User and user group management for Linux

Linux is a multi-user multi-tasking time-sharing operating system, all of which use system resourcesof usersMust first request an account from the system administrator, and then enter the system as the ID of the account. The user's account can help the system administrator to use the systemof usersTo track and control their access to system resources, on the other hand, to help users organize files and provide security protection for users. Each user account has a uniqueof usersName and user password. Users type the correct logonof usersName and password to enter the system and its own home directory.
To achieve the management of user accounts, the main tasks to be completed are as follows:
A. Add, delete and modify user accounts.
B. Management of user passwords.
C. Management of user groups.
Management of Linux user accounts

The management of user accounts mainly involves the addition, deletion and modification of user accounts.
To add a user account is to create a new account in the system, and then assign the user number, user group, home directory, and login shell resources to the new account. The account you just added is locked and cannot be used.
1. Add Newof usersAccount using the Useradd command, the syntax is as follows:
Useradd option User Name
Each of these options has the following meanings:
-C Comment Specifies an annotative description.
The-D directory specifies the home directory, and if this directory does not exist, it can be created by using the-M option.
-G user group specifies which user belongs toof usersGroup.
-G user Group, user group specifies the additional group to which the user belongs.
-S Shell file specifies the user's login shell.
-u user number Specify userof usersNumber, if you have the-o option at the same time, you can reuse the other user's identification number.
-P This command is required to provide MD5 code encryption password, the ordinary number is not.

USERNAME Specifies the login name of the new account.

Ex
Example 1:
# useradd-d/usr/sam-m Sam
This command creates a user Sam, where the-D and-m options are used to generate a home directory for the login Sam/usr/sam (/usr as the defaultof usersThe parent directory where the home directory resides).
Example 2:
# useradd-s/bin/sh-g group-g adm,root Gem
This command creates a new user gem, which is the login shell of/bin/sh, which belongs to the group user groups, and also to the ADM and root user groups, where group user groups are their primary groups.
There may be a new group: Groupadd Group and Groupadd ADM
Adding a user account is adding a record to a new user in the/etc/passwd file, while updating other system files, such as/etc/shadow,/etc/group.
Linux provides an integrated system management tool, userconf, that can be used to manage user accounts.
Note:
The user account itself is defined in/etc/passwd. The Linux system contains a/etc/passwd companion file, called/etc/shadow. The file is not like/etc/passwd and is readable only for the root user and contains encrypted password information. Let's take a look at a sample line from/etc/shadow:
drobbins1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0
Each line defines the password information for a special account, and in the same way, each field is separated by:. The first field defines a special user account associated with this shadow entry. The second field contains an encrypted password. The remaining fields are described in the following table:

Field 3 number of days since 1/1/1970 the password has been modified
Field 4 The number of days before the password is allowed to be modified (0 means "can be modified at all times")
Field 5 The number of days before the system will force the user to modify to a new password (1 means "never modify")
The number of days that the user will be warned of expiration before field 6 password expires (-1 means "no warning")
Field 7 The number of days that the system automatically disables the account after the password expires (-1 means "never disabled")
Field 8 The number of days that the account is disabled (-1 means "The account is enabled") Field 9 reserved for future use
2. Delete Account
If a user account is no longer in use, it can be removed from the system. Deleting a user account is to delete the user record in the system files such as/etc/passwd, and delete the user's home directory if necessary. Delete an existingof usersThe account uses the Userdel command in the following format:
Code:
Userdel option User Name
The commonly used option is-r, and his role is to remove the user's home directory.
For example:
# Userdel-r Sam
This command deletes the records of the user Sam in the system files (mainly/etc/passwd,/etc/shadow,/etc/group, etc.) and deletes the user's home directory.
3, modify the account
Modifying the user account is based on the actual situation to change the user (Chgrp is for the file) related attributes, such as user number, home directory, user group, login shell and so on.
Modify the information for an existing user using the Usermod command, in the following format:
Code:
Usermod option user name [only the ultimate administrator has permission to modify the account name, if you use the sudo command to authorize the normal account.]
