Linux user and user group management


The Linux system is a multi-user, multi-tasking, time-sharing operating system. Any user who wants to use system resources must first apply for an account from the system administrator, and then enter the system as this account.

On the one hand, user accounts help system administrators track who uses the system and control their access to system resources; on the other hand, they help users organize their files and provide them with security protection.

Each user account has a unique username and respective password.

After typing the correct username and password at login, the user enters the system and his or her home directory.

To realize the management of user accounts, the work to be completed mainly includes the following aspects:

  • Add, delete and modify user accounts.

  • Management of user passwords.

  • Management of user groups.


1. Management of user accounts in Linux systems

The management of user accounts mainly involves the addition, modification and deletion of user accounts.

Adding a user account means creating a new account in the system and allocating resources to it: a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used.

1. To add a new user account, use the useradd command. The syntax is as follows:

useradd options username

Parameter description:

  • Options:

    • -c comment Specifies a comment description.

    • -d directory Specifies the user's home directory. If the directory does not exist, use the -m option at the same time to create it.

    • -g group Specifies the user group (primary group) to which the user belongs.

    • -G group,group Specifies the additional groups to which the user belongs.

    • -s shell Specifies the user's login shell.

    • -u UID Specifies the user's identification number. If the -o option is also present, the identification number of another user can be reused.

  • Username:

    Specify the login name of the new account.

Instance 1

# useradd -d /usr/sam -m sam

This command creates a user sam, where the -d and -m options are used to generate a home directory /usr/sam for the login name sam (/usr is the parent directory of the default user home directory).

Instance 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates a new user gem whose login shell is /bin/sh and who belongs to the group user group as well as the adm and root user groups, with group as the primary group.

The groups may need to be created first: # groupadd group and # groupadd adm

Adding a user account adds a record for the new user to the /etc/passwd file and at the same time updates other system files such as /etc/shadow and /etc/group.

Linux provides an integrated system management tool userconf, which can be used to uniformly manage user accounts.

2. Delete account

If a user's account is no longer used, it can be deleted from the system. Deleting a user account means deleting the user record in /etc/passwd and other system files, and also deleting the user's home directory if necessary.

To delete an existing user account, use the userdel command. The format is as follows:

userdel options username

The commonly used option is -r, which deletes the user's home directory together with the account.

For example:

# userdel sam

This command deletes the records of user sam from the system files (mainly /etc/passwd, /etc/shadow, /etc/group, etc.) and also deletes the user's home directory.

3. Modify account

Modifying a user account means changing the relevant attributes of the user according to the actual situation, such as user number, home directory, user group, login shell, etc.

Use the usermod command to modify the information of an existing user. The format is as follows:

usermod options username

Commonly used options include -c, -d, -m, -g, -G, -s, -u and -o. These options have the same meaning as in the useradd command and specify new resource values for the user.

In addition, some systems support the option -l new_username, which changes the original username to the new username.

For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes the login shell of user sam to ksh, the home directory to /home/z, and the user group to developer.

4. Management of user passwords

An important part of user management is the management of user passwords. A user account has no password when it is first created; it is locked by the system and cannot be used. It must be assigned a password before it can be used, even if the password assigned is empty.

The shell command for setting and changing user passwords is passwd. The superuser can set the password of any user; an ordinary user can only change his or her own password. The format of the command is:

passwd options username

Available options:

  • -l Lock the password, that is, disable the account.

  • -u Unlock the password.

  • -d Remove the password, leaving the account without a password.

  • -f Force the user to change the password at the next login.

If the username is omitted, the current user's password is modified.

For example, assuming that the current user is sam, the following command changes the user's own password:

$ passwd 
Old password:****** 
New password:******* 
Re-enter new password:*******

If it is a super user, you can specify the password of any user in the following form:

# passwd sam 
New password:******* 
Re-enter new password:*******

When an ordinary user changes his or her password, passwd first asks for the original password and, after verifying it, asks for the new password twice. If the two entries match, the new password is assigned to the user. When the superuser assigns a password to a user, the original password is not required.

For the sake of system security, users should choose a complex password: ideally at least 8 characters, mixing uppercase and lowercase letters and digits, and unrelated to the user's name, birthday and similar details.

When specifying an empty password for the user, execute the following form of command:

# passwd -d sam

This command deletes the password of user sam; the system will no longer ask for a password the next time sam logs in.

The passwd command can also use the -l (lock) option to lock a user so that he or she cannot log in, for example:

# passwd -l sam

2. Management of Linux system user groups

Each user has a user group, and the system can centrally manage all users in a user group. Different Linux systems have different regulations on user groups. For example, a user under Linux belongs to a user group with the same name. This user group is created at the same time when the user is created.

The management of user groups involves the addition, deletion and modification of user groups. The addition, deletion and modification of groups are actually updates to the /etc/group file.

1. Add a new user group using the groupadd command. The format is as follows:

groupadd options groupname

The options that can be used are:

  • -g GID Specifies the group identification number (GID) of the new user group.

  • -o Usually used together with the -g option; it allows the GID of the new user group to be the same as the GID of an existing user group in the system.

Instance 1:

# groupadd group1

This command adds a new group group1 to the system. The group identification number of the new group is the largest existing group identification number plus 1.

Instance 2:

# groupadd -g 101 group2

This command adds a new group group2 to the system and specifies that the group identification number of the new group is 101.

2. If you want to delete an existing user group, use the groupdel command with the following format:

groupdel groupname

For example:

# groupdel group1

This command deletes group group1 from the system.

3. Use the groupmod command to modify the attributes of the user group. The syntax is as follows:

groupmod options groupname

Commonly used options are:

  • -g GID Specifies a new group identification number for the user group.

  • -o When used together with the -g option, the new GID of the user group can be the same as the GID of an existing user group in the system.

  • -n new_groupname Changes the name of the user group to the new name.

Instance 1:

# groupmod -g 102 group2

This command changes the group identification number of group group2 to 102.

Instance 2:

# groupmod -g 10000 -n group3 group2

This command changes the identification number of group group2 to 10000 and the group name to group3.

4. If a user belongs to multiple user groups at the same time, the user can switch between user groups to have the permissions of other user groups.

After logging in, users can use the command newgrp to switch to other user groups. The parameter of this command is the destination user group. For example:

$ newgrp root

This command switches the current user to the root user group, provided that the root user group is indeed the user's main group or additional group. Similar to the management of user accounts, the management of user groups can also be completed through integrated system management tools.


3. System files related to user accounts

There are many ways to carry out user management, but each method ultimately modifies the relevant system files.

Information related to users and user groups is stored in some system files, including /etc/passwd, /etc/shadow, /etc/group, etc.

The contents of these files are introduced below.

1. The /etc/passwd file is the most important file involved in user management work.

Each user in the Linux system has a corresponding record line in the /etc/passwd file, which records some basic attributes of the user.

This file is readable by all users. Its content is similar to the following example:

# cat /etc/passwd

root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh

From the above example, we can see that a row of records in /etc/passwd corresponds to a user, and each row of records is separated into 7 fields by colons (:) , its format and specific meaning are as follows:

username:password:UID:GID:comment:home directory:login shell

1) "Username" is a string representing the user account.

It is usually no more than 8 characters long and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field separator here.

For the sake of compatibility, it is best not to include dot characters (.) in the login name, and do not use hyphens (-) and plus signs (+) as the beginning.

2) "Password": in some systems, the encrypted user password is stored here.

Although this field only stores the encrypted form of the user password, not the plaintext, the fact that /etc/passwd is readable by all users still makes it a security risk. Therefore many Linux systems (such as SVR4) now use shadow passwords: the real encrypted password is stored in the /etc/shadow file, and the password field of /etc/passwd holds only a special character such as "x" or "*".

3) "User identification number" is an integer, which is used internally by the system to identify users.

Generally, it corresponds to the user name one-to-one. If the user identification numbers corresponding to several user names are the same, they will be regarded as the same user internally by the system, but they can have different passwords, different home directories, different login shells, etc.

Usually the range of user identification numbers is 0 to 65535. 0 is the identification number of the superuser root, 1 to 99 are reserved by the system for administrative accounts, and the identification numbers of ordinary users start from 100. On Linux systems, this limit is 500.

4) The "Group ID" field records the user group to which the user belongs.

It corresponds to a record in the /etc/group file.

5) The "Annotative Description" field records some personal information of the user.

For example, the user's real name, phone number, address, etc. This field has no practical use. The format of this field is not uniform in different Linux systems. In many Linux systems, this field stores an arbitrary descriptive text, which is used as the output of the finger command.

6) "Home directory", which is the user's starting working directory.

It is the directory where the user is located after logging in to the system. In most systems, each user's home directory is organized in the same specific directory, and the name of the user's home directory is the user's login name. Each user has read, write, and execute (search) permissions on his or her own home directory, and other users' access permissions to this directory are set according to specific circumstances.

7) After the user logs in, a process must be started, which is responsible for transmitting the user's operations to the kernel. This process is a command interpreter or a specific program, that is, Shell, that is run after the user logs in to the system.

Shell is the interface between the user and the Linux system. There are many types of Linux Shells, each with different characteristics. Commonly used ones include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.

The system administrator can designate a shell for the user based on the system conditions and user habits. If you do not specify a shell, the system uses sh as the default login shell, that is, the value of this field is /bin/sh.

The user's login Shell can also be designated as a specific program (this program is not a command interpreter).

Using this feature, we can restrict users to run only specified applications. After the application is finished running, the user will automatically exit the system. Some Linux systems require that only programs registered in the system can appear in this field.

8) There is a type of user in the system called pseudo-users.

These users also have a record in the /etc/passwd file, but cannot log in because their login shell is empty. Their existence is mainly to facilitate system management and meet the requirements of the corresponding system processes for file owners.

Common pseudo-users are as follows:

Pseudo-user   Meaning
bin           Owns the executable user command files
sys           Owns the system files
adm           Owns the account files
uucp          Used by UUCP
lp            Used by the lp or lpd subsystem
nobody        Used by NFS

In addition to the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail, usenet, etc., which are likewise required by related processes and files.

Since the /etc/passwd file is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer, which is a threat to security. Linux systems with higher security requirements therefore separate the encrypted passwords into a file of their own, /etc/shadow. Only the superuser has read permission for this file, which protects the user passwords.

2. The record lines in /etc/shadow correspond one-to-one to those in /etc/passwd. The file is generated automatically by the pwconv command from the data in /etc/passwd.

Its format is similar to /etc/passwd: several fields separated by ":". These fields are:

login name:encrypted password:last change time:minimum interval:maximum interval:warning time:inactivity time:expiration time:flag

  1. "Login name" is the user account that matches the login name in the /etc/passwd file

  2. The "Password" field stores the encrypted user password, 13 characters long. If it is empty, the corresponding user has no password and is not asked for one when logging in; if it contains characters outside the set { ./0-9A-Za-z }, the corresponding user cannot log in.

  3. "Last modification time" means the number of days from a certain moment to the last time the user modified the password. The starting point of time may be different for different systems. For example, in SCO Linux, the starting point of this time is January 1, 1970.

  4. "Minimum time interval" refers to the minimum number of days required between two password changes.

  5. "Maximum time interval" refers to the maximum number of days that the password remains valid.

  6. The "Warning Time" field indicates the number of days between when the system starts warning the user and when the user's password officially expires.

  7. "Inactivity time" refers to the maximum number of days that the user has no login activity but the account can still remain valid.

  8. The "Expiration Time" field gives an absolute number of days. If this field is used, the lifetime of the corresponding account will be given. After the expiration, the account is no longer a legal account and can no longer be used to log in.

The following is an example of /etc/shadow:

# cat /etc/shadow

root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
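As an added example that is not part of the original tutorial, the following POSIX shell function applies the field meanings listed above to records in /etc/shadow format and reports the conditions a reviewer would look for: an empty password field, a locked password (characters outside the permitted set), a password with no maximum interval, and an account whose expiration day has passed. The sample records are constructed (the root, daemon and sam lines are copied from the listing above, the others are made up), the tag names are the example's own, and the current day count is passed in as a parameter rather than computed so that the output is reproducible.

```shell
#!/bin/sh
# Added example, not part of the tutorial: apply the /etc/shadow field
# meanings above to records read from standard input.

# Constructed sample: the root, daemon and sam lines are copied from the
# tutorial's listing, the remaining lines are made up to exercise each check.
SAMPLE_SHADOW='root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
guest::9740:0:90:7:::
contractor:abc123XYZ:9000:0::::9500:
intern:abc123XYZ:9000:0:90:7::9800:
svc:!locked:9000:0:::::'

# audit_shadow TODAY
# TODAY is the current day count in the same unit as fields 3 and 8 (days
# since the epoch); it is a parameter so the result is reproducible.
# Prints "<tag>:<login name>" per finding:
#   badfields  record does not have the 9 fields listed above
#   nopass     empty password field: the user logs in without a password
#   locked     password contains a character outside { ./0-9A-Za-z }, so
#              the user cannot log in with a password
#   noexpire   usable password but no maximum interval: it never expires
#   expired    expiration day (field 8) is today or earlier
audit_shadow() {
    awk -F: -v today="$1" '
        NF != 9                          { print "badfields:" $1; next }
        $2 == ""                         { print "nopass:" $1; next }
        $2 !~ "^[./0-9A-Za-z]+$"         { print "locked:" $1; next }
        $5 == ""                         { print "noexpire:" $1 }
        $8 != "" && $8 + 0 <= today + 0  { print "expired:" $1 }
    '
}

# count_shadow_findings TAG TODAY: number of findings with that tag on stdin
count_shadow_findings() {
    audit_shadow "$2" | grep -c "^$1:" || true
}

# Stand-alone demonstration; day 9740 is the day sam's password was set in
# the sample. On a real system, as root:
#   audit_shadow $(( $(date +%s) / 86400 )) < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 9740
```

On the sample with today = 9740 the script reports daemon and svc as locked, guest as having no password, and contractor as both never-expiring and already expired; root, sam and intern produce no findings.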

3. All information about user groups is stored in the /etc/group file.

Grouping users is a means of managing users and controlling access rights in the Linux system.

Each user belongs to a certain user group; there can be multiple users in a group, and a user can also belong to different groups.

When a user is a member of multiple groups at the same time, what is recorded in the /etc/passwd file is the main group to which the user belongs, which is the default group of the user at login; the other groups are called additional groups.

When a user wants to access files belonging to an additional group, he must first use the newgrp command to become a member of the group he wants to access.

All information about user groups is stored in the /etc/group file. The format of this file is also similar to the /etc/passwd file, with several fields separated by colons (:). These fields are:

group name:password:GID:list of users in the group

  1. "Group name" is the name of the user group, consisting of letters or digits. As with login names in /etc/passwd, group names should not be repeated.

  2. The "Password" field stores the encrypted password of the user group. Generally, user groups in Linux systems do not have passwords, that is, this field is usually empty or *.

  3. "Group identification number" is similar to the user identification number. It is also an integer and is used internally by the system to identify the group.

  4. "User list in group" is a list of all users belonging to this group, separated by commas (,). This user group may be the user's main group or an additional group.

An example of the /etc/group file is as follows:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
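The relationship between the two files described above (the GID in a user's /etc/passwd record names the primary group, the member list in /etc/group names the additional groups, and newgrp is only allowed into one of those) can be resolved with a few lines of awk. The following script is an added example, not part of the tutorial or of any Linux tool; the passwd and group samples it writes are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: resolve a user's primary group
# (via the GID in the passwd record) and supplementary groups (via the
# member list in the group file), then use that to decide whether newgrp
# into a given group is permitted.

# Constructed sample files in the formats described above.
PASSWD_SAMPLE='root:x:0:0:Superuser:/root:/bin/sh
sam:x:200:50:Sam san:/usr/sam:/bin/sh
gem:x:201:100:Gem:/home/gem:/bin/sh'
GROUP_SAMPLE='root::0:root
adm::4:root,adm,gem
staff::50:
users::100:sam,gem
developer::200:sam'

# write_sample_files DIR: write the samples as DIR/passwd and DIR/group
write_sample_files() {
    printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
    printf '%s\n' "$GROUP_SAMPLE" > "$1/group"
}

# groups_of USER PASSWD_FILE GROUP_FILE
# Prints "primary:<group>" for the group whose GID matches field 4 of the
# user's passwd record and "supplementary:<group>" for every other group
# whose member list names the user, in group-file order. Returns 1 if the
# user has no passwd record.
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print "primary:" $1; next }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) print "supplementary:" $1
        }' "$3"
}

# can_newgrp USER GROUP PASSWD_FILE GROUP_FILE
# Succeeds only if GROUP is USER's primary or a supplementary group, the
# condition the tutorial gives for "newgrp GROUP" to be allowed.
can_newgrp() {
    groups_of "$1" "$3" "$4" | grep -qE "^(primary|supplementary):$2\$"
}

# Stand-alone demonstration on the constructed files. On a real system
# pass /etc/passwd and /etc/group instead.
dir=$(mktemp -d)
write_sample_files "$dir"
groups_of sam "$dir/passwd" "$dir/group"
can_newgrp sam developer "$dir/passwd" "$dir/group" && echo "sam may newgrp developer"
can_newgrp sam adm "$dir/passwd" "$dir/group" || echo "sam may not newgrp adm"
rm -rf "$dir"
```

For sam the sample resolves to primary group staff (GID 50) plus the supplementary groups users and developer, so newgrp developer is allowed and newgrp adm is not; gem, listed in adm's member field, gets adm as a supplementary group and users (GID 100) as primary.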

4. Adding users in batch

Adding or deleting a single user is an easy task for any Linux system administrator. It is harder when dozens, hundreds or even thousands of users have to be added: running useradd for each one is impractical, so a simpler way of creating a large number of users is needed. Linux provides tools for exactly this, which create many users at once. The method is as follows:

(1) First edit a text file of users.

Each line is written in the format of the /etc/passwd password file. Note that the username, UID and home directory of each user must not be the same; the password field can be left blank or set to x. The content of a sample file user.txt is as follows:

user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) As root, run /usr/sbin/newusers to import the data from the newly created user file user.txt and create the users:

# newusers < user.txt

Then run vipw or vi /etc/passwd to check that the data of these users now appears in /etc/passwd and that their home directories have been created.

(3) Execute the command /usr/sbin/pwunconv.

This moves the encrypted passwords from /etc/shadow back into /etc/passwd and removes the shadow password entries, i.e. it temporarily turns off shadow passwords so that the password conversion in the following steps can be done.

# pwunconv

(4) Edit the password control file for each user.

The sample file passwd.txt has the following content, one username:password pair per line, where "password" stands for the plaintext password assigned to that user:

user001:password
user002:password
user003:password
user004:password
user005:password
user006:password

(5) As root, run /usr/sbin/chpasswd.

This sets the users' passwords: chpasswd writes the password, encoded as the /usr/bin/passwd command would, into the password field of /etc/passwd.

# chpasswd < passwd.txt

(6) After confirming that the passwords have been encoded and written into the password field of /etc/passwd, run /usr/sbin/pwconv to convert the passwords to shadow passwords and write the result to /etc/shadow.

# pwconv

This completes the creation of a large number of users. Afterwards, check in /home whether the permissions of these users' home directories are correct, and log in to verify that the passwords work.
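The constraints given in step (1) (unique username, UID and home directory; one record per line in /etc/passwd format) and the risks described in the /etc/passwd section (duplicate UIDs are treated as the same user, an empty password field means no password is asked, a UID 0 account is a superuser) can be checked mechanically, both on user.txt before newusers is run and on /etc/passwd itself afterwards. The following POSIX shell script is an added example, not part of the tutorial or of the shadow tool suite; the sample records are constructed, and the tags it prints are the example's own naming.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit records in /etc/passwd
# format read from standard input. The same checks serve as a pre-check of
# a user.txt file before it is fed to newusers.

# Constructed sample. The first three lines mirror the tutorial's listing;
# the rest are deliberately faulty so that every check below fires.
SAMPLE_PASSWD='root:x:0:0:Superuser:/root:/bin/sh
daemon:x:1:1:System daemons:/etc:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
toor:x:0:0:second UID 0 account:/:/bin/sh
guest::501:100:empty password field:/home/guest:/bin/sh
dup:x:200:50:shares UID with sam:/home/dup:/bin/sh
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user001:/bin/bash
sam:x:602:100:repeated login name:/home/sam2:/bin/bash
broken:x:603:100:only six fields:/home/broken'

# audit_passwd: one finding per line, "<tag>:<login name>", where the tag is
#   badfields  record does not have exactly 7 colon-separated fields
#   dupname    login name already used by an earlier record
#   uid0       UID 0 (superuser) account whose name is not root
#   dupuid     UID already used by an earlier record (the system treats
#              both names as the same user)
#   duphome    home directory already used by an earlier record
#   nopass     empty password field: no password is asked at login when
#              shadow passwords are not in use (expected in user.txt until
#              chpasswd has run)
#   noshell    empty login shell, i.e. a pseudo-user that cannot log in
audit_passwd() {
    awk -F: '
        NF != 7                 { print "badfields:" $1; next }
        $1 in name              { print "dupname:" $1 }
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $3 in uid               { print "dupuid:" $1 }
        $6 in home              { print "duphome:" $1 }
        $2 == ""                { print "nopass:" $1 }
        $7 == ""                { print "noshell:" $1 }
        { name[$1] = 1; uid[$3] = 1; home[$6] = 1 }
    '
}

# count_passwd_findings TAG: number of findings with that tag on stdin
count_passwd_findings() {
    audit_passwd | grep -c "^$1:" || true
}

# Stand-alone demonstration on the constructed sample; on a real system run
# "audit_passwd < user.txt" before newusers, or "audit_passwd < /etc/passwd".
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample the script flags toor both as a second UID 0 account and as a duplicate of root's UID, dup as a duplicate of sam's UID, user002 as reusing user001's home directory, the second sam line as a repeated login name, the six-field broken line, daemon as shell-less, and guest, user001 and user002 as having empty password fields; a user.txt that passes with only nopass findings is ready for newusers, after which steps (3) to (6) set the passwords.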