9. Linux user management (part 2)

1. Set a password for a user (run as root)
  • Only root can set the password of a new user. Make the password complex: mix digits [0-9], lowercase letters [a-z], uppercase letters [A-Z] and special characters [!@#$%^&*].
[root@yinwucheng ~]# passwd oldxu
Changing password for user oldxu.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
passwd --stdin     set the password non-interactively, reading it from standard input (a Red Hat-family extension; Debian's passwd does not have it, use chpasswd there)
[root@yinwucheng ~]# echo "123" | passwd --stdin oldxu
Changing password for user oldxu.
passwd: all authentication tokens updated successfully.
2. Create users in batch and give them all the same fixed password
[root@yinwucheng ~]# cat user.sh
# Create test1..test100, each with the password 123456 (demo only: a shared
# fixed password should be replaced at first login, e.g. with chage -d 0)
for i in {1..100}
do
    useradd test$i
    echo "123456" | passwd --stdin test$i
done
3. Change a user's password
3.1 Changing your own password (any user): run passwd with no argument. The password has to be reasonably complex and at least 8 characters long.
3.2 Changing another user's password (root only): passwd username
3.3 How to generate a complex password
1. Hash a random number and take a slice of the digest:
[root@yinwucheng ~]# echo $RANDOM | md5sum |cut -c 5-15
9320a6f282d
Note that $RANDOM takes only 32768 distinct values, so this recipe can produce at most 32768 distinct passwords however the value is hashed, and the slice contains nothing but lowercase hex digits, which fails the complexity rule above. Prefer mkpasswd or bytes from /dev/urandom.

2. mkpasswd (from the expect package) generates a random string: -l sets the length, -d the number of digits, -c lowercase letters, -C uppercase letters, -s special characters
[root@yinwucheng ~]# mkpasswd -l 10 -d 2 -c 3 -C 3 -s 2
mQR1u^=q5Y

Password managers: LastPass (online) supports Windows, macOS, iPhone, Android and browser extensions.
Summary:
1. Setting a password for a new user requires root.
2. Changing another user's password also requires root.
3. Ordinary users can only change their own password, never anyone else's.
4. Passwords can be set in two ways: interactively (passwd) or non-interactively (passwd --stdin).
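Putting sections 2 and 3 together, here is an added example (not code from the original post) of a batch-creation script that gives every account its own random password satisfying the complexity rule above, and expires it immediately so the user must change it at first login. The function names, the DRY_RUN switch and the 12-character default are this example's own choices; the test1..testN naming follows the post's script.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: batch-provision users the way
# section 2 does, but with a fresh random password per user that meets the
# complexity rule from section 3, and force a change at first login.
# A real run needs root; DRY_RUN=1 prints the commands instead of executing.
export LC_ALL=C   # keep [a-z]/[A-Z] ranges literal regardless of locale

# Return 0 if $1 is at least 8 characters and contains a digit, a lowercase
# letter, an uppercase letter and one of !@#$%^&* (the post's rule).
check_complexity() {
    local p=$1
    local digit='[0-9]' lower='[a-z]' upper='[A-Z]' special='[!@#$%^&*]'
    [ "${#p}" -ge 8 ] || return 1
    [[ $p =~ $digit && $p =~ $lower && $p =~ $upper && $p =~ $special ]]
}

# Print a random password of $1 (>= 8) characters from the four classes the
# post names.  Bytes come from /dev/urandom; $RANDOM (used in the post's
# md5sum recipe) has only 15 bits of entropy, i.e. 32768 possible values,
# no matter how they are hashed afterwards.
gen_password() {
    local len=${1:-12} pass
    if [ "$len" -lt 8 ]; then
        echo "gen_password: length must be at least 8" >&2
        return 1
    fi
    # Redraw until every class is present; for len >= 8 this takes a few tries.
    while :; do
        pass=$(tr -dc 'A-Za-z0-9!@#$%^&*' < /dev/urandom | head -c "$len")
        check_complexity "$pass" && break
    done
    printf '%s\n' "$pass"
}

# Create test1..test$1.  chpasswd reads user:password pairs on stdin and
# exists on every distribution, unlike the Red Hat-only passwd --stdin.
# chage -d 0 marks the password as expired so the user must replace it at
# first login; the one-time password is printed for the administrator.
provision_users() {
    local n=$1 i user pass
    if [ -z "${DRY_RUN:-}" ] && [ "$(id -u)" -ne 0 ]; then
        echo "provision_users: run as root, or set DRY_RUN=1" >&2
        return 1
    fi
    for i in $(seq 1 "$n"); do
        user="test$i"
        if [ -z "${DRY_RUN:-}" ] && id "$user" >/dev/null 2>&1; then
            echo "skip $user: already exists" >&2
            continue
        fi
        pass=$(gen_password 12)
        if [ -n "${DRY_RUN:-}" ]; then
            echo "useradd $user"
            echo "chpasswd <<< '$user:<password>'"
            echo "chage -d 0 $user"
        else
            useradd "$user"
            printf '%s:%s\n' "$user" "$pass" | chpasswd
            chage -d 0 "$user"
        fi
        printf '%s\t%s\n' "$user" "$pass"   # hand this out once, then discard
    done
}

# Usage: DRY_RUN=1 ./provision.sh 3      or, as root:   ./provision.sh 100
if [ $# -gt 0 ]; then
    provision_users "$1"
fi
```

The post's own md5sum output (9320a6f282d) fails check_complexity because it has no uppercase letter and no special character, while the mkpasswd output (mQR1u^=q5Y) passes.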

4. The user creation process

When a user is created, useradd takes its defaults from two files: /etc/login.defs and /etc/default/useradd (the latter can also be shown with useradd -D).
Options given on the useradd command line override the defaults from these two files.

[root@yinwucheng ~]# grep "^[a-Z]" /etc/login.defs
MAIL_DIR /var/spool/mail        # where the user's mail spool is created
PASS_MAX_DAYS 99999             # maximum number of days a password may be used (99999 means it effectively never expires)
PASS_MIN_DAYS 0                 # minimum number of days between password changes
PASS_MIN_LEN 5                  # minimum password length
PASS_WARN_AGE 7                 # warn the user 7 days before the password expires
UID_MIN          1000           # regular users get UIDs starting at 1000
UID_MAX         60000           # ... up to 60000
SYS_UID_MIN        201          # system users (useradd -r) get UIDs starting at 201
SYS_UID_MAX        999          # ... up to 999
GID_MIN          1000           # the same ranges apply to group IDs
GID_MAX         60000
SYS_GID_MIN        201
SYS_GID_MAX        999
CREATE_HOME yes                 # create a home directory for the user, under /home
UMASK      077                  # mode mask applied to the new home directory (it ends up drwx------)
USERGROUPS_ENAB yes             # create a private group named after the user and make it the primary group
ENCRYPT_METHOD SHA512           # hash passwords in /etc/shadow with SHA-512 ($6$ hashes)
[root@yinwucheng ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100               # primary group used when no group is given and USERGROUPS_ENAB in /etc/login.defs is no: GID 100
HOME=/home              # base directory under which home directories are created
INACTIVE=-1             # days after password expiry before the account is disabled; -1 means never disable
EXPIRE=                 # account expiration date; empty means the account never expires
SHELL=/bin/bash         # default login shell
SKEL=/etc/skel          # skeleton directory whose files (.bashrc, .bash_profile, ...) are copied into the new home directory
CREATE_MAIL_SPOOL=yes   # create the mail spool file
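PASS_MAX_DAYS and ENCRYPT_METHOD only describe what useradd will set for new accounts; existing entries in /etc/shadow may not match them. The following added example (not code from the original post) audits shadow entries against such a policy. The sample shadow lines are constructed for the example, the 90-day policy and the function names are this example's assumptions, and reading the real /etc/shadow requires root.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit /etc/shadow entries against
# the aging and hashing policy that /etc/login.defs describes (PASS_MAX_DAYS,
# ENCRYPT_METHOD).  Real use: sudo ./audit.sh /etc/shadow 90

# Constructed sample (not from any real system).  Shadow fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved.  The lines cover
# a never-expiring SHA-512 password (max 99999, the stock PASS_MAX_DAYS), a
# compliant one, an empty password field, a legacy MD5 ($1$) hash, and a
# locked account ("!!") that is fine as it is.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:18000:0:90:7:::
bob::18000:0:99999:7:::
carol:$1$saltsalt$hashhashhash:18000:0:99999:7:::
test1:!!:18000:0:99999:7:::'

# Print one finding per line ("<user> <problem>").  $1 is the shadow file,
# $2 the PASS_MAX_DAYS the site policy expects (default 90), $3 the hash
# prefix ENCRYPT_METHOD should produce (default $6$ for SHA512).
audit_shadow() {
    local file=$1 max_days=${2:-90} want=${3:-}
    [ -n "$want" ] || want='$6$'
    awk -F: -v max_days="$max_days" -v want="$want" '
        {
            user = $1; hash = $2; maxage = $5
            if (hash == "") {
                print user, "empty password field: logs in with no password"
                next
            }
            # "!", "!!" or "*" mean locked / no usable password: nothing to age.
            if (hash ~ /^[!*]/) next
            if (maxage == "" || maxage + 0 >= 99999)
                print user, "password never expires (max=" maxage ")"
            else if (maxage + 0 > max_days)
                print user, "max age " maxage " exceeds policy " max_days
            if (substr(hash, 1, length(want)) != want)
                print user, "hash is not " want " (" substr(hash, 1, 3) ")"
        }' "$file"
}

# Number of findings, for a pass/fail check in a larger script.
count_findings() {
    audit_shadow "$@" | grep -c .
}

if [ $# -gt 0 ]; then
    audit_shadow "$@"
fi
```

On the sample, root is flagged once (never expires), bob once (empty field), carol twice (never expires and an MD5 hash), alice and the locked test1 not at all.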

5. User group management

1. Create a group: groupadd [-g GID] groupname
[root@yinwucheng ~]# groupadd zhuzhu
[root@yinwucheng ~]# groupadd -g 6666 gougou
[root@yinwucheng ~]# grep "6666" /etc/group
gougou:x:6666:

2. Create a system group: groupadd -r groupname (the GID is taken from the SYS_GID_MIN..SYS_GID_MAX range)

[root@yinwucheng ~]# groupadd -r maomao
[root@yinwucheng ~]# grep "maomao" /etc/group
maomao:x:993:
3. Modify a group: groupmod
-g change the group's GID
[root@yinwucheng ~]# groupmod -g 7777 gougou
[root@yinwucheng ~]# grep "7777" /etc/group
gougou:x:7777:
-n change the group's name
[root@yinwucheng ~]# groupmod gougou -n gg
[root@yinwucheng ~]# grep "7777" /etc/group
gg:x:7777:
4. Delete a group: groupdel. A group that is the primary group of an existing user cannot be deleted; delete that user (or change their primary group) first. Supplementary membership does not block deletion.
[root@yinwucheng ~]# groupadd dawang
[root@yinwucheng ~]# groupadd laowang
[root@yinwucheng ~]# useradd xiaowang
[root@yinwucheng ~]# useradd gb -g laowang
[root@yinwucheng ~]# usermod xiaowang -G laowang,dawang
[root@yinwucheng ~]# id xiaowang
uid=6775(xiaowang) gid=7778(xiaowang)
groups=7778(xiaowang),7779(dawang),7780(laowang)
[root@yinwucheng ~]# userdel -r xiaowang
[root@yinwucheng ~]# groupdel dawang
[root@yinwucheng ~]# groupdel laowang
groupdel: cannot remove the primary group of user 'gb'
[root@yinwucheng ~]# userdel -r gb
[root@yinwucheng ~]# groupdel laowang

8. Switching users and privilege escalation

su: switch to another user. You must know that user's password (for root, the root password), so handing the password around is not safe.
sudo: run individual commands with rights that root has assigned in advance to specific users. Safer and more convenient, but the configuration is more involved.
1. Interactive: requires constant user input
2. Non-interactive
3. Login shell: opened by supplying a user name and password
4. Non-login shell: a bash window opened without logging in again
su - username starts a login shell, su username starts a non-login shell; the difference is which environment gets loaded.
su - username (login shell) loads the target user's full environment: /etc/profile, the user's own profile, and the user's HOME and PATH.
su username (non-login shell) keeps most of the caller's environment and loads only part of the target's (~/.bashrc), so variables the profile would have set may be empty and commands may fail. Prefer su - unless you have a specific reason not to.

9. sudo privilege escalation

1. root assigns the rights in advance.
2. The rights are tied to specific users (or groups).
3. Granting all of root's rights is too much. Can a grant be limited to a single command, with everything else refused? Yes, with command aliases:
1. The first approach: use sudo's own aliases to define several users as a group (User_Alias).
[root@yinwucheng ~]# visudo
1. Define groups of users inside sudo; these have nothing to do with the system groups in /etc/group.
User_Alias OPS = oldboy,oldgirl
User_Alias DEV = alex
2. Define groups of permitted commands (Cmnd_Alias) to refer to later:
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start *
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
Arguments listed in a Cmnd must match the command line exactly, so /usr/bin/systemctl start on its own would only ever match a bare sudo systemctl start with no unit name; the trailing * permits any unit. Also be careful what goes into the aliases: chown/chmod on arbitrary files (DELEGATING), package managers that run install scriptlets (SOFTWARE) and mount effectively give full root to anyone allowed to run them.
3. Grant the rights:
OPS  ALL=(ALL) NETWORKING,SOFTWARE,SERVICES,STORAGE,DELEGATING,PROCESSES
DEV  ALL=(ALL) SOFTWARE,PROCESSES
4. Log in as one of those users and verify the rights with sudo -l.

2. The second approach: create real system groups with groupadd, grant sudo rights to the groups (%group in sudoers), and simply add each new user to the right group.

1. Add two real system groups, group_dev and group_op
[root@yinwucheng ~]# groupadd group_dev
[root@yinwucheng ~]# groupadd group_op

2. Add two users to each group: group_dev (user_a, user_b), group_op (user_c, user_d)
[root@yinwucheng ~]# useradd user_a -G group_dev
[root@yinwucheng ~]# useradd user_b -G group_dev
[root@yinwucheng ~]# useradd user_c -G group_op
[root@yinwucheng ~]# useradd user_d -G group_op

3. Remember to set their passwords ("1" is for the demo only; it fails every complexity rule above)
[root@yinwucheng ~]# echo "1" | passwd --stdin user_a
[root@yinwucheng ~]# echo "1" | passwd --stdin user_b
[root@yinwucheng ~]# echo "1" | passwd --stdin user_c
[root@yinwucheng ~]# echo "1" | passwd --stdin user_d

4. Configure the rules in sudoers (systemctl start gets a trailing * so that a unit name may follow it)
[root@yinwucheng ~]# visudo
 Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
 Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
 Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start *
 Cmnd_Alias STORAGE = /bin/mount, /bin/umount
 Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
 Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
 %group_dev ALL=(ALL) SOFTWARE
 %group_op ALL=(ALL) SOFTWARE,PROCESSES

5. Check the sudoers file for syntax errors (always edit it through visudo, which locks the file and refuses to save a broken one)
[root@yinwucheng ~]# visudo -c
/etc/sudoers: parsed OK

6. Check the sudo rights of user_a and user_d
[user_a@yinwucheng ~]$ sudo -l
User user_a may run the following commands on www:
 (ALL) /bin/rpm, /usr/bin/yum
[user_d@yinwucheng ~]$ sudo -l
User user_d may run the following commands on www:
 (ALL) /bin/rpm, /usr/bin/yum, /bin/nice, /bin/kill, /usr/bin/kil
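Both approaches above end with visudo -c, and a fragment under /etc/sudoers.d deserves the same check before it is installed. The following added example (not code from the original post) wraps that check and also flags rules that grant root-equivalent commands. The DANGEROUS list and the regex are this example's own heuristic, the function names are assumptions, and SAMPLE_SUDOERS is the post's second-approach rules rewritten as a constructed fragment with the systemctl wildcard fixed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install a sudoers fragment only
# after visudo has checked it, and flag rules that hand out more than intended.
# The DANGEROUS list and the lint regex are this example's own heuristic.

# Commands that give the caller root outright when run through sudo: anything
# that changes permissions or ownership of arbitrary files (chmod u+s /bin/bash,
# chown on /etc/shadow), package managers that run install scriptlets, mount,
# shells, editors and pagers with shell escapes.
DANGEROUS='chmod|chown|chgrp|rpm|yum|dnf|apt|apt-get|mount|su|bash|sh|vi|vim|less|more|find|awk|python|python3'

# Print every non-comment line of a sudoers file that names one of those
# commands (directly or inside a Cmnd_Alias); return 1 if any was found.
lint_sudoers() {
    local file=$1 pattern hits
    pattern="(^|[ ,=])/[^ ,]*/($DANGEROUS)([ ,]|$)"
    hits=$(grep -vE '^[[:space:]]*#' "$file" | grep -E "$pattern") || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Number of flagged lines, for scripts that want a count.
count_dangerous() {
    lint_sudoers "$1" | grep -c .
}

# Copy a fragment into /etc/sudoers.d only if visudo -c accepts it (-f points
# visudo at a file other than /etc/sudoers).  A syntax error in sudoers.d
# breaks sudo for everyone, and the file must be mode 0440 or sudo ignores it.
install_sudoers_fragment() {
    local src=$1 name=$2 tmp
    tmp=$(mktemp)
    cp "$src" "$tmp"
    if ! visudo -cf "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    lint_sudoers "$tmp" >&2 || echo "warning: $name grants root-equivalent commands" >&2
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
    rm -f "$tmp"
}

# Constructed sample: the post's second-approach rules as a sudoers.d fragment.
# "systemctl start *" carries a wildcard because arguments listed in a Cmnd
# must match exactly: "/usr/bin/systemctl start" alone would only match a
# bare "sudo systemctl start" with no unit name.
SAMPLE_SUDOERS='Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start *
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
%group_dev ALL=(ALL) SOFTWARE
%group_op  ALL=(ALL) SOFTWARE,PROCESSES'

# Usage: ./sudoers-check.sh fragment [name]    (giving a name installs it)
if [ $# -ge 1 ]; then
    lint_sudoers "$1"
    if [ $# -ge 2 ]; then
        install_sudoers_fragment "$1" "$2"
    fi
fi
```

Run against SAMPLE_SUDOERS the lint flags the SOFTWARE, STORAGE and DELEGATING aliases: rpm/yum, mount and chown/chmod/chgrp are each a short step from a root shell, so %group_dev and %group_op end up with far more than "install packages".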

Today's summary:

1. passwd sets a user's password

2. The user creation process [understand: /etc/login.defs and /etc/default/useradd supply the defaults]

3. Basic group management

  - create a group  groupadd
  - modify a group  groupmod
  - delete a group  groupdel

4. su versus su -: they load different environment variables (su - gives a login shell)

5. sudo privilege escalation

  - an administrator assigns rights with visudo; visudo -c checks the syntax
  - ordinary users only need to check their own sudo rights with sudo -l

Origin www.cnblogs.com/yinwu/p/11486276.html