1. User Management
1. View User Information
# View all users
cat /etc/passwd # Basic user information
getent passwd # Compatible with LDAP and other authentication methods
# View currently logged-in users
who # Simple view
w # Detailed information (including activity)
users # Show only usernames
# View specific user information
id username # Show UID/GID/Group
finger username # Detailed user information (requires installation)
2. Create User
sudo useradd -m -s /bin/bash -c "User Description" username
# Option explanation:
# -m Create home directory
# -s Specify shell
# -c Comment information
# More user-friendly command (recommended)
sudo adduser username # Interactive creation (Debian-based)
3. Modify User Attributes
sudo usermod -aG sudo username # Add sudo privileges
sudo usermod -s /sbin/nologin username # Disable login
sudo usermod -L username # Lock account
sudo usermod -U username # Unlock account
4. Delete User
sudo userdel -r username # -r also deletes home directory and mail
5. Password Management
sudo passwd username # Set/modify password
sudo chage -l username # View password expiration information
sudo chage -E 2024-12-31 username # Set account expiration date
2. Group Management
1. View Group Information
cat /etc/group
getent group
groups username # View groups the user belongs to
2. Create/Delete Group
sudo groupadd developers
sudo groupdel developers
3. Manage Group Members
sudo gpasswd -a username developers # Add user to group
sudo gpasswd -d username developers # Remove user from group
sudo usermod -g primarygroup username # Change primary group
4. Set Group Administrator
sudo gpasswd -A username developers # Specify group administrator
3. Permission Control
1. Basic File Permissions
chmod u+rwx,g+rx,o-rwx file # User read/write/execute / Group read/execute / Others no permissions
chmod 750 directory/ # User rwx / Group rx / Others no permissions
# Numeric permission correspondence:
# 4(r) + 2(w) + 1(x) = 7
# For example: 755 = rwxr-xr-x
2. Special Permissions
chmod u+s file # Set SUID (run as owner when executed)
chmod g+s directory # Set SGID (new files inherit group)
chmod +t /shared/ # Set sticky bit (only owner can delete)
3. ACL Advanced Permissions
# View ACL permissions
getfacl /path/to/file
# Set ACL
setfacl -m u:username:rwx /path # Add permissions for user
setfacl -m g:groupname:r-x /path # Add permissions for group
setfacl -x u:username /path # Remove specific ACL entry
4. Sudo Permission Management
1. Configure sudoers
sudo visudo # Safely edit /etc/sudoers
Typical Configuration:
# Allow user to execute all commands
username ALL=(ALL:ALL) ALL
# Allow group to execute specific commands
%developers ALL=(root) /usr/bin/apt, /usr/bin/systemctl
2. Passwordless sudo
username ALL=(ALL) NOPASSWD: ALL
3. Restrict Command Parameters
username ALL=(root) /bin/kill, /usr/bin/apt, !/usr/bin/apt *remove*
5. Login Restrictions
1. Restrict Login Shell
sudo usermod -s /sbin/nologin username # Disable interactive login
sudo usermod -s /bin/false username # Completely disable
2. Restrict Login Time
# Edit /etc/security/time.conf
username;*;*;Wk0800-1700
3. Restrict Concurrent Logins
# Edit /etc/security/limits.conf
username hard maxlogins 2
6. Batch User Management
1. Batch Create Users
# Use newusers command
echo"user1:x:1001:1001::/home/user1:/bin/bash" | sudo newusers
# Batch create from file
sudo newusers users.list
2. Batch Modify Passwords
# Use chpasswd
echo"username:newpassword" | sudo chpasswd
# Batch modify from file
sudo chpasswd < passwords.list
3. Batch Add Groups
for user in user1 user2 user3; do
sudo usermod -aG developers $user
done
7. Security Best Practices
-
Password Policy:
# Edit /etc/login.defs PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 14 # Install pam_cracklib sudo apt install libpam-cracklib -
Audit Users:
sudo lastlog # View last login sudo grep 'Failed password' /var/log/auth.log # View failed attempts -
Principle of Least Privilege:
-
Create dedicated users for services (e.g.,
<span>www-data</span>for web services) -
Use
<span>sudo</span>instead of directly using root
8. Troubleshooting
1. User Cannot Login
# Check items:
cat /etc/passwd | grep username # Confirm user exists
ls -ld /home/username/ # Check home directory permissions
sudo grep username /etc/shadow # Check password status
2. Permission Issues
# Check process:
id username # Confirm user group
getfacl /path # Check ACL
sudo -u username ls /path # Simulate user operation
3. Sudo Errors
# Common reasons:
# 1. User not in sudoers file
# 2. Command path not in secure path
# 3. Command explicitly denied
9. Common Command Quick Reference
|
Operation |
Command |
|---|---|
|
Create User |
|
|
Modify Group |
|
|
Delete User |
|
|
View Permissions |
|
|
Modify Permissions |
|
|
Change Owner |
|
|
Set ACL |
|
By mastering these commands, you can:
-
Efficiently manage system users and permissions
-
Implement fine-grained access control
-
Quickly troubleshoot account-related issues
-
Build a secure user management system