Linux system users and user group management

Source: Internet
Author: User

User Group Management

1. groupadd

Function description: Create a new group.
Syntax: groupadd [-g gid [-o]] [-r] [-f] [group name]
Additional note: groupadd creates a new group account with the specified group name. New group values can be obtained from the system when needed.

Parameters:
-g <group ID>  Set the group ID that you want to use.

Example:

Without -g, the group is created with the system's default GID; as with users, GIDs also start from 500.

The -g option sets a custom GID.

2. groupdel

Function description: Delete a group.
Syntax: groupdel [group name]
Additional note: When you need to delete a group from the system, use the groupdel command. If some users are still included in the group, you must delete those users before you can delete the group.

Example:

There are no special options.

3. groupmod

Function description: Change the group ID or name.
Syntax: groupmod [-g <group ID> <-o>][-n <new group name>][group name]
Additional note: When you need to change a group's ID or name, use the groupmod command.
Parameters:
-g <group ID>  Set the group ID you want to use.
-o  Re-use the group ID.
-n <new group name>  Set the name of the group you want to use.

User Management

1. useradd

Function description: Create a user account.
Syntax: useradd [-mMnr][-c <remarks>][-d <login directory>][-e <expiration>][-f <buffer days>][-g <group>][-G <groups>][-s <shell>][-u <uid>][user account] or useradd -D [-b][-e <expiration>][-f <buffer days>][-g <group>][-G <groups>][-s <shell>]
Additional note: useradd is used to create user accounts. After the account is created, use passwd to set its password. You can delete an account with userdel. Accounts created with the useradd command are saved in the /etc/passwd text file.
Parameters:
-c <remarks>  Add remarks text. The text is saved in the remarks field of /etc/passwd.
-d <login directory>  Specify the start directory for user login.
-D  Change the preset values.
-e <expiration>  Specify the expiration date of the account.
-f <buffer days>  Specify how many days after the password expires the account is closed.
-g <group>  Specify the group to which the user belongs.
-G <groups>  Specify additional groups to which the user belongs.
-m  Automatically create the user's login directory.
-M  Do not automatically create the user's login directory.
-n  Do not create a group named after the user name.
-r  Create a system account.
-s <shell>  Specify the shell to use when the user logs in.
-u <uid>  Specify the user ID.

Example

You will find that when you create test11 with the -M option, the sixth field of the test11 row in /etc/passwd still contains /home/test11, but when you run ls on that directory, it reports that the directory does not exist.

The function of the -M option is to not create the user's home directory.

2. userdel

Function description: Delete a user account.
Syntax: userdel [-r][user account]
Additional note: userdel can delete the user account and related files. Without parameters, only the user account is deleted, not the related files.
Parameters:
-r  Delete the user's login directory and all files in the directory.

Example:

With the -r option, the user's home directory is removed along with the user.

3. usermod

Function description: Modify a user account.
Syntax: usermod [-LU][-c <remarks>][-d <login directory>][-e <expiration>][-f <buffer days>][-g <group>][-G <groups>][-l <account name>][-s <shell>][-u <uid>][user account]
Additional note: usermod is used to modify user account settings.
Parameters:
-c <remarks>  Modify the remarks text for the user account.
-d <login directory>  Modify the user's login directory.
-e <expiration>  Modify the expiration date of the account.
-f <buffer days>  Modify the number of days after the password expires before the account is closed.
-g <group>  Modify the group to which the user belongs.
-G <groups>  Modify the additional groups to which the user belongs.
-l <account name>  Modify the user account name.
-L  Lock the user password, making the password invalid.
-s <shell>  Modify the shell used when the user logs in.
-u <uid>  Modify the user ID.
-U  Unlock the password.

Other related commands

1. passwd (password)

Function description: Set the password.
Syntax: passwd [-dklS][-u <-f>][user name]
Additional note: The passwd command allows users to change their own passwords, while system administrators can use it to manage the passwords of the system's users. Only the administrator can specify a user name; ordinary users can only change their own password.
Parameters:
-d  Remove the password. This parameter is only available to system administrators.
-f  Force the operation.
-k  Update the password only after it has expired.
-l  Lock the password.
-S  List information about the password. This parameter is only available to system administrators.
-u  Unlock the locked account.

2. su (super user)

Function description: Change user identity.
Syntax: su [-flmp][--help][--version][-][-c <command>][-s <shell>][user account]
Additional note: su allows a user to temporarily change login identity. To change, you must enter the account and password of the user you are changing to.
Parameters:
-c <command> or --command=<command>  After executing the specified command, restore the original identity.
-f or --fast  Suitable for csh and tcsh; the shell does not read its startup files.
-, -l or --login  When changing identity, also change the working directory and the HOME, SHELL, USER and LOGNAME variables. In addition, the PATH variable is changed.
-m, -p or --preserve-environment  Do not change the environment variables when changing identity.
-s <shell> or --shell=<shell>  Specify the shell to execute.
--help  Display help.
--version  Display version information.
[user account]  Specify the user to change to. If you do not specify this parameter, the default is to change to root.

3. sudo

Function description: Execute a command as a different identity.
Syntax: sudo [-bhHpV][-s <shell>][-u <user>][command] or sudo [-klv]
Additional note: sudo allows a user to execute the specified command under a different identity, with root as the default identity. The users who may run sudo are configured in /etc/sudoers. If an unauthorized user attempts to use sudo, a warning message is sent to the administrator. When using sudo, the user must first enter the password, which then stays valid for 5 minutes; after that period the password must be entered again.
Parameters:
-b  Execute the command in the background.
-h  Display help.
-H  Set the HOME environment variable to the HOME of the new identity.
-k  Expire the password, so that it must be entered the next time sudo is executed.
-l  List the commands that the current user can and cannot execute.
-p  Change the prompt used to ask for the password.
-s <shell>  Execute the specified shell.
-u <user>  Use the specified user as the new identity. If this parameter is not given, the new identity defaults to root.
-v  Extend the password validity for another 5 minutes.
-V  Display version information.

Understanding /etc/passwd and /etc/shadow

These two files are among the most important files in a Linux system. If they are missing or broken, you won't be able to log on to the Linux system properly.

/etc/passwd is divided into 7 fields by ':', and the specific meaning of each field is:

1) User name (for example, root in the first row), the string representing the user account. A user name may contain uppercase and lowercase letters, digits, minus signs (not as the first character), dots, and underscores; other characters are illegal. Although dots are allowed in a user name, they are not recommended, especially as the first character. Minus signs are not recommended either, because they easily cause confusion.

2) The account's password. Why is it 'x'? Early Unix systems actually stored the password here, but for security reasons it was later moved to /etc/shadow, and only an 'x' is kept here as a placeholder.

3) The user identification number, also called the UID. The system identifies the user by this number. 0 is root; that is, if you change the UID of the user test to 0, the system will treat root and test as the same account. The UID usually ranges from 0 to 65535: 0 is the root identification number, 1 to 499 are reserved by the system for management accounts, and ordinary user identification numbers start from 500. If you create an ordinary user yourself, you will see that its identification number is greater than or equal to 500.

4) The group identification number, also called the GID. This field corresponds to a record in /etc/group; in fact, /etc/group and /etc/passwd are basically similar.

5) Remarks. This field has no functional meaning and typically records some of the user's attributes, such as name, phone, address, and so on. However, this information is displayed when you use the finger feature (described later).

6) The user's home directory, which is the directory the user is in after logging in. The home directory of root is /root, and an ordinary user's home directory is /home/username. This field can be customized: for example, if you create an ordinary user test1 and want its home directory to be /data, just change this field in the test1 line of /etc/passwd to /data.

7) Shell. After logging in, the user starts a process that passes the user's instructions to the kernel; this is the shell. Linux has many shells, such as sh, csh, ksh, tcsh, and bash; the shell on Red Hat/CentOS is bash. If you view the /etc/passwd file, besides /bin/bash you will see many entries with /sbin/nologin, which indicates that the account is not allowed to log on. If you want to create an account that cannot log in, change this field to /sbin/nologin; the default is /bin/bash.
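
The field rules above can be checked mechanically. The following is an added example, not part of the original article: it audits passwd-format lines for non-root accounts with UID 0, empty or non-'x' password fields, system UIDs that still have a login shell, and malformed rows. The function names, finding labels and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format lines for the risks described above.

# Constructed sample data in /etc/passwd format (not from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/bin/bash
test:x:0:500:test user:/home/test:/bin/bash
test1:x:501:501::/data:/bin/bash
test2::502:502::/home/test2:/bin/bash
legacy:HASHPLACEHOLDER:504:504::/home/legacy:/bin/bash
broken:x:503:503:/home/broken
EOF
}

# audit_passwd [uid_min]: read passwd-format lines on stdin, print findings.
# uid_min is the first ordinary-user UID; 500 is the value this page uses
# (many current distributions set UID_MIN to 1000 in /etc/login.defs).
audit_passwd() {
    awk -F: -v uid_min="${1:-500}" '
    # A valid entry has exactly 7 colon-separated fields.
    NF != 7 { print "MALFORMED " $1 " (" NF " fields)"; next }
    # Any UID 0 entry is root-equivalent, whatever its name.
    $3 ~ /^0+$/ && $1 != "root" { print "UID0 " $1 }
    # An empty field 2 means no password is required.
    $2 == "" { print "EMPTY_PASSWORD_FIELD " $1 }
    # Anything other than x, * or ! means a hash sits in the world-readable file.
    $2 !~ /^[x*!]?$/ { print "HASH_IN_PASSWD " $1 }
    # Reserved (system) UIDs should not have a login shell.
    $3 + 0 > 0 && $3 + 0 < uid_min + 0 && $7 !~ /(nologin|false)$/ {
        print "SYSTEM_LOGIN_SHELL " $1 " " $7
    }'
}

sample_passwd | audit_passwd
```

On a live system, run it as audit_passwd < /etc/passwd.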

Now take a look at the /etc/shadow file. Similar to /etc/passwd, it is divided by ':' into 9 fields.

1) User name, corresponding to /etc/passwd.

2) User password. This is the real password of the account. It is stored encrypted, but some attackers can still crack it. So for security, the file permission is set to 600, allowing only root to read and write it.

3) The date the password was last changed. This is the number of days from January 1, 1970 to the date the password was last changed. For example, if the password was last changed on January 1, 2012, this value is 365*(2012-1970)+1=15331.

4) The number of days that must pass before the password can be changed. The default is 0, that is, unlimited.

5) The number of days after which the password expires, that is, the number of days within which you must change the password. For example, if it is set to 30, you must change the password within 30 days, otherwise you will not be able to log on to the system. The default is 99999, which can be understood as never needing to change it.

6) The warning period before the password expires. If the value is set to 7, the system warns the user when the password will expire in 7 days.

7) The account inactivation period. If you set this value to 3, it means: the password has expired and the user did not change it before expiry; 3 days after that, the account becomes invalid, that is, locked.

8) The lifetime of the account. As with the third field, it is counted as the number of days from January 1, 1970. The account can be used before this date and becomes invalid after it.

9) Reserved for future use; it has no meaning.
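
To show how the aging fields combine, here is an added example (not part of the original article) that classifies shadow-format entries as locked, without a password, in the warning period, expired, inactive or account-expired for a given day number. The function names, state labels, sample rows and the treatment of boundary days are assumptions of this sketch; the leading '!' is what usermod -L places in front of the stored password.

```shell
#!/bin/sh
# Added example: classify shadow-format entries by lock and aging state.

# Constructed sample data in /etc/shadow format; the hash is a placeholder.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
alice:$6$CONSTRUCTED$placeholder:19015:0:30:7:3::
bob:$6$CONSTRUCTED$placeholder:19008:0:30:7:3::
carol:$6$CONSTRUCTED$placeholder:19000:0:30:7:3::
dave:!$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
eve::19000:0:99999:7:::
frank:$6$CONSTRUCTED$placeholder:19030:0:99999:7::19039:
EOF
}

# shadow_status TODAY: read shadow-format lines on stdin and print
# "name STATE". TODAY is a day number counted from January 1, 1970;
# on a live system use: $(( $(date +%s) / 86400 ))
shadow_status() {
    awk -F: -v today="$1" '
    function state(   left) {
        if ($2 == "")      return "NO_PASSWORD"   # field 2 empty
        if ($2 ~ /^[!*]/)  return "LOCKED"        # e.g. after usermod -L
        if ($8 != "" && today + 0 >= $8 + 0) return "ACCOUNT_EXPIRED"
        if ($3 == "" || $5 == "") return "OK"     # no aging configured
        left = $3 + $5 - today                    # days until expiry
        if (left < 0)                             # field 7 is the grace period
            return ($7 != "" && -left > $7 + 0) ? "INACTIVE" : "PASSWORD_EXPIRED"
        if ($6 != "" && left <= $6 + 0) return "WARN " left
        return "OK"
    }
    NF != 9 { print $1, "MALFORMED"; next }
            { print $1, state() }'
}

# Day 19040 is a fixed, constructed "today" so the output is reproducible.
sample_shadow | shadow_status 19040
```

Reading the real /etc/shadow requires root, in line with the 600 permission described above.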