Common options include-c,-d,-m,-g,-g,-s,-u,-o, which have the same meaning as the Useradd command, and can specify new resource values for the user. In addition, some systems can use the following options:
Code:
-L New User name
This option specifies a new account, which will be the originalof usersrenamed to Newof usersName.
For example:
# usermod-s/bin/ksh-d/home/z-G developer Sam
This command modifies the user Sam's login shell to Ksh, the home directory to/home/z, and the user group to developer.
#usermod Zte1-g Cheng
#此命令是改动用户zte1所属的组为cheng这个组
4. View account Attributes
Format: ID user1 displays the UID and GID of the User1, which defaults to the current user's ID information
ex: [email protected]:/home> ID ZTE uid=1011 (ZTE) gid=100 (users) groups=100 (UUCP), + (dialout), (audio), (VIDEO)

Groups User1 displays the group where the user User1 is located, by default the group information for the current user
ex: [Email protected]:/home> groups users UUCP dialout Audio Video (default)
managing passwords for Linux users

An important part of user management is the management of user passwords. User account has just been created without a password, is locked by the system, can not be used, it must be given a password before it can be used, even if it is a blank password.
The shell command that specifies and modifies the user's password is passwd. The ultimate user can specify passwords for themselves and other users, and ordinary users can only modify their own passwords. The format of the command is:
Code:
passwd option User Name
Options available for use:
-L locks the password, which disables the account.
-u password to unlock.
-D make the account no password.
-F forces the user to modify the password the next time they log on.
If the default user name, the password for the current user is modified.
For example: Assuming the current user is Sam, the following command modifies the user's own password:
$ passwd
Old password:******
New password:*******
Re-enter New password:*******
If you are the ultimate user, you can specify the password for any user in the following form:
# passwd Sam
New password:*******
Re-enter New password:*******
Ordinary users to modify their own password, the passwd command will first ask the original password, verify and then require the user to enter two times the new password, if the password two times the same, then the password is assigned to the user, and the ultimate user to specify a password for the user, you do not have to know the original password. For security reasons, the user should choose a more complex password, the best use of not less than 8-bit password, the password contains uppercase, lowercase letters and numbers, and should be different from name, birthday and so on.
When you specify an empty password for a user, the following forms of command are executed:
Code:
# passwd-d Sam
This command removes the password for the user Sam so that the next time the user Sam logs on, the system will no longer ask for the password.
The passwd command can also lock a user with the-l (lock) option so that it cannot log on, for example:
Code:
# passwd-l Sam
management of Linux user groups
Each user has a user group, and the system can centrally manage all users in a single user group. Different Linux systems differ from user groups, such as Linuxof usersbelongs to the same name as himof usersGroup, which is created at the same time as the user is created. The management of user groups involves adding, deleting, and modifying user groups. Group additions, deletions, and modifications are actually updates to the/etc/group file.
User groups (group) are the same characteristicsof users(user), for example, sometimes we want to let multiple users have the same permissions, such as to view, modify a file or execute a command, we need the user group, we define the user to the same user group, we modify the permissions of the file or directory, so that the user group has a certain operation rights, so that the user groupof usersHave the same permissions on the file or directory, which is achieved by defining the permissions of the group and modifying the file;
Example:
In order for some users to have permission to view a file, such as a schedule, and the person who writes the timesheet has permission to read and write, we want some users to know the content of the timesheet without letting them modify it, so we can put these users into a group (with the CHGRP command), Then to modify this file (with the chmod command) permissions, let the user group is readable (with the chgrp command to attribute this file to this group), so that each user under the user group is readable, other users are inaccessible.
1. Add a newof usersThe group uses the Groupadd command. The format is as follows:
Code:
Groupadd option user groups [user groups are added, assign users to groups with Chown and CHGRP directives]
The options you can use are:
-G GID Specifies the group identification number (GID) of the new user group.
The-O General and-G option are used together, indicating that the GID of the new user group is the same as the GID of the user group already in the system.
