Linux Study Notes (12) user and user group management, linux Study Notes

Source: Internet
Author: User


The higher the security a server requires, the more its users need a well-designed permission hierarchy and clear operating rules. In Linux, user information is viewed and changed through the user configuration files described below.

1. User information files

(1) User information file /etc/passwd

Viewing the file with vim shows lines such as:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin

Each row of the file has seven colon-separated fields:

The 1st field is the user name;

The 2nd field is the password flag;

The 3rd field is the UID (user ID). UID 0 is the superuser: if an ordinary user's UID is changed to 0, the system treats that user as a superuser. UIDs 1 to 499 are system users (pseudo-users), which cannot log in and should not be deleted. UIDs 500 to 65535 are ordinary users, so the first ordinary user created gets UID 500.

The 4th field is the GID (the user's initial group ID).

The initial group is the group whose permissions the user holds as soon as they log in. Each user has exactly one initial group; by convention it is the group with the same name as the user.

Additional groups are other groups the user has been added to, whose permissions the user also holds. A user may belong to several additional groups.

The 5th field is the user description (comment); it may be left empty.

The 6th field is the home directory: /home/username/ for an ordinary user and /root/ for the superuser.

The 7th field is the login shell. The shell is the Linux command interpreter; apart from a standard shell, this field can be set to /sbin/nologin to temporarily prevent the user from logging in.
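The UID rules above are the ones worth checking on a real system: a second UID 0 account, a system account that can log in, or two names sharing one UID are all misconfigurations an auditor looks for. The following script is an added example, not part of the original notes; it runs those three checks over constructed passwd-format sample data, in which the entries dupadmin, svc and ws2 are deliberately wrong so the checks have something to report. Function names and the sample content are my own.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not from a real system). The last three
# entries are deliberately suspicious so the checks below have something to report.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ws:x:500:500::/home/ws:/bin/bash
dupadmin:x:0:0:second superuser:/home/dupadmin:/bin/bash
svc:x:120:120:service account:/var/lib/svc:/bin/bash
ws2:x:500:501::/home/ws2:/bin/bash'

# Print every account whose UID is 0 apart from root itself.
# Such an account is a full superuser regardless of its name.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print system accounts (UID 1-499, the range below UID_MIN=500 on CentOS 6)
# whose login shell is neither /sbin/nologin nor /bin/false: pseudo-users
# should not be able to log in interactively.
system_with_shell() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1 && $3 < 500 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Print UIDs used by more than one account; to the kernel two such names are
# one identity, which makes file ownership and audit trails ambiguous.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' | sort -n
}

# Run all checks over passwd-format text; the last line reports the total
# number of findings so a script can act on it.
audit_passwd() {
    count=0
    for u in $(extra_uid0 "$1"); do echo "UID 0 account other than root: $u"; count=$((count + 1)); done
    for u in $(system_with_shell "$1"); do echo "system account with login shell: $u"; count=$((count + 1)); done
    for u in $(duplicate_uids "$1"); do echo "UID shared by several accounts: $u"; count=$((count + 1)); done
    echo "findings: $count"
}

# To audit the live file instead: audit_passwd "$(cat /etc/passwd)"
audit_passwd "$SAMPLE_PASSWD"
```

The checks are plain awk over the colon-separated fields, so they work on any passwd-format file, including one copied off a host for offline review.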

(2) Shadow file /etc/shadow

1) /etc/shadow content:

root:$6$NvfaINezKBg3Cqn7$bB5im5NRggTOa45clyXAXjud4YDhyDlTUgBfqy51UieAx1aUOreJCyPkoaG4MRUkSJGp2Xd9lnqXPIHEfM.4A0:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::

The shadow file has nine fields:

The 1st field is the user name.

The 2nd field is the encrypted password. CentOS 6.5 upgraded the hashing algorithm from MD5 to SHA-512. If this field is "!!" or "*", the user has no password and cannot log in; it is a pseudo-user.

The 3rd field is the date of the last password change, expressed as the number of days since 1970-01-01 (the timestamp increases by 1 each day).

The 4th field is the minimum interval between two password changes, in days (counted from the 3rd field).

The 5th field is the password validity period, in days (counted from the 3rd field).

The 6th field is the number of days before the password expires on which the user starts to be warned (relative to the 5th field).

The 7th field is the grace period, in days, after the password has expired (relative to the 5th field).

The 8th field is the account expiration time, expressed as a timestamp (days since 1970-01-01). 0 means it expires immediately and -1 means it never expires.

The 9th field is reserved.

2) Timestamp conversion

Convert a timestamp to a date:

[root@localhost ~]# date -d "1970-01-01 16461 days"
Mon Jan 26 00:00:00 CST 2015

Convert a date to a timestamp:

[root@localhost ~]# echo $(($(date --date="2015/01/26" +%s)/86400+1))
16461

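The field layout and the day-count conversion above are enough to read a shadow record without any tool. The script below is an added example, not from the original notes: it converts the day counts in fields 3 and 5 with integer arithmetic (the civil-from-days calendar algorithm) rather than with date, so the answer does not depend on the machine's timezone. That matters for the one-liner above: it only yields 16461 because the machine is in CST (UTC+8), where the epoch seconds of local midnight divided by 86400 fall one day short; on a UTC host the +1 would overshoot by a day. The sample records are constructed (the hashes are placeholders) and the function names are my own.

```shell
#!/bin/sh
# Constructed sample /etc/shadow records (not from a real system; the hashes are
# placeholders). The "audit" user has a 90-day maximum so expiry is visible.
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
ws:!!:16436:0:99999:7:::
audit:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16400:0:90:7:::'

# Convert "days since 1970-01-01" (shadow fields 3 and 8) to YYYY-MM-DD with
# integer arithmetic only, so the result is identical in every timezone.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# The reverse conversion: YYYY-MM-DD to days since the epoch.
date_to_days() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # strip a leading zero so 08/09 are not read as octal
    if [ "$m" -le 2 ]; then y=$(( y - 1 )); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    if [ "$m" -gt 2 ]; then mp=$(( m - 3 )); else mp=$(( m + 9 )); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Summarise one shadow record: a password field of "*" or one starting with "!"
# means no usable password (pseudo-user or locked account); otherwise report the
# last change date and the date by which the password must be changed
# (field 3 + field 5). 99999 in field 5 is treated as "never".
shadow_status() {
    IFS=: read -r user pw last min max warn inact expire rest <<EOF
$1
EOF
    case $pw in
        '*'|'!'*) printf '%s: no usable password (locked or pseudo-user)\n' "$user"; return 0 ;;
    esac
    max=${max:-99999}
    if [ "$max" -ge 99999 ]; then
        printf '%s: last changed %s, never expires\n' "$user" "$(days_to_date "$last")"
    else
        printf '%s: last changed %s, must change by %s\n' "$user" \
            "$(days_to_date "$last")" "$(days_to_date $(( last + max )))"
    fi
}

# Against the live file (readable by root only):
#   while IFS= read -r l; do shadow_status "$l"; done < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do shadow_status "$line"; done
```

Because the script never calls date, it can be run over a shadow file copied from another host without first matching that host's timezone.
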
(3) Group information file and group password file

1) Group information file /etc/group

[root@localhost ~]# vim /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon

The group information file has four fields:

The 1st field is the group name;

The 2nd field is the group password flag (group passwords are rarely used);

The 3rd field is the GID (group ID);

The 4th field lists the users for which this group is an additional group.

2) Group password file /etc/gshadow

[root@localhost ~]# vim /etc/gshadow
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon

The group password file also has four fields:

The 1st field is the group name;

The 2nd field is the group password;

The 3rd field is the user name of the group administrator;

The 4th field lists the users for which this group is an additional group.

2. Files related to user management

1) User's home directory

An ordinary user's home directory is /home/username/. Its owner and group are that user, and its permission is 700.

The superuser's home directory is /root/, owned by root with group root. If an ordinary user is turned into a superuser, that user's home directory does not change.

2) User's mailbox

A new user's mailbox is normally created at /var/spool/mail/username.

3) User template directory

The user template directory is /etc/skel. Whenever a user is created, the contents of this directory are copied into the new user's home directory.

3. User management commands

(1) useradd

1) Format: useradd [option] username

Options:

-u UID: specify the user's UID manually;

-d home_directory: specify the user's home directory manually;

-c description: specify the user description manually;

-g group_name: specify the user's initial group manually;

-G group_name: specify the user's additional groups;

-s shell: specify the login shell; the default is /bin/bash.

2) Add a default user

For example, add the default user ws:

[root@localhost ~]# useradd ws

This operation changes the user information files, which can be checked with the following commands:

[root@localhost ~]# grep ws /etc/passwd
ws:x:500:500::/home/ws:/bin/bash
[root@localhost ~]# grep ws /etc/shadow
ws:!!:16436:0:99999:7:::
[root@localhost ~]# grep ws /etc/group
ws:x:500:
[root@localhost ~]# grep ws /etc/gshadow
ws:!::
[root@localhost ~]# ll -d /home/ws/
drwx------. 2 ws ws 4096 Jan  1 20:26 /home/ws/
[root@localhost ~]# ll /var/spool/mail/ws
-rw-rw----. 1 ws mail 0 Jan  1 20:26 /var/spool/mail/ws

For example, add a user with the options specified explicitly:

[root@localhost ~]# useradd -u 550 -G root,bin -d /home/ws1 -c "test user" -s \
> /bin/bash ws1

"\" at the end of a line means the command continues on the next line.

3) User default files

① /etc/default/useradd

[root@localhost ~]# vim /etc/default/useradd
# useradd defaults file
GROUP=100               # default group
HOME=/home              # base of the default home directory
INACTIVE=-1             # password expiration grace days (shadow 7th field)
EXPIRE=                 # expiration time
SHELL=/bin/bash         # default shell
SKEL=/etc/skel          # template directory
CREATE_MAIL_SPOOL=yes   # whether to create a mail spool

② /etc/login.defs

PASS_MAX_DAYS   99999   # password validity period
PASS_MIN_DAYS   0       # minimum interval between password changes
PASS_MIN_LEN    5       # minimum password length
PASS_WARN_AGE   7       # password expiration warning days
UID_MIN         500     # minimum and maximum UID range
UID_MAX         60000
ENCRYPT_METHOD  SHA512  # hashing method

(2) Change the user password (passwd)

Command format:

passwd [option] username

Running passwd with no arguments changes your own password. The -S option queries the user's password status (root only); -l temporarily locks the user, which in practice prefixes the password field in /etc/shadow with "!!"; -u unlocks the user; --stdin takes the password from data piped in on standard input (commonly used in shell scripts).

(3) Modify user information (usermod) and change password status (chage)

1) usermod command format

usermod [option] username

Here -u changes the user's UID, -G changes the user's additional groups, -c changes the user description, -L temporarily locks the user, and -U unlocks the user.

2) chage command format

chage [option] username

Here -l lists the user's detailed password status; -d date sets the last password change date (shadow 3rd field); -m days sets the minimum interval between password changes (shadow 4th field); -M days sets the password validity period (5th field); -W days sets the number of warning days before the password expires (6th field); -I days sets the grace period after the password expires (7th field); -E date sets the account expiration time (8th field).

Example:

chage -d 0 ws    # set the last change date to 0, so the user must change the password at the next login

(4) Delete a user (userdel) and switch user (su)

1) userdel command format

userdel [-r] username

The -r option deletes the user's home directory along with the user; without it, the user's files have to be removed by hand.

2) su command format

su [option] username

The "-" option switches the environment variables to those of the target user as well; the "-c" option runs a single command as that user without switching to that user's identity.

For example, without switching to root, run the useradd command as root to add the user user1:

su - root -c "useradd user1"

4. User group management

1) Add a user group: groupadd [option] group_name

-g specifies the GID.

2) Modify a user group: groupmod [option] group_name

Here -g changes the group's GID and -n changes the group name (changing either is generally not recommended).

For example, create the group tg and rename it to wstest:

[root@localhost ~]# groupadd tg
[root@localhost ~]# groupmod -n wstest tg

3) Delete a user group: groupdel group_name

Note: a group cannot be deleted while it is the initial group of any user. Users for which it is only an additional group do not prevent deletion.

4) Add a user to a group or remove a user from it

gpasswd [option] group_name

-a adds the user to the group and -d removes the user from the group.

For example, create the user ws1, add it to the wstest group, and then remove it:

[root@localhost ~]# useradd ws1
[root@localhost ~]# echo "ws1" | passwd --stdin ws1
Changing password for user ws1.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# gpasswd -a ws1 wstest
Adding user ws1 to group wstest
[root@localhost ~]# gpasswd -d ws1 wstest
Removing user ws1 from group wstest
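The initial versus additional group distinction runs through the whole section: the initial group comes from the 4th field of /etc/passwd, the additional groups from the 4th field of /etc/group, and the groupdel note above follows directly from it. The script below is an added example, not from the original notes: it resolves a user's effective groups from constructed passwd- and group-format data that mirror the ws, ws1 and wstest accounts used in the examples, and reproduces the groupdel rule as a check. The sample data and function names are my own.

```shell
#!/bin/sh
# Constructed sample passwd and group data (not from a real system), mirroring the
# ws / ws1 / wstest accounts in the notes. For a live check use
# PASSWD_DATA=$(cat /etc/passwd) and GROUP_DATA=$(cat /etc/group).
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
ws:x:500:500::/home/ws:/bin/bash
ws1:x:550:550:test user:/home/ws1:/bin/bash'
GROUP_DATA='root:x:0:ws1
bin:x:1:bin,daemon,ws1
ws:x:500:
ws1:x:550:
wstest:x:551:ws1'

# Initial group: the group whose GID equals the user's 4th passwd field.
initial_group() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Additional groups: every group whose 4th field lists the user by name.
additional_groups() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Effective groups at login on one line: the initial group first, then the
# additional groups in /etc/group order.
effective_groups() {
    { initial_group "$1"; additional_groups "$1"; } | tr '\n' ' ' | sed 's/ $//'
    echo
}

# Reproduce the groupdel rule from the note: deletion is refused (return 1) while
# the group is some user's initial group; additional members alone (return 0)
# do not block it. Return 2 if the group does not exist.
groupdel_check() {
    gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $3 }')
    if [ -z "$gid" ]; then echo "no such group: $1"; return 2; fi
    owners=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v g="$gid" '$4 == g { print $1 }' | tr '\n' ',')
    if [ -n "$owners" ]; then
        echo "cannot delete $1: it is the initial group of ${owners%,}"
        return 1
    fi
    echo "$1 can be deleted; it is only an additional group"
    return 0
}

for u in ws ws1; do echo "$u: $(effective_groups "$u")"; done
groupdel_check ws1 || :      # expected to be refused: ws1 is user ws1's initial group
groupdel_check wstest        # allowed: ws1 is only an additional member
```

Note that a member listed in /etc/group is only an additional member; the users that block groupdel are found in /etc/passwd, not in the group file, which is why the check reads both.
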
