[네이버클라우드캠프] - 5일차 ( 사용자 관리 - 소유권, 허가권)


사용자 관리

  • 사용자 관련 파일
root@nc7:~# tail -5 /etc/passwd				- 계정에 대한 종합정보
it2:x:1006:1008::/home/it2:/bin/sh
it3:x:1007:1009::/home/it3:/bin/sh
k5:x:1008:1010::/home/k5:/bin/bash
sam:x:1009:1011::/home/sam:/bin/bash
sung:x:1010:1012::/home/sung:/bin/bash

sung:		x:		1010:	1012:	:/home/sung:		/bin/bash
<계정명>		<pw>	<UID> 	<GID>	<계정의  디렉터리>	<로그인 쉘>
root@nc7:~# tail -5 /etc/group				- Group에 대한 정보
it3:x:1009:
k5:x:1010:
sam:x:1011:
sung:x:1012:
START:x:1013:

root@nc7:~# useradd sam						- 사용자 생성 후 pw 설정
root@nc7:~# passwd sam
New password:
Retype new password:
passwd: password updated successfully


root@nc7:~# chown sam a1			- a1의 소유자(user)를 변경
root@nc7:~# chown sung a2			- a2의 소유자(user)를 변경
root@nc7:~#
root@nc7:~# l
total 60
-rw------- 1 root root 4043 Apr 28 12:40 .bash_history
-rw-r--r-- 1 root root 3389 Apr 28 13:37 .bashrc
drwx------ 3 root root 4096 Apr 27 19:22 .cache/
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
drwx------ 2 root root 4096 Apr 27 19:21 .ssh/
drwxr-xr-x 2 root root 4096 Apr 27 19:32 .vim/
-rw------- 1 root root 9821 Apr 28 14:34 .viminfo
-rw-r--r-- 1 root root  134 Apr 27 19:33 .vimrc
---x-w--wx 1 sam  root  184 Apr 28 13:38 a1*
--wx-w---x 1 sung root   29 Apr 28 13:38 a2*
d--x-w--wx 2 root root 4096 Apr 28 13:38 d1/
d-wx-w---x 2 root root 4096 Apr 28 13:38 d2/
drwxr-xr-x 2 root root 4096 Apr 28 13:38 d5/

root@nc7:~# chgrp START d1				- 그룹 변경
root@nc7:~# chgrp START d2

root@nc7:~# nl /etc/group | tail -3		- 그룹에 정상적으로 묶임
    65  sam:x:1011:
    66  sung:x:1012:
    67  START:x:1013:
  • 사용자 관리
root@nc7:~# useradd		- root 권한의 최대, 
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:				- root에서만 가능한 useradd  옵션들
      --badnames                do not check for bad names
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
      --btrfs-subvolume-home    use BTRFS subvolume for home directory
  -c, --comment COMMENT         GECOS field of the new account
  <-d, --home-dir HOME_DIR       home directory of the new account>		
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
 <-G, --groups GROUPS           list of supplementary groups of the new >
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  <-m, --create-home             create the user's home directory >
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files
  <-s, --shell SHELL             login shell of the new account >
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
      --extrausers              Use the extra users database



root@nc7:~# useradd -D		- default 값 
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh				- 기본 shell은 /bin/sh로 지정 = 타계정 접속시 $ 표시 확인
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no



root@nc7:~# nl /etc/default/useradd
     1  # Default values for useradd(8)
     2  #
     3  # The SHELL variable specifies the default login shell on your
     4  # system.
     5  # Similar to DSHELL in adduser. However, we use "sh" here because
     6  # useradd is a low level utility and should be as general
     7  # as possible
     8  SHELL=/bin/sh		- shell  연결 확인
     9  #
    10  # The default group for users
    11  # 100=users on Debian systems
    12  # Same as USERS_GID in adduser
    13  # This argument is used when the -n flag is specified.
    14  # The default behavior (when -n and -g are not specified) is to create a
    15  # primary user group with the same name as the user being added to the
    16  # system.
    17  # GROUP=100
    18  #
    19  # The default home directory. Same as DHOME for adduser
    20  # HOME=/home
    21  #
    22  # The number of days after a password expires until the account
    23  # is permanently disabled
    24  # INACTIVE=-1
    25  #
    26  # The default expire date
    27  # EXPIRE=
    28  #
    29  # The SKEL variable specifies the directory containing "skeletal" user
    30  # files; in other words, files such as a sample .profile that will be
    31  # copied to the new user's home directory when it is created.
    32  # SKEL=/etc/skel
    33  #
    34  # Defines whether the mail spool should be created while
    35  # creating the account
    36  # CREATE_MAIL_SPOOL=yes




root@nc7:~# useradd k3
root@nc7:~# passwd k3
New password:
Retype new password:
passwd: password updated successfully

root@nc7:~# mkdir /etc/skel/TTT
root@nc7:~# date > /etc/skel/a1

root@nc7:~# useradd k4
root@nc7:~# passwd k4
New password:
Retype new password:
passwd: password updated successfully