Example 1:
# Groupadd Group1
This command adds a new group group1 to the system, and the group identification number of the new group is added 1 on the basis of the currently existing maximum group identification number.
Example 2:
# GROUPADD-G 101 Group2
This command adds a new group group2 to the system, specifying that the group identification number for the new group is 101.
2. If you want to delete an existingof usersGroup, using the Groupdel command, in the following format:
Code:
Groupdel User Group
For example:
# Groupdel Group1
This command removes the group group1 from the system.
3. Modify the properties of the user group using the groupmod command. Its syntax is as follows:
Code:
Groupmod Option User Group
The common options are:
-G GID Specifies a new group identification number for the user group.
The-O and-g options are used together, and the user group's new GID can be the same as the GID of the user group.
-N New user Group change user group name to new name
Example 1:
# GROUPMOD-G 102 Group2
This command modifies the group ID number of group group2 to 102.
Example 2:
# groupmod-g 10000-n Group3 group2
This command changes the identification number of the group group2 to 10000 and the group name to Group3.
4. If a user belongs to more than one user group at the same time, the user can convert between groups of users so that they have permissions from other user groups. After logging in, the user can use the command newgrp to convert to another user group, the parameter of this command is the targetof usersGroup.
For example:
$ NEWGRP Root
This command converts the current user to the root user group, provided that the root user group is indeed the user's primary or additional group. Similar to the management of user accounts, the management of user groups can also be accomplished through integrated system management tools.
system files related to user accounts
There are many ways to accomplish user-managed work, but each one actually modifies the system files concerned. Information related to users and user groups is stored in some system files, including/etc/passwd,/etc/shadow,/etc/group. The contents of these files are described below.
1./etc/passwd file is one of the most important files involved in user management work. Each user in the Linux system has a corresponding record line in the/etc/passwd file, and he records some basic attributes of the user. This file is readable for all users. His content is similar to the following example:
# CAT/ETC/PASSWD
root:x:0:0:superuser:/:
Daemon:x:1:1:system daemons:/etc:
Bin:x:2:2:owner of System Commands:/bin:
Sys:x:3:3:owner of System Files:/usr/sys:
Adm:x:4:4:system Accounting:/usr/adm:
UUCP:X:5:5:UUCP ADMINISTRATOR:/USR/LIB/UUCP:
Auth:x:7:21:authentication Administrator:/tcb/files/auth:
Cron:x:9:16:cron Daemon:/usr/spool/cron:
Listen:x:37:4:network Daemon:/usr/net/nls:
Lp:x:71:18rinter ADMINISTRATOR:/USR/SPOOL/LP:
Sam:x:200:50:sam san:/usr/sam:/bin/sh
From the above example, we can see that a row of records in/etc/passwd corresponds to a user, and each row of records is separated by a colon into 7 fields, with the following format and specific meanings:
Code:
User name: Password: User id: Group identification number: Annotative Description: Home directory: Login Shell
(1) "User name" is a string representing the user's account number. It is usually not more than 8 characters in length and consists of uppercase and lowercase letters and/or numbers. There cannot be a colon in the login name, because the colon is the delimiter here. For compatibility purposes, it is best not to include the dot character "." In the login name, and not use the hyphen "-" and the plus sign "+" to begin.
(2) "password", some systems are stored in the encryptionof usersPassword, although this field is stored only the user password encryption string, not clear text, but because the/etc/passwd file is readable to all users, so this is still a security risk. As a result, many Linux systems now use the shadow technology to put real encryptedof usersThe password word is stored in the/etc/shadow file, and only one special character, such as "X" or "*", is stored in the password field of the/etc/passwd file.
(3) "User identification number" is an integer that is used internally by the system to identify the user. In general, he and the user name are one by one corresponding. If several user names correspondof usersThe identification number is the same, the system will treat them as the same user, but they can have different passwords, different home directories and different login shells. The typical range of user identification numbers is 0~65535. 0 is the ultimate user root identification number, 1~99 reserved by the system, as a management account, the identification number of ordinary users starting from 100. In a Linux system, this limit is 500.
