Linux - Users and Groups
Environment
Operating system information:
[aaa@qq.com ~]# cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)
[aaa@qq.com ~]# uname --kernel-release
3.10.0-1062.el7.x86_64
Users
User categories
Creating a user
Create a user:
[aaa@qq.com ~]# useradd ops // create the user
[aaa@qq.com ~]# id ops // show the user's UID, primary GID and group memberships
uid=1001(ops) gid=1001(ops) groups=1001(ops)
[aaa@qq.com ~]# su --login ops // log in as that user
[aaa@qq.com ~]$ pwd
/home/ops
[aaa@qq.com ~]$ ls -a
. .. .bash_logout .bash_profile .bashrc
[aaa@qq.com ~]$ ls /var/spool/mail/ // look at the mail spool directory
mk ops
[aaa@qq.com ~]$ exit // log out
logout
Create a user that cannot log in by giving it a non-interactive shell:
[aaa@qq.com ~]# useradd --shell /sbin/nologin nologin // create the user with an explicit shell
[aaa@qq.com ~]# id nologin
uid=1002(nologin) gid=1002(nologin) groups=1002(nologin)
[aaa@qq.com ~]# su --login nologin // try to log in; the account is reported as unavailable
This account is currently not available.
Setting a password
Set a password for user ops. Note that when root runs passwd, the BAD PASSWORD line below is only a warning: the too-short password is still accepted, whereas the same password would be refused when an unprivileged user changes their own password:
# passwd ops // set a password for user ops
Changing password for user ops.
New password: // new password: 123
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: // confirm: 123
passwd: all authentication tokens updated successfully.
If no user name is given to passwd, it changes the password of the user who runs it:
# passwd // change the current user's password
Changing password for user root.
New password: // new password: 1234
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Set a password non-interactively, which is what scripts use to set passwords in bulk. Keep in mind that --stdin is a Red Hat extension to passwd (it does not exist on Debian-based systems) and that a password supplied this way ends up in the shell history; chpasswd, which reads user:password pairs from standard input, is the portable tool for bulk changes:
# echo 1234 | passwd --stdin ops
Changing password for user ops.
passwd: all authentication tokens updated successfully.
User account information
Basic account information is kept in /etc/passwd, which is readable by every user:
# vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mk:x:1000:1000:mk:/home/mk:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
nologin:x:1002:1002::/home/nologin:/sbin/nologin
Each line describes one user in the format name:password:UID:GID:GECOS:directory:shell. Two fields matter most for security: UID, because any account with UID 0 is root whatever its name, and password, which should be x (the hash lives in /etc/shadow) since /etc/passwd is world-readable. The fields are documented in man 5 passwd:
Each line of the file describes a single user, and contains seven colon-separated fields:
name:password:UID:GID:GECOS:directory:shell
The fields are as follows:
name This is the user's login name. It should not contain capital letters.
password This is either the encrypted user password, an asterisk (*), or the letter 'x'. (See pwconv(8) for an explanation of 'x'.)
UID The privileged root login account (superuser) has the user ID 0.
GID This is the numeric primary group ID for this user. (Additional groups for the user are defined in the system group file; see group(5)).
GECOS This field (sometimes called the "comment field") is optional and used only for informational purposes. Usually, it contains the full username. Some programs (for example, finger(1)) display information from this field.
GECOS stands for "General Electric Comprehensive Operating System", which was renamed to GCOS when GE's large systems division was sold to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant."
directory This is the user's home directory: the initial directory where the user is placed after logging in. The value in this field is used to set the HOME environment variable.
shell This is the program to run at login (if empty, use /bin/sh). If set to a nonexistent executable, the user will be unable to login through login(1). The value in this field is used to set the SHELL environment variable.
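As an added example (not code from the original page), the following Python script parses lines in the seven-field format above and flags the entries an auditor checks first: a second UID 0 account, a password hash or an empty password field left in the world-readable /etc/passwd, and a system account with an interactive shell. The sample lines are constructed (three copied from the listing above, three deliberately bad), and UID_MIN = 1000 is an assumption taken from the CentOS 7 default in /etc/login.defs.

```python
"""Audit /etc/passwd-format lines.

Added example, not code from the page: it parses the seven fields described
above and reports what a reviewer looks for first. The sample lines are
constructed (three copied from the page, three deliberately bad).
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ops:x:1001:1001::/home/ops:/bin/bash
toor:x:0:0::/root:/bin/bash
legacy:$1$abcdefgh$TRUNCATEDHASH:1003:1003::/home/legacy:/bin/sh
svc:x:500:500:service account:/var/lib/svc:/bin/bash
"""

UID_MIN = 1000  # assumption: UID_MIN from /etc/login.defs on CentOS 7
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/tcsh"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    directory: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Split each non-empty line into exactly seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> list[str]:
    """Return one finding per suspicious entry, in file order."""
    findings = []
    uid_count = Counter(e.uid for e in entries)
    for e in entries:
        if e.uid == 0:
            if e.name != "root":
                findings.append(f"{e.name}: UID 0 (root privileges) under another name")
        elif uid_count[e.uid] > 1:
            findings.append(f"{e.name}: UID {e.uid} shared with another account")
        if e.password == "":
            findings.append(f"{e.name}: empty password field, no password needed")
        elif e.password not in ("x", "*") and not e.password.startswith("!"):
            # /etc/passwd is world-readable, so a hash here is open to offline cracking
            findings.append(f"{e.name}: password hash stored in /etc/passwd, not shadowed")
        if 0 < e.uid < UID_MIN and e.shell in INTERACTIVE_SHELLS:
            findings.append(f"{e.name}: system account with interactive shell {e.shell}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against the real file with `parse_passwd(open("/etc/passwd").read())`; on the CentOS 7 box shown above the only expected output is nothing at all.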
Note: if man 5 passwd reports No manual entry for passwd in section 5, install man-pages:
# yum install --assumeyes man-pages
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.163.com
* updates: mirrors.163.com
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 153 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 190 kB 00:00:00
(3/4): updates/7/x86_64/primary_db | 1.3 MB 00:00:01
(4/4): base/7/x86_64/primary_db | 6.1 MB 00:00:02
Resolving Dependencies
--> Running transaction check
---> Package man-pages.noarch 0:3.53-5.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================
Package Arch Version Repository Size
=============================================================================================
Installing:
man-pages noarch 3.53-5.el7 base 5.0 M
Transaction Summary
=============================================================================================
Install 1 Package
Total download size: 5.0 M
Installed size: 4.6 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/man-pages-3.53-5.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for man-pages-3.53-5.el7.noarch.rpm is not installed
man-pages-3.53-5.el7.noarch.rpm | 5.0 MB 00:00:02
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <aaa@qq.com>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-7.1908.0.el7.centos.x86_64 (@anaconda)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : man-pages-3.53-5.el7.noarch 1/1
Verifying : man-pages-3.53-5.el7.noarch 1/1
Installed:
man-pages.noarch 0:3.53-5.el7
Complete!
User password information
Password hashes and aging information are kept in /etc/shadow, which unlike /etc/passwd is readable only by root. The $6$ prefix marks a SHA-512 crypt hash; !! marks an account that has never had a password set, so password login is impossible:
# vi /etc/shadow
root:$6$S.td5Bpl$D9V84cscdyU0xt8NGOutwEGuk0AVYMkS.uVDg7mCvbpT04tcda1DkweGK3aa7MpYG4Lwpsy6q8AJFfpj7DakD1:18398:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18397::::::
dbus:!!:18397::::::
polkitd:!!:18397::::::
sshd:!!:18397::::::
postfix:!!:18397::::::
mk:$6$0OCeYiUmwEUtD91n$RhnUnM2m7EUa6GVxakfXqsyj1a8pONucHbZIrPuTS5BXnrLEKPnZi4V3mbQSBqxqZN1iBQiPYxg3mzAvOTIW6.::0:99999:7:::
ops:$6$wg.UieRR$hxAsEDjV7m.ixRfPQThSZwN3VzLLL0.CWkotQapSuRzQA93LN6eG7fA.XJzEOZ9vhmZcpmoAQC9dtlGlBrrn.1:18398:0:99999:7:::
nologin:!!:18398:0:99999:7:::
Each line of /etc/shadow holds the password information for one user; the nine fields are documented in man 5 shadow:
Each line of this file contains 9 fields, separated by colons (“:”), in the following order:
login name
It must be a valid account name, which exists on the system.
encrypted password
Refer to crypt(3) for details on how this string is interpreted.
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).
This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.
A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
date of last password change
The date of the last password change, expressed as the number of days since Jan 1, 1970 00:00 UTC.
The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.
An empty field means that password aging features are disabled.
minimum password age
The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.
An empty field and value 0 mean that there are no minimum password age.
maximum password age
The maximum password age is the number of days after which the user will have to change her password.
After this number of days is elapsed, the password may still be valid. The user should be asked to change her password the next time she will log in.
An empty field means that there are no maximum password age, no password warning period, and no password inactivity period (see below).
If the maximum password age is lower than the minimum password age, the user cannot change her password.
password warning period
The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.
An empty field and value 0 mean that there are no password warning period.
password inactivity period
The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login).
After expiration of the password and this expiration period is elapsed, no login is possible for the user. The user should contact her administrator.
An empty field means that there are no enforcement of an inactivity period.
account expiration date
The date of expiration of the account, expressed as the number of days since Jan 1, 1970 00:00 UTC.
Note that an account expiration differs from a password expiration. In case of an account expiration, the user shall not be allowed to login. In case of a password expiration, the user is not allowed to login using her password.
An empty field means that the account will never expire.
The value 0 should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan 1, 1970.
reserved field
This field is reserved for future use.
Changing password aging information
Password aging information is changed with chage; its help output:
# chage --help
Usage: chage [options] LOGIN
Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS
-R, --root CHROOT_DIR directory to chroot into
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
Show the aging information of account ops:
# chage --list ops
Last password change : May 16, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Force the user to change the password at the next login:
# chage --lastday 0 ops // sets the "date of last password change" field of ops to 0, i.e. the password must be changed at the next login
# chage --list ops
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
When switching to ops from a normal user, the password change is enforced:
[aaa@qq.com ~]$ su --login ops // switch from mk to ops
Password: // enter the password 1234
You are required to change your password immediately (root enforced)
Changing password for ops.
(current) UNIX password: // enter the current password 1234
New password: // new password
Retype new password: // confirm the new password
Last login: Sat May 16 16:53:35 CST 2020 on pts/0
Last failed login: Sat May 16 16:55:34 CST 2020 on pts/0
There were 2 failed login attempts since the last successful login.
Set an account expiration date. Unlike password expiry, an expired account cannot log in by any means, SSH keys included:
# date +%F // today's date
2020-05-16
# chage --expiredate $(date --date '+30days' +%F) ops // make account ops expire 30 days from now
# chage --list ops
Last password change : May 16, 2020
Password expires : never
Password inactive : never
Account expires : Jun 15, 2020 // expiration date
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
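As an added example that is not from the original page, the following Python script shows how the /etc/shadow fields described above and the chage operations in this section fit together: it parses nine-field lines, classifies the password field, applies the aging checks in the order login(1) does, and models what chage --lastday 0 and chage --expiredate write into the file (dates are days since 1970-01-01, so May 16, 2020 is 18398 and Jun 15, 2020 is 18428). The sample lines are constructed and the hashes are truncated placeholders.

```python
"""Interpret /etc/shadow-format lines the way login(1) and chage(1) do.

Added example, not code from the page. It parses the nine fields quoted from
shadow(5) above, classifies the password field, applies the aging rules that
login(1) enforces, and shows what `chage --lastday 0` and
`chage --expiredate` write into the file. Sample lines are constructed; the
hashes are truncated placeholders, not real hashes.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

SAMPLE_SHADOW = """\
root:$6$S.td5Bpl$D9V84cscdyU0xt8N:18398:0:99999:7:::
nologin:!!:18398:0:99999:7:::
ops:$6$wg.UieRR$hxAsEDjV7m:18398:0:99999:7:::
svc:$6$abcdefgh$TRUNCATED:18000:0:90:7:30::
guest::18398:0:99999:7:::
"""


def days_since_epoch(d: date) -> int:
    """shadow(5) stores every date as days since 1970-01-01 UTC."""
    return (d - EPOCH).days


def date_from_days(days: int) -> date:
    return EPOCH + timedelta(days=days)


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field != "" else None


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]    # days since epoch; 0 = change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]         # account expiration, days since epoch
    reserved: str = ""

    def to_line(self) -> str:
        """Serialise back to the colon-separated form written by chage/passwd."""
        nums = [self.last_change, self.min_days, self.max_days,
                self.warn_days, self.inactive_days, self.expire]
        return ":".join([self.name, self.password]
                        + ["" if n is None else str(n) for n in nums]
                        + [self.reserved])


def parse_shadow(text: str) -> dict[str, ShadowEntry]:
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        entries[f[0]] = ShadowEntry(f[0], f[1], *(_opt_int(x) for x in f[2:8]), f[8])
    return entries


def password_state(pw: str) -> str:
    """Classify the password field as shadow(5) and crypt(5) define it."""
    if pw == "":
        return "empty"             # no password required at all
    if pw.startswith("!"):
        return "locked"            # '!!' from useradd, or passwd -l / usermod -L
    if pw == "*":
        return "no-password"       # system account: password login impossible
    if pw.startswith("$6$"):
        return "sha512-crypt"
    if pw.startswith("$5$"):
        return "sha256-crypt"
    if pw.startswith("$1$"):
        return "md5-crypt (weak)"
    return "other"


def login_status(e: ShadowEntry, today: int) -> str:
    """Apply the aging checks in the order login(1) does (see shadow(5) above)."""
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return "account_expired"          # no login by any means
    if e.last_change is None:
        return "ok"                       # empty field: aging disabled
    if e.last_change == 0:
        return "must_change_password"     # exactly what `chage --lastday 0` sets
    if e.max_days is None:
        return "ok"                       # no maximum age
    expires_on = e.last_change + e.max_days
    if today < expires_on:
        return "ok"
    if e.inactive_days is not None and today >= expires_on + e.inactive_days:
        return "password_expired"         # past the inactivity period: contact admin
    return "must_change_password"


def apply_chage(e: ShadowEntry, lastday: Optional[int] = None,
                expiredate: Optional[date] = None) -> ShadowEntry:
    """Model `chage --lastday N` and `chage --expiredate YYYY-MM-DD`."""
    if lastday is not None:
        e = replace(e, last_change=lastday)
    if expiredate is not None:
        e = replace(e, expire=days_since_epoch(expiredate))
    return e


if __name__ == "__main__":
    today = days_since_epoch(date(2020, 5, 16))
    for e in parse_shadow(SAMPLE_SHADOW).values():
        print(f"{e.name:8} {password_state(e.password):18} {login_status(e, today)}")
```

The `guest` line is the case the shadow(5) text warns about: an empty password field means no password is needed at all, which is why a script like this belongs in a baseline check alongside the /etc/passwd audit.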
Modifying user account information
Change a user's UID:
# id ops
uid=1001(ops) gid=1001(ops) groups=1001(ops)
# usermod --uid 1100 ops // change the UID of ops to 1100
# id ops
uid=1100(ops) gid=1001(ops) groups=1001(ops)
# tail -2 /etc/passwd // last two lines of /etc/passwd, now showing the new UID
ops:x:1100:1001::/home/ops:/bin/bash
nologin:x:1002:1002::/home/nologin:/sbin/nologin
Note that usermod --uid re-owns only the home directory and the mail spool; files the user owns elsewhere on the system keep the old numeric owner and must be found and fixed by hand (for example with find / -xdev -uid 1001).
Change a user's shell:
# tail -1 /etc/passwd // last line of /etc/passwd
nologin:x:1002:1002::/home/nologin:/sbin/nologin
# usermod --shell /bin/sh nologin // change the user's shell
# tail -1 /etc/passwd
nologin:x:1002:1002::/home/nologin:/bin/sh
Change a user's home directory and move the contents of the old one to the new location:
# ll /home/
total 0
drwx------. 2 mk mk 83 May 15 22:10 mk
drwx------. 2 nologin nologin 83 May 16 18:00 nologin // old home
drwx------. 2 ops ops 83 May 16 14:41 ops
# tail -1 /etc/passwd
nologin:x:1002:1002::/home/nologin:/bin/sh
# usermod --move-home --home /home/login nologin // move the home directory
# ll /home/
total 0
drwx------. 2 nologin nologin 83 May 16 18:00 login // new home
drwx------. 2 mk mk 83 May 15 22:10 mk
drwx------. 2 ops ops 83 May 16 14:41 ops
# tail -1 /etc/passwd
nologin:x:1002:1002::/home/login:/bin/sh
Groups
Group information is kept in /etc/group:
# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
ssh_keys:x:997:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
mk:x:1000:mk
ops:x:1001:
nologin:x:1002:
Creating a group
Create a group and look at its entry:
# groupadd admin
# tail -1 /etc/group
admin:x:1003:
The fields of /etc/group are documented in man 5 group:
DESCRIPTION
The /etc/group file is a text file that defines the groups on the system. There is one entry per line, with the following format:
group_name:password:GID:user_list
The fields are as follows:
group_name the name of the group.
password the (encrypted) group password. If this field is empty, no password is needed.
GID the numeric group ID.
user_list a list of the usernames that are members of this group, separated by commas.
Create a group with a specific GID:
# groupadd --gid 1111 sysadmin
# tail -1 /etc/group
sysadmin:x:1111:
Changing a user's primary and supplementary groups
Change the primary group:
# tail -2 /etc/group
admin:x:1003:
sysadmin:x:1111:
# id ops
uid=1100(ops) gid=1001(ops) groups=1001(ops)
# usermod --gid 1003 ops // change the user's primary group
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin)
Set the supplementary groups. Note that --groups replaces the whole supplementary list; to add a group without dropping the existing memberships, combine it with --append (usermod -aG):
# tail -2 /etc/group
admin:x:1003:
sysadmin:x:1111:
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin)
# usermod --groups 1111 ops // set the user's supplementary groups
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin),1111(sysadmin)
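As an added example that is not part of the original page, this Python script resolves a user's group list the way id(1) does from passwd and group data, and models two things the commands above hide: what usermod --groups does with and without --append, and why groupdel refuses a primary group but not a group with supplementary members. The sample data is constructed to match the state shown above after usermod --gid 1003 ops, plus a sysops group the user already belongs to.

```python
"""Resolve a user's groups the way id(1) does, from passwd and group data.

Added example, not code from the page. The primary group is the GID field of
the user's /etc/passwd line; supplementary groups are the /etc/group lines
whose user_list names the user. The helpers also model what
`usermod --groups` does with and without --append, and why groupdel refuses
a primary group. Sample data is constructed.
"""
from dataclasses import dataclass, field

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mk:x:1000:1000:mk:/home/mk:/bin/bash
ops:x:1100:1003::/home/ops:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:mk
mk:x:1000:mk
ops:x:1001:
admin:x:1003:
sysadmin:x:1111:
sysops:x:1004:ops
"""


@dataclass
class Group:
    name: str
    gid: int
    members: list[str] = field(default_factory=list)


def parse_passwd_gids(text: str) -> dict[str, int]:
    """user name -> primary GID (field 4 of passwd(5))."""
    gids = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            gids[f[0]] = int(f[3])
    return gids


def parse_group(text: str) -> dict[str, Group]:
    """group name -> Group, preserving file order (which id(1) also keeps)."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, user_list = line.split(":")
            groups[name] = Group(name, int(gid), [u for u in user_list.split(",") if u])
    return groups


def resolve_groups(user: str, gids: dict[str, int], groups: dict[str, Group]) -> list[Group]:
    """Primary group first, then every group listing the user, in file order."""
    primary = next(g for g in groups.values() if g.gid == gids[user])
    supplementary = [g for g in groups.values() if user in g.members and g is not primary]
    return [primary] + supplementary


def id_groups(user: str, gids: dict[str, int], groups: dict[str, Group]) -> str:
    """Render the gid=/groups= part of id(1) output."""
    gs = resolve_groups(user, gids, groups)
    joined = ",".join(f"{g.gid}({g.name})" for g in gs)
    return f"gid={gs[0].gid}({gs[0].name}) groups={joined}"


def usermod_groups(user: str, new_groups: list[str], groups: dict[str, Group],
                   append: bool = False) -> dict[str, Group]:
    """Model `usermod --groups A,B user`; without --append the old list is replaced."""
    unknown = set(new_groups) - groups.keys()
    if unknown:
        raise ValueError(f"usermod: group '{sorted(unknown)[0]}' does not exist")
    result = {n: Group(g.name, g.gid, list(g.members)) for n, g in groups.items()}
    for g in result.values():
        if not append and user in g.members and g.name not in new_groups:
            g.members.remove(user)        # dropped: this is the --groups surprise
        if g.name in new_groups and user not in g.members:
            g.members.append(user)
    return result


def groupdel(name: str, gids: dict[str, int], groups: dict[str, Group]) -> dict[str, Group]:
    """Model groupdel: refuse only if the group is some user's primary group."""
    gid = groups[name].gid
    owners = [u for u, g in gids.items() if g == gid]
    if owners:
        raise ValueError(f"groupdel: cannot remove the primary group of user '{owners[0]}'")
    return {n: g for n, g in groups.items() if n != name}


if __name__ == "__main__":
    gids, groups = parse_passwd_gids(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    print("before:        ", id_groups("ops", gids, groups))
    print("--groups:      ", id_groups("ops", gids, usermod_groups("ops", ["sysadmin"], groups)))
    print("--append:      ", id_groups("ops", gids, usermod_groups("ops", ["sysadmin"], groups, True)))
```

On a real system `id` consults NSS rather than reading the files directly, so accounts from LDAP or SSSD also appear; the resolution rule (primary from passwd, supplementary from group membership lists) is the same.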
Deleting a group
Delete a group that is not anyone's primary group:
# tail -2 /etc/group
admin:x:1003:
sysadmin:x:1111:ops
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin),1111(sysadmin)
# groupdel sysadmin // delete group sysadmin (ops is only a supplementary member, which does not block the deletion)
# tail -1 /etc/group // sysadmin is gone
admin:x:1003:
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin)
A primary group cannot be deleted:
# tail -1 /etc/group
admin:x:1003:
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin)
# groupdel admin
groupdel: cannot remove the primary group of user 'ops' // refused
To delete a primary group, first make it a non-primary group:
# id ops
uid=1100(ops) gid=1003(admin) groups=1003(admin)
# usermod --gid ops ops // give ops its own group back as primary group
# id ops
uid=1100(ops) gid=1001(ops) groups=1001(ops)
# groupdel admin // admin is no longer any user's primary group, so it can be deleted
# tail -1 /etc/group
nologin:x:1002:
Managing group members
Add a user to a group:
# tail -2 /etc/group
admin:x:1003:
sysops:x:1004:
# id ops
uid=1100(ops) gid=1001(ops) groups=1001(ops)
# gpasswd --add ops sysops // add user ops to group sysops
Adding user ops to group sysops
# id ops
uid=1100(ops) gid=1001(ops) groups=1001(ops),1004(sysops)
# tail -1 /etc/group
sysops:x:1004:ops
Set the member list of a group:
# tail -1 /etc/group
sysops:x:1004:ops // current members
# id ops1
uid=1101(ops1) gid=1101(ops1) groups=1101(ops1)
# id ops2
uid=1102(ops2) gid=1102(ops2) groups=1102(ops2)
# gpasswd --members ops1,ops2 sysops // set the member list
# tail -1 /etc/group
sysops:x:1004:ops1,ops2 // current members
# id ops1
uid=1101(ops1) gid=1101(ops1) groups=1101(ops1),1004(sysops)
# id ops2
uid=1102(ops2) gid=1102(ops2) groups=1102(ops2),1004(sysops)
Note: gpasswd --members replaces the existing member list; ops was dropped above.
Removing a group member
# tail /etc/group | grep sysops
sysops:x:1004:ops1,ops2
# gpasswd --delete ops2 sysops
Removing user ops2 from group sysops
# tail /etc/group | grep sysops
sysops:x:1004:ops1
Setting a group administrator
[aaa@qq.com ~]# tail /etc/group | grep sysops
sysops:x:1004:ops1
[aaa@qq.com ~]# gpasswd --administrators ops1 sysops // make ops1 an administrator of the group
[aaa@qq.com ~]# su --login ops1 // switch to user ops1
[aaa@qq.com ~]$ gpasswd --add ops sysops // ops1 is an administrator of sysops, so it can add members without root
Adding user ops to group sysops
[aaa@qq.com ~]$ cat /etc/group | grep sysops
sysops:x:1004:ops1,ops
Setting a group password
# tail /etc/gshadow | grep sysops // look at the sysops entry
sysops:!:ops1:ops1,ops
# gpasswd sysops
Changing the password for group sysops
New Password:
Re-enter new password:
# tail /etc/gshadow | grep sysops
sysops:$6$e1VZu6p6dw$1pXvv9GI7hErnllHDd8YJhDmXfqDENoLGjHP96oaOYvsEui4k/UpoEBxubQFtzfjp/EfFzL62xuHhKM2HtbOh.:ops1:ops1,ops
man 5 gshadow describes /etc/gshadow. Keep in mind that a group password lets any local user who knows it obtain the group's permissions through newgrp, so it is usually better left locked (!) with membership managed explicitly:
DESCRIPTION
/etc/gshadow contains the shadowed information for group accounts.
This file must not be readable by regular users if password security is to be maintained.
Each line of this file contains the following colon-separated fields:
group name
It must be a valid group name, which exists on the system.
encrypted password
Refer to crypt(3) for details on how this string is interpreted.
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, users will not be able to use a unix password to access the group (but group members do not need the password).
The password is used when a user who is not a member of the group wants to gain the permissions of this group (see newgrp(1)).
This field may be empty, in which case only the group members can gain the group permissions.
A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
This password supersedes any password specified in /etc/group.
administrators
It must be a comma-separated list of user names.
Administrators can change the password or the members of the group.
Administrators also have the same permissions as the members (see below).
members
It must be a comma-separated list of user names.
Members can access the group without being prompted for a password.
You should use the same list of users as in /etc/group.
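As an added example (not from the original page), this Python script performs a simplified version of the consistency checks grpck does between /etc/group and /etc/gshadow (member lists that differ, entries missing from one file), flags groups whose password field is a usable crypt hash, and shows how newgrp decides whether a given user gets the group's permissions according to the gshadow(5) rules quoted above. The sample lines are constructed; the hash is a truncated placeholder.

```python
"""Cross-check /etc/group against /etc/gshadow and decide newgrp(1) access.

Added example, not code from the page. gshadow(5) above says the member list
should match /etc/group and that a crypt hash in the password field lets
non-members join the group with newgrp; this script reports both. The sample
lines are constructed (the hash is a truncated placeholder).
"""

SAMPLE_GROUP = """\
wheel:x:10:mk
sysops:x:1004:ops1,ops
devs:x:1005:alice
"""
SAMPLE_GSHADOW = """\
wheel:!::mk
sysops:$6$e1VZu6p6dw$1pXvv9GI7hErnllHD:ops1:ops1,ops
devs:!::alice,bob
"""


def _split_list(s: str) -> list[str]:
    return [u for u in s.split(",") if u]


def parse_group(text: str) -> dict[str, tuple[int, list[str]]]:
    """group name -> (gid, members)"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            out[name] = (int(gid), _split_list(members))
    return out


def parse_gshadow(text: str) -> dict[str, tuple[str, list[str], list[str]]]:
    """group name -> (password, administrators, members)"""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, pw, admins, members = line.split(":")
            out[name] = (pw, _split_list(admins), _split_list(members))
    return out


def has_usable_password(pw: str) -> bool:
    """True when the field is a crypt(3) result rather than '', '!...' or '*'."""
    return pw != "" and not pw.startswith("!") and pw != "*"


def audit(group, gshadow) -> list[str]:
    """Report what grpck would complain about, plus groups that accept a password."""
    findings = []
    for name, (_gid, members) in group.items():
        if name not in gshadow:
            findings.append(f"{name}: no /etc/gshadow entry")
            continue
        pw, _admins, smembers = gshadow[name]
        if set(members) != set(smembers):
            findings.append(f"{name}: members differ: group={members} gshadow={smembers}")
        if has_usable_password(pw):
            findings.append(f"{name}: group password set; anyone who knows it can newgrp into the group")
    for name in gshadow.keys() - group.keys():
        findings.append(f"{name}: in /etc/gshadow but not in /etc/group")
    return findings


def newgrp_access(user: str, name: str, gshadow) -> str:
    """How newgrp(1) treats `user` asking for group `name`, per gshadow(5)."""
    pw, admins, members = gshadow[name]
    if user in members:
        return "member"              # no password prompt
    if user in admins:
        return "administrator"       # same permissions as a member
    if has_usable_password(pw):
        return "password-required"   # the group password is the only gate
    return "denied"


if __name__ == "__main__":
    for finding in audit(parse_group(SAMPLE_GROUP), parse_gshadow(SAMPLE_GSHADOW)):
        print(finding)
```

The two findings on the sample data are exactly the two situations the man page warns about: the sysops password set on the page above, and a devs member list that was edited in one file but not the other.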