file.

5) "Comment" records some personal information about the user.

For example, the user's real name, phone number, address, etc. This field has no practical function for the system. Its format is not uniform across Linux systems; in many of them it holds arbitrary descriptive text that is used as the output of the finger command.

6) "Home directory" is the user's initial working directory.

It is the directory the user is in after logging in. In most systems, all users' home directories are organized under one specific directory, and each home directory is named after the user's login name. Each user has read, write and execute (search) permission on his or her own home directory; other users' access to it is set according to circumstances.

7) "Login shell": after the user logs in, a process is started that is responsible for passing the user's actions to the kernel. This process is the command interpreter or specific program that runs once the user has logged in, namely the shell.

The shell is the interface between the user and the Linux system. There are many kinds of shells, each with different characteristics. Commonly used ones are sh (Bourne shell), csh (C shell), ksh (Korn shell), tcsh (TENEX/TOPS-20 type C shell), bash (Bourne Again shell), etc.

System administrators can assign a shell to a user based on system conditions and user habits. If no shell is specified, the system uses sh as the default login shell, i.e. the value of this field is /bin/sh.

The user's login shell can also be set to a specific program that is not a command interpreter.

With this feature, a user can be restricted to running only the specified application; when the application exits, the user is automatically logged out. Some Linux systems only allow programs registered with the system to appear in this field.

8) There is a class of users in the system called pseudo-users.

These users also occupy a record in /etc/passwd, but they cannot log in because their login shell is empty. They exist mainly to ease system administration and to satisfy the file ownership requirements of the corresponding system processes.

Common pseudo-users are as follows:

Pseudo-user  Meaning
bin  owns the executable user command files
sys  owns the system files
adm  owns the account files
uucp  used by UUCP
lp  used by the lp or lpd subsystem
nobody  used by NFS

1. In addition to the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail, usenet, etc.; they too are associated with the processes and files they require.
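The seven passwd fields and the pseudo-user convention above are easy to audit once the file is parsed. The following script is an added example (not from the original article) that parses a passwd-format listing and reports the conditions the text describes: several names sharing one UID, UID 0 accounts other than root, pseudo-users with an empty login shell, and password fields that are empty or still hold a hash instead of the shadow placeholder. The listing is constructed for the example, modelled on the article's; to audit a real system, read /etc/passwd instead of SAMPLE_PASSWD.

```python
# Added example (not from the original article): parse /etc/passwd-style records and
# run the checks the text motivates. The sample listing is constructed for the example,
# modelled on the article's listing, so the script runs offline.
from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:superuser:/:/bin/sh
daemon:x:1:1:system daemons:/etc:
bin:x:2:2:owner of system commands:/bin:
toor:x:0:0:second uid 0 account:/root:/bin/sh
sam:x:200:50:sam san:/usr/sam:/bin/sh
gem:x:201:50:gem:/home/gem:/bin/sh
guest:x:201:50:shares gem's uid:/home/guest:/bin/sh
old:Dnakfw28zf38w:300:50:hash still in passwd:/home/old:/bin/sh
nopass::301:50:no password at all:/home/nopass:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")


def parse_passwd(text):
    """Split each record into the 7 colon-separated fields described in the article."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def audit_passwd(records):
    """Return the findings a defender wants from a passwd listing."""
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r["name"])
    return {
        # the text notes that several names on one UID are treated as one user
        "shared_uids": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        # any UID 0 account besides root has full superuser power
        "extra_superusers": [r["name"] for r in records if r["uid"] == 0 and r["name"] != "root"],
        # pseudo-users: an empty login shell field means the account cannot log in
        "pseudo_users": [r["name"] for r in records if r["shell"] == ""],
        # an empty password field means login without a password
        "empty_password": [r["name"] for r in records if r["password"] == ""],
        # anything other than the x/* placeholder is a hash left in the world-readable file
        "hash_in_passwd": [r["name"] for r in records if r["password"] not in ("x", "*", "")],
    }


if __name__ == "__main__":
    for key, value in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key}: {value}")
```

The "hash_in_passwd" finding is exactly the situation pwconv fixes: a hash in the world-readable file is what the shadow mechanism described in the next paragraphs was introduced to avoid.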

Because /etc/passwd is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer. To meet the security requirements of Linux systems, the encrypted password is therefore separated out and stored in a file of its own, /etc/shadow. Only the superuser has the right to read this file, which protects the security of users' passwords.

2. Each record line in /etc/shadow corresponds one-to-one with a line in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd.

Its format is similar to /etc/passwd and consists of several fields separated by ":". These fields are:

login name:encrypted password:last change:minimum interval:maximum interval:warning time:inactivity time:expiration time:flag
    1. "Login name" is the user account name, matching the login name in /etc/passwd.
    2. "Encrypted password" holds the encrypted user password, 13 characters long. If it is empty, the user has no password and none is required at login; if it contains characters outside the set {./0-9A-Za-z}, the user cannot log in.
    3. "Last change" is the number of days from the epoch to the time the user last changed the password. The epoch may differ between systems; for example, in SCO Linux it is January 1, 1970.
    4. "Minimum interval" is the minimum number of days required between two password changes.
    5. "Maximum interval" is the maximum number of days the password remains valid.
    6. "Warning time" is the number of days before the password officially expires during which the system warns the user.
    7. "Inactivity time" is the maximum number of days the account remains valid without any login activity.
    8. "Expiration time" is an absolute number of days; if set, it gives the lifetime of the account. Once it has passed, the account is no longer valid and can no longer be used to log in.

Here is an example of /etc/shadow:

# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
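The aging fields above are only useful if you can evaluate them against a date. The following script is an added example (not from the original article) that parses shadow-format records and applies the field meanings just listed: an empty password field means login without a password, a non-hash value such as "*" means the account is locked, and the last-change, maximum, warning, inactivity and expiration fields decide whether a password is expired, in its warning window, or past its grace period. The listing is constructed for the example (modelled on the article's); the day number passed as today is also constructed so the result is reproducible, and the treatment of a zero maximum interval as "no aging" is an assumption made here.

```python
# Added example (not from the original article): classify /etc/shadow records using the
# nine fields described above. The sample listing is constructed, modelled on the article's
# example, and "today" is passed in as days since 1970-01-01 so the result is reproducible.
SHADOW_FIELDS = ("name", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "flag")

# Characters of a classic 13-character crypt string per the text ({./0-9A-Za-z});
# modern crypt strings ($id$salt$hash) also use '$', which is added here as an assumption.
HASH_CHARS = set("./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$")

SAMPLE_SHADOW = """\
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
nopass::9740:0:90::::
stale:EkdiSECLWPdSa:9600:0:90:7:30::
gone:EkdiSECLWPdSa:9700:0:90:7::9750:
soon:EkdiSECLWPdSa:9715:0:90:7:::
"""


def parse_shadow(text):
    """Split each record into 9 fields; empty numeric fields become None ("not set")."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"expected 9 fields: {line!r}")
        rec = dict(zip(SHADOW_FIELDS, parts))
        for field in SHADOW_FIELDS[2:8]:
            rec[field] = int(rec[field]) if rec[field] else None
        records.append(rec)
    return records


def account_status(rec, today):
    """Apply the field meanings from the text to one record."""
    pw = rec["password"]
    if pw == "":
        return "no-password"        # empty field: login is allowed without a password
    if not set(pw) <= HASH_CHARS:
        return "locked"             # '*' or '!' is not a valid hash: the user cannot log in
    if rec["expire_day"] is not None and today >= rec["expire_day"]:
        return "account-expired"    # the absolute expiration day has passed
    last, max_days = rec["last_change"], rec["max_days"]
    # Assumption for this example: an empty or zero maximum interval means no password
    # aging, matching the listing above where the daemons carry 0 in that field.
    if last is not None and max_days:
        age = today - last
        if age > max_days:
            inactive = rec["inactive_days"]
            if inactive is not None and age > max_days + inactive:
                return "password-expired-and-inactive"   # grace period after expiry used up
            return "password-expired"
        if rec["warn_days"] is not None and age > max_days - rec["warn_days"]:
            return "warn"           # inside the warning window before expiry
    return "ok"


def shadow_report(text, today):
    """Map each login name to its status on the given day."""
    return {rec["name"]: account_status(rec, today) for rec in parse_shadow(text)}


if __name__ == "__main__":
    for name, status in shadow_report(SAMPLE_SHADOW, today=9800).items():
        print(f"{name:8s} {status}")
```

Running it on a real system means reading /etc/shadow as root and passing the current day number (seconds since the epoch divided by 86400); the "no-password" entries are the ones to look at first, since they match the situation the passwd -d example produced earlier.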
3. All information about user groups is stored in the /etc/group file.

Grouping users is a means of managing and controlling access to users in a Linux system.

Each user belongs to a user group, a group can contain multiple users, and a user can belong to several groups.

When a user is a member of more than one group at once, the primary group recorded in /etc/passwd is the default group the user belongs to at login; the other groups are called additional groups.

To access a file that belongs to one of his additional groups, the user must first use the newgrp command to make himself a member of the group he wants to access.

All information about user groups is stored in /etc/group. Its format is similar to that of /etc/passwd: several fields separated by colons (:), namely:

group name:password:GID:list of users in the group
    1. "Group name" is the name of the user group, consisting of letters or digits. As with login names in /etc/passwd, group names must not be duplicated.
    2. "Password" holds the encrypted group password. User groups on general Linux systems have no password, so this field is usually empty or *.
    3. "Group ID" is like the user ID: an integer the system uses internally to identify the group.
    4. "List of users in the group" lists all users belonging to this group, separated by commas (,). The group may be a user's primary group or an additional group.

An example of the/etc/group file is as follows:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam

IV. Adding users in bulk
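Answering "which groups does this user actually have" needs both files: the primary group comes from the GID column of /etc/passwd, the additional groups from the member lists in /etc/group, and newgrp (as described in section II.4) only succeeds for one of those. The following script is an added example (not from the original article) that parses group-format records, combines them with a passwd listing, and also flags users whose primary GID has no /etc/group record. Both listings are constructed for the example, modelled on the article's.

```python
# Added example (not from the original article): parse /etc/group records and combine
# them with the GID column of /etc/passwd. Both listings are constructed samples modelled
# on the article's; on a real system read /etc/group and /etc/passwd instead.
SAMPLE_GROUP = """\
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
users::20:root,sam
staff:x:50:
"""

SAMPLE_PASSWD = """\
root:x:0:0:superuser:/:/bin/sh
sam:x:200:50:sam san:/usr/sam:/bin/sh
gem:x:201:999:primary gid with no group record:/home/gem:/bin/sh
"""


def parse_group(text):
    """name -> {gid, password, members}; the 4 fields described in the text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, password, gid, members = line.split(":")   # exactly 4 fields
        groups[name] = {
            "gid": int(gid),
            "password": password,
            # comma-separated member list; an empty field means no listed members
            "members": [m for m in members.split(",") if m],
        }
    return groups


def primary_gids(passwd_text):
    """name -> GID taken from the fourth passwd field."""
    out = {}
    for line in passwd_text.splitlines():
        if line.strip():
            parts = line.split(":")
            out[parts[0]] = int(parts[3])
    return out


def groups_of(user, groups, passwd_text):
    """Primary group (from passwd) and additional groups (from group member lists)."""
    by_gid = {g["gid"]: name for name, g in groups.items()}
    primary = by_gid.get(primary_gids(passwd_text)[user])   # None if the GID is orphaned
    additional = sorted(name for name, g in groups.items()
                        if user in g["members"] and name != primary)
    return {"primary": primary, "additional": additional}


def can_newgrp(user, group, groups, passwd_text):
    """newgrp only succeeds if the target is the user's primary or an additional group."""
    g = groups_of(user, groups, passwd_text)
    return group == g["primary"] or group in g["additional"]


def orphan_primary_gids(groups, passwd_text):
    """Users whose passwd GID has no matching /etc/group record."""
    known = {g["gid"] for g in groups.values()}
    return sorted(u for u, gid in primary_gids(passwd_text).items() if gid not in known)


if __name__ == "__main__":
    groups = parse_group(SAMPLE_GROUP)
    for user in ("root", "sam", "gem"):
        print(user, groups_of(user, groups, SAMPLE_PASSWD))
    print("newgrp adm as sam:", can_newgrp("sam", "adm", groups, SAMPLE_PASSWD))
    print("orphan primary GIDs:", orphan_primary_gids(groups, SAMPLE_PASSWD))
```

Note that a user's membership in the "root" group line here comes purely from the member list; it does not make the user UID 0. The two are independent, which is why the passwd audit and the group audit are worth running separately.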

Adding and removing a few users is easy for any Linux system administrator. The tricky part is adding dozens, hundreds or even thousands of users: it is impractical to add them one by one with useradd, so a simpler way to create many users is needed. Linux provides tools for creating a large number of users at once, as follows:

(1) First edit a text file of users.

Each line follows the format of the /etc/passwd file. Note that each user's user name, UID and home directory must be different; the password column can be left blank or set to x. A sample file user.txt reads as follows:

user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) As root, run /usr/sbin/newusers to import the data from the user.txt file just created and create the users:

# newusers < user.txt  # newusers creates multiple users at once in batch mode

Then run vipw or vi /etc/passwd to check whether /etc/passwd already contains the records of these users, and whether their home directories have been created.

(3) Run the command /usr/sbin/pwunconv.

This decodes the shadow passwords from /etc/shadow, writes them back into /etc/passwd, and removes the shadow password column from /etc/shadow. It prepares for the password conversion in the next step, i.e. the shadow password function is turned off first.

# pwunconv   # pwunconv does the opposite of pwconv: it turns off shadow passwords, moving the passwords from the shadow file back into the passwd file
(4) Edit a password control file for the users.

The sample file passwd.txt reads as follows:

user001:<password>
user002:<password>
user003:<password>
user004:<password>
user005:<password>
user006:<password>
(5) As root, run /usr/sbin/chpasswd.

This creates the users' passwords: chpasswd writes passwords encoded by the /usr/bin/passwd command into the password column of /etc/passwd.

# chpasswd < passwd.txt  # chpasswd is a tool for updating user passwords in batch; it redirects the contents of a file into /etc/shadow
(6) After confirming that the passwords have been encoded into the password column of /etc/passwd:

Run the command /usr/sbin/pwconv to encode the passwords as shadow passwords and write the result to /etc/shadow.

# pwconv     # pwconv turns on shadow passwords. The user and group passwords of a Linux system are stored in the files passwd and group under /etc. Because the system needs them, anyone can read these files, which creates a security hole. Shadow passwords move the passwords into the shadow and gshadow files under /etc, which only the system administrator may read, and replace the original passwords with the character "x", effectively strengthening system security.

This completes the creation of a large number of users. Afterwards, check whether the permissions of the users' home directories are set correctly, and log in to verify that the passwords are correct.
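Steps (1) and (4) above are the only ones that involve hand-written files, and they are where the procedure goes wrong: a duplicated user name, UID or home directory in user.txt, or a placeholder left in passwd.txt. The following script is an added example (not from the original article) that generates both files from a list of names and validates the uniqueness constraints the text states, against the new lines themselves and against an existing passwd listing, before anything is fed to newusers or chpasswd. The names, starting UID, GID and directory layout are constructed for the example and match the article's sample.

```python
# Added example (not from the original article): build and validate the user.txt and
# passwd.txt inputs for the newusers / chpasswd batch procedure described above.
# Names, UID range and directory layout are constructed for the example.
import secrets
import string


def make_newusers_lines(names, start_uid, gid, comment="user",
                        home_base="/home", shell="/bin/bash"):
    """One passwd-format line per user; the password column stays empty, as the text allows."""
    lines = []
    for i, name in enumerate(names):
        uid = start_uid + i
        lines.append(f"{name}::{uid}:{gid}:{comment}:{home_base}/{name}:{shell}")
    return lines


def validate_newusers_lines(lines, existing_passwd=""):
    """Return a list of problems: duplicate names, UIDs or home directories,
    checked against the new lines and against an existing passwd listing."""
    seen_names, seen_uids, seen_homes = set(), set(), set()
    for line in existing_passwd.splitlines():
        if line.strip():
            p = line.split(":")
            seen_names.add(p[0])
            seen_uids.add(int(p[2]))
            seen_homes.add(p[5])
    problems = []
    for line in lines:
        p = line.split(":")
        if len(p) != 7:
            problems.append(f"wrong field count: {line}")
            continue
        name, uid, home = p[0], int(p[2]), p[5]
        if name in seen_names:
            problems.append(f"duplicate user name {name}")
        if uid in seen_uids:
            problems.append(f"duplicate UID {uid} for {name}")
        if home in seen_homes:
            problems.append(f"duplicate home directory {home}")
        seen_names.add(name)
        seen_uids.add(uid)
        seen_homes.add(home)
    return problems


def make_chpasswd_lines(names, length=16):
    """user:password lines for chpasswd, with a random password per user."""
    alphabet = string.ascii_letters + string.digits
    return [f"{n}:{''.join(secrets.choice(alphabet) for _ in range(length))}" for n in names]


if __name__ == "__main__":
    names = [f"user{n:03d}" for n in range(1, 7)]
    user_lines = make_newusers_lines(names, start_uid=600, gid=100)
    # a real run would pass the contents of /etc/passwd here
    problems = validate_newusers_lines(user_lines, existing_passwd="root:x:0:0:superuser:/:/bin/sh\n")
    if problems:
        raise SystemExit("\n".join(problems))
    with open("user.txt", "w") as f:
        f.write("\n".join(user_lines) + "\n")
    with open("passwd.txt", "w") as f:
        f.write("\n".join(make_chpasswd_lines(names)) + "\n")
    print("wrote user.txt and passwd.txt for", len(names), "users")
```

passwd.txt holds clear-text passwords, so it should be created with restrictive permissions and deleted as soon as chpasswd has consumed it; the generated passwords then need to be handed to the users through a separate channel.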
