Linux system users and user group management

Source: Internet
Author: User

"Understanding /etc/passwd and /etc/shadow"

These two files are among the most important files in a Linux system. If they are missing or broken, you won't be able to log in to the Linux system properly.

/etc/passwd is divided into 7 fields by ':'. The meaning of each field is:

1) User name (for example, root at the start of the first line is a user name): the string that represents the user account. A user name may contain uppercase and lowercase letters, digits, minus signs (not as the first character), dots, and underscores; any other character is illegal. Although a dot is allowed in a user name, it is not recommended, especially as the first character; the minus sign is also not recommended, because it easily causes confusion.

2) The account's password. Why is it 'x'? Early Unix systems really did store the password here, but for security reasons it was later moved to /etc/shadow, and only an 'x' is left here in its place.

3) The user identification number, also called the UID. The system identifies a user by this number. 0 is root; that is, if you change the UID of the test user to 0, the system will treat root and test as the same account. The UID usually ranges from 0 to 65535: 0 is root's identification number, 1~499 are reserved by the system for administrative accounts, and ordinary users start from 500. If you create an ordinary user yourself, you will see that its identification number is greater than or equal to 500.

4) The group identification number, also called the GID. This field corresponds to a record in /etc/group; in fact, /etc/group and /etc/passwd are largely similar.

5) Comment field. It has no functional meaning and typically records some of the user's attributes, such as name, phone, address, and so on. However, this information is displayed when you use finger (described later).

6) The user's home directory, which is the directory the user is in after logging in. root's home directory is /root, and an ordinary user's home directory is /home/username. This field can be customized: for example, if you create an ordinary user test1 and want test1's home directory to be /data, just change this field in the test1 line of /etc/passwd to /data.

7) The shell. After logging in, the user starts a process that passes the user's instructions to the kernel; this is the shell. Linux has many shells, such as sh, csh, ksh, tcsh, and bash; the shell on RedHat/CentOS is bash. If you look at /etc/passwd, besides /bin/bash this field often contains /sbin/nologin, which indicates that the account is not allowed to log in. If you want to create an account that cannot log in, change this field to /sbin/nologin; the default is /bin/bash.

Now look at /etc/shadow. Like /etc/passwd, it is divided by ':', into 9 fields.

1) User name, corresponding to the one in /etc/passwd.

2) User password. This is the account's real password, but it has been encrypted; even so, some hackers can still decrypt it. So for security, the file's permissions are set to 600, allowing only root to read and write it.

3) The date the password was last changed, counted in days from January 1, 1970 to the date of the last change. For example, if the password was last changed on January 1, 2012, this value is 365*(2012-1970)+1=15331.

4) How many days must pass before the password can be changed; the default is 0, that is, unlimited.

5) How many days until the password expires, that is, the number of days within which you must change the password. For example, if it is set to 30, you must change the password within 30 days, otherwise you will not be able to log in to the system. The default is 99999, which can be understood as never needing to change it.

6) The warning period before the password expires. If this value is set to 7, then when the password will expire in 7 days, the system warns the user that the password will expire after 7 days.

7) Account expiration period. If you set this value to 3, it means: the password has expired and the user did not change it before expiry; then, after 3 more days, the account becomes invalid, that is, locked.

8) The lifetime of the account. As in the third field, it is counted in days from January 1, 1970. The account can be used before this date and becomes invalid after it.

9) Reserved; it has no meaning.
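
The fields described above can be checked mechanically. The following is an added example, not part of the original article: shell functions that read passwd- and shadow-format files passed as parameters and report UID 0 accounts, accounts allowed to log in, and each account's password aging state. The function names, status labels and sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd- and shadow-format files using the fields described above.
# All sample records are constructed; paths are parameters so nothing touches /etc.

# Accounts whose UID (passwd field 3) is 0: the system treats each of them as root.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shell (passwd field 7) is not /sbin/nologin, i.e. allowed to log in.
login_accounts() {
    awk -F: '$7 != "/sbin/nologin" { print $1 }' "$1"
}

# Print "user:status" per shadow line; $2 is today's day number since 1970-01-01.
# Fields: 3 last change, 5 max age, 6 warning days, 7 inactive days, 8 account expiry.
shadow_status() {
    awk -F: -v today="$2" '
        $8 != "" && today > $8   { print $1 ":account-expired"; next }
        $5 == "" || $5 >= 99999  { print $1 ":password-never-expires"; next }
        { expire = $3 + $5; grace = ($7 == "") ? 0 : $7 }
        today > expire + grace   { print $1 ":locked"; next }
        today > expire           { print $1 ":password-expired"; next }
        expire - today <= $6     { print $1 ":expires-in-" (expire - today); next }
                                 { print $1 ":ok" }
    ' "$1"
}

# Write the constructed sample files into directory $1.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test:x:0:500::/home/test:/bin/bash
test1:x:501:501::/data:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$CONSTRUCTED:19000:0:99999:7:::
test:$6$salt$CONSTRUCTED:19000:0:30:7:3::
test1:$6$salt$CONSTRUCTED:18990:0:30:7:3::
test11:$6$salt$CONSTRUCTED:19020:0:30:7:::
temp:$6$salt$CONSTRUCTED:19020:0:30:7::19010:
EOF
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
echo "UID 0: $(uid0_accounts "$demo_dir/passwd" | tr '\n' ' ')"
shadow_status "$demo_dir/shadow" "$(( $(date +%s) / 86400 ))"
```

On a real system the same functions can be pointed at /etc/passwd and, as root, /etc/shadow; any name other than root printed by uid0_accounts deserves a closer look.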

"Creating/deleting users and user groups"

A. Add a new group: groupadd [-g GID] groupname

Without -g, the group is created with the system default GID; as with users, GIDs also start from 500.

The -g option sets a custom GID.

B. Delete a group: groupdel groupname

There are no special options.

C. Add a user: useradd [-u UID] [-g GID] [-d HOME] [-M] [-s]

-u sets a custom UID

-g makes the user part of an already existing GID

-d sets a custom home directory for the user

-M does not create the home directory

-s sets a custom shell

You will find that when test11 is created with the -M option, the sixth field of the test11 line in /etc/passwd still contains /home/test11, but when you look at that directory with ls, you are told that it does not exist.

The function of the -M option is to not create the user's home directory.

D. Delete a user: userdel [-r] username

With the -r option, the user's home directory is removed along with the user.

"chfn: change the user's finger information (not commonly used)"

The previous section mentioned finger, which displays the information in the 5th field of /etc/passwd. So how do you set this information?

This is what the chfn command does. After the change, you will see the relevant information in the fifth field of the test user's line in /etc/passwd; it is empty by default.

"Create/modify a user's password: passwd [username]"

A newly created account has no password by default, and although it has no password, the account also cannot log in to the system. It can log in only after a password has been set.

When creating a password for a user, make it as complex as possible for security reasons. You can set the password according to these rules: a. length greater than 10 characters; b. the password contains uppercase and lowercase letters, digits, and special characters (*, &, etc.); c. no regular patterns (do not use words or numbers such as root, happy, love, linux, 123456, 111111); d. do not use your name, company name, phone number, birthday, and so on.

Running passwd without a user name changes the current user's password. Here the current user is root, so what gets changed is root's password; with test after it, it changes test's password.

"Switching user identity"

On a Linux system, there are some things an ordinary user cannot do and only the root user can. In that case, you need to switch to root temporarily.

Log in to the Linux system with the test account and then use su - to switch to root, provided you know the root password.

You can use echo $LOGNAME to view the name of the currently logged-in user.

The syntax of su is: su [-] username

The "-" is optional. When an ordinary user runs su without a username, it switches to the root user; of course, the root user can also su to an ordinary user.

With "-", the user's environment variables are switched as well. With su test, the current directory after switching to the test user is still /root, the directory you were in before the switch; with su - test, you are switched into test's home directory /home/test. When root switches to an ordinary user, no password is required. This also reflects the supremacy of root's privileges.

su makes it possible to switch user identity, but if every ordinary user can switch to root and one of them accidentally leaks the root password, isn't the system very insecure? Exactly, and the sudo command was created to address this problem. With sudo you can execute a command that only root can run, but the password it asks for is not the root password; it is the user's own password. By default only the root user can use the sudo command. For an ordinary user to use sudo, root must set it up in advance, that is, edit the configuration file /etc/sudoers with the visudo command. If the visudo command is not available, install it with "yum install -y sudo".

By default root can use sudo because this file contains the line "root ALL=(ALL) ALL"; adding "test ALL=(ALL) ALL" under that line gives the test user sudo rights. Adding one line for every additional user is too much trouble, so you can set it up this way.

Remove the "#" in front of the line so that the line takes effect. It means that all users in the wheel group have sudo rights. Next, you need to add all the users who should have sudo rights to the wheel group.

You may as well try it along with the author; it is very interesting.
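
To see who actually ends up with sudo rights after such a change, the following added example (not part of the original article) lists the users granted full sudo by a sudoers-format file, expanding group entries through a group-format file. It assumes the commented line referred to above is the stock "%wheel ALL=(ALL) ALL" entry; the function names, the GID 10 and all sample records are constructed.

```sh
#!/bin/sh
# Added example: list who holds full sudo rights according to sudoers- and group-format files.
# Handles only plain "name ALL=(ALL) ALL" lines (no aliases or includes); samples are constructed.

# Names on active (uncommented) "ALL=(ALL) ALL" lines; group entries start with "%".
sudo_entries() {
    awk '!/^[ \t]*#/ && $2 == "ALL=(ALL)" && $3 == "ALL" { print $1 }' "$1"
}

# Expand %group entries into the members listed in field 4 of the group file.
# Users whose primary group (passwd field 4) is that group are not covered here.
sudo_users() {   # $1 = sudoers-format file, $2 = group-format file
    sudo_entries "$1" | while read -r name; do
        case $name in
            %*) awk -F: -v g="${name#?}" '$1 == g {
                    n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2" ;;
            *)  echo "$name" ;;
        esac
    done | sort -u | tr '\n' ' '
}

# Constructed samples: the same sudoers file before and after uncommenting the wheel line.
write_sudo_samples() {
    printf '%s\n' 'root  ALL=(ALL)  ALL' 'test  ALL=(ALL)  ALL' \
        '# %wheel  ALL=(ALL)  ALL' > "$1/sudoers.before"
    printf '%s\n' 'root  ALL=(ALL)  ALL' 'test  ALL=(ALL)  ALL' \
        '%wheel  ALL=(ALL)  ALL' > "$1/sudoers.after"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:test1,test11' 'test:x:500:' > "$1/group"
}

sudo_dir=$(mktemp -d) && write_sudo_samples "$sudo_dir"
echo "before: $(sudo_users "$sudo_dir/sudoers.before" "$sudo_dir/group")"
echo "after:  $(sudo_users "$sudo_dir/sudoers.after" "$sudo_dir/group")"
```

Once the wheel line is active, every member of the wheel group gains sudo, so the group's membership list becomes the thing to review.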
