[Linux] [Task] user and User Group Management

Source: Internet
Author: User
Linux User and User Group Management

Linux is a multi-user multi-task time-sharing operating system. any user who wants to use system resources must first apply for an account from the system administrator and then enter the system as the account. User Accounts can help system administrators track users who use the system and control their access to system resources. They can also help users organize files and provide security protection for users. Each user account has a unique user name and password. After you enter the correct user name and password during logon, you can access the system and your home directory.

To manage user accounts, you must do the following:
· Add, delete, and modify user accounts.
· User password management.
· User group management.

I. User Account Management in Linux

The management of user accounts mainly involves adding, modifying, and deleting user accounts.

To add a user account is to create a new account in the system, and allocate resources such as user numbers, user groups, home directories, and logon shells to the new account. The newly added account is locked and cannot be used.

1. Add a new user account and use the useradd command. The syntax is as follows:

Code:
Useradd option Username

The options are described as follows:

Code:
-C comment specifies an annotation description.
-D directory specifies the user's main directory. If this directory does not exist, you can use the-m option to create a main directory.
-G User Group specifies the user group to which the user belongs.
-G user group, which specifies the additional group to which the user belongs.
The-s Shell file specifies the user's logon Shell.
-U user number specifies the user number of a user. If the-o option is available at the same time, the user ID of another user can be used again.

User name specifies the login name of the new account.

2. Example

Example 1:

Code:
# Useradd-d/usr/sam-m sam

This command creates a user sam,
The-d and-m options are used to generate a main directory/usr/sam for the logon sam (/usr is the parent directory of the default user main directory ).

Example 2:

Code:
# Useradd-s/bin/sh-g group-G adm, root gem

This command creates a new user gem. the user's logon Shell is/bin/sh, which belongs to the group user group and also to the adm and root user groups. The group user group is the main group.
A new group may be created here: # groupadd group and groupadd adm
 
Adding a user account adds a record to a new user in the/etc/passwd file and updates other system files, such as/etc/shadow and/etc/group.

Linux provides the integrated system management tool userconf, which can be used to manage user accounts in a unified manner.

3. delete an account

If a user's account is no longer in use, it can be deleted from the system. To delete a user account, you must delete the user record in system files such as/etc/passwd. If necessary, delete the user's home directory. Delete an existing user account and use the userdel command. The format is as follows:

Code:
Userdel option Username

The commonly used option is-r, which is used to delete the user's home directory together.

For example:

Code:
# Userdel sam

This command deletes the records of the user sam in the System File (mainly/etc/passwd,/etc/shadow,/etc/group), and deletes the user's home directory.

4. Modify an account

Modifying a user account is to change the user's attributes, such as the user ID, main directory, user group, and logon Shell.

Use the usermod command to modify existing user information. The format is as follows:

Code:
Usermod option Username

Common options include-c,-d,-m,-g,-G,-s,-u, and-o. These options have the same meaning as those in the useradd command, you can specify a new resource value for the user. In addition, some systems can use the following options:

Code:
-L New User Name

This option specifies a new account, changing the original user name to the new user name.

For example:

Code:
# Usermod-s/bin/ksh-d/home/z-g developer sam

This command changes the logon Shell of user sam to ksh, the main directory to/home/z, and the user group to developer.

5. User Password Management

An important part of user management is the management of user passwords. A user account has no password when it was created, but is locked by the system and cannot be used. It can only be used after a password is specified, even if it is null.

The Shell command used to specify and modify the user password is passwd. Super Users can specify passwords for themselves and other users. Common users can only use them to modify their own passwords. Command Format:

Code:
Passwd option User Name

Available options:

Code:
-L the password is disabled.
-U password unlock.
-D indicates that the account has no password.
-F forces the user to change the password upon next login.
If the default user name is used, modify the password of the current user.

For example, if the current user is sam, the following command modifies the user's own password:

Code:
$ Passwd
Old password :******
New password :*******
Re-enter new password :*******

If you are a super user, you can specify the password of any user in the following form:

Code:
# Passwd sam
New password :*******
Re-enter new password :*******

When a common user modifies his or her own password, the passwd command First asks for the original password and then asks the user to enter the new password twice. If the two passwords are the same, the original password is not required when the superuser specifies a password for the user.

For the sake of system security, you should select a complicated password. For example, you 'd better use an 8-bit long password, which contains uppercase letters, lowercase letters, and numbers, it should be different from the name and birthday.

When you specify a blank password, run the following commands:

Code:
# Passwd-d sam

This command deletes the password of the user sam, so that the system will not ask for the password during the next logon.

The passwd command can also use the-l (lock) option to lock a user so that the user cannot log on. For example:

Code:
# Passwd-l sam
2. User Group Management in Linux

Each user has a user group. The system can centrally manage all users in a user group. Different Linux systems have different user groups. For example, a user in Linux belongs to a user group with the same name as a user group, which is created at the same time.
User Group management involves adding, deleting, and modifying user groups. The addition, deletion, and modification of a group are actually updates to the/etc/group file.

1. Add a new user group to use the groupadd command. The format is as follows:
Code:
Groupadd option User Group

You can use the following options:
Code:
-G GID specifies the group ID (GID) of the new user group ).
-O is generally used together with the-g option, indicating that the GID of the new user group can be the same as the GID of the existing user group in the system.

Example 1:
Code:
# Groupadd group1

This command adds a new group group1 to the system. The Group ID number of the new group is added with 1 on the basis of the current largest group ID number.

Example 2:
Code:
# Groupadd-g 101 group2

This command adds a new group group2 to the system and specifies that the Group ID of the new group is 101.

2. to delete an existing user group, run the groupdel command in the following format:
Code:
Groupdel User Group

For example:
Code:
# Groupdel group1

This command deletes group group1.

3. Run The groupmod command to modify the attributes of a user group. The syntax is as follows:
Code:
Groupmod option User Group

Common options include:
Code:
-G GID: specify a new group ID for the user group.
-O and-g options are used at the same time. The new GID of a user group can be the same as the GID of an existing user group in the system.
-N new user group: Change the user group name to a new name.

Example 1:
Code:
# Groupmod-g 102 group2

This command changes the group ID of group group2 to 102.

Example 2:
Code:
# Groupmod-g 10000-n group3 group2

This command changes the ID of group group2 to 10000 and the group name to group3.

4. If a user belongs to multiple user groups at the same time, the user can switch between user groups to have permissions for other user groups. After logging on, you can use the newgrp command to switch to another user group. The parameter of this command is the target user group. For example:
Code:
$ Newgrp root

This command switches the current user to the root user group, provided that the root user group is indeed the user's main group or additional group. Similar to user account management, user group management can also be completed through integrated system management tools.
3. system files related to user accounts

There are many methods to complete user management, but each method is actually to modify the relevant system files. Information related to users and user groups is stored in some system files, including/etc/passwd,/etc/shadow and/etc/group. The following describes the content of these files.

1. the/etc/passwd file is the most important file involved in user management. In Linux, each user has a corresponding record row in the/etc/passwd file, which records some basic attributes of this user. This file is readable to all users. Its content is similar to the following example:

Code:
# Cat/etc/passwd

Root: x: 0: 0: Superuser :/:
Daemon: x: 1: 1: System daemons:/etc:
Bin: x: 2: 2: Owner of system commands:/bin:
Sys: x: 3: 3: Owner of system files:/usr/sys:
Adm: x: 4: 4: System accounting:/usr/adm:
Uucp: x: 5: 5: UUCP administrator:/usr/lib/uuucp:
Auth: x: 7: 21: Authentication administrator:/tcb/files/auth:
Cron: x: 9: 16: Cron daemon:/usr/spool/cron:
Listen: x: 37: 4: Network daemon:/usr/net/nls:
Lp: x: 71: 18: Printer administrator:/usr/spool/lp:
Sam: x: 200: 50: Sam san:/usr/sam:/bin/sh

From the above example, we can see that the records in the/etc/passwd line correspond to a user, and the records in each line are separated by colons (seven fields are separated. Their format and meaning are as follows:

Code:
User name: Password: User ID: Group ID: annotation Description: main directory: logon Shell

1) "User Name" is a string representing the user account. Generally, it cannot exceed 8 characters and may consist of uppercase/lowercase letters and/or numbers. The login name cannot contain a colon (because the colon is a separator here. For the sake of compatibility, it is recommended that the login name do not contain periods (.), and do not use hyphens (-) or plus signs (+) to start.

2) The encrypted user password is stored in some systems .. Although this field only stores the encrypted string of the user's password, it is still a security risk because the/etc/passwd file can be read by all users. Therefore, many Linux systems (such as SVR4) now use the shadow technology to store the encrypted user password in the/etc/shadow file, in the/etc/passwd file, only one special character is stored in the password field, for example, "x" or "*".