$ pwd						-  k4로 접속했을시 /bin/sh 쉘로 정상 실행
/home/k4

$ ls			
TTT  a1						- /etc/skel 밑에 만든 TTT 디렉터리와 a1 파일이 복사되었음을 확인
$

root@nc7:~# finger k1		- user 정보 보기	
Login: k1                               Name:
Directory: /home/k1                     Shell: /bin/bash
On since Fri Apr 28 10:18 (KST) on pts/7 from 10.0.2.2
   34 minutes 24 seconds idle
No mail.
No Plan.


root@nc7:~# finger k2
Login: k2                               Name: il
Directory: /home/k2                     Shell: /bin/bash
Office: 501, 010-1234-5678              Home Phone: 010-1234-6788
On since Fri Apr 28 10:13 (KST) on pts/6 from 10.0.2.2
   24 minutes 17 seconds idle
No mail.
No Plan.


root@nc7:~# chfn k1		- 사용자 정보 입력하기
Changing the user information for k1
Enter the new value, or press ENTER for the default
        Full Name []: ilil
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:




root@nc7:~# userdel -r k1		- 로그인 되어있기에 삭제 불가
userdel: user k1 is currently used by process 1388


root@nc7:~# userdel -r k1
userdel: k1 mail spool (/var/mail/k1) not found
userdel: /home/k1 not owned by k1, not removing

root@nc7:~# tail -4 /etc/passwd		- 계정이 정상적으로 삭제되었음을 확인 (단, /home/k1은 k1 소유가 아니어서 삭제되지 않음)
tomcat:x:999:999:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
k2:x:1002:1002:il,501,010-1234-5678,010-1234-6788,010-1234-5678:/home/k2:/bin/bash
k3:x:1003:1003::/home/k3:/bin/sh
k4:x:1004:1004::/home/k4:/bin/sh


root@nc7:~# nl /etc/passwd
     1  root:x:0:0:root:/root:/bin/bash
     2  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
     3  bin:x:2:2:bin:/bin:/usr/sbin/nologin
 ,,,
    33  k3:x:1003:1003::/home/k3:/bin/sh
    34  k4:x:1004:1004::/home/k4:/bin/sh

root@nc7:~# userdel k2

root@nc7:~# nl /etc/shadow		
     1  root:*:19405:0:99999:7:::
     2  daemon:*:19405:0:99999:7:::
     3  bin:*:19405:0:99999:7:::
    ,,,
    25  sshd:*:19405:0:99999:7:::
    26  usbmux:*:19474:0:99999:7:::
    27  j:$6$E4UXUc2NC9Kgi7Xy$yvINee0CkMy4OwkjLbNOrWvHJCCyTApxN0tsaWWEkAWdGq91RkTdvwZggUMv5T95qhY.7qnfpi0e8nBU/hSdD0:19474:0:99999:7:::
    28  mysql:!:19474:0:99999:7:::
    29  smmta:*:19474:0:99999:7:::
    30  smmsp:*:19474:0:99999:7:::
    31  tomcat:!*:19474::::::
    32  k3:$y$j9T$K7t0u9gefb7WRq1p2e1zR/$ZjGCYw1TR8qRnSimDrbgn.YRXUs4XkYrCoeVgF67iJB:19475:0:99999:7:::
    33  k4:$y$j9T$AGhLfZDmkYwqBqN4SA8mk/$ziqhfFodOri/ArZXv5xvl1iYF4cj76nloWFhfK67hbB:19475:0:99999:7:::

