ID:ChinaUnix2013
1. User and user group files
In Linux, user accounts, user passwords, user group information and user group passwords are stored in different configuration files.
In the Linux system, the created user account and its related information (except password) are stored in the /etc/passwd configuration file. Because all users have read permissions on the passwd file, the password information is not saved in the file, but in the /etc/shadow configuration file.
In the passwd file, one line defines a user account. Each line is composed of multiple different arrays. The values of each array are separated by ":". Each array represents a certain aspect of the account's information.
In the newly installed Linux system, the passwd configuration file already contains a lot of account information. These accounts are manually created by the system. They are the accounts that are required for the normal operation of the Linux process or some service programs. Linux course , the value of the last array of this kind of account is usually /sbin/nologin, which means that this account cannot be used to log in to the Linux system.
In the passwd configuration file, the corresponding relationship and meaning of each array from left to right:
Because passwd no longer saves password information, it is represented by x placeholder.
To prevent a user account from logging into Linux, just set the shell used by the user to /sbin/nologin. For example, for FTP accounts, usually only login and access to the FTP server are allowed, and login to the Linux operating system is not allowed. If a user does not have telnet permissions, that is, the user is not allowed to remotely log in and access the Linux operating system through telnet, just set the shell used by the user to /bin/true. If you want the user to not have telnet and ftp login permissions, you can set the user's shell to /bin/false.
In the /etc/shells file, if there is no /bin/true or /bin/false, you need to add it automatically:
[root@localhost~]#echo"/bin/false">>/etc/shells
[root@localhost~]#echo"/bin/true">>/etc/shells
2. User password file
For security reasons, the user's real password is encrypted using the MD5 encryption algorithm and stored in the /etc/shadow configuration file. This file can only be read by the root user.
Similar to the passwd file, the shadow file also defines and saves information related to an account per line. The first array is the user account name, and the second array is the account password.
3. User group account file
User group account information is stored in the /etc/group configuration file What is the Linux system user configuration file?, any user can read it. The real password of the user group is stored in the /etc/gshadow configuration file.
In group, the first array represents the name of the user group, the second array is x, the third is the ID number of the user group, and the fourth is the list of user members of the user group. Between each user name Separate with colons.
4. Add user
To create or add a new user, use the useradd command. The command usage is:
useradd[option]username
This command has many options, the commonly used ones are:
-cComment user sets the comment description text for the account
-d home directory specifies the home directory to replace the default /home/username
-mIf the home directory does not exist, create it. -r combined with -m creates a home directory for the system account
-MDo not create home directory
-edate specifies the date the account will expire. The date format is MM/DD/YY
-fdays account will be permanently suspended after a few days of expiration. If it is specified as -, it will be suspended immediately. If it is -1, this function will be turned off
-gUser group specifies which user group to add the user to. The user group must exist
-GUser group list specifies the list of user groups that the user joins at the same time. Each group is separated by commas
-nDo not create private user groups for users
-sshell specifies the shell used when the user logs in, the default is /bin/bash
-rCreate a system account with a user ID greater than 500, and the corresponding home directory will not be created by default
-uUser ID automatically specifies the ID value of the new user, which must be unique and less than 499
-ppassword specifies the login password for the new user. The password here is the password value obtained after MD5 encryption of the corresponding login password, which does not match the original text of the real password. Therefore, in actual applications, this parameter option is rarely used, and the passwd command is generally used alone to set the login password for the user.
Example:
To create a user named nisj as a member of the babyfish user group, the operation command is:
[root@localhost~]#useradd-gbabyfishnisj
[root@localhost~]#idnisj
uid=502(nisj)gid=500(babyfish)groups=500(babyfish)
[root@localhost~]#tail-1/etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
When adding a user, if the user group is not specified with the -g parameter, the system will manually create a private user group with the same name as the user account by default. If you do not need to create this private user group, you can use the -n parameter.
For example, if you add an account named nsj820 but do not specify a user group, the operation result is:
[root@localhost~]#useraddnsj820
[root@localhost~]#idnsj820
uid=503(nsj820)gid=503(nsj820)groups=503(nsj820)
[root@localhost~]#tail-1/etc/passwd
nsj820:x:503:503::/home/nsj820:/bin/bash
[root@localhost~]#tail-2/etc/passwd
nisj:x:502:500::/home/nisj:/bin/bash
nsj820:x:503:503::/home/nsj820:/bin/bash#The system manually created a user group named nsj820 with the ID number 503
When creating a user account, the system will manually create the home directory corresponding to the user. This directory is placed in the /home directory by default. If you want to change the location, you can specify it with the -d parameter; for the shell used by the user to log in, the default It is /bin/bash. If you want to modify it, use the -s parameter to specify
For example, if you want to create an account named vodup, place the home directory in the /var directory, and specify the login shell as /sbin/nologin, the operation command is:
[root@localhost~]#useradd-d/var/vodup-s/sbin/nologinvodup
[root@localhost~]#idvodup
uid=504(vodup)gid=504(vodup)groups=504(vodup)
[root@localhost~]#tail-1/etc/passwd
vodup:x:504:504::/var/vodup:/sbin/nologin
[root@localhost~]#tail-1/etc/group
vodup:x:504:
5. Set account attributes
For created users, you can use the usermod command to change and set various attributes of the account, including login name, home directory, user group, login shell, etc. The usage of this command is:
usermod[option]username
Some options
(1)Change user account name
Use the -l parameter to achieve this. The command usage is:
usermod-lNew usernameOriginal username
For example, if you want to rename user nsj820 to nsj0820, the operation command is:
[root@localhost~]#usermod-lnsj0820nsj820
[root@localhost~]#idnsj0820
uid=503(nsj0820)gid=503(nsj820)groups=503(nsj820)
[root@localhost~]#tail-1/etc/passwd
nsj0820:x:503:503::/home/nsj820:/bin/bash
It can be seen from the output that the user name has been changed to nsj0820. The home directory is still the original /home/nsj820. If you want to change it to /home/nsj0820What is the Linux system user configuration file?, you can do it by executing the following command
[root@localhost~]#usermod-d/home/nsj0820nsj0820
[root@localhost~]#idnsj0820
uid=503(nsj0820)gid=503(nsj820)groups=503(nsj820)
[root@localhost~]#tail-1/etc/passwd
nsj0820:x:503:503::/home/nsj0820:/bin/bash
[root@localhosthome]#mv/home/nsj820/home/nsj0820
(2)Lock account
If you want to temporarily prohibit a user from logging in, you can lock the user account. Locking the account can be achieved with the -L parameter. The command usage is:
usermod-LAccount to be locked
Linux locks a user by adding "!" in front of the password array of the password file shadow to indicate that the user is locked.
[root@localhosthome]#usermod-Lnsj0820
[root@localhosthome]#tail-1/etc/shadow
nsj0820:!$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
But you can enter through the root user and then su to the locked user.
(3)Unlock account
To unlock the account, you can use the usermod command with the -U parameter.
[root@localhost~]#usermod-Unsj0820
[root@localhost~]#tail-1/etc/shadow
nsj0820:$1$JEW25RtU$X9kIdwJi/HPzSKMVe3EK30:16910:0:99999:7:::
6. Delete account
To delete an account, you can use the userdel command. Its usage is:
userdel[-r]Account name
-r is optional. If this parameter is provided, the home directory corresponding to the account will be deleted at the same time as the account is deleted.
[root@localhost~]#userdel-rnsj0820
To set the expiration time of all user account passwords, you can change the value of the PASS_MAX_DAYS configuration item in the /etc/login.defs configuration file. Its default value is 99999, which means that user account passwords will never expire. The PASS_MIN_LEN configuration item is used to specify the minimum width of the account password, which defaults to 5 characters.
7. Set user login password
Use the passwd command to set it. The command usage is:
passwd[account name]
If an account name is specified, the login password of the specified account is set, and the original password is manually overwritten. Only the root user has the authority to set the password for a specified account. Typically users can only set or change the password for their own account (without parameters).
For example, if you want to set the login password of the nisj account, the operation command is:
[root@localhosthome]#passwdnisj
Changingpasswordforusernisj.
Newpassword:
BADPASSWORD:itistooshort
BADPASSWORD:istoosimple
Retypenewpassword:
passwd:allauthenticationtokensupdatedsuccessfully.
After the account login password is set, the account can log in to the system.
8. Lock/unlock account password and query password status, delete account password
In LINUX, when LINUX deletes a directory, not only the user account can be locked, but the account password can also be locked. After either party is locked, they will not be able to log in to the system. Only the root user has the right to execute this command. To lock the account password, use the passwd command with the -l option. Its usage is:
passwd-laccountname
passwd-uaccountname#Unlock account password
[root@localhosthome]#passwd-lnisj
Lockingpasswordforusernisj.
passwd:Success
[root@localhosthome]#passwd-unisj
Unlockingpasswordforusernisj.
passwd:Success
To check whether the password of the current account is locked, you can use the passwd command with the -S parameter. Its usage is:
passwd-S account name
for example
[root@localhosthome]#passwd-Snisj
The above is the detailed content of Application system settings of user and user group files in Linux. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
