Linux Build User Details

Create a new user

Modify the user's personal settings

Permission settings for the file directory

Two important documents:passwd and Group

Create a new user

Setting up a new user consists of two steps, the first step is to use the Useradd command to complete the initialization of a new user, and the second step is to use passwd to set the password for the new user. For example, we want to giveThe system adds a user called floatboat, the password is fan2001z, and that related operation is:

Useradd Floatboat < return >

The system does not have any display at this time. Then:

passwd Floatboat < return >

The system shows:

Changing password for user floatboat

New UNIX Password:

You enter:

fan2001z< return >

Note that because Linux does not use Windows-like password echo (shown as *)--to prevent you from entering a password when you are noticed how many bits--so, the input of these characters you are invisible.

The system shows:

Retype new UNIX Password:

You re-enter the password again, and then enter confirm, then the system will display:

Passwd:all Authentication Tokens updated successfully

Indicates that you have modified the password successfully.

Here, the creation of a new user is completed. Below, let's add some common sense about adding new users:

1, the initialization of Useradd has been included in the/home directory for the Floatboat account to establish a master directory named Floatboat. If you don't want to use this default directory,hoping to put his home directory in the/home/goal.(also put in home/home, just a good habit, no other special requirements), you can useuseradd parameter-D, the command is as follows:

useradd-d/home/goal Floatboat

2. Useradd initialization also includes creating a separate group for the user with the same name as the user name (Floatboat Group). This is called the mechanism of the user private group, which corresponds to the default group mechanism. The user Group One is convenient for management, the second is to be able to clear permissions. Complex we will explore in the future in-depth content.If we want this user to join an existing group, you can use the-g parameter. For example, we want Floatboat to join the WebUsers group ., you can use the following command:

Useradd-g webusers Floatboat

Similarly, we can use the-G parameter to allow him to join multiple groups at the same time, such as WebUsers and ftpusers:

Useradd-g ftpusers,webusers Floatboat

3.
The passwd command sets a password for a user, but it is essentially a program that modifies the password. Only the superuser and the user can change the password, other ordinary users do not give him to change the password
Right. The composition of the user's password should be as complex as possible, preferably including letters, numbers and special symbols, and preferably set to more than 6 digits. Too short passwd programs are not allowed, just simple letters or simple numbers
Words, passwd will also have an opinion. You will see the hint of passwd, don't be afraid, take a closer look at what it says:)

4, when you add a new user,You can also set the shell for user login。 By default, the system provides/bin/bash. You can use the-s parameter if you want to specify it. For example

useradd-d/www-s/usr/bin/passwd Floatboat

Note that these parameters can be used in one piece, as shown in the example above, which indicates that the new user is added and the home directory path is set to/www, and the login shell is/usr/bin/passwd. For a more detailed description of the shell, please refer to the following to modify the user's personal settings related content.

5.Delete a user can use the Userdel command, directly with the user name to do the parameters.

Modify the user's settings

To the existing user's modification, the more commonly used mainly is modifies the password (uses passwd to be good), modifies the user's login shell, modifies the user to belong to the default group, sets the account expiration date, modifies the user's explanation information and so on, occasionally also may use modifies the user home directory.

to modify a user's logon shell

Use the CHSH command to modify your shell, only the superuser can modify the shell settings for other users with CHSH username. Note that the specified shell must be a shell listed in the/etc/shells file, otherwise the user will not be able to log in.

Generally, the more common shells files include the following shells:

/bin/bash2

/bin/bash

/bin/sh

/bin/ash

/bin/bsh

/bin/tcsh

/bin/csh

And the network management also like to add/usr/bin/passwd inside, this is in order to otherwise users through the console or Telnet login system, but can use to modify the account password (such as in FTP). And/bin/false, that is, do not let this user login meaning ^&^, even ftp can not be used.

You can also useusermod command to modify shell information, as shown below:

Usermod-s/bin/bash Floatboat

where/bin/bash and floatboat should take the corresponding shell path file name and user name.