3) The "User ID" is an integer used internally to identify users. Generally, it corresponds to the user name one by one. If several user names correspond to the same user ID, the system regards them as the same user, but they can have different passwords, different home directories, and different logon shells.

Generally, the user ID number ranges from 0 ~ 65 535. 0 is the identification number of the Super User root, 1 ~ 99 is retained by the system and used as the management account. The identification number of a common user starts from 100. In Linux, this limit is 500.

4) the "Group ID" field records the user's user group. It corresponds to a record in the/etc/group file.

5) The "annotation description" field records the user's personal information, such as the user's real name, phone number, and address. This field has no practical use. In different Linux systems, the format of this field is not uniform. In many Linux systems, this field stores any comments of the description text and is used as the output of the finger command.

6) "main directory", that is, the user's initial working directory, which is the directory where the user logs on to the system. In most systems, the main directories of users are organized in the same specific directory, and the name of the main directories is the user's login name. Each user has the read, write, and execute (Search) permissions on his/her home directory. Other users have the permission to access this directory based on the actual situation.

7) after a user logs on, a process is started to pass user operations to the kernel. This process is a command interpreter or a specific program that the user logs on to the system and runs, that is, Shell. Shell is the interface between users and Linux systems. There are many types of Linux Shell, each of which has different characteristics. Common examples include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), and bash (Bourne Again Shell). The system administrator can specify a Shell for the user based on the system conditions and user habits. If no Shell is specified, the system uses sh as the default logon Shell, that is, the value of this field is/bin/sh.

The user's logon Shell can also be specified as a specific program (this program is not a command interpreter ). With this feature, we can restrict the user to run only the specified application. After the application is running, the user automatically exits the system. In some Linux systems, only programs registered in the system can appear in this field.

In the system, a type of users are called psuedo users. These users also occupy a record in the/etc/passwd file, but cannot log on because their logon Shell is empty. They are mainly used to facilitate system management and meet the file owner requirements of the corresponding system processes. Common pseudo-users are as follows.

Code:
Definition of a pseudo-user
Bin has executable USER command files
Sys owns system files
Adm has account files
Uucp
Lp or lpd subsystem usage
Nobody NFS usage

Owned account file

In addition to the pseudo applications listed above, there are also many standard pseudo users, such as audit, cron, mail, and usenet, which are also required by related processes and files.

Since the/etc/passwd file can be read by all users, if the user's password is too simple or regular, a common computer can easily crack it, therefore, Linux systems with high security requirements separate encrypted passwords and store them separately in a file. The file is a/etc/shadow file. Only a Super User has the permission to read the file, which ensures the security of the user's password.

2. The record lines in/etc/shadow correspond to the records in/etc/passwd one by one. The pwconv command automatically generates the records based on the data in/etc/passwd. Its file format is similar to/etc/passwd and consists of several fields separated. These fields are:

Code:
Login Name: encrypted password: last modification time: minimum interval: maximum interval: warning time: inactive time: expiration time: Flag

1) The "Login Name" is the same as the login name in the/etc/passwd file.
2) The "password" field stores the encrypted user password, with a length of 13 characters. If it is blank, the corresponding user has no password and no password is required for Logon. If it contains characters not in the {./0-9A-Za-z} collection, the corresponding user cannot log on.
3) "last modification time" indicates the number of days from a certain time point to the last password change. The start time may be different for different systems. For example, in SCO Linux, the start time is January 1, January 1, 1970.
4) "minimum interval" refers to the minimum number of days required between two password changes.
5) The "maximum interval" indicates the maximum number of days for password persistence.
6) The "warning time" field indicates the number of days from when the system starts to warn the user to when the user password is officially invalid.
7) "No activity time" indicates the maximum number of days that the user has not logged on to the activity but the account remains valid.
8) the "expiration time" field shows an absolute number of days. If this field is used, the validity period of the corresponding account is given. After expiration, this account is no longer a legal account and cannot be used for logon.

