用户管理 on Yison's Bloghttps://blog.7ys.top/tags/%E7%94%A8%E6%88%B7%E7%AE%A1%E7%90%86/Recent content in 用户管理 on Yison's BlogHugo -- gohugo.iozh-CNMon, 10 Apr 2017 00:00:00 +0000Linux新建用户与sudo权限https://blog.7ys.top/posts/linux%E6%96%B0%E5%BB%BA%E7%94%A8%E6%88%B7%E4%B8%8Esudo%E6%9D%83%E9%99%90/Mon, 10 Apr 2017 00:00:00 +0000https://blog.7ys.top/posts/linux%E6%96%B0%E5%BB%BA%E7%94%A8%E6%88%B7%E4%B8%8Esudo%E6%9D%83%E9%99%90/<img src="https://blog.7ys.top/" alt="Featured image of post Linux新建用户与sudo权限" /> <blockquote> <p>如何用命令行新建一个带超管权限的账号</p> </blockquote> <h2 id="用户管理基础">用户管理基础 </h2><h3 id="1-创建用户组并指定-gid">1. 创建用户组并指定 GID </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 创建用户组,指定 GID 为 1002</span> </span></span><span style="display:flex;"><span>sudo groupadd -g <span style="color:#ae81ff">1002</span> www </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 不指定 GID(系统自动分配)</span> </span></span><span style="display:flex;"><span>sudo groupadd www </span></span></code></pre></div><h3 id="2-添加用户并指定-uid">2. 添加用户并指定 UID </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 创建用户并加入 www 组</span> </span></span><span style="display:flex;"><span>sudo useradd -g www -u <span style="color:#ae81ff">1003</span> -m -s /bin/bash www </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 参数说明:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -g : 指定主用户组</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -u : 指定用户 ID</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -m : 创建用户主目录</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># -s : 指定登录 shell</span> </span></span></code></pre></div><h3 id="3-修改用户密码">3. 修改用户密码 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo passwd www </span></span></code></pre></div><h3 id="4-删除用户">4. 删除用户 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 删除用户(保留主目录)</span> </span></span><span style="display:flex;"><span>sudo userdel www </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 删除用户及其主目录</span> </span></span><span style="display:flex;"><span>sudo userdel -r www </span></span></code></pre></div><h2 id="sudo-权限配置">Sudo 权限配置 </h2><h3 id="添加用户到-sudo-组">添加用户到 sudo 组 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Debian/Ubuntu 系统</span> </span></span><span style="display:flex;"><span>sudo usermod -a -G sudo www </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># CentOS/RHEL 系统</span> </span></span><span style="display:flex;"><span>sudo usermod -a -G wheel www </span></span></code></pre></div><h3 id="查看用户所属组">查看用户所属组 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>groups www </span></span><span style="display:flex;"><span><span style="color:#75715e"># 输出: www : www sudo</span> </span></span></code></pre></div><h3 id="ubuntu-系统默认管理员组">Ubuntu 系统默认管理员组 </h3><p>Ubuntu 第一个默认账号加入的组:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>adm cdrom sudo dip plugdev lpadmin sambashare </span></span></code></pre></div><h2 id="完整示例创建-web-服务用户">完整示例:创建 Web 服务用户 </h2><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 1. 创建用户组</span> </span></span><span style="display:flex;"><span>sudo groupadd -g <span style="color:#ae81ff">1002</span> webapps </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. 创建用户</span> </span></span><span style="display:flex;"><span>sudo useradd -g webapps -u <span style="color:#ae81ff">1003</span> -m -s /bin/bash webapp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. 设置密码</span> </span></span><span style="display:flex;"><span>sudo passwd webapp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. 添加 sudo 权限</span> </span></span><span style="display:flex;"><span>sudo usermod -a -G sudo webapp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 5. 验证</span> </span></span><span style="display:flex;"><span>su - webapp </span></span><span style="display:flex;"><span>sudo ls /root </span></span></code></pre></div><h2 id="sudoers-文件配置">Sudoers 文件配置 </h2><h3 id="编辑-sudoers-文件">编辑 sudoers 文件 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 安全的编辑方式(会检查语法)</span> </span></span><span style="display:flex;"><span>sudo visudo </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 直接编辑(不推荐)</span> </span></span><span style="display:flex;"><span>sudo nano /etc/sudoers </span></span></code></pre></div><h3 id="常用配置示例">常用配置示例 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 允许用户执行所有命令(无需密码)</span> </span></span><span style="display:flex;"><span>username ALL<span style="color:#f92672">=(</span>ALL<span style="color:#f92672">)</span> NOPASSWD: ALL </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 允许用户执行所有命令(需要密码)</span> </span></span><span style="display:flex;"><span>username ALL<span style="color:#f92672">=(</span>ALL<span style="color:#f92672">)</span> ALL </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 允许用户执行特定命令</span> </span></span><span style="display:flex;"><span>username ALL<span style="color:#f92672">=(</span>ALL<span style="color:#f92672">)</span> /usr/bin/systemctl restart nginx, /usr/bin/systemctl stop nginx </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 限制只有特定 IP 可以使用 sudo</span> </span></span><span style="display:flex;"><span>username 192.168.1.100<span style="color:#f92672">=(</span>ALL<span style="color:#f92672">)</span> ALL </span></span></code></pre></div><h3 id="用户组权限配置">用户组权限配置 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 允许 sudo 组所有成员执行命令</span> </span></span><span style="display:flex;"><span>%sudo ALL<span style="color:#f92672">=(</span>ALL:ALL<span style="color:#f92672">)</span> ALL </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 允许 wheel 组无密码 sudo(CentOS)</span> </span></span><span style="display:flex;"><span>%wheel ALL<span style="color:#f92672">=(</span>ALL<span style="color:#f92672">)</span> NOPASSWD: ALL </span></span></code></pre></div><h2 id="查看和管理">查看和管理 </h2><h3 id="查看所有用户">查看所有用户 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat /etc/passwd | grep -v nologin | grep -v false </span></span></code></pre></div><h3 id="查看所有用户组">查看所有用户组 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat /etc/group </span></span></code></pre></div><h3 id="锁定解锁用户">锁定/解锁用户 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 锁定用户(禁止登录)</span> </span></span><span style="display:flex;"><span>sudo passwd -l username </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 解锁用户</span> </span></span><span style="display:flex;"><span>sudo passwd -u username </span></span></code></pre></div><h3 id="设置用户过期时间">设置用户过期时间 </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 设置账户过期日期</span> </span></span><span style="display:flex;"><span>sudo usermod -e 2025-12-31 username </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 查看账户过期信息</span> </span></span><span style="display:flex;"><span>sudo chage -l username </span></span></code></pre></div><h2 id="常见问题">常见问题 </h2><h3 id="q-为什么新用户无法使用-sudo">Q: 为什么新用户无法使用 sudo? </h3><p>A: 检查用户是否在正确的管理员组中:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Ubuntu</span> </span></span><span style="display:flex;"><span>groups username <span style="color:#75715e"># 应该包含 sudo</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># CentOS</span> </span></span><span style="display:flex;"><span>groups username <span style="color:#75715e"># 应该包含 wheel</span> </span></span></code></pre></div><h3 id="q-如何免密使用-sudo">Q: 如何免密使用 sudo? </h3><p>A: 编辑 sudoers 添加 NOPASSWD:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo visudo </span></span><span style="display:flex;"><span><span style="color:#75715e"># 添加:username ALL=(ALL) NOPASSWD: ALL</span> </span></span></code></pre></div><h2 id="最佳实践">最佳实践 </h2><ol> <li><strong>不要给普通用户 root 权限</strong> - 只授予必要的最小权限</li> <li><strong>使用用户组管理权限</strong> - 便于批量管理</li> <li><strong>禁用 root 远程登录</strong> - 提高服务器安全性</li> <li><strong>记录 sudo 操作日志</strong> - 审计用户行为</li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 启用 sudo 日志(Debian/Ubuntu)</span> </span></span><span style="display:flex;"><span>sudo visudo </span></span><span style="display:flex;"><span><span style="color:#75715e"># 添加:Defaults logfile=&#34;/var/log/sudo.log&#34;</span> </span></span></code></pre></div>