Linux is a multi-user, multi-tasking, time-sharing operating system. Anyone who wants to use system resources must first request an account from the system administrator and then log in as that account. User accounts help the administrator track who is using the system and control their access to system resources; they also help users keep their files apart and give them security protection. Each account has a unique user name and its own password. A user who types the correct user name and password at login is admitted to the system and placed in their own home directory.

Managing user accounts involves the following main tasks:

· Adding, deleting and modifying user accounts.
· Managing user passwords.
· Managing user groups.

I. Managing user accounts on a Linux system

Account management on Linux mainly covers adding, modifying and deleting user accounts. Adding an account creates a new entry in the system and assigns it a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used until a password is set.

1. A new account is added with the useradd command. Its syntax is:
Code:
useradd options username
The options have the following meanings:
Code:
-c comment     Specifies a comment (description) for the account.
-d directory   Specifies the user's home directory; if the directory does not exist, combine it with -m to create it.
-g group       Specifies the user group (primary group) the user belongs to.
-G groups      Specifies the additional (supplementary) groups the user belongs to.
-s shell       Specifies the user's login shell.
-u uid         Specifies the user's user ID; together with -o, the ID of another user may be reused.
The username argument is the login name of the new account.

2. Examples

Example 1:
Code:
# useradd -d /usr/sam -m sam
This creates a user named sam. The -d and -m options together create a home directory /usr/sam for the login name sam (/usr is used here as the parent directory in place of the default location for home directories).

Example 2:
Code:
# useradd -s /bin/sh -g group -G adm,root gem
This creates a user named gem whose login shell is /bin/sh. The user belongs to the group user group as its primary group and is additionally a member of the adm and root groups. The groups may have to be created first: # groupadd group and # groupadd adm.

Adding an account appends a record for the new user to the /etc/passwd file and updates other system files such as /etc/shadow and /etc/group. Linux also provides an integrated system management tool, userconf, which can be used to manage user accounts.

3. Deleting an account

If an account is no longer used, it can be deleted from the system. Deleting an account removes the user's records from system files such as /etc/passwd and then removes the user's home directory. An existing account is deleted with the userdel command, whose format is:
Code:
userdel options username
The commonly used option is -r, which also removes the user's home directory. For example:
Code:
# userdel -r sam
This deletes the records of user sam from the system files (mainly /etc/passwd, /etc/shadow and /etc/group) and removes the user's home directory.

4. Modifying an account

Modifying an account means changing its attributes as circumstances require, such as the user ID, home directory, user group or login shell. An existing account is modified with the usermod command, whose format is:
Code:
usermod options username
Commonly used options are -c, -d, -m, -g, -G, -s, -u and -o, with the same meanings as the corresponding useradd options; they assign new values to the user's attributes. In addition, some systems support the following option:

Code:
-l new_username
This option gives the account a new login name, replacing the original user name. For example:
Code:
# usermod -s /bin/ksh -d /home/z -G developer sam
This changes the login shell of user sam to ksh, moves its home directory to /home/z and changes its user group to developer.

5. Managing user passwords

An important part of user management is managing user passwords. A newly created account has no password yet; it is locked by the system and cannot be used until a password has been assigned to it, even if that password is empty. The command that sets and changes user passwords is passwd. The superuser can set passwords for itself and for other users; an ordinary user can only use it to change their own password. The format of the command is:
Code:
passwd options username
Available options:
Code:
-l   Lock the password, disabling the account.
-u   Unlock the password.
-d   Remove the password so that the account has none.
-f   Force the user to change the password at the next login.

If the user name is omitted, the password of the current user is changed.
For example, if the current user is sam, the following command changes the user's own password:
Code:
$ passwd
Old password: ******
New password: *******
Re-enter new password: *******
The superuser can set any user's password in the following form:
Code:
# passwd sam
New password: *******
Re-enter new password: *******
When an ordinary user changes their password, passwd first asks for the current password and, after verifying it, asks for the new password twice. If the two entries match, the new password is assigned to the user. When the superuser sets a password, the original password does not have to be known. For the sake of system security, users should choose a reasonably complex password, for example one 8 characters long that contains upper-case letters, lower-case letters and digits, and that differs from their name or birthday. To give a user an empty password, run a command of the following form:
Code:
# passwd -d sam
This deletes the password of user sam, so that the next time sam logs in the system no longer asks for a password. The passwd command can also lock an account with the -l (lock) option so that it cannot log in, for example:
Code:
# passwd -l sam
II. Managing user groups on a Linux system

Every user belongs to a user group, and the system can manage all users of a group together. The rules for user groups differ between Linux systems; on Linux, for example, a user belongs to a group with the same name as the user, which is created at the same time as the user. Managing user groups covers adding, deleting and modifying groups. Adding, deleting or modifying a group in fact updates the /etc/group file.

1. A new user group is added with the groupadd command. Its format is:
Code:
groupadd options groupname

The available options are:
Code:
-g GID   Specifies the group ID (GID) of the new group.
-o       Used together with -g; allows the GID of the new group to be the same as the GID of an existing group.

Example 1:
Code:
# groupadd group1

This adds a new group group1 to the system; its group ID is assigned by incrementing the current largest group ID.

Example 2:

Code:
# groupadd -g 101 group2

This adds a new group group2 to the system and sets its group ID to 101 explicitly.

2. An existing user group is deleted with the groupdel command. Its format is:
Code:
groupdel groupname

For example:
Code:
# groupdel group1

This deletes the group group1 from the system.

3. The attributes of a user group are modified with the groupmod command. Its syntax is:
Code:
groupmod options groupname

Commonly used options are:
Code:
-g GID      Specifies a new group ID for the group.
-o          Used together with -g; allows the new GID to be the same as the GID of an existing group.
-n newname  Renames the group to the new name.

Example 1:
Code:
# groupmod -g 102 group2

This changes the group ID of group2 to 102.

Example 2:
Code:
# groupmod -g 10000 -n group3 group2

This changes the group ID of group2 to 10000 and renames the group to group3.

4. If a user belongs to several user groups, the user can switch between them to obtain the permissions of another group. After logging in, the user switches to another group with the newgrp command, whose argument is the target group. For example:
Code:
$ newgrp root

This switches the current user to the root group, provided that root is indeed the user's primary group or one of its supplementary groups. As with user accounts, user groups can also be managed with integrated system management tools.

III. System files related to user accounts

There are many ways to carry out user management, but every method in the end modifies the relevant system files. Information about users and user groups is stored in system files including /etc/passwd, /etc/shadow and /etc/group. The contents of these files are described below.

1. /etc/passwd is the most important file in user management. Every user on a Linux system has a corresponding record line in /etc/passwd, which records the basic attributes of that user. The file is readable by all users. Its content looks like the following example:
Code:
# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh

As the example shows, each line of /etc/passwd corresponds to one user, and each record is divided by colons (:) into 7 fields, with the following format and meanings:
Code:
username:password:UID:GID:comment:home_directory:login_shell

1) The user name is a string representing the account. It is generally no longer than 8 characters and consists of upper- and lower-case letters and/or digits. It cannot contain a colon, because the colon is the field separator. For compatibility, the login name should preferably not contain a dot (.) and should not begin with a hyphen (-) or a plus sign (+).

2) On some systems the password field stores the encrypted user password. Although the field holds only the encrypted form of the password rather than plain text, /etc/passwd is readable by every user, so this is still a security risk. Many Linux systems (such as SVR4) therefore use shadow password technology: the real encrypted password is stored in /etc/shadow, and the password field of /etc/passwd holds only a special character such as "x" or "*".

3) The user ID is an integer that identifies the user within the system. In general it corresponds one-to-one with the user name. If several user names share the same user ID, the system treats them as the same user, although they may have different passwords, home directories and login shells. The user ID usually ranges from 0 to 65535. 0 is the ID of the superuser root, 1 to 99 are reserved by the system for administrative accounts, and the IDs of ordinary users start from 100. On Linux systems this boundary is 500.

4) The group ID field records the user group the user belongs to. It corresponds to a record in /etc/group.

5) The comment field records personal information about the user, such as real name, telephone number and address. The field has no practical use to the system, and its format is not uniform across Linux systems.
On many Linux systems this field holds free-form descriptive text that is used in the output of the finger command.

6) The home directory is the user's starting directory: the directory the user is placed in after logging in. On most systems all users' home directories are organised under one specific directory, and each home directory is named after the user's login name. Each user has read, write and execute (search) permission on their own home directory; the permissions of other users on it are set according to circumstances.

7) When a user logs in, a process is started that passes the user's operations on to the kernel. This process, the command interpreter or a particular program run when the user logs in, is the shell. The shell is the interface between the user and the Linux system. There are many kinds of shell, each with different features; commonly used ones are sh (Bourne shell), csh (C shell), ksh (Korn shell), tcsh (TENEX/TOPS-20 type C shell) and bash (Bourne Again Shell). The system administrator assigns a shell to each user according to the system and the user's habits. If no shell is specified, the system uses sh as the default login shell, that is, the value of this field is /bin/sh. The login shell can also be set to a specific program that is not a command interpreter. This feature can be used to restrict a user to running only that application: when the application exits, the user is automatically logged out. Some Linux systems require that only programs registered with the system appear in this field.
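As an added example (not part of the original article), the following shell script reads a file in the 7-field /etc/passwd format described above and reports the conditions an administrator would want to catch before trusting it: malformed lines, duplicate user names, duplicate UIDs, UID 0 on any account other than root, empty password fields (accounts that need no password to log in) and home directories shared by two accounts. The sample file is constructed here and is not a real system's /etc/passwd; the same checks apply to a batch file prepared for newusers, since that file uses the same format.

```shell
#!/bin/sh
# Added example: audit a file in /etc/passwd format.
# make_sample_passwd writes a CONSTRUCTED sample (not a real system file).

make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
daemon:x:1:1:System daemons:/etc:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
user001::600:100:user:/home/user001:/bin/bash
user002:x:600:100:user:/home/user001:/bin/bash
toor:x:0:0:second superuser:/root:/bin/sh
badline:x:700:100:only six fields:/home/badline
EOF
}

# audit_passwd FILE: print one line per finding, in file order.
audit_passwd() {
  awk -F: '
    NF != 7 { printf "line %d: expected 7 fields, found %d\n", NR, NF; next }
    {
      if ($1 in seen_name) printf "line %d: duplicate user name %s\n", NR, $1
      seen_name[$1] = 1
      if ($3 in seen_uid) printf "line %d: duplicate UID %s (already used by %s)\n", NR, $3, seen_uid[$3]
      else seen_uid[$3] = $1
      if ($3 == 0 && $1 != "root") printf "line %d: %s has UID 0 (superuser)\n", NR, $1
      if ($2 == "") printf "line %d: %s has an empty password field (no password needed to log in)\n", NR, $1
      if ($6 in seen_home) printf "line %d: %s shares home directory %s with %s\n", NR, $1, $6, seen_home[$6]
      else seen_home[$6] = $1
    }
  ' "$1"
}

# audit_passwd_count FILE: number of findings (0 means the file passed).
audit_passwd_count() {
  audit_passwd "$1" | awk 'END { print NR }'
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_passwd "$sample"
audit_passwd "$sample"
echo "findings: $(audit_passwd_count "$sample")"
rm -f "$sample"
```

Run it against a real file with audit_passwd /etc/passwd. A trailing empty shell field (as in the pseudo-user lines above) still counts as the seventh field, so pseudo-users pass the field check; only lines with a missing field are reported.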
There is a class of users called pseudo users, which also have records in /etc/passwd but cannot log in, because their login shell is empty. They exist mainly for the convenience of system management, to satisfy the requirement that files be owned by the corresponding system processes. Common pseudo users are:

Code:
bin      owns the executable user command files
sys      owns the system files
adm      owns the accounting files
uucp     used by UUCP
lp       used by the lp or lpd subsystem
nobody   used by NFS

Besides those listed above there are many other standard pseudo users, such as audit, cron, mail and usenet; they likewise own the processes and files they require.

Because /etc/passwd is readable by all users, if a user's password is too simple or follows an obvious pattern, an ordinary computer can crack it easily. Linux systems with higher security requirements therefore keep the encrypted passwords separately, in the file /etc/shadow. Only the superuser has read permission on this file, which protects the security of the user passwords.

2. Each record line in /etc/shadow corresponds to one in /etc/passwd and is generated automatically by the pwconv command from the data in /etc/passwd. The file format is similar to /etc/passwd: several fields separated by ":". The fields are:
Code:
login_name:encrypted_password:last_change:min_interval:max_interval:warning:inactive:expiry:flag

1) The login name is the user account, the same as the login name in /etc/passwd.

2) The password field stores the encrypted user password, 13 characters long. If it is empty, the user has no password and none is asked for at login; if it contains characters outside the set {./0-9A-Za-z}, the user cannot log in.

3) The last change time is the number of days, counted from some epoch, on which the user last changed the password. The epoch may differ between systems; on SCO Linux, for example, it is January 1, 1970.

4) The minimum interval is the minimum number of days that must pass between two password changes.

5) The maximum interval is the maximum number of days the password remains valid.

6) The warning time is the number of days before the password formally expires on which the system starts warning the user.

7) The inactive time is the maximum number of days the account remains valid while the user does not log in.

8) The expiry time is an absolute day number. If this field is used, it gives the lifetime of the account; after that date the account is no longer valid and can no longer be used to log in.

Here is an example of /etc/shadow:
Code:
# cat /etc/shadow
root:DNAKFW28ZF38W:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
uucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
sam:EKDISECLWPDSA:9740:0:0::::

3. All information about user groups is stored in /etc/group. User groups are a means of managing users and controlling their access on a Linux system. Every user belongs to a user group; a group can contain several users, and a user can belong to several groups. When a user is a member of several groups, the group recorded in /etc/passwd is the user's primary group, that is, the default group at login, and the other groups are supplementary groups. To access a file belonging to a supplementary group, the user must first use the newgrp command to become a member of that group. The format of /etc/group is similar to /etc/passwd: several fields separated by colons (:):

Code:
group_name:password:GID:group_members

1) The group name is the name of the user group, consisting of letters or digits. Like login names in /etc/passwd, group names must not repeat.

2) The password field stores the encrypted group password. Most Linux systems do not use group passwords, so this field is usually empty or contains *.

3) The group ID is similar to the user ID: an integer used inside the system to identify the group.

4) The member list is a list of all users of the group, separated by commas (,). The group may be the primary group of these users or a supplementary group.

An example of /etc/group is as follows:

Code:
# cat /etc/group
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam

IV. Adding users in batches

Adding and deleting users is routine but tedious work for every Linux administrator. When dozens, hundreds or even thousands of users must be added, adding them one by one with useradd is unrealistic, so a way to create many users at once has to be found. Linux provides a tool for creating users in bulk, which lets you create a large number of users at once. The method is as follows:

(1) First edit a text file of users, one per line, in the format of the /etc/passwd password file. Make sure that the user name, UID and home directory of each user are different. The password field can be left empty or filled with x. A sample file user.txt looks like this:
Code:
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) As root, run the command /usr/sbin/newusers to import the data from the user.txt file you just created and create the users:

Code:
# newusers

(3) As root, run the command /usr/sbin/pwunconv (the reverse of pwconv: it writes the passwords back into /etc/passwd and removes /etc/shadow), so that the password field of /etc/passwd can be written in the following steps:

Code:
# pwunconv

(4) Edit a password file with one entry per user. A sample file passwd.txt looks like this:

Code:
user001:password
user002:password
user003:password
user004:password
user005:password
user006:password

(5) As root, run the command /usr/sbin/chpasswd to create the user passwords. chpasswd encrypts each password with the /usr/bin/passwd command and writes it into the password field of /etc/passwd:

Code:
# chpasswd

(6) As root, run /usr/sbin/pwconv to regenerate /etc/shadow from /etc/passwd:

Code:
# pwconv

This completes the creation of a large number of users. Afterwards, check that the permissions on the users' home directories are correct and log in to verify that the user passwords work.

V. Giving ordinary users special privileges

On a Linux system there is often more than one administrator. If every administrator works as root, nobody can tell who did what. The best approach is for the administrator to create some ordinary users and delegate parts of the system administration to them. We cannot simply let them become root with su, because they would then have to know the root password, which is insecure and does not match the intended division of labour. The usual approach is to use permission settings: classify the work by its nature, put the users with a particular role into the same working group, and set that working group's permissions.
For example, to manage web site data: the owner of the httpd process is www, so you can put the user wwwadm and www into the same working group and give that group read, write and execute permission on Apache's default web directory /usr/local/httpd/htdocs; every member of the working group can then manage the web pages. This is not always the best solution, though. If the administrator wants to let an ordinary user shut down the machine, the approach above is not suitable. What you really want is to let this one user run the shutdown command as root, and nothing else. An ordinary Linux system cannot express this with permissions alone, but there is a tool that provides exactly this function: sudo. sudo grants privileges to different users by maintaining a mapping from privileges to user names; the privileges are identified by the commands listed in its configuration database. To obtain a privilege, a qualified user simply types sudo followed by the command name and enters a password when prompted (the user's own password, not the root password). For example, sudo can allow ordinary users to format disks without giving them any other root privileges.

1. The sudo tool is configured through the file /etc/sudoers, which lists all users who may use sudo and defines their privileges. A typical /etc/sudoers entry looks like this:

Code:
liming ALL=(ALL) ALL

This entry allows the user liming to run all commands as the superuser. When liming needs to run a command as the superuser, he simply puts the prefix sudo in front of it. For example, to run useradd as root, liming can enter:

Code:
$ sudo /usr/sbin/useradd sam

Note: the command must be written with its absolute path, because /usr/sbin is not in an ordinary user's search path; alternatively add the path: PATH=$PATH:/usr/sbin; export PATH.
The path of a command differs between systems; you can find it with "whereis command_name". The following output is displayed:

Code:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

    #1) Respect the privacy of others.
    #2) Think before you type.

Password:

If liming enters the correct password, the useradd command is executed as root.

Note: the configuration file /etc/sudoers must be edited with the visudo command. Add the user name, host name and list of permitted commands to /etc/sudoers in the standard format, save the file, and the change takes effect. Another example follows.

2. Example: the administrator wants to allow the user gem to run the reboot and shutdown commands on the host sun. Add the following line:

Code:
gem sun=/usr/sbin/reboot,/usr/sbin/shutdown

Note: commands must be given as absolute paths, to avoid a command of the same name in another directory being executed instead, which would be a security risk. Save and exit. When gem wants to run reboot, he just types the following at the prompt:

Code:
$ sudo /usr/sbin/reboot

After entering the correct password, the server restarts. To grant privileges to a whole group of users, prefix the group name with %, for example:

Code:
%cuug ALL=(ALL) ALL

3. Aliases can also be used to simplify the configuration file. There are user aliases, host aliases and command aliases, and they work alike: several users can be defined under one alias, and the alias can then be used wherever a user name could appear; a rule written for the alias applies to all of its users. Host aliases and command aliases work in the same way.
Note: before an alias is used, it must be defined with a User_Alias, Host_Alias or Cmnd_Alias item, followed by the alias name and its comma-separated members, as follows:

Code:
Host_Alias SERVER=no1
User_Alias ADMINS=liming,gem
Cmnd_Alias SHUTDOWN=/usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/reboot
ADMINS SERVER=SHUTDOWN

4. Now look at this example:

Code:
ADMINS ALL=(ALL) NOPASSWD: ALL

This means that the users in ADMINS may perform all operations without a password; the "NOPASSWD:" tag means that no password is required when the user runs the commands.

5. The sudo command also accepts parameters that provide auxiliary functions. For example:

Code:
$ sudo -l

shows information similar to this:

Code:
User liming may run the following commands on this host:
    (root) /usr/sbin/reboot

This says that root allows the user liming to execute the command /usr/sbin/reboot. This parameter lets users see which commands they can run through sudo.

6. Typing the sudo command alone at the prompt lists all of its parameters. Some other parameters are as follows:
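As an added example (not part of the original article and not sudo's own tooling), the following shell script reads a file written in the sudoers format shown above and flags the entries an administrator reviewing the file would look at first: grants of ALL (unrestricted root), NOPASSWD tags, and command specifications that are not absolute paths (the point made in the note on example 2). The sample file is constructed from the user, host and alias names used on this page. The script is a heuristic reader of simple one-line entries, not a syntax check, so it complements rather than replaces editing the real file with visudo.

```shell
#!/bin/sh
# Added example: review a sudoers-format file for risky entries.
# make_sample_sudoers writes a CONSTRUCTED sample built from the names used
# on this page; it is not a real /etc/sudoers.

make_sample_sudoers() {
  cat > "$1" <<'EOF'
# constructed sample
Host_Alias SERVER=no1
User_Alias ADMINS=liming,gem
Cmnd_Alias SHUTDOWN=/usr/sbin/halt,/usr/sbin/shutdown,/usr/sbin/reboot
liming ALL=(ALL) ALL
gem sun=/usr/sbin/reboot,/usr/sbin/shutdown
%cuug ALL=(ALL) ALL
ADMINS SERVER=SHUTDOWN
ADMINS ALL=(ALL) NOPASSWD: ALL
wwwadm ALL=apachectl
EOF
}

# audit_sudoers FILE: one line per finding. Handles the one-line
# "user host=(runas) [NOPASSWD:] cmd, cmd" entries used in this article;
# command alias names (UPPER_CASE) are accepted as command words.
audit_sudoers() {
  awk '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    /^(Host|User|Cmnd|Runas)_Alias[ \t]/ { next }  # skip alias definitions
    {
      who = $1
      cmds = $0
      sub(/^[^=]*=[ \t]*/, "", cmds)               # keep the part after "="
      sub(/^\([^)]*\)[ \t]*/, "", cmds)            # drop the (runas) list
      sub(/[ \t]+$/, "", cmds)
      if (cmds ~ /^NOPASSWD:/) {
        printf "%s: NOPASSWD tag, no password prompt\n", who
        sub(/^NOPASSWD:[ \t]*/, "", cmds)
      }
      if (cmds == "ALL") {
        printf "%s: unrestricted ALL grant\n", who
        next
      }
      n = split(cmds, c, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++)
        if (c[i] !~ /^\// && c[i] !~ /^[A-Z_]+$/)
          printf "%s: command \"%s\" is not an absolute path\n", who, c[i]
    }
  ' "$1"
}

# audit_sudoers_count FILE: number of findings (0 means nothing flagged).
audit_sudoers_count() {
  audit_sudoers "$1" | awk 'END { print NR }'
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_sudoers "$sample"
audit_sudoers "$sample"
echo "findings: $(audit_sudoers_count "$sample")"
rm -f "$sample"
```

On the sample, the two ALL=(ALL) ALL entries and the NOPASSWD: ALL entry are reported as unrestricted grants, the NOPASSWD tag is reported separately, and the relative command name apachectl is flagged; the gem entry with absolute paths and the ADMINS SERVER=SHUTDOWN entry using a command alias pass.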