第五章 管理本地用户和组

1 . 本地用户:

分类:

1) root:超级用户,拥有最高权限。uid 为 0 的账户就是超级用户,系统以 uid 而不是用户名判断权限。

[root@server0 tmp]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
用户ID      主组ID      组列表            上下文:SELinux 安全标签   
[root@server0 tmp]# 


useradd -d /usr/local/bin -u 0 -o andy:创建一个 uid 为 0 的"假 root"账户(-o 允许 uid 重复),andy 与 root 用户权限完全相同。审计账户时应检查 /etc/passwd 中除 root 外是否还有 uid 为 0 的账户。

2) 普通用户:无管理权限,1000 <= uid <= 60000(对应 /etc/login.defs 中的 UID_MIN 和 UID_MAX)。
一个用户可以同时属于多个从属组, 但是 主组只能有一个 。

[root@server0 tmp]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) #student 同时在 student , wheel组 
[root@server0 tmp]# 
wheel:系统管理员组,类似 Windows 中的 administrators 组,组内成员可以通过 sudo 执行管理命令。

[root@server0 tmp]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan)
[root@server0 tmp]# 

3) 服务账户:无登录权限(登录 shell 为 /sbin/nologin),0 < uid < 1000。

[root@server0 Desktop]# ps -aux |grep apache
apache     7530  0.0  0.0 215784  2996 ?        S    11:23   0:00 /usr/sbin/httpd -DFOREGROUND
apache     7531  0.0  0.0 215784  2996 ?        S    11:23   0:00 /usr/sbin/httpd -DFOREGROUND
apache     7532  0.0  0.0 215784  2996 ?        S    11:23   0:00 /usr/sbin/httpd -DFOREGROUND
apache     7533  0.0  0.0 215784  2996 ?        S    11:23   0:00 /usr/sbin/httpd -DFOREGROUND
apache     7534  0.0  0.0 215784  2996 ?        S    11:23   0:00 /usr/sbin/httpd -DFOREGROUND
root       7571  0.0  0.0 112640   976 pts/0    R+   11:23   0:00 grep --color=auto apache
[root@server0 Desktop]# cat /etc/passwd |grep apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
[root@server0 Desktop]# 

组:

1) 主组:创建用户时,默认会创建一个与用户名同名的主组。作用:用户创建文件时,新文件的所属组默认为该用户的主组。

[student@server0 ~]$ touch student-file
[student@server0 ~]$ ll
bash: ll: command not found...
[student@server0 ~]$ ls
student-file
[student@server0 ~]$ ls -al
total 20
drwx------. 5 student student 4096 Jun 16 11:16 .
drwxr-xr-x. 6 root    root      59 Jun 16 09:32 ..
-rw-------. 1 student student  288 Jun 16 11:12 .bash_history
-rw-r--r--. 1 student student   18 Jan 29  2014 .bash_logout
-rw-r--r--. 1 student student  193 Jan 29  2014 .bash_profile
-rw-r--r--. 1 student student  231 Jan 29  2014 .bashrc
drwxrwxr-x. 3 student student   17 Jun 15 09:55 .cache
drwxr-xr-x. 3 student student   67 Jun 15 09:55 .config
drwx------. 2 student student   28 Jul 11  2014 .ssh
-rw-rw-r--. 1 student student    0 Jun 16 11:16 student-file
[student@server0 ~]$ 

修改用户的主组:

[root@server0 tmp]# 
[root@server0 tmp]# groupadd it
[root@server0 tmp]# usermod -g it student
[root@server0 tmp]# id student
uid=1000(student) gid=2005(it) groups=2005(it),10(wheel)
[root@server0 tmp]# 
[student@server0 tmp]$ touch student-file3
[student@server0 tmp]$ ls -l
total 0

-rw-r--r--. 1 student it   0 Jun 16 11:17 student-file3
[student@server0 tmp]$ 

2) 从属组:用户附加所属的组,作用是用于文件权限分配,通常由管理员手动创建。

[root@server0 Desktop]# groupadd it #手动创建的组

将zhangsan,lisi 加入到it组中:

[root@server0 Desktop]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan)
[root@server0 Desktop]# id lisi
uid=2002(lisi) gid=2002(lisi) groups=2002(lisi)
[root@server0 Desktop]# 

[root@server0 Desktop]# usermod -aG it zhangsan
[root@server0 Desktop]# usermod -aG it lisi
[root@server0 Desktop]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan),2005(it)
[root@server0 Desktop]# 

