• Linux用户组和权限管理


                  Linux用户组和权限管理

                                               作者:尹正杰

    版权声明:原创作品,谢绝转载!否则将追究法律责任。

     

    一.Linux的安全模型

    1>.安全3A

      这并不是Linux特有的概念,在很多领域都有3A的概念,比如思科,微软,华为等设备都有安全的概念。大致归类为以下介个术语。
        认证(Authentication):
            即验明真身,主要是验证您是谁的功能。

        授权(Authorization):
            授权一般是验证您的身份后,您用的相应权限。

        审计(Accouting|Audition):
            审计一般是起到监督作用,可以反馈从一些存在的问题,比如安全审计,公司财务审计等等。

    2>.用户user

    令牌:
      token,identity
    Linux用户:
      Username/UID
    管理员:
      root,0(需要注意的是,并不是叫root的用户名才是管理员,而是因为它的uid为0)
    普通用户:
      1-60000编号是自动分配的,但如果我们认为指定用户编号的话是可以超过默认的分配阈值(60000),Linux用户分为系统用户和登录用户。
      系统用户:1-499(CentOS6.X),1-999(CentOS7.X),对守护进程获取资源进行权限分配(给运行软件使用的用户,比如:"mysql","apache","hdfs"用户等等)
      登录用户:500+(CentOS6.X),1000+(CentOS7.X),交互式登录(一般用来登录操作系统,比如yinzhengjie)

    3>.组group

    Linux组:
      Groupname/GID
    
    管理员组:
      root,0
    
    普通组:
      系统组:1-499(CentOS6.X),1-999(CentOS7.X)
      普通组:500+(CentOS6.X),1000+(CentOS7.X)
    
    Linux组的类别:
      用户的主要组(primary group)
        用户必须术语一个且只有一个主组
        默认创建一个用户后会自动加入一个组名同用户名,且仅包含一个用户,我们也可以称之为该用户的私有组。
      用户的附加组(supplementary group)
        一个用户可以属于零个或多个辅助组
    
    [root@node101.yinzhengjie.org.cn ~]# id root
    uid=0(root) gid=0(root) groups=0(root)
    [root@node101.yinzhengjie.org.cn ~]#

    4>.用户和组的配置文件

    Linux用户和组的主要配置文件:
      /etc/passwd
          用户及其属性信息(名称、 UID、主组ID等)   
    /etc/group:
          组及其属性信息   
    /etc/shadow:
          用户密码及其相关属性   
    /etc/gshadow:
          组密码及其相关属性
    passwd文件格式如下:
        login name:登录用名( wang)
        passwd:密码 (x)
        UID:用户身份编号 (1000)
        GID:登录默认所在组编号 (1000)
        GECOS:用户全名或注释
        home directory:用户主目录 (/home/wang)
        shell:用户默认使用shell (/bin/bash)
    
    
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin
    systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
    dbus:x:81:81:System message bus:/:/sbin/nologin
    polkitd:x:999:998:User for polkitd:/:/sbin/nologin
    libstoragemgmt:x:998:995:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
    colord:x:997:994:User for colord:/var/lib/colord:/sbin/nologin
    rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
    gluster:x:996:993:GlusterFS daemons:/run/gluster:/sbin/nologin
    saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
    abrt:x:173:173::/etc/abrt:/sbin/nologin
    rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
    pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
    radvd:x:75:75:radvd user:/:/sbin/nologin
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
    nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
    unbound:x:994:989:Unbound DNS resolver:/etc/unbound:/sbin/nologin
    chrony:x:993:988::/var/lib/chrony:/sbin/nologin
    qemu:x:107:107:qemu user:/:/sbin/nologin
    tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
    usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
    geoclue:x:992:986:User for geoclue:/var/lib/geoclue:/sbin/nologin
    ntp:x:38:38::/etc/ntp:/sbin/nologin
    sssd:x:991:985:User for sssd:/:/sbin/nologin
    setroubleshoot:x:990:984::/var/lib/setroubleshoot:/sbin/nologin
    saned:x:989:983:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
    gdm:x:42:42::/var/lib/gdm:/sbin/nologin
    gnome-initial-setup:x:988:982::/run/gnome-initial-setup/:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
    postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    tcpdump:x:72:72::/:/sbin/nologin
    yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    passwd文件格式
    shadow文件格式
        登录用名
        用户密码:一般用sha512加密
        从1970年1月1日起到密码最近一次被更改的时间
        密码再过几天可以被变更( 0表示随时可被变更)
        密码再过几天必须被变更( 99999表示永不过期)
        密码过期前几天系统提醒用户(默认为一周)
        密码过期几天后帐号会被锁定
        从1970年1月1日算起,多少天后帐号失效
    
    
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/shadow
    root:$6$MLowZZoTkB4Lfzlp$6vkz/bmyWgvPZQEtlQ2Fki1EzZpUdcEecxp2rfzJ1IkvE9amik19QYv.6sYgxCiRgCNPRlfESp78KhUWbaKcN/:
    :0:99999:7:::bin:*:17834:0:99999:7:::
    daemon:*:17834:0:99999:7:::
    adm:*:17834:0:99999:7:::
    lp:*:17834:0:99999:7:::
    sync:*:17834:0:99999:7:::
    shutdown:*:17834:0:99999:7:::
    halt:*:17834:0:99999:7:::
    mail:*:17834:0:99999:7:::
    operator:*:17834:0:99999:7:::
    games:*:17834:0:99999:7:::
    ftp:*:17834:0:99999:7:::
    nobody:*:17834:0:99999:7:::
    systemd-network:!!:18109::::::
    dbus:!!:18109::::::
    polkitd:!!:18109::::::
    libstoragemgmt:!!:18109::::::
    colord:!!:18109::::::
    rpc:!!:18109:0:99999:7:::
    gluster:!!:18109::::::
    saslauth:!!:18109::::::
    abrt:!!:18109::::::
    rtkit:!!:18109::::::
    pulse:!!:18109::::::
    radvd:!!:18109::::::
    rpcuser:!!:18109::::::
    nfsnobody:!!:18109::::::
    unbound:!!:18109::::::
    chrony:!!:18109::::::
    qemu:!!:18109::::::
    tss:!!:18109::::::
    usbmuxd:!!:18109::::::
    geoclue:!!:18109::::::
    ntp:!!:18109::::::
    sssd:!!:18109::::::
    setroubleshoot:!!:18109::::::
    saned:!!:18109::::::
    gdm:!!:18109::::::
    gnome-initial-setup:!!:18109::::::
    sshd:!!:18109::::::
    avahi:!!:18109::::::
    postfix:!!:18109::::::
    tcpdump:!!:18109::::::
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    8122:0:99999:7:::[root@node101.yinzhengjie.org.cn ~]# 
    shadow文件格式
    group文件格式
        群组名称:就是群组名称
        群组密码:通常不需要设定,密码是被记录在 /etc/gshadow
        GID:就是群组的 ID
        以当前组为附加组的用户列表(分隔符为逗号)
    
    
    
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/group
    root:x:0:
    bin:x:1:
    daemon:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mem:x:8:
    kmem:x:9:
    wheel:x:10:
    cdrom:x:11:
    mail:x:12:postfix
    man:x:15:
    dialout:x:18:
    floppy:x:19:
    games:x:20:
    tape:x:33:
    video:x:39:
    ftp:x:50:
    lock:x:54:
    audio:x:63:
    nobody:x:99:
    users:x:100:
    utmp:x:22:
    utempter:x:35:
    input:x:999:
    systemd-journal:x:190:
    systemd-network:x:192:
    dbus:x:81:
    polkitd:x:998:
    cgred:x:997:
    printadmin:x:996:
    libstoragemgmt:x:995:
    colord:x:994:
    rpc:x:32:
    dip:x:40:
    gluster:x:993:
    ssh_keys:x:992:
    saslauth:x:76:
    abrt:x:173:
    rtkit:x:172:
    pulse-access:x:991:
    pulse-rt:x:990:
    pulse:x:171:
    radvd:x:75:
    rpcuser:x:29:
    nfsnobody:x:65534:
    unbound:x:989:
    chrony:x:988:
    kvm:x:36:qemu
    qemu:x:107:
    tss:x:59:
    libvirt:x:987:
    usbmuxd:x:113:
    geoclue:x:986:
    ntp:x:38:
    sssd:x:985:
    setroubleshoot:x:984:
    saned:x:983:
    gdm:x:42:
    gnome-initial-setup:x:982:
    sshd:x:74:
    slocate:x:21:
    avahi:x:70:
    postdrop:x:90:
    postfix:x:89:
    stapusr:x:156:
    stapsys:x:157:
    stapdev:x:158:
    tcpdump:x:72:
    yinzhengjie:x:1000:yinzhengjie
    screen:x:84:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    group文件格式
    gshdow文件格式
        群组名称:就是群的名称
        群组密码:
        组管理员列表:组管理员的列表,更改组密码和成员
        以当前组为附加组的用户列表:多个用户间用逗号分隔
    
    
    
    
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow
    root:::
    bin:::
    daemon:::
    sys:::
    adm:::
    tty:::
    disk:::
    lp:::
    mem:::
    kmem:::
    wheel:::
    cdrom:::
    mail:::postfix
    man:::
    dialout:::
    floppy:::
    games:::
    tape:::
    video:::
    ftp:::
    lock:::
    audio:::
    nobody:::
    users:::
    utmp:!::
    utempter:!::
    input:!::
    systemd-journal:!::
    systemd-network:!::
    dbus:!::
    polkitd:!::
    cgred:!::
    printadmin:!::
    libstoragemgmt:!::
    colord:!::
    rpc:!::
    dip:!::
    gluster:!::
    ssh_keys:!::
    saslauth:!::
    abrt:!::
    rtkit:!::
    pulse-access:!::
    pulse-rt:!::
    pulse:!::
    radvd:!::
    rpcuser:!::
    nfsnobody:!::
    unbound:!::
    chrony:!::
    kvm:!::qemu
    qemu:!::
    tss:!::
    libvirt:!::
    usbmuxd:!::
    geoclue:!::
    ntp:!::
    sssd:!::
    setroubleshoot:!::
    saned:!::
    gdm:!::
    gnome-initial-setup:!::
    sshd:!::
    slocate:!::
    avahi:!::
    postdrop:!::
    postfix:!::
    stapusr:!::
    stapsys:!::
    stapdev:!::
    tcpdump:!::
    yinzhengjie:!!::yinzhengjie
    screen:!::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    gshdow文件格式

    5>.用户相关操作(对应/etc/passwd”)

    [root@node101.yinzhengjie.org.cn ~]# whatis passwd
    passwd (5)           - password file                  
    passwd (1)           - update user's authentication tokens
    sslpasswd (1ssl)     - compute password hashes
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# man 5 passwd
    PASSWD(5)                                 Linux Programmer's Manual                                 PASSWD(5)
    
    NAME
           passwd - password file
    
    DESCRIPTION
           The /etc/passwd file is a text file that describes user login accounts for the system.  It should have
           read permission allowed for all users (many utilities, like ls(1) use it to  map  user  IDs  to  user‐
           names), but write access only for the superuser.
    
