Product SiteDocumentation Site

8.4. 使用者與群組資料庫

The list of users is usually stored in the /etc/passwd file, while the /etc/shadow file stores hashed passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (“:”).

8.4.1. 使用者清單:/etc/passwd

/etc/passwd 檔案內的欄位清單:
  • 登入,例如 rhertzog
  • password: this is a password encrypted by a one-way function (crypt), relying on DES, MD5, SHA-256 or SHA-512. The special value “x” indicates that the encrypted password is stored in /etc/shadow;
  • uid:用於辨識個別使用者的不重複數字;
  • gid:使用者主要群組 (Debian 的預設值係為每個使用者建立一個群組) 的不重複號碼;
  • GECOS:通常儲存使用者全名的資料欄;
  • 登入資料夾,用於儲存使用者的個人檔案 (環境變數 $HOME 通常指向此處);
  • 登入時執行的程式。通常是命令解譯器 (shell),若指定為 /bin/false (不做任何事並立即回到控制),則使用者無法登入。
As mentioned before, one can edit this file directly. But there are more elegant ways to apply changes, which are described in 節 8.4.3, “修改既有的帳號或密碼”.

8.4.2. 隱藏與加密的密碼檔:/etc/shadow

The /etc/shadow 檔案含以下的欄位:
  • 登入;
  • 加密的密碼;
  • 管理密碼期限的欄位。
One can expire passwords using this file or set the time until the account is disabled after the password has expired.

8.4.3. 修改既有的帳號或密碼

The following commands allow modification of the information stored in specific fields of the user databases: passwd permits a regular user to change their password, which in turn, updates the /etc/shadow file (chpasswd allows administrators to update passwords for a list of users in batch mode); chfn (CHange Full Name), reserved for the super-user (root), modifies the GECOS field. chsh (CHange SHell) allows the user to change their login shell; however, available choices will be limited to those listed in /etc/shells; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
最後,chage (CHange AGE) 命令允許管理者變更密碼的有效期 (-l 使用者 選項列出現在的設定)。以 passwd -e 使用者 命令強迫密碼失效,要求使用者登錄時變更密碼才能繼續使用。
Besides these tools the usermod command allows to modify all the details mentioned above.

8.4.4. 帳號禁用

You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command passwd -l user (lock). Re-enabling the account is done in similar fashion, with the -u option (unlock). This, however, only prevents password-based logins by the user. The user might still be able to access the system using an SSH key (if configured). To prevent even this possibility you have to expire the account as well using either chage -E 1user or usermod -e 1 user (giving a value of -1 in either of these commands will reset the expiration date to never). To (temporarily) disable all user accounts just create the file /etc/nologin.
You can disable a user account not only by locking it as described above, but also by changing its default login shell (chsh -s shell user). With the latter changed to /usr/sbin/nologin, a user gets a polite message informing that a login is not possible, while /bin/false just exits while returning false. There is no switch to restore the previous shell. You have to get and keep that information before you change the setting. These shells are often used for system users which do not require any login availability.

8.4.5. 群組清單:/etc/group

群組列在 /etc/group 檔案內,單純的文字資料庫類似 /etc/passwd 檔案,包括以下的欄位:
  • 群組名稱;
  • 密碼 (選項):加入群組會用到 (以 newgrpsg 命令,見專欄 基本 在多個群組工作);
  • gid:不重複的群組辨識碼;
  • 成員清單:屬於此群組的使用者名稱清單,以逗點區隔。
The addgroup and delgroup commands add or delete a group, respectively. The groupmod command modifies a group's information (its gid or identifier). The command gpasswd group changes the password for the group, while the gpasswd -r group command deletes it.