I. Management of System user accounts
1. Add user account
To add a user account is to create a new account in the system, and then assign the user number, user group, home directory, and login shell resources to the new account. The account you just added is locked and cannot be used. Use the Useradd command.
Syntax: Useradd option user name
Parameter description:
-
- -C Comment Specifies an annotative description.
- The-D directory specifies the home directory, and if this directory does not exist, the-m option can be used to create the master directory.
- The-G user group specifies the user group to which the user belongs.
- -G user Group, user group specifies the additional group to which the user belongs. (so that it can belong to multiple user groups at the same time)
- -S Shell file specifies the user's login shell.
- -u user number specifies the user's user number, and if you have the-o option, you can reuse the other user's identification number.
User name:
Specify the login name for the new account.
2. Delete Account
If a user's account is no longer in use, it can be removed from the system. Deleting a user account is to delete the user record in the system files such as/etc/passwd, and delete the user's home directory if necessary.
Delete an existing user account using the userdel
command
Syntax: Userdel option user name
The common option is the-R function to remove the user's home directory together
3. Modify your Account
Modify user account is based on the actual situation to change the user's relevant attributes, such as user number, home directory, user group, login shell and so on.
Modify information used by an existing user usermod
command
Syntax: usermod option user name
Parameter description:
Common options include the -c, -d, -m, -g, -G, -s, -u以及-o等
option to useradd
specify a new resource value for the user, as is the option in the command.
In addition, some systems can use the option:-L New user name
This option specifies a new account to change the original user name to a new one
4. Management of user's password (password is understood as password)
An important part of user management is the management of user passwords. The user account has just been created without a password, but is locked by the system, cannot be used, it must be given a password before it can be used, even if a blank password is specified.
The shell command that specifies and modifies the user's password is passwd
. A superuser can specify a password for himself and another user (Superuser, root), and the normal user can only use it to modify his or her password.
The command format is: passwd option user name
Parameter description:
- -L locks the password, which disables the account.
- -u password to unlock.
- -D make the account no password.
- -F forces the user to modify the password the next time they log on.
If the default user name, the password for the current user is modified. (i.e. input only passwd)
Ordinary users to modify their own password, the passwd command will first ask the original password, verify and then ask the user to enter two times the new password, if the password two times the same, the password is assigned to the user, and the superuser to specify a password for the user, you do not need to know the original password.
Two. Management of Llinux System user Group
1. Add a new user group using the Groupadd command
Syntax: Groupadd option user Group
Parameter description:
- -G GID Specifies the group identification number (GID) of the new user group.
- -O is commonly used with the-G option, which means that the GID of the new user group can be the same as the GID of the user group already in the system.
2. Delete an existing user group using the Groupdel command
Syntax: Groupdel user Group
3. Modify the user group's properties using Groupmod
Syntax: Groupmod option user Group
Parameter description:
- -G GID Specifies a new group identification number for the user group.
- The-O is used in conjunction with the-G option, and the user group's new GID can be the same as the GID of the user group already in the system.
- -N New user Group change user group name to new name
4. If a user belongs to more than one user group at the same time, the user can switch between groups of users so that they have permissions for other user groups
After logging in, the user can switch to another user group using the command Newgrp, which is the target user group. For example:
$ NEWGRP Root
This command switches the current user to the root user group, provided that the root user group is really the user's primary or additional group. Similar to the management of user accounts, the management of user groups can also be accomplished through integrated system management tools.
Three. system files related to user accounts
1./ETC/PASSWD files are one of the most important files involved in user management work
Each user in the Linux system has a corresponding record line in the/etc/passwd file, which records some of the basic properties of the user.
A row of records in/etc/passwd corresponds to a user, and each row of records is separated by a colon (:) into 7 fields, with the following format and specific meanings:
User name: Password: User id: Group identification number: Annotative Description: Home directory: Login Shell
1) "User name" is a string representing the user account.
It is usually not more than 8 characters in length and consists of uppercase and lowercase letters and/or numbers. The login name cannot have a colon (:), because the colon is the delimiter here.
