Hyman's Road of Learning Linux.

1.為用戶添加密碼 [root才能執(zhí)行]

• 1.為新用戶添加密碼{只能是root} {密碼盡可能的復(fù)雜} [0-9][a-Z][aZ] [!@#$%^&]

[root@oldboyedu ~]# passwd hyman1
Changing password for user oldxu. 
New password: 
BAD PASSWORD: The password is a palindrome 
Retype new password: 
passwd: all authentication tokens updated successfully.

• passwd --stdin #非交互式設(shè)定密碼

[root@oldboyedu ~]# echo "hy123" | passwd --stdin hyman1
Changing password for user oldxu. 
passwd: all authentication tokens updated successfully.

• 批量創(chuàng)建用戶,并設(shè)定固定密碼

[root@oldboyedu ~]# cat hy1.sh 
for i in {1..100} 
do    
  useradd test$i    
  echo "123456" | passwd --stdin test$i 
done

2.為用戶變更密碼

• 為用戶變更密碼
  • 1.為自己修改密碼 直接使用passwd注意密碼需要復(fù)雜一 點,并達到8位

  root@haoyu1[15:32:07]~# su - hy1
  [hy1@haoyu1 ~]$ passwd 
  Changing password for user hy1.
  Changing password for hy1.
  (current) UNIX password: 
  New password: 
  Retype new password: 
  passwd: all authentication tokens updated successfully.
  

  • 2.為別人修改密碼 (root) passwd username

  root@haoyu1[15:31:47]~# useradd hy1
  root@haoyu1[15:31:54]~# passwd hy1
  Changing password for user hy1.
  New password: 
  BAD PASSWORD: The password is a palindrome
  Retype new password: 
  passwd: all authentication tokens updated successfully.
  

3.密碼怎么才算復(fù)雜

• 1.使用$RANDOM隨機數(shù)生成密碼

root@haoyu1[15:35:29]~# echo $RANDOM 
19592
root@haoyu1[15:36:14]~# echo $RANDOM | md5sum
4bdacba7c227b64e08938e5d0e22da39  -
root@haoyu1[15:36:22]~# echo $RANDOM | md5sum | cut -c 5-15
abe0dff187c

• 2.mkpasswd生成隨機字符串, -l設(shè)定密碼長度,-d數(shù)字,-c小寫字母,-C大寫字母,-s特殊字符（使用前需要使用yum install -y expect進行安裝相關(guān)軟件包）

root@haoyu1[15:38:49]~# yum install -y expect
-----------------------------------------------------------
root@haoyu1[15:44:52]~# mkpasswd -l 10 -d 2 -c 3 -C 3 -s 2 
3PV:t8/Tbe
root@haoyu1[15:45:29]~# mkpasswd -l 10 -d 2 -c 3 -C 3 -s 2 
EJao]18=zA

總結(jié)：

• 1.為新用戶添加密碼 只有root權(quán)限才可以
• 2.為用戶變更密碼也只有root才可以
• 3.普通用戶只能修改自己的密碼,..無法修改其他人的密碼
• 4.密碼的修改方式有兩種,一種是交互式 非交互

4.用戶的創(chuàng)建流程

在用戶創(chuàng)建的過程需要參考/etc/login.defs和 /etc/default/useradd這兩 個文件，默認參考。

如果在創(chuàng)建用戶時指定了參數(shù)，則會覆蓋 (默認/etc/login.defs和 /etc/default/useradd)。

• 查看/etc/login.defs的內(nèi)容并解釋各項的含義。

root@haoyu1[15:45:33]~# grep "^[a-Z]" /etc/login.defs 
MAIL_DIR    /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512

• 查看/etc/default/useradd的內(nèi)容并解釋各項的含義。

root@haoyu1[15:49:58]~# cat /etc/default/useradd 
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

5.用戶組的管理

• 沒有指定組的情況下：默認會創(chuàng)建一個與用戶同名的組，簡稱私有組。
• 指定組的情況下：-g 指定一個基本組,基本組必須先存在。
• 附加組：-G 指定。（基本組或私有組無法滿足需求時，添加一個附加組，繼承該組的權(quán)限。）

1./etc/group配置文件內(nèi)容解釋：

root@haoyu1[16:01:24]~# head -1 /etc/group
root:x:0: #以:作為分隔符，總共4列

2./etc/gshadow配置文件內(nèi)容解釋：

root@haoyu1[16:17:09]~# head -1 /etc/gshadow
root:::   #以:作為分隔符，總共4列

3.創(chuàng)建組 groupadd [-g GID] groupname

root@haoyu1[16:18:42]~# groupadd haoyu1
root@haoyu1[16:25:12]~# groupadd -g 4567 haoyu2
-----------------------------------------------------------
root@haoyu1[16:25:47]~# grep "4567" /etc/group
haoyu2:x:4567:

4.修改組 groupmod

• -g 修改組gid

root@haoyu1[16:26:03]~# groupmod -g 1234 haoyu1
root@haoyu1[16:28:09]~# grep "1234" /etc/group
haoyu1:x:1234:

• -n 修改組名稱

root@haoyu1[16:28:22]~# groupmod haoyu2 -n hy2
root@haoyu1[16:28:47]~# grep "hy2" /etc/group
hy2:x:4567:

5.刪除組如果要刪除基本組，需要先刪除基本組中的用戶才可以刪除該組。

實驗圖：

練習

root@haoyu1[16:42:21]~# groupadd dahao
root@haoyu1[16:42:29]~# groupadd laohao

root@haoyu1[16:42:35]~# useradd xiaohao
root@haoyu1[16:42:42]~# useradd hy -g laohao
root@haoyu1[16:42:52]~# usermod xiaohao -G laohao,dahao
-----------------------------------------------------------
root@haoyu1[16:43:12]~# id xiaohao
uid=6669(xiaohao) gid=6671(xiaohao) groups=6671(xiaohao),6669(dahao),6670(laohao)
root@haoyu1[16:43:41]~# userdel -r xiaohao
root@haoyu1[16:43:48]~# groupdel dahao
root@haoyu1[16:43:54]~# groupdel laohao
groupdel: cannot remove the primary group of user 'hy'
root@haoyu1[16:43:59]~# userdel -r hy
root@haoyu1[16:44:37]~# groupdel laohao

6.用戶提權(quán)

• su 切換用戶如果切換用戶，需要知道用戶的密碼，不是很安全。
• sudo 提權(quán)( root事先分配好權(quán)限 --> 關(guān)聯(lián)用戶 ) 安全方便但是復(fù)雜。

基本概念：

• 1.交互式 需要不停的交互
• 2.非交互式
• 3.登錄式shell 需要用戶名以及密碼開啟bash窗口
• 4.非登錄式shell 不需要用戶名和密碼即可開啟bash窗口

su - username 屬于登陸式shell，su username 屬于非登陸式shell，區(qū)別 在于加載的環(huán)境變量不一樣。

su - username 屬于登錄式shell 會加載全部的環(huán)境變量
su username 屬于非登錄式shell 會加載部分環(huán)境變量(很有 可能就會出現(xiàn)錯誤清空)

• su 切換有缺點

  • 需要知道用戶對應(yīng)的密碼
  • 說明不是很安全

• sudo提權(quán)

  • 1.預(yù)先分配好權(quán)限
  • 2.在關(guān)聯(lián)對應(yīng)的用戶

第一種方式：使用sudo中自帶的別名操作，將多個用戶定義成一個組。

• 進入sudo的配置文件 visudo

root@haoyu1[16:59:21]~# visudo
visudo: /etc/sudoers.tmp unchanged

• 1.使用sudo定義分組,這個系統(tǒng)group沒什么關(guān)系

User_Alias OPS = haoyu1,hyman1  
User_Alias DEV = hy1

• 2.定義可執(zhí)行的命令組,便于后續(xù)調(diào)用

Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping 
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum 
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start 
Cmnd_Alias STORAGE = /bin/mount, /bin/umount 
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp 
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

• 3.使用sudo開始分配權(quán)限

OPS  ALL=(ALL) NETWORKING,SOFTWARE,SERVICES,STORAGE,DELEGATING,PROCESSES 
DEV  ALL=(ALL) SOFTWARE,PROCESSES

• 4.登陸對應(yīng)的用戶使用 sudo -l 驗證權(quán)限

第二種方式：使用groupadd添加組，然后給組分配sudo的權(quán)限，如果有新用戶加入，直接將用戶添加到該組。

• 1.添加兩個真實的系統(tǒng)組, group_1 group_2

root@haoyu1[17:12:30]~# groupadd group_1
root@haoyu1[17:12:51]~# groupadd group_2

• 2.添加兩個用戶, group_1(hyman_a hyman_b) group_2(hyman_c hyman_d)

root@haoyu1[17:14:30]~# useradd hyman_a -G group_1 
root@haoyu1[17:14:30]~# useradd hyman_b -G group_1
root@haoyu1[17:14:30]~# useradd hyman_c -G group_2
root@haoyu1[17:14:30]~# useradd hyman_d -G group_2

• 3.記得添加密碼

root@haoyu1[17:15:50]~# echo "1" | passwd --stdin hyman_a 
Changing password for user hyman_a.
passwd: all authentication tokens updated successfully.
root@haoyu1[17:15:51]~# echo "1" | passwd --stdin hyman_b 
Changing password for user hyman_b.
passwd: all authentication tokens updated successfully.
root@haoyu1[17:15:51]~# echo "1" | passwd --stdin hyman_c 
Changing password for user hyman_c.
passwd: all authentication tokens updated successfully.
root@haoyu1[17:15:51]~# echo "1" | passwd --stdin hyman_d
Changing password for user hyman_d.
passwd: all authentication tokens updated successfully.

• 4.在sudo中配置規(guī)則
  • 進入sudo的配置文件 visudo

  root@haoyu1[17:09:30]~# visudo
  visudo: /etc/sudoers.tmp unchanged
  

Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl start
Cmnd_Alias STORAGE = /bin/mount, /bin/umount
Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

%group_1 ALL=(ALL) SOFTWARE
%group_2 ALL=(ALL) SOFTWARE,PROCESSES

• 5.檢查sudo是否配置有錯

root@haoyu1[17:19:22]~# visudo -c
/etc/sudoers: parsed OK

• 6.檢查user_a,和user_d的sudo權(quán)限

[hyman_a@haoyu1 ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for hyman_a: 
Matching Defaults entries for hyman_a on haoyu1:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User hyman_a may run the following commands on haoyu1:
    (ALL) /bin/rpm, /usr/bin/yum


-----------------------------------------------------------


[hyman_d@haoyu1 ~]$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for hyman_d: 
Matching Defaults entries for hyman_d on haoyu1:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User hyman_d may run the following commands on haoyu1:
    (ALL) /bin/rpm, /usr/bin/yum, /bin/nice, /bin/kill, /usr/bin/kill,
        /usr/bin/killall