107.1. Manage user and group accounts and related system files

107.1 Manage user and group accounts and related system files
Weight: 5
Description: Candidates should be able to add, remove, suspend and change user accounts.
Key Knowledge Areas:
Add, modify and remove users and groups
Manage user/group info in password/group databases
Create and manage special purpose and limited accounts
Terms and Utilities:
/etc/passwd
/etc/shadow
/etc/group
/etc/skel/
chage
getent
groupadd
groupdel
groupmod
passwd
useradd
userdel
usermod
Changing password
passwd
The passwd command changes passwords for user accounts. A normal user can only change the password for their own account, but the superuser can change the password for any account.
1
[email protected]:~$ passwd 
2
Changing password for user1.
3
(current) UNIX password: 
4
Enter new UNIX password: 
5
Retype new UNIX password: 
6
passwd: password updated successfully
Copied!
1.Before a normal user can change their own password, they must first enter their current password for verification. (The superuser can bypass this step when changing another user's password.)
2.After the current password has been verified, passwd checks to see if the user is allowed to change their password at this time or not. Then user is then prompted twice.
3.Next, the password is tested for complexity.passwords should consist of at least 6 characters.
The root user can change any users password to anything (weak passwords) without providing their current password:
1
[email protected]:~# passwd user1
2
Enter new UNIX password: 
3
Retype new UNIX password: 
4
passwd: password updated successfully
Copied!
 Groups can also have passwords, which you set with the gpasswd command, but it is not used at all!
Users and Groups
We have  learned  that Linux is a multiuser system.Recall that we can log in as one user and become another user by using the su or sudo commands. 
Linux also has the concept of groups . 
each user belongs to one primary group and possibly to additional groups. 
Each file belongs to one user and one group
We learn how to create, delete, and manage users and groups.
Managing users 
useradd
 We add a user to a Linux system with the useradd command.
1
 useradd <options> <username_or_login>
Copied!
switch
description
-d
home directory of the new account
-m
create the user's home directory
-s
login shell of the new account
-G
add to Additional Groups 
-c
comment, most of the time user's actual name
In most distributions  useradd creates home directory for the new user but we can make sure using -m switch. example(ubunru 16):
1
[email protected]:~# useradd -m -d /home/user3 -c "Dear user3" -s /bin/bash user3
Copied!
/etc/skel
The home directory skeleton
When you create a new user and a new home directory is created, the directory is populated with several files and subdirectories that, by default, are copied from /etc/skel.
1
[email protected]:~# ls -a /etc/skel/
2
.  ..  .bash_logout  .bashrc  examples.desktop  .profile
Copied!
usermod
 We can use the usermod command to modify a user account. we can use most of the options that you use with useradd, except that you cannot create or populate a new home directory for the user.
1
usermod <options> <username_or_login>
Copied!
switch
description
-L
lock the user account
-U
unlock the user account
-g
force use GROUP as new primary group
-G
new list of Additional GROUPS ( user will be  removed from all previous Additional groups )
-aG
append the user to the Additional  GROUPS(without removing him/her from other groups)
1
[email protected]:~# id user3
2
uid=1003(user3) gid=1003(user3) groups=1003(user3)
3
​
4
[email protected]:~# usermod -g user1 user3
5
[email protected]:~# id user3
6
uid=1003(user3) gid=1001(user1) groups=1001(user1),1003(user3)
7
​
8
[email protected]:~# usermod -G user2 user3
9
[email protected]:~# id user3
10
uid=1003(user3) gid=1001(user1) groups=1001(user1),1002(user2)
11
​
12
[email protected]:~# usermod -aG payam user3
13
[email protected]:~# id user3
14
uid=1003(user3) gid=1001(user1) groups=1001(user1),1000(payam),1002(user2)
15
​
16
###lets turn back to the deafult settings
17
[email protected]:~# usermod -g user3 -G user3 user3
18
[email protected]:~# id user3
19
uid=1003(user3) gid=1003(user3) groups=1003(user3)
Copied!
userdel
 We can delete a user with the userdel command.
1
userdel <options> <username_or_login>
Copied!
userdel by default does not remove user's home directory.
switch
description
-f
force removal of files
-r
remove home directory and mail spool
1
[email protected]:~# userdel -f -r user3
2
userdel: user3 mail spool (/var/mail/user3) not found
Copied!
Managing Groups
 Similarly, we can add or delete groups with the groupadd and groupdel commands.
groupadd 
1
groupadd [options] group
Copied!
switch
description
-g
use GID for the new group
-f
exit successfully if the group already exists, and cancel -g if the GID is already used
-p 
use this encrypted password for the new group
1
[email protected]:~# groupadd -g 666  group1
2
[email protected]:~# groupadd -g 666  group1
3
groupadd: group 'group1' already exists
4
[email protected]:~# echo $?
5
9
6
[email protected]:~# groupadd -f -g 666  group1
7
[email protected]:~# echo $?
