2 - User Account Management
2016.6.7
Adding a user account
- useradd command / adduser (another way to create a user)
- useradd [options]... USERNAME
- -u: specify the UID number
- -d: specify the home directory; the default is /home/USERNAME
- -e: specify the account expiration date
- -M: do not create and initialize a home directory for the user
- -s: specify the user's login shell
[root@test1 ~]# useradd --help
Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR base directory for the home directory of the
new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new
account
-G, --groups GROUPS list of supplementary groups of the new
account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and
faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as
the user
-o, --non-unique allow to create users with duplicate
(non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
[root@test1 ~]#
expire [ex·pire || ɪk'spaɪə] v. to run out (of a term); to die; to exhale; to breathe out
Example 1:
[root@test1 test]# useradd jason
[root@test1 test]# tail /etc/passwd
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
test:x:500:500:test:/home/test:/bin/bash
bourn:x:501:501::/home/bourn:/bin/bash
jason:x:502:502::/home/jason:/bin/bash
[root@test1 test]#
Example 2:
[root@test1 test]# useradd -u 5200 -d /home/test81 -s /bin/bash test100
[root@test1 test]# tail -2 /etc/passwd
jason:x:502:502::/home/jason:/bin/bash
test100:x:5200:5200::/home/test81:/bin/bash
[root@test1 test]#
[root@test1 test]# cd /home
[root@test1 home]# ls
bourn jason teacher test test81
[root@test1 home]#
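As an added check (not part of the original notes), this script scans passwd-format text for the two UID problems that the -o (non-unique) option above makes possible: a second account with UID 0, and any UID shared by more than one login. SAMPLE_PASSWD is a constructed sample, not a real system file, and audit_passwd / passwd_is_clean are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not a real system file): note the
# second UID-0 account "toor" and the UID 5200 shared by test100 and backup,
# both of which useradd -o / usermod -o would allow.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
test:x:500:500:test:/home/test:/bin/bash
jason:x:502:502::/home/jason:/bin/bash
test100:x:5200:5200::/home/test81:/bin/bash
backup:x:5200:5200::/home/backup:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Reads passwd-format text from stdin and prints one line per finding:
#   "UID0 <user>"            an account other than root with UID 0
#   "DUP-UID <uid> <users>"  a UID assigned to more than one login
# Feed it the real file with: audit_passwd < /etc/passwd
audit_passwd() {
    awk -F: '
        # field 1 = login name, field 3 = numeric UID
        {
            if ($3 == 0 && $1 != "root") print "UID0 " $1
            count[$3]++
            names[$3] = names[$3] " " $1
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print "DUP-UID " uid names[uid]
        }' | sort
}

# Exit status 0 when the audit produces no findings, 1 otherwise.
passwd_is_clean() {
    [ -z "$(audit_passwd)" ]
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```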
4-3-2 Initial configuration files of a user account
Where the files come from
- When a new user account is created, they are copied from the /etc/skel directory
Main user initialization files
- ~/.bash_profile: executed at every login
- Anything you want to take effect after login can be written into this file.
- ~/.bashrc: executed every time a new Bash environment is entered
- ~/.bash_logout: executed every time you log out
- You can clear the history here with "history -c"
vim .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
vim .bashrc
# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi

# User specific aliases and functions
vim .bash_logout
# ~/.bash_logout

Example:
[root@test1 /]# cd /home
[root@test1 home]# ls
bourn jason teacher test test81
[root@test1 home]# cd test81
[root@test1 test81]# ls -a
. .. .bash_logout .bash_profile .bashrc .gnome2 .mozilla
[root@test1 test81]#
Example:
[root@test1 test81]# cd /etc/skel/
[root@test1 skel]# ls
[root@test1 skel]# ls -a
. .. .bash_logout .bash_profile .bashrc .gnome2 .mozilla
[root@test1 skel]#
[root@test1 skel]#
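Added example, not from the original notes: because every home directory starts as a copy of /etc/skel, its dotfiles can be compared back against the template to spot later changes to ~/.bashrc or ~/.bash_profile, both of which run code at every login. skel_drift and demo_skel_drift are names chosen here; the demo builds a throwaway skel and home under mktemp instead of touching the real directories.

```shell
#!/bin/sh
# Usage: skel_drift SKEL_DIR HOME_DIR
# Prints "MISSING <file>" for a template file absent from the home directory
# and "MODIFIED <file>" for one whose contents no longer match the template.
# Run against a real account with: skel_drift /etc/skel /home/jason
skel_drift() {
    skel=$1; home=$2
    for f in "$skel"/.[!.]*; do
        name=${f##*/}
        [ -f "$f" ] || continue        # skip .gnome2, .mozilla and other dirs
        if [ ! -e "$home/$name" ]; then
            echo "MISSING $name"
        elif ! cmp -s "$f" "$home/$name"; then
            echo "MODIFIED $name"
        fi
    done
    return 0
}

# Constructed fixture: a fake skel and a fake home in which .bashrc gained an
# alias line and .bash_logout was removed; nothing under /etc or /home is used.
demo_skel_drift() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/skel" "$tmp/home"
    printf '# .bashrc\n. /etc/bashrc\n' > "$tmp/skel/.bashrc"
    printf '# .bash_profile\n' > "$tmp/skel/.bash_profile"
    printf '# ~/.bash_logout\n' > "$tmp/skel/.bash_logout"
    cp "$tmp/skel/.bash_profile" "$tmp/home/"
    printf '# .bashrc\n. /etc/bashrc\nalias ls="ls --color"\n' > "$tmp/home/.bashrc"
    skel_drift "$tmp/skel" "$tmp/home"
    rm -rf "$tmp"
}

demo_skel_drift
```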
Setting/changing a user's password: passwd
- Format: passwd [options]... USERNAME
- If no username follows passwd, the password of the currently logged-in user is changed.
- Only root can set passwords for other users.
- -d: delete the user's password, so the account can log in without one
- -l: lock the user account
- -S: show the status of the user account (whether it is locked) (status)
- -u: unlock the user account (unlock)
[root@test1 etc]# passwd --help
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the password for the named account (root only)
-u, --unlock unlock the password for the named account (root only)
-e, --expire expire the password for the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled
(root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)
Help options:
-?, --help Show this help message
--usage Display brief usage message
Note the several "root only" entries in the help output: an ordinary user cannot perform those operations. To let an ordinary user run them, this has to be arranged through visudo.
Example:
[root@test1 skel]# su jason
[jason@test1 skel]$ su -jason
su: invalid option -- 'j'
Try `su --help' for more information.
[jason@test1 skel]$ su - jason
Password:
su: incorrect password
[jason@test1 skel]$
[jason@test1 skel]$
[jason@test1 skel]$
My question is: I entered the jason account directly with "su jason", so why did adding a "-" make it ask for a password?
[jason@jason root]$ su - jason
Password:
[jason@jason ~]$ su jason
Password:
[jason@jason ~]$ man su
[root@jason ~]# su - jason
[jason@jason ~]$
Because the first time it was root running "su jason", which has nothing to do with the "-".
The difference between having "-" and not having it needs explaining here:
- With "-", when switching to the target user, the environment configured for that user is loaded.
- Without "-", the user's personal customized environment is not loaded; you merely switch to that account.
Example: state with no password set:
[root@test1 skel]# tail -1 /etc/passwd
test100:x:5200:5200::/home/test81:/bin/bash
[root@test1 skel]# tail -1 /etc/shadow
test100:!!:16959:0:99999:7:::
[root@test1 skel]#
- "!!" means the account cannot log in (no password has been set)
Example: setting a password for test100:
[root@test1 skel]# passwd test100
Changing password for user test100.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@test1 skel]#
[root@test1 skel]# su - test100
[root@test1 skel]#
[test100@test1 ~]$
Example: setting another user's password as an ordinary user:
[test100@test1 ~]$ passwd jason
passwd: Only root can specify a user name.
[test100@test1 ~]$ ^C
[test100@test1 ~]$
Example: running passwd without a username:
[root@test1 ~]# passwd
Changing password for user root.
New password:
[root@test1 ~]#
Example: checking the status after a password has been added:
[root@test1 ~]# tail -2 /etc/shadow
jason:$6$slhIARhM$m4H/FarcPbVSsya5txmdpVoqlDRAVlXTXMmsDG6oXyLQYk/HmVk3AaBPD2Z3JyFj1MZRfNUGckmQkrfKe2DiN1:16959:0:99999:7:::
test100:$6$tYEkiEDB$HNvSqlPkNVroNstmwmjXtzDX3XEL5Ny7EQOswdajn8D66mzrpCR.rBl18a3aNHI5aKPPsEM/NwA4QwBnghjrp/:16959:0:99999:7:::
[root@test1 ~]#
Example: after deleting a user's password, switching between ordinary users:
[root@test1 ~]# su -d test100 // wrong command
su: invalid option -- 'd'
Try `su --help' for more information.
[root@test1 ~]# passwd -d test100
Removing password for user test100. // reports that the password of test100 is being removed
passwd: Success // removed successfully
[root@test1 ~]# tail -2 /etc/shadow
jason:$6$slhIARhM$m4H/FarcPbVSsya5txmdpVoqlDRAVlXTXMmsDG6oXyLQYk/HmVk3AaBPD2Z3JyFj1MZRfNUGckmQkrfKe2DiN1:16959:0:99999:7:::
test100::16959:0:99999:7:::
[root@test1 ~]# su - jason
[jason@test1 ~]$ su - test100
[test100@test1 ~]$ su - jason
Password:
[jason@test1 ~]$
[jason@test1 ~]$
Here you can see that the field that used to hold the encrypted password is now empty; this is the result of deleting the password.
Example: lock, check status, unlock
[root@test1 ~]# passwd -l jason
Locking password for user jason.
passwd: Success
[root@test1 ~]#
[root@test1 ~]#
[root@test1 ~]# su - test100
[test100@test1 ~]$ su - jason
Password:
su: incorrect password // the password entered here was correct, but because of the lock it is reported as incorrect
[test100@test1 ~]$
[test100@test1 ~]$ exit
logout
[root@test1 ~]# tail -2 /etc/shadow
jason:!!$6$slhIARhM$m4H/FarcPbVSsya5txmdpVoqlDRAVlXTXMmsDG6oXyLQYk/HmVk3AaBPD2Z3JyFj1MZRfNUGckmQkrfKe2DiN1:16959:0:99999:7:::
test100::16959:0:99999:7:::
[root@test1 ~]#
[root@test1 ~]#
[root@test1 ~]# passwd -S jason // check the status of user jason
jason LK 2016-06-07 0 99999 7 -1 (Password locked.)
Here you can see that when inspecting the shadow entry, the password hash is prefixed with "!!", which indicates the account is locked.
Unlock:
[root@test1 ~]# passwd -u jason
Unlocking password for user jason.
passwd: Success
[root@test1 ~]#
[root@test1 ~]# su - test100
[test100@test1 ~]$ su - jason
Password:
[jason@test1 ~]$
Modifying user account attributes: usermod
Format
usermod [options]... USERNAME
- -l: change the account's login name
- -L: lock the user account
- -U: unlock the user account
- Some options have the same meaning as in useradd: -u, -d, -e, -s
[root@test1 etc]# usermod --help
Usage: usermod [options] LOGIN
Options:
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
-G, --groups GROUPS new list of supplementary GROUPS
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
him/her from other groups
-h, --help display this help message and exit
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-s, --shell SHELL new login shell for the user account
-u, --uid UID new UID for the user account
-U, --unlock unlock the user account
-Z, --selinux-user new SELinux user mapping for the user account
[root@test1 etc]#
Example:
[root@test1 ~]# usermode -l test100 test101
bash: usermode: command not found
[root@test1 ~]# usermod -l test100 test101
usermod: user 'test101' does not exist
[root@test1 ~]#
[root@test1 ~]#
[root@test1 ~]# tail -2 /etc/passwd
jason:x:502:502::/home/jason:/bin/bash
test100:x:5200:5200::/home/test81:/bin/bash
[root@test1 ~]# usermod -l test101 test100
[root@test1 ~]# tail -2 /etc/passwd
jason:x:502:502::/home/jason:/bin/bash
test101:x:5200:5200::/home/test81:/bin/bash
[root@test1 ~]#
[root@jason ~]# usermod -l jason
usermod: no changes
[root@jason ~]# usermod -L jason // uppercase "L"
[root@jason ~]# passwd -S jason
jason LK 2016-06-30 0 99999 7 -1 (Password locked.)
[root@jason ~]# passwd -u jason // unlock using passwd
Unlocking password for user jason.
passwd: Success // unlocked successfully
[root@jason ~]# passwd -l jason
Locking password for user jason.
passwd: Success
[root@jason ~]# passwd -S jason
jason LK 2016-06-30 0 99999 7 -1 (Password locked.)
[root@jason ~]# usermod -U jason
[root@jason ~]# passwd -S jason
jason LK 2016-06-30 0 99999 7 -1 (Password locked.) // usermod cannot unlock an account that was locked with passwd
[root@jason ~]# passwd -u jason
Unlocking password for user jason.
passwd: Success
[root@jason ~]# passwd -S jason
jason PS 2016-06-30 0 99999 7 -1 (Password set, SHA512 crypt.)
[root@jason ~]# passwd -l jason
Locking password for user jason.
passwd: Success
[root@jason ~]# tail /etc/shadow | grep jason
jason:!!$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[root@jason ~]# passwd -u jason
Unlocking password for user jason.
passwd: Success
[root@jason ~]# tail /etc/shadow | grep jason
jason:$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[root@jason ~]# usermod -L jason
[root@jason ~]# tail /etc/shadow | grep jason
jason:!$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[root@jason ~]# usermode -U jason
-bash: usermode: command not found
[root@jason ~]# usermod -U jason
[root@jason ~]# tail /etc/shadow | grep jason
jason:$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[root@jason ~]#
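Added example (not part of the original notes) that encodes the shadow password-field states seen in the passwd and usermod experiments above: "!!" alone for a never-set password, an empty field after passwd -d, "!!" followed by a hash after passwd -l, and a single "!" followed by a hash after usermod -L (which is why usermod -U cannot undo a passwd -l). The SAMPLE_SHADOW lines and their hashes are constructed placeholders, and classify_shadow / shadow_state are names chosen here.

```shell
#!/bin/sh
# Constructed /etc/shadow-format sample; the hash strings are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$HASHPLACEHOLDER1:16959:0:99999:7:::
sshd:!!:16959::::::
test100:!!:16959:0:99999:7:::
nopass::16959:0:99999:7:::
jason:!!$6$saltsalt$HASHPLACEHOLDER2:16959:0:99999:7:::
bourn:!$6$saltsalt$HASHPLACEHOLDER3:16959:0:99999:7:::
old:$1$saltsalt$HASHPLACEHOLDER4:16959:0:99999:7:::'

# Reads shadow-format text from stdin and prints "<user> <state>" per line:
#   EMPTY           empty field (passwd -d): login with no password at all
#   NO-PASSWORD     "!!", "!" or "*" alone: no password was ever set
#   LOCKED-PASSWD   "!!" in front of a hash: locked with passwd -l
#   LOCKED-USERMOD  "!" in front of a hash: locked with usermod -L
#   SET             a $6$ (SHA-512) or $5$ (SHA-256) hash
#   WEAK-HASH       any other hash prefix (e.g. $1$ MD5)
classify_shadow() {
    awk -F: '{
        p = $2
        if (p == "")                                  s = "EMPTY"
        else if (p == "!!" || p == "!" || p == "*")   s = "NO-PASSWORD"
        else if (substr(p, 1, 2) == "!!")             s = "LOCKED-PASSWD"
        else if (substr(p, 1, 1) == "!")              s = "LOCKED-USERMOD"
        else if (substr(p, 1, 3) == "$6$" || substr(p, 1, 3) == "$5$") s = "SET"
        else                                          s = "WEAK-HASH"
        print $1 " " s
    }'
}

# State of one user from the sample, for scripted checks: shadow_state jason
shadow_state() {
    printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow | awk -v u="$1" '$1 == u { print $2 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

Run on the real file with classify_shadow < /etc/shadow (root only); EMPTY entries are the ones to act on first.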
Example: changing the shell:
[root@test1 ~]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
/bin/tcsh
/bin/csh
[root@test1 ~]# usermod -s /bin/dash test100
usermod: user 'test100' does not exist (the user test100 no longer exists at this point)
[root@test1 ~]# usermod -s /bin/dash test101
[root@test1 ~]#
[root@test1 ~]# taril -2 /etc/passwd
bash: taril: command not found
[root@test1 ~]# tail -2 /etc/passwd
jason:x:502:502::/home/jason:/bin/bash
test101:x:5200:5200::/home/test81:/bin/dash
[root@test1 ~]#
The tail output shows that test101's shell is now dash.
Deleting a user account: userdel
Format
- userdel [-r] USERNAME
[root@test1 etc]# userdel --help
Usage: userdel [options] LOGIN
Options:
-f, --force force removal of files,
even if not owned by user
-h, --help display this help message and exit
-r, --remove remove home directory and mail spool
-Z, --selinux-user remove SELinux user from SELinux user mapping
Example: delete, and delete with -r:
[root@test1 home]# ls
bourn jason teacher test test1 test2 test81
[root@test1 home]#
[root@test1 home]# userdel test1
[root@test1 home]# ls
bourn jason teacher test test1 test2 test81
[root@test1 home]# tail -5 /etc/passwd
test:x:500:500:test:/home/test:/bin/bash
bourn:x:501:501::/home/bourn:/bin/bash
jason:x:502:502::/home/jason:/bin/bash
test101:x:5200:5200::/home/test81:/bin/dash
test2:x:5202:5202::/home/test2:/bin/bash
[root@test1 home]#
[root@test1 home]# userdel -r test2
[root@test1 home]#
[root@test1 home]# ls
bourn jason teacher test test1 test81
[root@test1 home]# rm -rf test1
[root@test1 home]# ls
bourn jason teacher test test81
[root@test1 home]# tail -2 /etc/passwd
jason:x:502:502::/home/jason:/bin/bash
test101:x:5200:5200::/home/test81:/bin/dash
[root@test1 home]#
[root@test1 home]#
- -r deletes the user's home directory at the same time as the account
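Added example, not from the original notes: after "userdel test1" without -r the directory /home/test1 stayed behind, so this script lists directories under a home root that no passwd entry claims as its home. Such leftovers keep their old numeric UID, and a later account created with that UID inherits them. orphan_homes and demo_orphan_homes are names chosen here, and the fixture is a constructed copy of the notes' /home layout built in a temp directory.

```shell
#!/bin/sh
# Usage: orphan_homes HOME_ROOT < passwd_text
# Prints "ORPHAN <dir>" for each directory under HOME_ROOT that is not the
# home directory (field 6) of any account in the passwd-format input.
# Real use: orphan_homes /home < /etc/passwd
orphan_homes() {
    root=$1
    homes=$(awk -F: '{ print $6 }')      # one home path per line
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        found=0
        for h in $homes; do              # word-split on the newlines
            [ "$h" = "$d" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "ORPHAN $d"
    done
    return 0
}

# Constructed fixture mirroring the notes: test1 was deleted without -r,
# while test101 still owns /home/test81 (set with useradd -d earlier).
# Temp paths are rewritten to /home in the output for readability.
demo_orphan_homes() {
    tmp=$(mktemp -d)
    for d in bourn jason test test1 test81; do mkdir "$tmp/$d"; done
    printf '%s\n' \
        "test:x:500:500:test:$tmp/test:/bin/bash" \
        "bourn:x:501:501::$tmp/bourn:/bin/bash" \
        "jason:x:502:502::$tmp/jason:/bin/bash" \
        "test101:x:5200:5200::$tmp/test81:/bin/dash" |
        orphan_homes "$tmp" | sed "s|$tmp|/home|"
    rm -rf "$tmp"
}

demo_orphan_homes
```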