(4) The "Group Identification number" field records the user-ownedof usersGroup. He corresponds to a record in the/etc/group file.
(5) "Annotative description" field records some of the user's personal circumstances, such as the user's real name, phone, address, etc., this field does not have any practical use. In different Linux systems, the format of this field is not uniform. In many Linux systems, this field holds an arbitrary annotated descriptive text that is used as the output of the finger command.
(6) "Home Directory", which is the user's starting working directory, is the directory where the user logs on to the system. In most systems, each user's home directory is organized under the same specific directory, and the user's home directory name is the user's login name. Each user has read, write, execute (search) permissions on his or her home directory, and other users ' access to this directory is set according to the specific circumstances.
(7) After the user logs in, to start a process, responsible for the user's actions to the kernel, the process is the user log on to the system to run after the command interpreter or a specific program, the shell. The shell is the interface between the user and the Linux system.of LinuxThere are many kinds of shells, each of which has different characteristics. Commonly used are sh (Bourne shell), csh (c shell), Ksh (Korn Shell), tcsh (tenex/tops-20 type C shell), bash (Bourne Again shell), etc. System administrators can specify a shell for users based on system conditions and user habits. If you do not specify a shell, then the system uses SH as the default login shell, that is, the value of this field is/bin/sh.
The user's login shell can also be specified as a specific program (the program is not a command interpreter). With this feature, we can restrict the user from running only the specified application, and the user will automatically exit the system after the application has finished running. Some Linux systems require only those programs that are registered in the system to be present in this field. There is a class of users in the system called Pseudo-users (Psuedo users) who also occupy a record in the/etc/passwd file, but cannot log on because their logon shell is empty. Their existence is mainly to facilitate the management of the system to meet the needs of the corresponding system process of the document owner. Common pseudo-users are shown below.
Pseudo user meaning
Bin has an executableof usersCommand file
SYS has system files
ADM has account files
UUCP UUCP Use
LP LP or LPD subsystem use
Nobody NFS Usage
In addition to the pseudo-users listed above, there are many standard pseudo-users, such as: Audit,cron,mail,usenet, and so on, they are all required for the relevant processes and files. Because the/etc/passwd file is readable by all users, if the user's password is too simple or the rule is obvious, a common computer can be very easy to crack him, so the security requirements of the Linux system is encrypted after the password word separated out, stored separately in a file, This file is/etc/shadow file. Only the ultimate user has the file Read permission, which ensures the security of the user's password.
2,/etc/shadow in the record line and/etc/passwd in the one by one corresponding, he by the Pwconv command according to the data in the/etc/passwd automatically generated. His file format is similar to/etc/passwd, and consists of several fields, separated by ":" Between the fields. These fields are:
Login: Encrypted password: Last modified: Minimum time interval: Maximum time interval: Warning Time: Inactivity time: Expiry time: Flag
(1) "Login name" is consistent with the login name in the/etc/passwd fileof usersAccount
(2) The "Password" field is stored after encryptionof usersA password word with a length of 13 characters. If null, the corresponding user does not have a password, does not need a password when logging in, and if it contains characters that are not part of the collection {./0-9a-za-z}, the correspondingof usersCannot log on.
(3) "Last Modified Time" represents the number of days from the time the user last modified the password. The beginning of time may not be the same for different systems. For example, in SCO Linux, the starting point for this time is January 1, 1970.
(4) "Minimum time interval" refers to the minimum number of days required between changing the password two times.
(5) "Maximum time interval" refers to the maximum number of days that a password remains valid.
(6) The "Warning Time" field represents the number of days from the beginning of the system warning user to the official expiration of the user's password.
(7) "Inactivity time" means the maximum number of days that a user does not have a login activity but the account remains valid.
(8) The "Expiration Time" field gives an absolute number of days, and if this field is used, the lifetime of the corresponding account is given. After expiry, the account is no longer a legitimate account, and can no longer be used to log on.
Here is an example of/etc/shadow:
# Cat/etc/shadow
Rootnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:ekdiseclwpdsa:9740:0:0::::
3, all the information of the user group is stored in the/etc/group file.