8
0
9
​
Copied!
groupmod
 When you need to modify group information, use the groupmod command.
1
groupmod [options] GROUP
Copied!
switch
description
-n
change the group name
-g
change the group ID 
1
[email protected]:~# groupmod -n newgroup1 group1
2
[email protected]:~# groupmod -g 888 newgroup1 
Copied!
groupdel
  In fact, the groupdel command to delete a group requires only the group name; it has no options. You cannot delete any group that is the primary group of a user.
1
[email protected]:~# groupdel newgroup1
Copied!
Note: If root deletes a group with members, people wont be deleted! They will just wont be the members of that group anymore.
​
When we run ‘useradd‘ command in Linux terminal, it performs following major things:
1.It edits /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files for the newly created User account.
2.Creates and populate a home directory for the new user.
3.Sets permissions and ownerships to home directory.
What are those files?
/etc/passwd
 /etc/passwd is the password file containing basic information about users.
1
[email protected]:~# tail /etc/passwd
2
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
3
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
4
saned:x:119:127::/var/lib/saned:/bin/false
5
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
6
payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
7
user1:x:1001:1001::/home/user1:
8
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
9
mysql:x:122:129:MySQL Server,,,:/nonexistent:/bin/false
10
user2:x:1002:1002::/home/user2:
11
postfix:x:123:130::/var/spool/postfix:/bin/false
Copied!
it has one line for each user in the system. the format of it is :
1.Username:  should be between 1 and 32 characters 
2.Password (will be discussed)
3.User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups. 
4.Group ID (GID): The primary group ID (stored in /etc/group file) 
5.The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command. 
6.Home directory
7.Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. It does not have to be a shell.
There are some users with /sbin/nologin shell, They are actually system accounts that run a service and no one can interactively login using them. Some times it has been set to /bin/false. 
Every user should have read access to /etc/passwd  :
1
[email protected]:~# ls -l /etc/passwd
2
-rw-r--r-- 1 root root 2469 Feb 12 02:53 /etc/passwd
Copied!
In old days there was a place that  all users information even the user's password, and it is not so hard thick about security issue that it caused. To solve the problem /etc/shadow was invented.  An x character indicates that encrypted password is stored in /etc/shadow file
/etc/shadow
The /etc/shadow file contains encrypted passwords, along with password- and account-expiration information.
1
[email protected]:~# ls -l /etc/shadow
2
-rw-r----- 1 root shadow 1609 Feb 12 02:53 /etc/shadow
Copied!
Lets see what's inside that:
1
[email protected]:~# tail /etc/shadow
2
pulse:*:17379:0:99999:7:::
3
rtkit:*:17379:0:99999:7:::
4
saned:*:17379:0:99999:7:::
5
usbmux:*:17379:0:99999:7:::
6
payam:$1$jYgAdos4$Je8la0839ZRVgazhnBpDv1:17496:0:99999:7:::
7
user1:$6$c9PN.175$.t.CG0E0Gtr/trq4pqquSe1BemMjB6Zc3E0ExUOVufuTkPNe3BSRv3DyUuXFHPiAbEujzuSMCeMsCbpg8cV2j.:17749:0:99999:7:::
8
sshd:*:17749:0:99999:7:::
9
mysql:!:17867:0:99999:7:::
10
user2:$6$kN2DNYrP$XmM/3ONRnrTCuTTBxCwVBlVW9E4tVRc02JbRHPhwj128Q6aUIcUq4gxw2r74gopOs2J0HqNxuiBiqgAlkmuwV1:18290:0:99999:7:::
11
postfix:*:18300:0:99999:7:::
Copied!
Note: !! means user can not log in with any passwords. Most of service accounts are like this.
Passwords can be encrypted with one of several encryption algorithms. Older systems used DES or MD5, but modern systems typically use Blowfish, SHA-256, or SHA-512, or possibly MD5. Regardless of encryption algorithm, passwords are salted so that two otherwise identical passwords do not generate the same encrypted value.
1.Username : It is your login name. 
2.Password : It is your encrypted password. The password should be minimum 8-12 characters long including special characters, digits, lower case alphabetic and more. Usually password format is set to $id$salt$hashed, The $id is the algorithm used On GNU/Linux as follows: $1$ is MD5 $2a$ is Blowfish $2y$ is Blowfish $5$ is SHA-256 $6$ is SHA-512 
3.Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed 
4.Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
5.Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed 
7.Inactive : The number of days after password expires that account is disabled 
8.Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.
The last 6 fields provides password aging and account lockout features. You need to use the chage command to setup password aging.
epoch time
Unix time is a system for describing a point in time. It is the number of seconds that have elapsed since the Unix epoch, that is the time 00:00:00 UTC on 1 January 1970, minus leap seconds.
chage
 chage command is used to view and change the user password expiry information. This command is used when the login is to be provided for a user for limited amount of time or when it is necessary to change the login password time to time.
