User and Group Management
Each user has a UID: the administrator root is 0, and ordinary users are 1-65535.
System users: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login users: 500+ (CentOS 6), 1000+ (CentOS 7)
/etc/passwd   users and their attributes
/etc/group    groups and their attributes
/etc/shadow   user passwords and related properties
/etc/gshadow  group passwords and related properties
/etc/passwd file format (7 fields):
username:password (x):UID:GID:GECOS (user's full name or comment):home directory:shell
/etc/shadow file format (8 fields):
username:encrypted password:date of the last password change (days since 1970-01-01):minimum password age in days (0 = may be changed at any time):maximum password age in days (99999 = never expires):number of days before expiry on which the user is warned to change the password:number of days after expiry before the account is locked:account expiration date
Hash prefixes in the password field: $6 = sha512; $5 = sha256; $1 = md5 (128-bit)
Double exclamation marks (!!) are the safer form: on CentOS 7 an account with an empty password cannot be unlocked, i.e. if tom's password field is set to empty (tom:!:), usermod -U tom is refused.
/etc/group file format (4 fields):
groupname:x:gid:members (comma-separated list of users that have this group as a supplementary group)
/etc/gshadow file format (4 fields):
groupname:! (encrypted group password, ! = none):administrators:members
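To make the four formats concrete, here is an added example that is not part of the original notes. It parses constructed passwd, shadow and group records with standard shell tools: classify_pw interprets the password field (hash algorithm, a hash locked with a leading !, the never-set !!, or empty), audit_shadow joins shadow and passwd on the username, and groups_of rebuilds a user's group list from the primary GID plus the supplementary-member field, the way `groups USER` reports it. All usernames, UIDs, hash strings and function names are made up for the demo.

```bash
#!/bin/sh
# Added example (not part of the original notes): parse passwd/shadow/group-style
# records to report each account's password state and group membership.
# All records below are constructed for this demo; the hash strings are placeholders.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001:Tom Example:/home/tom:/bin/bash
svc:x:998:998:service account:/var/lib/svc:/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/bash'

SHADOW_SAMPLE='root:$6$saltsalt$placeholderhash:17320:0:99999:7:::
tom:!$6$saltsalt$placeholderhash:17320:0:99999:7:::
svc:!!:17320:0:99999:7:::
guest::17320:0:99999:7:::'

GROUP_SAMPLE='root:x:0:
tom:x:1001:
svc:x:998:
guest:x:1002:
wheel:x:10:tom
developers:x:2000:tom,guest'

# classify_pw FIELD: interpret the second field of a shadow record.
classify_pw() {
    case "$1" in
        '')            echo empty ;;       # no password at all: anyone can log in as this user
        '!!'|'!'|'*')  echo no-password ;; # never had a usable password ("!!" on CentOS) or disabled ("*")
        '!'*)          echo locked ;;      # a real hash prefixed with "!" by passwd -l / usermod -L
        '$6$'*)        echo sha512 ;;
        '$5$'*)        echo sha256 ;;
        '$1$'*)        echo md5 ;;
        *)             echo unknown ;;
    esac
}

# field FILE_CONTENT KEY N: print field N of the record whose first field is KEY.
field() {
    printf '%s\n' "$1" | awk -F: -v k="$2" -v n="$3" '$1 == k { print $n; exit }'
}

# audit_shadow: one line per account with UID, shell and password state,
# joining the shadow and passwd samples on the username.
audit_shadow() {
    printf '%s\n' "$SHADOW_SAMPLE" |
    while IFS=: read -r user pw lastchg min max warn inactive expire rest; do
        printf '%s uid=%s shell=%s password=%s\n' \
            "$user" "$(field "$PASSWD_SAMPLE" "$user" 3)" \
            "$(field "$PASSWD_SAMPLE" "$user" 7)" "$(classify_pw "$pw")"
    done
}

# groups_of USER: the primary group (passwd GID looked up in the group records) followed
# by every group whose member list names the user, like the output of `groups USER`.
groups_of() {
    gid=$(field "$PASSWD_SAMPLE" "$1" 4)
    primary=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1; exit }')
    supplementary=$(printf '%s\n' "$GROUP_SAMPLE" |
        awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' |
        tr '\n' ' ')
    printf '%s %s\n' "$primary" "$supplementary" | sed 's/ *$//'
}

# stand-alone demo
audit_shadow
groups_of tom
```

Run against a real system the same logic would read /etc/passwd, /etc/shadow and /etc/group (root is needed for shadow); an account that reports `password=empty` together with a real login shell is the one to fix first.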
### Whenever possible, make system-level changes with the management commands rather than by editing the configuration files directly.
useradd
Create a new user
useradd [options] LOGIN
useradd -D
useradd -D [options]
-u UID   specify the UID; the allowed range is defined in /etc/login.defs
-o   used together with -u: do not check that the UID is unique
-g GROUP   the primary group, given as a group name or GID
-c COMMENT   the user's comment (GECOS) field
-d HOME_DIR   the home directory; it must not exist yet, the system creates it
-D   display or change the default useradd configuration
-s SHELL   the user's default shell; see /etc/shells
-G GROUPS   supplementary groups, which must already exist
-N   do not create a group with the same name as the user; use the users group as the primary group
-r   create a system user: id<500 (CentOS 6), id<1000 (CentOS 7)
Default settings:
more /etc/login.defs
more /etc/default/useradd
useradd -D   // display the default properties used when adding users
useradd -D -s SHELL   // change the default shell
useradd -D -b BASE_DIR   // change the default base directory
useradd -D -g GROUP   // change the default group
cat /etc/login.defs   // default login settings
authconfig --passalgo=sha256 --update   // change the password hashing algorithm
ll /etc/skel/*   // template for new home directories; its files (.bashrc etc.) can be modified or added to
rm -rf /home/userb/   // if a new user's home directory has been deleted by mistake ...
cp -r /etc/skel /home/userb/   // ... regenerate the default configuration files for the home directory (then restore ownership with chown -R userb:userb /home/userb)
useradd userb
When a user is created the system modifies the following four files at the same time. To avoid errors and inconsistency caused by editing the configuration files by hand, add users with the useradd command.
ll /etc/passwd /etc/shadow /etc/group /etc/gshadow   // all four files are modified at the same time
date   // compare with the modification times to confirm the files were just changed
ll /home/   // useradd also creates a home directory with the same name
ll /var/spool/mail/   // and a mail file with the same name
Linux identifies users by ID number, not by name. After a user is deleted the home directory is not deleted with it; its owner is displayed as a bare ID number, and an account created later with the same ID number automatically takes over that home directory.
usermod
Modify a user's basic information
usermod [options] LOGIN
-c COMMENT   change the comment (GECOS) field
-d HOME_DIR   set a new home directory; it is not created immediately, so use -m as well to create it and move the contents of the old home directory into it
-e EXPIRE_DATE   set the account expiration date, format YYYY-MM-DD
-f INACTIVE   set the number of inactive days after password expiry
-g GROUP   set the primary group
-G GROUPS   set the supplementary groups; use together with -a to append instead of replace
-l NEW_LOGIN   change the login name
-L   lock the user
-s SHELL   set a new login shell
-u UID   set the UID
-U   unlock the user
usermod -L userabc   // lock the user
usermod -U userabc   // unlock the user
usermod -aG g1 userabc   // add userabc to group g1
usermod -l userabc usera   // rename user usera to userabc (the new login name comes first)
usermod -G "" userabc   // remove all supplementary groups
usermod -G userabc userabc   // same effect
getent shadow userabc   // view the password information of the specified user
Experiment: take a backup or snapshot first
If root's UID is changed so that no account with UID 0 remains in the system, the system will not start. Recovery:
Experimental platform: CentOS 6 (on CentOS 7 the boot menu differs, the method is the same)
Reboot, press a at the boot menu and append init=/bin/bash to the kernel line; on CentOS 7 add the parameter to the linux16 line instead
mount -o remount,rw /
vi /etc/passwd   // change root's ID back to 0
sync   // flush the change to disk
reboot
userdel
Delete a user
groupadd
Create a new group
groupadd [options] GROUP
-g GID   specify the GID; a manually specified GID is not subject to the range limit defined in login.defs ([GID_MIN, GID_MAX] in /etc/login.defs only govern automatic GID allocation)
-r   create a system group: id<500 (CentOS 6), id<1000 (CentOS 7)
groupadd -g 666666 group2   // a manually specified GID is not limited by that range
groupmod
Change a group's name, GID or password
groupmod [options] GROUP
-g GID   change the group ID
-n NEW_GROUP   change the group name
-p PASSWORD   change the group password
groupdel
Delete the specified group
groupdel g1
A group can only be deleted if it is not the primary group of any user.
chage
Change account and password expiry information
chage [options] LOGIN
-d LAST_DAY   date of the last password change, format YYYY-MM-DD; if set to 0 the user must change the password at the next login
-E EXPIRE_DATE   account expiration date (expiredate)
-I INACTIVE   number of days after password expiry before the account is locked (inactive)
-l   display the user's password policy
-m MIN_DAYS   minimum password age, the minimum number of days between password changes (mindays)
-M MAX_DAYS   maximum password age, the maximum number of days between password changes (maxdays)
-W WARN_DAYS   number of days of warning before the password expires (warndays)
chage -d 0 tom   // force a password reset at the next login
chage -m 0 -M 42 -W 14 -I 7 tom
chage -E 2016-09-10 tom
The default password parameters, which determine the password policy of users created afterwards, are set in:
/etc/login.defs
/etc/default/useradd
Default configuration of a new user (CentOS 7.3):
#chage -l test
Last password change                                    : Jun 03, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
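The aging values that chage sets are stored in /etc/shadow as day counts, and the login check derives "expired", "warning" and "inactive" from them. The following added example, which is not part of the original notes, evaluates those fields with constructed shadow records and fixed "today" values: tom is configured as in the chage -m 0 -M 42 -W 14 -I 7 example above, test keeps the CentOS 7.3 defaults shown by chage -l, and old carries an account expiry date. 17320 is the day count for 2017-06-03, the date in the chage -l output; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original notes): evaluate the password-aging fields that
# chage sets, using the same day counts stored in /etc/shadow. The shadow records and the
# "today" values are constructed so the demo runs offline without root.

# days_since_epoch: today's date in the unit /etc/shadow uses (days since 1970-01-01).
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# password_state LASTCHG MAX WARN INACTIVE TODAY
# Prints must-change, never-expires, inactive, expired, warning or ok: the password
# expires LASTCHG+MAX days after the epoch, the warning starts WARN days before that,
# and INACTIVE days after expiry the login is refused.
password_state() {
    lastchg=$1; max=$2; warn=${3:-0}; inactive=$4; today=$5
    if [ "$lastchg" = 0 ]; then echo must-change; return; fi          # chage -d 0
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never-expires; return; fi
    expires=$((lastchg + max))
    if [ -n "$inactive" ] && [ "$today" -gt $((expires + inactive)) ]; then echo inactive; return; fi
    if [ "$today" -gt "$expires" ]; then echo expired; return; fi
    if [ "$today" -ge $((expires - warn)) ]; then echo warning; return; fi
    echo ok
}

# shadow_state SHADOW_LINE TODAY: apply the account expiry field (chage -E, also stored
# as a day count) and then password_state to one shadow record; prints "user state".
shadow_state() {
    printf '%s\n' "$1" | {
        IFS=: read -r user pw lastchg min max warn inactive expire rest
        if [ -n "$expire" ] && [ "$2" -gt "$expire" ]; then
            state=account-expired
        else
            state=$(password_state "$lastchg" "$max" "$warn" "$inactive" "$2")
        fi
        printf '%s %s\n' "$user" "$state"
    }
}

# Constructed records (hashes are placeholders): tom was set up with
# `chage -m 0 -M 42 -W 14 -I 7 tom`, test keeps the CentOS 7.3 defaults,
# and old has an account expiry date (field 8).
TOM='tom:$6$salt$placeholder:17320:0:42:14:7::'
TEST='test:$6$salt$placeholder:17320:0:99999:7:::'
OLD='old:$6$salt$placeholder:17320:0:99999:7::17330:'

# stand-alone demo: walk tom through the aging timeline (17320 = 2017-06-03)
for today in 17330 17350 17363 17370; do
    printf 'day %s: ' "$today"; shadow_state "$TOM" "$today"
done
shadow_state "$TEST" "$(days_since_epoch)"
shadow_state "$OLD" 17340
```

For tom the timeline reads ok on day 17330, warning from day 17348 (14 days before expiry on 17362), expired after 17362 and inactive after 17369; with the default maximum of 99999 the password never expires, which is why chage -l prints "never".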
chsh
Change a user's login shell
chsh [-s shell] [-l] [-u] [-v] [username]
chsh -l   // list the shells the system supports
cat /etc/shells   // same
echo $SHELL   // show the shell currently in use
chsh -s /bin/zsh usera   // change the user's shell
tail /etc/passwd   // verify the changed shell
chfn
Change the information displayed by the finger command
-f   full name
-h   home phone
-o   office address
-p   office phone
chfn abc   // change the user's information interactively, field by field
finger abc   // view the user's information
id
Display user ID and group IDs
id [OPTION]... [USER]
-g   display the primary group ID
-G   display the IDs of all groups, including supplementary groups
-r   display the real ID instead of the effective ID
-u   display the user ID
finger
Look up and display user information
finger [-lmsp] [user ...] [user@host ...]
-l   long format (the default)
-s   short format, one line per user
-p   do not display the user's .plan and .project information
chsh -s /bin/csh usera   // change usera's default shell
getent passwd usera   // show only the specified user's passwd entry
more /etc/passwd | grep abc   // same idea
logname   // display the login name of the current user
groups
Display the groups a user belongs to
groups   // groups of the current user
groups usera   // groups of the specified user
groupmems
Change and view group members
groupmems [options] [action]
options:
-g GROUP   operate on the specified group instead of the caller's own group (root only)
actions:
-a USER   add the user to the group
-d USER   remove the user from the group
-p   purge all members from the group
-l   list the group's members
groupmems -l -g g2   // list the members of g2
groupmems -a usera -g g2   // add usera to g2
groupmems -d usera -g g2   // remove usera from g2
groupmems -p -g g2   // remove all members of g2
Three ways to add a user to a supplementary group:
usermod -aG groupname username
gpasswd -a username groupname
groupmems -a username -g groupname
passwd
Change a user's password
passwd [OPTION...] <accountName>
-k   only update expired authentication tokens, i.e. the password can only be changed after it has expired
-d   delete the password (root only)
-l   lock the user
-u   unlock the user
-f   force
-S   print the user's password status on one line
-e   expire the password, forcing the user to change it at the next login
-n mindays   minimum password lifetime
-x maxdays   maximum password lifetime
-w warndays   number of days of warning before expiry
-i inactivedays   number of inactive days after expiry
--stdin   read the new password from standard input
echo "password" | passwd --stdin username   // change a user's password from a script
#passwd -S abc
abc PS 2017-06-03 0 35 8 10 (Password set, SHA512 crypt.)
#passwd -S aaaa
aaaa LK 2017-06-03 0 99999 7 -1 (Password locked.)
echo centos | passwd --stdin userb   // set the user's password non-interactively
echo centos | passwd --stdin test &> /dev/null   // the same, without any prompt output
getent passwd > username   // export the current list of system users to a file, e.g. before deleting those accounts in bulk
gpasswd
Change group passwords or manage group members
gpasswd [option] GROUP
-a USER   add the user to the group
-d USER   remove the user from the group
-A USER,...   set the group administrators, who may add and remove members
-M USER,...   set the group's member list
-r   remove the group password
-R   restrict access to the group: only its members can join it with newgrp
newgrp GROUP   // join the group
newgrp usera   // temporarily switch the primary group; if the current user is not a member of that group, the group password is required
touch newabc   // create the file newabc
ll newabc   // the file's group is now usera
-rw-r--r--. 1 root usera 0 May 27 20:52 newabc
newusers
Create users in bulk
The input file must follow the passwd file format: username:x:UID:GID:comment:home directory:shell
vi user   // create a file in passwd format
test1:x:2000:2000::/home/test1:/bin/bash
test2:x:3000:3000::/home/test2:/bin/csh
:wq
newusers user   // create the users in bulk
ll /home/test1   // the directory is empty: newusers creates the home directory but does not copy the skeleton files into it
chpasswd
Update user passwords in bulk
vi passwd   // create a file in username:password format; it must not contain empty lines
test1:centos
test2:redhat
:wq
cat passwd | chpasswd   // or chpasswd < passwd: reads the user:password file
openssl rand -base64 10   // generate a random password (10 random bytes, base64-encoded)
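newusers and chpasswd apply whatever their input files contain, so the files are worth checking before they are fed in. The added example below, which is not part of the original notes, builds both files for the newusers/chpasswd procedure above and validates the passwd-format records (7 fields, UIDs in the login-user range, no duplicate names or UIDs, no collision with existing accounts). The user list, the starting UID and the "existing" passwd excerpt are constructed; random passwords come from /dev/urandom rather than the openssl rand call in the notes so the script has no extra dependency; the actual newusers/chpasswd invocation needs root and is left as a comment. Function names are my own.

```bash
#!/bin/sh
# Added example (not from the original notes): generate and sanity-check the input
# files for `newusers` and `chpasswd` before running those commands. The user list, the
# "existing" passwd excerpt and the starting UID are constructed for this demo.

EXISTING_PASSWD='root:x:0:0:root:/root:/bin/bash
usera:x:1000:1000::/home/usera:/bin/bash'

# gen_password: 16 random alphanumeric characters (the notes use `openssl rand -base64 10`).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# make_newusers_line NAME UID SHELL: one 7-field passwd record; the UID doubles as the
# GID so that newusers creates a private group with the same number.
make_newusers_line() {
    printf '%s:x:%s:%s::/home/%s:%s\n' "$1" "$2" "$2" "$1" "$3"
}

# check_newusers_file FILE: return 1 if any record does not have 7 fields, has a
# non-numeric or system-range UID, repeats a name or UID within the file, or collides
# with an account in EXISTING_PASSWD. Each problem is printed on its own line.
check_newusers_file() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7                           { print "bad field count: " $0; bad = 1; next }
        $3 !~ /^[0-9]+$/ || $3 + 0 < 1000 { print "uid not in login-user range: " $0; bad = 1; next }
        seen_name[$1]++                   { print "duplicate name in file: " $1; bad = 1 }
        seen_uid[$3]++                    { print "duplicate uid in file: " $3; bad = 1 }
        END { exit bad }' "$1" || return 1
    # second pass: the existing accounts arrive on stdin ("-"), the new file as the second input
    printf '%s\n' "$EXISTING_PASSWD" | awk -F: '
        BEGIN { bad = 0 }
        NR == FNR    { name[$1]; uid[$3]; next }
        ($1 in name) { print "user already exists: " $1; bad = 1 }
        ($3 in uid)  { print "uid already in use: " $3; bad = 1 }
        END { exit bad }' - "$1"
}

# build_batch DIR: write DIR/newusers.txt and DIR/chpasswd.txt for the constructed
# user list, keep the plaintext password file private, and validate the result.
build_batch() {
    dir=$1
    : > "$dir/newusers.txt"
    : > "$dir/chpasswd.txt"
    chmod 600 "$dir/chpasswd.txt"        # plaintext passwords: owner-readable only
    uid=2000                              # first free UID in the constructed system
    for spec in test1:/bin/bash test2:/bin/csh; do
        name=${spec%%:*}
        shell=${spec#*:}
        make_newusers_line "$name" "$uid" "$shell" >> "$dir/newusers.txt"
        printf '%s:%s\n' "$name" "$(gen_password)" >> "$dir/chpasswd.txt"
        uid=$((uid + 1))
    done
    check_newusers_file "$dir/newusers.txt"
}

# stand-alone demo: build the files in a temporary directory and show the user records
work=$(mktemp -d)
build_batch "$work" && cat "$work/newusers.txt"
# As root the files would then be applied with:
#   newusers "$work/newusers.txt" && chpasswd < "$work/chpasswd.txt"
# and the password file removed afterwards: rm -f "$work/chpasswd.txt"
```

The chpasswd input holds plaintext passwords, which is why it is created with mode 600 and should be deleted as soon as chpasswd has consumed it; the check deliberately rejects UIDs below 1000, because newusers would otherwise happily create a login account in the system-user range.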
pwconv
Enable shadow passwords for users
After pwconv the password hashes are stored in /etc/shadow and the password field in /etc/passwd is replaced by x; after pwunconv they are written back into /etc/passwd.
pwunconv
Disable shadow passwords for users
grpconv
Enable shadow passwords for groups
After grpconv the group passwords are stored in /etc/gshadow; after grpunconv they are written back into /etc/group.
grpunconv
Disable shadow passwords for groups
Edit the passwd and group files directly with vi; the file is locked while editing and the format is checked automatically
vipw
vigr
grpck
Verify the integrity of the group files
grpck /etc/group /etc/gshadow
pwck
Verify the integrity of the content and format of the system authentication files
pwck /etc/passwd
nologin
Deny users login to the system
vi /etc/passwd   // find the users who must be denied login and change their shell field to /sbin/nologin
touch /etc/nologin   // creating this file prevents all users except root from logging in; delete the file to restore logins
su
Switch users or run commands as another user
su username   // non-login switch: the target user's configuration files are not read and the current working directory is unchanged
su - username   // login switch: reads the target user's configuration files and changes to the home directory, i.e. a complete switch
root needs no password to switch to another user with su; a non-root user must enter the target user's password
su [-] username -c CMD   // run the specified command as the other user
su -l username   // equivalent to su - username, i.e. a complete switch
su - [root]   // root can be omitted when switching to root
Note: exit from a su session promptly, otherwise some commands may fail to run correctly.
su - root -c 'cat /etc/shadow'   // switch to root to run the cat /etc/shadow command