User and Rights Management for Linux

Source: Internet
Author: User

Linux account management and file rights management

Whichever Linux distribution you run, Red Hat family, Debian family or a UNIX, account management is implemented on top of ID numbers. When we log in with a user name and password, the system translates the user name into a UID and uses that to decide whether the account exists. UIDs range from 0 to 65535: UID 0 is the superuser root, and ordinary accounts start from 1 and run up to about 60000; that range holds both system users and login users. The exact split differs between releases, for example between CentOS 6 and CentOS 7. On CentOS 6 the system users (accounts that system processes such as web servers or FTP servers run as) occupy 1-499, and login users are created from 500 upwards; on CentOS 7 system users occupy 1-999 and login users start at 1000.

The commands for creating and managing Linux users, and their main options:

1. useradd

Description: Create a new account

Usage: useradd [options] username

We can use man useradd to see what options it has. First, to find out which section of the manual holds the useradd page, run whatis useradd:




The output shows that useradd is documented in section 8 of the manual, so man 8 useradd opens the right page; the part we care about is the OPTIONS section.


There are many options; the useradd options we commonly use are the following:

-c  set the account's comment (description) field

-d  set the account's home directory

-e  set the account's expiry date, in YYYY-MM-DD format

-g  set the account's primary (basic) group

-G  set the account's supplementary (additional) groups; separate multiple groups with ","

-M  do not create a home directory; usually combined with -s

-s  set the account's login shell (the default is bash)

-u  specify the account's UID


If we want to create an account called nginx that is not allowed to log in and exists only to run the nginx process, we can create it with:

[root@host ~]# useradd -s /sbin/nologin -M nginx

As another example, to create an account mayun with UID 600, home directory /home/ali_mayun and sh as the login shell, we run the command below. Afterwards, id mayun shows the result: uid is the user ID, and gid and groups show the group ID. When a new user is created, the system automatically creates a group with the same name.

[root@host ~]# useradd -u 600 -d /home/ali_mayun -s /bin/sh mayun
[root@host ~]# id mayun
uid=600(mayun) gid=600(mayun) groups=600(mayun)

2. groupadd

Linux groups come in two kinds, the primary (basic) group and supplementary (additional) groups: a user belongs to exactly one primary group but may belong to several supplementary groups. As noted above, creating a user automatically creates a group with the same name and makes it that user's primary group. A group is identified by groupname/GID: the superuser group is 0, system groups are 1-499 on CentOS 6 and 1-999 on CentOS 7, and ordinary users' groups are 500+ on CentOS 6 and 1000+ on CentOS 7. The options for creating a group can again be looked up in the man page:

[root@host ~]# whatis groupadd
groupadd (8)         - create a new group
[root@host ~]# man 8 groupadd
GROUPADD(8)            System Management Commands           GROUPADD(8)
...


Common options when creating a group:

-g  set the group's GID

For example, we want to create a group mayun_ali with GID 1000 and make it a supplementary group of the user mayun we created earlier.

(1) First, create the group mayun_ali with GID 1000:

[root@host ~]# groupadd -g 1000 mayun_ali

(2) Then run the following commands and compare the output of id mayun before and after to see the difference; usermod modifies the information of an existing user.

[root@host ~]# id mayun
uid=600(mayun) gid=600(mayun) groups=600(mayun)
[root@host ~]# usermod -a -G mayun_ali mayun
[root@host ~]# id mayun
uid=600(mayun) gid=600(mayun) groups=600(mayun),1000(mayun_ali)


3. usermod

Description: Modify account information

Usage: usermod [options] username

Options:

-d  change the account's home directory

-e  change the date on which the account expires

-g  change the user's primary group

-G  change the user's supplementary groups

-a  append to the supplementary groups; when adding groups with -G you must also give -a, otherwise -G replaces the existing list

-s  change the user's login shell

-u  change the user's UID


For example, to change mayun's home directory to /home/alibaba, set the login shell to tcsh, and add him to the group taobao, we can do this:

[root@host ~]# mkdir /home/alibaba
[root@host ~]# groupadd taobao
[root@host ~]# usermod -d /home/alibaba/ -s /bin/tcsh -a -G taobao mayun
[root@host ~]# id mayun
uid=600(mayun) gid=600(mayun) groups=600(mayun),1000(mayun_ali),1001(taobao)


We have now created the user mayun and set up some group information, but the user cannot log in yet because he has no password.


4. passwd

Description: Update account authentication information

Usage: passwd [options] [username]

Options:

-l  lock the account; only root can use this option

--stdin  read the password from standard input (a pipe)

-u  unlock the account

-d  delete the password immediately; only root can use this option


For example, set mayun's password. Note that the password is not echoed as you type it; if you mistype, you can only re-enter it, not edit it.

[root@host ~]# passwd mayun
Changing password for user mayun.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

To set mayun's password by reading it from a pipe instead, do the following; this resets the password, overwriting the previous one. Bear in mind that a password passed to echo on the command line this way ends up in the shell history.

[root@host ~]# echo "<new password>" | passwd --stdin mayun
Changing password for user mayun.
passwd: all authentication tokens updated successfully.

Now we switch to the mayun account from another ordinary user and can see that logging in works. su means switch user: a plain su keeps the current user's environment variables when switching to the other user, while su - logs in with the target user's own environment variables.

[root@host ~]# su robin
[robin@host root]$ su - mayun
Password:
[mayun@host ~]$

Then, switching back to the root user, the following command locks the mayun account so that he cannot log in:

[root@host ~]# passwd -l mayun
Locking password for user mayun.
passwd: Success


5. userdel

Options:

-r  delete the account together with its related files (home directory)

[root@host robin]# userdel robin        // delete robin, but the home directory is kept
userdel: user robin is currently used by process 1973
[root@host home]# userdel -r mayun      // delete mayun together with the home directory
userdel: user mayun is currently used by process 1945

Both commands are refused here because the users still have running processes: they are still logged in from the su sessions above, so those sessions have to end before the accounts can be deleted.


Having created and deleted users, where is the users' account and password information actually stored?

1. The /etc/passwd file

The information on all system accounts is stored in the /etc/passwd file. We can view it with cat /etc/passwd:

[root@host home]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
......
nginx:x:502:502::/home/nginx:/sbin/nologin
mayun:x:600:600::/home/alibaba/:/bin/tcsh
robin:x:601:601::/home/robin:/bin/bash

Each line has the format: login name:x:UID:GID:comment:home directory:login shell


As you can see, this file holds no actual password information (the x is only a placeholder), so where is the password information stored?


2. The /etc/shadow file

[root@host home]# cat /etc/shadow
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
lp:*:15980:0:99999:7:::
sync:*:15980:0:99999:7:::
shutdown:*:15980:0:99999:7:::
halt:*:15980:0:99999:7:::
......
mayun:!!$6$ct0iu7l9$yqxe2rwl5g2yip8diu1/brnszic5aog.ouxzioyohxzvvzxv1hi.pq5xh5fqhktjbnumhy8konee2m6cme7eg0:16673:0:99999:7:::
...

The shadow file stores the users' password information. The password is not stored in clear text but as the output of a one-way hash, so the original password cannot be recovered from it.

Its format has nine fields separated by colons:

login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field

(1) Login name: must match the name in /etc/passwd.

(2) Encrypted password. The !! in front of mayun's hash marks the password as unusable, because the account was locked with passwd -l above.

(3) Date of the last password change, shown here as 16673: this is the number of days from 1970-01-01 (the Unix epoch) to the day of the change, which you can compute with:

[root@host home]# echo $(( $(date --date="2015/08/26" +%s) / 86400 + 1 ))
16673

(4) Minimum password age: the number of days during which the password cannot be changed.

(5) Maximum password age: the number of days after which the password must be changed.

(6) Warning period: the number of days before expiry on which the user is warned that the password needs changing.

(7) Inactivity period: the grace period, in days, after the password has expired.

(8) Account expiration date.

(9) Reserved field.
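The two file formats above (/etc/passwd in item 1 and /etc/shadow here) as an added Python example that is not part of the original post: it parses constructed sample records in those formats, converts the day-count field the way the date command above does, and flags what an audit of these files looks for (a second UID 0 account, an empty password on an account with a login shell, a password past its maximum age). The account names, hash strings and day counts in the samples are made up for the example.

```python
# Added example, not the article's own code: parse /etc/passwd and /etc/shadow
# records in the formats described above and flag common audit findings.
from datetime import date, timedelta
PASSWD_FIELDS = ("name", "x", "uid", "gid", "comment", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
                 "warn", "inactive", "expire", "reserved")
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")
# Constructed sample records modelled on the article's output; hashes are fake.
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash",
                 "mayun:x:600:600::/home/alibaba/:/bin/tcsh",
                 "toor:x:0:0::/tmp:/bin/sh"]          # a second UID 0 account
SAMPLE_SHADOW = ["root:$6$salt$fakehash:16500:0:90:7:::",   # max age 90 days
                 "mayun:!!$6$ct0iu7l9$fakehash:16673:0:99999:7:::",  # passwd -l
                 "toor::16673:0:99999:7:::"]          # empty hash: no password
def parse_passwd(line):
    # seven colon-separated fields; uid and gid become integers
    rec = dict(zip(PASSWD_FIELDS, line.rstrip("\n").split(":")))
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def parse_shadow(line):
    # nine colon-separated fields; the six day-count fields become int or None
    rec = dict(zip(SHADOW_FIELDS, line.rstrip("\n").split(":")))
    for f in SHADOW_FIELDS[2:8]:              # empty field means "not set"
        rec[f] = int(rec[f]) if rec[f] else None
    return rec

def days_to_date(days):
    """Fields 3 and 8 count days since 1970-01-01 (the article's 16673)."""
    return date(1970, 1, 1) + timedelta(days=days)

def password_state(hash_field):
    # '' = no password at all, '!' or '*' prefix = locked, otherwise a usable hash
    if hash_field == "":
        return "empty"
    if hash_field.startswith("!") or hash_field.startswith("*"):
        return "locked"                       # passwd -l prepends '!' to the hash
    return "set"

def audit(passwd_lines, shadow_lines, today_days):
    """Return (account, finding) pairs; today_days is today as days since epoch."""
    shadow = {r["name"]: r for r in map(parse_shadow, shadow_lines)}
    findings = []
    for p in map(parse_passwd, passwd_lines):
        s = shadow[p["name"]]
        state = password_state(s["hash"])
        if p["uid"] == 0 and p["name"] != "root":
            findings.append((p["name"], "extra UID 0 account"))
        if state == "empty" and p["shell"] not in NOLOGIN_SHELLS:
            findings.append((p["name"], "empty password with login shell"))
        if state == "set" and s["max_age"] and today_days - s["last_change"] > s["max_age"]:
            findings.append((p["name"], "password older than max age"))
    return findings
```

On a real system the same functions can be fed the lines of the two files directly, with today_days computed as in the date command above.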

This article from the "Fang Wenjun It Technology blog" blog, reproduced please contact the author!
