Linux has only two kinds of users: root and non-root. Accounts such as apache, mysql, nobody and ftp are also non-root users, that is, ordinary users. The impression that there are more levels than this comes from a different concept: user groups.

  • A user must belong to at least one user group
  • A user can belong to more than one user group

User groups exist mainly to make assigning permissions easier. In terms of permissions, users themselves differ very little; the main differences between individual users are:

  • whether they have a password or not
  • home directory (ordinary users can have a home directory named after their user name, which is stored in /home/username, while the root user’s home directory is: /root)
  • shell

Users like nobody, which is used to run Nginx worker processes, are generally given neither a password nor a shell, and often have no home directory either. Why no password? If a password were set, the program could not run under this user automatically. And since nobody will ever use this user to log in to the system, there is no need to assign a shell. (Note: technically a shell is assigned, but it is the special shell /sbin/nologin, whose only function is to refuse the login.)

Linux user and group data

The main repositories of user and group information are the four files in /etc.

  • /etc/passwd is a password file that contains basic information about the user.
  • /etc/shadow is a shadow password file that contains encrypted passwords.
  • /etc/group is a group file that contains basic information about groups and which users belong to them.
  • /etc/gshadow is a shadow group file that contains encrypted group passwords.

The password file (/etc/passwd) and group file (/etc/group) are shadowed for security reasons. The passwd and group files themselves must be readable by all users, but the encrypted passwords should not be. The shadow files therefore hold the encrypted passwords, and they can be read only by root. A setuid program (such as passwd) provides the necessary authenticated access: it runs with root privileges but can be executed by any user.

All users can be viewed by looking at /etc/passwd. The following is the user information on my system.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
qw:x:1000:1000:qw:/home/qw:/bin/bash

Each line of the file represents a user, and each line is divided by a colon “:” into seven fields, which are structured as follows.

username: password: UID: GID: user full name: home directory: shell

UID ranges:

  • UID 0: the root user
  • UID 1 ~ 999: reserved for system (pseudo) users, i.e. accounts that cannot log in (older systems used 1 ~ 499; this was changed only recently)
  • UID 1000 and above: normal users that can log in

GID: as said above, a user can belong to more than one user group, but only one is recorded here: the primary (dedicated) user group. A user has exactly one primary group; membership of any other user groups is stored in the /etc/group file.

The password field is special: it is uniformly replaced by x. Originally Linux kept the password in /etc/passwd itself, but because /etc/passwd can be read by everyone, the passwords are now stored in the /etc/shadow file (accessible only with root privileges). Its contents look like this:

root:$6$yp9k7rTFRX76aFP/$RpQ0Q7SIFpKn5jA3vEmpzsMdMDqDjmKQY3qCcVyuVNa1dTOOwJqC0SWCxqsNrZgYiBf5Og94cDR97hGCfd0OX1::0:99999:7:::
bin:*:16659:0:99999:7:::
daemon:*:16659:0:99999:7:::
adm:*:16659:0:99999:7:::
lp:*:16659:0:99999:7:::
sync:*:16659:0:99999:7:::
shutdown:*:16659:0:99999:7:::
halt:*:16659:0:99999:7:::
mail:*:16659:0:99999:7:::
operator:*:16659:0:99999:7:::
games:*:16659:0:99999:7:::
ftp:*:16659:0:99999:7:::
nobody:*:16659:0:99999:7:::
avahi-autoipd:!!:17031::::::
systemd-bus-proxy:!!:17031::::::
systemd-network:!!:17031::::::
dbus:!!:17031::::::
polkitd:!!:17031::::::
tss:!!:17031::::::
postfix:!!:17031::::::
sshd:!!:17031::::::
qw:$6$W1QYF2/.vMB7BPm/$n7GV1D07lcVDhsyGS0xUe66loRTfmFj2vT4TkELQgQGfqDxNn2fGzBYUYj4CgZMhaiNSvvmhW4gubpQxBhr3H0::0:99999:7:::

The structure is as follows.

  • login name: encrypted password (* or !! means this user cannot be used to log in): date the password was last changed (days since 1970-01-01, the Linux epoch): minimum number of days between password changes (0 means it can be changed at any time): maximum number of days the password is valid: number of days before expiry on which to warn the user: number of days after expiry before the account is disabled: account expiration date: reserved field

Again, take a look at the /etc/group file.

root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:30:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
ssh_keys:x:999:
avahi-autoipd:x:170:
input:x:998:
systemd-journal:x:190:
systemd-bus-proxy:x:997:
systemd-network:x:996:
dbus:x:81:
polkitd:x:995:
dip:x:40:
tss:x:59:
postdrop:x:90:
postfix:x:89:
sshd:x:74:
qw:x:1000:qw

The structure is as follows.

Group name: User group password: GID: User name within the user group

User group passwords are rarely used in normal use and are stored in /etc/gshadow.

The special part of the group file is the “user names within the user group” field: it is the list of users who belong to this group as a supplementary group, separated by commas “,”. The field may be empty; an empty field means no supplementary members are listed here, and the group’s members are simply the users whose primary GID in /etc/passwd is this group (typically the user of the same name).
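As an added example (not code from the original post), the following Python script parses text in the /etc/passwd, /etc/shadow and /etc/group layouts described above and produces the checks an administrator usually wants from them: the UID class of each account (using the 0 / 1 ~ 999 / 1000+ ranges given earlier), whether the account can actually log in (login shell and a usable shadow password field), its primary plus supplementary groups, and a flag for any non-root account with UID 0. The sample data is constructed for the example, with placeholder hashes; on a real system you would read the three files instead (reading /etc/shadow requires root).

```python
"""Audit accounts from text in the /etc/passwd, /etc/shadow and /etc/group layouts."""

# Shells that refuse interactive login (the page's /sbin/nologin plus common variants).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data in the same format as the files shown above.
# "$6$salt$hashplaceholder" stands in for a real SHA-512 crypt hash.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
qw:x:1000:1000:qw:/home/qw:/bin/bash
backup:x:1001:100:Backup operator:/home/backup:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
"""
SHADOW = """\
root:$6$salt$hashplaceholder::0:99999:7:::
bin:*:16659:0:99999:7:::
nobody:*:16659:0:99999:7:::
sshd:!!:17031::::::
qw:$6$salt$hashplaceholder::0:99999:7:::
backup:!$6$salt$hashplaceholder:17031:0:99999:7:::
toor:$6$salt$hashplaceholder::0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:qw
users:x:100:
postfix:x:89:
qw:x:1000:qw
"""


def parse_passwd(text):
    """name -> {uid, gid, gecos, home, shell}; seven colon-separated fields per line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> second field (the encrypted password or a lock marker)."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines() if l.strip())}


def parse_group(text):
    """name -> {gid, members}; the fourth field is a comma-separated member list, possibly empty."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def uid_class(uid):
    """Classify by the UID ranges described on the page."""
    if uid == 0:
        return "root"
    return "system" if uid < 1000 else "normal"


def password_state(field):
    """Interpret the shadow password field."""
    if field in ("*", "!!", "!"):
        return "no-password"      # no hash at all: password login impossible
    if field == "":
        return "empty"            # empty field: login with no password
    if field.startswith("!"):
        return "locked"           # a real hash prefixed with "!" (passwd -l / usermod -L)
    return "set"


def groups_of(user, users, groups):
    """Primary group (via the GID in passwd) plus supplementary groups (member lists in group)."""
    primary = [g for g, info in groups.items() if info["gid"] == users[user]["gid"]]
    supplementary = [g for g, info in groups.items() if user in info["members"]]
    return sorted(set(primary + supplementary))


def audit(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP):
    """Return a per-account report built from the three files."""
    users, shadow, groups = parse_passwd(passwd_text), parse_shadow(shadow_text), parse_group(group_text)
    report = {}
    for name, info in users.items():
        state = password_state(shadow.get(name, "*"))
        can_login = info["shell"] not in NOLOGIN_SHELLS and state in ("set", "empty")
        flags = []
        if info["uid"] == 0 and name != "root":
            flags.append("uid-0")           # a second root-equivalent account
        if state == "empty" and can_login:
            flags.append("empty-password")
        report[name] = {"class": uid_class(info["uid"]), "password": state,
                        "can_login": can_login, "groups": groups_of(name, users, groups),
                        "flags": flags}
    return report


if __name__ == "__main__":
    for name, entry in audit().items():
        print(f"{name:8} {entry['class']:7} login={entry['can_login']!s:5} "
              f"groups={','.join(entry['groups']) or '-'} {' '.join(entry['flags'])}")
```

The two interesting rows in the sample are sshd (a system account whose `!!` field and /sbin/nologin shell both block login) and toor, which shares UID 0 with root and is therefore flagged even though its name is unremarkable.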

sudo privileges

Ordinary users have very limited privileges; they cannot even install software on the system. Often you want to grant an ordinary user privileges temporarily, which is what sudo does (prefix the command with sudo). For example:

sudo cat /etc/shadow

This differs from Ubuntu and Fedora, which are mainly desktop distributions. To give a user root privileges, you need to edit the /etc/sudoers file and modify its contents:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty

#
# Refuse to run if unable to disable echo on the tty. This setting should also be
# changed in order to be able to use sudo without a tty. See requiretty above.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##     user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)     ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel    ALL=(ALL)    ALL

## Same thing without a password
# %wheel    ALL=(ALL)    NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

To give an ordinary user sudo privileges, find the following lines:

## Allow root to run any commands anywhere 
root    ALL=(ALL)     ALL

and add a line for the user after them:

## Allow root to run any commands anywhere 
root    ALL=(ALL)     ALL
qw    ALL=(ALL)     ALL

To give sudo privileges to a whole user group (note the leading %, which users do not have):

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

Another way is to add a user who does not need to enter the root password, i.e. who has root privileges outright, by adding the following:

qw    ALL=(ALL)     NOPASSWD:ALL

It is also possible to set exactly which commands may be executed, using rules of the following form:

authorized_user host=[(user or group to switch to)] [NOPASSWD: | PASSWD:] command1, [(user or group to switch to)] [NOPASSWD: | PASSWD:] command2, [(user or group to switch to)] [NOPASSWD: | PASSWD:] command3 ……

By default, the first time you use sudo you need to enter the root password; if you run sudo again within 5 minutes you do not need to enter it again, and after 5 minutes you do. This period is configurable by adding the following to sudoers:

Defaults:username timestamp_timeout=20

where username is the account the setting applies to and the unit is minutes; setting it to 0 means the password must be entered every time.

User and group common operations

Adding users

The useradd command creates a new system user in Linux. After the account is created, passwd is used to set its password, and the account can be deleted with userdel. An account created with useradd is in fact stored in the /etc/passwd text file.

Syntax: useradd(option)(parameter)

Options.

  • -c<comment>: Add the comment text. The comment text will be saved in the comment field of passwd
  • -d<login directory>: Specify the directory where the user will start when logging in.
  • -D: change the default values used for new users
  • -e<expiration date>: Specify the expiration date of the account.
  • -f<buffer days>: Specifies how many days after the password expires the account will be closed
  • -g<group>: Specify the group to which the user belongs
  • -G<groups>: Specify additional groups the user belongs to
  • -m: Automatically create the user’s login directory
  • -M: Do not automatically create the user’s login directory
  • -n: do not create a group with the same name as the user
  • -r: create system account
  • -s: specify the shell that the user will use after logging in
  • -u: specify the user id

Example.

sudo useradd username -m -s /sbin/nologin -d /home/username -g groupname

Where.

  • -s /sbin/nologin set no login
  • -d Set user home directory
  • -g user group
  • -m Create user directory

Modify user password

The passwd command is used to set user authentication information, including user password, password expiration time, etc. It can be used by system administrators to manage the passwords of system users. Only the administrator can specify the user name, general users can only change their own passwords.

Syntax: passwd(option)(parameter)

Options

  • -d: removes the password, available only to the system administrator.
  • -f: enforce.
  • -k: set the password to be updated only after it has expired.
  • -l: lock the password.
  • -s: lists information about the password, available only to the system administrator.
  • -u: unlock the locked account.

Ordinary users who want to change their own password can simply run passwd. To set a password for a newly created user, run passwd username, which must be done with root privileges.

Modify user information

The usermod command modifies basic user information. usermod does not allow you to change the name of a user account that is currently logged in. When usermod is used to change the user ID, you must make sure the user is not running any programs on the computer. The user’s crontab file and at jobs must then be changed by hand. If an NIS server is used, the NIS settings must be changed on the server.

Syntax: usermod(option)(parameter)

Options

  • -c<comment>: Modify the comment text of the user account.
  • -d<login directory>: Modifies the directory where the user logs in.
  • -e<expiration date>: modifies the expiration date of the account.
  • -f<buffer days>: modifies how many days after the password expires the account will be closed.
  • -g<groups>: modifies the groups to which the user belongs.
  • -G<groups>: modifies the additional groups to which the user belongs.
  • -l<account name>: modify the name of the user’s account.
  • -L: lock the user’s password to make it invalid.
  • -s<shell>: modify the shell that the user uses when logged in.
  • -u<uid>: modify the user ID.
  • -U: unlock password.

Example, adding newuser2 to the group staff (the -a flag appends to the user’s existing supplementary groups; -G on its own replaces the whole list):

usermod -aG staff newuser2

Reference.