Linux User Management
Course Outline
- User management configuration files
- User management commands
- User group management commands
- Bulk add users
- User authorization
Configuration files
- User information file: /etc/passwd
- Password file: /etc/shadow
- User group file: /etc/group
- User group password file: /etc/gshadow
- User configuration files:
  /etc/login.defs
  /etc/default/useradd
- New user template directory: /etc/skel
- Login messages: /etc/motd, /etc/issue
/etc/passwd file format
Field            Meaning
User name        the name used to log on to the system
Password         password field (the actual hash is kept in /etc/shadow)
UID              user identification number
GID              identification number of the user's default (primary) group
Comment          descriptive information such as the user's full name
Home directory   the default directory after the user logs on to the system
Shell            the command interpreter used by the user, bash by default
User types
Linux users are divided into three types:
- Super user (root, UID 0)
- Normal users (UID 500-60000)
- Pseudo-users (UID 1-499)
Pseudo-users
1. Pseudo-users are related to the system and to program services
   - bin, daemon, shutdown, halt, and so on: every Linux system has these pseudo-users by default
   - mail, news, games, apache, ftp, mysql, sshd and similar accounts belong to processes running on the Linux system
2. Pseudo-users usually do not need to, or cannot, log on to the system
3. Pseudo-users may have no home directory
User groups
- Each user belongs to at least one user group
- Each user group can contain multiple users
- Users in the same user group share the permissions granted to the group
/etc/shadow file format
Field               Meaning
User name           the name used to log on to the system
Password            encrypted password
Last modified       day (counted in days since 1970-01-01) on which the user last changed the password
Minimum interval    minimum number of days between two password changes
Maximum interval    maximum number of days the password remains valid
Warning time        number of days before expiry on which the system starts warning the user
Account idle time   number of days after password expiry before the account is disabled
Expiration          absolute day (in days since 1970-01-01) on which the account expires
Flags               generally not used
/etc/group file format
Field        Meaning
Group name   the name of the group
Password     group password, generally not used
GID          group identification number
User list    all users that belong to the group, comma-separated
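As an added example (not part of the original notes), the following script audits constructed copies of /etc/passwd, /etc/shadow and /etc/group using the field layouts above; the user names, UIDs and hash values are made up and nothing reads the real system files.

```shell
# Added example, not part of the original notes: audit constructed copies of
# /etc/passwd, /etc/shadow and /etc/group using the field layouts above.
# Nothing reads the real files; users, UIDs and hashes are made up.
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
opsadm:x:0:0:second uid 0 account:/home/opsadm:/bin/bash
jack:x:501:501:Jack:/home/jack:/bin/bash
mary:x:502:502:Mary:/home/mary:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$c0nstructed$hashvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
opsadm::18000:0:99999:7:::
jack:!$6$c0nstructed$hashvalue:18000:0:90:7:::
mary:$6$c0nstructed$hashvalue:18000:0:90:7:::
EOF
cat > "$WORK/group" <<'EOF'
root:x:0:
softadm:x:100:jack,mary
EOF

# Join matching names on one line so results are easy to compare.
one_line() { paste -s -d ' ' -; }

# passwd field 3 is the UID: every UID 0 account is root-equivalent, so more
# than one hit here deserves an explanation.
uid0_users()        { awk -F: '$3 == 0 { print $1 }' "$WORK/passwd" | one_line; }

# shadow field 2 empty means the account needs no password to log in at all.
no_password_users() { awk -F: '$2 == "" { print $1 }' "$WORK/shadow" | one_line; }

# A hash field starting with "!" or "*" is a locked or disabled password
# (what passwd -l / usermod -L produce on real accounts).
locked_users()      { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$WORK/shadow" | one_line; }

# shadow field 5 is the maximum password age in days; list accounts whose
# limit is above the policy value given as $1.
over_max_age()      { awk -F: -v max="$1" '$5 > max { print $1 }' "$WORK/shadow" | one_line; }

# group field 4 is the comma-separated member list of the group named in $1.
group_members()     { awk -F: -v g="$1" '$1 == g { print $4 }' "$WORK/group"; }
```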
Adding users manually
- Add a record to each of the /etc/passwd, /etc/group and /etc/shadow files
- Create the user's home directory
- Place the default configuration files in the user's home directory
- Set the user's initial password
SetUID
Think: why can ordinary users change their own passwords?
Definition of setuid: when an executable program has the setuid permission, a user who executes the program runs it with the permissions of the program's owner.
Example 1: grant the setuid permission to the touch command
# chmod u+s /bin/touch
# ls -l /bin/touch
Then, as an ordinary user, run touch file02
$ ls -l file02
You will find that the owner of the file is not its creator but root.
chmod u-s /bin/touch    // cancel the setuid permission; u-s turns 4755 back into 755
chmod g+s file name (octal 2755)    // setgid for the group; setuid and setgid together are 6755
Sticky bit = 1    // ls -ld /tmp shows a t in the permissions for others
If a directory with permission 777 also has the sticky bit set, every user can create files in it, but each user can only delete the files they created themselves.
To add the sticky bit: chmod o+t directory name    // or chmod 1777 directory name
Example 2: when the vi command is granted the setuid permission
# which vi    // query the path of the vi command
# chmod u+s /bin/vi
Consequence: ordinary users can modify files they do not own and force the save on exit.
3. Find setuid and setgid programs:
find / -perm -4000 -o -perm -2000
Added: # ls -l /usr/bin/passwd
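The permission bits from this section, reproduced as an added example that is not part of the original notes: it sets setuid, setgid and sticky bits on throwaway files under a temporary directory (the paths are constructed) instead of on /bin/touch, /bin/vi or /tmp, then runs the audit find from the notes over that directory.

```shell
# Added example, not part of the original notes: exercise the setuid, setgid
# and sticky bits on throwaway files under a temp directory (paths constructed
# here), then run the audit find from the notes over it.
LAB=$(mktemp -d)
printf '#!/bin/sh\necho demo\n' > "$LAB/tool_s"
printf '#!/bin/sh\necho demo\n' > "$LAB/tool_g"
printf '#!/bin/sh\necho demo\n' > "$LAB/plain"
mkdir "$LAB/shared"
chmod 4755 "$LAB/tool_s"    # setuid, same as chmod u+s
chmod 2755 "$LAB/tool_g"    # setgid, same as chmod g+s
chmod 755  "$LAB/plain"     # no special bits
chmod 1777 "$LAB/shared"    # sticky directory, same as chmod o+t on a 777 dir

# The find from the notes (setuid OR setgid). -type f keeps the sticky
# directory out; names are made relative and sorted for stable output.
special_bit_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) |
        sed "s|^$1/||" | sort | paste -s -d ' ' -
}

# Symbolic mode as ls shows it: "s" in the owner or group execute slot marks
# setuid/setgid, "t" in the others' execute slot marks the sticky bit.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Sticky check: the 10th character of the mode is t (or T when the directory
# is not executable by others).
is_sticky() {
    case "$(ls -ld "$1" | cut -c10)" in
        t|T) echo yes ;;
        *)   echo no ;;
    esac
}

# Remove the setuid bit again (the notes' chmod u-s, 4755 -> 755) and report
# what the audit still finds in the file's directory.
drop_setuid() { chmod u-s "$1"; special_bit_files "$(dirname "$1")"; }
```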
Add user
- useradd [options] user name; useradd -D views the default parameters
  -u: UID
  -g: GID of the default (primary) user group
  -G: additional groups the user belongs to
  -d: home directory
  -s: command interpreter (shell)
  -c: description information
  -e: user expiration date
- passwd sam
- Adding users manually
User group management commands
Add a user group: groupadd
groupadd -g 888 webadmin
Creates the user group webadmin with GID 888
- Delete a user group: groupdel group name
- Modify user group information: groupmod
groupmod -n apache webadmin    // rename the webadmin group to apache
gpasswd sets the group password and manages the members of the group
-a add a user to the user group
-d remove a user from the user group
-A set the user group administrators
-r delete the user group password
-R prevent users from switching to this group    // gpasswd -R group name
Example: gpasswd -a user name group name
gpasswd group name    // set the group password
Modify user information
- usermod
- usermod -G softgroup samlee
  Adds user samlee to the softgroup user group
- usermod -l samlee -d /home/samlee -G lampbrother liming
  Changes the login name of user liming to samlee, adds the user to the lampbrother group, and changes the home directory to /home/samlee
User management commands
- pwck checks the /etc/passwd file
- vipw edits the /etc/passwd file (locks the file)
- id views the user's UID and group information
- finger views user details
- su switches user (su - also switches the environment variables)    // echo $PATH views the environment variables
- passwd -S views the user's password status    // # passwd -S user name
  passwd -l jack    // lock the password of user jack
- who, w view information about the users currently logged on
- groups shows which user groups a user belongs to    // the id command also shows this
- newgrp switches the user's current group    // newgrp group name prompts for the group password
- grpck checks the user group configuration file
- chgrp changes the group a file belongs to    // chgrp group name file name
- vigr edits the /etc/group file (locks the file)    // same function as vipw
User group permissions example
Give users jack and mary write access to the directory /software
# groupadd softadm           // create the group softadm
# usermod -G softadm jack    // jack joins the softadm group
# gpasswd -a mary softadm    // mary joins the softadm group
# chgrp softadm /software    // change the group of /software to softadm
# chmod g+w /software        // grant the group write permission
# ls -ld /software
drwxrwxr-x 2 root softadm 06:17 /software
# grep softadm /etc/group
softadm::100:jack,mary
Disabling and restoring users
Disable
# usermod -L user name    // lock the user
# passwd -l user name     // lock the user's password
Restore
# usermod -U user name    // unlock the user's login
# passwd -u user name     // unlock the user's password
Delete a user
userdel -r user name
-r: also delete the user's home directory
Manual removal:
Use the find command to locate the files that belong to a user or a user group
find options: -user, -uid, -group, -gid
1. Move and back up the files that need to be kept
2. Delete the unwanted files
3. Remove the user's entries from the user files
4. Remove the user's home directory
User management commands
- chage sets password aging
  -l view the user's password aging settings
  -m minimum number of days between password changes
  -M maximum number of days a password remains valid
  -d date on which the password was last changed
  -I number of days after password expiry before the account is locked
  -E sets the expiration date; 0 means the password expires immediately, -1 means it never expires
  -W number of days before expiry on which warnings start
Enable or disable the shadow feature
pwconv / pwunconv
grpconv / grpunconv
- system-config-users
- authconfig, /etc/sysconfig/authconfig
Bulk add users
newusers command: imports a user information file    // the file follows the /etc/passwd layout    # newusers < user.info
pwunconv command: cancels the shadow password function
chpasswd command: imports a password file    // # chpasswd < pass.info
(format: user name:password)
pwconv command: writes the passwords back to the shadow file
Example: adding 10 users in a batch
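An added example (not part of the original notes) for the batch procedure above: it generates user.info in /etc/passwd layout for newusers and pass.info in name:password layout for chpasswd for 10 users, and checks user.info before it is fed to newusers. The names batchNN, the starting UID 600 and the /home prefix are assumptions; nothing here runs newusers or chpasswd, which need root.

```shell
# Added example, not part of the original notes: build the two input files
# for the batch procedure (user.info for newusers, pass.info for chpasswd).
# Names batchNN, starting UID 600 and /home are assumptions; newusers and
# chpasswd themselves are not run here because they need root.
OUT=$(mktemp -d)

# $1 = number of users, $2 = first UID (also used as the GID). One
# passwd-style line per user; password field "x" because chpasswd sets it.
gen_user_info() {
    i=1
    while [ "$i" -le "$1" ]; do
        uid=$(( $2 + i - 1 ))
        printf 'batch%02d:x:%d:%d:batch user %d:/home/batch%02d:/bin/bash\n' \
            "$i" "$uid" "$uid" "$i" "$i"
        i=$((i + 1))
    done
}

# One "name:password" line per user of the file in $1, with a random
# 12-hex-digit initial password so no two users share one (od is POSIX).
gen_pass_info() {
    cut -d: -f1 "$1" | while read -r name; do
        printf '%s:%s\n' "$name" "$(od -An -tx1 -N6 /dev/urandom | tr -d ' \n')"
    done
}

# Sanity check before newusers reads the file: every line has 7 fields and
# no UID or user name repeats. Prints "ok" or the first problem found.
check_user_info() {
    awk -F: 'NF != 7        { err = "bad field count on line " NR; exit }
             seen_uid[$3]++  { err = "duplicate uid " $3; exit }
             seen_name[$1]++ { err = "duplicate user " $1; exit }
             END { print (err == "" ? "ok" : err) }' "$1"
}

gen_user_info 10 600 > "$OUT/user.info"
gen_pass_info "$OUT/user.info" > "$OUT/pass.info"
# Remaining steps from the notes, run as root:
#   newusers < user.info; pwunconv; chpasswd < pass.info; pwconv
```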
Restrict which users can su to root:
# groupadd sugroup          // add the group sugroup
# chmod 4550 /bin/su        // modify the permissions of /bin/su
# chgrp sugroup /bin/su     // modify the owning group
# ls -l /bin/su
-r-sr-x--- 1 root sugroup 18360 Jan 2010 /bin/su
Once set, only users in the sugroup group can use su to switch to root
# useradd helen
# passwd helen
# usermod -G sugroup helen    // add user helen to the sugroup user group
Use sudo instead of su:
- when a command is executed through sudo, the user temporarily becomes root
- the root password is not leaked
- users get access to a limited set of commands only
Configuration file: /etc/sudoers
Command to edit the configuration file: /usr/sbin/visudo
Ordinary users use the command /usr/bin/sudo
Format: user name (or group name)  host address = command (absolute path)
Additional: visudo    // edit
csdn1 helen=/usr/sbin/useradd,/usr/sbin/userdel
csdn2 helen=/sbin/shutdown -h now    // the command can be refined with its arguments
User name  host name (or IP address) = absolute path of the authorized command
# su - csdn1    // switch to user csdn1
$ sudo /usr/sbin/useradd lampbrother    // add the user lampbrother
[sudo] password for csdn1:    // enter csdn1's password
$ sudo -l    // see which commands you can execute as root
Authorizing a user with Apache administrative rights
1. Editing the Apache configuration file
2. Using the Apache startup script
3. Updating the web pages
# ls -l /etc/httpd/conf/httpd.conf
1a. Make the user the owner of the configuration file with chown
1b. Change the owning group, add the user to the group, and grant the group write permission
1c. visudo:  user host = command    csdn1 helen=/bin/vi /etc/httpd/conf/httpd.conf
    Note: granting an interactive editor through sudo is effectively granting root; sudoedit is the safer way to let a user edit a single file.
2. visudo:  user host=/etc/rc.d/init.d/httpd start, /etc/rc.d/init.d/httpd reload, /etc/rc.d/init.d/httpd fullstatus, /etc/rc.d/init.d/httpd configtest
3. grep DocumentRoot /etc/httpd/conf/httpd.conf    // find the directory that holds the web pages
/var/www/html: change the owner or the owning group, add the user to the group, and grant the group write permission
John the Ripper application:
# tar -xzvf john-1.7.6.tar.gz
# cd john-1.7.6/run
# cd src
# make linux-x86-64
Crack the password of user liming
# grep liming /etc/passwd > /test/liming.passwd
# grep liming /etc/shadow > /test/liming.shadow
# /test/john-1.6.6/run/unshadow /test/liming.passwd /test/liming.shadow > /test/liming.john
# /test/john-1.6.6/run/john /test/liming.john
http://www.openwall.com/john/