2018-05-18课堂笔记
目录
一、用户配置文件和密码配置文件
二、用户组管理
三、用户管理
四、usermod命令
五、用户密码管理
六、mkpasswd命令
七、su命令
八、sudo命令
九、限制root远程登录
一、用户配置文件和密码配置文件
1.用户文件/etc/passwd
[[email protected] ~]# head -n 5 /etc/passwd
//从/etc/passwd文件可以看到,第一行都包括7个字段,第个字段间用":"分隔
//格式 用户名:密码:UID:GID:用户信息说明:用户家目录:shell
//密码字段是加密码后的密码,若为"x",则密码保存在/etc/shadow文件中,如用户没有密码,则为空
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
......中间段信息略
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
hjm:x:5000:5000:HJM:/home/hjm:/bin/bash
2.用户密码文件/etc/shadow
/etc/shadow文件是/etc/passwd的影子文件,这两个文件互补,该文件只有root权限可以读取和操作。
[[email protected] ~]# cat /etc/shadow
//etc/shadow内容包括九个字段,字段间以":"分隔
//格式 用户名:密码:上次密码修改时间:密码不可被修改的天数:密码需要重新修改的天数:密码需要重新修改前的警告期限:密码过期的宽限时间:帐号失效日期:保留
//这里的密码是真正的密码,是经过加密的密文,如果该字段包含!或*,表示该用户无法登录,该字段为空,表示用户登录无需密码,以!号开始,表示密码已经被锁定。
//第三个字段和第八个字段的日期都是使用1970年1月1日作为1
root:$6$wuyQ2nlLIXTI2IPk$99X/7wGl4kR856WTD8tU9QkNjkY3BnlP83pzuROgydZB09Ushf2UmeaeprPdXf46ohfHujbmtGYKxfOyq5L8z.::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
adm:*:17110:0:99999:7:::
lp:*:17110:0:99999:7:::
......中间段信息略
postfix:!!:17641::::::
chrony:!!:17641::::::
sshd:!!:17641::::::
hjm:$6$iB95gZCu1U7k6axG$rsEXykYY1zg/rmdLNEgn/tsG9MjpKIbBX0tiaNNH2c7YcDInGyr5LJNZij/nci0fN.HbYhnyqjEYwBJ4InHWG0::0:99999:7:::
二、用户组管理
1.组配置文件/etc/group
[[email protected] ~]# cat /etc/group
///etc/group包括4个字段,以":"分隔
//格式 用户组名称:用户组密码:GID:用户组成员
//用户组密码如果为x,表示未设置密码。通常无须设置。
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
......中间段信息略
postfix:x:89:
chrony:x:996:
sshd:x:74:
hjm:x:5000:hjm
2.组密码配置文件/etc/gshadow
[[email protected] ~]# cat /etc/gshadow
//在/etc/gshadow文件中,每个用户组独占一行,每行包括4个字段,字段间以":"分隔
//格式 用户组名称:用户组密码:用户组管理者:组成员
//用户组密码是加密后的密码,该字段为空,表示只有组内成员可以拥有该组的权限。
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
......中间段信息略
postfix:!::
chrony:!::
sshd:!::
hjm:!!::hjm
3.添加组
//新建一个组名为group1的用户组
[[email protected] ~]# groupadd group1
[[email protected] ~]# grep group1 /etc/group /etc/gshadow
/etc/group:group1:x:5001:
/etc/gshadow:group1:!::
//新建一个名为group2的系统组
[[email protected] ~]# groupadd -r group2
[[email protected] ~]# grep group2 /etc/group /etc/gshadow
/etc/group:group2:x:994:
/etc/gshadow:group2:!::
//添加GID为1111的用户组group3
[[email protected] ~]# groupadd -g 1111 group3
[[email protected] ~]# grep group3 /etc/group /etc/gshadow
/etc/group:group3:x:1111:
/etc/gshadow:group3:!::
4.删除组
//删除用户组group3
[[email protected] ~]# groupdel group3
//group3用户组被成功删除
[[email protected] ~]# grep group3 /etc/group /etc/gshadow
//如果用户还存在,无法删除用户的主组
[[email protected] ~]# grep adminuser /etc/passwd
adminuser:x:5001:5002::/home/adminuser:/bin/bash
[[email protected] ~]# grep adminuser /etc/group
adminuser:x:5002:
[[email protected] ~]# groupdel adminuser
groupdel: cannot remove the primary group of user ‘adminuser‘
//将组中的用户移走后,可删除该组
[[email protected] ~]# groupadd newgroup
[[email protected] ~]# usermod -g newgroup adminuser
[[email protected] ~]# groupdel adminuser
//成功删除
[[email protected] ~]# grep adminuser /etc/group
三、用户管理
1.新建用户
可使用useradd命令建立用户帐户和创建用户的起始目录,但只有超级用户才有权限。
useradd命令加添用户时,如不加任何参数,则系统将根据默认的参数来添加用户(/etc/login.defs和/etc/default/useradd,/etc/skel/*)
//不加任何参数,以系统默认值建立一个用户admin
[[email protected] ~]# useradd admin
[[email protected] ~]# grep admin /etc/passwd /etc/shadow /etc/group /etc/gshadow
/etc/passwd:admin:x:5002:5002::/home/admin:/bin/bash
/etc/shadow:admin:!!:17670:0:99999:7:::
/etc/group:admin:x:5002:
/etc/gshadow:admin:!::
[[email protected] ~]# ls -la /home/admin
total 12
drwx------ 2 admin admin 62 May 19 16:26 .
