1 . 本地用户:
分类:
1) root: 超级用户,拥有最高权限,uid 为 0;任何 uid 为 0 的账户都被系统视为超级用户。
[root@server0 tmp]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
用户ID 主组ID 组列表 上下文(SELinux 安全标签)
[root@server0 tmp]#
useradd -d /usr/local/bin -u 0 -o andy:创建"假 root"(-o 允许重复使用已存在的 uid),andy 与 root 用户权限完全相同;后文 `id andy` 的输出显示其 uid 解析为 0(root)。审计时应检查 /etc/passwd 中是否存在多余的 uid 为 0 的账户。
2) 普通用户: 无管理权限 1000 <= uid <= 60000
一个用户可以同时属于多个从属组, 但是 主组只能有一个 。
[root@server0 tmp]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) #student 同时在 student , wheel组
[root@server0 tmp]#
wheel: 系统管理员组,类似 Windows 中的 administrators 组,其成员可以通过 sudo 执行管理命令。
[root@server0 tmp]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan)
[root@server0 tmp]#
3) 服务账户:无登录权限,登录 shell 为 /sbin/nologin,0 < uid < 1000
[root@server0 Desktop]# ps -aux |grep apache
apache 7530 0.0 0.0 215784 2996 ? S 11:23 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7531 0.0 0.0 215784 2996 ? S 11:23 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7532 0.0 0.0 215784 2996 ? S 11:23 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7533 0.0 0.0 215784 2996 ? S 11:23 0:00 /usr/sbin/httpd -DFOREGROUND
apache 7534 0.0 0.0 215784 2996 ? S 11:23 0:00 /usr/sbin/httpd -DFOREGROUND
root 7571 0.0 0.0 112640 976 pts/0 R+ 11:23 0:00 grep --color=auto apache
[root@server0 Desktop]# cat /etc/passwd |grep apache
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
[root@server0 Desktop]#
组:
1) 主组: 创建用户时,默认会创建一个与用户名同名的主组;作用:用户创建文件时,新文件的所属组即为该用户的主组。
[student@server0 ~]$ touch student-file
[student@server0 ~]$ ll
bash: ll: command not found...
[student@server0 ~]$ ls
student-file
[student@server0 ~]$ ls -al
total 20
drwx------. 5 student student 4096 Jun 16 11:16 .
drwxr-xr-x. 6 root root 59 Jun 16 09:32 ..
-rw-------. 1 student student 288 Jun 16 11:12 .bash_history
-rw-r--r--. 1 student student 18 Jan 29 2014 .bash_logout
-rw-r--r--. 1 student student 193 Jan 29 2014 .bash_profile
-rw-r--r--. 1 student student 231 Jan 29 2014 .bashrc
drwxrwxr-x. 3 student student 17 Jun 15 09:55 .cache
drwxr-xr-x. 3 student student 67 Jun 15 09:55 .config
drwx------. 2 student student 28 Jul 11 2014 .ssh
-rw-rw-r--. 1 student student 0 Jun 16 11:16 student-file
[student@server0 ~]$
修改用户的主组:
[root@server0 tmp]#
[root@server0 tmp]# groupadd it
[root@server0 tmp]# usermod -g it student
[root@server0 tmp]# id student
uid=1000(student) gid=2005(it) groups=2005(it),10(wheel)
[root@server0 tmp]#
[student@server0 tmp]$ touch student-file3
[student@server0 tmp]$ ls -l
total 0
-rw-r--r--. 1 student it 0 Jun 16 11:17 student-file3
[student@server0 tmp]$
2) 从属组(附加组):用户额外所属的组,需手动创建;作用:用于文件权限分配。
[root@server0 Desktop]# groupadd it #手动创建的组
将zhangsan,lisi 加入到it组中:
[root@server0 Desktop]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan)
