
Linux user and user group management


May 22, 2021 Linux



Linux is a multi-user, multi-tasking, time-sharing operating system. Any user who wants to use system resources must first apply to the system administrator for an account and then log in to the system under that account.

On the one hand, user accounts help the system administrator track who uses the system and control their access to system resources; on the other hand, they help users organize their files and provide them with security protection.

Each user account has a unique username and its own password.

Once a user enters the correct user name and password at login, they are admitted to the system and placed in their home directory.

Managing user accounts mainly involves the following tasks:

  • Addition, deletion and modification of user accounts.
  • The management of the user password.
  • Management of user groups.

First, Linux user account management

The management of user account mainly involves the addition, modification and deletion of user account.

Adding a user account means creating a new account in the system and assigning it resources such as a user ID, a user group, a home directory and a login shell. The account just added is locked and cannot be used yet.

1, add a new user account with the useradd command, whose syntax is as follows:

useradd options username

Description of the parameters:

  • Options:

    • -c comment: an annotative description of the account.
    • -d directory: the user's home directory; if the directory does not exist, add the -m option to create it at the same time.
    • -g group: the primary user group the user belongs to.
    • -G group,group: the additional (supplementary) groups the user belongs to.
    • -s shell: the user's login shell.
    • -u UID: the user's user identification number; together with the -o option, a UID already used by another user may be reused.
  • User name:

    The login name of the new account.

Example 1

# useradd -d /usr/sam -m sam

This command creates the user sam. The -d and -m options generate a home directory /usr/sam for the login sam (/usr is the parent directory under which users' home directories are placed by default).

Example 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates a new user gem whose login shell is /bin/sh and who belongs to the group user group as well as to the adm and root user groups; group is the primary group.

If these groups do not exist yet, create them first with groupadd group and groupadd adm.

Adding a user account adds a record for the new user to the /etc/passwd file and updates other system files such as /etc/shadow and /etc/group.

Linux provides an integrated system management tool, userconf, which can be used to manage user accounts in a unified way.

3, delete the account

If a user's account is no longer in use, it can be deleted from the system. Deleting a user account removes the user's records from system files such as /etc/passwd and, if required, the user's home directory.

Delete an existing user account using userdel command in the following format:

userdel options username

The commonly used option is -r, which also deletes the user's home directory.

For example:

# userdel -r sam

This command deletes the user's records from the system files (mainly /etc/passwd, /etc/shadow and /etc/group) and, because of -r, deletes the user's home directory as well.

4, modify the account number

Modifying the user account is changing the user's relevant properties according to the actual situation, such as user number, home directory, user group, login Shell, etc.

Modify the information of an existing user with the usermod command, in the following format:

usermod options username

The commonly used options -c, -d, -m, -g, -G, -s, -u and -o have the same meaning as in useradd and specify new resource values for the user.

In addition, some systems support the option -l new_username.

This option specifies a new account name, changing the original user name to the new one.

For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes sam's login shell to ksh, the home directory to /home/z, and the user group to developer.

5, the management of the user password

An important part of user management is the management of user passwords. A user account is created without a password and is locked by the system; it cannot be used until a password is assigned, even if an empty password is specified.

The shell command for setting and changing user passwords is passwd. The superuser can set passwords for themselves and for other users; ordinary users can only use it to change their own password. The format of the command is:

passwd options username

Options available:

  • -l Lock the password, i.e. disable the account.
  • -u Unlock the password.
  • -d Make the account password-free.
  • -f Force the user to change the password at the next login.

If the user name is omitted, the current user's password is changed.

For example, if the current user is sam, the following command modifies the user's own password:

$ passwd 
Old password:****** 
New password:******* 
Re-enter new password:*******

In the case of a super user, you can specify the password of any user in the following form:

# passwd sam 
New password:******* 
Re-enter new password:*******

When an ordinary user changes their password, passwd asks for the original password, verifies it, and then asks for the new password twice; if the two entries match, the new password is assigned to the user. The superuser does not need to know the original password when assigning a password to a user.

For system security, users should choose reasonably complex passwords, preferably at least 8 characters long, containing upper-case letters, lower-case letters and digits, and not derived from a name, birthday or the like.

When you specify an empty password for a user, execute the following form of commands:

# passwd -d sam

This command removes the user's password so that the next time the user logs on, the system no longer asks for the password.

The passwd command can also lock a user with the -l (lock) option so that he or she cannot log on, for example:

# passwd -l sam

Second, the management of Linux system user groups

Each user belongs to a user group, and the system can manage all users in a group centrally. Different Linux systems have different rules for user groups; under Linux, for example, a user belongs by default to a group with the same name as the user, which is created at the same time as the user.

The management of user groups involves the addition, deletion, and modification of user groups. The addition, deletion, and modification of a group is actually an update to the /etc/group file.

1. Add a new user group with the groupadd command. The format is as follows:

groupadd options groupname

The options available are:

  • -g GID specifies the group identification number (GID) for the new user group.
  • -o is used together with the -g option and allows the GID of the new group to be the same as the GID of an existing group on the system.

Example 1:

# groupadd group1

This command adds a new group group1 to the system; the group identification number of the new group is the largest GID currently in use plus one.

Example 2:

# groupadd -g 101 group2

This command adds a new group group2 to the system and sets its group identification number to 101.

2. If you want to delete an existing user group, use the groupdel command, which is in the following format:

groupdel groupname

For example:

# groupdel group1

This command removes group group1 from the system.

3. Modify the properties of the user group using the groupmod command. The syntax is as follows:

groupmod options groupname

Common options are:

  • -g GID specifies a new group identification number for the user group.
  • -o is used together with the -g option and allows the new GID of the group to be the same as the GID of an existing group on the system.
  • -n new_groupname Change the name of the user group to the new name.

Example 1:

# groupmod -g 102 group2

This command changes the group identification number of group group2 to 102.

Example 2:

# groupmod -g 10000 -n group3 group2

This command changes the identification number of group group2 to 10000 and the group name to group3.

4. If a user belongs to more than one user group at the same time, the user can switch between user groups in order to have permissions for other user groups.

After logging in, a user switches to another user group with the newgrp command, whose argument is the destination group. For example:

$ newgrp root

This command switches the current user to the root user group, provided that the root group is indeed the user's primary or additional group. As with user account management, user group management can also be done through integrated system management tools.


Third, system files related to user accounts

There are many ways to do user management, but every method ultimately modifies the same system files.

Information about users and groups of users is stored in system files, including /etc/passwd, /etc/shadow, /etc/group, etc.

The contents of these files are described separately below.

1, /etc/passwd is the most important file involved in user management.

Each user in the Linux system has a corresponding record line in the /etc/passwd file, which records some of the user's basic properties.

This file is readable to all users. Its content is similar to the following example:

# cat /etc/passwd

root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh

From the example above, each record line in /etc/passwd corresponds to one user, and each record is separated by colons (:) into seven fields, in the following format and with the following meanings:

username:password:user identification number:group identification number:comment:home directory:login shell

1) "User name" is a string that represents the user's account.

It is usually no more than 8 characters long and consists of letters and/or digits. The login name cannot contain a colon (:) because the colon is the field separator here.

For compatibility, it is best not to include a dot (.) in the login name and not to start it with a hyphen (-) or a plus sign (+).

2) "Password": on some systems, this field holds the user's encrypted password.

Although this field holds only the encrypted form of the password, not clear text, it is still a security risk because /etc/passwd is readable by all users. Many Linux systems, such as SVR4, therefore use shadow passwords: the real encrypted passwords are stored in /etc/shadow, and only a placeholder character such as "x" is kept in the password field of /etc/passwd.

3) The "user identification number" (UID) is an integer used internally by the system to identify the user.

In general, it corresponds one-to-one with the user name. If several user names share the same UID, they are treated as the same user within the system, although they may have different passwords, home directories, login shells, and so on.

Typically the UID ranges from 0 to 65 535. 0 is the UID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; ordinary users are numbered from 100. In Linux systems the lower limit is 500.

4) The Group Identification Number field records the user group to which the user belongs.

It corresponds to a record in the /etc/group file.

5) The Annotative Description field records some of the user's personal circumstances.

For example, the user's real name, phone number, address, etc.; this field has no practical use. In different Linux systems the format of this field is not uniform. In many Linux systems it holds an arbitrary annotative description that is used as the output of the finger command.

6) "Home directory", which is the user's starting working directory.

It is the directory the user is in after logging in to the system. In most systems, every user's home directory is placed under the same specific directory, and the name of the home directory is the user's login name. Each user has read, write, and execute (search) permissions on their own home directory; other users' access to it is granted case by case.

7) "Login shell": after the user logs in, a process is started that passes the user's actions to the kernel. This is the command interpreter, or a specific program the user runs after logging in, i.e. the shell.

The shell is the interface between the user and the Linux system. There are many types of shells in Linux, each with different characteristics. Commonly used ones are sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.

The system administrator can specify a Shell for the user based on the system situation and user habits. If Shell is not specified, the system uses sh as the default login shell, i.e. the value of this field is /bin/sh.

The user's login Shell can also be specified as a specific program (this program is not a command interpreter).

With this feature, we can limit the user to running only the specified application, after which the user automatically exits the system. Some Linux systems require that only programs registered in the system appear in this field.

8) There is a class of users in the system called pseudo-users.

These users also have a record in /etc/passwd but cannot log in because their login shell is empty. They exist mainly to facilitate system management and to satisfy the file-ownership requirements of the corresponding system processes.

Common pseudo-users are as follows:

Pseudo-user  Meaning
bin          owns the executable user command files
sys          owns the system files
adm          owns the account files
uucp         used by UUCP
lp           used by the lp or lpd subsystem
nobody       used by NFS

In addition to the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail, usenet, etc.; they likewise exist for the needs of related processes and files.
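As an added example (not part of the original article), the following Python script parses /etc/passwd-format records into the seven fields described above and flags the conditions the article mentions: an empty password field, an empty login shell (the pseudo-user pattern), user names that are not portable, and several names sharing one UID, in particular UID 0. The sample lines are constructed from the article's listing plus two invented entries, "toor" and "guest", that exercise the checks; function names are my own.

```python
# Added example: audit /etc/passwd-format records (constructed sample data).
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")

# Constructed sample: lines from the article's listing plus two invented
# entries ("toor" and "guest") that exercise the checks below.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
toor::0:0:second UID 0 account:/:/bin/sh
guest:x:201:50:menu-only user:/home/guest:/usr/local/bin/menu
"""


def parse_passwd(text):
    """Split each record on ':' into the seven named fields.

    Returns (entries, errors); malformed lines are reported, not dropped silently.
    """
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            errors.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        entry = dict(zip(PASSWD_FIELDS, fields))
        try:
            entry["uid"] = int(entry["uid"])
            entry["gid"] = int(entry["gid"])
        except ValueError:
            errors.append(f"line {lineno}: UID/GID is not numeric")
            continue
        entries.append(entry)
    return entries, errors


def audit_passwd(entries):
    """Return a list of (user name, issue) pairs."""
    findings = []
    names_by_uid = {}
    for e in entries:
        names_by_uid.setdefault(e["uid"], []).append(e["name"])
        if e["password"] == "":
            # Neither 'x' nor an encrypted string: no password is needed at all
            findings.append((e["name"], "empty-password"))
        if e["shell"] == "":
            # The article's pseudo-users look like this: no shell to log in with
            findings.append((e["name"], "empty-shell"))
        if e["name"].startswith(("-", "+")) or "." in e["name"]:
            findings.append((e["name"], "unportable-name"))
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            # The same UID is the same user to the kernel, whatever the name
            for name in names:
                findings.append((name, "shared-uid"))
        if uid == 0:
            for name in names:
                if name != "root":
                    findings.append((name, "extra-uid0"))
    return findings


if __name__ == "__main__":
    entries, errors = parse_passwd(SAMPLE_PASSWD)
    for err in errors:
        print("malformed:", err)
    for name, issue in audit_passwd(entries):
        print(f"{name}: {issue}")
```

Run it against a real file with `parse_passwd(open("/etc/passwd").read())`; a second UID 0 account or an empty password field are the findings worth acting on first.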

Since /etc/passwd is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer. For this reason Linux systems keep the encrypted passwords in a separate file, /etc/shadow. Only the superuser has permission to read this file, which protects the users' passwords.

2, the record lines in /etc/shadow correspond one-to-one with those in /etc/passwd; the file is generated automatically by the pwconv command from the data in /etc/passwd.

Its format is similar to that of /etc/passwd and consists of several fields separated by ":". The fields are:

login name:encrypted password:last change:minimum interval:maximum interval:warning time:inactivity time:expiration time:flag
  1. "Login name" is the user account name, which matches the login name in /etc/passwd.
  2. The "encrypted password" field holds the user's encrypted password, 13 characters long. If it is empty, the user has no password and none is required to log in; if it contains characters outside the valid set, the user cannot log in.
  3. "Last change" is the number of days from a fixed starting point to the last time the user changed the password. The starting point may differ between systems; in SCO Linux, for example, it is January 1, 1970.
  4. "Minimum interval" is the minimum number of days required between two password changes.
  5. "Maximum interval" is the maximum number of days the password remains valid.
  6. The "warning time" field is the number of days between the system starting to warn the user and the password formally expiring.
  7. "Inactivity time" is the maximum number of days the user may go without logging in while the account remains active.
  8. The "expiration time" field gives an absolute day number; if it is used, it sets the lifetime of the account. After that day the account is no longer valid and can no longer be used to log in.

Here's an example of /etc/shadow:

# cat /etc/shadow

root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
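As an added example (not from the article), the following Python code parses /etc/shadow-format records into the nine fields listed above and evaluates the aging fields: it converts the day counter to a calendar date, computes the day on which a password stops being valid, and classifies an entry as usable, expiring, expired, locked or password-free. The sample lines are taken from the article's listing plus an invented "nopass" entry; the function names, the 1970 epoch, and the treatment of an empty or zero maximum interval as "no maximum" are my assumptions.

```python
# Added example: evaluate /etc/shadow aging fields (constructed sample data).
from datetime import date, timedelta

SHADOW_FIELDS = ("name", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "flag")
EPOCH = date(1970, 1, 1)  # assumption: day 0 of the "last change" counter

# Constructed sample: three lines from the article's listing plus an invented
# "nopass" entry whose password field is empty.
SAMPLE_SHADOW = """\
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
nopass::9740:0:30:5:::
"""


def _day(value):
    """Numeric day fields may be empty; empty means 'not set'."""
    return int(value) if value.strip() else None


def parse_shadow(text):
    """Return {login name: record dict} with the day fields as int or None."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(SHADOW_FIELDS):
            raise ValueError(f"expected 9 fields: {line!r}")
        rec = dict(zip(SHADOW_FIELDS, fields))
        for key in SHADOW_FIELDS[2:8]:
            rec[key] = _day(rec[key])
        records[rec["name"]] = rec
    return records


def day_to_date(day_number):
    """Turn a 'days since the epoch' counter into a calendar date."""
    return EPOCH + timedelta(days=day_number)


def expiry_day(rec):
    """Day on which the password stops being valid, or None if it never does.

    Assumption: an empty or zero maximum interval means no maximum.
    """
    if rec["last_change"] is None or not rec["max_days"]:
        return None
    return rec["last_change"] + rec["max_days"]


def password_state(rec, today):
    """Classify a record for a given day number (same counter as the file)."""
    pw = rec["password"]
    if pw == "":
        return "no-password"        # login requires no password at all
    if pw.startswith(("*", "!")):
        return "locked"             # not a valid encrypted string: cannot log in
    if rec["expire_day"] is not None and today >= rec["expire_day"]:
        return "account-expired"    # absolute account lifetime has ended
    expires = expiry_day(rec)
    if expires is None:
        return "valid"
    if today >= expires:
        return "password-expired"
    if today >= expires - (rec["warn_days"] or 0):
        return "expiring"           # inside the warning window
    return "valid"


if __name__ == "__main__":
    today = (date.today() - EPOCH).days
    for name, rec in parse_shadow(SAMPLE_SHADOW).items():
        last = rec["last_change"]
        print(name, password_state(rec, today),
              day_to_date(last).isoformat() if last is not None else "-")
```

For root in the sample, the password was last changed on day 8764 (1993-12-30) and is valid for 168 days, so it expires on day 8932, with warnings from day 8925; the "nopass" entry is the case the article warns about, an empty field that lets the user in without any password.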

3, all information about user groups is stored in the /etc/group file.

Grouping users is a means of managing and controlling access to users in Linux systems.

Each user belongs to a user group;

When a user is a member of more than one group at the same time, what is recorded in the /etc/passwd file is the primary group to which the user belongs, that is, the default group to which the user belongs when signed in, while the other groups are called additional groups.

When a user wants to access files that belong to an additional group, they must first use the newgrp command to make that group their current group.

All information about user groups is stored in /etc/group. The format of this file is also similar to that of /etc/passwd: each line is separated by colons (:) into several fields:

group name:password:group identification number:list of users in the group
  1. "Group name" is the name of the user group and consists of letters or digits. As with login names in /etc/passwd, group names must not be duplicated.
  2. The "password" field holds the user group's encrypted password. In general, user groups on Linux systems do not have passwords, so this field is usually empty.
  3. The "group identification number" (GID), like the UID, is an integer used within the system to identify the group.
  4. The "list of users in the group" lists all users belonging to this group, separated by commas (,). The group may be the user's primary group or an additional group.

An example of a /etc/group file is as follows:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
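The primary group comes from the GID field of /etc/passwd while additional groups come from the member lists in /etc/group, and newgrp (section 4 above) only succeeds into one of those groups. As an added example that is not part of the article, the following Python code combines the two files to list a user's primary and additional groups and to decide whether a given newgrp target is permitted on that basis. The group lines are the article's listing; the passwd lines are constructed (sam's primary GID is set to 20 so that it matches the users group), and the function names are my own.

```python
# Added example: resolve group membership from /etc/passwd and /etc/group.

# Constructed sample passwd lines (sam's primary GID chosen as 20 to match
# the "users" group in the article's /etc/group listing).
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
sam:x:200:20:Sam san:/usr/sam:/bin/sh
"""

# The article's /etc/group listing
SAMPLE_GROUP = """\
root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
"""


def parse_group(text):
    """group name -> {'gid': int, 'members': [user, ...]}"""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def primary_gids(passwd_text):
    """user name -> primary GID (fourth field of /etc/passwd)"""
    return {fields[0]: int(fields[3])
            for fields in (line.split(":")
                           for line in passwd_text.splitlines() if line.strip())}


def groups_of(user, passwd_text, group_text):
    """Return (primary group name, sorted additional group names).

    The primary group is the one whose GID matches the user's passwd entry;
    additional groups are those whose member list names the user.
    """
    groups = parse_group(group_text)
    gid = primary_gids(passwd_text)[user]
    by_gid = {g["gid"]: name for name, g in groups.items()}
    primary = by_gid.get(gid)   # None if /etc/group has no entry for the GID
    additional = sorted(name for name, g in groups.items()
                        if user in g["members"] and name != primary)
    return primary, additional


def can_newgrp(user, target, passwd_text, group_text):
    """True when target is the user's primary group or one of the additional groups."""
    primary, additional = groups_of(user, passwd_text, group_text)
    return target == primary or target in additional


if __name__ == "__main__":
    for user in ("root", "uucp", "sam"):
        print(user, groups_of(user, SAMPLE_PASSWD, SAMPLE_GROUP))
    print("sam -> root:", can_newgrp("sam", "root", SAMPLE_PASSWD, SAMPLE_GROUP))
```

With these samples, uucp's primary group is daemon (GID 5) even though the daemon line does not name uucp, and its only additional group is sys; sam can newgrp into users but not into root, which is the condition stated for the newgrp example above.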

Fourth, add users in bulk

Adding and removing users is routine for any Linux system administrator, but adding dozens, hundreds or even thousands of users is another matter: nobody wants to add them one by one with useradd, so an easier way to create a large number of users is needed. Linux provides tools for creating many users at once, as follows:

(1) Edit a text user file first.

Each line is written in the format of the /etc/passwd file, making sure that user names, UIDs and home directories are not duplicated; the password field may be left blank or set to x. An example file user.txt looks like this:

user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) Execute the command /usr/sbin/newusers as root, import data from user.txt you just created, and create a user:

# newusers < user.txt 

You can then run vipw (or view /etc/passwd) to check that the records for these users are present in /etc/passwd and that the users' home directories have been created.

(3) Execute the command /usr/sbin/pwunconv.

This decodes the shadow passwords in /etc/shadow, writes them back into /etc/passwd and removes /etc/shadow, to prepare for the password conversion in the next step; that is, shadow passwords are cancelled first.

# pwunconv

(4) Edit each user's password control file.

The example passwd.txt as follows:

user001:password
user002:password
user003:password
user004:password
user005:password
user006:password

(5) Execute the command /usr/sbin/chpasswd as root.

chpasswd, like the /usr/bin/passwd command, encrypts the passwords of the users just created and writes them into the password field of /etc/passwd:

# chpasswd < passwd.txt

(6) After confirming that the encrypted passwords have been written into the password field of /etc/passwd, execute /usr/sbin/pwconv, which writes the result into /etc/shadow as shadow passwords:

# pwconv

This completes the bulk creation of users. Afterwards, check under /home that the permissions of the users' home directories are correct, and log in to verify that the user passwords are correct.
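As an added example (not part of the article), the following Python script produces the two input files of the procedure above: user.txt in the /etc/passwd format that newusers reads, and passwd.txt in the user:password format that chpasswd reads. It enforces the uniqueness of user names, UIDs and home directories that step (1) asks for, generates random passwords, and creates both files with mode 0600, since passwd.txt contains clear-text passwords. Function names, the argument layout and the password policy are my assumptions; the generated lines match the article's user.txt sample.

```python
# Added example: generate newusers and chpasswd input files for bulk creation.
import os
import secrets
import string


def build_newusers_lines(names, start_uid, gid, existing_uids=frozenset(),
                         comment="user", home_base="/home", shell="/bin/bash"):
    """One /etc/passwd-format line per user, password field left empty.

    UIDs are assigned sequentially from start_uid. Names must be unique and
    usable as login names, and no UID may collide with existing_uids.
    Home directories are derived from the name, so they are unique too.
    """
    if len(set(names)) != len(names):
        raise ValueError("duplicate user names")
    lines = []
    for offset, name in enumerate(names):
        if ":" in name or name.startswith(("-", "+")):
            raise ValueError(f"invalid user name {name!r}")
        uid = start_uid + offset
        if uid in existing_uids:
            raise ValueError(f"UID {uid} already in use")
        lines.append(f"{name}::{uid}:{gid}:{comment}:{home_base}/{name}:{shell}")
    return lines


def random_password(length=12):
    """Letters and digits from the OS CSPRNG (assumed policy, not the article's)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_chpasswd_lines(names, passwords=None):
    """user:password lines for chpasswd; passwords are generated if not given."""
    if passwords is None:
        passwords = [random_password() for _ in names]
    if len(passwords) != len(names):
        raise ValueError("one password per user required")
    return [f"{name}:{pw}" for name, pw in zip(names, passwords)]


def write_private(path, lines):
    """Create path with mode 0600 and write the lines.

    passwd.txt holds clear-text passwords, so it must not be readable by
    other users; delete it once chpasswd has consumed it.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    users = [f"user{n:03d}" for n in range(1, 7)]
    write_private("user.txt", build_newusers_lines(users, 600, 100))
    write_private("passwd.txt", build_chpasswd_lines(users))
    print("wrote user.txt and passwd.txt; feed them to newusers and chpasswd as root")
```

Pass the UIDs already present in /etc/passwd as existing_uids so that a batch cannot silently reuse a live UID, which, as section Third explains, would make the new account the same user as the existing one. On current shadow-utils systems chpasswd updates /etc/shadow directly, so the pwunconv/pwconv round trip is only needed on the older systems the article describes.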