Linux用户组和权限管理

流过昼夜 提交于 2020-12-22 06:13:35

              Linux用户组和权限管理

                                           作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

 

 

一.Linux的安全模型

1>.安全3A

  这并不是Linux特有的概念,在很多领域都有3A的概念,比如思科,微软,华为等设备都有安全的概念。大致归类为以下介个术语。
    认证(Authentication):
        即验明真身,主要是验证您是谁的功能。

    授权(Authorization):
        授权一般是验证您的身份后,您用的相应权限。

    审计(Accouting|Audition):
        审计一般是起到监督作用,可以反馈从一些存在的问题,比如安全审计,公司财务审计等等。

2>.用户user

令牌:
  token,identity
Linux用户:
  Username/UID
管理员:
  root,0(需要注意的是,并不是叫root的用户名才是管理员,而是因为它的uid为0)
普通用户:
  1-60000编号是自动分配的,但如果我们认为指定用户编号的话是可以超过默认的分配阈值(60000),Linux用户分为系统用户和登录用户。
  系统用户:1-499(CentOS6.X),1-999(CentOS7.X),对守护进程获取资源进行权限分配(给运行软件使用的用户,比如:"mysql","apache","hdfs"用户等等)
  登录用户:500+(CentOS6.X),1000+(CentOS7.X),交互式登录(一般用来登录操作系统,比如yinzhengjie)

3>.组group

Linux组:
  Groupname/GID

管理员组:
  root,0

普通组:
  系统组:1-499(CentOS6.X),1-999(CentOS7.X)
  普通组:500+(CentOS6.X),1000+(CentOS7.X)

Linux组的类别:
  用户的主要组(primary group)
    用户必须术语一个且只有一个主组
    默认创建一个用户后会自动加入一个组名同用户名,且仅包含一个用户,我们也可以称之为该用户的私有组。
  用户的附加组(supplementary group)
    一个用户可以属于零个或多个辅助组

[root@node101.yinzhengjie.org.cn ~]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@node101.yinzhengjie.org.cn ~]#

4>.用户和组的配置文件

Linux用户和组的主要配置文件:
  /etc/passwd
      用户及其属性信息(名称、 UID、主组ID等)   
/etc/group:
      组及其属性信息   
/etc/shadow:
      用户密码及其相关属性   
/etc/gshadow:
      组密码及其相关属性
passwd文件格式如下:
    login name:登录用名( wang)
    passwd:密码 (x)
    UID:用户身份编号 (1000)
    GID:登录默认所在组编号 (1000)
    GECOS:用户全名或注释
    home directory:用户主目录 (/home/wang)
    shell:用户默认使用shell (/bin/bash)


[root@node101.yinzhengjie.org.cn ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:995:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:994:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
gluster:x:996:993:GlusterFS daemons:/run/gluster:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
unbound:x:994:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
chrony:x:993:988::/var/lib/chrony:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sssd:x:991:985:User for sssd:/:/sbin/nologin
setroubleshoot:x:990:984::/var/lib/setroubleshoot:/sbin/nologin
saned:x:989:983:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
passwd文件格式
shadow文件格式
    登录用名
    用户密码:一般用sha512加密
    从1970年1月1日起到密码最近一次被更改的时间
    密码再过几天可以被变更( 0表示随时可被变更)
    密码再过几天必须被变更( 99999表示永不过期)
    密码过期前几天系统提醒用户(默认为一周)
    密码过期几天后帐号会被锁定
    从1970年1月1日算起,多少天后帐号失效


[root@node101.yinzhengjie.org.cn ~]# cat /etc/shadow
root:$6$MLowZZoTkB4Lfzlp$6vkz/bmyWgvPZQEtlQ2Fki1EzZpUdcEecxp2rfzJ1IkvE9amik19QYv.6sYgxCiRgCNPRlfESp78KhUWbaKcN/:
:0:99999:7:::bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18109::::::
dbus:!!:18109::::::
polkitd:!!:18109::::::
libstoragemgmt:!!:18109::::::
colord:!!:18109::::::
rpc:!!:18109:0:99999:7:::
gluster:!!:18109::::::
saslauth:!!:18109::::::
abrt:!!:18109::::::
rtkit:!!:18109::::::
pulse:!!:18109::::::
radvd:!!:18109::::::
rpcuser:!!:18109::::::
nfsnobody:!!:18109::::::
unbound:!!:18109::::::
chrony:!!:18109::::::
qemu:!!:18109::::::
tss:!!:18109::::::
usbmuxd:!!:18109::::::
geoclue:!!:18109::::::
ntp:!!:18109::::::
sssd:!!:18109::::::
setroubleshoot:!!:18109::::::
saned:!!:18109::::::
gdm:!!:18109::::::
gnome-initial-setup:!!:18109::::::
sshd:!!:18109::::::
avahi:!!:18109::::::
postfix:!!:18109::::::
tcpdump:!!:18109::::::
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
8122:0:99999:7:::[root@node101.yinzhengjie.org.cn ~]#
shadow文件格式
group文件格式
    群组名称:就是群组名称
    群组密码:通常不需要设定,密码是被记录在 /etc/gshadow
    GID:就是群组的 ID
    以当前组为附加组的用户列表(分隔符为逗号)



[root@node101.yinzhengjie.org.cn ~]# cat /etc/group
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
cgred:x:997:
printadmin:x:996:
libstoragemgmt:x:995:
colord:x:994:
rpc:x:32:
dip:x:40:
gluster:x:993:
ssh_keys:x:992:
saslauth:x:76:
abrt:x:173:
rtkit:x:172:
pulse-access:x:991:
pulse-rt:x:990:
pulse:x:171:
radvd:x:75:
rpcuser:x:29:
nfsnobody:x:65534:
unbound:x:989:
chrony:x:988:
kvm:x:36:qemu
qemu:x:107:
tss:x:59:
libvirt:x:987:
usbmuxd:x:113:
geoclue:x:986:
ntp:x:38:
sssd:x:985:
setroubleshoot:x:984:
saned:x:983:
gdm:x:42:
gnome-initial-setup:x:982:
sshd:x:74:
slocate:x:21:
avahi:x:70:
postdrop:x:90:
postfix:x:89:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
tcpdump:x:72:
yinzhengjie:x:1000:yinzhengjie
screen:x:84:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
group文件格式
gshdow文件格式
    群组名称:就是群的名称
    群组密码:
    组管理员列表:组管理员的列表,更改组密码和成员
    以当前组为附加组的用户列表:多个用户间用逗号分隔




[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
wheel:::
cdrom:::
mail:::postfix
man:::
dialout:::
floppy:::
games:::
tape:::
video:::
ftp:::
lock:::
audio:::
nobody:::
users:::
utmp:!::
utempter:!::
input:!::
systemd-journal:!::
systemd-network:!::
dbus:!::
polkitd:!::
cgred:!::
printadmin:!::
libstoragemgmt:!::
colord:!::
rpc:!::
dip:!::
gluster:!::
ssh_keys:!::
saslauth:!::
abrt:!::
rtkit:!::
pulse-access:!::
pulse-rt:!::
pulse:!::
radvd:!::
rpcuser:!::
nfsnobody:!::
unbound:!::
chrony:!::
kvm:!::qemu
qemu:!::
tss:!::
libvirt:!::
usbmuxd:!::
geoclue:!::
ntp:!::
sssd:!::
setroubleshoot:!::
saned:!::
gdm:!::
gnome-initial-setup:!::
sshd:!::
slocate:!::
avahi:!::
postdrop:!::
postfix:!::
stapusr:!::
stapsys:!::
stapdev:!::
tcpdump:!::
yinzhengjie:!!::yinzhengjie
screen:!::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
gshdow文件格式

5>.用户相关操作(对应/etc/passwd”)

[root@node101.yinzhengjie.org.cn ~]# whatis passwd
passwd (5)           - password file                  
passwd (1)           - update user's authentication tokens
sslpasswd (1ssl)     - compute password hashes
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# man 5 passwd
PASSWD(5)                                 Linux Programmer's Manual                                 PASSWD(5)

NAME
       passwd - password file

DESCRIPTION
       The /etc/passwd file is a text file that describes user login accounts for the system.  It should have
       read permission allowed for all users (many utilities, like ls(1) use it to  map  user  IDs  to  user‐
       names), but write access only for the superuser.

       In  the  good  old days there was no great problem with this general read permission.  Everybody could
       read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and more‐
       over  the  basic  assumption used to be that of a friendly user-community.  These days many people run
       some version of the shadow password suite, where /etc/passwd has an  'x'  character  in  the  password
       field, and the encrypted passwords are in /etc/shadow, which is readable by the superuser only.

