I. Description of the fields in the user and password configuration files
①. User configuration file (/etc/passwd);
[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
........................ (omitted)
user1:x:500:521::/home/user1:/bin/bash
Field 1: user name
Field 2: password placeholder (x means the hash is kept in /etc/shadow)
Field 3: UID. root's UID is 0; ordinary users start at 500 (0-499 are system users, 500 and above are ordinary users)
Field 4: GID. root's GID is 0; ordinary users' GIDs start at 500
Field 5: user description
Field 6: home directory
Field 7: the user's login shell, /bin/bash by default
②. Password configuration file (/etc/shadow);
[root@localhost ~]# cat /etc/shadow
root:$6$ospj9fhzc1oqnxa6$bwq4qgnvm7dyfnba1nkxymtbrpevhzdcppcagt9vav/eivlhjttj1zozh726xkmkokrgftgjqsusm9a3m/l6m/:16455:0:99999:7:::
........................ (omitted)
user1:$6$pqfvlq/i$bxdduqaydsp1jx8g4eqihlinb/uwh7/snz7p.9wwpkwfgjon2supnne4wfwkwigtqakjuovdmcxtd8pyawqr/.:16515:0:99999:7:::
Field 1: user name
Field 2: password hash (!! means the password is empty; $6$ is SHA-512, $1$ is MD5, $2$ is Blowfish, $5$ is SHA-256; * means the user is locked out)
Field 3: date of the last password change, counted in days since January 1, 1970
Field 4: minimum number of days between password changes; 0 means no limit
Field 5: maximum number of days the password stays valid; 99999 means it never expires
Field 6: number of days before expiry on which the user is warned; 7 here
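The field layout above is what an account audit reads. The script below is an added example, not part of the original post: it parses constructed /etc/passwd and /etc/shadow lines (the hashes are placeholders, not real hashes), lists every UID 0 account, classifies the hash prefix, flags accounts with no password set, and computes from fields 3 and 5 which passwords have expired on a given day. The "today" value 16620 is constructed as well.

```shell
#!/bin/sh
# Added example (not from the original post): audit the /etc/passwd and
# /etc/shadow field layout described above. The data below is CONSTRUCTED;
# the hashes are placeholders, not real password hashes.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:500:second UID 0 account:/home/backup:/bin/bash
user1:x:500:500::/home/1:/bin/bash
user7:x:524:524::/home/user7:/bin/nologin'

SHADOW_SAMPLE='root:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:16455:0:99999:7:::
bin:*:16455:0:99999:7:::
backup:!!:16515:0:99999:7:::
user1:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:16515:0:90:7:::
user7:$1$SALTPLACEHOLDER$HASHPLACEHOLDER:16515:0:99999:7:::'

# Field 3 of passwd: every account with UID 0 is root, whatever its name.
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { print $1 }'
}

# Field 2 of shadow, classified by the prefixes listed above.
hash_type() {
    case "$1" in
        '$6$'*)    echo sha512 ;;
        '$5$'*)    echo sha256 ;;
        '$2'*)     echo blowfish ;;   # $2a$ / $2y$ variants
        '$1$'*)    echo md5 ;;
        '!!')      echo unset ;;      # no password has been set
        '!'*|'*')  echo locked ;;     # "!" prefix (passwd -l) or "*"
        '')        echo empty ;;      # empty field: login without a password
        *)         echo unknown ;;
    esac
}

# Fields 3 and 5 of shadow: days left before the password must be changed.
# Arguments are day counts since 1970-01-01: $1 last change, $2 max days, $3 today.
days_until_expiry() {
    echo $(( $1 + $2 - $3 ))
}

# Accounts whose password is older than field 5 allows on the given day.
expired_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v today="$1" '$3 + $5 < today { print $1 }'
}

# Accounts with "!!" (no password set) or an empty password field.
unset_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "!!" || $2 == "" { print $1 }'
}

# One line per account: hash type and days until expiry as of day $1.
shadow_report() {
    printf '%s\n' "$SHADOW_SAMPLE" | while IFS=: read -r name hash last min max warn rest; do
        printf '%-8s hash=%-8s expires_in=%s\n' "$name" "$(hash_type "$hash")" \
            "$(days_until_expiry "$last" "$max" "$1")"
    done
}

# Stand-alone run: report as of day 16620 (constructed "today").
echo "UID 0 accounts: $(uid0_accounts | tr '\n' ' ')"
echo "No password set: $(unset_password_accounts | tr '\n' ' ')"
echo "Expired on day 16620: $(expired_accounts 16620 | tr '\n' ' ')"
shadow_report 16620
```

On a real host the same functions can be pointed at the live files by replacing the two constructed variables with the output of cat /etc/passwd and cat /etc/shadow (the latter is readable by root only), and "today" with the current day count.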
II. Create, delete and modify users and groups; set a user's password
1. useradd / groupadd: create a user or a group;
[root@localhost ~]# useradd linux
Common options:
①. -d: specify the home directory;
[root@localhost ~]# useradd -d /home/1 user1
[root@localhost ~]# tail -1 /etc/passwd
user1:x:500:500::/hom
②. -u: specify the user's UID;
[root@localhost ~]# useradd -u 520 user2
[root@localhost ~]# tail -2 /etc/passwd | grep user2
user2:x:520:520::/home/user2:/bin/bash
③. -g: specify the user's primary group (GID);
[root@localhost ~]# groupadd linux          # create the group
[root@localhost ~]# tail -1 /etc/group
linux:x:521:
[root@localhost ~]# tail -3 /etc/group
user1:x:500:
user2:x:520:
linux:x:521:
[root@localhost ~]# useradd -g 521 user4
[root@localhost ~]# id user4
uid=521(user4) gid=521(linux) groups=521(linux)
④. -G: specify the user's supplementary groups;
[root@localhost ~]# useradd -G 520 user5
[root@localhost ~]# id user5
uid=522(user5) gid=522(user5) groups=522(user5),520(user2)
⑤. -M: do not create a home directory;
[root@localhost ~]# useradd -M user6
[root@localhost ~]# ls -l /home/ | grep user6
(no output: no home directory was created)
⑥. -s: specify the user's login shell;
[root@localhost ~]# useradd -s /bin/nologin user7
[root@localhost ~]# tail -7 /etc/passwd | grep user7
user7:x:524:524::/home/user7:/bin/nologin
2. userdel / groupdel: delete a user or a group;
[root@localhost ~]# userdel user7
①. -r: delete the user together with its home directory;
[root@localhost ~]# userdel -r user4
②. Delete a group;
[root@localhost ~]# groupdel user4
3. usermod: modify user information;
[root@localhost ~]# id passwd
uid=1110(passwd) gid=500(user1) groups=500(user1),520(user2),521(linux)
[root@localhost ~]# usermod -u 11111 passwd
[root@localhost ~]# id passwd
uid=11111(passwd) gid=500(user1) groups=500(user1),520(user2),521(linux)
PS: usermod can change not only the user's UID but also the GID, login shell, home directory, and so on.
4. passwd: set the user's password;
[root@localhost ~]# passwd user1
[root@localhost ~]# echo "123" | passwd --stdin user1
III. Lock and unlock users
[root@localhost ~]# passwd -l user1          # lock the user
[root@localhost ~]# passwd -u user1          # unlock the user
[root@localhost ~]# passwd -S user1          # show whether the user is locked
IV. Using mkpasswd to generate random password strings
[root@localhost ~]# yum -y install expect
Options:
-l: password length, default 9, minimum 7
-d: number of digits the password must contain, default 2
-c: number of lowercase letters, default 2
-C: number of uppercase letters, default 2
-s: number of special characters, default 2
-p: the program used to set the password
[root@localhost ~]# mkpasswd -l 10 -d 3 -c 1 -C 1 -s 1
o8xu7{kz8t
V. Switching user identity
1. The difference between su and su -;
[root@localhost ~]# su user1
[user1@localhost root]$ echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin
[user1@localhost root]$ ls -la
ls: cannot open directory .: Permission denied
[root@localhost ~]# su - user1
[user1@localhost ~]$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc
[user1@localhost ~]$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/1/bin
PS: as you can see, the difference between su with and without "-" is the environment variables: without "-" the caller's environment (PATH, working directory) is kept, and because of that some built-in or external commands cannot be executed.
2. Run a command as the user1 user;
[root@localhost ~]# su - user1
[user1@localhost ~]$ su -c "echo AA > /tmp/a.txt" - user1
Password:                               # enter user1's password
[user1@localhost ~]$ cat /tmp/a.txt
AA
3. Authorizing commands to ordinary users (sudo);
[root@localhost ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL             # find this line
Field 1: the user name; field 2: the source host (IP), ALL for all hosts; (ALL): the identity the user may temporarily run the command as; field 3: which commands are authorized, written as absolute paths;
①. As root, authorize the /bin/ls command to the ordinary user user1;
[root@localhost ~]# su - user1
[user1@localhost ~]$ ls -l /root/
ls: cannot open directory /root/: Permission denied      # user1 has no permission to list /root
[user1@localhost ~]$ su - root
[root@localhost ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL             # find this line
user1   ALL=(root)      /bin/ls, /bin/mv        # add this line
[root@localhost ~]# su - user1
[user1@localhost ~]$ sudo /bin/ls /root
[sudo] password for user1:              # enter user1's password
2.txt  ceshi  drbd-8.4.3.tar.gz  install.log.syslog  anaconda-ks.cfg  drbd-8.4.3  install.log
4. Forbid root from logging in, and let an authorized ordinary user switch to root without a password;
[root@localhost ~]# vim /etc/ssh/sshd_config
PermitRootLogin no                      # remove the leading "#" and change yes to no
[root@localhost ~]# visudo
user1   ALL=(root)      NOPASSWD: /bin/su       # add this line; NOPASSWD means no password is asked when switching
[root@localhost ~]# su - user1
[user1@localhost ~]$ sudo su -
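The two sudoers rules written above deserve a second look from the defender's side: a rule whose command list contains ALL, /bin/su or a shell gives the user a full root shell, so the "only these commands" restriction no longer restricts anything, and NOPASSWD removes the remaining check. The script below is an added example, not part of the original post: it audits a constructed rule set (the rules are modelled on the ones from this walkthrough, plus a %wheel line and an ops line that are assumptions of the example) and reports NOPASSWD rules, rules that amount to a root shell, and the rules of one user.

```shell
#!/bin/sh
# Added example (not part of the original post): audit sudoers rules of the
# kind shown above. The rule set below is CONSTRUCTED for the demonstration.

SUDOERS_SAMPLE='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
## Rules from the walkthrough above
user1   ALL=(root)      /bin/ls, /bin/mv
user1   ALL=(root)      NOPASSWD: /bin/su
%wheel  ALL=(ALL)       ALL
ops     ALL=(root)      /usr/bin/systemctl restart httpd'

# Drop comments and blank lines; what is left are user specifications.
active_rules() {
    printf '%s\n' "$SUDOERS_SAMPLE" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# All rules for one user (or %group).
rules_for_user() {
    active_rules | awk -v u="$1" '$1 == u'
}

# Rules that do not ask for the caller's password.
nopasswd_rules() {
    active_rules | grep 'NOPASSWD:'
}

# Users whose command list gives a root shell outright: ALL, su, or a shell
# binary. Such a rule is equivalent to "root ALL" for that user.
root_shell_rules() {
    active_rules | awk '{
        cmds = $0
        sub(/^.*\)[ \t]*/, "", cmds)         # strip "user host=(runas)"
        sub(/^NOPASSWD:[ \t]*/, "", cmds)    # strip the tag
        n = split(cmds, list, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = list[i]
            sub(/[ \t].*$/, "", c)           # keep the binary, drop arguments
            if (c == "ALL" || c ~ /\/su$/ || c ~ /\/(ba|da|z)?sh$/) { print $1; break }
        }
    }'
}

# Stand-alone run over the constructed rule set.
echo "NOPASSWD rules:";       nopasswd_rules
echo "Root-shell rules for:"; root_shell_rules | tr '\n' ' '; echo
echo "Rules for user1:";      rules_for_user user1
```

On a real host, check the file's syntax with visudo -c before relying on it, and compare the audit against what sudo -l -U user1 reports as that user's effective rules. Note that /bin/mv from the earlier rule, run as root, can replace any file on the system, so even the "ls and mv only" line is broader than it looks.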
This article is from Chen's blog; please keep this source when reproducing it: http://chenxiaojian.blog.51cto.com/9345444/1622914
User and Group Management