           In  the  good  old days there was no great problem with this general read permission.  Everybody could
           read the encrypted passwords, but the hardware was too slow to crack a well-chosen password, and more‐
           over  the  basic  assumption used to be that of a friendly user-community.  These days many people run
           some version of the shadow password suite, where /etc/passwd has an  'x'  character  in  the  password
           field, and the encrypted passwords are in /etc/shadow, which is readable by the superuser only.
    
           If  the  encrypted  password,  whether  in /etc/passwd or in /etc/shadow, is an empty string, login is
           allowed without even asking for a password.  Note that this functionality may  be  intentionally  dis‐
           abled  in  applications,  or  configurable  (for  example  using the "nullok" or "nonull" arguments to
           pam_unix.so).
    
           If the encrypted password in /etc/passwd is "*NP*" (without the quotes), the shadow record  should  be
           obtained from an NIS+ server.
    
           Regardless of whether shadow passwords are used, many system administrators use an asterisk (*) in the
           encrypted password field to make sure that this user can not authenticate  him-  or  herself  using  a
           password.  (But see NOTES below.)
    
           If  you create a new login, first put an asterisk (*) in the password field, then use passwd(1) to set
           it.
    
           Each line of the file describes a single user, and contains seven colon-separated fields:
    
                  name:password:UID:GID:GECOS:directory:shell
    
           The field are as follows:
    
           name        This is the user's login name.  It should not contain capital letters.
    
           password    This is either the encrypted user password, an asterisk (*),  or  the  letter  'x'.   (See
                       pwconv(8) for an explanation of 'x'.)
    
           UID         The privileged root login account (superuser) has the user ID 0.
    
           GID         This  is  the numeric primary group ID for this user.  (Additional groups for the user are
                       defined in the system group file; see group(5)).
    
           GECOS       This field (sometimes called the "comment field") is optional and used only  for  informa‐
                       tional  purposes.   Usually,  it  contains the full username.  Some programs (for example,
                       finger(1)) display information from this field.
    
                       GECOS stands for "General Electric Comprehensive Operating System", which was  renamed  to
                       GCOS when GE's large systems division was sold to Honeywell.  Dennis Ritchie has reported:
                       "Sometimes we sent printer output or batch jobs to the GCOS machine.  The  gcos  field  in
                       the password file was a place to stash the information for the $IDENTcard.  Not elegant."
    
           directory   This  is  the  user's home directory: the initial directory where the user is placed after
                       logging in.  The value in this field is used to set the HOME environment variable.
    
           shell       This is the program to run at login (if empty, use /bin/sh).  If set to a nonexistent exe‐
                       cutable,  the  user  will be unable to login through login(1).  The value in this field is
                       used to set the SHELL environment variable.
    
    FILES
           /etc/passwd
    
    NOTES
           If you want to create user groups, there must be an entry in /etc/group, or no group will exist.
    
           If the encrypted password is set to an asterisk (*), the user will be unable to login using  login(1),
           but  may  still  login  using  rlogin(1), run existing processes and initiate new ones through rsh(1),
           cron(8), at(1), or mail filters, etc.  Trying to lock an account by simply changing  the  shell  field
           yields the same result and additionally allows the use of su(1).
    
    SEE ALSO
           login(1), passwd(1), su(1), getpwent(3), getpwnam(3), crypt(3), group(5), shadow(5)
    
    COLOPHON
           This  page  is part of release 3.53 of the Linux man-pages project.  A description of the project, and
           information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.
    
    Linux                                             2012-05-03                                        PASSWD(5)
    [root@node101.yinzhengjie.org.cn ~]# man 5 passwd
    [root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
    yinzhengjie:x:1000:1000:yinzhengjie:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chfn yinzhengjie                   #修改用户全名或注释
    Changing finger information for yinzhengjie.
    Name [yinzhengjie]: jason
    Office []: bigdata
    Office Phone []: 10086
    Home Phone []: 10010
    
    Finger information changed.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# df -h  | grep /dev/sr0 
    /dev/sr0                  11G   11G     0 100% /run/media/root/CentOS 7 x86_64
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# rpm -ivh /run/media/root/CentOS 7 x86_64/Packages/finger-0.17-52.el7.x86_
    64.rpm Preparing...                          ################################# [100%]
    Updating / installing...
       1:finger-0.17-52.el7               ################################# [100%]
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# finger yinzhengjie
    Login: yinzhengjie                Name: jason
    Directory: /home/yinzhengjie            Shell: /bin/bash
    Office: bigdata, x1-0086        Home Phone: x1-0010
    Last login Wed Aug 14 12:46 (CST) on pts/4 from 172.30.1.1
    Mail last read Wed Aug 14 12:50 2019 (CST)
    No Plan.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chfn yinzhengjie             #修改用户全名或注释
    [root@node101.yinzhengjie.org.cn ~]# tail -1 /etc/passwd
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie      #我们不难发现,使用getent命令可以获取指定用户的信息
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chsh -s /bin/csh yinzhengjie     #我们这里修改shell类型为"/bin/csh"
    Changing shell for yinzhengjie.
    Shell changed.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd yinzhengjie
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/csh
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chsh -s /bin/csh yinzhengjie     #我们这里修改shell类型为"/bin/csh"

    6>.用户密码相关操作(对应“/etc/shadow”)

    [root@node101.yinzhengjie.org.cn ~]# whatis shadow
    shadow (5)           - shadowed password file
    shadow (3)           - encrypted password file routines
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# man 5 shadow
    SHADOW(5)                                File Formats and Conversions                               SHADOW(5)
    
    NAME
           shadow - shadowed password file
    
    DESCRIPTION
           shadow is a file which contains the password information for the system's accounts and optional aging
           information.
    
           This file must not be readable by regular users if password security is to be maintained.
    
           Each line of this file contains 9 fields, separated by colons (“:”), in the following order:
    
           login name
               It must be a valid account name, which exist on the system.
    
           encrypted password
               Refer to crypt(3) for details on how this string is interpreted.
    
               If the password field contains some string that is not a valid result of crypt(3), for instance !
               or *, the user will not be able to use a unix password to log in (but the user may log in the
               system by other means).
    
               This field may be empty, in which case no passwords are required to authenticate as the specified
               login name. However, some applications which read the /etc/shadow file may decide not to permit
               any access at all if the password field is empty.
    
               A password field which starts with a exclamation mark means that the password is locked. The
               remaining characters on the line represent the password field before the password was locked.
    
           date of last password change
               The date of the last password change, expressed as the number of days since Jan 1, 1970.
    
               The value 0 has a special meaning, which is that the user should change her pasword the next time
               she will log in the system.
    
               An empty field means that password aging features are disabled.
    
           minimum password age
               The minimum password age is the number of days the user will have to wait before she will be
               allowed to change her password again.
    
               An empty field and value 0 mean that there are no minimum password age.
    
           maximum password age
               The maximum password age is the number of days after which the user will have to change her
               password.
    
               After this number of days is elapsed, the password may still be valid. The user should be asked to
               change her password the next time she will log in.
    
               An empty field means that there are no maximum password age, no password warning period, and no
               password inactivity period (see below).
    
               If the maximum password age is lower than the minimum password age, the user cannot change her
               password.
    
           password warning period
               The number of days before a password is going to expire (see the maximum password age above)
               during which the user should be warned.
    
               An empty field and value 0 mean that there are no password warning period.
    
           password inactivity period
               The number of days after a password has expired (see the maximum password age above) during which
               the password should still be accepted (and the user should update her password during the next
               login).
    
               After expiration of the password and this expiration period is elapsed, no login is possible using
               the current user's password. The user should contact her administrator.
    
               An empty field means that there are no enforcement of an inactivity period.
    
           account expiration date
               The date of expiration of the account, expressed as the number of days since Jan 1, 1970.
    
               Note that an account expiration differs from a password expiration. In case of an acount
               expiration, the user shall not be allowed to login. In case of a password expiration, the user is
               not allowed to login using her password.
    
               An empty field means that the account will never expire.
               The value 0 should not be used as it is interpreted as either an account with no expiration, or as
               an expiration on Jan 1, 1970.
    
           reserved field
               This field is reserved for future use.
    
    FILES
           /etc/passwd
               User account information.
    
           /etc/shadow
               Secure user account information.
    
           /etc/shadow-
               Backup file for /etc/shadow.
    
               Note that this file is used by the tools of the shadow toolsuite, but not by all user and password
               management tools.
    
    SEE ALSO
           chage(1), login(1), passwd(1), passwd(5), pwck(8), pwconv(8), pwunconv(8), su(1), sulogin(8).
    
    shadow-utils 4.1.5.1                              10/30/2018                                        SHADOW(5)
    [root@node101.yinzhengjie.org.cn ~]# man 5 shadow
    [root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie            #我们发现密码不存在"/etc/passwd"文件中
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie            #CentOS7.X版本中密码存放在"/etc/shadow"文件中
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    8142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# pwunconv                       #我们这里使用该命令可以将"/etc/shadow"中存放的密码放入到"/etc/passwd"文件中
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie            #密码的确回归了
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash[root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie            #但是"/etc/shadow"文件中内容都没有了
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# pwunconv                  #我们这里使用该命令可以将"/etc/shadow"中存放的密码放入到"/etc/passwd"文件中
    [root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash[root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# pwconv                   #将用户名和密码分开存放,即将密码存放在"/etc/shadow"文件中,默认就是存放该文件中。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    8142:0:99999:7:::[root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  passwd yinzhengjie
    yinzhengjie:x:1000:1000:jason,bigdata,10086,10010:/home/yinzhengjie:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# pwconv                   #将用户名和密码分开存放,即将密码存放在"/etc/shadow"文件中,默认就是存放该文件中。
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
    yinzhengjie:$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:1
    8142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -L yinzhengjie      #锁定用户
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie    #将用户锁定后,我们发现密码那一列会多出来一个"!"符号,其实它就是用来标记用户是否被锁定的。
    yinzhengjie:!$6$9k0Xxx.f$YsthR1XeMhMRhJE7sLrXNecLCRDQDvrnaHkWeBOcWqSUg0d5t2l.cKGmwbJdhY9Y5cpSqk/YZbM.ZS/FGQUeI/:
    18142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd yinzhengjie        #我们修改用户的密码后,会发现密码已经解锁啦!
    Changing password for user yinzhengjie.
    New password: 
    BAD PASSWORD: The password is shorter than 8 characters
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# usermod -L yinzhengjie          #锁定用户
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
    yinzhengjie:!$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:
    18142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -U yinzhengjie        #解锁用户
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent  shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -U yinzhengjie          #解锁用户
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -M 42 yinzhengjie          #修改用户密码过期时间为42天
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:42:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -M 42 yinzhengjie          #修改用户密码过期时间为42天
    C:Usersyinzhengjie>net accounts                   #WINDOWS操作系统默用户也有过期时间  
    强制用户在时间到期之后多久必须注销?:     从不
    密码最短使用期限(天):                    0
    密码最长使用期限(天):                    42        #默认过期时间为42天
    密码长度最小值:                          0
    保持的密码历史记录长度:                  None
    锁定阈值:                                从不
    锁定持续时间(分):                        30
    锁定观测窗口(分):                        30
    计算机角色:                              WORKSTATION
    命令成功完成。
    
