L120: Linux System Administration II

Managing Groups and Users

Yüklə 1,05 Mb.

səhifə	4/16
tarix	11.10.2017
ölçüsü	1,05 Mb.
	#4275

1 2 3 4 5 6 7 8 9 ... 16

1. Creating new users
2. Working with groups
3. Configuration files
4. Command options
5. Modifying accounts and default settings
6. Exercises and Summary

Managing Groups and Users

Prerequisites

None

Goals

Manage user accounts

Manage group accounts

Modify accounts settings

1. Creating new users

Step 1: Create an account
The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.

Syntax:

useradd [options] login-name

Example: add a user with login-name rufus

useradd rufus

Default values will be used when no options are specified. You can list these values with useradd –D.

Default options listed with useradd –D

GROUP=100

HOME=/home

INACTIVE=-1

EXPIRE=

SHELL=/bin/bash

SKEL=/etc/skel
Notice that this information is also available in the file /etc/default/useradd

Step 2: Activate the account with a new password
To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.

Syntax:

passwd login-name

These steps create a new user. This has also defined the user’s environment such as a home directory and a default shell. The user has also been assigned to a group, his primary group.

2. Working with groups

Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.
The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).
As a consequence, when using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.

Belonging to groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or id commands.

Example for user root:

List all ID's:

► uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel), 600(sales)

List all groups:

groups

► root bin daemon sys adm disk wheel sales

Joining a group
Joining a group changes the user’s effective group and starts a new session from which the user can then logout. This is done with the newgrp command.

Example: joining the sales group

newgrp sales

If the groups command is issued, the first group on the list would no longer be root but sales.

Creating and deleting groups
The groupadd tool is used to add new groups. It will add an entry in the /etc/group file.

Example: Create the group devel

groupadd devel

The groupdel tool is used to delete groups. This will remove relevant entries in the /etc/group file.

Example: Delete the group devel

groupdel devel

Adding a user to a group
Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.

Example: Add rufus to the group devel

gpasswd -a rufus devel

3. Configuration files

The /etc/passwd and /etc/shadow files:
The names of all the users on the system are kept in /etc/passwd. This file has the following stucture:

Password (or x if using a shadow file)

The UID

The GID

Text description for the user
The user's home directory
The user's shell

These 7 fields are separated by colons. As in the example below.

/etc/passwd entry with encrypted passwd:

george:$1$K05gMbOv$b7ryoKGTd2h:505:505:Dr G Michael:/home/georges:/bin/bash

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.

If you don't have a shadow file in /etc then you should issue the following command:

/usr/sbin/pwconv (passwd -> shadow)

This will leave an 'x' in the 2^nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can do so using

/usr/sbin/pwunconv (shadow -> passwd)

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However when using pwunconv make sure to change the permissions on /etc/password (600 or 400).

The /etc/group and gshadow files:
In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.

Group name
The group password (or x if gshadow file exists)
The GID
A comma separated list of members

Example /etc/group entry:

java:x:550:jade, eric, rufus

As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch backwards and forward from shadow to non-shadow files are as follow

/usr/sbin/grpconv creates the /etc/gshadow file

/usr/sbin/grpunconv deletes the gshadow file

The /etc/login.defs and /etc/skel/ files

The /etc/login.defs file contains the following information:

the mail spool directory:

MAIL_DIR

password aging controls:

PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE

max/min values for automatic UID selection in useradd:

UID_MIN, UID_MAX

max/min values for automatic GID selection in groupadd:

GID_MIN, GID_MAX

automatically create a home directory with useradd:

CREATE_HOME
The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profiles, ...

4. Command options

useradd (options)

-c	comment (Full Name)
-d	path to home directory
-g	initial group (GID). The GID must already exist
-G	comma separated list of supplementary groups
-u	user’s UID
-s	user’s default shell
-p	password (md5 encrypted, use quotes!)
-e	account expiry date
-k	the skel directory
-n	switch off the UPG group scheme

groupadd (options)

-g	assign a GID

5. Modifying accounts and default settings

All available options while creating a user or a group can be modified. The usermod utility has the following main options:

usermod (options)

-d	the users directory
-g	the users initial GID
-l	the user's login name
-u	the user's UID
-s	the default shell.

Notice these options are the same as for useradd.

Likewise, you can change details about a group with the groupmod utility. There are mainly two options:
groupmod (options)

-g	the GID
-n	the group name.

Locking an account

A user’s account can be locked by prefixing an exclamation mark to the user’s password. This can also be done with the following command line tools:

Lock	Unlock
passwd -l	passwd -u
usermod -L	usermod -U

When using shadow passwords, replace the x with a *

A less useful option is to remove the password entirely with passwd -d.

Finally, one can also assign /bin/false to the user’s default shell in /etc/passwd.

Changing the password expiry dates:
By default a user’s password is valid for 99999 days, that is 273,9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:
Warning: your password will expire in 6 days
There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.
The chage tool allows an administrator to change all these options.
Usage: chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ]

[ -I inactive ] [ -E expire ] [ -d last_day ] user

The first option –l lists the current policy values for a user. We will only discuss the –E option. This locks an account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.
Notice that all these values are stored in the /etc/shadow file, and can be edited directly.

Removing an account:
A user’s account may be removed with the userdel command line. To make sure that the user’s home directory is also deleted use the -r option.

userdel -r jade

6. Exercises and Summary

Files

File	Description
/etc/group	contains the names of all the groups on the system
/etc/gshadow	contains (optionally) passwords associated to a group
/etc/login.defs	contains predefined values needed when adding a new user such as the minimum and maximum UID and GID, the minimum password length, etc
/etc/passwd	passwd(5) – text file that contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. Often, it also contains the encryptedpasswords for each account. It should have general read permission (many utilities, like ls(1) use it to map user IDs to user names), but write access only for the superuser
/etc/shadow	shadow(5) – contains the encrypted password information for user’s accounts and optional the password aging information
/etc/skel/	directory containing files and directories to be copied into the home directory of every newly created user

Commands

Commands	Description
chage	chage(1) – changes a user's password expiry information
gpasswd	gpasswd(1) – administer the /etc/group file
groupadd	add a new group to the system
groupmod	modify an exiting group
groups	print out all the groups a user belongs to
id	print out the UID as well as the GIDs of all the groups a user belongs to
passwd	change the password for an account
useradd	add a new user to the system
usermod	modify an existing user account

Yüklə 1,05 Mb.

Dostları ilə paylaş:

1 2 3 4 5 6 7 8 9 ... 16