Another situation is that you set up an empty shell (or "") for the user, which means that the user does not have a shell. Oh, absolutely not in I have not seen, because this user login, the system will still give it a shell. Don't believe you try:

Usermod-s "" Floatboat

Depending on the system, this user will have an SH or bash operation, and I don't see any difference between the functionality and other normal user logins.

to modify the default group to which a user belongs

This function can also be implemented through the USERMOD command, using the-g parameter, such as changing the default group of Floatboat to nobody, you can use the following command:

Usermod-g Nobody Floatboat

Nobody in Unix-like systems generally means that they do not have any permissions.

Set your account expiration date

If you use a shadow password, you can use the following command to modify the validity period of an account:

USERMOD-E mm/dd/yy username

For example, the validity period of the user floatboat is December 31, 2001:

USERMOD-E 12/31/01 Floatboat

If you set the user's validity period to a time that has elapsed, you can temporarily disable the user from logging on to the system.

Modify User's description information

To modify the user's description information, the simplest way is to directly modify the/etc/passwd file to find the corresponding user record line, such as the following line:

Floatboat:x:503:503::/home/floatboat:/bin/bash

You can insert a user's description directly between the fourth colon and the fifth colon. In fact, many user settings can be changed here, such as the last part of the line/bin/bash is the user login shell settings. For this/etc/passwd file, we'll go into further detail later.

Modify the user home directory

Modify the user's home directory primarily using the USERMOD command- D parameterFor example:

usermod-d/www Floatboat

This will change the Floatboat home directory to/www. If you want to transfer the main contents of an existing home directory to a new directory, you should use the-m switch as follows:

usermod-d-m/www Floatboat

Permissions for the file directory

Linux, each file, each directory has a master, and for the user himself, the user group, all other accounts (groups) respectively set read, write, execute three kinds of permissions. For example, I (assume that the owner of the Floatboat account for the WebUsers group) uses the following command to create a new file

TouchMytestfile

Then we use ls-l mytestfile This command to see the permission status of this file (about the LS command, you can check the command query on this site), you can get the following screen output display:

-rw-rw-r--1 floatboat webusers 0 Feb 6 21:37 mytestfile

The output is divided into 9 parts, we are concerned about the 第一、三、四个 field, respectively, the file permission attributes, the file owner account, the file belongs to a group.

Modify the owner of the file using the Chown command

When
When you create a new file, the owner of the file is, of course, you. The fact that only superuser (for example, root) can be changed by the chown command (e.g. Chown
OtherUser
Mytestfile, change the owner of the Mytestfile file to OtherUser). Ordinary users can not "send" their own files to others, or you have a special purpose of the program to
What about root? ：)

The use of the Chown command is relatively straightforward. Here I assume that you now have superuser privileges, so you can use the following command to "send" a file to the Floatboat:

Chown Floatboat/home/floatboat/thefileisrootcreate.txt (assuming that the file was created by root)

Modifying the owner of a directory is similar:

Chown Floatboat/home/newboat

Of course, such asThis directory also has subdirectories and files that need to be sent to Floatboat,chown also supports the-R parameter：

Chown-r floatboat/home/newboat

If you want to change the group that the file/directory belongs to at the same time, you can use the following command to achieve the purpose conveniently:

Chown-rfloatboat.ftpusers/home/newboat

In this way, not only the file owner has been modified, the file belongs to the group has become ftpusers

Modify the group properties of a file

The file belongs to the group you can change, if:

1.Your super user.

2, you belong to two or more than two groups at one time.

Two conditions if you have at least one, you can change the old group of files to a new group. Use the following command to change the group that all HTML files in the current directory belong to HTTPD:

CHGRP httpd *.html

Andchown command, CHGRP can also use the-R parameter to recursively modify group properties for all files and subdirectories within a directory。

< note: You can use a non-parametric Groups command to see which group you belong to。

The setting of file permissions is at the core of our discussion in this section, and we mainly introduce two uses of the chmod command.