    
    C:Usersyinzhengjie>
    C:Usersyinzhengjie>net accounts                          #WINDOWS操作系统默用户也有过期时间 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:42:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -I 5 yinzhengjie          #指定密码过期后几天用户被锁定,我这里设置的是5天,如果在指定的42天内没有修改密码在5天后用户会被锁定,锁定用户就无法登录操作系统。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:42:7:5::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -I 5 yinzhengjie          #指定密码过期后几天用户被锁定,我这里设置的是5天,如果在指定的42天内没有修改密码在5天后用户会被锁定,锁定用户就无法登录操作系统。
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:42:7:5::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -E 365 yinzhengjie          #指定用户的有效期天数,我这里设置的为365天,但是需要注意的是,它的起始时间是从1970年开始的!
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$/VZc0Ls3$oLkoTdEE3Gmm0fr6eY3uWBNdcRdzTlgphDp20SI0STjpomDKyrPIKZ7fFicPce8FtcrcPRDACP0HJ7mqI9t741:1
    8142:0:42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chage -E 365 yinzhengjie         #指定用户的有效期天数,我这里设置的为365天,但是需要注意的是,它的起始时间是从1970年开始的!
    [root@node101.yinzhengjie.org.cn ~]# passwd --help
    Usage: passwd [OPTION...] <accountName>
      -k, --keep-tokens       保留未过期的身份验证令牌-d, --delete            删除指定用户密码-l, --lock              锁定指定用户-u, --unlock            解锁指定用户-e, --expire            强制用户下次登录修改密码-f, --force             强制操作
      -x, --maximum=DAYS      最大使用期限
      -n, --minimum=DAYS      指定最短使用期限
      -w, --warning=DAYS      提前多少天开始警告用户
      -i, --inactive=DAYS     非活动期限
      -S, --status            报告指定用户的密码状态
      --stdin                 从标准输入接受用户密码
    
    Help options:
      -?, --help              Show this help message
      --usage                 Display brief usage message
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo bigdata
    bigdata
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie
    Changing password for user yinzhengjie.
    passwd: all authentication tokens updated successfully.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null       #生产环境修改密码方式
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo bigdata | passwd --stdin yinzhengjie &> /dev/null       #生产环境修改密码方式
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
    42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -l yinzhengjie      #将用户锁定
    Locking password for user yinzhengjie.
    passwd: Success
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie    #注意观察密码前多了2个"!"
    yinzhengjie:!!$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:
    0:42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -l yinzhengjie                           #将用户锁定
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:!!$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:
    0:42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -u yinzhengjie                           #将用户解锁
    Unlocking password for user yinzhengjie.
    passwd: Success
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
    42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -u yinzhengjie                           #将用户解锁
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:18142:0:
    42:7:5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -e yinzhengjie                            #让用户密码过期,下次用户登录后需要立即更改密码才行。
    Expiring password for user yinzhengjie.
    passwd: Success
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent shadow yinzhengjie
    yinzhengjie:$6$kXs/Ht35$1zMelm2cS78cwxBq14kzZzsQrQShIBX0ADXTvb7rkX0.LXYhF1cORtDAnvqacoIdQipj33u1tHbEPGv3RbTuJ.:0:0:42:7
    :5:365:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# passwd -e yinzhengjie                           #让用户密码过期,下次用户登录后需要立即更改密码才行。

    7>.用户组相关操作(对应/etc/group”)

    [root@node101.yinzhengjie.org.cn ~]# whereis group
    group: /etc/group /usr/share/man/man5/group.5.gz
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# man group
    GROUP(5)                                  Linux Programmer's Manual                                  GROUP(5)
    
    NAME
           group - user group file
    
    DESCRIPTION
           The  /etc/group  file  is  a  text file that defines the groups on the system.  There is one entry per
           line, with the following format:
    
                  group_name:password:GID:user_list
    
           The fields are as follows:
    
           group_name  the name of the group.
    
           password    the (encrypted) group password.  If this field is empty, no password is needed.
    
           GID         the numeric group ID.
    
           user_list   a list of the usernames that are members of this group, separated by commas.
    
    FILES
           /etc/group
    
    BUGS
           As the 4.2BSD initgroups(3) man page says: No-one seems to keep /etc/group up-to-date.
    
    SEE ALSO
           login(1), newgrp(1), getgrent(3), getgrnam(3), passwd(5)
    
    COLOPHON
           This page is part of release 3.53 of the Linux man-pages project.  A description of the  project,  and
           information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.
    
    Linux                                             2010-10-21                                         GROUP(5)
    [root@node101.yinzhengjie.org.cn ~]# man group

    8>.用户组密码相关操作(对应“/etc/gshadow”)

    [root@node101.yinzhengjie.org.cn ~]# whereis gshadow
    gshadow: /etc/gshadow /usr/include/gshadow.h /usr/share/man/man5/gshadow.5.gz
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# man gshadow
    GSHADOW(5)                               File Formats and Conversions                              GSHADOW(5)
    
    NAME
           gshadow - shadowed group file
    
    DESCRIPTION
           /etc/gshadow contains the shadowed information for group accounts.
    
           This file must not be readable by regular users if password security is to be maintained.
    
           Each line of this file contains the following colon-separated fields:
    
           group name
               It must be a valid group name, which exist on the system.
    
           encrypted password
               Refer to crypt(3) for details on how this string is interpreted.
    
               If the password field contains some string that is not a valid result of crypt(3), for instance !
               or *, users will not be able to use a unix password to access the group (but group members do not
               need the password).
    
               The password is used when an user who is not a member of the group wants to gain the permissions
               of this group (see newgrp(1)).
    
               This field may be empty, in which case only the group members can gain the group permissions.
    
               A password field which starts with a exclamation mark means that the password is locked. The
               remaining characters on the line represent the password field before the password was locked.
    
               This password supersedes any password specified in /etc/group.
    
           administrators
               It must be a comma-separated list of user names.
    
               Administrators can change the password or the members of the group.
    
               Administrators also have the same permissions as the members (see below).
    
           members
               It must be a comma-separated list of user names.
    
               Members can access the group without being prompted for a password.
    
               You should use the same list of users as in /etc/group.
    
    FILES
           /etc/group
               Group account information.
    
           /etc/gshadow
               Secure group account information.
    
    SEE ALSO
      gpasswd(5), group(5), grpck(8), grpconv(8), newgrp(1).
    
    shadow-utils 4.1.5.1                              10/30/2018                                       GSHADOW(5)
    [root@node101.yinzhengjie.org.cn ~]# man gshadow
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
    yinzhengjie:!!::yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd yinzhengjie        #我们可以给组加密
    Changing the password for group yinzhengjie
    New Password: 
    Re-enter new password: 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/gshadow | grep yinzhengjie
    yinzhengjie:$6$D/VCeiXW$ZQjYDmM29epe6gYQh670NhKCc2CzrgO190qnQ2JDuV04qltsIAD5ZdiC.A.hKFNZn5DDvnNxuzmLMVoX8T.pp0:yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd yinzhengjie        #我们可以给组加密,不推荐使用

    9>.密码策略

    密码加密
      加密机制:
        加密:明文--> 密文
        解密:密文--> 明文
      单向加密:哈希算法,原文不同,密文必不同
        相同算法定长输出,获得密文不可逆推出原始数据
        雪崩效应:初始条件的微小改变,引起结果的巨大改变
        md5: message digest, 128bits
        sha1: secure hash algorithm, 160bits
        sha224: 224bits
        sha256: 256bits
        sha384: 384bits
        sha512: 512bits
      更改加密算法:
        authconfig --passalgo=sha256 --update
    
    密码的复杂性策略
      足够长
      使用数字、大写字母、小写字母及特殊字符中至少3种
      使用随机密码
      定期更换,不要使用最近曾经使用过的密码
    
    密码期限示意图如下所示。

    10>.用户(组)及密码(组)文件操作

      一般情况下不推荐大家直接去修改文件,容易出现格式错误的情况。如果你非要用修改文件的格式的方法去修改用户及密码的配置文件,推荐使用以下工具,它们会带有语法检查的功能。
        vipw:
          相当于"vi /etc/passwd",只不过该命令有语法检查的功能。
          如果使用"vipw -s"相当于"vi /etc/shadow",也有语法检查功能。
      
        vigr:
          相当于"vi /etc/group",也有语法检查功能。
          如果使用"vigr -s"相当于"vi /etc/gshadow",也有语法检查功能。   
        pwck:
          检查"/etc/passwd"配置文件,比如验证用户是否有家目录等,执行后会有相应的提示信息。

        grpck:
          见擦汗"/etc/group"配置文件,详情请参考“grpck --help”

    二.用户和组管理命令

    用户管理命令
        useradd
        usermod
        userdel
    
    组帐号维护命令
        groupadd
        groupmod
        groupdel

    1>.用户创建: useradd 

    [root@node101.yinzhengjie.org.cn ~]# useradd -h
    Usage: useradd [options] LOGIN
           useradd -D
           useradd -D [options]
    