Grouping users is a means of managing and controlling access to users in a Linux system. Each user belongs to a group of users, a group can have multiple users, and a user can belong to a different group. When a user is a member of more than one group at the same time, the primary group that the user belongs to is recorded in the/etc/passwd file, which is the default group to which the login belongs, and the other groups are called additional groups. When a user accesses a file that belongs to an additional group, you must first use the NEWGRP command to make yourself a member of the group you want to access. All the information for the user group is stored in the/etc/group file. The format of this file is also similar to the/etc/passwd file, which is separated by a colon by a number of fields, which are:
Group Name: password: Group identification number: List of users in the group
(1) "Group name" is the name of the user group, consisting of letters or numbers. The same name as the login in/etc/passwd, the group name should not be duplicated.
(2) The "Password" field holds the password word after the user group is encrypted. General Linux Systemsof usersThe group has no password, that is, the field is generally empty, or *.
(3) The "group identification number" is similar to the user identification number and is an integer that is used internally by the system to identify the group.
(4) "Group user list" is a list of all users belonging to this group, separated by commas "," between different users. This user group may be the user's primary group, or it may be an additional group.
An example of the/etc/group file is as follows:
# Cat/etc/group
Root::0:root
Bin::2:root,bin
Sys::3:root,uucp
Adm::4:root,adm
Daemon::5:root,daemon
Lp::7:root,lp
Users::20:root,sam
give special privileges to ordinary users [sudo command]
In a Linux system, administrators tend to be more than one person, and if each administrator manages the work as root, it is impossible to figure out who to do. So the best way to do this is: The administrator creates some ordinary users and assigns a portion of the system administration work to them.
Because SU does not have the restriction of permissions after transitioning to the ultimate user root, Su does not act as a system managed by multiple administrators. If you use Su to transform to the end user to manage the system, it is not clear what the work is done by which administrator. In particular, the management of the server is multi-ginseng and management, the best is for each administrator's technical expertise and scope of management, and targeted delegation to the authority, and agreed to use which tools to complete and its related work, then we need to use sudo. Through sudo, we can put some of the ultimate authority targeted decentralization, and do not need ordinary users to know the root password, so sudo is relative to the permission unrestricted Su, is still relatively safe, so sudo can also be referred to as restricted Su, and sudo is required to license, So also known as licensing Su;sudo the process of executing a command is to convert the current user to root (or other specified transitions toof users), and then root (or other specified conversion toof users) Identity Execution command, after the completion of the execution, directly back to the current user, and the premise is to use the sudo settings file/etc/sudoers to authorize;
We cannot use Su to direct them to root, because these users must know the root password, which is very insecure and does not meet our division of labor requirements. The general practice is to use the set of permissions, categorized according to the nature of the work, so that special identitiesof usersBecome the same workgroup and set up workgroup permissions. For example: To wwwadm This user is responsible for the management of Web site data, the general Apache WEB Server process httpd owner is WWW, you can set the user wwwadm and www for the same workgroup, and set Apache default hosting the Web record/usr/local/ Httpd/htdocs's workgroup permissions are readable, writable, and executable so that each user belonging to this workgroup can manage the Web page.
However, this is not the best solution, for example, if the administrator wants to grant a normal user permission to shut down, then using the above method is not the best option. At this point you might think, I just let this user be able to execute the shutdown command as root. It's all right, but it's not possible to do this in a typical Linux system, but there are tools that can do that. Sudo.
sudo assigns privileges to different databases by maintaining a privileged database of user name mappingsof users, these privileges can be identified by a number of different commands listed in the database. In order to obtain a privileged entry, a qualifiedof usersSimply enter sudo and the command name at the command line and follow the prompts to enter the password again. For example, sudo allows a normal user to format the disk, but does not give other root privileges to the user.
Note: sudo is designed to allow a normal user to perform root commands. You will be prompted for the password the first time you use sudo.
This password is the user's own password.
However, in SuSE 9 and 10, you must enter the root user's password when using sudo to find the password.
