107.1 Manage User and Group Accounts
Candidates should be able to add, remove, suspend and change user accounts.
Key Knowledge Areas
- Add, modify and remove users and groups.
- Manage user/group info in password/group databases.
- Create and manage special purpose and limited accounts.
Linux is a multi-user environment. Each user belongs to one primary group (normally created as default) and possibly to additional groups. Ownership of files in Linux is closely related to user ids and groups. Topic 107.1 prepares you to learn how to add, delete, and manage users and groups. You will also learn about the files in /etc, where user and group information is stored.
Creating New Users
The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.
Syntax: useradd [options] login-name
Example: add a user with login-name brian
Default values will be used when no options are specified. You can list these values with useradd –D.
Default options listed with useradd –D
GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel
NOTE: This information is also available in the file /etc/default/useradd
The id command can be used to display basic information about user, such as their user ID, their group and any other group they may be part of.
# id brian
uid=503(brian) gid=503(brian) groups=503(brian)
To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.
Syntax: passwd login-name
When you press enter, the system will give you a prompt onto which to enter the password. Now the user brian has a password. Because the user was created usign the default settings for the useradd command, the user’s environment such as a home directory, default shell, and his primary group have all been set.
|-c||comment (Full Name)|
|-d||path to home directory|
|-g||initial group (GID). The GID must already exist|
|-G||comma separated list of supplementary groups|
|-s||user’s default shell|
|-p||password (md5 encrypted, use quotes!)|
|-e||account expiry date|
|-k||the skel directory|
|-n||switch off the UPG group scheme|
Working with Groups
Every new user is assigned to an initial (or primary) group. Two conventions exist.
Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.
The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).
NOTE: When using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.
Belonging to Groups
A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.
The list of all groups a user belongs to is obtained with either the groups or id commands.
Example for user root:
|uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel), 600(sales)|
|root bin daemon sys adm disk wheel sales|
Joining a group
Joining a group changes the user’s effective group and starts a new session from which the user can then logout. This is done with the newgrp command. The group should exist already.
Example: joining the ict group
If the groups command is issued, the first group on the list would no longer be root but ict.
Creating and deleting groups
The groupaddtool is used to add new groups. It will add an entry in the /etc/group file.
Example: Create the group devel
|-g||assign a GID|
The groupdel tool is used to delete groups. This will remove relevant entries in the /etc/group file.
Example: Delete the group devel
Adding a user to a group
Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.
Example: Add andrew to the group devel
|gpasswd -a andrew devel|
The /etc/passwd and /etc/shadow files:
The names of all the users on the system are kept in /etc/passwd. This file has the following structure:
|# Login name
7. The user's shell
These 7 fields are separated by colons. As in the example below.
|george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash|
In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.
If you don't have a shadow file in /etc then you should issue the following command:
|/usr/sbin/pwconv (passwd -> shadow)|
This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can do so using:
|/usr/sbin/pwunconv (shadow -> passwd)|
Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However, when using pwunconv make sure to change the permissions on /etc/password (600 or 400).
The /etc/group and gshadow files:
In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.
|# Group name
Example /etc/group entry:
|java:x:550:jade, eric, rufus|
As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch backwards and forward from shadow to non-shadow files are as follows:
|/usr/sbin/grpconvcreates the /etc/gshadow file
|/usr/sbin/grpunconvdeletes the gshadow file|
The /etc/login.defs and /etc/skel/ files
The /etc/login.defs file contains the following information:
- the mail spool directory: MAIL_DIR
- password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
- max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX
- max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX
- automatically create a home directory with useradd: CREATE_HOME
The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profiles, … these can be viewed by Viewing hidden files, in the user's home directory.
Modifying accounts and default settings
All available options while creating a user or a group can be modified. The usermod utility has the following main options:
|-d||the users directory|
|-g||the users initial GID|
|-l||the user's login name|
|-u||the user's UID|
|-s||the default shell.|
Notice these options are the same as for useradd.
In the example below, User brian has been renamed to user2, and his shell is now the TurboC shell, and his home directory has also been changed.
# usermod -l user2 -s /bin/tcsh -d /home/user2 brian
Likewise, you can change details about a group with the groupmod utility. There are mainly two options:
|-n||the group name.|
Locking an account
A user’s account can be locked by prefixing an exclamation mark to the user’s password. This can also be done with the following command line tools:
|passwd -l||passwd -u|
|usermod -L||usermod -U|
When using shadow passwords, replace the x with a * A less useful option is to remove the password entirely with passwd -d. Finally, one can also assign /bin/false to the user’s default shell in /etc/passwd.
Changing the password expiry dates:
By default a user’s password is valid for 99999 days, that is 273,9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:
Warning: your password will expire in 6 days
There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.
The chage tool allows an administrator to change all these options.
Usage: chage [-l] [-m min_days] [-M max_days] [-W warn] [-I inactive] [-E expire] [-d last_day] user
The first option –l lists the current policy values for a user. We will only discuss the –E option. This locks an account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.
Notice that all these values are stored in the /etc/shadow file, and can be edited directly.
Removing an account
A user’s account may be removed with the userdel command. To make sure that the user’s home directory is also deleted use the -r option.
|userdel -r jade|
Root has a user id of 0, whereas other some users have user id's starting at the UID_MIN value set in /etc/login.defs, usually set to 500 or 1000.
Root is not the only special purpose account on a Linux system. There are others for daemons such as mail, SSH, FTP, news, and others. These accounts can be viewed from the /etc/passwd file.
ntp:x:38:38::/etc/ntp:/sbin/nologin mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: nobody:x:99:99:Nobody:/:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
As you can imagine, special purpose accounts cannot be accessed via regular login. They help to control files and daemons, and as such have a special login shell : /sbin/nologin, or /bin/false. Any login attempts on these shells will automatically fail.
The following is a partial list of the files, terms and utilities that were used.* /etc/passwd