    Options:
      -b, --base-dir BASE_DIR       base directory for the home directory of the
                                    new account
      -c, --comment COMMENT         指定用户的注释信息
      -d, --home-dir HOME_DIR       以指定的(不存在)路径为家目录
      -D, --defaults                print or change default useradd configuration
      -e, --expiredate EXPIRE_DATE  expiration date of the new account
      -f, --inactive INACTIVE       password inactivity period of the new account
      -g, --gid GROUP               指明用户所属基本组,可为组名,也可以使用GID
      -G, --groups GROUPS           为用户指明附加组,组须事先存在
      -h, --help                    display this help message and exit
      -k, --skel SKEL_DIR           use this alternative skeleton directory
      -K, --key KEY=VALUE           override /etc/login.defs defaults
      -l, --no-log-init             do not add the user to the lastlog and
                                    faillog databases
      -m, --create-home             创建用户的家(主)目录,用于系统用户
      -M, --no-create-home          不创建家目录,用于非系统用户
      -N, --no-user-group           不创建私用组作为主组,使用users组做主组。
      -o, --non-unique              配合"-u"选线,不检查UID的唯一性
      -p, --password PASSWORD       encrypted password of the new account
      -r, --system                  创建系统用户,注意CentOS6.X系统的UID小于500,CentOS7.X系统的UID小于1000
      -R, --root CHROOT_DIR         directory to chroot into
      -s, --shell SHELL             指明用户的默认shell程序,可用列表在"/etc/shells"文件中
      -u, --uid UID                 user ID of the new account
      -U, --user-group              create a group with the same name as the user
      -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -h
    [root@node101.yinzhengjie.org.cn ~]# useradd -D               #显示默认设置
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/default/useradd       #以上用户的默认设置均来自该文件
    # useradd defaults file
    GROUP=100           #组编号默认为100,即为user组
    HOME=/home          #家目录位置
    INACTIVE=-1          #密码过期策略过期后的宽限期,默认是永远宽限,即"-1"。
    EXPIRE=            #指定用户的过期时间,即账户的有限使用时间。
    SHELL=/bin/bash       #指定默认的登录shell类型
    SKEL=/etc/skel        #指定家目录的默认数据
    CREATE_MAIL_SPOOL=yes
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/login.defs                                                     #用户默认配置信息
    #
    # Please note that the parameters in this configuration file control the
    # behavior of the tools from the shadow-utils component. None of these
    # tools uses the PAM mechanism, and the utilities that use PAM (such as the
    # passwd command) should therefore be configured elsewhere. Refer to
    # /etc/pam.d/system-auth for more information.
    #
    
    # *REQUIRED*
    #   Directory where mailboxes reside, _or_ name of file, relative to the
    #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
    #   QMAIL_DIR is for Qmail
    #
    #QMAIL_DIR    Maildir
    MAIL_DIR    /var/spool/mail
    #MAIL_FILE    .mail
    
    # Password aging controls:
    #
    #    PASS_MAX_DAYS    Maximum number of days a password may be used.
    #    PASS_MIN_DAYS    Minimum number of days allowed between password changes.
    #    PASS_MIN_LEN    Minimum acceptable password length.
    #    PASS_WARN_AGE    Number of days warning given before a password expires.
    #
    PASS_MAX_DAYS    99999
    PASS_MIN_DAYS    0
    PASS_MIN_LEN    5
    PASS_WARN_AGE    7
    
    #
    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                  1000
    UID_MAX                 60000
    # System accounts
    SYS_UID_MIN               201
    SYS_UID_MAX               999
    
    #
    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                  1000
    GID_MAX                 60000
    # System accounts
    SYS_GID_MIN               201
    SYS_GID_MAX               999
    
    #
    # If defined, this command is run when removing a user.
    # It should remove any at/cron/print jobs etc. owned by
    # the user to be removed (passed as the first argument).
    #
    #USERDEL_CMD    /usr/sbin/userdel_local
    
    #
    # If useradd should create home directories for users by default
    # On RH systems, we do. This option is overridden with the -m flag on
    # useradd command line.
    #
    CREATE_HOME    yes
    
    # The permission mask is initialized to this value. If not specified, 
    # the permission mask will be initialized to 022.
    UMASK           077
    
    # This enables userdel to remove user groups if no members exist.
    #
    USERGROUPS_ENAB yes
    
    # Use SHA512 to encrypt password.
    ENCRYPT_METHOD SHA512 
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /etc/login.defs               #用户默认配置信息
    [root@node101.yinzhengjie.org.cn ~]# getent group users
    users:x:100:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -N tom      #不创建私有组作为主组,使用users组作为主组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id  tom
    uid=1001(tom) gid=100(users) groups=100(users)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ls -a /etc/skel/
    .  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ls -a /home/tom/        #我们不难发现,创建的用户家目录存在的数据和我们在"/etc/default/useradd"配置文件中的"SKEL"属性一致。
    .  ..  .bash_logout  .bash_profile  .bashrc  .mozilla
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -N tom                  #不创建私有组作为主组,使用users组作为主组
    [root@node101.yinzhengjie.org.cn ~]# useradd -r mysql -s /sbin/nologin      #使用"-r"命令就不会去创建默认的家目录了,因为它创建的是一个系统用户。我们使用"-s"选项来指定用户的登录shell类型。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id mysql                      #很明显,在CentOS7.X版本系统的UID是小于1000的,这个在"/etc/login.defs"文件中有相应的记录。
    uid=987(mysql) gid=981(mysql) groups=981(mysql)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd mysql
    mysql:x:987:981::/home/mysql:/sbin/nologin
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -r mysql -s /sbin/nologin       #使用"-r"命令就不会去创建默认的家目录了,因为它创建的是一个系统用户。我们使用"-s"选项来指定用户的登录shell类型。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -u 10086 jason            #创建jason用户并指定其UID为10086
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id jason
    uid=10086(jason) gid=10086(jason) groups=10086(jason)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd jason
    jason:x:10086:10086::/home/jason:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -u 10086 jason              #创建jason用户并指定其UID为10086
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie                   #我们直到默认情况下,每个用户都有唯一的一个UID,如果想要创建2个不同的用户名但UID一样的情况,并让这两个用户都拥有同一个UID的权限就得需要使用相应的useradd选项。
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -u 1000 -o jenny             #使用"-o"选线,咱们这里创建了2个不同的用户名,但是UID却是一样的,如果你想要两个不同用户名使用同一个UID权限的话就可用这样干。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd jenny                          #由于Linux识别用户是基于UID来识别的,我们发现如果设置2个同UID的不同用户名可能会产生信息混乱的情况。因此还是谨慎使用呀~
    jenny:x:1000:10087::/home/jenny:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id jenny
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/                      #两个用户的家目录还是不一样的哟
    total 0
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 yinzhengjie jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -u 1000 -o jenny             #使用"-o"选线,咱们这里创建了2个不同的用户名,但是UID却是一样的,如果你想要两个不同用户名使用同一个UID权限的话就可用这样干。
    [root@node101.yinzhengjie.org.cn ~]# getent group yinzhengjie
    yinzhengjie:x:1000:yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -g yinzhengjie danny          #创建一个danny用户,并指定其组为"yinzhengjie",即并不会使用默认的同名组。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id danny
    uid=10088(danny) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -g yinzhengjie danny           #创建一个danny用户,并指定其组为"yinzhengjie",即并不会使用默认的同名组。
    [root@node101.yinzhengjie.org.cn ~]# useradd -g root -G yinzhengjie,jason,jenny yzj    #创建yzj用户,让其主组归为root组,附加组为yinzhengjie,jason,jenny各组,有点类似于咱们运维工程师,在企业身兼数职。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yzj
    uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -l -g yinzhengjie                #查看yinzhengjie这个组有哪些用户
    yinzhengjie  yzj 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jason
    yzj 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -l -g jenny
    yzj 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups yzj                          #查看yzj这大概用户有哪些组,一般排在第一个为主组,后面的均为附加组。
    yzj : root yinzhengjie jason jenny
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/                                            #需要注意的是,尽管一个用户可用被加入到多个组,但是用户的家目录依旧属于主组,如下所示。
    total 0
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -g root -G yinzhengjie,jason,jenny yzj  #创建yzj用户,让其主组归为root组,附加组为yinzhengjie,jason,jenny各组,有点类似于咱们运维工程师,在企业身兼数职。
    [root@node101.yinzhengjie.org.cn ~]# mkdir /data
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -d /data/bigdata hdfs            #创建用户并指定其家目录为"/data/bigdata"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/
    total 0
    drwx------. 3 hdfs hdfs 78 Sep  3 17:41 bigdata
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/bigdata/ -a                  #很显然,家目录的默认数据和"/etc/skel"目录是一致的哟
    total 12
    drwx------. 3 hdfs hdfs  78 Sep  3 17:41 .
    drwxr-xr-x. 3 root root  21 Sep  3 17:41 ..
    -rw-r--r--. 1 hdfs hdfs  18 Oct 31  2018 .bash_logout
    -rw-r--r--. 1 hdfs hdfs 193 Oct 31  2018 .bash_profile
    -rw-r--r--. 1 hdfs hdfs 231 Oct 31  2018 .bashrc
    drwxr-xr-x. 4 hdfs hdfs  39 Aug  1 21:58 .mozilla
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /etc/skel/ -a
    total 24
    drwxr-xr-x.   3 root root   78 Apr 11  2018 .
    drwxr-xr-x. 146 root root 8192 Sep  3 17:41 ..
    -rw-r--r--.   1 root root   18 Oct 31  2018 .bash_logout
    -rw-r--r--.   1 root root  193 Oct 31  2018 .bash_profile
    -rw-r--r--.   1 root root  231 Oct 31  2018 .bashrc
    drwxr-xr-x.   4 root root   39 Aug  1 21:58 .mozilla
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -d /data/bigdata hdfs            #创建用户并指定其家目录为"/data/bigdata"
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -r -m apache              #我们知道使用“-r”是创建系统用户,该参数不会创建相应的家目录,如果非要强行创建,则可以使用"-m"选项。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id apache
    uid=986(apache) gid=980(apache) groups=980(apache)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -r -m apache                  #我们知道使用“-r”是创建系统用户,该参数不会创建相应的家目录,如果非要强行创建,则可以使用"-m"选项。
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -M dengziqi                #创建用户时不允许创建家目录。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id dengziqi
    uid=10091(dengziqi) gid=10091(dengziqi) groups=10091(dengziqi)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd dengziqi
    dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -M dengziqi                  #创建用户时不允许创建家目录。
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat user.txt             #这个格式咱们可以参考"/etc/passwd"格式即可
    hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
    hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
    hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# newusers user.txt           #newusers可以按照"/etc/passwd"格式来批量创建用户。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/passwd          #很明显用户被创建成功啦
    hadoop101:x:2019:2019:hdfs user101:/home/hadoop101:/bin/csh
    hadoop102:x:2020:2020:hdfs user102:/home/hadoop102:/bin/bash
    hadoop103:x:2021:2021:hdfs user103:/home/hadoop103:/bin/csh
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/                #也生成了对应的用户家目录
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
    drwx------. 2 hadoop101   hadoop101     6 Sep  5 09:36 hadoop101
    drwx------. 2 hadoop102   hadoop102     6 Sep  5 09:36 hadoop102
    drwx------. 2 hadoop103   hadoop103     6 Sep  5 09:36 hadoop103
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# newusers user.txt                    #newusers可以按照"/etc/passwd"格式来批量创建用户。
    [root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
    hadoop101:$6$0wBgf/Cr$vYRQzifVMrxaXwlsn/7FxsS/Ekjw4x.aNElIIMgyvsCT6.7KQmG2DGNKJtyx./.ARcLOGW09035OH9g/NZ4A8.:181
    44:0:99999:7:::hadoop102:$6$g6O4GJL21PZH$TMZGml4bo1BVBWEpE145mvxjlYzYIDDpKXweFzUbeoGeIdckN3bDnRAtOzdWwOXaWsyxxW39hzAGhcRSumHZH/
    :18144:0:99999:7:::hadoop103:$6$cCnLp/tV0jS/$5AST/AOjMOrd5EIWRoDek2uR1VPHyCMCM7iHLJXjmxrvq5z5AFpMSt1Letqt7FTv1PSkg51MEPm4sH66hux/r1
    :18144:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat passwd.txt             #保存密码格式
    hadoop101:yinzhengjie
    hadoop102:yinzhengjie
    hadoop103:yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat passwd.txt | chpasswd       #批量修改用户密码
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -3 /etc/shadow
    hadoop101:$6$dDpTknD8SzSKoq$mgvwwy03zUFurrxw6GKvhkUClLL7r/Hsb5Jg1XzVF1KimXDHDlAZiqoma0GDTBYdgtC7Mav86w.CwiLqklHI
    y0:18144:0:99999:7:::hadoop102:$6$LDGCW/7daOR/Pm$5YqXe6HXW22RQRjDp/xHnuMTfzdEekP0vcf9oPs7o2M.OD24HE24CEu5lO2TlNrH1WXIhzaMMkkGTyfFnn7R
    V/:18144:0:99999:7:::hadoop103:$6$CBgr./2XG$HC4Y2YHYiRar76y9QLHp.qY3I3lG.mn.z2qLSm.jUES3QCDqgGAgYQ7PrHNsX9VCYOn9jjLPBIBPwcBAcY4jW0:18
    144:0:99999:7:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat passwd.txt | chpasswd               #批量修改用户密码

