Linux新建用户配置文件 /etc/login.defs 详解

/etc/login.defs 是设置用户帐号限制的文件。该文件里的配置对root用户无效。/etc/login.defs 文件用于在 Linux 创建用户时，对用户的一些基本属性做默认设置，例如指定用户 UID 和 GID 的范围，用户的过期时间，密码的最大长度，等等。

需要注意的是，该文件的用户默认配置对 root 用户无效。并且，当此文件中的配置与 /etc/passwd 和 /etc/shadow 文件中的用户信息有冲突时，系统会以/etc/passwd 和 /etc/shadow 为准。

如果/etc/shadow文件里有相同的选项，则以/etc/shadow里的设置为准，也就是说/etc/shadow的配置优先级高于/etc/login.defs

读者可自行使用 vim /etc/login.defs 命令查看该文件中的内容，表 1 中对文件中的各个选项做出了具体的解释。

表 1 /etc/login.defs文件内容

设置项	含义
MAIL_DIR /var/spool/mail	创建用户时，系统会在目录 /var/spool/mail 中创建一个用户邮箱，比如 lamp 用户的邮箱是 /var/spool/mail/lamp。
PASS_MAX_DAYS 99999	密码有效期，99999 是自 1970 年 1 月 1 日起密码有效的天数，相当于 273 年，可理解为密码始终有效。
PASS_MIN_DAYS 0	表示自上次修改密码以来，最少隔多少天后用户才能再次修改密码，默认值是 0。
PASS_MIN_LEN 5	指定密码的最小长度，默认不小于 5 位，但是现在用户登录时验证已经被 PAM 模块取代，所以这个选项并不生效。
PASS_WARN_AGE 7	指定在密码到期前多少天，系统就开始通过用户密码即将到期，默认为 7 天。
UID_MIN 500	指定最小 UID 为 500，也就是说，添加用户时，默认 UID 从 500 开始。注意，如果手工指定了一个用户的 UID 是 550，那么下一个创建的用户的 UID 就会从 551 开始，哪怕 500~549 之间的 UID 没有使用。
UID_MAX 60000	指定用户最大的 UID 为 60000。
GID_MIN 500	指定最小 GID 为 500，也就是在添加组时，组的 GID 从 500 开始。
GID_MAX 60000	用户 GID 最大为 60000。
CREATE_HOME yes	指定在创建用户时，是否同时创建用户主目录，yes 表示创建，no 则不创建，默认是 yes。
UMASK 077	用户主目录的权限默认设置为 077。
USERGROUPS_ENAB yes	指定删除用户的时候是否同时删除用户组，准备地说，这里指的是删除用户的初始组，此项的默认值为 yes。
ENCRYPT_METHOD SHA512	指定用户密码采用的加密规则，默认采用 SHA512，这是新的密码加密模式，原先的 Linux 只能用 DES 或 MD5 加密。

root@linuxidc:/home/linuxidc/linuxidc.com# cat /etc/login.defs

#

# /etc/login.defs - Configuration control definitions for the login package.

#

# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.

