[Linux command] - 3 - user and group management

Posted by Norsk.Firefox on Thu, 03 Mar 2022 21:49:51 +0100

This article mainly introduces the basic knowledge of users and user groups in Linux; It includes how to use commands to create and delete users, create and delete user groups, and how to effectively manage users and user groups.
#Article catalogue

  • 0 × 1.Linux user information file and password file
  • 0 × 2.Linux user group information file and group password file
  • 0 × 3.Linux user group management
  •      a.How to create a group
  •      b.How to rename a group
  •      c.How to delete a group
  • 0 × 4.Linux user management
  •      a.How to add users
  •      b.How to rename a user
  •      c.How to lock and unlock users
  •      d.How to delete a user
  •      e.Modify user group

##0 × 1.Linux user information file and password file
When creating a user, the user's account information is saved in the user information file. Only root permission can modify the contents of this file, and non root users can only read the contents:

#The user account information file is in the "/ etc/passwd" file of Linux system. Use vim to view its contents
qing@qingsword.com:~$ vim /etc/passwd
#This is the information of the root account
#... Omit partial output
#This is the current account information
#The account information is separated by ":", and the contents of each field are explained as follows:
#Take "qingsword:x:500:500::/home/qingsword:/bin/bash" as an example:
#User name qingsword; The password is not saved in this file, so use "x" instead; Uid is the user ID value, the uid of root user = 0, the uid range of system user is 1-499, and the uid of other users is 499-429e9 + (more than 4.2 billion); GID is the user's group ID, and the ID value is assigned the same as uid. Both uid and GID of qingsword are 500; userinfo is the user information, which is generally equal to the user name, and the item of qingsword is empty; Home is the user's home directory, and qingsword's home directory is "/ home/qingsword"; Shell is the shell executed by the user after loading, generally / bin/bash

If you have root permission, in this file, change the UID and GID of a user to 0, such as "qingsword" ❌ 0:0::/home/qingsword:/bin/bash ", so" qingsword "has root permission.

In Linux, the user's account information and password information are saved separately. When viewing the user's account information file, it is found that the password is hidden with "x". In fact, the user's password is encrypted and saved in the file "/ etc/shadow". The permission of this file is more strict. Only root permission can view and modify it, Non root users cannot see the content (or use sudo command prefix under normal user permissions):

#View the contents of the password file
[root@localhost~]$ sudo vim /etc/shadow
#Some outputs are omitted above, and only the outputs of root and qingsword of the current account are retained. The corresponding fields are explained as follows:
#Take "root:6e5sGDXdfashsdf32:15453:0:99999:7:::" for example:
#username is root
#The password is "6e5sGDXdfashsdf32", which is the encrypted password
#lastChg: the number of days from January 1, 1970 to the last password change
#min: the minimum interval between two password changes. 0 means no interval
#max: the number of days the password is valid. 99999 is never expired
#warm: how many days before the password expires, the system sends a warning to the user (7 days by default)
#inactive: the number of days the user name is still valid before login is prohibited
#expire: the time when the user is forbidden to log in
#flag: reserved domain
#The last three parameters are not used in root

In the Ubuntu desktop version, if you forget the boot password, you can use a Linux boot disk (USB flash disk) to boot, and then mount the partition of the system where you forget the password (assuming that it is mounted in the / mnt directory of the USB flash disk system), Then, you can clear the boot password by vi deleting the password field of the corresponding account in the "/ mnt/etc/shadow" file (or deleting the "x" in the password field after the corresponding account name in "/ mnt/etc/passwd").
##0 × 2.Linux user group information file and group password file
The user's group information is saved in the file "/ etc/group". Only root permission can modify this file, and other users can only view it; The group password file is saved in "/ etc/gshadow". Only root permission can view and modify it, and other users have no right to view it:

#View the contents of the group information file
qing@qingsword.com:~$ vim /etc/group
#root group
#... Omit partial output
#This is the group of the current user. When the user is created, if no group is specified, a group with the same name as the user will be automatically created and the user will be divided into this group
#The format of user group information is as follows:
#In "qingsword:x:500:"
#username is qingsword
#Password is hidden by x, and the group password is saved separately in the / etc/gshadow file
#The GID is 500, the GID of root is 0, the system GID ranges from 1-499 (Ubuntu system is 1-1000), and the GID that users can use starts from 500, which is the same as the UID range,
#g_members: represents the list of members in this group, separated by commas

##0 × 3.Linux user group management
The following operations need root permission or sudo command prefix to execute.
###a. How to create a group
Create a random GID user group:

#Create a random GID user group (GID is generally incremental), and the group name is testgroup1
qing@qingsword.com:~$ sudo groupadd testgroup1
qing@qingsword.com:~$ sudo more /etc/group
testgroup1:x:501: #This is the user group just created. GID is 501

Create a user group with the specified GID:

#The specified GID is 1555 and the group name is testgroup2
qing@qingsword.com:~$ sudo groupadd -g 1555 testgroup2
qing@qingsword.com:~$ sudo more /etc/group

Create a system group:

#If - g is not used, the system can not specify GID
qing@qingsword.com:~$ sudo groupadd -r testsystemgroup1
qing@qingsword.com:~$ sudo more /etc/group
testsystemgroup1:x:495:  #GID S ranging from 1-499 are all system groups (Ubuntu users are 1-1000)
#Specify a GID, but do not conflict with an existing GID
qing@qingsword.com:~$ sudo groupadd -g 496 -r testsystemgroup2
groupadd: GID '496' already exists  #If this prompt appears, it means that the system group ID has been used

###b. How to rename a group
You can change the existing group name and GID through groupmod. See the following example:

#Rename "p1tgroutes" to "p1tgroutes"
qing@qingsword.com:~$ sudo groupmod -n testgroup111 testgroup1
#Rename "testgroup2" to "testgroup22" and change GID to 666
qing@qingsword.com:~$ sudo groupmod -g 666 -n testgroup222 testgroup2

###c. How to delete a group
You can use the following command to delete an existing group:

#Delete the "testsystemgroup1" created above
qing@qingsword.com:~$ sudo groupdel testsystemgroup1
 Through the above operations, there are two newly created user groups in the system, namely"testgroup111"and"testgroup222",Continue the following experiment.

##0 × 4.Linux user management
###a. How to add users
Use the useradd command to create a user:

#Add a user named "testuser1" without any parameters, and the system will automatically create a user group with the same group name and user name, and then divide the user into this user group
qing@qingsword.com:~$ sudo useradd testuser1
#Set user password
qing@qingsword.com:~$ sudo passwd testuser1
#Create a new user "testuser 222", specify his UID as 2222, and assign him to the group "testgroup 222"
qing@qingsword.com:~$ sudo useradd -u 2222 -g testgroup222 testuser222
#Create a new user "testuser111", specify his UID as 1111, assign him to the group "testgroup111", and specify his home directory as "/ home/user111"
qing@qingsword.com:~$ sudo useradd -u 1111 -g testgroup111 -d /home/user111 testuser111

###b. How to rename a user
Rename the user using the usermod command:

#Rename "testuser222" to "qingsword123"
qing@qingsword.com:~$ sudo usermod -l qingsword123 testuser222
#Rename the "testuser1" created above to "hello", and rename the home directory to hello
qing@qingsword.com:~$ sudo usermod -m -d /home/hello -l hello testuser1

This command can also add parameters - g, change user group, - u, change UID, etc. you can try it yourself.
###c. How to lock and unlock users

#To lock the hello user, you can use "Ctrl+Alt+F2" to switch to tty2, and then try to log in with the locked account. You will find the prompt "Login incorrect", and you can't log in
qing@qingsword.com:~$ sudo usermod -L hello
#After unlocking with the following command, you can log in normally
qing@qingsword.com:~$ sudo usermod -U hello

###d. How to delete a user
You can use the "userdel" command to completely delete users:

#Parameter - r, you can delete the user and delete the user's home directory and mail file. The user's mail is saved in the directory "/ var/spool/mail /"
qing@qingsword.com:~$ sudo userdel -r hello
Ps: stay Ubuntu In the system, ordinary users UID and GID All start from 1000, and all systems within 1000 UID and GID,and CentOS Ordinary users of the system UID and GID It starts from 500. Please judge by yourself according to different systems.