[root@server0 Desktop]# id lisi
uid=2002(lisi) gid=2002(lisi) groups=2002(lisi)
[root@server0 Desktop]#
[root@server0 Desktop]# usermod -aG it zhangsan
[root@server0 Desktop]# usermod -aG it lisi
[root@server0 Desktop]# id zhangsan
uid=2001(zhangsan) gid=2001(zhangsan) groups=2001(zhangsan),2005(it)
[root@server0 Desktop]#
2 用户信息保存文件: /etc/passwd #保存用户名,uid,gid,用户家目录,描述,登录的shell
[root@server0 Desktop]# cat /etc/passwd |grep student
student:x:1000:1000:Student User:/home/student:/bin/bash
[root@server0 Desktop]#
3 用户密码保存文件:/etc/shadow,保存用户密码的哈希值(MD5、SHA 等算法)、密码属性(密码最后一次修改时间、密码最长使用天数、最少使用天数、警告时间、失效时间)以及账户有效期。
[root@server0 Desktop]# cat /etc/shadow |grep zhangsan
zhangsan:$6$4lIdvqB3$ae216VZvjrNyV7TKJ1Ib6qN5DkPDRVPus/tO1wrXz.lcQncHJQHJ/RXXrL2E0OdXevMkviK4HXHLrYZi3uVaS.:18063:0:99999:7:::
[root@server0 Desktop]#
zhangsan:用户名
$6$4lIdvqB3$ae216VZvjrNyV7TKJ1Ib6qN5DkPDRVPus/tO1wrXz.lcQncHJQHJ/RXXrL2E0OdXevMkviK4HXHLrYZi3uVaS.: 密码哈希;开头的 $6$ 表示 SHA-512 算法,4lIdvqB3 为盐值,最后一段为哈希结果
18063: 密码最后一次修改时间,即自 1970-01-01 起的第 18063 天(对应下文 chage -l 显示的 Jun 16, 2019)
0: 密码最少使用天数 0 表示随时可以修改密码
99999: 密码最长使用天数 永久
7 : 警告时间,密码最长时间到期前 7天开始警告
(空): 密码失效时间,即密码到期后再过多少天账户被锁定;此处为空表示未设置。
(空): 账户有效期,以自 1970-01-01 起的天数表示;此处为空表示账户永不过期。
查看用户密码属性:
[root@server0 ssh]#
[root@server0 ssh]# chage -l zhangsan
Last password change : Jun 16, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@server0 ssh]#
修改密码属性:
需求:将zhangsan的密码属性修改为 最长使用天数 30 ,警告时间7天, 失效 10天, 有效期到 2020-06-16
[root@server0 ssh]# chage -E 2020-06-16 -M 30 -W 7 -I 10 zhangsan
[root@server0 ssh]# chage -l zhangsan
Last password change : Jun 16, 2019
Password expires : Jul 16, 2019
Password inactive : Jul 26, 2019
Account expires : Jun 16, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
[root@server0 ssh]#
需求:使密码立即过期,用户下次登录时必须修改密码:
[root@server0 ssh]# chage -d 0 zhangsan
[root@server0 ssh]# chage -l zhangsan
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : Jun 16, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
[root@server0 ssh]#
删除用户:userdel
1) userdel -r 用户名:彻底删除用户,家目录、邮箱目录等全部一并删除
[root@server0 ssh]# userdel -r zhangsan
[root@server0 ssh]# cd /home
[root@server0 home]# ls
lisi student wangwu
[root@server0 home]#
2) userdel 用户名:仅删除 /etc/passwd、/etc/shadow 中的账户记录,家目录和邮箱目录保留(见下文 /home 中 lisi 目录仍存在)
[root@server0 home]# userdel lisi
[root@server0 home]# ls
lisi student wangwu
[root@server0 home]#
[root@server0 home]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
[root@server0 home]#
[root@server0 home]# id andy
uid=0(root) gid=0(root) groups=0(root)
[root@server0 home]#
[root@server0 home]#
[root@server0 home]# cd /var/spool/mail/
[root@server0 mail]# ls
andy lisi root rpc student wangwu
[root@server0 mail]#
创建用户时,会将 /etc/skel 目录中的所有文件(包括隐藏文件)复制到新用户的家目录中