The following is an example of/etc/shadow:

Code:
# Cat/etc/shadow

Root: DNA kfw28zf38w: 8764: 0: 168: 7 :::
Daemon: *: 0: 0 ::::
Bin: *: 0: 0 ::::
Sys: *: 0: 0 ::::
Adm: *: 0: 0 ::::
Uucp: *: 0: 0 ::::
Nuucp: *: 0: 0 ::::
Auth: *: 0: 0 ::::
Cron: *: 0: 0 ::::
Listen: *: 0: 0 ::::
Lp: *: 0: 0 ::::
Sam: EkdiSECLWPdSa: 9740: 0: 0 ::::

 

3. All user group information is stored in the/etc/group file.

Grouping users is a way to manage users and control access permissions in Linux. Each user belongs to a user group. A group can contain multiple users, and a user can belong to different groups. When a user is a member of multiple groups at the same time, the main group to which the user belongs is recorded in the/etc/passwd file, that is, the default group to which the user belongs during logon, other groups are called additional groups. To access files in an additional group, you must first use the newgrp command to make yourself a member of the group to be accessed. All user group information is stored in the/etc/group file. The format of this file is also similar to that of the/etc/passwd file. Several fields are separated by colons. These fields include:

Code:
Group Name: Password: Group ID: group user list

1) "group name" is the name of the user group, which consists of letters or numbers. Same as the login name in/etc/passwd, the group name should not be repeated.
2) The "password" field stores the encrypted password of the user group. Generally, users in Linux do not have a password, that is, this field is generally blank, or *.
3) the "Group ID" is similar to the user ID and is also an integer used internally to identify the group.
4) The "group user list" is a list of all users in this group/B]. Different users are separated by commas. This user group may be the user's primary group or an additional group.

An example of the/etc/group file is as follows:

# Cat/etc/group

Code:
Root: 0: root
Bin: 2: root, bin
Sys: 3: root, uucp
Adm: 4: root, adm
Daemon: 5: root, daemon
Lp: 7: root, lp
Users: 20: root, sam

Iv. Add User batch

Adding and Deleting Users is a breeze for every Linux system administrator. the tricky thing is that if you want to add dozens, hundreds, or even thousands of users, we are unlikely to add useradd one by one, so we must find a simple method to create a large number of users. Linux provides a tool to create a large number of users, allowing you to create a large number of users immediately, as follows:

(1) edit a text user file. Each column is written in the format of the/etc/passwd password file. Note that the user name, UID, and home directory of each user cannot be the same, the password column can be left blank or enter the x number. The content of user.txt in a sample file is as follows:

Code:
User001: 600: 100: user:/home/user001:/bin/bash
User002: 601: 100: user:/home/user002:/bin/bash
User003: 602: 100: user:/home/user003:/bin/bash
User004: 603: 100: user:/home/user004:/bin/bash
User005: 604: 100: user:/home/user005:/bin/bash
User006: 605: 100: user:/home/user006:/bin/bash

(2) run the command/usr/sbin/newusers as root to import data from the user.txt file of the created user and create the user:

Code:
# Newusers <user.txt

Then, run vipw or vi/etc/passwd to check whether the data of these users is displayed in the/etc/passwd file and whether the user's home directory has been created.

(3) run the/usr/sbin/pwunconv command to decode the shadow password generated by/etc/shadow and write it back to/etc/passwd, delete the shadow password column of/etc/shadow. This is to facilitate the next step in password conversion, that is, to cancel the shadow password function first.

Code:
# Pwunconv

(4) edit the password comparison file for each user. The content of the example file passwd.txt is as follows:

Code:
User001: Password
User002: Password
User003: Password
User004: Password
User005: Password
User006: Password

(5) run the command/usr/sbin/chpasswd as root to create the user password, chpasswd writes the password encoded by the/usr/bin/passwd command to the/etc/passwd password column.

Code:
# Chpasswd <passwd.txt

(6) Confirm that the password is encoded into the/etc/passwd password column, and then execute the command/usr/sbin/pwconv to encode the password as shadow password, write the result to/etc/shadow.

Code:
# Pwconv

In this way, a large number of users are created. Then, you can go to/home to check whether the permission settings of these users in the home directory are correct, and log on to verify that the user password is correct.
5. grant special permissions to common users

In Linux, there are usually more than one administrator. If each administrator uses the root identity for management, it is impossible to figure out who should do what. The best way is to create some common users and assign some system management work to them.

We cannot use su to make them directly root, because these users must know the root password. This method is not safe and does not meet our division of labor needs. The general practice is to use permission settings to classify users with special identities into the same working group and set the permissions of the Working Group. For example, the user wwwadm is required to manage website data. Generally, the httpd owner of the Apache Web Server process is www. You can set wwwadm as the same working group as www, set the working group permissions for Apache to store the web directory/usr/local/httpd/htdocs by default to readable, writable, and executable, in this way, every user in this Working Group can manage webpages.

