Groups and User Management

From Colwiki.org



Outcomes

Upon completion of this module you will be able to:
  • Create new users
  • Work with groups
  • Understand the user and groups configuration files
  • Use the user management command line options


Creating new users

Step 1: Create an account

The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.

Syntax:
	useradd [options] login-name

Example: add a user with login-name rufus

     useradd rufus

Default values will be used when no options are specified. You can list these values with useradd -D.

Default options listed with useradd -D:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

Notice that this information is also available in the file /etc/default/useradd.

Step 2: Activate the account with a new password

To allow a user to access his or her account, the administrator must assign a password to the user with the passwd tool.

Syntax:
	passwd login-name

These steps create a new user and define the user's environment, such as a home directory and a default shell. The user has also been assigned to a group, the primary group.

Working with groups

Every new user is assigned to an initial (or primary) group. Two conventions exist. Traditionally this primary group is the same for all users and is called users, with a group id (GID) of 100. Many Linux distributions, such as SUSE and Debian, adhere to this convention.

The User Private Group scheme (UPG) was introduced by Red Hat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (by default), and the GID is in the 500 to 60000 range (the same as UIDs). As a consequence, when using the traditional scheme for groups the user's umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

Belonging to groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group. The list of all groups a user belongs to is obtained with either the groups or id commands.

Example for user root:

List all IDs:

	id
	→ uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel), 600(sales)

List all groups:

	groups
	→ root bin daemon sys adm disk wheel sales

Joining a group

Joining a group changes the user's effective group and starts a new session, from which the user can later log out. This is done with the newgrp command. Example: joining the sales group

newgrp sales

If the groups command is issued, the first group on the list would no longer be root but sales.

Creating a new group

The groupadd tool is used to administer groups. This will add an entry in the /etc/group file.

Example: Create the group devel

	groupadd devel

Adding a user to a group

Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to log in with the same password. For security reasons this feature no longer works.

Example: Add rufus to the group devel

	gpasswd -a rufus devel

Configuration files

The /etc/passwd and /etc/shadow files:

The names of all the users on the system are kept in /etc/passwd. This file has the following structure:

  1. Login name
  2. Password (or x if using a shadow file)
  3. The UID
  4. The GID
  5. Text description for the user
  6. The user's home directory
  7. The user's shell

These 7 fields are separated by colons, as in the example below.

/etc/passwd entry with encrypted password:

george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.

If you don't have a shadow file in /etc then you should issue the following command:

     /usr/sbin/pwconv     (passwd -> shadow)

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can revert with:

     /usr/sbin/pwunconv   (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644), but the /etc/shadow file must be more restricted (600 or even 400). However, when using pwunconv make sure to change the permissions on /etc/passwd (600 or 400).

The /etc/group and gshadow files

In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.

  1. Group name
  2. The group password (or x if gshadow file exists)
  3. The GID
  4. A comma separated list of members

Example /etc/group entry:

java:x:550:jade,eric,rufus

As for users, there is an /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch back and forth between shadow and non-shadow files are as follows:

	/usr/sbin/grpconv	creates the /etc/gshadow file
	/usr/sbin/grpunconv	deletes the /etc/gshadow file
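As an added example (not part of the original module), the following Python parses constructed /etc/passwd and /etc/group text in the formats described above, flags entries with the wrong field count, with a hash left in the world-readable /etc/passwd, or with an empty password field, and resolves the group list that the groups command prints (primary group from the passwd GID, then groups whose member list names the user). All sample lines and hashes are constructed.

```python
from collections import namedtuple
# Constructed sample files. "george" is the malformed 5-field entry shown above,
# "jade" keeps a hash in /etc/passwd instead of x, "guest" has an empty password.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
rufus:x:501:100:Rufus:/home/rufus:/bin/bash
jade:$1$saltsalt$constructedhashvalue000000:502:100:Jade:/home/jade:/bin/bash
guest::503:100:Guest:/home/guest:/bin/sh
george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash
"""
GROUP_TEXT = """\
root:x:0:
wheel:x:10:root,rufus
users:x:100:
devel:x:550:rufus
sales:x:600:
"""
PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

def parse_passwd(text):
    """Return (entries, problems): the well-formed entries plus a list of findings."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:  # the format defines exactly 7 colon-separated fields
            problems.append(f"line {n}: expected 7 fields, got {len(fields)}")
            continue
        e = PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]), *fields[4:])
        if e.passwd == "":
            problems.append(f"{e.name}: empty password field, no password needed")
        elif e.passwd not in ("x", "*") and not e.passwd.startswith("!"):
            problems.append(f"{e.name}: hash stored in world-readable /etc/passwd, run pwconv")
        entries.append(e)
    return entries, problems

def parse_group(text):
    """Return {name: (gid, members)}; field 4 is a comma-separated member list."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def groups_for(user, entries, groups):
    """What `groups user` prints: primary group (passwd GID) first, then supplementary."""
    entry = next(e for e in entries if e.name == user)
    primary = [g for g, (gid, _) in groups.items() if gid == entry.gid]
    extra = [g for g, (gid, mem) in groups.items() if user in mem and gid != entry.gid]
    return primary + extra
```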

The /etc/login.defs and /etc/skel files

The /etc/login.defs file contains the following information:

  • the mail spool directory: MAIL_DIR
  • password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
  • max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX
  • max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX
  • automatically create a home directory with useradd: CREATE_HOME

The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profile, ...

Command Options

useradd (options)

 -c	comment (Full Name)
 -d	path to home directory
 -g	initial group (GID). The GID must already exist
 -G	comma separated list of supplementary groups
 -u	user's UID
 -s	user's default shell
 -p	password (md5 encrypted, use quotes!)
 -e	account expiry date
 -k	the skel directory
 -n	switch off the UPG group scheme

groupadd (options)

 -g	assign a GID

Modifying accounts and default settings

All the options available when creating a user or a group can be modified afterwards. The usermod utility has the following main options:

usermod (options)

 -d	the user's home directory
 -g	the user's initial GID
 -l	the user's login name
 -u	the user's UID
 -s	the user's default shell

Notice that these options are the same as for useradd. Likewise, you can change details about a group with the groupmod utility. There are mainly two options:

groupmod (options)

 -g	the GID
 -n	the group name

Locking an account

A user's account can be locked by prefixing an exclamation mark to the user's password hash. This can also be done with the following command line tools:

Lock		Unlock
passwd -l	passwd -u
usermod -L	usermod -U

  • When using shadow passwords, replace the x with a *
  • A less useful option is to remove the password entirely with passwd -d.
  • Finally, one can also assign /bin/false as the user's default shell in /etc/passwd.

Changing the password expiry dates

By default a user's password is valid for 99999 days, that is roughly 274 years (the default PASS_MAX_DAYS). The user is warned for 7 days that the password is about to expire (the default PASS_WARN_AGE) with the following message at login:

Warning: your password will expire in 6 days

There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.

The chage tool allows an administrator to change all these options.

Usage:
	chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ] [ -I inactive ] [ -E expire ] [ -d last_day ] user


The first option, -l, lists the current policy values for a user. We will only discuss the -E option, which locks an account at a given date. The date is given either in UNIX days or in YYYY/MM/DD format. Notice that all these values are stored in the /etc/shadow file and can be edited directly.
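As an added example (not from the original module), the following Python evaluates constructed /etc/shadow lines the way the aging fields described above are interpreted at login: a locked hash, an account expiry date (the chage -E field), PASS_MAX_DAYS with the PASS_WARN_AGE warning message, the INACTIVE grace period, and the PASS_MIN_DAYS restriction on changing a password. It also converts a YYYY/MM/DD date into the UNIX day count that /etc/shadow stores. The hashes, dates and "today" value are constructed.

```python
from datetime import date, datetime

EPOCH = date(1970, 1, 1)

def to_unix_days(value):
    """Accept a day count (what /etc/shadow stores) or a YYYY/MM/DD or YYYY-MM-DD date."""
    if isinstance(value, int) or value.isdigit():
        return int(value)
    return (datetime.strptime(value.replace("-", "/"), "%Y/%m/%d").date() - EPOCH).days

# Constructed /etc/shadow lines (hashes are placeholders, not real crypt output).
# Fields: name:passwd:lastchg:min:max:warn:inactive:expire:reserved
SHADOW = """\
rufus:$6$constructedsalt$constructedhash:19700:0:99999:7:::
tux:$6$constructedsalt$constructedhash:19705:5:30:7:::
jade:!$6$constructedsalt$constructedhash:19700:0:99999:7:::
george:$6$constructedsalt$constructedhash:19700:0:99999:7::19710:
eric:$6$constructedsalt$constructedhash:19650:0:30:7:3::
bob:$6$constructedsalt$constructedhash:19728:5:30:7:::
""".splitlines()
TODAY = to_unix_days("2024/01/08")  # constructed "today": day 19730

def shadow_status(line, today=TODAY):
    """How login treats this entry on day `today` (PASS_MIN_DAYS, PASS_MAX_DAYS and
    PASS_WARN_AGE from login.defs become fields 4-6 when useradd creates the entry)."""
    name, pw, lastchg, _mn, mx, warn, inactive, expire, _ = line.split(":")
    if pw.startswith(("!", "*")):
        return f"{name}: locked (password field starts with {pw[0]})"
    if expire and today >= int(expire):
        return f"{name}: account expired on day {expire} (set with chage -E)"
    if mx == "" or int(mx) >= 99999:
        return f"{name}: password never expires"
    days_left = int(lastchg) + int(mx) - today
    if days_left < 0:
        if inactive and -days_left > int(inactive):
            return f"{name}: password expired and INACTIVE period passed, account disabled"
        return f"{name}: password expired, change required at login"
    if days_left <= int(warn or 0):
        return f"{name}: Warning: your password will expire in {days_left} days"
    return f"{name}: ok, {days_left} days until password expiry"

def can_change_password(line, today=TODAY):
    """PASS_MIN_DAYS (field 4): the user may not change the password before lastchg + min."""
    _, _, lastchg, mn, *_ = line.split(":")
    return today >= int(lastchg) + int(mn or 0)

if __name__ == "__main__":
    for entry in SHADOW:
        print(shadow_status(entry))
```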

Removing an account

A user's account may be removed with the userdel command. To make sure that the user's home directory is also deleted, use the -r option.

userdel -r jade

Summary

In this module you have learned how to manage users and groups on a Linux system. This is a crucial part of a Linux system administrator's job and is essential to the security of your system, since it clearly defines access rights. You will see this when we look at "Security of a Linux System".



Assignment

Creating users

  1. Use adduser to create a user called tux with user ID 600 and group ID 550
  2. Use usermod to change this user’s home directory.

  • Does the new directory need to be created?
  • Is the content of /etc/skel copied to the new directory?
  • Can the contents of the old home directory still be accessed by user tux?
  • Use usermod to add tux to the group wheel.

Working with groups

  1. Create a group called sales using groupadd.
  2. Add tux to this group using gpasswd.
  3. Login as tux and join the group sales using newgrp.

Configuration files

  1. Add a user to the system by editing /etc/passwd and /etc/group
  2. Create a group called share and add user tux to this group by manually editing /etc/group

Modifying an Account

  1. Change the expiry date for user tux’s account using usermod.
  2. Lock the user’s account. (Use tools or edit /etc/shadow ...)
  3. Prevent the user from logging in by changing the user's default shell to /bin/false
  4. Change the PASS_MAX_DAYS for user tux to 1 in /etc/shadow

Changing default settings

  1. Use useradd -D to change the system's default settings so that every new user is assigned /bin/sh instead of /bin/bash. (Notice that this changes the file in /etc/default/.)
  2. Edit /etc/login.defs and change the default PASS_MAX_DAYS so that new users need to change their password every 5 days


This work is licensed under a Creative Commons Attribution-ShareAlike License.
