Linux user and user group management
Linux is a multi-user, multi-tasking, time-sharing operating system. Before a user can use any system resource, the system administrator must create an account for that user, and the user then enters the system under that account.
A user account helps the system administrator track the users of the system and control their access to system resources; it also helps users organize their files and gives them security protection.
Each user account has a unique user name and its own password.
When a user types the correct user name and password at login, the user enters the system and their own home directory.
User account management mainly involves the following tasks:
- Adding, deleting and modifying user accounts.
- Managing user passwords.
- Managing user groups.
I. Linux user account management
User account management mainly covers adding, modifying and deleting user accounts.
Adding a user account means creating a new account in the system and then assigning it resources such as a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used yet.
1. A new user account is added with the useradd command. Its syntax is:
useradd [options] username
Parameter description:
Options:
- -c comment: specifies a comment (description) for the account.
- -d directory: specifies the user's home directory. If the directory does not exist, add the -m option to create it.
- -g group: specifies the user group the user belongs to (the primary group).
- -G groups: specifies the additional groups the user belongs to.
- -s shell: specifies the user's login shell.
- -u uid: specifies the user ID. Combined with the -o option, a user ID already used by another user may be reused.
username:
The login name of the new account.
Example 1
# useradd -d /usr/sam -m sam
This command creates a user sam; the -d and -m options create the home directory /usr/sam for the login name sam (/usr is the parent directory of the default user home directories).
Example 2
# useradd -s /bin/sh -g group -G adm,root gem
This command creates a user gem whose login shell is /bin/sh. The user belongs to the user group group and also to the root and adm user groups; group is the primary group.
These groups may have to be created first with # groupadd group and # groupadd adm.
Adding a user account means adding a record for the new user to the /etc/passwd file and updating other system files such as /etc/shadow and /etc/group.
Linux also provides the integrated system management tool userconf, which can be used to manage user accounts in one place.
3. Deleting an account
If a user account is no longer used, it can be removed from the system. Deleting a user account means deleting the user's records from /etc/passwd and the other system files and, if necessary, removing the user's home directory.
An existing user account is deleted with the userdel command. Its format is:
userdel [options] username
The common option is -r, which removes the user's home directory as well.
For example:
# userdel sam
This command removes the records of user sam from the system files (mainly /etc/passwd, /etc/shadow, /etc/group and so on) and deletes the user's home directory.
4. Modifying an account
Modifying a user account means changing the user's attributes according to the actual situation, such as the user ID, home directory, user group, login shell and so on.
An existing user's information is modified with the usermod command. Its format is:
usermod [options] username
Common options include -c, -d, -m, -g, -G, -s, -u and -o. These options have the same meaning as the corresponding useradd options and specify new values for the user's resources.
In addition, some systems support the option -l new_user_name
This option specifies a new login name, changing the original user name to the new one.
For example:
# usermod -s /bin/ksh -d /home/z -g developer sam
This command changes user sam's login shell to ksh, home directory to /home/z and user group to developer.
5. User password management
An important part of user management is managing user passwords. A user account that has just been created has no password and is locked by the system, so it cannot be used; it must be assigned a password before it can be used, even if that password is empty.
The shell command for setting and changing user passwords is passwd. The superuser can set a password for themselves and for any other user; an ordinary user can only use it to change their own password. The command format is:
passwd [options] username
Available options:
- -l Lock the password, which disables the account.
- -u Unlock the password.
- -d Remove the password, so the account can be used without one.
- -f Force the user to change the password at the next login.
If the user name is omitted, the current user's password is changed.
For example, assuming the current user is sam, the following command changes that user's password:
$ passwd
Old password:******
New password:*******
Re-enter new password:*******
The superuser can set any user's password using the following form:
# passwd sam
New password:*******
Re-enter new password:*******
When an ordinary user changes their own password, the passwd command first checks the original password and then asks for the new password twice; if the two entries match, the new password is assigned to the user. When the superuser sets a user's password, the original password is not needed.
For system security, choose complex passwords: for example, preferably use an 8-character password that contains uppercase and lowercase letters and digits and is not the same as a name, birthday and so on.
To assign an empty password to a user, run a command of the following form:
# passwd -d sam
This command deletes user sam's password, so the next time sam logs in the system will not ask for one.
The passwd command can also lock a user with the -l (lock) option so that the user cannot log in, for example:
# passwd -l sam
II. Linux user group management
Every user belongs to a user group; the system can manage all users of a group centrally. Different Linux systems have different conventions for user groups; for example, on Linux a user belongs to a group with the same name as the user, which is created at the same time as the user.
User group management involves adding, deleting and modifying user groups. Adding, deleting and modifying a group are in fact updates to the /etc/group file.
1. A new user group is added with the groupadd command. Its format is:
groupadd [options] groupname
Available options:
- -g GID Specifies the group ID (GID) of the new user group.
- -o Usually used together with -g; indicates that the GID of the new group may be the same as the GID of an existing group on the system.
Example 1:
# groupadd group1
This command adds a new group group1 to the system; the new group's GID is the largest GID currently in use plus 1.
Example 2:
# groupadd -g 101 group2
This command adds a new group group2 to the system and specifies 101 as the new group's GID.
2. To delete an existing user group, use the groupdel command in the following format:
groupdel groupname
For example:
# groupdel group1
This command removes the group group1 from the system.
3. The attributes of a user group are modified with the groupmod command. Its syntax is:
groupmod [options] groupname
Commonly used options:
- -g GID Specifies a new group ID for the user group.
- -o Used together with -g; the new GID may be the same as the GID of an existing group on the system.
- -n new_group_name Changes the name of the user group to the new name.
Example 1:
# groupmod -g 102 group2
This command changes the GID of group group2 to 102.
Example 2:
# groupmod -g 10000 -n group3 group2
This command changes the GID of group group2 to 10000 and renames the group to group3.
4. If a user belongs to more than one user group, the user can switch between them in order to obtain the privileges of another group.
After logging in, a user can switch to another user group with the newgrp command; its argument is the target user group. For example:
$ newgrp root
This command switches the current user to the root user group, provided that root really is the user's primary group or one of their additional groups. As with user account management, user groups can also be managed with the integrated system management tool.
III. System files related to user accounts
There are many ways to carry out user management, but every method in fact modifies the related system files.
Information about users and groups is stored in several system files, including /etc/passwd, /etc/shadow and /etc/group.
The contents of these files are described below.
1. /etc/passwd is the most important file involved in user management.
On a Linux system every user has a corresponding line in /etc/passwd, which records the user's basic attributes.
This file is readable by all users. It looks similar to the following example:
# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
As the example shows, each line of /etc/passwd corresponds to one user. Each line consists of seven fields separated by colons (:), in the following format and with the following meanings:
username:password:UID:GID:comment:home directory:login shell
1) "User name" is a string representing the user account.
It is usually no longer than eight characters and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field delimiter here.
For compatibility reasons, the login name should not contain a dot (.) and should not start with a hyphen (-) or a plus sign (+).
2) "Password" on some systems stores the user's encrypted password.
Although this field holds an encrypted password string rather than plaintext, the /etc/passwd file is readable by all users, so this is still a security risk. Many Linux systems (such as SVR4) therefore use the shadow technique: the real encrypted user passwords are stored in the /etc/shadow file, and the password field of /etc/passwd holds only a special character such as "x" or "*".
3) "User ID" is an integer that the system uses internally to identify the user.
Normally it corresponds one to one with the user name. If several user names share the same user ID, the system treats them internally as the same user, although they may have different passwords, home directories, login shells and so on.
The user ID is usually in the range 0 to 65535. 0 is the ID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; ordinary user IDs start at 100. On Linux systems this lower limit is 500.
4) "Group ID" records the user group the user belongs to.
It corresponds to a record in the /etc/group file.
5) "Comment" records personal information about the user.
For example the user's real name, telephone number, address and so on; this field has no practical use within the system. Its format differs between Linux systems. On many Linux systems it stores an arbitrary descriptive text that is used as the output of the finger command.
6) "Home directory" is the user's initial working directory.
It is the directory the user is in after logging in to the system. On most systems each user's home directory is organized under one particular directory, and the name of the home directory is the user's login name. Each user has read, write and execute (search) permission on their own home directory; access permissions for other users' directories are set depending on the circumstances.
7) After a user logs in, a process is started that is responsible for passing the user's operations to the kernel; this process is the command interpreter or a particular program that runs after the user logs in, namely the shell.
The shell is the interface between the user and the Linux system. There are many shells for Linux, each with different characteristics. Commonly used ones are sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell) and so on.
The system administrator can assign a shell to a user according to the system and the user's habits. If no shell is specified, the system uses sh as the default login shell, that is, the field is /bin/sh.
The login shell can also be set to a particular program (which is not a command interpreter).
Using this feature, users can be restricted to running a specific application: after the application finishes, the user automatically exits the system. Some Linux systems only allow programs registered in the system to appear in this field.
8) The system has a class of users called pseudo-users.
These users also have a record in /etc/passwd but cannot log in because their login shell is empty. They exist mainly to facilitate system management and to serve as the owners of files required by system processes.
Common pseudo-users are:
Pseudo-user   Meaning
bin           owns the executable user command files
sys           owns the system files
adm           owns the account files
uucp          used by UUCP
lp            used by the lp or lpd subsystem
nobody        used by NFS
Besides the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail, usenet and so on; they also exist for the needs of the corresponding processes and files.
Because /etc/passwd is readable by all users, if a user's password is too simple or follows an obvious pattern, an ordinary computer can easily crack it. Linux systems with higher security requirements therefore separate the encrypted passwords out and store them in a separate file, /etc/shadow. Only the superuser has permission to read this file, which protects the security of user passwords.
2. The lines in /etc/shadow correspond one to one with those in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd.
Its format is similar to that of /etc/passwd: it consists of several fields separated by ":". The fields are:
login name:encrypted password:last change:minimum interval:maximum interval:warning time:inactive time:expiry time:flag
- "Login name" is the user account's login name, the same as in /etc/passwd.
- "Password" stores the user's encrypted password, 13 characters long. If it is empty, the corresponding user has no password and no password is needed to log in; if it contains characters outside the set {./0-9A-Za-z}, the corresponding user cannot log in.
- "Last change" is the number of days from a certain starting time to the day the user last changed the password. The starting time may differ between systems; for example, on SCO Linux the starting time is January 1, 1970.
- "Minimum interval" is the minimum number of days required between two password changes.
- "Maximum interval" is the maximum number of days the password remains valid.
- "Warning time" is the number of days between the system starting to warn the user and the password formally expiring.
- "Inactive time" is the maximum number of days the account remains active while the user is not logging in.
- "Expiry time" is an absolute number of days; if used, it gives the lifetime of the corresponding account. After that time the account is no longer valid and cannot be used to log in.
Here is an example of /etc/shadow:
# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
3. All user group information is stored in the /etc/group file.
User groups are the means by which a Linux system manages users and controls access.
Each user belongs to a user group; a group can have multiple users, and a user can belong to several groups.
When a user is a member of more than one group, the group recorded in /etc/passwd is the user's primary group, which is the default group at login; the other groups are called additional groups.
When the user wants to access a file belonging to an additional group, they must first use the newgrp command to become a member of the group to be accessed.
All user group information is stored in /etc/group. The format of this file is also similar to /etc/passwd: a number of fields separated by colons (:), which are:
group name:password:GID:list of users in the group
- "Group name" is the name of the user group, made up of letters or digits. Like login names in /etc/passwd, group names should not be duplicated.
- "Password" stores the user group's encrypted password. User groups on Linux generally have no password, so this field is usually empty or *.
- "Group ID" is similar to the user ID: an integer used internally by the system to identify the group.
- "List of users in the group" is a comma-separated (,) list of all users belonging to this group. This group may be a user's primary group or an additional group.
An example of the /etc/group file is as follows:
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
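The field meanings above translate directly into an audit a defender can run over the two files. The following is an added example, not code from the original article: audit_accounts (a hypothetical helper name) flags /etc/passwd records with an empty password field, a password hash left in the world-readable file instead of "x" or "*", or UID 0 on a name other than root, and flags /etc/shadow records whose password field is empty or falls outside {./0-9A-Za-z}. It runs on constructed sample files written to a temporary directory, so no root access is needed.

```shell
#!/bin/sh
# Added example, not from the original article.  The sample records below are
# constructed (some values copied from the article's listings); no real
# account data is involved.

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one line per finding, sorted; prints nothing for a clean pair of files.
audit_accounts() {
    awk -F: '
        FILENAME == ARGV[1] && NF == 7 {        # /etc/passwd: 7 fields
            if ($3 == 0 && $1 != "root")
                print "passwd:" $1 ": UID 0 but not root (superuser alias)"
            if ($2 == "")
                print "passwd:" $1 ": empty password field, login needs no password"
            else if ($2 != "x" && $2 != "*")
                print "passwd:" $1 ": password hash kept in the world-readable file"
        }
        FILENAME == ARGV[2] && NF == 9 {        # /etc/shadow: 9 fields
            if ($2 == "")
                print "shadow:" $1 ": empty password field, login needs no password"
            else if ($2 !~ "^[./0-9A-Za-z]+$")
                print "shadow:" $1 ": password outside {./0-9A-Za-z}, account cannot log in"
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed samples in the same layout as the article's listings.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:Superuser:/:
toor:x:0:0:Second superuser:/:/bin/sh
daemon:x:1:1:System daemons:/etc:
guest::501:100:No password set:/home/guest:/bin/sh
legacy:EkdiSECLWPdSa:502:100:Hash not shadowed:/home/legacy:/bin/sh
sam:x:200:50:Sam san:/usr/sam:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:Dnakfw28zf38w:8764:0:168:7:::
toor:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
guest::9740:0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
svc:!locked:9740:0:0::::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On the sample files this reports guest (no password in either file), legacy (hash exposed in /etc/passwd), toor (second UID 0) and the locked daemon and svc entries, while root and sam produce no finding.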
IV. Adding users in bulk
Adding and deleting users is easy for every Linux system administrator; what is harder is adding dozens, hundreds or even thousands of users. Using useradd to add them one by one is impractical, so a simple way of creating large numbers of users is needed. Linux provides tools for creating users in bulk that let you create a large number of users at once, as follows:
(1) Edit a user file.
Write one line per user in the format of the /etc/passwd password file. Make sure that no two users share the same user name, UID or home directory; the password field can be left blank or filled with x. A sample file user.txt reads as follows:
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash
(2) As root, run the command /usr/sbin/newusers to import the data from the user.txt file just created and create the users:
# newusers < user.txt
Then run the vipw command or vi /etc/passwd to check that the users' data has appeared in /etc/passwd and that the users' home directories have been created.
(3) Run /usr/sbin/pwunconv.
This decodes the shadow passwords generated in /etc/shadow, writes them back to /etc/passwd and deletes the shadow password field from /etc/shadow. This prepares for the password conversion in the next step, i.e. it temporarily turns off the shadow password feature.
# pwunconv
(4) Edit the password control file for each user. A sample file passwd.txt reads as follows:
user001:password
user002:password
user003:password
user004:password
user005:password
user006:password
(here "password" stands for the password chosen for that user)
(5) As root, run /usr/sbin/chpasswd.
This creates the users' passwords: chpasswd encodes the passwords with the /usr/bin/passwd command and writes them to the password field of /etc/passwd.
# chpasswd < passwd.txt
(6) After confirming that the encoded passwords have been written to the password field of /etc/passwd, run /usr/sbin/pwconv to convert the encoded passwords to shadow passwords and write the result to /etc/shadow.
# pwconv
This completes the bulk creation of users. Afterwards you can check whether the permissions on the users' home directories under /home are set correctly and verify that the users can log in with their passwords.
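Steps (1) and (4) above are the only ones that involve hand-written files, and step (1) carries the uniqueness rule that is easy to get wrong by hand. The following is an added example, not code from the original article: gen_user_file, check_user_file and gen_passwd_file (hypothetical helper names) build user.txt from a plain list of login names with sequential UIDs, verify that no user name, UID or home directory repeats, and build passwd.txt with a random initial password per user. It assumes, like the article's sample, GID 100, the comment "user", /home/NAME and /bin/bash; the newusers, pwunconv, chpasswd and pwconv steps themselves still need root and are left as comments.

```shell
#!/bin/sh
# Added example, not from the original article; helper names are hypothetical.

# gen_user_file FIRST_UID < names  ->  passwd-format lines for "newusers"
gen_user_file() {
    awk -v uid="$1" 'NF {
        # name:password(empty):UID:GID:comment:home:shell, UID counting up
        printf "%s::%d:100:user:/home/%s:/bin/bash\n", $1, uid++, $1
    }'
}

# check_user_file < user.txt  ->  reports malformed lines and any repeated
# user name, UID or home directory; exit status 1 if anything was reported
check_user_file() {
    awk -F: '
        NF != 7         { print "line " NR ": expected 7 fields, got " NF; bad = 1 }
        seen_name[$1]++ { print "line " NR ": duplicate user name " $1; bad = 1 }
        seen_uid[$3]++  { print "line " NR ": duplicate UID " $3; bad = 1 }
        seen_home[$6]++ { print "line " NR ": duplicate home directory " $6; bad = 1 }
        END { exit bad }
    '
}

# gen_passwd_file < names  ->  name:password lines for "chpasswd"; each
# initial password is 12 random alphanumerics drawn from /dev/urandom
gen_passwd_file() {
    while read -r name; do
        [ -n "$name" ] || continue
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)
        printf '%s:%s\n' "$name" "$pw"
    done
}

# Constructed input: the six login names from the article's sample
NAMES='user001
user002
user003
user004
user005
user006'

# The article's sequence (root required for the last four commands):
#   printf '%s\n' "$NAMES" | gen_user_file 600 > user.txt
#   check_user_file < user.txt && newusers < user.txt
#   pwunconv
#   printf '%s\n' "$NAMES" | gen_passwd_file > passwd.txt
#   chpasswd < passwd.txt
#   pwconv
printf '%s\n' "$NAMES" | gen_user_file 600
```

Keep passwd.txt readable only by root while it exists and delete it once chpasswd has run, since it holds the initial passwords in clear text.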