Passwords
1. Set a password for a new user (only root can do this)
Interactive password setting
[root@node2~]# useradd ennan
[root@node2~]# passwd ennan
Changing password for user ennan.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
Non-interactive password setting
[root@node2~]# echo "qwert" | passwd --stdin ennan
Changing password for user ennan.
passwd: all authentication tokens updated successfully.
Batch-create users with a script
[root@node2~]# cat user.sh
for i in {1..100}
do
useradd test$i
echo "123456" | passwd --stdin test$i
done
2. Change a user's password
- Change another user's password (only root can do this)
[root@node2~]# passwd test50
Changing password for user test50.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
- Change your own password (any user can do this for their own account)
[test50@node2 ~]$ passwd
Changing password for user test50.
Changing password for test50.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
3. Generate complex passwords
Generate a random password with $RANDOM
[ennan@node2 ~]$ echo $RANDOM | md5sum | cut -c 6-15
45de81b10c
# $RANDOM produces a random number; pipe it through md5sum and take characters 6-15 of the hex digest
Generate a random password with mkpasswd
[root@node2~]# yum install expect -y
# install the expect package, which provides mkpasswd
[ennan@node2 ~]$ mkpasswd
RObm2sf3-
[root@node2~]# mkpasswd -l 10 -d 3 -c 2 -C 3 -s 2
# -l password length, -d number of digits, -c number of lowercase letters, -C number of uppercase letters, -s number of special characters
pS6q37(FE+
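The two generators above have very different strength: $RANDOM is a 15-bit number, so `echo $RANDOM | md5sum` can only ever produce 32768 distinct passwords, and user.sh above gives every account the same password. The following script is an added example (not code from the original page): it draws each character from /dev/urandom, keeps only candidates that contain the same character classes mkpasswd's -d/-c/-C/-s options count, and builds the per-user "user:password" batch that chpasswd(8) reads so that no password is passed on a command line. The character set and the default length of 12 are choices made for this example; create_users_from_batch needs root and is defined but not run.

```shell
#!/bin/sh
# password_has_all_classes PASSWORD: returns 0 when the password has at least one
# digit, one lowercase letter, one uppercase letter and one non-alphanumeric
# character (the classes mkpasswd's -d/-c/-C/-s options control).
password_has_all_classes() {
  case "$1" in *[[:digit:]]*) ;; *) return 1 ;; esac
  case "$1" in *[[:lower:]]*) ;; *) return 1 ;; esac
  case "$1" in *[[:upper:]]*) ;; *) return 1 ;; esac
  case "$1" in *[![:alnum:]]*) ;; *) return 1 ;; esac
  return 0
}

# gen_password [LENGTH]: random password from the kernel CSPRNG, regenerated
# until it satisfies password_has_all_classes. The character set below is an
# assumption for this example (68 symbols, no shell metacharacters or ':').
gen_password() {
  local len pw
  len="${1:-12}"
  [ "$len" -ge 4 ] || { echo "gen_password: length must be at least 4" >&2; return 1; }
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+=_@' < /dev/urandom | head -c "$len")
    if password_has_all_classes "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
}

# build_chpasswd_batch USER...: emit the "user:password" lines chpasswd(8) reads
# on stdin, with a fresh password per account instead of one shared password.
build_chpasswd_batch() {
  local name
  for name in "$@"; do
    printf '%s:%s\n' "$name" "$(gen_password 12)"
  done
}

# create_users_from_batch < batch.txt   (root only; defined here but not run)
# Creates each account that does not exist yet, then hands the whole batch to a
# single chpasswd invocation so the passwords never appear in argv or history.
create_users_from_batch() {
  local line name
  while IFS= read -r line; do
    name=${line%%:*}
    id "$name" >/dev/null 2>&1 || useradd "$name"
    printf '%s\n' "$line"
  done | chpasswd
}

# Demo with two constructed account names.
build_chpasswd_batch test1 test2
```

Store the batch file with mode 600 and delete it after chpasswd has consumed it; the generated passwords are the only copy.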
How user creation works
Creating a user consults two files, /etc/login.defs and /etc/default/useradd. Any option passed explicitly to useradd overrides the corresponding setting from those files.
- Relevant settings in /etc/login.defs
[root@node2~]# egrep -v "^$|#" /etc/login.defs
MAIL_DIR /var/spool/mail    # mail spool directory
PASS_MAX_DAYS 99999         # maximum password age in days
PASS_MIN_DAYS 0             # minimum days between password changes
PASS_MIN_LEN 5              # minimum password length
PASS_WARN_AGE 7             # warn 7 days before the password expires
UID_MIN 1000                # regular user UIDs start at 1000
UID_MAX 60000               # regular user UIDs end at 60000
SYS_UID_MIN 201             # system user UIDs start at 201
SYS_UID_MAX 999             # system user UIDs end at 999
GID_MIN 1000                # regular GIDs start at 1000
GID_MAX 60000               # regular GIDs end at 60000
SYS_GID_MIN 201             # system GIDs start at 201
SYS_GID_MAX 999             # system GIDs end at 999
CREATE_HOME yes             # create a home directory for each new user
UMASK 077                   # mode mask applied when the home directory is created
USERGROUPS_ENAB yes         # give each new user a private group of the same name
ENCRYPT_METHOD SHA512       # hash algorithm for passwords stored in /etc/shadow
- Relevant settings in /etc/default/useradd
[root@node2~]# egrep -v "^$|#" /etc/default/useradd
GROUP=100                   # default primary group when no private group is created
HOME=/home                  # base directory for users' home directories
INACTIVE=-1                 # days after password expiry before the account is disabled; -1 means never
EXPIRE=                     # account expiration date (empty: never)
SHELL=/bin/bash             # default login shell
SKEL=/etc/skel              # skeleton directory whose files (shell startup files) are copied into the new home directory
CREATE_MAIL_SPOOL=yes       # create a mail spool for the user
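Because these two files decide the defaults for every account useradd creates, they are worth auditing on a host. The following is an added example (not from the original page): a reader for login.defs-style "KEY VALUE" files that skips comments and blank lines, plus an audit that flags the settings shown above (PASS_MAX_DAYS 99999 is never expiring, PASS_MIN_LEN 5 is short). The thresholds of 365 days and 12 characters, the sample text, and the function names are assumptions of this example. Note that on PAM-based systems such as CentOS 7 passwd typically enforces length and complexity through pam_pwquality (/etc/security/pwquality.conf) rather than PASS_MIN_LEN, so a login.defs audit should be paired with a look at that file.

```shell
#!/bin/sh
# Constructed /etc/login.defs excerpt with the values listed above (not read from a live host).
LOGIN_DEFS_SAMPLE='# Password aging controls (constructed sample)
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512'

# login_defs_get KEY   (login.defs text on stdin)
# Prints the value of KEY, ignoring comment and blank lines; when a key is
# assigned more than once, the last assignment wins.
login_defs_get() {
  awk -v key="$1" '/^[ \t]*#/ || NF < 2 { next } $1 == key { val = $2 } END { print val }'
}

# audit_login_defs [MAX_DAYS] [MIN_LEN]   (login.defs text on stdin)
# Prints one finding per line for settings weaker than the thresholds; prints
# nothing when everything passes. Thresholds are assumptions for this example.
audit_login_defs() {
  local max_ok len_ok text max_days min_len method umask_v
  max_ok="${1:-365}" len_ok="${2:-12}"
  text=$(cat)
  max_days=$(printf '%s\n' "$text" | login_defs_get PASS_MAX_DAYS)
  min_len=$(printf '%s\n' "$text" | login_defs_get PASS_MIN_LEN)
  method=$(printf '%s\n' "$text" | login_defs_get ENCRYPT_METHOD)
  umask_v=$(printf '%s\n' "$text" | login_defs_get UMASK)
  [ -n "$max_days" ] && [ "$max_days" -le "$max_ok" ] \
    || echo "PASS_MAX_DAYS=${max_days:-unset}: above $max_ok days, passwords effectively never expire"
  [ -n "$min_len" ] && [ "$min_len" -ge "$len_ok" ] \
    || echo "PASS_MIN_LEN=${min_len:-unset}: below $len_ok characters (check pam_pwquality too)"
  case "$method" in
    SHA512|SHA256|YESCRYPT) ;;
    *) echo "ENCRYPT_METHOD=${method:-unset}: use SHA512 (or YESCRYPT where supported)" ;;
  esac
  case "$umask_v" in
    077|027) ;;
    *) echo "UMASK=${umask_v:-unset}: new home directories may be readable by others" ;;
  esac
}

# Demo on the constructed sample; on a real host use: audit_login_defs < /etc/login.defs
printf '%s\n' "$LOGIN_DEFS_SAMPLE" | audit_login_defs
```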
Group management
Creating groups
Create group g1 with GID 666
[root@node2~]# groupadd -g 666 g1
[root@node2~]# grep "666" /etc/group
g1:x:666:
Create system group g2
[root@node2~]# groupadd -r g2
[root@node2~]# grep "g2" /etc/group
g2:x:665:
Modifying groups
Change the GID of g1 to 777
[root@node2~]# groupmod -g 777 g1
[root@node2~]# grep "g1" /etc/group
g1:x:777:
Rename group g1 to gg
[root@node2~]# groupmod g1 -n gg
[root@node2~]# grep "777" /etc/group
gg:x:777:
Deleting groups
A group that is some user's primary group cannot be deleted; delete (or reassign) those users first.
Example 1: delete all the users and groups created below (the original shows them in a diagram)
[root@node2~]# groupadd dawang
[root@node2~]# groupadd laowang
[root@node2~]# useradd xiaowang
[root@node2~]# useradd gd -g laowang
[root@node2~]# usermod xiaowang -G laowang,dawang
[root@node2~]# id xiaowang
uid=3106(xiaowang) gid=3106(xiaowang) groups=3106(xiaowang),6674(dawang),6675(laowang)
[root@node2~]# userdel xiaowang
# first delete user xiaowang (its private group of the same name goes with it)
[root@node2~]# groupdel dawang
# delete group dawang
[root@node2~]# userdel gd
# delete user gd; its primary group laowang was assigned with -g, so it remains and is deleted separately
[root@node2~]# groupdel laowang
# delete group laowang
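The ordering above is forced by the rule that groupdel refuses to remove a group which is still some user's primary group (the fourth field of /etc/passwd), while supplementary membership (the fourth field of /etc/group) does not block it. The following is an added example, not code from the original page: it joins passwd- and group-format data to show which users would block a groupdel before the command is run. The passwd/group excerpts are constructed to mirror the example (gd's UID of 3107 and the home directories are assumed; the page does not show them).

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group excerpts matching the state before the
# deletions above (UID 3107 for gd is assumed).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
xiaowang:x:3106:3106::/home/xiaowang:/bin/bash
gd:x:3107:6675::/home/gd:/bin/bash'
GROUP_SAMPLE='root:x:0:
xiaowang:x:3106:
dawang:x:6674:xiaowang
laowang:x:6675:xiaowang'

# group_gid GROUP GROUP_FILE: print the GID of GROUP; empty if it does not exist.
group_gid() {
  awk -F: -v g="$1" '$1 == g { print $3 }' "$2"
}

# group_primary_users GROUP PASSWD_FILE GROUP_FILE: users whose primary GID
# (4th passwd field) is GROUP's GID. These are the accounts that make groupdel fail.
group_primary_users() {
  local gid
  gid=$(group_gid "$1" "$3")
  [ -n "$gid" ] || return 1
  awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# group_supplementary_users GROUP GROUP_FILE: members listed in the group entry
# itself; groupdel simply drops these memberships, so they do not block it.
group_supplementary_users() {
  awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# groupdel_would_succeed GROUP PASSWD_FILE GROUP_FILE: 0 when the group exists
# and no user has it as primary group.
groupdel_would_succeed() {
  [ -n "$(group_gid "$1" "$3")" ] || return 1
  [ -z "$(group_primary_users "$1" "$2" "$3")" ]
}

# Demo: write the constructed samples to temporary files and check both groups.
# On a real host pass /etc/passwd and /etc/group instead.
tmp=$(mktemp -d)
printf '%s\n' "$PASSWD_SAMPLE" > "$tmp/passwd"
printf '%s\n' "$GROUP_SAMPLE" > "$tmp/group"
for grp in dawang laowang; do
  if groupdel_would_succeed "$grp" "$tmp/passwd" "$tmp/group"; then
    echo "$grp: can be deleted (supplementary members only: $(group_supplementary_users "$grp" "$tmp/group" | tr '\n' ' '))"
  else
    echo "$grp: blocked, primary group of: $(group_primary_users "$grp" "$tmp/passwd" "$tmp/group" | tr '\n' ' ')"
  fi
done
```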
Privilege elevation
Elevation with su
su - username starts a login shell, whereas su username starts a non-login shell; the difference is which startup files, and therefore which environment variables, get loaded.
su - gives a login shell and loads all of the startup files
[root@node2~]# su - root
Last login: Tue Aug 6 14:55:23 CST 2019 from 192.168.16.44 on pts/2
/etc/profile
/etc/profile.d/1.sh
~/.bash_profile!
/etc/bashrc!
/etc/bashrc!
Plain su gives a non-login shell and loads only some of the startup files
[root@node2~]# su root
/etc/bashrc!
/etc/bashrc!
/etc/profile.d/1.sh
Drawback of switching with su: you must know the target user's password, which is insecure to share.
Elevation with sudo
1. Granting sudo rights to a single user
A regular user cannot run yum:
[test1@node2 ~]$ sudo yum install wget
[sudo] password for test1:
test1 is not in the sudoers file. This incident will be reported.
As root, run visudo to grant the user the right
[root@node2~]# visudo
# edit the configuration
[root@node2~]# visudo -c
# check the file syntax
/etc/sudoers: parsed OK
Add a rule equivalent to the following (the original shows it only as a screenshot of the visudo session; it matches the sudo -l output below):
test1 ALL=(ALL) /usr/bin/yum
Log in as test1 and check the user's rights
[test1@node2 ~]$ sudo -l
[sudo] password for test1:
Matching Defaults entries for test1 on node2:
.......
.......
.......
User test1 may run the following commands on node2:
(ALL) /usr/bin/yum
Running yum through sudo now succeeds
[test1@node2 ~]$ sudo yum install wget
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package wget-1.14-18.el7_6.1.x86_64 already installed and latest version
Nothing to do
2. Use the alias facility built into sudoers to define several users as one group
As root, run visudo to set the users' rights
[root@node2~]# visudo
# edit the configuration
[root@node2~]# visudo -c
# check the file syntax
/etc/sudoers: parsed OK
The lines added in visudo are mainly the following:
root ALL=(ALL) ALL
# user aliases: test2 and test3 form the OPS group; test4 forms the DEV group
User_Alias OPS = test2,test3
User_Alias DEV = test4
# command aliases: NETWORKING stands for ifconfig and ping
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
# map each user alias to its command aliases
OPS ALL=(ALL) NETWORKING,SOFTWARE,STORAGE
DEV ALL=(ALL) NETWORKING
(screenshot in the original: the alias and rights settings in visudo)
Log in as test3 and view the rights
[test3@node2 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test3:
Matching Defaults entries for test3 on node2:
.......
.......
.......
User test3 may run the following commands on node2:
(ALL) /sbin/ifconfig, /bin/ping, /bin/rpm, /usr/bin/yum,
/bin/mount, /bin/umount
Log in as test4 and view the rights
[test4@node2 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test4:
Matching Defaults entries for test4 on node2:
.......
.......
.......
User test4 may run the following commands on node2:
(ALL) /sbin/ifconfig, /bin/ping
3. Create a group with groupadd, grant sudo rights to the group, and add new users to that group as they arrive.
Add the users to their groups
[root@node2~]# groupadd group_dev
[root@node2~]# groupadd group_op
[root@node2~]# usermod test5 -G group_dev
[root@node2~]# usermod test6 -G group_dev
[root@node2~]# usermod test7 -G group_op
[root@node2~]# id test5
uid=3010(test5) gid=3010(test5) groups=3010(test5),6674(group_dev)
[root@node2~]# id test6
uid=3011(test6) gid=3011(test6) groups=3011(test6),6674(group_dev)
[root@node2~]# id test7
uid=3012(test7) gid=3012(test7) groups=3012(test7),6675(group_op)
Edit the sudoers file with visudo
[root@node2~]# visudo
# edit the configuration
[root@node2~]# visudo -c
# check the file syntax
/etc/sudoers: parsed OK
The lines added in visudo are mainly the following:
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
# % denotes a group; without it the name is taken as a user name
%group_dev ALL=(ALL) NETWORKING,STORAGE
%group_op ALL=(ALL) SOFTWARE
Log in as test6 and view the user's rights
[test6@node2 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test6:
Matching Defaults entries for test6 on node2:
.......
.......
.......
User test6 may run the following commands on node2:
(ALL) /sbin/ifconfig, /bin/ping, /bin/mount, /bin/umount
Log in as test7 and view the rights
[test7@node2 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test7:
Matching Defaults entries for test7 on node2:
.......
.......
.......
User test7 may run the following commands on node2:
(ALL) /bin/rpm, /usr/bin/yum
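Sections 2 and 3 above both rely on sudoers resolving User_Alias, Cmnd_Alias and %group entries to the command lists that `sudo -l` reports. The following is an added example (not code from the original page or from the sudo project): a small awk-based resolver that expands a sudoers fragment offline for a given user and its groups, which is handy for reviewing a proposed change before committing it with visudo. It handles only the subset of the syntax the page uses (User_Alias, Cmnd_Alias, one-level aliases, `WHO HOSTS=(RUNAS) COMMANDS` rules); no Host_Alias, Runas_Alias, Defaults, negations or nested aliases. The sample fragment is constructed from the rules shown above, and `sudo -l` on the host remains the authoritative check.

```shell
#!/bin/sh
# Constructed sudoers fragment combining the rules from sections 2 and 3 above.
SUDOERS_SAMPLE='root ALL=(ALL) ALL
# user aliases
User_Alias OPS = test2,test3
User_Alias DEV = test4
# command aliases
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
OPS ALL=(ALL) NETWORKING,SOFTWARE,STORAGE
DEV ALL=(ALL) NETWORKING
%group_dev ALL=(ALL) NETWORKING,STORAGE
%group_op ALL=(ALL) SOFTWARE'

# resolve_sudo_commands USER [GROUP,GROUP,...]   (sudoers text on stdin)
# Prints the comma-separated commands USER may run with aliases expanded, or
# the literal ALL; prints an empty line when no rule applies.
resolve_sudo_commands() {
  awk -v user="$1" -v groups="${2:-}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
    $1 == "User_Alias" || $1 == "Cmnd_Alias" {     # NAME = member, member
      line = $0
      sub(/^[ \t]*[A-Za-z_]+[ \t]+/, "", line)
      eq = index(line, "=")
      name = trim(substr(line, 1, eq - 1))
      val = trim(substr(line, eq + 1))
      if ($1 == "User_Alias") ualias[name] = val; else calias[name] = val
      next
    }
    {                                              # WHO HOSTS=(RUNAS) COMMANDS
      who = $1
      paren = index($0, ")")
      cmds = trim(substr($0, paren + 1))
      if (!(who in rules)) { order[++nr] = who; rules[who] = cmds }
      else rules[who] = rules[who] "," cmds
    }
    END {
      ng = split(groups, g, ",")
      for (r = 1; r <= nr; r++) {
        who = order[r]; applies = 0
        if (who == user) applies = 1
        else if (substr(who, 1, 1) == "%") {
          for (i = 1; i <= ng; i++) if (("%" g[i]) == who) applies = 1
        } else if (who in ualias) {
          nm = split(ualias[who], members, ",")
          for (i = 1; i <= nm; i++) if (trim(members[i]) == user) applies = 1
        }
        if (!applies) continue
        nc = split(rules[who], parts, ",")
        for (i = 1; i <= nc; i++) {
          p = trim(parts[i])
          out = out (out == "" ? "" : ", ") ((p in calias) ? calias[p] : p)
        }
      }
      print out
    }'
}

# Demo: the same users the page checks with sudo -l.
for u in test3 test4; do
  printf '%s may run: %s\n' "$u" "$(printf '%s\n' "$SUDOERS_SAMPLE" | resolve_sudo_commands "$u")"
done
printf 'test6 (group_dev) may run: %s\n' "$(printf '%s\n' "$SUDOERS_SAMPLE" | resolve_sudo_commands test6 group_dev)"
printf 'test7 (group_op) may run: %s\n' "$(printf '%s\n' "$SUDOERS_SAMPLE" | resolve_sudo_commands test7 group_op)"
```

To review a change on a host, run `visudo -cf` on the candidate file for syntax, then feed it to this resolver for each affected account; a user who unexpectedly resolves to ALL, or who gains a command alias that includes an editor or shell, is the kind of drift this catches before it reaches /etc/sudoers.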