[root@kid ~]# finger root
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sun Aug 28 22:03 (CST) on tty1 20 hours 7 minutes idle
On since Mon Aug 29 15:39 (CST) on pts/1 from 10.0.0.1
4 seconds idle
Last login Mon Aug 29 17:53 (CST) on pts/0 from 10.0.0.1
No mail.
No Plan.
The chfn command changes a user's finger information (in fact it only edits the GECOS comment field of /etc/passwd). Usage: chfn UserName
[root@kid ~]# chfn root
Changing finger information for root.
Name [root]: root
Office []: python
Office Phone []: 21
Home Phone []: 10086
Finger information changed.
[root@kid ~]# finger root
Login: root Name: root
Directory: /root Shell: /bin/bash
# this extra comment line now appears
Office: python, 21 Home Phone: x1-0086
On since Sun Aug 28 22:03 (CST) on tty1 20 hours 10 minutes idle
On since Mon Aug 29 15:39 (CST) on pts/1 from 10.0.0.1
3 seconds idle
Last login Mon Aug 29 17:53 (CST) on pts/0 from 10.0.0.1
No mail.
No Plan.
# Add the groups students, f1 and f2 (if qz was already created earlier, do not run the useradd command for qz again)
[root@kid ~]# groupadd students
[root@kid ~]# groupadd f1
[root@kid ~]# groupadd f2
# Add a user, specifying students as the primary group and f1,f2 as supplementary groups
[root@kid ~]# useradd -u 5001 -g students -G f1,f2 -c "2022 new student" -s /bin/bash qz
# Check the user's information
[root@kid ~]# id qz
uid=5001(qz) gid=1000(students) groups=1000(students),1001(f1),1002(f2)
# Delete the user's supplementary groups
[root@kid ~]# groupdel f1
[root@kid ~]# groupdel f2
[root@kid ~]# id qz
uid=5001(qz) gid=1000(students) groups=1000(students)
# The user's primary group cannot be deleted (the group is still in use by the user)
[root@kid ~]# groupdel students
groupdel: cannot remove the primary group of user 'qz'
# Delete user qz
[root@kid ~]# userdel -r qz
# Look at qz's primary group students (this group is not a private group but a primary group; a private group has the same name as its user)
[root@kid ~]# cat /etc/group | grep 'students'
students:x:1001:
# Delete qz's primary group students
[root@kid ~]# groupdel students
# If no primary group is specified when creating a user, a private group is created by default (its name matches the user name)
[root@kid ~]# useradd xxx
[root@kid ~]# id xxx
uid=1000(xxx) gid=1003(xxx) groups=1003(xxx)
# Delete the private group (the group is still in use by the user)
[root@kid ~]# groupdel xxx
groupdel: cannot remove the primary group of user 'xxx'
# Delete the user
[root@kid ~]# userdel xxx
# Look at private group xxx (it has already been removed together with the user)
[root@kid ~]# cat /etc/group | grep 'xxx'
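The two groupdel refusals above both come from the same rule: a group whose gid is some user's primary gid cannot be removed. The script below is an added example (not from the original tutorial) that reproduces that check, plus the page's "private group" rule (group name equals user name and the user's primary gid), over constructed passwd/group data, so an administrator can see which groups groupdel would accept before running it.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. The passwd/group data below are
# constructed samples modelled on the page's session, not a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
qz:x:5001:1000:2022 new student:/home/qz:/bin/bash
xxx:x:1000:1003::/home/xxx:/bin/bash'
SAMPLE_GROUP='root:x:0:
students:x:1000:
f1:x:1001:qz
f2:x:1002:qz
xxx:x:1003:
devops:x:1004:'

# group_gid NAME -> prints the gid of NAME from the group data (empty if absent)
group_gid() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# primary_users GID -> prints every user whose primary gid (4th passwd field) is GID
primary_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# groupdel_check NAME: prints "missing", "primary:<user>" (groupdel would refuse,
# as it did for students/qz and xxx/xxx on the page) or "removable".
groupdel_check() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || { echo "missing"; return 2; }
    owner=$(primary_users "$gid" | head -n 1)
    if [ -n "$owner" ]; then
        echo "primary:$owner"
        return 1
    fi
    echo "removable"
}

# is_private_group NAME: succeeds when NAME is a user-private group, i.e. a user
# of the same name has this group as primary group. students is shared, not private.
is_private_group() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || return 1
    primary_users "$gid" | grep -qx "$1"
}
```

On a live system the same checks apply to /etc/passwd and /etc/group; supplementary membership (the 4th group field, as with f1 and f2) never blocks groupdel.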
9.6 Setting a group password
Command to set a group password: gpasswd
# Create a group
[root@kid ~]# groupadd devops
# Set the group password
[root@kid ~]# gpasswd devops
Changing the password for group devops
New Password: 123
Re-enter new password: 123
# Quick way to configure sudo
# Switch to a normal user
[root@kid ~]# su - qq
Last login: Mon Aug 29 22:29:06 CST 2022 on pts/0
[qq@kid ~]$ pwd
/home/qq
# Try to view the log file
[qq@kid ~]$ tail -f /var/log/secure
# Permission denied
tail: cannot open ‘/var/log/secure’ for reading: Permission denied
tail: no files remaining
# As root, add user qq to the wheel group; wheel is granted sudo privileges
# (note: -G without -a replaces the user's existing supplementary groups; use usermod -aG wheel qq to append instead)
[root@kid ~]# usermod qq -G wheel
# Check which commands the normal user may run with elevated privileges
[qq@kid root]$ sudo -l
[sudo] password for qq:
Matching Defaults entries for qq on kid:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User qq may run the following commands on kid:
    (ALL) ALL
# Set the password 123 for user qq
[root@kid ~]# passwd qq
Changing password for user qq.
New password: 123
# ignore this warning
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 123
passwd: all authentication tokens updated successfully.
# Switch to user qq and read the sudo audit log through sudo
[qq@kid ~]$ sudo tail -f /var/log/secure
# The prompt
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
# Enter the current account's password, not root's; if the account has no password you will still be prompted, and just pressing Enter gives "Sorry, try again."
[sudo] password for qq: 123
# Contents of the log
Aug 29 22:41:41 kid su: pam_unix(su-l:session): session opened for user qq by root(uid=0)
Aug 29 22:42:12 kid sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=qq rhost=  user=qq
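The pam_unix(sudo:auth) lines in /var/log/secure are the sudo audit trail the session above tails. The script below is an added example (not from the original tutorial) that pulls per-user sudo authentication failures and the commands each user actually ran through sudo out of constructed secure-log lines in that format, which is what a reviewer would check when confirming the wheel/sudoers setup behaves as intended.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. The log lines below are
# constructed samples modelled on the page's /var/log/secure output, not real data.
SAMPLE_SECURE='Aug 29 22:41:41 kid su: pam_unix(su-l:session): session opened for user qq by root(uid=0)
Aug 29 22:42:12 kid sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=qq rhost=  user=qq
Aug 29 22:42:20 kid sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1000 euid=0 tty=/dev/pts/0 ruser=qq rhost=  user=qq
Aug 29 22:42:35 kid sudo:       qq : TTY=pts/0 ; PWD=/home/qq ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/secure
Aug 29 22:50:01 kid sudo: pam_unix(sudo:auth): authentication failure; logname=root uid=1002 euid=0 tty=/dev/pts/1 ruser=ops1 rhost=  user=ops1'

# sudo_auth_failures: count pam sudo:auth failures per ruser, printed as "user count"
sudo_auth_failures() {
    printf '%s\n' "$SAMPLE_SECURE" |
    awk '/sudo: pam_unix\(sudo:auth\): authentication failure/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^ruser=/) { sub(/^ruser=/, "", $i); n[$i]++ }
         }
         END { for (u in n) print u, n[u] }' | sort
}

# failures_for USER: number of failed sudo authentications for USER (0 if none)
failures_for() {
    c=$(sudo_auth_failures | awk -v u="$1" '$1 == u { print $2 }')
    echo "${c:-0}"
}

# sudo_commands_by USER: commands USER ran via sudo, taken from the "COMMAND=" records
sudo_commands_by() {
    printf '%s\n' "$SAMPLE_SECURE" |
    awk -v u="$1" -F' ; ' '$1 ~ ("sudo: +" u " : ") { sub(/^COMMAND=/, "", $NF); print $NF }'
}

# exceeds_failure_threshold USER N: succeeds when USER has at least N failures,
# the condition an alert on repeated sudo password failures would key on
exceeds_failure_threshold() {
    [ "$(failures_for "$1")" -ge "$2" ]
}
```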
# 3. Log in as the corresponding user and verify the permissions with sudo -l
[root@kid ~]# su - ops1
# Check permissions
[ops1@kid ~]$ sudo -l
# The "with great power comes great responsibility" lecture appears...
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
# Enter the user's password
[sudo] password for ops1:
Matching Defaults entries for ops1 on kid:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
# User ops1 may run the following commands on kid (all the commands configured earlier; the dev user is not tested here)
User ops1 may run the following commands on kid:
    (ALL) /sbin/ifconfig, /bin/ping, /bin/rpm, /usr/bin/yum, /sbin/service, /usr/bin/systemctl start, /bin/kill, /usr/bin/kill, /usr/bin/killall