
Linux User and User Group Management

Published: 2025-04-17 15:10:41

Concept

Linux is a multi-user, multi-tasking, time-sharing operating system. Anyone who wants to use system resources must have an account to enter the system: the account is how the system identifies a user, and permissions and resources are granted according to that identity. An account has two parts, the user and the user's group(s).

User Classification

Users fall into three categories by UID and privileges:

  • Superuser (root): UID 0, with every permission on the system. Conventionally this is the root account, but any account with UID 0 is a superuser regardless of its name, so a system should have only one; a second UID 0 entry in /etc/passwd is one of the first things to look for when auditing a host.

  • System users: UID from 1 to 999 (the exact range is SYS_UID_MIN/SYS_UID_MAX in /etc/login.defs). They exist so that services can run under an identity with fewer privileges than root. Their password is locked (`*` or `!` in /etc/shadow) and their shell is /usr/sbin/nologin, so they cannot log in interactively; they only own the processes and files of the service they were created for.

  • Ordinary users: UID 1000 and above. These accounts can log in and hold whatever permissions they are granted.

User Management

Managing users comes down to adding, deleting, modifying and viewing them. Let's look at the commands for each.

Files that store user information

  • /etc/passwd: basic user information, one user per line, in the format Username:Password placeholder (x):UID:GID:Description (GECOS):Home directory:Login shell. The file is world-readable; the x means the real password hash is kept in /etc/shadow.
root@master-02:~# cat /etc/passwd
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 ...(output truncated)
 nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
 unscd:x:110:114::/var/lib/unscd:/usr/sbin/nologin
  • /etc/shadow: the password hash and password-aging information, readable only by root (and the shadow group on Debian-derived systems). Format: Username:Hash:Last change (days since 1970-01-01):Min days:Max days:Warn days:Inactive days:Expiry date:(reserved). A hash of * or ! means no password can ever match, i.e. the account is locked; an empty hash field means the account can log in without a password.
root@master-02:~# cat /etc/shadow
 root:$6$RONxOP1Exfi1ewiA$gFkY1hDAuaJHxKSytAgM/.4lSikmihfocjvzlj/:20153:0:99999:7:::
 daemon:*:19820:0:99999:7:::
 ...(output truncated)
 _chrony:*:19881:0:99999:7:::
 _rpc:*:19881:0:99999:7:::
 statd:*:19881:0:99999:7:::
 Debian-exim:!:19881:0:99999:7:::
 unscd:*:19881:0:99999:7:::
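The two formats above are simple enough to audit mechanically. The following Python script is an added example, not code from the original article: it parses passwd- and shadow-style records and flags what a reviewer looks for (a second UID 0 account, empty password fields, shared UIDs, system accounts with an interactive shell, passwords that never expire). The sample records are constructed in the formats shown above, with placeholder hashes and the invented accounts backdoor and legacy; on a real host run it as root by passing the contents of /etc/passwd and /etc/shadow to audit().

```python
"""Audit /etc/passwd and /etc/shadow records for common account problems.

Added example, not code from the original article. PASSWD_SAMPLE and
SHADOW_SAMPLE are constructed records: the hashes are placeholders and the
'backdoor' and 'legacy' accounts are invented to trigger the checks."""
from collections import namedtuple

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SHADOW_FIELDS = ("name", "hash", "lastchg", "min_days", "max_days", "warn", "inactive", "expire")
PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
www-www:x:10086:10086::/home/www-www:/sbin/nologin
user-test01:x:1000:1000::/home/user-test01:/bin/bash
backdoor:x:0:0::/root:/bin/bash
legacy::1001:1001::/home/legacy:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$placeholder$placeholderhash:20153:0:99999:7:::
daemon:*:19820:0:99999:7:::
nobody:*:19820:0:99999:7:::
www-www:!:20153:0:99999:7:::
user-test01:$6$placeholder$placeholderhash:20153:0:99999:7:::
backdoor:$6$placeholder$placeholderhash:20153:0:99999:7:::
legacy::20153:0:99999:7:::
"""


def parse_passwd(text):
    """One PasswdEntry per non-empty line; exactly 7 colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text):
    """{name: {field: value}}; 9 fields per line, the ninth reserved and dropped."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"shadow line {lineno}: expected 9 fields, got {len(fields)}")
        entries[fields[0]] = dict(zip(SHADOW_FIELDS, fields))
    return entries


def is_locked(hash_field):
    # '!' (passwd -l, usermod -L) or '*' (never had a password): nothing can match it
    return hash_field.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return (username, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    names_by_uid = {}
    for u in users:
        names_by_uid.setdefault(u.uid, []).append(u.name)
    for u in users:
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "extra-uid0"))          # a second superuser
        if u.passwd == "":
            findings.append((u.name, "passwd-no-password"))  # empty field: no password at all
        if len(names_by_uid[u.uid]) > 1:
            findings.append((u.name, "duplicate-uid"))       # two names, one identity
        s = shadow.get(u.name)
        if s is None:
            findings.append((u.name, "missing-shadow"))
            continue
        if s["hash"] == "":
            findings.append((u.name, "shadow-empty-hash"))   # login with an empty password
        if 0 < u.uid < 1000 and u.shell not in NOLOGIN_SHELLS:
            findings.append((u.name, "system-account-interactive-shell"))
        if (u.uid >= 1000 and u.shell not in NOLOGIN_SHELLS and s["hash"]
                and not is_locked(s["hash"]) and s["max_days"] == "99999"):
            findings.append((u.name, "password-never-expires"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{finding:35} {name}")
```

The checks are deliberately conservative: a locked hash on a service account is normal and is not reported, while an empty hash or a duplicate UID 0 is reported even for root itself, since both names share the same identity.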

Add a user: useradd

Use the useradd command to add users.

Syntax:

useradd [Option parameter] username

Option description:

-u: specify the UID. Ordinary users should get a UID of 1000 or higher; unless there is a specific need, leave it out and let the system allocate one.
 -m: create the user's home directory (default location /home/username). Whether a home directory is created without -m depends on CREATE_HOME in /etc/login.defs; on Debian and Ubuntu it is not, so pass -m explicitly for human users.
 -M: do not create a home directory; used for service accounts that never log in. -r additionally marks the account as a system account and allocates a UID from the system range.
 -s: specify the login shell. The default comes from SHELL in /etc/default/useradd; on Debian-derived systems that is /bin/sh, which is why the prompt in the example below is a plain $. Pass -s /bin/bash for an interactive user and -s /usr/sbin/nologin for a service account.
 -g: specify the primary group. Usually leave it out: the system creates a group with the same name as the new user, and that group becomes the user's primary (initial) group.
 -c: add a comment (GECOS) text; it is stored in the fifth column of /etc/passwd.
 -d: specify a custom home directory path; usually unnecessary.
 -e: set the account expiry date (format YYYY-MM-DD).
 -p: set the password directly. The argument must already be a crypt(3) hash, and it ends up in shell history and is visible in the process list while useradd runs, so prefer passwd or chpasswd.

Example: Add user-test01 user and set password

#Add user
 root@master-02:~# useradd -m user-test01

 #Use the `passwd` command to set password
 root@master-02:~# passwd user-test01
 New password:
 Retype new password:
 password updated successfully

 #Switch users
 root@master-02:~# su - user-test01
 $
 $ pwd
 /home/user-test01

Example: Add www-www system user

#Add the www-www service account: -s /sbin/nologin so it cannot log in, -u to set the UID, -M to skip the home directory.
 #Note that 10086 is in the ordinary-user range; to allocate a real system UID use -r instead of -u.
 root@master-02:~# useradd -s /sbin/nologin -u 10086 -M www-www

 #View Users
 root@master-02:~# grep www-www /etc/passwd
 www-www:x:10086:10086::/home/www-www:/sbin/nologin

 #Switch user, switching failed
 root@master-02:~# su - www-www
 su: warning: cannot change directory to /home/www-www: No such file or directory
 This account is currently not available.

View users

Several commands show user information; pick the one that fits the scenario:

  • whoami: Show the current user name
root@master-02:~# whoami
root
  • id username: show the user's UID, GID and groups, which also tells you whether the user exists
#Check root
 root@master-02:~# id root
 uid=0(root) gid=0(root) groups=0(root)

 root@master-02:~# id user-test01
 uid=1000(user-test01) gid=1000(user-test01) groups=1000(user-test01)

 root@master-02:~# id www-www
 uid=10086(www-www) gid=10086(www-www) groups=10086(www-www)

 #User does not exist
 root@master-02:~# id www
 id: ‘www’: no such user

Delete a user: userdel

Syntax:

userdel [Option parameter] username

Option description:

-f: force the deletion even if the user is still logged in or has running processes; with -r the home directory is removed even if another user owns files in it. Dangerous; use only when you know why.
 -r: remove the user's home directory and mail spool together with the account.

Notes:

  • Deleting a user is destructive and needs care: files owned by the deleted UID stay on disk, and a later account that happens to reuse the UID silently inherits them. For an account that only needs to be disabled, lock it instead of deleting it: usermod -L username (lock the password), usermod -s /usr/sbin/nologin username (no interactive shell) and chage -E 0 username (expire the account, which also blocks SSH public-key logins that a locked password alone does not stop). Do not try to "comment out" the line in /etc/passwd; the file has no comment syntax.
  • userdel does not delete the home directory by default; the -r option is needed for that.

Example:

#This message is only a warning: the user had no mail spool, but the account and home directory are removed
 root@master-02:~# userdel -r user-test01
 userdel: user-test01 mail spool (/var/mail/user-test01) not found

Modify a user: usermod

Syntax

usermod [Option parameter] username

Option description

-l: change the login name. The primary group keeps its old name and the home directory path is unchanged (use -d together with -m to move it).
 -d: set a new home directory path.
 -m: move the contents of the current home directory to the new location (only meaningful together with -d).
 -s: change the login shell.
 -g: change the primary (initial) group.
 -G: set the list of supplementary groups. Without -a this replaces the current list, which can silently drop the user from groups such as sudo or docker; use -aG to append.
 -L / -U: lock / unlock the password (the same mechanism as passwd -l / -u).

Example:

#Rename the user; the primary group keeps its old name
 root@master-02:~# usermod -l www www-www
 root@master-02:~# id www
 uid=10086(www) gid=10086(www-www) groups=10086(www-www)

Change a user's password: passwd

Syntax

passwd [Option parameter] username

Option description

-l: lock the account so the user cannot log in with the password. The hash in the second column of /etc/shadow is prefixed with !, which no password can match. Locking the password does not block logins by SSH key or other non-password methods; combine it with an expiry date (chage -E 0 username) to disable the account fully.
 -u: unlock, the reverse of -l: the ! prefix is removed and the old password works again.
 -n: minimum password lifetime in days; the user cannot change the password again during this period (fourth column of /etc/shadow).
 -x: maximum password lifetime in days; after it the password expires and must be changed (fifth column of /etc/shadow).
 -w: number of days before expiry during which the user is warned at login (sixth column).
 -i: number of days of grace after expiry during which the user can still log in but must change the password; after that the account is disabled (seventh column).
 -S: show the password status: L (locked), NP (no password) or P (usable password), followed by the aging values.
 --stdin: read the new password from standard input, for non-interactive scripts. Only the Red Hat family's passwd has this option; on Debian and Ubuntu use chpasswd instead.

Example:

# Change a user's password interactively
 passwd username

 # Lock the user
 passwd -l username

 # Unlock the user
 passwd -u username

 # Show the password status (L = locked, NP = no password, P = usable password)
 passwd -S username

Bulk modify user passwords: chpasswd

chpasswd is the command for changing many users' passwords at once on Unix-like systems, normally run by the administrator. It reads username:password records from standard input (directly or redirected from a file) and updates each user's password.

Usage:

# Read one username:password record from standard input
 # (this form leaves the password in the shell history; prefer a root-only file)
 echo "user1:newpassword1" | chpasswd

 # Alternatively write the records to a file, one Username:Password per line.
 # The file name is a placeholder; create it root-only and destroy it afterwards.
 umask 077
 cat > /root/passwords.list <<EOF
 user1:newpassword1
 user2:newpassword2
 EOF

 # Read and apply the passwords from the file
 chpasswd < /root/passwords.list
 shred -u /root/passwords.list

 # If the file holds crypt(3) hashes instead of plaintext, tell chpasswd with -e
 # chpasswd -e < /root/hashes.list

User authorization: sudo

The sudo command runs a command as another user, root by default. Who may run what is defined in /etc/sudoers. When an unauthorized user attempts to use sudo the attempt is logged and, with Defaults mail_badpass (present in the Debian default file below), a warning mail is sent to the administrator. The first time a user runs sudo they must enter their own password; it is then cached for a timeout (Defaults timestamp_timeout, 5 minutes in upstream sudo; distribution builds may use a different value), after which the password must be entered again.

sudo lets ordinary users run commands that need superuser privileges when the conditions in /etc/sudoers are met. sudoers is the configuration file that specifies which users or groups may run which commands, as which user, and whether a password is required.

Viewing and editing /etc/sudoers

The sudoers file is sudo's core configuration file, normally /etc/sudoers. Editing it directly can introduce a syntax error that locks everyone out of sudo, so edit it with visudo: it locks the file, checks the syntax before saving and refuses to install a broken file. Drop-in rules can also be placed in /etc/sudoers.d/ and edited with visudo -f /etc/sudoers.d/filename.

root@master:~# visudo

 # Or edit directly (not recommended: no syntax check, a typo breaks sudo for everyone)
 root@master:~# vim /etc/sudoers

 Defaults env_reset
 Defaults mail_badpass
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # User privilege specification
 root ALL=(ALL:ALL) ALL

 # Allow members of group sudo to execute any command
 %sudo ALL=(ALL:ALL) ALL

Explanation of the file content:

root ALL=(ALL:ALL) ALL
 # root: the user this rule applies to.
 # ALL (before =): the rule applies on all hosts (relevant when one sudoers file is shared between machines).
 # (ALL:ALL): root may run commands as any user and any group.
 # ALL (after the runas part): root may run any command.

 %sudo ALL=(ALL:ALL) ALL
 # The same rule for every member of the sudo group. The leading % marks a group rather than a single user.
 # Any user in the sudo group can run any command, on any host, as any user and any group, after entering their own password.

Example: grant sudo rights to the devops user

# Add user
 root@master:~# useradd -m devops

 # Change password
 root@master:~# passwd devops
 New password:
 Retype new password:
 password updated successfully


# Edit /etc/sudoers with visudo and add the rule; the resulting file:
 root@master:~# cat /etc/sudoers
 Defaults env_reset
 Defaults mail_badpass
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # User privilege specification
 root ALL=(ALL:ALL) ALL
 # Added authorization
 devops ALL=(ALL:ALL) /bin/cat,/bin/less,/bin/more
 # Allow members of group sudo to execute any command
 %sudo ALL=(ALL:ALL) ALL

# Switch to the new user
 root@master:~# su - devops

 # Run an allowed command; the password is requested each time the cache has expired
 devops@master:~$ sudo cat /etc/passwd
 [sudo] password for devops:

 # Caveat: less and more can start a shell from inside the pager (the ! command), and that
 # shell runs as root, so this rule is not the read-only grant it looks like. Prefer commands
 # that cannot spawn a shell, or add sudo's NOEXEC: tag (effective for dynamically linked programs).

Grant devops all commands without a password

root@master:~# cat /etc/sudoers
 Defaults env_reset
 Defaults mail_badpass
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 # User privilege specification
 root ALL=(ALL:ALL) ALL
 # Added authorization
 devops ALL=(ALL:ALL) NOPASSWD: ALL
 # Allow members of group sudo to execute any command
 %sudo ALL=(ALL:ALL) ALL


# Switch to the new user
 root@master:~# su - devops

 # No password is asked any more
 devops@master:~$ sudo cat /etc/passwd

 # Caveat: NOPASSWD: ALL makes the devops account equivalent to root. Anyone who obtains the
 # account (a leaked SSH key, a compromised process running as devops) gets root without knowing
 # any password. Reserve it for automation accounts that need it and narrow the command list.
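sudoers rules are short and easy to misjudge (the devops rule above looks read-only but is not), so they are worth checking mechanically. The Python script below is an added example, not part of the original article or of sudo itself: it parses plain user specifications, carries NOPASSWD and the other tags over a command list the way sudo does, and flags rules that amount to a root shell. SAMPLE_SUDOERS is a constructed file based on the Debian default shown above; the backup and deploy rules are invented for illustration, and aliases and #include directives are not handled.

```python
"""Parse sudoers user specifications and flag rules that amount to a root shell.

Added example, not code from the original article or from sudo. SAMPLE_SUDOERS
is constructed: the 'backup' and 'deploy' rules are invented for illustration.
Plain user-specification lines only; aliases and #include are not handled."""
import os
import re

# Programs with a documented way to run a shell from inside (e.g. the '!' command
# in less/more/vi/man); allowing them under sudo is allowing a root shell.
SHELL_ESCAPE = {"less", "more", "vi", "vim", "man", "awk", "find"}

SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root ALL=(ALL:ALL) ALL
devops ALL=(ALL:ALL) /bin/cat,/bin/less,/bin/more
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy ALL=(ALL:ALL) NOPASSWD: ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
"""

# who  hosts = (runas_user:runas_group) [TAG:] cmd[, [TAG:] cmd ...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}


def parse_sudoers(text):
    """Return one (who, hosts, runas_user, runas_group, tags, command) tuple per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment ('#include' not handled)
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {raw!r}")
        runas_user, _, runas_group = (m.group("runas") or "root").partition(":")
        tags = set()  # a tag stays in force for the later commands of the same list
        for part in m.group("rest").split(","):
            part = part.strip()
            while ":" in part and part.split(":", 1)[0] in TAGS:
                tag, part = part.split(":", 1)
                part = part.strip()
                opposite = tag[2:] if tag.startswith("NO") else "NO" + tag
                tags = (tags - {opposite}) | {tag}   # PASSWD cancels NOPASSWD and vice versa
            rules.append((m.group("who"), m.group("hosts"), runas_user.strip(),
                          runas_group.strip(), frozenset(tags), part))
    return rules


def audit_sudoers(text):
    """Return (who, command, finding) for rules that deserve a second look."""
    findings = []
    for who, _hosts, _ru, _rg, tags, cmd in parse_sudoers(text):
        if not cmd:
            continue
        nopass = "NOPASSWD" in tags
        if cmd == "ALL":
            findings.append((who, cmd, "nopasswd-all" if nopass else "all-commands"))
        elif os.path.basename(cmd.split()[0]) in SHELL_ESCAPE:
            findings.append((who, cmd, "shell-escape" + ("-nopasswd" if nopass else "")))
    return findings


if __name__ == "__main__":
    for who, cmd, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding:22} {who:10} {cmd}")
```

Run against the sample it reports both ALL rules, the NOPASSWD: ALL rule for deploy, and the two pager commands in the devops rule; the backup rule passes because rsync and tar are not in the shell-escape list, which you should extend with whatever your environment considers equivalent to a shell.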

User Group Management

In Linux systems, user groups are collections of users that simplify permission management. By assigning users to specific groups, unified permission settings can be applied to the entire group, rather than for each user alone. This makes system management more efficient and orderly.

Basic concepts

User group usage:

  • Permission Management: manages access rights to files and directories through groups, simplifying permission settings.
  • Resource Sharing: Allows users in the group to share resources, such as files, directories, etc.
  • System management: Assign system resources and set user permissions through groups.

Main user groups:

  • root: Super user group, with all permissions on the system.
  • bin, sys, mail, etc.: Predefined user groups of the system, used for system processes and services.
  • User-defined groups: groups created as needed, such as developers, admins, etc.

Files that store user group information

/etc/group stores the user group information:

root@master:~# cat /etc/group
 root:x:0:
 #...(output truncated)
 unscd:x:114:
 docker:x:998:
 devops:x:1000:

File format (four colon-separated fields, Group name:Password placeholder:GID:Member list):

  • Group name: the name of the group, e.g. root, wheel, users.
  • Password placeholder: usually x, meaning the group password, if any, is stored in /etc/gshadow; group passwords are rarely used.
  • GID (group identifier): a unique integer identifying the group; GIDs must be unique on the system.
  • Member list: comma-separated users who have this group as a supplementary group. Users whose primary GID (fourth field of /etc/passwd) is this group are members too but do not appear here.

View user groups

# View all groups
 root@master:~# cat /etc/group

 # View the user's group
 # groups command
 root@master:~# groups devops
 devops : devops
 # id command
 root@master:~# id devops
 uid=1000(devops) gid=1000(devops) groups=1000(devops)
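groups and id answer the question for one user at a time. The reverse question, who is effectively in a given group, needs both files, because a user whose primary GID is the group's GID is a member without being listed in /etc/group. The Python below is an added example with constructed data, not from the original article: it resolves effective membership and reports it for the groups that grant root-equivalent access, root, sudo and docker (members of docker can drive the Docker socket). The user alice is invented to show the primary-GID case.

```python
"""Resolve effective group membership from /etc/passwd and /etc/group.

Added example with constructed data, not from the original article. 'alice' is
invented: her primary GID is docker's, so she is a member without being listed."""

PASSWD_DATA = """\
root:x:0:0:root:/root:/bin/bash
devops:x:1000:1000::/home/devops:/bin/bash
alice:x:1001:998::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""

GROUP_DATA = """\
root:x:0:
sudo:x:27:devops
docker:x:998:bob
devops:x:1000:
bob:x:1002:
"""

# Membership of these groups is root-equivalent (docker: via the Docker socket).
PRIVILEGED = ("root", "sudo", "docker")


def primary_gids(passwd_text):
    """name -> primary GID (fourth field of /etc/passwd)."""
    out = {}
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            out[fields[0]] = int(fields[3])
    return out


def parse_group(group_text):
    """group name -> (gid, set of users listed in the member field)."""
    out = {}
    for line in group_text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            out[name] = (int(gid), {m for m in members.split(",") if m})
    return out


def members_of(group, passwd_text, group_text):
    """Listed supplementary members plus every user whose primary GID is the group's."""
    gid, listed = parse_group(group_text)[group]
    primaries = {u for u, g in primary_gids(passwd_text).items() if g == gid}
    return sorted(listed | primaries)


def privileged_report(passwd_text, group_text):
    """Effective members of each privileged group that exists on the system."""
    groups = parse_group(group_text)
    return {g: members_of(g, passwd_text, group_text) for g in PRIVILEGED if g in groups}


if __name__ == "__main__":
    for group, users in privileged_report(PASSWD_DATA, GROUP_DATA).items():
        print(f"{group:8} {', '.join(users)}")
```

On the sample, docker resolves to alice and bob although /etc/group lists only bob; a review that greps /etc/group alone would miss alice.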

Create a user group: groupadd

Syntax:

groupadd [Options] group name

Common options:

  • -g GID: specify the GID of the new group. If omitted, the next free GID is assigned.
groupadd -g 1001 newgroup
  • -r: create a system group with a GID from the system range.
  • Adding members at creation: groupadd has no -M option. Newer shadow-utils releases add -U/--users user1,user2 (check groupadd --help); on older releases create the group and then add members with gpasswd -a or usermod -aG.
groupadd newgroup && gpasswd -a user1 newgroup

Delete a user group: groupdel

Syntax:

groupdel group name

Notes:

  • groupdel refuses to remove a group that is any user's primary group; change those users' primary group first (usermod -g othergroup username). Supplementary memberships are simply dropped. Files owned by the group keep the numeric GID on disk, which a group created later may reuse.
  • Check system services and processes: Some system services and processes may depend on specific user groups. Deleting these groups may affect the normal operation of the system.
  • Backup:Before performing the deletion operation, it is recommended to back up the /etc/group file, just in case you need to recover.
  • Permissions: Only users with appropriate permissions (usually root users) can execute the groupdel command.

Add a user to another group: usermod

usermod -aG groupname username
 # -a appends to the supplementary groups; -G on its own replaces the whole list
 # The new membership applies to sessions started after the change: log in again or run newgrp

Modify a user group: groupmod

Syntax:

groupmod [Options] group name

Common options:

  • -n: rename the group
# Rename group_old to group_new
 groupmod -n group_new group_old
  • -g: change the group's GID (files owned by the old GID are not updated; chgrp them afterwards)
groupmod -g GID groupname