  • useradd 명령이 기본값 변경
root@nc7:~# vi /etc/login.defs		- useradd시 자동으로 home_dir 생성

 13 CREATE_HOME yes		-추가



root@nc7:~# usermod -s /bin/bash k4		- 계정과 연결된 shell 변경

root@nc7:~# nl /etc/default/useradd	    	- 계정 생성시 연결될 shell 변경
	1  # Default values for useradd(8)
     2  #
     3  # The SHELL variable specifies the default login shell on your
     4  # system.
     5  # Similar to DSHELL in adduser. However, we use "sh" here because
     6  # useradd is a low level utility and should be as general
     7  # as possible
     8  SHELL=/bin/bash		- 계정 생성시 연결 shell은 /bin/bash로 연결 확인
     9  #
    10  # The default group for users
    11  # 100=users on Debian systems
    12  # Same as USERS_GID in adduser
    13  # This argument is used when the -n flag is specified.
    14  # The default behavior (when -n and -g are not specified) is to create a
    15  # primary user group with the same name as the user being added to the
    16  # system.
    17  # GROUP=100
    18  #
    19  # The default home directory. Same as DHOME for adduser
    20  # HOME=/home
    21  #
    22  # The number of days after a password expires until the account
    23  # is permanently disabled
    24  # INACTIVE=-1
    25  #
    26  # The default expire date
    27  # EXPIRE=
    28  #
    29  # The SKEL variable specifies the directory containing "skeletal" user
    30  # files; in other words, files such as a sample .profile that will be
    31  # copied to the new user's home directory when it is created.
    32  # SKEL=/etc/skel
    33  #
    34  # Defines whether the mail spool should be created while
    35  # creating the account
    36  # CREATE_MAIL_SPOOL=yes
    
  
root@nc7:~# finger k4
Login: k4                               Name: ilil
Directory: /home/k4                     Shell: /bin/bash		- 변경 확인
On since Fri Apr 28 10:18 (KST) on pts/7 from 10.0.2.2
   35 minutes 13 seconds idle
No mail.
No Plan.  
 
  • 특정 사용자 로그인 금지
root@nc7:~# usermod -L k4

login as: k4			- user에게 LOCK이 정상적으로 걸림
k4@127.0.0.1's password:
Access denied
k4@127.0.0.1's password:
Access denied
k4@127.0.0.1's password:
k4@127.0.0.1's password:

root@nc7:~# usermod -U k4	- 잠금 해제 후 정상적으로 로그인
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-71-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Fri Apr 28 10:38:12 2023 from 10.0.2.2
$
  • 사용자 용량 제한

root@nc7:~# edquota -t				-quota유예기간 설정
  1 Grace period before enforcing soft limits for users:
  2 Time units may be: days, hours, minutes, or seconds
  3   Filesystem             Block grace period     Inode grace period
  4   /dev/sda5                     7days                  7days


root@nc7:~# edquota -u k5
  1 Disk quotas for user k5 (uid 1008):
  2   Filesystem                   blocks       soft       hard     inodes     soft     hard
  3   /dev/sda5                        28          0          0          9        0        0

root@nc7:~# edquota -u k5
  1 Disk quotas for user k5 (uid 1008):
  2   Filesystem                   blocks       soft       hard     inodes     soft     hard
  3   /dev/sda5                        28      20000      25000          9        0        0

root@nc7:~# repquota -a
*** Report for user quotas on device /dev/sda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      24       0       0              3     0     0
j         --      28       0       0             10     0     0
k3        --      24       0       0              7     0     0
k4        --      32       0       0              9     0     0
it1       --      24       0       0              7     0     0
it2       --      24       0       0              7     0     0
it3       --      24       0       0              7     0     0
k5        --      28   20000   25000              9     0     0	★ - 완료	
#1002     --      28       0       0              8     0     0

root@il7:~# edquota -p k5 k4 k3


root@il7:~# repquota -a
*** Report for user quotas on device /dev/sda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      20       0       0              2     0     0
j         --      28       0       0             10     0     0
k1        --      16       0       0              4 2000000 200000
k3        --      20       0       0              6 2000000 200000
#1002     --      28       0       0              8     0     0

k3        --      24   20000   25000              7     0     0
k4        --      32   20000   25000              9     0     0
it1       --      24       0       0              7     0     0
it2       --      24       0       0              7     0     0
it3       --      24       0       0              7     0     0
k5        --      28   20000   25000              9     0     0	★ - 완료	
#1002     --      28       0       0              8     0     0
  • 계정 변경
k5@nc7:~$ whoami
k5

k5@nc7:~$ quota
Disk quotas for user k5 (uid 1008):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda5      28   20000   25000               9       0       0

k5@nc7:~$ du -sh ~
du: cannot read directory '/home/k5/var/lib/snapd/void': Permission denied
370M    /home/k5			- 최종 용량

k5@nc7:~$ cp -r /var .		

k5@nc7:~$ mkdir dddd		- hard limit 초과로 quota 제한이 정상적으로 동작함을 확인
mkdir: cannot create directory ‘dddd’: Disk quota exceeded
  • 용량 복사

root@nc7:~# edquota -u it1
  1 Disk quotas for user it1 (uid 1005):
  2   Filesystem                   blocks       soft       hard     inodes     soft     hard
  3   /dev/sda5                        24      20000      12340          7        0        0


root@nc7:~# edquota -p it1 it2 it3		- quota  복사

root@nc7:~# repquota -a
*** Report for user quotas on device /dev/sda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      24       0       0              3     0     0
j         --      28       0       0             10     0     0
k3        --      24       0       0              7     0     0
k4        --      32       0       0              9     0     0
it1       --      24   20000   12340              7     0     0
it2       --      24   20000   12340              7     0     0 ★
it3       --      24   20000   12340              7     0     0 ★
k5        --      28   20000   25000              9     0     0
#1002     --      28       0       0              8     0     0

정상적으로 복사됨을 확인

소유권, 허가권

drwxr-xr-x 		2 		root 		root 		4096 	Apr 28 15:47 	d5
<권한>		<링크수>		<소유주>		<소유그룹>	<size>		<접근날짜>	<파일명>
  • 소유권 변경


root@nc7:~# useradd sam
root@nc7:~# passwd sam
New password:
Retype new password:
passwd: password updated successfully

root@nc7:~# useradd sung
root@nc7:~# passwd sung
New password:
Retype new password:
passwd: password updated successfully
root@nc7:~# groupadd START

root@nc7:~# tail -5 /etc/passwd
it2:x:1006:1008::/home/it2:/bin/sh
it3:x:1007:1009::/home/it3:/bin/sh
k5:x:1008:1010::/home/k5:/bin/bash
sam:x:1009:1011::/home/sam:/bin/bash
sung:x:1010:1012::/home/sung:/bin/bash
root@nc7:~# tail -5 /etc/group
it3:x:1009:
k5:x:1010:
sam:x:1011:
sung:x:1012:
START:x:1013:


root@nc7:~# l
total 60
,,,
---x-w--wx 1 root root  184 Apr 28 13:38 a1*
--wx-w---x 1 root root   29 Apr 28 13:38 a2*
d--x-w--wx 2 root root 4096 Apr 28 13:38 d1/
d-wx-w---x 2 root root 4096 Apr 28 13:38 d2/
drwxr-xr-x 2 root root 4096 Apr 28 13:38 d5/

root@nc7:~# chown sam a1			- a1의 소유자(user)를 변경
root@nc7:~# chown sung a2			- a2의 소유자(user)를 변경
root@nc7:~#
root@nc7:~# l
total 60
-rw------- 1 root root 4043 Apr 28 12:40 .bash_history
-rw-r--r-- 1 root root 3389 Apr 28 13:37 .bashrc
drwx------ 3 root root 4096 Apr 27 19:22 .cache/
-rw-r--r-- 1 root root  161 Jul  9  2019 .profile
drwx------ 2 root root 4096 Apr 27 19:21 .ssh/
drwxr-xr-x 2 root root 4096 Apr 27 19:32 .vim/
-rw------- 1 root root 9821 Apr 28 14:34 .viminfo
-rw-r--r-- 1 root root  134 Apr 27 19:33 .vimrc
---x-w--wx 1 sam  root  184 Apr 28 13:38 a1*
--wx-w---x 1 sung root   29 Apr 28 13:38 a2*
d--x-w--wx 2 root root 4096 Apr 28 13:38 d1/
d-wx-w---x 2 root root 4096 Apr 28 13:38 d2/
drwxr-xr-x 2 root root 4096 Apr 28 13:38 d5/


root@nc7:~# chgrp START d1

root@nc7:~# chgrp START d2

root@nc7:~# nl /etc/group | tail -3		- 그룹 생성 확인
    65  sam:x:1011:
    66  sung:x:1012:
    67  START:x:1013:

root@nc7:~# l
total 60
---x-w--wx 1 sam  root   184 Apr 28 13:38 a1*
--wx-w---x 1 sung root    29 Apr 28 13:38 a2*
d--x-w--wx 2 root START 4096 Apr 28 13:38 d1/
d-wx-w---x 2 root START 4096 Apr 28 13:38 d2/
drwxr-xr-x 2 root root  4096 Apr 28 13:38 d5/

root@nc7:~# chown sung:START a1
root@nc7:~# chown sam.sung a2

root@nc7:~# l
total 60
-rw------- 1 root root  4043 Apr 28 12:40 .bash_history
-rw-r--r-- 1 root root  3389 Apr 28 13:37 .bashrc
drwx------ 3 root root  4096 Apr 27 19:22 .cache/
-rw-r--r-- 1 root root   161 Jul  9  2019 .profile
drwx------ 2 root root  4096 Apr 27 19:21 .ssh/
drwxr-xr-x 2 root root  4096 Apr 27 19:32 .vim/
-rw------- 1 root root  9821 Apr 28 14:34 .viminfo
-rw-r--r-- 1 root root   134 Apr 27 19:33 .vimrc
---x-w--wx 1 sung START  184 Apr 28 13:38 a1*
--wx-w---x 1 sam  sung    29 Apr 28 13:38 a2*
d--x-w--wx 2 root START 4096 Apr 28 13:38 d1/
d-wx-w---x 2 root START 4096 Apr 28 13:38 d2/
drwxr-xr-x 2 root root  4096 Apr 28 13:38 d5/





root@nc7:~# chmod 700 /y1
root@nc7:~# chmod 701 /y2
root@nc7:~# chmod 705 /y3
root@nc7:~# chmod 707 /y4
root@nc7:~# chmod 1707 /y5

root@nc7:~# cp /etc/b* /y2 2>/dev/null
root@nc7:~# cp /etc/b* /y3 2>/dev/null
root@nc7:~# cp /etc/b* /y4 2>/dev/null
root@nc7:~# cp /etc/b* /y5 2>/dev/null
root@nc7:~# cp /etc/b* /y{2..5} 2>/dev/null

l /
drwx------   2 root root  4096 Apr 28 14:46 y1/
drwx-----x   2 root root  4096 Apr 28 14:50 y2/
drwx---r-x   2 root root  4096 Apr 28 14:50 y3/
drwx---rwx   2 root root  4096 Apr 28 14:50 y4/
drwx---rwt   2 root root  4096 Apr 28 14:51 y5/

umask

사용자가 파일 생성시 자동으로 권한을 조정하는 값

기본적인 umask

root@il:~# umask
0022

rwx rwx rwx = 777 (디렉터리 기본값)
- 022 (umask)
= 755 = directory
파일은 기본값에서 실행 권한 x(111)가 빠진 666에서 시작한다 (파일에는 기본적으로 실행 권한을 주지 않기 위해)
666 - 022 = 644 = file

root@il:~# mkdir aa
root@il:~# touch bb

root@il:~# ls -l
total 20

drwxr-xr-x 2 root root 4096 Apr 30 14:22 aa		- directory = 755

-rw-r--r-- 1 root root    0 Apr 30 14:23 bb		- file = 644
  • Sticky Bit
  1. Sticky Bit를 사용하는 이유는 작업상 타인의 파일삭제를 방지하기 위함이다.
  2. 이 권한은 폴더에만 내릴 수 있다.
  3. Sticky Bit로 지정된 폴더에 있는 파일들은 주인과 관리자만이 삭제 가능하다.
  • 파일 속성 변경 = root 고유 명령어
root@il:~# cal >a
root@il:~# date >b
root@il:~# lsattr
--------------e------- ./b
--------------e------- ./k5
--------------e------- ./a
--------------e------- ./snap

root@il:~# chattr +i a
root@il:~# chattr +a b
root@il:~# lsattr
-----a--------e------- ./b
--------------e------- ./k5
----i---------e------- ./a
--------------e------- ./snap

root@il:~# rm a				- error
rm: cannot remove 'a': Operation not permitted
root@il:~# rm b				- error
rm: cannot remove 'b': Operation not permitted
root@il:~# who >> a			- error
-bash: a: Operation not permitted
root@il:~# who >> b

root@il:~# chattr +i a
root@il:~# chattr +a b
root@il:~# lsattr
-----a--------e------- ./b
--------------e------- ./k5
----i---------e------- ./a
--------------e------- ./snap