"Linux" Users and Groups

Source: Internet
Author: User

I. Basic concepts of users and groups

1. Users

User: the identifier under which computer resources or services are obtained, such as a user name. The system itself works with the numeric UID; the mapping between user name and UID is stored in /etc/passwd, which every user can read.

  Shadow password: the user's password hash is stored in /etc/shadow

  User categories:

    • Administrator: the administrator's UID is 0
    • Ordinary users (system users and general users): ordinary user UIDs are 1-65535, general user UIDs are 500-60000.
    • System users: UIDs 1-499. A background process (service) that runs without an interactive login runs as an ordinary user called a system user. A system user exists only to run a certain class of processes and does not need to log in to the system.

2. Groups

Group (user group): also an identifier, used to associate permissions with a set of users so that permissions can be assigned conveniently; each group has a GID.

  Shadow password: the group password is stored in /etc/gshadow

  Group categories:

    • Normal groups (system groups and general groups)
    • Administrators group

Or they can be divided into:

    • Private group: when a user is created and no basic group is assigned, a group with the same name as the user is created automatically; this is the user's private group.
    • Basic group: the user's default group
    • Additional groups (supplementary groups): groups other than the default group

II. /etc/passwd

man 5 passwd describes the file format in detail.

    ~]# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    ...
    hao:x:500:500:haohao:/home/hao:/bin/bash

Field resolution:

1. Account: login name

2. Password: if it is x, it is only a placeholder and the real (hashed) password is in /etc/shadow

3. UID

4. GID: basic group ID

5. GECOS: user comment information

6. Directory: home directory

7. Shell: the user's default shell. All legitimate shells on the current system are listed in /etc/shells.

    ~]# cat /etc/shells
    /bin/sh
    /bin/bash
    /sbin/nologin
    /bin/dash
    /bin/tcsh
    /bin/csh

III. /etc/shadow

    ~]# cat /etc/shadow
    root:$6$opy00imwabsqsynd$ulgmkmkwszvor5giiokjk9tnn0pzimegqqudftwngu.9.oxrw5dcxwffi7cvyw9nuqulgna4vttyl0to6grwi.:16277:0:99999:7:::
    bin:*:15980:0:99999:7:::
    ...
    hao:$6$ogbf1lev5ro4510u$82.phdwem8yndttojmimb/mxk/2/clz.8he0wf5pz/As9m4r2s2ptcg.vnhqops9ocl1la2e5or9uhlrqnuih/:16277:0:99999:7:::

man 5 shadow describes the file format in detail.

Field Resolution:

1. Login name

2. Encrypted password: the password after hashing, as below. If the field is * or !!, the user is locked, that is, not allowed to log in.

    $6$opy00imwabsqsynd$ulgmkmkwszvor5giiokjk9tnn0pzimegqqudftwngu.9.oxrw5dcxwffi7cvyw9nuqulgna4vttyl0to6grwi.:16277:0:99999:7:::

The format of the password field is $<id>$<salt>$<pwd>, where the id indicates the hashing method used:

    ID   | Method
    -----|-------------------
    1    | MD5 (Linux, BSD)
    2a   | Blowfish (OpenBSD)
    md5  | Sun MD5

    For the new SHA-256 and SHA-512 methods the following values are selected:

    ID   | Method
    -----|-------------------
    5    | SHA-256
    6    | SHA-512

Salt: a randomly generated value mixed into the hash, so the same password does not necessarily produce the same hash.

3. Date of last password change: the number of days elapsed since January 1, 1970.

4. Minimum password age: the minimum number of days the password must be kept before it may be changed

5. Maximum password age: the maximum number of days the password may be used

6. Password warning period: the number of days of warning before the password expires

7. Password inactivity period: the grace period after the password has expired

8. Account expiration date: the date on which the account expires

9. Reserved field
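As an added example (not code from the original article), the following Python joins passwd-style and shadow-style records using the field layouts described in sections II and III and flags the account states a reviewer checks for: an empty password field, a weak $1$ (MD5) or legacy DES hash, a second UID 0 account, and a login shell missing from /etc/shells. The records and hashes are constructed placeholders, and the function and constant names are mine.

```python
import re
# Hash scheme IDs from the $<id>$<salt>$<pwd> table above (see crypt(3)).
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "md5": "Sun MD5", "5": "SHA-256", "6": "SHA-512"}
SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/dash", "/bin/tcsh", "/bin/csh"}
# Constructed sample records in the real field layout; the hashes are fake placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
hao:x:500:500:haohao:/home/hao:/bin/bash
user1:x:501:501::/home/user1:/bin/bash
legacy:x:502:502::/home/legacy:/bin/zsh
toor:x:0:0::/root:/bin/bash"""
SHADOW = """root:$6$opy00imw$FAKEHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:16277:0:99999:7:::
bin:*:15980:0:99999:7:::
hao:$6$ogbf1lev$FAKEHASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:16277:0:99999:7:::
user1::16362:0:99999:7:::
legacy:$1$abcdefgh$FAKEHASHzzzzzzzzzzzzzz:12000:0:99999:7:::
toor:!!:16377:0:99999:7:::"""

def hash_method(field):
    """Classify shadow field 2: empty, locked (* or !), a $id$ scheme, or legacy DES."""
    if field == "":
        return "EMPTY"              # what passwd -d leaves: login without any password
    if field[0] in "*!":
        return "LOCKED"
    m = re.match(r"\$([^$]+)\$[^$]*\$", field)
    return HASH_IDS.get(m.group(1), "unknown") if m else "DES"

def audit(passwd_text, shadow_text, shells=SHELLS):
    """Join passwd and shadow on login name; return {name: (kind, method, issues)}."""
    shadow = {l.split(":")[0]: l.split(":") for l in shadow_text.splitlines()}
    report = {}
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        uid = int(uid)
        # UID classes as given in the article: 0 admin, 1-499 system, 500+ general.
        kind = "admin" if uid == 0 else "system" if uid < 500 else "general"
        entry = shadow.get(name)
        method = hash_method(entry[1]) if entry else "NO-SHADOW"
        issues = []
        if method == "EMPTY":
            issues.append("empty password")
        if method in ("MD5", "DES"):
            issues.append("weak hash")
        if uid == 0 and name != "root":
            issues.append("duplicate UID 0")
        if shell not in shells:
            issues.append("shell not in /etc/shells")
        report[name] = (kind, method, issues)
    return report
```

On the sample data, audit(PASSWD, SHADOW) flags user1 (empty password), legacy (MD5 hash, shell not in /etc/shells) and toor (a second UID 0 account); on a real host pass the contents of the two files instead.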

Common methods of encryption:

  Symmetric encryption: the same key is used for encryption and decryption.

  Public-key cryptography: keys come in pairs, a private key (secret key) and a public key. Data encrypted with the private key can only be decrypted with the public key, and data encrypted with the public key can only be decrypted with the corresponding private key. Public-key keys are much longer than symmetric keys and the scheme is more secure than symmetric encryption, but it is slower, generally by about three orders of magnitude, so public-key cryptography is seldom used to encrypt data itself and is mostly used for key exchange.

  One-way encryption, or hashing: the plaintext cannot be obtained from the output. It is used to produce a digest (signature) of data; each input has a unique digest, like a fingerprint. One-way hashing can be used to check data integrity. Its features include:

1. Irreversibility: the digest can be computed from the plaintext, but the plaintext cannot be recovered from the digest.

2. Avalanche effect: a small change in the input causes a dramatic change in the result, which hinders brute-force cracking. Changing the inittab file slightly shows that its digest changes completely:

    ~]# cp /etc/inittab .
    ~]# ls
    anaconda-ks.cfg  install.log  install.log.syslog  inittab  ...
    ~]# md5sum inittab
    3f206e10339f61eaf8d378bf504db462  inittab
    ~]# nano inittab
    ~]# md5sum inittab
    11bec7e54fd168e19ca5d8cff1b5dd1c  inittab

3. Fixed-length output: MD5 produces 128 bits; SHA1 (Secure Hash Algorithm) produces a 160-bit fixed-length output.
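Added example (not part of the original article): the avalanche effect and fixed-length output measured with Python's hashlib, comparing the digests of two constructed inittab-like inputs that differ in a single byte, for MD5 and SHA1 as in the text and, going beyond it, SHA-256. The function names and sample inputs are mine.

```python
import hashlib

# Constructed sample: two inputs differing in one byte, standing in for the original
# and the lightly edited inittab from the md5sum session above.
ORIGINAL = b"id:3:initdefault:\n"
MODIFIED = b"id:5:initdefault:\n"


def digest(algorithm, data):
    """Return the raw digest of data for a hashlib algorithm name such as 'md5'."""
    return hashlib.new(algorithm, data).digest()


def differing_bits(a, b):
    """Count the bit positions at which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_report(algorithm, a=ORIGINAL, b=MODIFIED):
    """Return (digest length in bits, bits changed) for a one-byte change in the input."""
    da, db = digest(algorithm, a), digest(algorithm, b)
    return len(da) * 8, differing_bits(da, db)


if __name__ == "__main__":
    # Output length is fixed per algorithm; roughly half the bits flip on any change.
    for alg in ("md5", "sha1", "sha256"):
        bits, changed = avalanche_report(alg)
        print(f"{alg:7} {bits:3}-bit output, {changed} bits changed after a 1-byte edit")
```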

IV. /etc/group

Fields: the first field is the group name, the second the password placeholder, the third the GID, and the fourth the list of users who have this group as an additional group, separated by commas.

    ~]# cat /etc/group
    root:x:0:
    bin:x:1:bin,daemon
    ...
    hao:x:500:
    guang:x:501:

V. User management

1. useradd (adduser): add a user

    ~]# which useradd
    /usr/sbin/useradd
    ~]# ls -l $(which useradd)
    -rwxr-x---. 1 root root 103096 Dec  8  2011 /usr/sbin/useradd
    ~]# which adduser
    /usr/sbin/adduser
    ~]# ls -l $(which adduser)
    lrwxrwxrwx. 1 root root 7 Jul 20:14 /usr/sbin/adduser -> useradd

Command format: useradd [options] username

    ~]# useradd guang
    ~]# tail -1 /etc/passwd
    guang:x:501:501::/home/guang:/bin/bash
    ~]# tail -1 /etc/group
    guang:x:501:
    ~]# tail -1 /etc/shadow
    guang:!!:16377:0:99999:7:::
    ~]# passwd guang
    Changing password for user guang.
    New password:
    BAD PASSWORD: it does not contain enough DIFFERENT characters
    BAD PASSWORD: is a palindrome
    Retype new password:
    passwd: all authentication tokens updated successfully.
    ~]# tail -1 /etc/shadow
    guang:$6$0ndd3rob$op74ka4bocxxtu87tdcue/Jghlzbyghml9knabirixlj8yqjagdp7setenuzp1fvcok2zhhk05auwyqddbcjg/:16377:0:99999:7:::

Command options:

-u: specifies the UID; the UID must not already be in use. Without this option the new UID is the largest user UID in /etc/passwd plus one.

    ~]# useradd -u 1000 testuser
    ~]# tail -1 /etc/passwd
    testuser:x:1000:1000::/home/testuser:/bin/bash

-g: specifies the basic group. Without this option a basic group with the same name as the user is created by default; when it is used, the named group must already exist.

    ~]# useradd -g mygroup testusergroup
    ~]# tail -1 /etc/passwd
    testusergroup:x:1001:502::/home/testusergroup:/bin/bash

-G: specifies additional (supplementary) groups; more than one may be given.

    ~]# useradd -G mygroup testuser1
    ~]# tail -1 /etc/passwd
    testuser1:x:1002:1002::/home/testuser1:/bin/bash
    ~]# tail /etc/group
    webalizer:x:67:
    tomcat:x:91:
    sshd:x:74:
    tcpdump:x:72:
    slocate:x:21:
    hao:x:500:
    guang:x:501:
    mygroup:x:502:testuser1
    testuser:x:1000:
    testuser1:x:1002:

-c: specifies the comment (GECOS) information

-d: specifies the home directory; by default a directory with the same name as the user is created under /home/.

    ~]# useradd -c "haohao" -d /home/haohao testuser2
    ~]# tail -1 /etc/passwd
    testuser2:x:1003:1003:haohao:/home/haohao:/bin/bash

-s: specifies the shell path, which must appear in /etc/shells. The default is /bin/bash.

-r: adds a system user, that is, one with a UID between 1 and 499. A system user is not allowed to log in to the system and gets no home directory, even though a path is recorded in /etc/passwd. This option is usually used alone.

    ~]# useradd -r testr
    ~]# tail -1 /etc/passwd
    testr:x:496:493::/home/testr:/bin/bash
    ~]# ls /home
    guang  hao  haohao  testuser

The defaults used when adding a user are stored in /etc/default/useradd:

    ~]# file /etc/default/useradd
    /etc/default/useradd: ASCII text
    ~]# cat /etc/default/useradd
    # useradd defaults file
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes

2. userdel: delete a user

Command format: userdel [option] username. If no option is given, the home directory is not deleted when the user is deleted.

Command options:

-r: delete the user's home directory along with the user

    ~]# ls /home
    guang  hao  haohao  testuser  testuser1  testusergroup
    ~]# userdel testuser
    ~]# ls /home
    guang  hao  haohao  testuser  testuser1  testusergroup
    ~]# userdel -r testusergroup
    ~]# ls /home
    guang  hao  haohao  testuser  testuser1

3. id: view the user's UID and other related information

Command format: id [option] [username]

Command options:

-u: show the UID

    ~]# id -u testuser1
    1002

-g: show the basic group (GID)

    ~]# id -g testuser1
    1002

-G: show the basic group and the additional groups

    ~]# id -G testuser1
    1002 502

-n: display names instead of IDs

    ~]# id -u -n testuser1
    testuser1
    ~]# id -g -n testuser1
    testuser1
    ~]# id -G -n testuser1
    testuser1 mygroup

4. finger: view user account information

Command format: finger username

5. usermod: modify user account attributes

Command format: usermod [option] username. The options are used as with useradd.

Command options:

-u: change the user's UID

-g: change the user's GID (basic group)

-G: change the user's additional groups, that is, overwrite the existing additional groups. Typically used together with -a, which appends the user to the new additional group without removing the existing ones.

-c: change the comment information

-d: change the home directory. Files already in the original home directory are not moved to the new one; with the -m option the files in the original home directory are migrated to the new home directory.

-s: change the shell

-l: change the login name

-L: lock the account

-U: unlock the account

6. chsh (change shell): change the user's shell

    ~]# finger testuser1
    Login: testuser1                        Name:
    Directory: /home/testuser1              Shell: /bin/bash
    Never logged in.
    No mail.
    No Plan.
    ~]# chsh testuser1
    Changing shell for testuser1.
    New shell [/bin/bash]: /bin/tcsh
    Shell changed.
    ~]# finger testuser1
    Login: testuser1                        Name:
    Directory: /home/testuser1              Shell: /bin/tcsh
    Never logged in.
    No mail.
    No Plan.

7. chfn (change finger): change the comment (GECOS) information

    ~]# chfn testuser1
    Changing finger information for testuser1.
    Name []: test
    Office []: test
    Office Phone []: 110
    Home Phone []: 110
    Finger information changed.

8. passwd: change a user's password

A normal user can only change his or her own password, by running the command without arguments; the administrator may use the command to change another user's password.

Command format: passwd [option] [username]

    ~# passwd user1
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully

Command options:

  --stdin: reads the password from standard input. On Ubuntu (tested) passwd does not have this option; chpasswd can be used instead, which reads username:password pairs from standard input. You can echo the information and pipe it to either command, for example:

    ~# echo "user1:NewPassword" | chpasswd

-l: lock the user account

-u: unlock the user account

-d: remove the password (the password field in /etc/shadow is left empty)

    ~# tail -1 /etc/shadow
    user1:$6$ekf3mi4g$o3pzjiqirodxgrw9c4svuaq34oi8vomcgugw4/7lbtyk2adpph/spvtqsjkp9ajzamxu8smzgtm/uwkttaxam/:16362:0:99999:7:::
    ~# passwd -d user1
    passwd: password expiry information changed.
    ~# tail -1 /etc/shadow
    user1::16362:0:99999:7:::

9. pwck (password check): check the integrity of the password files

    ~]# pwck
    user 'adm': directory '/var/adm' does not exist
    user 'uucp': directory '/var/spool/uucp' does not exist
    user 'gopher': directory '/var/gopher' does not exist
    user 'ftp': directory '/var/ftp' does not exist
    user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
    user 'saslauth': directory '/var/empty/saslauth' does not exist
    user 'pulse': directory '/var/run/pulse' does not exist
    pwck: no changes

VI. Group management

1. groupadd: create a group

Command format: groupadd [options] groupname

Command options:

-g: specify the GID

-r: add a system group

    ~]# groupadd -r nginx
    ~]# tail -1 /etc/group
    nginx:x:492:

2. groupmod: modify group properties

Command format: groupmod [options] groupname

Command options:

-g: modify the GID

-n: modify the group name

3. groupdel: delete a group

4. gpasswd: set a password on a group

Command format: gpasswd groupname

When a user creates a file, the user is the file's owner and the file's group is the user's basic group:

    ~]# useradd hadoop
    ~]# su - hadoop
    ~]$ cd /tmp
    tmp]$ touch a.hadoop
    tmp]$ ll
    total 40
    -rw-rw-r--. 1 hadoop hadoop 0 Nov  4 12:09 a.hadoop
    ... (other entries omitted)
    tmp]$ id
    uid=1004(hadoop) gid=1004(hadoop) groups=1004(hadoop) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

5. newgrp: temporarily switch the user's basic group to another group (log in to another group)

A password is required only if the user has no relationship with the target group (that is, the group is not one of the user's additional groups). Return to the original group with exit.

    ~]# gpasswd mygroup
    Changing the password for group mygroup
    New Password:
    Re-enter new password:
    ~]# su - hadoop
    ~]$ cd /tmp
    tmp]$ newgrp mygroup
    Password:
    tmp]$ id
    uid=1004(hadoop) gid=502(mygroup) groups=1004(hadoop),502(mygroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    tmp]$ touch b.hadoop
    tmp]$ ll
    total 40
    -rw-rw-r--. 1 hadoop hadoop  0 Nov  4 12:09 a.hadoop
    -rw-r--r--. 1 hadoop mygroup 0 Nov  4 12:21 b.hadoop
    ... (other entries omitted)
