In this chapter you will learn how to manage users.
In this chapter, future Linux administrators will learn how to:
add, delete or modify a group; add, delete or modify a user; understand the files associated with users and groups and learn how to manage them; change the owner or the group owner of a file; secure user accounts; change identity.
users
Knowledge: Complexity:
General Group management User management File owners Guest management Securing Advanced management Identity change
Each user must have a group, which is called the user's primary group.
Several users can be part of the same group.
Groups other than the primary group are called the user's supplementary groups.
!!! Note
Each user has a primary group and can be invited into one or more supplementary groups.
Groups and users are managed by their unique numerical identifiers GID and UID.
GID
UID
Both UID and GID are recognized by the kernel, which means that the Super Admin is not necessarily the root user, as long as the uid=0 user is the Super Admin.
The files related to users/groups are:
!!! Danger
You should always use the administration commands instead of manually editing the files.
Modified files, added lines:
/etc/group
/etc/gshadow
groupadd
The groupadd command adds a group to the system.
groupadd [-f] [-g GID] group
Example:
$ sudo groupadd -g 1012 GroupeB
-g GID
-f
-g
-r
SYS_GID_MIN
SYS_GID_MAX
/etc/login.defs
Group naming rules:
Under **Debian**, the administrator should use, except in scripts intended to be portable to all Linux distributions, the `addgroup` and `delgroup` commands as specified in the `man`: ``` $ man addgroup DESCRIPTION adduser and addgroup add users and groups to the system according to command line options and configuration information in /etc/adduser.conf. They are friendlier front ends to the low-level tools like useradd, groupadd and usermod programs, by default, choosing Debian policy conformant UID and GID values, creating a home directory with skeletal configuration, running a custom script, and other features. ```
groupmod
The groupmod command allows you to modify an existing group on the system.
groupmod [-g GID] [-n nom] group
$ sudo groupmod -g 1016 GroupP $ sudo groupmod -n GroupC GroupB
-n name
It is possible to change the name of a group, its GID or both simultaneously.
After modification, the files belonging to the group have an unknown GID. They must be reassigned the new GID.
$ sudo find / -gid 1002 -exec chgrp 1016 {} \;
groupdel
The groupdel command is used to delete an existing group on the system.
groupdel group
$ sudo groupdel GroupC
!!! Tip
When deleting a group, there are two conditions that can occur: * If a user has a unique primary group and you issue the `groupdel` command on that group, you will be prompted that there is a specific user under the group and it cannot be deleted. * If a user belongs to a supplementary group (not the primary group for the user) and that group is not the primary group for another user on the system, then the `groupdel` command will delete the group without any additional prompts. Examples: ```bash Shell > useradd testa Shell > id testa uid=1000(testa) gid=1000(testa) group=1000(testa) Shell > groupdel testa groupdel: cannot remove the primary group of user 'testa' Shell > groupadd -g 1001 testb Shell > usermod -G testb root Shell > id root uid=0(root) gid=0(root) group=0(root),1001(testb) Shell > groupdel testb ```
When you delete a user using the `userdel -r` command, the corresponding primary group is also deleted. The primary group name is usually the same as the username.
Each group has a unique `GID`. A group can be used by multiple users as a supplementary group. By convention, The GID of super administrator is 0. The GIDS reserved for some services or processes are 201~999, which are called system groups or pseudo user groups. The GID for users is usually greater than or equal to 1000. These are related to <font color=red>/etc/login.defs</font>, which we will talk about later. ```bash # Comment line ignored shell > cat /etc/login.defs MAIL_DIR /var/spool/mail UMASK 022 HOME_MODE 0700 PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 SYS_UID_MIN 201 SYS_UID_MAX 999 GID_MIN 1000 GID_MAX 60000 SYS_GID_MIN 201 SYS_GID_MAX 999 CREATE_HOME yes USERGROUPS_ENAB yes ENCRYPT_METHOD SHA512 ```
Since a user is necessarily part of a group, it is best to create the groups before adding the users. Therefore, a group may not have any members.
This file contains the group information (separated by :).
:
$ sudo tail -1 /etc/group GroupP:x:516:patrick (1) (2)(3) (4)
x
Each line in the /etc/group file corresponds to a group. The primary user info is stored in /etc/passwd.
/etc/passwd
This file contains the security information about the groups (separated by :).
