Linux User, Group and Permission Management
Author: 尹正杰
Copyright notice: original work; reproduction is not permitted, and violators will be held legally liable.
I. The Linux security model
1>. The security "3A"
This is not a concept unique to Linux; the 3A concept appears in many fields, for example in Cisco, Microsoft and Huawei devices, which all have a notion of security. It breaks down roughly into the following terms.
Authentication:
Verifying identity, i.e. establishing who you are.
Authorization:
Once your identity has been verified, the permissions you are granted.
Accounting (auditing):
Auditing serves a supervisory role and can surface existing problems, for example security audits or corporate financial audits.
2>. Users (user)
Token:
token, identity
Linux user:
Username/UID
Administrator:
root, 0 (note that an account is not the administrator because it is named root, but because its UID is 0)
Regular users:
UIDs 1-60000 are allocated automatically, but if we assign a UID explicitly it may exceed the default allocation ceiling (60000). Linux users are divided into system users and login users.
System users: 1-499 (CentOS 6.x), 1-999 (CentOS 7.x); used to assign permissions to daemons that need to acquire resources (the accounts under which software runs, e.g. the "mysql", "apache" and "hdfs" users)
Login users: 500+ (CentOS 6.x), 1000+ (CentOS 7.x); interactive logins (normally used to log in to the operating system, e.g. yinzhengjie)
3>. Groups (group)
Linux group:
Groupname/GID
Administrator group:
root
Regular groups:
System groups: - (CentOS 6.x), - (CentOS 7.x)
Regular groups: + (CentOS 6.x), + (CentOS 7.x)
Categories of Linux groups:
The user's primary group
A user must belong to one and only one primary group.
By default, creating a user also creates a group with the same name as the user, containing only that user; we also call it the user's private group.
The user's supplementary groups
A user can belong to zero or more supplementary groups.
[[email protected] ~]# id root
uid=(root) gid=(root) groups=(root)
[[email protected] ~]#
4>. User and group configuration files
The main configuration files for Linux users and groups:
/etc/passwd:
users and their attributes (name, UID, primary group ID, etc.)
/etc/group:
groups and their attributes
/etc/shadow:
user passwords and related attributes
/etc/gshadow:
group passwords and related attributes
The passwd file format is as follows:
login name: the login user name (wang)
passwd: the password (x)
UID: the user ID number ()
GID: the ID of the default login group ()
GECOS: the user's full name or a comment
home directory: the user's home directory (/home/wang)
shell: the user's default shell (/bin/bash)
[[email protected] ~]# cat /etc/passwd
root:x:::root:/root:/bin/bash
bin:x:::bin:/bin:/sbin/nologin
daemon:x:::daemon:/sbin:/sbin/nologin
adm:x:::adm:/var/adm:/sbin/nologin
lp:x:::lp:/var/spool/lpd:/sbin/nologin
sync:x:::sync:/sbin:/bin/sync
shutdown:x:::shutdown:/sbin:/sbin/shutdown
halt:x:::halt:/sbin:/sbin/halt
mail:x:::mail:/var/spool/mail:/sbin/nologin
operator:x:::operator:/root:/sbin/nologin
games:x:::games:/usr/games:/sbin/nologin
ftp:x:::FTP User:/var/ftp:/sbin/nologin
nobody:x:::Nobody:/:/sbin/nologin
systemd-network:x:::systemd Network Management:/:/sbin/nologin
dbus:x:::System message bus:/:/sbin/nologin
polkitd:x:::User for polkitd:/:/sbin/nologin
libstoragemgmt:x:::daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:::User for colord:/var/lib/colord:/sbin/nologin
rpc:x:::Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:::GlusterFS daemons:/run/gluster:/sbin/nologin
saslauth:x:::Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x::::/etc/abrt:/sbin/nologin
rtkit:x:::RealtimeKit:/proc:/sbin/nologin
pulse:x:::PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:::radvd user:/:/sbin/nologin
rpcuser:x:::RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:::Anonymous NFS User:/var/lib/nfs:/sbin/nologin
unbound:x:::Unbound DNS resolver:/etc/unbound:/sbin/nologin
chrony:x::::/var/lib/chrony:/sbin/nologin
qemu:x:::qemu user:/:/sbin/nologin
tss:x:::Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:::usbmuxd user:/:/sbin/nologin
geoclue:x:::User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x::::/etc/ntp:/sbin/nologin
sssd:x:::User for sssd:/:/sbin/nologin
setroubleshoot:x::::/var/lib/setroubleshoot:/sbin/nologin
saned:x:::SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gdm:x::::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x::::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:::Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:::Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x::::/var/spool/postfix:/sbin/nologin
tcpdump:x::::/:/sbin/nologin
yinzhengjie:x:::yinzhengjie:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
The shadow file format:
login name
user password: normally hashed with sha512
number of days from 1 January 1970 to the most recent password change
number of days before the password may be changed again (0 means it can be changed at any time)
number of days after which the password must be changed (99999 means it never expires)
number of days before expiry on which the system warns the user (default one week)
number of days after password expiry after which the account is locked
number of days since 1 January 1970 after which the account becomes invalid
[[email protected] ~]# cat /etc/shadow
root:$$MLowZZoTkB4Lfzlp$6vkz/bmyWgvPZQEtlQ2Fki1EzZpUdcEecxp2rfzJ1IkvE9amik19QYv.6sYgxCiRgCNPRlfESp78KhUWbaKcN/:::::::
bin:*:::::::
daemon:*:::::::
adm:*:::::::
lp:*:::::::
sync:*:::::::
shutdown:*:::::::
halt:*:::::::
mail:*:::::::
operator:*:::::::
games:*:::::::
ftp:*:::::::
nobody:*:::::::
systemd-network:!!:::::::
dbus:!!:::::::
polkitd:!!:::::::
libstoragemgmt:!!:::::::
colord:!!:::::::
rpc:!!:::::::
gluster:!!:::::::
saslauth:!!:::::::
abrt:!!:::::::
rtkit:!!:::::::
pulse:!!:::::::
radvd:!!:::::::
rpcuser:!!:::::::
nfsnobody:!!:::::::
unbound:!!:::::::
chrony:!!:::::::
qemu:!!:::::::
tss:!!:::::::
usbmuxd:!!:::::::
geoclue:!!:::::::
ntp:!!:::::::
sssd:!!:::::::
setroubleshoot:!!:::::::
saned:!!:::::::
gdm:!!:::::::
gnome-initial-setup:!!:::::::
sshd:!!:::::::
avahi:!!:::::::
postfix:!!:::::::
tcpdump:!!:::::::
yinzhengjie:$$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:::::::
[[email protected] ~]#
The group file format:
group name: the name of the group
group password: usually not set; the password is recorded in /etc/gshadow
GID: the group's ID
list of users that have this group as a supplementary group (comma-separated)
[[email protected] ~]# cat /etc/group
root:x::
bin:x::
daemon:x::
sys:x::
adm:x::
tty:x::
disk:x::
lp:x::
mem:x::
kmem:x::
wheel:x::
cdrom:x::
mail:x::postfix
man:x::
dialout:x::
floppy:x::
games:x::
tape:x::
video:x::
ftp:x::
lock:x::
audio:x::
nobody:x::
users:x::
utmp:x::
utempter:x::
input:x::
systemd-journal:x::
systemd-network:x::
dbus:x::
polkitd:x::
cgred:x::
printadmin:x::
libstoragemgmt:x::
colord:x::
rpc:x::
dip:x::
gluster:x::
ssh_keys:x::
saslauth:x::
abrt:x::
rtkit:x::
pulse-access:x::
pulse-rt:x::
pulse:x::
radvd:x::
rpcuser:x::
nfsnobody:x::
unbound:x::
chrony:x::
kvm:x::qemu
qemu:x::
tss:x::
libvirt:x::
usbmuxd:x::
geoclue:x::
ntp:x::
sssd:x::
setroubleshoot:x::
saned:x::
gdm:x::
gnome-initial-setup:x::
sshd:x::
slocate:x::
avahi:x::
postdrop:x::
postfix:x::
stapusr:x::
stapsys:x::
stapdev:x::
tcpdump:x::
yinzhengjie:x::yinzhengjie
screen:x::
[[email protected] ~]#
[[email protected] ~]#
The gshadow file format:
group name: the name of the group
group password:
group administrator list: administrators can change the group password and its members
list of users that have this group as a supplementary group: multiple users separated by commas
[[email protected] ~]# cat /etc/gshadow
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
wheel:::
cdrom:::
mail:::postfix
man:::
dialout:::
floppy:::
games:::
tape:::
video:::
ftp:::
lock:::
audio:::
nobody:::
users:::
utmp:!::
utempter:!::
input:!::
systemd-journal:!::
systemd-network:!::
dbus:!::
polkitd:!::
cgred:!::
printadmin:!::
libstoragemgmt:!::
colord:!::
rpc:!::
dip:!::
gluster:!::
ssh_keys:!::
saslauth:!::
abrt:!::
rtkit:!::
pulse-access:!::
pulse-rt:!::
pulse:!::
radvd:!::
rpcuser:!::
nfsnobody:!::
unbound:!::
chrony:!::
kvm:!::qemu
qemu:!::
tss:!::
libvirt:!::
usbmuxd:!::
geoclue:!::
ntp:!::
sssd:!::
setroubleshoot:!::
saned:!::
gdm:!::
gnome-initial-setup:!::
sshd:!::
slocate:!::
avahi:!::
postdrop:!::
postfix:!::
stapusr:!::
stapsys:!::
stapdev:!::
tcpdump:!::
yinzhengjie:!!::yinzhengjie
screen:!::
[[email protected] ~]#
[[email protected] ~]#
5>. User-related operations (corresponding to "/etc/passwd")
[[email protected] ~]# whatis passwd
passwd () - password file
passwd () - update user's authentication tokens
sslpasswd (1ssl) - compute password hashes
[[email protected] ~]#
[[email protected] ~]# man 5 passwd
PASSWD()                    Linux Programmer's Manual                   PASSWD(5)

NAME
       passwd - password file

DESCRIPTION
       The /etc/passwd file is a text file that describes user login accounts for the system. It should have read permission allowed for all users (many utilities, like ls() use it to map user IDs to usernames), but write access only for the superuser.

       In the good old days there was no great problem with this general read permission. Everybody could read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and moreover the basic assumption used to be that of a friendly user-community. These days many people run some version of the shadow password suite, where /etc/passwd has an 'x' character in the password field, and the encrypted passwords are in /etc/shadow, which is readable by the superuser only.

       If the encrypted password, whether in /etc/passwd or in /etc/shadow, is an empty string, login is allowed without even asking for a password. Note that this functionality may be intentionally disabled in applications, or configurable (for example using the "nullok" or "nonull" arguments to pam_unix.so).

       If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record should be obtained from an NIS+ server.

       Regardless of whether shadow passwords are used, many system administrators use an asterisk (*) in the encrypted password field to make sure that this user can not authenticate him- or herself using a password. (But see NOTES below.)

       If you create a new login, first put an asterisk (*) in the password field, then use passwd() to set it.

       Each line of the file describes a single user, and contains seven colon-separated fields:

           name:password:UID:GID:GECOS:directory:shell

       The field are as follows:

       name      This is the user's login name. It should not contain capital letters.

       password  This is either the encrypted user password, an asterisk (*), or the letter 'x'. (See pwconv() for an explanation of 'x'.)

       UID       The privileged root login account (superuser) has the user ID .

       GID       This is the numeric primary group ID for this user. (Additional groups for the user are defined in the system group file; see group()).

       GECOS     This field (sometimes called the "comment field") is optional and used only for informational purposes. Usually, it contains the full username. Some programs (for example, finger()) display information from this field.

                 GECOS stands for "General Electric Comprehensive Operating System", which was renamed to GCOS when GE's large systems division was sold to Honeywell. Dennis Ritchie has reported: "Sometimes we sent printer output or batch jobs to the GCOS machine. The gcos field in the password file was a place to stash the information for the $IDENTcard. Not elegant."

       directory This is the user's home directory: the initial directory where the user is placed after logging in. The value in this field is used to set the HOME environment variable.

       shell     This is the program to run at login (if empty, use /bin/sh). If set to a nonexistent executable, the user will be unable to login through login(). The value in this field is used to set the SHELL environment variable.

FILES
       /etc/passwd

NOTES
       If you want to create user groups, there must be an entry in /etc/group, or no group will exist.

       If the encrypted password is set to an asterisk (*), the user will be unable to login using login(), but may still login using rlogin(), run existing processes and initiate new ones through rsh(), cron(), at(), or mail filters, etc. Trying to lock an account by simply changing the shell field yields the same result and additionally allows the use of su().

SEE ALSO
       login(), passwd(), su(), getpwent(), getpwnam(), crypt(), group(), shadow()

COLOPHON
       This page is part of release 3.53 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                                                                   PASSWD()
[[email protected] ~]# tail - /etc/passwd
yinzhengjie:x:::yinzhengjie:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# chfn yinzhengjie    # change the user's full name or comment
Changing finger information for yinzhengjie.
Name [yinzhengjie]: jason
Office []: bigdata
Office Phone []:
Home Phone []:
Finger information changed.
[[email protected] ~]#
[[email protected] ~]# tail - /etc/passwd
yinzhengjie:x:::jason,bigdata,,:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# df -h | grep /dev/sr0
/dev/sr0 11G 11G % /run/media/root/CentOS x86_64
[[email protected] ~]#
[[email protected] ~]# rpm -ivh /run/media/root/CentOS\ \ x86_64/Packages/finger-0.17-.el7.x86_.rpm
Preparing...                          ################################# [%]
Updating / installing...
   :finger-0.17-.el7                  ################################# [%]
[[email protected] ~]#
[[email protected] ~]# finger yinzhengjie
Login: yinzhengjie                      Name: jason
Directory: /home/yinzhengjie            Shell: /bin/bash
Office: bigdata, x1-                    Home Phone: x1-
Last login Wed Aug : (CST) on pts/ from 172.30.1.1
Mail last read Wed Aug : (CST)
No Plan.
[[email protected] ~]#
[[email protected] ~]# getent passwd yinzhengjie    # getent retrieves the record of the given user
yinzhengjie:x:::jason,bigdata,,:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# chsh -s /bin/csh yinzhengjie    # change the login shell to "/bin/csh"
Changing shell for yinzhengjie.
Shell changed.
[[email protected] ~]#
[[email protected] ~]# getent passwd yinzhengjie
yinzhengjie:x:::jason,bigdata,,:/home/yinzhengjie:/bin/csh
[[email protected] ~]#
6>. Password-related operations (corresponding to "/etc/shadow")
[[email protected] ~]# whatis shadow
shadow () - shadowed password file
shadow () - encrypted password file routines
[[email protected] ~]#
[[email protected] ~]# man 5 shadow
SHADOW()                    File Formats and Conversions                   SHADOW()

NAME
       shadow - shadowed password file

DESCRIPTION
       shadow is a file which contains the password information for the system's accounts and optional aging information.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains fields, separated by colons (“:”), in the following order:

       login name
           It must be a valid account name, which exist on the system.

       encrypted password
           Refer to crypt() for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

           A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

       date of last password change
           The date of the last password change, expressed as the number of days since Jan , .

           The value has a special meaning, which is that the user should change her pasword the next time she will log in the system.

           An empty field means that password aging features are disabled.

       minimum password age
           The minimum password age is the number of days the user will have to wait before she will be allowed to change her password again.

           An empty field and value mean that there are no minimum password age.

       maximum password age
           The maximum password age is the number of days after which the user will have to change her password.

           After this number of days is elapsed, the password may still be valid. The user should be asked to change her password the next time she will log in.

           An empty field means that there are no maximum password age, no password warning period, and no password inactivity period (see below).

           If the maximum password age is lower than the minimum password age, the user cannot change her password.

       password warning period
           The number of days before a password is going to expire (see the maximum password age above) during which the user should be warned.

           An empty field and value mean that there are no password warning period.

       password inactivity period
           The number of days after a password has expired (see the maximum password age above) during which the password should still be accepted (and the user should update her password during the next login).

           After expiration of the password and this expiration period is elapsed, no login is possible using the current user's password. The user should contact her administrator.

           An empty field means that there are no enforcement of an inactivity period.

       account expiration date
           The date of expiration of the account, expressed as the number of days since Jan , .

           Note that an account expiration differs from a password expiration. In case of an acount expiration, the user shall not be allowed to login. In case of a password expiration, the user is not allowed to login using her password.

           An empty field means that the account will never expire.

           The value should not be used as it is interpreted as either an account with no expiration, or as an expiration on Jan , .

       reserved field
           This field is reserved for future use.

FILES
       /etc/passwd
           User account information.

       /etc/shadow
           Secure user account information.

       /etc/shadow-
           Backup file for /etc/shadow.

           Note that this file is used by the tools of the shadow toolsuite, but not by all user and password management tools.

SEE ALSO
       chage(), login(), passwd(), passwd(), pwck(), pwconv(), pwunconv(), su(), sulogin().

shadow-utils 4.1.5.1                        //                               SHADOW()
[[email protected] ~]# getent passwd yinzhengjie    # the password is not stored in "/etc/passwd"
yinzhengjie:x:::jason,bigdata,,:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie    # on CentOS 7.x the password is stored in "/etc/shadow"
yinzhengjie:$$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:::::::
[[email protected] ~]#
[[email protected] ~]# pwunconv    # this command moves the passwords stored in "/etc/shadow" back into "/etc/passwd"
[[email protected] ~]#
[[email protected] ~]# getent passwd yinzhengjie    # the password is indeed back in passwd
yinzhengjie:$$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:::jason,bigdata,,:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie    # but "/etc/shadow" no longer holds the record
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# pwconv    # store user names and passwords separately again, i.e. put the password in "/etc/shadow"; this is the default
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:::::::
[[email protected] ~]#
[[email protected] ~]# getent passwd yinzhengjie
yinzhengjie:x:::jason,bigdata,,:/home/yinzhengjie:/bin/bash
[[email protected] ~]#
[[email protected] ~]# usermod -L yinzhengjie    # lock the user
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie    # after locking, a "!" appears in front of the password field; it marks the account as locked
yinzhengjie:!$$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:::::::
[[email protected] ~]#
[[email protected] ~]# passwd yinzhengjie    # after changing the user's password, the account turns out to be unlocked again
Changing password for user yinzhengjie.
New password:
BAD PASSWORD: The password is shorter than  characters
Retype new password:
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
[[email protected] ~]# usermod -U yinzhengjie    # unlock the user
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
[[email protected] ~]# chage -M 42 yinzhengjie    # set the user's password expiry to 42 days
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
C:\Users\yinzhengjie>net accounts    # Windows user accounts also have an expiry by default
强制用户在时间到期之后多久必须注销?: 从不
密码最短使用期限(天):
密码最长使用期限(天):    # the default expiry is 42 days
密码长度最小值:
保持的密码历史记录长度: None
锁定阈值: 从不
锁定持续时间(分):
锁定观测窗口(分):
计算机角色: WORKSTATION
命令成功完成。
C:\Users\yinzhengjie>
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
[[email protected] ~]# chage -I 5 yinzhengjie    # number of days after password expiry before the user is locked; here 5: if the password is not changed within the 42 days, the user is locked 5 days later and a locked user cannot log in to the system
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# chage -E 365 yinzhengjie    # set the account's validity in days; here 365, but note that the count starts from 1970!
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:::::::
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the given user's password
  -l, --lock              lock the given user
  -u, --unlock            unlock the given user
  -e, --expire            force the user to change the password at next login
  -f, --force             force the operation
  -x, --maximum=DAYS      maximum password lifetime
  -n, --minimum=DAYS      minimum password lifetime
  -w, --warning=DAYS      number of days of warning before expiry
  -i, --inactive=DAYS     inactivity period
  -S, --status            report the password status of the given user
  --stdin                 read the new password from standard input

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
[[email protected] ~]#
[[email protected] ~]# echo bigdata
bigdata
[[email protected] ~]#
[[email protected] ~]# echo bigdata | passwd --stdin yinzhengjie
Changing password for user yinzhengjie.
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null    # how passwords are changed in a production environment
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:::::::
[[email protected] ~]#
[[email protected] ~]# passwd -l yinzhengjie    # lock the user
Locking password for user yinzhengjie.
passwd: Success
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie    # note the two "!" now in front of the password
yinzhengjie:!!$$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:::::::
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# passwd -u yinzhengjie    # unlock the user
Unlocking password for user yinzhengjie.
passwd: Success
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:::::::
[[email protected] ~]#
[[email protected] ~]# passwd -e yinzhengjie    # expire the user's password; at the next login the user must change it immediately
Expiring password for user yinzhengjie.
passwd: Success
[[email protected] ~]#
[[email protected] ~]# getent shadow yinzhengjie
yinzhengjie:$$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:::::::
[[email protected] ~]#
7>. Group-related operations (corresponding to "/etc/group")
[[email protected] ~]# whereis group
group: /etc/group /usr/share/man/man5/group..gz
[[email protected] ~]#
[[email protected] ~]# man group
GROUP()                     Linux Programmer's Manual                    GROUP(5)

NAME
       group - user group file

DESCRIPTION
       The /etc/group file is a text file that defines the groups on the system. There is one entry per line, with the following format:

           group_name:password:GID:user_list

       The fields are as follows:

       group_name  the name of the group.

       password    the (encrypted) group password. If this field is empty, no password is needed.

       GID         the numeric group ID.

       user_list   a list of the usernames that are members of this group, separated by commas.

FILES
       /etc/group

BUGS
       As the .2BSD initgroups() man page says: No-one seems to keep /etc/group up-to-date.

SEE ALSO
       login(), newgrp(), getgrent(), getgrnam(), passwd()

COLOPHON
       This page is part of release 3.53 of the Linux man-pages project. A description of the project, and information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                                                                    GROUP()
8>. Group password operations (corresponding to "/etc/gshadow")
[[email protected] ~]# whereis gshadow
gshadow: /etc/gshadow /usr/include/gshadow.h /usr/share/man/man5/gshadow..gz
[[email protected] ~]#
[[email protected] ~]# man gshadow
GSHADOW()                   File Formats and Conversions                  GSHADOW()

NAME
       gshadow - shadowed group file

DESCRIPTION
       /etc/gshadow contains the shadowed information for group accounts.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains the following colon-separated fields:

       group name
           It must be a valid group name, which exist on the system.

       encrypted password
           Refer to crypt() for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(), for instance ! or *, users will not be able to use a unix password to access the group (but group members do not need the password).

           The password is used when an user who is not a member of the group wants to gain the permissions of this group (see newgrp()).

           This field may be empty, in which case only the group members can gain the group permissions.

           A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

           This password supersedes any password specified in /etc/group.

       administrators
           It must be a comma-separated list of user names.

           Administrators can change the password or the members of the group.

           Administrators also have the same permissions as the members (see below).

       members
           It must be a comma-separated list of user names.

           Members can access the group without being prompted for a password.

           You should use the same list of users as in /etc/group.

FILES
       /etc/group
           Group account information.

       /etc/gshadow
           Secure group account information.

SEE ALSO
       gpasswd(), group(), grpck(), grpconv(), newgrp().

shadow-utils 4.1.5.1                        //                              GSHADOW()
[[email protected] ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:!!::yinzhengjie
[[email protected] ~]#
[[email protected] ~]# gpasswd yinzhengjie    # a group can be given a password (not recommended)
Changing the password for group yinzhengjie
New Password:
Re-enter new password:
[[email protected] ~]#
[[email protected] ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:$$D/VCeiXW$ZQjYDmM29epe6gYQh670NhKCc2CzrgO190qnQ2JDuV04qltsIAD5ZdiC.A.hKFNZn5DDvnNxuzmLMVoX8T.pp0:yinzhengjie
[[email protected] ~]#
9>. Password policy
Password encryption
Encryption mechanisms:
Encryption: plaintext --> ciphertext
Decryption: ciphertext --> plaintext
One-way encryption: hash algorithms; different inputs yield different digests
Fixed-length output for a given algorithm, and the original data cannot be recovered from the digest
Avalanche effect: a tiny change in the input causes a large change in the result
md5: message digest, 128 bits
sha1: secure hash algorithm, 160 bits
sha224: 224 bits
sha256: 256 bits
sha384: 384 bits
sha512: 512 bits
Changing the hashing algorithm:
authconfig --passalgo=sha256 --update
Password complexity policy:
long enough
use at least 3 of the 4 classes: digits, upper-case letters, lower-case letters, special characters
use random passwords
change passwords periodically and do not reuse recently used ones
The password aging diagram is shown below.
10>. Editing the user, group and password files directly
In general it is not recommended to edit these files directly, because it is easy to introduce format errors. If you really want to change the user and password configuration files by editing them, use the following tools, which include syntax checking.
vipw:
equivalent to "vi /etc/passwd", except that the command checks the syntax.
"vipw -s" is equivalent to "vi /etc/shadow", also with syntax checking.
vigr:
equivalent to "vi /etc/group", also with syntax checking.
"vigr -s" is equivalent to "vi /etc/gshadow", also with syntax checking.
pwck:
checks the "/etc/passwd" configuration file, for example verifying that each user has a home directory; it prints the corresponding messages after running.
grpck:
checks the "/etc/group" configuration file; see "grpck --help" for details.
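As an added example (not code from the original post), the following Python script applies the shadow(5) aging rules and the password-field conventions covered in the shadow-format, password-operation and password-policy sections above to passwd/shadow records, in the spirit of pwck: it flags extra UID-0 accounts, unshadowed or empty password fields, md5-crypt hashes, and login users whose chage -M/-I/-E settings have run out. The sample records, the placeholder hash strings and the UID_MIN=1000 boundary are assumptions constructed for this example, and "today" is passed as a day count since 1970 so it runs offline.

```python
# Added example (not from the original post). Assumptions: the records below are
# constructed, the hash strings are placeholders rather than real crypt(3) output,
# UID_MIN=1000 is the CentOS 7.x system/login boundary, and "today" is a day count
# since 1970-01-01 so the aging checks are reproducible offline.
UID_MIN = 1000
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512"}   # "$id$" prefixes of crypt(3) hashes

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
yinzhengjie:x:1000:1000:jason,bigdata,,:/home/yinzhengjie:/bin/bash
tom:x:1001:100::/home/tom:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
legacy:x:1003:1003::/home/legacy:/bin/bash
admin2:x:0:0:second uid 0 account:/root:/bin/bash
"""

# name:password:lastchg:min:max:warn:inactive:expire:reserved (the shadow(5) layout)
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
mysql:!!:17700::::::
yinzhengjie:$6$saltsalt$PLACEHOLDERHASH:17700:0:42:7:5:365:
tom:!$6$saltsalt$PLACEHOLDERHASH:17700:0:42:7:5::
guest::17700:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
admin2:$6$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
"""

def parse_colon_file(text):
    """Map each record's name (first field) to its list of colon-separated fields."""
    records = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            records[fields[0]] = fields
    return records

def classify_password(field):
    """Label a shadow password field: empty, disabled, locked:<algo> or hash:<algo>."""
    if field == "":
        return "empty"                          # login possible without any password
    if field.lstrip("!") in ("", "*"):
        return "disabled"                       # "*", "!" or "!!": there is no hash to unlock
    locked = field.startswith("!")              # usermod -L / passwd -l prefix "!" to the hash
    parts = field.lstrip("!").split("$")        # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    algo = HASH_IDS.get(parts[1], "other") if len(parts) >= 4 else "other"
    return ("locked:" if locked else "hash:") + algo

def _days(field):
    """Numeric aging field, or None when it is empty (that control is disabled)."""
    return int(field) if field != "" else None

def aging_state(shadow_fields, today):
    """Apply the shadow(5) aging rules to one record on day `today` (days since 1970).
    Returns one of: account-expired, must-change, inactive, expired, warn, ok."""
    lastchg, _min_age, max_age, warn, inactive, expire = (_days(f) for f in shadow_fields[2:8])
    if expire is not None and today >= expire:
        return "account-expired"                # chage -E is counted from 1970, not from today
    if lastchg == 0:
        return "must-change"                    # what passwd -e sets
    if lastchg is None or max_age is None:
        return "ok"                             # aging disabled for this account
    expiry_day = lastchg + max_age              # chage -M
    if inactive is not None and today >= expiry_day + inactive:
        return "inactive"                       # chage -I grace period over: login refused
    if today >= expiry_day:
        return "expired"                        # must change the password at next login
    if warn is not None and today >= expiry_day - warn:
        return "warn"
    return "ok"

def audit(passwd_text, shadow_text, today):
    """Return sorted (user, finding) pairs that a pwck-style review should surface."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, pf in passwd.items():
        uid, shell = int(pf[2]), pf[6]
        if uid == 0 and name != "root":
            findings.append((name, "extra uid 0 account"))     # the UID, not the name, makes root
        elif 0 < uid < UID_MIN and shell not in ("/sbin/nologin", "/bin/false"):
            findings.append((name, "system account with login shell"))
        if pf[1] != "x":
            findings.append((name, "password not shadowed"))    # what pwunconv leaves behind
        sf = shadow.get(name)
        if sf is None:
            findings.append((name, "no shadow record"))
            continue
        label = classify_password(sf[1])
        if label == "empty":
            findings.append((name, "empty password field"))
        elif label.endswith(":md5"):
            findings.append((name, "weak hash algorithm"))      # see authconfig --passalgo above
        if uid >= UID_MIN:                      # aging only matters for login users
            state = aging_state(sf, today)
            if state != "ok":
                findings.append((name, "aging: " + state))
    return sorted(findings)
```

Calling `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, 17800)` on the sample data reports admin2 (second UID 0), guest (empty password field), legacy (md5 hash), tom (inactive: 42-day maximum plus 5-day grace exceeded) and yinzhengjie (account expired, because `chage -E 365` means day 365 of 1970, not 365 days from now).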
II. User and group management commands
User management commands:
useradd
usermod
userdel
Group account maintenance commands:
groupadd
groupmod
groupdel
1>. Creating users: useradd
[[email protected] ~]# useradd -h
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         the user's comment (GECOS) field
  -d, --home-dir HOME_DIR       use the given (non-existent) path as the home directory
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               the user's primary group, given as a group name or a GID
  -G, --groups GROUPS           supplementary groups for the user; the groups must already exist
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory (for system users)
  -M, --no-create-home          do not create the home directory (for non-system users)
  -N, --no-user-group           do not create a private group as the primary group; use the users group instead
  -o, --non-unique              together with "-u", skip the UID uniqueness check
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system user (UID below 500 on CentOS 6.x, below 1000 on CentOS 7.x)
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             the user's default login shell; the allowed list is in "/etc/shells"
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
[[email protected] ~]#
[[email protected] ~]# useradd -D    # show the default settings
GROUP=
HOME=/home
INACTIVE=-
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[[email protected] ~]#
[[email protected] ~]# cat /etc/default/useradd    # the defaults above all come from this file
# useradd defaults file
GROUP=100              # default group number 100, i.e. the users group
HOME=/home             # location of home directories
INACTIVE=-1            # grace period after the password expires; the default is unlimited grace, i.e. "-1"
EXPIRE=                # the account's expiry date, i.e. how long the account may be used
SHELL=/bin/bash        # default login shell
SKEL=/etc/skel         # template for the contents of new home directories
CREATE_MAIL_SPOOL=yes
[[email protected] ~]#
[[email protected] ~]# cat /etc/login.defs #default settings for user accounts
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
[[email protected] ~]#
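The password aging and ENCRYPT_METHOD settings above only apply to accounts created after they are set; accounts that already exist keep whatever is in their /etc/shadow record. As an added example (not from the original post), the POSIX shell script below reads PASS_MAX_DAYS from a login.defs-format file and checks shadow-format records against it, flagging empty password fields, hashes that are not SHA512 (`$6$`), and maximum ages above the policy. Both input files are constructed samples with placeholder hashes; run it against real files as root.

```shell
#!/bin/sh
# Added example: audit shadow-format records against a login.defs policy.
# The policy file and shadow file are constructed samples; hashes are placeholders.

make_sample_logindefs() {
  printf '# constructed policy file\nPASS_MAX_DAYS 90\nPASS_MIN_LEN 8\nENCRYPT_METHOD SHA512\n' > "$1"
}

make_sample_shadow() {
  cat > "$1" <<'EOF'
root:$6$saltroot$PLACEHOLDERHASH:18000:0:99999:7:::
hadoop101:$6$salt101$PLACEHOLDERHASH:18000:0:90:7:::
legacy:$1$saltold$PLACEHOLDERHASH:17000:0:90:7:::
svc:!!:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF
}

# policy_max_days DEFS: print PASS_MAX_DAYS from a login.defs file (99999 if unset)
policy_max_days() {
  v=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1")
  printf '%s\n' "${v:-99999}"
}

# audit_shadow SHADOW DEFS: print one finding per line (sorted); return 1 if any
audit_shadow() {
  max=$(policy_max_days "$2")
  findings=$(awk -F: -v max="$max" '
    NF < 8 { next }                       # not a shadow record
    $2 == "" { printf "%s: empty password field (logs in without a password)\n", $1; next }
    $2 ~ /^[!*]/ { next }                 # locked or no-password account, skip aging checks
    $2 !~ /^\$6\$/ { printf "%s: hash is not SHA512 (prefix %s)\n", $1, substr($2, 1, 3) }
    $5 == "" || $5 + 0 > max + 0 {
      printf "%s: max password age %s exceeds policy %s\n", $1, ($5 == "" ? "unset" : $5), max
    }' "$1" | LC_ALL=C sort)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Stand-alone demo: build the samples and audit them.
defs=$(mktemp); shadow=$(mktemp)
make_sample_logindefs "$defs"; make_sample_shadow "$shadow"
audit_shadow "$shadow" "$defs" || echo "audit: policy violations listed above"
rm -f "$defs" "$shadow"
```

Locked accounts (`!` or `*` in the password field) are skipped on purpose: they cannot authenticate by password, so their aging fields are irrelevant; the empty-field check comes first because an empty field is the one case that lets anyone log in.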
[[email protected] ~]# getent group users
users:x:100:
[[email protected] ~]#
[[email protected] ~]# useradd -N tom #do not create a private group as the primary group; use the users group instead
[[email protected] ~]#
[[email protected] ~]# id tom
uid=(tom) gid=(users) groups=(users)
[[email protected] ~]#
[[email protected] ~]# ls -a /etc/skel/
. .. .bash_logout .bash_profile .bashrc .mozilla
[[email protected] ~]#
[[email protected] ~]# ls -a /home/tom/ #the contents of the new home directory match the "SKEL" directory configured in "/etc/default/useradd"
. .. .bash_logout .bash_profile .bashrc .mozilla
[[email protected] ~]#
[[email protected] ~]# useradd -r mysql -s /sbin/nologin #with "-r" no home directory is created, because this is a system account; "-s" sets the login shell
[[email protected] ~]#
[[email protected] ~]# id mysql #as expected on CentOS 7.X the UID is below 1000; the ranges are recorded in "/etc/login.defs"
uid=(mysql) gid=(mysql) groups=(mysql)
[[email protected] ~]#
[[email protected] ~]# getent passwd mysql
mysql:x::::/home/mysql:/sbin/nologin
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# useradd -u 10086 jason #create user jason with UID 10086
[[email protected] ~]#
[[email protected] ~]# id jason
uid=(jason) gid=(jason) groups=(jason)
[[email protected] ~]#
[[email protected] ~]# getent passwd jason
jason:x::::/home/jason:/bin/bash
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie #by default every user has a unique UID; to create two different user names that share one UID, and therefore the same permissions, you need the matching useradd option
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# useradd -u 1000 -o jenny #with "-o" we create a second user name on an existing UID; this is how two user names can be given one UID's permissions
[[email protected] ~]#
[[email protected] ~]# getent passwd jenny #Linux identifies users by UID, so two user names on one UID produce confusing output (see "id jenny" below); use this sparingly
jenny:x::::/home/jenny:/bin/bash
[[email protected] ~]#
[[email protected] ~]# id jenny
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# ll /home/ #the two users' home directories are still separate
total
drwx------. jason jason Sep : jason
drwx------. yinzhengjie jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
[[email protected] ~]#
[[email protected] ~]# getent group yinzhengjie
yinzhengjie:x::yinzhengjie
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# useradd -g yinzhengjie danny #create user danny with primary group "yinzhengjie" instead of the default same-named private group
[[email protected] ~]#
[[email protected] ~]# id danny
uid=(danny) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# useradd -g root -G yinzhengjie,jason,jenny yzj #create user yzj with primary group root and supplementary groups yinzhengjie, jason and jenny, a bit like an ops engineer who wears several hats in a company
[[email protected] ~]#
[[email protected] ~]# id yzj
uid=(yzj) gid=(root) groups=(root),(yinzhengjie),(jason),(jenny)
[[email protected] ~]#
[[email protected] ~]# groupmems -l -g yinzhengjie #list the members of group yinzhengjie
yinzhengjie yzj
[[email protected] ~]#
[[email protected] ~]# groupmems -l -g jason
yzj
[[email protected] ~]#
[[email protected] ~]# groupmems -l -g jenny
yzj
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# groups yzj #list the groups user yzj belongs to; the first is the primary group, the rest are supplementary groups
yzj : root yinzhengjie jason jenny
[[email protected] ~]#
[[email protected] ~]# ll /home/ #note that although a user can be added to many groups, the home directory still belongs to the primary group, as shown below
total
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
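The `groups` and `id` output above comes from two lookups: the primary group is the GID in the user's passwd record, and the supplementary groups are every group record that names the user in its member list. As an added example (not from the original post), this POSIX shell function reproduces that resolution from passwd-format and group-format files, which is useful for reviewing a copied `/etc/passwd` and `/etc/group` offline, say from a backup or an image. The two files are constructed to match the yzj, danny and yinzhengjie accounts on this page; the UIDs are assumed values.

```shell
#!/bin/sh
# Added example: resolve a user's primary and supplementary groups from
# passwd/group-format files, printing what "groups USER" would print.
# Both files are constructed samples; the UIDs in them are assumed.

make_group_demo_files() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
yinzhengjie:x:1000:1000::/home/yinzhengjie:/bin/bash
jason:x:10086:10086::/home/jason:/bin/bash
jenny:x:10087:10087::/home/jenny:/bin/bash
danny:x:1001:1000::/home/danny:/bin/bash
yzj:x:1002:0::/home/yzj:/bin/bash
EOF
  cat > "$2" <<'EOF'
root:x:0:
yinzhengjie:x:1000:yinzhengjie,yzj
jason:x:10086:yzj
jenny:x:10087:yzj
EOF
}

# user_groups USER PASSWD GROUP: print "USER : primary supplementary..." like groups(1);
# return 1 when USER has no passwd record.
user_groups() {
  awk -F: -v u="$1" -v pw="$2" '
    FILENAME == pw && $1 == u { found = 1; gid = $4 }   # pass 1: the primary GID
    FILENAME == pw { next }
    !found { next }
    $3 == gid { primary = $1; next }                     # name of the primary group
    {                                                    # pass 2: member lists
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
    }
    END {
      if (!found) exit 1
      printf "%s : %s%s\n", u, primary, supp
    }' "$2" "$3"
}

# Stand-alone demo: resolve the three accounts discussed on this page.
p=$(mktemp); g=$(mktemp)
make_group_demo_files "$p" "$g"
for name in yzj danny yinzhengjie; do user_groups "$name" "$p" "$g"; done
rm -f "$p" "$g"
```

Note that the primary group is reported once even when the group record also lists the user as a member, which is what `groups` does; a user who appears in a group's member list but whose passwd record is missing is not reported at all, and that mismatch is worth checking separately.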
[[email protected] ~]# mkdir /data
[[email protected] ~]#
[[email protected] ~]# useradd -d /data/bigdata hdfs #create the user with "/data/bigdata" as its home directory
[[email protected] ~]#
[[email protected] ~]# ll /data/
total
drwx------. hdfs hdfs Sep : bigdata
[[email protected] ~]#
[[email protected] ~]# ll /data/bigdata/ -a #the initial contents of the home directory match "/etc/skel"
total
drwx------. hdfs hdfs Sep : .
drwxr-xr-x. root root Sep : ..
-rw-r--r--. hdfs hdfs Oct .bash_logout
-rw-r--r--. hdfs hdfs Oct .bash_profile
-rw-r--r--. hdfs hdfs Oct .bashrc
drwxr-xr-x. hdfs hdfs Aug : .mozilla
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# ll /etc/skel/ -a
total
drwxr-xr-x. root root Apr .
drwxr-xr-x. root root Sep : ..
-rw-r--r--. root root Oct .bash_logout
-rw-r--r--. root root Oct .bash_profile
-rw-r--r--. root root Oct .bashrc
drwxr-xr-x. root root Aug : .mozilla
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# useradd -r -m apache #"-r" creates a system account, which gets no home directory by default; to force one, add "-m"
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# id apache
uid=(apache) gid=(apache) groups=(apache)
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# useradd -M dengziqi #create the user without a home directory
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# id dengziqi
uid=(dengziqi) gid=(dengziqi) groups=(dengziqi)
[[email protected] ~]#
[[email protected] ~]# getent passwd dengziqi
dengziqi:x::::/home/dengziqi:/bin/bash
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hadoop Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
[[email protected] ~]#
[[email protected] ~]# cat user.txt #this file follows the "/etc/passwd" format
hadoop101:x:::hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:::hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:::hdfs user103:/home/hadoop103:/bin/csh
[[email protected] ~]#
[[email protected] ~]# newusers user.txt #newusers creates accounts in batch from "/etc/passwd"-format input
[[email protected] ~]#
[[email protected] ~]# tail -3 /etc/passwd #the users were created
hadoop101:x:::hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:::hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:::hdfs user103:/home/hadoop103:/bin/csh
[[email protected] ~]#
[[email protected] ~]# ll /home/ #the home directories were created as well
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hadoop Sep : hadoop
drwx------. hadoop101 hadoop101 Sep : hadoop101
drwx------. hadoop102 hadoop102 Sep : hadoop102
drwx------. hadoop103 hadoop103 Sep : hadoop103
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
[[email protected] ~]#
[[email protected] ~]# tail -3 /etc/shadow
hadoop101:$6$0wBgf/Cr$vYRQzifVMrxaXwlsn/7FxsS/Ekjw4x.aNElIIMgyvsCT6.7KQmG2DGNKJtyx./.ARcLOGW09035OH9g/NZ4A8.:::::::
hadoop102:$6$g6O4GJL21PZH$TMZGml4bo1BVBWEpE145mvxjlYzYIDDpKXweFzUbeoGeIdckN3bDnRAtOzdWwOXaWsyxxW39hzAGhcRSumHZH/:::::::
hadoop103:$6$cCnLp/tV0jS/$5AST/AOjMOrd5EIWRoDek2uR1VPHyCMCM7iHLJXjmxrvq5z5AFpMSt1Letqt7FTv1PSkg51MEPm4sH66hux/r1:::::::
[[email protected] ~]#
[[email protected] ~]# cat passwd.txt #password file format
hadoop101:yinzhengjie
hadoop102:yinzhengjie
hadoop103:yinzhengjie
[[email protected] ~]#
[[email protected] ~]# cat passwd.txt | chpasswd #change passwords in batch
[[email protected] ~]#
[[email protected] ~]# tail -3 /etc/shadow
hadoop101:$6$dDpTknD8SzSKoq$mgvwwy03zUFurrxw6GKvhkUClLL7r/Hsb5Jg1XzVF1KimXDHDlAZiqoma0GDTBYdgtC7Mav86w.CwiLqklHIy0:::::::
hadoop102:$6$LDGCW/7daOR/Pm$5YqXe6HXW22RQRjDp/xHnuMTfzdEekP0vcf9oPs7o2M.OD24HE24CEu5lO2TlNrH1WXIhzaMMkkGTyfFnn7RV/:::::::
hadoop103:$6$CBgr./2XG$HC4Y2YHYiRar76y9QLHp.qY3I3lG.mn.z2qLSm.jUES3QCDqgGAgYQ7PrHNsX9VCYOn9jjLPBIBPwcBAcY4jW0:::::::
[[email protected] ~]#
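Because `newusers` takes a whole file and creates every line in one run, a typo in the UID, GID, home or shell field lands directly in `/etc/passwd`. As an added example (not from the original post), this POSIX shell function validates a newusers input file before it is used: field count, login-name syntax, numeric UID, no UID/GID 0, absolute home path, and a shell that appears in a shells list. The input file and the shells list are constructed samples; the first two lines copy the page's hadoop101/hadoop102 entries with assumed UIDs, the last two are deliberately broken.

```shell
#!/bin/sh
# Added example: validate a newusers(8) input file (passwd format) before running newusers.
# The users file and the shells list are constructed samples; the UIDs are assumed.

make_sample_shells() {
  printf '/bin/sh\n/bin/bash\n/sbin/nologin\n/bin/csh\n' > "$1"
}

make_sample_users() {
  cat > "$1" <<'EOF'
hadoop101:x:10101:10101:hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:10102:10102:hdfs user102:/home/hadoop102:/bin/bash
Hadoop 103:x:abc:0:hdfs user103:home/hadoop103:/bin/zsh
hadoop104:x:10104:10104:hdfs user104:/home/hadoop104
EOF
}

# validate_newusers FILE SHELLS: print "line N: problem" per issue; return 1 if any
validate_newusers() {
  findings=$(awk -F: -v shells="$2" '
    BEGIN { while ((getline s < shells) > 0) ok[s] = 1; close(shells) }
    NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; next }
    $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: invalid login name \"%s\"\n", NR, $1 }
    $3 != "" && $3 !~ /^[0-9]+$/ { printf "line %d: UID must be numeric or empty\n", NR }
    $3 == "0" || $4 == "0" { printf "line %d: UID/GID 0 is reserved for root\n", NR }
    $6 !~ /^\// { printf "line %d: home directory must be an absolute path\n", NR }
    !($7 in ok) { printf "line %d: shell %s is not listed in the shells file\n", NR, $7 }
  ' "$1")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Stand-alone demo: validate the sample; only run newusers when this returns 0.
users=$(mktemp); shells=$(mktemp)
make_sample_users "$users"; make_sample_shells "$shells"
validate_newusers "$users" "$shells" || echo "fix the lines above before running: newusers $users"
rm -f "$users" "$shells"
```

In practice pass `/etc/shells` as the second argument. The password field is not inspected here because, as on this page, it is usually left as `x` and set afterwards with `chpasswd`; if real passwords are placed in the file, it must be readable by root only and deleted after use.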
2>. Modifying user attributes: usermod
[[email protected] ~]# usermod -h
Usage: usermod [options] LOGIN

Options:
-c, --comment COMMENT new comment (GECOS) value
-d, --home HOME_DIR new home directory; it is not created automatically. To create it and move the old home's contents, also pass "-m"
-e, --expiredate EXPIRE_DATE account expiry date
-f, --inactive INACTIVE inactivity period (days after password expiry before the account is disabled)
-g, --gid GROUP new primary group
-G, --groups GROUPS new supplementary groups; the existing ones are replaced unless "-a" is also given
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
him/her from other groups
-h, --help display this help message and exit
-l, --login NEW_LOGIN new login name
-L, --lock lock the user: a "!" is prepended to the password field in "/etc/shadow"
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL new login shell
-u, --uid UID new UID
-U, --unlock unlock the user: the "!" in the "/etc/shadow" password field is removed
-Z, --selinux-user SEUSER new SELinux user mapping for the user account
[[email protected] ~]#
[[email protected] ~]# getent passwd jenny
jenny:x::::/home/jenny:/bin/bash
[[email protected] ~]#
[[email protected] ~]# id jenny
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# usermod -u 10087 jenny #change jenny's UID; the user must not be logged in while this is done, or the change may fail
[[email protected] ~]#
[[email protected] ~]# id jenny
uid=(jenny) gid=(jenny) groups=(jenny)
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# getent passwd jenny
jenny:x::::/home/jenny:/bin/bash
[[email protected] ~]#
[[email protected] ~]# getent passwd hdfs #note the hdfs user's home directory and UID
hdfs:x::::/data/bigdata:/bin/bash
[[email protected] ~]#
[[email protected] ~]# id hdfs
uid=(hdfs) gid=(hdfs) groups=(hdfs)
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# usermod -l hadoop hdfs -d /home/hadoop #rename user hdfs to hadoop and set its home directory to "/home/hadoop"; the directory is not created automatically, we have to handle that ourselves
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# mv /data/bigdata/ /home/hadoop #so we move the old "hdfs" home directory to the path now set for "hadoop"
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hdfs Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# id hadoop
uid=(hadoop) gid=(hdfs) groups=(hdfs)
[[email protected] ~]#
[[email protected] ~]# getent passwd hadoop #check that hadoop's home directory and UID are those of the former hdfs user
hadoop:x::::/home/hadoop:/bin/bash
[[email protected] ~]#
[[email protected] ~]# tail -5 /etc/passwd
danny:x::::/home/danny:/bin/bash
yzj:x::::/home/yzj:/bin/bash
apache:x::::/home/apache:/bin/bash
dengziqi:x::::/home/dengziqi:/bin/bash
hadoop:x::::/home/hadoop:/bin/bash
[[email protected] ~]#
[[email protected] ~]# id yzj
uid=(yzj) gid=(root) groups=(root),(yinzhengjie),(jason),(jenny)
[[email protected] ~]#
[[email protected] ~]# groups yzj
yzj : root yinzhengjie jason jenny
[[email protected] ~]#
[[email protected] ~]# usermod -aG dengziqi,hadoop yzj #append the supplementary groups "dengziqi" and "hadoop" to user "yzj"
[[email protected] ~]#
[[email protected] ~]# id yzj
uid=(yzj) gid=(root) groups=(root),(yinzhengjie),(jason),(jenny),(dengziqi),(hadoop)
[[email protected] ~]#
[[email protected] ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[[email protected] ~]#
[[email protected] ~]# id yzj
uid=(yzj) gid=(root) groups=(root),(yinzhengjie),(jason),(jenny),(dengziqi),(hadoop)
[[email protected] ~]#
[[email protected] ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[[email protected] ~]#
[[email protected] ~]# usermod -G "" yzj #clear all supplementary groups; note that "-a" is not used here
[[email protected] ~]#
[[email protected] ~]# id yzj
uid=(yzj) gid=(root) groups=(root)
[[email protected] ~]#
[[email protected] ~]# groups yzj
yzj : root
[[email protected] ~]#
3>. Deleting a user: userdel
[[email protected] ~]# userdel -h #show the help for "userdel"
Usage: userdel [options] LOGIN

Options:
-f, --force force some actions that would fail otherwise
e.g. removal of user still logged in
or files, even if not owned by the user
-h, --help display this help message and exit
-r, --remove remove home directory and mail spool
-R, --root CHROOT_DIR directory to chroot into
-Z, --selinux-user remove any SELinux user mapping for the user
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hadoop Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# getent passwd yzj
yzj:x::::/home/yzj:/bin/bash
[[email protected] ~]#
[[email protected] ~]# userdel -r yzj #delete the user and its home directory (be careful in production: the employee may have left, but their data may still be needed by colleagues)
[[email protected] ~]#
[[email protected] ~]# ll /home/
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hadoop Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
[[email protected] ~]#
[[email protected] ~]#
4>. Viewing a user's ID information
[[email protected] ~]# id postfix #show the ID information of user "postfix"; a non-existent user gives a "no such user" error
uid=(postfix) gid=(postfix) groups=(postfix),(mail)
[[email protected] ~]#
[[email protected] ~]# id -u postfix #show postfix's UID
[[email protected] ~]#
[[email protected] ~]# id -g postfix #show postfix's GID
[[email protected] ~]#
[[email protected] ~]# id -G postfix #show the IDs of all groups postfix belongs to (including supplementary groups)
[[email protected] ~]#
[[email protected] ~]# id -nG postfix #show group names instead of IDs; "-n" must be combined with one of "u", "g" or "G"
postfix mail
[[email protected] ~]#
5>. Switching users or running a command as another user (su requires the target user's password, unless you are already root)
[[email protected] ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[[email protected] ~]#
[[email protected] ~]# cd /data/
[[email protected] /data]#
[[email protected] /data]# pwd
/data
[[email protected] /data]#
[[email protected] /data]# su yinzhengjie #partial switch: the new shell keeps the previous user's environment variables and working directory
[[email protected] /data]$
[[email protected] /data]$ pwd #the working directory did not change; we are not in yinzhengjie's home directory
/data
[[email protected] /data]$
[[email protected] /data]$ echo $PATH #the PATH is still root's, not yinzhengjie's
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[[email protected] /data]$
[[email protected] /data]$ exit #leave the current shell
exit
[[email protected] /data]#
[[email protected] ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[[email protected] ~]#
[[email protected] ~]# cd /data/
[[email protected] /data]#
[[email protected] /data]# su -l yinzhengjie #full switch: we land in the user's home directory and the environment variables change too, equivalent to logging in over ssh
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ echo $PATH #the environment variables changed
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
[[email protected] ~]$
[[email protected] ~]$ pwd #the working directory is now yinzhengjie's home directory
/home/yinzhengjie
[[email protected] ~]$
[[email protected] ~]$ exit #log out of the current user
logout
[[email protected] /data]#
[[email protected] /data]#
[[email protected] ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[[email protected] ~]#
[[email protected] ~]# cd /data/
[[email protected] /data]#
[[email protected] /data]# su - yinzhengjie #full switch, equivalent to "su -l yinzhengjie"
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
[[email protected] ~]$
[[email protected] ~]$ pwd
/home/yinzhengjie
[[email protected] ~]$
[[email protected] ~]$ exit
logout
[[email protected] /data]#
[[email protected] /data]#
[[email protected] ~]$ su -l -c 'getent passwd hadoop' #with no user name after -l the target is root; "-c" runs a single command as root and returns to the current user afterwards instead of leaving you in a root shell
Password:
hadoop:x::::/home/hadoop:/bin/bash
[[email protected] ~]$
6>. Creating a group: groupadd
[[email protected] ~]# groupadd -h
Usage: groupadd [options] GROUP

Options:
-f, --force exit successfully if the group already exists,
and cancel -g if the GID is already used
-g, --gid GID specify the GID
-h, --help display this help message and exit
-K, --key KEY=VALUE override /etc/login.defs defaults
-o, --non-unique allow to create groups with duplicate
(non-unique) GID
-p, --password PASSWORD use this encrypted password for the new group
-r, --system create a system group (GID below 500 on CentOS 6.X, below 1000 on CentOS 7.X)
-R, --root CHROOT_DIR directory to chroot into
[[email protected] ~]#
[[email protected] ~]# groupadd yarn #create group yarn
[[email protected] ~]#
[[email protected] ~]# getent group yarn
yarn:x::
[[email protected] ~]#
7>. Modifying group attributes: groupmod
[[email protected] ~]# groupmod -h
Usage: groupmod [options] GROUP

Options:
-g, --gid GID new GID
-h, --help display this help message and exit
-n, --new-name NEW_GROUP new group name
-o, --non-unique allow to use a duplicate (non-unique) GID
-p, --password PASSWORD change the password to this (encrypted)
PASSWORD
-R, --root CHROOT_DIR directory to chroot into
[[email protected] ~]#
[[email protected] ~]# ll /home/ #note that the hadoop user's group is shown as "hdfs"
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hdfs Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
[[email protected] ~]# id hadoop
uid=(hadoop) gid=(hdfs) groups=(hdfs)
[[email protected] ~]#
[[email protected] ~]# groupmod -n hadoop hdfs #rename group "hdfs" to "hadoop"
[[email protected] ~]#
[[email protected] ~]# id hadoop
uid=(hadoop) gid=(hadoop) groups=(hadoop)
[[email protected] ~]#
[[email protected] ~]# ll /home/ #the hadoop user's group name now shows as "hadoop" as well
total
drwx------. apache apache Sep : apache
drwx------. danny yinzhengjie Sep : danny
drwx------. hadoop hadoop Sep : hadoop
drwx------. jason jason Sep : jason
drwx------. jenny jenny Sep : jenny
drwx------. tom users Sep : tom
drwx------. yinzhengjie yinzhengjie Aug : yinzhengjie
drwx------. yzj root Sep : yzj
[[email protected] ~]#
8>. Deleting a group: groupdel
[[email protected] ~]# groupdel -h
Usage: groupdel [options] GROUP

Options:
-h, --help display this help message and exit
-R, --root CHROOT_DIR directory to chroot into
[[email protected] ~]#
[[email protected] ~]# getent group yarn
yarn:x::
[[email protected] ~]#
[[email protected] ~]# usermod -aG yarn yinzhengjie #add the supplementary group "yarn" to user "yinzhengjie"
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie),(yarn)
[[email protected] ~]#
[[email protected] ~]# groupdel yarn #delete group yarn
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]#
9>. Changing a group password: gpasswd
[[email protected] ~]# gpasswd -h
Usage: gpasswd [option] GROUP

Options:
-a, --add USER add USER to GROUP
-d, --delete USER remove USER from GROUP
-h, --help display this help message and exit
-Q, --root CHROOT_DIR directory to chroot into
-r, --delete-password remove the GROUP's password
-R, --restrict restrict access to GROUP to its members
-M, --members USER,... set the list of members of GROUP
-A, --administrators ADMIN,... set the list of administrative users

Except for the -A and -M options, the options cannot be combined.
[[email protected] ~]#
[[email protected] ~]# tail -5 /etc/group
dengziqi:x::
hadoop:x::
hadoop101:x::
hadoop102:x::
hadoop103:x::
[[email protected] ~]#
[[email protected] ~]# groups hadoop
hadoop : hadoop
[[email protected] ~]#
[[email protected] ~]# gpasswd -a hadoop dengziqi #add user hadoop to group "dengziqi"
Adding user hadoop to group dengziqi
[[email protected] ~]#
[[email protected] ~]# groups hadoop
hadoop : hadoop dengziqi
[[email protected] ~]#
[[email protected] ~]# groups hadoop
hadoop : hadoop dengziqi
[[email protected] ~]#
[[email protected] ~]# gpasswd -d hadoop dengziqi #remove user "hadoop" from group "dengziqi"
Removing user hadoop from group dengziqi
[[email protected] ~]#
[[email protected] ~]# groups hadoop
hadoop : hadoop
[[email protected] ~]#
[[email protected] ~]# getent gshadow root
root:::
[[email protected] ~]#
[[email protected] ~]# gpasswd root #set a password on group root
Changing the password for group root
New Password:
Re-enter new password:
[[email protected] ~]#
[[email protected] ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[[email protected] ~]#
[[email protected] ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[[email protected] ~]#
[[email protected] ~]# gpasswd -r root #remove the password from group root
[[email protected] ~]#
[[email protected] ~]# getent gshadow root
root:::
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# id hadoop #show hadoop's group information
uid=(hadoop) gid=(hadoop) groups=(hadoop),(dengziqi)
[[email protected] ~]#
[[email protected] ~]# su - hadoop
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ touch a.txt
[[email protected] ~]$
[[email protected] ~]$ ll
total
-rw-rw-r--. hadoop hadoop Sep : a.txt
[[email protected] ~]$
[[email protected] ~]$ groups #show group information
hadoop dengziqi
[[email protected] ~]$
[[email protected] ~]$ newgrp dengziqi #temporarily make the supplementary group "dengziqi" the primary group
[[email protected] ~]$
[[email protected] ~]$ groups
dengziqi hadoop
[[email protected] ~]$
[[email protected] ~]$ touch b.txt #create a file; its group is now "dengziqi"
[[email protected] ~]$
[[email protected] ~]$ ll
total
-rw-rw-r--. hadoop hadoop Sep : a.txt
-rw-r--r--. hadoop dengziqi Sep : b.txt
[[email protected] ~]$
[[email protected] ~]$ exit
exit
[[email protected] ~]$ exit
logout
[[email protected] ~]#
[[email protected] ~]# su - hadoop
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ touch c.txt #after logging out and back in, the temporary primary-group change is gone
[[email protected] ~]$
[[email protected] ~]$ ll
total
-rw-rw-r--. hadoop hadoop Sep : a.txt
-rw-r--r--. hadoop dengziqi Sep : b.txt
-rw-rw-r--. hadoop hadoop Sep : c.txt
[[email protected] ~]$
10>. Changing and viewing group members
[[email protected] ~]# groupmems -h
Usage: groupmems [options] [action]

Options:
-g, --group groupname the group to operate on (root only)
-R, --root CHROOT_DIR directory to chroot into

Actions:
-a, --add username add username to the group
-d, --delete username delete username from the group
-h, --help display this help message and exit
-p, --purge purge all members from the group
-l, --list list the group's members
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l
yinzhengjie
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -a root #add root to group "yinzhengjie"
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l
yinzhengjie root
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l #list the group's members
yinzhengjie root
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -d root #remove root from group "yinzhengjie"
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l
yinzhengjie
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l
yinzhengjie root
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -p #purge the members; this only removes supplementary memberships, it cannot take away anyone's primary group
[[email protected] ~]#
[[email protected] ~]# groupmems -g yinzhengjie -l
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
11>. Practice exercises
Case 1: create user gentoo with supplementary groups bin and root, default shell /bin/csh and the comment "Gentoo Distribution"
Case 2: create the following users, group and memberships
a group named webs
user nginx, with webs as a supplementary group
user varnish, with webs as a supplementary group
user mysql, which cannot log in interactively and is not a member of webs; the password of nginx, varnish and mysql is "yinzhengjie"
[[email protected] ~]# useradd -s /bin/csh -c "Gentoo Distribution" -G bin,root gentoo
[[email protected] ~]#
[[email protected] ~]# groups gentoo
gentoo : gentoo root bin
[[email protected] ~]#
[[email protected] ~]# id gentoo
uid=(gentoo) gid=(gentoo) groups=(gentoo),(root),(bin)
[[email protected] ~]#
[[email protected] ~]#
Reference solution for case 1
[[email protected] ~]# groupadd webs
[[email protected] ~]#
[[email protected] ~]# useradd -G webs nginx
[[email protected] ~]#
[[email protected] ~]# useradd -G webs varnish
[[email protected] ~]#
[[email protected] ~]# useradd -s /sbin/nologin mysql
[[email protected] ~]#
[[email protected] ~]# echo "yinzhengjie" | passwd --stdin nginx
Changing password for user nginx.
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# echo "yinzhengjie" | passwd --stdin varnish
Changing password for user varnish.
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]# echo "yinzhengjie" | passwd --stdin mysql
Changing password for user mysql.
passwd: all authentication tokens updated successfully.
[[email protected] ~]#
[[email protected] ~]#
Reference solution for case 2
III. File permissions
1>. File attributes
2>. Changing a file's owner and group
File attribute operations
chown sets the file owner
chgrp sets the file group
[[email protected] ~]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
or: chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

-c, --changes like verbose but report only when a change is made
-f, --silent, --quiet suppress most error messages
-v, --verbose output a diagnostic for every file processed
--dereference affect the referent of each symbolic link (this is
the default), rather than the symbolic link itself
-h, --no-dereference affect symbolic links instead of any referenced file
(useful only on systems that can change the
ownership of a symlink)
--from=CURRENT_OWNER:CURRENT_GROUP
change the owner and/or group of each file only if
its current owner and/or group match those specified
here. Either may be omitted, in which case a match
is not required for the omitted attribute
--no-preserve-root do not treat '/' specially (the default)
--preserve-root fail to operate recursively on '/'
--reference=RFILE use RFILE's owner and group rather than
specifying OWNER:GROUP values
-R, --recursive operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified. If more than one is specified, only the final
one takes effect.

-H if a command line argument is a symbolic link
to a directory, traverse it
-L traverse every symbolic link to a directory
encountered
-P do not traverse any symbolic links (default)

--help display this help and exit
--version output version information and exit

Owner is unchanged if missing. Group is unchanged if missing, but changed
to login group if implied by a ':' following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
chown root /u Change the owner of /u to "root".
chown root:staff /u Likewise, but also change its group to "staff".
chown -hR root /u Change the owner of /u and subfiles to "root".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chown invocation'
[[email protected] ~]#
[[email protected] ~]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Examples:
  chgrp staff /u      Change the group of /u to "staff".
  chgrp -hR staff /u  Change the group of /u and subfiles to "staff".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chgrp invocation'
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root root Sep : file.txt
[[email protected] ~]#
[[email protected] ~]# chown yinzhengjie file.txt    # change the file's owner to user "yinzhengjie"
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. yinzhengjie root Sep : file.txt
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. yinzhengjie root Sep : file.txt
[[email protected] ~]#
[[email protected] ~]# chgrp bin file.txt    # change the file's group
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. yinzhengjie bin Sep : file.txt
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. yinzhengjie bin Sep : file.txt
[[email protected] ~]#
[[email protected] ~]# chown root:yinzhengjie file.txt    # chown can change owner and group in one go; separate them with ":"
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root yinzhengjie Sep : file.txt
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# ll -R
.:
total
-rw-r--r--. root yinzhengjie Sep : file.txt
drwxr-xr-x. root root Sep : home ./home:
total
-rw-r--r--. root root Sep : a.txt
-rw-r--r--. root root Sep : b.txt
[[email protected] ~]#
[[email protected] ~]# chown -R yinzhengjie.yinzhengjie home    # recursively change the owner and group of a directory and everything under it. The "." separator is only kept for backward compatibility and is ambiguous when a user name itself contains a dot; prefer "yinzhengjie:yinzhengjie"
[[email protected] ~]#
[[email protected] ~]# ll -R
.:
total
-rw-r--r--. root yinzhengjie Sep : file.txt
drwxr-xr-x. yinzhengjie yinzhengjie Sep : home ./home:
total
-rw-r--r--. yinzhengjie yinzhengjie Sep : a.txt
-rw-r--r--. yinzhengjie yinzhengjie Sep : b.txt
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root yinzhengjie Sep : file.txt
[[email protected] ~]#
[[email protected] ~]# touch file2.txt
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root root Sep : file2.txt
-rw-r--r--. root yinzhengjie Sep : file.txt
[[email protected] ~]#
[[email protected] ~]# chown --reference file.txt file2.txt    # copy file.txt's owner and group onto file2.txt. Only ownership is copied; the mode bits are left alone, as the listing below shows
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root yinzhengjie Sep : file2.txt
-rw-r--r--. root yinzhengjie Sep : file.txt
[[email protected] ~]#
[[email protected] ~]#
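The following is an added example and not code from the original article: a small script that audits a tree for entries whose ownership is not what a deployment expects, then hands the tree over to a new owner using the guard rails chown offers in the help text above (--from, -h and -P). The function names, the sample tree and the symlink to /etc/passwd are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the sample tree
# and the symlink target are assumptions made for this demonstration.

# audit_ownership DIR UID GID
# Print every entry under DIR whose owner or group differs from UID/GID
# (names work too). find does not follow symbolic links by default (-P), and
# ls -ld describes a link itself rather than its target, so a symlink planted
# inside DIR can neither pull a file from outside DIR into the report nor hide one.
audit_ownership() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -exec ls -ld {} +
}

# audit_count DIR UID GID -> number of entries the audit reports
audit_count() {
    audit_ownership "$1" "$2" "$3" | wc -l | tr -d ' '
}

# reown_tree DIR OLD_OWNER NEW_OWNER:NEW_GROUP
# Hand a whole tree over to a new owner, recursively, with three safeguards:
#   --from  only entries still owned by OLD_OWNER are touched, so a file that
#           somebody else legitimately owns inside the tree is left alone
#   -h      act on symbolic links themselves instead of whatever they point to
#   -P      never descend through a symbolic link, so a link to /etc or / that
#           a user dropped into the tree cannot redirect the recursion outside it
reown_tree() {
    chown -R -h -P --from="$2" "$3" "$1"
}

# Constructed sample tree: two files plus a symlink that points outside the tree.
make_sample_tree() {
    t=$(mktemp -d)
    : > "$t/a.txt"
    : > "$t/b.txt"
    ln -s /etc/passwd "$t/escape"
    printf '%s\n' "$t"
}
```

On a real host, audit_ownership /var/www apache apache lists every path a deployment left owned by someone else. reown_tree can be rerun safely: entries that already belong to the new owner no longer match --from and are skipped, and the symlink is re-owned as a link rather than being followed to /etc/passwd.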
3>. File permission operations: chmod
Permissions on a file are defined for three classes of accessor:
owner  the file's owner, u
group  the file's group, g
other  everyone else, o
For each class, three permissions are defined:
r  Readable
w  Writable
x  eXecutable
On a file:
r  the contents can be read with file-viewing tools
w  the contents can be modified
x  the file can be handed to the kernel to start as a process
On a directory:
r  the list of file names can be read with ls
w  files can be created in this directory, and deleted or renamed from it (x is needed as well). Note that deleting a file is governed by the directory's permissions, not the file's own
x  the directory can be entered with cd, and file metadata can be read with ls -l (together with r)
X  in a symbolic mode only: grant x to directories, and to files only if some class already has an execute bit; a plain data file never receives one. Mostly useful with -R
[[email protected] ~]# chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chmod invocation'
[[email protected] ~]#
[[email protected] ~]# cp -a /etc/shadow ./
[[email protected] ~]#
[[email protected] ~]# ll
total
-r--------. root root Sep : shadow
[[email protected] ~]#
[[email protected] ~]# chmod u+rw,g+r shadow    # add rw for the owner and r for the group
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r-----. root root Sep : shadow
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r-----. root root Sep : shadow
[[email protected] ~]#
[[email protected] ~]# chmod o=w shadow    # "=" sets other's permissions to exactly w, whatever they were before ("+" would add to them). A file that others may write but not read is odd, but legal
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r---w-. root root Sep : shadow
[[email protected] ~]#
[[email protected] ~]# ll /bin/ls
-rwxr-xr-x. root root Oct /bin/ls
[[email protected] ~]#
[[email protected] ~]# chmod a-x /bin/ls    # take execute away from everyone: ls can no longer run (ll is an alias for ls -l, which is why the next command fails)
[[email protected] ~]#
[[email protected] ~]# ll /bin/ls
bash: /usr/bin/ls: Permission denied
[[email protected] ~]#
[[email protected] ~]# chmod a+x /bin/ls
[[email protected] ~]#
[[email protected] ~]# ll /bin/ls
-rwxr-xr-x. root root Oct /bin/ls
[[email protected] ~]#
[[email protected] ~]#
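As an added example (not code from the original article), here is a hardening pass that applies the symbolic-mode X described above to a whole tree, and shows the one thing X will not do: take away an execute bit a file already has. mode_of, harden_tree, harden_tree_strict and the sample tree are names and data constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the sample
# tree are assumptions made for this demonstration.

# mode_of PATH -> first ten characters of ls -ld, e.g. "drwxr-x---"
# (portable, and ignores the SELinux "." that follows them on CentOS).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Typical content-tree hardening in one symbolic mode: owner rw, group r, other
# nothing. The capital X grants x to directories (needed to enter them) and to
# files that already carry some execute bit, but never to a plain data file.
harden_tree() {
    chmod -R u=rwX,g=rX,o= "$1"
}

# X keeps existing execute bits: a file that was executable stays executable.
# When the tree may contain stray executables that must not remain so, set
# files and directories explicitly instead.
harden_tree_strict() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed sample: a directory with a data file, plus a file that someone
# left executable.
make_tree() {
    t=$(mktemp -d)
    mkdir "$t/static"
    : > "$t/static/index.html"
    : > "$t/upload.cgi"
    chmod 755 "$t/upload.cgi"
    printf '%s\n' "$t"
}
```

After harden_tree, static/ is drwxr-x--- and index.html is -rw-r-----, but upload.cgi is still -rwxr-x--- because it already had execute bits. Only the explicit find-based pass turns it into -rw-r-----, which is the behaviour to reach for when cleaning up an upload directory.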
4>. Default permissions of new files and directories
[[email protected] ~]# help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.

    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.

    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).

    Options:
      -p        if MODE is omitted, output in a form that may be reused as input
      -S        makes the output symbolic; otherwise an octal number is output

    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.
[[email protected] ~]#
[[email protected] ~]# umask    # root's default umask is 022
[[email protected] ~]#
[[email protected] ~]# su - yinzhengjie
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ umask    # an ordinary user's default umask is 002
[[email protected] ~]$
[[email protected] ~]# umask -S    # show the mask in symbolic form
u=rwx,g=rx,o=rx
[[email protected] ~]#
[[email protected] ~]# umask
[[email protected] ~]#
[[email protected] ~]# umask -p    # output in a form that can be fed back in as a command
umask
[[email protected] ~]#
[[email protected] ~]# umask
[[email protected] ~]#
[[email protected] ~]# umask 754    # change the umask on the command line. This is temporary and affects only the current shell; to make it permanent, put the command in "~/.bashrc", or in the system-wide "/etc/bashrc"
[[email protected] ~]#
[[email protected] ~]# umask
[[email protected] ~]#
[[email protected] ~]# exit    # after logging out the change is gone
logout
(the terminal reconnects to node101.yinzhengjie.org.cn)
Last login: Thu Sep :: from 172.30.1.1
[[email protected] ~]#
[[email protected] ~]# umask    # after logging in again the umask has its old value back
[[email protected] ~]#
The umask is the set of permission bits that are stripped from every file or directory a process creates.
Default mode of a new file: 666 with the umask bits cleared (0666 & ~umask)
Default mode of a new directory: 777 with the umask bits cleared (0777 & ~umask)
Non-privileged users get umask 002 and root gets 022. On CentOS this comes from /etc/bashrc: 002 when the UID is above 199 and the user's primary group has the same name as the user (a private group), otherwise 022.
A shortcut that is often taught, "666 (or 777) minus the umask, then add 1 to any odd digit", is not how the kernel works, and it breaks as soon as a umask digit is larger than the corresponding base digit, as with the 7 in the example below. Do the calculation bit by bit instead.
Take umask 754 as an example:
666 in binary is "110 110 110"
754 in binary is "111 101 100" (a 1 in the mask clears the bit in the same position; a 0 leaves it unchanged)
Result: "000 010 010", i.e. 022 in octal, so a new file gets -----w--w-
777 in binary is "111 111 111"
754 in binary is "111 101 100"
Result: "000 010 011", i.e. 023 in octal, so a new directory gets d----w--wx
To confirm the results, look at the hands-on session below.
[[email protected] ~]# umask    # root's default umask
[[email protected] ~]#
[[email protected] ~]# touch a.txt    # create an empty file and look at its default permissions
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root root Sep : a.txt
[[email protected] ~]#
[[email protected] ~]# umask 754    # change root's umask and watch the default permissions of newly created files and directories
[[email protected] ~]#
[[email protected] ~]# touch b.txt
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root root Sep : a.txt
-----w--w-. root root Sep : b.txt
[[email protected] ~]#
[[email protected] ~]# mkdir home
[[email protected] ~]#
[[email protected] ~]# ll
total
-rw-r--r--. root root Sep : a.txt
-----w--w-. root root Sep : b.txt
d----w--wx. root root Sep : home
[[email protected] ~]#
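The calculation above, as an added example that is not part of the original article: default_mode applies the mask bit by bit, the way the kernel does, and observed_mode creates a throwaway file or directory under the given umask so the prediction can be checked against what ls reports. The function names are assumptions made for this example; it uses only POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original article; the function names are
# assumptions made for this demonstration.

# default_mode KIND UMASK -> the three octal digits a new file ("file", base 666)
# or directory ("dir", base 777) receives under UMASK. The kernel clears the
# mask bits from the requested mode: mode = base & ~umask. No subtraction.
default_mode() {
    case $1 in
        file) base=$(printf '%d' 0666) ;;
        dir)  base=$(printf '%d' 0777) ;;
        *)    return 2 ;;
    esac
    mask=$(printf '%d' "0$2")         # "754" -> octal 0754 -> decimal
    printf '%03o\n' $(( base & ~mask ))
}

# observed_mode KIND UMASK -> the permission string ls prints for something
# really created under UMASK, e.g. "-----w--w-". The umask is changed inside
# a subshell, so the caller's own mask is untouched.
observed_mode() {
    t=$(mktemp -d)
    (
        umask "$2"
        case $1 in
            file) : > "$t/f";   ls -ld "$t/f" ;;
            dir)  mkdir "$t/d"; ls -ld "$t/d" ;;
        esac
    ) | cut -c1-10
    chmod -R u+rwx "$t"               # the test objects may be unreadable by design
    rm -rf "$t"
}
```

For umask 754 the two functions agree with the session above: 022 / -----w--w- for files and 023 / d----w--wx for directories. Keep in mind that the umask is per process: a service started by systemd or cron never reads ~/.bashrc, so a mask set there protects interactive shells only.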
5>. Exercises
If user docker has no execute permission on /testdir, which operations can it not perform?
If user mongodb has no read permission on /testdir, which operations can it not perform?
If user redis has no write permission on /testdir, can the read-only file file1 inside it be modified or deleted?
If user zabbix has write and execute permission on /testdir, can the read-only file file1 inside it be modified or deleted?
Copy /etc/fstab to /var/tmp; make tomcat the owner with read and write permission, give the group apps read and write permission, and give others no permission at all.
User git's home directory was deleted by mistake; recreate it and restore the directory together with its proper ownership and permission attributes.
4. Special permissions on Linux file systems
1>. SUID (a user who is allowed to run the program file temporarily holds the privileges of the program's owner; the system's "passwd" binary carries SUID by default; in octal it is the leading digit "4")
[[email protected] ~]$ cat /etc/shadow | tail -    # an ordinary user cannot read "/etc/shadow"
cat: /etc/shadow: Permission denied
[[email protected] ~]$
[[email protected] ~]$ exit    # so we leave the ordinary user's shell
logout
[[email protected] ~]#
[[email protected] ~]# ll /usr/bin/cat    # look at cat: it is owned by root, and its owner has the x permission
-rwxr-xr-x. root root Oct /usr/bin/cat
[[email protected] ~]#
[[email protected] ~]# chmod u+s /usr/bin/cat    # add the SUID bit to cat
[[email protected] ~]#
[[email protected] ~]# ll /usr/bin/cat    # the owner's x slot now shows an s: lowercase s means the setuid bit is set and x is still present; an uppercase S would mean setuid without x
-rwsr-xr-x. root root Oct /usr/bin/cat
[[email protected] ~]#
[[email protected] ~]# su - yinzhengjie    # switch to the ordinary user again
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ cat /etc/shadow | tail -    # and now "/etc/shadow" can be read, because cat runs with its owner's (root's) privileges
nginx:$$.KUKZqRu$sCk.tYEAzZowA44d42qgaK.cQmpa16IPSIYX0CnON/SSCteb2PI77T21qOHDTrT01fAh2tD1/Ta6IE2m5EnkI/:::::::
varnish:$$gF6mgxv2$JtJHT.B7IqUU3MA6JZYQkbFBhqukF918goBIYIwm0hTFmcwdf6i.x2JX2Wzgz42dyEhkj/cdbMmUJi9XBhZY60:::::::
mysql:$$qWljHcJp$HtPeHnCjgOXh..Kno96j5BsS2ULUtpjb1yGznrkMdN2V7OVoTKLclY1Jaxe.Ryl32UWUox17Ux/Iw6s6dQviB0:::::::
[[email protected] ~]$
[[email protected] ~]$
[[email protected] ~]$ exit
logout
[[email protected] ~]#
[[email protected] ~]# ll /usr/bin/cat
-rwsr-xr-x. root root Oct /usr/bin/cat
[[email protected] ~]#
[[email protected] ~]# chmod u-s /usr/bin/cat    # roll the experiment back immediately. Never hand out SUID on everyday commands in production; this was only to show the mechanism. A setuid-root vim (or cat, or any tool that can open arbitrary paths) lets every ordinary user read or modify any file on the system, which amounts to giving everyone root. Handle with care!
[[email protected] ~]#
[[email protected] ~]# ll /usr/bin/cat
-rwxr-xr-x. root root Oct /usr/bin/cat
[[email protected] ~]#
[[email protected] ~]#
2>. SGID (likewise, a user who is allowed to run the program file temporarily holds the privileges of the program's group; in octal it is the leading digit "2")
[[email protected] ~]# groupadd devops    # create a group named devops
[[email protected] ~]#
[[email protected] ~]# useradd -g devops jason    # create user jason with devops as its primary group
[[email protected] ~]#
[[email protected] ~]# id jason    # check jason's uid and groups
uid=(jason) gid=(devops) groups=(devops)
[[email protected] ~]#
[[email protected] ~]# mkdir /data
[[email protected] ~]#
[[email protected] ~]# chgrp devops /data
[[email protected] ~]#
[[email protected] ~]# ll -d /data/    # note the permissions of "/data" at this point
drwxr-xr-x. root devops Sep : /data/
[[email protected] ~]#
[[email protected] ~]# chmod /data/    # add the SGID bit and the sticky bit to "/data" and watch the permissions change: the group's x slot shows s (SGID with x), and the T in other's slot means sticky is set while other has no x
[[email protected] ~]#
[[email protected] ~]# ll -d /data/
drwxrws--T. root devops Sep : /data/
[[email protected] ~]#
[[email protected] ~]# touch /data/root.txt    # create a file as root
[[email protected] ~]#
[[email protected] ~]# su -l jason
Last login: Tue Sep :: PDT on pts/
[[email protected] ~]$
[[email protected] ~]$ touch /data/jason.txt    # create a file as jason, a member of "devops"
[[email protected] ~]$
[[email protected] ~]$ exit
logout
[[email protected] ~]#
[[email protected] ~]# id yinzhengjie
uid=(yinzhengjie) gid=(yinzhengjie) groups=(yinzhengjie)
[[email protected] ~]#
[[email protected] ~]# su - yinzhengjie
[[email protected] ~]$
[[email protected] ~]$ touch /data/yinzhengjie.txt    # this fails, for the reason you would expect: yinzhengjie is not in devops, so it counts as "other", which has no w on the directory
touch: cannot touch ‘/data/yinzhengjie.txt’: Permission denied
[[email protected] ~]$
[[email protected] ~]$
[[email protected] ~]$ exit
logout
[[email protected] ~]#
[[email protected] ~]# ll /data/    # both root's file and jason's file belong to the devops group: that is what SGID on a directory does
total
-rw-r--r--. jason devops Sep : jason.txt
-rw-r--r--. root devops Sep : root.txt
[[email protected] ~]#
[[email protected] ~]#
3>. Sticky
[[email protected] ~]# mkdir /data
[[email protected] ~]#
[[email protected] ~]# touch /data/{..}.txt
[[email protected] ~]#
[[email protected] ~]# chmod 757 /data    # give other w on the directory. This means any user can delete files in it, even though they cannot modify the files' contents (this is the problem we want to expose)
[[email protected] ~]#
[[email protected] ~]# ll -d /data/
drwxr-xrwx. root root Sep : /data/
[[email protected] ~]#
[[email protected] ~]# ll /data/    # every file belongs to root; other users have read permission only
total
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
[[email protected] ~]#
[[email protected] ~]# su -l yinzhengjie
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ rm -f /data/.txt    # as the ordinary user we can delete root's files at will. That cannot be right; how do we fix it?
[[email protected] ~]$ rm -f /data/.txt
[[email protected] ~]$ rm -f /data/.txt
[[email protected] ~]$
[[email protected] ~]$ exit
logout
[[email protected] ~]#
[[email protected] ~]# ll /data/    # the files really are gone
total
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
[[email protected] ~]#
[[email protected] ~]# ll -d /data/
drwxr-xrwx. root root Sep : /data/
[[email protected] ~]#
[[email protected] ~]# chmod o+t /data/    # equivalent to "chmod 1757 /data/"
[[email protected] ~]#
[[email protected] ~]# ll -d /data/
drwxr-xrwt. root root Sep : /data/
[[email protected] ~]#
[[email protected] ~]# su -l yinzhengjie
Last login: Thu Sep :: CST on pts/
[[email protected] ~]$
[[email protected] ~]$ rm -f /data/.txt    # even though the ordinary user has w on "/data", it can no longer delete files it does not own
rm: cannot remove ‘/data/.txt’: Operation not permitted
[[email protected] ~]$
[[email protected] ~]$ rm -f /data/.txt
rm: cannot remove ‘/data/.txt’: Operation not permitted
[[email protected] ~]$
[[email protected] ~]$ ll /data/
total
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
[[email protected] ~]$
[[email protected] ~]$ touch /data/jason.txt    # create a file of our own
[[email protected] ~]$
[[email protected] ~]$ ll /data/
total
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
-rw-rw-r--. yinzhengjie yinzhengjie Sep : jason.txt
[[email protected] ~]$
[[email protected] ~]$ rm -f /data/jason.txt    # deleting our own file is still easy
[[email protected] ~]$
[[email protected] ~]$ ll /data/
total
-rw-r--r--. root root Sep : .txt
-rw-r--r--. root root Sep : .txt
[[email protected] ~]$
4>. Summary
SUID:
On a binary executable: whoever runs it temporarily inherits the privileges of the file's owner. Linux ignores the bit on interpreted scripts; only native executables honour it.
SGID:
On a binary executable: whoever runs it temporarily inherits the privileges of the file's group.
On a directory: files created inside inherit the directory's group instead of the creator's primary group, and new subdirectories inherit the SGID bit as well.
STICKY:
On a directory: a file inside can be deleted or renamed only by the file's owner, the directory's owner, or root, even when the directory is writable by everyone. (Root is of course exempt from all of these checks; discussions of permissions generally leave root out for that reason.)
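The checks a hardening or incident-response pass runs for these three bits, as an added example that is not part of the original article. The function names and the constructed sample tree are assumptions; on a real host the two find functions are pointed at / (with -xdev, to stay on one file system) rather than at a temp directory.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the sample
# tree are assumptions made for this demonstration.

# find_setid DIR -> regular files under DIR with SUID or SGID set, one ls -l
# line each. "-perm -4000" means "all of these bits are set".
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +
}

# find_world_writable_nosticky DIR -> directories anyone can write to that lack
# the sticky bit: every local user can delete or rename everybody else's files
# there, which is exactly the /data problem shown above.
find_world_writable_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# count -> number of lines on stdin
count() {
    wc -l | tr -d ' '
}

# Constructed sample: one setuid file, one ordinary executable, one shared
# directory done wrong (0777) and one done right (1777, like /tmp).
make_sample() {
    t=$(mktemp -d)
    : > "$t/helper";    chmod 4755 "$t/helper"
    : > "$t/plain";     chmod 755 "$t/plain"
    mkdir "$t/shared";  chmod 0777 "$t/shared"
    mkdir "$t/tmp";     chmod 1777 "$t/tmp"
    printf '%s\n' "$t"
}
```

A setuid or setgid file that the package manager does not know about (rpm -Vf FILE on CentOS reports changes to a packaged file) deserves a close look, as does any such file that is writable by group or other. Modern systems also grant root-like powers through file capabilities, which never show up in the mode bits; getcap -r / 2>/dev/null lists those.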
5>. Setting special file attributes
chattr +i    the file cannot be deleted, renamed or changed (immutable)
chattr +a    data can only be appended to the file
lsattr       show these attributes
These flags are enforced even against root. Only a process with CAP_LINUX_IMMUTABLE (in practice, root) can set or clear them, so they stop accidents and careless scripts, not an attacker who already has root and can simply run chattr -i first.
[[email protected] ~]# chattr +i /etc/passwd    # with the "i" attribute on "/etc/passwd" the file can no longer be deleted, renamed, or even modified, not even by root; root can still read it
[[email protected] ~]#
[[email protected] ~]# rm -f /etc/passwd
rm: cannot remove ‘/etc/passwd’: Operation not permitted
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# mv /etc/passwd /etc/passwd-`date +%F`
mv: cannot move ‘/etc/passwd’ to ‘/etc/passwd---’: Operation not permitted
[[email protected] ~]#
[[email protected] ~]# echo "尹正杰到此一游" >> /etc/passwd
-bash: /etc/passwd: Permission denied
[[email protected] ~]#
[[email protected] ~]# useradd bigdata
useradd: cannot open /etc/passwd
[[email protected] ~]#
[[email protected] ~]# lsattr /etc/passwd #查看该文件的特定属性
----i----------- /etc/passwd
[[email protected] ~]#
[[email protected] ~]# chattr -i /etc/passwd    # remove the "i" attribute and the file can be modified again
[[email protected] ~]#
[[email protected] ~]# lsattr /etc/passwd
---------------- /etc/passwd
[[email protected] ~]#
[[email protected] ~]# useradd bigdata
[[email protected] ~]#
[[email protected] ~]# id bigdata
uid=(bigdata) gid=(bigdata) groups=(bigdata)
[[email protected] ~]#
[[email protected] ~]# lsattr /etc/passwd
---------------- /etc/passwd
[[email protected] ~]#
[[email protected] ~]# chattr +a /etc/passwd    # with the "a" attribute the file cannot be modified in place, but it can still be appended to and read
[[email protected] ~]#
[[email protected] ~]# lsattr /etc/passwd
-----a---------- /etc/passwd
[[email protected] ~]#
[[email protected] ~]# useradd hadoop    # creating a user means rewriting "/etc/passwd"; the failure shows that modifying the file in place is blocked
useradd: cannot open /etc/passwd
[[email protected] ~]#
[[email protected] ~]# echo "hadoop" >> /etc/passwd    # but appending does work
[[email protected] ~]#
[[email protected] ~]# tail - /etc/passwd    # the append succeeded
bigdata:x::::/home/bigdata:/bin/bash
hadoop
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# chattr -a /etc/passwd    # remove the "a" attribute right away and undo the change: be sure to delete the "hadoop" line appended above from "/etc/passwd", otherwise the malformed entry causes errors (for example at boot)
[[email protected] ~]#
[[email protected] ~]# lsattr /etc/passwd
---------------- /etc/passwd
[[email protected] ~]#
[[email protected] ~]#