       If  the  encrypted  password,  whether  in /etc/passwd or in /etc/shadow, is an empty string, login is
       allowed without even asking for a password.  Note that this functionality may  be  intentionally  dis‐
       abled  in  applications,  or  configurable  (for  example  using the "nullok" or "nonull" arguments to
       pam_unix.so).

       If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record  should  be
       obtained from an NIS+ server.

       Regardless of whether shadow passwords are used, many system administrators use an asterisk (*) in the
       encrypted password field to make sure that this user can not authenticate  him-  or  herself  using  a
       password.  (But see NOTES below.)

       If  you create a new login, first put an asterisk (*) in the password field, then use passwd(1) to set
       it.

       Each line of the file describes a single user, and contains seven colon-separated fields:

              name:password:UID:GID:GECOS:directory:shell

       The field are as follows:

       name        This is the user's login name.  It should not contain capital letters.

       password    This is either the encrypted user password, an asterisk (*),  or  the  letter  'x'.   (See
                   pwconv(8) for an explanation of 'x'.)

       UID         The privileged root login account (superuser) has the user ID 0.

       GID         This  is  the numeric primary group ID for this user.  (Additional groups for the user are
                   defined in the system group file; see group(5)).

       GECOS       This field (sometimes called the "comment field") is optional and used only  for  informa‐
                   tional  purposes.   Usually,  it  contains the full username.  Some programs (for example,
                   finger(1)) display information from this field.

                   GECOS stands for "General Electric Comprehensive Operating System", which was  renamed  to
                   GCOS when GE's large systems division was sold to Honeywell.  Dennis Ritchie has reported:
                   "Sometimes we sent printer output or batch jobs to the GCOS machine.  The  gcos  field  in
                   the password file was a place to stash the information for the $IDENTcard.  Not elegant."

       directory   This  is  the  user's home directory: the initial directory where the user is placed after
                   logging in.  The value in this field is used to set the HOME environment variable.

       shell       This is the program to run at login (if empty, use /bin/sh).  If set to a nonexistent exe‐
                   cutable,  the  user  will be unable to login through login(1).  The value in this field is
                   used to set the SHELL environment variable.

FILES
       /etc/passwd

NOTES
       If you want to create user groups, there must be an entry in /etc/group, or no group will exist.

       If the encrypted password is set to an asterisk (*), the user will be unable to login using  login(1),
       but  may  still  login  using  rlogin(1), run existing processes and initiate new ones through rsh(1),
       cron(8), at(1), or mail filters, etc.  Trying to lock an account by simply changing  the  shell  field
       yields the same result and additionally allows the use of su(1).

SEE ALSO
       login(1), passwd(1), su(1), getpwent(3), getpwnam(3), crypt(3), group(5), shadow(5)

COLOPHON
       This  page  is part of release 3.53 of the Linux man-pages project.  A description of the project, and
       information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                                             2012-05-03                                        PASSWD(5)
[root@node101.yinzhengjie.org.cn ~]# man 5 passwd
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chfn yinzhengjie                   #修改用户全名或注释
Changing finger information for yinzhengjie.
Name [yinzhengjie]: jason
Office []: bigdata
Office Phone []: 10086
Home Phone []: 10010

Finger information changed.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# df -h  | grep /dev/sr0 
/dev/sr0                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# rpm -ivh /run/media/root/CentOS\ 7\ x86_64/Packages/finger-0.17-52.el7.x86_
64.rpm Preparing...                          ################################# [100%]
Updating / installing...
   1:finger-0.17-52.el7               ################################# [100%]
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# finger yinzhengjie
Login: yinzhengjie                Name: jason
Directory: /home/yinzhengjie            Shell: /bin/bash
Office: bigdata, x1-0086        Home Phone: x1-0010
Last login Wed Aug 14 12:46 (CST) on pts/4 from 172.30.1.1
Mail last read Wed Aug 14 12:50 2019 (CST)
No Plan.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chfn yinzhengjie             #修改用户全名或注释
[root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie      #我们不难发现,使用getent命令可以获取指定用户的信息
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chsh -s /bin/csh yinzhengjie     #我们这里修改shell类型为"/bin/csh"
Changing shell for yinzhengjie.
Shell changed.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/csh
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chsh -s /bin/csh yinzhengjie     #我们这里修改shell类型为"/bin/csh"

6>.用户密码相关操作(对应“/etc/shadow”)

[root@node101.yinzhengjie.org.cn ~]# whatis shadow
shadow (5)           - shadowed password file
shadow (3)           - encrypted password file routines
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# man 5 shadow
SHADOW(5)                                File Formats and Conversions                               SHADOW(5)

NAME
       shadow - shadowed password file

DESCRIPTION
       shadow is a file which contains the password information for the system's accounts and optional aging
       information.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains 9 fields, separated by colons (“:”), in the following order:

       login name
           It must be a valid account name, which exist on the system.

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance !
           or *, the user will not be able to use a unix password to log in (but the user may log in the
           system by other means).

           This field may be empty, in which case no passwords are required to authenticate as the specified
           login name. However, some applications which read the /etc/shadow file may decide not to permit
           any access at all if the password field is empty.

           A password field which starts with a exclamation mark means that the password is locked. The
           remaining characters on the line represent the password field before the password was locked.

       date of last password change
           The date of the last password change, expressed as the number of days since Jan 1, 1970.

           The value 0 has a special meaning, which is that the user should change her pasword the next time
           she will log in the system.

           An empty field means that password aging features are disabled.

       minimum password age
           The minimum password age is the number of days the user will have to wait before she will be
           allowed to change her password again.

           An empty field and value 0 mean that there are no minimum password age.

       maximum password age
           The maximum password age is the number of days after which the user will have to change her
           password.

           After this number of days is elapsed, the password may still be valid. The user should be asked to
           change her password the next time she will log in.

           An empty field means that there are no maximum password age, no password warning period, and no
           password inactivity period (see below).

           If the maximum password age is lower than the minimum password age, the user cannot change her
           password.

       password warning period
           The number of days before a password is going to expire (see the maximum password age above)
           during which the user should be warned.

           An empty field and value 0 mean that there are no password warning period.

       password inactivity period
           The number of days after a password has expired (see the maximum password age above) during which
           the password should still be accepted (and the user should update her password during the next
           login).

           After expiration of the password and this expiration period is elapsed, no login is possible using
           the current user's password. The user should contact her administrator.

           An empty field means that there are no enforcement of an inactivity period.

       account expiration date
           The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

           Note that an account expiration differs from a password expiration. In case of an acount
           expiration, the user shall not be allowed to login. In case of a password expiration, the user is
           not allowed to login using her password.

           An empty field means that the account will never expire.
           The value 0 should not be used as it is interpreted as either an account with no expiration, or as
           an expiration on Jan 1, 1970.

       reserved field
           This field is reserved for future use.

FILES
       /etc/passwd
           User account information.

       /etc/shadow
           Secure user account information.

       /etc/shadow-
           Backup file for /etc/shadow.

           Note that this file is used by the tools of the shadow toolsuite, but not by all user and password
           management tools.

SEE ALSO
       chage(1), login(1), passwd(1), passwd(5), pwck(8), pwconv(8), pwunconv(8), su(1), sulogin(8).

shadow-utils 4.1.5.1                              10/30/2018                                        SHADOW(5)
[root@node101.yinzhengjie.org.cn ~]# man 5 shadow
[root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie            #我们发现密码不存在"/etc/passwd"文件中
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie            #CentOS7.X版本中密码存放在"/etc/shadow"文件中
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
8142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# pwunconv                       #我们这里使用该命令可以将"/etc/shadow"中存放的密码放入到"/etc/passwd"文件中
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie            #密码的确回归了
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie            #但是"/etc/shadow"文件中内容都没有了
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# pwunconv                  #我们这里使用该命令可以将"/etc/shadow"中存放的密码放入到"/etc/passwd"文件中
[root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# pwconv                   #将用户名和密码分开存放,即将密码存放在"/etc/shadow"文件中,默认就是存放该文件中。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
8142:0:99999:7:::[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie
yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# pwconv                   #将用户名和密码分开存放,即将密码存放在"/etc/shadow"文件中,默认就是存放该文件中。
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
8142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -L yinzhengjie      #锁定用户
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie    #将用户锁定后,我们发现密码那一列会多出来一个"!"符号,其实它就是用来标记用户是否被锁定的。
yinzhengjie:!$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:
18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# passwd yinzhengjie        #我们修改用户的密码后,会发现密码已经解锁啦!
Changing password for user yinzhengjie.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -L yinzhengjie          #锁定用户
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
yinzhengjie:!$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:
18142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -U yinzhengjie        #解锁用户
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -U yinzhengjie          #解锁用户
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chage -M 42 yinzhengjie          #修改用户密码过期时间为42天
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:42:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -M 42 yinzhengjie          #修改用户密码过期时间为42天
C:\Users\yinzhengjie>net accounts                   #WINDOWS操作系统默用户也有过期时间  
强制用户在时间到期之后多久必须注销?:     从不
密码最短使用期限(天):                    0
密码最长使用期限(天):                    42        #默认过期时间为42天
密码长度最小值:                          0
保持的密码历史记录长度:                  None
锁定阈值:                                从不
锁定持续时间(分):                        30
锁定观测窗口(分):                        30
计算机角色:                              WORKSTATION
命令成功完成。


