User and Group Management
Linux is a multi-user system: the platform can handle multiple user logins at once. As a system administrator, you need to know how to manage those users, assign them to groups and control their permission levels.
In this series, we'll learn how to first create and manage users and groups, then look at all the important files that manage these settings in the background.
Three Types of Accounts
There are three types of accounts on any Unix platform, and any of them may belong to one or more groups:
- Root account - unrestricted; it can run any command.
- System accounts - used to run daemons, mail services and other system-related programs. They normally have no usable password and a nologin shell.
- User accounts - used by ordinary, human users.
Creating a user
Creating a user is simple: use useradd with any of the options below. You must be root (or use sudo) when you perform these actions.
$ useradd -c "Sarah Jones" -d /home/sarah -m -G intro-unix-course sarah
Here -m is what actually creates /home/sarah; on its own, -d only records the path in /etc/passwd (unless the distribution's /etc/login.defs sets CREATE_HOME yes).
- -c - Comment field, by convention the user's full name (the GECOS field in /etc/passwd).
- -d - Specify the user's home directory. This only records the path; the directory is created only if -m is also given.
- -e - Set the date on which the account is disabled (YYYY-MM-DD).
- -s - Set the login shell.
- -p - Supply an already-hashed password, exactly as it would appear in /etc/shadow. The value is not hashed for you, so a plain-text password here produces an account nobody can log in to, and whatever you pass is visible in your shell history and in the process list while useradd runs. Prefer passwd after creation.
- -M - Don't create a home directory.
- -G - Comma-separated list of supplementary groups the user belongs to.
- -g - Set the user's primary group.
- -f - Number of days after the password expires before the account is permanently disabled: 0 disables it as soon as the password expires, -1 turns the feature off.
- -m - Create the home directory and copy the skeleton directory into it.
- -k - Specify the skeleton directory (only meaningful together with -m).
The next three are usermod options; useradd does not accept them:
- -l - Change the login name of the user.
- -L - Lock the password by prefixing the hash in /etc/shadow with a !. This does not expire the account, so an SSH key or other non-password login still works; combine it with -e if you want the account fully disabled.
- -U - Unlock the password again.
And -x belongs to passwd, not useradd:
- -x - Force a password change after this many days (the same setting as chage -M).
The Skeleton Directory
The skeleton directory holds the default files copied into a new user's home directory when it is created with -m. The system default is /etc/skel. Here we build our own, working from /home, so the new skeleton is /home/skel:
$ mkdir skel
$ touch skel/example.txt
$ touch skel/example2.txt
$ useradd -c "Sarah Goodwill" -m -k /home/skel sarah
$ ls /home/
sarah ubuntu user
$ ls /home/sarah/
example.txt example2.txt
If we forgot the -m option, no home directory is created at all (-k only chooses which skeleton gets copied). We can create the directory by hand, hand it over to the user with chown, and copy the skeleton files in ourselves. Check the mode afterwards: useradd -m applies the mode from /etc/login.defs, whereas a hand-made directory gets whatever your umask produced.
$ cd /home
$ mkdir sarah
$ chown sarah:sarah sarah
Or we can use usermod with the -d option to point sarah at the new home directory (add -m to move the contents of the old one across). The user must not be logged in or running any processes while you do this.
$ usermod -d /home/sarah sarah
Modifying existing users
To modify an existing user, use the usermod command. It accepts most of the useradd options above (-c, -d, -e, -f, -g, -G, -s and so on), plus -l, -L and -U. Note that -G replaces the whole supplementary group list; add -a to append to it instead.
# Set the user account to expire on the last day of 2016
$ usermod -e 2016-12-31 sarah
Setting user password
To set or reset a user's password, use the passwd command. Run as root it does not ask for the current password, which is also how you recover an account whose owner has forgotten it.
$ passwd sarah
Deleting users
To delete a user, use the userdel command. If Sarah still has running processes, userdel refuses and names one of them; stop them (kill the reported PID, or pkill -u sarah to stop all of them) and try again.
$ userdel sarah
userdel: user sarah is currently used by process 2381
$ kill 2381
$ userdel -r sarah
The -r option removes the user's home directory and mail spool as well, and there is no undo. The safe choice is to omit it, or archive the home directory first, unless you are sure the data is not needed. Files Sarah owned elsewhere on the filesystem are not touched either: they stay owned by her old numeric UID and will belong to whichever account receives that UID next, so look for them with find / -nouser before reusing it.
Managing expiration time limits
The chage command manages password ageing: how often a password must be changed, how far ahead the user is warned, and when an expired password locks the account. It writes the same fields of /etc/shadow that useradd -e/-f and passwd -x set. It is part of the shadow utilities (the passwd package on Debian and Ubuntu, shadow-utils on RHEL and CentOS), so it is already installed on practically every distribution; chage -l USER prints a user's current settings in readable form.
- -E - Set the account expiration date (YYYY-MM-DD; -1 removes it).
- -I - Number of days of inactivity after a password expires before the account is locked (-1 disables this).
- -m - Minimum number of days between password changes.
- -M - Maximum number of days that a password is valid (99999 means it never expires).
- -W - Number of days of warning before a password expires.
- -d - Set the date of the last password change; -d 0 forces a change at the next login.
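Putting the creation, ageing and deletion steps above together, here is an idempotent provision/deprovision script. It is an added example, not code from the original article: the 90/14/30-day ageing policy, the /bin/bash shell and the archive location under /var/backups are assumptions. Changing the system needs root; the guard paths (name validation, "already exists", "no such user") run unprivileged.

```shell
#!/bin/sh
# Added example, not part of the original article: an idempotent
# provision/deprovision pair built from useradd, chage, pgrep and userdel.
# Changing the system needs root; the guard paths (name validation,
# "already exists", "no such user") work unprivileged. The ageing policy
# (90/14/30 days), the interactive shell and the archive location under
# /var/backups are assumptions, not something the article specifies.

# valid_username NAME
# The rule useradd enforces by default: [a-z_][a-z0-9_-]*[$]? and at most
# 32 characters. Anything else (spaces, capitals, a leading digit) is refused
# before it can reach the system.
valid_username() {
    [ ${#1} -le 32 ] && printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*[$]?$'
}

# provision_user LOGIN "Full Name" [SUPPLEMENTARY_GROUP]
provision_user() {
    login=$1 fullname=$2 group=${3:-}
    if ! valid_username "$login"; then
        echo "provision_user: invalid login name '$login'" >&2
        return 2
    fi
    if getent passwd "$login" >/dev/null 2>&1; then
        echo "provision_user: $login already exists, nothing to do"
        return 0
    fi
    # -m creates the home directory from /etc/skel with the mode from
    # /etc/login.defs; -s names the shell explicitly instead of trusting
    # SHELL= in /etc/default/useradd; -G adds the supplementary group.
    useradd -m -c "$fullname" -s /bin/bash ${group:+-G "$group"} "$login" || return 1
    # Password ageing (assumed policy): change every 90 days, warn 14 days
    # ahead, disable the account 30 days after the password expires.
    chage -M 90 -W 14 -I 30 "$login" || return 1
    # useradd leaves the password locked; after the admin sets an initial
    # one with `passwd LOGIN`, this forces a change at the first login.
    chage -d 0 "$login"
}

# deprovision_user LOGIN
# Refuses to remove an account that still owns processes (userdel would refuse
# too, but reports only a single PID), and archives the home directory before
# userdel -r deletes it, since -r is irreversible.
deprovision_user() {
    login=$1
    if ! getent passwd "$login" >/dev/null 2>&1; then
        echo "deprovision_user: no such user '$login'" >&2
        return 2
    fi
    if pgrep -u "$login" >/dev/null 2>&1; then
        echo "deprovision_user: $login still has processes; run: pkill -u $login" >&2
        return 1
    fi
    home=$(getent passwd "$login" | cut -d: -f6)
    if [ -d "$home" ]; then
        tar -czf "/var/backups/home-$login.tar.gz" -C "$(dirname "$home")" "$(basename "$home")" || return 1
    fi
    userdel -r "$login"
}

# Unprivileged demonstration of the name check; the real calls are, e.g.:
#   provision_user sarah "Sarah Jones" intro-unix-course
#   deprovision_user sarah
for n in sarah svc\$ Sarah 'bad name' 1abc; do
    if valid_username "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
done
```

The name check runs before anything touches the system, and both functions return 2 for a caller error and 1 for a failed step, so a wrapper can tell the two apart.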
Creating and Modifying Groups
Creating a Group
To create a group, use the groupadd
command.
$ groupadd family
- -g - Specify the group ID (otherwise the system picks the next free one).
- -f - Exit successfully even if the group already exists; combined with -g, fall back to a free GID if the requested one is taken.
- -o - Allow a GID that is already used by another group.
- -r - Create a system group, with a GID from the system range in /etc/login.defs.
- -n - Change the name of the group. This is a groupmod option, not a groupadd one.
System group IDs come from the SYS_GID_MIN..SYS_GID_MAX range in /etc/login.defs (below 1000 on current distributions; older ones used 500). GIDs in that range are meant for daemons and system services, not for groups populated by real users. You can see all current groups in /etc/group, which we'll go over in detail shortly.
Modifying a Group
To modify a group, use the groupmod
command. Let's try renaming our family group to cousins.
$ groupmod -n cousins family
Deleting groups
To delete a group, simply use the groupdel
command.
$ groupdel cousins
Here's some extra practice for using the above commands and options.
$ groupadd developers
# Check to see that the new group has been added
$ cat /etc/group
# Suppose GID 1010 is already taken by another group
$ groupadd -g 1010 developers
# That fails twice over: the name exists (we just created it) and so does the GID.
# To give developers the shared GID anyway, allow a non-unique GID with -o. Two groups
# that share a GID are one and the same group to the kernel, so this is rarely what you want.
$ groupmod -o -g 1010 developers
# Rename
$ groupmod -n cool-kids developers
Important files
As a system admin, you'll be dealing with a number of important files.
/etc/sudoers
When performing root-level tasks, you may do so in three different ways:
- Log in to the host as root over ssh.
- Use the su command to become root (it asks for root's password).
- Use the sudo command, which runs a single command as root after checking your own password and the rules in /etc/sudoers.
The last is usually preferred: it needs no shared root password and logs each command together with who ran it. Its rules live in /etc/sudoers, which should only ever be opened with visudo:
$ visudo
Opening the file with visudo rather than a plain editor matters because visudo locks the file against concurrent edits and checks the syntax before saving. A syntax error in a hand-edited /etc/sudoers makes sudo refuse to run anything, including the command you would need to fix it.
/etc/passwd
The /etc/passwd file contains one line for every account on the system, human and system alike. You could delete a user by removing their line, but userdel is safer: the user tools lock the file and keep /etc/shadow and /etc/group consistent with it, which a manual edit does not. The usermod command is essentially an interface for editing this file and /etc/shadow.
If you open this file, you'll see one colon-separated line per user with seven fields:
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
Each line represents a user, along with seven parameters:
- Username.
- Password field. An x means the hash is in /etc/shadow; an asterisk or ! means no password login is possible; an empty field means no password is asked for at all, which should never appear on a real system.
- User ID (UID).
- User's group ID number (GID).
- Full name of user.
- User home directory.
- Login shell.
The encrypted password will show as an x
and is actually stored in /etc/shadow.
Special users
There are two special users: root, with UID and GID 0, and nobody, an unprivileged account that some daemons switch to so that a compromise of the daemon gains as little as possible. Note that it is the UID, not the name, that makes an account root: any entry with UID 0 has full privileges whatever it is called, which is why a second UID 0 account is a classic backdoor. The other non-human accounts, created for daemons and services rather than for people, are known as pseudo-users.
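The checks that the field layout and the special-user rules above imply can be run mechanically. The following is an added example, not code from the original article: it audits a passwd-format file for extra UID 0 accounts, empty password fields, duplicate UIDs and system accounts with an interactive shell. The sample file is constructed for the demonstration (the names and the 1000 boundary for system accounts are assumptions); pass /etc/passwd to audit a live host.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a passwd-format file
# for the conditions the fields above make dangerous. The sample file below is
# constructed for the demonstration; pass /etc/passwd to audit a live host.

# audit_passwd FILE
# Prints one finding per line (TYPE user ...) and returns 1 if anything was found.
audit_passwd() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        # Every entry must have exactly the seven fields described above.
        NF != 7 { printf "MALFORMED line %d\n", NR; found++; next }
        # UID 0 is what makes an account root; the name is only a label.
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1; found++ }
        # An empty password field means no password is asked for at all.
        $2 == "" { printf "NOPASS %s\n", $1; found++ }
        # Two names sharing a UID are one identity to the kernel.
        ++uid_seen[$3] > 1 { printf "DUPUID %s %s\n", $3, $1; found++ }
        # System accounts (UID below 1000, an assumed boundary) should not
        # have an interactive shell.
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { printf "SYSSHELL %s %s\n", $1, $7; found++ }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a second UID 0 account, a system account with a shell,
# an empty password and a shared UID. Not taken from any real system.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
sarah:x:1002:1002:Sarah Jones:/home/sarah:/bin/bash
mike:x:1002:1003:Mike:/home/mike:/bin/bash
EOF

if audit_passwd "$SAMPLE_PASSWD"; then
    echo "clean"
else
    echo "findings above; fix them before anyone logs in"
fi
```

Each finding names the account, so the output can be fed straight to usermod or userdel; the non-zero exit status makes the function usable as a check in a cron job or a configuration-management run.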
/etc/shadow
The /etc/shadow file, readable only by root, contains one colon-separated line per user with the password hash and the ageing information. When a user is created or deleted, this file is updated together with /etc/passwd. Its fields are:
- Username.
- Password hash (including the algorithm and salt).
- Day of the last password change, counted in days since 1 January 1970.
- Minimum days between password changes.
- Maximum days a password stays valid.
- Days of warning before the password expires.
- Days of inactivity after expiry before the account is locked.
- Account expiry date, again in days since 1970.
- A reserved field.
A ! in front of the hash means the password is locked (usermod -L). A ! or !! on its own means a password was never set: Debian and Ubuntu write !, RHEL and CentOS !!. An asterisk means password login is disabled, and an empty field means no password at all.
A maximum age of 99999 means the password never expires; an empty ageing field means that feature is unused, and chage -l reports it as -1.
/etc/default/useradd
This file holds the defaults that useradd applies when the corresponding option is not given on the command line. useradd -D prints them, and useradd -D followed by an option (for example useradd -D -s /bin/bash) changes one.
Here are just some default variables within this file:
SHELL=/bin/sh
HOME=/home
SKEL=/etc/skel
GROUP=100
/etc/group
This file contains a colon-separated list of groups and their members. Here are its four fields:
- Group name.
- Password (an x points to /etc/gshadow; group passwords are rarely used).
- GID (group ID).
- Comma-separated list of members. Only supplementary members appear here; users whose primary group (field four of /etc/passwd) is this group are members too but are not listed.
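Because primary membership lives in /etc/passwd and supplementary membership in /etc/group, answering "who is in the sudo group" needs both files. The following is an added example, not code from the original article, that joins the two for a list of privileged groups; the two sample files are constructed and the default group list (root, sudo, wheel, adm, docker) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article: list who can act as a
# member of the privileged groups, combining the supplementary members from a
# group-format file with the primary GIDs from a passwd-format file, because a
# user whose primary group is "sudo" never appears in /etc/group at all. The
# two sample files are constructed; the default group list is an assumption.

# privileged_members GROUPFILE PASSWDFILE [GROUP...]
# Prints "group user primary|supplementary", one line per membership.
privileged_members() {
    groupfile=$1 passwdfile=$2
    shift 2
    want_groups=${*:-root sudo wheel adm docker}
    awk -F: -v groups="$want_groups" '
        # First file (/etc/group): remember GID and member list per group.
        FNR == NR { gid[$1] = $3; members[$1] = $4; next }
        # Second file (/etc/passwd): collect users by primary GID (field 4).
        { primary[$4] = primary[$4] " " $1 }
        END {
            n = split(groups, want, " ")
            for (i = 1; i <= n; i++) {
                g = want[i]
                if (!(g in gid)) continue        # group not defined on this host
                m = split(members[g], sup, ",")
                for (j = 1; j <= m; j++) {
                    seen[g "/" sup[j]] = 1
                    print g, sup[j], "supplementary"
                }
                p = split(primary[gid[g]], pri, " ")
                for (j = 1; j <= p; j++) {
                    if (!seen[g "/" pri[j]]) print g, pri[j], "primary"
                }
            }
        }
    ' "$groupfile" "$passwdfile"
}

# Constructed samples: "ops" is in sudo only through its primary GID and
# "svc" is in docker the same way; neither shows up in the group file.
GROUP_FILE=$(mktemp)
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:sarah,mike
staff:x:50:
docker:x:999:bob
EOF
PASSWD_FILE=$(mktemp)
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sarah:x:1001:1001:Sarah Jones:/home/sarah:/bin/bash
mike:x:1002:1002:Mike:/home/mike:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
ops:x:1004:27:Ops account:/home/ops:/bin/bash
svc:x:900:999:Service:/nonexistent:/usr/sbin/nologin
EOF

privileged_members "$GROUP_FILE" "$PASSWD_FILE"
```

On a real host replace the two sample paths with /etc/group and /etc/passwd; the docker group is included because membership in it is equivalent to root on most installations.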
/etc/gshadow
This file, much like /etc/shadow, holds the sensitive part of the group information: the group password hashes and the list of group administrators. It is readable by root only, and groupadd, groupmod and gpasswd keep it in step with /etc/group.