# If unspecified, some arbitrary (and possibly incorrect) value will

# be assumed.  All other items are optional - if not specified then

# the described action or option will be inhibited.

#

# Comment lines (lines beginning with "#") and blank lines are ignored.

#

# Modified for Linux.  --marekm

# REQUIRED for useradd/userdel/usermod

#  Directory where mailboxes reside, _or_ name of file, relative to the

#  home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,

#  MAIL_DIR takes precedence.

#

#  Essentially:

#      - MAIL_DIR defines the location of users mail spool files

#        (for mbox use) by appending the username to MAIL_DIR as defined

#        below.

#      - MAIL_FILE defines the location of the users mail spool files as the

#        fully-qualified filename obtained by prepending the user home

#        directory before $MAIL_FILE

#

# NOTE: This is no more used for setting up users MAIL environment variable

#      which is, starting from shadow 4.0.12-1 in Debian, entirely the

#      job of the pam_mail PAM modules

#      See default PAM configuration files provided for

#      login, su, etc.

#

# This is a temporary situation: setting these variables will soon

# move to /etc/default/useradd and the variables will then be

# no more supported

MAIL_DIR        /var/mail # 创建用户时，要在目录/var/spool/mail中创建一个用户mail文件；

#MAIL_FILE      .mail

#

# Enable logging and display of /var/log/faillog login failure info.

# This option conflicts with the pam_tally PAM module.

#

FAILLOG_ENAB  yes #

登录错误记录到日志

#

# Enable display of unknown usernames when login failures are recorded.

#

# WARNING: Unknown usernames may become world readable.

# See #290803 and #298773 for details about how this could become a security

# concern

LOG_UNKFAIL_ENAB no #

在建立用户时是否创建邮箱

#

# Enable logging of successful logins

#

LOG_OK_LOGINS  no

#

# Enable "syslog" logging of su activity - in addition to sulog file logging.

# SYSLOG_SG_ENAB does the same for newgrp and sg.

#

SYSLOG_SU_ENAB  yes # 当限定超级用户管理日志时使用。

SYSLOG_SG_ENAB  yes #

当限定超级用户组管理日志时使用

#

# If defined, all su activity is logged to this file.

#

#SULOG_FILE /var/log/sulog

#

# If defined, file which maps tty line to TERM environment parameter.

# Each line of the file is in a format something like "vt100  tty01".

#

#TTYTYPE_FILE /etc/ttytype

#

# If defined, login failures will be logged here in a utmp format

# last, when invoked as lastb, will read /var/log/btmp, so...

#

FTMP_FILE /var/log/btmp

#

# If defined, the command name to display when running "su -".  For

# example, if this is defined as "su" then a "ps" will display the

# command is "-su".  If not defined, then "ps" would display the

# name of the shell actually being run, e.g. something like "-sh".

#

SU_NAME  su #

使用户在使用su命令后用ps查看相关进程时显示的是-su而不是-sh。

#

# If defined, file which inhibits all the usual chatter during the login

# sequence.  If a full pathname, then hushed mode will be enabled if the

# user's name or shell are found in the file.  If not a full pathname, then

# hushed mode will be enabled if the file exists in the user's home directory.

#

HUSHLOGIN_FILE .hushlogin # 打开该选项可以掩盖登录信息,也就是在login(登录)过程中不显示/etc/motd中的信息。

#HUSHLOGIN_FILE /etc/hushlogins

#

# *REQUIRED*  The default PATH settings, for superuser and normal users.

#

# (they are minimal, add the rest in the shell startup files)

ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

#

# Terminal permissions

#

# TTYGROUP Login tty will be assigned this group ownership.

# TTYPERM  Login tty will be set to this permission.

#

# If you have a "write" program which is "setgid" to a special group

# which owns the terminals, define TTYGROUP to the group number and

# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign

# TTYPERM to either 622 or 600.

#

# In Debian /usr/bin/bsd-write or similar programs are setgid tty

# However, the default and recommended value for TTYPERM is still 0600

# to not allow anyone to write to anyone else console or terminal

# Users can still allow other people to write them by issuing

# the "mesg y" command.

TTYGROUP tty

TTYPERM  0600  #设置用户登陆时的tty权限。

#

# Login configuration initializations:

#

# ERASECHAR Terminal ERASE character ('\010' = backspace).

# KILLCHAR Terminal KILL character ('\025' = CTRL/U).

# UMASK  Default "umask" value.

#

# The ERASECHAR and KILLCHAR are used only on System V machines.

#

# UMASK is the default umask value for pam_umask and is used by

# useradd and newusers to set the mode of the new home directories.

# 022 is the "historical" value in Debian for UMASK

# 027, or even 077, could be considered better for privacy

# There is no One True Answer here : each sysadmin must make up his/her

# mind.

#

# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value

# for private user groups, i. e. the uid is the same as gid, and username is

# the same as the primary group name: for these, the user permissions will be

# used as group permissions, e. g. 022 will become 002.

#

# Prefix these values with "0" to get octal, "0x" to get hexadecimal.

#

ERASECHAR 0177

KILLCHAR 025

UMASK  022

#

# Password aging controls:

#

# PASS_MAX_DAYS Maximum number of days a password may be used.

# PASS_MIN_DAYS Minimum number of days allowed between password changes.

# PASS_WARN_AGE Number of days warning given before a password expires.

#

PASS_MAX_DAYS 99999 # 用户的密码不过期最多的天数；

PASS_MIN_DAYS 0 # 密码修改之间最小的天数；

PASS_WARN_AGE 7 #

