[Linux] User and Group Management

Posted by 西维蜀黍 on 2021-03-07, Last Modified on 2022-03-12

Background

Check the current user

$ whoami

Users and passwords

On a Linux system, every user account that is created, together with its related information (except the password), is stored in the /etc/passwd configuration file.

Because every user has read permission on the passwd file, password data is not kept there; it lives in /etc/shadow, which stores a salted hash of the password rather than the password itself (the $6$ prefix in the example below marks SHA-512 crypt; the MD5-based $1$ scheme is legacy and should not be used for new passwords).

In the passwd file each line defines one user account. A line consists of several fields separated by ":", and each field describes one aspect of that account.

/etc/passwd

$ sudo cat /etc/passwd
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...

The /etc/passwd file is a text file that describes user login accounts for the system. It should have read permission allowed for all users (many utilities, like ls(1) use it to map user IDs to usernames), but write access only for the superuser.

In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and moreover the basic assumption used to be that of a friendly user-community. These days many people run some version of the shadow password suite, where /etc/passwd has an ‘x’ character in the password field, and the encrypted passwords are in /etc/shadow, which is readable by the superuser only.

If the encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a password. Note that this functionality may be intentionally disabled in applications, or configurable (for example using the “nullok” or “nonull” arguments to pam_unix.so).

Each line of the file describes a single user, and contains seven colon-separated fields:

name:password:UID:GID:GECOS:directory:shell

The fields are as follows:

  • name: the user's login name
  • password: optional encrypted password; "x" means the hash is kept in /etc/shadow, an empty field means no password is required (see above)
  • UID: numeric user ID (0 is the superuser, whatever the name)
  • GID: numeric ID of the user's primary group
  • GECOS: comment field (full name, contact information)
  • directory: the user's home directory
  • shell: program started at login; /usr/sbin/nologin or /bin/false denies interactive login

/etc/shadow

$ sudo cat /etc/shadow
root:$6$idMHNPf7Yk1VFojR$/Au0IL/HkHquUNeJd6Yn9AkmP7FbpPx9swrBm98LTmfdNpFlg.q/37HZuotq4KztKejjBeVNW0Z1dgtNujnk4/:18030:0:99999:7:::
daemon:*:18030:0:99999:7:::
bin:*:18030:0:99999:7:::
...

shadow is a file which contains the password information for the system’s accounts and optional aging information.

This file must not be readable by regular users if password security is to be maintained.

Each line of this file contains 9 fields, separated by colons (":"), in the following order:

  • login name

  • encrypted password: the crypt(3) hash; if the field holds something that is not a valid crypt(3) result, such as "!" or "*", the user cannot log in with a Unix password (other methods, such as SSH keys, still work); an empty field means no password is needed

  • date of last password change, in days since 1970-01-01 (0 forces a change at the next login)

  • minimum password age, in days, before the password may be changed again

  • maximum password age, in days, after which the password must be changed

  • password warning period, in days before expiry during which the user is warned

  • password inactivity period, in days after expiry during which the old password is still accepted before the account is disabled

  • account expiration date, in days since 1970-01-01, after which login is refused

  • reserved field

From https://man7.org/linux/man-pages/man5/shadow.5.html

Groups

Group account information is stored in the /etc/group configuration file, which any user can read. The real group password is stored in the /etc/gshadow configuration file.

/etc/group

$ sudo cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,ubuntu
...

The /etc/group file is a text file that defines the groups on the system. There is one entry per line, with the following format:

group_name:password:GID:user_list

The fields are as follows:

  • group_name: the name of the group
  • password: usually "x" or empty; the real password, if any, is in /etc/gshadow
  • GID: the numeric group ID
  • user_list: comma-separated login names of the users who have this group as a supplementary group (members whose primary GID is this group do not have to be listed)

User management

useradd - add a user

# Create a new user (requires root):
$ useradd [user_name]

# Create a new user belonging to additional groups (comma-separated, no whitespace):
$ useradd --groups group1,group2 name

usermod - modify user attributes

# Change a user's name:
$ usermod -l [newname] [user]

# Add a user to supplementary groups (comma-separated, no whitespace).
# Keep the -a: without it, -G REPLACES the user's whole supplementary group
# list, so "usermod -G docker alice" silently removes alice from sudo and
# every other group she was in.
$ usermod -a -G [group1,group2] [user]

# Same thing with long options:
$ sudo usermod --append --groups group1,group2,... username

# Change the user's primary group to root (-g sets only the primary group):
$ usermod -g root <user>
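To make the difference between -G and -a -G concrete, the following added example (not code from the original post) applies both edits to an in-memory copy of a constructed /etc/group, the way usermod rewrites the file: without -a the user is first dropped from every supplementary group not in the new list, with -a the user is only added. The user "alice" and the groups are hypothetical.

```python
"""Simulate the /etc/group edit done by `usermod -G` versus `usermod -a -G`.

Added example, not code from the original post. GROUP_BEFORE is a constructed
/etc/group; "alice" and the group names are hypothetical.
"""
from typing import List

# Constructed /etc/group: alice is currently in sudo and docker.
GROUP_BEFORE = """\
root:x:0:
adm:x:4:syslog
sudo:x:27:alice
docker:x:999:alice
developers:x:1001:
"""


def members_of(group_text: str, user: str) -> List[str]:
    """Supplementary groups of `user` as recorded in a /etc/group text."""
    groups = []
    for line in group_text.splitlines():
        name, _pw, _gid, member_str = line.split(":")
        if user in [m for m in member_str.split(",") if m]:
            groups.append(name)
    return groups


def set_groups(group_text: str, user: str, new_groups: List[str], append: bool) -> str:
    """Rewrite membership like `usermod -G` (append=False) or `usermod -a -G` (append=True).

    usermod refuses unknown groups, so do the same before touching anything.
    """
    known = {line.split(":")[0] for line in group_text.splitlines()}
    missing = set(new_groups) - known
    if missing:
        raise ValueError(f"group(s) do not exist: {sorted(missing)}")
    out = []
    for line in group_text.splitlines():
        name, pw, gid, member_str = line.split(":")
        members = [m for m in member_str.split(",") if m]
        if name in new_groups:
            if user not in members:
                members.append(user)
        elif not append and user in members:
            members.remove(user)  # this is the step that costs people their sudo access
        out.append(f"{name}:{pw}:{gid}:{','.join(members)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    replaced = set_groups(GROUP_BEFORE, "alice", ["developers"], append=False)
    appended = set_groups(GROUP_BEFORE, "alice", ["developers"], append=True)
    print("usermod -G developers alice    ->", members_of(replaced, "alice"))
    print("usermod -a -G developers alice ->", members_of(appended, "alice"))
```

Run it and the first line shows alice left with only developers, the second shows sudo and docker preserved. On a real system, check the result the same way with "id -nG alice" before logging out of the session that still holds root.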

passwd - change a user's password

# Change the password of the current user interactively:
$ passwd

# Change the password of the specified user (root only; prompts for the new password):
$ sudo passwd username

# Set a password non-interactively. passwd does not accept the password as an
# argument; feed "user:password" lines to chpasswd on stdin instead of putting
# the secret on the command line, where it would appear in ps output and in
# the shell history:
$ echo 'username:new_password' | sudo chpasswd

# Show the password status of the current user (locked or usable, date of last change, aging values):
$ passwd -S

# ... or of another user (root only):
$ sudo passwd -S username

Group management

groupadd - create a group

# Create a new Linux group:
$ groupadd group_name

groupmod - modify a group

# Change the group name:
$ groupmod -n new_group_name old_group_name

groupdel - delete a group

# Delete an existing group:
$ groupdel group_name

gpasswd - manage group membership

# Add a user to the named group:
$ gpasswd -a user group

# Remove a user from the named group:
$ gpasswd -d user group