    2>.用户属性修改: usermod

    [root@node101.yinzhengjie.org.cn ~]# usermod -h
    Usage: usermod [options] LOGIN
    
    Options:
      -c, --comment COMMENT         新的注释信息
      -d, --home HOME_DIR           新家目录不会自动创建;若要创建新家目录并移动原家目录数据,同时使用"-m"选项
      -e, --expiredate EXPIRE_DATE  用来指明用户账号过期日期
      -f, --inactive INACTIVE       设置非活动期限
      -g, --gid GROUP               新的主组
      -G, --groups GROUPS           新的附加组,原来的附加组见会被覆盖;若保留原有,则要同时使用通过"-a"选项
      -a, --append                  append the user to the supplemental GROUPS
                                    mentioned by the -G option without removing
                                    him/her from other groups
      -h, --help                    display this help message and exit
      -l, --login NEW_LOGIN         新的名字
      -L, --lock                    lock指定用户,在"/etc/shadow"密码栏的增加"!"符号。
      -m, --move-home               move contents of the home directory to the
                                    new location (use only with -d)
      -o, --non-unique              allow using duplicate (non-unique) UID
      -p, --password PASSWORD       use encrypted password for the new password
      -R, --root CHROOT_DIR         directory to chroot into
      -s, --shell SHELL             新的默认SHELL
      -u, --uid UID                 指定新的UID
      -U, --unlock                  unlock指定用户,将"/etc/shadow"密码栏的"!"符号拿掉。
      -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -h
    [root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
    jenny:x:1000:10087::/home/jenny:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id jenny
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -u 10087 jenny        #修改jenny用户的UID,注意修改用户的UID时该用户不能登录哟,否则可能会报错。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id jenny
    uid=10087(jenny) gid=10087(jenny) groups=10087(jenny)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd jenny
    jenny:x:10087:10087::/home/jenny:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -u 10087 jenny        #修改jenny用户的UID,注意修改用户的UID时该用户不能登录哟,否则可能会报错。
    [root@node101.yinzhengjie.org.cn ~]# getent passwd hdfs      #注意观察hdfs用户的家目录及uid
    hdfs:x:10090:10090::/data/bigdata:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id hdfs
    uid=10090(hdfs) gid=10090(hdfs) groups=10090(hdfs)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -l hadoop hdfs -d /home/hadoop      #我们将hdfs用户更名为hadoop用户并指定家目录为"/home/hadoop",但此时并不会自动生成相应的家目录,需要咱们手动操作。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mv /data/bigdata/ /home/hadoop          #因此我们需要手动将"hdfs"用户的家目录迁移至"hadoop"指定的家目录路径。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id hadoop
    uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd hadoop          #观察hadoop的家目录和uid是否和原来的hdfs用户一致
    hadoop:x:10090:10090::/home/hadoop:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -l hadoop hdfs -d /home/hadoop      #我们将hdfs用户更名为hadoop用户并指定家目录为"/home/hadoop",但此时并不会自动生成相应的家目录,需要咱们手动操作。
    [root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/passwd
    danny:x:10088:1000::/home/danny:/bin/bash
    yzj:x:10089:0::/home/yzj:/bin/bash
    apache:x:986:980::/home/apache:/bin/bash
    dengziqi:x:10091:10091::/home/dengziqi:/bin/bash
    hadoop:x:10090:10090::/home/hadoop:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yzj
    uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups yzj
    yzj : root yinzhengjie jason jenny
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -aG dengziqi,hadoop yzj        #我们为"yzj"用户新追加附加组"dengziqi""hadoop"组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yzj
    uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hadoop)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups yzj
    yzj : root yinzhengjie jason jenny dengziqi hadoop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -aG dengziqi,hadoop yzj        #我们为"yzj"用户新追加附加组"dengziqi"和"hadoop"组
    [root@node101.yinzhengjie.org.cn ~]# id yzj
    uid=10089(yzj) gid=0(root) groups=0(root),1000(yinzhengjie),10086(jason),10087(jenny),10091(dengziqi),10090(hado
    op)[root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups yzj
    yzj : root yinzhengjie jason jenny dengziqi hadoop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -G "" yzj      #清空所有附加组,注意没有"-a"选项啦
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yzj
    uid=10089(yzj) gid=0(root) groups=0(root)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups yzj
    yzj : root
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -G "" yzj                 #清空所有附加组,注意没有"-a"选项啦

    3>.删除用户:userdel

    [root@node101.yinzhengjie.org.cn ~]# userdel -h          #查看"userdel"命令的帮助信息
    Usage: userdel [options] LOGIN
    
    Options:
      -f, --force                   force some actions that would fail otherwise
                                    e.g. removal of user still logged in
                                    or files, even if not owned by the user
      -h, --help                    display this help message and exit
      -r, --remove                  remove home directory and mail spool
      -R, --root CHROOT_DIR         directory to chroot into
      -Z, --selinux-user            remove any SELinux user mapping for the user
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# userdel -h              #查看"userdel"命令的帮助信息
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent passwd yzj
    yzj:x:10089:0::/home/yzj:/bin/bash
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# userdel -r yzj        #删除用户及其家目录(生产环境慎用,有可能该员工已经离职但其数据可能对其它同时有用)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# userdel -r yzj            #删除用户及其家目录(生产环境慎用,有可能该员工已经离职但其数据可能对其它同时有用)

    4>.查看用户相关的ID信息 

    [root@node101.yinzhengjie.org.cn ~]# id postfix             #查看"postfix"用户相关的ID信息,如果用户不存在会提示"no such user"相关错误信息。
    uid=89(postfix) gid=89(postfix) groups=89(postfix),12(mail)
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# id -u postfix            #显示“postfix”用户的UID
    89
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id -g postfix            #显示"postfix"用户的GID
    89
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id -G postfix            #显示"postfix"用户所属的组的ID(包括附加组)
    89 12
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id -nG postfix           #显示组的名称,"-n"参数需要和"ugG"参数配合使用
    postfix mail
    [root@node101.yinzhengjie.org.cn ~]# 

    5>.切换用户或以其他用户身份执行命令(su命令的前提是要知道对方的用户密码,除非你直接使用root用户) 

    [root@node101.yinzhengjie.org.cn ~]# echo $PATH
    /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cd /data/
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# pwd
    /data
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su yinzhengjie      #不完全切换,即切换后的用户依旧保留上一个用户的环境变量和工作目录
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ pwd         #我们不难发现工作目录并没有变化,切换用户后并没有到"yinzhengjie"用户的家目录中
    /data
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ echo $PATH    #注意观察当前的环境变量并非"yinzhengjie"用户,而是"root"用户的
    /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn /data]$ exit        #退出当前登录
    exit
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su yinzhengjie        #不完全切换,即切换后的用户依旧保留上一个用户的环境变量和工作目录
    [root@node101.yinzhengjie.org.cn ~]# echo $PATH
    /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cd /data/
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su -l yinzhengjie      #完全切换,即切换到该用户的家目录且环境变量也会跟着变化,相当于使用ssh服务连接的效果。
    Last login: Thu Sep  5 10:15:15 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH        #环境变量发生了变化
    /usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/yinzhengjie/bin
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd            #工作目录也变为"yinzhengjie"用户的家目录啦
    /home/yinzhengjie
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit            #退出当前用户
    logout
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su -l yinzhengjie      #完全切换,即切换到该用户的家目录且环境变量也会跟着变化,相当于使用ssh服务连接的效果。
    [root@node101.yinzhengjie.org.cn ~]# echo $PATH
    /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cd /data/
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su - yinzhengjie      #完全切换用户,其实等效于"su -l yinzhengjie"
    Last login: Thu Sep  5 10:15:42 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ echo $PATH
    /usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/yinzhengjie/.local/bin:/home/
    yinzhengjie/bin[yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ pwd
    /home/yinzhengjie
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# 
    [root@node101.yinzhengjie.org.cn /data]# su - yinzhengjie      #完全切换用户,其实等效于"su -l yinzhengjie"
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ su -l -c 'getent passwd hadoop'    #注意,-l后面我没有指定用户名,默认就会切换到root用户。使用-c表示切换到root用户并执行一条命令即可,执行完毕并不会切换到root用户身份。
    Password: 
    hadoop:x:10090:10090::/home/hadoop:/bin/bash
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 

    6>.创建组:groupadd

    [root@node101.yinzhengjie.org.cn ~]# groupadd -h
    Usage: groupadd [options] GROUP
    
    Options:
      -f, --force                   exit successfully if the group already exists,
                                    and cancel -g if the GID is already used
      -g, --gid GID                 指明GID号
      -h, --help                    display this help message and exit
      -K, --key KEY=VALUE           override /etc/login.defs defaults
      -o, --non-unique              allow to create groups with duplicate
                                    (non-unique) GID
      -p, --password PASSWORD       use this encrypted password for the new group
      -r, --system                  创建系统组,CentOS6.X:ID < 500,CentOS7.X:ID<1000
      -R, --root CHROOT_DIR         directory to chroot into
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupadd -h
    [root@node101.yinzhengjie.org.cn ~]# groupadd yarn          #创建一个yarn组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent group yarn
    yarn:x:10092:
    [root@node101.yinzhengjie.org.cn ~]# 