drwxr-xr-x. 5 root root 47 May 19 16:26 ..
-rw-r--r-- 1 admin admin 18 Aug 3 2017 .bash_logout
-rw-r--r-- 1 admin admin 193 Aug 3 2017 .bash_profile
-rw-r--r-- 1 admin admin 231 Aug 3 2017 .bashrc
//添加用户user1,设置其真实名字"a common user",其家目录在/opt/user1下,让其归属为组admin,root成员,其shell类型为tcsh
/etc/passwd:user1:x:5003:5004:a common user:/opt/user1:/bin/tcsh
/etc/shadow:user1:!!:17670:0:99999:7:::
/etc/group:root:x:0:user1
/etc/group:admin:x:5002:user1
/etc/group:user1:x:5004:
/etc/gshadow:root:::user1
/etc/gshadow:admin:!::user1
/etc/gshadow:user1:!::
// 添加自定义用户ID为5005的用户user2
[[email protected] ~]# useradd -u 5005 user2
[[email protected] ~]# grep user2 /etc/passwd
user2:x:5005:5005::/home/user2:/bin/bash
//新建用户时不生成家目录
[[email protected] ~]# useradd -M user3
[[email protected] ~]# ls -al /home/user3
//说明家目录文件夹不存在
ls: cannot access /home/user3: No such file or directory
//但是user3是有家目录的,只是家目录文件夹不存在,可以手动创建
[[email protected] ~]# grep user3 /etc/passwd
user3:x:5006:5006::/home/user3:/bin/bash
[[email protected]luequark ~]# su - user3
su: warning: cannot change directory to /home/user3: No such file or directory
-bash-4.2$
2.删除用户
[[email protected] ~]# grep user2 /etc/passwd
user2:x:5005:5005::/home/user2:/bin/bash
//不带参数,删除用户user2, 家目录还在
[[email protected] ~]# userdel user2
[[email protected] ~]# grep user2 /etc/passwd
[[email protected] ~]#
[[email protected] ~]# ls -ld /home/user2
drwx------ 2 5005 5005 62 May 19 17:45 /home/user2
//带参数-r,删除用户的同时,删除其家目录
[[email protected] ~]# grep admin /etc/passwd
admin:x:5002:5002::/home/admin:/bin/bash
[[email protected] ~]# ls -ld /home/admin
drwx------ 2 admin admin 62 May 19 16:26 /home/admin
[[email protected] ~]# userdel -r admin
[[email protected] ~]# grep admin /etc/passwd
[[email protected] ~]#
[[email protected] ~]# ls -ld /home/admin
ls: cannot access /home/admin: No such file or directory
四、Usermod
usermod的作用:修改用户类型、所归属的组,修改用户密码的有效期,还能修改登录名
常用选项
-g 修改用户的所属组
//用户nico的主组id为5007,主组名:nico
[[email protected] ~]# grep nico /etc/passwd
nico:x:5007:5007::/home/nico:/bin/bash
[[email protected] ~]# grep 5007 /etc/group
nico:x:5007:
//变更nico主组为newgroup
[[email protected] ~]# usermod -g newgroup nico
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup)
//用户nico的主组已经变更为newgroup
-G 增加用户的附属组
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup)
[[email protected] ~]# usermod -G nico nico
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)
-u 修改用户的uid
[[email protected] ~]# id nico
uid=5007(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)
[[email protected] ~]# usermod -u 5008 nico
[[email protected] ~]# id nico
uid=5008(nico) gid=5003(newgroup) groups=5003(newgroup),5007(nico)
-L 锁定用户
//密码字段第一位不为!,说明用户没有锁定
[[email protected] ~]# grep nico /etc/shadow
nico:$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
//锁定用户
[[email protected] ~]# usermod -L nico
[[email protected] ~]# grep nico /etc/shadow
nico:!$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
-U 解锁用户
[[email protected] ~]# grep nico /etc/shadow
nico:!$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
[[email protected] ~]# usermod -U nico
[[email protected] ~]# grep nico /etc/shadow
nico:$6$Q52VYIOk$MhEHOcBLqPSiAwz.j4K.74mvfSuYKhluACR25QOrsn6yRRWEBOeP8fN6s1KWObm0IJcdah5wrXkuize5Anlgn1:17670:0:99999:7:::
-l修改用户登录名
-d修改用户家目录
//将kennminn用户改名为shelly,并将其家目录转移到/opt/shelly
[[email protected] ~]# usermod -d /opt/shelly -m -l shelly -U kennminn
[[email protected] ~]# ls -ld /opt/shelly/
drwx------ 2 shelly kennminn 62 May 19 19:58 /opt/shelly/
[[email protected] ~]# groupadd shelly
[[email protected] ~]# chown -R shelly.shelly /opt/shelly
[[email protected] ~]# ls -ld /opt/shelly/
drwx------ 2 shelly shelly 62 May 19 19:58 /opt/shelly/
五、用户密码管理
可以用passwd命令来实现对用户密码的管理
//交互式修改用户密码
[[email protected] ~]# useradd nico
[[email protected] ~]# passwd nico
Changing password for user nico.
