
Linux user and user group management

Linux is a multi-user, multi-tasking, time-sharing operating system. Before anyone can use system resources, the system administrator must create an account for them, and they then log in to the system under that account.

User accounts serve two purposes: they let the system administrator track who is using the system and control their access to system resources, and they let users organize their own files and give them some security protection.

Each user account has a unique user name and its own password.

A user who types the correct user name and password at login enters the system and lands in their own home directory.

User account management mainly involves the following tasks:

  • Adding, deleting and modifying user accounts.
  • Managing user passwords.
  • Managing user groups.

I. Linux user account management

User account management mainly concerns adding, modifying and deleting user accounts.

Adding a user account means creating a new account in the system and then assigning it resources such as a user ID, a user group, a home directory and a login shell. A newly added account is locked and cannot be used until a password is set.

1. Add a new user account with the useradd command. Its syntax is:

useradd options username

Parameter description:

  • Options:

    • -c comment      Specifies a comment (description) for the account.
    • -d directory    Specifies the user's home directory. If the directory does not exist, add the -m option to create it.
    • -g group        Specifies the user's primary group.
    • -G group,...    Specifies the additional (supplementary) groups the user belongs to.
    • -s shell        Specifies the user's login shell.
    • -u uid          Specifies the user ID. Combined with -o, a UID already used by another user may be reused.
  • username:

    The login name of the new account.

Example 1

# useradd -d /usr/sam -m sam

This command creates the user sam. The -d and -m options create the home directory /usr/sam for the login name sam (/usr is the parent directory of the default home directory).

Example 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates the user gem. The user's login shell is /bin/sh; the user belongs to the group "group" as primary group and additionally to the root and adm groups.

The groups may be new, in which case create them first: # groupadd group and # groupadd adm

Adding a user account means adding a new record to the /etc/passwd file and updating other system files such as /etc/shadow and /etc/group.

Linux also provides the integrated system management tool userconf, which can be used to manage user accounts in one place.

3. Delete an account

A user account that is no longer used can be removed from the system. Deleting an account means removing the user's record from /etc/passwd and other system files and, if necessary, deleting the user's home directory.

Delete an existing user account with the userdel command. Its format is:

userdel options username

The common option is -r, which also removes the user's home directory.

For example:

# userdel sam

This command removes the user sam's records from the system files (mainly /etc/passwd, /etc/shadow and /etc/group); with -r the user's home directory is deleted as well.

4. Modify an account

Modifying a user account means changing the account's attributes according to actual needs, such as the user ID, home directory, user group or login shell.

Modify an existing user's information with the usermod command. Its format is:

usermod options username

Common options include -c, -d, -m, -g, -G, -s, -u and -o. They have the same meaning as the corresponding useradd options and set a new value for the given attribute.

In addition, some systems support the option: -l new_username

This option changes the account's login name from the original user name to the new one.

For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes user sam's login shell to ksh, home directory to /home/z and primary group to developer.

5. User password management

An important part of user management is managing user passwords. A newly created account has no password and is locked, so it cannot be used; a password must be assigned (even an empty one) before the account can be used.

The shell command for setting and changing user passwords is passwd. The superuser can set a password for themselves and for any other user; ordinary users can only change their own password. The command format is:

passwd options username

Available options:

  • -l Locks the password, which disables the account.
  • -u Unlocks the password.
  • -d Removes the password, so the account can be used without one.
  • -f Forces the user to change the password at the next login.

If the user name is omitted, the current user's password is changed.

For example, if the current user is sam, the following command changes that user's password:

$ passwd 
Old password:****** 
New password:******* 
Re-enter new password:*******

The superuser can set any user's password with the following form:

# passwd sam 
New password:******* 
Re-enter new password:*******

When an ordinary user changes their password, passwd first checks the original password, then asks for the new password twice; if the two entries match, the new password is set. When the superuser sets a password for another user, the original password is not required.

For system security, choose a reasonably complex password: for example, at least 8 characters, mixing uppercase and lowercase letters and digits, and not the same as a name, birthday or similar.

To assign an empty password to a user, run the command in the following form:

# passwd -d sam

This command deletes user sam's password, so the next time sam logs in the system will not ask for one.

The passwd command can also lock a user with the -l (lock) option, after which the user cannot log in, for example:

# passwd -l sam

II. Linux user group management

Every user belongs to a user group; the system can manage all users of a group centrally. Different Linux systems have different rules for user groups; for example, a user on Linux has a group of the same name, created together with the user.

Managing user groups involves adding, deleting and modifying groups. In each case this amounts to updating the /etc/group file.

1. Add a new user group with the groupadd command. Its format is:

groupadd options groupname

The available options are:

  • -g GID Specifies the group ID (GID) of the new group.
  • -o Usually used together with -g; allows the new group's GID to be the same as that of an existing group.

Example 1:

# groupadd group1

This command adds a new group group1 to the system; its group ID is the currently highest group ID in use plus 1.

Example 2:

# groupadd -g 101 group2

This command adds a new group group2 to the system and sets its group ID to 101.

2. To delete an existing user group, use the groupdel command in the following format:

groupdel groupname

For example:

# groupdel group1

This command removes the group group1 from the system.

3. Modify the attributes of a user group with the groupmod command. Its syntax is:

groupmod options groupname

Commonly used options are:

  • -g GID Sets a new group ID for the group.
  • -o Used with -g; allows the new GID to be the same as that of an existing group.
  • -n newname Changes the group's name to the new name.

Example 1:

# groupmod -g 102 group2

This command changes the group ID of group group2 to 102.

Example 2:

# groupmod -g 10000 -n group3 group2

This command changes the group ID of group group2 to 10000 and renames the group to group3.

4. If a user belongs to more than one group, the user can switch between groups in order to obtain the privileges of another group.

After logging in, a user can switch to another group with the newgrp command; its argument is the target group. For example:

$ newgrp root

This command switches the current user to the root group, provided that root really is the user's primary group or one of their additional groups. As with user accounts, user groups can also be managed with the integrated system management tool.

III. System files related to user accounts

There are many ways to carry out user management, but every method ultimately modifies the related system files.

Information about users and groups is stored in system files including /etc/passwd, /etc/shadow and /etc/group.

The contents of these files are described below.

1. /etc/passwd is the most important file involved in user management.

On a Linux system each user has a corresponding line in /etc/passwd, which records the user's basic attributes.

This file is readable by all users. It looks like the following example:

# cat /etc/passwd

root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/usr/sam:/bin/sh

As the example shows, each line of /etc/passwd corresponds to one user and consists of seven fields separated by colons (:). The format and meaning of the fields are:

username:password:user ID:group ID:comment:home directory:login shell

1) "User name" is a string representing the user account.

It is usually no longer than eight characters and consists of uppercase and lowercase letters and/or digits. The login name cannot contain a colon (:), because the colon is the field delimiter.

For compatibility reasons, the login name should not contain a dot (.) and should not start with a hyphen (-) or plus (+).

2) "Password" holds the user's encrypted password on some systems.

Although this field stores the password in encrypted form rather than in clear text, /etc/passwd is readable by all users, so this is still a security risk. Many Linux systems (such as SVR4) therefore use the shadow technique: the real encrypted passwords are stored in /etc/shadow, and the password field of /etc/passwd holds only a special character such as "x" or "*".

3) "User ID" is an integer that the system uses internally to identify the user.

Normally it corresponds one-to-one with the user name. If several user names share the same user ID, the system treats them internally as the same user, even though they may have different passwords, home directories and login shells.

The user ID is usually in the range 0 to 65535. 0 is the ID of the superuser root; 1 to 99 are reserved by the system for administrative accounts; ordinary users' IDs start from 100. On Linux systems this lower limit is 500.

4) "Group ID" records the user group the user belongs to.

It corresponds to a record in the /etc/group file.

5) "Comment" records personal information about the user.

For example the user's real name, phone number or address; the field has no practical use in the system. Its format differs between Linux systems. On many Linux systems it holds any descriptive text and is used as the output of the finger command.

6) "Home directory" is the user's initial working directory.

It is the directory the user is in after logging in. On most systems all users' home directories are organized under one particular directory, and each home directory is named after the user's login name. Each user has read, write and execute (search) permission on their own home directory; access permissions for other users' directories are set according to circumstances.

7) "Login shell". After the user logs in, a process is started that passes the user's operations to the kernel; this process is the command interpreter or particular program run after login, namely the shell.

The shell is the interface between the user and the Linux system. There are many shells for Linux, each with different characteristics; commonly used ones are sh (Bourne shell), csh (C shell), ksh (Korn shell), tcsh (TENEX/TOPS-20 type C shell) and bash (Bourne Again shell).

The system administrator can specify a shell for the user according to the system and the user's habits. If no shell is specified, the system uses sh as the default login shell, that is, the field is /bin/sh.

The login shell can also be set to a particular program (one that is not a command interpreter).

This feature can be used to restrict a user to a specific application: when the application exits, the user is automatically logged out of the system. Some Linux systems require that only programs registered in the system appear in this field.

8) The system has a class of users called pseudo-users.

These users also have a record in /etc/passwd but cannot log in, because their login shell is empty. They exist mainly to facilitate system management and to satisfy the file-ownership requirements of the corresponding system processes.

Common pseudo-users are:

  Pseudo-user   Meaning
  bin           owns the executable user command files
  sys           owns the system files
  adm           owns the account files
  uucp          used by UUCP
  lp            used by the lp or lpd subsystem
  nobody        used by NFS

In addition to the pseudo-users listed above, there are many other standard pseudo-users, such as audit, cron, mail and usenet; they also serve the corresponding processes' file ownership needs.

Because /etc/passwd is readable by all users, a password that is too simple or follows an obvious pattern can easily be cracked on an ordinary computer. Linux systems with higher security requirements therefore move the encrypted passwords into a separate file, /etc/shadow. Only the superuser can read this file, which protects the security of the users' passwords.

2. /etc/shadow has one line for each line of /etc/passwd; it is generated automatically from the data in /etc/passwd by the pwconv command.

Its format is similar to /etc/passwd: several fields separated by ":". The fields are:

login name:encrypted password:last change:minimum interval:maximum interval:warning time:inactive time:expiry time:flag
  1. "Login name" is the user account's login name, the same as in /etc/passwd.
  2. "Encrypted password" stores the user's encrypted password, 13 characters long. If it is empty, the user has no password and none is needed to log in; if it contains characters outside the set {./0-9A-Za-z}, the user cannot log in.
  3. "Last change" is the number of days from a certain start time to the last time the user changed the password. The start time may differ between systems; for example, on SCO Linux it is January 1, 1970.
  4. "Minimum interval" is the minimum number of days required between two password changes.
  5. "Maximum interval" is the maximum number of days the password remains valid.
  6. "Warning time" is the number of days between the system starting to warn the user and the password formally expiring.
  7. "Inactive time" is the maximum number of days the user may go without logging in while the account remains active.
  8. "Expiry time" is an absolute number of days; if used, it gives the lifetime of the account. After it expires, the account is no longer valid and cannot be used to log in.

Here is an example of /etc/shadow:

# cat /etc/shadow

root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::

3. All user group information is stored in the /etc/group file.

User groups are a means by which the Linux system manages users and controls access.

Each user belongs to a user group; a group can have multiple users, and a user can belong to several groups.

When a user is a member of several groups, the group recorded in /etc/passwd is the user's primary group, that is, the default group at login; the other groups are called additional groups.

When the user wants to access a file belonging to an additional group, they must first use the newgrp command to become a member of the group to be accessed.

All user group information is stored in /etc/group. The file's format is similar to /etc/passwd: a number of fields separated by colons (:), namely:

group name:password:group ID:list of users in the group
  1. "Group name" is the name of the group, made up of letters or digits. Like login names in /etc/passwd, group names must not be repeated.
  2. "Password" stores the group's encrypted password. Linux user groups generally have no password, so this field is usually empty or *.
  3. "Group ID", like the user ID, is an integer the system uses internally to identify the group.
  4. "List of users in the group" lists all users belonging to this group, separated by commas (,). The group may be a user's primary group or an additional group.

An example of an /etc/group file:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
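The three file formats above lend themselves to a quick audit: extra UID-0 accounts, empty password fields, locked or invalid hashes, and primary groups with no /etc/group record are all visible from the fields alone. The following is an added example, not part of the original tutorial; the sample records are constructed and the category names are this example's own.

```python
"""Audit /etc/passwd, /etc/shadow and /etc/group records for the risks described above."""
from typing import Dict, List

# Constructed sample records in the three file formats (not from a real system).
PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
toor:x:0:0:Second UID-0 account:/:/bin/sh
daemon:*:1:1:System daemons:/etc:
sam:x:200:50:Sam san:/usr/sam:/bin/sh
guest::201:999:No password set:/home/guest:/bin/sh
"""
SHADOW = """\
root:Dnakfw28zf38w:8764:0:168:7:::
toor:!!:8764:0:0::::
daemon:*::0:0::::
sam::9740:0:0::::
"""
GROUP = """\
root::0:root
daemon::1:daemon
users::50:root,sam
"""
# Characters of a traditional 13-character crypt hash, as described above.
# Modern "$id$salt$hash" formats would need "$" added to this set.
HASH_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def parse_colon_file(text: str, nfields: int) -> List[List[str]]:
    """Split every non-empty line into exactly nfields colon-separated fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields, got {len(fields)}: {line!r}")
        rows.append(fields)
    return rows


def audit(passwd: str, shadow: str, group: str) -> Dict[str, List[str]]:
    """Return findings keyed by category, each a list of affected login names."""
    users = parse_colon_file(passwd, 7)
    shadow_pw = {row[0]: row[1] for row in parse_colon_file(shadow, 9)}
    known_gids = {row[2] for row in parse_colon_file(group, 4)}
    findings: Dict[str, List[str]] = {
        "uid0_not_root": [], "no_password": [], "locked": [],
        "unknown_gid": [], "no_shadow_entry": [],
    }
    for name, pw, uid, gid, _comment, _home, _shell in users:
        if uid == "0" and name != "root":
            findings["uid0_not_root"].append(name)  # shares root's identity
        if gid not in known_gids:
            findings["unknown_gid"].append(name)    # primary group has no /etc/group record
        if pw == "x":                               # real hash lives in /etc/shadow
            if name not in shadow_pw:
                findings["no_shadow_entry"].append(name)
                continue
            pw = shadow_pw[name]
        if pw == "":
            findings["no_password"].append(name)    # empty field: login without a password
        elif not set(pw) <= HASH_CHARS:
            findings["locked"].append(name)         # "*", "!!" etc.: not a hash, login refused
    return findings
```

Run audit() over the real files as root to get the same categories for a live system.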

IV. Adding users in bulk

Adding and deleting users is easy for any Linux system administrator; the hard part is adding dozens, hundreds or even thousands of users, where running useradd for each one is impractical and a simpler way of creating many users is needed. Linux provides a tool for creating users in bulk, which lets you create a large number of users at once, as follows:

(1) Edit a user file.

Each line is written in the format of the /etc/passwd file. Make sure that no two users share the same user name, UID or home directory; the password field can be left empty or filled with x. A sample file user.txt reads as follows:

user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) As root, run the command /usr/sbin/newusers to import the data from the user.txt file just created and create the users:

# newusers < user.txt

You can then run vipw or vi /etc/passwd to check that the users' data has appeared in /etc/passwd and that their home directories have been created.

(3) Run /usr/sbin/pwunconv.

This decodes the shadow passwords generated in /etc/shadow, writes them back to /etc/passwd, and removes the shadow password fields from /etc/shadow. This is done to make the next step, the password conversion, easier; in other words, it temporarily disables the shadow password feature.

# pwunconv

(4) Edit each user's password control file.

A sample file passwd.txt reads as follows:

user001:password
user002:password
user003:password
user004:password
user005:password
user006:password

(5) As root, run /usr/sbin/chpasswd.

This creates the users' passwords: chpasswd encodes the passwords through the /usr/bin/passwd command and writes them to the password field of /etc/passwd.

# chpasswd < passwd.txt

(6) After the encoded passwords have been written to the password field of /etc/passwd:

Run /usr/sbin/pwconv to convert the encoded passwords to shadow passwords and write the result to /etc/shadow.

# pwconv

This completes the bulk creation of users. Afterwards, check that the permissions on the users' home directories under /home are set correctly and verify that the users can log in with their passwords.
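The error-prone part of the procedure is writing user.txt and passwd.txt by hand while keeping names, UIDs and home directories unique and avoiding UIDs already in /etc/passwd. The following added example (not part of the original tutorial) generates both files from a list of login names and then drives the four commands above; the starting UID of 600, the GID of 100 and the 12-character random password policy are this example's own assumptions.

```python
"""Build the user.txt and passwd.txt inputs for the newusers/chpasswd procedure above."""
import secrets
import string
import subprocess
from typing import Callable, List, Tuple


def allocate_uids(passwd_text: str, count: int, floor: int = 600) -> List[int]:
    """Return `count` UIDs >= floor that no record in the given /etc/passwd text uses."""
    used = {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.count(":") == 6}
    uids: List[int] = []
    uid = floor
    while len(uids) < count:
        if uid not in used:
            uids.append(uid)
        uid += 1
    return uids


def random_password(name: str) -> str:
    """Default per-user password: 12 random letters and digits (assumed policy)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(12))


def build_user_files(names: List[str], passwd_text: str, gid: int = 100,
                     shell: str = "/bin/bash",
                     password_for: Callable[[str], str] = random_password) -> Tuple[str, str]:
    """Return (user.txt, passwd.txt) contents for the given login names.

    Enforces the constraints from the procedure: names are unique, contain no ':'
    (the field delimiter) or '.', and do not start with '-' or '+'; each user gets
    a UID that is not already in use and a home directory named after the login.
    """
    if len(set(names)) != len(names):
        raise ValueError("duplicate login names")
    user_lines, pw_lines = [], []
    for name, uid in zip(names, allocate_uids(passwd_text, len(names))):
        if not name or ":" in name or "." in name or name[0] in "-+":
            raise ValueError(f"invalid login name {name!r}")
        # Same layout as /etc/passwd; the password field stays empty for chpasswd to fill.
        user_lines.append(f"{name}::{uid}:{gid}:user:/home/{name}:{shell}")
        pw_lines.append(f"{name}:{password_for(name)}")
    return "\n".join(user_lines) + "\n", "\n".join(pw_lines) + "\n"


def bulk_create(user_txt: str, pw_txt: str) -> None:
    """Run steps (2), (3), (5) and (6) above; requires root and the shadow tools."""
    subprocess.run(["/usr/sbin/newusers"], input=user_txt, text=True, check=True)
    subprocess.run(["/usr/sbin/pwunconv"], check=True)  # fold shadow back into passwd
    subprocess.run(["/usr/sbin/chpasswd"], input=pw_txt, text=True, check=True)
    subprocess.run(["/usr/sbin/pwconv"], check=True)    # move hashes back to /etc/shadow


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        existing = fh.read()
    user_txt, pw_txt = build_user_files([f"user{n:03d}" for n in range(1, 7)], existing)
    print(user_txt)  # review, then call bulk_create(user_txt, pw_txt) as root
```

On current shadow-utils releases chpasswd writes the hashes straight to /etc/shadow, so the pwunconv and pwconv steps are only needed on systems where it updates /etc/passwd as described above.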