User Account Management
User Administration
User Account Management
Different Kinds of Users
The Shadow Password Suite
The /etc/passwd File
The /etc/group File
The /etc/shadow File
The /etc/gshadow File
The /etc/login.defs File
Command Line Tools
Adding Users Directly
vipw (vipw -s for /etc/shadow) opens the file in the editor with a lock held, so a concurrent useradd or passwd cannot corrupt the edit.
Add a user home directory.
Populate the user home directory (copy the files from /etc/skel and make the new user the owner).
Add Users to a Group Directly
vigr (for /etc/group)
vigr -s (for /etc/gshadow)
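The manual steps above (vipw, vipw -s, home directory, skel copy, vigr), as an added example that is not part of the original notes. It runs against a throw-away root in a temporary directory so the procedure can be tried without touching the real /etc; every path, name, UID, GID and skel file is constructed. What it does not reproduce is the lock that vipw and vigr hold while you edit: a plain redirect can race with a concurrent useradd or passwd, which is exactly why the real tools exist.

```shell
# Build a minimal etc/ and home/ under the fake root (constructed contents).
setup_fake_root() {
    root=$1
    mkdir -p "$root/etc/skel" "$root/home"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf 'root:!!:16982:0:99999:7:::\n' > "$root/etc/shadow"
    printf 'root:x:0:\nwheel:x:10:root\nproject:x:60001:\n' > "$root/etc/group"
    printf 'root:::\nwheel:::root\nproject:::\n' > "$root/etc/gshadow"
    printf '# constructed skel file\nalias rm="rm -i"\n' > "$root/etc/skel/.bashrc"
    chmod 600 "$root/etc/shadow" "$root/etc/gshadow"   # same mode as the real files
}

# add_user_direct ROOT NAME UID GID [SUPPLEMENTARY_GROUP]
add_user_direct() {
    root=$1 name=$2 uid=$3 gid=$4 extra=${5:-}
    home=/home/$name
    today=$(( $(date +%s) / 86400 ))   # days since 1970-01-01, the unit /etc/shadow uses

    # A second line for an existing name is ignored by lookups but confuses
    # audits, so refuse it instead of appending.
    if grep -q "^$name:" "$root/etc/passwd"; then
        echo "add_user_direct: $name already exists" >&2
        return 1
    fi

    # 1. The line you would type into vipw: "x" sends password lookups to shadow.
    printf '%s:x:%s:%s:%s:%s:/bin/bash\n' "$name" "$uid" "$gid" "$name" "$home" >> "$root/etc/passwd"
    # 2. The line you would type into vipw -s: "!!" is a locked, never-set
    #    password, so nobody can log in until "passwd NAME" is run.
    printf '%s:!!:%s:0:99999:7:::\n' "$name" "$today" >> "$root/etc/shadow"
    # 3. A private primary group, unless a group with that GID already exists.
    grep -q "^[^:]*:[^:]*:$gid:" "$root/etc/group" \
        || printf '%s:x:%s:\n' "$name" "$gid" >> "$root/etc/group"

    # 4. Create and populate the home directory from skel, owner-only access.
    mkdir -p "$root$home"
    cp -r "$root/etc/skel/." "$root$home/"
    chmod 700 "$root$home"
    # chown to a foreign UID needs root; run unprivileged, ownership is left alone.
    [ "$(id -u)" -eq 0 ] && chown -R "$uid:$gid" "$root$home"

    # 5. The edit you would make in vigr: append NAME to the group's member
    #    list, keeping the comma-separated format and skipping an existing member.
    if [ -n "$extra" ]; then
        awk -F: -v g="$extra" -v u="$name" 'BEGIN { OFS = ":" }
            $1 == g && index("," $4 ",", "," u ",") == 0 { $4 = ($4 == "") ? u : $4 "," u }
            { print }' "$root/etc/group" > "$root/etc/group.tmp" \
        && mv "$root/etc/group.tmp" "$root/etc/group"
    fi
}

# Lookups used to confirm the result.
user_home()     { awk -F: -v u="$2" '$1 == u { print $6 }' "$1/etc/passwd"; }
user_locked()   { awk -F: -v u="$2" '$1 == u { s = (substr($2, 1, 1) == "!") ? "yes" : "no"; print s }' "$1/etc/shadow"; }
group_members() { awk -F: -v g="$2" '$1 == g { print $4 }' "$1/etc/group"; }

# Demonstration against a temporary root.
demo=$(mktemp -d)
setup_fake_root "$demo"
add_user_direct "$demo" jason 1001 1001 project
add_user_direct "$demo" mike 1002 1002 project
echo "jason home:      $(user_home "$demo" jason)"
echo "jason locked:    $(user_locked "$demo" jason)"
echo "project members: $(group_members "$demo" project)"
rm -rf "$demo"
```

After running it, `user_locked` reports "yes" for the new user: the account exists but cannot be used until an administrator assigns a password, which is the state a directly added account should be left in.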
Add Users at the Command Line
useradd
Assign a Password
passwd username
Add or Delete a Group at the Command Line
# groupadd -g 60001 project
# groupdel project
Delete a User
userdel
By default, this command leaves the user's home directory in place, so administrators can hand the files to whoever has taken over the tasks of the deleted user. The files remain owned by the deleted UID, so if that UID is later assigned to a new account, the new account inherits them.
userdel -r username
also deletes the home directory, everything stored in it, and the user's mail spool.
Modify an Account
More User and Group Management Commands
usermod
Option | Purpose |
---|---|
-aG group1[,group2] | Appends to existing supplementary group memberships; separate multiple groups with a comma and no spaces. Without -a, the -G list replaces the existing memberships. |
-l newlogin | Changes the username to newlogin, without changing the home directory. |
-L | Locks a user's password (a "!" is prefixed to the hash in /etc/shadow). |
-U | Unlocks a user's password. |
chage
Option | Purpose |
---|---|
-d YYYY-MM-DD | Sets the date of the last password change; stored in /etc/shadow as the number of days since January 1, 1970. -d 0 forces a change at the next login. |
-E YYYY-MM-DD | Sets the date on which the account expires; stored in /etc/shadow as the number of days since January 1, 1970. -E -1 removes the expiration date. |
-I num | Locks the account num days after the password has expired; -1 disables the inactivity lock. |
-l | Lists all aging information for the account. |
-m num | Sets the minimum number of days a user must keep a password before changing it again. |
-M num | Sets the maximum number of days a user is allowed to keep a password; -1 removes that limit. |
-W num | Sets how many days before the password expires the user starts to receive a warning at login. |
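An added example, not from the original notes, that reads one /etc/shadow line and reports what the aging fields in the table above mean for the account today. It applies the comparisons the shadow suite makes at login (account expiry first, then the forced-change marker, then maximum age plus the inactivity window, then the warning period); "today" is passed in as days since 1970-01-01 so results are repeatable, and on a live system you would use `$(( $(date +%s) / 86400 ))`. The sample lines and the `$6$hash` placeholders are constructed.

```shell
# shadow_status 'SHADOW_LINE' TODAY_DAYS
# Prints one word: locked, expired, must-change, password-expired,
# inactive-locked, warn, or ok.
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # "!" prefix (usermod -L, passwd -l) or "*": no password can match.
        if (substr(hash, 1, 1) == "!" || hash == "*") { print "locked"; exit }
        # chage -E: whole-account expiry, checked before any password aging.
        if (expire != "" && today >= expire + 0) { print "expired"; exit }
        # chage -d 0: the user must change the password at the next login.
        if (last == "0") { print "must-change"; exit }
        # chage -M -1 empties the field; 99999 is the useradd default: no aging.
        if (max == "" || max + 0 >= 99999) { print "ok"; exit }
        left = last + max - today          # days until the password expires
        if (left < 0) {
            # chage -I: once the inactivity window has also passed, the
            # account is locked outright instead of prompting for a change.
            if (inact != "" && today > last + max + inact) { print "inactive-locked" } else { print "password-expired" }
            exit
        }
        # chage -W: warn when the remaining days fall below the warning period.
        if (warn != "" && left < warn + 0) { print "warn"; exit }
        print "ok"
    }'
}

# Demonstration on constructed lines, evaluated as of day 16995.
for line in 'jason:$6$hash:16982:0:99999:7:::' \
            'alice:$6$hash:16900:1:90:7:14::' \
            'bob:!$6$hash:16900:0:90:7:::' \
            'carol:$6$hash:16900:0:99999:7::16950:'; do
    printf '%-8s %s\n' "${line%%:*}" "$(shadow_status "$line" 16995)"
done
```

The line from this page's own su example (max 99999) reports "ok" whatever the date: password aging is effectively off for that account, which is the useradd default and worth checking with `chage -l` on every interactive account.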
Administrative Control
The Ability to Log In as root
/etc/securetty
[root@jason ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
The consoles listed in /etc/securetty are the only ones on which the root user is allowed to log in directly; the pam_securetty module, included by the login service, enforces the list. If every console were removed from this file, nobody could log in directly to the root account: administrators would have to log in to a regular account and use su or sudo for administration. The list only governs services that include pam_securetty; remote root login over SSH is controlled by the PermitRootLogin directive in /etc/ssh/sshd_config, not by this file.
/etc/init/start-ttys.conf
[root@jason ~]# vi /etc/init/start-ttys.conf
#
# This service starts the configured number of gettys.
#
# Do not edit this file directly. If you want to change the behaviour,
# please create a file start-ttys.override and put your changes there.
start on stopped rc RUNLEVEL=[2345]
env ACTIVE_CONSOLES=/dev/tty[1-6]
env X_TTY=/dev/tty1
task
script
. /etc/sysconfig/init
for tty in $(echo $ACTIVE_CONSOLES) ; do
[ "$RUNLEVEL" = "5" -a "$tty" = "$X_TTY" ] && continue
initctl start tty TTY=$tty
done
end script
/etc/sysconfig/init
[root@jason ~]# vi /etc/sysconfig/init
BOOTUP=color
# to something like "tput hpa ${RES_COL}" if your terminal supports it
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
# terminal sequence to set color to a 'success' color (currently: green)
SETCOLOR_SUCCESS="echo -en \\033[0;32m"
# terminal sequence to set color to a 'failure' color (currently: red)
SETCOLOR_FAILURE="echo -en \\033[0;31m"
# terminal sequence to set color to a 'warning' color (currently: yellow)
SETCOLOR_WARNING="echo -en \\033[0;33m"
# terminal sequence to reset to the default color.
SETCOLOR_NORMAL="echo -en \\033[0;39m"
# Set to anything other than 'no' to allow hotkey interactive startup...
PROMPT=yes
# Set to 'yes' to allow probing for devices with swap signatures
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[1-6]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sushell
The Ability to Log In
/etc/security/access.conf
# Login access control table.
#
# Comment line must start with "#", no space at front.
# Order of lines is important.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
# permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
#
# You can use @netgroupname in host or user patterns; this even works
# for @usergroup@@hostgroup patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
# To avoid problems with accounts, which have the same name as a group,
# you can use brackets around group names '(group)' to differentiate.
# In this case, you should also set the "nodefgroup" option.
#
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
# "/dev" (e.g. tty1 or vc/1)
#
##############################################################################
#
# Disallow non-root logins on tty1
#
#-:ALL EXCEPT root:tty1
Uncommenting the sample rule
-:ALL EXCEPT root:tty1
disallows (with the -) access to the first virtual console (tty1) for ALL users but root.
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
disallows access on the LOCAL system (any origin without a "." in it, such as a tty name) to all users except members of the wheel group and the shutdown and sync users.
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 127.0.0.1
These lines allow (with the +) the root user to access the system from three specific remote IP addresses and from the localhost address. Placed after them, the directive
- : ALL : ALL
denies access to all other users from all other local or remote systems.
Two things to check before enabling a set like this. First, the table is scanned top to bottom and the first matching entry decides, so the "- : ALL : ALL" catch-all denies every user that no earlier "+" line has granted, wheel members on the local console included: the second rule only says who is not denied locally, it grants nothing, so a "+ : (wheel) : LOCAL" line is needed ahead of the catch-all if those users are meant to keep logging in. Second, the file has no effect until pam_access.so is in the PAM stack (on RHEL 6, authconfig --enablepamaccess adds it), so enable it with a second session already open in case the rules lock you out.
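An added example, not from the original notes: a first-match evaluator for access.conf rules, so a rule set can be checked for lock-outs before pam_access is switched on. It covers the syntax used above (+ and -, ALL, EXCEPT, (group), LOCAL, tty names, IP addresses, network prefixes ending in "." and domains starting with ".") and nothing more; the fieldsep option, netgroups and nodefgroup are not handled. The users, groups, origins and the three rule files are constructed for the demonstration.

```shell
# Caller context for the matchers: user name, the user's groups, the origin.
U= G= O=

# match_users 'TOKENS': ALL, a login name, a group name, or (group).
match_users() {
    for tok in $1; do
        case $tok in
            ALL) return 0 ;;
            "("*")") g=${tok#?}; g=${g%?}          # (group): group names only
                     for ug in $G; do [ "$ug" = "$g" ] && return 0; done ;;
            *)  [ "$tok" = "$U" ] && return 0      # bare name: user, then groups
                for ug in $G; do [ "$ug" = "$tok" ] && return 0; done ;;
        esac
    done
    return 1
}

# match_origin 'TOKENS': ALL, NONE, LOCAL, tty or host/IP, .domain, network.
match_origin() {
    for tok in $1; do
        case $tok in
            ALL)   return 0 ;;
            NONE)  ;;
            LOCAL) case $O in *.*) ;; *) return 0 ;; esac ;;   # no "." in origin
            .*)    case $O in *"$tok") return 0 ;; esac ;;     # domain suffix
            *.)    case $O in "$tok"*) return 0 ;; esac ;;     # network prefix
            *)     [ "$tok" = "$O" ] && return 0 ;;
        esac
    done
    return 1
}

# field_matches MATCHER 'FIELD': "A EXCEPT B" matches when A does and B does not.
field_matches() {
    case $2 in
        *" EXCEPT "*) inc=${2%% EXCEPT *}; exc=${2#* EXCEPT }
                      "$1" "$inc" && ! "$1" "$exc" ;;
        *)            "$1" "$2" ;;
    esac
}

# pam_access_check RULEFILE USER 'GROUPS' ORIGIN
# Prints the permission of the first matching rule. With no matching rule
# pam_access grants access, so "+" is printed. Returns 0 when access is granted.
pam_access_check() {
    U=$2 G=$3 O=$4
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        perm=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' \t')
        users=$(printf '%s\n' "$line" | cut -d: -f2)
        origins=$(printf '%s\n' "$line" | cut -d: -f3)
        if field_matches match_users "$users" && field_matches match_origin "$origins"; then
            printf '%s\n' "$perm"
            [ "$perm" = "+" ] && return 0
            return 1
        fi
    done < "$1"
    printf '+\n'
    return 0
}

# write_sample_rules DIR: three constructed rule files.
write_sample_rules() {
    # The five rules discussed above, in the order given.
    cat > "$1/full.conf" <<'EOF'
# constructed access.conf: first match wins
- : ALL EXCEPT root : tty1
- : ALL EXCEPT (wheel) shutdown sync : LOCAL
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 127.0.0.1
- : ALL : ALL
EOF
    # The same intent with an explicit grant for wheel ahead of the catch-all.
    cat > "$1/fixed.conf" <<'EOF'
- : ALL EXCEPT root : tty1
+ : (wheel) : LOCAL
+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 127.0.0.1
- : ALL : ALL
EOF
    # Only the tty1 rule: shows the default when nothing matches.
    printf -- '- : ALL EXCEPT root : tty1\n' > "$1/tty1only.conf"
}

# Demonstration: a wheel member on a local console under each rule set.
d=$(mktemp -d); write_sample_rules "$d"
for f in full fixed tty1only; do
    printf '%-9s alice(wheel)@tty2 -> %s\n' "$f" "$(pam_access_check "$d/$f.conf" alice 'alice wheel' tty2)"
done
rm -rf "$d"
```

With the five rules as written, `full.conf`, a wheel member on tty2 (and root on tty1) ends at the "- : ALL : ALL" line and is denied; `fixed.conf` adds the grant that the second rule only implied. On a real host the group list comes from `id -Gn USER` and the origin is the tty name or the connecting host/IP that the service passed to PAM.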
The Proper Use of the su Command
su - username
starts a login shell as username (root when the name is omitted) with that user's own environment; without the dash the caller's environment, PATH included, is kept, which is why the dash form is preferred for administration.
su -c 'command'
runs a single command as root and returns, after prompting for the root password:
[jason@jason root]$ su -c '/usr/bin/tail -1 /etc/shadow'
Password:
jason:$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[jason@jason root]$
Limit Access to su
Membership in the wheel group (GID 10, root being the only default member) is what the su PAM stack below checks:
wheel:x:10:root
/etc/pam.d/su
[root@jason ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
... (remaining lines omitted)
The Proper Use of the sg Command
$ sg project -c 'cp important.doc /home/project'
sg runs one command with the named group as the effective group (members of the group are not prompted; others must know the group password, if one is set), so the copied file is group-owned by project without changing the user's primary group.
Custom Administrators with the sudo Command
To access /etc/sudoers in the vi editor, run the visudo command; it locks the file and checks the syntax before saving, so a typo cannot leave sudo unusable.
/etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
visudo
root ALL=(ALL) ALL
allows the root user to run any command, on any host, as any user. The directive
%wheel ALL=(ALL) NOPASSWD: ALL
would allow all users who are members of the wheel group to run administrative commands without a password. That is convenient, but it means anyone who obtains a wheel member's shell, through a stolen session or a compromised SSH key, is root immediately; leaving NOPASSWD out keeps the user's own password as a second check. If you want to allow users who are members of the users group only to shut down the local system, activate the following directive:
%users localhost=/sbin/shutdown -h now
In /etc/sudoers, as in many other Linux configuration files, the % sign in front of a name specifies a group. Even though the users group has a GID of 100, it's acceptable to make regular users members of that group.
Other Administrative Users
Some services keep their own list of administrators. For printing, the SystemGroup directive in /etc/cups/cupsd.conf names the groups whose members may administer CUPS.
User and Shell Configuration
Home Directories and /etc/skel
Home Directory
/etc/skel
File | Purpose |
---|---|
.bashrc | This basic bash configuration file may include a reference to the general /etc/bashrc configuration file. Can include commands to run when the bash shell is started. One example is an alias such as rm='rm -i'. |
.bash_logout | This file is executed when you exit a bash shell and can include commands appropriate for this purpose, such as commands for clearing a screen. |
.bash_profile | Configures the bash startup environment. Appropriate place to add environment variables or modify the directories in your user account PATH. |
.gnome2/ | Includes settings for the GNOME Desktop Environment. |
.kde/ | Specifies settings for the K Desktop Environment. Not added to /etc/skel and not copied to user home directories if KDE is not installed. |
.mozilla/ | Includes options associated with the Firefox web browser, developed by the Mozilla project. |
/etc/bashrc
/etc/profile
The /etc/profile file is read by every login shell and sets the system-wide environment (PATH, umask and similar startup settings); /etc/bashrc is read by every interactive bash shell, through the reference in ~/.bashrc, and holds system-wide aliases and functions. Both run before the per-user files in the home directory, so a user can override their settings but not skip them.