Basic concepts:
A Linux system supports multiple users logged in at the same time; different users can perform different tasks without affecting each other.
User group
A user group is a logical set of users that share the same characteristics. For example, you can create a group, put every user who needs to access a given file into that group, and each member then has the same permissions as the group.
Relationship between user and user group:
One to one: a user can be the only member of a group.
One to many: a user can belong to multiple user groups, and that user has the combined permissions of all of them.
Many to one: multiple users can be in a group. These users have the same permissions as the group.
Many to many: multiple users can be in multiple groups.
Files related to user and user group management
User related information includes the following items:
(1) Basic user information: stored in the /etc/passwd file.
(2) User password information: stored in the /etc/shadow file.
(3) Basic user group information: stored in the /etc/group file.
(4) User group password information: stored in the /etc/gshadow file.
(5) User personal files: the home directory is located at /home/<username> by default, and the mailbox at /var/spool/mail/<username>.
/etc/passwd
The Linux system stores the mapping between all user names and IDs in the /etc/passwd file:
```
[root@6c810f7f0bd8 /]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
max:x:1000:1000::/home/max:/bin/bash
```
The fields are separated by colons. Taking the last line, max:x:1000:1000::/home/max:/bin/bash, as an example, the meaning of each field is shown in the following table:
| Field | Content | Meaning |
|---|---|---|
| 1 | max | User name |
| 2 | x | x indicates that the user has a password; the real password hash is stored in /etc/shadow |
| 3 | 1000 | User ID (UID) |
| 4 | 1000 | User group ID (GID) |
| 5 | (empty) | Description information |
| 6 | /home/max | Home directory |
| 7 | /bin/bash | Default shell |
/etc/shadow
The Linux system stores the password information of all users in /etc/shadow:
```
[root@6c810f7f0bd8 /]# cat /etc/shadow
root:$6$Ut8D53FqcZRP/tqH$ckM1ABa3OaPQh/0BHgZ1IxheJn1IVZ8oBXHK2c1zmfHKnWpIjxZSCcWwjxlK/600PJDYm/oYyhCp5eyg7SSY50:18887:0:99999:7:::
bin:*:18397:0:99999:7:::
daemon:*:18397:0:99999:7:::
adm:*:18397:0:99999:7:::
lp:*:18397:0:99999:7:::
sync:*:18397:0:99999:7:::
shutdown:*:18397:0:99999:7:::
halt:*:18397:0:99999:7:::
mail:*:18397:0:99999:7:::
operator:*:18397:0:99999:7:::
games:*:18397:0:99999:7:::
ftp:*:18397:0:99999:7:::
nobody:*:18397:0:99999:7:::
dbus:!!:18600::::::
systemd-coredump:!!:18600::::::
systemd-resolve:!!:18600::::::
max:$6$qzcSyCE4VFQmEcTm$p7ozCf/4pv3KbwS0dK8UXxZMnYjuYp/v3t5XUf42qB0XxXe.X30nWJgRoEqiRTbLv09KodP9BKiLQRlgxt.SA1:18887:0:99999:7:::
```
The meaning of each field is shown in the following table:
| Field | Meaning |
|---|---|
| 1 | User name |
| 2 | Password hash. Current Linux systems use the SHA-512 algorithm (the `$6$` prefix), which is stronger than the older MD5 or DES algorithms. |
| 3 | Date of the last password change, as the number of days since the Unix epoch, January 1, 1970. |
| 4 | Minimum change interval: the number of days after the last change during which the password cannot be changed again. |
| 5 | Password validity in days. The default is 99999. |
| 6 | Number of days before the password expires on which the user is warned that "your password will expire in n days". |
| 7 | Grace period after the password expires. If the password has expired and has not been changed in time, the user can still log in within the grace period. |
| 8 | Account expiration date. |
| 9 | Reserved field, not used yet. |
/etc/group
Linux keeps all user group information in the /etc/group file:
```
[root@6c810f7f0bd8 /]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
users:x:100:
nobody:x:65534:
dbus:x:81:
utmp:x:22:
utempter:x:35:
input:x:999:
kvm:x:36:
render:x:998:
systemd-journal:x:190:
systemd-coredump:x:997:
systemd-resolve:x:193:
ssh_keys:x:996:
max:x:1000:
```
The meaning of each field is shown in the following table:
| Field | Meaning |
|---|---|
| 1 | Group name |
| 2 | Password |
| 3 | GID |
| 4 | List of additional users in the group (users for whom this is the initial group are not listed) |
/etc/gshadow
The Linux system stores group password information in the /etc/gshadow file:
```
[root@6c810f7f0bd8 /]# cat /etc/gshadow
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
wheel:::
cdrom:::
mail:::
man:::
dialout:::
floppy:::
games:::
tape:::
video:::
ftp:::
lock:::
audio:::
users:::
nobody:::
dbus:!::
utmp:!::
utempter:!::
input:!::
kvm:!::
render:!::
systemd-journal:!::
systemd-coredump:!::
systemd-resolve:!::
ssh_keys:!::
max:!::
```
The meaning of each field is shown in the following table:
| Field | Meaning |
|---|---|
| 1 | Group name |
| 2 | Encrypted password. For most groups no password is set; "!" means there is no group password and no group administrator. |
| 3 | Group administrator |
| 4 | List of additional users in the group |
Commands for user and user group management
Add user useradd
```
# -u specify the UID of the user, which needs to be greater than 500
# -d specify the user's home directory (an absolute path is required; pay attention to permissions)
# -c description, i.e. field 5 of the user's entry in /etc/passwd
# -g specify the user's initial group
# -G specify the user's additional groups
# -s specify the user's shell; the default is /bin/bash
# -o allow the user to be created with a UID that is already in use (non-unique UID)
# -r create a system user (UID in 1-499)

# Create a user Tom and view its related information
[root@6c810f7f0bd8 /]# useradd Tom
[root@6c810f7f0bd8 /]# grep "Tom" /etc/passwd /etc/shadow /etc/group /etc/gshadow
/etc/passwd:Tom:x:1002:1003::/home/Tom:/bin/bash
/etc/shadow:Tom:!!:18887:0:99999:7:::
/etc/group:Tom:x:1003:
/etc/gshadow:Tom:!::

# Create a user Jerry with the same UID as root (0), initial group rat, additional group root,
# home directory /home/rat, description "test" and shell /bin/bash
[root@6c810f7f0bd8 /]# useradd -u 0 -o -g rat -G root -d /home/rat -c "test" -s /bin/bash Jerry
[root@6c810f7f0bd8 /]# grep "Jerry" /etc/passwd /etc/shadow /etc/group /etc/gshadow
/etc/passwd:Jerry:x:0:1004:test:/home/rat:/bin/bash
/etc/shadow:Jerry:!!:18887:0:99999:7:::
/etc/group:root:x:0:Jerry
/etc/gshadow:root:::Jerry
```
Password configuration passwd
```
# -S query the status of the user's password, i.e. the content of /etc/shadow; run as root
# -l temporarily lock the user: adds "!" in front of the user's hash in /etc/shadow so the password becomes invalid; root only
# -u unlock the user, the reverse of -l; root only
# --stdin take the data piped in through the pipe character as the user's password
# -x set the validity period of the user's password
# -n set how long the password cannot be changed again after the user changes it
# -w set the number of warning days before the user's password expires
# -i set the user's password expiration date

# Modify the password of user Tom
[root@6c810f7f0bd8 /]# passwd Tom
Changing password for user Tom.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

# Change the password through the pipe character
[root@6c810f7f0bd8 /]# echo "123456" | passwd --stdin Tom
Changing password for user Tom.
passwd: all authentication tokens updated successfully.
```
Ordinary users can only change their own password.
Modify user related information usermod
```
# -c modify the user's description information
# -d modify the user's home directory (absolute path)
# -e modify the user's expiration date, in the format "YYYY-MM-DD"
# -g modify the user's initial group
# -u modify the user ID (UID)
# -G modify the user's additional groups
# -l modify the user's name
# -L temporarily lock the user
# -U unlock the user
# -s modify the user's login shell
```
The usage is very similar to useradd, except that creation becomes modification.
Modify user password status chage
```
# -l list the user's password status in detail
# -d set the date of the last password change, in the format YYYY-MM-DD
# -m minimum number of days that must pass before the password can be changed again
# -M modify the validity period of the password
# -W number of warning days before the password expires
# -I modify the grace days after the password expires
# -E modify the expiration date of the account, in the format YYYY-MM-DD

# View the user's password status
[root@6c810f7f0bd8 /]# chage -l Tom
Last password change                                    : Sep 17, 2021
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
```
Delete user userdel
Only the root user can use it.
```
# -r also delete the user's home directory when deleting the user
[root@6c810f7f0bd8 /]# userdel -r Tom
[root@6c810f7f0bd8 /]# grep "Tom" /etc/passwd /etc/shadow /etc/group /etc/gshadow
```
The output is empty.
View user UID and GID id
```
[root@6c810f7f0bd8 /]# id Jerry
uid=0(root) gid=0(root) groups=0(root)
```
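As an added example (not code from the original page), the following Python script parses the /etc/passwd and /etc/shadow formats described above and audits them the way an administrator would: it turns field 3 of /etc/shadow into the date that chage -l prints, and flags extra UID 0 accounts such as Jerry, empty password fields and non-expiring passwords. The sample input is constructed (hashes replaced by a placeholder, Tom's entry altered to an empty password field to exercise that check), and the function names are my own.

```python
from datetime import date, timedelta

# Constructed sample input in the /etc/passwd and /etc/shadow formats shown
# above; the root, max, Jerry and Tom entries mirror this page, with the real
# hashes replaced by a placeholder and Tom's hash field emptied on purpose.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
max:x:1000:1000::/home/max:/bin/bash
Jerry:x:0:1004:test:/home/rat:/bin/bash
Tom:x:1002:1003::/home/Tom:/bin/bash
"""
SHADOW = """root:$6$salt$HASH_PLACEHOLDER:18887:0:99999:7:::
bin:*:18397:0:99999:7:::
max:$6$salt$HASH_PLACEHOLDER:18887:0:99999:7:::
Jerry:!!:18887:0:99999:7:::
Tom::18887:0:99999:7:::
"""
PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last", "min", "max", "warn",
                 "inactive", "expire", "reserved")

def parse_colon_file(text, fields):
    """Split each non-empty line on ':' into a dict keyed by field name."""
    return [dict(zip(fields, line.split(":")))
            for line in text.splitlines() if line.strip()]

def last_change_date(entry):
    """Field 3 of /etc/shadow is days since 1970-01-01 (see the table above)."""
    return date(1970, 1, 1) + timedelta(days=int(entry["last"]))

def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs that an administrator should review."""
    findings = []
    shadow = {e["name"]: e for e in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    for u in parse_colon_file(passwd_text, PASSWD_FIELDS):
        if u["uid"] == "0" and u["name"] != "root":
            # A second UID 0 account (like Jerry above) is root under another name.
            findings.append((u["name"], "extra UID 0 account"))
        s = shadow.get(u["name"])
        if s is None:
            continue
        if s["hash"] == "" and u["shell"] != "/sbin/nologin":
            findings.append((u["name"], "empty password field"))
        if s["hash"].startswith(("!", "*")):
            continue  # locked ('!', '!!') or no password set ('*'): skip expiry check
        if s["max"] == "99999":
            findings.append((u["name"], "password never expires"))
    return findings
```

Run as root against a live system with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())`; on the sample above it reports Jerry as an extra UID 0 account and Tom as having an empty password field, and `last_change_date` maps Tom's 18887 to the Sep 17, 2021 that chage -l printed.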
Inter user switching su
```
# -  switch to the specified user and load that user's working environment (including the PATH and MAIL variables); if the user name is omitted, it defaults to root
# -l the same as '-', but the user name is given at the end
# -p switch to the specified user without changing the working environment
# -m the same as '-p'
# -c switch user only to execute one command, then switch back automatically
[root@6c810f7f0bd8 /]# su -
Last login: Fri Sep 17 11:21:11 UTC 2021 on pts/1
Last failed login: Fri Sep 17 11:29:40 UTC 2021 on pts/1
There was 1 failed login attempt since the last successful login.

# Switch to max without changing the working directory
[root@6c810f7f0bd8 ~]# su max
[max@6c810f7f0bd8 root]$
```
Add user group groupadd
```
# -g specify the GID
# -r create a system user group
[root@6c810f7f0bd8 ~]# groupadd grouptest
[root@6c810f7f0bd8 ~]# grep "grouptest" /etc/group /etc/gshadow
/etc/group:grouptest:x:1005:
/etc/gshadow:grouptest:!::
```
Modify user group related information groupmod
Do not modify groups casually; doing so easily confuses the administrator's bookkeeping. If you must change one, it is recommended to delete the old group first and then create a new one.
```
# -g modify the GID
# -n modify the group name

# Rename the user group grouptest to grouptest1
[root@6c810f7f0bd8 ~]# groupmod -n grouptest1 grouptest
[root@6c810f7f0bd8 ~]# grep "grouptest1" /etc/group /etc/gshadow
/etc/group:grouptest1:x:1005:
/etc/gshadow:grouptest1:!::
```
Delete user group groupdel
In essence, this deletes the target group's entries from the /etc/group and /etc/gshadow files.
Note: if a group is the initial group of some user, it cannot be deleted with groupdel.
```
[root@6c810f7f0bd8 ~]# groupdel root
groupdel: cannot remove the primary group of user 'root'
```
Set up group administrator gpasswd
```
# -A user,... hand control of the group over to the listed users (group administrators); root only
# -M user,... add the listed users to this group; root only
# -r remove the group's password; root only
# -R invalidate the group's password; root only
# -a add a user to this group
# -d remove a user from this group
```
usermod -G can also add a user to a group, but it removes the user from the groups they joined before. Therefore it is best to use the gpasswd command.
Modify the user's initial group newgrp
The newgrp command is similar to the login command. To switch to a group with newgrp you must be a member of that group; otherwise the switch to the specified group fails.
Every time you switch the user's initial group with newgrp, the user is logged in to another shell (a new process, i.e. a child process), and in that new shell the user's initial group has changed.
```
# Each time newgrp is executed, use echo $$ to view the process ID
[root@6c810f7f0bd8 ~]# echo $$
274
[root@6c810f7f0bd8 ~]# newgrp root
[root@6c810f7f0bd8 ~]# echo $$
287
[root@6c810f7f0bd8 ~]# newgrp max
[root@6c810f7f0bd8 ~]# echo $$
298
[root@6c810f7f0bd8 ~]# newgrp root
[root@6c810f7f0bd8 ~]# echo $$
309
[root@6c810f7f0bd8 ~]# exit
exit
[root@6c810f7f0bd8 ~]# echo $$
298
[root@6c810f7f0bd8 ~]# exit
exit
[root@6c810f7f0bd8 ~]# echo $$
287
[root@6c810f7f0bd8 ~]# exit
exit
[root@6c810f7f0bd8 ~]# echo $$
274
```