The list of users is usually stored in the /etc/passwd file, while the /etc/shadow file stores hashed passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (":"). Editing them directly with an editor bypasses the file locking that the account tools rely on; vipw and vigr edit the same files while holding that lock, so prefer them over a bare editor.
Here is the list of fields in the /etc/passwd file:
login, for instance rhertzog;
password: this is the result of applying a one-way hash function (crypt) to the password, using DES, MD5, SHA-256 or SHA-512 (DES and MD5 are obsolete and should not be used for new passwords). The special value "x" indicates that the hashed password is stored in /etc/shadow, which, unlike /etc/passwd, is not world-readable;
uid: unique number identifying each user;
gid: unique number for the user's main group (Debian creates a specific group for each user by default);
GECOS: data field usually containing the user's full name;
login directory, assigned to the user for storage of their personal files (the environment variable $HOME usually points here);
program to execute upon login. This is usually a command interpreter (shell), giving the user free rein. If you specify /bin/false (which does nothing and returns control immediately), the user cannot log in; /usr/sbin/nologin behaves the same way but prints a message first.
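As an added example (not part of the handbook), the following POSIX shell script parses /etc/passwd-formatted lines with awk and flags the entries an administrator would want to look at: a hash stored directly in the world-readable /etc/passwd instead of the "x" placeholder, an empty password field, a second account with uid 0, and accounts whose login shell disables logins. The sample lines, including the fake hash value, are constructed for this example.

```shell
#!/bin/sh
# Added example: audit /etc/passwd-format lines. SAMPLE_PASSWD is constructed
# data for this example, not taken from a real system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rhertzog:x:1000:1000:Raphaël Hertzog,,,:/home/rhertzog:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
legacy:$6$0123456789abcdef$notarealhash:1001:1001:Legacy import:/home/legacy:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh'

# audit_passwd: read passwd lines on stdin and print one finding per line as
# "<login> <finding>". Fields, colon-separated: login, password, uid, gid,
# GECOS, home directory, login shell. An account may produce several findings.
audit_passwd() {
    awk -F: '
    NF != 7 { printf "%s malformed-line\n", $1; next }
    $2 == "" { printf "%s empty-password-field\n", $1 }
    $2 != "x" && $2 != "" { printf "%s hash-in-passwd\n", $1 }
    $3 == 0 && $1 != "root" { printf "%s uid-0-not-root\n", $1 }
    $7 == "/bin/false" || $7 ~ /nologin$/ { printf "%s login-disabled\n", $1 }
    '
}

# count_uid UID: number of accounts on stdin sharing that uid. More than one
# means several logins map to the same identity in file ownership and audit logs.
count_uid() {
    awk -F: -v uid="$1" '$3 == uid { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a real system the same functions read the live file: audit_passwd < /etc/passwd, or count_uid 0 < /etc/passwd.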
8.4.2. The Hidden and Encrypted Password File: /etc/shadow
The /etc/shadow file contains the following fields:
The following commands allow modification of the information stored in specific fields of the user databases: passwd permits a regular user to change their password, which in turn updates the /etc/shadow file; chfn (CHange Full Name), reserved for the super-user (root), modifies the GECOS field. chsh (CHange SHell) allows the user to change their login shell; however, available choices will be limited to those listed in /etc/shells; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
Finally, the chage (CHange AGE) command allows the administrator to change the password expiration settings (the -l user option lists the current settings). A password can also be forced to expire with the passwd -e user command, which requires the user to change their password the next time they log in.
It is sometimes necessary to "disable" an account (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply because the user has not logged in for a long time. A disabled account means the user cannot log in or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished with the passwd -l user (lock) command. Re-enabling the account is done in the same fashion, with the -u (unlock) option. Note that passwd -l only invalidates the password: authentication methods that do not use it, such as SSH with a public key, still work. To block those as well, expire the account itself (chage -E 0 user) in addition to locking the password.
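As an added example (not the handbook's own code), the script below shows what passwd -l / -u and chsh actually change or check on disk. passwd -l prefixes the hash field in /etc/shadow with "!", so the stored value no longer matches any password, and passwd -u removes that prefix again; chsh refuses, for a non-root user, any shell not listed in /etc/shells. The only facts about /etc/shadow the script relies on are that the login is the first colon-separated field and the hash the second. The shadow lines, the fake hash values and the /etc/shells list are constructed for this example.

```shell
#!/bin/sh
# Added example: the on-disk effect of passwd -l/-u and the check chsh applies.
# SAMPLE_SHADOW and SAMPLE_SHELLS are constructed data, not from a real system.

SAMPLE_SHADOW='rhertzog:$6$abcdefgh$notarealhash:19700:0:99999:7:::
intern:!$6$abcdefgh$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
guest::19700:0:99999:7:::'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/bin/zsh'

# account_state LOGIN: classify the hash field of LOGIN's shadow line (stdin).
#   locked   - hash starts with "!" (what passwd -l does; passwd -u undoes it)
#   no-login - "*": no valid hash was ever set, password login impossible
#   empty    - empty field
#   active   - anything else
account_state() {
    awk -F: -v login="$1" '
    $1 == login {
        if ($2 == "") print "empty"
        else if ($2 ~ /^!/) print "locked"
        else if ($2 == "*") print "no-login"
        else print "active"
        exit
    }'
}

# lock_hash / unlock_hash: the string transformation passwd -l and -u apply to
# the hash field, shown on a value rather than applied to a real file.
# Locking an already locked hash leaves it unchanged, as passwd does.
lock_hash() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}
unlock_hash() { printf '%s\n' "$1" | sed 's/^!//'; }

# shell_allowed SHELL: succeeds if SHELL is listed (exact match) in the
# /etc/shells sample, which is the check chsh applies to non-root users.
shell_allowed() {
    printf '%s\n' "$SAMPLE_SHELLS" | grep -qx -- "$1"
}

printf '%s\n' "$SAMPLE_SHADOW" | account_state intern
```

Against a live system, account_state reads the real file when run as root: account_state intern < /etc/shadow; shell_allowed would read /etc/shells instead of the sample.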
Groups are listed in the /etc/group file, a simple textual database in a format similar to that of the /etc/passwd file, with the following fields:
group name;
password (optional): this is only used to join a group when one is not a usual member (with the newgrp or sg commands, see sidebar BASICS Working with several groups);
gid: unique group identifier;
list of members: list of names of users who are members of the group, separated by commas.
The addgroup and delgroup commands add or delete a group, respectively. The groupmod command modifies a group's information (its gid or identifier). The command gpasswd group changes the password for the group, while the gpasswd -r group command deletes it; gpasswd -a user group and gpasswd -d user group add a user to the member list or remove them from it.
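Putting the two databases together, here is an added example (not from the handbook) that resolves group membership the way id -Gn and getent would: a user's primary group comes from the gid field of their /etc/passwd entry, while the member lists in /etc/group only carry supplementary members, so a group's full membership is the union of both sources. Both sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: resolve group membership from /etc/passwd and /etc/group
# formatted data. SAMPLE_PASSWD and SAMPLE_GROUP are constructed data.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rhertzog:x:1000:1000:Raphaël Hertzog,,,:/home/rhertzog:/bin/bash
rmas:x:1001:1001:Roland Mas,,,:/home/rmas:/bin/bash'

SAMPLE_GROUP='root:x:0:
sudo:x:27:rhertzog
rhertzog:x:1000:
rmas:x:1001:
www-data:x:33:rhertzog,rmas
staff:x:50:'

# user_groups LOGIN: print LOGIN's groups on one line, primary group first
# (looked up by numeric gid), then supplementary groups in /etc/group order.
# Fails with a message on stderr if LOGIN has no passwd entry.
user_groups() {
    login="$1"
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v l="$login" '$1 == l { print $4; exit }')
    [ -n "$gid" ] || { echo "no such user: $login" >&2; return 1; }
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v l="$login" -v gid="$gid" '
    $3 == gid { primary = $1; next }
    {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == l) { sup = sup (sup ? " " : "") $1; break }
    }
    END { printf "%s%s%s\n", primary, (primary && sup ? " " : ""), sup }'
}

# group_members GROUP: every user of GROUP, sorted, on one line: users whose
# primary gid matches (they are absent from the member field) plus the listed
# supplementary members. Fails silently if GROUP does not exist.
group_members() {
    gname="$1"
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gname" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gname" \
            '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | awk 'NR > 1 { printf " " } { printf "%s", $0 } END { print "" }'
}

user_groups rhertzog
group_members www-data
```

The primary-group detail matters when auditing who can use a privileged group such as sudo: grepping the member field of /etc/group misses any account whose primary gid is that group.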