After verified that the present sudo settings file exists in Defaults TARGETPW represents that sudo will prompt for input by sudo's-u option specifiedof usersPassword (root by default) instead of sudoof usersPassword, if it is commented out, then the password entered is the current executing user. The default requirement in SuSE is the root password.
You can understand this: your server does not allow you to SSH directly to the server using root or allow you to log in to the TTY directly using root. Add a user so he can ssh but not let him use the SU command. This way you can use this method to let him work on one of the commands of root.
The formula for sudo;
Authorize user host =[(convert to which user or user group)] [requires password Authentication] command 1,[(convert to which user or user group)] [requires password authentication] [command 2],[(which user or user group to convert to)] [requires password authentication] [command 3] ...
Note:
The contents of any [] shall be omitted; the command and the command are separated by a number, and the examples in this article can be used to see which ones are omitted and where spaces are required; in [(to which users or groups of users)], if omitted, the default is the root user, and if all, the delegate can be converted to all users Note the target to be converted to.of usersmust be enclosed in (), e.g. (all), (Beinan).

1. The sudo tool is set by the file/etc/sudoers, which contains all the tools that can access sudoof usersList and define their privileges. A typical/etc/sudoers entry is as follows:
ZTE All= (All) all
This entry enables user ZTE to access all applications as the ultimate user, such as the user ZTE needs to run the command as the ultimate user, simply by prefixing the command with sudo. Therefore, to execute the command as the root user, Ifconfig,zte can enter the following command:
[Email protected]:/home># sudo/usr/sbin/ifconfig
Note: Execute the ifconfig command to write the absolute path/usr/sbin/ifconfig,/usr/sbin default is not in the normal user's search path, or join this path: path= $PATH:/usr/sbin;export path. In addition, the paths for different system commands vary. You can use the command "Whereis command name" to find its path. ex: [Email protected]:/home> whereis usermod
Usermod:/usr/sbin/usermod/usr/share/man/man8/usermod.8.gz, here to find 2 paths, take the first one. Indicates the specific path of the USERMOD command under ZTE User login
The following output results are displayed:
We Trust you are received the usual lecture from the local System
Administrator. It usually boils to these and things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
If ZTE correctly enters his password, the command ifconfig will be executed as the root user.
Note: The settings file/etc/sudoers must be edited using the command Visudo.
As long as the correspondingof usersName, hostname, and licensed command list are added to the file/etc/sudoers in a standard format, and saved to take effect, see an example.
2. Example:
[1] The administrator needs to allow the gem user to execute the reboot and shutdown commands on the host Sun, adding in/etc/sudoers:
Gem Sun=/usr/sbin/reboot,/usr/sbin/shutdown
Note: The command must use absolute paths to avoid the execution of commands with the same name in other directories, thus creating a security risk.
Then save exit, the gem user wants to execute the reboot command whenever the following command is run at the prompt:
$ sudo/usr/sbin/reboot
By entering the correct password, you can restart the server.
[2]beinan all= (Root)/bin/chown,/bin/chmod
Indicates that the Beinan can be in the host of all possible host names, can be converted to root execution/bin/chown, can be converted to all users to execute/bin/chmod command, through the sudo-l to view the Beinan on this host to allow and prohibit the operation of the command;
[3]beinan all= (Root) nopasswd:/bin/chown,/bin/chmod
Indicates that the Beinan can be converted to root execution/bin/chown in all host names that may appear, without having to enter the Beinan user's password, and be able to switch to all users to execute the/bin/chmod command. However, you need to Beinan enter your own password when executing chmod, and sudo-l to view the commands that Beinan allow and disable on this host;
About a command action does not require a password, we can send the current system in the default case is required by the user password, unless Dobby point out that the user needs to enter their own password, so before performing the action to add nopasswd: parameters;
[4] Cancel the execution of a program class, to precede the command action to add!; In this example, the use of the wildcard character is also present;
Beinan All=/usr/sbin/*,/sbin/*,!/usr/sbin/fdisk Note: Add this line of rules to/etc/sudoers, but you have to have beinan this user group, and Beinan is in this group as well. This rule means that the Beinan user runs all programs under/usr/sbin and/sbin on all hosts that may exist, except for the FDISK program;
[Beinan@localhost ~]$ Sudo-l
Password: Note: Enter the password of the Beinan user here;
User Beinan may run the following commands on this host:
(Root)/usr/sbin/*
(Root)/sbin/*
(Root)!/sbin/fdisk
[Email protected] ~]$ sudo/sbin/fdisk-l
Sorry, user Beinan is not allowed to execute '/sbin/fdisk-l ' as root on localhost.