$ sudo grep GroupA /etc/gshadow GroupA:$6$2,9,v...SBn160:alain:rockstar (1) (2) (3) (4)
!!! Warning
The name of the group in **/etc/group** and **/etc/gshadow** must correspond one by one, that is, each line in the **/etc/group** file must have a corresponding line in the **/etc/gshadow** file.
An ! in the password indicates that it is locked. Thus, no user can use the password to access the group (since group members do not need it).
!
A user is defined as follows in the /etc/passwd file:
/etc/shadow
/bin/bash
/bin/nologin
There are three types of users:
useradd
The useradd command is used to add a user.
useradd [-u UID] [-g GID] [-d directory] [-s shell] login
$ sudo useradd -u 1000 -g 1013 -d /home/GroupC/carine carine
-u UID
group name
-G GID1,[GID2]...
-d directory
-s shell
-c COMMENT
-U
-M
At creation, the account has no password and is locked.
A password must be assigned to unlock the account.
When the useradd command does not have any options, it appears:
uid
gid
Shell > useradd test1 Shell > tail -n 1 /etc/passwd test1:x:1000:1000::/home/test1:/bin/bash Shell > tail -n 1 /etc/shadow test1:!!:19253:0:99999:7::: Shell > tail -n 1 /etc/group ; tail -n 1 /etc/gshadow test1:x:1000: test1:!::
Account naming rules:
-u
-d
-s
The home directory tree must be created except for the last directory.
The last directory is created by the useradd command, which takes the opportunity to copy the files from /etc/skel into it.
/etc/skel
A user can belong to several groups in addition to their primary group.
$ sudo useradd -u 1000 -g GroupA -G GroupP,GroupC albert
Under **Debian**, you will have to specify the `-m` option to force the creation of the login directory or set the `CREATE_HOME` variable in the `/etc/login.defs` file. In all cases, the administrator should use the `adduser` and `deluser` commands as specified in the `man`, except in scripts intended to be portable to all Linux distributions: ``` $ man useradd DESCRIPTION **useradd** is a low-level utility for adding users. On Debian, administrators should usually use **adduser(8)** instead. ```
Modification of the file /etc/default/useradd.
/etc/default/useradd
useradd -D [-b directory] [-g group] [-s shell]
$ sudo useradd -D -g 1000 -b /home -s /bin/bash
-D
-b directory
-g group
-e
usermod
The usermod command allows to modify a user.
usermod [-u UID] [-g GID] [-d directory] [-m] login
$ sudo usermod -u 1044 carine
Options identical to the useradd command.
-m
-l login
-e YYYY-MM-DD
-L
-a
-G
To be modified, a user must be disconnected and have no running processes.
After changing the identifier, the files belonging to the user have an unknown UID. It must be reassigned to the new UID.
Where 1000 is the old UID and 1044 is the new one. Examples are as follows:
1000
1044
$ sudo find / -uid 1000 -exec chown 1044: {} \;
Locking and unlocking of user account, Examples are as follows:
Shell > usermod -L test1 Shell > grep test1 /etc/shadow test1:!$6$n.hxglA.X5r7X0ex$qCXeTx.kQVmqsPLeuvIQnNidnSHvFiD7bQTxU7PLUCmBOcPNd5meqX6AEKSQvCLtbkdNCn.re2ixYxOeGWVFI0:19259:0:99999:7::: Shell > usermod -U test1
The difference between the -aG option and the -G option can be explained by the following example:
-aG
Shell > useradd test1 Shell > passwd test1 Shell > groupadd groupA ; groupadd groupB ; groupadd groupC ; groupadd groupD Shell > id test1 uid=1000(test1) gid=1000(test1) groups=1000(test1) Shell > gpasswd -a test1 groupA Shell > id test1 uid=1000(test1) gid=1000(test1) groups=1000(test1),1002(groupA) Shell > usermod -G groupB,groupC test1 Shell > id test1 uid=1000(test1) gid=1000(test1) gorups=1000(test1),1003(groupB),1004(groupC) Shell > usermod -aG groupD test1 uid=1000(test1) gid=1000(test1) groups=1000(test1),1003(groupB),1004(groupC),1005(groupD)
userdel
The userdel command allows you to delete a user's account.
$ sudo userdel -r carine
/var/spool/mail/
To be deleted, a user must be logged out and have no running processes.
The userdel command removes the corresponding lines in /etc/passwd, / etc/shadow, /etc/group, /etc/gshadow. As mentioned above, userdel -r will also delete the corresponding primary group of the user.