However, this is not the best solution. For example, if the administrator wants to grant the shutdown permission to an ordinary user, the above method is not ideal. You may think that I only want this user to execute the shutdown command as root. It's totally correct. Unfortunately, this feature cannot be implemented in common Linux systems, but sudo is already available in tools.

Sudo assigns privileges to different users by maintaining a database mapped to the user name. These privileges can be identified by different commands listed in the database. To obtain a specific permission, qualified users simply enter the sudo and command name on the command line and enter the password again as prompted (the user's own password, not the root user password ). For example, sudo allows a common user to format a disk, but does not grant other root user privileges.

1. The sudo tool is configured by the file/etc/sudoers, which contains a list of all users who can access the sudo tool and defines their privileges. A typical/etc/sudoers entry is as follows:

Code:
Liming ALL = (ALL) ALL

This entry allows the user liming to access all applications as a Super User. For example, if the user liming needs to run commands as a Super User, he simply needs to add the prefix sudo before the command. Therefore, to run the format command as the root user, liming can enter the following command:

Code:
# Sudo/usr/sbin/useradd sam

Note: The command must write an absolute PATH./usr/sbin is not in the search PATH of a common user by default, or add the PATH: PATH = $ PATH:/usr/sbin; export PATH. In addition, different system commands have different paths. You can use the command "whereis command name" to find the path.

The following output result is displayed:

Code:
We trust you have got ed the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:

If liming correctly enters the password, the command useradd will be executed as the root user.

Note: The configuration file/etc/sudoers must be edited using the cmddo command.

You only need to add the user name, host name, and license command list to the file/etc/sudoers in the standard format, and save the list to take effect. Let's look at another example.

2. Example: The administrator needs to allow the gem user to execute the reboot and shutdown commands on the host sun and add the following to/etc/sudoers:

Code:
Gem sun =/usr/sbin/reboot,/usr/sbin/shutdown

Note: the absolute path must be used for commands to prevent commands of the same name in other directories from being executed, resulting in security risks.

Save and exit. When you want to execute the reboot command, you only need to run the following command at the prompt:

Code:
$ Sudo/usr/sbin/reboot

Enter the correct password to restart the server.

If you want to define a group of users, you can add % before the group name to set it, such:

Code:
% Cuug ALL = (ALL) ALL

3. You can also use aliases to simplify the configuration file. Aliases are similar to group concepts, including user aliases, host aliases, and command aliases. Multiple users can define them with an alias first, and then use the alias when specifying what commands they can execute. This configuration takes effect for all users. The same is true for host aliases and command aliases. Note that before use, define the User_Alias, Host_Alias, and Cmnd_Alias items in/etc/sudoers. Add the corresponding names after them and separate them by commas. For example:

Code:
Host_Alias SERVER = no1
User_Alias ADMINS = liming, gem
Cmnd_Alias SHUTDOWN =/usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/reboot
Admins server = SHUTDOWN

4. Let's look at this example again:

Code:
Admins all = (ALL) NOPASSWD: ALL

Allow ADMINS to perform all operations without a password. "NOPASSWD:" indicates that the user does not need to enter a password when performing the operation.

5. The sudo command can also add some parameters to complete some auxiliary functions, such

Code:
$ Sudo-l

The following information is displayed:

Code:
User liming may run the following commands on this host:
(Root)/usr/sbin/reboot

Root allows liming to execute the/usr/sbin/reboot command. This parameter allows you to view which commands can be executed in sudo.

6. Enter the sudo command at the command prompt to list all parameters. Other parameters are as follows:

Code:
-V displays the version number.
-H: displays the parameters used by The sudo command.
-V will ask for the password because sudo is not executed during the first execution or within N minutes (N is set to 5 by default. This parameter is re-confirmed. If it is more than N minutes, you will also ask the password.
-K will force the user to ask for the password (whether or not it has been more than N minutes) during the next sudo execution ).
-B: Execute the command in the background.
-P prompt can change the password prompt, where % u is replaced with the user's account name, and % h displays the host name.
-U username/# this parameter is not added to the uid, which indicates that the command is to be executed as root, but this parameter is added, you can run commands as username (# uid of username ).
-S executes the SHELL specified by the Shell in the environment variable, or the Shell specified in/etc/passwd.
-H: Specify the HOME directory in the environment variable as the HOME Directory of the user who wants to change the identity. (If the-u parameter is not added, the system administrator root is used .)

Command to be executed as a system administrator (or changed to another person as a-u.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.