Linux Learning Notes (12) User and user group management

Source: Internet
Author: User

The higher a server's security requirements, the more it needs a sensible scheme of user permissions and operating rules. In Linux, user information is viewed and modified mainly through the user configuration files.

1 User information files

(1) User information file /etc/passwd

Open the file with vim to see its contents:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin

Each line of the file has 7 colon-separated fields:

The 1st field is the user name;

The 2nd field is the password flag ("x" means the encrypted password is kept in /etc/shadow);

The 3rd field is the UID (user ID). 0 is the superuser: if an ordinary user's UID is changed to 0, the system treats that user as a superuser. 1 to 499 are system users (pseudo-users), which cannot log in and should not be deleted; 500 to 65535 are ordinary users, so the first user created gets UID 500.

The 4th field is the GID (the ID of the user's initial group).

The initial group is the group whose permissions the user holds as soon as they log in. Each user has exactly one initial group; by default it is a group with the same name as the user.

Additional groups are other groups the user has been added to, whose permissions the user also holds; a user can have any number of additional groups.

The 5th field is a description of the user; it is optional.

The 6th field is the home directory. An ordinary user's home directory is normally /home/username/; the superuser's is /root/.

The 7th field is the login shell, the command interpreter. The standard shell is /bin/bash; set it to /sbin/nologin to temporarily disable the user's logins.

(2) Shadow file /etc/shadow

1) Contents of /etc/shadow:

root:$6$NvfaINezKBg3cqn7$bb5im5nrggtoa45clyxaxjud4ydhydltugbfqy51uieax1auorejcypkoag4mruksjgp2xd9lnqxpihefm.4a0:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::

The shadow file has 9 fields:

The 1st field is the user name.

The 2nd field is the encrypted password. CentOS 6.5 uses SHA-512 instead of MD5 for the password hash. If this field is "!!" or "*", the account has no password and cannot log in; such accounts are pseudo-users.

The 3rd field is the date of the last password change, counted in days since January 1, 1970 (the count grows by 1 each day).

The 4th field is the minimum number of days between two password changes (counted from the 3rd field).

The 5th field is the password validity period in days (counted from the date in the 3rd field).

The 6th field is the number of days before the password expires on which a warning is shown (counted back from the 5th field).

The 7th field is the number of grace days after the password expires (counted from the 5th field).

The 8th field is the account expiration time, expressed as a day count. 0 means the password becomes invalid as soon as it expires; 1 means the password never expires.

The 9th field is reserved.

2) Converting timestamps

Convert a day count into a date with the following command:

date -d "1970-01-01 16461 days"

Convert a date into a day count with the following command:

[root@localhost ~]# echo $(($(date --date="2015/01/26" +%s)/86400+1))
16461

(3) Group information file and group password file

1) Group information file /etc/group

[root@localhost ~]# vim /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon

The group information file has 4 fields:

The 1st field is the group name;

The 2nd field is the group password flag (group passwords are not used);

The 3rd field is the GID (group ID);

The 4th field lists the users who have this group as an additional group.

2) Group password file /etc/gshadow

[root@localhost ~]# vim /etc/gshadow
root:::
bin:::bin,daemon
daemon:::bin,daemon
sys:::bin,adm
adm:::adm,daemon

The group password file also has 4 fields:

The 1st field is the group name;

The 2nd field is the group password;

The 3rd field is the user name of the group administrator;

The 4th field lists the users who have this group as an additional group.

2 Files related to user management

1) The user's home directory

An ordinary user's home directory is normally /home/username/; its owner and group are the user, and its permissions are drwx------ (only the owner can enter it).

The superuser's home directory is /root/, owned by user root and group root. If an ordinary user is turned into a superuser, their home directory does not change.

2) The user's mailbox

A new user's mailbox is normally /var/spool/mail/username.

3) The user template directory

The user template directory is /etc/skel; whenever a user is created, the contents of this directory are copied into the new user's home directory.

3 User management commands

(1) useradd

1) Format: useradd [options] username

Options: -u UID sets the UID manually; -d directory sets the home directory; -c description sets the user description; -g group sets the initial group; -G group sets an additional group; -s shell sets the login shell, which defaults to /bin/bash.

2) Adding a user with the defaults

Example: add the user ws with the default settings:

[root@localhost ~]# useradd ws

This changes the user information files, which can be checked with the following commands:

[root@localhost ~]# grep ws /etc/passwd
ws:x:500:500::/home/ws:/bin/bash
[root@localhost ~]# grep ws /etc/shadow
ws:!!:16436:0:99999:7:::
[root@localhost ~]# grep ws /etc/group
ws:x:500:
[root@localhost ~]# grep ws /etc/gshadow
ws:!::
[root@localhost ~]# ll -d /home/ws/
drwx------. 2 ws ws 4096 Jan  1 --:-- /home/ws/
[root@localhost ~]# ll /var/spool/mail/ws
-rw-rw----. 1 ws mail 0 Jan  1 --:-- /var/spool/mail/ws

Example: adding a user with specified options (only the options that survive in the notes are shown):

useradd -u 550 \
  -c "Test User" \
  -s /bin/bash ws1

Here "\" continues the command on the next line.

3) User default files

① /etc/default/useradd

[root@localhost ~]# vim /etc/default/useradd
GROUP=                  # default group
HOME=/home              # base directory for users' home directories
INACTIVE=-1             # grace days after password expiry (shadow 7th field)
EXPIRE=                 # password expiration time
SHELL=/bin/bash         # default shell
SKEL=/etc/skel          # template directory
CREATE_MAIL_SPOOL=yes   # whether to create a mailbox

② /etc/login.defs

PASS_MAX_DAYS   99999   # password validity period
PASS_MIN_DAYS   0       # minimum interval between password changes
PASS_MIN_LEN    5       # minimum password length
PASS_WARN_AGE   7       # warning days before the password expires
UID_MIN         500     # minimum and maximum UID range
UID_MAX         60000
ENCRYPT_METHOD  SHA512  # hashing method

(2) Changing a user's password

Command format:

passwd [options] username

A user changing their own password just runs passwd. Options: -S shows the user's password status (root only); -l temporarily locks the user, which in practice prepends an exclamation mark "!" to the password field in /etc/shadow; -u unlocks the user; --stdin reads the password from a pipe (commonly used in shell scripts).
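The password flags from section 1 ("x", "!!", "*") and the "!" lock prefix just described, applied as an audit over constructed /etc/passwd and /etc/shadow entries. This is an added example, not code from the original notes; the user names, UIDs and placeholder hashes are made up for the example.

```python
# Added example, not from the original notes; sample entries are constructed
# and the "$6$..." hashes are placeholders, not real SHA-512 crypt output.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ws:x:500:500::/home/ws:/bin/bash
ws1:x:550:550:Test User:/home/ws1:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$placeholderhash:16363:0:99999:7:::
bin:*:15980:0:99999:7:::
ws:!!:16436:0:99999:7:::
ws1:!$6$saltsalt$placeholderhash:16436:0:99999:7:::
backup:$6$saltsalt$placeholderhash:16436:0:99999:7:::
"""
PASSWD_FIELDS = ["name", "pwflag", "uid", "gid", "gecos", "home", "shell"]
SHADOW_FIELDS = ["name", "hash", "last", "min", "max", "warn", "inactive", "expire", "reserved"]

def parse_colon_file(text, names):
    """Split each line on ':' and key the field dicts by the 1st field (user name)."""
    rows = {}
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        rows[fields[0]] = dict(zip(names, fields))
    return rows

def password_state(hash_field):
    """Classify the 2nd shadow field the way the notes describe it."""
    if hash_field in ("!!", ""):
        return "no password set"
    if hash_field == "*":
        return "no password (pseudo-user)"
    if hash_field.startswith("!"):
        return "locked (passwd -l / usermod -L)"
    return "hashed password"

def audit(passwd_text, shadow_text):
    """Flag extra UID 0 accounts, users missing from shadow, and unusable passwords on accounts that still have a login shell."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    findings = []
    for name, p in passwd.items():
        if p["uid"] == "0" and name != "root":
            findings.append(f"{name}: UID 0 (treated as superuser)")
        if name not in shadow:
            findings.append(f"{name}: no /etc/shadow entry")
            continue
        state = password_state(shadow[name]["hash"])
        if state != "hashed password" and p["shell"] not in ("/sbin/nologin", "/bin/false"):
            findings.append(f"{name}: {state} but login shell {p['shell']}")
    return findings
```

A locked or empty password only blocks password logins; an account with a real shell may still be reachable by other means, so the audit reports the shell alongside the password state.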

(3) Changing user information with usermod and password status with chage

1) usermod command format

usermod [options] username

Options: -u changes the user's UID; -G changes the user's additional groups; -c changes the user description; -L temporarily locks the user; -U unlocks the user.

2) chage command format

chage [options] username

Options: -l lists the user's detailed password status; -d date sets the date of the last password change (shadow 3rd field); -m days sets the minimum interval between password changes (shadow 4th field); -M days sets the password validity period (5th field); -W days sets the warning days before expiry (6th field); -I days sets the grace days after expiry (7th field); -E date sets the account expiration time (8th field).

Example:

chage -d 0 ws   # sets the password change date to 0, so the user must change the password at the next login
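The aging fields of /etc/shadow (3rd to 8th), the day-count conversion from section 1(2) and the effect of chage -d 0, worked through in an added example (Python; not code from the original notes). It assumes the same day-count convention as the date commands above.

```python
# Added example, not from the original notes: shadow aging arithmetic (fields
# 3-8) plus the day-count conversion, reported in the style of chage -l.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def days_to_date(days):
    """Day count since 1970-01-01 -> date; same as: date -d "1970-01-01 N days"."""
    return EPOCH + timedelta(days=int(days))

def date_to_days(d):
    """date -> day count. The +1 in the shell one-liner above compensates for a
    time zone east of UTC, where local midnight falls on the previous UTC day."""
    return (d - EPOCH).days

def aging_report(shadow_line):
    """Return a dict of chage -l style values for one /etc/shadow line."""
    f = shadow_line.split(":")
    if len(f) != 9:
        raise ValueError("a shadow line has 9 fields")
    last, min_days, max_days, warn, inactive, expire = f[2:8]
    r = {"user": f[0], "min_days": int(min_days or 0), "warn_days": int(warn or 7),
         "max_days": int(max_days or 99999), "must_change_now": last == "0"}
    if last == "0":                       # chage -d 0: forced change at next login
        status = "password must be changed"
        r.update(last_change=status, password_expires=status, password_inactive=status)
    elif last == "" or r["max_days"] >= 99999:
        r["last_change"] = days_to_date(last) if last else "never"
        r["password_expires"] = r["password_inactive"] = "never"
    else:
        r["last_change"] = days_to_date(last)
        exp = days_to_date(int(last) + r["max_days"])       # field 3 + field 5
        r["password_expires"] = exp
        # field 7 counts from the expiry date; empty or -1 means never inactive
        r["password_inactive"] = ("never" if inactive in ("", "-1")
                                  else exp + timedelta(days=int(inactive)))
    # field 8 is an absolute day count, independent of the password dates
    r["account_expires"] = days_to_date(expire) if expire else "never"
    return r
```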

(4) Deleting users with userdel, and switching users

1) userdel command format

userdel [-r] username

The -r option also deletes the user's home directory when the user is deleted. Alternatively, a user can be deleted by removing its lines from the files above by hand.

2) Switch command format

su [options] username

Only the "-" option also switches the environment variables to those of the target user; -c runs a single command as that user instead of switching to the user's identity.

Example: run useradd to add the user user1 as root without switching to root:

su - root -c "useradd user1"

4 User group management

1) Add a user group: groupadd [options] groupname

The -g option specifies the GID.

2) Modify a user group: groupmod [options] groupname

The -g option changes the group ID; -n changes the group name (generally not recommended).

Example: rename the group ws to wstest:

[root@localhost ~]# groupmod -n wstest ws

3) Delete a user group: groupdel groupname

Note: a group cannot be deleted while it is some user's initial group; users who have it only as an additional group do not prevent deletion.
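The group file format from section 1(3) and the groupdel rule just stated, worked through in an added example (Python; not code from the original notes). The passwd and group entries are constructed for the example; the wstest group with GID 600 is an assumption.

```python
# Added example, not from the original notes: resolve initial and additional group
# membership from constructed passwd/group lines and apply the groupdel rule.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ws:x:500:500::/home/ws:/bin/bash
ws1:x:550:550:Test User:/home/ws1:/bin/bash
"""
GROUP = """\
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
ws:x:500:
ws1:x:550:
wstest:x:600:ws1
"""

def parse_passwd(text):
    """user name -> GID of the initial group (4th passwd field)."""
    return {l.split(":")[0]: l.split(":")[3] for l in filter(None, text.splitlines())}

def parse_group(text):
    """group name -> (GID, set of additional members from the 4th group field)."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _flag, gid, members = line.split(":")
        groups[name] = (gid, set(filter(None, members.split(","))))
    return groups

def memberships(passwd_text, group_text):
    """user -> (initial group name, sorted additional groups)."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    out = {}
    for user, gid in parse_passwd(passwd_text).items():
        extra = sorted(g for g, (_, members) in groups.items() if user in members)
        out[user] = (gid_to_name.get(gid, f"<no group with GID {gid}>"), extra)
    return out

def can_delete_group(passwd_text, group_text, group_name):
    """groupdel refuses when the group is a user's initial group; additional members alone do not block it."""
    groups = parse_group(group_text)
    if group_name not in groups:
        return False, "no such group"
    gid = groups[group_name][0]
    owners = [u for u, g in parse_passwd(passwd_text).items() if g == gid]
    if owners:
        return False, "initial group of " + ", ".join(owners)
    return True, "ok"
```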

4) Add a user to a group or remove a user from a group

gpasswd [options] groupname

The -a option adds the user to the group; -d removes the user from the group.

Example: create a new user ws1, add it to the wstest group, then remove it again:

[root@localhost ~]# useradd ws1
[root@localhost ~]# echo "ws1" | passwd --stdin ws1
Changing password for user ws1.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# gpasswd -a ws1 wstest
Adding user ws1 to group wstest
[root@localhost ~]# gpasswd -d ws1 wstest
Removing user ws1 from group wstest
