User and user group management for Linux systems

Source: Internet
Author: User

I. Users and user groups
1. Users (user)

Linux is a typical multi-user operating system. Several users can be created on one machine, and system services and rights management are organised around them: each login is granted only the permissions configured for that user, which improves security. Some accounts exist to run a specific task, for example nobody or ftp; others exist purely for security reasons, for example when direct root login is disabled and an ordinary account such as sshusr is created instead, so that an administrator logs in as sshusr and then switches to root with su (or runs individual commands with sudo). The accounts present on a system are listed in /etc/passwd.

2. User groups (group)

A user group is a collection of users that share some property. When several users should have the same rights, for example to view or modify a file or to execute a command, we put them in one group and grant that group the corresponding permission on the file or directory; every member of the group then has the same permission on that object.

3. Correspondence between users and groups

One-to-one: a user can be the only member of a group;
Many-to-one: several users can be members of one and the same group;
One-to-many: a user can be a member of several groups (one primary group plus supplementary groups);
Many-to-many: several users belong to several groups, with some users sharing a group.

II. Configuration files, commands and directories related to users and groups
1. Configuration files related to users and groups

1) User-related configuration files:
/etc/passwd  Note: user account file (name, UID, GID, comment, home directory, login shell); world-readable;
/etc/shadow  Note: shadow password file holding the password hashes and aging information; readable by root only;
2) Group-related configuration files:
/etc/group   Note: group file (name, GID, supplementary members);
/etc/gshadow Note: shadow file for groups (group passwords and group administrators).
2. Tools and commands for managing users and groups
1) User management commands:
useradd: add a user
adduser: add a user (on Red Hat style systems a symlink to useradd; on Debian style systems a separate, interactive front end to useradd)
userdel: delete a user
usermod: modify a user account, e.g. the login name or the home directory
passwd: set a user's password
pwconv: create /etc/shadow from /etc/passwd, or move password hashes still present in /etc/passwd into /etc/shadow
pwck: verify that the contents of /etc/passwd and /etc/shadow are well-formed and consistent with each other
pwunconv: the reverse of pwconv; it moves the hashes from /etc/shadow back into the world-readable /etc/passwd and deletes /etc/shadow. Avoid this on any system that matters, since every local user can then read and crack the hashes
finger: display user information
id: display a user's UID, GID and group membership
chfn: change a user's GECOS (comment) information
su: switch to another user
sudo: execute a command as another user (by default root). With su you switch to the other user and then do the work under that identity; with sudo the command is given on the command line and runs under the other identity directly. The invoking user authenticates with his own password rather than root's, and may only run what the rules in /etc/sudoers allow; /etc/sudoers must be edited with visudo
visudo: edit /etc/sudoers. It locks the file against concurrent edits and checks the syntax before saving. Editing /etc/sudoers directly with vi gives no such check, and a single syntax error can lock every administrator out of sudo, so always use visudo (visudo -c checks an existing file without editing it)
sudoedit: edit a file as another user through sudo; the editor runs as the invoking user on a temporary copy, which is written back to the target file afterwards

2) Group management commands:
groupadd: add a group;
groupdel: delete a group;
groupmod: modify group information;
groups: display the groups a user belongs to;
grpck: verify the integrity of /etc/group and /etc/gshadow;
grpconv: create /etc/gshadow from /etc/group, or synchronise the two files if /etc/gshadow already exists;
grpunconv: merge /etc/gshadow back into /etc/group and delete /etc/gshadow.

3. The /etc/skel directory

/etc/skel is the skeleton directory for new user accounts. It is owned and controlled by root, and when a user is added the files in it are copied into the new user's home directory. The files in /etc/skel are hidden files, i.e. their names start with a dot. By modifying, adding or deleting files in /etc/skel we can give every new user a uniform, standard default environment;
[root@beinan beinan]# ls -la /etc/skel/
total 92
drwxr-xr-x   3 root root  4096 Aug 11 23:32 .
drwxr-xr-x     root root 12288 Oct 14 13:44 ..
-rw-r--r--   1 root root    24 May    00:15 .bash_logout
-rw-r--r--   1 root root   191 May    00:15 .bash_profile
-rw-r--r--   1 root root   124 May    00:15 .bashrc
-rw-r--r--   1 root root  5619 2005-03-08  .canna
-rw-r--r--   1 root root   438 May    15:23 .emacs
-rw-r--r--   1 root root   120 May    05:18 .gtkrc
drwxr-xr-x   3 root root  4096 Aug    23:16 .kde
-rw-r--r--   1 root root   658 2005-01-17  .zshrc

When a user is added with useradd or adduser, the system copies the files in /etc/skel into the new home directory automatically. If instead we add a user by editing /etc/passwd by hand (use vipw, which locks the file while you edit it), we must create the home directory ourselves, copy the files from /etc/skel into it, and then use chown to make the new user the owner of the home directory and its contents;

4. The /etc/login.defs configuration file

/etc/login.defs holds the site-wide policy applied when creating a user: whether a home directory is created, the UID and GID ranges, password aging limits, the default umask, the password hashing method and so on. Only root can change it;

For example, the content of Fedora's /etc/login.defs (comments as in the file, with notes added after the values):

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail    Note: when a user is created, his mail file is created in /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#   PASS_MAX_DAYS   Maximum number of days a password may be used.
#   PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#   PASS_MIN_LEN    Minimum acceptable password length.
#   PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999    Note: maximum number of days a password stays valid (99999 means it effectively never expires)
PASS_MIN_DAYS   5        Note: minimum number of days between two password changes
PASS_MIN_LEN    5        Note: minimum password length (on PAM-based systems the pam_pwquality/pam_cracklib settings usually take precedence)
PASS_WARN_AGE   7        Note: number of days of warning before a password expires

# Min/max values for automatic uid selection in useradd
#
UID_MIN         500      Note: the lowest UID useradd assigns automatically, i.e. normal users start at 500
UID_MAX         60000    Note: the highest automatically assigned UID

# Min/max values for automatic gid selection in groupadd
#
GID_MIN         500      Note: GIDs for new groups start at 500
GID_MAX         60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes      Note: create a home directory for new users by default

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077      Note: new home directories are created with mode 700, i.e. private to their owner

# Use SHA512 to encrypt password.
ENCRYPT_METHOD  SHA512   Note: password hashes in /etc/shadow use SHA-512 crypt (the $6$ prefix); newer releases default to yescrypt ($y$)
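The settings above are policy, and policy drifts. The following script is an added example (not part of the original page) that reads a login.defs file the way a reviewer would: it extracts the active value of a key, ignoring comments, and reports settings that weaken account security (passwords that never expire, short minimum length, a permissive umask, a weak or unset hash method). The file it audits is a constructed sample mirroring the Fedora fragment above, not a real /etc/login.defs; the 8-character and 027/077 thresholds are the author's assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: audit password-aging, umask and hashing policy in a login.defs
# file. SAMPLE_DEFS is a constructed sample in login.defs format, based on the
# Fedora fragment quoted above; replace it with /etc/login.defs on a real host.

SAMPLE_DEFS=$(mktemp)
trap 'rm -f "$SAMPLE_DEFS"' EXIT
cat >"$SAMPLE_DEFS" <<'EOF'
# constructed sample, login.defs format
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   5
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
GID_MIN         500
GID_MAX         60000
CREATE_HOME     yes
UMASK           077
ENCRYPT_METHOD  SHA512
EOF

# logindefs_get FILE KEY: print the value of the last active (uncommented)
# definition of KEY; print nothing if KEY is not set at all.
logindefs_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }       # skip comment lines
        $1 == key        { val = $2 }   # a later definition replaces an earlier one
        END              { if (val != "") print val }
    ' "$1"
}

# logindefs_audit FILE: print one finding per line for settings that weaken
# account security. Returns 0 when clean, 1 when there are findings.
# Thresholds (8 characters, umask 077/027, SHA512/YESCRYPT) are assumptions.
logindefs_audit() {
    file=$1
    findings=0

    max=$(logindefs_get "$file" PASS_MAX_DAYS)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: passwords never expire"
        findings=$((findings + 1))
    fi

    minlen=$(logindefs_get "$file" PASS_MIN_LEN)
    if [ -z "$minlen" ] || [ "$minlen" -lt 8 ]; then
        echo "PASS_MIN_LEN=${minlen:-unset}: short passwords accepted (check pam_pwquality as well)"
        findings=$((findings + 1))
    fi

    umask_val=$(logindefs_get "$file" UMASK)
    case $umask_val in
        077|027) ;;
        *) echo "UMASK=${umask_val:-unset}: new home directories readable by other users"
           findings=$((findings + 1)) ;;
    esac

    method=$(logindefs_get "$file" ENCRYPT_METHOD)
    case $method in
        SHA512|YESCRYPT) ;;
        *) echo "ENCRYPT_METHOD=${method:-unset}: weak or unspecified password hash"
           findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Demonstration run against the constructed sample: the sample passes the umask
# and hash checks but is flagged for PASS_MAX_DAYS and PASS_MIN_LEN.
logindefs_audit "$SAMPLE_DEFS" || echo "(policy needs attention)"
```

On a live system run logindefs_audit /etc/login.defs; note that login.defs only governs accounts created afterwards, so existing accounts must be checked in /etc/shadow (chage -l user) separately.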
5. The /etc/default/useradd file

The defaults applied when a user is added with useradd:

# useradd defaults file
GROUP=100        Note: default primary group (GID 100, users), used only when no per-user group is created;
HOME=/home       Note: home directories are created under /home;
INACTIVE=-1      Note: number of days after password expiry before the account is disabled; -1 turns this off;
EXPIRE=          Note: account expiry date; left empty, the account never expires;
SHELL=/bin/bash  Note: default login shell;
SKEL=/etc/skel   Note: skeleton directory; when a user is added with useradd or adduser, the initial files in his home directory are copied from here.

These defaults can be displayed with useradd -D and changed with useradd -D together with -g, -b, -f, -e or -s, which rewrite this file.
III. Managing user groups
1. Creating a group

Command format:
groupadd [options] [group]
Options:
-g GID: specify the group identification number (GID) of the new group.
-o: used together with -g, allows the new group's GID to be the same as that of a group already in the system (duplicate GIDs make two names for one set of permissions, so use it only deliberately).
Example 1: create group group1; its GID is chosen automatically as the next available value above GID_MIN
# groupadd group1
Example 2: create group group2 and set its GID to 101.
# groupadd -g 101 group2

2. Deleting a group

Command format:
groupdel [group]
Example: remove group group1 from the system (fails if group1 is still the primary group of some user).
# groupdel group1

3. Modifying group attributes

Command format:
groupmod [options] [group]
Options:
-g GID: assign a new group identification number to the group.
-o: together with -g, allows the new GID to be the same as that of an existing group.
-n newname: rename the group.
Example: change the GID of group group2 to 102.
# groupmod -g 102 group2
Example: change the GID of group group2 to 10000 and rename it to group3.
# groupmod -g 10000 -n group3 group2
4. Switching the current group
If a user belongs to several groups at once, he can switch his current (effective) group among them in order to use the permissions of another of his groups. After logging in, the user runs newgrp with the target group as its argument.
For example:
$ newgrp root
This makes root the user's current group, provided root really is the user's primary group or one of his supplementary groups (otherwise newgrp asks for the group password, if one is set, or refuses). Like user accounts, groups can also be managed through the distribution's integrated system management tools.
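Group membership is the place privilege hides: a user who is in wheel or sudo through his primary GID in /etc/passwd does not appear in the member list of /etc/group. The script below is an added example (not from the original page) that resolves the effective members of a group from both files and, as a second check, lists every account whose UID is 0. The passwd and group data are constructed samples in /etc/passwd and /etc/group format, including a deliberately planted UID-0 account named backdoor; the user and group names are invented for the example.

```shell
#!/bin/sh
# Added example: effective group membership and UID-0 audit over passwd/group
# data. PASSWD_SAMPLE and GROUP_SAMPLE are constructed; on a real host pass
# "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alex:x:1005:1006::/home/galex:/bin/bash
tom:x:1007:1007::/home/tom:/sbin/nologin
ops:x:1008:10:ops account:/home/ops:/bin/bash
backdoor:x:0:0::/:/bin/bash'

GROUP_SAMPLE='root:x:0:
wheel:x:10:alex
alex:x:1006:
galex:x:1007:alex,tom'

# group_members PASSWD_DATA GROUP_DATA GROUPNAME
# A user is a member of a group if he is listed in the fourth field of the
# group's /etc/group entry OR if that group is his primary group (fourth field
# of /etc/passwd). Looking at /etc/group alone misses the second case.
# Prints a sorted, space-separated list; prints nothing for an unknown group.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$3" -v gdata="$2" '
        BEGIN {
            n = split(gdata, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[1] == g) {
                    gid = f[3]
                    k = split(f[4], m, ",")
                    for (j = 1; j <= k; j++) if (m[j] != "") seen[m[j]] = 1
                }
            }
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # primary-group members from passwd
        END { for (u in seen) print u }
    ' | sort | xargs
}

# uid0_accounts PASSWD_DATA
# Every account with UID 0 is root in all but name, whatever it is called;
# anything other than "root" in this list needs an explanation.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }' | sort | xargs
}

echo "wheel members:  $(group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" wheel)"
echo "galex members:  $(group_members "$PASSWD_SAMPLE" "$GROUP_SAMPLE" galex)"
echo "uid 0 accounts: $(uid0_accounts "$PASSWD_SAMPLE")"
```

In the sample, ops is reported as a wheel member although only alex is listed in the wheel line of /etc/group, because ops has GID 10 as primary group in /etc/passwd; the same logic also surfaces tom in galex. Compare the output with what `id` reports for each user when reconciling access.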

IV. User management
(i) Adding users

1. Command
The useradd (or adduser) command creates a user account and the user's home directory; it requires superuser privileges.
2. Command format
useradd [-c comment] [-d home] [-s shell] [-m [-k skel_dir]] [-f inactive] [-e expire] [-p passwd] [-r] name
3. Main parameters
-c: comment text, stored in the GECOS (fifth) field of /etc/passwd.
-d: home directory to use instead of the default /home/<username>.
-D: display or change the default values kept in /etc/default/useradd.
-e: account expiry date in the form YYYY-MM-DD, for example 2012-06-30. By default the account never expires.
-f: number of days after the password expires before the account is disabled. 0 disables the account as soon as the password expires; -1 turns the feature off. The default is -1.
-g: primary group, given as a group name or GID; the group must already exist. When USERGROUPS_ENAB is yes (the default on most distributions) a private group named after the user is created instead; otherwise the default is GROUP from /etc/default/useradd, here 100 (users).
-G: supplementary groups the user belongs to, comma-separated.
-m: create the user's home directory (populated from /etc/skel).
-M: do not create the home directory.
-N: do not create a group named after the user.
-r: create a system account: UID from the system range, no home directory by default and no password aging.
-s: login shell. The default is /bin/bash.
-u: user ID number; it must be unique within the system. UIDs below UID_MIN (0 to 499 on this system; 0 to 999 on most current distributions) are reserved for system accounts, so the value must lie above that range.
-p: encrypted password, i.e. a hash as produced by crypt(3). Passing a plaintext string here stores that string as the hash, which never matches any password, and leaves the secret in the shell history; set the password afterwards with passwd instead.
Example: create user tom with no interactive login (suitable for a service account)
# useradd -s /sbin/nologin tom

4. Description
useradd creates a user account and is equivalent to the adduser command. After the account has been created, use passwd to set its password. The account created by useradd is stored as a line in the text file /etc/passwd (with the password hash and aging data in /etc/shadow).

(ii) Deleting a user

Command format:
userdel [username]     # removes only the account; the home directory and mail spool remain
userdel -r [username]  # also removes the home directory and mail spool
Files the user owned outside his home directory keep the now-unassigned UID; find them with find / -nouser before that UID is handed to a new account, or the new owner inherits them.

(iii) Setting a user's password

As root, passwd <username> sets or resets another user's password; a user who runs passwd with no argument is prompted to change his own.
1. Command format:
echo [password] | passwd --stdin [username]
(--stdin is a Red Hat extension of passwd. The echo form also records the password in the shell history, so on a real system prefer an interactive passwd, or chpasswd reading from a file with restrictive permissions.)
For example: create a new user test with password test, and create an additional group usertest:

# useradd test
# echo "test" | passwd --stdin test
# groupadd usertest

2. The user's password file
Password information is stored in /etc/shadow, one line per user with nine colon-separated fields:

# sed -n '$p' /etc/shadow
nalex:$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7:0:17897:

-- user name
-- password hash (the $6$ prefix marks SHA-512 crypt; a leading ! means the password is locked, * or !! means no usable password is set, and an empty field means no password is required, which must never appear on a real account)
-- date of the last password change, as days since 1970-01-01 (17551 = 2018-01-20; 0 forces a change at the next login)
-- minimum number of days between password changes (0 means it can be changed at any time)
-- maximum number of days a password may be used (99999 means it never expires)
-- number of days before expiry on which the user is warned (default one week)
-- number of days after the password expires before the account is disabled
-- account expiry date, as days since 1970-01-01
-- reserved field, currently unused
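Reading those fields by eye is error-prone, and the two date fields are day counts rather than dates. The following script is an added example (not from the original page) that decodes a single /etc/shadow line into a one-line status: lock state, hash algorithm, last-change date, maximum age and expiry date. It converts day counts to YYYY-MM-DD with integer arithmetic only, so it needs no GNU date. The sample is the nalex line shown above; the locked variant and the svc line are constructed for the example.

```shell
#!/bin/sh
# Added example: decode /etc/shadow lines. SHADOW_LINE is the nalex entry from
# the page; the other inputs used below are constructed.

SHADOW_LINE='nalex:$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7:0:17897:'

# days_to_date DAYS: convert "days since 1970-01-01" to YYYY-MM-DD using the
# civil-from-days algorithm (proleptic Gregorian), integer arithmetic only.
days_to_date() {
    z=$(( $1 + 719468 ))                      # shift epoch to 0000-03-01
    era=$(( z / 146097 ))                     # 400-year cycles
    doe=$(( z - era * 146097 ))               # day of era [0, 146096]
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))   # day of year, March-based
    mp=$(( (5 * doy + 2) / 153 ))             # month index, 0 = March
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# shadow_status LINE: print "name status algorithm last-change max-days expiry"
#   status: active | locked (usermod -L / passwd -l, "!" prefix) |
#           disabled (no usable password: "*", "!!" or "!") | empty (no password at all)
shadow_status() {
    IFS=: read -r name hash last min max warn inact expire rest <<EOF
$1
EOF
    case $hash in
        '')            status=empty ;;
        '*'|'!!'|'!')  status=disabled ;;
        '!'*)          status=locked ;;
        *)             status=active ;;
    esac
    h=${hash#!}                               # look past a lock prefix for the algorithm
    case $h in
        '$6$'*) alg=sha512 ;;
        '$5$'*) alg=sha256 ;;
        '$y$'*) alg=yescrypt ;;
        '$2'*)  alg=bcrypt ;;
        '$1$'*) alg=md5 ;;
        ''|'!'|'*') alg=none ;;
        *)      alg=other ;;                  # legacy DES or unknown: treat as weak
    esac
    if [ "$last" = "0" ]; then lastdate=must-change; else lastdate=$(days_to_date "$last"); fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then maxdays=never; else maxdays=$max; fi
    if [ -z "$expire" ]; then expdate=none; else expdate=$(days_to_date "$expire"); fi
    printf '%s %s %s %s %s %s\n' "$name" "$status" "$alg" "$lastdate" "$maxdays" "$expdate"
}

shadow_status "$SHADOW_LINE"
# A whole file can be decoded with: while IFS= read -r l; do shadow_status "$l"; done < /etc/shadow (as root)
```

Note that "locked" only means the password cannot match; an account whose password is locked can still be entered with an SSH key or any other non-password method until its shell or expiry date is changed as well.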

(iv) Modifying user attributes
1. Modifying user attributes with usermod
Syntax: usermod [options] [user account]
Note: usermod changes the settings of an existing user account.
Options
-a|--append      # add the user to the listed supplementary groups without removing him from others; only valid with -G
-c|--comment     # change the comment (fifth field) in /etc/passwd
-d|--home        # change the user's home directory, usually together with -m
-e|--expiredate  # date on which the account is disabled, in the form YYYY-MM-DD
-f|--inactive    # number of days after password expiry before the account is disabled; 0 disables it as soon as the password expires, -1 turns the feature off (the default)
-g|--gid         # change the user's primary group; the new group must exist
-G|--groups      # set the user's supplementary groups (comma-separated); without -a this replaces the existing list
-l|--login       # change the user's login name
-L|--lock        # lock the user's password
-m|--move-home   # move the contents of the current home directory to the new one; used together with -d
-s|--shell       # change the user's login shell
-u|--uid         # change the user's UID; it must be unique
-U|--unlock      # unlock the user's password
2. Examples
1) Create a new user alex with password alex, and create an additional group galex

2) Add the alex user to the galex group
# usermod -aG galex alex    # several groups are separated by commas, not spaces

# id alex
uid=1005(alex) gid=1006(alex) groups=1006(alex),1007(galex)

3) Move alex's home directory to /home/galex

# usermod -md /home/galex alex
# cat /etc/passwd | grep "alex"
alex:x:1005:1006::/home/galex:/bin/bash

4) Change the user name

# usermod -l nalex alex
# cat /etc/passwd | grep "alex"
nalex:x:1005:1006::/home/galex:/bin/bash

5) Lock nalex's password

# sed -n '$p' /etc/shadow
nalex:!$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7:::

After the user is locked, the hash in the second field is prefixed with an exclamation mark "!", so no password can match it. Note that only password authentication is blocked: the account can still be reached with an SSH key unless the shell or the expiry date is changed as well.
6) Unlock nalex's password
# usermod -U nalex
The exclamation mark in front of the hash is removed again.
7) Change the user's shell

8) Set the account expiry date

# sed -n '$p' /etc/shadow
nalex:$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7:::
# usermod -e 2019-01-01 nalex
# sed -n '$p' /etc/shadow
nalex:$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7::17897:

The eighth field now holds the expiry date as days since 1970-01-01 (17897 = 2019-01-01). Unlike a locked password, an expired account is refused by the PAM account check regardless of the authentication method.
9) Set how many days after the password expires the account is disabled

# usermod -f 0 nalex
# sed -n '$p' /etc/shadow
nalex:$6$QCsCA/7/$jsBzKSSoEOFW/.TsFlkJi.nZndkZz3EZ2nOMtpjDk9UInBxY6g76HnuTMgl9GqC0E0WNe.oznUKANMYrZG2FI.:17551:0:99999:7:0:17897:

The seventh field is now 0, so the account is disabled as soon as its password expires.
