Linux Study Notes (12): User and User Group Management
The higher a server's security requirements, the more important it is to set up a sensible hierarchy of user privileges and a set of server operating rules. In Linux, user information is viewed and modified through the user configuration files.
1. User information files
(1) User information file /etc/passwd
Viewing the file with vim shows content like the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
Each line of the file has seven colon-separated fields:
The 1st field is the user name.
The 2nd field is the password flag.
The 3rd field is the UID (user ID). 0 is the superuser (if an ordinary user's UID is changed to 0, the system treats that user as the superuser). 1 to 499 are system users (pseudo users), which cannot log in and should not be deleted. 500 to 65535 are ordinary users, so the first ordinary user created gets UID 500.
The 4th field is the GID (the user's initial group ID).
The initial group is the group whose permissions the user holds as soon as they log in. Each user has exactly one initial group; by default it is the group with the same name as the user.
Additional groups are other groups the user has been added to; the user also holds the permissions of those groups, and a user can have many additional groups.
The 5th field is the user description (comment); it is optional.
The 6th field is the home directory: /home/username/ for an ordinary user and /root/ for the superuser.
The 7th field is the shell started after login. The shell is the Linux command interpreter; besides a normal shell, /sbin/nologin can be set here to stop the user from logging in (for example to disable the account temporarily).
(2) Shadow file /etc/shadow
1) /etc/shadow content:
root:$6$NvfaINezKBg3Cqn7$bB5im5NRggTOa45clyXAXjud4YDhyDlTUgBfqy51UieAx1aUOreJCyPkoaG4MRUkSJGp2Xd9lnqXPIHEfM.4A0:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
The shadow file has nine colon-separated fields:
The 1st field is the user name.
The 2nd field is the encrypted password. CentOS 6.5 upgraded the password hashing algorithm from MD5 to SHA512. If this field is "!!" or "*", the user has no usable password and cannot log in; such entries are pseudo users.
The 3rd field is the date of the last password change, expressed as a day count with 1970-01-01 as day 0; the count grows by 1 every day.
The 4th field is the minimum number of days between two password changes (counted from the 3rd field).
The 5th field is the password validity period in days (counted from the 3rd field).
The 6th field is the number of days before the password expires on which the user starts to be warned (relative to the period in the 5th field).
The 7th field is the grace period in days after the password has expired during which the user can still log in (relative to the 5th field).
The 8th field is the account expiration date (as a day count). 0 means the account expires immediately and -1 means it never expires.
The 9th field is reserved.
2) Timestamp (day count) conversion
To convert a day count to a date:
[root@localhost ~]# date -d "1970-01-01 16461 days"
Mon Jan 26 00:00:00 CST 2015
To convert a date to a day count:
[root@localhost ~]# echo $(($(date --date="2015/01/26" +%s)/86400+1))
16461
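To make the shadow fields and the day-count conversion above concrete, here is an added example; it is not part of the original notes and not a tool the notes describe. It parses /etc/shadow lines, converts fields 3 and 8 with the same 1970-01-01 day-0 convention the date commands use, and classifies each account's password state from the aging fields. The sample shadow text is constructed (hashes shortened), and the state names and function names are this example's own; the "must-change" state is what the chage -d 0 command in section 3 produces.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # day 0 of the shadow day count


def days_to_date(days):
    """Equivalent of: date -d "1970-01-01 <days> days"."""
    return EPOCH + timedelta(days=days)


def date_to_days(d):
    """Equivalent of the date --date=... +%s / 86400 conversion, without timezone effects."""
    return (d - EPOCH).days


# Constructed sample /etc/shadow content (hashes shortened). The aging values are
# chosen so that every state below is exercised when "today" is 2015-01-26 (day 16461).
SHADOW_TEXT = """\
root:$6$saltsalt$examplehash:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
ws:!!:16436:0:99999:7:::
alice:$6$saltsalt$examplehash:16375:0:90:7:::
bob:$6$saltsalt$examplehash:0:0:99999:7:::
carol:$6$saltsalt$examplehash:16400:0:99999:7::16450:
dave:$6$saltsalt$examplehash:16350:0:90:7:3::
eve:$6$saltsalt$examplehash:16370:0:90:7:5::
"""


def parse_shadow(text):
    """Split each line into the nine fields; empty numeric fields become None."""
    def num(s):
        return int(s) if s != "" else None

    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
        entries[fields[0]] = {
            "hash": fields[1],
            "last_change": num(fields[2]),    # field 3: days since 1970-01-01
            "min_days": num(fields[3]),       # field 4
            "max_days": num(fields[4]),       # field 5
            "warn_days": num(fields[5]),      # field 6
            "inactive_days": num(fields[6]),  # field 7: grace period
            "expire": num(fields[7]),         # field 8: account expiration day
        }
    return entries


def password_state(entry, now):
    """Classify one shadow entry as of day count `now`."""
    if entry["hash"] == "*" or entry["hash"].startswith("!"):
        return "locked"           # "*" or "!!": no usable password, cannot log in
    if entry["last_change"] == 0:
        return "must-change"      # what chage -d 0 produces: change at next login
    if entry["expire"] not in (None, -1) and now >= entry["expire"]:
        return "account-expired"  # field 8 reached (0 = immediately, -1 = never)
    if entry["last_change"] is not None and entry["max_days"] is not None:
        expiry = entry["last_change"] + entry["max_days"]
        if now >= expiry:
            grace = entry["inactive_days"]
            # inside the grace period the user is forced to change the password;
            # beyond it the account is inactive and login is refused
            if grace is None or grace < 0 or now < expiry + grace:
                return "expired"
            return "inactive"
        if now >= expiry - (entry["warn_days"] or 0):
            return "warning"
    return "ok"


def report(text, today_iso):
    """Map every user in the shadow text to its password state on the given ISO date."""
    now = date_to_days(date.fromisoformat(today_iso))
    return {name: password_state(e, now) for name, e in parse_shadow(text).items()}


if __name__ == "__main__":
    for name, state in report(SHADOW_TEXT, "2015-01-26").items():
        print(f"{name:6} {state}")
```

The conversion ignores time zones on purpose: the shell one-liner in the notes adds 1 to compensate for the CST offset, whereas arithmetic on dates gives the day count directly.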
(3) Group information file and group password file
1) Group information file /etc/group
[root@localhost ~]# vim /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
Each line of the group file has four fields:
The 1st field is the group name;
The 2nd field is the group password flag (group passwords are rarely used);
The 3rd field is the GID (group ID);
The 4th field lists the additional users that have been added to the group.
2) Group password file /etc/gshadow
[root@localhost ~]# vim /etc/gshadow
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon
The group password file also has four fields:
The 1st field is the group name;
The 2nd field is the group password;
The 3rd field is the user name of the group administrator;
The 4th field lists the additional users that have been added to the group.
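Added example tying the passwd, group and gshadow layouts together; it is not from the original notes. It resolves each user's initial and additional groups, lists everyone holding a group's permissions, checks /etc/group against /etc/gshadow, and flags the two risks the notes attach to the UID field (a non-root account with UID 0, and a system UID with a login shell). The file contents are constructed samples modelled on the lines shown above, and the 499/500 boundary is the CentOS 6 convention the notes use.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid comment home shell")
GroupEntry = namedtuple("GroupEntry", "name gid members")

SYSTEM_UID_MAX = 499  # CentOS 6 convention from the notes: 1-499 are system (pseudo) users

# Constructed sample files. "backup" (a second UID-0 account) and "svc" (a system
# UID with a login shell) are deliberate findings for the audit below.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc:x:300:300:service account:/var/svc:/bin/bash
ws:x:500:500::/home/ws:/bin/bash
ws1:x:550:550:test user:/home/ws1:/bin/bash
backup:x:0:0:nightly backup:/var/backup:/bin/bash
"""

GROUP_TEXT = """\
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
svc:x:300:
ws:x:500:
ws1:x:550:
wstest:x:551:ws1
"""

# gshadow: name:password:administrators:members. wstest is deliberately out of
# sync with /etc/group (ws1 is missing here) to show the consistency check.
GSHADOW_TEXT = """\
root:::
bin:::bin,daemon
daemon:::bin,daemon
svc:!::
ws:!::
ws1:!::
wstest:!::
"""


def _split(text):
    return [line.split(":") for line in text.splitlines() if line.strip()]


def parse_passwd(text):
    """Seven fields: name, password flag, UID, GID, comment, home, shell."""
    return {f[0]: PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _split(text)}


def parse_group(text):
    """Four fields: name, password flag, GID, comma-separated additional members."""
    return {f[0]: GroupEntry(f[0], int(f[2]), [m for m in f[3].split(",") if m]) for f in _split(text)}


def parse_gshadow(text):
    """Four fields: name, password, administrators, members -> {name: (admins, members)}."""
    return {f[0]: ([a for a in f[2].split(",") if a], [m for m in f[3].split(",") if m])
            for f in _split(text)}


def effective_groups(user, users, groups):
    """Initial group (resolved from the passwd GID) plus every group listing the user in field 4."""
    gid = users[user].gid
    initial = next((g.name for g in groups.values() if g.gid == gid), None)
    additional = sorted(g.name for g in groups.values() if user in g.members and g.name != initial)
    return initial, additional


def members_of(group, users, groups):
    """Everyone who holds the group's permissions: initial members plus additional members."""
    gid = groups[group].gid
    initial = {u.name for u in users.values() if u.gid == gid}
    return sorted(initial | set(groups[group].members))


def audit(users):
    """Flag the conditions the notes warn about in the UID and shell fields."""
    findings = []
    for u in users.values():
        if u.uid == 0 and u.name != "root":
            findings.append(f"{u.name}: UID 0 but not root, treated as superuser")
        elif 0 < u.uid <= SYSTEM_UID_MAX and u.shell != "/sbin/nologin":
            findings.append(f"{u.name}: system account with login shell {u.shell}")
    return findings


def gshadow_mismatch(groups, gshadow):
    """Groups whose member list differs between /etc/group and /etc/gshadow."""
    return sorted(name for name, g in groups.items()
                  if set(g.members) != set(gshadow.get(name, ([], []))[1]))


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)
    for name in users:
        print(name, effective_groups(name, users, groups))
    print("findings:", audit(users))
    print("group/gshadow mismatch:", gshadow_mismatch(groups, parse_gshadow(GSHADOW_TEXT)))
```

Note that a group's real membership is the union of the passwd GID column and the group file's field 4, which is why members_of consults both files; looking only at /etc/group misses every user whose initial group it is.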
2. Other files related to user management
1) The user's home directory
An ordinary user's home directory is /home/username/; its owner and group are that user and its permissions are 700.
The superuser's home directory is /root/, owned by user root and group root. If an ordinary user is turned into a superuser, that user's home directory does not change.
2) The user's mailbox
A new user's mailbox is normally /var/spool/mail/username.
3) The user template directory
The template directory is /etc/skel. Whenever a user is created, the contents of this directory are copied into the new user's home directory.
3. User management commands
(1) useradd
1) Format: useradd [options] username
Options:
-u UID: specify the user's UID manually
-d directory: specify the user's home directory manually
-c "description": specify the user description manually
-g group: specify the user's initial group manually
-G group[,group...]: specify the user's additional groups
-s shell: specify the user's login shell (default /bin/bash)
2) Add a user with the defaults
For example, add the user ws with all defaults:
[root@localhost ~]# useradd ws
This writes entries to the user and group files and creates the home directory and mail spool, which can be checked as follows:
[root@localhost ~]# grep ws /etc/passwd
ws:x:500:500::/home/ws:/bin/bash
[root@localhost ~]# grep ws /etc/shadow
ws:!!:16436:0:99999:7:::
[root@localhost ~]# grep ws /etc/group
ws:x:500:
[root@localhost ~]# grep ws /etc/gshadow
ws:!::
[root@localhost ~]# ll -d /home/ws/
drwx------. 2 ws ws 4096 Jan 1 20:26 /home/ws/
[root@localhost ~]# ll /var/spool/mail/ws
-rw-rw----. 1 ws mail 0 Jan 1 20:26 /var/spool/mail/ws
For example, add a user with explicit settings:
[root@localhost ~]# useradd -u 550 -G root,bin -d /home/ws1 -c "test user" -s \
> /bin/bash ws1
The trailing "\" continues the command on the next line.
3) User default files
① /etc/default/useradd
[root@localhost ~]# vim /etc/default/useradd
# useradd defaults file
GROUP=100              # default group
HOME=/home             # base directory for user home directories
INACTIVE=-1            # grace days after password expiry (shadow field 7)
EXPIRE=                # account expiration date
SHELL=/bin/bash        # default shell
SKEL=/etc/skel         # template directory
CREATE_MAIL_SPOOL=yes  # whether to create a mail spool
② /etc/login.defs
PASS_MAX_DAYS   99999  # password validity period
PASS_MIN_DAYS   0      # minimum interval between password changes
PASS_MIN_LEN    5      # minimum password length
PASS_WARN_AGE   7      # days of warning before password expiry
UID_MIN         500    # lower and upper bounds of the ordinary-user UID range
UID_MAX         60000
ENCRYPT_METHOD  SHA512 # password hashing method
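As an added example (not from the notes), the following reads the two default files above and computes what useradd will write for a new account, reproducing the ws lines from 3(1): the passwd line, the shadow aging fields that come from PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE, INACTIVE and EXPIRE, and the next free UID in the UID_MIN..UID_MAX range. It assumes the private-group behaviour the ws example shows (initial GID equal to the UID); the file contents are constructed copies of the values above, and the policy thresholds in weak_settings are this example's own, not from the notes.

```python
# Constructed copies of the two files as the notes show them (annotations dropped).
USERADD_DEFAULTS = """\
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
"""

LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
ENCRYPT_METHOD  SHA512
"""


def parse_settings(text):
    """Read KEY=value (useradd defaults) or KEY value (login.defs) lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()
    return settings


def next_free_uid(used_uids, defs):
    """Lowest unused UID inside [UID_MIN, UID_MAX]; on a fresh system that is 500."""
    lo, hi = int(defs["UID_MIN"]), int(defs["UID_MAX"])
    for uid in range(lo, hi + 1):
        if uid not in used_uids:
            return uid
    raise RuntimeError("no free UID in the ordinary-user range")


def predict_passwd_line(name, uid, ud):
    """passwd line useradd writes. Assumes a same-named private group with GID == UID,
    as the ws example in the notes shows; GROUP=100 only applies when no private group is made."""
    return f"{name}:x:{uid}:{uid}::{ud['HOME']}/{name}:{ud['SHELL']}"


def predict_shadow_line(name, today_days, ud, defs):
    """shadow line for a new account: '!!' (no password yet) and aging fields from the defaults.
    INACTIVE=-1 and an empty EXPIRE are written as empty fields 7 and 8."""
    inactive = "" if ud["INACTIVE"] in ("", "-1") else ud["INACTIVE"]
    return ":".join([name, "!!", str(today_days), defs["PASS_MIN_DAYS"], defs["PASS_MAX_DAYS"],
                     defs["PASS_WARN_AGE"], inactive, ud["EXPIRE"], ""])


def weak_settings(defs, min_len=8, max_days=90):
    """Settings below a baseline; the thresholds are this example's assumptions, not the notes'."""
    issues = []
    if int(defs.get("PASS_MIN_LEN", 0)) < min_len:
        issues.append(f"PASS_MIN_LEN={defs.get('PASS_MIN_LEN', 'unset')} (below {min_len})")
    if int(defs.get("PASS_MAX_DAYS", 99999)) > max_days:
        issues.append(f"PASS_MAX_DAYS={defs.get('PASS_MAX_DAYS', 'unset')} (above {max_days})")
    if defs.get("ENCRYPT_METHOD", "").upper() not in ("SHA256", "SHA512"):
        issues.append(f"ENCRYPT_METHOD={defs.get('ENCRYPT_METHOD', 'unset')} (weaker than SHA-2)")
    return issues


if __name__ == "__main__":
    ud, defs = parse_settings(USERADD_DEFAULTS), parse_settings(LOGIN_DEFS)
    uid = next_free_uid({0, 1, 2}, defs)
    print(predict_passwd_line("ws", uid, ud))
    print(predict_shadow_line("ws", 16436, ud, defs))
    print(weak_settings(defs))
```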
(2) Changing a user's password
Command format:
passwd [options] username
Running passwd with no arguments changes your own password. Options: -S shows the password status of the user (root only); -l locks the user temporarily, which in practice prefixes the stored password with "!!"; -u unlocks the user; --stdin reads the new password from standard input (for example from a pipe), which is mainly useful in shell scripts.
(3) Modifying user information with usermod and password aging with chage
1) usermod command format
usermod [options] username
Options: -u changes the user's UID; -G changes the user's additional groups; -c changes the user description; -L locks the user temporarily; -U unlocks the user.
2) chage command format
chage [options] username
Options:
-l: list the user's detailed password aging status
-d date: last password change date (shadow field 3)
-m days: minimum interval between password changes (shadow field 4)
-M days: password validity period (shadow field 5)
-W days: days of warning before the password expires (shadow field 6)
-I days: grace days after the password expires (shadow field 7)
-E date: account expiration date (shadow field 8)
Example:
chage -d 0 ws    # resets the last password change date to 0, so the user must change the password at the next login
(4) Deleting a user with userdel and switching users with su
1) userdel command format
userdel [-r] username
The -r option also removes the user's home directory when the user is deleted; otherwise the user's files can be removed by hand.
2) su command format
su [options] username
The "-" option also switches to the target user's environment variables; the "-c" option runs a single command as that user without switching the login identity.
For example, run useradd as root to add the user user1 without switching to root:
su - root -c "useradd user1"
4. User group management
1) Add a group: groupadd [options] groupname
-g specifies the GID.
2) Modify a group: groupmod [options] groupname
-g changes the group's GID; -n changes the group's name (renaming is generally not recommended).
For example, create a group tg and rename it to wstest:
[root@localhost ~]# groupadd tg
[root@localhost ~]# groupmod -n wstest tg
3) Delete a group: groupdel groupname
NOTE: a group cannot be deleted while any user has it as their initial group. Users who are only additional members of the group do not prevent its deletion.
4) Add a user to, or remove a user from, a group
gpasswd [options] groupname
-a adds the user to the group; -d removes the user from the group.
For example, create the user ws1, add it to the wstest group, then remove it again:
[root@localhost ~]# useradd ws1
[root@localhost ~]# echo "ws1" | passwd --stdin ws1
Changing password for user ws1.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# gpasswd -a ws1 wstest
Adding user ws1 to group wstest
[root@localhost ~]# gpasswd -d ws1 wstest
Removing user ws1 from group wstest
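Added example, not part of the original notes, modelling the membership rules of this section on in-memory copies of /etc/passwd and /etc/group: gpasswd -a and -d only change field 4 of the group line, and groupdel is refused while any user has the group as initial group (field 4 of passwd) but not when users are merely additional members. The sample file contents are constructed and the function names are this example's own.

```python
# Constructed sample files in the state this section leaves them: ws1 has been created
# (so it owns the private group ws1) and wstest exists with no members yet.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
ws:x:500:500::/home/ws:/bin/bash
ws1:x:550:550:test user:/home/ws1:/bin/bash
"""

GROUP_TEXT = """\
root:x:0:
ws:x:500:
ws1:x:550:
wstest:x:551:
"""


def load_groups(text):
    """/etc/group -> ordered dict of name -> {pw, gid, members}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, pw, gid, members = line.split(":")
            groups[name] = {"pw": pw, "gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def dump_groups(groups):
    """Render the table back into /etc/group format."""
    return "".join(f"{n}:{g['pw']}:{g['gid']}:{','.join(g['members'])}\n" for n, g in groups.items())


def initial_members(passwd_text, gid):
    """Users whose passwd field 4 (initial group) is this GID."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line.strip() and int(line.split(":")[3]) == gid]


def gpasswd_add(groups, user, group):
    """gpasswd -a user group: append to field 4 unless already listed; returns the member list."""
    members = groups[group]["members"]
    if user not in members:
        members.append(user)
    return list(members)


def gpasswd_del(groups, user, group):
    """gpasswd -d user group: remove from field 4; False if the user was not a member."""
    members = groups[group]["members"]
    if user not in members:
        return False
    members.remove(user)
    return True


def groupdel_check(groups, passwd_text, group):
    """Apply the rule from the notes: refuse while the group is someone's initial group.
    Additional members (field 4 of /etc/group) do not block deletion."""
    if group not in groups:
        return False, f"group {group} does not exist"
    owners = initial_members(passwd_text, groups[group]["gid"])
    if owners:
        return False, f"{group} is the initial group of: {', '.join(owners)}"
    return True, f"{group} can be deleted (additional members: {len(groups[group]['members'])})"


def groupdel(groups, passwd_text, group):
    """groupdel group: delete only when groupdel_check allows it."""
    ok, reason = groupdel_check(groups, passwd_text, group)
    if ok:
        del groups[group]
    return ok, reason


if __name__ == "__main__":
    groups = load_groups(GROUP_TEXT)
    gpasswd_add(groups, "ws1", "wstest")
    print(dump_groups(groups), end="")
    print(groupdel_check(groups, PASSWD_TEXT, "wstest"))
    print(groupdel_check(groups, PASSWD_TEXT, "ws1"))
    gpasswd_del(groups, "ws1", "wstest")
    print(groupdel(groups, PASSWD_TEXT, "wstest"))
```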