To set file directory permissions by using an access string

Is
As mentioned above, each file, directory for the user, the user group, all other accounts (groups) have read, write, execute three kinds of permissions and their combinations. When a normal user creates a new file
, its default access is displayed as shown in the first field of the example we just gave. A total of 10 characters "-rw-rw-r--", the first is a directory-differentiated flag, if it is D, indicates
This is a directory. The second to fourth bits represent the read (R:read), write (W:write), execute (X:execute) properties of the file owner, and the fifth to seventh bit is the group that the file belongs to.

Read, write, execute permission, eighth to tenth bit is other user's read, write, execute permission. If the corresponding bit is the corresponding letter, that is the corresponding permission, otherwise "-", indicating that this license is not obtained. Like
The file in the example just now reads and writes, this group can read and write, the other user is readable, all the users (including themselves) can not execute it.

Our use ofu,G,oTo refer to the user separately(user),groups (group),other accounts (other),You can easily set permissions for files and directories. Of course, we can also use a to show that all of these three items。

For example, to set permissions on all Perl script files, read and execute for all users, and allow the file owner to write a license, we can use the following command:

chmod a+rx,u+w *.pl

Attention:If you want to use multiple access strings, they are separated by commas , between each license stringspaces are not allowed。 As shown in the example above.

If you want to modify permission properties for all files and subdirectories in the directory, you can use the-R parameter provided by chmod to recursively modify it. For example, the following command sets the permissions property of the/www/site1 directory and its subdirectories below to be readable, writable, and executed by the owner and group, which other users cannot access:

Chmod-r a+rwx,o-rwd/www/site1

Note that it is not easy to use the-r option, which may pose a security risk.

The use of strings to facilitate understanding, a single input so many letters or a little tired, if you have some concepts on the 8 binary, you can use the method described below to do permission settings.

Set file directory permissions using octal numbers

I
They know that in LS
The output of-l, the file permission is expressed as "-rw-rw-r--", the previous one only and whether it is a directory, the other nine bits can be divided into three paragraphs, three bits per paragraph, "rw-", "rw-" and
"r--", "-" on behalf of invalid "0", the other characters represent a valid "1", then the permissions of this file is "110", "110", "100", the 2 binary string converted to the corresponding 8

The binary number is 6, 6, 4, which means that the file has a permission of 664 (three-bit octal number). We can also use a similar three-bit octal number to set the file authorization, such as the top two examples, you can also write
For:

chmod 755 *.pl

Chmod-r 770/www/site1

Isn't it simple? The key is that you can choose the octal number correctly based on the permissions you need to set (it can be done very easily with the binary representation of octal numbers).

permission descriptions for read, write, and execute

1, the so-called write permissions, that is, the file modification and deletion of permissions. If the write permission for the directory is also open to you, you can create, delete, or modify any file or self-directory in that directory-even if the file and subdirectory do not belong to you.

2. A user with read-only permission to the directory cannot enter the directory with a CD command, and must also have a license to enter the directory.

3. You must have both read and Execute permissions to list directory contents with programs such as LS.

4, only the user who has execute permission to the directory, want to access files with Read permission in the directory, must know the file name to be accessible.

Two important documents: passwd and Group

In the Linux security mechanism,/etc/passwd and/etc/group these two files occupy the very important position. They control some important settings for Linux users and groups.

/etc/passwd File Description

Here is an example of a common passwd file in Rhlinux:

Root:x:0:0:root:/root:/bin/bash

Bin:x:1:1:bin:/bin:

Daemon:x:2:2:daemon:/sbin:

......

Operator:x:11:0perator:/root:

Games:x:12:100:games:/usr/games:

Gopher:x:13:30:gopher:/usr/lib/gopher-data:

Ftp:x:14:50:ftp user:/home/ftp:

nobody:x:99:99:nobody:/:

Xfs:x:43:43:x Font Server:/etc/x11/fs:/bin/false

Named:x:25:25:named:/var/named:/bin/false

Postgres:x:26:26ostgresql Server:/var/lib/pgsql:/bin/bash

Lanf:x:500:500::/home/hujm:/bin/bash

Mysql:x:101:101:mysql Server:/var/lib/mysql:/bin/bash

Imnotroot:x:0:0::/home/imnotroot:/bin/bash

In this file there is only one regular account lanf. Others are the accounts required for the process of the system or system services, including the superuser who is very familiar with root. In the passwd file, each line is divided into 7 parts by a colon (":"), namely:

[user name]:[password]:[uid]:[gid]:[identity description]:[home directory]:[login Shell]

which

⒈[User Name] is the only field in the passwd file that has a "uniqueness" requirement for each record line. This means that the contents of the first area of each row cannot be the same, and other areas do not matter.

