Linux User Management

Catalog

Users and Groups

User account

User's Home Directory

Group Account

What happens behind creating users?

Exercise: extract the seventh field and count the distinct login shells

useradd command

userdel -r username: remove the user together with the home directory and mail spool

usermod command

Practice

passwd command

group related commands

SELinux (Security-Enhanced Linux)

Directories and files about users and groups

passwd and shadow

Group related files

/etc/skel

User Default Property Settings File

Linux password hashing

Expand

who

The difference between su and su -

vsftpd service and local users

FTP: File Transfer Protocol

How can 10,000 machines be managed?

Practice

Users and Groups

User: the identity a person (or a service) logs on as

Group: a named set of users

User --joins group--> inherits the group's permissions

Several accounts can belong to one group, and one user can belong to several groups

Why have users and groups?

1. Security

2. Rights Management

3. Resource control: access, reading and execution of files

So that access to the resources on a Linux system can be controlled: who may access each resource and who may not.

User account

     
  [root@kafka01 usergroup]# id root
  uid=0(root) gid=0(root) groups=0(root)

UID: the numeric ID of a user; unique

GID: the numeric ID of a group; unique

Superuser root: UID 0, unrestricted privileges. The kernel only looks at the number, not the name: any account whose UID field is 0 is a superuser, whatever it is called (see question 8 in the Practice section at the end).

System (program) users: UID 1-999, used by services such as mysql; they normally have no login shell

Normal users: UID 1000 and above (UID_MIN in /etc/login.defs); useradd hands these out in sequence

User's Home Directory

By default, a directory with the same name as the user is created under /home when the user is created (its initial contents come from /etc/skel, see below)

The range comes from /etc/login.defs:

UID_MIN                  1000   # lowest UID for normal users
UID_MAX                 60000   # highest UID for normal users

Exercise: find the usernames with a UID greater than or equal to 1000 in /etc/passwd

  [root@kafka01 sc3]# awk -F: '$3>=1000{print $1,$3}' /etc/passwd

(There must be a space between -F: and the quoted program; without it awk treats the whole string as the field separator and has no program to run.)

Group Account

Primary group (private group)

The user's default group, recorded as the GID in the fourth field of /etc/passwd; new files the user creates get this group

Secondary (supplementary) groups

Any other groups the user belongs to, recorded by listing the user in the fourth field (the member list) of the matching lines in /etc/group

The primary group's name is resolved from the GID through /etc/group, so the group must exist there

     
  [root@kafka01 usergroup]# useradd chaochao
  [root@kafka01 usergroup]# id chaochao
  uid=1001(chaochao) gid=1001(chaochao) groups=1001(chaochao)
  [root@kafka01 usergroup]# useradd sc1
  [root@kafka01 usergroup]# id sc1
  uid=1002(sc1) gid=1002(sc1) groups=1002(sc1)

What happens behind creating users?

/etc/passwd records the user accounts; it is consulted at login to map a name to a UID, home directory and shell

One line per user

  [root@kafka01 usergroup]# tail -3 /etc/passwd
  mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
  chaochao:x:1001:1001::/home/chaochao:/bin/bash
  sc1:x:1002:1002::/home/sc1:/bin/bash

Fields are separated by :

Field 1: user name

Field 2: password placeholder; "x" means the hash lives in /etc/shadow (an empty field here would mean no password at all)

Field 3: UID, unique; useradd gives each new normal user the next number after the highest one already in use

Field 4: GID of the primary group; by default useradd creates a group with the same name as the user and makes it the primary group, -g overrides this

Field 5: description (GECOS), empty by default, set with -c

Field 6: home directory, set with -d

Field 7: login shell, set with -s

Exercise: extract the seventh field (the login shell) and count the distinct values

sort groups identical lines together, then uniq collapses the duplicates (uniq only removes repeats that are adjacent, which is why the sort comes first; uniq -c would also print how many times each shell occurs)

  [root@kafka01 usergroup]# awk -F: '{print $7}' /etc/passwd | sort | uniq
  /bin/bash       # normal interactive shell
  /bin/false      # exits immediately: login denied silently
  /bin/sync       # used by the legacy "sync" account: flush caches to disk and exit
  /sbin/halt      # used by the legacy "halt" account
  /sbin/nologin   # login denied, prints "This account is currently not available."
  /sbin/shutdown  # used by the legacy "shutdown" account
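Added example, not from the original notes: a small Python audit of the seven passwd fields, run over a constructed sample modelled on the listings above. It reproduces the shell count from the exercise and flags the entries a reviewer looks for in this file: a second UID 0 account (the trick from question 8 in the Practice section), a UID shared by two names, an empty password field, a hash kept in passwd instead of shadow, and a system account with an interactive shell. The "toor" and "legacy" lines are invented for the demonstration; everything else mirrors the page.

```python
"""Parse /etc/passwd and report the entries an auditor looks for.

Added example; the sample below is constructed to resemble the listings
on this page. Run it against the real file with:
    audit(parse_passwd(open("/etc/passwd").read()))
"""
from collections import Counter, namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Shells that deny an interactive login, plus the single-purpose shells
# used by the legacy sync/halt/shutdown accounts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}
UID_MIN = 1000  # UID_MIN from /etc/login.defs on the page's CentOS host

# Constructed sample. The last two lines are deliberately wrong:
# "toor" is a second UID 0 account, "legacy" has an empty password
# field and reuses sc1's UID.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
chaochao:x:1001:1001::/home/chaochao:/bin/bash
sc1:x:1002:1002::/home/sc1:/bin/bash
sc3:x:1063:1063::/home/sc3:/sbin/nologin
toor:x:0:0::/root:/bin/bash
legacy::1002:1002::/home/legacy:/bin/bash
"""


def parse_passwd(text):
    """Split each line on ':' into the seven passwd fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def shell_histogram(entries):
    """Same result as: awk -F: '{print $7}' /etc/passwd | sort | uniq -c"""
    return dict(Counter(e.shell for e in entries))


def audit(entries, uid_min=UID_MIN):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append("%s: UID 0 -- a second superuser account" % e.name)
        if e.passwd == "":
            findings.append("%s: empty password field -- login without a password" % e.name)
        elif e.passwd != "x":
            findings.append("%s: hash kept in world-readable /etc/passwd instead of /etc/shadow" % e.name)
        if 0 < e.uid < uid_min and e.shell not in NOLOGIN_SHELLS:
            findings.append("%s: system account with interactive shell %s" % (e.name, e.shell))
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append("UID %d shared by %s -- the same identity to the kernel"
                            % (uid, ", ".join(names)))
    return findings


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for shell, n in sorted(shell_histogram(entries).items()):
        print("%3d %s" % (n, shell))
    for finding in audit(entries):
        print("FINDING:", finding)
```

On the sample the audit reports four findings (toor's UID 0, legacy's empty password, and the two shared UIDs); a clean file yields an empty list, which makes the function usable as a check in a hardening script.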

useradd command

Format: useradd [options]... username

Common Command Options

-u: specify the UID

-d: specify the home directory; the default is /home/<username>

-e: specify the account expiration date (YYYY-MM-DD)

-g: the primary group of the new user (name or GID); the group must already exist

-G: supplementary groups of the new user (names or GIDs, comma-separated)

-M: do not create or initialise a home directory

-s: the login shell of the new user

-c: description (comment) text

-r: create a system account: UID from the system range, no home directory, no password ageing

-s Specify the login shell

     
  [root@sc usergroup]# useradd -s /sbin/nologin sc3      # login shell that refuses logins
  [root@sc usergroup]# tail -1 /etc/passwd
  sc3:x:1063:1063::/home/sc3:/sbin/nologin
  [root@sc usergroup]# echo 123456|passwd sc3 --stdin      # set the password from stdin
  Changing password for user sc3.
  passwd: all authentication tokens updated successfully.

A password typed on the command line like this is recorded in the shell history file; type it into passwd sc3 interactively, or feed it from a file, when that matters.

Remote login over ssh (from Xshell or any other ssh client)

Log on to the host as sc3:

  [root@sc usergroup]# ssh sc3@192.168.0.204 -p 2233
  The authenticity of host '[192.168.0.204]:2233 ([192.168.0.204]:2233)' can't be established.
  ECDSA key fingerprint is SHA256:JccgoJ9N7Tel3N/Zehpgraddu8nLaQUlepsJrQNX34c.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  Warning: Permanently added '[192.168.0.204]:2233' (ECDSA) to the list of known hosts.
  sc3@192.168.0.204's password:
  Connection closed by 192.168.0.204 port 2233
  [root@sc usergroup]# su - sc3
  This account is currently not available.

The password was accepted; it is the shell /sbin/nologin that prints the message and exits, so the session is closed immediately after authentication.

-s /bin/false: deny the login the same way, silently

  [root@sc usergroup]# useradd -s /bin/false sc4
  [root@sc usergroup]# echo 123456|passwd sc4 --stdin
  passwd: all authentication tokens updated successfully.
  [root@sc usergroup]# su - sc4
  [root@sc usergroup]# ssh sc4@192.168.0.204 -p 2233
  sc4@192.168.0.204's password:
  Last login: Tue Aug  3 11:23:46 2021
  Connection to 192.168.0.204 closed.

/bin/false exits with status 1 without printing anything, whereas /sbin/nologin prints its message (or the contents of /etc/nologin.txt). Either one only prevents an interactive shell: the password itself stays valid, and services that authenticate the account through PAM without starting a shell may still accept it. To disable an account, lock the password (usermod -L) or expire it (usermod -e) as well.

-c Specify description information

  [root@sc ~]# useradd -c "this is sc5" sc5
  [root@sc ~]# tail -1 /etc/passwd
  sc5:x:1065:1065:this is sc5:/home/sc5:/bin/bash

-d Specify home directory

  [root@sc ~]# useradd -d /tmp/sc6 sc6
  [root@sc ~]# tail -1 /etc/passwd
  sc6:x:1066:1066::/tmp/sc6:/bin/bash
  [root@sc ~]# su - sc6
  [sc6@sc ~]$ pwd
  /tmp/sc6

A home directory under /tmp is only a demonstration: the tmp cleaner may remove it, and with SELinux enforcing a home outside /home is labelled after its parent directory rather than as a home directory, which breaks things such as key-based ssh login (see the SELinux section below).

-g Specify group

  [root@sc ~]# useradd -g sc1 sc7
  [root@sc ~]# id sc7
  uid=1067(sc7) gid=1061(sc1) groups=1061(sc1)
  [root@sc ~]# tail -1 /etc/passwd
  sc7:x:1067:1061::/home/sc7:/bin/bash

-u / --uid Specify the UID of the new user

  # -u is the short option, --uid the long one
  [root@sc ~]# useradd --uid 2000 sc8
  [root@sc ~]# tail -1 /etc/passwd
  sc8:x:2000:2000::/home/sc8:/bin/bash

-M Do not create or initialise a home directory for the user

  [root@kafka01 home]# useradd -M sc4
  [root@kafka01 home]# cd /home
  [root@kafka01 home]# ls
  admin  chaochao  sc1  sc2  sc3
  [root@kafka01 home]# tail -1 /etc/passwd
  sc4:x:1005:1005::/home/sc4:/bin/bash

The passwd entry still names /home/sc4 even though nothing was created; a login as sc4 will complain that the home directory does not exist and fall back to /.

-e: Specify the account expiration date

  [root@kafka01 usergroup]# useradd -e "2021-07-01" sc5
  [root@kafka01 usergroup]# su - sc5
  # set a password for sc5
  [root@kafka01 ~]# passwd sc5
  Changing password for user sc5.
  New password:
  BAD PASSWORD: The password is shorter than 8 characters
  Retype new password:
  passwd: all authentication tokens updated successfully.
  # connect as sc5 over ssh
  [root@kafka01 ~]# ssh sc5@172.26.41.201
  The authenticity of host '172.26.41.201 (172.26.41.201)' can't be established.
  ECDSA key fingerprint is SHA256:BVYuFBUnGylWL8m6WdJS/lO2N4DpkA8l4AGQsx0L6lw.
  ECDSA key fingerprint is MD5:f5:3c:e3:98:ed:dd:d8:66:44:3e:41:e5:e9:d4:5f:2d.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '172.26.41.201' (ECDSA) to the list of known hosts.
  sc5@172.26.41.201's password:
  Your account has expired; please contact your system administrator
  Authentication failed.

The expiry date is stored in field 8 of /etc/shadow as a number of days since 1970-01-01 and is checked by PAM for every login method, ssh keys included, which is why the password is accepted but the session is still refused. This makes an expiry date in the past the reliable way to disable an account.

-g and -G

-g: primary group of the new user (name or GID)

-G: supplementary groups of the new user (names or GIDs)

  [root@kafka01 ~]# useradd -g sc4 -G sc3,sc5 sc6
  [root@kafka01 ~]# id sc6
  uid=1007(sc6) gid=1005(sc4) groups=1005(sc4),1004(sc3),1006(sc5)
  [root@kafka01 ~]# less /etc/group
  sc1:x:1002:
  sc2:x:1003:
  sc3:x:1004:sc6
  sc4:x:1005:
  sc5:x:1006:sc6

sc6 appears in the member list of sc3 and sc5 (its supplementary groups) but not of sc4: primary-group membership is recorded only in /etc/passwd.

userdel -r username: remove the user together with the home directory and mail spool

  [root@kafka01 usergroup]# cd /home
  [root@kafka01 home]# ls
  admin  chaochao  sc1  sc2  sc3  sc5  sc6
  [root@kafka01 home]# userdel -r sc6
  [root@kafka01 home]# ls
  admin  chaochao  sc1  sc2  sc3  sc5

Without -r the home directory is left behind. Either way, files the user owned elsewhere on the system keep the old numeric UID, and a later account that is given that UID silently becomes their owner; find / -nouser locates them so they can be reassigned or removed.

usermod command

Format: usermod [options]... username

Common command options

-l: change the login name of the account

  [root@kafka01 home]# usermod -l sanchuang03 sc3
  [root@kafka01 home]# ls
  admin  chaochao  sc1  sc2  sc3  sc5
  [root@kafka01 home]# tail -1 /etc/passwd
  sanchuang03:x:1004:1004::/home/sc3:/bin/bash

Only the name changes: the UID and the home directory /home/sc3 stay as they were. Add -d /home/sanchuang03 -m to move the home directory along with the rename.

-L: lock the user account

  [root@kafka01 home]# usermod -L sc3
  sc3:!!:18842:0:99999:7:::
  # locking puts a ! in front of the password hash in /etc/shadow
  # no password can hash to a string starting with !, so password logins fail

A locked password is not a disabled account: ssh public keys, and any other authentication that does not use the password, keep working. To disable the account, also set an expiry date in the past (usermod -e) or a nologin shell.

-U: unlock the user account

  [root@kafka01 home]# usermod -p 123456 sc3
  [root@kafka01 home]# usermod -U sc3
  [root@kafka01 home]# less /etc/shadow
  sc3:123456:18843:0:99999:7:::

Note the mistake in this listing: usermod -p expects an already hashed password (the $6$salt$hash string) and writes its argument into /etc/shadow verbatim. The literal 123456 matches no possible hash, so sc3 still cannot log in, and the intended password is now readable by anyone who can read /etc/shadow or the shell history. Use passwd sc3 instead, or generate the hash first (for example with openssl passwd -6).

The following options have the same meaning as the useradd command

 -u,-d,-e,-g,-G,-s

Practice

1. Write a script that creates the users sanchuang01 to sanchuang25

2. Write a script that deletes sanchuang01 to sanchuang25: delete the ones that exist, and report the ones that do not

Create:

Method one

  [root@kafka01 usergroup]# cat sanchuang.sh
  #!/bin/bash
  # create sanchuang01..sanchuang25, skipping names that already exist

  for i in $(seq -w 1 25)
  do
      if id "sanchuang$i" &>/dev/null
      then
          echo "sanchuang$i already exists"
      else
          useradd "sanchuang$i"
          echo "sanchuang$i created successfully"
      fi
  done

Method two (the same check as a one-liner inside the loop)

  #!/bin/bash
  for i in $(seq -w 1 25)
  do
      id "sanchuang$i" &>/dev/null && echo "user sanchuang$i already exists" || useradd "sanchuang$i"
  done

Delete:

  #!/bin/bash
  # userdel -r also removes the home directory and mail spool

  for i in $(seq -w 1 25)
  do
      if id "sanchuang$i" &>/dev/null
      then
          userdel -r "sanchuang$i" && echo "sanchuang$i deleted"
      else
          echo "sanchuang$i does not exist"
      fi
  done

(The original delete loop had a single & before echo, which would have sent userdel to the background and printed "deleted" regardless of the outcome; a space inside sanchuang $i would also have split the name into two arguments.)

passwd command

Format: passwd [options]... username

Common Command Options

-d: delete the user's password (empty password field); the user can then log in or be switched to without one, so use this with care

-l: lock the account's password

-S: show the status of the account's password (LK locked, PS set, NP none)

-u: unlock the account's password

--stdin: read the new password from standard input so it can be piped in from another command (a Red Hat extension; Debian-based systems use chpasswd instead)

root can set any user's password, and the complexity rules are not enforced

Ordinary users can only change their own password and must satisfy the complexity rules (pam_pwquality)

[root@mysql-binary mail]# passwd sanchuang2

Change the password of user sanchuang2.

New password:

Invalid password: password less than 8 characters

Re-enter the new password:

passwd: All authentication tokens have been successfully updated.

[root@mysql-binary mail]# passwd -l sanchuang2

Lock the password for user sanchuang2.

passwd: Operation successful

# both usermod -L and passwd -l alter the hash field in /etc/shadow so that no password can match it; the account then counts as locked

# usermod -L prepends one "!"

# passwd -l prepends "!!" (as observed on this Red Hat system)

# either prefix only disables the password: an ssh key still logs in unless the account is also expired (usermod -e) or given a nologin shell

group related commands

groupadd: create a group

groupdel: delete a group (refused while the group is still any user's primary group)

[root@kafka01 ~]# groupadd -g 20001 g1

[root@kafka01 ~]# less /etc/group

[root@kafka01 ~]# tail -1 /etc/group

g1:x:20001:

[root@kafka01 ~]# groupdel g1

[root@kafka01 ~]# tail -1 /etc/group

sanchaung09:x:1036:

groupadd command

Format: groupadd [-g GID] groupname

groupdel command

Format: groupdel group account name

[root@mysql-binary ~]# groupadd -g 5000 sanle

[root@mysql-binary ~]# less /etc/group

[root@mysql-binary ~]# groupdel sanle

[root@mysql-binary ~]# less /etc/group

groupmod command

Purpose: Set group name and group id

Format: groupmod [options]... group account name

Common Command Options

-n: modify the group name

-g: modify group id

SELinux (Security-Enhanced Linux)

# a mandatory access control layer in the Linux kernel; RHEL/CentOS ship it enabled

# it comes with a large default policy

# for example, the policy labels home directories under /home; a home created elsewhere (the -d /tmp/sc6 example above) is labelled after its parent directory, and some things, such as key-based ssh login, then fail

# SELINUXTYPE= can take one of three values:

#     targeted - Targeted processes are protected,

#     minimum - Modification of targeted policy. Only selected processes are protected.

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

# "when the water is too clear there are no fish": turn a blind eye, i.e. leave SELinux off

The original notes recommend turning SELinux off because the rules are large and cumbersome. A safer habit is to switch to permissive mode (everything is allowed, but each denial is logged to /var/log/audit/audit.log) while troubleshooting and decide from the log whether a rule is at fault; once a system has booted with SELINUX=disabled, files created in the meantime are unlabelled and a later return to enforcing needs a full relabel (touch /.autorelabel).

Turn off temporarily (until the next reboot)

  [sc6@sc ~]$ getenforce    # show the current mode: Enforcing, Permissive or Disabled
  Disabled
  [sc6@sc ~]$ setenforce 0  # 0 = Permissive (log only), 1 = Enforcing; requires root
  setenforce: SELinux is disabled

The error here is expected: SELinux was already disabled in this host's configuration, and setenforce can only switch between enforcing and permissive while SELinux is enabled.

Turn off permanently

  [root@sc ~]# vim /etc/selinux/config
  SELINUX=disabled        # or SELINUX=permissive to keep the logging

Takes effect after the server is rebooted

Directories and files about users and groups

passwd and shadow

/etc/passwd stores the user accounts (world-readable)

/etc/shadow stores the password hashes and ageing information (readable only by root, and on some distributions the shadow group)

Two backup files written before each change: /etc/passwd- and /etc/shadow-; they hold the previous contents, hashes included, so treat them like the originals

Group related files

/etc/group stores the groups and their member lists

/etc/gshadow stores group passwords and group administrators

/etc/group- and /etc/gshadow- are their backup files

/etc/skel

Everything in /etc/skel is copied into the home directory of each new user (unless -M was given)

-rw-r--r--.  1 root root   18 Oct 31  2018 .bash_logout

-rw-r--r--.  1 root root  193 Oct 31  2018 .bash_profile

-rw-r--r--.  1 root root  231 Oct 31  2018 .bashrc

These three files are shell scripts that bash runs at particular moments

.bash_logout runs each time the user logs out

.bash_profile runs each time the user logs in (login shell); it sets up the personal environment and normally sources .bashrc

.bashrc runs for every new interactive shell the user opens

Because they live in the home directory they apply to that user only (system-wide settings belong in /etc/profile and /etc/bashrc)

Commonly used for personalisation. Since whatever is placed in /etc/skel ends up running in every new user's shells, keep the directory owned by root and writable by root only.

     
  [sc1@kafka01 ~]$ ls -al
  total 24
  drwx------  2 sc1  sc1  4096 Aug  4 16:49 .
  drwxr-xr-x. 8 root root 4096 Aug  4 16:23 ..
  -rw-------  1 sc1  sc1    44 Aug  5 09:57 .bash_history
  -rw-r--r--  1 sc1  sc1    18 Oct 31  2018 .bash_logout
  -rw-r--r--  1 sc1  sc1   193 Oct 31  2018 .bash_profile
  -rw-r--r--  1 sc1  sc1   231 Oct 31  2018 .bashrc

.bash_history records the commands used in earlier sessions; it is written when the shell exits (which is why a password passed on the command line ends up in it)

User Default Property Settings File

/etc/login.defs

Default settings applied when an account is created

Sets the UID and GID ranges for normal users, the password ageing defaults, and so on

/etc/login.defs

PASS_MAX_DAYS   99999   # days a password stays valid; 99999 means it never expires
PASS_MIN_DAYS   0       # minimum days between password changes
PASS_MIN_LEN    5       # minimum length (on PAM systems the pam_pwquality rules take precedence)
PASS_WARN_AGE   7       # days of warning before expiry

These values are copied into /etc/shadow fields 4 to 6 when a user is created; changing the file does not affect existing accounts, use chage for those.

Linux password hashing

The password hashes use the SHA-512 crypt scheme ($6$) by default on this system (newer distributions default to yescrypt, $y$)

Hash function: maps input of any length to a fixed-length output, the hash value

It is one-way: the password cannot be recovered from the hash, so this is hashing rather than encryption

Hash algorithms: md5, sha1, sha2 (sha256, sha512)

less /etc/shadow

sc2:$6$hd8RxF9i$PpBk2kB7HVmllk8tODKgpQhVekIBWuxnSiS7LP1FxIb2Gsm8jIHb4HJebikz8WYuiJwJ9k2GRjI/dfQvUZ6p30:18842:0:99999:7:::

Split on $, the password field has three parts:

First part, 6: the algorithm id, here sha512-crypt (1 = md5-crypt, 5 = sha256-crypt, y = yescrypt)

Second part: the salt, random per user, so two users with the same password get different hashes

Third part: the hash value

Password field: $algorithm id$salt$hash (a rounds=N part can appear after the id when the iteration count is not the default)

The hashing is done by the crypt(3) function of the C library (libcrypt / libxcrypt), not by the kernel. Given the same password and the same salt it reproduces the stored value, which is how a login is verified:

>>> import crypt
>>> crypt.crypt("123456", "$6$hd8RxF9i")
'$6$hd8RxF9i$PpBk2kB7HVmllk8tODKgpQhVekIBWuxnSiS7LP1FxIb2Gsm8jIHb4HJebikz8WYuiJwJ9k2GRjI/dfQvUZ6p30'
>>>

(The Python crypt module wraps that C function; it was deprecated in Python 3.11 and removed in 3.13.)
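Added example, not from the original notes: a Python decoder for the /etc/shadow line, covering both the hash format described here and the lock states from the usermod -L / passwd -l section above. It splits the password field into algorithm id, optional parameters, salt and hash, recognises the "!" lock prefix, the "!!" and "*" no-password markers, an empty field, and a value that is not a crypt hash at all (the usermod -p 123456 mistake), and converts the day counts in fields 3 and 8 to dates. The sample reuses the sc2 hash from the page; the other lines are invented to show each state.

```python
"""Decode the password and ageing fields of /etc/shadow.

Added example; the sample below is constructed around the sc2 hash shown
on this page plus invented entries for the other states. Run it against
the real file as root with: parse_shadow(open("/etc/shadow").read())
"""
from datetime import date, timedelta
from typing import NamedTuple, Optional, Tuple

EPOCH = date(1970, 1, 1)  # shadow dates are day counts since this date
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


class ShadowEntry(NamedTuple):
    name: str
    status: str                 # hashed | locked | no-password | empty | invalid | malformed
    algorithm: Optional[str]    # from the $id$ prefix
    params: Tuple[str, ...]     # e.g. ("rounds=10000",) or yescrypt's ("j9T",)
    salt: Optional[str]
    last_change: Optional[date]
    max_days: Optional[int]
    expires: Optional[date]


def days_to_date(field: str) -> Optional[date]:
    """Fields 3 and 8 hold days since 1970-01-01; an empty field means unset."""
    return None if field == "" else EPOCH + timedelta(days=int(field))


def classify_password(field: str):
    """Return (status, algorithm, params, salt) for the second shadow field."""
    if field == "":
        return "empty", None, (), None            # no password needed to log in
    body = field.lstrip("!")
    locked = body != field                          # usermod -L / passwd -l prefix
    if body in ("", "*"):
        return "no-password", None, (), None        # "!!" or "*": never had a password
    if not body.startswith("$"):
        # a literal string such as the 123456 written by 'usermod -p 123456':
        # crypt() can never produce it, so no password will ever match
        return ("locked" if locked else "invalid"), None, (), None
    parts = body.split("$")[1:]                     # id, [params...], salt, hash
    if len(parts) < 3 or "" in parts:
        return "malformed", None, (), None
    algorithm = HASH_IDS.get(parts[0], "unknown(%s)" % parts[0])
    return ("locked" if locked else "hashed"), algorithm, tuple(parts[1:-2]), parts[-2]


def parse_shadow(text: str):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError("expected 9 fields: %r" % line)
        status, algorithm, params, salt = classify_password(f[1])
        entries.append(ShadowEntry(
            name=f[0], status=status, algorithm=algorithm, params=params, salt=salt,
            last_change=days_to_date(f[2]),
            max_days=None if f[4] == "" else int(f[4]),
            expires=days_to_date(f[7]),
        ))
    return entries


def review(entries, today: date):
    """Flag the states that decide whether an account can still be used."""
    findings = []
    for e in entries:
        if e.status == "empty":
            findings.append("%s: no password required" % e.name)
        elif e.status == "invalid":
            findings.append("%s: password field is not a crypt hash (plaintext via usermod -p?)" % e.name)
        elif e.status == "hashed" and e.algorithm == "md5crypt":
            findings.append("%s: weak md5crypt hash, re-hash at the next password change" % e.name)
        if e.expires is not None and e.expires <= today:
            findings.append("%s: account expired on %s" % (e.name, e.expires))
    return findings


# Constructed sample: sc2 is the hash from the page, sc3 is the same hash
# after usermod -L, sc5 has an expiry date; the remaining lines are invented.
SAMPLE_SHADOW = """\
sc2:$6$hd8RxF9i$PpBk2kB7HVmllk8tODKgpQhVekIBWuxnSiS7LP1FxIb2Gsm8jIHb4HJebikz8WYuiJwJ9k2GRjI/dfQvUZ6p30:18842:0:99999:7:::
sc3:!$6$hd8RxF9i$PpBk2kB7HVmllk8tODKgpQhVekIBWuxnSiS7LP1FxIb2Gsm8jIHb4HJebikz8WYuiJwJ9k2GRjI/dfQvUZ6p30:18843:0:99999:7:::
sc5:$6$rounds=10000$saltsalt$INVENTEDHASHVALUE:18842:0:99999:7::18809:
newuser:!!:18842:0:99999:7:::
nobody:*:17834:0:99999:7:::
sc4::18842:0:99999:7:::
sc6:123456:18843:0:99999:7:::
ops:$y$j9T$SALTSALTSALT$INVENTEDHASHVALUE:18842:0:90:7:::
old:$1$ab12cd34$INVENTEDHASHVALUE:12000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print("%-8s %-12s %-12s last change %s" % (e.name, e.status, e.algorithm, e.last_change))
    for finding in review(parse_shadow(SAMPLE_SHADOW), date.today()):
        print("FINDING:", finding)
```

The day count 18842 in the sc2 line decodes to 2021-08-03, matching the login dates in the transcripts above; the parser keeps the algorithm of a locked hash, which is what usermod -U relies on when it strips the "!" again.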

Expand

who

View local and remote login users

The difference between su and su -

     
  [root@kafka01 usergroup]# su sc1
  [sc1@kafka01 usergroup]$ pwd
  /lianxi/usergroup
  [sc1@kafka01 usergroup]$ exit
  exit
  [root@kafka01 usergroup]# su - sc1
  Last login: Thu Aug  5 09:56:17 CST 2021 on pts/0
  [sc1@kafka01 ~]$ pwd
  /home/sc1

su switches the user but keeps the caller's environment: the working directory, PATH and the other variables stay as they were

su - starts a login shell for the target user: it runs that user's profile and sets the home directory, PATH and the other variables as a fresh login would

In particular, a plain su to root gives root's privileges while keeping the original user's environment; su - gives both. A root shell that inherits an unprivileged user's PATH can run that user's programs by mistake, so prefer su - (or sudo -i) when becoming root.

vsftpd service and local users

# ftp is a file transfer service used to upload and download files for file sharing

https://www.cnblogs.com/mikeguan/p/7118229.html

1. Install the service

  yum install vsftpd

2. Start the service

  [root@mysql-binary xulilin]# service vsftpd restart    # on systemd hosts this is redirected to systemctl restart vsftpd

3. Install a client

  yum install lftp ftp -y    # both are FTP clients

# the vsftpd service on CentOS 8 does not allow anonymous logins by default

# to allow the anonymous user (ftp) to log in, change the setting in /etc/vsftpd/vsftpd.conf

anonymous_enable=YES

Restart vsftpd after changing the configuration file. Before enabling this, remember that anonymous login lets anyone who can reach port 21 read whatever is under /var/ftp, and that FTP sends user names and passwords in clear text, so local-user logins over it expose system passwords to anyone on the network path (prefer sftp over ssh for those).

After logging in, the anonymous user sees the files in the ftp account's home directory

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

FTP: File Transfer Protocol

Common ftp commands:

Upload a file: put

Download a file: get

List: ls

Change directory: cd

     
  [root@kafka01 sc3]# service vsftpd restart
  Redirecting to /bin/systemctl restart vsftpd.service
  [root@kafka01 sc3]# ftp 172.26.41.201
  Connected to 172.26.41.201 (172.26.41.201).
  220 (vsFTPd 3.0.2)
  Name (172.26.41.201:root): ftp
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ^C

Both anonymous and local users can log on to the ftp service. The anonymous user is confined to /var/ftp; local users start in their home directory but, unless chroot_local_user=YES is set in vsftpd.conf, can change into any directory their file permissions allow.

Three types of users:

1. Anonymous users

2. Local Users

3. Virtual Users

How can 10,000 machines be managed?

Environment standardisation: one operating system build, a host naming convention

Network segmentation

Automation and monitoring built on those infrastructure standards

Practice

1. How do I find out whether a user exists on a Linux system?

id username, or look the name up in /etc/passwd (getent passwd username also covers accounts from LDAP and other NSS sources)

2. How do I stop a user from logging on to the Linux system?

usermod -L: lock the password (blocks password logins only)

usermod -e <date in the past>: expire the account (blocks every authentication method, ssh keys included)

usermod -s /sbin/nologin (or /bin/false): remove the login shell
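Added example, not from the original notes: a shell function that applies all three measures from question 2 together and then ends the user's running sessions, since each measure alone leaves a gap (a locked password still admits an ssh key, a nologin shell does not invalidate the password, and neither touches sessions that are already open). The user name "alice" and the DRY_RUN switch are assumptions made for this example; run it as root without DRY_RUN on a real system.

```bash
#!/bin/bash
# disable_user USER
# Fully disable an account. All three changes are needed: a locked password
# alone still admits an ssh key, an expired account is refused by PAM for
# every authentication method, and a nologin shell stops interactive use.
# Existing sessions are killed afterwards. With DRY_RUN=1 the commands are
# printed instead of executed, so the sequence can be reviewed first.
disable_user() {
    local user="$1"
    run() {
        if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
    }
    run usermod -L "$user"              # prefix the hash in /etc/shadow with '!'
    run usermod -e 1970-01-02 "$user"   # expiry date in the past (shadow field 8 = 1)
    run usermod -s /sbin/nologin "$user"
    run pkill -KILL -u "$user" || true  # no running processes is not an error
}

# verify_disabled USER: what an auditor checks after the change
verify_disabled() {
    passwd -S "$1"                        # second column LK = locked
    chage -l "$1" | grep -i 'account expires'
    getent passwd "$1" | cut -d: -f7      # login shell
}

# usage (as root):  disable_user alice && verify_disabled alice
```

Re-enabling is the reverse: usermod -U, usermod -e "" to clear the expiry, and usermod -s /bin/bash.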

3. How do I find out which groups a user belongs to?

id username (groups username prints the same list by name)

/etc/passwd (field 4 gives the GID of the primary group)

/etc/group (the fourth field of a group line lists the users for whom that group is a supplementary group)

4. How do I see who is logged in to Linux right now, and who has logged in before?

# logged in now

who, w, users

# logged in before

last (from /var/log/wtmp), lastlog (last login of every user); lastb lists failed login attempts

5. How do I reset a user's password?

echo password | passwd --stdin username (or run passwd username and type it)

6. The root password has been forgotten

Boot into a single-user shell:

1. Power on, press a key to stop at the GRUB menu, select the kernel entry and press e to edit it

2. Find the line starting with linux16 (or linux) and replace ro with rw init=/sysroot/bin/bash

3. Press Ctrl-x to boot into the shell

4. chroot /sysroot

5. export LANG=C (avoids garbled prompts), then change the password: echo "1234567" | passwd --stdin root, or just passwd

6. If SELinux is enforcing, run touch /.autorelabel before exiting and rebooting; otherwise the rewritten /etc/shadow carries the wrong label and nobody can log in

This works for anyone with console access, which is why the GRUB menu should be password-protected and physical access to servers controlled.

7. How do I kick a logged-in user off the system, and stop them logging in again?

1. Find the session's processes (ps, who, w) and kill them

[root@kafka01 ~]# w
 16:50:21 up 2 days,  5:33,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    113.246.76.120   16:36    5.00s  0.00s  0.00s w
root     pts/1    113.246.76.120   16:50    2.00s  0.00s  0.00s -bash
[root@kafka01 ~]# pkill -KILL -t pts/1

pkill -t kills every process attached to the given pseudo-terminal, which ends that session (pkill -KILL -u username ends all of a user's sessions at once)

2. If the intruder was logged in as root, kick them and change the root password immediately; check /root/.ssh/authorized_keys for keys they may have added

3. sshd -> /etc/hosts.deny and hosts.allow (TCP wrappers; honoured on CentOS 7, removed from RHEL 8 and later, where a firewall rule does the same job) -> block by IP address

4. /etc/ssh/sshd_config -> DenyUsers -> block by user name (restart sshd afterwards)

8. How do I make an ordinary user into a root user?

1. Edit /etc/passwd directly and change the user's UID to 0, then log in again and test with a command that needs root, such as shutdown

2. usermod -u 0 -o username; the -o option allows a non-unique UID, without it usermod refuses because UID 0 already exists

Either way the result is a second superuser that is easy to overlook because it is not called root, which is a classic backdoor: any UID 0 account other than root in /etc/passwd should be treated as a finding.

9. Create the directories /tech/cali and /tech/sanle, which hold the home directories of the user accounts of two project groups.

Add the group accounts cali and sanle for the two project groups, with GIDs 1001 and 1002; add the group account tech for the technology department with GID 200.

Add two users b1 and b2 whose primary group is cali and supplementary group is tech; their home directories are folders named after the account under /tech/cali (for example /tech/cali/b1 for b1); the b2 account expires on 2012-12-31.

Add two users a1 and a2 whose primary group is sanle and supplementary group is tech; their home directories are folders named after the account under /tech/sanle (for example /tech/sanle/a1 for a1); a2's login shell is /bin/ksh.

All new users get the password 123456.

     
  [root@chaochao ~]# mkdir -p /tech/cali /tech/sanle
  [root@chaochao ~]# groupadd -g 1001 /tech/cali
  groupadd: '/tech/cali' is not a valid group name
  [root@chaochao ~]# groupadd -g 1001 cali
  groupadd: GID '1001' already exists
  [root@chaochao ~]# groupadd -g 1002 cali      # 1001 was taken on this host, so the next free GIDs are used
  [root@chaochao ~]# groupadd -g 1003 sanle
  [root@chaochao ~]# groupadd -g 200 tech
  [root@chaochao ~]# useradd -g cali -G tech -d /tech/cali/b1 b1
  [root@chaochao ~]# useradd -g cali -G tech -d /tech/cali/b2 -e "2012-12-31" b2
  [root@chaochao ~]# useradd -g sanle -G tech -d /tech/sanle/a1 a1
  [root@chaochao ~]# useradd -g sanle -G tech -d /tech/sanle/a2 -s /bin/ksh a2
  [root@chaochao ~]# echo 123456|passwd a1 --stdin
  Changing password for user a1.
  passwd: all authentication tokens updated successfully.
  [root@chaochao ~]# echo 123456|passwd a2 --stdin
  Changing password for user a2.
  passwd: all authentication tokens updated successfully.
  [root@chaochao ~]# echo 123456|passwd b1 --stdin
  Changing password for user b1.
  passwd: all authentication tokens updated successfully.
  [root@chaochao ~]# echo 123456|passwd b2 --stdin
  Changing password for user b2.
  passwd: all authentication tokens updated successfully.
  [root@chaochao ~]# less /etc/passwd
  b1:x:1002:1002::/tech/cali/b1:/bin/bash
  b2:x:1003:1002::/tech/cali/b2:/bin/bash
  a1:x:1004:1003::/tech/sanle/a1:/bin/bash
  a2:x:1005:1003::/tech/sanle/a2:/bin/ksh

/bin/ksh must be installed (yum install ksh) before a2 can log in, and giving every new account the same password should be paired with chage -d 0 username so that each user is forced to change it at first login.

Tags: Linux server

Posted by cockney on Sun, 14 Aug 2022 23:12:11 +0530