/ etc/shadow
userdel -r
This file contains user information (separated by :).
$ sudo head -1 /etc/passwd root:x:0:0:root:/root:/bin/bash (1)(2)(3)(4)(5) (6) (7)
This file contains the users' security information (separated by :).
$ sudo tail -1 /etc/shadow root:$6$...:15399:0:99999:7::: (1) (2) (3) (4) (5) (6)(7,8,9)
ENCRYPT_METHOD
PASS_MIN_DAYS
PASS_MAX_DAYS
PASS_WARN_AGE
For each line in the `/etc/passwd` file there must be a corresponding line in the `/etc/shadow` file.
For time stamp and date conversion, please refer to the following command format:
# The timestamp is converted to a date, "17718" indicates the timestamp to be filled in. Shell > date -d "1970-01-01 17718 days" # The date is converted to a timestamp, "2018-07-06" indicates the date to be filled in. Shell > echo $(($(date --date="2018-07-06" +%s)/86400+1))
All files necessarily belong to one user and one group.
The primary group of the user creating the file is, by default, the group that owns the file.
chown
The chown command allows you to change the owners of a file.
chown [-R] [-v] login[:group] file
Examples:
$ sudo chown root myfile $ sudo chown albert:GroupA myfile
-R
-v
To change only the owner user:
$ sudo chown albert file
To modify only the owner group:
$ sudo chown :GroupA file
Changing the user and owner group:
$ sudo chown albert:GroupA file
In the following example the group assigned will be the primary group of the specified user.
$ sudo chown albert: file
Change the owner and group of all files in a directory
$ sudo chown -R albert:GroupA /dir1
chgrp
The chgrp command allows you to change the owner group of a file.
chgrp [-R] [-v] group file
$ sudo chgrp group1 file
It is possible to apply to a file an owner and an owner group by taking as reference those of another file:
chown [options] --reference=RRFILE FILE
For example:
chown --reference=/etc/groups /etc/passwd
gpasswd
The command gpasswd allows to manage a group.
gpasswd [option] group
$ sudo gpasswd -A alain GroupA [alain]$ gpasswd -a patrick GroupA
-a USER
-A USER,...
-d USER
-M USER,...
The command gpasswd -M acts as a modification, not an addition.
gpasswd -M
# gpasswd GroupeA New Password: Re-enter new password:
!!! note
In addition to using `gpasswd -a` to add users to a group, you can also use the `usermod -G` or `usermod -AG` mentioned earlier.
id
The id command displays the group names of a user.
id USER
$ sudo id alain uid=1000(alain) gid=1000(GroupA) groupes=1000(GroupA),1016(GroupP)
newgrp
The newgrp command can select a group from the user's supplementary groups as the user's new temporary primary group. The newgrp command every time you switch a user's primary group, there will be a new child shell(child process). Be careful! child shell and sub shell are different.
newgrp [secondarygroups]
Shell > useradd test1 Shell > passwd test1 Shell > groupadd groupA ; groupadd groupB Shell > usermod -G groupA,groupB test1 Shell > id test1 uid=1000(test1) gid=1000(test1) groups=1000(test1),1001(groupA),1002(groupB) Shell > echo $SHLVL ; echo $BASH_SUBSHELL 1 0 Shell > su - test1 Shell > touch a.txt Shell > ll -rw-rw-r-- 1 test1 test1 0 10月 7 14:02 a.txt Shell > echo $SHLVL ; echo $BASH_SUBSHELL 1 0 # Generate a new child shell Shell > newgrp groupA Shell > touch b.txt Shell > ll -rw-rw-r-- 1 test1 test1 0 10月 7 14:02 a.txt -rw-r--r-- 1 test1 groupA 0 10月 7 14:02 b.txt Shell > echo $SHLVL ; echo $BASH_SUBSHELL 2 0 # You can exit the child shell using the `exit` command Shell > exit Shell > logout Shell > whoami root
passwd
The passwd command is used to manage a password.
passwd [-d] [-l] [-S] [-u] [login]
Shell > passwd -l albert Shell > passwd -n 60 -x 90 -w 80 -i 10 patrick
-l
-S
-n DAYS
-x DAYS
-w DAYS
-i DAYS
Use password -l, that is, add "!!" at the beginning of the password field of the user corresponding to /etc/shadow.
password -l
[alain]$ passwd
$ sudo passwd alain
The `passwd` command is available to users to change their password (the old password is requested). The administrator can change the passwords of all users without restriction.