C:\Users\yinzhengjie>
C:\Users\yinzhengjie>net accounts                          #WINDOWS操作系统默用户也有过期时间 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:42:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chage -I 5 yinzhengjie          #指定密码过期后几天用户被锁定,我这里设置的是5天,如果在指定的42天内没有修改密码在5天后用户会被锁定,锁定用户就无法登录操作系统。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:42:7:5::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -I 5 yinzhengjie          #指定密码过期后几天用户被锁定,我这里设置的是5天,如果在指定的42天内没有修改密码在5天后用户会被锁定,锁定用户就无法登录操作系统。
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:42:7:5::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chage -E 365 yinzhengjie          #指定用户的有效期天数,我这里设置的为365天,但是需要注意的是,它的起始时间是从1970年开始的!
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
8142:0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chage -E 365 yinzhengjie         #指定用户的有效期天数,我这里设置的为365天,但是需要注意的是,它的起始时间是从1970年开始的!
[root@node101.yinzhengjie.org.cn ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       保留未过期的身份验证令牌-d, --delete            删除指定用户密码-l, --lock              锁定指定用户-u, --unlock            解锁指定用户-e, --expire            强制用户下次登录修改密码-f, --force             强制操作
  -x, --maximum=DAYS      最大使用期限
  -n, --minimum=DAYS      指定最短使用期限
  -w, --warning=DAYS      提前多少天开始警告用户
  -i, --inactive=DAYS     非活动期限
  -S, --status            报告指定用户的密码状态
  --stdin                 从标准输入接受用户密码

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo bigdata
bigdata
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie
Changing password for user yinzhengjie.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null       #生产环境修改密码方式
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null       #生产环境修改密码方式
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# passwd -l yinzhengjie      #将用户锁定
Locking password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    #注意观察密码前多了2个"!"
yinzhengjie:!!$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:
0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -l yinzhengjie                           #将用户锁定
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:!!$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:
0:42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# passwd -u yinzhengjie                           #将用户解锁
Unlocking password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -u yinzhengjie                           #将用户解锁
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
42:7:5:365:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# passwd -e yinzhengjie                            #让用户密码过期,下次用户登录后需要立即更改密码才行。
Expiring password for user yinzhengjie.
passwd: Success
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:0:0:42:7
:5:365:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# passwd -e yinzhengjie                           #让用户密码过期,下次用户登录后需要立即更改密码才行。

7>.用户组相关操作(对应/etc/group”)

[root@node101.yinzhengjie.org.cn ~]# whereis group
group: /etc/group /usr/share/man/man5/group.5.gz
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# man group
GROUP(5)                                  Linux Programmer's Manual                                  GROUP(5)

NAME
       group - user group file

DESCRIPTION
       The  /etc/group  file  is  a  text file that defines the groups on the system.  There is one entry per
       line, with the following format:

              group_name:password:GID:user_list

       The fields are as follows:

       group_name  the name of the group.

       password    the (encrypted) group password.  If this field is empty, no password is needed.

       GID         the numeric group ID.

       user_list   a list of the usernames that are members of this group, separated by commas.

FILES
       /etc/group

BUGS
       As the 4.2BSD initgroups(3) man page says: No-one seems to keep /etc/group up-to-date.

SEE ALSO
       login(1), newgrp(1), getgrent(3), getgrnam(3), passwd(5)

COLOPHON
       This page is part of release 3.53 of the Linux man-pages project.  A description of the  project,  and
       information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.

Linux                                             2010-10-21                                         GROUP(5)
[root@node101.yinzhengjie.org.cn ~]# man group

8>.用户组密码相关操作(对应“/etc/gshadow”)

[root@node101.yinzhengjie.org.cn ~]# whereis gshadow
gshadow: /etc/gshadow /usr/include/gshadow.h /usr/share/man/man5/gshadow.5.gz
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# man gshadow
GSHADOW(5)                               File Formats and Conversions                              GSHADOW(5)

NAME
       gshadow - shadowed group file

DESCRIPTION
       /etc/gshadow contains the shadowed information for group accounts.

       This file must not be readable by regular users if password security is to be maintained.

       Each line of this file contains the following colon-separated fields:

       group name
           It must be a valid group name, which exist on the system.

       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance !
           or *, users will not be able to use a unix password to access the group (but group members do not
           need the password).

           The password is used when an user who is not a member of the group wants to gain the permissions
           of this group (see newgrp(1)).

           This field may be empty, in which case only the group members can gain the group permissions.

           A password field which starts with a exclamation mark means that the password is locked. The
           remaining characters on the line represent the password field before the password was locked.

           This password supersedes any password specified in /etc/group.

       administrators
           It must be a comma-separated list of user names.

           Administrators can change the password or the members of the group.

           Administrators also have the same permissions as the members (see below).

       members
           It must be a comma-separated list of user names.

           Members can access the group without being prompted for a password.

           You should use the same list of users as in /etc/group.

FILES
       /etc/group
           Group account information.

       /etc/gshadow
           Secure group account information.

SEE ALSO
  gpasswd(5), group(5), grpck(8), grpconv(8), newgrp(1).

shadow-utils 4.1.5.1                              10/30/2018                                       GSHADOW(5)
[root@node101.yinzhengjie.org.cn ~]# man gshadow
[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:!!::yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# gpasswd yinzhengjie        #我们可以给组加密
Changing the password for group yinzhengjie
New Password: 
Re-enter new password: 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
yinzhengjie:$6$D/VCeiXW$ZQjYDmM29epe6gYQh670NhKCc2CzrgO190qnQ2JDuV04qltsIAD5ZdiC.A.hKFNZn5DDvnNxuzmLMVoX8T.pp0:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd yinzhengjie        #我们可以给组加密,不推荐使用

9>.密码策略

密码加密
  加密机制:
    加密:明文--> 密文
    解密:密文--> 明文
  单向加密:哈希算法,原文不同,密文必不同
    相同算法定长输出,获得密文不可逆推出原始数据
    雪崩效应:初始条件的微小改变,引起结果的巨大改变
    md5: message digest, 128bits
    sha1: secure hash algorithm, 160bits
    sha224: 224bits
    sha256: 256bits
    sha384: 384bits
    sha512: 512bits
  更改加密算法:
    authconfig --passalgo=sha256 --update

密码的复杂性策略
  足够长
  使用数字、大写字母、小写字母及特殊字符中至少3种
  使用随机密码
  定期更换,不要使用最近曾经使用过的密码

密码期限示意图如下所示。

10>.用户(组)及密码(组)文件操作

  一般情况下不推荐大家直接去修改文件,容易出现格式错误的情况。如果你非要用修改文件的格式的方法去修改用户及密码的配置文件,推荐使用以下工具,它们会带有语法检查的功能。
    vipw:
      相当于"vi /etc/passwd",只不过该命令有语法检查的功能。
      如果使用"vipw -s"相当于"vi /etc/shadow",也有语法检查功能。
  
    vigr:
      相当于"vi /etc/group",也有语法检查功能。
      如果使用"vigr -s"相当于"vi /etc/gshadow",也有语法检查功能。   
    pwck:
      检查"/etc/passwd"配置文件,比如验证用户是否有家目录等,执行后会有相应的提示信息。

    grpck:
      见擦汗"/etc/group"配置文件,详情请参考“grpck --help”

 

