Application system settings of user and user group files in Linux

ID:ChinaUnix2013

1. User and user group files

In Linux, user accounts, user passwords, user group information and user group passwords are stored in different configuration files.

In the Linux system, the created user account and its related information (except password) are stored in the /etc/passwd configuration file. Because all users have read permissions on the passwd file, the password information is not saved in the file, but in the /etc/shadow configuration file.

In the passwd file, one line defines a user account. Each line is composed of multiple different arrays. The values ​​of each array are separated by ":". Each array represents a certain aspect of the account's information.

In the newly installed Linux system, the passwd configuration file already contains a lot of account information. These accounts are manually created by the system. They are the accounts that are required for the normal operation of the Linux process or some service programs. Linux course , the value of the last array of this kind of account is usually /sbin/nologin, which means that this account cannot be used to log in to the Linux system.

In the passwd configuration file, the corresponding relationship and meaning of each array from left to right:

Because passwd no longer saves password information, it is represented by x placeholder.

To prevent a user account from logging into Linux, just set the shell used by the user to /sbin/nologin. For example, for FTP accounts, usually only login and access to the FTP server are allowed, and login to the Linux operating system is not allowed. If a user does not have telnet permissions, that is, the user is not allowed to remotely log in and access the Linux operating system through telnet, just set the shell used by the user to /bin/true. If you want the user to not have telnet and ftp login permissions, you can set the user's shell to /bin/false.

In the /etc/shells file, if there is no /bin/true or /bin/false, you need to add it automatically:

[root@localhost～]#echo"/bin/false">>/etc/shells

[root@localhost～]#echo"/bin/true">>/etc/shells

2. User password file

For security reasons, the user's real password is encrypted using the MD5 encryption algorithm and stored in the /etc/shadow configuration file. This file can only be read by the root user.

Similar to the passwd file, the shadow file also defines and saves information related to an account per line. The first array is the user account name, and the second array is the account password.

3. User group account file

User group account information is stored in the /etc/group configuration file What is the Linux system user configuration file?, any user can read it. The real password of the user group is stored in the /etc/gshadow configuration file.

In group, the first array represents the name of the user group, the second array is x, the third is the ID number of the user group, and the fourth is the list of user members of the user group. Between each user name Separate with colons.

4. Add user

To create or add a new user, use the useradd command. The command usage is:

useradd[option]username

This command has many options, the commonly used ones are:

-cComment user sets the comment description text for the account

-d home directory specifies the home directory to replace the default /home/username

-mIf the home directory does not exist, create it. -r combined with -m creates a home directory for the system account

-MDo not create home directory

-edate specifies the date the account will expire. The date format is MM/DD/YY

-fdays account will be permanently suspended after a few days of expiration. If it is specified as -, it will be suspended immediately. If it is -1, this function will be turned off

-gUser group specifies which user group to add the user to. The user group must exist

-GUser group list specifies the list of user groups that the user joins at the same time. Each group is separated by commas

-nDo not create private user groups for users

-sshell specifies the shell used when the user logs in, the default is /bin/bash

-rCreate a system account with a user ID greater than 500, and the corresponding home directory will not be created by default

-uUser ID automatically specifies the ID value of the new user, which must be unique and less than 499

-ppassword specifies the login password for the new user. The password here is the password value obtained after MD5 encryption of the corresponding login password, which does not match the original text of the real password. Therefore, in actual applications, this parameter option is rarely used, and the passwd command is generally used alone to set the login password for the user.

Example:

To create a user named nisj as a member of the babyfish user group, the operation command is:

[root@localhost~]#useradd-gbabyfishnisj

[root@localhost~]#idnisj

uid=502(nisj)gid=500(babyfish)groups=500(babyfish)

[root@localhost~]#tail-1/etc/passwd

nisj:x:502:500::/home/nisj:/bin/bash

When adding a user, if the user group is not specified with the -g parameter, the system will manually create a private user group with the same name as the user account by default. If you do not need to create this private user group, you can use the -n parameter.

