Linux users and user groups
1. User and user group files
In Linux, user accounts, user passwords, user group information and user group passwords are stored in separate configuration files.
User accounts and their related information (except the password) are stored in /etc/passwd. Because every user has permission to read the passwd file, the password is not kept there but in /etc/shadow.
In the passwd file each line defines one user account. A line consists of several fields separated by colons, and each field holds one piece of information about the account.
In a freshly installed Linux system the passwd file already contains many accounts created automatically by the system; they are needed by Linux processes or service programs to run. The last field of these accounts is usually /sbin/nologin, meaning the account cannot be used to log on to the system.
In the passwd file the fields, from left to right, have the following meanings:
user account : user password : user ID : user group ID : full name : user home directory : user shell
For example, the entry for root is:
root:x:0:0:root:/root:/bin/bash
Because the password is no longer stored in passwd, the password field only holds the placeholder x.
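The checks a practitioner usually wants to run over a passwd-format file follow directly from the field layout above: a second account with UID 0, a hash sitting in the password field instead of the x placeholder, and accounts that still have an interactive shell. The script below is an added example written for this page, not part of the original tutorial; the passwd lines it reads are a constructed sample (the names and UIDs are invented), and the audit_passwd function is a hypothetical helper, not a system tool.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format. The accounts, UIDs and the
# placeholder hash are invented for this example; this is not a real file.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
backup:x:0:0:legacy backup:/home/backup:/bin/bash
nisj:x:502:500::/home/nisj:/bin/bash
legacy:$1$abc$def:600:600::/home/legacy:/bin/sh
EOF
)

# audit_passwd: read passwd-format text from $1 and print one finding per line,
# "<check> <account>". Checks, in order per line:
#   badfields      - the line does not have the seven colon-separated fields
#   uid0           - UID 0 on an account other than root
#   hash-in-passwd - password field is not x, * or ! (a hash is readable by everyone)
#   login-shell    - shell is not one of the non-login shells named in the text
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                                 { print "badfields " $1; next }
        $3 == 0 && $1 != "root"                 { print "uid0 " $1 }
        $2 != "x" && $2 != "*" && $2 != "!"     { print "hash-in-passwd " $1 }
        $7 !~ /(nologin|false|true)$/           { print "login-shell " $1 }
    '
}

# On a real system run it over the live file: audit_passwd "$(cat /etc/passwd)"
audit_passwd "$SAMPLE_PASSWD"
```

The shell check treats /sbin/nologin, /bin/false and /bin/true as non-login shells because those are the values the text assigns to accounts that must not log on; adjust the pattern if your system uses /usr/sbin/nologin.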
To prevent a user account from logging on to Linux, set the user's shell to /sbin/nologin. An FTP account, for example, can then log on to and use the FTP server but cannot log on to the Linux operating system. To deny a user telnet access, that is, to stop the user from logging on remotely with telnet, set the user's shell to /bin/true. To deny both telnet and ftp logon, set the user's shell to /bin/false.
Add these shells to /etc/shells manually (append with >>; a single > would overwrite the file):
[root@localhost ~]# echo "/bin/false" >> /etc/shells
[root@localhost ~]# echo "/bin/true" >> /etc/shells
2. User Password File
For security, the user's real password is not stored in clear text: it is hashed with the MD5-based crypt algorithm (hashes beginning with $1$) and stored in /etc/shadow, which only the root user can read.
Like the passwd file, the shadow file stores the information of one account per line. The first field is the user account name and the second field is the hashed account password.
3. User Group account files
User group account information is stored in /etc/group, which any user can read. The user group's real password is stored in /etc/gshadow.
In the group file the first field is the name of the user group, the second field is x, the third is the ID number (GID) of the user group, and the fourth is the list of user members of the group, with user names separated by commas.
4. Add a user
Create a new user with the useradd command. Its usage is:
useradd [option] username
The command has many options; the commonly used ones are:
-c comment: sets the comment (full name) field for the user
-d directory: specifies a home directory instead of the default /home/username
-m: creates the home directory if it does not exist; -r combined with -m creates a home directory for a system account
-M: does not create a home directory
-e date: specifies the account expiration date, in the format MM/DD/YY
-f days: number of days after the password expires until the account is permanently disabled; 0 disables the account as soon as the password expires, and -1 turns this function off
-g group: specifies the user group the user is added to as primary group; the group must already exist
-G group list: specifies additional user groups the user joins at the same time, separated by commas
-n: does not create a private user group for the user
-s shell: specifies the logon shell; the default is /bin/bash
-r: creates a system account with a user ID below 500; by default no home directory is created for it
-u user ID: manually specifies the ID of the new user, which must be unique and greater than 499
-p password: specifies the logon password of the new user. The value expected here is the MD5-crypt hash of the password, not the clear-text password, so this parameter is rarely used in practice; use the passwd command to set the logon password instead.
Example:
To create a user named nisj who is a member of the babyfish user group, run:
[root@localhost ~]# useradd -g babyfish nisj
[root@localhost ~]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost ~]# tail -1 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
When you add a user without the -g parameter, the system creates by default a private user group with the same name as the user account. If you do not want this private group, use the -n parameter.
For example, adding an account named nsj820 without specifying a user group gives:
[root@localhost ~]# useradd nsj820
[root@localhost ~]# id nsj820
uid=503(nsj820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj820:x:503:503::/home/nsj820:/bin/bash
[root@localhost ~]# tail -2 /etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
nsj820:x:503:503::/home/nsj820:/bin/bash    # the system automatically created a user group named nsj820 with GID 503
When a user account is created, the system also creates the user's home directory, under /home by default; use the -d parameter to put it elsewhere. The default logon shell is /bin/bash; use the -s parameter to change it.
For example, to create an account named vodup with its home directory under /var and /sbin/nologin as its logon shell, run:
[root@localhost ~]# useradd -d /var/vodup -s /sbin/nologin vodup
[root@localhost ~]# id vodup
uid=504(vodup) gid=504(vodup) groups=504(vodup)
[root@localhost ~]# tail -1 /etc/passwd
vodup:x:504:504::/var/vodup:/sbin/nologin
[root@localhost ~]# tail -1 /etc/group
vodup:x:504:
5. Set Account attributes
The usermod command modifies the attributes of an existing account, including the logon name, home directory, user groups and logon shell. Its usage is:
usermod [option] username
Commonly used options:
(1) Change the account name
Use the -l parameter. The command usage is:
usermod -l new_username original_username
For example, to rename nsj820 to nsj0820, run:
[root@localhost ~]# usermod -l nsj0820 nsj820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj820:/bin/bash
The output shows that the user name is now nsj0820 while the home directory is still the original /home/nsj820. To change it to /home/nsj0820, run:
[root@localhost ~]# usermod -d /home/nsj0820 nsj0820
[root@localhost ~]# id nsj0820
uid=503(nsj0820) gid=503(nsj820) groups=503(nsj820)
[root@localhost ~]# tail -1 /etc/passwd
nsj0820:x:503:503::/home/nsj0820:/bin/bash
[root@localhost home]# mv /home/nsj820 /home/nsj0820
(2) Locking an account
To temporarily disable a user's logon, lock the user account with the -L parameter. The command usage is:
usermod -L account_to_lock
Linux locks a user by prefixing the password field of the account's line in /etc/shadow with "!", which both invalidates the hash and marks the account as locked.
[root@localhost home]# usermod -L nsj0820
[root@localhost home]# tail -1 /etc/shadow
nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
However, root can still switch to a locked user with su, because su run by root does not ask for the password.
(3) Unlock an account
To unlock an account, use the usermod command with the -U parameter:
[root@localhost ~]# usermod -U nsj0820
[root@localhost ~]# tail -1 /etc/shadow
nsj0820:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
6. delete an account
To delete an account, run the userdel command. Its usage is:
userdel [-r] account_name
-r is optional; when given, the account's home directory is deleted together with the account.
[root@localhost ~]# userdel -r nsj0820
To set the password expiration time for all user accounts, change the PASS_MAX_DAYS value in the /etc/login.defs configuration file. The default value 99999 means that account passwords never expire. PASS_MIN_LEN in the same file sets the minimum password length; the default is 5 characters.
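The lock marker described in section 5 and the PASS_MAX_DAYS value described here both live in /etc/shadow (fields 2 and 5), so one pass over the file can report both: which accounts are locked, which have an empty password field, and which usable passwords never expire. The script below is an added example written for this page, not part of the original tutorial. The shadow lines it reads are a constructed sample whose hashes are placeholders, not real hashes; the status letters follow the ones passwd -S prints (PS, LK, NP); shadow_status and shadow_findings are hypothetical helpers, not system commands.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format. Names are invented and the
# $1$PLACEHOLD$... strings are placeholders, not real password hashes.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$1$PLACEHOLD$xxxxxxxxxxxxxxxxxxxxxx:16910:0:99999:7:::
nsj0820:!$1$PLACEHOLD$yyyyyyyyyyyyyyyyyyyyyy:16910:0:99999:7:::
nisj:$1$PLACEHOLD$zzzzzzzzzzzzzzzzzzzzzz:16910:0:90:7:::
guest::16910:0:99999:7:::
bin:*:16910:0:99999:7:::
EOF
)

# shadow_status: print "<name> <status> <maxdays>" per account, where status
# uses the letters passwd -S uses:
#   NP - password field is empty (no password at all)
#   LK - field starts with ! (usermod -L / passwd -l) or * (never had a password)
#   PS - a usable password hash is set
shadow_status() {
    printf '%s\n' "$1" | awk -F: '
        {
            if ($2 == "")            s = "NP"
            else if ($2 ~ /^[!*]/)   s = "LK"
            else                     s = "PS"
            print $1, s, $5
        }
    '
}

# shadow_findings: the two conditions worth acting on from the text above:
# an empty password field, and a usable password whose max age is the
# PASS_MAX_DAYS default of 99999 (never expires).
shadow_findings() {
    shadow_status "$1" | awk '
        $2 == "NP"                  { print "no-password " $1 }
        $2 == "PS" && $3 == 99999   { print "never-expires " $1 }
    '
}

# On a real system (as root): shadow_findings "$(cat /etc/shadow)"
shadow_findings "$SAMPLE_SHADOW"
```

Locked accounts are deliberately not reported as findings: a "!" prefix is the intended result of usermod -L or passwd -l, and the only thing to remember about it is the point made above, that root can still su to such an account.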
7. Set the user logon Password
Use the passwd command to set the logon password. Its usage is:
passwd [account_name]
If an account name is given, the logon password of that account is set and the old password is overwritten. Only the root user may set the password of another account; ordinary users can only set or change their own password (passwd without parameters).
For example, to set a logon password for the nisj account, run:
[root@localhost home]# passwd nisj
Changing password for user nisj.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Once its logon password is set, the account can log on to the system.
8. Lock/unlock the account password, query the password status, and delete the account password
In Linux, besides locking the user account, the account password itself can also be locked. Once either is locked, the user cannot log on. Only the root user may run these commands. passwd with the -l option locks the account password; with -u it unlocks it:
passwd -l account_name
passwd -u account_name    # unlock the account password
[root@localhost home]# passwd -l nisj
Locking password for user nisj.
passwd: Success
[root@localhost home]# passwd -u nisj
Unlocking password for user nisj.
passwd: Success
To query whether an account's password is locked, use passwd with the -S parameter:
passwd -S account_name
For example:
[root@localhost home]# passwd -S nisj
nisj PS 0 99999 7 -1 (Password set, MD5 crypt.)
To delete an account's password, run passwd with the -d parameter. Only the root user may run this command:
passwd -d account_name
After the password is deleted, the account cannot log on to the system until a new password is set.
9. Create a user group
Users and user groups have a many-to-many relationship: a user can belong to several user groups at the same time, and a user group can contain several users.
Create a user group with the groupadd command. Its usage is:
groupadd [-r] group_name
With the -r parameter a system user group is created, whose GID is less than 500. Without -r a common user group is created, whose GID is 500 or greater.
10. Modify user group attributes
After a user group is created, its attributes can be changed as needed. Modifying a user group mainly means changing its name or its GID.
(1) Change the user group name
To rename a user group, use groupmod with the -n parameter. Its usage is:
groupmod -n new_group_name original_group_name
Renaming a user group does not change its GID.
For example, to rename the student user group to teacher, run:
[root@localhost home]# groupadd student
[root@localhost home]# tail -1 /etc/group
student:x:505:
[root@localhost home]# groupmod -n teacher student
[root@localhost home]# tail -1 /etc/group
teacher:x:505:
(2) Reset the GID of the user group
The GID of a user group can be changed, but the new value must not collide with the GID of an existing group. Changing the GID does not change the group's name.
To change the GID of a user group, use groupmod with the -g parameter. Its usage is:
groupmod -g new_GID group_name
For example, to change the GID of the teacher group to 506, run:
[root@localhost home]# groupmod -g 506 teacher
[root@localhost home]# tail -1 /etc/group
teacher:x:506:
11. delete a user group
Delete a user group with the groupdel command. Its usage is:
groupdel group_name
A user group that is the private group of an existing account cannot be deleted. In that case delete the account that references the group first, then delete the group.
[root@localhost home]# groupdel teacher
[root@localhost ~]# grep teacher /etc/group    # no output means the teacher group no longer exists and was deleted successfully
12. Add a user to a specified group/remove the user from the specified group
To add a user to a specified group so that it becomes a member of that group, run:
gpasswd -a user_account group_name
To remove a user from a user group, run:
gpasswd -d user_account group_name
For example:
[root@localhost home]# groupadd student
[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish),505(student)
[root@localhost home]# gpasswd -d nisj student
Removing user nisj from group student
[root@localhost home]# id nisj
uid=502(nisj) gid=500(babyfish) groups=500(babyfish)
[root@localhost home]# groups nisj
nisj : babyfish
13. Set the User Group Administrator
Besides the root user, a user group administrator can also add users to a group or remove them from it.
To make a user the administrator of a user group, run:
gpasswd -A user_account group_to_manage
This sets the given user as administrator of the given user group. The administrator can only manage the groups assigned to him (add users to the group or remove users from it) and cannot manage other user groups.
[root@localhost home]# gpasswd -a nisj student
Adding user nisj to group student
[root@localhost home]# gpasswd -A nisj student
[root@localhost home]# useradd stu
[root@localhost home]# gpasswd -a stu student
Adding user stu to group student
[root@localhost home]# groups stu
stu : stu student
[root@localhost home]# su - nisj
[nisj@localhost ~]$ gpasswd -d stu student
Removing user stu from group student
[nisj@localhost ~]$ gpasswd -d stu
gpasswd: Permission denied.
14. Other user problems
Linux also provides the id, whoami and groups commands to view the status of users and groups. id displays the uid, gid and group list of the current user; whoami shows the name of the current user; groups lists the user groups the specified user belongs to.
Users and groups can also be managed from the graphical interface: System ---> Administration ---> Users and Groups opens the corresponding configuration window.
Appendix: adding a user to a group can also be done with usermod, but not like this:
usermod -G groupA user
This removes the user from all other supplementary groups and leaves it a member of groupA only.
The -a option must be added:
usermod -a -G groupA user
(On FC4, which lacks -a, list every group: usermod -G groupA,groupB,groupC user)
-a means append: the user is added to groupA without leaving the other user groups.
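The FC4 form in the appendix only works if the full list of the user's current supplementary groups is known, and a missing group in that list silently removes the membership. The script below is an added example written for this page, not part of the original tutorial: it reads a constructed /etc/group sample (the groups and members are invented) and builds the exact -G argument that keeps the existing memberships and adds the new group. supp_groups and append_group are hypothetical helper names, not system commands.

```shell
#!/bin/sh
# Constructed sample in /etc/group format; the groups and members are
# invented for this example, this is not a real file.
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:
wheel:x:10:nisj
babyfish:x:500:
student:x:505:nisj,stu
teacher:x:506:
groupA:x:507:
EOF
)

# supp_groups: print the comma-separated list of groups in which user $2
# appears in the member list (fourth field) of group-format text $1.
# Only supplementary groups are listed; the primary group comes from passwd.
supp_groups() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user) { out = (out == "" ? $1 : out "," $1); break }
        }
        END { print out }
    '
}

# append_group: the value to pass to usermod -G so that user $2 keeps its
# current supplementary groups and also joins $3. Returns the current list
# unchanged when the user is already a member of $3.
append_group() {
    cur=$(supp_groups "$1" "$2")
    if [ -z "$cur" ]; then
        printf '%s\n' "$3"
    else
        case ",$cur," in
            *",$3,"*) printf '%s\n' "$cur" ;;
            *)        printf '%s,%s\n' "$cur" "$3" ;;
        esac
    fi
}

# On a real system without usermod -a (as root), the full command would be:
#   usermod -G "$(append_group "$(cat /etc/group)" nisj groupA)" nisj
append_group "$SAMPLE_GROUP" nisj groupA
```

Where usermod supports -a, "usermod -a -G groupA nisj" does the same without the lookup; the helper matters on the older systems the appendix mentions, and as a way to review what a plain usermod -G would have dropped.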