User and Group Management
Description:
Managing user accounts in Linux is of paramount importance, as every user needs an account just to log in to the system. This section covers creating and deleting users and changing user attributes.
Introduction:
Linux, being a multi-user, multitasking operating system, requires every user to have a user name and a password. To use Linux effectively, we first need to know how to create users and how to use those accounts to log on to and log off from the system.
A few points regarding user accounts:
- The Linux operating system is case sensitive, so commands must be typed in lower case; a command typed in upper case will produce an error.
- Everyone on a Linux system needs a user account.
- Every account has rights and privileges that vary depending on the command and the directory.
- Linux users are organized into groups.
- In RHEL, user accounts are listed in the '/etc/passwd' file.
- Their passwords are made more secure by the use of the '/etc/shadow' file.
- When creating a new account, the default parameters are configured in the '/etc/login.defs' file.
- Default configuration files are stored in a separate directory ('/etc/skel'); they are copied to the user's home directory when the user is created.
Introduction to files that relate to the users of a system:
/etc/passwd
- Linux users are classified into three types
- Administrative (root)
- Regular
- Service
- The administrative root account is created automatically when you install Linux; it has administrative privileges over all services on the machine.
- Regular users have the necessary privileges to perform standard tasks on a Linux computer. They can access programs such as word processors, databases and web browsers. They can store files in their home directories only.
- Services such as Apache, FTP, Squid, mail, games, audio, etc. have their own individual service accounts.
- Each field in the '/etc/passwd' file is delimited by a colon (:).
Column | Function | Comment
1 | Username | Login name of the account
2 | Password | If this field contains an x, the encrypted password is stored in /etc/shadow
3 | UserID | A numeric ID for the user. Assigned by the OS
4 | GroupID | A numeric ID for the default group of the user. Assigned by the OS
5 | Extra information | Commonly used for the user's real name. Can be any comment on the account
6 | Home directory | The path to the user's home directory
7 | Default shell | The shell the user sees after logging in
/etc/shadow
- This is the file that holds the password information of the users of the machine.
- It is readable only by root, and no permissions are granted to anyone else, which makes it more secure than /etc/passwd.
- If you use the standard commands to create new users, basic information is also added to this file, based on the defaults in '/etc/login.defs'.
Column | Function | Comment
1 | Username | Login name
2 | Password | The encrypted password. Blank if the user has no password. A * signifies that a password has not been defined. If the user is disabled from logging in to the system, a ! is displayed.
3 | Number of days | Last time the password was changed, in days after January 1, 1970
4 | Minimum password life | You can't change the password for at least this number of days
5 | Maximum password life | You have to change the password after this number of days
6 | Warning period | You get a warning this many days before your password expires
7 | Disable account | If you don't use your account within this many days after your password expires, you can't log in
8 | Account expiration | If you don't use your account by this date, you won't be able to log in. May be in yyyy-mm-dd format or in number of days after January 1, 1970
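As an added example (not part of these notes), the following POSIX shell function turns one /etc/shadow line into an account state using exactly the eight fields in the table above. The function, the sample entries and their hash values are constructed for illustration; the real /etc/shadow is readable only by root, so the line and the current day number are passed in as arguments instead of being read from the file.

```shell
#!/bin/sh
# Added example, not from the original notes: classify one /etc/shadow entry
# using the eight fields described in the table above. The shadow line and the
# "today" value are passed in, so the function can be exercised on constructed
# data without reading the real /etc/shadow (which only root can open).
#
# Usage: shadow_status '<one line of /etc/shadow>' <today as days since 1970-01-01>
# Prints exactly one word: locked, no-password, empty-password, expired-account,
# inactive, must-change, warn or ok.
shadow_status() {
    # Split the line on ':' into the named fields (a 9th field is reserved).
    IFS=: read -r user hash last min max warn inact expire rest <<EOF
$1
EOF
    today=$2

    # Field 2: the password hash. The table above gives the special values.
    case $hash in
        '!'*) echo locked;         return 0 ;;  # '!' prefix: login disabled (usermod -L)
        '*')  echo no-password;    return 0 ;;  # '*': no password defined (service accounts)
        '')   echo empty-password; return 0 ;;  # blank: login without a password
    esac

    # Field 8: account expiration day, enforced regardless of password age.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo expired-account; return 0
    fi

    # Field 3 = 0 means "must change the password at next login" (shadow(5)).
    if [ "$last" = 0 ]; then
        echo must-change; return 0
    fi

    # An empty field 5 (or 99999) means the password never ages.
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo ok; return 0
    fi

    due=$((last + max))          # the day the password must be changed

    # Field 7: days after 'due' during which the user may still log in to change it;
    # once that grace period is over the account is locked for inactivity.
    if [ -n "$inact" ] && [ "$today" -ge $((due + inact)) ]; then
        echo inactive; return 0
    fi
    if [ "$today" -ge "$due" ]; then
        echo must-change; return 0
    fi
    # Field 6: warning window before the due date.
    if [ -n "$warn" ] && [ "$today" -ge $((due - warn)) ]; then
        echo warn; return 0
    fi
    echo ok
}

# Constructed sample entries (the hashes are placeholders, not real password hashes).
SAMPLE_ALICE='alice:$6$constructed$hash:19700:0:90:7:14:'
SAMPLE_BOB='bob:!$6$constructed$hash:19700:0:99999:7::'
SAMPLE_SVC='svc:*:19700:0:99999:7::'
SAMPLE_GUEST='guest::19700:0:99999:7::'
SAMPLE_CAROL='carol:$6$constructed$hash:19700:0:99999:7::19800'

# Days since the epoch for the real "today", the same unit /etc/shadow uses.
today_days=$(( $(date +%s) / 86400 ))
for entry in "$SAMPLE_ALICE" "$SAMPLE_BOB" "$SAMPLE_SVC" "$SAMPLE_GUEST" "$SAMPLE_CAROL"; do
    printf '%-8s %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$today_days")"
done
```

Passing the day number in makes the function deterministic: with alice's entry (last change 19700, maximum life 90, warning 7, inactivity 14) day 19750 reports ok, 19785 falls inside the warning window, 19795 is past the due date, and 19810 is past the inactivity grace period.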
/etc/skel
- Users have a default set of configuration files and directories.
- The default list of these files is located in the '/etc/skel' directory.
- You can see the files by listing the hidden contents of the skel directory (ls -a /etc/skel).
- All new users will get a copy of these files in their home directories.
File | Purpose
.bashrc | The basic bash configuration file. May include a reference to the general /etc/bashrc
.bash_logout | A file executed when you exit a bash shell. Can include commands appropriate for this purpose, such as clearing your screen
.bash_profile | Configures the bash start-up environment. Appropriate place to add environment variables or to modify the directories in your PATH
.gnome* | Several directories that include start-up settings for the GNOME desktop environment. For example, details of desktop icons such as Trash are stored in .gnome-desktop/Trash
.gtkrc | Adds the Bluecurve theme for the default Red Hat GUI
.kde | A directory that includes auto-start settings for the K Desktop Environment. Not copied to users' home directories if you haven't installed KDE on the computer.
/etc/login.defs
- When you create a new user the basic parameters come from the /etc/login.defs configuration file.
- The version included with Red Hat Linux includes settings for
- Email directories
- Password directories
- UserID numbers
- GroupID numbers
- Creating a home directory
Adding Users - Creating and managing user accounts:
Login/Logout, shutting down, restarting a system and using commands to add users
- To log on to the system, enter your username and password
login: username
password: **********
- To create a user
# useradd username   (read the man page for more controlled user creation)
# man useradd
- To set the password for the newly created user
# passwd username
- To log off the system and log in as a different user
# exit
- To shut down a system
# init 0
# shutdown -h now
# poweroff
- To restart a system
# init 6
# shutdown -r now
# reboot
Editing the /etc/passwd file directly:
- Open the /etc/passwd file for editing using a text editor.
# vim /etc/passwd
- Start a new line. The easiest way to do this is by copying the applicable information from a current user.
- Substitute the information of your choice to create the new user.
- For example, change the user name to testuser, the UID to 1010, the GID to 1010, the full name to "This is a test user" (less the quotes), and the home directory to /home/testuser.
- Save and exit.
- Open the /etc/shadow file for editing using a text editor.
# vim /etc/shadow
- Create a new line by copying the applicable information from a current user.
- Change the group name to testuser and the GID to 1010.
- Save and exit.
- Set up your new user's home directory.
# mkdir -p /home/testuser
- Give the new user access to his home directory.
# chown testuser:testuser /home/testuser
- Assign a new password with the passwd command, then switch to the new account.
# passwd testuser
# su - testuser
- Copy the basic initialization files, which are normally stored in the /etc/skel directory. The cp creates a skel subdirectory inside the home directory; the mv commands move its contents up one level.
# cp -r /etc/skel/ /home/testuser
# cd /home/testuser
# mv skel/* .        (ignore the error message if skel contains no non-hidden files)
# mv skel/.* .       (ignore the error messages about . and ..)
# rmdir skel
- Change the ownership of the files and directories copied to the home directory of the user.
# chown -R testuser:testuser /home/testuser
- Log out from the user's account.
- Assuming you're using the default shadow password suite, run the pwconv and grpconv commands.
# pwconv
# grpconv
Deleting user account by deleting entries in the files:
- Delete the user's entry from the /etc/passwd file.
- Delete the user's entry from the /etc/group file.
- Delete the user's entry from the /etc/shadow file.
- Delete the user's entry from the /etc/gshadow file.
- Delete the user's home directory after saving the files you need.
Commands:
# useradd -u 1010 -g 1010 -s /bin/bash -d /home/testuser -m testuser
# useradd username
# useradd -u UID username             {numeric user ID}
# useradd -g GID username             {primary group, by GID or name}
# useradd -G group1,group2 username   {supplementary groups}
# useradd -c "comment" username       {full name or comment, field 5 of /etc/passwd}
# useradd -s shell username           {login shell, e.g. /bin/bash}
# useradd -e YYYY-MM-DD username      {account expiration date}
# useradd -d home_dir username        {home directory}
# useradd -m username                 {create the home directory if it does not exist}
usermod -l -L -U:
# usermod -l new_login old_login   {to change the user login name}
# usermod -L username              {to lock a user account}
# usermod -U username              {to unlock a user account}
chage:
# chage -m days username   {sets the minimum life of the password, in days}
# chage -M days username   {sets the maximum life of the password, in days}
# chage -I days username   {sets the number of days that an account can be inactive before it is locked}
# chage -W days username   {sets an advance warning, in days, of an upcoming mandatory password change}
# chage -l username        {lists the current password information for the user; can be used by regular users on their own accounts}
The Shadow password Suite:
- The Shadow Password Suite provides all of the commands related to managing Linux users and groups.
- By default Red Hat Linux uses this suite to provide additional security by keeping the encrypted passwords in the /etc/shadow and /etc/gshadow files.
- These files require commands to convert passwords to and from the companion /etc/passwd and /etc/group configuration files.
- These encrypted password files have more restrictive permissions than /etc/passwd or /etc/group; only the root user is allowed to view them, and they are not writable by default.
Converting User Passwords:
- Two commands are associated with converting user passwords in the shadow password suite:
pwconv
pwunconv
pwconv:
- Converts an existing /etc/passwd file. Passwords that currently exist in /etc/passwd are replaced by an "x"; the encrypted password, username and other relevant information are transferred to the /etc/shadow file.
- If you've recently added new users by editing the /etc/passwd file in a text editor, you must run this command again to convert the passwords associated with any new users.
pwunconv:
- Passwords are transferred back to /etc/passwd, and the /etc/shadow file is deleted.
- Be careful, as this also deletes any password aging information.
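As an added example (not from these notes), here is a consistency check over copies of /etc/passwd, /etc/shadow and /etc/group that reports what hand-editing the files (the procedure above) can leave behind and what pwconv exists to repair: a hash still stored in /etc/passwd, a user with no /etc/shadow entry, and a primary GID with no /etc/group entry. It also reports an empty password field and any UID 0 account other than root, which the /etc/passwd field descriptions make easy to spot. The audit_accounts function and the sample files are constructed for this example; on a live host it would be pointed at the real files as root.

```shell
#!/bin/sh
# Added example, not part of the original notes: a consistency check to run over
# copies of /etc/passwd, /etc/shadow and /etc/group after hand-editing them.
# Usage: audit_accounts <passwd-file> <shadow-file> <group-file>
audit_accounts() {
    # awk reads shadow first, then group, then passwd; the first two passes only
    # fill lookup tables, the passwd pass performs the checks.
    awk -F: '
        FILENAME == ARGV[1] { shadow[$1] = 1; next }     # shadow: usernames present
        FILENAME == ARGV[2] { group[$3] = $1; next }     # group: GID -> group name
        {
            if (NF != 7) { printf "%s: malformed entry (%d fields)\n", $1, NF; next }
            if ($2 == "")
                printf "%s: empty password field\n", $1
            else if ($2 != "x")
                printf "%s: password hash kept in /etc/passwd (run pwconv)\n", $1
            if ($3 == 0 && $1 != "root")
                printf "%s: UID 0 account other than root\n", $1
            if ($3 in uid)
                printf "%s: duplicate UID %s (also %s)\n", $1, $3, uid[$3]
            uid[$3] = $1
            if (!($1 in shadow))
                printf "%s: no /etc/shadow entry (run pwconv)\n", $1
            if (!($4 in group))
                printf "%s: primary GID %s not in /etc/group\n", $1, $4
        }' "$2" "$3" "$1"
}

# Constructed sample files in a temporary directory (the hashes are placeholders).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
testuser:x:1010:1010:This is a test user:/home/testuser:/bin/bash
oldsvc:$1$constructedhash:1011:1011:added by hand:/var/lib/oldsvc:/sbin/nologin
backdoor:x:0:0:second root:/root:/bin/bash
guest::1012:1012:guest:/home/guest:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$hash:19700:0:99999:7:::
testuser:$6$constructed$hash:19700:0:99999:7:::
backdoor:$6$constructed$hash:19700:0:99999:7:::
guest::19700:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
testuser:x:1010:
oldsvc:x:1011:
EOF

# One finding per line, in /etc/passwd order.
audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/group"
```

On the sample data the check reports six findings: oldsvc still carries its hash in /etc/passwd and has no shadow entry (both fixed by pwconv), backdoor is a second UID 0 account and duplicates root's UID, and guest has an empty password field and a primary GID that /etc/group does not define.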
/etc/group:
- Every Linux user is assigned to a group.
- By default every user gets their own private group.
- This file has four columns, as follows:
Column | Function | Comment
1 | Group name | By default Red Hat users are members of a group with their username
2 | Password | If you see an 'x' in this column, see /etc/gshadow for the actual encrypted password
3 | GroupID | By default Red Hat users have a GID the same as their UID
4 | Members | Includes the usernames of others that are members of the group
/etc/gshadow:
- The RHEL /etc/gshadow configuration file for groups is analogous to the /etc/shadow file for users.
- It specifies an encrypted password for the applicable group, as well as administrators with privileges for a specific group.
- This file has four columns, as follows:
Column | Function | Comment
1 | Group name | You can create additional groups.
2 | Password | The encrypted group password, added with the gpasswd command.
3 | Group administrators | Users listed here are allowed to manage the members of that group.
4 | Group members | Includes the usernames that are members of the group.
Group Commands:
- # groupadd -g GID groupname
- # groupadd -n
- # groupdel groupname
- # groups <username> {displays the group memberships that the
- # id {to get ID information}