**Description:**
1. This post records the configuration of CentOS 7 user accounts: adding users, adding user groups, deleting users and deleting user groups. It also looks at the user configuration files and directories, and considers the security implications.
2. In terms of user configuration, CentOS 7 feels no different from previous versions.
Part 1: Getting to Know Users
The CentOS 7 system here is a minimal install, whose default configuration creates no users other than root. On a server, day-to-day work is usually done as a regular (non-root) user for safety, which means creating and deleting users and user groups.
In addition, like other Linux distributions, CentOS 7 keeps the corresponding user configuration in the following files and directories:
/etc/passwd // User account information; the user names can be seen here
/etc/shadow // Encrypted user account (password) information, including but not limited to what is in /etc/passwd
/etc/group // Group account information; the group names can be seen here
/etc/gshadow // Group account security information, including but not limited to what is in /etc/group
/etc/default/useradd // Default values applied when an account is created
/etc/skel/ // Directory containing default (skeleton) files; its specific role is not covered in this post
/etc/login.defs // The default security configuration, which is separate from /etc/default/useradd above
Let's take a look at the more important configuration file /etc/default/useradd; its contents are as follows:
# useradd defaults file
GROUP=100 // Default GID value
HOME=/home // Location of home directories
INACTIVE=-1 // Days after password expiry before the account is disabled; a negative value means never, a positive number is a day count
EXPIRE=
SHELL=/bin/bash // Login shell path
SKEL=/etc/skel // Path to the default (skeleton) files
CREATE_MAIL_SPOOL=yes // Whether to create a mail spool; its exact role comes up later
Let's look at the /etc/login.defs file next; the key contents are as follows:
MAIL_DIR /var/spool/mail
...
# Password aging controls: // password validity period configuration
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
...
# Min/max values for automatic uid selection in useradd // minimum/maximum UID settings
#
UID_MIN 1000 // UIDs of the users we create start from 1000
UID_MAX 60000
...
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
...
CREATE_HOME yes // Whether to create a home directory
...
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
From its contents, /etc/login.defs is the broader, system-wide policy file, and much of it concerns security: password aging, UID/GID ranges and the password hashing method.
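As an added example (not code from the original post), the following POSIX shell script reads a login.defs-style file and flags the settings quoted above that weaken password security: a PASS_MAX_DAYS of 99999 means passwords effectively never expire, and anything other than a SHA-2 ENCRYPT_METHOD is worth a look. Both sample files are constructed inside the script, and the 365-day threshold is an assumed local policy, not something from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a login.defs-style file.
# Sample content is constructed here so the script never touches the real
# /etc/login.defs; pass that path instead to audit a live system.

SAMPLE_LOGIN_DEFS="$(mktemp)"
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# constructed sample mirroring the CentOS 7 defaults quoted in the post
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
CREATE_HOME     yes
ENCRYPT_METHOD  SHA512
EOF

HARDENED_LOGIN_DEFS="$(mktemp)"
cat > "$HARDENED_LOGIN_DEFS" <<'EOF'
# constructed sample with the aging settings tightened
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
UID_MIN         1000
ENCRYPT_METHOD  SHA512
EOF

MAX_DAYS_POLICY=365   # assumed local policy: passwords must rotate within a year

# defs_get FILE KEY -> prints the value of KEY (last uncommented occurrence)
defs_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# login_defs_findings FILE -> prints one finding per line and returns the
# number of findings, so 0 means the file passed every check
login_defs_findings() {
    f="$1"; n=0
    max_days=$(defs_get "$f" PASS_MAX_DAYS)
    min_len=$(defs_get "$f" PASS_MIN_LEN)
    method=$(defs_get "$f" ENCRYPT_METHOD)
    if [ -z "$max_days" ] || [ "$max_days" -gt "$MAX_DAYS_POLICY" ]; then
        echo "PASS_MAX_DAYS=${max_days:-unset}: passwords never expire in practice"
        n=$((n + 1))
    fi
    if [ -z "$min_len" ] || [ "$min_len" -lt 8 ]; then
        echo "PASS_MIN_LEN=${min_len:-unset}: below 8"
        n=$((n + 1))
    fi
    case "$method" in
        SHA512|SHA256) ;;   # SHA-2 crypt: acceptable
        *) echo "ENCRYPT_METHOD=${method:-unset}: expected SHA512"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# usage: both calls print their findings; the exit status is the count
login_defs_findings "$SAMPLE_LOGIN_DEFS"
login_defs_findings "$HARDENED_LOGIN_DEFS"
```

Note that on CentOS 7 the minimum password length that users actually hit is enforced by pam_pwquality (see /etc/security/pwquality.conf), not by PASS_MIN_LEN, so the PASS_MIN_LEN check above is a sanity check on the file rather than the whole story.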
Here are the commands commonly used in practice:
useradd // Add a user
passwd // Set a user's password
userdel // Delete a user
usermod // Modify user information
groupadd // Add a user group
groupdel // Delete a user group
groupmod // Modify user group information
groups // Display the groups a user belongs to (by default, the user running the command)
Part 2: Creating Users
Example 1: The simplest way to create a user
Run the following commands:
useradd test
passwd test
The result is shown in the figure. The system checks the password for things like length and complexity, but a weak password does not prevent the account from being created; treat the check as a "friendly reminder".
A user named test has now been created. Let's look at its properties.
Run: id test // view the user's information
We see uid=1000, gid=1000 and membership of the group test: a user created with no parameters gets a new group with the same name by default and is placed in it. The UID and GID also match the defaults in the configuration file (UID_MIN and GID_MIN are 1000), so the file is in effect; create another user and you will see UID and GID 1001. Try it. Switching to /home, we find the user's home directory, again consistent with the configuration file.
Example 2: Creating an account with parameters
In the previous example we used the default configuration and only set the user name and password. This time we set the UID, GID and so on manually. First, let's look at the parameters of useradd:
-b, --base-dir BASE_DIR       base directory for the home directory of the new account
-c, --comment COMMENT         GECOS field of the new account
-d, --home-dir HOME_DIR       home directory of the new account
-D, --defaults                print or change the default useradd configuration
-e, --expiredate EXPIRE_DATE  expiration date of the new account
-f, --inactive INACTIVE       password inactivity period of the new account
-g, --gid GROUP               name or ID of the primary group of the new account
-G, --groups GROUPS           list of supplementary groups of the new account
-h, --help                    display this help message and exit
-k, --skel SKEL_DIR           use this alternative skeleton directory
-K, --key KEY=VALUE           override /etc/login.defs defaults
-l, --no-log-init             do not add the user to the lastlog and faillog databases
-m, --create-home             create the user's home directory
-M, --no-create-home          do not create the user's home directory
-N, --no-user-group           do not create a group with the same name as the user
-o, --non-unique              allow creating users with duplicate (non-unique) UIDs
-p, --password PASSWORD       encrypted password of the new account
-r, --system                  create a system account
-R, --root CHROOT_DIR         directory to chroot into
-s, --shell SHELL             login shell of the new account
-u, --uid UID                 user ID of the new account
-U, --user-group              create a group with the same name as the user
-Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
Create a new user test4 with UID=501, GID=600, a 30-day password-inactive period (-f 30, as defined above) and home directory /home/test5.
Commands:
groupadd -g 600 test3 // Create the user group test3 with GID=600
useradd -u 501 -g 600 -f 30 -m -d /home/test5 test4
When we open /etc/passwd again or run id test4, we see our own configuration:
uid=501(test4) gid=600(test3) groups=600(test3)
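Creating accounts by hand is only half the job; a defender also wants to re-read /etc/passwd afterwards and spot entries that look like the ones just created but should not be there. The script below is an added example, not code from the original post: it audits a passwd-format file for a second UID-0 account, duplicate UIDs (which -o permits) and login-capable accounts below UID_MIN, which is exactly what test4 (UID 501, /bin/bash) from Example 2 is. The records are constructed; pointing passwd_audit at the real /etc/passwd works the same way.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/passwd-format data.
# The records below are constructed; two of them are deliberately suspicious.

SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
test:x:1000:1000::/home/test:/bin/bash
test4:x:501:600::/home/test5:/bin/bash
backup:x:0:0:constructed rogue entry:/var/backup:/bin/bash
svc:x:1000:1000:constructed duplicate uid:/srv/svc:/bin/bash
EOF

UID_MIN=1000   # matches UID_MIN in the login.defs quoted in Part 1

# passwd_audit FILE -> one finding per line; prints nothing if the file is clean
#   uid-0-account            a second root-equivalent account
#   system-range-login-shell a UID below UID_MIN that can still log in
#   duplicate-uid            two names sharing one UID (what useradd -o allows)
passwd_audit() {
    awk -F: -v uid_min="$UID_MIN" '
        {
            user = $1; uid = $3; shell = $7
            if (uid == 0 && user != "root")
                print "uid-0-account " user
            if (uid < uid_min && uid != 0 && shell !~ /nologin|false$/)
                print "system-range-login-shell " user " uid=" uid
            if (uid in seen)
                print "duplicate-uid " uid " " seen[uid] "," user
            seen[uid] = user
        }' "$1"
}

# passwd_audit_count FILE -> number of findings, for use in scripts and alerts
passwd_audit_count() {
    passwd_audit "$1" | wc -l | tr -d ' '
}

# usage: prints four findings for the constructed sample
passwd_audit "$SAMPLE_PASSWD"
```

The UID-0 and duplicate-UID checks are the ones to alert on; the system-range check is a policy question (the post's own test4 trips it), which is why the three are labelled separately rather than summed into one score.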
Part 3: Changing User Settings
Different users need different permissions, different shells, and may or may not be allowed to log in. This part uses the usermod command to modify a user's configuration. The test account created in the earlier example has the default shell /bin/bash and can log in.
Prohibit login:
usermod -s /sbin/nologin test // -s specifies the login shell
Change the user name:
usermod -l test88 test // -l specifies the new user name
usermod also has options for the home directory, expiry date, group changes, and locking and unlocking the user; look them up in its help output and try them.
Part 4: Deleting Users and Groups
When a user or group has been created incorrectly, we may want to delete it and recreate it. Users are deleted with the userdel command.
Run:
[root@localhost home]# userdel test
[root@localhost home]# useradd test
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
This happens because, for safety, the system does not delete the user's files and directories when the user is deleted. Let's check the userdel parameters:
Usage: userdel [options] LOGIN
Options:
-f, --force                   force some actions that would fail otherwise
                              e.g. removal of user still logged in
                              or files, even if not owned by the user
-h, --help                    display this help message and exit
-r, --remove                  remove home directory and mail spool
-R, --root CHROOT_DIR         directory to chroot into
-Z, --selinux-user            remove any SELinux user mapping for the user
With -rf, the related files and directories are removed as well. This step is destructive: userdel offers no rollback, so make sure the home directory recorded in /etc/passwd is really the one you want to remove.
Run:
[root@localhost home]# userdel -rf test
[root@localhost home]# useradd test
This time there are no warnings.
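Because userdel -r cannot be undone, it is worth previewing what it would remove first. The script below is an added example, not code from the original post: it looks up the user's home directory in a passwd-format file, refuses to continue when that directory is "/", missing, or shared with another account (a custom -d path, as in Example 2, makes sharing easy to do by accident), and otherwise lists the files that would go. The passwd record is constructed and a temporary directory stands in for the home directory; MAIL_DIR is taken from the login.defs quoted in Part 1.

```shell
#!/bin/sh
# Added example, not from the original post: preview what "userdel -r USER"
# would delete before running it. Constructed sample data: a temp directory
# plays the role of /home/test5 from Example 2.

SAMPLE_HOME="$(mktemp -d)"
echo "keep me" > "$SAMPLE_HOME/notes.txt"
SAMPLE_PASSWD="$(mktemp)"
printf 'test4:x:501:600::%s:/bin/bash\n' "$SAMPLE_HOME" > "$SAMPLE_PASSWD"

MAIL_DIR=/var/spool/mail   # MAIL_DIR from /etc/login.defs

# home_dir_of USER FILE -> prints the 6th passwd field; empty if no such user
home_dir_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# userdel_preview USER FILE -> lists what -r would delete; returns 1 when the
# home directory looks unsafe to remove (missing, "/", or shared by another user)
userdel_preview() {
    user="$1"; file="$2"
    home=$(home_dir_of "$user" "$file")
    [ -n "$home" ] || { echo "no such user: $user"; return 1; }
    echo "home directory: $home"
    echo "mail spool:     $MAIL_DIR/$user"
    [ "$home" = "/" ] && { echo "refusing: home directory is /"; return 1; }
    [ -d "$home" ] || { echo "refusing: home directory does not exist"; return 1; }
    # another account pointing at the same directory would lose its files too
    others=$(awk -F: -v h="$home" -v u="$user" '$6 == h && $1 != u { print $1 }' "$file")
    if [ -n "$others" ]; then
        echo "refusing: home directory shared with: $others"
        return 1
    fi
    echo "files that would be removed:"
    find "$home" -type f
    return 0
}

# usage: preview passes for the constructed record, so "userdel -r test4"
# would be safe to run on a real system with this passwd entry
userdel_preview test4 "$SAMPLE_PASSWD"
```

On a real host, call userdel_preview with /etc/passwd and only run userdel -r when it returns 0; files the user owns outside the home directory are not removed by userdel and can be found separately with find / -xdev -uid UID.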
Part 5: User Security Configuration
In operating system security, user permissions and file permissions are also very important; for now I will just record a few small points. The main goals this time are to prohibit root from logging in remotely and to let ordinary users raise their privileges with sudo. In the last step we created the test user; when it runs a sudo command, the following prompt appears:
test is not in the sudoers file.  This incident will be reported.
To solve this, we only need to add the user test to /etc/sudoers (edit it with visudo, which checks the syntax before saving, since a broken /etc/sudoers disables sudo for everyone), as follows:
// Find the following line and add the new line below it
root ALL=(ALL) ALL
test ALL=(ALL) ALL // this line is added
This should solve the problem.
Addendum: I reinstalled CentOS 7 in a virtual machine and experimented a bit; it did indeed work. The following are the /etc/sudoers attributes (shown in a screenshot that is not reproduced here):
**As you can see, with the setuid bit set, every user has x (execute) permission and can therefore run the sudo command. What follows is my understanding of setuid permissions.**
P.S. The other settings were changed by following information found online, but they did not seem to make a difference; the part that was changed, and its purpose, is posted below:
// Change the owner and group of /usr/bin/sudo
chown root:root /usr/bin/sudo
// Change the mode to 4755; the leading 4 (the setuid bit) makes the file execute as its owner
chmod 4755 /usr/bin/sudo
The commands above change the owner of /usr/bin/sudo to root and make it run as root when executed; that is the meaning of the '4'. If the mode is set to 755 instead of 4755, this error occurs:
sudo: the effective user ID is not 0; is sudo owned by root and does it have the setuid bit set?
The fix, as just described, is to make it run as root (uid=0).
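The error above is really a statement of two conditions: the binary must be owned by root and must carry the setuid bit. The script below is an added example, not code from the original post: it checks an octal mode for the setuid bit, combines that with the owner check, and wraps both in a function that inspects a real path with GNU stat (an assumption: stat -c is GNU-specific, which is fine on CentOS 7). The pure helpers take owner and mode as arguments so they can be exercised without root, and the last function gives a defender the inventory of setuid-root files to compare against a known-good list.

```shell
#!/bin/sh
# Added example, not from the original post: check the conditions sudo needs
# (root-owned, setuid) and inventory setuid-root files. Assumes GNU stat.

# has_setuid MODE -> 0 if the octal mode string has the setuid bit set.
# The special-bits digit is setuid=4, setgid=2, sticky=1, so setuid is
# present when that digit is 4, 5, 6 or 7.
has_setuid() {
    mode="$1"
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done   # "755" -> "0755"
    case "$mode" in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# setuid_root_ok OWNER MODE -> 0 only if owned by root AND setuid is set;
# either condition alone produces the "effective uid is not 0" failure
setuid_root_ok() {
    [ "$1" = "root" ] || return 1
    has_setuid "$2"
}

# inspect_binary PATH -> prints "<path> <owner> <mode> ok|BROKEN"
inspect_binary() {
    owner=$(stat -c '%U' "$1") || return 2
    mode=$(stat -c '%a' "$1")
    if setuid_root_ok "$owner" "$mode"; then verdict=ok; else verdict=BROKEN; fi
    echo "$1 $owner $mode $verdict"
}

# list_setuid_root_files -> every root-owned setuid file on local filesystems.
# A defender keeps a baseline (sudo, su, passwd, mount, ...) and investigates
# anything that appears in this list that is not on it.
list_setuid_root_files() {
    find / -xdev -type f -user root -perm -4000 2>/dev/null
}

# usage on a real system:
#   inspect_binary /usr/bin/sudo      -> "/usr/bin/sudo root 4755 ok"
#   list_setuid_root_files | sort > /root/setuid-baseline.txt
```

Note that mode 4755 is what the post sets; a distribution package may ship sudo as 4111 (setuid, execute-only), which has_setuid also accepts, since the execute bits for the owner, group and others are a separate question from the setuid bit.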
In a real environment, to prevent attackers from brute-forcing the root account, we usually prohibit root from logging in over SSH. The steps are as follows:
// Modify the /etc/ssh/sshd_config file:
// change
# PermitRootLogin yes
// to
PermitRootLogin no
// Restart the sshd service
systemctl restart sshd.service
Note: CentOS 7 deprecates the service command in favour of systemctl. service still works in some cases, but I use systemctl first.
Beyond that, I think the most important topic is how permissions are distributed among different users. I will leave that for now and add notes later based on actual experience.
You can also configure things according to the parameters and your own situation; feel free to share your experience.
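One thing the sshd_config edit above relies on is that sshd uses the first uncommented occurrence of each keyword, so appending "PermitRootLogin no" at the end of a file that still has an active "PermitRootLogin yes" higher up changes nothing. The script below is an added example, not code from the original post: it reports the effective value of a keyword in an sshd_config-style file and wraps that in a root-login check. Both configuration samples are constructed; keyword=value syntax and Match blocks are out of scope here (the function stops at the first Match, since lines after it belong to that block).

```shell
#!/bin/sh
# Added example, not from the original post: report the effective value of
# a keyword in an sshd_config-style file. Samples are constructed.

GOOD_CFG="$(mktemp)"
cat > "$GOOD_CFG" <<'EOF'
# constructed: the edit described in the post
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

TRAP_CFG="$(mktemp)"
cat > "$TRAP_CFG" <<'EOF'
# constructed: a "no" appended after an existing "yes" is ignored by sshd
PermitRootLogin yes
PermitRootLogin no
EOF

# sshd_effective KEYWORD FILE -> prints the first uncommented value for the
# keyword (keywords are case-insensitive) or "unset" if the file does not
# set it, in which case sshd's compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blanks
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# root_login_disabled FILE -> 0 if PermitRootLogin is effectively "no"
root_login_disabled() {
    [ "$(sshd_effective PermitRootLogin "$1")" = "no" ]
}

# usage: prints "no" for the correct edit and "yes" for the appended-line trap
sshd_effective PermitRootLogin "$GOOD_CFG"
sshd_effective PermitRootLogin "$TRAP_CFG"
```

On the server itself, sshd -T prints the fully resolved configuration and is the authoritative way to confirm the setting before restarting the service; the parser above is for checking files you do not have a running sshd for, such as images and backups.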