User and Group Management
1. The relationship between users and groups
- Every user belongs to at least one group: one default group (the initial login group) and zero or more supplementary groups.
- A user holds the permissions of the groups it belongs to, in addition to its own permissions.
2. Managing groups and users as root
(1) Creating and deleting groups and users
//Create group mygroup1
[root@iZwz9catu2mrq92b07d1d0Z ~]# groupadd mygroup1
//Create user cjh (default group mygroup1)
[root@iZwz9catu2mrq92b07d1d0Z ~]# useradd -g mygroup1 cjh
//Set the user's password
[root@iZwz9catu2mrq92b07d1d0Z ~]# passwd cjh
Changing password for user cjh.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
//Delete user u_test (-r also removes the home directory)
[root@iZwz9catu2mrq92b07d1d0Z ~]# userdel -r u_test
//Delete group g_test (fails if a user is still associated with it, i.e. it is still some user's primary group)
[root@iZwz9catu2mrq92b07d1d0Z ~]# groupdel g_test
(2) Modifying group information
//Rename group test to test2
[root@iZwz9catu2mrq92b07d1d0Z ~]# groupmod -n test2 test
//Change the group's GID to 520
[root@iZwz9catu2mrq92b07d1d0Z ~]# groupmod -g 520 test2
(3) Modifying user information
//Change the user's default (primary) group to mygroup2
[root@iZwz9catu2mrq92b07d1d0Z ~]# usermod -g mygroup2 cjh
//Add supplementary group mygroup1 to the user (-a keeps the existing supplementary groups)
[root@iZwz9catu2mrq92b07d1d0Z ~]# usermod -aG mygroup1 cjh
[root@iZwz9catu2mrq92b07d1d0Z ~]# id cjh
uid=503(cjh) gid=506(mygroup2) groups=506(mygroup2),505(mygroup1)
(4) Setting group administrators (so that an ordinary user can take part in group management)
//Make user cjh an administrator of group mygroup2 (separate several administrators with commas)
[root@iZwz9catu2mrq92b07d1d0Z ~]# gpasswd -A cjh mygroup2
[root@iZwz9catu2mrq92b07d1d0Z ~]# cat /etc/gshadow
...
mygroup2:!:cjh:
(5) Managing a group as an ordinary user (group administrator)
//Add user cjh22 to the group
[cjh@iZwz9catu2mrq92b07d1d0Z ~]$ gpasswd -a cjh22 mygroup2
Adding user cjh22 to group mygroup2
[cjh@iZwz9catu2mrq92b07d1d0Z ~]$ cat /etc/group
...
mygroup2:x:506:cjh,cjh22
//Remove user cjh22 from the group
[cjh@iZwz9catu2mrq92b07d1d0Z ~]$ gpasswd -d cjh22 mygroup2
Removing user cjh22 from group mygroup2
[cjh@iZwz9catu2mrq92b07d1d0Z ~]$ cat /etc/group
...
mygroup2:x:506:cjh
//Set a group password
[root@iZwz9catu2mrq92b07d1d0Z ~]# gpasswd mygroup2
Changing the password for group mygroup2
New Password:
Re-enter new password:
//Allow only group members to join the group
[root@iZwz9catu2mrq92b07d1d0Z ~]# gpasswd -R mygroup2
Appendix
[root@iZwz9catu2mrq92b07d1d0Z ~]# man usermod
-a, --append
Add the user to the supplementary group(s). Use only with the -G option.
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option.
If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via the -a option, which appends the user to the current supplementary group list.
In other words: the user is removed from every current supplementary group that is not listed; combined with the -a option, the modification becomes an addition instead.
[root@iZwz9catu2mrq92b07d1d0Z ~]# man gpasswd
gpasswd called by a group administrator with a group name only prompts for the new password of the group. If a password is set the members can still use newgrp(1) without a password, and non-members must supply the password.
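As an added example (not part of the original post), the following Python parses constructed /etc/group and /etc/gshadow records in the formats shown above, simulates the usermod -G versus usermod -aG behaviour the appendix describes, and flags the two things a defender would audit here: group passwords set with gpasswd (which let non-members newgrp into the group) and administrators delegated with gpasswd -A. The sample records, the hash placeholder and the helper names are constructed.

```python
# Added example, not from the original post: parse constructed /etc/group and
# /etc/gshadow records, simulate `usermod -G` vs `usermod -aG`, and flag groups
# that carry a group password or have gpasswd -A administrators.
GROUP = """\
mygroup1:x:505:cjh
mygroup2:x:506:cjh,cjh22
wheel:x:10:cjh
"""
GSHADOW = """\
mygroup1:!::cjh
mygroup2:$6$CONSTRUCTED$notarealhash:cjh:cjh,cjh22
wheel:!::cjh
"""

def _split(field):
    return [x for x in field.split(",") if x]

def parse_group(text):
    """name -> supplementary members (4th field of /etc/group)."""
    rows = (line.split(":") for line in text.splitlines())
    return {name: _split(members) for name, _pw, _gid, members in rows}

def parse_gshadow(text):
    """name -> (password, administrators, members), the four gshadow fields."""
    rows = (line.split(":") for line in text.splitlines())
    return {name: (pw, _split(adm), _split(mem)) for name, pw, adm, mem in rows}

def groups_of(groups, user):
    return sorted(g for g, members in groups.items() if user in members)

def usermod_G(groups, user, new_groups, append):
    """Return the /etc/group membership after `usermod -G` (append=False) or
    `usermod -aG` (append=True): without -a, unlisted groups drop the user."""
    keep = set(new_groups) | (set(groups_of(groups, user)) if append else set())
    return {g: [m for m in members if m != user] + ([user] if g in keep else [])
            for g, members in groups.items()}

def audit_gshadow(gsh):
    """Findings a defender wants: group passwords (let non-members newgrp in)
    and delegated administrators (can add/remove members without root)."""
    findings = []
    for g, (pw, admins, _members) in gsh.items():
        if pw not in ("", "!", "*"):  # '!' means no usable group password
            findings.append(f"{g}: group password set; non-members can newgrp in")
        if admins:
            findings.append(f"{g}: administrators {','.join(admins)}")
    return findings
```

Running usermod_G on the sample with ["mygroup1"] shows cjh left only in mygroup1 without -a, but still in mygroup2 and wheel with -a.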