Product SiteDocumentation Site

8.4. 用户与群组数据库

用户清单通常保存在 /etc/passwd 文件内,把哈希编码后的密码保存在 /etc/shadow 文件内。这两个文件都是纯文本档,以简单的格式保存,可以用文本编辑器读取与修改。每个用户占一行,其字段以冒号分隔 (“:”)。

8.4.1. 用户清单:/etc/passwd

/etc/passwd 文件内的字段清单:
  • 登录,例如 rhertzog;
  • password: this is a password encrypted by a one-way function (crypt), relying on DES, MD5, SHA-256 or SHA-512. The special value “x” indicates that the encrypted password is stored in /etc/shadow;
  • uid:用于辨识用户的不重复数字;
  • gid:用户主要群组 (Debian 的默认值系为每个用户创建一个群组) 的不重复号码;
  • GECOS:通常保存用户全名的数据栏;
  • 登入目录,用于保存用户的个人文件 (环境变量 $HOME 通常指向此处);
  • 登录时运行的程序。通常是命令解译器 (shell),若指定为 /bin/false (不做任何事并立即回到控制),则用户无法登录。
As mentioned before, one can edit this file directly. But there are more elegant ways to apply changes, which are described in 第 8.4.3 节 “修改既有的帐号或密码”.

8.4.2. 隐藏与加密的密码档:/etc/shadow

/etc/shadow 文件含以下的字段:
  • 登录;
  • 加密的密码;
  • 管理密码期限的字段。
One can expire passwords using this file or set the time until the account is disabled after the password has expired.

8.4.3. 修改既有的帐号或密码

The following commands allow modification of the information stored in specific fields of the user databases: passwd permits a regular user to change their password, which in turn, updates the /etc/shadow file (chpasswd allows administrators to update passwords for a list of users in batch mode); chfn (CHange Full Name), reserved for the super-user (root), modifies the GECOS field. chsh (CHange SHell) allows the user to change their login shell; however, available choices will be limited to those listed in /etc/shells; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
最后,chage (CHange AGE) 命令允许管理者变更密码的有效期 (-l 用户 选项列出现在的设置)。用 passwd -e 用户 命令强迫密码失效,要求用户登录时变更密码才能继续使用。
Besides these tools, the usermod command allows to modify all the details mentioned above.

8.4.4. 帐号禁用

You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command passwd -l user (lock). Re-enabling the account is done in similar fashion, with the -u option (unlock). This, however, only prevents password-based logins by the user. The user might still be able to access the system using an SSH key (if configured). To prevent even this possibility you have to expire the account as well using either chage -E 1user or usermod -e 1 user (giving a value of -1 in either of these commands will reset the expiration date to never). To (temporarily) disable all user accounts just create the file /etc/nologin.
You can disable a user account not only by locking it as described above, but also by changing its default login shell (chsh -s shell user). With the latter changed to /usr/sbin/nologin, a user gets a polite message informing that a login is not possible, while /bin/false just exits while returning false. There is no switch to restore the previous shell. You have to get and keep that information before you change the setting. These shells are often used for system users which do not require any login availability.

8.4.5. 群组清单:/etc/group

群组列在 /etc/group 文件内,类似 /etc/passwd 文件的纯文本数据库,包括以下的字段:
  • 群组名称;
  • 密码 (可选):只在加入群组时会用到 (使用 newgrpsg 命令,见专栏 基本知识 在多个群组工作);
  • gid:不重复的群组识别码;
  • 成员清单:属于此群组的用户名清单,以逗号分隔。
addgroupdelgroup 命令可以添加或删除群组。groupmod 命令修改群组的信息 (其 gid 或辨识码)。命令 gpasswd group 可变更群组的密码,gpasswd -r group 命令可删除群组的密码。