User and user group management for Linux operating systems


Linux is a multi-user, multi-tasking time-sharing system: anyone who wants to use system resources must first request an account from the system administrator and then log in under that account. A user account lets the administrator keep track of who is using the system and control their access to system resources; it also gives each user a place to organize files and protects those files from other users. Each account has a unique user name and its own password. A user who types the correct user name and password at login is admitted to the system and placed in their home directory.

To achieve the management of user accounts, the main tasks to be completed are as follows:
· Add, delete and modify user accounts.
· Management of user passwords.
· Management of user groups.

I. Management of Linux system user accounts

The management of user accounts mainly involves the addition, modification and deletion of user accounts.

Adding a user account means creating a new account in the system and assigning it a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used until a password is set.

1. Add a new user account with the useradd command. Its syntax is:
useradd options username

  The options have the following meanings:

-c comment      An annotative description of the account.
-d directory    The home directory; if it does not exist, add the -m option to create it.
-g group        The primary group the user belongs to.
-G group,...    Additional groups the user also belongs to.
-s shell        The user's login shell.
-u uid          The user's user ID; together with -o, a UID already held by another user may be reused.

  username specifies the login name of the new account.

2. Example Description

Example 1:

# useradd -d /usr/sam -m sam

This command creates the user sam. The -d and -m options create the home directory /usr/sam for the login sam (/usr is the parent directory in which default user home directories reside).

  Example 2:

# useradd -s /bin/sh -g group -G adm,root gem

This command creates the new user gem with /bin/sh as the login shell. The user's primary group is group, and the user additionally belongs to the adm and root groups.
The group may have to be created first: # groupadd group (and likewise groupadd adm if it does not exist yet).
Adding a user account adds a record for the new user to the /etc/passwd file and updates other system files such as /etc/shadow and /etc/group.

Linux also provides an integrated system management tool, userconf, with which user accounts can be managed centrally.

3. Delete Account

If a user's account is no longer in use, it can be removed from the system. Deleting a user account means removing the user's records from system files such as /etc/passwd and, if required, deleting the user's home directory. An existing user account is deleted with the userdel command, whose format is:

userdel options username

  The common option is -r, which also removes the user's home directory.

  For example:
# userdel -r sam

This command removes the records for user sam from the system files (mainly /etc/passwd, /etc/shadow and /etc/group) and, because of -r, deletes the user's home directory as well.

4. Modify an account

Modifying a user account means changing the user's attributes to fit the actual situation: the user ID, home directory, user group, login shell and so on.

The information of an existing user is modified with the usermod command, whose format is:

usermod options username

Common options include -c, -d, -m, -g, -G, -s, -u and -o, which have the same meaning as for the useradd command and assign the new value to the user. In addition, some systems support the following option:

-l new_username

This option gives the account a new login name: the original user name is changed to the new one.

  For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes the login shell of user sam to ksh, the home directory to /home/z, and the primary group to developer.

5. User password management

An important part of user management is managing user passwords. A newly created user account has no password and is locked by the system, so it cannot be used; a password must be assigned before it can be used, even if that password is empty.

The shell command for setting and changing a user's password is passwd. The superuser can set a password for themselves and for any other user; a normal user can only change their own password. The format of the command is:

passwd options username

The available options are:

-l locks the password, which disables the account.
-u unlocks the password.
-d removes the password, so the account has no password.
-f forces the user to change the password at the next login.
If the user name is omitted, the password of the current user is changed.

For example, assuming the current user is Sam, the following command modifies the user's own password:

$ passwd
Old password:******
New password:*******
Re-enter New password:*******

If you are a superuser, you can specify the password for any user in the following form:

# passwd Sam
New password:*******
Re-enter New password:*******

When an ordinary user changes their own password, the passwd command first asks for the old password; after verifying it, it asks for the new password twice and assigns it to the user only if the two entries match. When the superuser sets a password for a user, the old password does not have to be known.

For system security, users should choose reasonably complex passwords: preferably at least 8 characters long, containing uppercase letters, lowercase letters and digits, and different from their name, birthday and similar guessable values.

To give a user an empty password, run a command of the following form:

# passwd -d sam

This command removes the password of user sam, so the next time sam logs in, the system no longer asks for a password.

The passwd command can also lock a user with the -l (lock) option so that the user cannot log in, for example:

# passwd -l sam

II. Management of Linux system user groups

Every user belongs to a user group, and the system can manage all users of a group centrally. Different Linux systems handle user groups differently; on Linux, by default, each user belongs to a group with the same name as the user, which is created at the same time as the user.
The management of user groups involves adding, deleting, and modifying user groups. Adding, deleting or modifying a group is in fact an update of the /etc/group file.

1. Add a new user group with the groupadd command. Its format is:

groupadd options groupname
The options you can use are:

-g GID Specifies the group identification number (GID) of the new group.
-o Usually used together with -g; allows the GID of the new group to be the same as the GID of a group that already exists on the system.
   Example 1:

# groupadd group1
This command adds a new group group1 to the system; the GID of the new group is the currently highest existing GID plus 1.

   Example 2:

# groupadd -g 101 group2
This command adds a new group group2 to the system with the GID set to 101.

2. To delete an existing user group, use the groupdel command, whose format is:

groupdel groupname
   For example:

# groupdel group1
This command removes the group group1 from the system.

3. Modify the attributes of a user group with the groupmod command. Its syntax is:

groupmod options groupname
   The common options are:

-g GID Specifies a new group identification number for the group.
-o Used together with -g; allows the group's new GID to be the same as the GID of a group that already exists on the system.
-n newname Changes the group's name to the new name.
   Example 1:

# groupmod -g 102 group2
This command changes the GID of group group2 to 102.

   Example 2:

# groupmod -g 10000 -n group3 group2
This command changes the GID of group group2 to 10000 and its name to group3.

4. If a user belongs to several groups at the same time, the user can switch between them in order to obtain the permissions of another group. After logging in, the user switches to another group with the newgrp command, whose argument is the target group. For example:

$ newgrp root

This command switches the current user to the root group, provided that the root group really is the user's primary or additional group. As with user accounts, user groups can also be managed through the integrated system management tools.

III. System files related to user accounts

There are many ways to carry out user management work, but each of them in the end modifies the same system files. Information about users and user groups is stored in several system files, including /etc/passwd, /etc/shadow and /etc/group. The contents of these files are described below.

1. The /etc/passwd file is one of the most important files involved in user management. Every user of a Linux system has a corresponding record line in /etc/passwd, which records the basic attributes of the user. The file is readable by all users. Its content looks like the following example:


daemon:x:1:1:system daemons:/etc:
bin:x:2:2:owner of system commands:/bin:
sys:x:3:3:owner of system files:/usr/sys:
adm:x:4:4:system accounting:/usr/adm:
auth:x:7:21:authentication administrator:/tcb/files/auth:
cron:x:9:16:cron daemon:/usr/spool/cron:
listen:x:37:4:network daemon:/usr/net/nls:
sam:x:200:50:sam san:/usr/sam:/bin/sh

As the example shows, each record line in /etc/passwd corresponds to one user, and each line is divided by colons into 7 fields, with the following format and meaning:

username:password:UID:GID:comment:home directory:login shell

   1) "User name" is a string that identifies the user account. It is usually no longer than 8 characters and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon, because the colon serves as the field delimiter. For compatibility it is best not to include a dot (.) in the login name and not to begin it with a hyphen (-) or a plus sign (+).

   2) "Password": on some systems, this field holds the encrypted user password. Although the field contains only the encrypted string and not the clear text, the /etc/passwd file is readable by all users, so this is still a security risk. As a result, many Linux systems (such as SVR4) now use shadow passwords: the real encrypted passwords are stored in the /etc/shadow file, and only a special character such as "x" or "*" is kept in the password field of /etc/passwd.

   3) The user ID (UID) is an integer used internally by the system to identify the user. Normally it corresponds one-to-one with a user name. If several user names share the same UID, the system treats them as the same user, even though they may have different passwords, home directories and login shells.

Typically, UIDs range from 0 to 65535. 0 is the UID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; the UIDs of ordinary users start from 100. On Linux systems this lower limit is 500.

   4) The group ID (GID) field records the user group the user belongs to. It corresponds to a record in the /etc/group file.

   5) The "comment" field records personal information about the user, such as the real name, phone number or address; it has no practical function for the system. Its format is not uniform across Linux systems. On many Linux systems it holds arbitrary descriptive text that is shown in the output of the finger command.

   6) "Home directory" is the user's initial working directory, i.e. the directory the user is placed in after logging in. On most systems all home directories are kept under one specific directory, and each home directory is named after the user's login name. Each user has read, write and execute (search) permission on their own home directory; other users' access to the directory is set according to circumstances.

   7) After the user logs in, a process is started that receives the user's commands and passes them to the kernel; this process, the command interpreter (or a specific program) that runs after login, is the shell. The shell is the interface between the user and the Linux system. There are many kinds of Linux shells, each with different characteristics; common ones are sh (Bourne shell), csh (C shell), ksh (Korn shell), tcsh (TENEX/TOPS-20 type C shell) and bash (Bourne Again shell). The system administrator assigns a shell to a user based on the system and the user's habits. If no shell is specified, the system uses sh as the default login shell, i.e. the value of this field is /bin/sh.

The user's login shell can also be set to a specific program that is not a command interpreter. With this, a user can be restricted to running only that application; when the application finishes, the user is logged out automatically. Some Linux systems only allow programs that are registered with the system to appear in this field.
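As an added example (not from the original page), the following script checks a set of /etc/passwd-format records for the properties just described: exactly 7 fields, a shadow marker rather than a hash in the password field, and UIDs that are shared or equal to 0. The sample records are constructed for the example; run it against the real file with audit_passwd < /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original page. The records below are constructed
# (modelled on the page's listing) so the script runs offline; the hash for "tom"
# is a placeholder, not a real password hash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:system daemons:/etc:
bin:x:2:2:owner of system commands:/bin:
sam:x:200:50:sam san:/usr/sam:/bin/sh
backup:x:0:0:leftover admin account:/root:/bin/sh
tom:$1$abc$xyz:201:50:tom:/home/tom:/bin/bash
broken:x:202:50:missing field:/home/broken'

# audit_passwd: read passwd-format lines on stdin and print one finding per line.
#   BAD_FIELDS      record does not have exactly 7 colon-separated fields
#   UID0            a second account with UID 0 (the system treats it as root)
#   DUP_UID         two login names share one UID (what useradd -o permits)
#   HASH_IN_PASSWD  password field holds a hash instead of the shadow marker x or *
#   EMPTY_PASSWORD  empty password field: login without a password
audit_passwd() {
  awk -F: '
    NF != 7 { printf "BAD_FIELDS %s (%d fields)\n", $1, NF; next }
    $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
    $2 == "" { printf "EMPTY_PASSWORD %s\n", $1 }
    $2 != "" && $2 != "x" && $2 != "*" { printf "HASH_IN_PASSWD %s\n", $1 }
    {
      if ($3 in seen) printf "DUP_UID %s shares %d with %s\n", $1, $3, seen[$3]
      else seen[$3] = $1
    }
  '
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```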

   There is a class of users in the system called pseudo-users. These users also have a record in the /etc/passwd file but cannot log in, because their login shell is empty. They exist mainly to ease system administration and to provide owners for the files of the corresponding system processes. Common pseudo-users are listed below.

Pseudo-user    Purpose
bin            owns the executable user command files
sys            owns system files
adm            owns accounting files
uucp           used by UUCP
lp             used by the lp or lpd subsystem
nobody         used by NFS

In addition to the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail and usenet; each is needed by the related processes and files.

Because the /etc/passwd file is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer. For this reason, Linux systems with higher security requirements separate the encrypted passwords out of /etc/passwd and store them in a separate file, /etc/shadow. Only the superuser has read permission on this file, which protects the users' passwords.

2. The record lines in /etc/shadow correspond one-to-one with those in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd. Its format is similar to /etc/passwd: several fields separated by ":". The fields are:

  login name:encrypted password:last change:minimum interval:maximum interval:warning time:inactivity time:expiry time:flag

1) The "login name" is the user account; it matches the login name in the /etc/passwd file.
2) The "password" field holds the encrypted user password, which is 13 characters long. If it is empty, the corresponding user has no password and none is asked for at login; if it contains characters outside the set {./0-9A-Za-z}, the corresponding user cannot log in.
3) "Last change" is the number of days, counted from a fixed starting date, at which the user last changed the password. The starting date may differ between systems; in SCO Linux, for example, it is January 1, 1970.
4) "Minimum interval" is the minimum number of days required between two password changes.
5) "Maximum interval" is the maximum number of days a password remains valid.
6) "Warning time" is the number of days before the password officially expires on which the system starts warning the user.
7) "Inactivity time" is the maximum number of days the account remains valid while the user has no login activity.
8) "Expiry time" is an absolute number of days; if set, it gives the lifetime of the account. After that day the account is no longer valid and can no longer be used to log in.

The following is an example of /etc/shadow:

  # cat /etc/shadow

root:dnakfw28zf38w:8764:0:168:7:::
uucp:*::0:0::::
sam:ekdiseclwpdsa:9740:0:0:::

3. All information about user groups is stored in the /etc/group file.

Grouping users is a means of managing users and controlling their access on a Linux system. Every user belongs to a group, a group can have many users, and a user can belong to several groups. When a user is a member of several groups at once, the primary group recorded in /etc/passwd is the group the user belongs to by default after login, and the other groups are called additional groups. To access a file that belongs to one of their additional groups, the user must first use the newgrp command to become a member of that group. All information about user groups is stored in /etc/group. The format of this file is similar to /etc/passwd: several fields separated by colons. The fields are:

groupname:password:GID:list of group members

1) "Group name" is the name of the user group and consists of letters or digits. As with login names in /etc/passwd, group names must not be duplicated.
2) The "password" field holds the encrypted group password. Groups on ordinary Linux systems usually have no password, so this field is generally empty or "*".
3) "Group ID" is analogous to the user ID: an integer used internally by the system to identify the group.
4) "List of group members" lists all users belonging to this group, separated by commas (,). The group may be a user's primary group or an additional group.

  An example of the /etc/group file is as follows:

# cat /etc/group


IV. Adding users in bulk

Adding and removing users is routine for every Linux system administrator. It becomes tricky when dozens, hundreds or even thousands of users have to be added: nobody wants to run useradd once for each of them, so a simple way to create a large number of users is needed. Linux provides tools for exactly this, which let you create many users at once, as follows:

(1) First edit a text file of users, one per line, in the format of the /etc/passwd password file. Note that the user name, UID and home directory of each user must be different; the password field can be left empty or set to x. An example file user.txt looks like this:

user002::601:100:user:/home/user002:/bin/bash
user004::603:100:user:/home/user004:/bin/bash

  (2) As root, run the command /usr/sbin/newusers to import the data from the user.txt file just created and create the users:

# newusers < user.txt
You can then run vipw or vi /etc/passwd to check whether /etc/passwd already contains the data for these users and whether their home directories have been created.

  (3) Run the command /usr/sbin/pwunconv to decode the shadow passwords in /etc/shadow, write them back to /etc/passwd and remove the password field of /etc/shadow. This prepares the next step, the password conversion: the shadow password function is switched off first.

# pwunconv
  (4) Edit a password control file for each user; a sample file passwd.txt looks like this:

user001:password
user002:password
user003:password
user004:password
user005:password
user006:password
  (5) As root, run the command /usr/sbin/chpasswd to create the user passwords. chpasswd encodes the passwords with the same method as the /usr/bin/passwd command and writes them into the password field of /etc/passwd.

# chpasswd < passwd.txt
  (6) Once the passwords have been encoded into the password field of /etc/passwd, run the command /usr/sbin/pwconv to convert them to shadow passwords and write the result to /etc/shadow.

# pwconv
This completes the creation of a large number of users. Afterwards you can check whether the permissions of the users' home directories are set correctly, and log in to verify that the passwords are correct.
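As an added example (not from the original page), the following script prepares and validates the user.txt input for newusers: it generates one record per login name with sequential UIDs, then rejects the file if any name, UID or home directory repeats, which is the constraint step (1) states. The login names, starting UID, GID and shell are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed input: login names to
# create, one per line.
NAMES='user001
user002
user003'

# gen_newusers FIRST_UID GID SHELL: read login names on stdin and print one record
# per name in the newusers input format (the /etc/passwd layout), handing out
# sequential UIDs. The password field is left empty so that chpasswd sets the
# hash afterwards, as in the procedure above; the home directory is /home/<name>.
gen_newusers() {
  awk -v uid="$1" -v gid="$2" -v shell="$3" '
    NF { printf "%s::%d:%d:%s:/home/%s:%s\n", $1, uid++, gid, $1, $1, shell }
  '
}

# check_newusers: read a newusers input file on stdin and reject it if a record
# does not have 7 fields, a login name is not a plain lowercase name, or a name,
# UID or home directory appears twice. One problem per output line; exit status 1
# if anything was found, so it can gate the real "newusers < user.txt".
check_newusers() {
  awk -F: '
    NF != 7 { printf "BAD_FIELDS line %d\n", NR; bad = 1; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf "BAD_NAME %s\n", $1; bad = 1 }
    {
      if ($1 in names) { printf "DUP_NAME %s\n", $1; bad = 1 } else names[$1] = $1
      if ($3 in uids)  { printf "DUP_UID %s shares %s with %s\n", $1, $3, uids[$3]; bad = 1 } else uids[$3] = $1
      if ($6 in homes) { printf "DUP_HOME %s shares %s with %s\n", $1, $6, homes[$6]; bad = 1 } else homes[$6] = $1
    }
    END { exit bad }
  '
}

# Stand-alone run: generate the records, validate them, and print them only if
# they pass. The passwd.txt later fed to chpasswd holds clear-text passwords, so
# keep it mode 600 and delete it after use.
records=$(printf '%s\n' "$NAMES" | gen_newusers 601 100 /bin/bash)
printf '%s\n' "$records" | check_newusers && printf '%s\n' "$records"
```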

V. Giving special privileges to ordinary users

On a Linux system there is often more than one administrator, and if every administrator works as root it becomes impossible to tell who did what. The best approach is therefore for the administrator to create some ordinary users and delegate part of the system administration work to them.

We cannot simply let them switch to root with su, because then these users would have to know the root password, which is unsafe and does not match our division of labour. The usual practice is to use permission settings: classify users by the nature of their work, put users with a special role into the same work group, and set the permissions of that group. For example, to make the user wwwadm responsible for managing the web site data: the owner of the Apache web server process httpd is usually www, so put wwwadm and www into the same group and make the default Apache document directory /usr/local/httpd/htdocs readable, writable and executable by that group. Every user belonging to the group can then manage the web pages.

However, this is not the best solution for every case. If the administrator wants to grant an ordinary user the right to shut down the system, the method above is not suitable. You might think: just let this user execute the shutdown command as root. That is indeed the idea, but it is not possible on a plain Linux system; there is, however, a tool that provides exactly this function: sudo.

sudo assigns privileges to different users by maintaining a database that maps privileges to user names; the privileges are identified by the commands listed in the database. To use a privilege, an eligible user simply types sudo followed by the command name at the command line and enters a password when prompted (the user's own password, not the root password). For example, sudo can allow a normal user to format a disk without giving that user any other root privilege.

1. The sudo tool is configured through the file /etc/sudoers, which lists all users who may use sudo and defines their privileges. A typical /etc/sudoers entry looks like this:

liming ALL=(ALL) ALL
This entry allows the user liming to run all programs as the superuser: whenever liming needs to run a command as the superuser, it is enough to prefix the command with sudo. For example, to run useradd as root, liming enters:

$ sudo /usr/sbin/useradd sam
Note: the command must be written with its absolute path, because /usr/sbin is by default not in an ordinary user's search path; alternatively add the path with PATH=$PATH:/usr/sbin; export PATH. The paths of system commands also differ between systems; "whereis command" finds the path of a command.

The following output is displayed:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
If liming enters the password correctly, the useradd command is executed as the root user.

Note: the configuration file /etc/sudoers must be edited with the visudo command.

Simply add the user name, host name and list of permitted commands to /etc/sudoers in the standard format and save; the change takes effect immediately. Here is another example.

2. Example: the administrator needs to allow user gem to run the reboot and shutdown commands on host sun. Add to /etc/sudoers:

gem sun=/usr/sbin/reboot,/usr/sbin/shutdown
Note: commands must be given with absolute paths, otherwise a command of the same name in another directory could be run instead, which creates a security risk.

Then save and exit. Whenever user gem wants to run the reboot command, it is enough to type at the prompt:

$ sudo /usr/sbin/reboot
After entering the correct password, the server restarts.

To grant a whole group of users, prefix the group name with %, for example:

%cuug ALL=(ALL) ALL
3. In addition, aliases can be used to simplify the configuration file. Aliases are similar to groups: there are user aliases, host aliases and command aliases. Several users can first be defined under one alias; the alias is then used when specifying which commands they may run, and the entry applies to all of those users. Host aliases and command aliases work the same way. Note that aliases must be defined in /etc/sudoers before use, with User_Alias, Host_Alias or Cmnd_Alias followed by the name and its comma-separated members, for example:

Host_Alias SERVER=no1
User_Alias ADMINS=liming,gem
Cmnd_Alias SHUTDOWN=/usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/reboot
ADMINS SERVER=SHUTDOWN
4. Consider this example:

ADMINS ALL=(ALL) NOPASSWD:ALL
It allows ADMINS to perform any operation without entering a password: the "NOPASSWD:" tag defines whether the user must enter a password when running a command.
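Added example, not from the page or from sudo itself: a small audit of a sudoers fragment for the points this section raises, namely commands given without an absolute path, entries that grant ALL, and NOPASSWD tags. The fragment is constructed from the page's examples with one relative path inserted on purpose; it parses only the simple "user host=(runas) [NOPASSWD:] commands" form plus Cmnd_Alias lines, and visudo -c remains the real syntax check.

```shell
#!/bin/sh
# Added example, not from the original page or the sudo project. Constructed
# fragment: the page's entries, with "reboot" in the alias deliberately relative.
# Run on the live file with:  audit_sudoers < /etc/sudoers
SAMPLE_SUDOERS='# constructed fragment
Host_Alias SERVER=no1
User_Alias ADMINS=liming,gem
Cmnd_Alias SHUTDOWN=/usr/sbin/halt,/usr/sbin/shutdown,reboot
ADMINS SERVER=SHUTDOWN
gem sun=/usr/sbin/reboot,/usr/sbin/shutdown
liming ALL=(ALL) ALL
%cuug ALL=(ALL) NOPASSWD:ALL'

# audit_sudoers: read sudoers lines on stdin and print one finding per line.
#   RELATIVE_PATH    command not given as an absolute path (a same-named program
#                    elsewhere in PATH could be run instead)
#   UNRESTRICTED     the entry grants ALL commands, i.e. full root
#   NOPASSWD         the entry needs no password
#   UNDEFINED_ALIAS  an upper-case name used as a command alias was never defined
audit_sudoers() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function check_cmd(who, cmd) {
      cmd = trim(cmd)
      if (cmd == "ALL") {
        printf "UNRESTRICTED %s may run any command\n", who
      } else if (cmd ~ /^[A-Z_][A-Z0-9_]*$/) {
        if (!(cmd in aliases)) printf "UNDEFINED_ALIAS %s -> %s\n", who, cmd
      } else if (substr(cmd, 1, 1) != "/") {
        printf "RELATIVE_PATH %s -> %s\n", who, cmd
      }
    }
    /^[ \t]*(#|$)/ { next }                               # comments and blank lines
    $1 == "User_Alias" || $1 == "Host_Alias" || $1 == "Defaults" { next }
    {
      eq = index($0, "=")
      if (eq == 0) { printf "UNPARSED %s\n", $0; next }
      left = trim(substr($0, 1, eq - 1)); right = trim(substr($0, eq + 1))
      split(left, w, /[ \t]+/)
      if ($1 == "Cmnd_Alias") {                           # alias definition
        who = w[2]; aliases[who] = 1
      } else {                                            # user/group specification
        who = w[1]
        if (substr(right, 1, 1) == "(")                   # drop the (runas) part
          right = trim(substr(right, index(right, ")") + 1))
        if (right ~ /^NOPASSWD:/) { printf "NOPASSWD %s\n", who; right = trim(substr(right, 10)) }
      }
      n = split(right, cmds, ",")
      for (i = 1; i <= n; i++) check_cmd(who, cmds[i])
    }
  '
}

# Stand-alone run on the constructed fragment.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```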

5. The sudo command also accepts parameters for auxiliary functions, for example:

$ sudo -l
A message similar to this is displayed:

User liming may run the following commands on this host:
This means that root allows user liming to execute the /usr/sbin/reboot command. The -l parameter lets users see which commands they may currently execute with sudo.

6. Typing sudo without arguments at the command prompt lists all parameters. Some other parameters are:

-V Displays the version number.
-h Displays the usage of the sudo command.
-v The password is asked for the first time sudo is executed and again after n minutes (n defaults to 5). This parameter re-confirms the password: if more than n minutes have passed, the password is asked for again.
-k Forces sudo to ask for the password at the next execution, whether or not n minutes have passed.
-b Runs the command in the background.
-p prompt Changes the prompt used to ask for the password; %u is replaced with the user's name and %h with the host name.
-u username/#uid Without this parameter the command is run as root; with it, the command is run as username (#uid is the numeric UID of that user).
-s Runs the shell given by the SHELL environment variable, or the shell specified in /etc/passwd.
-H Sets the HOME environment variable to the home directory of the user whose identity is assumed (root if -u is not given).
command The command to run as the system administrator (or as the user given with -u).