Note: You cannot switch to the root user to run the FDISK program;
[5] If you want to define a group of users, you can add% to the group name and set it up, such as:
%cuug all= (All) all
Then all members of the group that belong to Cuug can sudo to perform a specific task
3, in addition, can also use aliases to simplify the settings file. Aliases are similar to groups of concepts, with user aliases, host aliases, and command aliases. Multiple users can be defined first with an alias, and then use aliases when they specify what commands they can execute, and this setting takes effect for all users. The same is true for host aliases and command aliases. Note Before using the first to define in/etc/sudoers: User_alias, Host_alias, Cmnd_alias entries, after which the corresponding name, also separated by commas can be, for example, as follows:
Host_alias Server=no1
User_alias Admins=liming,gem
Cmnd_alias
Shutdown=/usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/reboot
ADMINS Server=shutdown
4, sudo command can also add some parameters, complete some auxiliary functions, such as:
$ sudo-l
A message similar to this is displayed:
User Liming may run the following commands on this host:
(Root)/usr/sbin/reboot
Description root allows the user to liming execute the/usr/sbin/reboot command. This parameter allows the user to see what commands they are currently able to execute in sudo.
5, typing the sudo command at the command prompt lists all parameters, and some other parameters are as follows:
-V Displays the version number.
-h Displays the usage parameters of the sudo command.
-V The password is queried when Sudo is executed for the first time or in n minutes (n preset is 5). This parameter is a re-confirmation, if more than n minutes, will also ask the password.
-K will force the user to ask for a password at the next execution of sudo, whether or not more than n minutes.
-B The command to be executed is placed in the background execution.
-P Prompt can change the prompt for the password, where%u will be replaced with the username of the user, and%h will display the host name.
-U username/#uid do not add this parameter, which means to execute the command as root, and add this parameter to execute the command (#uid为该username的UID) as username.
-S executes the shell specified by the shell in the environment variable, or the shell specified in the/etc/passwd.
-H designates the home (host directory) in the environment variable as the host directory of the consumer who is changing the identity. (If you do not add the-u parameter is the system administrator root.) ）
The command to execute as a system administrator (or change to someone else with-u).

*************************************************************************************************************** **************
User and user group application instances
Drwxr-xr-x 7 zte_a users 4096 2007-11-22 09:58 zte_a
Drwxr-xr-x 7 Zte_b users 4096 2007-11-22 09:14 Zte_b
Drwxr-xr-x 7 Zte_c users 4096 2007-11-22 09:14 Zte_c
Build three users Zte_a,zte_b,zte_c are all members of the Users group
Create a time directory
Drwxr-xr-x 2 root root 4096 2007-11-22 09:26 time
Create a time file under the time directory
-rw-r--r--1 root root 2007-11-22 09:26 time.txt
Requirements: Allow root users to WRX directory time Time.txt, while allowing only the users user groupof usersRead Time.txt file
Steps:
chmod o-r-x Time Set directory permissions
Drwxr-x---2 root root 4096 2007-11-22 09:26 time
chmod o-r time.txt Set file permissions
-rw-r-----1 root root 2007-11-22 09:26 time.txt
CHGRP User Time setting the group to which the directory belongs
Drwxr-x---2 root users 4096 2007-11-22 09:26 time
CHGRP user time.txt settings file belongs to group
-rw-r-----1 root users 2007-11-22 09:26 time.txt
Note:In the future, when you want to expand this type of user for the Users group, simply useradd-m new and usermod-g user new to the Users group.

User and user group management for Linux