    7>.组属性修改: groupmod 

    [root@node101.yinzhengjie.org.cn ~]# groupmod -h
    Usage: groupmod [options] GROUP
    
    Options:
      -g, --gid GID                 新的GID
      -h, --help                    display this help message and exit
      -n, --new-name NEW_GROUP      新名字
      -o, --non-unique              allow to use a duplicate (non-unique) GID
      -p, --password PASSWORD       change the password to this (encrypted)
                                    PASSWORD
      -R, --root CHROOT_DIR         directory to chroot into
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmod -h
    [root@node101.yinzhengjie.org.cn ~]# ll /home/              #注意观察"hadoop"用户的组名是"hdfs"
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hdfs         78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id hadoop
    uid=10090(hadoop) gid=10090(hdfs) groups=10090(hdfs)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmod -n hadoop hdfs      #将"hdfs"组名改为"hadoop"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id hadoop
    uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /home/            #注意查看hadoop用户的组名也跟着变为"hadoop"
    total 0
    drwx------. 3 apache      apache       78 Sep  3 17:51 apache
    drwx------. 3 danny       yinzhengjie  78 Sep  3 17:28 danny
    drwx------. 3 hadoop      hadoop       78 Sep  3 17:41 hadoop
    drwx------. 3 jason       jason        78 Sep  3 17:08 jason
    drwx------. 3 jenny       jenny        78 Sep  3 17:12 jenny
    drwx------. 3 tom         users        78 Sep  3 16:41 tom
    drwx------. 5 yinzhengjie yinzhengjie 128 Aug 14 12:46 yinzhengjie
    drwx------. 3 yzj         root         78 Sep  3 17:32 yzj
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmod -n hadoop hdfs      #将"hdfs"组名改为"hadoop"

    8>.组属性删除: groupdel

    [root@node101.yinzhengjie.org.cn ~]# groupdel -h
    Usage: groupdel [options] GROUP
    
    Options:
      -h, --help                    display this help message and exit
      -R, --root CHROOT_DIR         directory to chroot into
    
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupdel -h
    [root@node101.yinzhengjie.org.cn ~]# getent group yarn
    yarn:x:10092:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# usermod -aG yarn yinzhengjie            #给"yinzhengjie"用户添加一个附加组“yarn”
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie),10092(yarn)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupdel yarn                      #删除yarn组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupdel yarn             #删除yarn组

    9>.更改组密码:gpasswd

    [root@node101.yinzhengjie.org.cn ~]# gpasswd -h
    Usage: gpasswd [option] GROUP
    
    Options:
      -a, --add USER                  将user添加只指定组中
      -d, --delete USER               从指定组中移除用户user
      -h, --help                      display this help message and exit
      -Q, --root CHROOT_DIR           directory to chroot into
      -r, --delete-password           remove the GROUP's password
      -R, --restrict                  restrict access to GROUP to its members
      -M, --members USER,...          set the list of members of GROUP
      -A, --administrators ADMIN,...   设置有管理权限的用户列表
                                  
    Except for the -A and -M options, the options cannot be combined.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -h
    [root@node101.yinzhengjie.org.cn ~]# tail -5 /etc/group
    dengziqi:x:10091:
    hadoop:x:10090:
    hadoop101:x:2019:
    hadoop102:x:2020:
    hadoop103:x:2021:
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups hadoop
    hadoop : hadoop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -a hadoop dengziqi        #将hadoop用户加入到"dengziqi"组中
    Adding user hadoop to group dengziqi
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups hadoop
    hadoop : hadoop dengziqi
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -a hadoop dengziqi        #将hadoop用户加入到"dengziqi"组中
    [root@node101.yinzhengjie.org.cn ~]# groups hadoop
    hadoop : hadoop dengziqi
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -d hadoop dengziqi        #从"dengziqi"组中移除"hadoop"用户
    Removing user hadoop from group dengziqi
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups hadoop
    hadoop : hadoop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -d hadoop dengziqi        #从"dengziqi"组中移除"hadoop"用户
    [root@node101.yinzhengjie.org.cn ~]# getent gshadow root
    root:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd root                #为root组加密
    Changing the password for group root
    New Password: 
    Re-enter new password: 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent gshadow root
    root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd root                #为root组加密
    [root@node101.yinzhengjie.org.cn ~]# getent gshadow root
    root:$6$fjzxSJCBrD/Vfp$PP75U2hnYoxkhPddZs95KhDVnAxM1XqgFnIRlEgKXDyMVgCQ1tgVXHypFn8WvVxY0e5bA7xWBVGjlLQLDgaka.::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -r root              #为root组清楚密码
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# getent gshadow root
    root:::
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# gpasswd -r root              #为root组清楚密码
    [root@node101.yinzhengjie.org.cn ~]# id hadoop          #查看hadoop用户组信息
    uid=10090(hadoop) gid=10090(hadoop) groups=10090(hadoop),10091(dengziqi)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su - hadoop
    Last login: Thu Sep  5 11:48:15 CST 2019 on pts/0
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ touch a.txt
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ ll 
    total 0
    -rw-rw-r--. 1 hadoop hadoop 0 Sep  5 11:54 a.txt
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ groups           #查看组信息
    hadoop dengziqi
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ newgrp dengziqi      #我们临时将附加组("dengziqi")切换为主组
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ groups            
    dengziqi hadoop
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ touch b.txt         #创建文件,发现文件的所属组为"dengziqi"
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ ll
    total 0
    -rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
    -rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ exit 
    exit
    [hadoop@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su - hadoop
    Last login: Thu Sep  5 11:53:56 CST 2019 on pts/0
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ touch c.txt            #当我们退出后,再次登录发现临时修改的附加组提示主组的操作失效啦~
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ ll
    total 0
    -rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 a.txt
    -rw-r--r--. 1 hadoop dengziqi 0 Sep  5 11:54 b.txt
    -rw-rw-r--. 1 hadoop hadoop   0 Sep  5 11:54 c.txt
    [hadoop@node101.yinzhengjie.org.cn ~]$ 
    [hadoop@node101.yinzhengjie.org.cn ~]$ newgrp dengziqi              #我们临时将附加组("dengziqi")切换为主组

    10>.更改和查看组成员

    [root@node101.yinzhengjie.org.cn ~]# groupmems -h
    Usage: groupmems [options] [action]
    
    Options:
      -g, --group groupname         更改为指定组(只有root)
    -R, --root CHROOT_DIR         directory to chroot into
    
    Actions:
      -a, --add username            指定用户加入组
      -d, --delete username         从组中删除用户
      -h, --help                    display this help message and exit
      -p, --purge                   从组中清楚所有成员
      -l, --list                    显示组成员列表
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
    yinzhengjie 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -a root        #将root用户加入"yinzhengjie"组中
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
    yinzhengjie  root 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -a root        #将root用户加入"yinzhengjie"组中
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l          #查看组中成员
    yinzhengjie  root 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -d root       #从"yinzhengjie"组中删除"root"用户
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
    yinzhengjie 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -d root         #从"yinzhengjie"组中删除"root"用户
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
    yinzhengjie  root 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -p            #清空组成员,只能清空附加组,不能清空主组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -l
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# groupmems -g yinzhengjie -p           #清空组成员,只能清空附加组,不能清空主组

    11>.小试牛刀

    案例一:创建用户gentoo,附加组为bin和root,默认shell为/bin/csh,注释信息为"Gentoo Distribution"
    
    案例二:创建下面的用户、组和组成员关系   名字为webs 的组   用户nginx, 使用webs作为附加组   用户varnish,使用webs作为附加组   用户mysql,不可交互登录系统,且不是webs的成员, nginx, varnish,mysql的用户名密码都是"yinzhengjie"
    [root@node101.yinzhengjie.org.cn ~]# useradd -s /bin/csh -c "Gentoo Distribution" -G bin,root gentoo
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# groups gentoo
    gentoo : gentoo root bin
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id gentoo
    uid=10092(gentoo) gid=10092(gentoo) groups=10092(gentoo),0(root),1(bin)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    案例一参考
    [root@node101.yinzhengjie.org.cn ~]# groupadd webs
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -G webs nginx
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -G webs varnish
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -s /sbin/nologin mysql
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin nginx
    Changing password for user nginx.
    passwd: all authentication tokens updated successfully.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin varnish
    Changing password for user varnish.
    passwd: all authentication tokens updated successfully.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "yinzhengjie" | passwd --stdin mysql
    Changing password for user mysql.
    passwd: all authentication tokens updated successfully.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    案例二参考

    三.文件权限

    1>.文件属性

    2>.修改文件的属主和属组

    文件属性操作
        chown 设置文件的所有者
        chgrp 设置文件的属组信息
    [root@node101.yinzhengjie.org.cn ~]# chown --help
    Usage: chown [OPTION]... [OWNER][:[GROUP]] FILE...
      or:  chown [OPTION]... --reference=RFILE FILE...
    Change the owner and/or group of each FILE to OWNER and/or GROUP.
    With --reference, change the owner and group of each FILE to those of RFILE.
    
      -c, --changes          like verbose but report only when a change is made
      -f, --silent, --quiet  suppress most error messages
      -v, --verbose          output a diagnostic for every file processed
          --dereference      affect the referent of each symbolic link (this is
                             the default), rather than the symbolic link itself
      -h, --no-dereference   affect symbolic links instead of any referenced file
                             (useful only on systems that can change the
                             ownership of a symlink)
          --from=CURRENT_OWNER:CURRENT_GROUP
                             change the owner and/or group of each file only if
                             its current owner and/or group match those specified
                             here.  Either may be omitted, in which case a match
                             is not required for the omitted attribute
          --no-preserve-root  do not treat '/' specially (the default)
          --preserve-root    fail to operate recursively on '/'
          --reference=RFILE  use RFILE's owner and group rather than
                             specifying OWNER:GROUP values
      -R, --recursive        operate on files and directories recursively
    
    The following options modify how a hierarchy is traversed when the -R
    option is also specified.  If more than one is specified, only the final
    one takes effect.
    
      -H                     if a command line argument is a symbolic link
                             to a directory, traverse it
      -L                     traverse every symbolic link to a directory
                             encountered
      -P                     do not traverse any symbolic links (default)
    
          --help     display this help and exit
          --version  output version information and exit
    
    Owner is unchanged if missing.  Group is unchanged if missing, but changed
    to login group if implied by a ':' following a symbolic OWNER.
    OWNER and GROUP may be numeric as well as symbolic.
    