⒉[Secret
Code] area, a 13-bit character with an irreversible hash algorithm for DES encryption, but not single quotes and colons, is preserved. Of these 13-bit characters, the first two bits are the key, in the encrypted
Randomly generated. Since this string does not include single quotes, there was a previous way of not changing the password and preventing the user from logging in by adding a single quotation mark in front of the password. It is worth noting that now because of the use of
Shadow password, there is only one X character in the password area.

⒊[UID] Although the system is used to flag file attribution, to determine the various permissions of the flag, but the content of this area is not
Requirements are unique. One example that is more common and relevant to security concerns is that there are multiple
UID and GID are 0 user accounts. Notice that in the last line of the file there is also a UID and GID 0 user imnotroot, although it claims that it is not root, but it has

The same permissions as root because the system is not based on [user name], but on the UID and GID to divide the user's power. So, this situation undoubtedly buried a safe bomb for the system. However, when

Imnorroot do the lock screen and so on, if its password and root is not the same, it will not be unlocked, because the system only found the first user uid 0 (naturally root)
, it's not looking down-it's the only UID.

⒋[gid] User default group ID, this ID can be found in the file/etc/group the corresponding group name.

⒌[Identity Description]: is the user's identity description, the default is no description, can be manually added.

⒍[Home Directory]: The user's home directory can be modified using the commands described earlier.

⒎[Login Shell]: The system-provided shell when the user logs in, please refer to the previous content.

< note>:[uid] and [GID] less than 500 are generally reserved by the system itself,Do not do the identity of ordinary users and groups, so the newly added users and groups are generally UID and GID greater than 500.

/etc/group File Description

The following is an example of a group file for RH:

Root:x:0:root,hujm,hjm

Bin:x:1:root,bin,daemon

Daemon:x:2:root,bin,daemon

Sys:x:3:root,bin,adm

Adm:x:4:root,adm,daemon

Tty:x:5:

Disk:x:6:root

Lp:x:7:daemon,lp

Mem:x:8:

Kmem:x:9:

Wheel:x:10:root

Mail:x:12:mail

News:x:13:news

Uucp:x:14:uucp

......

Hujm:x:503:root,mynoshell,hjm

MYSQL:X:101:

mynoshell:x:505:

ftpusers:x:506:

It has a total of four parts:

[Group name]:[password field]:[gid]:[member list]

Meaning
Think very clearly, need to explain that, because the group is generally not password-protected, so although it seems that the password field has an X character, in fact, it only means that the use of shadow (the corresponding file is
Gshadow). The members list separates each account with a comma. In addition, a group of members if the default login group is it, then in the team member list will not show the member's account, for example, with the following command
Added users:

Useradd-g ftpusers Floatboat

In the/etc/group file, the Ftpusers team list will not show this member (really failed), but only the GID in the passwd file is set to 506. Instead, use the following command:

Usermod-g ftpusers,mysql,webusers Floatboat

You can see the associated group followed by the Floatboat account. Of course, you can directly edit this file directly with VI.

Group
Files and passwd files are linked by GID, which is a bit like a relational database. Depending on the GID of an account in the passwd file, the group file can be
Locate the corresponding group name. If the user private group mechanism is used, then a general new account, there will be a corresponding with the account name of the group added to the group file. Although at this time passwd text

The unique [username] field in the piece is the same as the unique [group name] field in the group file, and does not mean that they form a one by one correspondence between the two fields. Don't forget, the department
More sensitive to numbers (Uid,gid) ^_^.

Linux Build User Details