For compatibility purposes, it is best not to include the dot character (.) in the login name, and to begin with a hyphen (-) and a plus sign (+).
2) "Password" in some systems, stored in the encrypted user password Word.
Although this field contains only the user password of the encrypted string, not clear text, but because the/etc/passwd file is readable to all users, so this is still a security risk. As a result, many Linux systems (such as SVR4) now use Shadow technology to store real encrypted user passwords into/etc/shadow files, while storing only a special character, such as "X" or "*", in the password field of the/etc/passwd file.
3) The user ID number is an integer that is used internally by the system to identify the user.
In general, it corresponds to a user name of one by one. If several user names correspond to the same user ID number, the system will treat them as the same user, but they can have different passwords, different home directories, and different login shells.
Typically, the range of user identification numbers is 0~65 535. 0 is the root identification number of Superuser, 1~99 is reserved by the system, as an administrative account, the identification number of ordinary users starts from 100. In a Linux system, this limit is 500.
4) The Group Identification Number field records the user group to which the user belongs.
It corresponds to a record in the/etc/group file.
5) The "Annotative description" field records some of the user's personal circumstances.
For example, the user's real name, phone number, address, etc., this field does not have any practical use. In different Linux systems, the format of this field is not uniform. In many Linux systems, this field holds an arbitrary annotated descriptive text that is used as the output of the finger command.
6) "Home Directory", which is the user's starting working directory.
It is the directory where the user is located after logging on to the system. In most systems, each user's home directory is organized under the same specific directory, and the user's home directory name is the user's login name. Each user has read, write, execute (search) permissions on his or her home directory, and other users ' access to this directory is set according to the specific circumstances.
7) After the user logs in, to start a process, is responsible for the user's actions to the kernel, the process is the user log on to the system run after the command interpreter or a specific program, the shell.
The shell is the interface between the user and the Linux system. There are many types of Linux shells, each of which has different characteristics. Commonly used are sh (Bourne shell), csh (c shell), Ksh (Korn Shell), tcsh (tenex/tops-20 type C shell), bash (Bourne Again shell), etc.
System administrators can assign a shell to a user based on system conditions and user habits. If you do not specify a shell, then the system uses SH as the default login shell, that is, the value of this field is/bin/sh.
The user's login shell can also be specified as a specific program (this program is not a command interpreter).
With this feature, we can restrict the user from running only the specified application, and the user exits the system automatically after the application has finished running. Some Linux systems require only those programs that are registered in the system to appear in this field.
8) There is a class of users in the system called pseudo-user (pseudo users).
These users also occupy a record in the/etc/passwd file, but cannot log on because their logon shell is empty. Their existence is mainly to facilitate the system management, to meet the corresponding system process of the document owner requirements.
Owning an account file
1, in addition to the pseudo-users listed above, there are many standard pseudo-users, such as: Audit, cron, mail, Usenet, etc., they are also related to the process and files required.
Because the/etc/passwd file is readable by all users, if the user's password is too simple or the rule is more obvious, a common computer can easily crack it, so the security requirements of the Linux system is encrypted after the password word separated out, stored in a file alone, This file is/etc/shadow file. A superuser has the ability to read the file, which guarantees the security of the user's password.
2. The record line in/etc/shadow corresponds to one by one in/etc/passwd, which is automatically generated by the Pwconv command according to the data in the/etc/passwd.
Its file format is similar to/etc/passwd and consists of several fields, separated by ":" Between the fields. These fields are:
Login: Encrypted password: Last modified: Minimum time interval: Maximum time interval: Warning Time: Inactivity time: Expiry time: Flag
- "Login Name" is a user account that matches the login name in the/etc/passwd file
- The password field holds the encrypted user password Word with a length of 13 characters. If null, the corresponding user does not have a password, the password is not required at logon, and if it contains characters that are not part of the collection {./0-9a-za-z}, the corresponding user cannot log on.