For example, if you add an account named nsj820 but do not specify a user group, the operation result is:

[root@localhost~]#useraddnsj820

[root@localhost~]#idnsj820

uid=503(nsj820)gid=503(nsj820)groups=503(nsj820)

[root@localhost~]#tail-1/etc/passwd

nsj820:x:503:503::/home/nsj820:/bin/bash

[root@localhost~]#tail-2/etc/passwd

nisj:x:502:500::/home/nisj:/bin/bash

nsj820:x:503:503::/home/nsj820:/bin/bash#The system manually created a user group named nsj820 with the ID number 503

When creating a user account, the system will manually create the home directory corresponding to the user. This directory is placed in the /home directory by default. If you want to change the location, you can specify it with the -d parameter; for the shell used by the user to log in, the default It is /bin/bash. If you want to modify it, use the -s parameter to specify

For example, if you want to create an account named vodup, place the home directory in the /var directory, and specify the login shell as /sbin/nologin, the operation command is:

[root@localhost~]#useradd-d/var/vodup-s/sbin/nologinvodup

[root@localhost~]#idvodup

uid=504(vodup)gid=504(vodup)groups=504(vodup)

[root@localhost~]#tail-1/etc/passwd

vodup:x:504:504::/var/vodup:/sbin/nologin

[root@localhost~]#tail-1/etc/group

vodup:x:504:

5. Set account attributes

For created users, you can use the usermod command to change and set various attributes of the account, including login name, home directory, user group, login shell, etc. The usage of this command is:

usermod[option]username

Some options

(1)Change user account name

Use the -l parameter to achieve this. The command usage is:

usermod-lNew usernameOriginal username

For example, if you want to rename user nsj820 to nsj0820, the operation command is:

[root@localhost~]#usermod-lnsj0820nsj820

[root@localhost~]#idnsj0820

uid=503(nsj0820)gid=503(nsj820)groups=503(nsj820)

[root@localhost~]#tail-1/etc/passwd

nsj0820:x:503:503::/home/nsj820:/bin/bash

It can be seen from the output that the user name has been changed to nsj0820. The home directory is still the original /home/nsj820. If you want to change it to /home/nsj0820What is the Linux system user configuration file?, you can do it by executing the following command

[root@localhost~]#usermod-d/home/nsj0820nsj0820

[root@localhost~]#idnsj0820

uid=503(nsj0820)gid=503(nsj820)groups=503(nsj820)

[root@localhost~]#tail-1/etc/passwd

nsj0820:x:503:503::/home/nsj0820:/bin/bash

[root@localhosthome]#mv/home/nsj820/home/nsj0820

(2)Lock account

If you want to temporarily prohibit a user from logging in, you can lock the user account. Locking the account can be achieved with the -L parameter. The command usage is:

usermod-LAccount to be locked

Linux locks a user by adding "!" in front of the password array of the password file shadow to indicate that the user is locked.

[root@localhosthome]#usermod-Lnsj0820

[root@localhosthome]#tail-1/etc/shadow

nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::

But you can enter through the root user and then su to the locked user.

(3)Unlock account

To unlock the account, you can use the usermod command with the -U parameter.

[root@localhost~]#usermod-Unsj0820

[root@localhost~]#tail-1/etc/shadow

nsj0820:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::

6. Delete account

To delete an account, you can use the userdel command. Its usage is:

userdel[-r]Account name

-r is optional. If this parameter is provided, the home directory corresponding to the account will be deleted at the same time as the account is deleted.

[root@localhost~]#userdel-rnsj0820

To set the expiration time of all user account passwords, you can change the value of the PASS_MAX_DAYS configuration item in the /etc/login.defs configuration file. Its default value is 99999, which means that user account passwords will never expire. The PASS_MIN_LEN configuration item is used to specify the minimum width of the account password, which defaults to 5 characters.

7. Set user login password

Use the passwd command to set it. The command usage is:

passwd[account name]

If an account name is specified, the login password of the specified account is set, and the original password is manually overwritten. Only the root user has the authority to set the password for a specified account. Typically users can only set or change the password for their own account (without parameters).

For example, if you want to set the login password of the nisj account, the operation command is:

[root@localhosthome]#passwdnisj

Changingpasswordforusernisj.

Newpassword:

BADPASSWORD:itistooshort

BADPASSWORD:istoosimple

Retypenewpassword:

passwd:allauthenticationtokensupdatedsuccessfully.

After the account login password is set, the account can log in to the system.

8. Lock/unlock account password and query password status, delete account password

In LINUX, when LINUX deletes a directory, not only the user account can be locked, but the account password can also be locked. After either party is locked, they will not be able to log in to the system. Only the root user has the right to execute this command. To lock the account password, use the passwd command with the -l option. Its usage is:

passwd-laccountname

passwd-uaccountname#Unlock account password

[root@localhosthome]#passwd-lnisj

Lockingpasswordforusernisj.

passwd:Success

[root@localhosthome]#passwd-unisj

Unlockingpasswordforusernisj.

passwd:Success

To check whether the password of the current account is locked, you can use the passwd command with the -S parameter. Its usage is:

passwd-S account name

for example

[root@localhosthome]#passwd-Snisj

The above is the detailed content of Application system settings of user and user group files in Linux. For more information, please follow other related articles on the PHP Chinese website!