Linux User and Group management

Source: Internet
Author: User
Tags: md5, encryption

1. Linux user management: user types, authentication mechanism and user-related configuration files

1.1 Users, user groups and user types
User: a user is the identity under which a person (or a program acting for one) is known to the system. It may be presented as a user name plus a password or some other identification mechanism, but internally it is mapped to one unique numeric identifier, the user ID (UID).
Users are divided into three categories: the superuser, normal users and virtual (system) users.
Superuser: root, uid=0. Unrestricted power over the system.
Virtual (system) user: exists so that files can be owned and services can run under a non-root identity; cannot be used for interactive login. uid=1-499 on CentOS 6, 1-999 on CentOS 7.
For example: bin:x:1:1:bin:/bin:/sbin/nologin
Normal user: created by the administrator (root). uid=500 and above on CentOS 6, 1000 and above on CentOS 7.
User group: a collection of users with common characteristics. A group can contain many users, and a user can belong to several groups. Groups exist so that administrators can manage users and grant access collectively. Groups are likewise divided into two categories: system groups and normal groups.
Relationships between users and groups:
One-to-one: a user is the only member of its group
One-to-many: a user belongs to several groups, exactly one of which is the primary group; the rest are supplementary (additional) groups
Many-to-one: several users belong to the same group
Many-to-many: several users each belong to several groups
1.2 Authentication mechanism
Authentication is the process of binding a user identity to some identification technique on the system (a password, a key, a token). Authentication is not the end of the story: authorization then restricts what that identity may do with resources on the system, including creating and deleting them. Finally, auditing records what the identity did so that a supervisory authority can decide whether the granted authorization was used reasonably. Together these are called AAA:
Authentication: establishes who the user is (the relationship between the user and the system's identifiers)
Authorization: what the user may do (create, delete, and so on)
Auditing: supervision of how the granted rights were used

So for an operating system, the first thing that happens after installation is a login with a user name and password.
1) After login the system authorizes the session based on the user name. Linux's built-in authorization model is coarse: essentially a two-tier scheme with only administrators and ordinary users. The administrator (root) has global rights; an ordinary user has full rights over their own resources and, for system-level resources, usually only read and execute rights. Finer control exists through sudo, capabilities and mandatory access control, but the basic model is two-tier.

2) The system also attaches owner, group and other permission bits to every file, which completes the mapping from users to resources. The owner is the user who owns the resource and normally has full control over it.

3) Each user's use of system resources, above all login authentication, is written to log files. The operating system does not audit every step a user takes by default; to get that you need a system-wide audit mechanism such as the Linux audit framework (auditd), which can record every operation of any user. SELinux is a related but different thing: it enforces mandatory access control and reports its denials through that same audit log. All system logs live under /var/log.
1.3 User-related configuration files
/etc/passwd: users and their attributes
We can use the cat command to view the file; the listing below is an excerpt.

First column (fields are colon-delimited): user name
Second column: password field (now the placeholder x; the hash lives in /etc/shadow)
Third column: UID number. CentOS 6 reserves 1-499 for system users, CentOS 7 reserves 1-999
Fourth column: GID number of the user's primary group
Fifth column: user's full name or comment (GECOS)
Sixth column: user's home directory
Seventh column: user's login shell

/etc/group: groups and their attributes

First column: group name
Second column: group password field, normally the placeholder x (the real group password, if any, is in /etc/gshadow and is rarely used)
Third column: GID. CentOS 6 reserves 1-499 for system groups, CentOS 7 reserves 1-999
Fourth column: comma-separated list of users that have this group as a supplementary group

/etc/shadow: user passwords and their ageing attributes

First column: user name
Second column: password field in the form $id$salt$hash
!! (or any field starting with !) means the account is locked for password login; !! on CentOS is what useradd writes when no password has been set yet
Third column: date of the last password change, counted in days since 1970-01-01
Fourth column: minimum number of days between password changes
Fifth column: maximum number of days the password stays valid; after that it must be changed
Sixth column: number of days before expiry on which the user is warned
Seventh column: number of days after password expiry before the account is disabled (inactivity period)
Eighth column: account expiration date, also in days since 1970-01-01
Ninth column: reserved

/etc/gshadow: group passwords and their attributes

First column: group name
Second column: group password hash
Third column: list of group administrators, who may change the group password and membership
Fourth column: list of users that have this group as a supplementary group
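The following is an added example, not part of the original article, showing how the four files are read in practice: it resolves a user's primary and supplementary groups (the same list the groups command in section 4 prints) and flags two things a reviewer of /etc/passwd always looks for, a second UID-0 account and a system-range account that still has a login shell. The passwd and group contents are constructed for the example; the root, bin and centos entries match the article's own listings, while the other accounts and groups (appsvc, backup, ma, zhu, wheel, admins) are invented.

```shell
#!/bin/sh
# Added example, not from the original article: resolve group membership and
# flag risky accounts from the /etc/passwd and /etc/group formats.
# The data below is constructed for this example; only the root, bin and
# centos lines correspond to entries shown in the article.

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
appsvc:x:450:450:app service:/var/lib/appsvc:/bin/bash
backup:x:0:0:second uid 0:/root:/bin/bash
centos:x:1000:1000:centos:/home/centos:/bin/bash
ma:x:1001:1001::/home/ma:/bin/bash
zhu:x:1002:1002::/home/zhu:/bin/bash'

GROUP_DATA='root:x:0:
bin:x:1:
wheel:x:10:centos,ma
appsvc:x:450:
centos:x:1000:
ma:x:1001:
zhu:x:1002:
admins:x:2000:ma,zhu'

# passwd_field USER N -> field N (1-based, colon separated) of USER's entry
passwd_field() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }'
}

# gid_to_name GID -> the group whose third field equals GID
gid_to_name() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# groups_of USER -> the list `groups USER` prints: the primary group taken
# from the passwd GID field, then every group whose fourth field names USER
groups_of() {
    primary=$(gid_to_name "$(passwd_field "$1" 4)")
    secondary=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf " %s", $1 }')
    printf '%s%s\n' "$primary" "$secondary"
}

# uid0_accounts -> every account whose UID is 0. Only root belongs here; a
# second UID-0 account is a classic persistence trick and must be investigated.
uid0_accounts() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# system_accounts_with_shell -> system-range accounts (UID below 1000, the
# CentOS 7 convention assumed here) whose shell is neither nologin nor false,
# i.e. "virtual" users that could in fact be logged into
system_accounts_with_shell() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '
        $3 < 1000 && $3 != 0 && $7 !~ /(nologin|false)$/ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

groups_of ma                  # ma wheel admins
uid0_accounts                 # root backup
system_accounts_with_shell    # appsvc
```

On a real system replace the two variables with `$(cat /etc/passwd)` and `$(cat /etc/group)`; the awk logic is the same, and a non-empty result from the last two functions is worth a ticket.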

2. User management commands useradd, usermod, userdel, and parsing the database files /etc/passwd and /etc/shadow

2.1 Creating a user: useradd
useradd
-u UID: specify the UID; the allowed range is defined in /etc/login.defs (UID_MIN, UID_MAX)
-g GID: the user's primary (basic) group, given as a group name or GID; it must already exist
-c COMMENT: the user's comment (GECOS) field
-d PATH: use the given path as the home directory
-m: create the home directory (populated from /etc/skel)
-M: do not create a home directory
-s SHELL: the user's login shell
-e YYYY-MM-DD: the date on which the account expires
-G GROUP[,GROUP...]: supplementary groups for the user; each group must exist beforehand

2.2 Modifying a user's basic information: usermod
usermod
-u UID: new UID
-g GID: new primary group
-G GROUP[,GROUP...]: new supplementary groups; the existing list is replaced, so add the -a option to append to it instead
-s SHELL: new login shell
-c COMMENT: new comment field
-d HOME: new home directory; it is not created automatically, and to create it and move the contents of the old home add the -m option
-l LOGIN_NAME: new user name
-L: lock the password (a ! is prepended to the hash in /etc/shadow), which disables password login
-U: unlock the password

2.3 Deleting a user: userdel
userdel
-f: force the deletion even if the user is currently logged in
-r: also remove the user's home directory and mail spool
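An added example, not from the original article, that puts the useradd options above together with the ageing settings of chage into one provisioning script. It validates the login name and checks the UID against the normal-user range before anything is executed, and with DRY_RUN=1 (the default) it only prints the commands it would run. The groups devs and wheel, the UID_MIN/UID_MAX values (the CentOS 7 /etc/login.defs defaults) and the 90-day ageing policy are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: assemble (and optionally run)
# the useradd and chage commands that provision a normal user.
# Assumptions: groups devs and wheel exist; UID_MIN/UID_MAX are the CentOS 7
# login.defs defaults; DRY_RUN=1 prints instead of executing.

LC_ALL=C; export LC_ALL      # so [a-z] in patterns means ASCII lowercase only
DRY_RUN=${DRY_RUN:-1}
UID_MIN=1000
UID_MAX=60000

# run CMD... -> print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# valid_username NAME -> true for a portable login name: lowercase letters,
# digits, _ and -, not starting with a digit or -, at most 32 characters
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[0-9-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# valid_uid UID -> true for an integer inside the normal-user range
valid_uid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$UID_MIN" ] && [ "$1" -le "$UID_MAX" ]
}

# provision_user NAME UID PRIMARY_GROUP EXTRA_GROUPS EXPIRE_DATE COMMENT
#   useradd: create the home (-m), set UID, primary and supplementary groups,
#            shell, account expiry date and GECOS comment
#   chage:   at least 1 day between changes, at most 90 days valid, warn 14
#            days ahead, disable the account 30 days after password expiry
provision_user() {
    name=$1 uid=$2 pgroup=$3 extra=$4 expire=$5 comment=$6
    valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    valid_uid "$uid" || { echo "uid $uid outside $UID_MIN-$UID_MAX" >&2; return 1; }
    run useradd -m -u "$uid" -g "$pgroup" -G "$extra" -s /bin/bash -e "$expire" -c "$comment" "$name"
    run chage -m 1 -M 90 -W 14 -I 30 "$name"
}

provision_user ma 1001 devs wheel 2026-12-31 ops-team
```

useradd on CentOS writes !! into the new account's /etc/shadow entry, so the user cannot log in until passwd sets a password; deliver that out of band rather than putting a plaintext password in the script.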

2.4.1 Parsing the database file /etc/passwd
/etc/passwd: the user database and name resolution library

name:password:UID:GID:GECOS:directory:shell

~]# man 5 passwd
name: user name
password: historically the encrypted password; today the placeholder x, meaning the hash is kept in /etc/shadow. An empty field means no password is required to log in, which is dangerous; a * (or a locked entry in /etc/shadow) means the user cannot log in with a password. See man 5 passwd and man pwconv (pwconv moves hashes from /etc/passwd into /etc/shadow)
UID: the user's numeric identifier
GID: the ID of the user's primary group; resolved through /etc/group
GECOS: optional comment information
directory: the user's home directory
shell: the program started at login, i.e. the user's default shell

~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash

2.4.2 Parsing the database file /etc/shadow: password data, including ageing information (the real location of the password)
root:$1$hdhf2v4i$lmo.xghfxqdof8e043c.g/:16779:0:99999:7:::

~]# man 5 shadow
Format (nine fields): user name : encrypted password : last password change : minimum age : maximum age : warning period : inactivity period : account expiration date : reserved field
username:password:last_change:min_change:max_change:warn:inactive:expiration:reserved

username: user name
password: the encrypted password. For system users that cannot log in the field is an asterisk (*); two exclamation marks (!!) mean the account is locked and cannot log in with a password. A real hash is a dollar-delimited string of three parts, $id$salt$hash: id names the hashing scheme, salt is the random salt, and the part after the third $ is the hash itself. id 1 means MD5-crypt; id 5 is SHA-256; id 6 is SHA-512, the default on CentOS 6 and 7.
last_change: the day of the last password change, counted from 1970-01-01. The value 0 means the user must change the password at the next login; an empty field disables password ageing. The day count can be converted with gawk, e.g. echo 17546 | awk '{print strftime("%F", $1*86400, 1)}'
min_change: minimum age, the number of days that must pass after a change before the password may be changed again; 0 or empty means no restriction
max_change: maximum age, the number of days after the last change for which the password stays valid; after that the warning period begins. The default is 99999 days, which in practice means the password never expires
warn: warning period, the number of days before the maximum age is reached on which the user is warned
inactive: inactivity period, the number of days after the password has expired during which it can still be changed at login; once that grace period passes the account is locked
expiration: account expiration date, distinct from password expiration. When the account expires the user cannot log in at all; when only the password expires the user cannot log in with that password until it is changed
reserved: reserved field

Password storage format: one-way hashing with a salt. The scheme ids used in /etc/shadow are:
1: md5
5: sha256
6: sha512
Other SHA family functions (sha1, sha224, sha384) exist as hash algorithms, but glibc crypt(3) does not use them for /etc/shadow.

For example, view the centos user's password information
~]# cat /etc/shadow
centos:$6$llzbczme$.Ajeox0ir.kpwzrims30tjq3kbar5vn3is/d6ube78lx9lz4vjktujxlufow79dboqmowxyadjr.x8iomgu6b1:17546:0:99999:7:::

~]# echo "17546" | awk '{print strftime("%F", $1*86400, 1)}'   # convert the last password change day count into a readable date
2018-01-15
Note that strftime needs the timestamp (days times 86400 seconds) as its second argument; called with only the format string it prints today's date, not the converted one.
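An added example (not from the original article) that ties the field descriptions above together: it classifies the password field by its $id$ prefix, converts the day counts with date instead of awk (GNU or BusyBox date with -d @SECONDS is assumed), and reports the findings a password audit cares about: MD5-crypt hashes, empty password fields, and a maximum age of 99999 days. The root and centos lines reuse the hashes printed above; the bin, ma, guest and zhu lines are constructed, and zhu's hash is a placeholder rather than real crypt output.

```shell
#!/bin/sh
# Added example, not from the original article: audit /etc/shadow-format
# lines for hash scheme, lock state and ageing policy.
# root and centos reuse the article's hashes; bin, ma, guest and zhu are
# constructed, and zhu's hash is a placeholder (not real crypt output).

SHADOW_DATA='root:$1$hdhf2v4i$lmo.xghfxqdof8e043c.g/:16779:0:99999:7:::
centos:$6$llzbczme$.Ajeox0ir.kpwzrims30tjq3kbar5vn3is/d6ube78lx9lz4vjktujxlufow79dboqmowxyadjr.x8iomgu6b1:17546:0:99999:7:::
bin:*:16779:0:99999:7:::
ma:!!:17546:0:99999:7:::
guest::17546:0:99999:7:::
zhu:$6$abcdefgh$notarealhash:17546:1:90:14:30:17600:'

# days_to_date DAYS -> YYYY-MM-DD for a day count since 1970-01-01 (the unit
# of fields 3 and 8). Assumes GNU or BusyBox date (-d @SECONDS).
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# hash_algo FIELD -> crypt(3) scheme named by the $id$ prefix, or one of the
# special states: empty (no password needed), none (* placeholder),
# locked (! prefix; "!!" on CentOS means no password was ever set)
hash_algo() {
    case "$1" in
        '')            echo empty ;;
        '*')           echo none ;;
        '!'*)          echo locked ;;
        '$1$'*)        echo md5 ;;
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '$y$'*)        echo yescrypt ;;
        *)             echo unknown ;;
    esac
}

# audit_line LINE -> "user:scheme:last_change_date:findings" for one entry.
# Fields are split with parameter expansion so the $ characters in a hash are
# never interpreted by the shell.
audit_line() {
    rest=$1
    user=${rest%%:*}; rest=${rest#*:}
    pw=${rest%%:*};   rest=${rest#*:}
    last=${rest%%:*}; rest=${rest#*:}
    min=${rest%%:*};  rest=${rest#*:}
    max=${rest%%:*};  rest=${rest#*:}
    scheme=$(hash_algo "$pw")
    findings=
    case "$scheme" in
        empty) findings="${findings}passwordless," ;;
        md5)   findings="${findings}weak-hash," ;;   # MD5-crypt is cheap to brute force; migrate to $6$
    esac
    case "$scheme" in
        none|locked|empty) ;;                        # ageing is moot without a usable hash
        *) if [ -n "$max" ] && [ "$max" -ge 99999 ]; then findings="${findings}never-expires,"; fi ;;
    esac
    lastdate=-
    if [ -n "$last" ]; then lastdate=$(days_to_date "$last"); fi
    findings=${findings%,}
    printf '%s:%s:%s:%s\n' "$user" "$scheme" "$lastdate" "${findings:-ok}"
}

# audit_shadow -> one audit line per entry in SHADOW_DATA
audit_shadow() {
    printf '%s\n' "$SHADOW_DATA" | while IFS= read -r line; do audit_line "$line"; done
}

audit_shadow
```

To run it against a live system replace SHADOW_DATA with the output of `cat /etc/shadow` as root; an "empty" scheme is a critical finding on any host whose PAM configuration permits empty passwords, and "weak-hash" entries should be re-hashed by forcing a password change after setting ENCRYPT_METHOD SHA512 in /etc/login.defs.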

3. Group management commands groupadd, groupmod, groupdel, and parsing the database file /etc/group

3.1 Creating a new group: groupadd
groupadd
-g GID: specify the ID of the new group
-r: create a system group, i.e. one with a GID from the system range (below 500 on CentOS 6, below 1000 on CentOS 7)
-K KEY=VALUE: override a setting from /etc/login.defs (for example GID_MIN) for this invocation
-o: allow creating a group whose GID is not unique
3.2 Changing a group's ID or name: groupmod
-g GID: set the GID to use
-o: allow a duplicate GID
-n NEW_NAME: set the new group name
3.3 Deleting a group: groupdel
groupdel
groupdel GROUPNAME deletes the group.

4. User authentication commands passwd and gpasswd, and the related commands chage, id, su

The passwd command sets a user's authentication information
-d: delete the password (root only); the account can then log in without any password wherever PAM permits empty passwords, so use with care
-f: force the operation
-k: keep tokens, i.e. only update a password that has expired
-l: lock the password
-S: show the password status of the account (root only)
-u: unlock a locked account
gpasswd
-a USER GROUP: add a user to the group
-d USER GROUP: remove a user from the group
-A USER,... GROUP: set the group's administrators
-M USER,... GROUP: set the full member list, replacing the current one
-r GROUP: remove the group password
-R GROUP: restrict the group: only members can join it with newgrp
For example:
~]# gpasswd -a ma zhu
Adding user ma to group zhu      # add user ma to group zhu
~]# gpasswd -d ma zhu
Removing user ma from group zhu  # remove user ma from group zhu

groupmems [options] [action]
Options
-g GROUP: operate on the given group (root only; without it groupmems works on the invoking user's own group)
Actions
-a USER: add the user to the group
-d USER: remove the user from the group
-p: purge all members from the group
-l: list the group's members
Example:
~]# groupmems -g admins -a ma
~]# groupmems -g admins -a zhu   # add users ma and zhu to admins
~]# groupmems -g admins -l       # list the members of admins
ma  zhu
~]# groupmems -g admins -d ma    # remove ma from admins
~]# groupmems -g admins -l
zhu
~]# groupmems -g admins -p       # purge all members of admins
~]# groupmems -g admins -l

groups shows the list of groups a user belongs to
~]# groups ma
ma : ma
~]# groups zhu
zhu : zhu
The chage command modifies account and password expiry settings

-m DAYS: minimum number of days between password changes; 0 means the password can be changed at any time
-M DAYS: maximum number of days the password remains valid
-W DAYS: number of days before expiry on which the user starts receiving warnings
-E DATE: the date on which the account expires; it cannot be used after that day
-d DATE: the date of the last password change
-I DAYS: inactivity period; if a password has been expired for this many days, the account is locked
-l: list the current settings; a non-privileged user can use it to see when their own password or account expires
The id command displays the real and effective user ID (UID) and group IDs (GID)
id [-gGnru] [--help] [--version] [USERNAME]
-g or --group: display the ID of the user's primary group
-G or --groups: display the IDs of all groups the user belongs to
-n or --name: display names instead of numbers (for the user, the primary group or the group list)
-r or --real: display the real ID instead of the effective one
-u or --user: display the user ID
--help: display help
--version: display version information

The su command switches the current identity to another user's
-c COMMAND or --command=COMMAND: execute the given command as the target user, then return to the original identity
-f or --fast: for csh and tcsh, start the shell without reading its startup files
-l or --login: start a login shell, which changes the working directory and the HOME, SHELL, USER and LOGNAME variables, and resets PATH
-m, -p or --preserve-environment: keep the current environment variables when switching identities
-s SHELL or --shell=SHELL: the shell to execute
--help: display help
--version: display version information