- Last modified time represents the number of days from the time the user last modified the password. The beginning of time may not be the same for different systems. For example, in SCO Linux, the starting point for this time is January 1, 1970.
- "Minimum time interval" refers to the minimum number of days required between changing the password two times.
- Maximum time interval refers to the maximum number of days that a password remains valid.
- The warning Time field represents the number of days from the beginning of the system warning user to the official expiration of the user's password.
- "Inactivity Time" represents the maximum number of days that a user does not have a login activity but the account remains valid.
- The "Expiration Time" field gives an absolute number of days, and if this field is used, the lifetime of the corresponding account is given. After expiry, the account is no longer a legitimate account, and can no longer be used to log on.
3, all the information of the user group is stored in the/etc/group file.
Grouping users is a means of managing and controlling access to users in a Linux system.
Each user belongs to a group of users, a group can have multiple users, and a user can belong to a different group.
When a user is a member of more than one group at the same time, the primary group that the user belongs to is recorded in the/etc/passwd file, which is the default group to which the login belongs, and the other groups are called additional groups.
When a user accesses a file that belongs to an additional group, you must first use the NEWGRP command to make yourself a member of the group you want to access.
All the information for the user group is stored in the/etc/group file. The format of this file is also similar to the/etc/passwd file, separated by a colon (:) several fields, which are:
Group Name: password: Group identification number: List of users in the group
- Group name is the name of the user group, consisting of letters or numbers. As with logins in/etc/passwd, group names should not be duplicated.
- The password field holds the password word after the user group is encrypted. The user groups in the General Linux system do not have a password, that is, the field is generally empty or *.
- The group ID is similar to the user identification number and is an integer that is used internally by the system to identify the group.
- The "group user list" is a list of all users belonging to this group/b], separated by commas (,) between different users. This user group may be the user's primary group, or it may be an additional group.
Iv. Adding bulk users
Adding and removing users to every Linux system administrator is a breeze, the tricky thing is that if you want to add dozens of, hundreds or even thousands of users, we are not likely to use Useradd to add one by one, it is necessary to find a simple way to create a large number of users. The Linux system provides the tools to create a large number of users, allowing you to create a large number of users immediately, as follows:
(1) Edit a text user file first.
Each column according to the /etc/passwd
format of the password file, to note that each user's user name, UID, host directory can not be the same, where the password bar can be left blank or enter the X number. An example file user.txt the contents as follows:
user001::600:100:User:/home/user001:/bin/bashuser002::601:100:User:/home/user002:/bin/bashuser003::602:100:User:/home/user003:/bin/bashuser004::30V:100:user: /home/user004:/bin/::604:100 : user:/home/user005: /bin/bashuser006::605 :100:user: /home/user006:/bin/
(2) Execute the command as root
/usr/sbin/newusers
, from the user file that you just created
user.txt
Import data in, create a user:
# NewUsers < User.txt
You can then execute commands vipw
or vi /etc/passwd
check whether the /etc/passwd
files already have data for those users, and whether the user's host directory has been created.
(3) Execute command/usr/sbin/pwunconv.
/etc/shadow
decode the resulting shadow
password, then write it back /etc/passwd
in and /etc/shadow
shadow
delete the password bar. This is to facilitate the next step of the password conversion work, that is, the first cancellation shadow password
function.
# Pwunconv
(4) Edit the password control file for each user.
The sample file reads passwd.txt
as follows:
user001: Password user002: Password user003: Password user004: password user005: password user006: Password
(5) Execute the command as root
/usr/sbin/chpasswd
。
Creates a user password that writes a password that has been encoded by a chpasswd
/usr/bin/passwd
command to /etc/passwd
the password bar.
# CHPASSWD < Passwd.txt
(6) After you have determined that the password has been encoded into the/etc/passwd password bar.
The Execute command /usr/sbin/pwconv
encodes the password shadow password
and writes the result /etc/shadow
.
# Pwconv
This completes the creation of a large number of users, after which you can check whether the permissions settings for these user host directories are correct, and log on to verify that the user's password is correct.
Linux User and user group management