#1. Significance of users and user groups#
1) Why users exist
System resources are finite, so the system needs a way to decide who may use what. Allocating resources reasonably takes three cooperating mechanisms:
1. Account (identity)
2. Authorization
3. Authentication
Together these form the "3A" mechanism, the lowest layer of the system's security architecture.
2) What a user group is for
A user group is a logical container that classifies users and lets permissions be granted to all of its members at once.
#2. Existence mode of users and user groups in the system#
ID <--------> name. A user exists only once this mapping is recorded in a file.
A user is one line of text in /etc/passwd.
A user group is one line of text in /etc/group.
#3. User switching#
1) Viewing users
whoami        ##show the current user name
id            ##show the current user's id information
id user       ##show the id information of user
id -u user    ##show only the uid
id -g user    ##show only the primary group id
id -G user    ##show the ids of all groups the user belongs to
id -n         ##show names instead of numbers; cannot be used alone, combine it with -u, -g or -G (e.g. id -Gn user)
User id range: 0-65535
0:           ##Linux superuser id
1-999:       ##ids reserved for the system itself
1000-65535:  ##ids for ordinary users
##these ranges are recorded in /etc/login.defs
2) Switching users
su - username   ##switch to username and load that user's login environment (PATH, HOME, shell)
su username     ##switch to username but keep the current environment
##root -----> ordinary user: no password required
##ordinary user -----> root: root's password required
##ordinary user -----> ordinary user: the target user's password required
Note: leave a switched identity (exit) as soon as you are done with it.
Do not run su repeatedly inside one shell. Each su starts a new nested shell; stacking them leaves the environment and the way back to your own identity in a confusing state.
#4. System configuration files#
(1) /etc/passwd   ##user identity information file
westos:x:1000:1000::/home/westos:/bin/bash
#user name : password placeholder (x, the hash is kept in /etc/shadow) : uid : primary group id : description : home directory : default shell
(2) /etc/group   ##user group information file
westos:x:1000:
#group name : group password : gid : additional members of the group (comma separated)
watch -n 1 "tail -n 4 /etc/passwd /etc/group;echo =======;ls -l /home"   ##run in a second terminal to watch the effect of the user-creation commands below
1) Creating users
useradd username              ##create the user with the defaults
useradd -u id username        ##specify the uid
useradd -g id username        ##specify the primary group (id or name; the group must already exist)
useradd -G id username        ##specify additional groups (comma separated)
useradd -d dir username       ##specify the home directory
useradd -M username           ##do not create a home directory
useradd -c word username      ##specify the description (comment) field
useradd -s shell username     ##specify the login shell
Note: the ranges below assume a 16-bit uid, 2**16 = 0-65535 (current kernels use 32-bit uids; /etc/login.defs sets the practical limits)
##0 is the superuser
##1-200 reserved for the system
##201-999 system users (SYS_UID_MIN to SYS_UID_MAX)
##1000-60000 ordinary users (UID_MIN to UID_MAX)
##/etc/login.defs records the default rules applied when users are created
2) Deleting users
userdel -r username   ##delete the user together with the home directory and mail spool
userdel username      ##delete the account only; the home directory is left behind, and its files keep the now-dangling uid, which a future user with the same uid would inherit
3) Creating and deleting groups
groupadd groupname        ##create the group
groupadd -g id groupname  ##create the group with the specified gid
groupdel groupname        ##delete the group
# 6. Information management of users and user groups#
usermod -l newname username   ##change the user name
usermod -u id username        ##change the uid
usermod -g id username        ##change the primary group
usermod -G id username        ##replace the list of additional groups (the user is removed from any group not listed)
usermod -aG id username       ##append an additional group, keeping the existing ones
usermod -c word username      ##change the description
usermod -d dir username       ##change the home directory field only
usermod -md dir username      ##change the field and move the existing home directory to the new location
usermod -s shell username     ##change the default shell
usermod -L username           ##lock the account (prefixes the password hash in /etc/shadow with "!")
usermod -U username           ##unlock the account
groupmod -g id groupname      ##change the gid of a group
# 7. User authentication information management#
Contents of /etc/shadow
user name : encrypted password : date of last password change : minimum password age : maximum password age : warning period before expiry : inactive period after expiry : account expiration date : reserved (unused)
1) User name
passwd -S lee   ##show the password status of lee
A leading "!" in the password field means the account is locked. passwd -l prefixes the hash with "!!" while usermod -L prefixes a single "!", so the two lock to different degrees: usermod -U strips only one "!", so an account locked with passwd -l is still locked after usermod -U. Unlock with the same tool you locked with. A field containing only "!!" means no password has ever been set for the account (the state right after useradd), so it cannot log in with a password.
2) Encrypted password
Changing the password
passwd lee                       ##only root may set another user's password
echo 123 | passwd --stdin lee    ##non-interactive form (RHEL-family passwd); the password ends up in the command line and shell history, so avoid it outside lab use
passwd                           ##an ordinary user changes their own password:
##Changing password for user lee.
##Current password:      #enter the current password
##New password:          #enter the new password (8 or more characters, an unordered mix of digits and letters)
##Retype new password:   #repeat it
##passwd: all authentication tokens updated successfully.
Locking authentication
passwd -l lee   ##lock the account's password
passwd -u lee   ##unlock it
Deleting the password
passwd -d lee   ##remove the password; depending on the PAM configuration the account may then log in without one, so avoid this
Date of last password change
This field counts days from 1 January 1970 to the day of the last change.
passwd -e lee   ##set it to 0, which marks the password as expired
chage -d 0 lee  ##same effect: lee must change the password at the next login
Minimum password age
passwd -n 1 lee  ##lee cannot change the password again within 1 day
chage -m 1 lee
Maximum password age
passwd -x 40 lee ##lee must change the password within 40 days; after that lee is forced to change it at login, and once the inactive period also passes the account is locked
chage -M 30 lee
Warning before expiry
passwd -w 2 lee  ##warn lee at login starting 2 days before the password expires
chage -W 1 lee
Inactive days after expiry
passwd -i 2 lee  ##for 2 days after the password expires lee can still log in (and must change it); after that the account is disabled
chage -I 1 lee
Account expiration date
chage -E 2025-01-01 lee   ##the account itself stops working on that date (YYYY-MM-DD, example date) regardless of the password state
usermod -e 2025-01-01 lee ##same effect
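To see how the shadow fields above combine, here is an added example (not from the page) that reads /etc/shadow-format lines and reports the lock state and the password-ageing state for a given day. The entries are constructed sample data with placeholder hashes, not a real shadow file, and the lock-marker conventions follow the RHEL-family tools the page uses (passwd -l prefixes "!!", usermod -L prefixes "!"). The function names are this example's own.

```shell
#!/bin/bash
# Added example: audit shadow entries. Sample data below is constructed.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

field() { printf '%s' "$1" | cut -d: -f"$2"; }   # field LINE N

# lock_state LINE -> empty | unset | locked-passwd | locked-usermod | disabled | active
lock_state() {
  case "$(field "$1" 2)" in
    '')     echo empty ;;            # no password at all: may log in without one
    '!!')   echo unset ;;            # never set since useradd; password login impossible
    '!!'*)  echo locked-passwd ;;    # passwd -l
    '!'*)   echo locked-usermod ;;   # usermod -L
    '*')    echo disabled ;;         # no valid hash, typical for system accounts
    *)      echo active ;;
  esac
}

# password_status LINE TODAY -> forced | never | ok:N | warn:N | expired | inactive
# TODAY is days since 1970-01-01, i.e. $(( $(date +%s) / 86400 )) for the real clock.
password_status() {
  local line=$1 today=$2 lastchg max warn inactive expire left
  lastchg=$(field "$line" 3); max=$(field "$line" 5)
  warn=$(field "$line" 6);    inactive=$(field "$line" 7)
  if [ "$lastchg" = 0 ]; then echo forced; return; fi          # chage -d 0 / passwd -e
  if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return; fi
  expire=$((lastchg + max))
  left=$((expire - today))
  if [ "$left" -lt 0 ]; then
    # past the maximum age: usable for $inactive more days (change forced at login), then disabled
    if [ -n "$inactive" ] && [ $((today - expire)) -gt "$inactive" ]; then echo inactive; else echo expired; fi
  elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
    echo "warn:$left"
  else
    echo "ok:$left"
  fi
}

# audit_shadow FILE TODAY -> one "name lock-state password-status" line per entry
audit_shadow() {
  local line
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    printf '%s %s %s\n' "$(field "$line" 1)" "$(lock_state "$line")" "$(password_status "$line" "$2")"
  done < "$1"
}

# Constructed sample file (hashes are placeholders, not real crypt output).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$saltroot$placeholderhash:19000:0:99999:7:::
bin:*:18500:0:99999:7:::
lee:$6$saltlee$placeholderhash:19000:1:40:2:3::
westos:!!:19000:0:99999:7:::
newhire:$6$saltnew$placeholderhash:0:0:30:2:::
locked1:!!$6$saltl1$placeholderhash:19000:0:99999:7:::
locked2:!$6$saltl2$placeholderhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
audit_shadow "$SAMPLE" 19039      # day 19039: lee's 40-day password is 1 day from expiry
rm -f "$SAMPLE"
```

Run it as root against the real file with `audit_shadow /etc/shadow "$(( $(date +%s) / 86400 ))"`; the lines to act on are `empty` (no password required) and `active never` on accounts that should be ageing.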
#Ordinary users cannot run system management commands
#For an ordinary user to perform management actions, root has to grant them
Authorization method for ordinary users: sudo
Function: lets an ordinary user run specified commands under a specified identity (normally root)
Authorization method: visudo   ##edits /etc/sudoers under a lock and checks the syntax before saving
##editing /etc/sudoers directly with vim gives no syntax check, and one bad line can disable sudo for everyone
##if visudo is left abnormally, for example suspended with ctrl+z, run fg to return to it; until it exits the lock stays held
##the rules go near line 100 of the file
Rule format
username hostname=(newusername) [NOPASSWD:] /command, /command1
#lee on host linux.westos.com may run useradd as root (lee's own password is asked)
lee linux.westos.com=(root) /usr/sbin/useradd
#westos on host linux.westos.com may run useradd and userdel as root without a password
westos linux.westos.com=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel
Related commands
hostname       ##show the name of the current host; it must match the hostname field of the rule (or use ALL)
which useradd  ##find the full path of useradd; sudoers rules must name commands by full path
Test:
su - lee
sudo useradd westostest    ##the first time lee runs sudo, lee's own password is requested
exit                       #leave lee
su - westos
sudo userdel -r westostest ##westos runs userdel without a password
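As an added example (not from the page), the script below builds rules in the format shown above, writes them as a sudoers drop-in with the mode sudo expects, and validates them with visudo -c before they go anywhere near /etc/sudoers.d. The user, host and command values are the page's; writing to a temporary file instead of /etc/sudoers.d is an assumption so that it runs unprivileged, and the function names are this example's own.

```shell
#!/bin/bash
# Added example: generate, write and syntax-check a sudoers drop-in.

# sudoers_rule USER HOST RUNAS NOPASSWD(0|1) CMD... -> one rule line on stdout
sudoers_rule() {
  local user=$1 host=$2 runas=$3 nopass=$4 cmds tag=""
  shift 4
  cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }            # "/a, /b": absolute paths only, no wildcards
  [ "$nopass" = 1 ] && tag="NOPASSWD: "
  printf '%s %s=(%s) %s%s\n' "$user" "$host" "$runas" "$tag" "$cmds"
}

# write_dropin FILE RULE... -> writes one rule per line, mode 0440 as sudo requires
write_dropin() {
  local file=$1 old_umask
  shift
  old_umask=$(umask); umask 077                            # never world-readable, even briefly
  printf '%s\n' "$@" > "$file"
  umask "$old_umask"
  chmod 0440 "$file"
}

# check_dropin FILE -> 0 if visudo accepts the syntax (or visudo is absent, with a warning)
check_dropin() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$1"
  else
    echo "warning: visudo not installed, $1 was not validated" >&2
  fi
}

# Demo run into a temporary file; the real target would be /etc/sudoers.d/westos (assumed name).
DEMO=$(mktemp)
write_dropin "$DEMO" \
  "$(sudoers_rule lee    linux.westos.com root 0 /usr/sbin/useradd)" \
  "$(sudoers_rule westos linux.westos.com root 1 /usr/sbin/useradd /usr/sbin/userdel)"
cat "$DEMO"
check_dropin "$DEMO" || echo "rejected: fix $DEMO before installing it" >&2
rm -f "$DEMO"
```

Two caveats a reviewer of such a rule should raise: visudo -c as a non-root user may reject the temporary file for wrong ownership even when the syntax is fine, so treat the final check as something to run as root on the installed file; and NOPASSWD on useradd or usermod is effectively root (for example `useradd -o -u 0` or `usermod -aG wheel`), so grant it only to someone you would trust with root anyway.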
###test###
1. Create the user groups shengchan, caiwu and jishu with the following requirements:
*the gid of shengchan is 8000
*the gid of caiwu is 8001
*the gid of jishu is 8002
2. Create the users westos, linux, lee and westosadmin with the following requirements:
*the additional groups of westos are shengchan and jishu
*the primary group of lee is caiwu, the additional group is jishu, and lee's uid must equal its gid
*linux is a system account and cannot be used interactively by an operator
*westosadmin belongs to none of the three departments but can manage users freely in the system
3. *the passwords of all the above users are westos, and each user must change it at the first login
*the passwords must be changed within 30 days, with a warning 2 days before expiry
4. Create directories with the following requirements:
*new directories /sc /cw /js /pub
*/sc is the data directory of the production department (shengchan): only its members may read and write it, and files created in /sc belong to the production department
*/cw is the data directory of the finance department (caiwu): only its members may read and write it, and files created in /cw belong to the finance department
*/js is the data directory of the technical department (jishu): only its members may read and write it, and files created in /js belong to the technical department
*/pub is the company's public directory, readable and writable by every employee
[root@westoslinux Desktop]# groupadd -g 8000 shengchan
[root@westoslinux Desktop]# groupadd -g 8001 caiwu
[root@westoslinux Desktop]# groupadd -g 8002 jishu
[root@westoslinux Desktop]# useradd -G shengchan,jishu westosuser
[root@westoslinux Desktop]# useradd -u 8001 -g caiwu -G jishu lee      #uid 8001 equals the gid of caiwu
[root@westoslinux Desktop]# useradd -s /sbin/nologin linux             #no interactive shell
[root@westoslinux Desktop]# visudo
[root@westoslinux Desktop]# id westosadmin
uid=0(root) gid=0(root) groups=0(root)
#the command that created westosadmin is not shown; the id output shows it was given uid 0, i.e. a second root account. A visudo rule granting only the user-management commands is the safer answer to "can manage users freely".
[root@westoslinux Desktop]# echo westos | passwd --stdin westosuser
[root@westoslinux Desktop]# echo westos | passwd --stdin lee
[root@westoslinux Desktop]# echo westos | passwd --stdin linux
[root@westoslinux Desktop]# echo westos | passwd --stdin westosadmin
[root@westoslinux Desktop]# passwd -e westosuser          #force a change at first login
[root@westoslinux Desktop]# passwd -e lee
[root@westoslinux Desktop]# passwd -e linux
[root@westoslinux Desktop]# passwd -e westosadmin
[root@westoslinux Desktop]# passwd -x 30 -w 2 westosuser  #30-day maximum age, warn 2 days before
[root@westoslinux Desktop]# passwd -x 30 -w 2 lee
[root@westoslinux Desktop]# passwd -x 30 -w 2 linux
[root@westoslinux Desktop]# passwd -x 30 -w 2 westosadmin
[root@westoslinux Desktop]# mkdir /sc /cw /js /pub
[root@localhost Desktop]# chgrp shengchan /sc
[root@localhost Desktop]# chgrp caiwu /cw
[root@localhost Desktop]# chgrp jishu /js
[root@localhost Desktop]# chmod 2770 /sc /cw /js   #770 alone does not make new files belong to the department; the setgid bit (2) makes files created inside inherit the directory's group
[root@localhost Desktop]# chmod 777 /pub/          #meets the requirement; 1777 (sticky bit) would additionally stop employees deleting each other's files
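The exercise as a re-runnable provisioning script, added here as an example rather than taken from the page. It follows the requirement list's user names and differs from the page's solution in three places: setgid on the department directories (2770) so files created inside inherit the department group; the sticky bit on /pub (1777) so one employee cannot delete another's files; and a sudoers drop-in for westosadmin instead of a second uid-0 account. By default it only prints the commands it would run (a dry-run plan that can be reviewed without root); set APPLY=1 to execute them as root. The sudoers path, the use of chpasswd, and the helper names are this example's assumptions.

```shell
#!/bin/bash
# Added example: provision the exercise's groups, users, ageing rules and directories.
# Default is a dry run that prints the plan; APPLY=1 runs the commands (as root).

run() {                                # run CMD ARGS... : execute or print
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

ensure_group() {                       # ensure_group NAME GID (idempotent)
  getent group "$1" >/dev/null 2>&1 || run groupadd -g "$2" "$1"
}

ensure_user() {                        # ensure_user NAME USERADD_ARGS... (idempotent)
  local name=$1; shift
  getent passwd "$name" >/dev/null 2>&1 || run useradd "$@" "$name"
}

set_password() {                       # set_password NAME PASSWORD (never on the command line)
  if [ "${APPLY:-0}" = 1 ]; then
    printf '%s:%s\n' "$1" "$2" | chpasswd
  else
    printf 'chpasswd <<< %s:***\n' "$1"
  fi
}

dept_dir() {                           # dept_dir PATH GROUP: group-private, files inherit the group
  run mkdir -p "$1"
  run chgrp "$2" "$1"
  run chmod 2770 "$1"                  # setgid bit + rwx for owner and group, nothing for others
}

install_sudoers() {                    # install_sudoers USER FILE: user-management commands only
  local rule="$1 ALL=(root) /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupmod, /usr/sbin/groupdel, /usr/bin/passwd, /usr/bin/chage"
  if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rule" > "$2.tmp" && visudo -cf "$2.tmp" && install -m 0440 "$2.tmp" "$2"
    rm -f "$2.tmp"
  else
    printf 'write %s: %s\n' "$2" "$rule"
  fi
}

provision() {
  ensure_group shengchan 8000
  ensure_group caiwu 8001
  ensure_group jishu 8002

  ensure_user westos -G shengchan,jishu
  ensure_user lee -u 8001 -g caiwu -G jishu        # uid 8001 == gid of caiwu
  ensure_user linux -r -M -s /sbin/nologin         # system account, no shell, no home
  ensure_user westosadmin                          # no department, manages users via sudo
  install_sudoers westosadmin /etc/sudoers.d/westosadmin   # assumed path

  local u
  for u in westos lee linux westosadmin; do
    set_password "$u" westos
    run chage -d 0 -M 30 -W 2 "$u"   # change at first login, 30-day maximum, warn 2 days before
  done

  dept_dir /sc shengchan
  dept_dir /cw caiwu
  dept_dir /js jishu
  run mkdir -p /pub
  run chmod 1777 /pub                # everyone may write; sticky bit protects others' files
}

provision
```

Note that the sudoers rule still makes westosadmin root-equivalent in practice (passwd and usermod can reach root), but unlike a shared uid 0 it is auditable in the sudo log and revocable by deleting one file.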