5.2 Lesson 1

| Certificate: | Linux Essentials |
|---|---|
| Version: | 1.6 |
| Topic: | 5 Security and File Permissions |
| Objective: | 5.2 Creating Users and Groups |
| Lesson: | 1 of 1 |
Introduction
Managing users and groups on a Linux machine is one of the key aspects of system administration. In fact, Linux is a multi-user operating system in which multiple users can use the same machine at the same time.
Information about users and groups is stored in four files within the `/etc/` directory tree:

- `/etc/passwd` - a file of seven colon-delimited fields containing basic information about users
- `/etc/group` - a file of four colon-delimited fields containing basic information about groups
- `/etc/shadow` - a file of nine colon-delimited fields containing encrypted user passwords
- `/etc/gshadow` - a file of four colon-delimited fields containing encrypted group passwords
All of these files are updated by a suite of command-line tools for user and group management, which we’ll discuss later in this lesson. They can also be managed by graphical applications, specific to each Linux distribution, which provide simpler and more immediate management interfaces.
Warning: Even though the files are plain text, do not edit them directly. Always use the tools provided with your distribution for this purpose.
The File /etc/passwd

`/etc/passwd` is a world-readable file that contains a list of users, each on a separate line:

```
frank:x:1001:1001::/home/frank:/bin/bash
```

Each line consists of seven colon-delimited fields:

- Username - The name used when the user logs into the system.
- Password - The encrypted password (or an `x` if shadow passwords are used).
- User ID (UID) - The ID number assigned to the user in the system.
- Group ID (GID) - The primary group number of the user in the system.
- GECOS - An optional comment field, which is used to add extra information about the user (such as the full name). The field can contain multiple comma-separated entries.
- Home directory - The absolute path of the user's home directory.
- Shell - The absolute path of the program that is automatically launched when the user logs into the system (usually an interactive shell such as `/bin/bash`).
The File /etc/group

`/etc/group` is a world-readable file that contains a list of groups, each on a separate line:

```
developer:x:1002:
```

Each line consists of four colon-delimited fields:

- Group Name - The name of the group.
- Group Password - The encrypted password of the group (or an `x` if shadow passwords are used).
- Group ID (GID) - The ID number assigned to the group in the system.
- Member list - A comma-delimited list of users belonging to the group, except those for whom this is the primary group.
The File /etc/shadow

`/etc/shadow` is a file readable only by root and by users with root privileges that contains the encrypted passwords of the users, each on a separate line:

```
frank:$6$i9gjM4Md4MuelZCd$7jJa8Cd2bbADFH4dwtfvTvJLOYCCCBf/.jYbK1IMYx7Wh4fErXcc2xQVU2N1gb97yIYaiqH.jjJammzof2Jfr/:18029:0:99999:7:::
```

Each line consists of nine colon-delimited fields:

- Username - The name used when the user logs into the system.
- Encrypted password - The encrypted password of the user (if the value is `!`, the account is locked).
- Date of last password change - The date of the last password change, as the number of days since 01/01/1970. A value of `0` means that the user must change the password at the next access.
- Minimum password age - The minimum number of days, after a password change, which must pass before the user will be allowed to change the password again.
- Maximum password age - The maximum number of days that must pass before a password change is required.
- Password warning period - The number of days, before the password expires, during which the user is warned that the password must be changed.
- Password inactivity period - The number of days after a password expires during which the user should update the password. After this period, if the user does not change the password, the account will be disabled.
- Account expiration date - The date, as the number of days since 01/01/1970, on which the user account will be disabled. An empty field means that the user account will never expire.
- A reserved field - A field that is reserved for future use.
The File /etc/gshadow

`/etc/gshadow` is a file readable only by root and by users with root privileges that contains encrypted passwords for groups, each on a separate line:

```
developer:$6$7QUIhUX1WdO6$H7kOYgsboLkDseFHpk04lwAtweSUQHipoxIgo83QNDxYtYwgmZTCU0qSCuCkErmyR263rvHiLctZVDR7Ya9Ai1::
```

Each line consists of four colon-delimited fields:

- Group name - The name of the group.
- Encrypted password - The encrypted password for the group (it is used when a user who is not a member of the group wants to join the group using the `newgrp` command; if the password starts with `!`, no one is allowed to access the group with `newgrp`).
- Group administrators - A comma-delimited list of the administrators of the group (they can change the password of the group and can add or remove group members with the `gpasswd` command).
- Group members - A comma-delimited list of the members of the group.
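As an added example (not part of the lesson), the following shell function reads data in the `/etc/passwd` and `/etc/group` layouts described above and resolves a user's primary and supplementary groups the way `id` reports them, also flagging a primary GID that has no group record; the sample records, the temp-file handling and the `NO SUCH GROUP` marker are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the lesson: resolve a user's groups from passwd- and
# group-format data the way id(1) does, using only the field layout described
# above. The sample records below are constructed for this example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
frank:x:1001:1001::/home/frank:/bin/bash
carol:x:1051:1015:User Carol:/home/carol:/bin/sh'

SAMPLE_GROUP='root:x:0:
frank:x:1001:
web_admin:x:1005:frank,emma
web_developer:x:1010:grace,kevin,christian'

# resolve_groups USER PASSWD_DATA GROUP_DATA
# Prints "uid=UID(user) gid=GID(group) groups=..." and returns 1 for an unknown user.
# A primary GID with no group record is reported as NO SUCH GROUP: every group
# named in a passwd record must exist.
resolve_groups() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$2" > "$tmpdir/passwd"
    printf '%s\n' "$3" > "$tmpdir/group"
    awk -F: -v user="$1" '
        # First file (passwd): field 3 is the UID, field 4 the primary GID.
        FNR == NR { if ($1 == user) { uid = $3; pgid = $4; found = 1 }; next }
        !found    { next }
        # Second file (group): field 3 is the GID, field 4 the member list.
        $3 == pgid { pname = $1 }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == user && $3 != pgid)   # primary group is implied by passwd
                    supp = supp "," $3 "(" $1 ")"
        }
        END {
            if (!found) { print "no such user: " user > "/dev/stderr"; exit 1 }
            prim = pgid "(" (pname != "" ? pname : "NO SUCH GROUP") ")"
            printf "uid=%s(%s) gid=%s groups=%s%s\n", uid, user, prim, prim, supp
        }' "$tmpdir/passwd" "$tmpdir/group"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

resolve_groups frank "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
# uid=1001(frank) gid=1001(frank) groups=1001(frank),1005(web_admin)
resolve_groups carol "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
# uid=1051(carol) gid=1015(NO SUCH GROUP) groups=1015(NO SUCH GROUP)
```

On a live system the same function can be pointed at the real files with `resolve_groups frank "$(cat /etc/passwd)" "$(cat /etc/group)"` and its output compared with `id frank`.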
Now that we’ve seen where user and group information is stored, let’s talk about the most important command-line tools to update these files.
Adding and Deleting User Accounts

In Linux, you add a new user account with the `useradd` command, and you delete a user account with the `userdel` command.

If you want to create a new user account named `frank` with default settings, you can run the following:

```
# useradd frank
```

After creating the new user, you can set a password using `passwd`:

```
# passwd frank
Changing password for user frank.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
```

Both of these commands require root authority. When you run the `useradd` command, the user and group information stored in the password and group databases is updated for the newly created user account and, if specified, the home directory of the new user is created, as well as a group with the same name as the user account.
Tip: Remember that you can always use the … or … to see basic information on the newly created …
The most important options which apply to the `useradd` command are:

- `-c` - Create a new user account with custom comments (for example the full name).
- `-d` - Create a new user account with a custom home directory.
- `-e` - Create a new user account by setting a specific date on which it will be disabled.
- `-f` - Create a new user account by setting the number of days after the password expires during which the user should update the password.
- `-g` - Create a new user account with a specific GID.
- `-G` - Create a new user account by adding it to multiple secondary groups.
- `-m` - Create a new user account with its home directory.
- `-M` - Create a new user account without its home directory.
- `-s` - Create a new user account with a specific login shell.
- `-u` - Create a new user account with a specific UID.
Once the new user account is created, you can use the `id` and `groups` commands to find out its UID, GID and the groups to which it belongs.

```
# id frank
uid=1000(frank) gid=1000(frank) groups=1000(frank)
# groups frank
frank : frank
```
Tip: Remember to check and, if necessary, edit the …
If you want to delete a user account, you can use the `userdel` command. In particular, this command updates the information stored in the account databases, deleting all entries referring to the specified user. The `-r` option also removes the user's home directory and all of its contents, along with the user's mail spool. Other files, located elsewhere, must be searched for and deleted manually.

```
# userdel -r frank
```

As before, you need root authority to delete user accounts.
The Skeleton Directory

When you add a new user account and its home directory is created as well, the newly created home directory is populated with files and folders that are copied from the skeleton directory (by default `/etc/skel`). The idea behind this is simple: a system administrator wants new users to start with the same files and directories in their home. Therefore, if you want to customize the files and folders that are created automatically in the home directory of new user accounts, you must add these new files and folders to the skeleton directory.

Tip: Note that the profile files that are usually found in the skeleton directory are hidden files. Therefore, if you want to list all the files and folders in the skeleton directory, which will be copied to the home directory of the newly created users, you must use the …
Adding and Deleting Groups

As for group management, you can add or delete groups using the `groupadd` and `groupdel` commands.

If you want to create a new group named `developer`, you can run the following command as root:

```
# groupadd -g 1090 developer
```

The `-g` option of this command creates a group with a specific GID.

If you want to delete the `developer` group, you can run the following:

```
# groupdel developer
```

Warning: Remember that when you add a new user account, the primary group and the secondary groups to which it belongs must exist before launching the …
The passwd Command

This command is primarily used to change a user's password. Any user can change their own password, but only root can change any user's password.

Depending on the `passwd` option used, you can control specific aspects of password aging:

- `-d` - Delete the password of a user account (thus setting an empty password, making it a passwordless account).
- `-e` - Force the user account to change the password.
- `-l` - Lock the user account (the encrypted password is prefixed with an exclamation mark).
- `-u` - Unlock the user account (it removes the exclamation mark).
- `-S` - Output information about the password status for a specific account.

These options are available only for root. To see the full list of options, refer to the man pages.
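As an added example (not part of the lesson), the following shell function reads records in the `/etc/shadow` layout and reports the state that each of the `passwd` options above leaves behind (`-l` prefixes the hash with `!`, `-d` empties the field, `-e` sets the last-change day to 0), plus password expiry computed from the aging fields; the `dave`, `carol` and `henry` records come from this lesson's exercises, while the other records, the placeholder hashes and the day number 18100 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lesson: report the password-aging state of each
# /etc/shadow-format record, as passwd -S and the aging fields would show it.
# dave, carol and henry are the lesson's exercise records; the rest are constructed.

SAMPLE_SHADOW='dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
emma::18050:0:99999:7:::
grace:$6$constructedhash:18090:0:60:7:::
frank:$6$constructedhash:18045:0:60:7:::
kevin:$6$constructedhash:18050:0:99999:7::18090:'

# shadow_status TODAY < shadow-format data
# TODAY is the current day as days since 1970-01-01, the unit used by fields 3 and 8.
shadow_status() {
    awk -F: -v today="$1" '
        NF != 9 { print $1 ": malformed record (" NF " fields)"; next }
        {
            user = $1; pw = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
            if (expire != "" && expire + 0 <= today) { print user ": account expired"; next }
            if (pw == "")      { print user ": NO PASSWORD (empty field)"; next }   # passwd -d
            if (pw ~ /^[!*]/)  { print user ": locked"; next }   # passwd -l; "*" is the other lock marker
            if (last == "")    { print user ": password aging disabled"; next }
            if (last + 0 == 0) { print user ": must change password at next login"; next }   # passwd -e
            if (max == "" || max + 0 >= 99999) { print user ": password never expires"; next }
            due = last + max                      # day on which the password expires
            if (today > due) {
                if (inact != "" && today > due + inact)
                    print user ": password expired, account disabled after inactivity period"
                else
                    print user ": password expired " (today - due) " days ago"
                next
            }
            if (today >= due - warn)
                print user ": password expires in " (due - today) " days (warning period)"
            else
                print user ": ok, password expires in " (due - today) " days"
        }'
}

# Constructed reference day 18100; for a live check use "$(( $(date +%s) / 86400 ))".
printf '%s\n' "$SAMPLE_SHADOW" | shadow_status 18100
# dave: must change password at next login
# carol: password expired 25 days ago
# henry: locked
# emma: NO PASSWORD (empty field)
# grace: ok, password expires in 50 days
# frank: password expires in 5 days (warning period)
# kevin: account expired
```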
Guided Exercises

- For each of the following entries, indicate the file to which it refers:
  - `developer:x:1010:frank,grace,dave`
  - `root:x:0:0:root:/root:/bin/bash`
  - `henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::`
  - `henry:x:1000:1000:User Henry:/home/henry:/bin/bash`
  - `staff:!:dave:carol,emma`
- Observe the following output to answer the next seven questions:

  ```
  # cat /etc/passwd | tail -3
  dave:x:1050:1050:User Dave:/home/dave:/bin/bash
  carol:x:1051:1015:User Carol:/home/carol:/bin/sh
  henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
  # cat /etc/group | tail -3
  web_admin:x:1005:frank,emma
  web_developer:x:1010:grace,kevin,christian
  dave:x:1050:
  # cat /etc/shadow | tail -3
  dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
  carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
  henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
  # cat /etc/gshadow | tail -3
  web_admin:!:frank:frank,emma
  web_developer:!:kevin:grace,kevin,christian
  dave:!::
  ```

  - What is the User ID (UID) and Group ID (GID) of `carol`?
  - What shell is set for `dave` and `henry`?
  - What is the name of the primary group of `henry`?
  - What are the members of the `web_developer` group? Which of these are group administrators?
  - Which user cannot log into the system?
  - Which user should change the password the next time he logs into the system?
  - How many days must pass before a password change is required for `carol`?
Explorational Exercises

- Working as root, run the `useradd -m dave` command to add a new user account. What operations does this command perform? Assume that `CREATE_HOME` and `USERGROUPS_ENAB` in `/etc/login.defs` are set to `yes`.
- Now that you have created the `dave` account, can this user log in to the system?
- Identify the User ID (UID) and Group ID (GID) of `dave` and all members of the `dave` group.
- Create the `sys_admin`, `web_admin` and `db_admin` groups and identify their Group IDs (GIDs).
- Add a new user account named `carol` with UID 1035 and set `sys_admin` as its primary group and `web_admin` and `db_admin` as its secondary groups.
- Delete the `dave` and `carol` user accounts and the `sys_admin`, `web_admin` and `db_admin` groups that you have previously created.
- Run the `ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow` command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.
- Run the `ls -l /usr/bin/passwd` command. Which special bit is set and what is its meaning?
Summary

In this lesson, you learned:

- The fundamentals of user and group management in Linux
- How to manage user and group information stored in the password and group databases
- How to maintain the skeleton directory
- How to add and remove user accounts
- How to add and remove group accounts
- How to change the password of user accounts

The following commands were discussed in this lesson:

- `useradd` - Create a new user account.
- `groupadd` - Create a new group account.
- `userdel` - Delete a user account.
- `groupdel` - Delete a group account.
- `passwd` - Change the password of user accounts and control all aspects of password aging.
Answers to Guided Exercises

- For each of the following entries, indicate the file to which it refers:
  - `developer:x:1010:frank,grace,dave` - `/etc/group`
  - `root:x:0:0:root:/root:/bin/bash` - `/etc/passwd`
  - `henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::` - `/etc/shadow`
  - `henry:x:1000:1000:User Henry:/home/henry:/bin/bash` - `/etc/passwd`
  - `staff:!:dave:carol,emma` - `/etc/gshadow`
- Observe the following output to answer the next seven questions:

  ```
  # cat /etc/passwd | tail -3
  dave:x:1050:1050:User Dave:/home/dave:/bin/bash
  carol:x:1051:1015:User Carol:/home/carol:/bin/sh
  henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
  # cat /etc/group | tail -3
  web_admin:x:1005:frank,emma
  web_developer:x:1010:grace,kevin,christian
  dave:x:1050:
  # cat /etc/shadow | tail -3
  dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
  carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
  henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
  # cat /etc/gshadow | tail -3
  web_admin:!:frank:frank,emma
  web_developer:!:kevin:grace,kevin,christian
  dave:!::
  ```

  - What is the User ID (UID) and Group ID (GID) of `carol`?
    The UID is 1051 and the GID is 1015 (the third and fourth fields in `/etc/passwd`).
  - What shell is set for `dave` and `henry`?
    `dave` uses `/bin/bash` and `henry` uses `/bin/tcsh` (the seventh field in `/etc/passwd`).
  - What is the name of the primary group of `henry`?
    The group name is `web_admin` (the first field in `/etc/group`).
  - What are the members of the `web_developer` group? Which of these are group administrators?
    The members are `grace`, `kevin` and `christian` (the fourth field in `/etc/group`), but only `kevin` is the administrator of the group (the third field in `/etc/gshadow`).
  - Which user cannot log into the system?
    The `henry` user account is locked (it has an exclamation mark in front of the password hash in `/etc/shadow`).
  - Which user should change the password the next time he logs into the system?
    If the third field (Date of Last Password Change) in `/etc/shadow` is 0, the user should change his password the next time he logs into the system. Therefore, `dave` must change his password.
  - How many days must pass before a password change is required for `carol`?
    60 days (the fifth field in `/etc/shadow`).
Answers to Explorational Exercises

- Working as root, run the `useradd -m dave` command to add a new user account. What operations does this command perform? Assume that `CREATE_HOME` and `USERGROUPS_ENAB` in `/etc/login.defs` are set to `yes`.

  The command adds a new user, named `dave`, to the list of users in the system. The home directory of `dave` is created (by default `/home/dave`) and the files and directories contained in the skeleton directory are copied to the home directory. Finally, a new group is created with the same name as the user account.
- Now that you have created the `dave` account, can this user log in to the system?

  No, because the `dave` account is locked (see the exclamation mark in `/etc/shadow`).

  ```
  # cat /etc/shadow | grep dave
  dave:!:18015:0:99999:7:::
  ```

  If you set a password for `dave`, the account will be unlocked. You can do this using the `passwd` command.

  ```
  # passwd dave
  Changing password for user dave.
  New UNIX password:
  Retype new UNIX password:
  passwd: all authentication tokens updated successfully.
  ```
- Identify the User ID (UID) and Group ID (GID) of `dave` and all members of the `dave` group.

  ```
  # cat /etc/passwd | grep dave
  dave:x:1015:1019::/home/dave:/bin/sh
  # cat /etc/group | grep 1019
  dave:x:1019:
  ```

  The UID and GID of `dave` are 1015 and 1019 respectively (the third and fourth fields in `/etc/passwd`) and the `dave` group has no members (the fourth field in `/etc/group` is empty).
- Create the `sys_admin`, `web_admin` and `db_admin` groups and identify their Group IDs (GIDs).

  ```
  # groupadd sys_admin
  # groupadd web_admin
  # groupadd db_admin
  # cat /etc/group | grep admin
  sys_admin:x:1020:
  web_admin:x:1021:
  db_admin:x:1022:
  ```

  The GIDs for the `sys_admin`, `web_admin` and `db_admin` groups are 1020, 1021 and 1022 respectively.
- Add a new user account named `carol` with UID 1035 and set `sys_admin` as its primary group and `web_admin` and `db_admin` as its secondary groups.

  ```
  # useradd -u 1035 -g 1020 -G web_admin,db_admin carol
  # id carol
  uid=1035(carol) gid=1020(sys_admin) groups=1020(sys_admin),1021(web_admin),1022(db_admin)
  ```
- Delete the `dave` and `carol` user accounts and the `sys_admin`, `web_admin` and `db_admin` groups that you have previously created.

  ```
  # userdel -r dave
  # userdel -r carol
  # groupdel sys_admin
  # groupdel web_admin
  # groupdel db_admin
  ```
- Run the `ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow` command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.

  ```
  # ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
  -rw-r--r-- 1 root root 853 mag 1 08:00 /etc/group
  -rw-r----- 1 root shadow 1203 mag 1 08:00 /etc/gshadow
  -rw-r--r-- 1 root root 1354 mag 1 08:00 /etc/passwd
  -rw-r----- 1 root shadow 1563 mag 1 08:00 /etc/shadow
  ```

  The `/etc/passwd` and `/etc/group` files are world readable and are shadowed for security reasons. When shadow passwords are used, you can see an `x` in the second field of these files because the encrypted passwords for users and groups are stored in `/etc/shadow` and `/etc/gshadow`, which are readable only by root and, in some systems, also by members belonging to the `shadow` group.
- Run the `ls -l /usr/bin/passwd` command. Which special bit is set and what is its meaning?

  ```
  # ls -l /usr/bin/passwd
  -rwsr-xr-x 1 root root 42096 mag 17 2015 /usr/bin/passwd
  ```

  The `passwd` command has the SUID bit set (the fourth character of this line), which means that the command is executed with the privileges of the file's owner (thus root). This is how ordinary users can change their password.