1
chage [options] LOGIN
Copied!
1
Options:
2
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
3
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
4
  -h, --help                    display this help message and exit
5
  -I, --inactive INACTIVE       set password inactive after expiration
6
                                to INACTIVE
7
  -l, --list                    show account aging information
8
  -m, --mindays MIN_DAYS        set minimum number of days before password
9
                                change to MIN_DAYS
10
  -M, --maxdays MAX_DAYS        set maximim number of days before password
11
                                change to MAX_DAYS
12
  -R, --root CHROOT_DIR         directory to chroot into
13
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
14
​
Copied!
chage without any options lets do  editing  all items interactively ,lets try -l option on user1:
1
[email protected]:~# chage -l user1
2
Last password change					: Aug 06, 2018
3
Password expires					: never
4
Password inactive					: never
5
Account expires						: never
6
Minimum number of days between password change		: 0
7
Maximum number of days between password change		: 99999
8
Number of days of warning before password expires	: 7
Copied!
 chage -d 0 user-name will force user to change his password in next login.
passwd can also change or reset the account's validity period — how much time can pass before the password expires and must be changed.
/etc/group
 /etc/group is the group file containing basic information about groups and which users belong to them. It contains one line for each group in the system.
1
[email protected]:~# tail /etc/group
2
rtkit:x:126:
3
saned:x:127:
4
payam:x:1000:
5
sambashare:x:128:payam
6
user1:x:1001:
7
mysql:x:129:
8
user2:x:1002:
9
postfix:x:130:
10
postdrop:x:131:
11
mysecuregroup:x:1003:
Copied!
1.group_name: It is the name of group. If you run ls -l command, you will see this name printed in the group field. 
2.Password: Generally password is not used, hence it is empty/blank. It can store encrypted password. This is useful to implement privileged groups. 
3.Group ID (GID): Each user must be assigned a group ID. You can see this number in your /etc/passwd file. 
4.Group List: It is a list of user names of users who are members of the group. The user names, must be separated by commas.
1
[email protected]:~# ls -l /etc/group
2
-rw-r--r-- 1 root root 1077 Feb 12 03:58 /etc/group
Copied!
Like /etc/passwd file, /etc/group is shadowed for security reasons and must be world readable, but encrypted passwords should not be world readable.
groups password are stored in /etc/gshadow file which is readable only by root.
1
[email protected]:~# ls -l /etc/gshadow
2
-rw-r----- 1 root shadow 902 Feb 12 03:58 /etc/gshadow
3
​
4
[email protected]:~# tail /etc/gshadow
5
rtkit:!::
6
saned:!::
7
payam:!::
8
sambashare:!::payam
9
user1:!::
10
mysql:!::
11
user2:!::
12
postfix:!::
13
postdrop:!::
14
mysecuregroup:Aa12345::
Copied!
its format is : 
Group name:Encrypted password:Group administrators: Group members
! :groups can have passwords but it have never been used in any distribution!
getent
 getent is a Linux command that helps the user to get the entries in a number of important text files called databases.
1
getent database [key ...]
Copied!
we use the getent command for processing groups and user information, instead of manually reading /etc/passwd, /etc/groups.
1
[email protected]:~# getent passwd payam
2
payam:x:1000:1000:ubuntu16.04.3-1,,,:/home/payam:/bin/bash
3
​
4
[email protected]:~# getent group payam
5
payam:x:1000:
Copied!
do not forget to use id command.
.
.
.
Bonus: Commands and options for changing user accounts
usermod
passwd
chage
Purpose
-L
-l(lowercase L)
N/A
Lock or suspend the account.
-U
-u
N/A
Unlock the account.
N/A
-d
N/A
Disable account by setting it passwordless
-e
-f
-E
Set the expiration date for an account.
N/A
-n
-m
The minimum password lifetime in days.
N/A
-X
-M
The maximum password lifetime in days.
N/A
-W
-W
The number of days of warning before a password must be changed.
-f
-i
-I(uppercase i)
The number of days after a password expires until the account is disabled.
N/A
-S
-l(lowercase L)
Output a short message about the current account status.
.
.
.
​https://developer.ibm.com/technologies/linux/tutorials/l-lpic1-map/​
​https://www.computerhope.com/unix/upasswor.htm​
​https://jadi.gitbooks.io/lpic1/content/1071_manage_user_and_group_accounts_and_related_system_files.html​
​https://askubuntu.com/questions/639990/what-is-the-group-id-of-this-group-name​
​https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/​
​https://www.cyberciti.biz/faq/understanding-etcshadow-file/​
​https://en.wikipedia.org/wiki/Unix_time​
​https://www.cyberciti.biz/faq/understanding-etcgroup-file/​
​https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Introduction_To_System_Administration/s3-acctsgrps-gshadow.html​
​https://www.geeksforgeeks.org/chage-command-in-linux-with-examples/​
.