Linux System User And User Group Management

Source: Internet
Author: User
Keywords: linux, linux user management, linux user management commands
[Recognize /etc/passwd and /etc/shadow]

These two files are among the most important files on a Linux system. If either of them is missing or damaged, you cannot log in to the Linux system normally.


/etc/passwd is divided into 7 fields by ':'. The meaning of each field is:

1) User name (for example, root in the first line is the user name), a string that represents the user account. A user name may contain uppercase and lowercase letters, digits, the minus sign (but not in the first position), dots, and underscores; other characters are illegal. Although dots are allowed in a user name, they are not recommended, especially as the first character, and the minus sign is also not recommended because it easily causes confusion.

2) The account's password. Why is it 'x'? Early Unix systems did indeed store the password here, but for security reasons it was later moved to /etc/shadow, and only an 'x' is left here as a placeholder.

3) The user identification number, also called the uid. The system recognizes a user's identity by this number: 0 is root, which means that if you change the uid of the test user to 0, the system will treat root and test as the same account. Usually the uid ranges from 0 to 65535: 0 is the identification number of the super user (root), 1 to 499 are reserved by the system for management accounts, and ordinary users start from 500. If we create a custom user, you will see that its identification number is greater than or equal to 500.

4) The group identification number, also called the gid. This field corresponds to a record in /etc/group; in fact, /etc/group and /etc/passwd have basically the same layout.

5) Comment field. It has no effect on the account and usually records some attributes of the user, such as name, phone number, and address. This information is displayed when you use the finger command (introduced later).

6) The user's home directory, which is the current directory when the user logs in. The home directory of root is /root, and the home directory of an ordinary user is /home/username. This field can be customized. For example, if you create an ordinary user test1 and want the home directory of test1 to be under /data, just change this field in the test1 line of /etc/passwd to /data.

7) Shell. After the user logs in, a process is started that passes the instructions issued by the user to the kernel; this is the shell. There are many kinds of Linux shells, such as sh, csh, ksh, tcsh, and bash; the shell of Redhat/CentOS is bash. Looking at /etc/passwd, in addition to /bin/bash you will see many entries with /sbin/nologin in this field, which means the account is not allowed to log in. If you want to create an account that is prevented from logging in, set this field to /sbin/nologin; the default is /bin/bash.


Now let's look at /etc/shadow. It is similar to /etc/passwd and is divided into 9 fields by ':'.

1) User name, corresponding to /etc/passwd.

2) User password. This is the real password of the account, stored in encrypted form, but an attacker who obtains it can still try to crack it. So for safety the file permissions are set to 600, and only root is allowed to read and write it.

3) The date of the last password change, expressed as the number of days from January 1, 1970 to that date. For example, if the last password change was January 1, 2012, the value is 365*(2012-1970)+1=15331.

4) The minimum number of days between password changes. The default is 0, which means no limit.

5) The number of days after which the password expires, that is, how often the password must be changed. For example, if it is set to 30, the password must be changed within 30 days, otherwise you will not be able to log in to the system. The default is 99999, which can be understood as never needing to change.

6) The warning period before the password expires. If this value is set to 7, then when the password is 7 days from expiring the system will issue a warning telling the user that the password will expire in 7 days.

7) Inactivity period after password expiration. It works like this: if you set this value to 3, it means the password has expired and the user did not change it before expiration; after another 3 days the account becomes invalid, that is, locked.

8) The expiration date of the account, which, like the third field, is a number of days counted from January 1, 1970. The account can be used before this date and becomes invalid after it.

9) Reserved; it has no meaning at present.
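As an added example (not part of the original article), the script below parses records in the /etc/passwd and /etc/shadow layouts just described and checks the points that matter for auditing: every account whose third passwd field is 0 is root, the seventh field decides whether an account can log in, and shadow fields 3, 5 and 6 together decide whether a password is still valid. The records are constructed sample data with fake hashes; the functions take the data as an argument so they can be run against real files later.

```shell
#!/bin/sh
# Added example: audit /etc/passwd- and /etc/shadow-style records.
# The records below are constructed samples, not copied from any real system.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test:x:500:500::/home/test:/bin/bash
backup:x:0:501:nightly backup:/var/backup:/bin/bash
web:x:501:501::/var/www:/sbin/nologin'

SHADOW_SAMPLE='root:$6$SALTSALT$fakehashfakehash:15331:0:99999:7:::
test:$6$SALTSALT$anotherfakehash:15331:0:30:7:3::
web:!!:15331:0:99999:7:::'

# Print field N (1-based) of the record for USER.
passwd_field() {   # usage: passwd_field "$DATA" user N
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }'
}

# Field 3 of /etc/passwd: every account with uid 0 is treated as root,
# so list all of them; anything besides "root" deserves a look.
list_uid0_accounts() {   # usage: list_uid0_accounts "$PASSWD_DATA"
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Field 7: accounts whose shell allows an interactive login.
list_login_capable() {   # usage: list_login_capable "$PASSWD_DATA"
    printf '%s\n' "$1" | awk -F: \
        '$7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Fields 3 (last change), 5 (max age) and 6 (warn days) of /etc/shadow.
# TODAY is a day count since 1970-01-01, passed in so the check is reproducible.
password_status() {   # usage: password_status "$SHADOW_DATA" user today
    printf '%s\n' "$1" | awk -F: -v u="$2" -v today="$3" '
        $1 == u {
            last = $3; max = $5; warn = $6
            if (max == 99999 || max == "") { print "never-expires"; exit }
            expires = last + max
            if (today > expires)              print "expired"
            else if (today >= expires - warn) print "warning"
            else                              print "ok"
            exit
        }'
}

# Stand-alone run: report on the sample data as of day 15356.
list_uid0_accounts "$PASSWD_SAMPLE"
list_login_capable "$PASSWD_SAMPLE"
password_status "$SHADOW_SAMPLE" test 15356
```

For a live check on a real system, pass `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`, and compute today's day number as `$(( $(date +%s) / 86400 ))`. That value counts real calendar days (leap days included), so it will not exactly match the 365-days-per-year approximation used in the text.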

[Add/Delete Users and User Groups]

a. Add a group: groupadd [-g GID] groupname

Without -g, the group is created with the system's default gid allocation; as with users, gids start from 500.

The -g option sets a custom gid.

b. Delete a group: groupdel groupname

There are no special options.

c. Add a user: useradd [-u UID] [-g GID] [-d HOME] [-M] [-s SHELL]

-u sets a custom UID

-g makes the user belong to an existing GID

-d sets a custom home directory

-M does not create the home directory

-s sets a custom shell


For example, if test11 is created with the -M option, the sixth field of the test11 line in /etc/passwd still contains /home/test11, but ls reports that the directory does not exist.

In other words, -M only skips creating the user's home directory; the passwd entry is written as usual.

d. Delete a user: userdel [-r] username

The -r option deletes the user together with the user's home directory.
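The -M observation above (an entry in /etc/passwd whose home directory does not exist) is easy to check for across a whole file. The following is an added example, not code from the original article: it reads a passwd-format file and reports each account whose sixth field names a missing directory. The demo function builds its own passwd file and directories under a temporary directory, so it never touches the real /etc/passwd or calls useradd.

```shell
#!/bin/sh
# Added example: find accounts whose passwd entry names a home directory
# that does not exist on disk (what useradd -M leaves behind).

# Print "user:home" for each entry in PASSWD_FILE whose home directory is missing.
list_missing_homes() {   # usage: list_missing_homes /path/to/passwd-format-file
    while IFS=: read -r name _pw _uid _gid _gecos home _shell; do
        [ -n "$name" ] || continue          # skip blank lines
        [ -d "$home" ] || printf '%s:%s\n' "$name" "$home"
    done < "$1"
}

# Build a constructed fixture in a temp dir, run the check, print the result.
demo_missing_homes() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root" "$tmp/home/test"   # homes that do exist
    # constructed sample: test11 was created with -M, so its home was never made
    printf '%s\n' \
        "root:x:0:0:root:$tmp/root:/bin/bash" \
        "test:x:500:500::$tmp/home/test:/bin/bash" \
        "test11:x:501:501::$tmp/home/test11:/bin/bash" \
        > "$tmp/passwd"
    list_missing_homes "$tmp/passwd"
    rm -rf "$tmp"
}

demo_missing_homes
```

On a real system, `list_missing_homes /etc/passwd` runs the same check against the live file; the paths printed are the sixth field exactly as stored, which is what the login process will try to use.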

[chfn: change a user's finger information (not commonly used)]

The previous section mentioned finger, that is, the information displayed in the fifth field of /etc/passwd. So how is this information set?


With the chfn command. After the modification you will see the relevant information in the fifth field of the test line in /etc/passwd, which is empty by default.

[Create/modify a user's password: passwd [username]]

After an account is created, no password is set by default. Without a password the account cannot log in to the system; it can log in only after a password has been set.

When creating a password for a user, for security make it as complex as possible. You can follow these rules: a. the length is greater than 10 characters; b. the password contains uppercase and lowercase letters, digits, and special characters (*, &, etc.); c. it has no regular pattern (no words or numbers such as root, happy, love, linux, 123456, 111111); d. it does not include your own name, company name, phone number, birthday, etc.

If passwd is not followed by a user name, it changes the password of the current user. The current user here is root, so passwd alone changes root's password, while passwd test changes the password of test.
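The four rules above can be turned into a pre-check that runs before passwd is invoked. The script below is an added example, not from the original article: check_password reports "ok" or the first rule a candidate violates. The banned-word list extends the text's examples with "password", and the personal details (name, company, phone) are passed in by the caller as extra arguments; the values used in the stand-alone run are constructed. Nothing here sets or stores a password.

```shell
#!/bin/sh
# Added example: check a candidate password against rules a-d from the text.

has() { printf '%s' "$1" | grep -q "$2"; }   # does string $1 match regex $2?

# usage: check_password CANDIDATE [personal-detail ...]
# prints "ok" or the first violated rule; exit status 0 only for "ok"
check_password() {
    pw=$1; shift
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # rule a: length greater than 10 characters
    [ ${#pw} -gt 10 ] || { echo "a: too short"; return 1; }
    # rule b: uppercase, lowercase, digit and a special character
    has "$pw" '[A-Z]' && has "$pw" '[a-z]' && has "$pw" '[0-9]' && has "$pw" '[^A-Za-z0-9]' \
        || { echo "b: missing character class"; return 1; }
    # rule c: no common words or repeated digit sequences (case-insensitive)
    for word in root happy love linux 123456 111111 password; do
        case $lower in *"$word"*) echo "c: contains '$word'"; return 1;; esac
    done
    # rule d: none of the caller's personal details (name, company, phone, birthday)
    for detail in "$@"; do
        d=$(printf '%s' "$detail" | tr 'A-Z' 'a-z')
        [ -n "$d" ] || continue
        case $lower in *"$d"*) echo "d: contains personal detail '$detail'"; return 1;; esac
    done
    echo ok
}

# Stand-alone run with constructed values (a fictitious user "Alice" at "ACME").
check_password 'Tr0ub4dor&Tower' Alice ACME 13800001234
check_password 'MyRootPass#2012' Alice ACME 13800001234
```

The check is deliberately simple string matching; it catches the patterns the text names but is not a substitute for a dictionary-based checker such as the PAM cracklib/pwquality modules that passwd itself may be configured with.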

[User Identity Switching]

On a Linux system there are things an ordinary user cannot do unless they are root. At such times you need to temporarily switch to the root identity.

Log in to the Linux system with the test account and then use su - to switch to the root identity, provided you know the root password.

You can use echo $LOGNAME to view the name of the currently logged-in user.

The syntax of su is: su [-] username

The "-" is optional. When an ordinary user runs su without a username, it switches to the root user. Of course, the root user can also su to an ordinary user.

With "-", the user's environment variables are switched as well. After su test I had switched to the test user, but the current directory was still the /root directory from before the switch; when su - test was used instead, I landed in test's home directory, /home/test. When root switches to an ordinary user, no password is required, which again reflects the supremacy of the root user.

Switching identity with su works, but if every ordinary user can switch to root, and one of them accidentally leaks the root password, the system becomes very insecure. To improve on this, the sudo command was created. With sudo a user can execute a command that only root could execute, but must enter a password: not the root password but the user's own. By default only the root user can use sudo. If an ordinary user wants to use sudo, root needs to configure it in advance by using the visudo command to edit the configuration file /etc/sudoers. If there is no visudo command, install it with "yum install -y sudo".

Root can sudo by default because this file contains the line "root ALL=(ALL) ALL". Adding "test ALL=(ALL) ALL" below that line gives the test user sudo rights. Adding a line for every additional user would be too much trouble, so you can configure it like this instead:


Remove the "#" in front of this line to make it effective. It means that all users in the wheel group have the right to sudo. Next, add every user who should have sudo rights to the wheel group.
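Once sudo rights are granted through the wheel group, the set of users who can become root is the union of the per-user lines in /etc/sudoers and the members of every group named there. The script below is an added example, not from the original article: it lists the principals of active "ALL" grants (commented-out lines are ignored, just as sudo ignores them), looks up group members in the fourth field of /etc/group, and prints the effective list. The sudoers and group records are constructed samples; the "%wheel ALL=(ALL) ALL" line is assumed to be the standard CentOS wheel entry the text refers to. The parser is deliberately minimal: it does not handle aliases, "#include" directives or Runas/command restrictions, so treat its output as a first pass.

```shell
#!/bin/sh
# Added example: list who can sudo, given sudoers- and group-format data.
# Both records below are constructed samples, not from a real system.

SUDOERS_SAMPLE='## constructed sample in /etc/sudoers syntax
Defaults    requiretty
root    ALL=(ALL)       ALL
test    ALL=(ALL)       ALL
# %wheel  ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
ops     ALL=(root)      /usr/bin/systemctl'

GROUP_SAMPLE='root:x:0:
wheel:x:10:test,alice
test:x:500:
ops:x:502:bob'

# Print the principal (user or %group) of every active line that grants ALL.
list_all_grants() {   # usage: list_all_grants "$SUDOERS_DATA"
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks are not in effect
        $1 == "Defaults" { next }                       # option lines, not grants
        $NF == "ALL" { print $1 }'                      # last word ALL = any command
}

# Field 4 of /etc/group: comma-separated supplementary members of GROUP.
group_members() {   # usage: group_members "$GROUP_DATA" groupname
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Expand %group principals to their members; print every user who can run
# any command via sudo, one per line, deduplicated.
effective_sudo_users() {   # usage: effective_sudo_users "$SUDOERS_DATA" "$GROUP_DATA"
    list_all_grants "$1" | while read -r p; do
        case $p in
            %*) group_members "$2" "${p#%}" ;;
            *)  printf '%s\n' "$p" ;;
        esac
    done | sort -u
}

# Stand-alone run on the sample data.
effective_sudo_users "$SUDOERS_SAMPLE" "$GROUP_SAMPLE"
```

On a real system, run it as root with `"$(cat /etc/sudoers)"` and `"$(cat /etc/group)"`, and check the file's syntax separately with `visudo -c` after any edit; a syntax error in /etc/sudoers disables sudo for everyone.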