/etc/skel directory:
Role:
The /etc/skel directory stores the default profile files for new users. When we add a new user, all files in this directory are automatically copied to the new user's home directory. By default, all files under /etc/skel are hidden files (files whose names begin with a dot). By adding and removing files in /etc/skel, we can provide a unified, standard, initialized environment for newly created users.
Interview questions:
What is the cause of the following login environment failure, and how is it fixed?
-bash-4.1$
-bash-4.1$
-bash-4.1$
-bash-4.1$
-bash-4.1$
This happens because the user's home directory is missing the .bashrc file. Copy one from another user's home directory or from /etc/skel into this user's home directory, then log out and log in again.
resolution process:
-bash-4.1$ cp -a /etc/skel/.bashrc .
-bash-4.1$ exit
logout
[Email protected] yangrz]# su - yangrz
/etc/login.defs file:
function:
Configure whether to use mail, default password expiration, home directory permissions, and more
[Email protected] ~]$ cat /etc/login.defs | egrep -v "^#|^$"
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
/etc/default/useradd file:
function:
Sets the defaults used when a user is created: where the home directory goes, the /etc/skel path, the default shell, etc.
[Email protected] ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home # create users' home directories under /home
INACTIVE=-1 # whether to disable the account after it expires; -1 means not enabled
EXPIRE= # account expiration date; no setting means not enabled
SHELL=/bin/bash # default shell for new users
SKEL=/etc/skel # path holding the default files for a new user's home directory; when we create a new user, the files in the user's home directory are copied from here
CREATE_MAIL_SPOOL=yes # create the mail spool file
Example: create the user yangrz with the comment handsomeboy, UID 806, group root, login shell /bin/sh, and home directory /yangrz
[Email protected] ~]# useradd -c handsomeboy -u 806 -g "root" -s /bin/sh -d /yangrz yangrz
userdel -r deletes the user's home directory as well.
In production scenarios, do not use the -r parameter lightly: it removes all files and directories in the user's home directory along with the deleted user. If there are important files in the user's home directory, back them up before deleting. Backing up before any operation is always a good habit for operations staff.
A better way to remove users in a production environment:
1. Comment out the user's line in the /etc/passwd file.
2. Change the login shell to /sbin/nologin.
3. Lock the user with the passwd -l command, or set an expiration time with usermod -e.
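The procedure above as a script, added here as an example and not part of the original article: it backs up the home directory first, then applies steps 2 and 3. The function name disable_user and the RUN, PASSWD_FILE and BACKUP_DIR variables are assumptions of this example; set RUN=echo to print the commands instead of running them.

```sh
# disable_user USER: back up the home directory, then block logins without
# deleting anything. Hypothetical helper; must run as root unless RUN=echo.
disable_user() (
    user=$1
    passwd_file=${PASSWD_FILE:-/etc/passwd}   # assumption: overridable for testing
    backup_dir=${BACKUP_DIR:-/root/offboard}  # assumption: where archives are kept
    run=${RUN:-}                              # RUN=echo gives a dry run

    # Home directory is field 6; match the user name exactly, not as a prefix.
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")
    if [ -z "$home" ]; then
        echo "disable_user: no such user: $user" >&2
        exit 1
    fi
    if [ "$user" = root ]; then
        echo "disable_user: refusing to disable root" >&2
        exit 2
    fi

    # Locking the password alone does not stop key-based SSH logins,
    # so the login shell and the account expiry date are changed as well.
    $run mkdir -p "$backup_dir" &&
    $run tar -czf "$backup_dir/$user-home.tar.gz" \
        -C "$(dirname "$home")" "$(basename "$home")" &&
    $run passwd -l "$user" &&
    $run usermod -s /sbin/nologin -e 1970-01-02 "$user"
)
```

The account, its UID and its files stay in place, so the change can be reverted with passwd -u and usermod once the review is done.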
Summary of user management commands:
1. Configuration files related to users:
/etc/passwd account file and the contents of its columns
/etc/shadow account file and the contents of its columns
/etc/group group file and the contents of its columns
/etc/gshadow group password file and the contents of its columns
2. User management commands
useradd -u -g -G -s -m -e -c -d
Related files: /etc/skel, /etc/default/useradd, /etc/login.defs
userdel -r
usermod -u -g -G -s -m -e -c -d -l -U -L
id
chage -l -E -m -W -M -N
passwd --stdin -n -i -w -x
su
sudo
visudo
3. Group management commands
groupadd -g
groupdel
groupmod
View user login information:
[Email protected] ~]# ll /var/log/secure*
-rw------- 1 root root 718 Nov 15:01 /var/log/secure
-rw------- 1 root root 12962 Nov 20:52 /var/log/secure-20151112
-rw------- 1 root root 1594 Nov 19:31 /var/log/secure-20151115
-rw------- 1 root root 6031 Nov 12:09 /var/log/secure-20151122
-rw------- 1 root root 11016 Nov 10:31 /var/log/secure-20151129
[Email protected] ~]# ll /var/log/messages
-rw------- 1 root root 143 Nov 11:46 /var/log/messages
[Email protected] ~]# ls /var/log/lastlog
id, last, lastb, w, who, users, groups, newgrp
su command:
- switches the shell environment
-c runs a command as the given user (su - yangrz -c pwd)
sudo principle:
Granting permission for the su command through sudo is very dangerous, because the user can then switch to root.
[Email protected] ~]$ sudo -l
Matching Defaults entries for oldboy on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User oldboy may run the following commands on this host:
    (ALL) NOPASSWD: ALL
sudo -l shows what sudo permissions the user has.
sudo -k expires the timestamp information, so the password must be entered again next time.
visudo checks the configuration file; if the configuration is wrong, it cannot be saved.
Editing with vim /etc/sudoers does not provide this check, and a mistake there can leave sudo unusable, so use visudo -c to check whether the configuration file is correct.
visudo ===== vi /etc/sudoers
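visudo -c validates syntax only; it does not flag grants such as the (ALL) NOPASSWD: ALL entry in the sudo -l output above. The following added example (not from the original article) scans user rules for that grant, for a lowercase all, and for commands that are not absolute paths. The function names and the sample rules are constructed for illustration.

```sh
# Constructed sample rules for the demo (not taken from a real host).
sample_sudoers() {
    cat <<'EOF'
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig
oldboy  ALL=(ALL) NOPASSWD: ALL
oldgirl ALL=(ALL) NOPASSWD: /bin/rm
%sa     ALL=(root) NETWORKING, ifconfig
ops     all=(ALL) /sbin/iptables
EOF
}

# audit_sudoers: reads sudoers text on stdin, prints "line N: finding".
# Simplified: skips Defaults and alias definitions, and does not handle
# line continuations, escaped commas or per-command run-as changes.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        split(substr($0, 1, eq - 1), lhs)        # lhs[1] = user, lhs[2] = host
        if (lhs[2] != "ALL" && toupper(lhs[2]) == "ALL")
            print "line " NR ": host \"" lhs[2] "\" must be uppercase ALL"
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)  # drop the (run-as) part
        nopw = 0
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c)
            while (match(c, /^[A-Z_]+:[ \t]*/)) { # a tag applies until overridden
                if (c ~ /^NOPASSWD:/) nopw = 1
                if (c ~ /^PASSWD:/) nopw = 0
                c = substr(c, RLENGTH + 1)
            }
            sub(/^!+[ \t]*/, "", c)              # negated entries get the same checks
            sub(/[ \t].*$/, "", c)               # keep the command, drop its arguments
            if (c == "") continue
            if (c == "ALL" && nopw)
                print "line " NR ": " lhs[1] " is granted NOPASSWD: ALL"
            if (c != "ALL" && toupper(c) == "ALL")
                print "line " NR ": command \"" c "\" must be uppercase ALL"
            if (c !~ /^\// && c !~ /^[A-Z][A-Z0-9_]*$/ && toupper(c) != "ALL")
                print "line " NR ": command \"" c "\" is not an absolute path"
        }
    }'
}
```

Running sample_sudoers | audit_sudoers reports lines 2, 4 and 5 of the sample; the oldgirl rule, which grants a single absolute path, passes.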
Detailed sudo configuration file:
Format:
user machine=commands
oldboy ALL=(ALL) NOPASSWD: /bin/rm
User_Alias Host_Alias=(Runas_Alias) Cmnd_Alias
Host_Alias FILESERVERS = fs1, fs2
User_Alias ADMINS = oldboy, oldgirl, %sa (all users of the sa group)
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
Runas_Alias OP = root, oldboy (role alias; sudo can switch to these roles)
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/pin\
g, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm
You can use \ to continue a line.
Summary of considerations for /etc/sudoers authorization rules:
1. Every ALL string in an authorization rule must be uppercase.
2. Testing shows that commands take effect from the back, so the later entry wins. For example, to allow a user to run all /sbin/* commands except /sbin/useradd, write !/sbin/useradd after /sbin/*.
3. A line can be continued onto the next line with a backslash "\".
4. "!" means not: with !/bin/ifconfig, this command cannot be run through sudo.
Reference:
1) /etc/sudoers
2) man sudoers
3) man sudo
sudo configuration considerations:
1. Members of a command alias must be absolute paths to files or directories.
2. Alias names consist of uppercase letters, numbers, and underscores, and must start with an uppercase letter.
3. An alias can have multiple members, separated by a half-width ","; members must be valid and actually exist.
4. Alias members are constrained by the alias type (Host_Alias, User_Alias, Runas_Alias, Cmnd_Alias): the type of alias defined determines the type of members it matches.
5. Alias rules are written one per line; if an alias rule does not fit on one line, it can be continued with "\".
6. The user to switch to is enclosed in parentheses (). If the parentheses are omitted, the default is the root user; if ALL is in the parentheses, the user can switch to all users.
7. If a command should run without a password, add the NOPASSWD parameter.
8. To prohibit a program or command, put "!" in front of the command and place it after the commands that are allowed.
9. A user group must be preceded by the % sign.
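Rule 2 of the authorization summary and consideration 8 both depend on ordering: the last matching entry in a command list decides. The following added example (not from the original article, and not sudo's own code) models that, with shell glob matching standing in for sudo's matcher; the function name sudo_cmnd_allowed is hypothetical.

```sh
# sudo_cmnd_allowed LIST CMD
# LIST is a comma-separated sudoers command list, CMD the absolute path requested.
# Returns 0 when the last matching entry allows CMD, 1 otherwise.
# Simplified model: no aliases, tags or command arguments; no match means deny.
sudo_cmnd_allowed() (
    list=$1
    cmd=$2
    verdict=1                       # nothing matched yet: deny
    set -f                          # keep /sbin/* from expanding to real files
    IFS=,
    for item in $list; do
        # Trim leading and trailing blanks around the entry.
        item=${item#"${item%%[! ]*}"}
        item=${item%"${item##*[! ]}"}
        status=0                    # a plain entry allows
        case $item in
            '!'*) status=1; item=${item#\!} ;;   # a negated entry denies
        esac
        if [ "$item" = ALL ]; then
            item='*'
        fi
        case $cmd in
            $item) verdict=$status ;;   # a later match overwrites an earlier one
        esac
    done
    exit "$verdict"
)
```

sudo_cmnd_allowed '/sbin/*, !/sbin/useradd' /sbin/useradd returns 1 (denied); with the two entries swapped it returns 0, which is why the negated entry has to come last.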