[Share Experiences] UOS 1060a Sharing Series on User and Group Management
Board: Experiences and Insight
Posted by SuperDavid (Moderator, original poster), 2024-08-30 17:50
I. Concepts of Users and Groups
(1) What is a User?
Different services run as different users for better security. Using multiple users also keeps each service's files and resources separate and makes permission distribution and management easier.
Within the system, each user is assigned a unique identifier (User ID or UID) to distinguish them, while usernames are created for ease of use. Typically, users are given a password for login authentication.
There are three main types of users:
Super Administrator: Manages the system with UID 0 and has full system access.
System Users: Provide support services and processes. These processes (or daemons) generally do not run as super users. The system assigns non-privileged accounts to ensure their files and resources are unaffected by others. Users cannot log in interactively with system user accounts.
Normal Users: Have limited system access.
Use the id command to display information about the currently logged-in user.
[root@1060a ~]# id
uid=0(root) gid=0(root) groups=0(root)
(2) What is a User Group?
A group is a collection of users. Groups can be used to grant file access permissions to a set of users rather than just a single user. Groups are distinguished by a unique identifier (Group ID or GID) internally, and group names are for user convenience.
For a user, user groups can be divided into primary groups and supplementary groups.
Primary Group (Main Group): If no user group is specified during user creation, the system creates a user group with the same name as the username, which is the user's private group.
Supplementary Group (Secondary Group): A user can belong to multiple supplementary groups besides the primary group.
In the output of the id command, the Group ID represents the primary group, and the Groups field lists the supplementary groups.
(3) Explanation of User and Group Related Files
/etc/passwd: This file contains user account information, storing all users' basic details, and is readable by all users. Each line has seven fields separated by colons (:), for example:
root:x:0:0:root:/root:/bin/bash
Username:Password Placeholder:UID:GID:Description:Home Directory:Default Shell
Password Placeholder: x; the actual encrypted password is stored in /etc/shadow, and an empty field means no password is required.
Default Shell: The shell started at login. A shell of /sbin/nologin refuses interactive logins, which is what system users are given.
/etc/shadow: This file stores each user's encrypted password and password-aging settings, for example:
root:XXXX:19663:0:90:7:::
Username:Encrypted Password:Last Password Change Date:Minimum Password Age:Maximum Password Age:Warning Period:Inactive Period:Expiration Date:Reserved
Encrypted Password: The encrypted password. !! indicates no password has been set, and an empty field means the password has been removed.
Last Password Change Date: The number of days since January 1, 1970, when the password was last changed. For example, 19663 represents the 19663rd day after January 1, 1970.
Use the following command to convert it to a standard date:
[root@1060a ~]# date -d '1970-01-01 19663 days'
Thu Nov 2 00:00:00 CST 2023
Password Verification: When a user attempts to log in, the system looks up the user's entry in /etc/shadow, combines the user's salt with the entered password, hashes it with the specified algorithm, and compares the result with the stored hash.
/etc/group: This file contains information about user groups.
root:x:0:
Group Name:Password Placeholder:GID:Group Members
Group Name: The name of the group.
Password Placeholder: Always x.
GID: The group ID.
Group Members: Users belonging to the group.
/etc/gshadow: Stores group password information, accessible only by the root user.
root:::
Group Name:Group Password:Group Administrator:Group Members
Group Name: The name of the group.
Group Password: The encrypted group password.
Group Administrator: Can manage the group using the gpasswd command.
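As an added example (not code from the original post), the following script applies the /etc/passwd and /etc/shadow layouts above to constructed sample lines: it converts the last-change day number to a date and flags the states just described (extra UID 0 accounts, !! and empty password fields). The sample users, the extra UID 0 account "backup" and the XXXX hash are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the /etc/passwd and
# /etc/shadow layouts above to constructed sample lines (no root needed) and
# flags the states the post describes: extra UID 0 accounts, "!!" (never set)
# and empty (removed) password fields, and the last-change day as a date.

# Constructed /etc/passwd sample: Username:x:UID:GID:Description:Home:Shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user4:x:1103:1103:web server:/home/user4:/bin/bash
user7:x:1106:1106::/home/user7:/sbin/nologin
backup:x:0:0:legacy backup:/home/backup:/bin/bash'
# Constructed /etc/shadow sample; XXXX stands in for a real hash.
SAMPLE_SHADOW='root:XXXX:19663:0:90:7:::
user4:!!:19663:0:99999:7:::
user7:*:19663:0:99999:7:::
backup::19663:0:99999:7:::'

# Field 3 of /etc/shadow counts days since 1970-01-01; same conversion as the post.
days_to_date() {
    date -u -d "1970-01-01 $1 days" +%Y-%m-%d
}
# Calendar date of one user's last password change.
last_change_date() {
    days_to_date "$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $3 }')"
}
# Any account besides root with UID 0 has full system access.
uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
# Password field state: "!!" never set, empty removed, "*" or "!" prefix
# locked (a convention beyond the post), anything else a stored hash.
shadow_state() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u {
        if ($2 == "!!") print "unset"; else if ($2 == "") print "empty";
        else if ($2 ~ /^[!*]/) print "locked"; else print "set" }'
}
# Users reachable with no password at all: empty shadow field plus a real
# login shell (/sbin/nologin still blocks interactive use).
passwordless_logins() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }' | while read -r u; do
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$u" '$1 == u && $7 != "/sbin/nologin" { print $1 }'
    done
}

for u in root user4 user7 backup; do
    echo "$u: password $(shadow_state "$u"), last changed $(last_change_date "$u")"
done
echo "extra UID 0: $(uid0_accounts); passwordless: $(passwordless_logins)"
```

Replace the two SAMPLE_ variables with `cat /etc/passwd` and `cat /etc/shadow` (the latter as root) to audit a real host.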
II. User and Group Management
(1) User Management
useradd
Syntax: useradd [options] username
Common Options:
-u: Specify the user's UID
useradd -u 1100 user1
id user1
uid=1100(user1) gid=1100(user1) groups=1100(user1)
-g: Specify the user's primary group
useradd -g user1 user2
id user2
uid=1101(user2) gid=1100(user1) groups=1100(user1)
-G: Specify the user's supplementary groups
useradd -G user1 user3
id user3
uid=1102(user3) gid=1102(user3) groups=1102(user3),1100(user1)
-c: Specify the user's GECOS (description) information
useradd -c "web server" user4
grep user4 /etc/passwd
user4:x:1103:1103:web server:/home/user4:/bin/bash
-d: Specify the user's home directory
useradd -d /opt/user5 user5
cd ~user5
pwd
/opt/user5
-s: Specify the user's default shell
useradd -s /sbin/nologin user7
grep user7 /etc/passwd
user7:x:1106:1106::/home/user7:/sbin/nologin
Effect of the useradd command: new entries are written to /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow, the user's home directory is created under /home, and the user's mailbox is created under /var/spool/mail.
passwd
Syntax: passwd [options] [username]
Changing Passwords:
passwd user1 (root sets the password of user1)
passwd (change your own password)
Common Options:
-d: Delete the password
passwd -d user1
-l: Lock the account
passwd -l user1
-u: Unlock the account
passwd -u user1
--stdin: Read the password from standard input (not recommended, since the password then ends up in the shell history)
echo "password" | passwd --stdin user1
usermod
Syntax: usermod [options] username
Common Options:
-l: Change the username
usermod -l new_name old_name
-u: Change the UID
usermod -u uid username
-g: Change the primary group
usermod -g groupname username
-G: Change the supplementary groups (the list given replaces the current one; combine with -a to append instead)
usermod -G groupname username
-c: Change the user's GECOS information
usermod -c "new comment" username
-md: Change the user's home directory and move its contents there (-d sets the new directory, -m moves the existing files)
usermod -md /new/home/dir username
-s: Change the user's shell
usermod -s /bin/sh username
userdel
Syntax: userdel [options] username
Common Options:
-r: Delete the user's home directory and mailbox along with the account
userdel -r username
chage
Syntax: chage [options] username
Common Options:
Running chage username with no options prompts interactively for each password-aging field of the user's /etc/shadow entry.
chage username
(2) Group Management
groupadd
Syntax: groupadd [options] groupname
Common Options:
-g: Specify the GID
groupadd -g gid groupname
groupmod
Syntax: groupmod [options] groupname
Common Options:
-n: Change the group name
groupmod -n new_name old_name
-g: Change the GID
groupmod -g gid groupname
groupdel
Syntax: groupdel groupname
gpasswd
Syntax: gpasswd [option] groupname
Common Options:
-A: Assign group administrators
gpasswd -A username groupname
-a: Add a user to the group
gpasswd -a username groupname
-d: Remove a user from the group
gpasswd -d username groupname
-r: Remove the group password
gpasswd -r groupname
groupmems
Syntax: groupmems [options]
Common Options:
-l: List all group members
groupmems -l -g groupname
-a: Add a user to the group
groupmems -a username -g groupname
-d: Delete a user from the group
groupmems -d username -g groupname
-p: Remove all users from the group
groupmems -p -g groupname
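To show how the id output, the groupmems -l member list and the administrator set by gpasswd -A are all derived from the files described in Part I, here is an added example (not code from the original post) that resolves them from constructed copies of /etc/passwd, /etc/group and /etc/gshadow. The DIR variable, the sample contents (mirroring the user1/user2/user3 examples above) and the stale "olduser" entry are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves users and groups from
# passwd, group and gshadow files in the layouts described in Part I. It works on
# constructed copies in a temp directory; set DIR=/etc to run it against the real
# files (reading gshadow needs root).
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Constructed samples matching the Part II examples (user2 was created with
# -g user1, user3 with -G user1); "olduser" is a leftover member entry.
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'user1:x:1100:1100::/home/user1:/bin/bash' \
    'user2:x:1101:1100::/home/user2:/bin/bash' \
    'user3:x:1102:1102::/home/user3:/bin/bash' > "$DIR/passwd"
printf '%s\n' 'root:x:0:' 'user1:x:1100:user3' 'user3:x:1102:olduser' > "$DIR/group"
printf '%s\n' 'root:::' 'user1:!:user2:user3' 'user3:!::olduser' > "$DIR/gshadow"

# Rebuild the `id` line: primary group from the passwd GID, supplementary
# groups from every /etc/group member list that names the user.
id_line() {
    awk -F: -v u="$1" '
        FNR == NR { gname[$3] = $1
                    n = split($4, m, ",")
                    for (i = 1; i <= n; i++) if (m[i] == u) sup = sup "," $3 "(" $1 ")"
                    next }
        $1 == u { printf "uid=%s(%s) gid=%s(%s) groups=%s(%s)%s\n",
                         $3, $1, $4, gname[$4], $4, gname[$4], sup }
    ' "$DIR/group" "$DIR/passwd"
}
# Explicit member list of a group, as `groupmems -l -g groupname` prints it.
group_members() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }' "$DIR/group"
}
# Group administrators recorded by `gpasswd -A` (field 3 of /etc/gshadow).
group_admins() {
    awk -F: -v g="$1" '$1 == g { print $3 }' "$DIR/gshadow"
}
# Member names with no passwd entry: leftovers that a later user created with
# the same name would inherit, so they should be removed with gpasswd -d.
stale_members() {
    awk -F: 'FNR == NR { seen[$1] = 1; next }
             { n = split($4, m, ",")
               for (i = 1; i <= n; i++) if (!(m[i] in seen)) print $1 ":" m[i] }' \
        "$DIR/passwd" "$DIR/group"
}

for u in user1 user2 user3; do id_line "$u"; done
echo "user1 members: $(group_members user1); admins: $(group_admins user1)"
echo "stale: $(stale_members)"
```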