Managing local users and groups on Linux from the command line
Local users and groups: used to manage files, processes, and so on
Local users and groups:
1) root: the superuser, the first account created by the system
Characteristics:
uid: 0
home directory: /root
has complete control of the system: use with care.
[root@servera ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@servera ~]#
2) Regular users: do not have administrator privileges
uid range:
1000 <= uid <= 60000
home directory: /home/<username>
[root@servera ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
3) Service users: provide the identity and privileges a service runs with
0 < uid < 1000
home directory: the service's application directory
[root@servera ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)
For software installed with yum or rpm, the service account is created by scripts in the rpm package; the httpd configuration excerpt below, for example, runs the daemon as the apache user and group:
Include conf.modules.d/*.conf
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User apache
Group apache
# "Main" server configuration
Local groups:
1) Primary group: every user must belong to a primary group. When the user creates a file, the primary group becomes the file's owning group.
2) Supplementary groups: containers for users, used to organize and manage users and to control permissions.
What they act on:
Files:
Processes:
[student@servera ~]$ ps -ux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
student 32178 0.0 0.4 93052 9360 ? Ss 15:00 0:00 /usr/lib/system
student 32182 0.0 0.3 253776 7072 ? S 15:00 0:00 (sd-pam)
student 32188 0.0 0.2 159412 4980 ? S 15:00 0:00 sshd: student@p
student 32189 0.0 0.2 233912 4864 pts/0 Ss 15:00 0:00 -bash
student 32293 0.3 0.2 159408 5192 ? D 15:43 0:00 sshd: student@p
student 32294 0.3 0.2 233912 4924 pts/1 Ss 15:43 0:00 -bash
student 32319 0.5 0.2 233940 4804 pts/1 S 15:43 0:00 /bin/bash
student 32341 0.0 0.2 269312 3876 pts/1 R+ 15:43 0:00 ps -ux
[student@servera ~]$
Account files:
1) /etc/passwd: stores user information
[root@servera tmp]# cat /etc/passwd |grep student
student:x:1000:1000:Student User:/home/student:/bin/bash
fields: username : password : uid : primary gid : description : home directory : login shell
[root@servera tmp]#
[root@servera tmp]# cat /etc/passwd |grep -w root:x
root:x:0:0:root:/root:/bin/bash
[root@servera tmp]# cat /etc/passwd |grep apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
Service accounts cannot log in to the system (the login shell is /sbin/nologin).
2) /etc/shadow: stores the user's password hash, password validity information, the time of the last password change, and the account expiry date.
[root@servera tmp]# ls -l /etc/shadow
----------. 1 root root 1014 Mar 29 11:39 /etc/shadow
[root@servera tmp]# cat /etc/shadow |grep student
student:$6$8oIjLCsc$/n1iQXYh1E6.uOEuJKgioqAtmqm2TQmkJGF2RwyteIr1tIfrPdiRYgWe6Sjen5/eMij2uHM/a1tue/QRlo3X80:18038:0:99999:7:::
Password hash: sha512 (the $6$ prefix), followed by the salt and the hash value:
8oIjLCsc$/n1iQXYh1E6.uOEuJKgioqAtmqm2TQmkJGF2RwyteIr1tIfrPdiRYgWe6Sjen5/eMij2uHM/a1tue/QRlo3X80
18038: days; date of the last password change, counted as 1970-01-01 + 18038 days
0: minimum password age in days; 0 means no limit, the user can change the password at any time
99999: maximum password age in days; effectively permanent (more than 200 years)
7: warning period; the user is told to change the password 7 days before it reaches its maximum age
(empty): inactive period in days; once the password has passed its maximum age without being changed, the account is locked this many days later
(empty): account expiry date
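To make the field meanings above concrete, here is an added example (not part of the original notes) that decodes shadow entries and flags the conditions an account audit looks for: empty or weak password fields, passwords that never expire, and expired accounts. The sample lines are constructed from the entries shown on this page, with placeholder hash strings.

```python
# Decode /etc/shadow entries and flag the conditions an account audit looks for. Added example;
# the sample is constructed from the entries shown above, with placeholder (not real) hash strings.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # the day counts in /etc/shadow are days since this date
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
SHADOW_SAMPLE = """\
root:$6$SaLt$FAKEHASHroot:18038:0:99999:7:::
student:$6$8oIjLCsc$FAKEHASHstudent:18038:0:99999:7:::
zhangsan:!!:18350:0:99999:7:::
apache:*:18038:0:99999:7:::
tmpuser:$6$SaLt$FAKEHASHtmp:18000:0:30:7:10:18100:
"""
def parse_shadow_line(line):
    """Split one entry into its nine fields and decode them as described above."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last, minage, maxage, warn, inactive, expire, _reserved = fields
    to_int = lambda s: int(s) if s else None                 # empty field = not set
    to_date = lambda s: EPOCH + timedelta(days=int(s)) if s else None
    if pw == "":
        state, algo = "empty", None        # no password at all: login needs none
    elif pw.startswith("!"):
        state, algo = "locked", None       # '!!' never set, '!' locked by passwd -l
    elif pw.startswith("$"):
        state, algo = "hashed", HASH_IDS.get(pw.split("$")[1], "unknown")
    else:
        state, algo = "nologin", None      # e.g. '*' on service accounts
    return {"name": name, "state": state, "algo": algo, "last_change": to_date(last),
            "min_days": to_int(minage), "max_days": to_int(maxage), "warn_days": to_int(warn),
            "inactive_days": to_int(inactive), "expires": to_date(expire)}

def audit_entry(entry, today):
    """Findings for one decoded entry; `today` is a datetime.date."""
    findings = []
    if entry["state"] == "empty":
        findings.append("empty password field: login without a password")
    if entry["algo"] in ("md5", "unknown"):
        findings.append(f"weak or unknown hash id ({entry['algo']})")
    if entry["state"] == "hashed" and (entry["max_days"] is None or entry["max_days"] >= 99999):
        findings.append("password never expires")
    if entry["expires"] is not None and entry["expires"] < today:
        findings.append(f"account expired on {entry['expires']}")
    return findings

def audit_file(text, today_iso):
    """Audit a whole shadow file; returns {user: [findings]} for a given YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    return {e["name"]: audit_entry(e, today) for e in map(parse_shadow_line, text.splitlines())}
```

Running `audit_file(SHADOW_SAMPLE, "2020-03-29")` reports root as never expiring and tmpuser as expired, while the locked zhangsan entry and the `*` service account produce no findings.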
Creating users and groups:
A newly created user has no password:
[root@servera ~]# useradd zhangsan
[root@servera ~]# useradd lisi
[root@servera ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
[root@servera ~]# id lisi
uid=1002(lisi) gid=1002(lisi) groups=1002(lisi)
The user cannot log in yet; this is enforced by PAM:
[student@servera ~]$ su - zhangsan
Password:
su: Authentication failure
Setting a password:
[root@servera ~]# cat /etc/passwd |grep zhangsan
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
[root@servera ~]# cat /etc/shadow |grep zhangsan
zhangsan:!!:18350:0:99999:7::: # !! means no password has been set
[root@servera ~]# passwd zhangsan
Changing password for user zhangsan.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@servera ~]# cat /etc/shadow |grep zhangsan
zhangsan:$6$3wxuXomVbQ58wQcK$oQW6injgldxa2N/Pt4tCPDVRqWRVGw.UNZdxE4R0nhEt8K/3UDKzxap6ReIReEvDpG.GdwjpMiiDh7.f6DJNQ0:18350:0:99999:7:::
chage can be used to view a user's password-aging attributes:
[root@servera ~]# chage -l zhangsan
Last password change : Mar 29, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Creating groups (supplementary groups):
[root@servera ~]# groupadd it
[root@servera ~]# groupadd sales
[root@servera ~]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:student
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
users:x:100:
nobody:x:65534:
dbus:x:81:
utmp:x:22:
utempter:x:35:
input:x:999:
kvm:x:36:
render:x:998:
systemd-journal:x:190:
systemd-coredump:x:997:
systemd-resolve:x:193:
tss:x:59:
polkitd:x:996:
rpc:x:32:
unbound:x:995:
ssh_keys:x:994:
sssd:x:993:
setroubleshoot:x:992:
rpcuser:x:29:
insights:x:991:
cockpit-ws:x:990:
sshd:x:74:
chrony:x:989:
tcpdump:x:72:
student:x:1000:
printadmin:x:988:
libstoragemgmt:x:987:
slocate:x:21:
postdrop:x:90:
postfix:x:89:
apache:x:48:
zhangsan:x:1001:
lisi:x:1002:
it:x:1003:   # the last field is the member list (empty so far)
sales:x:1004:
Adding users to groups: zhangsan joins the it group, lisi joins the sales group
[root@servera ~]# usermod -aG it zhangsan
[root@servera ~]# usermod -aG sales lisi
[root@servera ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),1003(it)
[root@servera ~]# id lisi
uid=1002(lisi) gid=1002(lisi) groups=1002(lisi),1004(sales)
[root@servera ~]# useradd andy
[root@servera ~]# userdel andy
[root@servera ~]# useradd andy   # recreating andy does not give back the same account: the uid can differ
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[root@servera ~]# useradd user1
[root@servera ~]# useradd user2
[root@servera ~]# id andy
uid=1003(andy) gid=1005(andy) groups=1005(andy)
[root@servera ~]# userdel -r any
userdel: user "any" does not exist
[root@servera ~]# userdel -r andy   # -r does not keep the user's files: the home directory, mail spool and the files copied from skel are all removed
[root@servera ~]# id andy
id: ‘andy’: no such user
[root@servera ~]# useradd andy
[root@servera ~]# id andy
uid=1006(andy) gid=1008(andy) groups=1008(andy)
Removing a user from a group:
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),1003(it)   # zhangsan is the primary group, it is a supplementary group
Using the command:
[root@servera ~]# gpasswd -d zhangsan it
Removing user zhangsan from group it
[root@servera ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
[root@servera ~]# usermod -aG it zhangsan
[root@servera ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),1003(it)
[root@servera ~]# groups zhangsan
zhangsan : zhangsan it
Editing the file directly:
[root@servera ~]# vim /etc/group
[root@servera ~]# cat /etc/group |grep it:
it:x:1003:
[root@servera ~]# groupadd test
[root@servera ~]# groupdel test
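As an added example (not from the original notes), the following rebuilds the `id` output shown above from the contents of /etc/passwd and /etc/group and models the three ways the member list changed in this section: `gpasswd -d`, `usermod -aG`, and plain `usermod -G`, which without `-a` replaces the user's supplementary groups instead of adding to them. Both file snippets are constructed from the listings on this page.

```python
# Rebuild the `id` output shown above from /etc/passwd and /etc/group, and model gpasswd -d,
# usermod -aG and plain usermod -G. Added example; both files are constructed from this page.
PASSWD_SAMPLE = """\
student:x:1000:1000:Student User:/home/student:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
lisi:x:1002:1002::/home/lisi:/bin/bash
"""
GROUP_SAMPLE = """\
wheel:x:10:student
student:x:1000:
zhangsan:x:1001:
lisi:x:1002:
it:x:1003:zhangsan
sales:x:1004:lisi
"""

def parse_passwd(text):
    users = {}  # name -> {uid, gid, shell}; the gid field is the primary group
    for line in text.splitlines():
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    groups = {}  # name -> {gid, members}; the last field is the member list
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups

def id_line(user, users, groups):
    """Same shape as `id user`: primary group from passwd, the rest from member lists."""
    u = users[user]
    primary = next(n for n, g in groups.items() if g["gid"] == u["gid"])
    supp = [(g["gid"], n) for n, g in groups.items()
            if user in g["members"] and g["gid"] != u["gid"]]
    parts = [f"{u['gid']}({primary})"] + [f"{gid}({n})" for gid, n in supp]
    return f"uid={u['uid']}({user}) gid={u['gid']}({primary}) groups={','.join(parts)}"

def remove_from_group(groups, user, group):
    """Effect of `gpasswd -d user group`: drop the name from that member list."""
    groups[group]["members"] = [m for m in groups[group]["members"] if m != user]

def set_supplementary(groups, user, new_groups, append):
    """usermod -aG (append=True) adds; plain usermod -G (append=False) replaces the list."""
    for name, g in groups.items():
        if not append and name not in new_groups:
            g["members"] = [m for m in g["members"] if m != user]
        elif name in new_groups and user not in g["members"]:
            g["members"].append(user)
```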
Creating a user with custom attributes:
Exercise: username mary, uid 2000, home directory /maryhome, not allowed to log in to the system, description "this is mary user"
[root@servera ~]# useradd -u 2000 -d /maryhome -s /sbin/nologin -c "this is mary" mary
[root@servera ~]# id mary
uid=2000(mary) gid=2000(mary) groups=2000(mary)
[root@servera ~]# cat /etc/passwd |grep mary
mary:x:2000:2000:this is mary:/maryhome:/sbin/nologin
[root@servera ~]# su - mary
Last login: Sun Mar 29 16:48:49 CST 2020 on pts/0
This account is currently not available.
Creating a group with a specified gid:
[root@servera ~]# groupadd -g 3000 group1
[root@servera ~]# cat /etc/group |grep group1
group1:x:3000: