Linux Admin Concise Tutorial
Linux Admin - User Management
When discussing user management, there are three important terms to understand −
- Users
- Groups
- Permissions
We have already discussed in depth the permissions applied to files and folders. In this chapter, let’s discuss users and groups.
CentOS Users
In CentOS, there are two types of accounts −
- System accounts − Used for a daemon or other piece of software.
- Interactive accounts − Usually assigned to a user for accessing system resources.
The main difference between the two account types is −
- System accounts are used by daemons to access files and directories. They are usually disallowed from interactive login via a shell or the physical console.
- Interactive accounts are used by end-users to access computing resources from either a shell or a physical console login.
With this basic understanding of users, let’s now create a new user for Bob Jones in the Accounting Department. A new user is added with the adduser command (on CentOS, adduser is a symlink to useradd, so the two names are interchangeable).
Following are some common adduser switches −
| Switch | Action |
| --- | --- |
| -c | Adds a comment to the user account |
| -m | Creates the user home directory in the default location, if nonexistent |
| -g | Default group to assign the user |
| -n | Does not create a private group for the user (usually a group named after the user) |
| -M | Does not create a home directory |
| -s | Default shell other than /bin/bash |
| -u | Specifies the UID (otherwise assigned by the system) |
| -G | Additional groups to assign the user to |
When creating the new user, use the -c, -m, -g and -n switches as follows −
[root@localhost Downloads]# useradd -c "Bob Jones Accounting Dept Manager" -m -g accounting -n bjones
Now let’s see if our new user has been created −
[root@localhost Downloads]# id bjones
uid=1001(bjones) gid=1001(accounting) groups=1001(accounting)
[root@localhost Downloads]# grep bjones /etc/passwd
bjones:x:1001:1001:Bob Jones Accounting Dept Manager:/home/bjones:/bin/bash
[root@localhost Downloads]#
Now we need to enable the new account by setting a password with the passwd command −
[root@localhost Downloads]# passwd bjones
Changing password for user bjones.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost Downloads]#
The user account is now enabled, allowing the user to log into the system.
Disabling User Accounts
There are several methods to disable accounts on a system, ranging from editing the /etc/passwd file by hand to using the passwd command with the -l switch. Both of these methods have one big drawback: they only lock the password, so if the user has ssh access and uses an RSA key for authentication, they can still log in.
Now let’s use the chage command, changing the expiry date to a date in the past. It is also good practice to make a note on the account as to why we disabled it.
[root@localhost Downloads]# chage -E 2005-10-01 bjones
[root@localhost Downloads]# usermod -c "Disabled Account while Bob out of the country for five months" bjones
[root@localhost Downloads]# grep bjones /etc/passwd
bjones:x:1001:1001:Disabled Account while Bob out of the country for five months:/home/bjones:/bin/bash
[root@localhost Downloads]#
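The following audit script is an added example, not part of the original tutorial. It reads accounts in /etc/shadow format and tells the two states apart that the text above describes: a password locked with passwd -l (a "!" in front of the hash, which an authorized SSH key bypasses) versus an account expired with chage -E (field 8, days since 1970-01-01, which blocks every login method). The sample shadow lines and the hash values are constructed; the account names and the 2005-10-01 date come from the walkthrough above.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Audits accounts in
# /etc/shadow format and reports whether each is really disabled.
# A "!" in front of the hash (passwd -l) only locks the password;
# an expiry date in field 8 (chage -E, days since 1970-01-01) stops
# every login method, including SSH public-key authentication.

# Constructed sample in shadow format (name:hash:lastchg:min:max:warn:inactive:expire:).
# 13057 is 2005-10-01, the date used with chage -E above.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
bjones:!$6$constructedhash:19000:0:99999:7::13057:
sally:!$6$constructedhash:19000:0:99999:7:::
daemonacct:*:19000:0:99999:7:::
EOF
)

# audit_account NAME [SHADOW_TEXT] prints one word:
#   disabled  expiry date is today or in the past
#   ssh-risk  password locked but no expiry: an authorized SSH key still works
#   nopass    no usable password hash ("*"), typical for system accounts
#   active    usable password, no expiry
audit_account() {
    name=$1
    shadow=${2:-$SAMPLE_SHADOW}
    today=$(( $(date +%s) / 86400 ))
    printf '%s\n' "$shadow" | awk -F: -v n="$name" -v today="$today" '
        $1 == n {
            hash = $2; expire = $8
            if (expire != "" && expire + 0 <= today) { print "disabled"; exit }
            if (substr(hash, 1, 1) == "!")            { print "ssh-risk"; exit }
            if (hash == "*")                          { print "nopass";   exit }
            print "active"; exit
        }'
}

# list_ssh_risk [SHADOW_TEXT] prints every account whose only protection is a
# locked password, i.e. the accounts that chage -E should still be applied to.
list_ssh_risk() {
    shadow=${1:-$SAMPLE_SHADOW}
    for n in $(printf '%s\n' "$shadow" | cut -d: -f1); do
        [ "$(audit_account "$n" "$shadow")" = ssh-risk ] && printf '%s\n' "$n"
    done
    return 0
}

# Against the real file (readable by root only): audit_account bjones "$(cat /etc/shadow)"
```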
Manage Groups
Managing groups in Linux makes it convenient for an administrator to combine users into containers and apply a permission set to all group members at once. For example, all users in Accounting may need access to the same files. Thus, we make an accounting group and add the Accounting users to it.
For the most part, anything requiring special permissions should be done through a group. This approach usually saves time over applying special permissions to just one user. For example, Sally is in charge of reports, and only Sally needs access to certain files for reporting. However, what if Sally is sick one day and Bob does the reports? Or the need for reporting grows? When a group is made, an administrator only needs to set it up once; users are then added as needs change or expand.
Following are some common commands used for managing groups −
- chgrp
- groupadd
- groups
- usermod
chgrp − Changes the group ownership of a file or directory.
Let’s make a directory where people in the accounting group can store files and create subdirectories.
[root@localhost Downloads]# mkdir /home/accounting
[root@localhost Downloads]# ls -ld /home/accounting
drwxr-xr-x. 2 root root 6 Jan 13 10:18 /home/accounting
[root@localhost Downloads]#
Next, let’s give group ownership to the accounting group.
[root@localhost Downloads]# chgrp -v accounting /home/accounting/
changed group of ‘/home/accounting/’ from root to accounting
[root@localhost Downloads]# ls -ld /home/accounting/
drwxr-xr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
Now everyone in the accounting group has read and execute permissions on /home/accounting. They will need write permission as well.
[root@localhost Downloads]# chmod g+w /home/accounting/
[root@localhost Downloads]# ls -ld /home/accounting/
drwxrwxr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
Since the accounting group may deal with sensitive documents, we need to apply restrictive permissions for other (the world).
[root@localhost Downloads]# chmod o-rx /home/accounting/
[root@localhost Downloads]# ls -ld /home/accounting/
drwxrwx---. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
groupadd − Used to make a new group.
| Switch | Action |
| --- | --- |
| -g | Specifies a GID for the group |
| -K | Overrides the GID settings in /etc/login.defs |
| -o | Allows a non-unique group ID, overriding the normal uniqueness check |
| -p | Group password, allowing users to add themselves to the group |
Let’s make a new group called secret. We will add a password to the group, allowing users who know the password to add themselves to it.
[root@localhost]# groupadd secret
[root@localhost]# gpasswd secret
Changing the password for group secret
New Password:
Re-enter new password:
[root@localhost]# exit
exit
[centos@localhost ~]$ newgrp secret
Password:
[centos@localhost ~]$ groups
secret wheel rdc
[centos@localhost ~]$
In practice, group passwords are rarely used. Supplementary groups are adequate, and sharing a password among users is not a good security practice.
The groups command is used to show which groups a user belongs to. We will use it after making some changes to our current user.
usermod is used to update account attributes.
Following are the common usermod switches.
| Switch | Action |
| --- | --- |
| -a | Append: adds the user to supplementary groups, only with the -G option |
| -c | Comment: updates the user comment value |
| -d | Home directory: updates the user’s home directory |
| -G | Groups: adds or removes the user’s secondary groups |
| -g | Group: default primary group of the user |
[root@localhost]# groups centos
centos : accounting secret
[root@localhost]#
[root@localhost]# usermod -a -G wheel centos
[root@localhost]# groups centos
centos : accounting wheel secret
[root@localhost]#