Users and Groups
I. Concepts of users and groups
The concept of users and groups was introduced as computers came to serve many people at once. A user is the identity the operating system uses to recognise whoever logs in; users and groups are the core elements through which computer resources are allocated. A group is a collection of users that share the same computer resources (mainly meaning the same permissions).
Inside the kernel a user and a group are nothing but numbers, the UID and the GID, and each must be unique within a system. Mapping names to numbers and back (name resolution) is done in user space by the C library (glibc) through calls such as getpwnam(3) and getgrnam(3), which read /etc/passwd and /etc/group or whatever sources /etc/nsswitch.conf configures. Every permission check the kernel performs compares numbers, not names, so two account names that map to the same UID are the same user as far as the kernel is concerned.
II. User identification
Users are identified and held accountable through the 3As (authentication, authorization, audit):
Authentication: proving who you are; on Linux this is mainly done with passwords
Authorization: deciding what a proven identity may do, i.e. granting permissions
Audit: recording what was done (implemented through operation logs)
III. User and group categories
User categories:
Administrator: UID = 0 (root; because the kernel checks the number rather than the name, any account with UID 0 is an administrator)
System users: 1 <= UID <= 499
Normal users: UID >= 500
Group categories:
Administrators group: GID = 0
System groups: 1 <= GID <= 499
User groups: GID >= 500
These boundaries come from UID_MIN and GID_MIN in /etc/login.defs (500 on CentOS 6, shown later in this article); CentOS 7 and most current distributions use 1000 instead.
IV. Correspondence between users and groups
One-to-one: a user is the only member of a group
One-to-many: a user belongs to several groups and holds the permissions of all of them
Many-to-one: several users belong to one group and share that group's permissions
Many-to-many: several users belong to several groups, the combination of the two cases above
V. User- and group-related configuration files
1. User-related files
/etc/passwd: user account information
/etc/passwd-: backup of /etc/passwd
/etc/passwd file format:
account:password:UID:GID:GECOS:directory:shell, one user per line
Field meanings:
Field | Meaning
--- | ---
account | user name (the login string)
password | password placeholder; historically the hash itself, now "x" meaning the hash lives in /etc/shadow
UID | user identification number; traditionally 0~65535, 32-bit on current kernels
GID | number of the user's primary group
GECOS | comment field (full name, contact information)
directory | home directory
shell | login shell; /sbin/nologin denies interactive login while still allowing the account to own files and run services
Example entries:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
Password complexity policy:
Use at least three of the four classes: digits, lowercase letters, uppercase letters and special characters
Minimum length 5 characters (the PASS_MIN_LEN default in /etc/login.defs shown below; 8 or more is the usual recommendation)
Do not use easily guessed passwords
Change passwords regularly and do not reuse recently used ones
Encryption and hashing methods:
Symmetric encryption: encryption and decryption use the same key; distributing that key securely is the hard part
Public-key cryptography (asymmetric encryption): encryption and decryption use a key pair, one public and one private
One-way hashing: extracts a fixed-length fingerprint of the data, mainly used for integrity; its characteristics are fixed-length output, irreversibility and the avalanche effect (a one-bit change in the input changes the output completely). Password storage uses one-way hashing with a per-user salt, so the password itself is never stored and identical passwords do not produce identical hashes.
/etc/shadow: user passwords and the associated account settings
/etc/shadow-: backup of /etc/shadow
/etc/shadow file format:
login name:password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field, one user per line. Because /etc/passwd must be readable by every user, keeping the password hashes there exposed them to offline guessing, so the hash and the aging settings were moved to a separate file, /etc/shadow, which is readable only by root.
Field meanings:
Field | Meaning
--- | ---
login name | user name, matches /etc/passwd
password | hashed password in the form $id$salt$hash ($6$ = SHA-512, $5$ = SHA-256, $1$ = MD5); "!!" means no password has been set, a leading "!" means the account is locked, "*" means no password login is possible, and an empty field means login is granted without any password
date of last password change | days since 1970-01-01; 0 forces a change at the next login
minimum password age | days that must pass before the password may be changed again
maximum password age | days after which the password must be changed (99999 is effectively never)
password warning period | days before expiry during which the user is warned
password inactivity period | days after expiry during which the old password is still accepted before the account is disabled
account expiration date | absolute date, in days since 1970-01-01, after which login is refused regardless of the password
reserved field | reserved for future use
Example entries:
centos:$6$x/hwvp5q$5quun33gwjfhalxij1e.9xveulseq1k6upmcdp.ry8h7y9bs7xvnqrdqsxihwciuueweqfw0re8utpk37zah91:16252:0:99999:7:::
mandriva:!!:16255:0:99999:7:::
gentoo:$6$queamrzj$l8g8osdrr6lzm8kcuu9cienynbgs/sutsvnjf2prd5idrsyama.jrkh2gi86b3qqfmqr1ozqwx.tqtlybocnj/:16255:2:60:3:7::
openstack:!!:16255:0:99999:7:::
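The two formats above are what a reviewer reads first on any Linux host, so here is an added example (not code from the original post) that parses /etc/passwd and /etc/shadow, applies the shadow(5) field semantics just described, and reports the findings that matter: more than one UID 0 account, passwd entries with no shadow entry (what pwck reports), empty password fields on accounts with a login shell, hashes still using MD5, and the password aging state of each account. The file contents, user names and hash strings in the block are constructed for the example; the "today" argument is a day count since 1970-01-01, the same unit the shadow fields use.

```python
"""Audit /etc/passwd and /etc/shadow (added example; sample data is constructed)."""
from collections import namedtuple

Passwd = namedtuple("Passwd", "name password uid gid gecos home shell")
Shadow = namedtuple("Shadow", "name password lastchg min max warn inactive expire reserved")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def _split(text, nfields, what):
    """Yield the colon-separated fields of each non-empty line, enforcing the field count."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("%s line %d: expected %d fields, got %d" % (what, lineno, nfields, len(fields)))
        yield fields


def _days(field):
    """Day-count fields are integers or empty; empty means the feature is not used."""
    return int(field) if field != "" else None


def parse_passwd(text):
    return {f[0]: Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _split(text, 7, "passwd")}


def parse_shadow(text):
    return {f[0]: Shadow(f[0], f[1], _days(f[2]), _days(f[3]), _days(f[4]), _days(f[5]),
                         _days(f[6]), _days(f[7]), f[8]) for f in _split(text, 9, "shadow")}


def password_state(sh, today):
    """Classify one shadow entry for day number `today`, following shadow(5)."""
    pw = sh.password
    if pw == "":
        return "empty"             # no password at all: login is granted without one
    if pw.startswith("!") or pw.startswith("*"):
        return "locked"            # "!!" never set, "!<hash>" locked by passwd -l, "*" no password login
    if sh.expire is not None and today >= sh.expire:
        return "account-expired"   # absolute expiry: refused regardless of the password
    if sh.lastchg == 0:
        return "must-change"       # 0 forces a change at the next login
    if sh.lastchg is not None and sh.max is not None:
        expires_on = sh.lastchg + sh.max
        if today > expires_on:
            if sh.inactive is not None and sh.inactive >= 0 and today > expires_on + sh.inactive:
                return "inactive"  # grace period over: the account is disabled
            return "password-expired"
        if sh.warn is not None and today >= expires_on - sh.warn:
            return "expiring"
    return "ok"


def audit(passwd_text, shadow_text, today):
    """Return a list of findings; an empty list means there is nothing to report."""
    users, shadows, findings = parse_passwd(passwd_text), parse_shadow(shadow_text), []
    uid0 = sorted(u.name for u in users.values() if u.uid == 0)
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ",".join(uid0))
    for name, u in users.items():
        if u.password != "x":
            findings.append("%s: password field in passwd is %r, hashes belong in shadow" % (name, u.password))
        sh = shadows.get(name)
        if sh is None:
            findings.append("%s: no shadow entry" % name)
            continue
        state = password_state(sh, today)
        if state == "empty" and u.shell not in NOLOGIN_SHELLS:
            findings.append("%s: empty password with login shell %s" % (name, u.shell))
        elif state not in ("ok", "locked", "empty"):
            findings.append("%s: %s" % (name, state))
        if sh.password.startswith("$1$"):
            findings.append("%s: MD5 ($1$) hash, rehash with SHA-512 at the next password change" % name)
    for name in shadows:
        if name not in users:
            findings.append("%s: shadow entry without passwd entry" % name)
    return findings


# Constructed sample files modelled on the entries shown above; the hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
centos:x:500:500::/home/centos:/bin/bash
gentoo:x:506:506::/home/gentoo:/bin/bash
mandriva:x:507:507::/home/mandriva:/bin/bash
toor:x:0:0::/root:/bin/bash
legacy:x:508:508::/home/legacy:/bin/bash
nopass:x:509:509::/home/nopass:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$x/hwvp5q$placeholderhash:16252:0:99999:7:::
bin:*:15628:0:99999:7:::
centos:$6$x/hwvp5q$placeholderhash:16252:0:99999:7:::
gentoo:$6$queamrzj$placeholderhash:16255:2:60:3:7::
mandriva:!!:16255:0:99999:7:::
toor:$6$abcdefgh$placeholderhash:16255:0:99999:7:::
legacy:$1$abcdefgh$placeholderhash:16000:0:99999:7:::
nopass::16255:0:99999:7:::
ghost:!!:16255:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, today=16320):
        print(finding)
```

Run against the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read(), int(time.time() // 86400))` as root. The gentoo entry (last change 16255, maximum age 60, warning 3, inactivity 7) walks through every aging state as the day count advances, which is the quickest way to convince yourself of what those four numbers do.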
2. Group-related files
/etc/group: group account information
/etc/group-: backup of /etc/group
/etc/group file format:
group_name:passwd:GID:user_list
Field meanings:
Field | Meaning
--- | ---
group_name | group name
passwd | group password placeholder ("x"; the hash, if any, is in /etc/gshadow)
GID | group identification number
user_list | comma-separated list of users for whom this is a supplementary group (a user's primary group comes from the GID field in /etc/passwd and is not listed here)
Example entries:
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
/etc/gshadow: password information for groups
/etc/gshadow-: backup of /etc/gshadow
/etc/gshadow file format:
group_name:passwd:administrators:members
Field | Meaning
--- | ---
group_name | group name
passwd | hashed group password, used by newgrp(1) to join the group; "!" or an empty field means the group has no password
administrators | comma-separated group administrators, who may add and remove members with gpasswd(1) without being root
members | comma-separated group members; should agree with the user_list field of /etc/group
Example entries:
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon
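Section IV described the user-to-group relationships in words; the added example below (not code from the original post) makes them concrete by parsing /etc/group and /etc/gshadow in the formats just shown, computing a user's effective groups the way id(1) reports them (primary group from the GID column of passwd, supplementary groups from the user_list fields), listing a group's administrators from gshadow, and running the cross-file checks grpck performs. The user names, group names and file contents are constructed for the example.

```python
"""Group membership resolution and grpck-style checks (added example; sample data is constructed)."""
from collections import namedtuple

Group = namedtuple("Group", "name password gid members")
GShadow = namedtuple("GShadow", "name password admins members")


def _csv(field):
    return [m for m in field.split(",") if m]


def _lines(text, nfields, what):
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != nfields:
            raise ValueError("%s line %d: expected %d fields, got %d" % (what, lineno, nfields, len(f)))
        yield f


def parse_group(text):
    return {f[0]: Group(f[0], f[1], int(f[2]), _csv(f[3])) for f in _lines(text, 4, "group")}


def parse_gshadow(text):
    return {f[0]: GShadow(f[0], f[1], _csv(f[2]), _csv(f[3])) for f in _lines(text, 4, "gshadow")}


def parse_passwd_ids(text):
    """Only the name, UID and primary-GID columns of passwd are needed here."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _lines(text, 7, "passwd")}


def effective_groups(user, ids, groups):
    """Primary group first, then supplementary groups in /etc/group order, as (gid, name) pairs."""
    _, gid = ids[user]
    by_gid = {g.gid: g.name for g in groups.values()}
    result = [(gid, by_gid.get(gid, str(gid)))]
    result += [(g.gid, g.name) for g in groups.values() if user in g.members and g.gid != gid]
    return result


def id_line(user, ids, groups):
    """Format the result the way id(1) prints it."""
    uid, gid = ids[user]
    eff = effective_groups(user, ids, groups)
    return "uid=%d(%s) gid=%d(%s) groups=%s" % (
        uid, user, gid, eff[0][1], ",".join("%d(%s)" % (g, n) for g, n in eff))


def group_admins(group, gshadows):
    """Users who may manage the group's membership with gpasswd, from the third gshadow field."""
    return gshadows[group].admins if group in gshadows else []


def grpck(ids, groups, gshadows):
    """Findings in the spirit of grpck(8): duplicate GIDs, unknown members, file disagreement."""
    findings, seen_gids = [], {}
    for g in groups.values():
        if g.gid in seen_gids:
            findings.append("%s: duplicate GID %d (also %s)" % (g.name, g.gid, seen_gids[g.gid]))
        seen_gids.setdefault(g.gid, g.name)
        for m in g.members:
            if m not in ids:
                findings.append("%s: member %s does not exist in passwd" % (g.name, m))
        gs = gshadows.get(g.name)
        if gs is None:
            findings.append("%s: no gshadow entry" % g.name)
        elif set(gs.members) != set(g.members):
            findings.append("%s: member lists differ between group and gshadow" % g.name)
    for name in gshadows:
        if name not in groups:
            findings.append("%s: gshadow entry without group entry" % name)
    for user, (_, gid) in ids.items():
        if gid not in seen_gids:
            findings.append("%s: primary GID %d has no group entry" % (user, gid))
    return findings


# Constructed sample files; wheel and linux are deliberately inconsistent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
centos:x:500:500::/home/centos:/bin/bash
gentoo:x:506:506::/home/gentoo:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
wheel:x:10:centos
centos:x:500:
magedu:x:501:centos,gentoo
gentoo:x:506:
linux:x:502:gentoo,ghost
"""
SAMPLE_GSHADOW = """\
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon
wheel:::centos,gentoo
centos:::
magedu:!:centos:centos,gentoo
gentoo:::
"""

if __name__ == "__main__":
    ids, groups, gsh = parse_passwd_ids(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP), parse_gshadow(SAMPLE_GSHADOW)
    print(id_line("centos", ids, groups))
    print("magedu admins:", group_admins("magedu", gsh))
    for finding in grpck(ids, groups, gsh):
        print(finding)
```

Note that membership of a group such as wheel is decided by /etc/group alone; the gshadow copy of the member list is only consulted by gpasswd and newgrp, which is why the two files drifting apart (the wheel entry above) is worth a finding rather than a shrug.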
VI. Other relevant configuration files
(1) /etc/login.defs
Defines the defaults used when creating a user: the UID and GID ranges, password aging, whether to create a home directory, and so on.
Below is /etc/login.defs from CentOS 6.4 with comments and blank lines stripped, briefly annotated:
# cat /etc/login.defs | grep -v ^# | grep -v ^$
MAIL_DIR        /var/spool/mail   # a mail spool file for the new user is created in this directory
PASS_MAX_DAYS   99999             # maximum number of days a password remains valid
PASS_MIN_DAYS   0                 # days that must pass after a password change before it may be changed again
PASS_MIN_LEN    5                 # minimum password length
PASS_WARN_AGE   7                 # days before expiry on which the user is warned that the password is about to expire
UID_MIN         500               # lowest UID for useradd: new users are numbered upward from 500
UID_MAX         60000             # highest UID for useradd
GID_MIN         500               # lowest GID for groupadd: new groups are numbered upward from 500
GID_MAX         60000             # highest GID for groupadd
CREATE_HOME     yes               # whether useradd creates the home directory (yes or no)
UMASK           077               # mode mask applied to the new home directory
USERGROUPS_ENAB yes               # create a private group named after each new user (the original marks this entry as still to be verified)
ENCRYPT_METHOD  SHA512            # default password hashing algorithm
Note that on CentOS the passwd command enforces password length and complexity through pam_cracklib in /etc/pam.d/system-auth, so raising PASS_MIN_LEN here alone does not tighten the check.
(2) /etc/skel directory
/etc/skel holds the default profile files placed in a new user's home directory, so changing the contents of /etc/skel changes what every user created afterwards starts with. For example, the .bash_profile, .bashrc and .bash_logout seen in a freshly created home directory are copies of the files of the same name in /etc/skel.
(3) /etc/default/useradd
The defaults useradd applies when it is run without options: the home directory goes under /home, the shell is /bin/bash, and so on, all defined in /etc/default/useradd. Changing this file changes the defaults for every later useradd; the same values can be overridden per user with the command's options (useradd -D shows and changes the defaults).
# cat /etc/default/useradd
# useradd defaults file
GROUP=100              # default primary group, used when USERGROUPS_ENAB is no
HOME=/home             # create home directories under /home
INACTIVE=-1            # days after password expiry before the account is disabled; -1 disables the feature
EXPIRE=                # account expiration date; empty means never
SHELL=/bin/bash        # login shell
SKEL=/etc/skel         # directory whose files are copied into the new home directory
CREATE_MAIL_SPOOL=yes  # create a mail spool file for the user in /var/spool/mail (yes or no)
VII. Management of users and groups
1) User management commands
useradd, adduser: add a user (on CentOS adduser is a symlink to useradd)
Option | Meaning | Example
--- | --- | ---
-u | specify the UID | useradd -u 506 gentoo
-g | specify the primary group, by name or GID; the group must already exist | useradd -u 506 -g linux gentoo
-G | specify supplementary groups, several separated by commas | useradd -u 506 -G linux,centos gentoo
-c | comment (GECOS) field, empty by default | useradd -c 'This is a test user' ubantu
-d | home directory; the default is a directory under /home named after the user | useradd -d /tmp/redhat redhat
-s | login shell; the default is /bin/bash | useradd -s /sbin/nologin slackware
-r | create a system user: UID from the system range, no home directory and no aging information in /etc/shadow | useradd -r mysql
-m | create the home directory if it does not exist (already the default when CREATE_HOME is yes) | useradd -m archlinux
-M | do not create the home directory | useradd -M archlinux
-e | account expiration date, in YYYY-MM-DD format | useradd -e 2014-07-20 suse
userdel: delete a user
Usage: userdel user_name
Common option: -r also removes the user's home directory and mail spool, for example userdel -r gentoo. Files the user owns elsewhere on the system are not touched and keep the now-unassigned UID; find / -nouser locates them so they can be re-owned or removed before the UID is reused.
passwd: set a user's password
Option | Meaning | Example
--- | --- | ---
--stdin | read the password from standard input instead of prompting (a Red Hat extension, useful in scripts) | echo 'archlinux' | passwd --stdin archlinux
-l, -u | lock and unlock the user (a "!" is put in front of the hash in /etc/shadow, and removed again) | passwd -l archlinux / passwd -u archlinux
-n, -x, -w, -i | set the minimum age, maximum age, warning period and inactivity period in days | passwd -n 2 -x 60 -w 3 -i 7 gentoo
A password typed on the command line as in the --stdin example is recorded in the shell history; for scripted provisioning feed chpasswd from a file with restrictive permissions rather than from echo.
usermod: modify a user; the login name, home directory and so on can all be changed with usermod
Option | Meaning | Example
--- | --- | ---
-u, -g, -s, -c | change the UID, primary GID, login shell and comment | usermod -u 800 -g 6666 -s /bin/zsh -c 'Beijing Zhongguancun' gentoo
-G with -a | change supplementary groups; without -a the new list replaces the existing one, with -a it is appended to it | usermod -a -G gentoo,centos,linux ubantu
-d with -m | change the home directory; -m moves the contents of the old directory to the new one | usermod -d /tmp/linux -m gentoo
-L, -U | lock and unlock the user (the same effect as passwd -l / passwd -u) | usermod -L redhat / usermod -U redhat
-l | change the login name | usermod -l newname oldname
Changing a UID with -u re-owns only the mailbox and the files inside the home directory; files elsewhere stay owned by the old number and must be fixed by hand.
chown: change the owner and group of a file
Option | Meaning
--- | ---
-R | apply the change to the directory and everything under it
Examples:
1. change both owner and group of /tmp/mylinux to gentoo: chown gentoo:gentoo /tmp/mylinux or chown gentoo.gentoo /tmp/mylinux
2. change only the owner of /tmp/mylinux to gentoo: chown gentoo /tmp/mylinux
3. change only the group of /tmp/mylinux to gentoo: chown :gentoo /tmp/mylinux
4. change the owner of everything under /tmp/test/ to gentoo: chown -R gentoo /tmp/test/
Only root may give a file to another owner; an ordinary user may change the group of a file they own to a group they belong to. chown -R does not follow symbolic links by default, which is what you want on a tree the target user can already write to.
pwconv: move the password hashes from /etc/passwd into /etc/shadow, creating /etc/shadow if needed and replacing each hash in /etc/passwd with x
pwck: verify that /etc/passwd and /etc/shadow are well formed and consistent: correct field counts, unique user names, valid UIDs and GIDs, an existing primary group, home directory and shell, and a shadow entry for every passwd entry
pwunconv: the reverse of pwconv; merge the hashes from /etc/shadow back into /etc/passwd and delete /etc/shadow (this makes every hash world-readable again, so it is almost never wanted)
finger: view user information
# finger centos
Login: centos                           Name:
Directory: /home/centos                 Shell: /bin/bash
On since Sat Jul  5 11:21 (CST) on pts/2 from 172.16.9.17
   8 hours minutes idle
No mail.
No Plan.
id: show the UID, GID and group memberships of a user
# id centos
uid=500(centos) gid=500(centos) groups=500(centos),(magedu)
chfn: change a user's GECOS information
su: switch user
Common usage:
su -l username or su - username: full switch, starting a login shell with the target user's environment (plain su username keeps the caller's environment variables)
su -c: run one command as another user and return, for example:
# su - centos -c 'whoami'
centos
sudo: execute a command as another user. su switches to the other user and the task is then done from that user's shell, whereas sudo runs a single command directly; for example, a user granted the right in /etc/sudoers can run a root command without knowing root's password. Who may run what, as whom, is configured in /etc/sudoers, which must be edited with visudo.
visudo: edits /etc/sudoers, locking the file against concurrent edits and checking its syntax before saving. /etc/sudoers can also be opened directly with vi, but a syntax error saved that way disables sudo for everyone, so visudo should be used.
sudoedit: the same as sudo -e. It copies the file to a temporary location, runs the editor as the invoking user, and writes the result back as the target user, so the editor never runs with root privileges (unlike sudo vi file, from which the editor can spawn a root shell).
2) Group management commands
groupadd: add a group
Common options:
-g: specify the GID, for example groupadd -g 600 centos (600 being any unused GID)
-r: create a system group, with a GID taken from the system range
groupdel: delete a group (refused while the group is still some user's primary group)
groupmod: modify a group (-n new name, -g new GID)
chgrp: change the group that owns a file (not the group of a user; for that use usermod -g or -G)
groups: display the groups a user belongs to
grpck: verify that /etc/group and /etc/gshadow are well formed and consistent: correct field counts, unique group names, members that exist in /etc/passwd, and matching entries in both files
grpconv: create or synchronise /etc/gshadow from the contents of /etc/group and /etc/gshadow, creating /etc/gshadow if it does not exist
grpunconv: synchronise /etc/group from the contents of /etc/group and /etc/gshadow, then delete /etc/gshadow
VIII. Creating a user manually
1. Add a line to /etc/passwd (the user name and UID must not already exist; use vipw rather than a plain editor so the file is locked while you work):
test1:x:2222:2222::/home/test1:/bin/bash
2. Generate the password hash. The hash in /etc/shadow is produced by crypt(3), not by sha512sum: sha512sum prints a plain, unsalted SHA-512 digest of its input (and echo appends a newline before it is hashed), which crypt will never reproduce, so a shadow line built from it can never be logged into. Generate a real salted SHA-512 crypt hash instead, for example
openssl passwd -6 -salt brfe2dsw redhat
or, where openssl is too old for -6 (it needs OpenSSL 1.1.1 or later),
python -c 'import crypt; print(crypt.crypt("redhat", "$6$brfe2dsw$"))'
and add the printed string, which starts with $6$brfe2dsw$, as the second field of a new line in /etc/shadow (vipw -s edits it with the same locking):
test1:$6$brfe2dsw$<hash printed by the command above>:16255:0:99999:7:::
The line has nine fields and therefore eight colons. The simpler alternative is to put !! in the field, as useradd does, and run passwd test1 afterwards.
3. Add a line to /etc/group (vigr):
test1:x:2222:
4. Copy the skeleton files to the home directory:
cp -r /etc/skel/ /home/test1
5. Fix the ownership and mode of the home directory (useradd would apply the UMASK 077 from /etc/login.defs, i.e. mode 700):
chown -R test1:test1 /home/test1/
chmod 700 /home/test1
This completes the creation of the user, who can now log in.
This article is from the "After Dark" blog; please keep this source: http://guoting.blog.51cto.com/8886857/1434957