wA@As峹аѦo

nnJ Linux tΤ@wnbPKX~A_hnJAzOaHLA PϥΪӭn֦Pv~aHڭ٥iHzL user/group Sv]wA ӳWdXPsն}oMשOb Linux ҤUAڭ̥iHzLܦh觋ӭϥΪ̯ϥΪtθ귽A ]A Q@Bbashulimit B٦SvAp umask C zLo|ʡAڭ̥iHWdXPϥΪ̪ϥθ귽Ct~AٰOotκ޲zbܡHI NO root Cаݤ@UAF root ~AO_iHLtκ޲zbH janɶqקKϥμƦrAbHpקϥΪ̬TOHoǧڭ̳onAAѪI

1. Linux accounts and groups
   1.1 User identifiers: UID and GID
   1.2 User accounts: structure of /etc/passwd, structure of /etc/shadow
   1.3 Groups: structure of /etc/group, effective and initial groups, groups, newgrp, /etc/gshadow
2. Account management
   2.1 Adding and removing users: useradd, useradd reference files, passwd, chage, usermod, userdel
   2.2 User utilities: finger, chfn, chsh, id
   2.3 Adding and removing groups: groupadd, groupmod, groupdel, gpasswd group administrators
   2.4 Account management examples
3. Host-wide fine-grained permission planning: using ACL
   3.1 What is ACL
   3.2 How to enable ACL
   3.3 ACL setting tools: setfacl, getfacl, ACL settings (user, group, mask, default)
4. Switching identity
   4.1 su
   4.2 sudo: the sudo command, visudo (/etc/sudoers) (accounts, groups, commands, command aliases, time limits, sudo combined with su)
5. Special shells and PAM modules
   5.1 Special shells: /sbin/nologin, nologin.txt
   5.2 Introduction to PAM modules
   5.3 PAM module configuration syntax: type, flag, module and arguments
   5.4 Common modules: securetty, nologin, pam_cracklib, login flow
   5.5 Other related files: limits.conf
6. Passing information between users of a Linux host
   6.1 Querying users: w, who, last, lastlog
   6.2 Talking to users: write, mesg, wall
   6.3 User mailboxes: mail
7. Adding users manually
   7.1 Checking tools: pwck, pwconv, pwunconv, chpasswd
   7.2 Special accounts, such as accounts made only of digits
   7.3 Bulk account creation example (using the passwd --stdin option)
   7.4 Bulk account creation example (for student numbers and similar)
8. Review questions
9. Homework
10. References and further reading
11. Discussion of this chapter: http://phorum.vbird.org/viewtopic.php?t=23887

Linux accounts and groups

޲zu@A۷n@NOy޲zbzաI]ӨtγOAb޲zA åBҦ@Τ᪺bӽСAnzLAU~IҥHANnAѤ@Up޲zn@ӦADbաI b޲z Linux DbɡAڭ̥AѤ@U Linux 쩳OpOC@ӨϥΪ̪I


User identifiers: UID and GID

Mڭ̵nJ Linux DɭԡAJOڭ̪bAO Linux Dä|{ѧAybW١zALȻ{ ID (ID NO@ոX)C ѩqȻ{ 0 P 1AҥHDƦrFܩbuOFḪeOЦӤwC ӧA ID PbNb /etc/passwd C

pGAgbWUL tarball ɮסA Ӥo{AbY᪺ɮפAɮ׾֦̪쳺MܡyƦrzH_ǧaHoSn_ǪA] Linux bܡALuu{ѥNAXӤwI

쩳X ID OHٰOoڭ̦bĤLA C@ɮ׳㦳y֦HP֦sաzݩʶܡHSաCӵnJϥΪ̦ܤֳ|o ID A@ӬOϥΪ ID (User ID A² UID)B@ӬOs ID (Group ID A² GID)C

ɮצpPOL֦̻PsթOHNOQ UID P GID աIC@ɮ׳|ҿת֦ ID P֦s ID Aڭ̦nɮݩʪݨDɡAtη|̾ /etc/passwd P /etc/group eA UID / GID bPsզW٦AܥXӡIڭ̥iH@ӤpAAiH root vi /etc/passwd AMNA@먭ϥΪ̪ ID HK@ӸXAMAA@먭ؿUݬݭӱb֦ɮסAA|o{ɮת֦HܦF yƦrFzIo˥iHzѤFܡHӬݬݩUҤlG

# 1. Check that the system has a user named dmtsai
[root@www ~]# grep 'dmtsai' /etc/passwd
dmtsai:x:503:504::/home/dmtsai:/bin/bash   <== the account exists
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 dmtsai dmtsai 4096 Feb  6 18:25 /home/dmtsai
# the owner shown is indeed dmtsai

# 2. Now change the UID of dmtsai from 503 to 2000 and look again:
[root@www ~]# vi /etc/passwd
....(omitted)....
dmtsai:x:2000:504::/home/dmtsai:/bin/bash <== the third field changed from 503 to 2000
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 503 dmtsai 4096 Feb  6 18:25 /home/dmtsai
# Scary, isn't it? The owner is now shown as 503, because the file system only records the number,
# and since no account maps to 503 any more, the raw number is displayed

# 3. Remember to change the 2000 back!
[root@www ~]# vi /etc/passwd
....(omitted)....
dmtsai:x:503:504::/home/dmtsai:/bin/bash <== restored

A@wnAѪOAWҤlȬOb UID PbʡAb@`B@ Linux DҤUAWʧ@iHKiA oO]tΤWwgܦhƳQإߦsbFAHNקtΤWYDZb UID ܥi|ɭPYǵ{ǵLkiAoNɭPtεLkQB@GC ]vDڡIҥHAAѤFAл֦^ /etc/passwd ̭ANƦr^ӳI

|ҨӻApGWճ̫@ӨBJSN 2000 ^쥻 UIDA dmtsai UnJɱNSkiJۤvaؿI ]L UID wgאּ 2000 AOLaؿ (/home/dmtsai) oOO 503 AѩvO 700 A ]LNLkiJ쥻aؿIO_D`YڡH

User accounts

Linux tΤWϥΪ̦pGݭnnJDHo shell ҨӤu@ɡALݭnpiOH ALnbqeQ tty1~tty7 ׺ݾѪ login AÿJbPKX~nJC pGOzLܡAܤ֨ϥΪ̴NonDz ssh oӥ\F (AgAӽ)C AJbKXAtABzFOH

  1. Look in /etc/passwd for the account you typed. If it is not there, login ends; if it is, the account's UID and GID (the GID is resolved through /etc/group) are read, together with its home directory and shell;

  2. Then the password is checked: Linux looks up the account and UID in /etc/shadow and compares the password you typed with the stored one;

  3. If everything is OK, you enter the shell stage.

jPWpNoˡAҥHAnnJA Linux DɭԡA /etc/passwd P /etc/shadow NntŪ (o]Oܦh̷|NSbg /etc/passwd YhtG)AҥHOApGAnƥ Linux tΪbܡAoɮ״N@wݭnƥ~I

ѤWy{ڭ̤]DAϥΪ̱bӫD`nɮסA@ӬO޲zϥΪ UID/GID nѼƪ /etc/passwd A@ӫhOM޲zKXƪ /etc/shadow oIoɮתeND`ȱoisաI Uڭ̷|²檺гoɮסAԲӪiHѦ man 5 passwd man 5 shadow (1)C


oɮתcyOo˪GC@泣N@ӱbAXNNXӱbbAtΤI LݭnSOdNOAYܦhbӴNOtΥ`B@ҥnAڭ̥iH²٥LtαbA Ҧp bin, daemon, adm, nobody AoDZbФnHNLOI oɮתeIoˡG

bIJ Linux egIL Solaris t (1999 ~)Aɳԣ]MIѩyťzLinux WbV|ɭPtζVMIIҥHNN /etc/passwd WbRuѤU root PۤvΪ@bIGAqoͤơHNO....Is@u{vӺ@t @_@Iɨ@ӤIjanǰڡI
[root@www ~]# head -n 4 /etc/passwd
root:x:0:0:root:/root:/bin/bash  <== one line per account
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

ڭ̥Ӭݤ@UC Linux tγ|Ĥ@ANO root oӨtκ޲z@nFA AiH㪺ݥXӡAC@ϥΡy:zj}A@CөNNAOOG

  1. Account name:
    The account name, used to map to the UID. For example, root's UID is 0 (the third field);

  2. Password:
    Early Unix systems stored the password in this field. Because this file has to be readable by every program, such a password was easily stolen, so the password data was moved to /etc/shadow. Here you only see an "x".

  3. UID:
    The user identifier. Linux UIDs are conventionally grouped like this:

    UID range                   Characteristics
    0 (system administrator)    A UID of 0 means this account is the "system administrator". To give another account root privileges, set its UID to 0. In other words the administrator is not only the account named root, but giving several accounts UID 0 is strongly discouraged.
    1~499 (system accounts)     Reserved for system accounts. Apart from 0, these UIDs have no special property; keeping numbers below 500 for the system is only a convention.
                                Services started by the system should run with the least privilege possible rather than as root, so each of these processes needs an account of its own. Such accounts are usually not allowed to log in, which is why the special shell /sbin/nologin, met in chapter 11, exists.
                                By convention, 1~99 are created by the distribution and 100~499 are available when the user needs to add system accounts.
    500~65535 (login accounts)  For ordinary users. Current Linux kernels (2.6.x) actually support UIDs up to 4294967295 (2^32-1).

    Clear? Remember: a UID of 0 is root. So pay special attention to the /etc/passwd file!

  4. GID:
    Related to /etc/group, which is much like /etc/passwd except that it maps group names to GIDs.

  5. User information field:
    No important use; it only describes the account. With the finger command it shows up as extra information. The chfn command covered later modifies this field.

  6. Home directory:
    The user's home directory. root's is /root, so after root logs in the shell starts in /root. If an account has a lot of data and you want its home directory on a larger partition, change this field. The default is /home/yourIDname.

  7. Shell:
    As seen in chapter 11 (BASH), after login the user gets a shell through which to talk to the kernel. By default this is bash. Note that one special shell denies login: /sbin/nologin. It is also used for accounts that only fetch mail via pop.


ڭ̪Dܦh{B@PvAvP UID/GID I]U{MݭnŪ /etc/passwd AѤPbvC ] /etc/passwd vݳ]w -rw-r--r-- o˪pA MKX][KLAom /etc/passwd ĤGWIoˤ@ӫܮeQߤHhѨA [KLKX]zLɤO}Ѫkh trial and error (ջ~) XӡI

]o˪YAҥHӵoiXNKXʨ /etc/shadow oɮפj}Ӫ޳NA ӥB٥[JܦhKXѼƦb /etc/shadow YOIbo̡Aڭ̥AѤ@UoɮתcyaI /etc/shadow ɮצIoˡG

[root@www ~]# head -n 4 /etc/shadow
root:$1$/30QpE5e$y9N/D0bh6rAACBEz.hqo00:14126:0:99999:7:::  <== one line per account
bin:*:14126:0:99999:7:::
daemon:*:14126:0:99999:7:::
adm:*:14126:0:99999:7:::

򥻤WA shadow P˥Hy:z@jŸApGƤ@ơA|o{@EڡAoE쪺γ~Oo˪G

  1. Account name:
    Since a password must be tied to an account, the first field is the account name, and it must match /etc/passwd.

  2. Password:
    This field holds the actual password, in encoded (encrypted) form, so you only see a string of special characters. Note that although these encoded strings are hard to reverse, "hard" is not "impossible"; the default mode of this file is therefore "-rw-------" or "-r--------", so only root can read and write it. Be careful not to change its permissions.

    Also, because each encoding scheme produces a fixed-length string, the length of this field is the same for every account using the same scheme. For example the older DES scheme produces a different length from the now common MD5 (2). Because the length is fixed, prefixing the field with ! or * makes the string invalid, so the password is "temporarily disabled". Many administrators use this to disable an account.

  3. Date of the last password change:
    The date the password was last changed, expressed as a day count, which is why the root entry shows 14126. Linux counts from 1970-01-01 as day 1, so 1971-01-01 is 366. 14126 means 2008-09-04. To change this field, use the chage command covered later; to compute the day number of a given date, use:
    [root@www ~]# echo $(($(date --date="2008/09/04" +%s)/86400+1))
    14126

    Here 2008/09/04 is the date to compute, 86400 is the number of seconds in a day, and %s gives the total seconds since 1970/01/01. Because bash only supports integer arithmetic, 1 is added at the end to make up for 1970/01/01 itself.

  4. Days before the password may be changed again: (relative to field 3)
    How many days after the last change the password may be changed again. 0 means it can be changed at any time. The purpose is to stop a freshly set password from being changed right back by someone else; with 20 here, the password cannot be changed for 20 days after it is set.

  5. Days after which the password must be changed: (relative to field 3)
    Changing passwords regularly is a good habit. To force users to change their password, this field says how many days after the last change the password must be renewed. The password must be reset within this period, otherwise it "expires". 99999 (about 273 years) means a change is never forced.

  6. Warning days before the password must be changed: (relative to field 5)
    When the expiry date derived from field 5 approaches, the system warns the user at login for this many days beforehand: "your password expires in n days, please reset it". In the example above the warning starts 7 days before expiry.

  7. Grace period after expiry, the password inactive days: (relative to field 5)
    The password expires at "last change (3)" + "maximum age (5)". An expired password still allows login, but the system forces a new password before the shell is started. This field gives the number of days after expiry during which the user can still log in and reset it; after that the password becomes "inactive" and the account can no longer be used. Expired and inactive are not the same thing.

  8. Account expiry date:
    Like field 3, a day count since 1970. It means the account cannot be used after this date, regardless of whether the password has expired. This is commonly used for "paid service" systems, where a date is set after which the account is disabled.

  9. Reserved:
    The last field is reserved for future features.

To make this concrete, the password record of my dmtsai user looks like this:

dmtsai:$1$vyUuj.eX$omt6lKJvMcIZHx4H7RI1V.:14299:5:60:7:5:14419:

What does it mean? Note that 14299 is 2009/02/24. The password parameters of dmtsai therefore mean:
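As an added illustration (not code from the original page), here is a POSIX shell script that decodes the day-count fields of the dmtsai line above back into dates and derives the expiry dates; the function names are my own. All dates are computed in UTC, so the result does not depend on the machine's time zone.

```shell
#!/bin/sh
# Added example (not part of the original page): decode the nine fields of an
# /etc/shadow line. The sample line is the dmtsai entry quoted in the text.
SAMPLE_SHADOW='dmtsai:$1$vyUuj.eX$omt6lKJvMcIZHx4H7RI1V.:14299:5:60:7:5:14419:'

# days_to_date DAYS -> YYYY-MM-DD for a shadow day count (14126 -> 2008-09-04, as the text states)
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# date_to_days YYYY-MM-DD -> shadow day count. Computing in UTC removes the need for
# the "+1" in the text's formula: that +1 only compensates for integer truncation when
# local midnight (UTC+8 in the text) lies before the UTC day boundary.
date_to_days() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# shadow_field LINE N -> field N (1-based) of a colon-separated shadow line
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_expires LINE -> date the password must be changed (field 3 + field 5),
# or "never" when the maximum age is empty or 99999
password_expires() {
    last=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
    else
        days_to_date $(( last + max ))
    fi
}

# account_expires LINE -> the date in field 8, or "never" when it is empty
account_expires() {
    exp=$(shadow_field "$1" 8)
    if [ -n "$exp" ]; then days_to_date "$exp"; else echo never; fi
}

# report LINE -> human-readable summary of the password parameters
report() {
    echo "user:              $(shadow_field "$1" 1)"
    echo "last change:       $(days_to_date "$(shadow_field "$1" 3)")"
    echo "min days:          $(shadow_field "$1" 4)"
    echo "password expires:  $(password_expires "$1")"
    echo "warn days:         $(shadow_field "$1" 6)"
    echo "inactive days:     $(shadow_field "$1" 7)"
    echo "account expires:   $(account_expires "$1")"
}

report "$SAMPLE_SHADOW"
```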

zLo˪Azӷ|ezѤFaHѩ shadow o˪nʡA]iHNקI bYDZpUAonϥΦUؤkӳBzoɮתI|ҨӻA``ťHaGyڪKXѰOFzA Ϊ̬OyڪKXoQ֧LA@ˤFzAoӮɭԫH

gťL@hܡAYѮvDnObб Linux @~tΡAOLOݥѮvA]ӨtqҤC ѩw˸ӹqЫ Linux @~tΪHwg¾B䤣p觋FA]NO root KXwgSHoFI ɸӦѮvNǥͻGyb Linux ̭ root KXFAڭ̥u୫swˡz...PıILO SOӳQ Windows H~I

Groups: effective and initial groups, groups, newgrp

{ѤFbɮ /etc/passwd P /etc/shadow AAγ\٬O|ıo_ǡA sժ]wɦb̡H٦Ab /etc/passwd ĥ|椣Oҿת GID ܡHSOԣH 㦹ɴNݭnA /etc/group P /etc/gshadow o


oɮ״NObO GID PsզW٪F㳾վ /etc/group eIoˡG

[root@www ~]# head -n 4 /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm

oɮרC@N@ӸsաA]OH_y:z@쪺jŸA@|AC@쪺NqOG

  1. Group name:
    The group name.

  2. Group password:
    Normally not set; it is meant for "group administrators", and very few people use this feature today. Like user passwords, the group password has moved to /etc/gshadow, so only an "x" remains here;

  3. GID:
    The group ID. The GID in the fourth field of /etc/passwd is resolved to a group name through this field.

  4. Accounts supported by this group:
    An account can belong to several groups; to add an account to a group, write its name in this field. For example, to add dmtsai to the root group, append ",dmtsai" at the end of the first line, with no spaces, giving "root:x:0:root,dmtsai".

ͧF /etc/passwd, /etc/shadow, /etc/group Aڭ̥iHϥΤ@²檺ϥܨAѤ@U UID / GID PKXYA ϥܦpUC꭫IO /etc/passwd աALƳOھڳoɮתhMXӪC UϤA root UID O 0 A GID ]O 0 Ah /etc/group iHD GID 0 ɪsզWٴNO root C ܩKXM𫟺A| /etc/shadow P /etc/passwd PbW٪@ANOKXoC

[Figure 1.3.1: how UID/GID and password data relate across the account files]

ܩb /etc/group nSbĥ|աA]CӨϥΪ̳iH֦hӤ䴩sաAoNnbǮհѪɭԡA ڭ̥iH[JhӪΤ@ˡI ^_^CLo̧Aγ\|ıo_ǪANOGypڦPɥ[JhӸsաAڦb@~ɭԡA쩳OHӸsլǡHz Uڭ̴Nӽͤ@ͳoӡyĸsաzC


ٰOoCӨϥΪ̦bL /etc/passwd ̭ĥ|榳ҿת GID aH GID NOҿתyls (initial group) zI]NOAϥΪ̤@nJtΡAߨN֦oӸsժvNC |ҨӻAڭ̤W dmtsai oӨϥΪ̪ /etc/passwd P /etc/group ٦ /etc/gshadow epUG

[root@www ~]# usermod -G users dmtsai  <== set a secondary group
[root@www ~]# grep dmtsai /etc/passwd /etc/group /etc/gshadow
/etc/passwd:dmtsai:x:503:504::/home/dmtsai:/bin/bash
/etc/group:users:x:100:dmtsai  <== secondary group setting
/etc/group:dmtsai:x:504:       <== the initial group, so the account need not be listed in the fourth field
/etc/gshadow:users:::dmtsai    <== secondary group setting
/etc/gshadow:dmtsai:!::

JӬݨWoӪAb /etc/passwd ̭Admtsai oӨϥΪ̩ݪsլ GID=504 AjM@U /etc/group o 504 OӦW dmtsai sհաIoNO initial groupC]OlsաA ϥΪ̤@nJN|DʨoAݭnb /etc/group ĥ|gJӱbI

OD initial group LsեiNPFC|WoӨҤlӻAڱN dmtsai [J users oӸsշAѩ users oӸsըëDO dmtsai lsաA]A ڥnb /etc/group oɮפA users @AåBN dmtsai oӱb[Jĥ|A o dmtsai ~[J users oӸsհڡC

boӨҤlA]ڪ dmtsai bPɤ䴩 dmtsai P users oӸsաA ]AbŪ/gJ/ɮ׮ɡAwsճAunO users P dmtsai oӸsվ֦\A dmtsai oӨϥΪ̳֦IoAIHLAoOwwgsbɮצӨA pGѧڭnإߤ@ӷsɮשΪ̬OsؿAаݤ@UAsɮתsլO dmtsai ٬O users HIoNonˬd@UɪĸsդF (effective group)C


pGڥH dmtsai oӨϥΪ̪nJAӦp󪾹DکҦ䴩sթOH ²ڡAJ groups NiHFI`NAO groups [ s OIGoˡG

[dmtsai@www ~]$ groups
dmtsai users

boӿXTAiD dmtsai oӥΤPݩ dmtsai users oӨӸsաAӥBA Ĥ@ӿXsէYĸs (effective group) FC ]NOAڪĸsլ dmtsai ա㦹ɡApGڥH touch hإߤ@ӷsɡAҦpG y touch test zAoɮת֦̬ dmtsai AӥBsդ]O dmtsai աC

[dmtsai@www ~]$ touch test
[dmtsai@www ~]$ ll
-rw-rw-r-- 1 dmtsai dmtsai 0 Feb 24 17:26 test

oˬO_iHAѤOĸsդFHq`ĸsժ@άObsɮװաI򦳮ĸsլO_ܴH


pܧ󦳮ĸsթOHNϥ newgrp ڡILϥ newgrp OANOAQnsեOAwg䴩sաC|ҨӻA dmtsai iHb dmtsai/users oӸsնĸsաAO dmtsai Lkĸsզ sshd աIϥΪ觋pUG

[dmtsai@www ~]$ newgrp users
[dmtsai@www ~]$ groups
users dmtsai
[dmtsai@www ~]$ touch test2
[dmtsai@www ~]$ ll
-rw-rw-r-- 1 dmtsai dmtsai 0 Feb 24 17:26 test
-rw-r--r-- 1 dmtsai users  0 Feb 24 17:33 test2

ɡAdmtsai ĸsմN users FC ڭB~ӰQפ@U newgrp oӫOAoӫOiHܧثeϥΪ̪ĸsաA ӥBOt~H@ shell Ӵѳoӥ\AҥHAHWҤlӻA dmtsai oӨϥΪ̥ثeOHt@ shell nJAӥBs shell dmtsai GID users NOFCpGHϥܨӬݴNOpUҥܡG

[Figure 1.3.2: how newgrp works]

MϥΪ̪ҳ]w(ҦpܼƵL)|vTAOϥΪ̪ysvzN|sQpC Oݭn`NAѩOso@ shell A]pGAQn^쥻ҤAпJ exit ^쥻 shell I

JMpA]NOAunڪΤᦳ䴩sմNOĸsաInFA p@ӱb[JPsմNODҦboCAn[J@ӸsզӤ觋A@ӬOzLtκ޲z (root) Q usermod A[JApG root ӦFӥBAtΦ]wsպ޲zAAiHzLsպ޲zH gpasswd A[JLҺ޲zsդIԲӪ@kdݤU@p`AӤoI


FܦhyĸsաzAt~A] newgrp oӫOΪkA OApG /etc/gshadow oӳ]wSdoܡA newgrp OLkʧ@OI վ /etc/gshadow eIoˡG

[root@www ~]# head -n 4 /etc/gshadow
root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm

oɮפP٬OϥΫ_y:zӧ@쪺jrAӥBA|o{Aoɮ״XGP /etc/group @Ҥ@˰ڡIOo˨S㤣LAn`NjNOĤGaĤGOKXA pGKXWOy!zɡAܸӸsդ㦳sպ޲zIܩĥ|]NO䴩bWo o|쪺NqG

  1. Group name
  2. Password; as before, a leading ! means there is no valid password, hence no group administrator
  3. Group administrator accounts (see gpasswd later)
  4. Accounts belonging to the group (same content as /etc/group)

Htκ޲zרӻAo gshadow ̤j\NOإ߸sպ޲zաI 򤰻Osպ޲zOHѩtΤWbi|ܦhAOڭ root i७ɤӦLAҥHϥΪ̷Qn[JYǸsծɡA root γ\|Sź޲zCɦpGإ߸sպ޲zܡAӸsպ޲zNNӱb[Jۤv޲zsդI iHKh root LաILAѩثe sudo uA ҥHoӸsպ޲z\wgܤ֨ϥΤFCڭ̷|b gpasswd гoӹ@C


Account management

nաIJMn޲zbAMOѷsWPϥΪ̶}lo㧐Uڭ̴NOӽͤ@ͦpsWB PϥΪ̪Ta


Adding and removing users: useradd, related settings, passwd, usermod, userdel

npb Linux tηsW@ӨϥΪ̰ڡHuO²Fڭ̵nJtήɷ|J (1)bP (2)KXA ҥHإߤ@ӥiΪbP˪]ݭnoӸơCbiHϥ useradd ӷsبϥΪ̡AKXhϥ passwd oӫOIoӫOUFkpUG


[root@www ~]# useradd [-u UID] [-g initial_group] [-G secondary_group] [-mM]\
>  [-c comment] [-d home_directory] [-s shell] username
Options and parameters:
-u  : a specific UID (a number) to give this account;
-g  : the initial group described above; its GID is written to the fourth field of /etc/passwd
-G  : other groups this account also belongs to; this option modifies /etc/group
-M  : force: do NOT create the user's home directory (default for system accounts)
-m  : force: create the user's home directory (default for regular accounts)
-c  : the comment, i.e. the fifth field of /etc/passwd; set it as you like
-d  : a specific directory to use as the home directory instead of the default; use an absolute path
-r  : create a system account; its UID is limited by /etc/login.defs
-s  : the login shell; defaults to /bin/bash when not given
-e  : a date in the format "YYYY-MM-DD", written to the eighth field of /etc/shadow,
      the account expiry date
-f  : the seventh field of /etc/shadow, whether the password becomes inactive after expiry:
      0 means immediately inactive, -1 never inactive (the password only forces a reset at login)

Example 1: create a user named vbird1 using only the defaults
[root@www ~]# useradd vbird1
[root@www ~]# ll -d /home/vbird1
drwx------ 4 vbird1 vbird1 4096 Feb 25 09:38 /home/vbird1
# the home directory is created by default with mode 700; this matters!

[root@www ~]# grep vbird1 /etc/passwd /etc/shadow /etc/group
/etc/passwd:vbird1:x:504:505::/home/vbird1:/bin/bash
/etc/shadow:vbird1:!!:14300:0:99999:7:::
/etc/group:vbird1:x:505:    <== a group with the same name as the account is created by default

tΤwgڭ̳WwnD`hw]ȤFAҥHڭ̥iH²檺ϥΡy useradd b zӫإߨϥΪ̧YiC CentOS oǹw]ȥDn|ڭ̳BzXӶءG

ѩb /etc/shadow ȷ|KXѼƦӤ|[KLKXơA]ڭ̦bإߨϥΪ̱bɡA ٻݭnϥΡy passwd b zӵKX~OFϥΪ̫إߪy{CpGѩSݨDӻݭnܨϥΪ̬ѼƮɡA NonzLWz椤ﶵӶiإߤFAѦҩUרҡG

Example 2: I already know my system has a group named users and that UID 700 is unused.
           Create an account named vbird2 with users as its initial group and UID 700
[root@www ~]# useradd -u 700 -g users vbird2
[root@www ~]# ll -d /home/vbird2
drwx------ 4 vbird2 users 4096 Feb 25 09:59 /home/vbird2

[root@www ~]# grep vbird2 /etc/passwd /etc/shadow /etc/group
/etc/passwd:vbird2:x:700:100::/home/vbird2:/bin/bash
/etc/shadow:vbird2:!!:14300:0:99999:7:::
# the UID and the initial group are indeed what we asked for

boӽdҤAڭ̫إߪOw@Ӥwgsbsէ@ϥΪ̪lsաA]sդwgsbA ҥHb /etc/group ̭N|Dʪإ߻PbPWsդFI ~Aڭ̤]wFS UID ӧ@ϥΪ̪M UID IAѤF@bAڭ̨@@ԣOtαb (system account) aI

Example 3: create a system account named vbird3
[root@www ~]# useradd -r vbird3
[root@www ~]# ll -d /home/vbird3
ls: /home/vbird3: No such file or directory  <== no home directory is created

[root@www ~]# grep vbird3 /etc/passwd /etc/shadow /etc/group
/etc/passwd:vbird3:x:100:103::/home/vbird3:/bin/bash
/etc/shadow:vbird3:!!:14300::::::
/etc/group:vbird3:x:103:

ڭ̦bͨ UID ɭԴgL@bӬO 500 HAϥΪ̦ۤvإߪtαbh@O 100 H_⪺C ҥHbo̧ڭ̥[W -r oӿﶵHAtδN|DʱNbPbPWsժ UID/GID wp 500 HUA bרҤhOϥ 100(UID) P 103(GID) oI~AѩtαbDnOΨӶiB@tΩһݪAȪv]wA ҥHtαbw]|Dʫإ߮aؿI

ѳoXӽdҧڭ̤]|DAϥ useradd إߨϥΪ̱bɡA|藍֦aAܤ֧ڭ̴NDUXɮסG

бФ@UAASQLAy useradd vbird1 z|Dʦb /home/vbird1 إ߰_ϥΪ̪aؿHaؿƥBӦ̡ۭHw]ϥΪO /bin/bash o shell HKXwgWdnF (0:99999:7 @)HIoNon@U useradd ҨϥΪѦɮoI


useradd w]ȥiHϥΩUkIsXӡG

[root@www ~]# useradd -D
GROUP=100		<== default group
HOME=/home		<== directory under which home directories are created
INACTIVE=-1		<== password inactive days, field 7 of shadow
EXPIRE=			<== account expiry date, field 8 of shadow
SHELL=/bin/bash		<== default shell
SKEL=/etc/skel		<== template directory for the content of new home directories
CREATE_MAIL_SPOOL=yes   <== whether to create a mailbox for the user

oƨO /etc/default/useradd IsXӪIAiHۦ vim h[ɮתeCftWY͹LdҤ@B@GAWodz]wةҳy欰OOG

Foǰ򥻪b]wȤ~A UID/GID ٦KXѼƤSOb̰ѦҪOHNonݤ@U /etc/login.defs աI oɮתeIUoˡG

MAIL_DIR        /var/spool/mail	<== directory holding users' default mailboxes

PASS_MAX_DAYS   99999	<== field 5 of /etc/shadow, days after which the password must be changed
PASS_MIN_DAYS   0	<== field 4 of /etc/shadow, days before the password may be changed again
PASS_MIN_LEN    5	<== minimum password length; superseded by the pam module, no longer used
PASS_WARN_AGE   7	<== field 6 of /etc/shadow, warning days before expiry

UID_MIN         500	<== smallest UID for regular users; UIDs below 500 are reserved for the system
UID_MAX       60000	<== largest UID for regular users
GID_MIN         500	<== smallest GID for user-created groups; below 500 is reserved for the system
GID_MAX       60000	<== largest GID for user-created groups

CREATE_HOME     yes	<== whether to create the home directory when neither -M nor -m is given
UMASK           077     <== umask used to create the home directory, so its mode is 700
USERGROUPS_ENAB yes     <== whether userdel also removes the user's initial group
MD5_CRYPT_ENAB yes      <== whether passwords are hashed with MD5

oɮ׳WdƫhOpUҥܡG

{bADաAϥ useradd o{bإ Linux WbɡAܤַ|ѦҡG

oɮסALA̭nOإ /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow ٦ϥΪ̮aؿNOFҥHApGAAѾӨtιB@AA]OiHʪקoXɮ״NOFC OKIbإߤFAUӳBz@UϥΪ̪KXaI


ڭFAϥ useradd إߤFbAbw]pUAӱbOȮɳQꪺA ]NOAӱbOLknJAAiHh@@@ /etc/shadow ĤGNoo ӦpOnHȤHL]wsKXNnFIa]wKXNϥ passwd oI

[root@www ~]# passwd [--stdin]  <== anyone can use this to change their own password
[root@www ~]# passwd [-l] [-u] [--stdin] [-S] \
>  [-n days] [-x days] [-w days] [-i days] account <== root functions
Options and parameters:
--stdin : read the password from the previous command in a pipe; useful in shell scripts
-l  : Lock: prepends ! to field 2 of /etc/shadow so the password becomes invalid;
-u  : the opposite of -l: Unlock
-S  : list the password parameters, i.e. a summary of the shadow content
-n  : days; field 4 of shadow, how long before the password may be changed again
-x  : days; field 5 of shadow, how long the password stays valid
-w  : days; field 6 of shadow, warning days before expiry
-i  : days; field 7 of shadow, password inactive days

Example 1: root sets the password of vbird2
[root@www ~]# passwd vbird2
Changing password for user vbird2.
New UNIX password: <== type the new password here; nothing is echoed
BAD PASSWORD: it is WAY too short <== the password is too simple or too short
Retype new UNIX password:  <== type the same password again
passwd: all authentication tokens updated successfully.  <== it was still changed successfully

root GMO̰jHIڭ̭nϥΪ̱KXɡAzL root ӳ]wYiC root iH]wUU˪KXAtδXG@w|IҥHz@@ApPWdҤ@AJKXӵuFA OtΨ¥i vbird2 o˪KX]wCoӬO root ]wGApGOϥΪ̦ۤvnKXOH ]A root ]Oo˭ק諸I

Example 2: logged in as vbird2, change vbird2's own password
[vbird2@www ~]$ passwd   <== no account name after it: change your own password
Changing password for user vbird2.
Changing password for vbird2
(current) UNIX password: <== type the current (old) password here
New UNIX password: <== type the new password
BAD PASSWORD: it is based on a dictionary word <== rejected by the password check; think of another
New UNIX password: <== think again and type it here
Retype new UNIX password: <== the check passed, so repeat the password
passwd: all authentication tokens updated successfully. <== only now was it changed

passwd ϥίunܪ`NAרO root ͰڡIbҰWCo̡AOnۤv@bإ߱KXɡA @pǥʹNO|ѰO[WbAGNܦ root ۤvKXA̫.... root KXNoˤhI n@bإ߱KXݭnϥΡy passwd b z榡AϥΡy passwd zܭקۤvKXIUIdUnI

P root POA@bbKXɻݭnJۤv±KX (Y current @)AMAJsKX (New @)C n`NOAKXWdOD`Y檺Aרs distributions jhϥ PAM ҲըӶiKXA]AӵuB KXPbۦPBKXr`r굥A|Q PAM ҲˬdXӦөڵקKXAɷ|AƥX{y New zorI ɽЦAQӷsKXIYX{y Retype z~OAKXQFIƿJsKXåBݨy successfully zorɤ~OקKX\I

P@ϥΪ̤POA root äݭnD±KXNϥΪ̩ root ۤvإ߷sKXI p@ӦxZNOpGA˱KRHѬOiDAyڪKXuOAڳ]w²@IIzɡA dUnڡIoOFtΦw...

ϥΪ̭n]qۤvKX|o·аڡHoO]KXwʰաIpGKX]w²A @ǦߤHhN²檺qAKXAp@ӤHaNiϥΧA@bnJADΨϥΨLD귽A D@|yxZIҥHs distributions OϥθY檺 PAM ҲըӺ޲zKXAoӺ޲zgb /etc/pam.d/passwd Cɮ׻PKXռҲմNOϥΡGpam_cracklib.soAoӼҲշ|KXTA åBN /etc/login.defs PASS_MIN_LEN ]wաI PAM ڭ̦b᭱~򤶲СAo̥ͤ@UA zפWAAKX̦nŦXpUnDG

FKtκ޲zAs passwd ٥[JFܦhзNﶵIӤH{̦nΪjNOoӡy --stdin zFI |ҨӻAAQn vbird2 ܧKX abc543CC AiHoˤUFOOI

Example 3: set a user's password from standard input
[root@www ~]# echo "abc543CC" | passwd --stdin vbird2
Changing password for user vbird2.
passwd: all authentication tokens updated successfully.

oӰʧ@|sϥΪ̪KXӤΦAʿJInBOKBzAIOoӱKX|OdbOA ӭYtγQ}AHaiHb /root/.bash_history oӱKXOIҥHoӰʧ@q`ȥΦb shell script jqإߨϥΪ̱bIn`NOAoӿﶵäsbҦ distributions A Шϥ man passwd T{A distribution O_䴩ﶵI

pGAQn vbird2 KX㦳۷WhA|ҨӻAn vbird2 C 60 ѻݭnܧKXA KXL 10 ѥϥδNŧibġAӦpBzH

Example 4: require vbird2 to change the password every 60 days and disable the account 10 days after expiry
[root@www ~]# passwd -S vbird2
vbird2 PS 2009-02-26 0 99999 7 -1 (Password set, MD5 crypt.)
# above: password set on 2009-02-26, minimum 0 days, change forced after 99999 days,
# 7 warning days, and the password never becomes inactive (-1)

[root@www ~]# passwd -x 60 -i 10 vbird2
[root@www ~]# passwd -S vbird2
vbird2 PS 2009-02-26 0 60 7 10 (Password set, MD5 crypt.)

pGڷQnYӱbȮɵLkϥαKXnJDOH|ҨӻA vbird2 oå̪ѬOJæbDèӡA ҥHڷQnȮoLknJܡA²檺kNOoKXܦXk (shadow 2 ܱ)I BzkN²檺I

Example 5: disable the vbird2 account; re-enable it once the cause is resolved
[root@www ~]# passwd -l vbird2
[root@www ~]# passwd -S vbird2
vbird2 LK 2009-02-26 0 60 7 10 (Password locked.)
# hmm! it became "LK, Lock", so the account can no longer log in
[root@www ~]# grep vbird2 /etc/shadow
vbird2:!!$1$50MnwNFq$oChX.0TPanCq7ecE4HYEi.:14301:0:60:7:10::
# all that happened is that !! was added here

[root@www ~]# passwd -u vbird2
[root@www ~]# grep vbird2 /etc/shadow
vbird2:$1$50MnwNFq$oChX.0TPanCq7ecE4HYEi.:14301:0:60:7:10::
# the password is back to normal

O_ܦڡIziHۦ޲z@UAbKXѼƳIUڭ̥Χ²檺kӬd\KXѼƳI


Fϥ passwd -S ~ASԲӪKXѼܥ\OHINO chage FI LΪkpUG

[root@www ~]# chage [-ldEImMW] account
Options and parameters:
-l : list the account's detailed password parameters;
-d : date; changes field 3 of shadow (last password change), format YYYY-MM-DD
-E : date; changes field 8 of shadow (account expiry date), format YYYY-MM-DD
-I : days; changes field 7 of shadow (password inactive days)
-m : days; changes field 4 of shadow (minimum days a password must be kept)
-M : days; changes field 5 of shadow (maximum days before the password must be changed)
-W : days; changes field 6 of shadow (warning days before expiry)

Example 1: list the detailed password parameters of vbird2
[root@www ~]# chage -l vbird2
Last password change                               : Feb 26, 2009
Password expires                                   : Apr 27, 2009
Password inactive                                  : May 07, 2009
Account expires                                    : never
Minimum number of days between password change     : 0
Maximum number of days between password change     : 60
Number of days of warning before password expires  : 7

ڭ̦b passwd ФͨFBz vbird2 oӱbKXݩʬy{Aϥ passwd -S oLkݨܲMCpGϥ chage iNզhFIpWҥܡAڭ̥iHMD vbird2 ԲӰѼƩOI pGQnקL]wȡANۤvѦҤWﶵAΪ̦ۦ man chage @UaI^_^

chage @ӥ\ܤIpGAQnyϥΪ̦bĤ@nJɡA jo̤@wnKX~ϥΨtθ귽zAiHQΦpUkӳBzI

Example 2: create an account named agetest that logs in the first time with the default password,
           must change it immediately, and then logs in with the new password to use bash
[root@www ~]# useradd agetest
[root@www ~]# echo "agetest" | passwd --stdin agetest
[root@www ~]# chage -d 0 agetest
# the password change date is now 1970/1/1, so the password is already expired

Example 3: log in as agetest to test it
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user agetest.
Changing password for agetest
(current) UNIX password:  <== this account is forced to change its password

D`aIA|o{ agetest oӱbbĤ@nJɥiHϥλPbPWKXnJA nJɴN|QnDߨKXAKXN|QXtΡCAnJɴNϥηsKXnJFI oӥ\ǮզѮvD`UI]ڭ̤QnDǥͪKXAb즸WҮɴNϥλPǸۦPb/KXǥ͡A o̵nJɦۦ]wo̪KXAp@ӴNקKLPHNϥΧOHbA]OҾǥͪDpۤvKXI


ҿ׳oyHAÿzAzOaHҥHoAMɭԷ|ypߡzb useradd ɭԥ[JF~]wơCΪ̬OAbϥ useradd Ao{YǦa٥iHiӳקC ɡAMڭ̥iH /etc/passwd /etc/shadow hק۹쪺ơA LALinux ]ѬOjaӶibƪLթO㨺NO usermod o

[root@www ~]# usermod [-cdegGlsuLU] username
Options and parameters:
-c  : account description, the fifth field of /etc/passwd; lets you attach a note to the account
-d  : account home directory, i.e. field 6 of /etc/passwd
-e  : date, format YYYY-MM-DD, i.e. field 8 of /etc/shadow
-f  : days, field 7 of /etc/shadow
-g  : initial group; changes field 4 of /etc/passwd, the GID
-G  : secondary group; changes the groups this user belongs to, which modifies /etc/group
-a  : used with -G, to "add" secondary groups rather than "replace" them
-l  : account name; changes the account name, field 1 of /etc/passwd
-s  : shell file, e.g. /bin/bash or /bin/csh
-u  : UID number, field 3 of /etc/passwd
-L  : temporarily freeze the user's password so they cannot log in; only changes the password field of /etc/shadow
-U  : removes the ! from the password field of /etc/shadow

pGAJӪA|o{ usermod ﶵP useradd D`I oO] usermod ]OΨӷL useradd W[ϥΪ̰ѼƹIL usermod ٬OsWﶵA NO -L P -U ALoӿﶵP passwd -l, -u OۦPIӥB]o|sbҦ distribution IUӡAڭ̽ͽͤ@ܧѼƪҧaI

Example 1: change the description of vbird2 to "VBird's test"
[root@www ~]# usermod -c "VBird's test" vbird2
[root@www ~]# grep vbird2 /etc/passwd
vbird2:x:700:100:VBird's test:/home/vbird2:/bin/bash

Example 2: make the vbird2 account expire on 2009/12/31
[root@www ~]# usermod -e "2009-12-31" vbird2
[root@www ~]# grep vbird2 /etc/shadow
vbird2:$1$50MnwNFq$oChX.0TPanCq7ecE4HYEi.:14301:0:60:7:10:14609:

Example 3: the system account vbird3 was created without a home directory; create one for it
[root@www ~]# ll -d ~vbird3
ls: /home/vbird3: No such file or directory  <== confirm there really is no home directory
[root@www ~]# cp -a /etc/skel /home/vbird3
[root@www ~]# chown -R vbird3:vbird3 /home/vbird3
[root@www ~]# chmod 700 /home/vbird3
[root@www ~]# ll -a ~vbird3
drwx------  4 vbird3 vbird3 4096 Sep  4 18:15 .  <== the home directory's permissions
drwxr-xr-x 11 root   root   4096 Feb 26 11:45 ..
-rw-r--r--  1 vbird3 vbird3   33 May 25  2008 .bash_logout
-rw-r--r--  1 vbird3 vbird3  176 May 25  2008 .bash_profile
-rw-r--r--  1 vbird3 vbird3  124 May 25  2008 .bashrc
drwxr-xr-x  3 vbird3 vbird3 4096 Sep  4 18:11 .kde
drwxr-xr-x  4 vbird3 vbird3 4096 Sep  4 18:15 .mozilla
# chown -R changes the user/group of everything under the home directory as well;
# chmod is used without -R because only the directory's mode should change, not the files' modes


oӥ\N²FAتbRϥΪ̪ơAӨϥΪ̪ƦG

ӫOykD`²G

[root@www ~]# userdel [-r] username
Options and parameters:
-r  : also remove the user's home directory

Example 1: remove vbird2 together with the home directory
[root@www ~]# userdel -r vbird2

oӫOUFɭԭnpߤFIq`ڭ̭n@ӱbɭԡAAiHʪN /etc/passwd P /etc/shadow YӱbYiI@ӨApGӱbuOyȮɤҥzܡAN /etc/shadow YbĤ (ĤK) ]w 0 NiHӱbLkϥΡAOҦӱbƳ|dUӡI ϥ userdel ɾq`OyAuTwnӥΤbDWϥΥƤFIz

t~AϥΪ̦pGbtΤWާ@L@}lFAӨϥΪ̨btΤi|tLɮתC |ҨӻALlHc (mailbox) Ϊ̬OҦʤu@Ƶ{ (crontab, Q) ɮסC ҥHApGQn㪺NYӱb㪺A̦niHbUF userdel -r username eA Hy find / -user username zdXӨtΤݩ username ɮסAMA[HRaI


User utilities

׬O useradd/usermod/userdel AOtκ޲zүϥΪOA pGڬO@먭ϥΪ̡AڬO_FKX~ANLkLƩOH MOաIo̧ڭ̤дXӤ@먭ϥΪ̱`ΪbܧPd߫OoI


finger rNqOGyzΪ̬OyzNCo finger iHd\ܦhϥΪ̬TI jOb /etc/passwd oɮ׸̭TաIڭ̴NˬdˬdϥΪ̸TaI

[root@www ~]# finger [-s] username
Options and parameters:
-s  : list only the user's account, full name, terminal name and login time;
-m  : list only accounts whose name matches exactly, not fuzzy matches (including the full name)

Example 1: view the account information of vbird1
[root@www ~]# finger vbird1
Login: vbird1                           Name: (null)
Directory: /home/vbird1                 Shell: /bin/bash
Never logged in.
No mail.
No Plan.

ѩ finger \AL|NϥΪ̪ݩʦCXӡIpWҥܡALCXӪXGO /etc/passwd ɮ׸̭FCCXTpUG

LO_d\ Mail P Plan hPvFI] Mail / Plan OPϥΪ̦ۤvv]wA root MiHd\ϥΪ̪oǸTAO vbird1 Nod vbird3 TA ] /var/spool/mail/vbird3 P /home/vbird3/ vOO 660, 700 A vbird1 MNLkd\I o˸iHzѧaH~Aڭ̥iHإߦۤvQn檺wwpeAMA̦hOۤvݪIiHo˰G

Example 2: vbird1 creates a plan of their own
[vbird1@www ~]$ echo "I will study Linux during this year." > ~/.plan
[vbird1@www ~]$ finger vbird1
Login: vbird1                           Name: (null)
Directory: /home/vbird1                 Shell: /bin/bash
Never logged in.
No mail.
Plan:
I will study Linux during this year.

Example 3: show the users currently logged in to the system and their login time
[vbird1@www ~]$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root       tty1           Feb 26 09:53
vbird1               tty2           Feb 26 15:21

bdҤTAڭ̵o{XTٷ| Office, Office Phone TAoǸTnpOOH Uڭ̷| chfn oӫOIӬݬݦpקϥΪ̪ finger ƧaI


chfn IOG change finger NIoNϥΤkpUG

[root@www ~]# chfn [-foph] [account]
Options and parameters:
-f  : the full name;
-o  : the office room number;
-p  : the office phone number;
-h  : the home phone number

Example 1: vbird1 edits own information
[vbird1@www ~]$ chfn
Changing finger information for vbird1.
Password:                        <== authentication: enter your own password
Name []: VBird Tsai test         <== enter the display name you want
Office []: Dic in Ksu. Tainan    <== office number
Office Phone []: 06-2727175#356  <== office phone
Home Phone []: 06-1234567        <== home phone number

Finger information changed.
[vbird1@www ~]$ grep vbird1 /etc/passwd
vbird1:x:504:505:VBird Tsai test,Dic in Ksu. Tainan,06-2727175#356,06-1234567:
/home/vbird1:/bin/bash
# the fifth field, with several entries separated by ","

[vbird1@www ~]$ finger vbird1
Login: vbird1                           Name: VBird Tsai test
Directory: /home/vbird1                 Shell: /bin/bash
Office: Dic in Ksu. Tainan              Office Phone: 06-2727175#356
Home Phone: 06-1234567
On since Thu Feb 26 15:21 (CST) on tty2
No mail.
Plan:
I will study Linux during this year.
# the special finger fields above are the ones set with chfn

oӫObADOADܦhΤA_h˯uOΤ۳oӵ{IoNIO bbs YAyӤHݩʡz@ӸưաIL٬OiHۤv@IרOΨӴۤvưաI ^_^


oNO change shell ²gIϥΤkN²FI

[vbird1@www ~]$ chsh [-ls]
Options and parameters:
-l  : list the shells available on this system, i.e. the content of /etc/shells
-s  : set (change) your own shell

Example 1: as vbird1, list all valid shells and choose csh as own shell
[vbird1@www ~]$ chsh -l
/bin/sh
/bin/bash
/sbin/nologin  <== the so-called "valid login shells" include this one
/bin/tcsh
/bin/csh       <== this is the C shell
/bin/ksh
# the list above is the /etc/shells content met in the bash chapter

[vbird1@www ~]$ chsh -s /bin/csh; grep vbird1 /etc/passwd
Changing shell for vbird1.
Password:  <== authentication: type vbird1's password
Shell changed.
vbird1:x:504:505:VBird Tsai test,Dic in Ksu. Tainan,06-2727175#356,06-1234567:
/home/vbird1:/bin/csh

[vbird1@www ~]$ chsh -s /bin/bash
# test done, change it back right away

[vbird1@www ~]$ ll $(which chsh)
-rws--x--x 1 root root 19128 May 25  2008 /usr/bin/chsh

׬O chfn P chsh AO@ϥΪ̭ק /etc/passwd oӨtɪIҥHAqqAoɮתvOH @wO SUID \աIݨo̡AQeI oNO Linux Dzߤk ^_^


id oӫOhiHd߬YHΦۤv UID/GID TALѼƤ]֡ALA ݭnOϥϥ id NCXo ^_^

[root@www ~]# id [username]

Example 1: view root's own ID information
[root@www ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh
# the information above is the same as seen before: UID/GID plus all groups the account belongs to
# the trailing context=... is SELinux content, explained later

Example 2: look up vbird1
[root@www ~]# id vbird1
uid=504(vbird1) gid=505(vbird1) groups=505(vbird1) context=root:system_r:
unconfined_t:SystemLow-SystemHigh

[root@www ~]# id vbird100
id: vbird100: No such user  <== id can also be used to check whether an account exists

Adding and removing groups

OKIAѤFbsWBRBʻPd߫AAӧڭ̥iH@sժeFC 򥻤WAsժePoɮצG/etc/group, /etc/gshadowC sժe²AOWɮתsWBקPӤwA LApGA[WĸsժA newgrp P gpasswd hiOI


[root@www ~]# groupadd [-g gid] [-r] groupname
Options and parameters:
-g  : a specific GID to give this group
-r  : create a system group, subject to GID_MIN in /etc/login.defs

Example 1: create a new group named group1
[root@www ~]# groupadd group1
[root@www ~]# grep group1 /etc/group /etc/gshadow
/etc/group:group1:x:702:
/etc/gshadow:group1:!::
# the group's GID is also chosen as the largest GID above 500 plus 1

gYǪШ|VmUͨAFϥΪ̪ UID/GID Ao̫ijsتPϥΪ̨psյLLsծɡAϥΤp 500 HU GID yC ]NOApGnإ߸sժܡA̦nϥΡy groupadd -r sզWz觋ӫإ߰աI LAoաIݧAۤvoI


usermod AoӫOȬObi group ѼƪקӤwC

[root@www ~]# groupmod [-g gid] [-n group_name] groupname
Options and parameters:
-g  : change the existing GID number;
-n  : change the existing group name

Example 1: rename the group1 created above to mygroup and change its GID to 201
[root@www ~]# groupmod -g 201 -n mygroup group1
[root@www ~]# grep mygroup /etc/group /etc/gshadow
/etc/group:mygroup:x:201:
/etc/gshadow:mygroup:!::

LA٬OyѸܡAnHN GID Aeytθ귽óI


III groupdel ۵MNObRsժoΪk²G

[root@www ~]# groupdel [groupname]

Example 1: remove the mygroup group
[root@www ~]# groupdel mygroup

Example 2: what if we try to remove the vbird1 group?
[root@www ~]# groupdel vbird1
groupdel: cannot remove user's primary group.

mygroup iHRAO vbird1 NROH]²AyYӱb (/etc/passwd) initial group ϥθӸsաIz pGd\@UAA|o{b /etc/passwd vbird1 ĥ|檺 GID NO /etc/group vbird1 Ӹsժ GID AҥHoAMLkR_h vbird1 oӨϥΪ̵nJtΫA N|䤣 GID AiO|yܤjxZIpGwnR vbird1 oӸsթOH AynT{ /etc/passwd bSHϥθӸsէ@ initial group z~IҥHAAiHG



pGtκ޲zӦLFAɭPYDZbQn[JYӱM׮ɧ䤣HIoӮɭԥiHإߡysպ޲zzI Osպ޲zOHNOYӸsը㦳@Ӻ޲zAoӸsպ޲ziH޲zDZbiH[J/XӸsաI npyإߤ@Ӹsպ޲zzOHNonzL gpasswd oI

# actions by the system administrator (root):
[root@www ~]# gpasswd groupname
[root@www ~]# gpasswd [-A user1,...] [-M user3,...] groupname
[root@www ~]# gpasswd [-rR] groupname
Options and parameters:
    : with no parameters, gives groupname a password (stored in /etc/gshadow)
-A  : hands control of groupname to the listed users (they become the group's administrators)
-M  : adds the listed accounts to the group
-r  : removes the password of groupname
-R  : makes the password of groupname ineffective

# actions by a group administrator:
[someone@www ~]$ gpasswd [-ad] user groupname
Options and parameters:
-a  : adds a user to groupname
-d  : removes a user from groupname

Example 1: create a new group named testgroup and give vbird1 control of it:
[root@www ~]# groupadd testgroup  <== create the group
[root@www ~]# gpasswd testgroup   <== give the group a password
Changing the password for group testgroup
New Password:
Re-enter new password:
# type the password twice
[root@www ~]# gpasswd -A vbird1 testgroup  <== make vbird1 the group administrator
[root@www ~]# grep testgroup /etc/group /etc/gshadow
/etc/group:testgroup:x:702:
/etc/gshadow:testgroup:$1$I5ukIY1.$o5fmW.cOsc8.K.FHAFLWg0:vbird1:
# interesting: vbird1 now controls testgroup but is not yet a member of it

Example 2: log in as vbird1 and add vbird1 and vbird3 to testgroup
[vbird1@www ~]$ id
uid=504(vbird1) gid=505(vbird1) groups=505(vbird1) ....
# as you can see, vbird1 has not joined the testgroup group

[vbird1@www ~]$ gpasswd -a vbird1 testgroup
[vbird1@www ~]$ gpasswd -a vbird3 testgroup
[vbird1@www ~]$ grep testgroup /etc/group
testgroup:x:702:vbird1,vbird3

ܦ쪺@ӤpaIڭ̥iH testgroup @ӥiH}sաAMإ߰_sպ޲zA sպ޲ziHhӡCboӮרҤAڱN vbird1 ]w testgroup sպ޲zAҥH vbird1 NiHۦW[sզoIIIMAӸsզNϥ newgrp o


Account management examples

b޲zOHNظmXӱbNFIɭԧڭ̻ݭnҶq@DWi঳hӱbbPu@I |ҨӻAbjǥЮɡAڭ̾ǮժMDͬOݭnժAoǦP@ժPǶnۭק𫍧ɮסA OPɳoǦPǤSݭnOdۤvpKơA]}aؿOAyCӦpOnH Aڭ̩UѴXӨҤljaҬݬoG

Task 1: suppose the accounts we need are as follows; how should they be created?

Account name   Full name   Secondary group   Can log in?   Password
myuser1        1st user    mygroup1          yes           password
myuser2        2nd user    mygroup1          yes           password
myuser3        3rd user    none              no            password

The procedure is as follows:

# first handle the account attribute data:
[root@www ~]# groupadd mygroup1
[root@www ~]# useradd -G mygroup1 -c "1st user" myuser1
[root@www ~]# useradd -G mygroup1 -c "2nd user" myuser2
[root@www ~]# useradd -c "3rd user" -s /sbin/nologin myuser3

# then handle the account password data:
[root@www ~]# echo "password" | passwd --stdin myuser1
[root@www ~]# echo "password" | passwd --stdin myuser2
[root@www ~]# echo "password" | passwd --stdin myuser3

Note the key points: myuser1 and myuser2 need a secondary group, and that group does not exist yet, so it has to be created by hand first. myuser3 is an account that "must not log in", so it gets /sbin/nologin as its shell, which prevents login. Clear so far? Next comes a bigger case: how about a project team?

Task 2: my users pro1, pro2 and pro3 are developers on the same project, and I want the three of them to work in one shared directory while each still has an own home directory and basic private settings. Given that the project is to be developed under /srv/projecta, how can this be done?

# 1. Before creating the three accounts, create a group named projecta, then add the
#    three users to it as a secondary group:
[root@www ~]# groupadd projecta
[root@www ~]# useradd -G projecta -c "projecta user" pro1
[root@www ~]# useradd -G projecta -c "projecta user" pro2
[root@www ~]# useradd -G projecta -c "projecta user" pro3
[root@www ~]# echo "password" | passwd --stdin pro1
[root@www ~]# echo "password" | passwd --stdin pro2
[root@www ~]# echo "password" | passwd --stdin pro3

# 2. Then create the project development directory:
[root@www ~]# mkdir /srv/projecta
[root@www ~]# chgrp projecta /srv/projecta
[root@www ~]# chmod 2770 /srv/projecta
[root@www ~]# ll -d /srv/projecta
drwxrws--- 2 root projecta 4096 Feb 27 11:29 /srv/projecta

Since this project is used only by pro1, pro2 and pro3, the permissions on /srv/projecta must be set correctly: the directory's group must be projecta and its mode 2770. Remember SGID from chapter 7? For the three users to be able to modify each other's files, SGID is required. If you understand this, your account management is already at a certain level.
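As an added check (my own shell function, not code from the original page), here is an audit that verifies a shared project directory has the three properties the task relies on: the setgid bit (so new files inherit the directory's group), full group access, and no access for others. It runs on a temporary directory so no root or real project group is needed.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a shared project directory
# such as /srv/projecta for the 2770 layout used in the text.

# project_dir_ok DIR -> exit status 0 when DIR has setgid set, group rwx and others ---
project_dir_ok() {
    [ -d "$1" ] || return 1
    mode=$(stat -c %a "$1")                       # e.g. 2770 (GNU stat)
    perm=$(printf '%s' "$mode" | tail -c 3)       # the ugo digits, e.g. 770
    special=${mode%"$perm"}                       # leading digit: setuid/setgid/sticky
    [ -z "$special" ] && special=0
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # setgid is the "2" bit of the special digit; group must be 7; others must be 0
    [ $(( special & 2 )) -ne 0 ] && [ "$group" = 7 ] && [ "$other" = 0 ]
}

# demo_project_dir MODE -> creates a temporary directory with MODE, audits it,
# removes it again and prints "ok" or "bad"
demo_project_dir() {
    d=$(mktemp -d)
    chmod "$1" "$d"
    if project_dir_ok "$d"; then r=ok; else r=bad; fi
    rmdir "$d"
    echo "$r"
}

echo "2770: $(demo_project_dir 2770)"   # the layout from the text
echo "775:  $(demo_project_dir 775)"    # no setgid and readable by others
```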

Now a tricky problem arises. Suppose myuser1 from task 1 is the customer of projecta: this user needs to see the project's content but must not be able to modify it. What should be done? Perhaps like this:

Hmm! Can't traditional Linux permissions give a particular person a specific permission of their own? Actually they can! Next we'll talk about that feature.


Host-wide fine-grained permission planning: using ACL

qĤ}lAڭ̴N@j Linux vOD`nI ODzΪvȦTب (owner, group, others) ftTv (r,w,x) ӤwAèSkªwY@ӨϥΪ̩άY@Ӹsըӳ]wSwvݨDAҦpe@p`̫᪺ӥȡI ɴNonϥ ACL oӾաIoN쪺AUڭ̴Nӽͤ@͡G


What is ACL

ACL O Access Control List YgADnتObѶDzΪ owner,group,others read,write,execute v~ӳv]wCACL iHw@ϥΪ̡A@ɮשΥؿӶi r,w,x vWdAݭnSvϥΪpD`UC

ACL DniHwǤ譱ӱvOHLDniHwXӶءG

nFAAӬݬݦpAɮרtΥiH䴩 ACL aI


How to enable ACL

ѩ ACL ODzΪ Unix-like @~tvB~䴩ءA]nϥ ACL nɮרtΪ䴩~Cثejɮרtγ䴩 ACL \A]A ReiserFS, EXT2/EXT3, JFS, XFS Cbڭ̪ CentOS 5.x Aw]ϥ Ext3 OҰ ACL 䴩IܩݧAɮרtάO_䴩 ACL iHoˬݡG

[root@www ~]# mount  <== look at the parameters in the output
/dev/hda2 on / type ext3 (rw)
/dev/hda3 on /home type ext3 (rw)
# the other special devices are omitted, since only these two matter; no acl is shown

[root@www ~]# dumpe2fs -h /dev/hda2  <== query the superblock content
....(omitted)....
Default mount options:    user_xattr acl
....(omitted)....

mount ¥hd\oiHݨڪءAѩثes distributions ``|Dʥ[JYǹw]\A pWҥܡA CentOS 5.x bw]pU (Default mount options:) NA[J acl 䴩FI pGAtιw]|A[W acl 䴩OHAiHo˰G

[root@www ~]# mount -o remount,acl /
[root@www ~]# mount
/dev/hda2 on / type ext3 (rw,acl)
# now it is enabled. To make it take effect at every boot, do this:

[root@www ~]# vi /etc/fstab
LABEL=/1   /   ext3    defaults,acl    1 1

pGATwΪ̬O|ϥ dumpe2fs [AɮרtΡAijNWz /etc/fstab ̭eק@UYiI


ACL setting tools: getfacl, setfacl

nFAA filesystem Ұ ACL 䴩AUӸӦp]wP[ ACL OH ²AQγoӫONiHFG

ڭ̨@@@ setfacl pϥΧaI


[root@www ~]# setfacl [-bkRd] [{-m|-x} acl-parameters] filename
Options and parameters:
-m : set acl parameters for the file; cannot be combined with -x;
-x : delete acl parameters; cannot be combined with -m;
-b : remove all ACL settings;
-k : remove the default ACL settings; what "default" means is explained below;
-R : set the acl recursively, i.e. everything under the directory is set too;
-d : set the "default acl" parameters; only meaningful for directories: new files created in that directory inherit this default value

Those are the setfacl options; now, how do we set a specific permission? There are many ways, so let's only talk about the most common ones. First, setting the permission for a specific user:

# 1. Setting the permission for a specific user:
# Syntax: "u:[user account]:[rwx]", e.g. give vbird1 the permission rx:
[root@www ~]# touch acl_test1
[root@www ~]# ll acl_test1
-rw-r--r-- 1 root root 0 Feb 27 13:28 acl_test1
[root@www ~]# setfacl -m u:vbird1:rx acl_test1
[root@www ~]# ll acl_test1
-rw-r-xr--+ 1 root root 0 Feb 27 13:28 acl_test1
# The mode now ends with a + and looks quite different from the original 644! How do we view it?

[root@www ~]# setfacl -m u::rwx acl_test1
[root@www ~]# ll acl_test1
-rwxr-xr--+ 1 root root 0 Feb 27 13:28 acl_test1
# An empty user field means the file owner, so root's own permission above became rwx!

The steps above are the simplest ACL setting: "u:user:permission" with -m sets the permission for that user. Note that -m must be given. Once a file has ACL parameters, its mode ends with a + in ll output, and the permissions you see there no longer tell the whole story. To see the real permissions, use getfacl.


[root@www ~]# getfacl filename
Options and parameters:
The options of getfacl are almost the same as those of setfacl, so they are not repeated here.

# List the permissions we set on acl_test1:
[root@www ~]# getfacl acl_test1
# file: acl_test1   <==just the file name!
# owner: root       <==the file owner, the third column in ll output
# group: root       <==the file's group, the fourth column in ll output
user::rwx           <==an empty user field means the file owner's permission
user:vbird1:r-x     <==the rx set for vbird1; it differs from the owner's!
group::r--          <==the file's group permission, only r
mask::r-x           <==the file's permission limit (mask)
other::r--          <==the permission of everyone else!

The output is easy to read. Lines starting with # are the file's basic attributes: name, owner and group. The following user, group, mask and other lines are the permissions set for the different users, groups and the limit (mask). Looking at the two user lines you can see that vbird1 has r and x on this file. Is that clear? If so, let's try setfacl on a group next.

# 2. Setting the permission for a specific group:
# Syntax: "g:[group name]:[rwx]", e.g. give mygroup1 the permission rx:
[root@www ~]# setfacl -m g:mygroup1:rx acl_test1
[root@www ~]# getfacl acl_test1
# file: acl_test1
# owner: root
# group: root
user::rwx
user:vbird1:r-x
group::r--
group:mygroup1:r-x  <==here is the new one! a permission for this group
mask::r-x
other::r--

Group and user settings work basically the same way, as shown above, and are easy to read. But you may be wondering what mask is for. Simply put, mask is the "permission limit": the permissions set for a user or group only take effect to the extent that they fall within the mask. What remains after applying the mask is the "effective permission". An example shows this best:

# 3. Setting the effective-permission limit mask:
# Syntax: "m:[rwx]", e.g. limit this file to r only:
[root@www ~]# setfacl -m m:r acl_test1
[root@www ~]# getfacl acl_test1
# file: acl_test1
# owner: root
# group: root
user::rwx
user:vbird1:r-x        #effective:r-- <==vbird1 AND mask leaves only r!
group::r--
group:mygroup1:r-x     #effective:r--
mask::r--
other::r--

Look: only the r shared by vbird1's entry and the mask survives, so vbird1 actually has only r on the file and no x at all. That is what the mask does: it limits the maximum permission the ACL entries can grant, so that a careless entry cannot open too much to some user or group. Usually you leave the mask at rwx and rely on the individual user and group entries to define the real permissions.
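To make the mask rule concrete, here is an added example (not code from the original page): a small shell script that takes getfacl output and computes the effective permission of every entry that is subject to the mask, the way the kernel does. It embeds the acl_test1 state from the page above as a constructed sample; the rule it implements is the POSIX ACL one, where the mask caps named users, the owning group and named groups, but never the owner (user::) or other:: entries.

```shell
#!/bin/sh
# Added example (not from the original page): compute the effective
# permission of each ACL entry the way the POSIX ACL mask applies to it.
# The mask caps named users, the owning group and named groups; the
# owner (user::) and other:: entries are never masked.

# perm_and "r-x" "r--"  ->  "r--"  (bitwise AND of two rwx triplets)
perm_and() {
    a=$1; b=$2; out=""
    for p in r w x; do
        case $a in
            *"$p"*) case $b in *"$p"*) out="$out$p"; continue ;; esac ;;
        esac
        out="$out-"
    done
    printf '%s' "$out"
}

# effective_perms: reads getfacl output on stdin and prints
# "ENTRY EFFECTIVE" for every entry that the mask applies to.
effective_perms() {
    input=$(sed 's/[[:space:]].*//')    # drop "#effective:..." annotations
    mask=$(printf '%s\n' "$input" | sed -n 's/^mask::\(.*\)$/\1/p')
    if [ -z "$mask" ]; then mask=rwx; fi    # no mask entry: nothing is restricted
    printf '%s\n' "$input" | while IFS= read -r line; do
        case $line in
            ''|'#'*|user::*|other::*|mask::*) ;;   # not subject to the mask
            *) printf '%s %s\n' "$line" "$(perm_and "${line##*:}" "$mask")" ;;
        esac
    done
}

# Constructed sample: acl_test1 after "setfacl -m m:r acl_test1", as on the page.
SAMPLE_ACL='# file: acl_test1
# owner: root
# group: root
user::rwx
user:vbird1:r-x
group::r--
group:mygroup1:r-x
mask::r--
other::r--'

# eff_of ENTRY: the effective permission of one entry in SAMPLE_ACL
eff_of() {
    printf '%s\n' "$SAMPLE_ACL" | effective_perms | while read -r entry eff; do
        if [ "$entry" = "$1" ]; then printf '%s\n' "$eff"; fi
    done
}

# Usage on a real file: getfacl acl_test1 | effective_perms
```

Run `getfacl somefile | effective_perms` on a real file with a restrictive mask and compare with the `#effective:` annotations getfacl prints; the two agree, which is the point of the exercise.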

Exercise:
Regarding the /srv/projecta directory from the previous section: let myuser1 enter and view the directory, but do not give myuser1 any permission to modify it.
Answer:
Since myuser1 is an independent user and group, and /srv belongs to the / filesystem, which already has acl support, the settings below are enough:
# 1. First test whether myuser1 can enter the directory at all:
[myuser1@www ~]$ cd /srv/projecta
-bash: cd: /srv/projecta: Permission denied  <==indeed he cannot enter!

# 2. As root, set the permission on the directory:
[root@www ~]# setfacl -m u:myuser1:rx /srv/projecta
[root@www ~]# getfacl /srv/projecta
# file: srv/projecta
# owner: root
# group: projecta
user::rwx
user:myuser1:r-x  <==always check that the setting really took!
group::rwx
mask::rwx
other::---

# 3. Test the result as myuser1 again:
[myuser1@www ~]$ cd /srv/projecta
[myuser1@www projecta]$ ll -a
drwxrws---+ 2 root projecta 4096 Feb 27 11:29 .  <==he can list the file names
drwxr-xr-x  4 root root     4096 Feb 27 11:29 ..

[myuser1@www projecta]$ touch testing
touch: cannot touch `testing': Permission denied <==but he really cannot write!
Note that steps 1 and 3 above are done as myuser1, while step 2 is done as root.

With that we have met the requirement of the previous exercise. Easy, isn't it? Now let's test one more thing: if root or pro1 creates a file or directory under /srv/projecta, does the new object get the ACL settings too? In other words, are the ACL permissions "inherited" from the directory? Try it:

[root@www ~]# cd /srv/projecta
[root@www ~]# touch abc1
[root@www ~]# mkdir abc2
[root@www ~]# ll -d abc*
-rw-r--r-- 1 root projecta    0 Feb 27 14:37 abc1
drwxr-sr-x 2 root projecta 4096 Feb 27 14:37 abc2

As you can clearly see, the permissions have no trailing +, so the acl attributes were not inherited. If you want the acl to be inherited by everything created under the directory, do this:

# 4. Setting the default permission:
# Syntax: "d:[u|g]:user-or-group:[rwx]"

# let myuser1 have the default permission rx on everything under /srv/projecta:
[root@www ~]# setfacl -m d:u:myuser1:rx /srv/projecta
[root@www ~]# getfacl /srv/projecta
# file: srv/projecta
# owner: root
# group: projecta
user::rwx
user:myuser1:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:myuser1:r-x
default:group::rwx
default:mask::rwx
default:other::---

[root@www ~]# cd /srv/projecta
[root@www projecta]# touch zzz1
[root@www projecta]# mkdir zzz2
[root@www projecta]# ll -d zzz*
-rw-rw----+ 1 root projecta    0 Feb 27 14:57 zzz1
drwxrws---+ 2 root projecta 4096 Feb 27 14:57 zzz2
# See? Now it really is inherited! Of course we still confirm with getfacl:

[root@www projecta]# getfacl zzz2
# file: zzz2
# owner: root
# group: projecta
user::rwx
user:myuser1:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:myuser1:r-x
default:group::rwx
default:mask::rwx
default:other::---

Through this "set a default ACL permission for a directory" feature, the ACL attributes are passed down to the sub-directories created in it. Very convenient! And if you want to get rid of a file's ACL attributes altogether, "setfacl -b filename" does it. Simple, so no more examples here; try it yourself.


Switching identity

Why would you switch identity on a Linux system? There are several reasons, the most important being that a mistyped command run as root can damage the whole system, while the same mistake as an ordinary user only affects that user's own files.

Because of that, we normally log in with an ordinary account and switch to root only when the system needs maintenance or a software update. How does an ordinary user become root? There are two main ways: su and sudo.

Let's look at how su and sudo are used.


su

su is the simplest command for switching identity. It can switch to any identity. Its syntax:

[root@www ~]# su [-lm] [-c command] [username]
Options and parameters:
-   : a single "-", as in "su -", means log in with the login-shell environment, i.e. the variable files are read;
      if no username is given, root is assumed.
-l  : same as -, but a user account follows it; this is also the login-shell mode.
-m  : -m and -p are the same: "keep the current environment and do not read the new user's setting files"
-c  : run a single command only; the command follows -c.

The login-shell reading mode mentioned above was explained in chapter 11; if you have forgotten it, go back to chapter 11 and re-read it. The usage of su differs a lot depending on whether you add the "-", because a login-shell and a non-login shell read different variable files. Let's look at a few small examples.

Example 1: suppose you are vbird1 and want to become root in non-login shell mode
[vbird1@www ~]$ su       <==note the prompt, this is vbird1!
Password:                <==enter root's password here!
[root@www vbird1]# id    <==the prompt shows the directory is still vbird1's!
uid=0(root) gid=0(root) groups=0(root),1(bin),...   <==the identity really is root!
[root@www vbird1]# env | grep 'vbird1'
USER=vbird1
PATH=/usr/local/bin:/bin:/usr/bin:/home/vbird1/bin  <==this one has the biggest impact!
MAIL=/var/spool/mail/vbird1                         <==the mailbox read is still vbird1's
PWD=/home/vbird1                                    <==not root's home directory
LOGNAME=vbird1
# Although the UID is now root's, do you notice the output above?
# Many variables are still the original vbird1's, so many things cannot be used easily.
[root@www vbird1]# exit   <==this leaves the su environment!

Plain "su" becomes root in the non-login shell mode, where the environment variables are not reloaded, so many variables still belong to the original user. In particular PATH, which we discussed a lot before: since it has not changed to root's (the /sbin and /usr/sbin directories are not included), many of root's commands can only be run with their full path. And because of the MAIL variable, when you type mail you read vbird1's mail rather than root's. Doesn't that feel strange? So when switching identity, please use the following example instead:

Example 2: use the login shell mode to become root and load its variables
[vbird1@www ~]$ su -
Password:   <==enter root's password here!
[root@www ~]# env | grep root
USER=root
MAIL=/var/spool/mail/root
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
PWD=/root
HOME=/root
LOGNAME=root
# See the difference? So when switching to root, it is best to use su -
[root@www ~]# exit   <==this leaves the su environment!

The two methods above switch the user to root and then keep working as root; to leave root you type exit. But what if you only want to run one root-only command and then return to your own identity? Add the -c option, as in example 3.

Example 3: vbird1 wants to run "head -n 3 /etc/shadow" once, and knows root's password
[vbird1@www ~]$ head -n 3 /etc/shadow
head: cannot open `/etc/shadow' for reading: Permission denied
[vbird1@www ~]$ su - -c "head -n 3 /etc/shadow"
Password: <==enter root's password here!
root:$1$/30QpEWEBEZXRD0bh6rAABCEQD.BAH0:14126:0:99999:7:::
bin:*:14126:0:99999:7:::
daemon:*:14126:0:99999:7:::
[vbird1@www ~]$ <==note the prompt: still vbird1! you are back to the original identity

Because the permissions on /etc/shadow are strict, only root can read the file. To read it we have to work as root; if only one command is needed, the syntax above is the way to do it. Now, if I am root or somebody else and want to switch to some specific account, I can do it like this:

Example 4: originally vbird1, I want to switch to the user dmtsai
[vbird1@www ~]$ su -l dmtsai
Password: <==enter dmtsai's password here!
[dmtsai@www ~]$ su -
Password: <==enter root's password here!
[root@www ~]# id sshd
uid=74(sshd) gid=74(sshd) groups=74(sshd) ... <==the account really exists
[root@www ~]# su -l sshd
This account is currently not available.      <==yet it cannot be switched to?
[root@www ~]# finger sshd
Login: sshd                             Name: Privilege-separated SSH
Directory: /var/empty/sshd              Shell: /sbin/nologin
[root@www ~]# exit    <==leave the second su environment
[dmtsai@www ~]$ exit  <==leave the first su environment
[vbird1@www ~]$ exit  <==this is the original environment!

su is simple; what you need to remember about its usage is: "su" alone becomes root with a non-login shell, "su -" becomes root with root's login environment, "su -l user" or "su - user" becomes another user, and "su - -c command" runs a single command as root and returns. Note also that an account whose shell is /sbin/nologin cannot be switched to even by root.

Using su is convenient, but the problem is obvious: if many people must use su to become root, they all have to know root's password, and a password known to many people leaks easily. What to do? Use sudo.


sudo

Unlike su, which requires the password of the new user (usually root's password), sudo only requires your own password. It can even be set up to run without any password. Since sudo runs commands as another user (usually root), not everybody is allowed to use it: only the users listed in /etc/sudoers may run sudo. How does this work? Let's look at how sudo is used.


By default only root can run sudo on a freshly installed system, so the examples below are run as root first; after we have talked about visudo we will test sudo as an ordinary user. The syntax of sudo:

[root@www ~]# sudo [-b] [-u new-user-account]
Options and parameters:
-b  : run the command in the background, so it does not affect the current shell
-u  : the user to run as; if omitted, root is assumed.

Example 1: as sshd, create a file named mysshd under /tmp
[root@www ~]# sudo -u sshd touch /tmp/mysshd
[root@www ~]# ll /tmp/mysshd
-rw-r--r-- 1 sshd sshd 0 Feb 28 17:42 /tmp/mysshd
# Note that the file's owner is sshd, so it was created as sshd!

Example 2: as vbird1, create ~vbird1/www and then create an index.html file inside it
[root@www ~]# sudo -u vbird1 sh -c "mkdir ~vbird1/www; cd ~vbird1/www; \
>  echo 'This is index.html file' > index.html"
[root@www ~]# ll -a ~vbird1/www
drwxr-xr-x 2 vbird1 vbird1 4096 Feb 28 17:51 .
drwx------ 5 vbird1 vbird1 4096 Feb 28 17:51 ..
-rw-r--r-- 1 vbird1 vbird1   24 Feb 28 17:51 index.html
# Note the owner is vbird1, and that we ran the commands through sh -c "a series of commands"!

sudo lets you run a task as another identity, as the two examples show. In example 1, root runs the task with sshd's permission. Note that we cannot use "su - sshd" to switch to that system account (its shell is /sbin/nologin), so sudo is the only way to do it: a file is created in /tmp as sshd, and looking at its permissions shows exactly that. Example 2 shows several commands chained with ; and run as one string through sh -c, which is handy for a whole sequence.

But why can only root use sudo by default? Because sudo works like this:

  1. When a user runs sudo, the system searches /etc/sudoers to see whether that user may run sudo;
  2. If the user may, the user is asked to enter his own password to confirm;
  3. If the password is correct, the command following sudo is run (when root runs sudo no password is needed);
  4. If the target identity is the same as the user's own, no password is needed either.

So the key to running sudo is: "whether you may run sudo depends on /etc/sudoers, and those who may run it confirm with their own password". Since /etc/sudoers decides who may use sudo, that is the file we must edit. Its contents follow a fixed syntax, however, so editing it directly with vi is a bad idea; it is better edited through visudo.


From the above, any account other than root that wants to use sudo to run root's commands must first be added to /etc/sudoers by root with visudo. Why visudo? Because /etc/sudoers has a syntax, and a mistake in it makes sudo unusable. visudo opens the file for editing and checks the syntax when you save, so a broken file is never installed.

Generally, visudo settings come in a few simple forms; let's go through them with a few simple examples:

  1. Letting an ordinary user run all of root's commands, and the syntax of the sudoers file:

    For example, to let the account vbird1 run all of root's commands, just edit like this:
    [root@www ~]# visudo
    ....(lines above omitted)....
    root    ALL=(ALL)       ALL  <==this line, around line 76
    vbird1  ALL=(ALL)       ALL  <==this is the line you add!
    ....(lines below omitted)....
    
    As you see, visudo simply uses vi to open /etc/sudoers for editing, so this file is /etc/sudoers itself. The settings are simple; around line 76 (root's setting) you see:
    user account  hosts logged in from=(identity that may be assumed)  commands that may be run
    root                         ALL=(ALL)           ALL   <==this is the default
    
    The four parts of that line mean:

    1. the account that may use sudo; by default the root account;
    2. the hosts this account may come from, i.e. the host on which the account logs in and from which it may run sudo; this can be set to a client's hostname or IP, so a user is restricted to certain machines. By default root may come from any host;
    3. the identity the account may switch to in order to run the following commands; by default root may switch to anybody;
    4. the commands that may be run as that identity; write them with absolute paths. By default root may run any command as any identity.

    ALL is a special keyword meaning any identity, host or command. So to let vbird1 run any command as any identity, copy the default line and change root to vbird1. The new line means "vbird1, logging in from any host, may switch to any identity and run any command on the system". Save, leave vi, log in as vbird1 and test:
    [vbird1@www ~]$ tail -n 1 /etc/shadow  <==note: this is vbird1
    tail: cannot open `/etc/shadow' for reading: Permission denied
    # not root, so of course /etc/shadow cannot be read
    
    [vbird1@www ~]$ sudo tail -n 1 /etc/shadow <==through sudo
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.  <==these are just explanations and warnings
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    Password: <==note: what you enter here is "vbird1's own password"
    pro3:$1$GfinyJgZ$9J8IdrBXXMwZIauANg7tW0:14302:0:99999:7::: 
    # See? vbird1 really can read shadow!
    
    Did you notice? vbird1 entered his own password and ran a root command! So before you set this up, the system administrator must be confident about vbird1's conduct; otherwise anybody could be given a way to mess with the system. Also, if there are several administrators, setting them up one by one is tedious. Can't we use a group instead? See the next form.

  2. Using a group, and the password-free form of visudo

    Earlier we created pro1, pro2 and pro3. Can these three manage the system through a group? Yes, and simply! Continuing our running example:
    [root@www ~]# visudo  <==again, do this as root
    ....(lines above omitted)....
    %wheel     ALL=(ALL)    ALL <==around line 84, remove the # in front of this line!
    # the leading % means that what follows is a "group". Save and leave.
    
    [root@www ~]# usermod -a -G wheel pro1 <==add pro1 to the wheel group
    
    That setting means "every user who joins the wheel group may use sudo to run commands as any identity". You can of course replace wheel with a group of your choice. Now test sudo as pro1 and pro2:
    [pro1@www ~]$ sudo tail -n 1 /etc/shadow <==note: this is pro1
    ....(lines above omitted)....
    Password:  <==enter pro1's password!
    pro3:$1$GfinyJgZ$9J8IdrBXXMwZIauANg7tW0:14302:0:99999:7:::
    
    [pro2@www ~]$ sudo tail -n 1 /etc/shadow <==note: this is pro2
    Password:
    pro2 is not in the sudoers file.  This incident will be reported.
    # The error message says that pro2 is not in the /etc/sudoers settings!
    
    Now you understand groups? If you want pro3 to have sudo too, there is no need to run visudo again: just use usermod to put pro3 in the wheel group and he can use sudo. Simple! Now that everybody uses sudo, what about "using sudo without entering a password"? Like this:
    [root@www ~]# visudo  <==again, do this as root
    ....(lines above omitted)....
    %wheel     ALL=(ALL)   NOPASSWD: ALL <==around line 87, remove the # in front!
    # the leading % means that what follows is a "group". Save and leave.
    
    That is it: NOPASSWD: means no password is asked for. Keep in mind that this also removes the last check between a stolen shell session of such a user and a root shell, so use it only where it is really needed.

  3. Restricting the commands:

    Both forms above let a user do anything root can, which is not ideal. What if you only want a user to run part of the system's tasks? Say, the user myuser1 should only be able to change other users' passwords as root, i.e. "the user may only use the passwd command, as root, to change other users' passwords". How do you write that? Like this:
    [root@www ~]# visudo  <==note, this is root
    myuser1	ALL=(root)  /usr/bin/passwd  <==the last field must be an absolute path
    
    That setting says "myuser1 may run passwd as root". Note that the command must be written with its absolute path; otherwise visudo reports a syntax error. But this setting has a big problem; test it and see:
    [myuser1@www ~]$ sudo passwd myuser3  <==note, this is myuser1
    Password:  <==enter myuser1's password
    Changing password for user myuser3. <==changing myuser3's password, which is fine
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    
    [myuser1@www ~]$ sudo passwd
    Changing password for user root.  <==wait! root's password can be changed too?
    
    Terrible! root's password could be changed by myuser3's administrator myuser1, and next time root could not even log in... So we must also restrict the command's arguments. The corrected form:
    [root@www ~]# visudo  <==note, this is root
    myuser1	ALL=(root)  !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, \
                        !/usr/bin/passwd root
    
    Because the line is too long to show on one screen line, I used \ at the end of the first line to continue it. A leading ! means "not allowed". So the line above means: "passwd followed by any argument starting with a letter" is allowed, but "passwd" alone and "passwd root" are excluded. Now myuser1 cannot change root's password! This way a user can run a root command to change other users' passwords without being able to change root's. Very useful. One caveat: sudo matches arguments with shell-style wildcards, so whenever you write such a pattern, test it against the arguments you want to forbid rather than trusting that it reads tightly.
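The two traps just discussed (NOPASSWD: ALL on a group, and a passwd rule that forgets to exclude root) are the kind of thing worth checking mechanically before a sudoers file goes live. Below is an added example, not from the original page: a small shell audit that reads sudoers-style rules and reports those two patterns. The rule set it checks is a constructed sample built from the lines shown above, not a real /etc/sudoers, and the checks are deliberately simple string matches, not a full sudoers parser.

```shell
#!/bin/sh
# Added example (not from the original page): a quick audit of sudoers-style
# rules for the two traps discussed above. SAMPLE_SUDOERS is a constructed
# sample, not a real /etc/sudoers.

SAMPLE_SUDOERS='root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
myuser1 ALL=(root)      /usr/bin/passwd
myuser2 ALL=(root)      !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'

# audit_rule LINE: prints a finding for a risky rule, nothing for a safe one.
audit_rule() {
    rule=$1
    who=${rule%%[[:space:]]*}           # first field: the user or %group
    case $rule in
        *'NOPASSWD:'*ALL*)
            echo "$who: runs any command as root without any password" ;;
    esac
    case $rule in
        *'/usr/bin/passwd'*)
            case $rule in
                *'!/usr/bin/passwd root'*) ;;   # root explicitly excluded: fine
                *) echo "$who: may run passwd without a target, i.e. change root's password" ;;
            esac ;;
    esac
}

# audit_sudoers: run audit_rule on every non-comment line read from stdin.
# Prints the findings; the return value is the number of findings (0 = clean).
audit_sudoers() {
    count=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        finding=$(audit_rule "$line")
        if [ -n "$finding" ]; then
            echo "$finding"
            count=$((count + 1))
        fi
    done
    return $count
}

# Usage: printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
# On a real system (as root): audit_sudoers < /etc/sudoers
```

On the sample, the %wheel and myuser1 lines are reported and the root and myuser2 lines are not; wired into a deployment script, a non-zero return from `audit_sudoers` is a reasonable reason to refuse to install the file.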

  4. Setting up visudo with aliases:

    Take the third form: if I have 15 users who should join the password administrators, must I write that setting 15 times? And if the command list changes, must I edit every line? Isn't there something simpler? There is: aliases. visudo aliases can be "command aliases, account aliases and host aliases". Here we only show account and command aliases; the host alias works the same way, so try it yourself.

    Say pro1, pro2, pro3, myuser1 and myuser2 should all join the password-administration sudo list above. I can create an account alias named ADMPW and a command alias named ADMPWCOM, and then handle both names at once. Like this:
    [root@www ~]# visudo  <==note, this is root
    User_Alias ADMPW = pro1, pro2, pro3, myuser1, myuser2
    Cmnd_Alias ADMPWCOM = !/usr/bin/passwd, /usr/bin/passwd [A-Za-z]*, \
                          !/usr/bin/passwd root
    ADMPW   ALL=(root)  ADMPWCOM
    
    With User_Alias I created an account alias; its name must be in capital letters, and the same goes for Cmnd_Alias (command alias) and Host_Alias (host alias). ADMPW stands for the accounts listed after it, and the commands they may run are those defined in ADMPWCOM. The last line simply puts the account alias and the command alias together. Later, when the membership or the commands change, I only have to edit the User_Alias or Cmnd_Alias line. That is much more convenient and easier to maintain.

  5. The sudo time limit:

    You may already have noticed: when the same account runs sudo several times within a short period, the second sudo does not ask for the password again. Is sudo still working correctly? Yes. The password asked at the first sudo confirms that the user is the person who logged in, in case someone else walks up to your console and types commands as you; so sudo asks for the password once more to be sure it is you.

    If the two sudo runs are close together, the second one does not ask for the password, because the system trusts that you are still the same person in front of the keyboard. Human-friendly design. ^_^ But if the two sudo runs are more than 5 minutes apart, the password is asked once again (footnote 4).

    Also note that, because you work with an ordinary account, the commands in /sbin and /usr/sbin are normally not used, so $PATH does not include those directories. Many administration commands therefore have to be given with their full path when run through sudo.

  6. Combining sudo with su:

    Often we need to do a lot of root work, and typing sudo in front of everything becomes annoying. Is there a way to combine sudo with su, so that one command becomes root, and with the user's own password rather than root's? Yes, and the simplest way is to create an ADMINS account alias and then do this:
    [root@www ~]# visudo
    User_Alias  ADMINS = pro1, pro2, pro3, myuser1
    ADMINS ALL=(root)  /bin/su -
    
    From now on the four users pro1, pro2, pro3 and myuser1 only have to type "sudo su -" and enter "their own password" to become root immediately. root's password is not leaked, and managing the administrators is easy. This is also a trick commonly used in companies where several people manage one host. It is convenient, but remember that the users you add to the alias are people you must trust completely, because for them the root password no longer matters.

Special shells for users, and the PAM modules

What we have discussed so far concerns ordinary users and the system administrator (root), and mostly accounts that can log in to the system. Now think about it from another angle: suppose I want to create an account that "can only receive mail from the mail server", and that account should not log in to the Linux host. What then? If I give the account a password, it cannot use the system's other resources, and that includes the mail resource; but if I do give it a password, it can also log in to the Linux host. Troublesome. So next we talk about these questions.

Also, in the /etc/login.defs file we looked at before, the minimum password length defaults to 5 characters, but we said that this setting has been replaced by the PAM modules. What is PAM? How does it influence our users' logins? That is discussed here too.


The special shell: /sbin/nologin

At the start, when discussing the structure of the passwd file, we said that system accounts normally use /sbin/nologin as their shell, because system accounts never need to log in, and we called it the shell that cannot log in. When a user with this shell tries to log in, even with a valid password, the login is refused with this message:

This account is currently not available.

What we call "cannot log in" only means "this user cannot use bash or another shell to log in to the system"; it does not mean the account cannot use the system's other resources. For example, the system account lp manages printing and the account apache manages the WWW service; they run system processes all the time, they just cannot log in to the host. ^_^

Now think about it: if my Linux host provides the mail service, then the accounts on it are mostly used only to receive mail and never need to log in to the host. At that point we can give the mail accounts /sbin/nologin as their shell, so that when somebody tries to use such an account to get a shell on my host, the attempt is refused.

Also, if I want to tell the users with /sbin/nologin why they cannot log in to the host, I can create the file "/etc/nologin.txt" and write the reason into it; when such a user tries to log in, the text shown is the content of /etc/nologin.txt instead of the default message.

Exercise:
When a user tries to use a pure mail account (for example myuser3), use /etc/nologin.txt to tell the user not to use that account to log in to the system.
Answer:
Create the file with vi; its content can be like this:
[root@www ~]# vi /etc/nologin.txt
This account is system account or mail account.
Please DO NOT use this account to login my Linux server.
To test it, switch to myuser3 (whose shell is /sbin/nologin) and see:
[root@www ~]# su - myuser3
This account is system account or mail account.
Please DO NOT use this account to login my Linux server.
[root@www ~]#
You will see that the message differs from the default one! ^_^


A brief introduction to the PAM modules

In the past, when a program wanted to authenticate a user, it asked for the account and password and then used its own code to decide whether they were correct. Since every program author had to write his own check, a single host could end up with many different authentication systems, and account and password data could get out of sync between them. To solve this problem, PAM (Pluggable Authentication Modules) was created.

PAM can be thought of as an API (Application Programming Interface) that offers a set of authentication mechanisms: a program passes the item to be checked to PAM, and PAM returns the result (success or failure). Because PAM is only a set of authentication mechanisms, any program that needs authentication can call it, so when you write a program you can let PAM do the checking, and whether the host uses a plain password or something else, the result is consistent. That frees the programmer from worrying about the authentication problem (footnote 5).

Figure 5.2.1: PAM modules and the programs that call them

As the figure shows, PAM is an independent API. When a program needs authentication, it sends a request to PAM; PAM runs it through a series of checks and returns the result to the program, which then uses that result to decide whether to let the user log in or refuse. In other words, when you write a program you can add PAM's functions to it and use the authentication PAM provides. Many current programs use PAM, and that is why we need to learn about it.

The things PAM uses to do the checks are called modules, and each PAM module has a different function. For example, remember that when you run passwd and type a dictionary word, passwd returns an error message? That is the job of the pam_cracklib.so module: it decides whether the password is in the dictionary and reports back to the passwd program, which is what makes your password stronger.

So whenever you need to decide whether a password is a dictionary word, you can let the pam_cracklib.so module do the check and write your program around the result. Does that explain what PAM is for? PAM modules are very important indeed.


The syntax of the PAM module configuration

PAM uses a configuration file with the same name as the program to run its series of authentication checks. Let's use the passwd command again to explain how a program calls PAM. When you run passwd, the sequence of calls to PAM is:

  1. The user starts the /usr/bin/passwd program and enters a password;
  2. passwd calls the PAM modules for the check;
  3. PAM looks in /etc/pam.d/ for a configuration file with the same name as the program (passwd);
  4. Following the settings in /etc/pam.d/passwd, the relevant PAM modules are called one after another to do the checks;
  5. The result (success, failure and other information) is returned to the passwd program;
  6. passwd decides its next action (write the new password, or abort) according to PAM's result.

So the important things are the configuration files in /etc/pam.d/ and the checks done by the PAM modules they call. Since we keep mentioning the passwd command, let's see what its configuration file /etc/pam.d/passwd looks like:

[root@www ~]# cat /etc/pam.d/passwd
#%PAM-1.0  <==just the PAM version!
auth       include      system-auth <==each line is one verification step
account    include      system-auth
password   include      system-auth
type       control-flag PAM module and the module's parameters

In this configuration file, apart from the first line declaring the PAM version, every other line starting with # is a comment, and every other line is an independent verification step. Each line has three fields: the type, the control flag, and the PAM module with its parameters. Let's talk about the type and the control flag.

You will have noticed the word include above. It means "call the file named after it to do this type of check", so every line above actually calls /etc/pam.d/system-auth to do the verification.

There are four types: auth, account, session and password.

The four types are normally written in that order, with exceptions. The order makes sense: (1) we first need to check the identity (auth); (2) only then can the system hand out the user's authorization and permission settings (account); (3) login and logout sessions have settings of their own, so we also need the session type; and (4) the password type is only used when the password is being changed during operation. Seen that way, the order is natural.


What is the "control flag"? Simply put, it is "the standard for passing the check", and there are four flags: required, requisite, sufficient and optional. required records a failure but continues to the next module; requisite fails immediately on failure; sufficient returns success immediately on success (if no earlier required module failed) and is ignored on failure; optional has no influence on the final result.

Combined with the figure below, the flags work like this:

Figure 5.3.1: the control flow produced by the PAM control flags

A program only calls PAM when it needs to authenticate; PAM has many checks, and each control flag returns different information. As the figure shows, requisite returns as soon as it fails and does not continue, while sufficient returns as soon as it succeeds and does not continue either. What is returned is usually just "success" or "failure"; what happens next is up to the program.
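The flag semantics are easier to trust once you have stepped through them. Here is an added example, not code from the original page: a toy PAM stack evaluator in shell that applies the standard meaning of the four control flags, plus a model of the auth section of the system-auth file shown further down on this page (pam_env required, pam_unix sufficient, pam_succeed_if requisite for uid >= 500, pam_deny required). Module outcomes are passed in as arguments, so the script runs without touching a real PAM configuration.

```shell
#!/bin/sh
# Added example (not from the original page): a toy evaluator for a PAM
# stack, implementing the standard meaning of the four control flags.
# Each argument is FLAG:RESULT, where RESULT is "ok" or "fail", the result
# the module would have returned. Prints "success" or "failure".
pam_eval() {
    failed=0
    for entry in "$@"; do
        flag=${entry%%:*}
        result=${entry#*:}
        case $flag:$result in
            required:fail)
                failed=1 ;;                       # remember, but keep running the stack
            requisite:fail)
                echo failure; return 1 ;;         # stop immediately
            sufficient:ok)
                if [ "$failed" -eq 0 ]; then echo success; return 0; fi ;;
            required:ok|requisite:ok|sufficient:fail|optional:ok|optional:fail)
                ;;                                # nothing to decide yet
            *)
                echo "bad entry: $entry" >&2; return 2 ;;
        esac
    done
    if [ "$failed" -eq 0 ]; then echo success; return 0; fi
    echo failure; return 1
}

# The auth section of the page's system-auth file, as a stack:
#   auth required   pam_env.so                    -> always ok
#   auth sufficient pam_unix.so                   -> ok iff the password is right
#   auth requisite  pam_succeed_if.so uid >= 500  -> ok iff the UID is >= 500
#   auth required   pam_deny.so                   -> always fail
# auth_stack PASSWORD_RESULT UID_RESULT
auth_stack() {
    pam_eval required:ok "sufficient:$1" "requisite:$2" required:fail
}

# Usage:
#   auth_stack ok ok     -> success (pam_unix succeeded, stack ends there)
#   auth_stack fail ok   -> failure (falls through to pam_deny)
#   auth_stack fail fail -> failure (requisite pam_succeed_if aborts the stack)
#   auth_stack ok fail   -> success (the UID check is never reached)
```

Two things the runs make visible: a required failure is not reported until the whole stack has run, so an attacker cannot tell from the timing which module rejected him; and the requisite uid >= 500 check only matters when the password was wrong, because sufficient pam_unix ends the stack first when it succeeds.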


A brief introduction to the common modules

Now that we know the syntax of the configuration files, let's look at the content of the default PAM files that CentOS 5.x provides. Since we often log in to the system in various ways, let's look at the PAM flow that login needs:

[root@www ~]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions...
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
# As you can see, login also calls system-auth, so let's list that file too

[root@www ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth     required     pam_env.so
auth     sufficient   pam_unix.so nullok try_first_pass
auth     requisite    pam_succeed_if.so uid >= 500 quiet
auth     required     pam_deny.so

account  required     pam_unix.so
account  sufficient   pam_succeed_if.so uid < 500 quiet
account  required     pam_permit.so

password requisite    pam_cracklib.so try_first_pass retry=3
password sufficient   pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required     pam_deny.so

session  optional     pam_keyinit.so revoke
session  required     pam_limits.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet \
                      use_uid
session  required     pam_unix.so

The table above uses a great many PAM modules, and each module's function is different. The detailed documentation of the modules can be found on your system under /usr/share/doc/pam-(version)/.

For example, on a CentOS 5.2 that has not been updated, the pam_nologin documentation is at /usr/share/doc/pam-0.99.6.2/txts/README.pam_nologin. You can look up the function of each module there yourself. Here only a few commonly used modules are introduced briefly; for the details you still have to read the reference documentation. ^_^

Having understood roughly what these modules do, let's go back and look at the login PAM verification flow as a whole:

  1. Verification stage (auth): (a) first pam_securetty.so decides: if the user is root, the settings in /etc/securetty are consulted; (b) pam_env.so sets additional environment variables; (c) pam_unix.so checks the password: if it passes, the result is returned to the login program; if not, (d) pam_succeed_if.so checks whether the UID is greater than 500, returning failure if it is smaller; otherwise (e) pam_deny.so refuses the connection.

  2. Authorization stage (account): (a) pam_nologin.so checks whether /etc/nologin exists; if it does, ordinary users are not allowed to log in; (b) pam_unix then manages the account; (c) pam_succeed_if.so checks whether the UID is smaller than 500, in which case no logging message is recorded; (d) finally pam_permit.so allows the account to log in.

  3. Password stage (password): (a) pam_cracklib.so sets the password strength check and allows 3 retries; (b) pam_unix.so writes the password with md5 and shadow; if it passes, the result is returned to the login program, otherwise (c) pam_deny.so refuses the login.

  4. Session stage (session): (a) pam_selinux.so temporarily closes SELinux; (b) pam_limits.so sets the system resources the user may use; (c) the login is successful and a record is written to the log files; (d) pam_loginuid.so sets the audit UID; (e) pam_selinux.so turns SELinux on again.

In short, you read it type by type: look at the login settings, and whenever you meet "include system-auth", go to system-auth and follow the lines of the same type there; that is the additional verification flow. The next type is then handled the same way until all checks have run. That is the PAM verification.

After going through this verification flow, you now know why the existence of /etc/nologin matters, and why root cannot log in from some connections with the terminal it uses. These are functions provided by the PAM modules.

Exercise:
Why can root not log in to the system with telnet, but can log in with ssh?
Answer:
Generally, telnet uses the login PAM module, and in login's verification stage the file /etc/securetty is consulted. Remote connections get pseudo-terminal device names of the form pts/n (n a number), which are not written in /etc/securetty, so root cannot log in from a remote host with telnet. ssh, on the other hand, uses /etc/pam.d/sshd; if you look at that file, its verification stage does not include pam_securetty, so /etc/securetty is not consulted and root can log in through a remote connection.

For the telnet and ssh services themselves, please refer to the server chapters.



Besides /etc/securetty from the previous section, which restricts the terminals root may log in from, and /etc/nologin, which decides whether ordinary users may log in, we also know that the PAM configuration files live in /etc/pam.d, the documentation in /usr/share/doc/pam-(version), and the modules themselves in /lib/security/. Are there any other PAM files? Yes, mainly in the /etc/security directory. Below we introduce a couple of the configuration files there that you are likely to use.


Besides changing a user's ~/.bashrc for the ulimit feature we discussed in chapter 11, the system administrator can also manage the limits through PAM, namely with the /etc/security/limits.conf file. Its settings are simple; look at the file's own comments for the details. Here we only give two simple demonstrations:

Example 1: the user vbird1 may only create files up to 100MB, with a warning above 90MB
[root@www ~]# vi /etc/security/limits.conf
vbird1	soft		fsize		 90000
vbird1	hard		fsize		100000
#account   type	 	item		value
# field 1 is the account, or a group; for a group put @ in front, e.g. @projecta
# field 2 is the type: a hard limit (hard), or a soft limit that only warns (soft);
# field 3 is the item limited, here the file size;
# field 4 is the value; for this item the unit is KB.
# When you log in as vbird1 and do the following, this happens:

[vbird1@www ~]$ ulimit -a
....(lines above omitted)....
file size               (blocks, -f) 90000
....(lines below omitted)....

[vbird1@www ~]$ dd if=/dev/zero of=test bs=1M count=110
File size limit exceeded
[vbird1@www ~]$ ll -k test
-rw-rw-r-- 1 vbird1 vbird1 90000 Mar  4 11:30 test
# the file really was limited!

Example 2: only one user of the group pro1 may be logged in to the system at a time (maxlogins)
[root@www ~]# vi /etc/security/limits.conf
@pro1   hard   maxlogins   1
# To use the group feature, the group has to be the user's initial group, otherwise it is not effective!
# If you try to log in as several pro1 users, the second and later ones cannot log in.
# And the /var/log/secure file shows this message:
# pam_limits(login:session): Too many logins (max 1) for pro1

This file is very useful, and its settings take effect as soon as they are saved, without restarting any service. That is one of PAM's features: the settings are read only when a program calls PAM, so after you change them, users who are already logged in are not affected; the new settings apply to users who log in afterwards. Also, test the settings above when nobody else is logged in, otherwise the users who log in later may run into problems. ^_^


When a login fails or some strange error occurs that you cannot quite pin down, remember that the PAM modules record their messages in /var/log/secure, so look in that file when there is a problem. For example, with the limits.conf example 2 above, once the login limit is reached you can read in /var/log/secure why the second pro1 cannot log in. ^_^


Passing messages between the users of a Linux host

After so much about accounts, it is time to talk about how to query the users on the system. For example, while you work on Linux, other users are logged in to the same host, and you want to talk to them; how? You want to know information about some account; how do you look it up? That is what this section is about.


Querying users: w, who, last, lastlog

How do you query a user's data? Easy: we already discussed the id and finger commands, which give you a lot of information about a user. To know when a user logged in, use last, which we also discussed in chapter 11 on bash; go back and check there.

On a Red Hat system, last only lists the logins of the current month, while on our CentOS 5.x it lists every login since the system was installed. This is because the log rotation settings differ; see the chapter on log files for the details.

If you want to know who is currently logged in to the system, use w or who, as in this example:

[root@www ~]# w
 13:13:56 up 13:00,  1 user,  load average: 0.08, 0.02, 0.01
USER   TTY    FROM            LOGIN@   IDLE   JCPU   PCPU WHAT
root   pts/1  192.168.1.100   11:04    0.00s  0.36s  0.00s -bash
vbird1 pts/2  192.168.1.100   13:15    0.00s  0.06s  0.02s w
# line 1 shows the current time, how long the system has been up, the number of users, and the system load;
# line 2 is just the heading of the columns below;
# from line 3 on, each line is one user. As shown, root logged in on terminal pts/1.

[root@www ~]# who
root     pts/1        2009-03-04 11:04 (192.168.1.100)
vbird1   pts/2        2009-03-04 13:15 (192.168.1.100)

If you want to know the most recent login time of every account, use lastlog. It reads /var/log/lastlog and prints its contents like this:

[root@www ~]# lastlog
Username    Port   From           Latest
root        pts/1  192.168.1.100  Wed Mar  4 11:04:22 +0800 2009
bin                                        **Never logged in**
....(omitted)....
vbird1      pts/2  192.168.1.100  Wed Mar  4 13:15:56 +0800 2009
....(rest omitted)....

Now you know the last login time of every account. ^_^


Talking to users: write, mesg, wall

Can I chat with the other users on the system? Of course, with the write command, which sends a message to another user. Say vbird1 and root are both logged in to our Linux host and root wants to talk to vbird1:

[root@www ~]# write user-account [terminal the user is on]

[root@www ~]# who
root     pts/1    2009-03-04 11:04 (192.168.1.100)
vbird1   pts/2    2009-03-04 13:15 (192.168.1.100)  <==vbird1 is online

[root@www ~]# write vbird1 pts/2
Hello, there:
Please don't do anything wrong...  <==this is the message root writes!
# press [ctrl]-d to finish the input. At that moment this appears on vbird1's screen:

Message from root@www.vbird.tsai on pts/1 at 13:23 ...
Hello, there:
Please don't do anything wrong...
EOF

Great, the message pops up on vbird1's screen immediately. But if vbird1 is in the middle of something, it is rather annoying, because the message interrupts whatever vbird1 was doing. So if vbird1 does not want to receive messages, he can do this:

[vbird1@www ~]$ mesg n
[vbird1@www ~]$ mesg
is n

But mesg has no effect on messages sent by root: a message from root is still received by vbird1. And if root also sets mesg to n, then vbird1 writing to root sees this:

[vbird1@www ~]$ write root
write: root has messages disabled

Got it? To open it again, type "mesg y"; to see the current mesg state, type "mesg" alone. Easy! Now, write only sends a short message to one user; can we send a short message to everybody on the system (a broadcast)? Yes, with wall, and its syntax is just as simple:

[root@www ~]# wall "I will shutdown my linux server..."

Then you will find that everybody receives that short message.


The user mailbox: mail

wall and write require the user to be online. Is there another way? Yes. Every user on a Linux host has a mailbox, so can we send mail to a user? Of course, and we can read our own mailbox too. Generally the mailboxes are placed in /var/spool/mail, one mailbox (file) per account. For example, my vbird1 has the mailbox /var/spool/mail/vbird1.

How do I send mail? With the mail command, and its usage is simple: "mail username@localhost -s "subject"". If the recipient is a user on the same host, the "@localhost" can be left out. For example, as root I send vbird1 a mail with the subject "nice to meet you":

[root@www ~]# mail vbird1 -s "nice to meet you"
Hello, D.M. Tsai
Nice to meet you in the network.
You are so nice.  byebye!
.    <==important: to finish, type a single . on the last line!
Cc:  <==this is the carbon copy; nobody else to send to, so just press [Enter]
[root@www ~]#  <==the prompt is back, the input is finished!

With that, a mail with the subject nice to meet you and the content shown above has been sent to vbird1. You may find mail uncomfortable to use, because while writing you cannot go back to the previous line once you have pressed Enter. Is there another way? Use the data-flow redirection: the smaller-than sign ( < ) takes the mail body from a file. So you can write the body with vi, save it, and send it with "mail vbird1 -s "nice to meet you" < filename".

Exercise:
Mail the variable file in your home directory (~/.bashrc) to yourself!
Answer:
mail -s "bashrc file content" vbird < ~/.bashrc

The above is about "sending" mail; what about receiving it? Also with mail. Suppose I log in as vbird1 and type mail; what do I see?

[vbird1@www ~]$ mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/vbird1": 1 message 1 new
>N  1 root@www.vbird.tsai   Wed Mar  4 13:36  18/663   "nice to meet you"
&  <==many commands can be typed here; for help type ?

The prompt in mail is the & sign. Note that, after typing mail, I can see that I have one mail; the > in front marks the message currently being handled, and the N to the right of the > means that the message is new (unread). To know what can be done inside mail, type "?" at the & prompt and you see this:

& ?
    Mail   Commands
t <message list>                type messages
n                               goto and type next message
e <message list>                edit messages
f <message list>                give head lines of messages
d <message list>                delete messages
s <message list> file           append messages to file
u <message list>                undelete messages
R <message list>                reply to message senders
r <message list>                reply to message senders and all recipients
pre <message list>              make messages go back to /usr/spool/mail
m <user list>                   mail to specific users
q                               quit, saving unresolved messages in mbox
x                               quit, do not remove system mailbox
h                               print out active message headers
!                               shell escape
cd [directory]                  chdir to directory or home if none given

<message list> is the number of a message, the one shown at the left of each message. The commands you use most often are:

Command   Meaning
h         List the message headers; to look at the headers around message 40, type "h 40"
d         Delete the message with the given number, e.g. "d10" deletes message 10 and "d20-40" deletes messages 20 to 40. The deletion only takes effect together with the q command (see below).
s         Save a message to a file. For example, to save the content of message 5 to ~/mail.file: "s 5 ~/mail.file"
x         The same as typing exit; this "quits mail without doing anything". Whether you deleted mail or read it, exiting with exit leaves the mailbox untouched, so the deletions and the marking as read are not carried out. If you only wanted to look at the mail, exiting this way is better, because it does not change anything.
q         Unlike exit, q does two things on the way out: 1. the deleted messages are removed from the mailbox; 2. the messages that have been read are written to ~/mbox and removed from the mailbox. Usually it is better not to quit with q, because it is easy to forget that read messages are moved out of the mailbox.

Since quitting mail with "q" moves the read messages to ~/mbox, you can think of it like this: /var/spool/mail/vbird1 is vbird1's "inbox" and /home/vbird1/mbox is his "archive". To read /home/vbird1/mbox, use "mail -f /home/vbird1/mbox".


Adding users by hand

In general we do not recommend adding users by hand. Why? Because creating a user involves the GID/UID and the permissions of the home directory, and useradd sets the UID/GID, the home directory and its permissions for us automatically, while when you do it by hand it is easy to forget something and run into trouble later.

Still, to understand the whole system, the manual method is the best way to learn; at least it lets you adjust an account to your own wishes rather than having to accept the system's defaults. So we go through the manual method once, paying attention to the permission settings. Here we go. ^_^


Some checking tools

If we are going to edit the account files by hand, we need some tools to check the group and account files, in particular the password conversion commands pwconv and pwunconv. Let's introduce these commands briefly.


pwck checks whether the data in the account file /etc/passwd are correct, whether the home directories really exist, and whether /etc/passwd and /etc/shadow are consistent. If /etc/passwd contains an error, it asks the user to fix it. Usually I only use this command to check whether my entries are correct.

[root@www ~]# pwck
user adm: directory /var/adm does not exist
user uucp: directory /var/spool/uucp does not exist
user gopher: directory /var/gopher does not exist

The output above is only a warning: these accounts have no home directory, but since they are system accounts, they do not really need one. So the messages are "normal errors". ^_^ The equivalent command for the group files is grpck.


The main purpose of this command is "to move the accounts and passwords in /etc/passwd to /etc/shadow". Early Unix systems had no /etc/shadow, so the users' login passwords were stored in the second field of /etc/passwd; for security the passwords were later moved to /etc/shadow. When you run pwconv, it:

Generally, if you always add users with useradd, running pwconv does nothing at all, because /etc/passwd and /etc/shadow do not have the problems described above. But when you set up accounts by hand, pwconv becomes important.


The opposite of pwconv, pwunconv, "writes the passwords from /etc/shadow back to /etc/passwd and deletes the /etc/shadow file". It is best not to use this command, because it removes your /etc/shadow; if you forget to make a backup and cannot run pwconv again, you are in trouble.


chpasswd is a handy command: it reads unencrypted passwords, encrypts them and writes the encrypted result to /etc/shadow. It is often used when creating accounts in bulk. It reads its data from standard input, one "username:password" per line. For example, the system already has the account dmtsai, and I want to update its password to abcdefg; then I do this:

[root@www ~]# echo "dmtsai:abcdefg" | chpasswd -m

Amazing, isn't it? Done. By default chpasswd encrypts with DES; with chpasswd -m it uses the MD5 scheme that CentOS 5.x uses by default. This command used to be very popular, but since CentOS 5.x provides the "passwd --stdin" option, chpasswd is used much less. As other distributions may not have the --stdin option of passwd, you should still know what this command does.


Special accounts, e.g. the creation of purely numeric accounts

After learning about the relation between the UID/GID and the account, you can probably see why we do not recommend purely numeric accounts: in many cases the system cannot tell whether a numeric string means the "account name" or the "UID", which is not good at all. Under some distributions purely numeric accounts simply cannot be created; on Red Hat 9, for example, "useradd 1234" gives "useradd: invalid user name '1234'".

On newer distributions purely numeric accounts can be created with useradd, but we still strongly advise against them. For instance in a setfacl setting such as "setfacl -m u:501:rwx filename", is 501 a UID or an account name? Since setfacl accepts either a UID or an account name, purely numeric accounts easily confuse the system.

But sometimes the boss insists on such accounts; what then? Of course you can create them by hand. However, for security's sake we still advise against purely numeric accounts! In the example below we use the manual method to create an ordinary account named normaluser that belongs to the group normalgroup. How is it done? From what we have seen, accounts and groups are related to /etc/group, /etc/shadow, /etc/passwd and /etc/gshadow, so the steps are:

  1. create the required group ( vi /etc/group );
  2. synchronize /etc/group and /etc/gshadow ( grpconv );
  3. create the account's attributes ( vi /etc/passwd );
  4. synchronize /etc/passwd and /etc/shadow ( pwconv );
  5. create the account's password ( passwd accountname );
  6. create the user's home directory ( cp -a /etc/skel /home/accountname );
  7. set the ownership of the home directory ( chown -R accountname.group /home/accountname ).
Easy, isn't it? Let's do it.
1. create the group normalgroup, assuming GID 520 is not in use yet, and synchronize gshadow
[root@www ~]# vi /etc/group
# add this line at the very end:
normalgroup:x:520:
[root@www ~]# grpconv
[root@www ~]# grep 'normalgroup' /etc/group /etc/gshadow
/etc/group:normalgroup:x:520:
/etc/gshadow:normalgroup:x::
# finally make sure the group exists in both /etc/group and /etc/gshadow!

2. create the account normaluser, assuming UID 700 is not in use yet
[root@www ~]# vi /etc/passwd
# add this line at the very end:
normaluser:x:700:520::/home/normaluser:/bin/bash

3. synchronize the password data and set the user's password
[root@www ~]# pwconv
[root@www ~]# grep 'normaluser' /etc/passwd /etc/shadow
/etc/passwd:normaluser:x:700:520::/home/normaluser:/bin/bash
/etc/shadow:normaluser:x:14307:0:99999:7:::
# make sure /etc/passwd and /etc/shadow both contain normaluser! but there is no password yet
[root@www ~]# passwd normaluser
Changing password for user normaluser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

4. create the user's home directory and fix its permissions!
[root@www ~]# cp -a /etc/skel /home/normaluser
[root@www ~]# chown -R normaluser:normalgroup /home/normaluser
[root@www ~]# chmod 700 /home/normaluser

Not too bad, right? That completes the account. From here you could create accounts with any name you like; still, we advise against strange account names.


Bulk account creation example (using the passwd --stdin option)

Since the passwd of CentOS 5.x provides the --stdin option, if we can supply a list of accounts and passwords, we can create the accounts and their passwords quite simply. Below we write a simple script that adds users in bulk.

[root@www ~]# vi account1.sh
#!/bin/bash
# This program creates new accounts. Its functions are:
# 1. check that account1.txt exists and list the accounts in it;
# 2. create the accounts listed in that file;
# 3. force the new accounts to "change the password at first login".
# 2009/03/04    VBird
export PATH=/bin:/sbin:/usr/bin:/usr/sbin

# check that account1.txt exists
if [ ! -f account1.txt ]; then
        echo "The account file does not exist. Please create account1.txt with one account name per line."
        exit 1
fi

usernames=$(cat account1.txt)

for username in $usernames
do
        useradd $username                         # add the account
        echo $username | passwd --stdin $username # password identical to the account name
        chage -d 0 $username                      # force a password change at first login
done

Now all that is needed is the account1.txt file. Put one account name per line; here we create ten. In the end every account gets a password identical to its account name, and at the first login the user must set a new password before being allowed to use the system.

[root@www ~]# vi account1.txt
std01
std02
std03
std04
std05
std06
std07
std08
std09
std10

[root@www ~]# sh account1.sh
Changing password for user std01.
passwd: all authentication tokens updated successfully.
....(rest omitted)....

This simple program is only a starting point; the script in the next section is a more complete version that generates the account names and the passwords itself.

Also, the script above was written in the zh_TW.big5 locale; if you need it in Unicode (utf8) encoding, download the file and convert it with the iconv command we discussed in chapter 10.
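Two things the account1.sh script trusts blindly are the names in account1.txt and the width of the generated numbers. Here is an added example, not code from the original page, that brings together the two points made above: it rejects purely numeric and otherwise illegal names before they reach useradd (the name rule assumed here is the common useradd default, ^[a-z_][a-z0-9_-]*$ with at most 32 characters), generates zero-padded account names and refuses to produce a name whose number does not fit the requested width, and only runs useradd outside of its dry-run mode. Passwords are taken from openssl rand, as the bulk script in the next section does.

```shell
#!/bin/sh
# Added example (not from the original page): generate a batch of account
# names, validate each name, and create the accounts. Assumptions: the
# useradd name rule ^[a-z_][a-z0-9_-]*$ (max 32 chars), passwords from
# "openssl rand". Only the "dry" mode runs without root.

# valid_username NAME: returns 0 if NAME is acceptable, 1 otherwise
valid_username() {
    case $1 in
        ''|[0-9]*) return 1 ;;      # empty, or starts with a digit (so "1234" is rejected)
    esac
    [ ${#1} -le 32 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# gen_accounts PREFIX DEGREE DIGITS START COUNT: print zero-padded names,
# e.g. gen_accounts std "" 2 1 3 -> std01 std02 std03. Fails instead of
# silently emitting a name of a different width when a number is too wide.
gen_accounts() {
    prefix=$1; degree=$2; digits=$3; i=$4; end=$(($4 + $5 - 1))
    fmt="%s%s%0${digits}d\n"
    while [ "$i" -le "$end" ]; do
        if [ ${#i} -gt "$digits" ]; then
            echo "number $i needs more than $digits digits" >&2
            return 1
        fi
        printf "$fmt" "$prefix" "$degree" "$i"
        i=$((i + 1))
    done
}

# create_accounts [dry]: read names on stdin, skip invalid ones, create the
# rest with a random password and force a change at first login. With the
# argument "dry" only the useradd commands are printed (no root needed).
# In live mode the name:password pairs are printed once for distribution;
# protect that output.
create_accounts() {
    while read -r name; do
        if ! valid_username "$name"; then
            echo "skipping invalid account name: $name" >&2
            continue
        fi
        if [ "$1" = dry ]; then
            echo "useradd $name"
            continue
        fi
        useradd "$name" || return 1
        pw=$(openssl rand -base64 9)
        echo "$pw" | passwd --stdin "$name" >/dev/null || return 1
        chage -d 0 "$name"
        echo "$name:$pw"
    done
}

# Usage: gen_accounts std "" 2 1 10 | create_accounts dry
```

Run `gen_accounts 4 960c 3 1 60 | create_accounts dry` to see exactly which useradd commands would be issued for the student-ID style names the next section uses, and drop the `dry` only when the list looks right.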


Bulk account creation example (for student IDs with class numbers)

The previous section already handles the account creation most people need. But in some cases the script above is still tedious, because account1.txt must be written by hand. If there are many student-ID style accounts, is there a faster way? And if every class must belong to its own group, with different groups per class, how is that created? It is troublesome.

There are currently many tools for creating accounts in bulk, for example the cmpwd program developed by Taiwan's ISP Seednet:

The useful cmpwd program mentioned above is, however, a Seednet program provided for academic use only; private use is not allowed (see the copyright statement above). But we can also write our own simple script; for example the program below. Its result is roughly the same as that of Seednet's program. Because I use useradd to add the accounts, it can also be used on systems where the UID numbering differs.

This is a simple program of mine; take it as a reference. If you do use it, take care not to test it on a machine that is in production use, because..... it creates accounts in bulk! ^_^

#!/bin/bash
#
# This script creates accounts in bulk. For more ways to use it, see:
# http://vbird.org.cn/linux_basic/0410accountmanager.php#manual_amount
#
# Written by VBird. It works on CentOS 5.x, but no guarantee is given that
# it is free of errors. Use it at your own risk.
#
# History:
# 2005/09/05    VBird   first version, try it out
# 2009/03/04    VBird   locale adjustments; passwords now generated with openssl
export LANG=zh_TW.big5
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
accountfile="user.passwd"

# 1. Read the account parameters first
echo ""
echo "Example: for student numbers 4960c001 to 4960c060, the inputs are:"
echo "leading string of the account      : 4"
echo "degree or year of the account      : 960c"
echo "number of digits (001~060)         : 3"
echo "starting number                    : 1"
echo "number of accounts                 : 60"
echo ""
read -p "Leading string ( Input title name, ex> std )======> " username_start
read -p "Degree or year ( Input degree, ex> 1 or enter )=> " username_degree
read -p "Number of digits ( Input # of digits )======> " nu_nu
read -p "Starting number ( Input start number, ex> 520 )========> " nu_start
read -p "Number of accounts ( Input amount of users, ex> 100 )=====> " nu_amount
read -p "Password rule 1) same as account 2) random ==============> " pwm
if [ "$username_start" == "" ]; then
        echo "No leading string given; stopping here." ; exit 1
fi
# the numeric inputs must contain digits only
testing0=$(echo $nu_nu     | grep '[^0-9]' )
testing1=$(echo $nu_amount | grep '[^0-9]' )
testing2=$(echo $nu_start  | grep '[^0-9]' )
if [ "$testing0" != "" -o "$testing1" != "" -o "$testing2" != "" ]; then
        echo "Invalid input: these values must be numeric." ; exit 1
fi
if [ "$pwm" != "1" ]; then
        pwm="2"
fi

# 2. Write out the account and password file
[ -f "$accountfile" ] && mv $accountfile "$accountfile"$(date +%Y%m%d)
nu_end=$(($nu_start+$nu_amount-1))
for (( i=$nu_start; i<=$nu_end; i++ ))
do
        nu_len=${#i}
        if [ $nu_nu -lt $nu_len ]; then
                echo "The number $i has $nu_len digits, more than the $nu_nu digits you set."
                echo "The program cannot continue."
                exit 1
        fi
        nu_diff=$(( $nu_nu - $nu_len ))
        nu_nn=""                          # reset the padding for every number
        if [ "$nu_diff" != "0" ]; then
                nu_nn=0000000000
                nu_nn=${nu_nn:1:$nu_diff} # nu_diff zeros of padding
        fi
        account=${username_start}${username_degree}${nu_nn}${i}
        if [ "$pwm" == "1" ]; then
                password="$account"
        else
                password=$(openssl rand -base64 6)
        fi
        echo "$account":"$password" | tee -a "$accountfile"
done

# 3. Create the accounts and set the passwords
cat "$accountfile" | cut -d':' -f1 | xargs -n 1 useradd -m
chpasswd < "$accountfile"
pwconv
echo "OK! Accounts created."

If each class should have its own group, create the group first with groupadd and then add that group to the useradd step: 『cat "$accountfile" | cut -d':' -f1 | xargs -n 1 useradd -m -g groupname』. This script can be downloaded from the link below:
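The core of the two scripts above (a list of consecutive, zero-padded account names, one per line in the account:password form that chpasswd reads) as an added example, not part of the original page. The function name gen_account_list and its arguments are assumptions; the padding is done by printf so no padding string can be carried over between iterations, and every generated name is checked against the POSIX portable user-name rule, which rejects names that start with a digit (such as 4960c001), so relax that check if your useradd accepts them.

```shell
#!/bin/bash
# Added example (hypothetical interface, not from the original page):
#   gen_account_list PREFIX DEGREE DIGITS START AMOUNT MODE
#   MODE 1 = password equals the account name (pair it with chage -d 0),
#   MODE 2 = random password.
# Output is one "account:password" line per user, ready for: chpasswd < file

valid_username() {
    # POSIX portable user name: starts with a lowercase letter or '_',
    # then lowercase letters, digits, '_' or '-', at most 32 characters
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

random_password() {
    # 12 alphanumeric characters drawn from /dev/urandom
    head -c 64 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 12
}

gen_account_list() {
    local prefix degree digits start amount mode n i end account password
    prefix=$1; degree=$2; digits=$3; start=$4; amount=$5; mode=${6:-1}
    for n in "$digits" "$start" "$amount"; do
        case $n in ''|*[!0-9]*) echo "DIGITS, START and AMOUNT must be numeric" >&2; return 1;; esac
    done
    start=${start#"${start%%[!0]*}"}; start=${start:-0}   # "001" is 1, not octal
    end=$((start + amount - 1))
    if [ ${#end} -gt "$digits" ]; then
        echo "largest number $end does not fit in $digits digits" >&2
        return 1
    fi
    i=$start
    while [ "$i" -le "$end" ]; do
        # printf pads with zeros to exactly DIGITS places on every iteration
        account=$(printf "%s%s%0${digits}d" "$prefix" "$degree" "$i")
        if ! valid_username "$account"; then
            echo "invalid account name: $account" >&2
            return 1
        fi
        if [ "$mode" = "1" ]; then password=$account; else password=$(random_password); fi
        printf '%s:%s\n' "$account" "$password"
        i=$((i + 1))
    done
}
```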

If this was only a test and you want to delete all the users that were created, the following script removes them:

[root@www ~]# vi delaccount2.sh
#!/bin/bash
# remove every account listed in user.passwd, together with its home directory
usernames=$(cat user.passwd | cut -d ':' -f 1)
for username in $usernames
do
	echo "userdel -r $username"
	userdel -r $username
done
[root@www ~]# sh delaccount2.sh

In short, account management matters a great deal! I hope the material above is of help to everyone!


Key points

Exercises

Short-answer questions

References and further reading

2002/05/15: first version completed
2003/02/10: re-edited and added an FAQ
2005/08/25: added a bulk account creation example, with only a brief explanation!
2005/08/29: moved the original old article to this location
2005/08/31: removed the userconf section, since userconf is no longer useful, is hardly used any more, and its safe use cannot be guaranteed
2005/09/05: finally finished the bulk account creation script; a bit tiring!
2006/03/02: updated the UID range for users, raised from 65535 to 2^32-1!
2007/04/15: the file was written as /etc/pam.d/limits.conf; it should be /etc/security/limits.conf!
2008/04/28: the description of sudo password entry was wrong! It has been updated; see the sudo section. Thanks to superpmo for pointing it out!
2009/02/18: moved the old FC4 article to this location.
2009/02/26: added chage and the "chage -d 0 account" trick!
2009/02/27: added the ACL section!
2009/03/04: added a simple account creation example and revised the original bulk account example!
2009/04/28: removed the description of the sudo -c option, which was previously incorrect
2009/09/09: added some exercises and fixed some wording.
2010/04/27: step 3 of the example script was wrong! It was originally: 『useradd -G youcan -s -m $username』! Thanks to linux_task for the notice!