107.1. Manage user and group accounts and related system files
Weight: 5
Description: Candidates should be able to add, remove, suspend and change user accounts.
Key Knowledge Areas:
Add, modify and remove users and groups
Manage user/group info in password/group databases
Create and manage special purpose and limited accounts
Terms and Utilities:
/etc/passwd
/etc/shadow
/etc/group
/etc/skel/
chage
getent
groupadd
groupdel
groupmod
passwd
useradd
userdel
usermod
Changing password
passwd
The passwd command changes passwords for user accounts. A normal user can only change the password for their own account, but the superuser can change the password for any account.
Before a normal user can change their own password, they must first enter their current password for verification. (The superuser can bypass this step when changing another user's password.)
After the current password has been verified, passwd checks whether the user is allowed to change their password at this time. The user is then prompted twice for the new password.
Next, the password is tested for complexity; passwords should consist of at least 6 characters.
The root user can change any user's password to anything (even a weak password) without providing the current password.
Groups can also have passwords, which you set with the gpasswd command, but it is not used at all!
Users and Groups
We have learned that Linux is a multiuser system. Recall that we can log in as one user and become another user by using the su or sudo commands.
Linux also has the concept of groups: each user belongs to one primary group and possibly to additional groups.
Each file belongs to one user and one group
We learn how to create, delete, and manage users and groups.
Managing users
useradd
We add a user to a Linux system with the useradd command.
switch  description
-d      home directory of the new account
-m      create the user's home directory
-s      login shell of the new account
-G      add to additional groups
-c      comment, most of the time the user's actual name
In most distributions useradd creates a home directory for the new user, but we can make sure of it with the -m switch. Example (Ubuntu 16):
/etc/skel
usermod
We can use the usermod command to modify a user account. We can use most of the options that we use with useradd, except that we cannot create or populate a new home directory for the user.
switch  description
-L      lock the user account
-U      unlock the user account
-g      force use of GROUP as the new primary group
-G      new list of additional GROUPS (the user will be removed from all previous additional groups)
-aG     append the user to the additional GROUPS (without removing him/her from other groups)
userdel
We can delete a user with the userdel command.
By default userdel does not remove the user's home directory.
switch  description
-f      force removal of files
-r      remove the home directory and mail spool
Managing Groups
Similarly, we can add or delete groups with the groupadd and groupdel commands.
groupadd
switch  description
-g      use GID for the new group
-f      exit successfully if the group already exists, and cancel -g if the GID is already used
-p      use this encrypted password for the new group
groupmod
When you need to modify group information, use the groupmod command.
switch  description
-n      change the group name
-g      change the group ID
groupdel
The groupdel command, which deletes a group, requires only the group name; it has no options. You cannot delete any group that is the primary group of a user.
Note: If root deletes a group with members, the users won't be deleted! They will simply no longer be members of that group.
When we run the useradd command in a Linux terminal, it performs the following major things:
It edits the /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files for the newly created user account.
Creates and populates a home directory for the new user.
Sets permissions and ownership of the home directory.
What are those files?
/etc/passwd
/etc/passwd is the password file containing basic information about users.
It has one line for each user in the system, made of seven colon-separated fields:
Username: should be between 1 and 32 characters
Password (will be discussed)
User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
Group ID (GID): The primary group ID (stored in /etc/group file)
The comment field: It allows you to add extra information about the user, such as the user's full name, phone number etc. This field is used by the finger command.
Home directory
Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. It does not have to be a shell.
There are some users with the /sbin/nologin shell. They are actually system accounts that run a service, and no one can interactively log in using them. Sometimes the shell is set to /bin/false instead.
Every user should have read access to /etc/passwd.
In the old days /etc/passwd held all user information, even the user's (hashed) password, and it is not hard to think of the security issues that caused, since the file is world readable. To solve the problem /etc/shadow was invented. An x character in the password field indicates that the encrypted password is stored in the /etc/shadow file.
/etc/shadow
The /etc/shadow file contains encrypted passwords, along with password- and account-expiration information.
Let's see what's inside:
Note: !! means the user cannot log in with any password. Most service accounts are like this.
Passwords can be encrypted with one of several encryption algorithms. Older systems used DES or MD5, but modern systems typically use Blowfish, SHA-256 or SHA-512 (or possibly still MD5). Regardless of the encryption algorithm, passwords are salted so that two otherwise identical passwords do not generate the same encrypted value.
Username : It is your login name.
Password : It is your encrypted password. The password should be a minimum of 8-12 characters long, including special characters, digits, lower case letters and more. Usually the password format is $id$salt$hashed, where $id identifies the algorithm used on GNU/Linux as follows: $1$ is MD5, $2a$ is Blowfish, $2y$ is Blowfish, $5$ is SHA-256, $6$ is SHA-512.
Last password change (lastchanged) : Days since Jan 1, 1970 that the password was last changed
Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
The last 6 fields provide the password aging and account lockout features. You need to use the chage command to set up password aging.
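As an added example (not part of these notes), the following script walks the /etc/shadow fields described above over a few constructed records: it reads the $id$ prefix to name the hash algorithm and applies the lastchanged, max and expire fields against a constructed "today" (days since the epoch) to decide whether each account is usable, locked, passwordless, expired, or still on a legacy hash. The records, the date and the placeholder hash strings are all constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: audit /etc/shadow-style records
# field by field. Records and the "today" value are constructed (runs offline).
set -eu
# Classify the password field by its $id$ prefix (see the $id$salt$hashed note).
hash_algo() {
  case "$1" in
    '')              echo "none" ;;      # empty field: login without a password
    '!'*|'*'*)       echo "locked" ;;    # '!' or '*' prefix: no password can match
    '$1$'*)          echo "MD5" ;;
    '$2a$'*|'$2y$'*) echo "Blowfish" ;;
    '$5$'*)          echo "SHA-256" ;;
    '$6$'*)          echo "SHA-512" ;;
    *)               echo "other" ;;     # DES or an unknown scheme
  esac
}
# audit_shadow TODAY reads shadow records on stdin and prints "user status" lines.
# TODAY is days since 1970-01-01, the same unit the lastchanged/expire fields use.
audit_shadow() {
  local today=$1 user pw last min max warn inactive expire rest algo status
  while IFS=: read -r user pw last min max warn inactive expire rest; do
    algo=$(hash_algo "$pw")
    status="ok($algo)"
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
      status="account-expired"                 # absolute expiry date has passed
    elif [ "$algo" = none ]; then
      status="NO-PASSWORD"
    elif [ "$algo" = locked ]; then
      status="locked"
    elif [ -n "$max" ] && [ "$max" -ne 99999 ] && [ $((last + max)) -lt "$today" ]; then
      status="password-expired($algo)"         # lastchanged + max < today
    elif [ "$algo" = MD5 ] || [ "$algo" = other ]; then
      status="weak-hash($algo)"                # legacy scheme still in use
    fi
    printf '%s %s\n' "$user" "$status"
  done
}
# Constructed sample; the hash parts are placeholders, not real digests.
SAMPLE=$(cat <<'EOF'
root:$6$saltsalt$PLACEHOLDER:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup:!!:19000:0:99999:7:::
legacy:$1$abcd$PLACEHOLDER:19500:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDER:19600:1:90:7:::
bob:$5$saltsalt$PLACEHOLDER:19600:0:99999:7::19750:
guest::19700:0:99999:7:::
EOF
)
printf '%s\n' "$SAMPLE" | audit_shadow 19800
```

On a real system the same function can be fed with `sudo getent shadow` and today's value from `$(( $(date +%s) / 86400 ))`.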
epoch time
Unix time is a system for describing a point in time. It is the number of seconds that have elapsed since the Unix epoch, that is the time 00:00:00 UTC on 1 January 1970, minus leap seconds.
chage
The chage command is used to view and change the user password expiry information. It is used when a login is to be provided to a user for a limited amount of time, or when it is necessary to change the login password from time to time.
chage without any options lets you edit all items interactively; let's try the -l option on user1:
chage -d 0 user-name
This will force the user to change their password at the next login.
passwd can also change or reset the account's validity period — how much time can pass before the password expires and must be changed.
/etc/group
/etc/group is the group file containing basic information about groups and which users belong to them. It contains one line for each group in the system.
group_name: It is the name of the group. If you run the ls -l command, you will see this name printed in the group field.
Password: Generally the password is not used, hence it is empty/blank. It can store an encrypted password. This is useful to implement privileged groups.
Group ID (GID): Each user must be assigned a group ID. You can see this number in your /etc/passwd file.
Group List: It is a list of the user names of the users who are members of the group. The user names must be separated by commas.
Like the /etc/passwd file, /etc/group is shadowed for security reasons: it must be world readable, but encrypted passwords should not be.
Group passwords are stored in the /etc/gshadow file, which is readable only by root. Its format is:
Group name:Encrypted password:Group administrators:Group members
Note: groups can have passwords, but this has never been used in any distribution!
getent
getent is a Linux command that helps the user get the entries in a number of important text files called databases.
We use the getent command for processing group and user information instead of manually reading /etc/passwd and /etc/group.
Do not forget to use the id command as well.
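An added example (not from the original notes) that ties the /etc/passwd GID field to the /etc/group member list, which is what id and getent group combine on a real system: it resolves a user's primary and supplementary groups and, in the other direction, lists a group's effective members, including users who belong only through their primary GID and therefore never appear in the /etc/group member list. The passwd and group records are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: resolve group membership from
# /etc/passwd- and /etc/group-style records the way id(1) and getent(1) see it.
# The records below are constructed; on a real system read them with getent.
set -eu
PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
svc_backup:x:998:998:backup service:/var/lib/backup:/sbin/nologin
EOF
)
GROUP=$(cat <<'EOF'
root:x:0:
sudo:x:27:alice
alice:x:1000:
svc_backup:x:998:
EOF
)
# gid_of USER -> the primary GID (4th field) of the user's passwd record.
gid_of() { printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1==u {print $4}'; }
# user_groups USER -> primary group first (from the passwd GID), then the
# supplementary groups whose member list (4th field of /etc/group) names the user.
user_groups() {
  local user=$1 gid; gid=$(gid_of "$user")
  printf '%s\n' "$GROUP" | awk -F: -v g="$gid" '$3==g {print $1}'
  printf '%s\n' "$GROUP" | awk -F: -v u="$user" -v g="$gid" '
    $3!=g { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]==u) print $1 }'
}
# group_members GROUP -> effective members: the explicit member list plus every
# user whose primary GID is this group. The latter never appear in /etc/group,
# so "getent group sudo" alone understates who is in a privileged group.
group_members() {
  local gid; gid=$(printf '%s\n' "$GROUP" | awk -F: -v g="$1" '$1==g {print $3}')
  {
    printf '%s\n' "$GROUP"  | awk -F: -v g="$1" '$1==g && $4!="" {gsub(",", "\n", $4); print $4}'
    printf '%s\n' "$PASSWD" | awk -F: -v g="$gid" '$4==g {print $1}'
  } | sort -u
}
user_groups alice     # alice's primary group, then sudo
group_members sudo    # alice (listed) and bob (primary GID 27, not listed)
```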
Bonus: Commands and options for changing user accounts
usermod   passwd             chage              Purpose
-L        -l (lowercase L)   N/A                Lock or suspend the account.
-U        -u                 N/A                Unlock the account.
N/A       -d                 N/A                Disable the account by setting it passwordless.
-e        -f                 -E                 Set the expiration date for an account.
N/A       -n                 -m                 The minimum password lifetime in days.
N/A       -X                 -M                 The maximum password lifetime in days.
N/A       -W                 -W                 The number of days of warning before a password must be changed.
-f        -i                 -I (uppercase i)   The number of days after a password expires until the account is disabled.
N/A       -S                 -l (lowercase L)   Output a short message about the current account status.