Linux is a multi-user, multitasking, time-sharing operating system. Anyone who wants to use system resources must first obtain an account from the system administrator and then log into the system with that account.
On the one hand, user accounts help the system administrator track who is using the system and control their access to system resources; on the other hand, they help users organize their files and provide them with security protection.
Each user account has a unique username and its own password.
After entering the correct username and password during login, the user can enter the system and their home directory.
To achieve the management of user accounts, the main tasks to be completed include the following aspects:
Adding, deleting, and modifying user accounts.
Management of user passwords.
Management of user groups.
The management of user accounts mainly involves adding, modifying, and deleting user accounts.
Adding a user account means creating a new account in the system and allocating resources to it: a user ID, a user group, a home directory, and a login Shell. A newly added account is locked and cannot be used.
useradd [options] username
Parameter description:
Options:
-c comment            Specify a descriptive comment.
-d directory          Specify the user's home directory. If the directory does not exist, add the -m option to create it.
-g group              Specify the user group the user belongs to.
-G group[,group...]   Specify the additional groups the user belongs to.
-s shell              Specify the user's login Shell.
-u UID                Specify the user ID. Combined with the -o option, the ID may duplicate that of another user.
Username:
Specify the login name of the new account.
# useradd -d /home/sam -m sam
This command creates a user named sam; the -d and -m options create the home directory /home/sam for the login name sam (/home is the parent directory under which user home directories are placed by default).
# useradd -s /bin/sh -g group -G adm,root gem
This command creates a user gem whose login Shell is /bin/sh, whose primary group is group, and who also belongs to the adm and root groups.
The groups may need to be created first: # groupadd group and # groupadd adm
Adding a user account adds a record for the new user to the /etc/passwd file and also updates other system files such as /etc/shadow and /etc/group.
Linux provides an integrated system management tool called userconf, which can be used for unified management of user accounts.
If a user's account is no longer in use, it can be deleted from the system. Deleting a user account removes the user's records from /etc/passwd and the other system files that contain them, and the user's home directory is deleted as well if necessary.
To delete an existing user account, use the userdel command, and its format is as follows:
userdel [options] username
The common option is -r, which also deletes the user's home directory.
For example:
# userdel -r sam
This command deletes the user sam from the system files (mainly the records in /etc/passwd, /etc/shadow, and /etc/group) and deletes the user's home directory at the same time.
Modifying the user account is to change the relevant attributes of the user according to the actual situation, such as the user ID, home directory, user group, login Shell, etc.
To modify the information of an existing user, use the usermod command, and its format is as follows:
usermod [options] username
Common options include -c, -d, -m, -g, -G, -s, -u and -o, which have the same meanings as in the useradd command and specify new resource values for the user.
In addition, some systems support the option -l newname, which gives the account a new login name, i.e. changes the original username to the new one.
For example:
# usermod -s /bin/ksh -d /home/z -g developer sam
This command changes the login Shell of user sam to ksh, the home directory to /home/z, and the user group to developer.
An important part of user management is the management of user passwords. When a user account is created, there is no password, but it is locked by the system and cannot be used. It must be assigned a password before it can be used, even if it is an empty password.
The Shell command used to specify and modify user passwords is passwd. The superuser can specify passwords for themselves and other users, while regular users can only use it to modify their own passwords. The command format is:
passwd [options] username
Options available:
-l Lock the password, i.e., disable the account.
-u Unlock the password.
-d Make the account passwordless.
-f Force the user to change the password at the next login.
If the username is omitted, the password of the current user is changed.
For example, assuming the current user is sam, the following command modifies the password for this user:
$ passwd
Old password:******
New password:*******
Re-enter new password:*******
If the user is a superuser, they can specify the password for any user in the following form:
# passwd sam
New password:*******
Re-enter new password:*******
When a regular user changes their own password, the passwd command first asks for the original password, verifies it, and then requires the new password to be entered twice. If the two entries match, the password is assigned to the user; the superuser, by contrast, does not need to know the original password when assigning passwords to users.
For the sake of system security, users should choose complex passwords: for example, a password of at least 8 characters containing uppercase and lowercase letters and digits, and different from names, birthdays, etc.
When specifying an empty password for a user, use the following command form:
# passwd -d sam
This command deletes the password of user sam, so the next time sam logs in the system will no longer ask for a password.
The passwd command can also use the -l (lock) option to lock a user and prevent them from logging in, for example:
# passwd -l sam
Each user belongs to a user group, and the system can manage all the users in a group centrally. Different Linux systems handle user groups differently; in Linux, for example, a user belongs to a group with the same name as the user, created at the same time as the user.
User group management involves adding, deleting, and modifying user groups; adding, deleting, or modifying a group actually means updating the /etc/group file.
groupadd [options] groupname
Options that can be used include:
-g GID Specify the group identifier (GID) of the new group.
-o Usually used together with -g; it allows the GID of the new group to be the same as the GID of an existing group.
# groupadd group1
This command adds a new group, group1, to the system; its group identifier is one greater than the largest group identifier currently in use.
# groupadd -g 101 group2
This command adds a new group, group2, to the system and at the same time assigns it the group identifier 101.
groupdel groupname
# groupdel group1
This command deletes the group group1 from the system.
groupmod [options] groupname
Common options include:
-g GID Specify a new group identifier for the group.
-o Used together with -g; the new GID may be the same as the GID of an existing group.
-n newname Rename the group to the new name.
# groupmod -g 102 group2
This command changes the group identifier of group2 to 102.
# groupmod -g 10000 -n group3 group2
This command changes the group identifier of group2 to 10000 and renames the group to group3.
After logging in, users can use the newgrp command to switch to other user groups, with the command parameters being the target user group. For example:
$ newgrp root
This command switches the current user to the root user group, provided that the root user group is indeed the primary group or an additional group of the user. Similar to user account management, user group management can also be completed through integrated system management tools.
There are many ways to complete user management tasks, but each method actually involves modifying the relevant system files.
Information about users and user groups is stored in system files, including /etc/passwd, /etc/shadow, and /etc/group.
The following sections will introduce the content of these files separately.
Each user in a Linux system has a corresponding record line in the /etc/passwd file, which records the basic attributes of that user.
This file is readable by all users. Its content is similar to the following examples:
# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/home/sam:/bin/sh
As the example shows, each line of /etc/passwd corresponds to one user, and each line consists of 7 fields separated by colons (:), with the following format and meaning:
Username:Password:User Identifier:Group Identifier:Descriptive Comment:Home Directory:Login Shell
Username: usually no more than 8 characters, composed of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the delimiter here.
For compatibility, it is better not to include a period (.) in the login name, and the name should not begin with a hyphen (-) or a plus sign (+).
Password: although this field stores only the encrypted form of the password and not the plaintext, /etc/passwd is readable by all users, so this is still a security risk. Many Linux systems (such as SVR4) therefore use shadow technology: the actual encrypted password is stored in /etc/shadow, while the password field of /etc/passwd holds only a placeholder character such as "x" or "*".
User identifier: generally corresponds one-to-one with the username. If several usernames share the same user identifier number, the system treats them internally as the same user, although they may have different passwords, home directories, login Shells, and so on.
The user identifier number usually ranges from 0 to 65535. 0 is the identifier of the superuser root; 1 to 99 are reserved by the system for administrative accounts; the identifiers of ordinary users start at 100. In Linux this boundary is 500.
Group identifier: corresponds to a record in the /etc/group file.
Descriptive comment: for example the user's real name, phone number, address, etc. This field has no practical function. Its format is not unified across Linux systems; in many systems it holds arbitrary descriptive text that the finger command displays.
Home directory: the directory the user is placed in after logging in. In most systems, all user home directories are organized under one specific directory, and each user's home directory is named after the login name. Each user has read, write, and execute (search) permission on their own home directory, while other users' access to the directory is set according to circumstances.
Login Shell: the Shell is the interface between the user and the Linux system. Linux has many kinds of Shell, each with different features; common ones include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.
System administrators can assign a Shell to a user according to the system and the user's habits. If none is specified, the system uses sh as the default login Shell, i.e. the value of this field is /bin/sh.
The user's login Shell can also be set to a specific program that is not a command interpreter.
By taking advantage of this feature, users can be restricted to running only the specified application; when the application exits, the user is automatically logged out. Some Linux systems require that only programs registered with the system appear in this field.
Pseudo users: these users also have a record in /etc/passwd, but they cannot log in because their login Shell is empty. They exist mainly for the convenience of system administration and to satisfy the file-ownership requirements of the corresponding system processes.
Common pseudo users are as follows:
Pseudo user: meaning
bin: owns executable user command files
sys: owns system files
adm: owns account files
uucp: used by UUCP
lp: used by the lp or lpd subsystem
nobody: used by NFS
1. In addition to the pseudo users listed above, there are many other standard pseudo users, such as audit, cron, mail, usenet, etc., all of which are needed by related processes and files.
Because /etc/passwd is readable by all users, if a user's password is too simple or follows an obvious pattern, an ordinary computer can crack it easily. Linux systems with high security requirements therefore separate the encrypted passwords out of /etc/passwd and store them in a separate file, /etc/shadow. Only the superuser has read permission on this file, which protects the security of user passwords.
2. The records in /etc/shadow correspond one-to-one with those in /etc/passwd and are generated automatically by the pwconv command from the data in /etc/passwd.
Its file format is similar to that of /etc/passwd: several fields separated by ":". The fields are:
login name:encrypted password:last modified time:minimum time interval:maximum time interval:warning time:inactivity time:expiry time:flags
The "login name" is the same as the login name of the user account in /etc/passwd.
The "password" field stores the encrypted user password, 13 characters long. If it is empty, the corresponding user has no password and needs none to log in; if it contains characters outside the set { ./0-9A-Za-z }, the corresponding user cannot log in.
The "last modified time" is the number of days from a fixed starting point to the day the user last changed the password. The starting point may differ between systems; in SCO Linux, for example, it is January 1, 1970.
"Minimum time interval" refers to the minimum number of days required between two password changes.
"Maximum time interval" refers to the maximum number of days a password remains valid.
"Warning time" field indicates the number of days from the system starting to warn the user to the official expiration of the user's password.
"Inactivity time" represents the maximum number of days an account can remain valid without any login activity.
"Expiry time" field indicates an absolute number of days. If this field is used, it specifies the lifespan of the corresponding account. After the expiration, the account is no longer valid and cannot be used to log in.
The following is an example of /etc/shadow:
# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
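The aging fields above are easiest to understand by applying them. The following shell function, an added example and not part of the original tutorial, classifies shadow-format records given a "today" value in the same day-count unit as the "last modified time" field; the records and hashes are constructed, and $id$salt$hash strings (the modern crypt format, which contains characters outside the 13-character set described above) are accepted as valid.

```shell
#!/bin/sh
# Added example, not from the original tutorial: classify shadow-format
# records by the aging fields described above. TODAY is a day count since
# 1970-01-01, the same unit as the "last modified" field, so the check runs
# offline on a fixed sample instead of the real clock.
# shadow_status TODAY < shadow-file   -> one "login status" line per record
shadow_status() {
    awk -F: -v today="$1" '
        NF != 9 { print $1 " malformed(" NF " fields)"; next }
        # Field 2: empty means no password is needed to log in. A value with
        # characters outside ./0-9A-Za-z (such as "*") can never match, so the
        # account is locked; modern $id$salt$hash strings are still accepted.
        $2 == "" { print $1 " no-password"; next }
        $2 !~ /^\$/ && $2 !~ /^[.\/0-9A-Za-z]+$/ { print $1 " locked"; next }
        # Field 8: absolute expiry day of the account itself.
        $8 != "" && today > $8 { print $1 " account-expired"; next }
        # Field 5 empty: no maximum interval, so the password never expires.
        $5 == "" { print $1 " ok(no-aging)"; next }
        {
            expiry = $3 + $5                  # last change + maximum interval
            warn = ($6 == "") ? 0 : $6        # warning window before expiry
            left = expiry - today
            if (today > expiry)              print $1 " password-expired"
            else if (today >= expiry - warn) print $1 " warning(" left " days left)"
            else                             print $1 " ok(" left " days left)"
        }
    '
}

# Constructed sample records (not real hashes); "today" is taken as day 9750.
SAMPLE=$(cat <<'EOF'
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:::::
guest::9700:0:90:7:::
alice:$6$saltsalt$hashhashhash:9600:0:90:7:::
bob:$6$saltsalt$hashhashhash:9700:0:90:7:::
carol:$6$saltsalt$hashhashhash:9665:0:90:7:::
dave:$6$saltsalt$hashhashhash:9700:0:90:7::9740:
EOF
)
printf '%s\n' "$SAMPLE" | shadow_status 9750
```

On a live system the equivalent call is `shadow_status $(( $(date +%s) / 86400 )) < /etc/shadow`, run as root since only the superuser can read the file.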
Grouping users is a means of managing and controlling access permissions for users in the Linux system.
Each user belongs to a user group; a group can have multiple users, and a user can also belong to different groups.
When a user is a member of several groups, the /etc/passwd file records the user's primary group, which is the default group at login; the other groups are called additional groups.
When a user needs to access files belonging to an additional group, they must first use the newgrp command to become a member of the group they want to access.
All information about user groups is stored in the /etc/group file. Its format is also similar to /etc/passwd: several fields separated by colons (:), namely:
Group name:password:group identifier:group user list
The "group name" is the name of the user group, consisting of letters or digits. Like the login name in /etc/passwd, a group name should not be repeated.
The "password" field stores the encrypted password of the group. Linux groups generally have no password, so this field is usually empty or *.
"Group identifier" is similar to the user identifier, which is an integer used internally by the system to identify the group.
The "group user list" is the list of all users belonging to the group, separated by commas (,). The group may be a user's primary group or an additional group.
An example of the /etc/group file is as follows:
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
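Because the primary group lives in /etc/passwd while membership lists live in /etc/group, the two files can drift apart. The following shell function, an added example and not part of the original tutorial, cross-checks them: every primary GID in the passwd file must have a group entry, and every name in a group's member list must be a real user. The two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: cross-check a passwd-format
# file against a group-format file for the relationship described above.
# check_groups PASSWD_FILE GROUP_FILE  -> prints one line per inconsistency
check_groups() {
    awk -F: '
        # First file (passwd): remember each login name and its primary GID
        # (field 4 of /etc/passwd).
        NR == FNR { user[$1] = 1; pgid[$1] = $4; next }
        # Second file (group): record the GID, then validate the member list
        # (field 4 of /etc/group, comma separated).
        {
            gid[$3] = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "" && !(members[i] in user))
                    print $1 ": member " members[i] " is not in passwd"
        }
        END {
            for (u in user)
                if (!(pgid[u] in gid))
                    print u ": primary GID " pgid[u] " has no group entry"
        }
    ' "$1" "$2"
}

# Constructed sample files (not real system data). sam has primary GID 50,
# for which no group exists; group adm lists a member "adm" that is not a user.
PW=$(mktemp)
GR=$(mktemp)
cat > "$PW" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
sam:x:200:50:Sam san:/home/sam:/bin/sh
gem:x:201:20:Gem:/home/gem:/bin/sh
EOF
cat > "$GR" <<'EOF'
root::0:root
adm::4:root,adm,sam
users::20:root,sam,gem
EOF
check_groups "$PW" "$GR"
```

On a real system run `check_groups /etc/passwd /etc/group`; no output means the two files agree.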
Adding and deleting users is an easy task for any Linux system administrator, but when dozens, hundreds, or even thousands of users must be added, nobody would add them one by one with useradd; a simpler method for creating many users is needed. Linux provides tools for creating a large number of users at once. The method is as follows:
Each line is written in the format of the /etc/passwd password file. Note that each user's username, UID, and home directory must be unique; the password field can be left blank or filled with the letter x. An example user.txt file looks like this:
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash
# newusers < user.txt
Then run vipw or vi /etc/passwd to check whether the records of these users now appear in /etc/passwd and whether their home directories have been created.
Run pwunconv to decode the shadow passwords stored in /etc/shadow, write them back into /etc/passwd, and remove the shadow password fields from /etc/shadow. This cancels the shadow password function for the moment so that the password conversion in the next steps works.
# pwunconv
Next, prepare a password file with one line per user in the format:
Username:Password
The content of the example file passwd.txt is as follows:
user001:123456
user002:123456
user003:123456
user004:123456
user005:123456
user006:123456
Run chpasswd to create the user passwords: chpasswd writes the passwords, encoded as the /usr/bin/passwd command would encode them, into the password field of /etc/passwd.
# chpasswd < passwd.txt
Run /usr/sbin/pwconv to encode the passwords into shadow passwords and write the results to /etc/shadow.
# pwconv
This completes the creation of a large number of users. Afterwards, check the permission settings of the user home directories under /home and log in to verify that the user passwords are correct.
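The bulk procedure above depends on user.txt being consistent: a repeated UID would silently make two login names the same user, as the /etc/passwd section explains. The following script, an added example and not part of the original tutorial, generates the newusers input from a list of login names and validates the uniqueness rules before the file is handed to newusers; newusers, pwunconv, chpasswd and pwconv themselves are not run here because they need root.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build the newusers input
# file described above and validate it before use. Between pwunconv and
# pwconv the password hashes sit in the world-readable /etc/passwd, so those
# steps of the procedure should be run back to back.

# make_user_file "NAME NAME ..." FIRST_UID GID -> one passwd-format line per name
make_user_file() {
    uid=$2
    for name in $1; do
        printf '%s:x:%s:%s:user:/home/%s:/bin/bash\n' "$name" "$uid" "$3" "$name"
        uid=$((uid + 1))
    done
}

# check_user_file < user.txt -> prints each violation; exit status 1 if any
check_user_file() {
    awk -F: '
        NF != 7 { print "line " NR ": expected 7 fields"; bad++; next }
        # The text requires username, UID and home directory to be unique.
        ($1 in name) { print $1 ": duplicate login name"; bad++ }
        ($3 in uid)  { print $1 ": duplicate UID " $3 " (also " uid[$3] ")"; bad++ }
        ($6 in home) { print $1 ": duplicate home " $6 " (also " home[$6] ")"; bad++ }
        # The password column must be blank or x; chpasswd fills it in later.
        $2 != "" && $2 != "x" { print $1 ": password field must be empty or x"; bad++ }
        { name[$1] = 1; uid[$3] = $1; home[$6] = $1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: three names starting at UID 600 in group 100.
NAMES="user001 user002 user003"
USERS=$(make_user_file "$NAMES" 600 100)
printf '%s\n' "$USERS"
printf '%s\n' "$USERS" | check_user_file && echo "user.txt is consistent"
```

Redirect the output of make_user_file into user.txt and run check_user_file on it before `newusers < user.txt`.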