Linux User and User Group Management Tutorial (2024). This tutorial covers: first, Linux user account management; second, Linux user group management; third, the system files related to user accounts; and fourth, creating accounts in bulk from an account file.
Linux is a multi-user, multi-tasking, time-sharing operating system. Before anyone can use any system resource, the system administrator must first create an account for them; the user then logs in to the system under that account.
On the one hand, user accounts help the system administrator keep track of who is using the system and control their access to system resources; on the other hand, they help users organize their files and give them a protected working space.
Each user account has a unique user name and its own password.
When a user types the correct user name and password at login, they enter the system and their own home directory.
Implementing user account management mainly involves the following work. User account management itself covers adding, modifying and deleting user accounts.
Adding a user account means creating a new account in the system and assigning it a user ID, a user group, a home directory, a login shell and other resources. A newly added account is locked and cannot be used yet.
useradd [options] username
Parameter description:
options: useradd options (the options used in the examples below are explained with each example).
username: the login name of the new account.
# useradd -d /usr/sam -m sam
This command creates a user sam; the -d and -m options create the home directory /usr/sam for the login name sam (/usr is the parent directory of the default user home directories).
# useradd -s /bin/sh -g group -G adm,root gem
This command creates a user gem whose login shell is /bin/sh. The user belongs to the user group named group and also to the root and adm groups; group is the primary group.
The groups may need to be created first: # groupadd group and # groupadd adm
Adding a user account means adding a record for the new user to the /etc/passwd file and updating other system files such as /etc/shadow and /etc/group.
Linux also provides the integrated system management tool userconf, which can be used for unified management of user accounts.
If a user account is no longer used, it can be removed from the system. Deleting a user account means deleting the user's records from /etc/passwd and other system files and, if necessary, removing the user's home directory.
An existing user account is deleted with the userdel command, whose format is as follows:
userdel [options] username
The common option is -r, which also removes the user's home directory.
For example:
# userdel sam
This command deletes user sam's records from the system files (mainly /etc/passwd, /etc/shadow, /etc/group and so on); with the -r option it also deletes the user's home directory.
Modifying a user account means changing the user's attributes according to the actual situation, such as the user ID, home directory, user group and login shell.
Information about an existing user is modified with the usermod command, whose format is as follows:
usermod [options] username
Common options include -c, -d, -m, -g, -G, -s, -u and -o. These options have the same meaning as the corresponding useradd options and specify new values for the user's resources.
In addition, some systems support the option -l new_username, which specifies a new account name: the original user name is changed to the new one.
For example:
# usermod -s /bin/ksh -d /home/z -g developer sam
This command changes user sam's login shell to ksh, home directory to /home/z and user group to developer.
An important part of user management is password management. A newly created user account has no password and is locked by the system, so it cannot be used; a password must be assigned before the account can be used, even if that password is empty.
The shell command for setting and changing user passwords is passwd. The superuser can set a password for themselves and for any other user; ordinary users can only use it to change their own password. The command format is:
passwd [options] username
The options are described below. If the username is omitted, the current user's password is changed.
For example, if the current user is sam, the following command changes that user's password:
$ passwd
Old password:******
New password:*******
Re-enter new password:*******
The superuser can set any user's password with the following form:
# passwd sam
New password:*******
Re-enter new password:*******
When an ordinary user changes their password, passwd first checks the original password, then asks the user to enter the new password twice; if the two entries match, the new password is assigned to the user. When the superuser sets a user's password, the original password is not required.
For system security, a fairly complex password should be chosen: for example, an 8-character password containing uppercase and lowercase letters and digits, and different from the user's name, birthday and similar data.
To give a user an empty password, run the command in the following form:
# passwd -d sam
This command deletes user sam's password, so the next time sam logs in the system will not ask for a password.
The passwd command can also lock a user with the -l (lock) option so that the user cannot log in, for example:
# passwd -l sam
Every user belongs to a user group; groups let the system manage all of its users centrally. Different Linux systems have different conventions for user groups; for example, on Linux a user is placed in a group with the same name as the user, created at the same time as the user.
Managing user groups involves adding, deleting and modifying groups. Adding, deleting and modifying a group in fact means updating the /etc/group file.
groupadd [options] groupname
The options are shown in the following examples:
# groupadd group1
This command adds a new group group1 to the system; the new group's GID is the currently highest available group ID plus 1.
# groupadd -g 101 group2
This command adds a new group group2 to the system and specifies that its GID is 101.
groupdel groupname
# groupdel group1
This command deletes the group group1 from the system.
groupmod [options] groupname
Commonly used options are shown in the following examples:
# groupmod -g 102 group2
This command changes the GID of group group2 to 102.
# groupmod -g 10000 -n group3 group2
This command changes the GID of group group2 to 10000 and renames the group to group3.
After logging in, a user can use the newgrp command to switch to another user group; the command's argument is the target group. For example:
$ newgrp root
This command switches the current user to the root group, provided that root is the user's primary group or one of their additional groups. As with user account management, user groups can also be managed with integrated system management tools.
There are many ways to carry out user management, but each method in fact modifies the relevant system files.
Information about users and groups is stored in system files, including /etc/passwd, /etc/shadow and /etc/group.
The following describes the contents of these files.
In a Linux system, each user has a corresponding line in the /etc/passwd file, which records the user's basic attributes.
This file is readable by all users. It looks similar to the following example:
# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
As the example shows, each line in /etc/passwd corresponds to one user, and each line consists of seven fields separated by colons (:). The format and meaning of the fields are as follows:
username:password:UID:GID:comment:home directory:login shell
The user name is usually no longer than eight characters and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field delimiter.
For compatibility reasons, the login name should not contain a dot (.), and should not begin with a hyphen (-) or a plus sign (+).
The password field stores the encrypted password string rather than the plaintext, but because /etc/passwd is readable by all users, this is still a security risk. Many Linux systems (such as SVR4) therefore use the shadow technique: the real encrypted passwords are stored in the /etc/shadow file, and the password field of /etc/passwd holds only a special character such as "x" or "*".
The user identification number (UID) normally corresponds one-to-one with the user name. If several user names share the same UID, the system treats them internally as the same user, even though they may have different passwords, different home directories, different login shells and so on.
UIDs are usually in the range 0 to 65535. 0 is the UID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; ordinary user UIDs start at 100. On Linux systems, this lower limit is 500.
The group identification number (GID) corresponds to a record in the /etc/group file.
The comment field records the user's real name, phone number, address and similar details; it has no practical function in the system. Its format is not standardized across Linux systems. On many Linux systems this field stores arbitrary descriptive text, which is used as the output of the finger command.
The home directory is the directory the user is placed in after logging in to the system. On most systems, all home directories are organized under one particular directory, and each user's home directory is named after the user's login name. Each user has read, write and execute (search) permission on their own home directory; access permissions for other users' directories are set as circumstances require.
The login shell is the interface between the user and the Linux system. There are many shells for Linux, each with different characteristics; commonly used ones are sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell) and bash (Bourne Again Shell).
The system administrator can specify a shell for each user according to the system and the user's habits. If no shell is specified, the system uses sh as the default login shell, that is, the field is /bin/sh.
The login shell can also be set to a specific program that is not a command interpreter.
This feature can be used to restrict a user to running one specific application: when the application exits, the user is automatically logged out of the system. Some Linux systems require that only programs registered with the system may appear in this field.
Pseudo-users also have records in the /etc/passwd file, but they cannot log in because their login shell is empty. They exist mainly to facilitate system management and to satisfy the ownership requirements of system processes and files.
Common pseudo-users are as follows:
Pseudo-user   Meaning
bin           owns the executable user command files
sys           owns system files
adm           owns account files
uucp          used by UUCP
lp            used by the lp or lpd subsystem
nobody        used by NFS
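The rules above (seven colon-separated fields, the login-name restrictions, UID 0 meaning superuser, equal UIDs meaning the same user, an empty password field meaning no password) can be checked mechanically. The following is an added example, not code from the original tutorial: a small shell function that audits a file in /etc/passwd format and reports the conditions an administrator would want to know about. The sample data and the function name passwd_audit are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a file in /etc/passwd format against the field rules
# described in the tutorial. The sample below is constructed for this example;
# it is not a real system file.
SAMPLE_PASSWD='root:x:0:0:Superuser:/root:/bin/sh
daemon:x:1:1:System daemons:/etc:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
toor:x:0:0:second UID 0 account:/root:/bin/sh
guest::201:50:empty password field:/home/guest:/bin/sh
bob:x:200:50:same UID as sam:/home/bob:/bin/sh
long.name:x:202:50:dot in login name:/home/long:/bin/sh'

# passwd_audit: read passwd-format lines on stdin and print one finding per line.
#   malformed:<line>        not exactly seven fields
#   bad-uid:<name>          UID is not a number
#   uid0:<name>             UID 0 on an account other than root (same privileges as root)
#   empty-password:<name>   empty password field: login without a password
#   bad-name:<name>         breaks the login-name rules given above
#   dup-uid:<uid>:<name>    UID already used by an earlier line (treated as the same user)
passwd_audit() {
    awk -F: '
        NF != 7                 { print "malformed:" $0; next }
        $3 !~ /^[0-9]+$/        { print "bad-uid:" $1; next }
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $2 == ""                { print "empty-password:" $1 }
        length($1) > 8 || $1 ~ /^[-+]/ || $1 ~ /\./ || $1 !~ /^[A-Za-z0-9._-]+$/ { print "bad-name:" $1 }
        seen[$3]++              { print "dup-uid:" $3 ":" $1 }
    '
}

# Run against the constructed sample (on a real system: passwd_audit < /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit
```

Each rule in the awk program is one pattern-action pair, so the output lists every finding for a line rather than stopping at the first; `seen[$3]++` is false the first time a UID appears and true on every repeat, which is exactly the "same UID, different name" case the text describes.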
Because /etc/passwd is readable by all users, if a user's password is too simple or follows an obvious pattern, an ordinary computer can break it easily. Linux systems with higher security requirements therefore keep the encrypted passwords in a separate file, /etc/shadow, which only the superuser has permission to read; this protects the users' passwords.
Its format is similar to that of /etc/passwd: several fields separated by ":". The fields are:
login name:encrypted password:last change time:minimum interval:maximum interval:warning period:inactivity period:expiry time:flag
Here is an example of /etc/shadow:
# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
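The shadow fields tie directly back to the passwd commands earlier in the tutorial: passwd -d leaves the password field empty, passwd -l puts a "!" in front of it, and the "*" on the pseudo-users above means no password can ever match. The following is an added example, not code from the original tutorial: a shell function that classifies each account in a file of /etc/shadow format and flags passwords older than the maximum interval. The sample lines, the placeholder hashes and the function name shadow_audit are constructed for this example; the "today" value is passed in as a day count since 1970-01-01, the same unit the file uses.

```shell
#!/bin/sh
# Added example: classify accounts from a file in /etc/shadow format using the
# field layout described in the tutorial. The sample is constructed for this
# example (the hashes are placeholders, not real password hashes). Day counts
# are days since 1970-01-01, as in the real file.
SAMPLE_SHADOW='root:$6$constructedhash1:19700:0:90:7:::
sam:$6$constructedhash2:19750:0:90:7:::
daemon:*::0:0::::
guest::19700:0:0::::
svc:!$6$constructedhash3:19700:0:99999:7:::'

# shadow_audit TODAY: read shadow-format lines on stdin, print "<login>:<state>".
#   no-password   empty password field (what "passwd -d" leaves): login asks no password
#   locked        field begins with "*" or "!" (what "passwd -l" does): nothing can match
#   has-password  a usable hash; ",expired" is appended when more than the maximum
#                 interval (field 5) has passed since the last change (field 3)
shadow_audit() {
    awk -F: -v today="$1" '
        NF != 9 { print $1 ":malformed"; next }
        {
            if ($2 == "")            state = "no-password"
            else if ($2 ~ /^[*!]/)   state = "locked"
            else                     state = "has-password"
            # A maximum interval of 0 or empty means the password never ages out.
            if (state == "has-password" && $5 != "" && $5 > 0 && today - $3 > $5)
                state = state ",expired"
            print $1 ":" state
        }
    '
}

# Run against the constructed sample with day 19800 as "today".
# On a real system (as root): shadow_audit "$(( $(date +%s) / 86400 ))" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 19800
```

The no-password state is the one worth acting on first: it is the condition the text describes after passwd -d, where the next login is not asked for a password at all.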
User groups are the means by which the Linux system manages users and controls access.
Every user belongs to a user group; a group can contain multiple users, and a user can belong to several groups.
When a user is a member of more than one group, the group recorded in the user's /etc/passwd entry is the primary group, which is the default group at login; the other groups are called additional groups.
When a user wants to access a file belonging to one of their additional groups, they must first use the newgrp command to become a member of that group.
All user group information is stored in the /etc/group file. The format of this file is also similar to /etc/passwd: a number of fields separated by colons (:), namely:
group name:password:GID:list of users in the group
An example of an /etc/group file is as follows:
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
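Primary and additional membership come from two different files: the GID in the user's /etc/passwd entry names the primary group, and the member list in /etc/group names the additional ones. The following is an added example, not code from the original tutorial, that resolves both for a user and then answers the question the newgrp paragraph raises, namely whether a given group is one the user may switch to. The passwd and group samples and the function names user_groups and can_newgrp are constructed for this example.

```shell
#!/bin/sh
# Added example: resolve a user's primary and additional groups from files in
# /etc/passwd and /etc/group format, following the field layouts described in
# the tutorial. Both samples are constructed for this example.
SAMPLE_PASSWD='root:x:0:0:Superuser:/root:/bin/sh
sam:x:200:20:Sam san:/usr/sam:/bin/sh
gem:x:201:3:Gem:/home/gem:/bin/sh'
SAMPLE_GROUP='root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm,sam
daemon::5:root,daemon
lp::7:root,lp,sam
users::20:root'

# user_groups USER: print "USER primary=<group> additional=<g1,g2|none>".
# The primary group is the GID from the passwd record (field 4) looked up in the
# group file; additional groups are those whose member list (field 4 of the group
# file) contains USER, excluding the primary group itself.
user_groups() {
    user="$1"
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$user" '$1 == u { print $4 }')
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
    primary=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    additional=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$user" -v p="$primary" '
        $1 != p {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { printf "%s%s", (out ? "," : ""), $1; out = 1 }
        }')
    printf '%s primary=%s additional=%s\n' "$user" "$primary" "${additional:-none}"
}

# can_newgrp USER GROUP: succeed only if GROUP is USER's primary group or one of
# the additional groups, the condition the text gives for "newgrp GROUP" to work.
can_newgrp() {
    line=$(user_groups "$1") || return 1
    list=$(printf '%s\n' "$line" | sed 's/^[^ ]* primary=\([^ ]*\) additional=\(.*\)$/\1,\2/')
    case ",$list," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

user_groups sam
user_groups gem
```

On the sample, sam's primary group is users and the additional groups are adm and lp, so can_newgrp sam adm succeeds while can_newgrp sam sys fails; that mirrors the proviso in the newgrp paragraph. To run the same logic on a live system, replace the two sample variables with the contents of /etc/passwd and /etc/group.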
Adding and deleting users is easy for any Linux system administrator; what is harder is adding dozens, hundreds or even thousands of users. Nobody would add them one by one with useradd, so a simple way of creating users in bulk is needed. Linux provides a tool for creating users in bulk, which lets you create a large number of users at once, as follows:
Write a user file in the format of /etc/passwd, one line per user. The user name, UID and home directory of each user must differ from every other user's; the password field can be left empty or set to x. A sample file user.txt reads as follows:
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash
Run /usr/sbin/newusers to import the data from the user.txt file you just created and create the users:
# newusers < user.txt
You can then run vipw or vi /etc/passwd to check that the users' data has appeared in /etc/passwd and that the users' home directories have been created.
Run /usr/sbin/pwunconv to decode the shadow passwords that were generated in /etc/shadow, write them back to /etc/passwd, and delete the shadow password field from /etc/shadow. This makes the next step, the password conversion, easier; it turns the shadow password feature off.
# pwunconv
A sample file passwd.txt, where "password" stands for each user's actual password, reads as follows:
user001:password
user002:password
user003:password
user004:password
user005:password
user006:password
Run /usr/sbin/chpasswd to create the users' passwords. chpasswd passes the passwords through the /usr/bin/passwd command and writes the encoded passwords into the password field of /etc/passwd.
# chpasswd < passwd.txt
Run /usr/sbin/pwconv to encode the passwords as shadow passwords and write the result to /etc/shadow.
# pwconv
This completes the bulk creation of users. Afterwards you can check that the permissions on the users' home directories under /home are set correctly and verify that the users can log in with their passwords.
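The uniqueness requirement for user names, UIDs and home directories is the part of this procedure that newusers will not check for you, and a mistake there produces exactly the shared-UID situation described under the /etc/passwd fields. The following is an added example, not code from the original tutorial: it generates a user file in the sample layout above, checks it for duplicates, and wraps the four commands from the text in a root-gated function. The function names gen_user_lines, check_newusers_file and apply_batch are constructed for this example; the command sequence inside apply_batch is the one the text gives.

```shell
#!/bin/sh
# Added example: generate and sanity-check the newusers input file described in
# the tutorial before handing it to the commands the text lists. The account
# data is constructed for this example; nothing here changes the system unless
# apply_batch is run as root.

# gen_user_lines PREFIX FIRST_UID GID COUNT: print COUNT passwd-format lines
# with sequential user names and UIDs, an empty password field, and a home
# directory under /home, matching the sample user.txt above.
gen_user_lines() {
    i=1
    while [ "$i" -le "$4" ]; do
        name=$(printf '%s%03d' "$1" "$i")
        printf '%s::%d:%d:user:/home/%s:/bin/bash\n' "$name" "$(( $2 + i - 1 ))" "$3" "$name"
        i=$((i + 1))
    done
}

# check_newusers_file: read the file on stdin; print a finding for every line
# that is not seven fields or that repeats a user name, UID or home directory
# (the uniqueness the text requires), and fail if anything was found.
check_newusers_file() {
    awk -F: '
        NF != 7    { print "malformed:" $0; bad = 1; next }
        name[$1]++ { print "dup-name:" $1; bad = 1 }
        uid[$3]++  { print "dup-uid:" $3 ":" $1; bad = 1 }
        home[$6]++ { print "dup-home:" $6 ":" $1; bad = 1 }
        END { exit bad + 0 }
    '
}

# apply_batch USER_FILE PASSWD_FILE: the sequence from the text, run only as
# root and only after the user file passes the duplicate check.
apply_batch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_batch must run as root" >&2; return 1; }
    check_newusers_file < "$1" || return 1
    /usr/sbin/newusers < "$1" &&
    /usr/sbin/pwunconv &&
    /usr/sbin/chpasswd < "$2" &&
    /usr/sbin/pwconv
}

# Generate the six-user sample and check it without touching the system.
gen_user_lines user 600 100 6 | check_newusers_file && echo "sample user file: OK"
```

To use it for real, write the generated lines to user.txt, prepare passwd.txt as shown above, and call apply_batch user.txt passwd.txt as root; a duplicate in user.txt stops the run before newusers is invoked.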