
Users and user groups

2024-11-13 20:28:13

Users/User Groups

[1], User classification

  • We usually identify a user by name, but what the system actually uses is the user's uid and gid.
  • uid (user id): equivalent to an ID card number. It is also the value we care about most.
  • gid (group id): equivalent to the account number.

User categories (category: uid; notes):

  • root: fixed at 0; high privileges; home directory /root/
  • regular user: generally >= 1000; low privileges, can only manage its own home directory /home/xxx
  • virtual user (puppet user): generally between 1 and 999, but this can actually be modified; cannot log in, exists so that services and processes run normally

The essence of user categorization depends on the uid and the command interpreter.

Linux allows multiple simultaneous logins to the same system.

[2], User-related files

/etc/passwd

[root@kylin-xu ~]# head -5 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
Fields of each /etc/passwd line:

  • Column 1: user name
  • Column 2: x, a password placeholder; passwords are stored in /etc/shadow
  • Columns 3-4: UID:GID
  • Column 5: description information (can be empty)
  • Column 6: the user's home directory (root and regular users)
  • Column 7: command interpreter
      /bin/bash       can log in to the system
      /sbin/nologin   virtual user
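
The classification above depends on both the uid and the command interpreter, so it can be checked mechanically. The following is an added example, not code from the original page: it parses passwd-format lines and marks entries worth reviewing. The function names and the sample accounts (toor, svc, broken) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify passwd-format entries by uid and command interpreter.

# Constructed sample in /etc/passwd format (not taken from a real host).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
tom:x:1000:1000::/home/tom:/bin/bash
abc:x:12306:12306::/home/abc:/sbin/nologin
toor:x:0:0::/root:/bin/bash
svc:x:998:998::/var/lib/svc:/bin/sh
#jerry:x:1001:1001::/home/jerry:/bin/bash
broken:x:1002
EOF
}

# classify_passwd [FILE]: print "name<TAB>uid<TAB>category<TAB>note" per entry.
# Reads standard input when FILE is omitted.
classify_passwd() {
    awk -F: '
    /^ *#/ || NF == 0 { next }      # commented-out or blank line: not an account
    NF != 7 || $3 !~ /^[0-9]+$/ {
        print $1 "\t-\tmalformed\tneeds 7 fields and a numeric uid"; next
    }
    {
        uid = $3 + 0
        login = ($7 !~ /\/(nologin|false)$/)   # an empty shell field still allows login
        if (uid == 0) {
            cat = "root"
            note = ($1 == "root") ? "ok" : "REVIEW: extra account with uid 0"
        } else if (!login) {
            cat = "virtual"
            note = (uid < 1000) ? "ok" : "ok (uid outside the usual 1-999 range)"
        } else if (uid >= 1000) {
            cat = "regular"; note = "ok"
        } else {
            cat = "virtual"
            note = "REVIEW: uid below 1000 with login shell " $7
        }
        print $1 "\t" uid "\t" cat "\t" note
    }' "${1:--}"
}

# passwd_findings [FILE]: only the entries that need a second look.
passwd_findings() {
    classify_passwd "${1:--}" | awk -F'\t' '$3 == "malformed" || $4 ~ /^REVIEW/'
}
```

Run `passwd_findings /etc/passwd` on a host, or `sample_passwd | classify_passwd` to see the full classification of the constructed sample.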

/etc/shadow

[root@kylin-xu ~]# head -5 /etc/shadow
root:$6$h1B0FEVoIVn0B3in$/rzXmiZYxnswdLiQduLYwXAguj3W1D3pON.8ptxGuedBD29BPGUVnOTobTOJAtDl5dDq9kcIGsT01::0:99999:7:::
bin:*:18699:0:99999:7:::
daemon:*:18699:0:99999:7:::
adm:*:18699:0:99999:7:::
lp:*:18699:0:99999:7:::

Supplement

Commonly used command interpreters

  • /bin/bash

  • /bin/sh

  • /bin/dash # command interpreter on Ubuntu and Debian

    xu@xu-ubuntu:~$ ll /bin/bash /bin/sh /bin/dash
    -rwxr-xr-x 1 root root 1396520 Mar 14  2024 /bin/bash*
    -rwxr-xr-x 1 root root  125688 Mar 23  2022 /bin/dash*
    lrwxrwxrwx 1 root root       4 Mar 23  2022 /bin/sh -> dash*
    
  • /sbin/nologin Virtual user

  • ..... /bin/csh /bin/tcsh /bin/xxxx

[3] Commands for user additions, deletions, modifications and checks

1. Adding users

  • Add a user

  • Set a password

  • Switch users

  • Check

  • kylin, redhat

useradd tom
grep --color tom /etc/passwd /etc/shadow /etc/group /etc/gshadow

# Set the user's password; in kylin it must meet the required complexity.
passwd # Change the password for the current user
passwd username # Specify to change a user's password, can only be used by the root user.

[root@kylin-xu ~]# passwd tom
Changing password for user tom.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# Switching users, switching from root to an ordinary user does not require a password regardless of whether the ordinary user has a password or not, but switching back to root from an ordinary user requires a password.
# How to exit after switching users?   Shortcut key: CTRL+d Command: logout
# Commands related to checking the current logged-in user of the system
# id command
# whoami command
[root@kylin-xu ~]# su - tom
[tom@kylin-xu ~]$ whoami
tom
[tom@kylin-xu ~]$ id
uid=1000(tom) gid=1000(tom) groups=1000(tom)
[tom@kylin-xu ~]$ su - root
Password:
Last login: Tue Nov  5 11:46:43 -03 2024 on tty1

[root@kylin-xu ~]# logout
[tom@kylin-xu ~]$ logout
[root@kylin-xu ~]#
  • Ubuntu
On Ubuntu, useradd does not create a home directory, and the command interpreter is /bin/sh (/bin/dash).
# Although the user is created and has an entry in /etc/passwd, the home directory is not created on the system; we need to request it explicitly when creating the user.
# We can also see that on Ubuntu the user's interpreter is sh by default, and /bin/sh --> /bin/dash, which differs from the bash interpreter we usually use, so we need to set the interpreter to /bin/bash ourselves when creating the user.
root@xu-ubuntu:~# useradd tom
root@xu-ubuntu:~# grep tom /etc/passwd
tom:x:1001:1001::/home/tom:/bin/sh
root@xu-ubuntu:~# ll /home/tom
ls: cannot access '/home/tom': No such file or directory

useradd
-s Specify the command interpreter
-m Create the home directory when creating the user

useradd -s /bin/bash -m tom
root@xu-ubuntu:~# ll /home/tom -d
drwxr-x--- 2 tom tom 4096 Nov 6 07:00 /home/tom/
root@xu-ubuntu:~# grep tom /etc/passwd
tom:x:1001:1001::/home/tom:/bin/bash
useradd options:
-s Specify the command interpreter
-m Create a home directory
-M Do not create a home directory
-u Specify the uid. If the uid is not specified, it continues from the previous uid + 1.
-c Add description information for the user
  • Add a virtual user (command interpreter /sbin/nologin, no home directory) with uid 12306, named abc
# kylin redhat
useradd -u 12306 -s /sbin/nologin -M abc
[root@kylin-xu ~]# useradd -u 12306 -s /sbin/nologin -M abc
[root@kylin-xu ~]# grep abc /etc/passwd
abc:x:12306:12306::/home/abc:/sbin/nologin
[root@kylin-xu ~]# ll /home/abc -d
ls: cannot access '/home/abc': No such file or directory

# ubuntu: on Ubuntu we can leave out the -M option, since a home directory is not created by default when creating a user
root@xu-ubuntu:~# useradd -u 12306 -s /sbin/nologin abc
root@xu-ubuntu:~# grep abc /etc/passwd
abc:x:12306:12306::/home/abc:/sbin/nologin
root@xu-ubuntu:~# ll /home/abc -d
ls: cannot access '/home/abc': No such file or directory
  • The difference between su and su -
The su command switches users, but some environment variables are not updated.
With su -, the environment variables are updated.
  • passwd on Red Hat family systems: non-interactive password change, root only
echo '0207xrzh!' | passwd --stdin tom
  • On Ubuntu and Debian the passwd command does not have --stdin; use chpasswd instead
# First write the username and corresponding password into a file
# (FILE is a placeholder; the file name is missing from the original page)
echo "tom:123" > FILE
cat FILE | chpasswd

User Templates

After we create a new user, there are files in the user's home directory

[root@kylin-xu ~]# ll /home/tom -a
total 20
drwx------ 2 tom  tom   97 Nov  5 11:51 .
drwxr-xr-x 3 root root  17 Nov  5 11:42 ..
-rw------- 1 tom  tom   27 Nov  5 11:51 .bash_history
-rw-r--r-- 1 tom  tom   75 Aug 25  2022 .bash_logout
-rw-r--r-- 1 tom  tom   71 Aug 25  2022 .bash_profile
-rw-r--r-- 1 tom  tom  138 Aug 25  2022 .bashrc
-rw-r--r-- 1 tom  tom  204 Mar 22  2022 .zshrc

# What files exist in the newly created user's home directory depends on the files in the /etc/skel directory, which is equivalent to a template for the user's home directory.
# We can modify the contents of /etc/skel so that the home directory of the newly created user will also change.
[root@kylin-xu ~]# cd /etc/skel/
[root@kylin-xu skel]# ls
[root@kylin-xu skel]# echo hello >
[root@kylin-xu skel]# cd
[root@kylin-xu ~]# useradd jerry
[root@kylin-xu ~]# ll /home/jerry/
Total usage 4
-rw-r--r-- 1 jerry jerry 6 November 5 14:26
[root@kylin-xu ~]# cat /home/jerry/

2. Delete

  • userdel Deletes a user. The home directory is not deleted by default.
  • userdel -r Delete users and home directories.
  • Edit /etc/passwd and add a # sign (comment) before the username.
userdel abc
userdel -r abc # Delete the user's home directory when deleting the user.


# Delete the user by modifying /etc/passwd directly and adding a comment before the corresponding line.
[root@kylin-xu ~]# vim /etc/passwd
[root@kylin-xu ~]# id abc
id: "abc": no such user
[root@kylin-xu ~]# vim /etc/passwd
[root@kylin-xu ~]# id abc
uid=12306(abc) gid=12306(abc) groups=12306(abc)

3. View user information

  • whoami
  • id: view the user's uid and gid, check whether the user exists, and see which groups (including additional groups) the user belongs to.
  • w: see who is logged in and what they are doing, plus system load information.
[root@kylin-xu ~]# w
# 2 users: two users are logged in to the system
# load average: average load over the last 1, 5 and 15 minutes; compare it with the number of CPU cores
# up 13:12: running time
# TTY: terminal; local ones are called tty1, remote ones are called pts
 12:22:21 up 13:12, 2 users, load average: 0.01, 0.03, 0.04
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
root tty1 11:46 35:33 0.06s 0.06s -bash
root pts/2 11:17 1.00s 0.13s 0.01s w
[root@kylin-xu ~]# tty
/dev/pts/2


# cloud server
root@xu-ecs:~# w
 15:22:12 up 1 day, 10 min, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ecs-assi pts/1 - Tue15 24:06m 0.01s 0.01s sudo su -
root pts/2 60.28.43.165 15:22 1.00s 0.01s 0.00s w
  • last View User Login Status
[root@kylin-xu ~]# last
root     tty1                          Tue Nov  5 11:46   still logged in
root     pts/2        192.168.121.1    Tue Nov  5 11:17   still logged in
...
reboot   system boot  4.19.90-52.22.v2 Mon Nov  4 07:22 - 14:40  (07:17)
...
  • lastlog View all user logins
[root@kylin-xu ~]# lastlog
Username         Port     From             Last logon time
root             pts/0    192.168.121.1    Tue Nov  5 12:31:22 -0300 2024
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
halt                                       **Never logged in**
mail                                       **Never logged in**
operator                                   **Never logged in**
games                                      **Never logged in**
ftp                                        **Never logged in**
nobody                                     **Never logged in**
systemd-coredump                           **Never logged in**
systemd-network                            **Never logged in**
systemd-resolve                            **Never logged in**
systemd-timesync                           **Never logged in**
tss                                        **Never logged in**
libstoragemgmt                             **Never logged in**
rpc                                        **Never logged in**
dbus                                       **Never logged in**
polkitd                                    **Never logged in**
unbound                                    **Never logged in**
named                                      **Never logged in**
setroubleshoot                             **Never logged in**
apache                                     **Never logged in**
cockpit-ws                                 **Never logged in**
chrony                                     **Never logged in**
abrt                                       **Never logged in**
dhcpd                                      **Never logged in**
rpcuser                                    **Never logged in**
sshd                                       **Never logged in**
pesign                                     **Never logged in**
tcpdump                                    **Never logged in**
nginx                                      **Never logged in**
tom              pts/2                     Tue Nov  5 11:47:09 -0300 2024
abc                                        **Never logged in**

4. Modifications

  • Modify information for an existing user.
  • usermod: modify a user.

The parameters are similar to those of the useradd command.

[4], User security protection

1. sudo

Privilege elevation for regular users

  • Ordinary users can temporarily become root to run the corresponding command.

  • It's like the Emperor giving his ministers the Sword of Honor.

  • The root user configures it and the normal user does the work.

  • Authorize the xu user to run tail, cat, less, grep with root privileges.

[root@kylin-xu ~]# passwd xu
Changing password for user xu.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
  • Authorize as root. visudo is equivalent to running vi /etc/sudoers; we recommend making changes with visudo, because it checks our changes. Editing /etc/sudoers directly is not recommended.
# Authorize as the root user. Commands being authorized must be written as absolute paths; separate multiple commands with a comma and a space.
[root@kylin-xu ~]# visudo
xu ALL=(ALL) /bin/tail, /bin/less, /bin/more
[root@kylin-xu ~]# su - xu
Last login: Tue Nov  5 16:00:10 -03 2024 on pts/0
[xu@kylin-xu ~]$ sudo -l # See what commands are currently available with sudo -l.

We trust that you have already learned the daily dos and don'ts from your system administrator.
It is summarized in these three points:

    #1) Respect the privacy of others.
    #2) Think before you type (consequences and risks).
    #3) With great power comes great responsibility.

[sudo] xu's password:
Matching Defaults entries for xu on kylin-xu:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
    LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User xu can run the following commands on kylin-xu:
    (ALL) /bin/tail, /bin/less, /bin/more


# Add sudo when using authorized commands.
[xu@kylin-xu ~]$ sudo tail -1 /var/log/secure
Nov 5 16:21:58 kylin-xu sudo[190100]: pam_unix(sudo:session): session closed for user root

When authorizing regular users, grant only what is needed and nothing more.

Summary:

  • Configure sudo privileges for regular users.
  • The root user grants authorization via visudo (or vi/vim /etc/sudoers).
  • Ordinary users: sudo + command

On Ubuntu, visudo defaults to the nano editor

Ubuntu uses the nano editor by default when modifying /etc/sudoers; this can be changed.

Defaults env_editor,editor=/bin/vim
:wq! Force save to exit
# After that you can open it with visudo
root@xu-ubuntu:~# visudo
visudo: /etc/ unchanged

Authorize xu for all commands without entering a password

sudo -k: clear the cached credentials. If passwordless sudo is not configured, the password is cached after it is entered the first time, so for a certain period no password is required either.

visudo
xu ALL=(ALL) NOPASSWD: ALL
# ALL=(ALL)
# ALL hosts=(run as any user)
[xu@kylin-xu ~]$ sudo -k
[xu@kylin-xu ~]$ sudo -l
Matching Defaults entries for xu on kylin-xu:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
    LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User xu can run the following commands on kylin-xu:
    (ALL) NOPASSWD: ALL
  • Summary:
    • Configure sudo privileges for regular users.
    • The root user grants authorization via visudo (or vi/vim /etc/sudoers).
    • Ordinary users: sudo + command
    • Write the configuration at the end of /etc/sudoers.
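
The two points made in this section, that authorized commands must be absolute paths and that a user should get only what is needed, can be checked before a rule is installed. The following is an added example, not code from the original page; the function names and the sample rules for tom and jerry are constructed, and only single-line user rules of the form shown above are handled.

```shell
#!/bin/sh
# Added example: check simple sudoers user rules against the two points above.

# Constructed sample rules (user names and commands are illustrative).
sample_sudoers() {
cat <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults env_reset
xu ALL=(ALL) /bin/tail, /bin/less, /bin/more
tom ALL=(ALL) tail, /bin/cat
jerry ALL=(ALL) NOPASSWD: ALL
EOF
}

# audit_sudoers [FILE]: print one finding per problem; reads stdin without FILE.
# Handles only single-line "user host=(runas) [NOPASSWD:] cmd, cmd" rules;
# aliases, Defaults and comments are skipped, line continuations are not handled.
audit_sudoers() {
    awk '
    /^[ \t]*#/ || NF == 0 || /^Defaults/ || /^[A-Za-z]+_Alias/ { next }
    index($0, "=") == 0 { next }
    {
        who = $1
        spec = $0
        sub(/^[^=]*=[ \t]*/, "", spec)               # drop "user host="
        sub(/^\([^)]*\)[ \t]*/, "", spec)            # drop "(runas)"
        nopass = sub(/^NOPASSWD:[ \t]*/, "", spec)   # 1 if the tag was present
        suffix = nopass ? " without a password" : ""
        n = split(spec, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], word, /[ \t]+/)
            cmd = word[1]
            if (cmd == "ALL")
                print who ": grants ALL commands" suffix
            else if (cmd !~ /^\//)
                print who ": command is not an absolute path: " cmd
            else if (nopass)
                print who ": " cmd " runs as root" suffix
        }
    }' "${1:--}"
}
```

This complements, and does not replace, the syntax check that visudo performs; `visudo -c -f FILE` validates a candidate file without installing it.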