Ict-innovation/LPI/107.1

From Wikibooks, open books for an open world
Jump to navigation Jump to search

107.1 Manage User and Group Accounts[edit | edit source]

Candidates should be able to add, remove, suspend and change user accounts.


Key Knowledge Areas

  • Add, modify and remove users and groups.
  • Manage user/group info in password/group databases.
  • Create and manage special purpose and limited accounts.

Linux is a multi-user environment. Each user belongs to one primary group (normally created as default) and possibly to additional groups. Ownership of files in Linux is closely related to user ids and groups. Topic 107.1 prepares you to learn how to add, delete, and manage users and groups. You will also learn about the files in /etc, where user and group information is stored.

Creating New Users[edit | edit source]

The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.

Syntax: useradd [options] login-name

Example: add a user with login-name brian

useradd brian

Default values will be used when no options are specified. You can list these values with useradd –D.

Default options listed with useradd –D

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel    


NOTE: This information is also available in the file /etc/default/useradd

The id command can be used to display basic information about user, such as their user ID, their group and any other group they may be part of.

# id brian

uid=503(brian) gid=503(brian) groups=503(brian)

To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.

Syntax: passwd login-name

When you press enter, the system will give you a prompt onto which to enter the password. Now the user brian has a password. Because the user was created using the default settings for the useradd command, the user’s environment such as a home directory, default shell, and his primary group have all been set.

useradd (options)

-c comment (Full Name)
-d path to home directory
-g initial group (GID). The GID must already exist
-G comma separated list of supplementary groups
-u user’s UID
-s user’s default shell
-p password (md5 encrypted, use quotes!)
-e account expiry date
-k the skel directory
-n switch off the UPG group scheme

Working with Groups[edit | edit source]

Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.

The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).

NOTE: When using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.


Belonging to Groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or id commands.

Example for user root:

id
uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel), 600(sales)


groups
root bin daemon sys adm disk wheel sales

Joining a group

Joining a group changes the user’s effective group and starts a new session from which the user can then logout. This is done with the newgrp command. The group should exist already.

Example: joining the ict group

newgrp ict

If the groups command is issued, the first group on the list would no longer be root but ict.

Creating and deleting groups

The groupadd tool is used to add new groups. It will add an entry in the /etc/group file.

Example: Create the group devel

groupadd devel


groupadd (options)

-g assign a GID

The groupdel tool is used to delete groups. This will remove relevant entries in the /etc/group file.

Example: Delete the group devel

[[Image:]]groupdel devel

Adding a user to a group

Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.

Example: Add andrew to the group devel

gpasswd -a andrew devel

Configuration files

The /etc/passwd and /etc/shadow files:

The names of all the users on the system are kept in /etc/passwd. This file has the following structure:

# Login name
  1. Password (or x if using a shadow file)
  1. The UID
  1. The GID
  1. Text description for the user
  2. The user's home directory

7. The user's shell

These 7 fields are separated by colons. As in the example below.

george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash

Shadow Passwords

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.

If you don't have a shadow file in /etc then you should issue the following command:

/usr/sbin/pwconv (passwd -> shadow)

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can do so using:

/usr/sbin/pwunconv (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However, when using pwunconv make sure to change the permissions on /etc/password (600 or 400).

The /etc/group and gshadow files:

In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.

# Group name
  1. The group password (or x if gshadow file exists)
  2. The GID
  3. A comma separated list of members

Example /etc/group entry:

java:x:550:jade, eric, rufus

As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch backwards and forward from shadow to non-shadow files are as follows:

/usr/sbin/grpconvcreates the /etc/gshadow file


/usr/sbin/grpunconvdeletes the gshadow file

The /etc/login.defs and /etc/skel/ files

The /etc/login.defs file contains the following information:

  • the mail spool directory: MAIL_DIR
  • password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
  • max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX
  • max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX
  • automatically create a home directory with useradd: CREATE_HOME


The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profiles, … these can be viewed by Viewing hidden files, in the user's home directory.

Modifying accounts and default settings[edit | edit source]

All available options while creating a user or a group can be modified. The usermod utility has the following main options:


usermod (options)

-d the users directory
-g the users initial GID
-l the user's login name
-u the user's UID
-s the default shell.

Notice these options are the same as for useradd.

In the example below, User brian has been renamed to user2, and his shell is now the TurboC shell, and his home directory has also been changed.

# usermod -l user2 -s /bin/tcsh -d /home/user2 brian

Likewise, you can change details about a group with the groupmod utility. There are mainly two options:

-g the GID
-n the group name.

Locking an account

A user’s account can be locked by prefixing an exclamation mark to the user’s password. This can also be done with the following command line tools:

Lock Unlock
passwd -l passwd -u
usermod -L usermod -U

When using shadow passwords, replace the x with a * A less useful option is to remove the password entirely with passwd -d. Finally, one can also assign /bin/false to the user’s default shell in /etc/passwd.

Changing the password expiry dates:

By default a user’s password is valid for 99999 days, that is 273,9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:


Warning: your password will expire in 6 days

There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.

The chage tool allows an administrator to change all these options.

Usage: chage [-l] [-m min_days] [-M max_days] [-W warn] [-I inactive] [-E expire] [-d last_day] user

The first option –l lists the current policy values for a user. We will only discuss the –E option. This locks an account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.

Notice that all these values are stored in the /etc/shadow file, and can be edited directly.

Removing an account

A user’s account may be removed with the userdel command. To make sure that the user’s home directory is also deleted use the -r option.

userdel -r jade


Special-purpose accounts

Root has a user id of 0, whereas other some users have user id's starting at the UID_MIN value set in /etc/login.defs, usually set to 500 or 1000.

Root is not the only special purpose account on a Linux system. There are others for daemons such as mail, SSH, FTP, news, and others. These accounts can be viewed from the /etc/passwd file.

ntp:x:38:38::/etc/ntp:/sbin/nologin mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: nobody:x:99:99:Nobody:/:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

As you can imagine, special purpose accounts cannot be accessed via regular login. They help to control files and daemons, and as such have a special login shell : /sbin/nologin, or /bin/false. Any login attempts on these shells will automatically fail.



The following is a partial list of the files, terms and utilities that were used.* /etc/passwd

  • /etc/shadow
  • /etc/group
  • /etc/skel
  • chage[check spelling]
  • groupadd
  • groupdel
  • groupmod
  • passwd
  • useradd
  • userdel
  • usermod


Previous Chapter | Next Chapter