二.用户和组管理命令

用户管理命令
    useradd
    usermod
    userdel

组帐号维护命令
    groupadd
    groupmod
    groupdel

1>.用户创建: useradd 

[root@node101.yinzhengjie.org.cn ~]# useradd -h
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         指定用户的注释信息
  -d, --home-dir HOME_DIR       以指定的(不存在)路径为家目录
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               指明用户所属基本组,可为组名,也可以使用GID
  -G, --groups GROUPS           为用户指明附加组,组须事先存在
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             创建用户的家(主)目录,用于系统用户
  -M, --no-create-home          不创建家目录,用于非系统用户
  -N, --no-user-group           不创建私用组作为主组,使用users组做主组。
  -o, --non-unique              配合"-u"选线,不检查UID的唯一性
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  创建系统用户,注意CentOS6.X系统的UID小于500,CentOS7.X系统的UID小于1000
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             指明用户的默认shell程序,可用列表在"/etc/shells"文件中
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -h
[root@node101.yinzhengjie.org.cn ~]# useradd -D               #显示默认设置
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/default/useradd       #以上用户的默认设置均来自该文件
# useradd defaults file
GROUP=100           #组编号默认为100,即为user组
HOME=/home          #家目录位置
INACTIVE=-1          #密码过期策略过期后的宽限期,默认是永远宽限,即"-1"。
EXPIRE=            #指定用户的过期时间,即账户的有限使用时间。
SHELL=/bin/bash       #指定默认的登录shell类型
SKEL=/etc/skel        #指定家目录的默认数据
CREATE_MAIL_SPOOL=yes

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/login.defs                                                     #用户默认配置信息
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR    Maildir
MAIL_DIR    /var/spool/mail
#MAIL_FILE    .mail

# Password aging controls:
#
#    PASS_MAX_DAYS    Maximum number of days a password may be used.
#    PASS_MIN_DAYS    Minimum number of days allowed between password changes.
#    PASS_MIN_LEN    Minimum acceptable password length.
#    PASS_WARN_AGE    Number of days warning given before a password expires.
#
PASS_MAX_DAYS    99999
PASS_MIN_DAYS    0
PASS_MIN_LEN    5
PASS_WARN_AGE    7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME    yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512 

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/login.defs               #用户默认配置信息
[root@node101.yinzhengjie.org.cn ~]# getent group users
users:x:100:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -N tom      #不创建私有组作为主组,使用users组作为主组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id  tom
uid=1001(tom) gid=100(users) groups=100(users)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ls -a /etc/skel/
.  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ls -a /home/tom/        #我们不难发现,创建的用户家目录存在的数据和我们在"/etc/default/useradd"配置文件中的"SKEL"属性一致。
.  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -N tom                  #不创建私有组作为主组,使用users组作为主组
[root@node101.yinzhengjie.org.cn ~]# useradd -r mysql -s /sbin/nologin      #使用"-r"命令就不会去创建默认的家目录了,因为它创建的是一个系统用户。我们使用"-s"选项来指定用户的登录shell类型。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id mysql                      #很明显,在CentOS7.X版本系统的UID是小于1000的,这个在"/etc/login.defs"文件中有相应的记录。
uid=987(mysql) gid=981(mysql) groups=981(mysql)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd mysql
mysql:x:987:981::/home/mysql:/sbin/nologin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -r mysql -s /sbin/nologin       #使用"-r"命令就不会去创建默认的家目录了,因为它创建的是一个系统用户。我们使用"-s"选项来指定用户的登录shell类型。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -u 10086 jason            #创建jason用户并指定其UID为10086
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id jason
uid=10086(jason) gid=10086(jason) groups=10086(jason)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd jason
jason:x:10086:10086::/home/jason:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -u 10086 jason              #创建jason用户并指定其UID为10086
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie                   #我们直到默认情况下,每个用户都有唯一的一个UID,如果想要创建2个不同的用户名但UID一样的情况,并让这两个用户都拥有同一个UID的权限就得需要使用相应的useradd选项。
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -u 1000 -o jenny             #使用"-o"选线,咱们这里创建了2个不同的用户名,但是UID却是一样的,如果你想要两个不同用户名使用同一个UID权限的话就可用这样干。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny                          #由于Linux识别用户是基于UID来识别的,我们发现如果设置2个同UID的不同用户名可能会产生信息混乱的情况。因此还是谨慎使用呀~
jenny:x:1000:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/                      #两个用户的家目录还是不一样的哟
total 0
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 yinzhengjie jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -u 1000 -o jenny             #使用"-o"选线,咱们这里创建了2个不同的用户名,但是UID却是一样的,如果你想要两个不同用户名使用同一个UID权限的话就可用这样干。
[root@node101.yinzhengjie.org.cn ~]# getent group yinzhengjie
yinzhengjie:x:1000:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -g yinzhengjie danny          #创建一个danny用户,并指定其组为"yinzhengjie",即并不会使用默认的同名组。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id danny
uid=10088(danny) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -g yinzhengjie danny           #创建一个danny用户,并指定其组为"yinzhengjie",即并不会使用默认的同名组。
[root@node101.yinzhengjie.org.cn ~]# useradd -g root -G yinzhengjie,jason,jenny yzj    #创建yzj用户,让其主组归为root组,附加组为yinzhengjie,jason,jenny各组,有点类似于咱们运维工程师,在企业身兼数职。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g yinzhengjie                #查看yinzhengjie这个组有哪些用户
yinzhengjie  yzj 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jason
yzj 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jenny
yzj 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups yzj                          #查看yzj这大概用户有哪些组,一般排在第一个为主组,后面的均为附加组。
yzj : root yinzhengjie jason jenny
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/                                            #需要注意的是,尽管一个用户可用被加入到多个组,但是用户的家目录依旧属于主组,如下所示。
total 0
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -g root -G yinzhengjie,jason,jenny yzj  #创建yzj用户,让其主组归为root组,附加组为yinzhengjie,jason,jenny各组,有点类似于咱们运维工程师,在企业身兼数职。
[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -d /data/bigdata hdfs            #创建用户并指定其家目录为"/data/bigdata"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/
total 0
drwx------. 3 hdfs hdfs 78 Sep  3 17:41 bigdata
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/bigdata/ -a                  #很显然,家目录的默认数据和"/etc/skel"目录是一致的哟
total 12
drwx------. 3 hdfs hdfs  78 Sep  3 17:41 .
drwxr-xr-x. 3 root root  21 Sep  3 17:41 ..
-rw-r--r--. 1 hdfs hdfs  18 Oct 31  2018 .bash_logout
-rw-r--r--. 1 hdfs hdfs 193 Oct 31  2018 .bash_profile
-rw-r--r--. 1 hdfs hdfs 231 Oct 31  2018 .bashrc
drwxr-xr-x. 4 hdfs hdfs  39 Aug  1 21:58 .mozilla
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /etc/skel/ -a
total 24
drwxr-xr-x.   3 root root   78 Apr 11  2018 .
drwxr-xr-x. 146 root root 8192 Sep  3 17:41 ..
-rw-r--r--.   1 root root   18 Oct 31  2018 .bash_logout
-rw-r--r--.   1 root root  193 Oct 31  2018 .bash_profile
-rw-r--r--.   1 root root  231 Oct 31  2018 .bashrc
drwxr-xr-x.   4 root root   39 Aug  1 21:58 .mozilla
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -d /data/bigdata hdfs            #创建用户并指定其家目录为"/data/bigdata"
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -r -m apache              #我们知道使用“-r”是创建系统用户,该参数不会创建相应的家目录,如果非要强行创建,则可以使用"-m"选项。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id apache
uid=986(apache) gid=980(apache) groups=980(apache)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -r -m apache                  #我们知道使用“-r”是创建系统用户,该参数不会创建相应的家目录,如果非要强行创建,则可以使用"-m"选项。
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -M dengziqi                #创建用户时不允许创建家目录。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id dengziqi
uid=10091(dengziqi) gid=10091(dengziqi) groups=10091(dengziqi)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd dengziqi
dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# useradd -M dengziqi                  #创建用户时不允许创建家目录。
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat user.txt             #这个格式咱们可以参考"/etc/passwd"格式即可
hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# newusers user.txt           #newusers可以按照"/etc/passwd"格式来批量创建用户。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/passwd          #很明显用户被创建成功啦
hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/                #也生成了对应的用户家目录
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 2 hadoop101   hadoop101     6 Sep  5 09:36 hadoop101
drwx------. 2 hadoop102   hadoop102     6 Sep  5 09:36 hadoop102
drwx------. 2 hadoop103   hadoop103     6 Sep  5 09:36 hadoop103
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# newusers user.txt                    #newusers可以按照"/etc/passwd"格式来批量创建用户。
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
hadoop101:$6$0wBgf/Cr$vYRQzifVMrxaXwlsn/7FxsS/Ekjw4x.aNElIIMgyvsCT6.7KQmG2DGNKJtyx./.ARcLOGW09035OH9g/NZ4A8.:181
44:0:99999:7:::hadoop102:$6$g6O4GJL21PZH$TMZGml4bo1BVBWEpE145mvxjlYzYIDDpKXweFzUbeoGeIdckN3bDnRAtOzdWwOXaWsyxxW39hzAGhcRSumHZH/
:18144:0:99999:7:::hadoop103:$6$cCnLp/tV0jS/$5AST/AOjMOrd5EIWRoDek2uR1VPHyCMCM7iHLJXjmxrvq5z5AFpMSt1Letqt7FTv1PSkg51MEPm4sH66hux/r1
:18144:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat passwd.txt             #保存密码格式
hadoop101:yinzhengjie
hadoop102:yinzhengjie
hadoop103:yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat passwd.txt | chpasswd       #批量修改用户密码
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
hadoop101:$6$dDpTknD8SzSKoq$mgvwwy03zUFurrxw6GKvhkUClLL7r/Hsb5Jg1XzVF1KimXDHDlAZiqoma0GDTBYdgtC7Mav86w.CwiLqklHI
y0:18144:0:99999:7:::hadoop102:$6$LDGCW/7daOR/Pm$5YqXe6HXW22RQRjDp/xHnuMTfzdEekP0vcf9oPs7o2M.OD24HE24CEu5lO2TlNrH1WXIhzaMMkkGTyfFnn7R
V/:18144:0:99999:7:::hadoop103:$6$CBgr./2XG$HC4Y2YHYiRar76y9QLHp.qY3I3lG.mn.z2qLSm.jUES3QCDqgGAgYQ7PrHNsX9VCYOn9jjLPBIBPwcBAcY4jW0:18
144:0:99999:7:::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat passwd.txt | chpasswd               #批量修改用户密码

