Linux Learning Note 10: Linux User Management

Source: Internet
Author: User

This note covers the following topics of Linux user management:

1. User configuration files (/etc/passwd, /etc/shadow)

2. Group configuration files (/etc/group, /etc/gshadow)

3. User default configuration files (/etc/login.defs, /etc/default/useradd)

4. The /etc/motd and /etc/issue files

5. setuid permission, setgid permission, sticky bit

6. Typical case one: manually create a user

7. Typical case two: add users in batch

8. Typical case three: restricting the use of su

9. Typical case four: granting root authority with sudo

10. John the Ripper password strength testing software

1. User configuration files

The user configuration consists of two files: /etc/passwd and /etc/shadow. /etc/passwd stores the user's account information and /etc/shadow stores the user's password information. Both files are written in a fixed format.

The format of /etc/passwd is as follows:

user name : password placeholder : UID : GID : description : home directory : login shell

For example: zhangsan:x:0:0:marketing dept:/home/zhangsan:shell

The format of /etc/shadow is as follows:

user name : encrypted password : last change : minimum interval : maximum interval : warning time : inactivity time : expiry time : flag

Last change: the number of days between 1 January 1970 and the day the password was last changed.

Minimum interval: the minimum number of days that must pass between two password changes (0 means no limit).

Maximum interval: the number of days after which the password expires; the user can still set a new password to re-enable the account. The expiry time, by contrast, is the point after which the account itself becomes invalid (when no limit is wanted, simply set a large value).

Warning time: warn the user n days before the password expires (0 means no warning).

Inactivity time: the maximum number of days the user may go without logging in while the account remains active (left blank if not set; MARK).

Expiry time: the point after which the account becomes invalid. Generally used for the short-term accounts of external personnel.

Flag: generally not used.

For example: (to be added, MARK)
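As an added example (not part of the original note), the following Python parses /etc/shadow records in the field order described above and classifies each account on a given day from its ageing fields; the sample records and hash strings are constructed, and the day numbers are days since 1 January 1970 as in the file itself.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ShadowEntry:                  # one /etc/shadow record, fields in file order
    name: str
    password: str
    last_change: Optional[int]      # days since 1970-01-01 of the last password change
    min_days: int
    max_days: Optional[int]
    warn_days: int
    inactive_days: Optional[int]
    expire_day: Optional[int]       # absolute day (since 1970-01-01) the account is disabled

_opt = lambda field: int(field) if field else None   # empty field means "not set"

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _opt(f[2]), int(f[3] or 0), _opt(f[4]),
                       int(f[5] or 0), _opt(f[6]), _opt(f[7]))  # f[8]: unused flag

def password_status(e: ShadowEntry, today: int) -> str:
    """Classify the account on day `today` (days since 1970-01-01)."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"    # the absolute expiry date has passed
    if e.password == "":
        return "no-password"        # empty field: login needs no password, flag it
    if e.password.startswith(("!", "*")):
        return "locked"             # no usable hash, e.g. after passwd -l
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "ok"                 # no password ageing configured
    expires_on = e.last_change + e.max_days
    if e.inactive_days is not None and today > expires_on + e.inactive_days:
        return "inactive"           # grace period after password expiry used up
    if today > expires_on:
        return "password-expired"   # must change the password at next login
    if today >= expires_on - e.warn_days:
        return "warning"            # inside the warning window before expiry
    return "ok"

# Constructed sample records; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
hellen:$6$placeholder:19000:0:90:7:14::
zhangsan:$6$placeholder:19000:0:90:7::19500:
guest:!:19000:0:99999:7:::
"""

def report(shadow_text: str, today: int) -> Dict[str, str]:
    return {e.name: password_status(e, today)
            for e in map(parse_shadow_line, shadow_text.splitlines())}
```

Running `report(SAMPLE_SHADOW, day)` for days around 19090 shows hellen moving from ok to warning, password-expired and finally inactive, while guest stays locked.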

To add a user, use useradd [user name] and then passwd [user name] to set the user's password.

For example:

useradd hellen    # add the user hellen

passwd hellen     # set the password for hellen (then enter the password)

2. Group configuration files

The group configuration also consists of a group information file and a group password file: /etc/group and /etc/gshadow. They too are written in a fixed format.

The format of /etc/group is as follows:

group name : group password placeholder : GID : group member list

If the group has multiple members, separate them with commas.

For example: sys::3:root,bin,adm

This indicates a group named sys with GID 3, whose members are the three users root, bin and adm.

The format of /etc/gshadow is as follows:

group name : group password : group administrator accounts : group member list

For example: (to be added, MARK)

3. User default configuration files

The user default configuration refers to the files /etc/login.defs and /etc/default/useradd.

They hold the defaults (password ageing, warning time, maximum validity period, and so on) that apply when we add a user with the useradd command.

/etc/login.defs defines values such as the warning time and the maximum validity period.

/etc/default/useradd sets the default home directory, login shell, and so on.

4. The /etc/motd and /etc/issue files

/etc/motd: holds the message shown after a successful login (message of the day).

/etc/issue: holds the message shown at the login prompt. As soon as someone tries to log in, the content of this file is displayed. Generally this file only holds some form of welcome message and should not reveal any information about the server.

5. setuid permission, setgid permission, sticky bit

The setuid permission corresponds to the s bit in the owner's execute position of a binary file. It means that other users who have execute permission on the file are automatically promoted to the owner's privileges while executing it. For example:

-rwsr-xr-x    a lowercase s means setuid with execute permission; an uppercase S means the setuid bit is set but the owner's execute bit is missing, which is an error.

setuid permission: permission value = 4, symbol s

There are two ways to grant/revoke the setuid permission (shown as s):

chmod u+s or chmod 4755

chmod u-s or chmod 755

Note: the fourth (leading) octal digit represents the special bits, and 4 is the value of the setuid permission.

setgid permission: permission value = 2, symbol s (in the group's execute position)

There are two ways to grant/revoke the setgid permission (shown as s):

chmod g+s or chmod 2755

chmod g-s or chmod 755

To grant both setgid and setuid: chmod 6755

Sticky bit: permission value = 1, symbol t

The sticky bit (shown as t) can only be set on directories with permission 777 (the permission is 777, and it must be a directory!). If a directory has the sticky bit, every user can create files in it, but each user can delete only the files they created themselves.

There are two ways to grant/revoke the sticky bit:

chmod o+t or chmod 1777

chmod o-t or chmod 777
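Added example, not from the original note: a small Python model of the special bits, showing how the leading octal digit (4, 2, 1) and the u+s / g+s / o+t forms map to the same bits, and how ls renders a special bit whose execute bit is missing as a capital S or T. The chmod helper only understands the specs used in this section and is a model of the command, not a replacement for it.

```python
import stat
from typing import List

# Leading octal digit: setuid = 4, setgid = 2, sticky bit = 1 (as in chmod 4755 / 2755 / 1777).
# Each tuple: symbolic "who", the letter ls shows, the mode bit, and the shift of its rwx triple.
SPECIAL = (("u", "s", stat.S_ISUID, 6), ("g", "s", stat.S_ISGID, 3), ("o", "t", stat.S_ISVTX, 0))

def mode_to_string(mode: int) -> str:
    """Render the nine permission characters the way ls -l does, with s/S and t/T."""
    out = []
    for _, letter, special, shift in SPECIAL:
        triple = (mode >> shift) & 0o7
        out.append("r" if triple & 4 else "-")
        out.append("w" if triple & 2 else "-")
        if mode & special:        # uppercase = special bit set without the execute bit
            out.append(letter if triple & 1 else letter.upper())
        else:
            out.append("x" if triple & 1 else "-")
    return "".join(out)

def chmod(mode: int, spec: str) -> int:
    """Apply a numeric spec ('4755') or a symbolic special-bit spec ('u+s', 'g-s', 'o+t')."""
    if spec.isdigit():
        return int(spec, 8)       # numeric form replaces all bits, so 'chmod 755' also clears s/t
    who, op, perm = spec
    bit = {(w, p): b for w, p, b, _ in SPECIAL}[(who, perm)]
    return mode | bit if op == "+" else mode & ~bit

def special_bit_problems(mode: int, is_dir: bool) -> List[str]:
    """Flag the error cases the note describes plus one classic hardening check."""
    problems = []
    rendered = mode_to_string(mode)
    if "S" in rendered or "T" in rendered:
        problems.append("special bit set without the matching execute bit (capital S/T)")
    if mode & stat.S_ISVTX and not is_dir:
        problems.append("sticky bit on a regular file")
    if mode & stat.S_ISUID and mode & 0o002:
        problems.append("setuid file is world-writable")
    return problems
```

`mode_to_string(0o4550)` gives `r-sr-x---`, the mode used for /bin/su in typical case three below.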

6. Typical case one: manually create a user

Besides adding a user with useradd, we can also add a user manually by editing the configuration files. A user can be created manually as long as the following steps are done in order:

① Edit the /etc/passwd and /etc/shadow files (MARK: a complete example to be added)

② Create the home directory

③ Copy the configuration files under /etc/skel to the home directory /home/samlee (the user name)

7. Typical case two: add users in batch

The following is an example of adding 10 users in batch. (MARK: a complete example to be added)

① newusers command: import the user information file

② pwunconv command: disable the shadow password function

③ chpasswd command: import the password file (format: user name:password)

④ pwconv command: write the passwords back to the shadow file

8. Typical case three: restricting the use of su

The essence of restricting users' use of su is to change the permission bits of the su command so that only the users allowed to use su have execute (x) permission on it.

① Create a group sugroup and change the permissions of the su command

# groupadd sugroup

# chmod 4550 /bin/su    # only the owner and the owning group keep execute permission

② Change the owning group of /bin/su to sugroup

# chgrp sugroup /bin/su

Once this is set, only users in sugroup can switch to root with su.

9. Typical case four: granting root authority with sudo

sudo is a program that allows a normal user to execute commands as root, with authorization fine-tuned down to the parameters of a command.

The sudo configuration file is /etc/sudoers. Edit it with the visudo command; it should not be edited with the ordinary vi command.

The sudoers file also follows a fixed format. The format of /etc/sudoers is: user name (or group name) host address = command (absolute path)

For example, if I want hellen to have permission to add users, I edit the configuration file with visudo and add the following line:

hellen localhost=/usr/sbin/useradd    // when several commands are granted, separate them with commas

Then, logged in as hellen, I can add users in the form "sudo [command]", for example:

sudo useradd testuser

sudo passwd testuser

This adds the user testuser successfully.

In addition, the "sudo -l" command shows which commands the current user has been granted to run as root. For example:

Supplementary example MARK

sudo can also authorize commands at a fine-grained level, for example:

hellen localhost=/sbin/shutdown -h now    // only allows the user to run exactly sudo shutdown -h now; with one parameter less it is not permitted.
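Added example, not from the original note: a simplified Python model of how sudo matches a requested command and its arguments against rules in the "user host=command [args]" form shown in this section, including a "sudo -l" style listing. The real sudoers grammar is much richer; this model keeps only the rule that a command listed with arguments must be invoked with exactly those arguments, and the sample rules are constructed (passwd is included so both commands of the example are covered).

```python
import shlex
from typing import List, Tuple

Rule = Tuple[str, str, List[Tuple[str, List[str]]]]   # (user, host, [(command, args), ...])

def parse_sudoers_rule(line: str) -> Rule:
    """Parse the 'user host=command [args], command [args]' form used in the note."""
    user, rest = line.split(None, 1)
    host, commands = rest.split("=", 1)
    entries = []
    for spec in commands.split(","):
        words = shlex.split(spec)
        if not words[0].startswith("/"):
            raise ValueError(f"command must be an absolute path: {spec.strip()!r}")
        entries.append((words[0], words[1:]))   # args recorded exactly as written
    return user, host.strip(), entries

def is_permitted(rules: List[Rule], user: str, host: str, argv: List[str]) -> bool:
    """argv[0] is the absolute path of the command the user asked sudo to run."""
    for rule_user, rule_host, entries in rules:
        if rule_user != user or rule_host not in (host, "ALL"):
            continue
        for command, args in entries:
            # No args in the rule: any args are allowed. Args in the rule: exact match only,
            # so '/sbin/shutdown -h now' does not cover '/sbin/shutdown -h'.
            if argv[0] == command and (not args or args == argv[1:]):
                return True
    return False

def sudo_l(rules: List[Rule], user: str, host: str) -> List[str]:
    """What the user may run as root on this host, like the output of 'sudo -l'."""
    return [" ".join([command] + args)
            for rule_user, rule_host, entries in rules
            if rule_user == user and rule_host in (host, "ALL")
            for command, args in entries]

# Constructed rules modelled on the two examples in this section.
SAMPLE_RULES = [
    parse_sudoers_rule("hellen localhost=/usr/sbin/useradd, /usr/bin/passwd"),
    parse_sudoers_rule("hellen localhost=/sbin/shutdown -h now"),
]
```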

10. John the Ripper password strength testing software