    Examples:
      chown root /u        Change the owner of /u to "root".
      chown root:staff /u  Likewise, but also change its group to "staff".
      chown -hR root /u    Change the owner of /u and subfiles to "root".
    
    GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
    For complete documentation, run: info coreutils 'chown invocation'
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown --help
    [root@node101.yinzhengjie.org.cn ~]# chgrp --help
    Usage: chgrp [OPTION]... GROUP FILE...
      or:  chgrp [OPTION]... --reference=RFILE FILE...
    Change the group of each FILE to GROUP.
    With --reference, change the group of each FILE to that of RFILE.
    
      -c, --changes          like verbose but report only when a change is made
      -f, --silent, --quiet  suppress most error messages
      -v, --verbose          output a diagnostic for every file processed
          --dereference      affect the referent of each symbolic link (this is
                             the default), rather than the symbolic link itself
      -h, --no-dereference   affect symbolic links instead of any referenced file
                             (useful only on systems that can change the
                             ownership of a symlink)
          --no-preserve-root  do not treat '/' specially (the default)
          --preserve-root    fail to operate recursively on '/'
          --reference=RFILE  use RFILE's group rather than specifying a
                             GROUP value
      -R, --recursive        operate on files and directories recursively
    
    The following options modify how a hierarchy is traversed when the -R
    option is also specified.  If more than one is specified, only the final
    one takes effect.
    
      -H                     if a command line argument is a symbolic link
                             to a directory, traverse it
      -L                     traverse every symbolic link to a directory
                             encountered
      -P                     do not traverse any symbolic links (default)
    
          --help     display this help and exit
          --version  output version information and exit
    
    Examples:
      chgrp staff /u      Change the group of /u to "staff".
      chgrp -hR staff /u  Change the group of /u and subfiles to "staff".
    
    GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
    For complete documentation, run: info coreutils 'chgrp invocation'
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chgrp --help
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 root root 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown yinzhengjie file.txt       #修改文件的属主为"yinzhengjie"用户
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown yinzhengjie file.txt       #修改文件的属主为"yinzhengjie"用户
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 yinzhengjie root 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chgrp bin file.txt           #修改文件的所属组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chgrp bin file.txt            #修改文件的所属组
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 yinzhengjie bin 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown root:yinzhengjie file.txt     #其实使用chown命令也是可以修改属主和属组的,需要用":"来分割
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown root:yinzhengjie file.txt     #其实使用chown命令也是可以修改属主和属组的,需要用":"来分割
    [root@node101.yinzhengjie.org.cn ~]# ll -R
    .:
    total 4
    -rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
    drwxr-xr-x. 2 root root        32 Sep  5 14:44 home
    
    ./home:
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 14:44 a.txt
    -rw-r--r--. 1 root root 0 Sep  5 14:44 b.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown -R yinzhengjie.yinzhengjie home      #递归修改某一个目录及其子文件的属主和数组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -R
    .:
    total 4
    -rw-r--r--. 1 root        yinzhengjie 26 Sep  5 14:22 file.txt
    drwxr-xr-x. 2 yinzhengjie yinzhengjie 32 Sep  5 14:44 home
    
    ./home:
    total 0
    -rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 a.txt
    -rw-r--r--. 1 yinzhengjie yinzhengjie 0 Sep  5 14:44 b.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown -R yinzhengjie.yinzhengjie home      #递归修改某一个目录及其子文件的属主和数组
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# touch file2.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 root root         0 Sep  5 15:03 file2.txt
    -rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown --reference file.txt file2.txt       #让file2.txt文件和"file.txt"文件权限一致。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r--r--. 1 root yinzhengjie  0 Sep  5 15:03 file2.txt
    -rw-r--r--. 1 root yinzhengjie 26 Sep  5 14:22 file.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chown --reference file.txt file2.txt       #让file2.txt文件和"file.txt"文件权限一致。

    3>.文件权限操作: chmod

    文件的权限主要针对三类对象进行定义
      owner 属主, u
      group 属组, g
      other 其他, o
    
    每个文件针对每类访问者都定义了三种权限
      r Readable
      w Writable
      x eXcutable
    
    文件:
      r 可使用文件查看类工具获取其内容
      w 可修改其内容
      x 可以把此文件提请内核启动为一个进程
    
    目录:
      r 可以使用ls查看此目录中文件列表
      w 可在此目录中创建文件,也可删除此目录中的文件
      x 可以使用ls -l查看此目录中文件元数据(须配合r),可以cd进入此目录
      X 只给目录x权限,不给文件x权限

    [root@node101.yinzhengjie.org.cn ~]# chmod --help
    Usage: chmod [OPTION]... MODE[,MODE]... FILE...
      or:  chmod [OPTION]... OCTAL-MODE FILE...
      or:  chmod [OPTION]... --reference=RFILE FILE...
    Change the mode of each FILE to MODE.
    With --reference, change the mode of each FILE to that of RFILE.
    
      -c, --changes          like verbose but report only when a change is made
      -f, --silent, --quiet  suppress most error messages
      -v, --verbose          output a diagnostic for every file processed
          --no-preserve-root  do not treat '/' specially (the default)
          --preserve-root    fail to operate recursively on '/'
          --reference=RFILE  use RFILE's mode instead of MODE values
      -R, --recursive        change files and directories recursively
          --help     display this help and exit
          --version  output version information and exit
    
    Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.
    
    GNU coreutils online help: <http://www.gnu.org/software/coreutils/>
    For complete documentation, run: info coreutils 'chmod invocation'
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod --help
    [root@node101.yinzhengjie.org.cn ~]# cp -a /etc/shadow ./
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -r--------. 1 root root 2464 Sep  5 13:55 shadow
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod u+rw,g+r shadow       #给属主增加rw权限,给属组加r权限
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod u+rw,g+r shadow       #给属主增加rw权限,给属组加r权限
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r-----. 1 root root 2464 Sep  5 13:55 shadow
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod o=w shadow          #给其它人用户加w权限
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 4
    -rw-r---w-. 1 root root 2464 Sep  5 13:55 shadow
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod o=w shadow          #给其它人用户加w权限
    [root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
    -rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod a-x /bin/ls          #我们为ls命令减去执行权限,我们发现ls命令将无法执行啦!
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
    bash: /usr/bin/ls: Permission denied
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod a+x /bin/ls
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /bin/ls
    -rwxr-xr-x. 1 root root 117680 Oct 31  2018 /bin/ls
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod a-x /bin/ls         #我们为ls命令减去执行权限,我们发现ls命令将无法执行啦!

    4>.新建文件和目录的默认权限 

    [root@node101.yinzhengjie.org.cn ~]# help umask
    umask: umask [-p] [-S] [mode]
        Display or set file mode mask.
        
        Sets the user file-creation mask to MODE.  If MODE is omitted, prints
        the current value of the mask.
        
        If MODE begins with a digit, it is interpreted as an octal number;
        otherwise it is a symbolic mode string like that accepted by chmod(1).
        
        Options:
          -p    if MODE is omitted, output in a form that may be reused as input
          -S    makes the output symbolic; otherwise an octal number is output
        
        Exit Status:
        Returns success unless MODE is invalid or an invalid option is given.
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask         #root用户的默认umask值为022
    0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
    Last login: Thu Sep  5 16:38:53 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ umask     #普通用户的默认umask值为002
    0002
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [root@node101.yinzhengjie.org.cn ~]# help umask
    [root@node101.yinzhengjie.org.cn ~]# umask 
    0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask -S      #模式方式显示
    u=rwx,g=rx,o=rx
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask -S      #模式方式显示
    [root@node101.yinzhengjie.org.cn ~]# umask 
    0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask -p      #输出可悲调用
    umask 0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask -p      #输出可悲调用
    [root@node101.yinzhengjie.org.cn ~]# umask 
    0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask 754      #命令行中修改umask的属性,临时生效,若想要永久生效需要将修改指令写入"~/.bashrc"文件
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask 
    0754
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# exit         #我们退出终端后发现就不生效啦!
    logout
    
    Connection closed by foreign host.
    
    Disconnected from remote host(node101.yinzhengjie.org.cn) at 17:05:27.
    
    Type `help' to learn how to use Xshell prompt.
    [c:~]$ 
    Reconnecting in 1 seconds. Press any key to exit local shell.
    .
    
    Host 'node101.yinzhengjie.org.cn' resolved to 172.30.1.101.
    Connecting to 172.30.1.101:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    Last login: Thu Sep 5 16:51:50 2019 from 172.30.1.1
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask         #重新登录终端会发现umask的值并没有发生改变
    0022
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# umask 754      #命令行中修改umask的属性,临时生效,若想要永久生效需要将修改指令写入"~/.bashrc"文件,也可以放在全局的"/etc/bashrc"文件中!
    umask值可以用来保留在创建文件权限。
        新建文件的默认权限: 666-umask,如果所得结果某位存在执行(奇数)权限,则将其权限+1
        新建目录的默认权限: 777-umask
    
    非特权用户umask是002 ,root的umask 是022 
    
    
    举个例子:
      比如 umask的值是754,我们通过上面的公式得出
        新建的文件默认权限 : 666 - 754 => -112(得出的结果有奇数,需要进行加1操作) =>022
        新建的目录默认权限 : 777 - 754 => 023
      
      计算机是如何使用umask值的呢?
        666转换二进制为:"110 110 110"
        754转换二进制为:"111 101 100"(对应的位置为1则表示遮掩,需要和666二进制所对应位进行运算,若位1则取反,若为0则不变)
                  000 010 010(使用八进制表示即022,和上面计算结果一直)
        
        777转换二进制为:"111 111 111"
        754转换二进制为:"111 101 100"(对应的位置为1则表示遮掩,需要和666二进制所对应位进行运算,若位1则取反,若为0则不变)
                 000 010 011(使用八进制表示即023,和上面计算结果一直)

      为了验证结果是否正确,可以观察下面的实战操作。
    [root@node101.yinzhengjie.org.cn ~]# umask         #root用户默认的umask值
    0022
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# touch a.txt     #创建一个空文件并查看其文件默认权限
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# umask 754      #我们修改root用户的umask值后,并观察创建的文件或目录对应的默认权限。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# touch b.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 16:38 a.txt
    -----w--w-. 1 root root 0 Sep  5 16:38 b.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir home
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll
    total 0
    -rw-r--r--. 1 root root 0 Sep 5 16:38 a.txt
    -----w--w-. 1 root root 0 Sep 5 16:38 b.txt
    d----w--wx. 2 root root 6 Sep 5 16:43 home
    [root@node101.yinzhengjie.org.cn ~]#
    [root@node101.yinzhengjie.org.cn ~]# umask 754      #我们修改root用户的umask值后,并观察创建的文件或目录对应的默认权限。