密码失效前多少天在用户登录时通知用户修改密码

#

# Min/max values for automatic uid selection in useradd

#

UID_MIN    1000 # 最小UID为1000，也就是说添加用户时，UID是从1000开始的；

UID_MAX   60000 # 最大UID为60000；

# System accounts

#SYS_UID_MIN    100

#SYS_UID_MAX    999

#

# Min/max values for automatic gid selection in groupadd

#

GID_MIN    1000 # 最小用户组ID号

GID_MAX   60000 # 最大用户组ID

# System accounts

#SYS_GID_MIN    100

#SYS_GID_MAX    999

#

# Max number of login retries if password is bad. This will most likely be

# overriden by PAM, since the default pam_unix module has it's own built

# in of 3 retries. However, this is a safe fallback in case you are using

# an authentication module that does not enforce PAM_MAXTRIES.

#

LOGIN_RETRIES  5

#

# Max time in seconds for login

#

LOGIN_TIMEOUT  60

#

# Which fields may be changed by regular users using chfn - use

# any combination of letters "frwh" (full name, room number, work

# phone, home phone).  If not defined, no changes are allowed.

# For backward compatibility, "yes" = "rwh" and "no" = "frwh".

#

CHFN_RESTRICT  rwh

#

# Should login be allowed if we can't cd to the home directory?

# Default in no.

#

DEFAULT_HOME yes #

是否创用户家目录，要求创建；

#

# If defined, this command is run when removing a user.

# It should remove any at/cron/print jobs etc. owned by

# the user to be removed (passed as the first argument).

#

#USERDEL_CMD /usr/sbin/userdel_local

#

# Enable setting of the umask group bits to be the same as owner bits

# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is

# the same as gid, and username is the same as the primary group name.

#

# If set to yes, userdel will remove the user's group if it contains no

# more members, and useradd will create by default a group with the name

# of the user.

#

USERGROUPS_ENAB yes

#

# Instead of the real user shell, the program specified by this parameter

# will be launched, although its visible name (argv[0]) will be the shell's.

# The program may do whatever it wants (logging, additional authentification,

# banner, ...) before running the actual shell.

#

# FAKE_SHELL /bin/fakeshell

#

# If defined, either full pathname of a file containing device names or

# a ":" delimited list of device names.  Root logins will be allowed only

# upon these devices.

#

# This variable is used by login and su.

#

#CONSOLE /etc/consoles

#CONSOLE console:tty01:tty02:tty03:tty04

#

# List of groups to add to the user's supplementary group set

# when logging in on the console (as determined by the CONSOLE

# setting).  Default is none.

#

# Use with caution - it is possible for users to gain permanent

# access to these groups, even when not logged in on the console.

# How to do it is left as an exercise for the reader...

#

# This variable is used by login and su.

#

#CONSOLE_GROUPS  floppy:audio:cdrom

#

# If set to "yes", new passwords will be encrypted using the MD5-based

# algorithm compatible with the one used by recent releases of FreeBSD.

# It supports passwords of unlimited length and longer salt strings.

# Set to "no" if you need to copy encrypted passwords to other systems

# which don't understand the new algorithm.  Default is "no".

#

# This variable is deprecated. You should use ENCRYPT_METHOD.

#

#MD5_CRYPT_ENAB no

#

# If set to MD5 , MD5-based algorithm will be used for encrypting password

# If set to SHA256, SHA256-based algorithm will be used for encrypting password

# If set to SHA512, SHA512-based algorithm will be used for encrypting password

# If set to DES, DES-based algorithm will be used for encrypting password (default)

# Overrides the MD5_CRYPT_ENAB option

#

# Note: It is recommended to use a value consistent with

# the PAM modules configuration.

#

ENCRYPT_METHOD SHA512 #

加密模式

#

# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.

#

# Define the number of SHA rounds.

# With a lot of rounds, it is more difficult to brute forcing the password.

# But note also that it more CPU resources will be needed to authenticate

# users.

#

# If not specified, the libc will choose the default number of rounds (5000).

# The values must be inside the 1000-999999999 range.

# If only one of the MIN or MAX values is set, then this value will be used.

# If MIN > MAX, the highest value will be used.

#

# SHA_CRYPT_MIN_ROUNDS 5000

# SHA_CRYPT_MAX_ROUNDS 5000

################# OBSOLETED BY PAM ##############

#      #

# These options are now handled by PAM. Please #

# edit the appropriate file in /etc/pam.d/ to #

# enable the equivelants of them.

#

###############

#MOTD_FILE

#DIALUPS_CHECK_ENAB

#LASTLOG_ENAB

#MAIL_CHECK_ENAB

#OBSCURE_CHECKS_ENAB

#PORTTIME_CHECKS_ENAB

#SU_WHEEL_ONLY

#CRACKLIB_DICTPATH

#PASS_CHANGE_TRIES

#PASS_ALWAYS_WARN

#ENVIRON_FILE

#NOLOGINS_FILE

#ISSUE_FILE

#PASS_MIN_LEN

#PASS_MAX_LEN

#ULIMIT

#ENV_HZ

#CHFN_AUTH

#CHSH_AUTH

#FAIL_DELAY

################# OBSOLETED #######################

#        #

# These options are no more handled by shadow.    #

#                                                #

# Shadow utilities will display a warning if they #

# still appear.                                  #

#                                                #

###################################################

# CLOSE_SESSIONS

# LOGIN_STRING

# NO_PASSWORD_CONSOLE

# QMAIL_DIR

更多Linux命令相关信息见 Linux命令大全 专题页面 https://www.linuxidc.com/topicnews.aspx?tid=16

Linux公社的RSS地址 ： https://www.linuxidc.com/rssFeed.aspx

本文永久更新链接地址： https://www.linuxidc.com/Linux/2019-05/158732.htm