New password: //输入密码
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: //再次输入密码
passwd: all authentication tokens updated successfully.
//非交互式修改用户密码方法1
[[email protected] ~]# echo ‘12345‘ | passwd --stdin nico
Changing password for user nico.
passwd: all authentication tokens updated successfully.
//非交互式修改用户密码方法2
[[email protected] ~]# echo -e "123456\n123456" | passwd nico
Changing password for user nico.
New password: BAD PASSWORD: The password is shorter than 8 characters
Retype new password: passwd: all authentication tokens updated successfully.
//删除用户密码
[[email protected] ~]# passwd -d nico
Removing password for user nico.
passwd: Success
//锁定用户帐户
[[email protected] ~]# passwd -l nico
Locking password for user nico.
passwd: Success
//解锁用户帐户
[[email protected] ~]# passwd -u nico
Unlocking password for user nico.
passwd: Success
六、mkpasswd
mkpasswd是一种密码生成工具,可生成随机复杂密码。
最小化安装默认没有mkpasswd命令,需安装expect软件包
//expect软件包安装
[[email protected] ~]# yum -y install expect-5.45-14.el7_1.x86_64
常见用法
-l 指定密码长度,默认长度为9
//不带参数生成默认长度为9的随机密码
[[email protected] ~]# mkpasswd
av‘lZ8zY4
//带l参数生成指定长度的密码
[[email protected] ~]# mkpasswd -l 12
a1ivcnRXh%0m
-s 指定新生成密码中特殊字符的最小个数,默认为1
[[email protected] ~]# mkpasswd -s 3
?sA<04gN*
-d 指定新生成密码中数字的最小个数,默认为2
[[email protected] ~]# mkpasswd -d 3
W1yn&k7V5
七、su命令
通过su命令可以在用户之间切换,root用户向普通户切换无需密码,普通用户切换到其他用户需要密码。
常见用法
普通用户切换到root用户
//普通用户切换到root用户,不带"-"时,环境变量不会切换。
[[email protected] ~]$ su root
Password:
[[email protected] hjm]# pwd
/home/hjm
//普通用户切换到root用户,带"-"时,环境变量会切换
[[email protected] ~]$ su - root
Password:
Last login: Sat May 19 21:37:43 CST 2018 from 192.168.1.9 on pts/0
[[email protected] ~]# pwd
/root
以指定身份运行一条命令
[[email protected] ~]$ su - -c "head -n 5 /etc/passwd" root
Password:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
若要切换到的用户没有家目,则使用系统的默认配置
[[email protected] ~]# grep user6 /etc/passwd
user6:x:5012:5013::/home/user6:/bin/bash
[[email protected] ~]# ls -ld /home/user6
ls: cannot access /home/user6: No such file or directory
[[email protected] ~]# su - user6
su: warning: cannot change directory to /home/user6: No such file or directory
-bash-4.2$
//可手动生成用户家目录文件夹并拷贝/etc/skel下的默认配置文件到相应目录,
[[email protected] ~]$ cp /etc/skel/* /home/user6
[[email protected] ~]# su - user6
[[email protected] ~]$
八、sudo
sudo允许系统管理员让普通用户执行一些或全部的root命令。
sudo通过/etc/sudoers进行授权,编辑文件时最好用visudo,它会进行简单语法检查。
授权普通用户使用root的部分命令
//授权hjm用户使用root用户的ls,cat权限
......上部略
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
hjm ALL=(ALL) /usr/bin/ls,/usr/bin/cat
......略
//授权的ls可以查看root家目录下的文件
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for hjm:
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
[[email protected] ~]$ cat /root/f1.txt
cat: /root/f1.txt: Permission denied
[[email protected] ~]$ sudo /usr/bin/cat /root/f1.txt
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
visudo中用户别名
......