    5>.小试牛刀

        当用户docker对/testdir 目录无执行权限时,意味着无法做哪些操作?
        当用户mongodb对/testdir 目录无读权限时,意味着无法做哪些操作?
        当用户redis 对/testdir 目录无写权限时,该目录下的只读文件file1是否可修改和删除?
        当用户zabbix对/testdir 目录有写和执行权限时,该目录下的只读文件file1是否可修改和删除?
        复制/etc/fstab文件到/var/tmp下,设置文件所有者为tomcat读写权限,所属组为apps组有读写权限,其他人无权限
        误删除了用户git的家目录,请重建并恢复该用户家目录及相应的权限属性

    四.Linux文件系统上的特殊权限

    1>.SUID权限(让有权限运行该程序文件的用户临时拥有该程序属主的权限,系统默认的"passwd"就有suid权限,默认数字权限为"4")

    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat  /etc/shadow | tail -3        #我们发现普通用户是无法查看"/etc/shadow"文件内容的
    cat: /etc/shadow: Permission denied
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit                      #于是我们退出当前用户
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat                    #观察cat命令,属主是root用户,而且cat命令的属主是有x权限的
    -rwxr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod u+s /usr/bin/cat                #我们给cat命令添加x权限 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat                   #我们发现属主的x权限被s权限覆盖啦
    -rwsr-xr-x. 1 root root 54160 Oct 31  2018 /usr/bin/cat
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie                  #我们再一次切换到普通用户
    Last login: Thu Sep  5 17:11:01 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ cat  /etc/shadow | tail -3        #神奇的一幕发生了,我们竟然可以访问"/etc/shadow"文件啦
    nginx:$6$.KUKZqRu$sCk.tYEAzZowA44d42qgaK.cQmpa16IPSIYX0CnON/SSCteb2PI77T21qOHDTrT01fAh2tD1/Ta6IE2m5EnkI/:18144:0:99999:7:::
    varnish:$6$gF6mgxv2$JtJHT.B7IqUU3MA6JZYQkbFBhqukF918goBIYIwm0hTFmcwdf6i.x2JX2Wzgz42dyEhkj/cdbMmUJi9XBhZY60:18144:0:99999:7:::
    mysql:$6$qWljHcJp$HtPeHnCjgOXh..Kno96j5BsS2ULUtpjb1yGznrkMdN2V7OVoTKLclY1Jaxe.Ryl32UWUox17Ux/Iw6s6dQviB0:18144:0:99999:7:::
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
    -rwsr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod u-s /usr/bin/cat            #生产环境建议大家不要随意给命令公家加suid权限,我们这里了解即可,做完实验我就回滚之前的操作啦!如果我们对vim添加了"suid"权限,那么Linux所有的普通用户都可以修改Linux中任意文件啦!谨慎操作!!!
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /usr/bin/cat
    -rwxr-xr-x. 1 root root 54160 Oct 31 2018 /usr/bin/cat
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]#

    2>.SGID权限(同理,让有权限运行该程序文件的用户临时拥有该程序属组的权限,默认数字权限为"2")

    [root@node101.yinzhengjie.org.cn ~]# groupadd devops                #我们这里创建了一个devops的用户组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd -g devops jason           #我们将jason用户加入devops组
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id jason                          #查看jason组
    uid=1002(jason) gid=1001(devops) groups=1001(devops)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mkdir /data
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chgrp devops /data
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -d /data/                  #大家注意观察这里的"/data"的权限
    drwxr-xr-x. 2 root devops 6 Sep 10 06:33 /data/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod 3770 /data/               #我们为“/data”添加suid权限和sticky权限,注意观察文件的权限变化
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -d /data/     
    drwxrws--T. 2 root devops 6 Sep 10 06:33 /data/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# touch /data/root.txt              #我们使用root用户创建一个文件
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su -l jason
    Last login: Tue Sep 10 06:31:59 PDT 2019 on pts/0
    [jason@node101.yinzhengjie.org.cn ~]$ 
    [jason@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt            #我们使用在"devops"组中的jason用户创建一个文件
    [jason@node101.yinzhengjie.org.cn ~]$ 
    [jason@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id yinzhengjie                  
    uid=1000(yinzhengjie) gid=1000(yinzhengjie) groups=1000(yinzhengjie)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su - yinzhengjie
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/yinzhengjie.txt      #这里无法创建,原因想必大家也知道,因为该用户是非devops组的普通用户,即other组用户无w权限,操作被拒绝啦!
    touch: cannot touch ‘/data/yinzhengjie.txt’: Permission denied
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/                    #不难发现,不管是root用户还是jason用户创建的文件都归devops组所有,这就是SGID的魅力所在。
    total 0
    -rw-r--r--. 1 jason devops 0 Sep 10 06:34 jason.txt
    -rw-r--r--. 1 root  devops 0 Sep 10 06:34 root.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    3>.Sticky

    [root@node101.yinzhengjie.org.cn ~]# mkdir /data
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# touch /data/{1..5}.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod 757 /data      #我们给other角色有w权限,这意味着other组的成员都可以对该目录的文件进行删除操作,尽管它不能访问该目录下的文件内容
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -d /data/
    drwxr-xrwx. 2 root root 71 Sep  5 17:31 /data/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/          #我们发现里面全部都是root用户的文件,其它用户是仅有读取权限的。
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 17:31 1.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 3.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 5.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
    Last login: Thu Sep  5 17:30:35 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/1.txt     #我们发现切换到普通用户后,可以随意删除root用户创建的文件,这不科学呀!!!怎么解决这个问题呢?
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/3.txt 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/5.txt 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ exit 
    logout
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /data/              #我们发现文件的确是被删除啦!!!
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod 757 /data  #我们给other角色有w权限,这意味着other组的成员都可以对该目录的文件进行删除操作,尽管它不能访问该目录下的文件内容(抛出问题)
    [root@node101.yinzhengjie.org.cn ~]# ll /data/
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -d /data/
    drwxr-xrwx. 2 root root 32 Sep  5 17:32 /data/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chmod o+t /data/          #等效与"chmod 1757 /data/"
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll -d /data/
    drwxr-xrwt. 2 root root 32 Sep  5 17:32 /data/
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# su -l yinzhengjie
    Last login: Thu Sep  5 17:32:03 CST 2019 on pts/0
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/2.txt     #我们发现普通用户尽管对"/data"目录有w权限,发现它依旧无法删除不属于它管理的文件
    rm: cannot remove ‘/data/2.txt’: Operation not permitted
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/4.txt 
    rm: cannot remove ‘/data/4.txt’: Operation not permitted
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
    total 0
    -rw-r--r--. 1 root root 0 Sep  5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep  5 17:31 4.txt
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ touch /data/jason.txt    #手动创建文件
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
    total 0
    -rw-r--r--. 1 root root 0 Sep 5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep 5 17:31 4.txt
    -rw-rw-r--. 1 yinzhengjie yinzhengjie 0 Sep 5 17:43 jason.txt
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ rm -f /data/jason.txt     #发现删除自己的文件还是轻而易举的
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ 
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$ ll /data/
    total 0
    -rw-r--r--. 1 root root 0 Sep 5 17:31 2.txt
    -rw-r--r--. 1 root root 0 Sep 5 17:31 4.txt
    [yinzhengjie@node101.yinzhengjie.org.cn ~]$

    4>.总结

    SUID:
      作用于二进制可执行程序,当用户执行此程序时,将会临时继承此程序所有者的权限。
    
    SGID:
      作用于二进制可执行程序,当用户执行此程序时,将会继承此程序所属组的权限。
      作用于目录,当用户在此目录下创建文件时,文件的所属组会自动继承此目录的所属组。
    STICKY:
      作用于目录,用户只能删除自己的文件。(当然root用户除外,我们探讨权限一般情况都会自动忽略root用户,因为root用户是管理员用户)

    5>.设置文件特定属性

    chattr +i   不能删除,改名,更改
    chattr +a   只能追加内容
    lsattr     显示特定属性
    [root@node101.yinzhengjie.org.cn ~]# chattr +i /etc/passwd                  #我们给"/etc/passwd"文件添加"i"属性后,发现我们无法对文件进行删除,改名,甚至修改该文件内容。但是root查看里面内容还是可以的。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# rm -f /etc/passwd
    rm: cannot remove ‘/etc/passwd’: Operation not permitted
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# mv /etc/passwd /etc/passwd-`date +%F`
    mv: cannot move ‘/etc/passwd’ to ‘/etc/passwd-2019-09-10’: Operation not permitted
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "尹正杰到此一游" >> /etc/passwd
    -bash: /etc/passwd: Permission denied
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd bigdata
    useradd: cannot open /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd            #查看该文件的特定属性
    ----i----------- /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chattr -i /etc/passwd          #我们为该文件删除其特定的i属性,发现就可以对文件进行修改操作啦
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd   
    ---------------- /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd bigdata      
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# id bigdata
    uid=1003(bigdata) gid=1003(bigdata) groups=1003(bigdata)
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chattr +i /etc/passwd                  #我们给"/etc/passwd"文件添加"i"属性后,发现我们无法对文件进行删除,改名,甚至修改该文件内容。但是root查看里面内容还是可以的。
    [root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd                  
    ---------------- /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chattr +a /etc/passwd                #我们给"/etc/passwd"文件添加"a"属性后,发现我们无法对文件进行修改操作,但是可以追加或查看内容!
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd   
    -----a---------- /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# useradd hadoop                    #我们都知道创建用户其实就是在修改"/etc/passwd"文件呢,很明显创建用户失败这意味着无法修改文件内容
    useradd: cannot open /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# echo "hadoop" >> /etc/passwd            #大师追加文件内容确实可以的
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# tail -2 /etc/passwd                  #发现追加成功啦!
    bigdata:x:1003:1003::/home/bigdata:/bin/bash
    hadoop
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chattr -a /etc/passwd                #赶紧把"a"属性去掉,然后把刚刚修改的内容还原了,切记把上面的"hadoop"字符串追加内容从"/etc/passwd"文件中删除,避免系统启动时出错。
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# lsattr /etc/passwd               
    ---------------- /etc/passwd
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# chattr +a /etc/passwd                  #我们给"/etc/passwd"文件添加"a"属性后,发现我们无法对文件进行修改操作,但是可以追加或查看内容!
  • 相关阅读:
    HTML入门学习
    C#结课报告
    Xaml 页面布局学习
    cocos2dx使用pthread注意事项[zt]
    张艾迪(创始人):期待改变世界的力量
    张艾迪(创始人):年少创业与干净的我
    张艾迪(创始人):工作的时候
    张艾迪(创始人):出现在世界224C之前的这些时间
    张艾迪(创始人):世界前三大互联网公司
    张艾迪(创始人):世界前三大互联网巨头公司
  • 原文地址:https://www.cnblogs.com/yinzhengjie/p/11354810.html
Copyright © 2020-2023  润新知