Prerequisites
Goals
1. Creating new users
Step 1: Create an account
The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.
Syntax:
useradd [options] login-name
Example: add a user with login-name rufus
useradd rufus
|
Default values will be used when no options are specified. You can list these values with useradd –D.
Default options listed with useradd –D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
Notice that this information is also available in the file /etc/default/useradd
Step 2: Activate the account with a new password
To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.
Syntax:
passwd login-name
These steps create a new user. This has also defined the user’s environment such as a home directory and a default shell. The user has also been assigned to a group, his primary group.
2. Working with groups
Every new user is assigned to an initial (or primary) group. Two conventions exist.
Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.
The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).
As a consequence, when using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.
Belonging to groups
A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.
The list of all groups a user belongs to is obtained with either the groups or id commands.
Example for user root:
List all ID's:
id
| -
► uid=0(root) gid=0(root) groups=0(root), 1(bin), 2(daemon), 3(sys), 4(adm), 6(disk), 10(wheel), 600(sales)
|
List all groups:
groups
| -
► root bin daemon sys adm disk wheel sales
|
Joining a group
Joining a group changes the user’s effective group and starts a new session from which the user can then logout. This is done with the newgrp command.
Example: joining the sales group
|
newgrp sales
|
If the groups command is issued, the first group on the list would no longer be root but sales.
Creating and deleting groups
The groupadd tool is used to add new groups. It will add an entry in the /etc/group file.
Example: Create the group devel
groupadd devel
|
The groupdel tool is used to delete groups. This will remove relevant entries in the /etc/group file.
Example: Delete the group devel
groupdel devel
|
Adding a user to a group
Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from a group and assign an administrator (-A). The tool was originally designed to set a single password on a group, allowing members of the same group to login with the same password. For security reasons this feature no longer works.
Example: Add rufus to the group devel
gpasswd -a rufus devel
| 3. Configuration files
The /etc/passwd and /etc/shadow files:
The names of all the users on the system are kept in /etc/passwd. This file has the following stucture:
-
Login name
-
Password (or x if using a shadow file)
-
The UID
-
The GID
-
Text description for the user
-
The user's home directory
-
The user's shell
|
These 7 fields are separated by colons. As in the example below.
/etc/passwd entry with encrypted passwd:
george:$1$K05gMbOv$b7ryoKGTd2h:505:505:Dr G Michael:/home/georges:/bin/bash
|
In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow file then holds the user names and encrypted passwords and is readable only by root.
If you don't have a shadow file in /etc then you should issue the following command:
/usr/sbin/pwconv (passwd -> shadow)
|
This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can do so using
/usr/sbin/pwunconv (shadow -> passwd)
|
Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400). However when using pwunconv make sure to change the permissions on /etc/password (600 or 400).
The /etc/group and gshadow files:
In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.
-
Group name
-
The group password (or x if gshadow file exists)
-
The GID
-
A comma separated list of members
|
Example /etc/group entry:
java:x:550:jade, eric, rufus
|
As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities used to switch backwards and forward from shadow to non-shadow files are as follow
/usr/sbin/grpconv creates the /etc/gshadow file
|
The /etc/login.defs and /etc/skel/ files
The /etc/login.defs file contains the following information:
-
the mail spool directory:
MAIL_DIR
PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
-
max/min values for automatic UID selection in useradd:
UID_MIN, UID_MAX
-
max/min values for automatic GID selection in groupadd:
GID_MIN, GID_MAX
-
automatically create a home directory with useradd:
CREATE_HOME
The /etc/skel directory contains default files that will be copied to the home directory of newly created users: .bashrc, .bash_profiles, ...
4. Command options
useradd (options)
-
-c
|
comment (Full Name)
|
-d
|
path to home directory
|
-g
|
initial group (GID). The GID must already exist
|
-G
|
comma separated list of supplementary groups
|
-u
|
user’s UID
|
-s
|
user’s default shell
|
-p
|
password (md5 encrypted, use quotes!)
|
-e
|
account expiry date
|
-k
|
the skel directory
|
-n
|
switch off the UPG group scheme
|
groupadd (options)
-
5. Modifying accounts and default settings
All available options while creating a user or a group can be modified. The usermod utility has the following main options:
usermod (options)
-
-d
|
the users directory
|
-g
|
the users initial GID
|
-l
|
the user's login name
|
-u
|
the user's UID
|
-s
|
the default shell.
|
Notice these options are the same as for useradd.
Likewise, you can change details about a group with the groupmod utility. There are mainly two options:
groupmod (options)
-
-g
|
the GID
|
-n
|
the group name.
|
Locking an account
-
A user’s account can be locked by prefixing an exclamation mark to the user’s password. This can also be done with the following command line tools:
-
Lock
|
Unlock
|
passwd -l
|
passwd -u
|
usermod -L
|
usermod -U
|
-
When using shadow passwords, replace the x with a *
-
A less useful option is to remove the password entirely with passwd -d.
-
Finally, one can also assign /bin/false to the user’s default shell in /etc/passwd.
Changing the password expiry dates:
By default a user’s password is valid for 99999 days, that is 273,9 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:
Warning: your password will expire in 6 days
There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.
The chage tool allows an administrator to change all these options.
Usage: chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ]
[ -I inactive ] [ -E expire ] [ -d last_day ] user
The first option –l lists the current policy values for a user. We will only discuss the –E option. This locks an account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.
Notice that all these values are stored in the /etc/shadow file, and can be edited directly.
Removing an account:
A user’s account may be removed with the userdel command line. To make sure that the user’s home directory is also deleted use the -r option.
userdel -r jade
|
6. Exercises and Summary
Files
File
|
Description
|
/etc/group
|
contains the names of all the groups on the system
|
/etc/gshadow
|
contains (optionally) passwords associated to a group
|
/etc/login.defs
|
contains predefined values needed when adding a new user such as the minimum and maximum UID and GID, the minimum password length, etc
|
/etc/passwd
|
passwd(5) – text file that contains a list of the system’s accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. Often, it also contains the encryptedpasswords for each account. It should have general read permission (many utilities, like ls(1) use it to map user IDs to user names), but write access only for the superuser
|
/etc/shadow
|
shadow(5) – contains the encrypted password information for user’s accounts and optional the password aging information
|
/etc/skel/
|
directory containing files and directories to be copied into the home directory of every newly created user
|
Commands
Commands
|
Description
|
chage
|
chage(1) – changes a user's password expiry information
|
gpasswd
|
gpasswd(1) – administer the /etc/group file
|
groupadd
|
add a new group to the system
|
groupmod
|
modify an exiting group
|
groups
|
print out all the groups a user belongs to
|
id
|
print out the UID as well as the GIDs of all the groups a user belongs to
|
passwd
|
change the password for an account
|
useradd
|
add a new user to the system
|
usermod
|
modify an existing user account
|
Dostları ilə paylaş: |