User_Alias ADMINS = hjm, nico
ADMINS ALL=(ALL) /usr/bin/ls,/usr/bin/cat
......
//验证hjm用户可以使用root的ls命令
[[email protected] ~]# su - hjm
Last login: Sat May 19 22:25:17 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
[sudo] password for hjm:
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 f1.txt fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
//验证nico用户可以使用root的ls命令
[[email protected] ~]$ su - nico
Password:
Last login: Sat May 19 19:32:49 CST 2018 on pts/0
Last failed login: Sat May 19 22:49:36 CST 2018 on pts/0
There were 2 failed login attempts since the last successful login.
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for nico:
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 f1.txt fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
visudo中命令别名设置
......省略
Cmnd_Alias ALIAS_CMD = /usr/bin/ls, /usr/bin/cat
......省略
//NOPASSWD表示用户无需输入密码
ADMINS ALL=(ALL) NOPASSWD:ALIAS_CMD
......省略
//验证hjm用户可以不输入密码直接使用/root的ls命令
[[email protected] ~]# su - hjm
Last login: Sat May 19 22:44:43 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 f1.txt fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
//验证nico用户无需输入密码可以直接使用/root的ls命令
[[email protected] ~]$ su - nico
Password:
Last login: Sat May 19 22:49:43 CST 2018 on pts/0
[[email protected] ~]$ ls /root/
ls: cannot open directory /root/: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 f1.txt fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
管理员组wheel
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
//添加用户到wheel组
[[email protected] ~]# usermod -a -G wheel shelly
[[email protected] ~]# grep shelly /etc/group
wheel:x:10:shelly
shelly:x:5012:
[[email protected] ~]# su -shelly
su: failed to execute helly: No such file or directory
[[email protected] ~]# su - shelly
[[email protected] ~]$ ls /root
ls: cannot open directory /root: Permission denied
[[email protected] ~]$ sudo /usr/bin/ls /root/
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for shelly:
anaconda-ks.cfg bbbb day.jpg default.jpg demo dir2 f1.txt fd1 morning.jpg named.pipe night.jpg path_demo pxe_config
九、限制root用户远程登录
鉴于直接使用Root用户登录所具有的高风险性,为避免误操作引起的事故,根据权限最小化原则,应尽量使用普通用户远程登录,只有在需要root用户权限的时候切换到root用户身份。执行完回退至普通用户。可采用如下方案:
//1. 通过visudo编辑/etc/sudoers文件,将需要切换到root用户设置到同一个别名
User_Alias ADMINS = hjm, nico
//2. 允许这些用户免密执行root用户的/usr/bin/su命令
ADMINS ALL=(ALL) NOPASSWD:/usr/bin/su
//这样普通用户不用知道root密码也可以切换到root用户身份,执行完也可以回退至本身的帐户
[[email protected] ~]$ sudo /usr/bin/su -
Last login: Sat May 19 23:35:30 CST 2018 on pts/0
[[email protected] ~]#
[[email protected] ~]# exit
logout
[[email protected] ~]$
//3.限制root用户不能远程ssh登录
[[email protected] ~]# sed -ni s/#PermitRootLogin\ yes/PermitRootLogin\ no/p /etc/ssh/sshd_config
[[email protected] ~]# grep PermitRootLogin !$
grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
//4.重启sshd 服务
[[email protected] ~]# systemctl restart sshd.service
此时再以root用户远程密码登录,服务器拒绝登录。
此时再以普通用户登录,可正常登录
Connecting to 192.168.1.211:22...
Connection established.
To escape to local shell, press ‘Ctrl+Alt+]‘.
Last login: Sat May 19 23:39:10 2018
[[email protected] ~]$
//需要时可以通过sudo /usr/bin/su - 切换至root用户身份
[[email protected] ~]$ sudo /usr/bin/su -
Last login: Sat May 19 23:44:09 CST 2018 on pts/0
Last failed login: Sat May 19 23:58:44 CST 2018 from 192.168.1.9 on ssh:notty
There were 11 failed login attempts since the last successful login.
[[email protected] ~]#
原文地址:https://www.cnblogs.com/minn/p/9062217.html