#新增用户
adduser zy
#设置密码
passwd zy
userdel -r zy
#锁定,不允许该用户用密码登录(usermod -L 只锁定密码,SSH密钥等其他认证方式不受影响)
usermod -L zy
#解锁
usermod -U zy
usermod -d /home/zy_home -m zy
-d:指定新的家目录
-m:移动原来的文件到新的家目录
/etc/passwd 文件记录了Linux系统中所有用户的信息,是系统的关键安全文件之一。
以zy用户分析:
zy:x:1000:1000:Zhang Yin,123,123,:/home/zy:/bin/bash
字段的含义如下:
用户名(Username):zy,表示用户的登录名或用户名。
密码标志(Password Flag):x,表示用户的密码存储在密码文件中(通常是/etc/shadow文件)而不是在/etc/passwd文件中。
用户ID(User ID):1000,是一个数字标识符,用于标识用户,通常每个用户各不相同。UID为0的账号拥有root权限;下面的输出中guest的UID也是0,等同于root,这类账号在安全检查时应重点核实。
组ID(Group ID):1000,是用户所属的主要用户组的数字标识符。
用户信息(User Information):Zhang Yin,123,123,这是一段用户的描述信息,可以包含用户的全名、电话号码等。这个字段通常不是系统所依赖的字段。
用户主目录(Home Directory):/home/zy,表示用户的主目录路径,即用户登录后默认所在的目录。
登录Shell(Login Shell):/bin/bash,是用户登录后默认使用的shell,即命令行解释器。
root@hecs-82704:/home# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
guest:x:0:0:guest:/home/guest:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:113:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
_chrony:x:114:119:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
fwupd-refresh:x:115:120:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
redis:x:116:121::/var/lib/redis:/usr/sbin/nologin
zy:x:1000:1000:Zhang Yin,123,123,:/home/zy:/bin/bash
minmin:x:1001:1001:si minmin,,,:/home/minmin2:/bin/bash
同样以zy用户分析 /etc/shadow 文件中的记录:
zy:$y$j9T$p1AM/pRv37qUWwjV/ruhb/$mj52Y23b3oKIBSjV6FIKRz351Xby3jA9PoFONLkl947:19565:0:99999:7:::
字段的含义如下:
用户名(Username):zy,与/etc/passwd文件中的用户名对应。
密码哈希值(Password Hash):用户密码的哈希值,用于验证用户密码的正确性。密码哈希值的具体格式和算法取决于系统配置,开头的$id$前缀标识所用算法:下面输出中$y$是yescrypt,$1$是MD5-crypt(强度弱,应重设密码以换用更强的算法);该字段为*或!表示该账号不能用密码登录。
上次密码更改日期(Last Password Change):19565,表示最近一次修改密码的日期,以自1970年1月1日起的天数计。
密码最短使用期限(Minimum Password Age):0,表示两次修改密码之间至少要间隔的天数,0表示随时可以修改。
密码有效期(Maximum Password Age):99999,表示密码的有效期,即密码需要在多少天之内更改一次。
密码到期前的警告天数(Password Expiry Warning):7,表示在密码到期前多少天开始发出警告。
密码过期后的宽限期(Password Inactivity Period):空字段,表示密码过期后的宽限期,在这个宽限期内用户仍然可以登陆,但必须立即更改密码;为空表示未设置。
账号过期日期(Account Expiration Date):空字段,表示账号的过期日期(同样以自1970年1月1日起的天数计),如果有设置则表示账号将在该日期之后被禁用。
root@hecs-82704:/home# cat /etc/shadow
root:$y$j9T$Yy9CADGW7QDSlMP16lL4v.$.gPBpmeWp7nEVFaddePnDMTQ2ldv4KFoyVcJBY656K/:19565:0:99999:7:::
guest:$1$OINcNiRr$av3XJYcvbycCHfM96lPcY0:19564:0:99999:7:::
daemon:*:19213:0:99999:7:::
bin:*:19213:0:99999:7:::
sys:*:19213:0:99999:7:::
sync:*:19213:0:99999:7:::
games:*:19213:0:99999:7:::
man:*:19213:0:99999:7:::
lp:*:19213:0:99999:7:::
mail:*:19213:0:99999:7:::
news:*:19213:0:99999:7:::
uucp:*:19213:0:99999:7:::
proxy:*:19213:0:99999:7:::
www-data:*:19213:0:99999:7:::
backup:*:19213:0:99999:7:::
list:*:19213:0:99999:7:::
irc:*:19213:0:99999:7:::
gnats:*:19213:0:99999:7:::
nobody:*:19213:0:99999:7:::
_apt:*:19213:0:99999:7:::
systemd-network:*:19213:0:99999:7:::
systemd-resolve:*:19213:0:99999:7:::
messagebus:*:19213:0:99999:7:::
systemd-timesync:*:19213:0:99999:7:::
pollinate:*:19213:0:99999:7:::
sshd:*:19213:0:99999:7:::
syslog:*:19213:0:99999:7:::
uuidd:*:19213:0:99999:7:::
tcpdump:*:19213:0:99999:7:::
tss:*:19213:0:99999:7:::
landscape:*:19213:0:99999:7:::
usbmux:*:19398:0:99999:7:::
dnsmasq:*:19398:0:99999:7:::
_chrony:*:19398:0:99999:7:::
lxd:!:19398::::::
fwupd-refresh:*:19398:0:99999:7:::
redis:*:19556:0:99999:7:::
zy:$y$j9T$p1AM/pRv37qUWwjV/ruhb/$mj52Y23b3oKIBSjV6FIKRz351Xby3jA9PoFONLkl947:19565:0:99999:7:::
minmin:$y$j9T$Liweofrn.XY5wiWn91K4J0$RhyKTm9HR0N4FKOdwmAaSAG1Q0GbQ0QDOt1uSEK/gT6:19569:0:99999:7:::
默认情况下,任何普通用户只要知道root的密码,都可以通过su切换为root用户。
编辑 /etc/pam.d/su 文件:
在su文件中,配置了以下内容:
- auth sufficient pam_rootok.so:允许root用户使用su命令切换用户而无需密码。
- 注释掉的 auth required pam_wheel.so:要求用户在使用su命令之前必须是wheel组的成员。可以通过添加group=foo来指定其他组。要限制只有特定组的成员才能使用su,就取消这一行的注释,并只把可信用户加入该组。
- 注释掉的 auth sufficient pam_wheel.so trust:允许wheel组的成员使用su命令而无需密码。
- 注释掉的 auth required pam_wheel.so deny group=nosu:禁止特定组的成员使用su命令。
- 注释掉的 account requisite pam_time.so:用于根据时间限制su命令的使用。
- session required pam_limits.so:根据/etc/security/limits.conf文件设置用户限制。
root@hecs-82704:/etc/pam.d# cat su
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group wheel
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "wheel" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
vim /etc/bashrc
添加如下内容(在Debian/Ubuntu上,bash的全局配置文件是 /etc/bash.bashrc):
HISTTIMEFORMAT="%Y%m%d %T"
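这样使用history命令,前面就打上了时间戳标记。注意:按上面的格式,时间戳会显示为 20230731 12:50:06 的样式,且格式末尾没有空格,时间会与命令连在一起;下面示例中带连字符的日期和用户名对应的是另一种格式(例如 "%F %T $(whoami) "):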
770 2023-07-31 12:50:06 zy vim /etc/bashrc
771 2023-07-31 12:51:35 zy cat /etc/bashrc
772 2023-07-31 12:51:50 zy history