Linux administrator Manual (7)-manage user accounts

This chapter describes how to generate a new user account, modify the attributes of an account, and delete an account. Different Linux systems have different tool implementations.

What is an account?

When a computer is used by multiple people, it is usually necessary to differentiate users, for example, to keep personal files personal. Even if the computer is only used by one person at the same time, this is also important, for example, most computers. Therefore, each user is given a separate user name, which is used for logon.

There are more users besides their names. An account contains all files, resources, and information of this user. This implies that a bank, in a business system, each account is usually related to some money, and the money depends on the amount of the user's use of the system to be spent at a different speed. For example, the disk space may have a daily price per MB, and the processing time may also have a price per second.

Create user

Linux core only regards users as numbers. Each user uses a single integer to identify the user ID or uid, because numbers are faster and easier to process than text names. A separate database outside the core assigns a text name to each user ID, that is, the username. This database also contains some other information.

To generate a user, you need to add information about the user to the user database and generate a home directory for the user. It is also necessary to train users and establish an appropriate initialization environment.

Most Linux distributions generate accountsProgramAnd there are multiple. Adduser and useradd are two of them. There may be GUI tools. Whatever the program, the result is that there is little if any manual work to be done. even if the details are attached and intricate, these programs make everything seem trivial. however, section 8.2.4 describes how to do it by hand.

/Etc/passwd and other information files
The basic user database of UNIX systems is a text file,/etc/passwd (password file), which lists all valid user names and their related information. Each user line of the file is divided into seven fields separated:

User Name
Encrypted password
User ID of the number
Group ID of a number
Full name or other account description
Home Directory
Log on to shell (the program that runs during logon)

The detailed format is described in passwd (5.

Any user in the system can read the password file, so they can get the names of other users. That is, anyone can obtain the password (second domain ). The password file has encrypted the password, so there should be no problems in terms of profits. However, encryption can be cracked, especially when the password is relatively simple (for example, it is too short or can be found in the dictionary ). Therefore, it is not good to have a password in the password file.

Many Linux systems have shadow passwords files. In this way, the encrypted password is stored in another file/etc/shadow, which can only be read by the root user. The/etc/passwd file has only one special marker in the second domain. Any program that needs to verify a user is setuid, you can access the shadow password file. Only common programs in other domains of the password file cannot obtain the password.
Obtains the user and group ID of a number.

Most systems, regardless of the number of users and group IDs, must use the same UID and GID if Network File System (NFS) is used. Because NFS also uses UID to authenticate users. If you do not use NFS, you can use the account generation tool to automatically obtain the UID.

If NFS is used, you must use a mechanism to synchronize account information. One method is to use the NIS system (see [Kir]).

Initial environment:/etc/skel

When a new user's home directory is generated, use the file in the/etc/skel directory for initialization. The system administrator can generate files in/etc/skel to provide users with a good default environment. For example, generate a/etc/skel/. profile to set the editor environment variable, and provide a friendly editor for new users.

However, it is usually better to keep/etc/skel as small as possible, because it will be next to impossible to update existing users 'files. for example, if the friendly editor name changes, all existing users must edit their. profile. The system administrator can use a script to automatically complete the task, but may still destroy the file of a user.

If possible, it is best to put the global settings in a Global File, such as/etc/profile. In this way, you can upgrade to avoid damaging your settings.

Create a user manually

To create a user manually, follow these steps:

Use vipw (8) to edit/etc/passwd and add a new line for the new user. Pay attention to the syntax. Do not use the editor to edit it directly! Vipw locks the file, and other commands cannot update it. Set the password domain to "*", so you cannot log on.

Similarly, if you want to create a new group, use vigr to edit/etc/group.

Use mkdir to generate the user's home directory.

Copy the files in/etc/skel to the new home directory.

Use chown and chmod to modify the owner and permissions. The-r option is the most useful. The correct permissions vary a little from one site to another, but usually the following commands do the right thing:

CD/home/newusername
Chown-r username. Group.
Chmod-r go = u, go-w.
Chmod go =.

Use passwd (1) to set the password.

The account can be used after the password is set in the last step. You should not set a password before all other tasks are completed. Otherwise, the user may not be allowed to log on to the while you're still copying the files.

Sometimes it is necessary to generate a false (dummy) account for no one, for example, creating an anonymous FTP Server (so that anyone can download files from it without having to get an account ), an FTP account must be generated. In this case, you do not need to set the password later. In addition, it is recommended that you do not set this account so that no one can use this account, unless it is first changed to root, because root can be changed to any user.

Change User attributes

There are several commands to change different attributes of an account (that is, the related domain in/etc/passwd ):

Chfn
Change the full name domain.
CHSH
Change the logon shell.
Passwd
Change the password.

Super Users can use these passwords to change the attributes of any account. Normal users can only change the attributes of their own accounts. Sometimes it may be necessary to make these commands unavailable to common users (using chmod), for example, in an environment with many new users.

Other tasks must be completed manually. For example, to change the user name, you need to edit/etc/passwd (remember to use vipw ). Similarly, to add or delete a user to more groups, you need to edit/etc/group (with vigr ). You need to be careful when there are few such tasks: for example, if you change the user name, emails cannot reach this user unless you generate an email alias at the same time.

Delete a user

To delete a user, you must first delete all his files and then delete related rows from/etc/passwd and/etc/group. Some Linux distributions have specific commands to check whether deluser or userdel exists. However, manual deletion is also very easy.

Temporarily disabling a user

Sometimes a user needs to be temporarily disabled without deleting it. For example, the user does not pay, or the system administrator suspects that the hacker has obtained the password of an account.

The best way to disable a user is to change its shell to a specific program that prints only one piece of information. In this way, anyone who wants to log on to this account will not be able to log on, and learn the cause. This information allows you to contact the system administrator to handle any problems.

You can also change the user name or password, but the user does not know what is going on. Confused users mean more work.

One simple way to generate the above specific program is to write "tail scripts ":

#! /Usr/bin/tail + 2
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive.
The first two characters ("#! ") The other part that tells the core bank is to explain the commands to be run in this file. In this way, the tail command processes everything outside the first line to the standard output.
If you suspect that billg is a security gap, the system administrator can do this:

# CHSH-S/usr/local/lib/no-login/security billg
# Su-Tester
This account has been closed due to a security breach.
Please call 555-1234 and wait for the men in black to arrive.
#
The purpose of Su is to change whether it is working at this time.
Tail scripts should be placed in a separate directory so that their names do not interfere with common user commands.