2>.用户属性修改: usermod

[root@node101.yinzhengjie.org.cn ~]# usermod -h
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         新的注释信息
  -d, --home HOME_DIR           新家目录不会自动创建;若要创建新家目录并移动原家目录数据,同时使用"-m"选项
  -e, --expiredate EXPIRE_DATE  用来指明用户账号过期日期
  -f, --inactive INACTIVE       设置非活动期限
  -g, --gid GROUP               新的主组
  -G, --groups GROUPS           新的附加组,原来的附加组见会被覆盖;若保留原有,则要同时使用通过"-a"选项
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         新的名字
  -L, --lock                    lock指定用户,在"/etc/shadow"密码栏的增加"!"符号。
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             新的默认SHELL
  -u, --uid UID                 指定新的UID
  -U, --unlock                  unlock指定用户,将"/etc/shadow"密码栏的"!"符号拿掉。
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account

[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -h
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
jenny:x:1000:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -u 10087 jenny        #修改jenny用户的UID,注意修改用户的UID时该用户不能登录哟,否则可能会报错。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id jenny
uid=10087(jenny) gid=10087(jenny) groups=10087(jenny)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
jenny:x:10087:10087::/home/jenny:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -u 10087 jenny        #修改jenny用户的UID,注意修改用户的UID时该用户不能登录哟,否则可能会报错。
[root@node101.yinzhengjie.org.cn ~]# getent passwd hdfs      #注意观察hdfs用户的家目录及uid
hdfs:x:10090:10090::/data/bigdata:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id hdfs
uid=10090(hdfs) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -l hadoop hdfs -d /home/hadoop      #我们将hdfs用户更名为hadoop用户并指定家目录为"/home/hadoop",但此时并不会自动生成相应的家目录,需要咱们手动操作。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mv /data/bigdata/ /home/hadoop          #因此我们需要手动将"hdfs"用户的家目录迁移至"hadoop"指定的家目录路径。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd hadoop          #观察hadoop的家目录和uid是否和原来的hdfs用户一致
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -l hadoop hdfs -d /home/hadoop      #我们将hdfs用户更名为hadoop用户并指定家目录为"/home/hadoop",但此时并不会自动生成相应的家目录,需要咱们手动操作。
[root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/passwd
danny:x:10088:1000::/home/danny:/bin/bash
yzj:x:10089:0::/home/yzj:/bin/bash
apache:x:986:980::/home/apache:/bin/bash
dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -aG dengziqi,hadoop yzj        #我们为"yzj"用户新追加附加组"dengziqi""hadoop"组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hadoop)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -aG dengziqi,hadoop yzj        #我们为"yzj"用户新追加附加组"dengziqi"和"hadoop"组
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hado
op)[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root yinzhengjie jason jenny dengziqi hadoop
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -G "" yzj      #清空所有附加组,注意没有"-a"选项啦
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yzj
uid=10089(yzj) gid=0(root) groups=0(root)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups yzj
yzj : root
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# usermod -G "" yzj                 #清空所有附加组,注意没有"-a"选项啦

3>.删除用户:userdel

[root@node101.yinzhengjie.org.cn ~]# userdel -h          #查看"userdel"命令的帮助信息
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force some actions that would fail otherwise
                                e.g. removal of user still logged in
                                or files, even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# userdel -h              #查看"userdel"命令的帮助信息
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent passwd yzj
yzj:x:10089:0::/home/yzj:/bin/bash
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# userdel -r yzj        #删除用户及其家目录(生产环境慎用,有可能该员工已经离职但其数据可能对其它同时有用)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# userdel -r yzj            #删除用户及其家目录(生产环境慎用,有可能该员工已经离职但其数据可能对其它同时有用)

4>.查看用户相关的ID信息 

[root@node101.yinzhengjie.org.cn ~]# id postfix             #查看"postfix"用户相关的ID信息,如果用户不存在会提示"no such user"相关错误信息。
uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# id -u postfix            #显示“postfix”用户的UID
89
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id -g postfix            #显示"postfix"用户的GID
89
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id -G postfix            #显示"postfix"用户所属的组的ID(包括附加组)
89 12
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id -nG postfix           #显示组的名称,"-n"参数需要和"ugG"参数配合使用
postfix mail
[root@node101.yinzhengjie.org.cn ~]#

5>.切换用户或以其他用户身份执行命令(su命令的前提是要知道对方的用户密码,除非你直接使用root用户) 

[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]# pwd
/data
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]# su yinzhengjie      #不完全切换,即切换后的用户依旧保留上一个用户的环境变量和工作目录
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ pwd         #我们不难发现工作目录并没有变化,切换用户后并没有到"yinzhengjie"用户的家目录中
/data
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ echo $PATH    #注意观察当前的环境变量并非"yinzhengjie"用户,而是"root"用户的
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
[yinzhengjie@node101.yinzhengjie.org.cn /data]$ exit        #退出当前登录
exit
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su yinzhengjie        #不完全切换,即切换后的用户依旧保留上一个用户的环境变量和工作目录
[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]# su -l yinzhengjie      #完全切换,即切换到该用户的家目录且环境变量也会跟着变化,相当于使用ssh服务连接的效果。
Last login: Thu Sep  5 10:15:15 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH        #环境变量发生了变化
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd            #工作目录也变为"yinzhengjie"用户的家目录啦
/home/yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit            #退出当前用户
logout
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su -l yinzhengjie      #完全切换,即切换到该用户的家目录且环境变量也会跟着变化,相当于使用ssh服务连接的效果。
[root@node101.yinzhengjie.org.cn ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cd /data/
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]# su - yinzhengjie      #完全切换用户,其实等效于"su -l yinzhengjie"
Last login: Thu Sep  5 10:15:42 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/
yinzhengjie/bin[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd
/home/yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn /data]# 
[root@node101.yinzhengjie.org.cn /data]#
[root@node101.yinzhengjie.org.cn /data]# su - yinzhengjie      #完全切换用户,其实等效于"su -l yinzhengjie"
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ su -l -c 'getent passwd hadoop'    #注意,-l后面我没有指定用户名,默认就会切换到root用户。使用-c表示切换到root用户并执行一条命令即可,执行完毕并不会切换到root用户身份。
Password: 
hadoop:x:10090:10090::/home/hadoop:/bin/bash
[yinzhengjie@node101.yinzhengjie.org.cn ~]$

6>.创建组:groupadd

[root@node101.yinzhengjie.org.cn ~]# groupadd -h
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 指明GID号
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  创建系统组,CentOS6.X:ID < 500,CentOS7.X:ID<1000
  -R, --root CHROOT_DIR         directory to chroot into

[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupadd -h
[root@node101.yinzhengjie.org.cn ~]# groupadd yarn          #创建一个yarn组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent group yarn
yarn:x:10092:
[root@node101.yinzhengjie.org.cn ~]#

