Description: Candidates should be able to add, remove, suspend and change user accounts.
Key Knowledge Areas:
Add, modify and remove users and groups
Manage user/group info in password/group databases
Create and manage special purpose and limited accounts
Terms and Utilities:
The passwd command changes passwords for user accounts. A normal user can only change the password for their own account, but the superuser can change the password for any account.
user1@ubuntu:~$ passwd
Changing password for user1.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Before a normal user can change their own password, they must first enter their current password for verification. (The superuser can bypass this step when changing another user's password.)
After the current password has been verified, passwd checks whether the user is allowed to change the password at this time (the minimum-age field in /etc/shadow, see chage below). The user is then prompted twice for the new password.
Next, the new password is tested for strength by the PAM stack (pam_unix, plus pam_pwquality or pam_cracklib where configured). With the default pam_unix settings a password must be at least 6 characters long, and the "obscure" checks also reject passwords that are too simple or too similar to the old one; the exact rules depend on the distribution's /etc/pam.d/common-password (or system-auth).
The root user can set any user's password to anything, even a weak one, without providing the current password. The strength checks only warn root unless PAM is configured to enforce them for root as well (for example the enforce_for_root option of pam_pwquality):
root@ubuntu:~# passwd user1
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Groups can also have passwords, set with the gpasswd command, but group passwords are almost never used in practice (see /etc/gshadow below).
We have learned that Linux is a multiuser system. Recall that we can log in as one user and become another user with the su or sudo commands.
Linux also has the concept of groups.
Each user belongs to one primary group and possibly to additional (supplementary) groups.
Each file belongs to one user and one group.
Now we learn how to create, delete and manage users and groups.
We add a user to a Linux system with the useradd command:
useradd <options> <username_or_login>
  -d, --home-dir HOME_DIR   home directory of the new account
  -m, --create-home         create the user's home directory (and copy /etc/skel into it)
  -s, --shell SHELL         login shell of the new account
  -G, --groups GROUPS       add the user to these additional (supplementary) groups
  -c, --comment COMMENT     comment (GECOS) field, most of the time the user's actual name
Whether useradd creates the home directory by default depends on CREATE_HOME in /etc/login.defs: yes on Red Hat-based distributions, no on Debian and Ubuntu, where a bare useradd leaves the user with no home directory and with whatever SHELL is set to in /etc/default/useradd (if that is empty, the shell field stays empty, as for user1 and user2 in the /etc/passwd listing below, and login falls back to /bin/sh). Pass -m and -s explicitly to be sure. Example (Ubuntu 16):
root@ubuntu:~# useradd -m -d /home/user3 -c "Dear user3" -s /bin/bash user3
We can use the usermod command to modify an existing account. Most of the options of useradd are accepted, except that usermod cannot create or populate a new home directory for the user (it can move an existing one with -m together with -d).
usermod <options> <username_or_login>
  -L, --lock            lock the user account (puts a ! in front of the password hash)
  -U, --unlock          unlock the user account
  -g, --gid GROUP       force use GROUP as the new primary group
  -G, --groups GROUPS   new list of additional groups (the user is removed from all previous additional groups)
  -a, --append          append the user to the additional groups given with -G, without removing him/her from other groups
Note that -L only blocks password authentication: a user who has an SSH key installed can still log in. To really disable an account, expire it as well (usermod -L -e 1 user), as the passwd(1) man page recommends.
root@ubuntu:~# id user3
uid=1003(user3) gid=1003(user3) groups=1003(user3)
root@ubuntu:~# usermod -g user1 user3
root@ubuntu:~# id user3
uid=1003(user3) gid=1001(user1) groups=1001(user1),1003(user3)
root@ubuntu:~# usermod -G user2 user3
root@ubuntu:~# id user3
uid=1003(user3) gid=1001(user1) groups=1001(user1),1002(user2)
root@ubuntu:~# usermod -aG payam user3
root@ubuntu:~# id user3
uid=1003(user3) gid=1001(user1) groups=1001(user1),1000(payam),1002(user2)
### let's turn back to the default settings
root@ubuntu:~# usermod -g user3 -G user3 user3
root@ubuntu:~# id user3
uid=1003(user3) gid=1003(user3) groups=1003(user3)
We can delete a user with the userdel command:
userdel <options> <username_or_login>
userdel by default does not remove the user's home directory.
  -f, --force    force removal of files: remove the account even if the user is still logged in, and remove the home directory and mail spool even if another user shares them or does not own them
  -r, --remove   remove the home directory and mail spool
root@ubuntu:~# userdel -f -r user3
userdel: user3 mail spool (/var/mail/user3) not found
Files the user owned outside the home directory (in /tmp, /var or project directories) are left behind with an orphaned numeric UID, and a future account that reuses that UID silently inherits them. Find them with find / -nouser before the UID is handed out again.
Similarly, we can add or delete groups with groupadd and groupdel:
groupadd [options] group
  -g, --gid GID             use GID for the new group
  -f, --force               exit successfully if the group already exists, and cancel -g if the GID is already used
  -p, --password PASSWORD   use this encrypted password for the new group (it must already be a crypt(3) hash; groupadd does not hash it for you)
root@ubuntu:~# groupadd -g 666 group1
root@ubuntu:~# groupadd -g 666 group1
groupadd: group 'group1' already exists
root@ubuntu:~# echo $?
9
root@ubuntu:~# groupadd -f -g 666 group1
root@ubuntu:~# echo $?
0
Exit status 9 means "group name not unique"; with -f the call becomes idempotent, which is what you want in provisioning scripts.
When you need to modify group information, use groupmod:
groupmod [options] GROUP
  -n, --new-name NEW_GROUP   change the group name
  -g, --gid GID              change the group ID
The groupdel command requires only the group name; in day-to-day use it has no options. You cannot delete a group that is the primary group of any user.
root@ubuntu:~# groupdel newgroup1
Note: if root deletes a group that has members, the users are not deleted; they simply stop being members of that group. Files owned by the deleted GID keep that number and ls -l shows the number instead of a name (find them with find / -nogroup).
When we run the useradd command, it performs the following major steps:
It adds entries for the new account to /etc/passwd and /etc/shadow and, when a private user group is created (USERGROUPS_ENAB yes in /etc/login.defs, the default on most distributions), to /etc/group and /etc/gshadow.
With -m (or CREATE_HOME yes) it creates the home directory and populates it from /etc/skel.
It sets the ownership of the home directory to the new user and its permissions according to UMASK in /etc/login.defs (HOME_MODE in newer shadow-utils releases).
What are those files?
/etc/passwd is the password file containing basic information about users.
root@ubuntu:~# tail /etc/passwd
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
user1:x:1001:1001::/home/user1:
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:122:129:MySQL Server,,,:/nonexistent:/bin/false
user2:x:1002:1002::/home/user2:
postfix:x:123:130::/var/spool/postfix:/bin/false
It has one line for each user in the system. Each line has seven colon-separated fields:
Username: should be between 1 and 32 characters.
Password: an x means the hash is stored in /etc/shadow (discussed below).
User ID (UID): each user is assigned a numeric user ID. UID 0 (zero) is reserved for root; UIDs 1-99 are reserved for other predefined accounts and UIDs 100-999 for administrative and system accounts and groups. Regular users start at UID_MIN from /etc/login.defs, 1000 on current distributions.
Group ID (GID): the primary group ID (the group itself is defined in /etc/group).
Comment (GECOS): extra information about the user such as full name, phone number etc. This field is displayed by the finger command.
Home directory: the absolute path the user lands in after login (the value of $HOME).
Command/shell: the absolute path of a command or shell (/bin/bash). Typically this is a shell, but it does not have to be one. An empty field (as for user1 and user2 above) is treated as /bin/sh.
Some accounts have /usr/sbin/nologin (or /sbin/nologin on Red Hat-based systems) as their shell. They are system accounts that run a service, and nobody can log in interactively with them; sometimes /bin/false is used instead. nologin prints a refusal message and exits, /bin/false just exits; neither gives a shell. Note that this only stops interactive logins; root can still run su -s /bin/bash user, and the service itself keeps running as that user.
Every user must have read access to /etc/passwd, because commands such as ls -l need it to map UIDs to names:
root@ubuntu:~# ls -l /etc/passwd
-rw-r--r-- 1 root root 2469 Feb 12 02:53 /etc/passwd
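As an added example (not from the original notes), here is a small POSIX sh audit script that checks passwd-format entries for the mistakes that matter most: a second UID 0 account, an empty password field, a hash left in the world-readable file, duplicate UIDs, an empty shell field (which is treated as /bin/sh) and system accounts that still have an interactive shell. The sample entries are constructed from the tail output above plus deliberately bad lines (toor, guest, legacy, backup) so that every check fires at least once; on a live system run getent passwd | passwd_findings.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format entries (not part of the original notes).
# The sample is constructed: lines from the page's tail /etc/passwd plus
# deliberately bad ones (toor, guest, legacy, backup) to exercise each check.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
user1:x:1001:1001::/home/user1:
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:122:129:MySQL Server,,,:/nonexistent:/bin/false
toor:x:0:0:second uid 0 (constructed):/root:/bin/bash
guest::1100:1100:no password (constructed):/home/guest:/bin/bash
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz0123:1101:1101:unshadowed (constructed):/home/legacy:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash'

# passwd_findings: reads passwd-format lines on stdin, prints one finding per line.
# Real use: getent passwd | passwd_findings   (or passwd_findings < /etc/passwd)
passwd_findings() {
    awk -F: '
        NF != 7 { print "malformed entry (" NF " fields): " $0; next }
        # only root should have UID 0; any other UID 0 entry is a full-root login
        $3 == 0 && $1 != "root" { print $1 ": extra UID 0 account" }
        # empty second field: no password at all (pam_unix nullok lets this log in)
        $2 == "" { print $1 ": empty password field, login without a password" }
        # anything other than x / * / ! here is a hash readable by every local user
        $2 != "x" && $2 != "" && $2 !~ /^[*!]/ { print $1 ": password hash kept in world-readable passwd file" }
        # two names sharing a UID are the same identity as far as the kernel is concerned
        ($3 in seen) { print $1 ": duplicate UID " $3 " (also " seen[$3] ")" }
        { seen[$3] = $1 }
        # passwd(5): an empty shell field means /bin/sh, so this is an interactive login
        $7 == "" { print $1 ": empty shell field, defaults to /bin/sh" }
        # system accounts (UID 1-999) should not have a login shell
        $3 > 0 && $3 < 1000 && $7 != "" && $7 !~ /(nologin|false)$/ { print $1 ": system account with interactive shell " $7 }
    '
}

# audit_sample: runs the checks over the constructed sample
audit_sample() {
    printf '%s\n' "$PASSWD_SAMPLE" | passwd_findings
}

audit_sample
```

Feeding getent output rather than the file itself makes the same checks cover LDAP or SSSD accounts, which never appear in the local /etc/passwd.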
In the old days /etc/passwd held everything about a user, including the password hash, in its second field. Since the file has to be world-readable, any local user could copy every hash and crack it offline, which is an obvious security problem. To solve it, /etc/shadow was introduced: an x character in the password field of /etc/passwd indicates that the hash is stored in /etc/shadow.
The /etc/shadow file contains the hashed ("encrypted") passwords, along with password- and account-expiration information. It is readable only by root and the shadow group:
root@ubuntu:~# ls -l /etc/shadow
-rw-r----- 1 root shadow 1609 Feb 12 02:53 /etc/shadow
Let's see what's inside:
root@ubuntu:~# tail /etc/shadow
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
payam:$1$jYgAdos4$Je8la0839ZRVgazhnBpDv1:17496:0:99999:7:::
user1:$6$c9PN.175$.t.CG0E0Gtr/trq4pqquSe1BemMjB6Zc3E0ExUOVufuTkPNe3BSRv3DyUuXFHPiAbEujzuSMCeMsCbpg8cV2j.:17749:0:99999:7:::
sshd:*:17749:0:99999:7:::
mysql:!:17867:0:99999:7:::
user2:$6$kN2DNYrP$XmM/3ONRnrTCuTTBxCwVBlVW9E4tVRc02JbRHPhwj128Q6aUIcUq4gxw2r74gopOs2J0HqNxuiBiqgAlkmuwV1:18290:0:99999:7:::
postfix:*:18300:0:99999:7:::
Note: a password field of * or ! (!! on Red Hat-based systems) can never match any password, so nobody can log in to that account with a password. Most service accounts look like this. A ! in front of an otherwise valid hash (for example !$6$...) marks a locked account, as produced by passwd -l or usermod -L; removing the ! unlocks it again.
Passwords are not really encrypted but hashed with a salted one-way function, one of several supported by crypt(3). Older systems used DES or MD5; modern systems use SHA-256 or SHA-512 (the default on most distributions, chosen with ENCRYPT_METHOD in /etc/login.defs and the sha512 option of pam_unix), bcrypt (Blowfish-based) on some, and yescrypt on recent Debian, Ubuntu and Fedora releases. Whatever the algorithm, passwords are salted so that two identical passwords do not produce the same hash. An old hash is only replaced when the user next changes the password, so the $1$ MD5 entry for payam above survives a change of ENCRYPT_METHOD; force such users to change their password (chage -d 0) to get rid of it.
Each line of /etc/shadow has nine colon-separated fields:
Username: the login name.
Password: the hashed password. The password itself should be at least 8-12 characters long and mix special characters, digits, upper and lower case letters. The hash is stored in modular crypt format $id$salt$hashed, where $id identifies the algorithm: $1$ is MD5, $2a$/$2b$/$2y$ are bcrypt (Blowfish), $5$ is SHA-256, $6$ is SHA-512 and $y$ is yescrypt (a 13-character value with no $ prefix is traditional DES crypt). SHA-crypt entries may also carry a rounds=N$ parameter after the id.
Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed (0 forces a change at the next login).
Minimum: the minimum number of days required between password changes, i.e. how long the user must wait before being allowed to change the password again.
Maximum: the maximum number of days the password is valid (after that the user is forced to change it); 99999 effectively means never.
Warn: the number of days before the password expires that the user is warned that it must be changed.
Inactive: the number of days after the password expires until the account is disabled.
Expire: days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date after which the login may no longer be used, independent of the password age.
(The ninth field is reserved and empty.)
The last six fields provide password aging and account lockout. Use the chage command to set them rather than editing the file.
The chage command is used to view and change password expiry information. It is used when a login is to be provided for a limited time, or when users must be forced to change their password periodically.
chage [options] LOGIN
Options:
  -d, --lastday LAST_DAY         set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE   set account expiration date to EXPIRE_DATE
  -h, --help                     display this help message and exit
  -I, --inactive INACTIVE        set password inactive after expiration to INACTIVE
  -l, --list                     show account aging information
  -m, --mindays MIN_DAYS         set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS         set maximum number of days before password change to MAX_DAYS
  -R, --root CHROOT_DIR          directory to chroot into
  -W, --warndays WARN_DAYS       set expiration warning days to WARN_DAYS
Dates may be given as YYYY-MM-DD or as days since Jan 1, 1970; -1 removes an expiration date (-E) or inactivity period (-I). chage with only a login name prompts for every field interactively. Let's try -l on user1:
root@ubuntu:~# chage -l user1
Last password change : Aug 06, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
chage -d 0 USER will force the user to change their password at the next login.
An unprivileged user may run chage -l on their own account; everything else requires root. passwd can also set the aging fields (-n minimum, -x maximum, -w warning and -i inactive days) and immediately expire a password with -e.
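The aging fields are easiest to reason about with a worked check. Below is an added example in POSIX sh (not from the original notes): it classifies each shadow-format entry by hash algorithm and lock state, then applies the aging rules (account expiry date, last change plus maximum days, last change of 0) against a fixed "today" of day 17749, which is the Aug 06, 2018 date shown in the chage -l output above. The entries are constructed: the page's own pulse, payam, user1 and mysql lines plus made-up olduser, gone, newhire and locked entries whose $6$salt$hash values are placeholders, not real hashes. payam's $1$ hash is reported as md5 so that it can be scheduled for a password change.

```shell
#!/bin/sh
# Added example: classify shadow(5) entries and apply the aging rules
# (not part of the original notes). TODAY is fixed to 17749 (Aug 06, 2018)
# so the output is reproducible; use $(( $(date +%s) / 86400 )) for the real day.
TODAY=17749

# Constructed sample: page lines plus made-up entries; "$6$salt$hash" is a placeholder.
SHADOW_SAMPLE='pulse:*:17379:0:99999:7:::
payam:$1$jYgAdos4$Je8la0839ZRVgazhnBpDv1:17496:0:99999:7:::
user1:$6$c9PN.175$.t.CG0E0Gtr/trq4pqquSe1BemMjB6Zc3E0ExUOVufuTkPNe3BSRv3DyUuXFHPiAbEujzuSMCeMsCbpg8cV2j.:17749:0:99999:7:::
mysql:!:17867:0:99999:7:::
olduser:$6$salt$hash:17000:0:90:7:::
gone:$6$salt$hash:17500:0:99999:7::17700:
newhire:$6$salt$hash:0:0:99999:7:::
locked:!$6$salt$hash:17700:0:99999:7:::'

# shadow_algo PASSWORD_FIELD -> prints how the field must be read
shadow_algo() {
    case "$1" in
        '')                     echo "empty (no password required)" ;;
        '*'|'!'|'!!'|'!*')      echo "no password set, login disabled" ;;
        '!'*)                   echo "locked" ;;            # passwd -l / usermod -L prefix
        '$1$'*)                 echo "md5" ;;               # weak, schedule a re-hash
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)                 echo "sha256" ;;
        '$6$'*)                 echo "sha512" ;;
        '$y$'*)                 echo "yescrypt" ;;
        *)                      echo "des-or-unknown" ;;    # 13-char traditional crypt
    esac
}

# shadow_check TODAY: reads shadow-format lines on stdin, prints "name status hash-class"
shadow_check() {
    today="$1"
    while IFS=: read -r name pw last min max warn inactive expire _; do
        status=ok
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            status=account-expired             # absolute expiry date has passed
        elif [ -n "$last" ] && [ "$last" -eq 0 ]; then
            status=must-change-at-next-login   # what chage -d 0 produces
        elif [ -n "$max" ] && [ "$max" -lt 99999 ] && [ $((last + max)) -lt "$today" ]; then
            status=password-expired            # older than the maximum age
        fi
        printf '%s %s %s\n' "$name" "$status" "$(shadow_algo "$pw")"
    done
}

# shadow_report: runs the check over the constructed sample
shadow_report() {
    printf '%s\n' "$SHADOW_SAMPLE" | shadow_check "$TODAY"
}

shadow_report
```

On a real system run it as root with shadow_check "$(( $(date +%s) / 86400 ))" < /etc/shadow; the warn and inactive fields are read but not evaluated here, because they only change when the user is nagged and when an expired password turns into a disabled account.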
/etc/group is the group file containing basic information about groups and which users belong to them. It contains one line for each group in the system.
root@ubuntu:~# tail /etc/group
rtkit:x:126:
saned:x:127:
payam:x:1000:
sambashare:x:128:payam
user1:x:1001:
mysql:x:129:
user2:x:1002:
postfix:x:130:
postdrop:x:131:
mysecuregroup:x:1003:
group_name: the name of the group. If you run ls -l, you see this name in the group field.
Password: generally an x, meaning the group password (if any) is kept in /etc/gshadow; a hash here would be world-readable. A group password lets a non-member join the group with newgrp, but this is rarely used, and usermod -aG is the normal way to grant membership.
Group ID (GID): the numeric ID of the group. A user's primary group appears as this number in /etc/passwd.
Group List: the user names of the supplementary members of the group, separated by commas. Users whose primary GID in /etc/passwd is this group are not listed here, so this field alone under-counts membership.
root@ubuntu:~# ls -l /etc/group
-rw-r--r-- 1 root root 1077 Feb 12 03:58 /etc/group
Like /etc/passwd, /etc/group must be world-readable (tools need it to map GIDs to names), and for the same reason it is shadowed: group password hashes must not be world-readable.
Group passwords are stored in /etc/gshadow, which is readable only by root and the shadow group.
root@ubuntu:~# ls -l /etc/gshadow
-rw-r----- 1 root shadow 902 Feb 12 03:58 /etc/gshadow
root@ubuntu:~# tail /etc/gshadow
rtkit:!::
saned:!::
payam:!::
sambashare:!::payam
user1:!::
mysql:!::
user2:!::
postfix:!::
postdrop:!::
mysecuregroup:Aa12345::
Its format is:
Group name:Encrypted password:Group administrators:Group members
A ! in the password field means no password is set, which is the common case; groups can have passwords, but they are almost never used in any distribution. Look at the mysecuregroup line above: its second field holds the plain string Aa12345, which is not a crypt(3) hash. That is what you get when groupadd -p or a manual edit is fed a cleartext password: no password will ever match it, and the secret now sits in the file in the clear. If you really need a group password, set it with gpasswd GROUP, which hashes the value properly.
getent is a command that looks up entries in the Name Service Switch (NSS) databases configured in /etc/nsswitch.conf: passwd, group, shadow, hosts, services and so on.
getent database [key ...]
We use getent to query user and group information instead of reading /etc/passwd and /etc/group by hand, because it also returns accounts that come from LDAP, SSSD or other NSS sources and never appear in the local files. (getent shadow works only as root.)
root@ubuntu:~# getent passwd payam
payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
root@ubuntu:~# getent group payam
payam:x:1000:
Do not forget the id command: id USER prints the UID, the primary GID and every group the user belongs to, including the primary group that /etc/group does not list.
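An added example (not from the original notes) for the point that /etc/group lists only supplementary members: a user's primary group comes from the GID field of /etc/passwd and never appears in the group file, so grep on /etc/group or getent group alone under-counts membership. The function below merges both sources. The sample files are constructed from the page's tail output plus a made-up developers group and an svc account whose primary group is developers.

```shell
#!/bin/sh
# Added example: effective group membership = explicit members in group(5) +
# users whose primary GID in passwd(5) is that group (not part of the original notes).
# Samples are constructed: page entries plus a made-up developers group and svc user.
GROUP_SAMPLE='payam:x:1000:
sambashare:x:128:payam
user1:x:1001:
user2:x:1002:
developers:x:2000:user1
mysecuregroup:x:1003:'

PASSWD_SAMPLE='payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
user1:x:1001:1001::/home/user1:
user2:x:1002:1002::/home/user2:
svc:x:2001:2000:service account (constructed):/var/lib/svc:/usr/sbin/nologin'

# group_members GROUP GROUP_FILE PASSWD_FILE -> sorted, space-separated effective members
group_members() {
    awk -F: -v want="$1" '
        # first file: the group database; remember the GID and the listed members
        FNR == NR {
            if ($1 == want) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # second file: passwd; primary-group members are never listed in group(5)
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$2" "$3" | sort | tr '\n' ' ' | sed 's/ $//'
}

# sample_group_members GROUP: runs group_members over the constructed samples
sample_group_members() {
    g=$(mktemp) && p=$(mktemp) || return 1
    printf '%s\n' "$GROUP_SAMPLE" > "$g"
    printf '%s\n' "$PASSWD_SAMPLE" > "$p"
    group_members "$1" "$g" "$p"
    rm -f "$g" "$p"
}

# On a live system: group_members wheel /etc/group /etc/passwd, or write the output
# of getent group and getent passwd to temporary files so LDAP/SSSD users are counted.
sample_group_members developers
```

For developers the group file names only user1, yet the function reports svc as well, because svc's primary GID is 2000; this is exactly the membership that id svc shows and that a grep of /etc/group misses.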
Bonus: commands and options for changing user accounts
passwd -l USER  or  usermod -L USER            lock (suspend) the account: a ! is prefixed to the hash. Password logins fail, but SSH keys still work, so expire the account as well if it must really be disabled
passwd -u USER  or  usermod -U USER            unlock the account
passwd -d USER                                 delete the password, leaving the field empty. This does not disable the account: where PAM allows empty passwords (nullok), the user logs in with no password at all
chage -E DATE USER  or  usermod -e DATE USER   set the expiration date for an account (chage -E 0 or usermod -e 1 disables it immediately)
chage -m DAYS USER  or  passwd -n DAYS USER    the minimum password lifetime in days
chage -M DAYS USER  or  passwd -x DAYS USER    the maximum password lifetime in days
chage -W DAYS USER  or  passwd -w DAYS USER    the number of days of warning before a password must be changed
chage -I DAYS USER  or  passwd -i DAYS USER    the number of days after a password expires until the account is disabled
passwd -S USER                                 output a short message about the current account status (on Debian/Ubuntu: P usable password, L locked, NP no password)