Useradd cannot open the password file

Source: Internet
Author: User

While hardening a Linux system, we performed the following steps:

4. Password File

Use chattr to set the immutable attribute on the following files, so that unauthorized users cannot gain privileges by editing them:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

And

Create an ordinary login user and disable direct root login.
# useradd 'username'
# passwd 'username'

# vi /etc/ssh/sshd_config
PermitRootLogin no # disable direct remote root login

useradd then fails with the error from the title: it cannot open the password file.

In fact, once the chattr +i commands above have run, the four files are immutable. Even though the file mode still shows them as readable and writable by root, root cannot write to them either, and useradd, which has to rewrite /etc/passwd and the other three files, fails. So before adding a new user you must first lift the restriction on the four files:

# chattr -i /etc/passwd
# chattr -i /etc/shadow
# chattr -i /etc/group
# chattr -i /etc/gshadow

After that useradd works. (Remember to run chattr +i on the four files again once useradd has finished, so the hardening stays in place.)

The command used to add the user (note the lowercase -d: it sets the home directory, whereas -D edits useradd's defaults):

# useradd -d /home/wanglilin wanglilin

# passwd wanglilin

(Another explanation:)

The reason is that the ext2 file attributes of /etc/passwd have been modified (the attribute also works on ext3; it has not yet been tested on ext4). You can view a file's attributes with lsattr:

[root@RHEL ~]# lsattr /etc/passwd
----i-------- /etc/passwd

This file has the 'i' attribute set, which means it cannot be modified. The manual (man chattr) describes the attribute as follows:

A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

Use chattr to remove the 'i' attribute from the relevant files (on my system /etc/shadow also has the 'i' attribute set):

[root@RHEL ~]# chattr -i /etc/passwd
[root@RHEL ~]# chattr -i /etc/shadow

After this you can add users. Although it is not known who, or which program, set the 'i' attribute, it is useful for system security, so we recommend setting the 'i' attribute on these files again after adding the user.

Extension:

How to create a new user in Linux

Creating a new user in Linux is usually treated as a security matter: you should create an ordinary user for yourself rather than working directly as root, because with root's privileges a mistake can easily cause irreparable damage. Only root has permission to create other users.
The creation process is as follows:
useradd -d /home/wanglilin wanglilin
useradd -d /home/wanglilin -g 0 -G 500 -u UID -r -p love wanglilin

The first form sets the user's home directory and user name. The second form also sets the primary group ID (-g), the list of supplementary group IDs (-G), the user ID (-u; the page does not give the value, so UID stands in for it), marks the account as a system account (-r) and supplies a password (-p). Two caveats: -g 0 makes root the primary group of an ordinary login user, which you normally do not want, and -p expects an already-hashed password string rather than plaintext, which is why you still cannot log in with "love" as the password. In either case you have to set the password explicitly afterwards with passwd username:
[root@localhost ~]# passwd wanglilin
Changing password for user wanglilin.
New UNIX password:
BAD PASSWORD: it is too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

If you log on now, you are told that the user's home directory does not exist, because useradd without -m does not create it. So create it yourself. Since root creates the directory, root owns it; the home directory must be owned by the new user, so change the owner after creating it (the commands below use the wanglilin account from above; useradd -m would have done both steps and copied /etc/skel as well):

mkdir -p /home/wanglilin
chown wanglilin:wanglilin /home/wanglilin

Done! Now you can log on as wanglilin...
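A small check for the failure mode just described, added here as an example and not part of the original page: it reads /etc/passwd-format lines, reports login users whose home directory does not exist, and creates a home directory the way the manual steps above do (mkdir, copy of /etc/skel, chown, plus chmod 700 so other users cannot read it). The passwd lines in the block are constructed sample data; the UID threshold of 500 matches the UID used on this page, while modern distributions start ordinary users at 1000.

```shell
#!/bin/sh
# Added example (not from the original page): spot login accounts whose home
# directory was never created, and create one the way the manual steps do.

# Read /etc/passwd-format lines on stdin and print "user home" for every
# account with UID >= $1 (default 1000) and a real login shell whose home
# directory does not exist.  Run as: missing_homes 500 < /etc/passwd
missing_homes() {
    min_uid=${1:-1000}
    while IFS=: read -r user _pw uid _gid _gecos home shell; do
        [ "$uid" -ge "$min_uid" ] || continue
        case $shell in
            */nologin|*/false) continue ;;   # service accounts never log in
        esac
        [ -d "$home" ] || printf '%s %s\n' "$user" "$home"
    done
}

# Create $2 as the home directory of user $1: copy the skeleton files, hand
# ownership to the user and the user's login group, and keep other users out.
# Needs root unless $1 is the calling user.  Returns non-zero on the first
# failing step.
create_home() {
    user=$1 home=$2
    mkdir -p "$home" || return 1
    if [ -d /etc/skel ]; then
        cp -R /etc/skel/. "$home" || return 1
    fi
    chown -R "$user:$user" "$home" || return 1
    chmod 700 "$home"
}

# Constructed sample: root, the wanglilin account from this page with a
# missing home, a service account, and an account whose home exists.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
wanglilin:x:500:500::/nonexistent/wanglilin:/bin/bash
svc:x:501:501::/nonexistent/svc:/sbin/nologin
tmpuser:x:502:502::/tmp:/bin/bash'

# Result for the sample with the UID threshold used on this page.
demo_missing_homes() {
    printf '%s\n' "$SAMPLE_PASSWD" | missing_homes 500
}

# Example use (as root):
#   missing_homes 500 < /etc/passwd
#   create_home wanglilin /home/wanglilin
```

Accounts with a nologin or false shell are skipped on purpose: a service account has no business logging in, so a missing home directory there is not a problem worth reporting.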

Description and example of chattr and lsattr commands

The chattr command is very useful, but some of its attributes depend on the kernel version: kernels before 2.2 do not support many of them, and the D attribute (synchronous directory updates) is only supported on kernels 2.5.19 and later. Setting attributes with chattr can improve system security, but it is not suitable for every directory: it cannot be used to protect /, /dev, /tmp or /var, which the system must be able to write to. lsattr is simpler; it only displays file attributes.
[root]# lsattr
----ia---j--- ./lsattr_test

These two commands change file and directory attributes. Compared with chmod and ls, chmod only changes the read, write and execute permission bits; the lower-level attribute bits are controlled by chattr. Usage: chattr [-RV] [-v version] [mode] files... The important part is [mode], which consists of one of +, - or = followed by attribute letters from [aAcDdijsStTu]. The letters are case-sensitive:

+: add the listed attributes to the current setting.
-: remove the listed attributes from the current setting.
=: set exactly the listed attributes.

A: the atime (access time) of the file or directory is not updated, which avoids needless disk I/O (useful on laptops).
S: synchronous updates; changes are written to disk immediately, like sync.
a: append only. Data can only be added to the file, never removed or overwritten. Mostly used to protect server log files; only root can set it.
c: compressed. The file is compressed on disk and transparently decompressed on read.
d: no dump. The file is skipped by the dump backup program.
i: immutable. The file cannot be deleted, renamed or linked to, and cannot be written or appended to. Very useful for file-system security settings.
j: journal. When the file system is mounted with data=ordered or data=writeback, the file's data is written to the journal before the file itself. With data=journal this attribute has no effect.
s: secure deletion. When the file is deleted its blocks are zeroed on disk.
u: undeletable, the opposite of s. When the file is deleted its contents are kept on disk so that it can be undeleted.

a and i are the most commonly used. a allows only appending and is mostly used to protect logs. i is the stricter setting; only a process with superuser (root) privileges or the CAP_LINUX_IMMUTABLE capability can set or clear it.

Application Example 1:
1. Use chattr to prevent modification of a key system file:

# chattr +i /etc/fstab

Then try rm, mv, rename or similar commands on the file; each one fails with "Operation not permitted".

2. Allow only appending to a file, so that existing content cannot be deleted. This suits some log files:

# chattr +a /data1/user_act.log

Application Example 2:
[root@ticket-A ~]# passwd root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
Sorry, passwords do not match.
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error

Some people say this means the root file system is full, or that the permissions on the password file are wrong. If you hardened the system earlier by making /etc/passwd and /etc/shadow immutable, you have to undo that first:

[root@station22 ~]# lsattr /etc/passwd /etc/shadow
----i-------- /etc/passwd
----i-------- /etc/shadow
[root@station22 ~]# chattr -i /etc/passwd
[root@station22 ~]# chattr -i /etc/shadow
[root@station22 ~]# lsattr /etc/passwd /etc/shadow
------------- /etc/passwd
------------- /etc/shadow

Then change the root password. Once it is changed, lock the files again:

[root@station22 ~]# chattr +i /etc/passwd
[root@station22 ~]# chattr +i /etc/shadow
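The unlock, change, re-lock sequence from the Password File section at the top of the page and from Application Example 2 just above, wrapped in a POSIX shell helper so that the files are re-locked even when useradd or passwd fails. This is an added example, not code from the original page; it assumes chattr and lsattr from e2fsprogs, root privileges for with_mutable, and an ext2/3/4 file system where the attribute is honoured. The lsattr output used for the dry run is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): run a command that must write
# /etc/passwd, /etc/shadow, /etc/group or /etc/gshadow while they carry the
# immutable ('i') attribute, then put the attribute back on exactly the files
# that had it.  Assumes e2fsprogs chattr/lsattr and root for with_mutable.

ACCOUNT_FILES='/etc/passwd /etc/shadow /etc/group /etc/gshadow'

# Read lsattr output on stdin ("----i--------e- /etc/passwd") and print the
# paths whose flag field contains 'i'.  The match is case-sensitive: a
# lowercase 'i' is immutable, whereas an uppercase 'I' on a directory only
# means htree indexing, which chattr cannot toggle.
immutable_from_lsattr() {
    while read -r flags path; do
        case $flags in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Run "$@" with the 'i' attribute temporarily cleared on whichever of the
# account files currently carry it, then restore it on those files only.
# Returns the exit status of "$@".  Must run as root.
with_mutable() {
    locked=$(lsattr $ACCOUNT_FILES 2>/dev/null | immutable_from_lsattr)
    [ -n "$locked" ] && chattr -i $locked
    if "$@"; then
        status=0
    else
        status=$?
    fi
    # Re-lock even when the command failed, so a mistyped password or a bad
    # useradd line does not leave the account files writable.
    [ -n "$locked" ] && chattr +i $locked
    return $status
}

# Constructed sample of lsattr output for a dry run of the parser: the two
# files the page locks plus two that were left alone.
SAMPLE_LSATTR='----i--------e- /etc/passwd
----i--------e- /etc/shadow
-------------e- /etc/group
-------------e- /etc/gshadow'

# The files with_mutable would unlock for the sample above.
demo_locked_files() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
}

# Example use (as root); -m makes useradd create the home directory:
#   with_mutable useradd -d /home/wanglilin -m wanglilin
#   with_mutable passwd wanglilin
#   with_mutable passwd root
```

Recording which files were locked before the change, rather than blindly running chattr +i on all four afterwards, keeps the wrapper from silently tightening a system that only had some of the files locked.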