7>.组属性修改: groupmod 

[root@node101.yinzhengjie.org.cn ~]# groupmod -h
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID                 新的GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      新名字
  -o, --non-unique              allow to use a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted)
                                PASSWORD
  -R, --root CHROOT_DIR         directory to chroot into

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmod -h
[root@node101.yinzhengjie.org.cn ~]# ll /home/              #注意观察"hadoop"用户的组名是"hdfs"
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmod -n hadoop hdfs      #将"hdfs"组名改为"hadoop"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id hadoop
uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /home/            #注意查看hadoop用户的组名也跟着变为"hadoop"
total 0
drwx------. 3 apache      apache       78 Sep  3 17:51 apache
drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
drwx------. 3 jason       jason        78 Sep  3 17:08 jason
drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
drwx------. 3 tom         users        78 Sep  3 16:41 tom
drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmod -n hadoop hdfs      #将"hdfs"组名改为"hadoop"

8>.组属性删除: groupdel

[root@node101.yinzhengjie.org.cn ~]# groupdel -h
Usage: groupdel [options] GROUP

Options:
  -h, --help                    display this help message and exit
  -R, --root CHROOT_DIR         directory to chroot into

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupdel -h
[root@node101.yinzhengjie.org.cn ~]# getent group yarn
yarn:x:10092:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# usermod -aG yarn yinzhengjie            #给"yinzhengjie"用户添加一个附加组“yarn”
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie),10092(yarn)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupdel yarn                      #删除yarn组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupdel yarn             #删除yarn组

9>.更改组密码:gpasswd

[root@node101.yinzhengjie.org.cn ~]# gpasswd -h
Usage: gpasswd [option] GROUP

Options:
  -a, --add USER                  将user添加只指定组中
  -d, --delete USER               从指定组中移除用户user
  -h, --help                      display this help message and exit
  -Q, --root CHROOT_DIR           directory to chroot into
  -r, --delete-password           remove the GROUP's password
  -R, --restrict                  restrict access to GROUP to its members
  -M, --members USER,...          set the list of members of GROUP
  -A, --administrators ADMIN,...   设置有管理权限的用户列表
                              
Except for the -A and -M options, the options cannot be combined.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -h
[root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/group
dengziqi:x:10091:
hadoop:x:10090:
hadoop101:x:2019:
hadoop102:x:2020:
hadoop103:x:2021:
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# gpasswd -a hadoop dengziqi        #将hadoop用户加入到"dengziqi"组中
Adding user hadoop to group dengziqi
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop dengziqi
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -a hadoop dengziqi        #将hadoop用户加入到"dengziqi"组中
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop dengziqi
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# gpasswd -d hadoop dengziqi        #从"dengziqi"组中移除"hadoop"用户
Removing user hadoop from group dengziqi
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups hadoop
hadoop : hadoop
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -d hadoop dengziqi        #从"dengziqi"组中移除"hadoop"用户
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# gpasswd root                #为root组加密
Changing the password for group root
New Password: 
Re-enter new password: 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd root                #为root组加密
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# gpasswd -r root              #为root组清楚密码
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# getent gshadow root
root:::
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpasswd -r root              #为root组清楚密码
[root@node101.yinzhengjie.org.cn ~]# id hadoop          #查看hadoop用户组信息
uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop),10091(dengziqi)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su - hadoop
Last login: Thu Sep  5 11:48:15 CST 2019 on pts/0
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ touch a.txt
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ ll 
total 0
-rw-rw-r--. 1 hadoop hadoop 0 Sep  5 11:54 a.txt
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ groups           #查看组信息
hadoop dengziqi
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ newgrp dengziqi      #我们临时将附加组("dengziqi")切换为主组
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ groups            
dengziqi hadoop
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ touch b.txt         #创建文件,发现文件的所属组为"dengziqi"
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ ll
total 0
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
-rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ exit 
exit
[hadoop@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su - hadoop
Last login: Thu Sep  5 11:53:56 CST 2019 on pts/0
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ touch c.txt            #当我们退出后,再次登录发现临时修改的附加组提示主组的操作失效啦~
[hadoop@node101.yinzhengjie.org.cn ~]$ 
[hadoop@node101.yinzhengjie.org.cn ~]$ ll
total 0
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
-rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
-rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 c.txt
[hadoop@node101.yinzhengjie.org.cn ~]$
[hadoop@node101.yinzhengjie.org.cn ~]$ newgrp dengziqi              #我们临时将附加组("dengziqi")切换为主组

10>.更改和查看组成员

[root@node101.yinzhengjie.org.cn ~]# groupmems -h
Usage: groupmems [options] [action]

Options:
  -g, --group groupname         更改为指定组(只有root)
-R, --root CHROOT_DIR         directory to chroot into

Actions:
  -a, --add username            指定用户加入组
  -d, --delete username         从组中删除用户
  -h, --help                    display this help message and exit
  -p, --purge                   从组中清楚所有成员
  -l, --list                    显示组成员列表
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -a root        #将root用户加入"yinzhengjie"组中
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie  root 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -a root        #将root用户加入"yinzhengjie"组中
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l          #查看组中成员
yinzhengjie  root 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -d root       #从"yinzhengjie"组中删除"root"用户
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -d root         #从"yinzhengjie"组中删除"root"用户
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
yinzhengjie  root 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -p            #清空组成员,只能清空附加组,不能清空主组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -p           #清空组成员,只能清空附加组,不能清空主组

11>.小试牛刀

案例一:创建用户gentoo,附加组为bin和root,默认shell为/bin/csh,注释信息为"Gentoo Distribution"

案例二:创建下面的用户、组和组成员关系   名字为webs 的组   用户nginx, 使用webs作为附加组   用户varnish,使用webs作为附加组   用户mysql,不可交互登录系统,且不是webs的成员, nginx, varnish,mysql的用户名密码都是"yinzhengjie"
[root@node101.yinzhengjie.org.cn ~]# useradd -s /bin/csh -c "Gentoo Distribution" -G bin,root gentoo
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# groups gentoo
gentoo : gentoo root bin
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id gentoo
uid=10092(gentoo) gid=10092(gentoo) groups=10092(gentoo),0(root),1(bin)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
案例一参考
[root@node101.yinzhengjie.org.cn ~]# groupadd webs
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -G webs nginx
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -G webs varnish
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -s /sbin/nologin mysql
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin nginx
Changing password for user nginx.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin varnish
Changing password for user varnish.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin mysql
Changing password for user mysql.
passwd: all authentication tokens updated successfully.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
案例二参考

 

三.文件权限

1>.文件属性

2>.修改文件的属主和属组

文件属性操作
    chown 设置文件的所有者
    chgrp 设置文件的属组信息
[root@node101.yinzhengjie.org.cn ~]# chown --help
Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
  or:  chown [OPTION]... --reference=RFILE FILE...
Change the owner and/or group of each FILE to OWNER and/or GROUP.
With --reference, change the owner and group of each FILE to those of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --from=CURRENT_OWNER:CURRENT_GROUP
                         change the owner and/or group of each file only if
                         its current owner and/or group match those specified
                         here.  Either may be omitted, in which case a match
                         is not required for the omitted attribute
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's owner and group rather than
                         specifying OWNER:GROUP values
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Owner is unchanged if missing.  Group is unchanged if missing, but changed
to login group if implied by a ':' following a symbolic OWNER.
OWNER and GROUP may be numeric as well as symbolic.

Examples:
  chown root /u        Change the owner of /u to "root".
  chown root:staff /u  Likewise, but also change its group to "staff".
  chown -hR root /u    Change the owner of /u and subfiles to "root".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chown invocation'
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chown --help
[root@node101.yinzhengjie.org.cn ~]# chgrp --help
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --dereference      affect the referent of each symbolic link (this is
                         the default), rather than the symbolic link itself
  -h, --no-dereference   affect symbolic links instead of any referenced file
                         (useful only on systems that can change the
                         ownership of a symlink)
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's group rather than specifying a
                         GROUP value
  -R, --recursive        operate on files and directories recursively

The following options modify how a hierarchy is traversed when the -R
option is also specified.  If more than one is specified, only the final
one takes effect.

  -H                     if a command line argument is a symbolic link
                         to a directory, traverse it
  -L                     traverse every symbolic link to a directory
                         encountered
  -P                     do not traverse any symbolic links (default)

      --help     display this help and exit
      --version  output version information and exit

Examples:
  chgrp staff /u      Change the group of /u to "staff".
  chgrp -hR staff /u  Change the group of /u and subfiles to "staff".

