Linux User and Group management

Source: Internet
Author: User

On Linux systems, user management means allocating resources on the basis of user name and password. Users on Linux are divided into the following categories:

Administrator: root, UID 0

Normal users: UID 1-65535

System users: UID 1-999, used to assign permissions to daemons so that they can obtain resources

Login users: UID 1000+, log in interactively

Group

Administrator group: root, GID 0

Normal groups: GID 1-65535, divided into:

System groups: GID 1-999

General groups: GID 1000+, which are further divided into:

Basic group: also known as the private group. When you create a user without specifying a group, the system automatically creates a group with the same name as the user. A user must belong to one and only one basic group; the private group has the same name as the user and contains only that user.

Additional groups: also called supplementary groups; groups other than the default group. A user can belong to 0 or more additional groups.


Security context

A running program is a process, and it runs with the identity of the user who started it:

root: /bin/cat

hadoop: /bin/cat

What a process is allowed to access depends on the identity of the user running it.


passwd file format

Use man 5 passwd to view the help for this configuration file. Each line of the passwd file consists of seven colon-separated fields:

account: login user name

passwd: password

UID: the user's identity number

GID: default group number

comment: comment information

homedir: user home directory

shell: user default shell




Group file format

The file format can be queried with man. The fields are:

groupname: group name

gpasswd: group password

GID: the identity number of the group

Additional group members: users that have this group as an additional group
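The passwd and group formats above are enough to audit accounts straight from the files. The following is an added example, not part of the original article: it reads constructed sample data and flags non-root accounts with UID 0, system accounts (UID 1-999) that have an interactive shell, and users whose default GID is missing from the group file. The function name audit_accounts, the sample accounts and the temporary file names are assumptions.

```bash
# Constructed sample data; on a real host pass /etc/passwd and /etc/group.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
hadoop:x:1001:1001::/home/hadoop:/bin/bash
backup:x:0:0:backup admin:/home/backup:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/bin/bash
user4:x:1004:1500::/tmp/user4:/bin/csh
EOF
cat > "$sample_dir/group" <<'EOF'
root:x:0:
daemon:x:2:
mail:x:12:
hadoop:x:1001:
EOF

# audit_accounts PASSWD_FILE GROUP_FILE
# Prints one finding per line as "CHECK:account".
audit_accounts() {
    awk -F: '
        # First file (group): remember every GID that exists (field 3).
        NR == FNR { gid[$3] = 1; next }
        # Second file (passwd): account:passwd:UID:GID:comment:homedir:shell
        NF != 7 { print "BAD_FIELD_COUNT:" $1; next }
        # Any account other than root with UID 0 has full root privileges.
        $3 == 0 && $1 != "root" { print "EXTRA_UID0:" $1 }
        # System accounts exist for daemons and should not log in.
        $3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ {
            print "SYSTEM_LOGIN_SHELL:" $1
        }
        # The default GID (field 4) must exist in the group file.
        !($4 in gid) { print "MISSING_GID:" $1 }
    ' "$2" "$1"
}

audit_accounts "$sample_dir/passwd" "$sample_dir/group"
```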


gshadow file format

Group name

Group password

Group admins list: the users who can change the group's password and members

List of users that have this group as an additional group, with multiple users separated by commas



Shadow file format

The format of the shadow file can likewise be queried with man. Its fields are:

account: login name

encrypted passwd: the password after encryption

Time from January 1, 1970 to the last password change

Minimum password age: the minimum interval between two password changes; 0 means the password can be changed immediately

Maximum password age: the maximum number of days the password remains valid, after which it must be changed

Password expiration warning period: how many days before the password expires the system starts reminding the user to change it (default is one week)

Number of days after the password expires before the account is locked

Account expiration date, as a number of days counted from January 1, 1970

Reserved field


Password encryption mechanism

Encryption: plaintext --> ciphertext

Decryption: ciphertext --> plaintext

Symmetric encryption: encryption and decryption use the same key

Public-key cryptography: keys come in pairs, one public key and one private key

One-way encryption (hashing): extracts a fingerprint of the data; commonly used for data integrity checks

One-way encryption has the following characteristics:

Avalanche effect

Fixed-length output

Common algorithms include:

md5: 128-bit fixed-length output

sha1: Secure Hash Algorithm, 160-bit fixed-length output

sha224: 224 bits

sha256

sha384

sha512

Change the encryption algorithm: authconfig --passalgo=sha256 --update
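The shadow fields and the algorithm list above can be checked together. The following is an added example, not part of the original article: it reads constructed shadow-format lines and reports, per account, whether the password is empty or locked, which algorithm the crypt prefix indicates ($1$ MD5, $5$ SHA-256, $6$ SHA-512), and whether the password has passed its maximum age. The function name audit_shadow, the sample accounts, the placeholder hash strings and the fixed "today" value are assumptions.

```bash
# Constructed sample in /etc/shadow format. The hash strings are
# placeholders, not real hashes. Field 3 is in days since 1970-01-01.
sample_shadow=$(mktemp)
cat > "$sample_shadow" <<'EOF'
root:$6$SALT$PLACEHOLDERHASH:19000:0:90:7:::
user1:$1$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
user2::19700:0:90:7:::
user3:!$6$SALT$PLACEHOLDERHASH:19700:0:90:7:::
user5:$5$SALT$PLACEHOLDERHASH:19700:7:90:7:14::
EOF

# audit_shadow SHADOW_FILE TODAY_IN_DAYS
# Prints "account:password-state:aging-state" for every entry.
audit_shadow() {
    awk -F: -v today="$2" '
        {
            pw = $2
            id = substr(pw, 1, 3)    # crypt algorithm prefix
            if (pw == "")            state = "EMPTY_PASSWORD"
            else if (pw ~ /^[!*]/)   state = "LOCKED_OR_NO_LOGIN"
            else if (id == "$1$")    state = "WEAK_MD5"
            else if (id == "$5$")    state = "SHA256"
            else if (id == "$6$")    state = "SHA512"
            else                     state = "OTHER_HASH"

            # Field 5 is the maximum age; empty or 99999 means no expiry.
            if ($5 == "" || $5 >= 99999) aging = "NEVER_EXPIRES"
            else if ($3 + $5 < today)    aging = "EXPIRED"
            else                         aging = "OK"
            print $1 ":" state ":" aging
        }
    ' "$1"
}

# Fixed day number so the result is reproducible; on a live system
# use $(( $(date +%s) / 86400 )) instead.
audit_shadow "$sample_shadow" 19750
```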


The complexity strategy for passwords

Use at least 3 of the following 4 classes: digits, uppercase letters, lowercase letters, and special characters

Long enough

Use random passwords

Change regularly and do not use passwords that have been used recently


Password duration



User and group management commands

User management commands

useradd: add a user

useradd [options] username

-u: specify the UID

useradd -u 1050 user1

-g GID: specify the user's basic group; either a group name or a GID can be given

useradd -g hadoop user2

-G GID: specify the user's additional groups

useradd -G dockr user3

-c "comment": comment information

useradd -c "The user is database user" mysql

-d home_dir: specify the user's home directory

useradd -d /tmp/user4 user4

-s: specify the shell used by the user

useradd -s /bin/csh user5

-N: do not create a private group as the primary group; use the users group instead

useradd -N user6

-m: create a home directory when creating the user

-M: do not create a home directory when creating the user

useradd -M user7

-r: add a system user

useradd -r mail



Files related to new users

/etc/default/useradd

/etc/skel/*: files that are created in the home directory when a user is created, including the user's environment files; .bashrc records command aliases and local environment variables

The defaults used when creating a user are stored in the /etc/default/useradd file.

Show or change default values

useradd -D

useradd -D -s /bin/csh

/etc/login.defs: the user account limits file, covering the maximum number of days before expiry, password length constraints, and so on.


id: view a user's account attribute information

-u: display the user's UID

-g: display the user's GID

-G: display the GIDs of all groups the user belongs to

-n: display names instead of numbers; generally used with the -u option



userdel: delete a user

userdel [option] username

-r: also delete the user's home directory


Modifying user properties

usermod

usermod [options] username

-u UID: modify the user's UID

usermod -u UID username

-g GID: modify the user's basic group

usermod -g hadoop username

-G with -a: add a new additional group; without the -a option, the previous additional groups are overwritten

usermod -aG amind username

-c: change the comment information

usermod -c "My user" username

-d with -m: change the user's home directory and move the user's files

usermod -d /tmp/123 -m username

-s: change the user's shell

usermod -s /bin/bash username

-l: change the user name

usermod -l newname oldname

-L: lock the account

usermod -L username

-U: unlock the account

usermod -U username



su: switch user

su [OPTION]... [-] [USER [ARG]...]

su username: non-login switch; does not read the target user's profile and does not change the current working directory

su - username: login switch; reads the target user's profile and switches to the home directory, a complete switch

su -l username is equivalent to su - username


Note: root does not need to enter a password when switching to a non-root user; a non-root user must enter a password to switch.

passwd: set a password

passwd [OPTION...] <accountName>

With no user name given, passwd modifies the password of the currently logged-on user

-l: lock the account

-u: unlock the account

-d: delete the account's password

-e: force the user to change the password at next logon

-n mindays: specify the minimum password age

-x maxdays: specify the maximum password age

-i: inactivity period: how long after the password expires the account is locked

--stdin: accept the user password from standard input

echo "Redhat" | passwd --stdin username



chage: modify a user's password policy

chage [options] LOGIN

-d: set the date the password was last modified

-E: set the expiration time

-I: set the inactivity time: how long after the password expires the account is locked

-m: set the minimum password lifetime

-M: set the maximum password lifetime

-W: set the number of warning days before the password expires




chfn: modify a user's personal information

chfn username



chsh: change a user's shell

chsh username


finger: view a user's properties

finger username



Group management

groupadd

groupadd [options] groupname

-g GID: create a group with the specified GID

-r: add a system group, whose GID is less than 1000


groupdel: delete a group

groupdel [options] groupname

groupdel test2



gpasswd: group password

gpasswd [option] group

-a user: add the user to the specified group

-d user: remove the user from the group

-A user1,user2,...: set the list of users with administrative rights

newgrp: temporarily switch the basic group; if the user does not belong to the group, a password is required

newgrp groupname



groupmems: change and view group members

groupmems -a user_name | -d user_name | [-g group_name] | -l | -p

-g, --group groupname: select the group to operate on

-a, --add username: add the user to the group

-d, --delete username: remove the user from the group

-p, --purge: clear all members from the group

-l, --list: show the list of group members


groups: view the groups a user belongs to

groups username


1. Create user gentoo with additional groups bin and root, default shell /bin/csh, and the comment "Gentoo distribution"
2. Create the following users, groups, and group memberships:
Group named admins
User natasha, with admins as an additional group
User harry, also with admins as an additional group
User sarah, who cannot log in to the system interactively and is not a member of admins; the password of natasha, harry and sarah is CentOS


This article is from the "Operation and maintenance Career" blog, please make sure to keep this source http://fszxxxks.blog.51cto.com/10122713/1832443