2 用户信息保存文件:/etc/passwd,保存用户名、uid、gid、用户家目录、描述、登录 shell。

[root@server0 Desktop]# cat /etc/passwd |grep student
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@server0 Desktop]# 

3 用户密码保存文件:/etc/shadow,保存用户密码的加盐哈希值(算法由 /etc/login.defs 中的 ENCRYPT_METHOD 决定,如 MD5、SHA512,本例为 SHA512),密码属性(密码最后一次修改时间、密码最长使用天数、最少使用天数、警告时间、失效时间),以及账户有效期。该文件应仅对 root 可读。

[root@server0 Desktop]# cat /etc/shadow |grep zhangsan
zhangsan:$6$4lIdvqB3$ae216VZvjrNyV7TKJ1Ib6qN5DkPDRVPus/tO1wrXz.lcQncHJQHJ/RXXrL2E0OdXevMkviK4HXHLrYZi3uVaS.:18063:0:99999:7:::
[root@server0 Desktop]# 

zhangsan:用户名

$6$4lIdvqB3$ae216VZvjrNyV7TKJ1Ib6qN5DkPDRVPus/tO1wrXz.lcQncHJQHJ/RXXrL2E0OdXevMkviK4HXHLrYZi3uVaS.:密码哈希,格式为 $算法id$盐$哈希值,其中 $6$ 表示 SHA512,4lIdvqB3 是盐。

18063:密码最后一次修改时间,表示自 1970-01-01 起的第 18063 天(即上次修改密码的日期)。

0: 密码最少使用天数  0 表示随时可以修改密码

99999:密码最长使用天数,99999 天相当于永不过期。

7:警告时间,密码到期前 7 天开始警告。

::密码失效时间,密码到期后多少天仍未修改则锁定账户(为空表示不启用)。

::账户有效期,账户过期日期(自 1970-01-01 起的天数,为空表示永不过期)。

查看用户密码属性:

[root@server0 ssh]# 
[root@server0 ssh]# chage -l zhangsan
Last password change					: Jun 16, 2019
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7
[root@server0 ssh]# 

修改密码属性:

需求:将zhangsan的密码属性修改为 最长使用天数 30  ,警告时间7天, 失效 10天, 有效期到 2020-06-16

[root@server0 ssh]# chage -E 2020-06-16 -M 30 -W 7 -I 10 zhangsan
[root@server0 ssh]# chage -l zhangsan
Last password change					: Jun 16, 2019
Password expires					: Jul 16, 2019
Password inactive					: Jul 26, 2019
Account expires						: Jun 16, 2020
Minimum number of days between password change		: 0
Maximum number of days between password change		: 30
Number of days of warning before password expires	: 7
[root@server0 ssh]# 

需求:使密码立即过期,要求用户下次登录时必须修改密码:

[root@server0 ssh]# chage -d 0 zhangsan

[root@server0 ssh]# chage -l zhangsan
Last password change					: password must be changed
Password expires					: password must be changed
Password inactive					: password must be changed
Account expires						: Jun 16, 2020
Minimum number of days between password change		: 0
Maximum number of days between password change		: 30
Number of days of warning before password expires	: 7
[root@server0 ssh]# 

删除用户:userdel

1) userdel -r 用户名:彻底删除用户,同时删除家目录和邮箱目录(/var/spool/mail/用户名)。

[root@server0 ssh]# userdel -r zhangsan
[root@server0 ssh]# cd /home
[root@server0 home]# ls
lisi  student  wangwu
[root@server0 home]#

2) userdel 用户名:只删除 /etc/passwd、/etc/shadow 中的账户记录,家目录和邮箱目录保留。注意:保留下来的文件仍归原 uid 所有,若以后把该 uid 分配给新用户,新用户会获得这些文件的权限,因此删除账户后应清理或转移这些文件。

[root@server0 home]# userdel lisi
[root@server0 home]# ls
lisi  student  wangwu
[root@server0 home]# 

[root@server0 home]# cat /etc/login.defs 
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME	yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512 

[root@server0 home]# 

[root@server0 home]# id andy
uid=0(root) gid=0(root) groups=0(root)
[root@server0 home]# 
[root@server0 home]# 
[root@server0 home]# cd /var/spool/mail/
[root@server0 mail]# ls
andy  lisi  root  rpc  student  wangwu
[root@server0 mail]# 

创建用户时,会将 /etc/skel 目录中的所有文件(含隐藏文件)复制到新用户的家目录。