They will have to comply with the security restrictions.
When managing user accounts by shell script, it may be useful to set a default password after creating the user.
This can be done by passing the password to the passwd command.
$ sudo echo "azerty,1" | passwd --stdin philippe
The password is entered in clear text, `passwd` takes care of encrypting it.
chage
The chage command is change user password expiry information.
chage [-d date] [-E date] [-I days] [-l] [-m days] [-M days] [-W days] [login]
$ sudo chage -m 60 -M 90 -W 80 -I 10 alain
-I DAYS
-m DAYS
-M DAYS
-d LAST_DAY
-E EXPIRE_DATE
-W WARN_DAYS
# The `chage` command also offers an interactive mode. $ sudo chage philippe # The `-d` option forces the password to be changed at login. $ sudo chage -d 0 philippe
Configuration files:
Editing the `/etc/default/useradd` file is done with the `useradd` command. The other files are to be modified with a text editor.
This file contains the default data settings.
When creating a user, if the options are not specified, the system uses the default values defined in `/etc/default/useradd`.
This file is modified by the command useradd -D (useradd -D entered without any other option displays the contents of the /etc/default/useradd file).
useradd -D
Shell > grep -v ^# /etc/default/useradd GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel CREATE_MAIL_SPOOL=yes
GROUP
HOME
INACTIVE
-1
EXPIRE
SHELL
SKEL
CREATE_MAIL_SPOOL
If you do not need a primary group with the same name when creating users, you can do this:
Shell > useradd -N test2 Shell > id test2 uid=1001(test2) gid=100(users) groups=100(users)
# Comment line ignored shell > cat /etc/login.defs MAIL_DIR /var/spool/mail UMASK 022 HOME_MODE 0700 PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 SYS_UID_MIN 201 SYS_UID_MAX 999 GID_MIN 1000 GID_MAX 60000 SYS_GID_MIN 201 SYS_GID_MAX 999 CREATE_HOME yes USERGROUPS_ENAB yes ENCRYPT_METHOD SHA512
UMASK 022: This means that the permission to create a file is 755 (rwxr-xr-x). However, for the sake of security, GNU/Linux does not have x permission for newly created files, this restriction applies to root(uid=0) and ordinary users(uid>=1000). For example:
UMASK 022
Shell > touch a.txt Shell > ll -rw-r--r-- 1 root root 0 Oct 8 13:00 a.txt
HOME_MODE 0700: The permissions of an ordinary user's home directory. Does not work for root's home directory.
HOME_MODE 0700
Shell > ll -d /root dr-xr-x---. 10 root root 4096 Oct 8 13:12 /root Shell > ls -ld /home/test1/ drwx------ 2 test1 test1 4096 Oct 8 13:10 /home/test1/
USERGROUPS_ENAB yes: "When you delete a user using the userdel -r command, the corresponding primary group is also deleted." Why? That's the reason.
USERGROUPS_ENAB yes
When a user is created, their home directory and environment files are created. You can think of the files in the /etc/skel/ directory as the file templates you need to create users.
/etc/skel/
These files are automatically copied from the /etc/skel directory.
.bash_logout
.bash_profile
.bashrc
All files and directories placed in this directory will be copied to the user tree when they are created.
su
The su command allows you to change the identity of the connected user.
su [-] [-c command] [login]
$ sudo su - alain [albert]$ su - root -c "passwd alain"
-
-c
If the login is not specified, it will be root.
root
Standard users will have to type the password for the new identity.
You can use the `exit`/`logout` command to exit users who have been switched. It should be noted that after switching users, there is no new `child shell` or `sub shell`, for example: ``` Shell > whoami root Shell > echo $SHLVL ; echo $BASH_SUBSHELL 1 0 Shell > su - test1 Shell > echo $SHLVL ; echo $BASH_SUBSHELL 1 0 ```
Attention please! su and su - are different, as shown in the following example:
su -
Shell > whoami test1 Shell > su root Shell > pwd /home/test1 Shell > env ... USER=test1 PWD=/home/test1 HOME=/root MAIL=/var/spool/mail/test1 LOGNAME=test1 ...
Shell > whoami test1 Shell > su - root Shell > pwd /root Shell > env ... USER=root PWD=/root HOME=/root MAIL=/var/spool/mail/root LOGNAME=root ...
So, when you want to switch users, remember not to lose the -. Because the necessary environment variable files are not loaded, there may be problems running some programs.
Next Chapter