###e. Modify user group
After CentOS uses useradd to create a user, a user group with the same name as the user will be created by default. This group is the default group of the user. In addition, users can also belong to multiple groups at the same time. See the following example:

#Create two users u1, u2
qing@qingsword.com:~$ sudo useradd u1
qing@qingsword.com:~$ sudo useradd u2
#View new users
qing@qingsword.com:~$ tail -n 2 /etc/passwd
#Create a default user group. You can see from the output below that the system automatically creates two groups with the same name as the user
qing@qingsword.com:~$ tail -n 2 /etc/group
#Now create two more groups
qing@qingsword.com:~$ sudo groupadd g1
qing@qingsword.com:~$ sudo groupadd g2
qing@qingsword.com:~$ tail -n 2 /etc/group
#Use "usermod -g group name user name" to change the default group of u1 to g1
qing@qingsword.com:~$ sudo usermod -g g1 u1
#Check that the group ID of u1 is 1003, that is, the group ID of g1
qing@qingsword.com:~$ tail -n 2 /etc/passwd
#Adding u2 to g1 and g2 groups, syntax
#usermod -G group name, group name user name
qing@qingsword.com:~$ sudo usermod -G g1,g2 u2
#Check that the group ID of u2 is still 1002, indicating that its default group is still u2
qing@qingsword.com:~$ tail -n 2 /etc/passwd
#If the user's default group is g1, it will not be displayed after the colon, so in the following output, u2 is displayed after the colon, because its default group is u2, not g1 and g2, but it belongs to g1 and g2 groups
qing@qingsword.com:~$ tail -n 2 /etc/group
#Change the default group of user u1 back to u1 group, and then put u1 into g1 group
qing@qingsword.com:~$ sudo usermod -g u1 u1
qing@qingsword.com:~$ sudo usermod -G g1 u1
#This time, you can see that the user u1 appears after g1
qing@qingsword.com:~$ tail -n 2 /etc/group

Let's take another example:

#First create a group g1, a user u1
root@qingsword.com:~# groupadd g1
root@qingsword.com:~# useradd u1
root@qingsword.com:~# passwd u1
 Enter a new UNIX password:
Re enter the new UNIX password:
passwd: Successfully updated password
#View the ID of u1, which belongs to u1 group by default
root@qingsword.com:~# id u1
uid=1014(u1) gid=1016(u1) group=1016(u1)
#Put u1 in group g1
root@qingsword.com:~# usermod -G g1 u1
root@qingsword.com:~# id u1
uid=1014(u1) gid=1016(u1) group=1016(u1),1015(g1)
#Create a test file with root privileges
root@qingsword.com:~# touch rootfile
#Change the group of this test file to g1
root@qingsword.com:~# chgrp g1 rootfile
root@qingsword.com:~# ls -al rootfile
-rw-r--r-- 1 root g1 0 12 June 11:40 rootfile
#Write data to rootfile
root@qingsword.com:~# echo www.qingsword.com > rootfile
#Copy the rootfile to the / home directory
root@qingsword.com:~# cp rootfile /home
#Switch to u1 user and try to read the contents of the file
root@qingsword.com:~# su u1
u1@qingsword.com:/root$ cd /home
u1@qingsword.com:/home$ more rootfile
#Although the owner of the file is root, u1 can be used to read the contents of the file because u1 belongs to the g1 group and the file belongs to the group and has readable permissions on the file
u1@qingsword.com:/home$ ls -al rootfile
-rw-r--r-- 1 root share 18 12 June 11:41 rootfile
#But not writable
u1@qingsword.com:/home$ echo qingsword.com >> rootfile
bash: rootfile: insufficient privilege

As can be seen from the above example, for a file, if the owner of the file is not u1, as long as the file belongs to group g1 and u1 belongs to group g1, whether the user's default group is g1 or not, the user's permission to the file is equal to the permission of group g1 to the file.

Topics: Linux