Linux Basics/User management
User management functions
- Functions: adding and deleting users, setting passwords, modifying accounts
- Adding a user: adduser (on Ubuntu) or useradd
useradd [options] username
-u number: sets the user ID (UID)
-g group: sets the primary group
-d /home/user: sets the HOME folder to /home/user
-s /bin/bash: sets the login shell (here the user gets bash by default)
-G group1,group2: supplementary groups the user is also a member of, separated by commas
-m -k /home/existing <username>: creates the home folder with the contents of an existing user's home folder.
- the -m switch creates the home directory; -k indicates where the default files are copied from (e.g. /etc/skel, the skeleton of the home folder)
So a full command looks like this:
useradd -c "test account" -u 1001 -g users -G info,sysadmin -d /home/test -s /bin/bash -m -k /etc/skel test
User information: getent
getent passwd <username>
If we want information about the infotech group:
getent group infotech
Location of user data: /etc/passwd
The /etc/passwd file has the following format:
The fields of a passwd entry are separated with ":" colon characters, and their meaning is the following:
- Username
- Password field (on modern systems an "x", meaning the encrypted password is stored in /etc/shadow)
- User ID (uid)
- Group ID (gid)
- Full name and other information (the GECOS field)
- Home folder
- Login shell
The /etc/shadow file has the following format:
As with the passwd file, each field in the shadow file is separated with ":" colon characters, and the fields are as follows:
- Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
- Password, 13 characters, encrypted. A blank entry (e.g. ::) indicates a password is not required to log in (usually a bad idea), and a "*" entry (e.g. :*:) indicates the account has been disabled; a "!" prefix means the password has been locked (e.g. by usermod -L).
- The number of days (since January 1, 1970) on which the password was last changed.
- The minimum number of days before the password may be changed again (0 indicates it may be changed at any time)
- The maximum number of days after which the password must be changed (99999 indicates the user can keep his or her password unchanged for many, many years)
- The number of days before expiry on which the user is warned about the expiring password (7 for a full week)
- The number of days after the password expires until the account is disabled
- The day (counted in days since January 1, 1970) on which the account expires and is disabled
- A reserved field for possible future use
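As an added example (not part of the original notes), a small shell audit over constructed /etc/passwd and /etc/shadow lines that applies the field meanings above: it spots a second UID 0 account, an empty password field, locked entries, and passwords whose last change plus maximum age is already past. The sample entries, the day numbers and the SAMPLE_PASSWD/SAMPLE_SHADOW names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample entries (not from a real system). Day numbers are days
# since 1970-01-01; 17955 is Feb 28, 2019, the "Last password change" shown in chage -l above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test:x:1001:100:test account:/home/test:/bin/bash
joska:x:1002:100:Joska:/home/joska:/bin/bash
admin2:x:0:0:second uid 0 account:/root:/bin/sh'

SAMPLE_SHADOW='root:$6$constructed$hash:17955:0:99999:7:::
test::17955:0:99999:7:::
joska:!$6$constructed$hash:17955:0:10:7:10::
admin2:$6$constructed$hash:17955:0:99999:7:::'

# Field 3 of passwd is the UID: any second UID 0 account has full root rights.
extra_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# An empty field 2 in shadow (::) means no password is needed to log in.
no_password() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# A leading "!" (usermod -L / passwd -l) or "*" marks a locked or disabled account.
locked() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# The password is expired when last change (field 3) + max days (field 5) is
# before the given day number; 99999 means "effectively never".
expired_on() {
    printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: -v today="$1" '$3 != "" && $5 != "" && $5 < 99999 && $3 + $5 < today { print $1 }'
}

# Full report for a given day number (18000 = Apr 14, 2019).
audit() {
    echo "extra UID 0 accounts: $(extra_uid0)"
    echo "accounts without a password: $(no_password)"
    echo "locked accounts: $(locked)"
    echo "passwords expired on day $1: $(expired_on "$1")"
}
audit 18000
```

Replace the two sample variables with `cat /etc/passwd` and `sudo cat /etc/shadow` to run the same checks on a real host.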
Changing password aging rules: chage
With chage we can set when a user's password expires.
For example, chage -l joska displays the current settings for that user:
Last password change : Feb 28, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
We want joska's password to be valid for at most 10 days after the last change:
chage -M 10 joska
Setting the date on which joska's account expires:
chage -E "2019-12-31" joska
Locking after inactive days
We lock joska's account if the password is not changed within 10 days after it has expired (both forms are equivalent):
chage -I 10 joska
chage --inactive 10 joska
User password: passwd
Changing our own password (run passwd without arguments):
With superuser privilege we can change anybody's password:
# passwd username
Storing password encrypted: /etc/shadow
Modifying user data: chfn
We need the finger package for it.
# chfn -f János janos
# chfn --full-name "Nagy János" janos
- -f, --full-name: full name
- -o, --office: office room number
- -p, --office-phone: office phone number
- -h, --home-phone: home phone number
Deleting a user: deluser, userdel
It's recommended to control its behaviour through /etc/deluser.conf; see the deluser.conf(5) manual page.
deluser --remove-home <username>
deluser --remove-all-files <username>
deluser --backup <username>
deluser --backup-to <directory> <username>
Handling user groups
Creating a group: addgroup, groupadd
Location of group data: /etc/group
The /etc/group file can be edited manually by root (with a text editor: mcedit, nano, etc.).
By default a private group with the user's name is created for every user (e.g. when the kathy user is created, a kathy group is created too).
Adding to a group:
gpasswd -a kathy infotech
- adds kathy to the infotech group
gpasswd -d kathy infotech
- removes kathy from the infotech group
Handling user groups (and user data)
- Changing user accounts: usermod
Adding user mary to the infotech group:
usermod -a -G infotech mary
(With -a the group is appended, so the user's other groups are kept. If we omit -a, the user is removed from every supplementary group not listed after -G.)
Other switches of the usermod command:
- -u value user: changes the user ID (UID)
- -g group user: changes the user's primary group (e.g. usermod -g infotech mari)
- -G group1,group2 user: sets the user's supplementary groups to exactly the given list (without appending)
usermod -G human,economy,sysadmin mary
- -L user: locks the user's password, so the user cannot log in with it (--lock); since this only disables the password, it is combined with -e to also block other login methods such as SSH keys
usermod -L -e 1970-01-01 mary (the expiration date can be earlier than the current date)
- -e value user: expiry date (--expiredate)
- -U user: unlocks the user's password (--unlock)
- -d /new/home user: sets a new home folder (--home)
- -s /bin/shell user: sets the login shell (--shell)
Requesting information about the user:
id
id -nG
User accounts and handling defaults
User account settings
In the /etc/login.defs file some default properties for users can be set, for example where the users' mailboxes are stored.
Logging failed logins into the /var/log/faillog file:
Logging unknown usernames in case of failed logins:
Logging successful logins:
Controlling passwords: by default, when a password expires, when the user can change it, what the minimum length of the password is, and when the warning should be issued:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
Minimum and maximum user IDs for useradd:
UID_MIN 1000
UID_MAX 60000
Minimum and maximum group IDs:
GID_MIN 1000
GID_MAX 60000
Denying login after this number of failed attempts:
The length of the lockout after exceeding the number of unsuccessful logins:
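Added example, not from the original notes: a shell check that reads the password-aging keys out of a constructed /etc/login.defs excerpt with the default values quoted above and reports those weaker than an example baseline (the thresholds are an assumed policy, not a standard), with a hardened excerpt beside it. The WEAK_DEFS/HARDENED_DEFS names and contents are constructed.

```shell
#!/bin/sh
# Constructed excerpt of /etc/login.defs with the defaults quoted above (not a real host).
WEAK_DEFS='# password aging
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000'

# The same keys after hardening (values are an example policy, not a standard).
HARDENED_DEFS='PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
UID_MIN         1000
UID_MAX         60000'

# Print the value of KEY from login.defs text on stdin, ignoring comment lines;
# the last occurrence wins, as it does for the real file.
get_def() {
    awk -v key="$1" '$1 !~ /^#/ && $1 == key { v = $2 } END { print v }'
}

# Report every password-aging value weaker than the thresholds below.
# Prints one "KEY=value (want OP limit)" line per finding; prints nothing when clean.
# Note: on PAM-based systems PASS_MIN_LEN is ignored; length is enforced by pam_pwquality.
check_policy() {
    defs=$1
    max=$(printf '%s\n' "$defs" | get_def PASS_MAX_DAYS)
    min=$(printf '%s\n' "$defs" | get_def PASS_MIN_DAYS)
    len=$(printf '%s\n' "$defs" | get_def PASS_MIN_LEN)
    warn=$(printf '%s\n' "$defs" | get_def PASS_WARN_AGE)
    [ "${max:-99999}" -le 90 ] || echo "PASS_MAX_DAYS=${max:-unset} (want <= 90)"
    [ "${min:-0}" -ge 1 ]      || echo "PASS_MIN_DAYS=${min:-unset} (want >= 1)"
    [ "${len:-0}" -ge 12 ]     || echo "PASS_MIN_LEN=${len:-unset} (want >= 12)"
    [ "${warn:-0}" -ge 7 ]     || echo "PASS_WARN_AGE=${warn:-unset} (want >= 7)"
}

echo "weak defaults:"; check_policy "$WEAK_DEFS"
echo "hardened:"; check_policy "$HARDENED_DEFS"
```

Note that changing login.defs only affects accounts created afterwards; existing users keep the aging values already written to /etc/shadow until chage updates them.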
The defaults used by useradd are stored in /etc/default/useradd:
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
- The /etc/skel folder contains the base content of new home directories.