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chgrp invocation'
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chgrp --help
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chown yinzhengjie file.txt       #修改文件的属主为"yinzhengjie"用户
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chown yinzhengjie file.txt       #修改文件的属主为"yinzhengjie"用户
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chgrp bin file.txt           #修改文件的所属组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chgrp bin file.txt            #修改文件的所属组
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chown root:yinzhengjie file.txt     #其实使用chown命令也是可以修改属主和属组的,需要用":"来分割
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chown root:yinzhengjie file.txt     #其实使用chown命令也是可以修改属主和属组的,需要用":"来分割
[root@node101.yinzhengjie.org.cn ~]# ll -R
.:
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
drwxr-xr-x. 2 root root        32 Sep  5 14:44 home

./home:
total 0
-rw-r--r--. 1 root root 0 Sep  5 14:44 a.txt
-rw-r--r--. 1 root root 0 Sep  5 14:44 b.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chown -R yinzhengjie.yinzhengjie home      #递归修改某一个目录及其子文件的属主和数组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -R
.:
total 4
-rw-r--r--. 1 root        yinzhengjie 26 Sep  5 14:22 file.txt
drwxr-xr-x. 2 yinzhengjie yinzhengjie 32 Sep  5 14:44 home

./home:
total 0
-rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 a.txt
-rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 b.txt
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chown -R yinzhengjie.yinzhengjie home      #递归修改某一个目录及其子文件的属主和数组
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# touch file2.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root root         0 Sep  5 15:03 file2.txt
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chown --reference file.txt file2.txt       #让file2.txt文件和"file.txt"文件权限一致。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r--. 1 root yinzhengjie  0 Sep  5 15:03 file2.txt
-rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chown --reference file.txt file2.txt       #让file2.txt文件和"file.txt"文件权限一致。

3>.文件权限操作: chmod

文件的权限主要针对三类对象进行定义
  owner 属主, u
  group 属组, g
  other 其他, o

每个文件针对每类访问者都定义了三种权限
  r Readable
  w Writable
  x eXcutable

文件:
  r 可使用文件查看类工具获取其内容
  w 可修改其内容
  x 可以把此文件提请内核启动为一个进程

目录:
  r 可以使用ls查看此目录中文件列表
  w 可在此目录中创建文件,也可删除此目录中的文件
  x 可以使用ls -l查看此目录中文件元数据(须配合r),可以cd进入此目录
  X 只给目录x权限,不给文件x权限

[root@node101.yinzhengjie.org.cn ~]# chmod --help
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Change the mode of each FILE to MODE.
With --reference, change the mode of each FILE to that of RFILE.

  -c, --changes          like verbose but report only when a change is made
  -f, --silent, --quiet  suppress most error messages
  -v, --verbose          output a diagnostic for every file processed
      --no-preserve-root  do not treat '/' specially (the default)
      --preserve-root    fail to operate recursively on '/'
      --reference=RFILE  use RFILE's mode instead of MODE values
  -R, --recursive        change files and directories recursively
      --help     display this help and exit
      --version  output version information and exit

Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.

GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
For complete documentation, run: info coreutils 'chmod invocation'
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod --help
[root@node101.yinzhengjie.org.cn ~]# cp -a /etc/shadow ./
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-r--------. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod u+rw,g+r shadow       #给属主增加rw权限,给属组加r权限
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod u+rw,g+r shadow       #给属主增加rw权限,给属组加r权限
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod o=w shadow          #给其它人用户加w权限
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r---w-. 1 root root 2464 Sep  5 13:55 shadow
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod o=w shadow          #给其它人用户加w权限
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
-rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod a-x /bin/ls          #我们为ls命令减去执行权限,我们发现ls命令将无法执行啦!
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
bash: /usr/bin/ls: Permission denied
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod a+x /bin/ls
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
-rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod a-x /bin/ls         #我们为ls命令减去执行权限,我们发现ls命令将无法执行啦!

4>.新建文件和目录的默认权限 

[root@node101.yinzhengjie.org.cn ~]# help umask
umask: umask [-p] [-S] [mode]
    Display or set file mode mask.
    
    Sets the user file-creation mask to MODE.  If MODE is omitted, prints
    the current value of the mask.
    
    If MODE begins with a digit, it is interpreted as an octal number;
    otherwise it is a symbolic mode string like that accepted by chmod(1).
    
    Options:
      -p    if MODE is omitted, output in a form that may be reused as input
      -S    makes the output symbolic; otherwise an octal number is output
    
    Exit Status:
    Returns success unless MODE is invalid or an invalid option is given.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask         #root用户的默认umask值为022
0022
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
Last login: Thu Sep  5 16:38:53 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ umask     #普通用户的默认umask值为002
0002
[yinzhengjie@node101.yinzhengjie.org.cn ~]$
[root@node101.yinzhengjie.org.cn ~]# help umask
[root@node101.yinzhengjie.org.cn ~]# umask 
0022
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask -S      #模式方式显示
u=rwx,g=rx,o=rx
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# umask -S      #模式方式显示
[root@node101.yinzhengjie.org.cn ~]# umask 
0022
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask -p      #输出可悲调用
umask 0022
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# umask -p      #输出可悲调用
[root@node101.yinzhengjie.org.cn ~]# umask 
0022
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask 754      #命令行中修改umask的属性,临时生效,若想要永久生效需要将修改指令写入"~/.bashrc"文件
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask 
0754
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# exit         #我们退出终端后发现就不生效啦!
logout

Connection closed by foreign host.

Disconnected from remote host(node101.yinzhengjie.org.cn) at 17:05:27.

Type `help' to learn how to use Xshell prompt.
[c:\~]$ 
Reconnecting in 1 seconds. Press any key to exit local shell.
.

Host 'node101.yinzhengjie.org.cn' resolved to 172.30.1.101.
Connecting to 172.30.1.101:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Thu Sep 5 16:51:50 2019 from 172.30.1.1
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask         #重新登录终端会发现umask的值并没有发生改变
0022
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# umask 754      #命令行中修改umask的属性,临时生效,若想要永久生效需要将修改指令写入"~/.bashrc"文件,也可以放在全局的"/etc/bashrc"文件中!
umask值可以用来保留在创建文件权限。
    新建文件的默认权限: 666-umask,如果所得结果某位存在执行(奇数)权限,则将其权限+1
    新建目录的默认权限: 777-umask

非特权用户umask是002 ,root的umask 是022 


举个例子:
  比如 umask的值是754,我们通过上面的公式得出
    新建的文件默认权限 : 666 - 754 => -112(得出的结果有奇数,需要进行加1操作) =>022
    新建的目录默认权限 : 777 - 754 => 023
  
  计算机是如何使用umask值的呢?
    666转换二进制为:"110 110 110"
    754转换二进制为:"111 101 100"(对应的位置为1则表示遮掩,需要和666二进制所对应位进行运算,若位1则取反,若为0则不变)
              000 010 010(使用八进制表示即022,和上面计算结果一直)
    
    777转换二进制为:"111 111 111"
    754转换二进制为:"111 101 100"(对应的位置为1则表示遮掩,需要和666二进制所对应位进行运算,若位1则取反,若为0则不变)
             000 010 011(使用八进制表示即023,和上面计算结果一直)

  为了验证结果是否正确,可以观察下面的实战操作。
[root@node101.yinzhengjie.org.cn ~]# umask         #root用户默认的umask值
0022
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# touch a.txt     #创建一个空文件并查看其文件默认权限
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# umask 754      #我们修改root用户的umask值后,并观察创建的文件或目录对应的默认权限。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# touch b.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
-----w--w-. 1 root root 0 Sep  5 16:38 b.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir home
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
-rw-r--r--. 1 root root 0 Sep 5 16:38 a.txt
-----w--w-. 1 root root 0 Sep 5 16:38 b.txt
d----w--wx. 2 root root 6 Sep 5 16:43 home
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# umask 754      #我们修改root用户的umask值后,并观察创建的文件或目录对应的默认权限。

5>.小试牛刀

当用户docker对/testdir 目录无执行权限时,意味着无法做哪些操作?
    当用户mongodb对/testdir 目录无读权限时,意味着无法做哪些操作?
    当用户redis 对/testdir 目录无写权限时,该目录下的只读文件file1是否可修改和删除?
    当用户zabbix对/testdir 目录有写和执行权限时,该目录下的只读文件file1是否可修改和删除?
    复制/etc/fstab文件到/var/tmp下,设置文件所有者为tomcat读写权限,所属组为apps组有读写权限,其他人无权限
    误删除了用户git的家目录,请重建并恢复该用户家目录及相应的权限属性

 

四.Linux文件系统上的特殊权限

1>.SUID权限(让有权限运行该程序文件的用户临时拥有该程序属主的权限,系统默认的"passwd"就有suid权限,默认数字权限为"4")

[yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat  /etc/shadow | tail -3        #我们发现普通用户是无法查看"/etc/shadow"文件内容的
cat: /etc/shadow: Permission denied
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit                      #于是我们退出当前用户
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat                    #观察cat命令,属主是root用户,而且cat命令的属主是有x权限的
-rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod u+s /usr/bin/cat                #我们给cat命令添加x权限 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat                   #我们发现属主的x权限被s权限覆盖啦
-rwsr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie                  #我们再一次切换到普通用户
Last login: Thu Sep  5 17:11:01 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat  /etc/shadow | tail -3        #神奇的一幕发生了,我们竟然可以访问"/etc/shadow"文件啦
nginx:$6$.KUKZqRu$sCk.tYEAzZowA44d42qgaK.cQmpa16IPSIYX0CnON/SSCteb2PI77T21qOHDTrT01fAh2tD1/Ta6IE2m5EnkI/:18144:0:99999:7:::
varnish:$6$gF6mgxv2$JtJHT.B7IqUU3MA6JZYQkbFBhqukF918goBIYIwm0hTFmcwdf6i.x2JX2Wzgz42dyEhkj/cdbMmUJi9XBhZY60:18144:0:99999:7:::
mysql:$6$qWljHcJp$HtPeHnCjgOXh..Kno96j5BsS2ULUtpjb1yGznrkMdN2V7OVoTKLclY1Jaxe.Ryl32UWUox17Ux/Iw6s6dQviB0:18144:0:99999:7:::
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
-rwsr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod u-s /usr/bin/cat            #生产环境建议大家不要随意给命令公家加suid权限,我们这里了解即可,做完实验我就回滚之前的操作啦!如果我们对vim添加了"suid"权限,那么Linux所有的普通用户都可以修改Linux中任意文件啦!谨慎操作!!!
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
-rwxr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

2>.SGID权限(同理,让有权限运行该程序文件的用户临时拥有该程序属组的权限,默认数字权限为"2")

[root@node101.yinzhengjie.org.cn ~]# groupadd devops                #我们这里创建了一个devops的用户组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd -g devops jason           #我们将jason用户加入devops组
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id jason                          #查看jason组
uid=1002(jason) gid=1001(devops) groups=1001(devops)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chgrp devops /data
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/                  #大家注意观察这里的"/data"的权限
drwxr-xr-x. 2 root devops 6 Sep 10 06:33 /data/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod 3770 /data/               #我们为“/data”添加suid权限和sticky权限,注意观察文件的权限变化
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/     
drwxrws--T. 2 root devops 6 Sep 10 06:33 /data/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# touch /data/root.txt              #我们使用root用户创建一个文件
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su -l jason
Last login: Tue Sep 10 06:31:59 PDT 2019 on pts/0
[jason@node101.yinzhengjie.org.cn ~]$ 
[jason@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt            #我们使用在"devops"组中的jason用户创建一个文件
[jason@node101.yinzhengjie.org.cn ~]$ 
[jason@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id yinzhengjie                  
uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/yinzhengjie.txt      #这里无法创建,原因想必大家也知道,因为该用户是非devops组的普通用户,即other组用户无w权限,操作被拒绝啦!
touch: cannot touch ‘/data/yinzhengjie.txt’: Permission denied
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/                    #不难发现,不管是root用户还是jason用户创建的文件都归devops组所有,这就是SGID的魅力所在。
total 0
-rw-r--r--. 1 jason devops 0 Sep 10 06:34 jason.txt
-rw-r--r--. 1 root  devops 0 Sep 10 06:34 root.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

3>.Sticky

[root@node101.yinzhengjie.org.cn ~]# mkdir /data
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# touch /data/{1..5}.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod 757 /data      #我们给other角色有w权限,这意味着other组的成员都可以对该目录的文件进行删除操作,尽管它不能访问该目录下的文件内容
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/
drwxr-xrwx. 2 root root 71 Sep  5 17:31 /data/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/          #我们发现里面全部都是root用户的文件,其它用户是仅有读取权限的。
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 1.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 3.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 5.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
Last login: Thu Sep  5 17:30:35 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/1.txt     #我们发现切换到普通用户后,可以随意删除root用户创建的文件,这不科学呀!!!怎么解决这个问题呢?
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/3.txt 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/5.txt 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
logout
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll /data/              #我们发现文件的确是被删除啦!!!
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chmod 757 /data  #我们给other角色有w权限,这意味着other组的成员都可以对该目录的文件进行删除操作,尽管它不能访问该目录下的文件内容(抛出问题)
[root@node101.yinzhengjie.org.cn ~]# ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/
drwxr-xrwx. 2 root root 32 Sep  5 17:32 /data/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chmod o+t /data/          #等效与"chmod 1757 /data/"
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll -d /data/
drwxr-xrwt. 2 root root 32 Sep  5 17:32 /data/
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
Last login: Thu Sep  5 17:32:03 CST 2019 on pts/0
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/2.txt     #我们发现普通用户尽管对"/data"目录有w权限,发现它依旧无法删除不属于它管理的文件
rm: cannot remove ‘/data/2.txt’: Operation not permitted
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/4.txt 
rm: cannot remove ‘/data/4.txt’: Operation not permitted
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt    #手动创建文件
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep 5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep 5 17:31 4.txt
-rw-rw-r--. 1 yinzhengjie yinzhengjie 0 Sep 5 17:43 jason.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/jason.txt     #发现删除自己的文件还是轻而易举的
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
[yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
total 0
-rw-r--r--. 1 root root 0 Sep 5 17:31 2.txt
-rw-r--r--. 1 root root 0 Sep 5 17:31 4.txt
[yinzhengjie@node101.yinzhengjie.org.cn ~]$

4>.总结

SUID:
  作用于二进制可执行程序,当用户执行此程序时,将会临时继承此程序所有者的权限。

SGID:
  作用于二进制可执行程序,当用户执行此程序时,将会继承此程序所属组的权限。
  作用于目录,当用户在此目录下创建文件时,文件的所属组会自动继承此目录的所属组。
STICKY:
  作用于目录,用户只能删除自己的文件。(当然root用户除外,我们探讨权限一般情况都会自动忽略root用户,因为root用户是管理员用户)

5>.设置文件特定属性

chattr +i   不能删除,改名,更改
chattr +a   只能追加内容
lsattr     显示特定属性
[root@node101.yinzhengjie.org.cn ~]# chattr +i /etc/passwd                  #我们给"/etc/passwd"文件添加"i"属性后,发现我们无法对文件进行删除,改名,甚至修改该文件内容。但是root查看里面内容还是可以的。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# rm -f /etc/passwd
rm: cannot remove ‘/etc/passwd’: Operation not permitted
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# mv /etc/passwd /etc/passwd-`date +%F`
mv: cannot move ‘/etc/passwd’ to ‘/etc/passwd-2019-09-10’: Operation not permitted
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "尹正杰到此一游" >> /etc/passwd
-bash: /etc/passwd: Permission denied
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd bigdata
useradd: cannot open /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd            #查看该文件的特定属性
----i----------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chattr -i /etc/passwd          #我们为该文件删除其特定的i属性,发现就可以对文件进行修改操作啦
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd   
---------------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd bigdata      
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# id bigdata
uid=1003(bigdata) gid=1003(bigdata) groups=1003(bigdata)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chattr +i /etc/passwd                  #我们给"/etc/passwd"文件添加"i"属性后,发现我们无法对文件进行删除,改名,甚至修改该文件内容。但是root查看里面内容还是可以的。
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd                  
---------------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chattr +a /etc/passwd                #我们给"/etc/passwd"文件添加"a"属性后,发现我们无法对文件进行修改操作,但是可以追加或查看内容!
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd   
-----a---------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# useradd hadoop                    #我们都知道创建用户其实就是在修改"/etc/passwd"文件呢,很明显创建用户失败这意味着无法修改文件内容
useradd: cannot open /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# echo "hadoop" >> /etc/passwd            #大师追加文件内容确实可以的
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# tail -2 /etc/passwd                  #发现追加成功啦!
bigdata:x:1003:1003::/home/bigdata:/bin/bash
hadoop
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# chattr -a /etc/passwd                #赶紧把"a"属性去掉,然后把刚刚修改的内容还原了,切记把上面的"hadoop"字符串追加内容从"/etc/passwd"文件中删除,避免系统启动时出错。
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd               
---------------- /etc/passwd
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# chattr +a /etc/passwd                  #我们给"/etc/passwd"文件添加"a"属性后,发现我们无法对文件进行修改操作,但是可以追加或查看内容!

 

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!