107.1 Lesson 1

Certificate: LPIC-1
Version: 5.0
Topic: 107 Administrative Tasks
Objective: 107.1 Manage user and group accounts and related system files
Lesson: 1 of 2

Introduction

User and group administration is a very important part of any system administrator’s job. Modern Linux distributions implement graphical interfaces that allow you to manage all the activities related to this key aspect quickly and easily. These interfaces are different from each other in terms of graphical layouts, but the features are the same. With these tools you can view, edit, add, and delete local users and groups. However, for more advanced management you need to work through the command line.

Adding User Accounts

In Linux, you can add a new user account with the useradd command. For example, acting with root privileges, you can create a new user account named michael with default settings, using the following:

# useradd michael

When you run the useradd command, the user and group information stored in the password and group databases is updated for the newly created user account and, if specified, the home directory of the new user is created as well. A group with the same name as the new user account is also created.

Once you have created the new user, you can set its password using the passwd command. You can review its User ID (UID), Group ID (GID) and the groups it belongs to through the id and groups commands.

# passwd michael
Changing password for user michael.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# id michael
uid=1000(michael) gid=100(michael) groups=100(michael)
# groups michael
michael : michael

Note

Remember that any user can review their UID, GID and the groups they belong to by simply using the id and groups commands without arguments, and that any user can change their password using the passwd command. However, only users with root privileges can change any user’s password.

The most important options which apply to the useradd command are:

-c

Create a new user account with custom comments (for example the user’s full name).

-d

Create a new user account with a custom home directory.

-e

Create a new user account by setting a specific date on which it will be disabled.

-f

Create a new user account by setting the number of days after a password expires during which the user should update the password (otherwise the account will be disabled).

-g

Create a new user account with a specific GID.

-G

Create a new user account by adding it to multiple secondary groups.

-k

Create a new user account by copying the skeleton files from a specific custom directory (this option is only valid if the -m or --create-home option is specified).

-m

Create a new user account with its home directory (if it does not exist).

-M

Create a new user account without its home directory.

-s

Create a new user account with a specific login shell.

-u

Create a new user account with a specific UID.

See the manual pages for the useradd command for the complete list of options.

Modifying User Accounts

Sometimes you need to change an attribute of an existing user account, such as the login name, login shell, password expiry date and so on. In such cases, you need to use the usermod command.

# usermod -s /bin/tcsh michael
# usermod -c "Michael User Account" michael

Just as with the useradd command, the usermod command requires root privileges.

In the examples above, the login shell of michael is changed first and then a brief description is added to this user account. Remember that you can modify multiple attributes at once, specifying them in a single command.

The most important options which apply to the usermod command are:

-c

Add a brief comment to the specified user account.

-d

Change the home directory of the specified user account. When used with the -m option, the contents of the current home directory are moved to the new home directory, which is created if it does not already exist.

-e

Set the expiration date of the specified user account.

-f

Set the number of days after a password expires during which the user should update the password (otherwise the account will be disabled).

-g

Change the primary group of the specified user account (the group must exist).

-G

Add secondary groups to the specified user account. Each group must exist and must be separated from the next by a comma, with no intervening whitespace. If used alone, this option removes all existing groups to which the user belongs, while when used with the -a option, it simply appends new secondary groups to the existing ones.

-l

Change the login name of the specified user account.

-L

Lock the specified user account. This puts an exclamation mark in front of the encrypted password within the /etc/shadow file, thus disabling access with a password for that user.

-s

Change the login shell of the specified user account.

-u

Change the UID of the specified user account.

-U

Unlock the specified user account. This removes the exclamation mark in front of the encrypted password within the /etc/shadow file.

See the manual pages for the usermod command for the complete list of options.

Tip

Remember that when you change the login name of a user account, you should probably rename the home directory of that user and other user-related items such as mail spool files. Also remember that when you change the UID of a user account, you should probably fix the ownership of files and directories outside the user’s home directory (the user ID is changed automatically for the user’s mailbox and for all files owned by the user and located in the user’s home directory).

Deleting User Accounts

If you want to delete a user account, you can use the userdel command. In particular, this command updates the information stored in the account databases, deleting all entries referring to the specified user. The -r option also removes the user’s home directory and all its contents, along with the user’s mail spool. Other files, located elsewhere, must be searched for and deleted manually.

# userdel -r michael

As for useradd and usermod, you need root authority to delete user accounts.

Adding, Modifying and Deleting Groups

Just as with user management, you can add, modify and delete groups using the groupadd, groupmod and groupdel commands with root privileges. If you want to create a new group named developer, you can run the following command:

# groupadd -g 1090 developer

The -g option of this command creates a group with a specific GID.

Warning

Remember that when you add a new user account, the primary group and the secondary groups to which it belongs must exist before launching the useradd command.

Later, if you want to rename the group from developer to web-developer and change its GID, you can run the following:

# groupmod -n web-developer -g 1050 developer

Tip

Remember that if you change the GID using the -g option, you should change the GID of all files and directories that must continue to belong to the group.

Finally, if you want to delete the web-developer group, you can run the following:

# groupdel web-developer

You cannot delete a group if it is the primary group of a user account. Therefore, you must remove the user before removing the group. As for users, if you delete a group, the files belonging to that group remain in your filesystem and are not deleted or assigned to another group.

The Skeleton Directory

When you add a new user account and its home directory is created, that home directory is populated with files and folders copied from the skeleton directory (by default /etc/skel). The idea behind this is simple: a system administrator wants new users to start with the same files and directories in their home folder. Therefore, if you want to customize the files and folders that are created automatically in the home directory of new user accounts, you must add these new files and folders to the skeleton directory.

Tip

Note that if you want to list all the files and directories in the skeleton directory, you must use the ls -al command.

The /etc/login.defs File

In Linux, the /etc/login.defs file specifies the configuration parameters that control the creation of users and groups. In addition, the commands shown in the previous sections take default values from this file.

The most important directives are:

UID_MIN and UID_MAX

The range of user IDs that can be assigned to new ordinary users.

GID_MIN and GID_MAX

The range of group IDs that can be assigned to new ordinary groups.

CREATE_HOME

Specify whether a home directory should be created by default for new users.

USERGROUPS_ENAB

Specify whether the system should by default create a new group for each new user account with the same name as the user, and whether deleting the user account should also remove the user’s primary group if it no longer contains members.

MAIL_DIR

The mail spool directory.

PASS_MAX_DAYS

The maximum number of days a password may be used.

PASS_MIN_DAYS

The minimum number of days allowed between password changes.

PASS_MIN_LEN

The minimum acceptable password length.

PASS_WARN_AGE

The number of warning days before a password expires.

Tip

When managing users and groups, always check this file to view and, if needed, change the default behavior of the system.
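
The password-aging directives listed above can be checked mechanically. The following is an added example, not part of the LPI lesson: a shell function that reads a login.defs-format file and flags PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE values outside a local policy. The limits, the PASS_MAX_LIMIT, PASS_MIN_FLOOR and PASS_WARN_FLOOR variables, the function names and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the LPI lesson: check the password-aging
# directives of a login.defs-format file against local policy limits.
# The default limits below are illustrative assumptions, not recommendations.

# audit_login_defs FILE
# Prints one finding per line; returns 0 when nothing is flagged, 1 otherwise.
audit_login_defs() {
    awk -v max_limit="${PASS_MAX_LIMIT:-90}" \
        -v min_floor="${PASS_MIN_FLOOR:-1}" \
        -v warn_floor="${PASS_WARN_FLOOR:-7}" '
        function need(key, op, limit,    v) {
            if (!(key in conf)) { print key ": not set"; return 1 }
            v = conf[key] + 0
            limit += 0
            if ((op == "<=" && v > limit) || (op == ">=" && v < limit)) {
                print key "=" conf[key] " (expected " op " " limit ")"
                return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        { conf[$1] = $2 }              # directive name -> value
        END {
            bad  = need("PASS_MAX_DAYS", "<=", max_limit)
            bad += need("PASS_MIN_DAYS", ">=", min_floor)
            bad += need("PASS_WARN_AGE", ">=", warn_floor)
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: permissive aging values, not a real system file.
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed sample
UID_MIN          1000
UID_MAX         60000
CREATE_HOME       yes
USERGROUPS_ENAB   yes
PASS_MAX_DAYS   99999
PASS_MIN_DAYS       0
PASS_WARN_AGE       7
EOF
}

# Constructed sample: the same directives within the example limits.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# constructed sample
PASS_MAX_DAYS      90
PASS_MIN_DAYS       1
PASS_WARN_AGE      14
EOF
}

# Demo: audit both samples.
demo=$(mktemp)
write_weak_sample "$demo"
echo "weak sample:";     audit_login_defs "$demo" || echo "-> findings above"
write_hardened_sample "$demo"
echo "hardened sample:"; audit_login_defs "$demo" && echo "-> clean"
rm -f "$demo"
```

On a real system, run it as audit_login_defs /etc/login.defs. According to the login.defs manual page, these three directives are applied only when an account is created, so existing accounts keep their current values until they are changed with chage or passwd.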

The passwd Command

This command is primarily used to change a user’s password. As described before, any user can change their own password, but only root can change any user’s password. Ordinary users are able to change their own password because the passwd command has the SUID bit set (an s in the place of the executable flag for the owner), which means that it executes with the privileges of the file’s owner (thus root).

# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 42096 mag 17  2015 /usr/bin/passwd

Depending on the passwd options used, you can control specific aspects of password aging:

-d

Delete the password of a user account (thus disabling the user).

-e

Force the user account to change the password.

-i

Set the number of days of inactivity after a password expires during which the user should update the password (otherwise the account will be disabled).

-l

Lock the user account (the encrypted password is prefixed with an exclamation mark in the /etc/shadow file).

-n

Set the minimum password lifetime.

-S

Output information about the password status of a specific user account.

-u

Unlock the user account (the exclamation mark is removed from the password field in the /etc/shadow file).

-x

Set the maximum password lifetime.

-w

Set the number of days of warning before the password expires during which the user is warned that the password must be changed.

Note

Groups can also have a password, which can be set using the gpasswd command. Users who are not members of a group but know its password can join it temporarily using the newgrp command. Remember that gpasswd is also used to add and remove users from a group and to set the list of administrators and ordinary members of the group.

The chage Command

This command, which stands for “change age”, is used to change the password aging information of a user. The chage command is restricted to root, except for the -l option, which can be used by ordinary users to list password aging information of their own account.

The other options which apply to the chage command are:

-d

Set the last password change for a user account.

-E

Set the expiration date for a user account.

-I

Set the number of days of inactivity after a password expires during which the user should update the password (otherwise the account will be disabled).

-m

Set the minimum password lifetime for a user account.

-M

Set the maximum password lifetime for a user account.

-W

Set the number of days of warning before the password expires during which the user is warned that the password must be changed.
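
The lock, expiry and aging options of usermod, passwd and chage described above all end up as fields of an /etc/shadow entry. The following added example (not part of the LPI lesson) reads shadow-format lines and reports, for each account, the state of the password field and any aging condition. The function names, state labels and sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the LPI lesson: classify /etc/shadow-format
# entries by password-field state and aging fields. Sample data is constructed.

# shadow_status FILE [TODAY]   (TODAY = days since 1970-01-01, default: now)
# Prints "name state notes" for every entry.
#   state: locked (! prefix, as written by usermod -L / passwd -l),
#          nohash (* placeholder), empty (no password), hashed
#   notes: acct-expired (field 8, set by chage -E / usermod -e),
#          must-change  (field 3 is 0, set by passwd -e),
#          pw-expired   (field 3 + field 5, the maximum lifetime, is in the past)
shadow_status() {
    awk -F: -v today="${2:-$(( $(date +%s) / 86400 ))}" '
        function add(list, item) { return (list == "") ? item : (list "," item) }
        /^[ \t]*(#|$)/ { next }
        {
            first = substr($2, 1, 1)
            if ($2 == "")          state = "empty"
            else if (first == "!") state = "locked"
            else if (first == "*") state = "nohash"
            else                   state = "hashed"

            notes = ""
            if ($8 + 0 > 0 && today + 0 >= $8 + 0)
                notes = add(notes, "acct-expired")
            if (state == "hashed") {
                if ($3 == "0")
                    notes = add(notes, "must-change")
                else if ($3 != "" && $5 != "" && today + 0 > $3 + $5)
                    notes = add(notes, "pw-expired")
            }
            print $1, state, (notes == "" ? "-" : notes)
        }
    ' "$1"
}

# needs_review FILE [TODAY]
# Entries to look at first: empty password fields and anything with a note.
needs_review() {
    shadow_status "$@" | awk '$2 == "empty" || $3 != "-"'
}

# Constructed sample entries (placeholder hashes, not real credentials).
# kevin expires on day 19357, which is 2022-12-31.
write_shadow_sample() {
    cat > "$1" <<'EOF'
root:$6$constructed$placeholder:19000:0:99999:7:::
daemon:*:18900:0:99999:7:::
michael:!$6$constructed$placeholder:19300:0:90:7:::
kevin:$6$constructed$placeholder:19350:0:90:7::19357:
emma:$6$constructed$placeholder:0:0:90:7:::
guest::19350:0:99999:7:::
carol:$6$constructed$placeholder:19000:0:90:7:14::
EOF
}

# Demo: evaluate the sample as of day 19400 (mid-February 2023).
sample=$(mktemp)
write_shadow_sample "$sample"
shadow_status "$sample" 19400
rm -f "$sample"
```

Reading the real /etc/shadow requires root privileges. A locked entry only disables password authentication, as the -L description above says; the usermod manual page recommends also setting the account expiry date to 1 when the whole account must be disabled.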

Guided Exercises

  1. For each of the following commands, identify the corresponding purpose:

    usermod -L

    passwd -u

    chage -E

    groupdel

    useradd -s

    groupadd -g

    userdel -r

    usermod -l

    groupmod -n

    useradd -m

  2. For each of the following passwd commands, identify the corresponding chage command:

    passwd -n

    passwd -x

    passwd -w

    passwd -i

    passwd -S

  3. Explain in detail the purpose of the commands in the previous question:

  4. What commands can you use to lock a user account? And which commands to unlock it?

Explorational Exercises

  1. Using the groupadd command, create the administrators and developers groups. Assume you are working as root.

  2. Now that you have created these groups, run the following command: useradd -G administrators,developers kevin. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.

  3. Create a new group named designers, rename it to web-designers and add this new group to the secondary groups of the kevin user account. Identify all the groups kevin belongs to and their IDs.

  4. Remove only the developers group from the secondary groups of kevin.

  5. Set the password for the kevin user account.

  6. Using the chage command, first check the expiry date of the kevin user account and then change it to December 31st 2022. What other command can you use to change the expiration date of a user account?

  7. Add a new user account named emma with UID 1050 and set administrators as its primary group and developers and web-designers as its secondary groups.

  8. Change the login shell of emma to /bin/sh.

  9. Delete the emma and kevin user accounts and the administrators, developers and web-designers groups.

Summary

In this lesson you learned:

  • The fundamentals of user and group management in Linux.

  • How to add, modify and remove user accounts.

  • How to add, modify and remove group accounts.

  • How to maintain the skeleton directory.

  • How to edit the file that controls the creation of users and groups.

  • How to change the passwords of user accounts.

  • How to change the password aging information of user accounts.

The following files and commands were discussed in this lesson:

useradd

Create a new user account.

usermod

Modify a user account.

userdel

Delete a user account.

groupadd

Create a new group account.

groupmod

Modify a group account.

groupdel

Delete a group account.

passwd

Change the password of user accounts and control all aspects of password aging.

chage

Change user password expiry information.

/etc/skel

The default location of the skeleton directory.

/etc/login.defs

The file that controls the creation of users and groups and provides default values for several user account parameters.

Answers to Guided Exercises

  1. For each of the following commands, identify the corresponding purpose:

    usermod -L

    Lock the user account

    passwd -u

    Unlock the user account

    chage -E

    Set the expiration date for the user account

    groupdel

    Delete the group

    useradd -s

    Create a new user account with a specific login shell

    groupadd -g

    Create a new group with a specific GID

    userdel -r

    Remove the user account and all files in its home directory, the home directory itself and the user’s mail spool

    usermod -l

    Change the login name of the user account

    groupmod -n

    Change the name of the group

    useradd -m

    Create a new user account and its home directory

  2. For each of the following passwd commands, identify the corresponding chage command:

    passwd -n

    chage -m

    passwd -x

    chage -M

    passwd -w

    chage -W

    passwd -i

    chage -I

    passwd -S

    chage -l

  3. Explain in detail the purpose of the commands in the previous question:

    In Linux, you can use the passwd -n command (or chage -m) to set the minimum number of days between password changes, the passwd -x command (or chage -M) to set the maximum number of days during which a password is valid, the passwd -w command (or chage -W) to set the number of days of warning before the password expires, the passwd -i command (or chage -I) to set the number of days of inactivity during which the user should change the password and the passwd -S command (or chage -l) to show brief information about the password of the user account.

  4. What commands can you use to lock a user account? And which commands to unlock it?

    If you want to lock a user account, you can use one of these commands: usermod -L, usermod --lock and passwd -l. Instead, if you want to unlock it, you can use usermod -U, usermod --unlock and passwd -u.

Answers to Explorational Exercises

  1. Using the groupadd command, create the administrators and developers groups. Assume you are working as root.

    # groupadd administrators
    # groupadd developers

  2. Now that you have created these groups, run the following command: useradd -G administrators,developers kevin. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.

    The command adds a new user, named kevin, to the list of users in the system, creates its home directory (CREATE_HOME is set to yes and therefore you can omit the -m option) and creates a new group, named kevin, as the primary group of this user account (USERGROUPS_ENAB is set to yes). Finally, the files and folders contained in the skeleton directory are copied to the home directory of kevin.

  3. Create a new group named designers, rename it to web-designers and add this new group to the secondary groups of the kevin user account. Identify all the groups kevin belongs to and their IDs.

    # groupadd designers
    # groupmod -n web-designers designers
    # usermod -a -G web-designers kevin
    # id kevin
    uid=1010(kevin) gid=1030(kevin) groups=1030(kevin),1028(administrators),1029(developers),1031(web-designers)

  4. Remove only the developers group from the secondary groups of kevin.

    # usermod -G administrators,web-designers kevin
    # id kevin
    uid=1010(kevin) gid=1030(kevin) groups=1030(kevin),1028(administrators),1031(web-designers)

    The usermod command does not have an option to remove only one group; therefore, you need to specify all the secondary groups to which the user belongs.

  5. Set the password for the kevin user account.

    # passwd kevin
    Changing password for user kevin.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

  6. Using the chage command, first check the expiry date of the kevin user account and then change it to December 31st 2022. What other command can you use to change the expiration date of a user account?

    # chage -l kevin | grep "Account expires"
    Account expires		: never
    # chage -E 2022-12-31 kevin
    # chage -l kevin | grep "Account expires"
    Account expires		: dec 31, 2022

    The usermod command with the -e option is equivalent to chage -E.

  7. Add a new user account named emma with UID 1050 and set administrators as its primary group and developers and web-designers as its secondary groups.

    # useradd -u 1050 -g administrators -G developers,web-designers emma
    # id emma
    uid=1050(emma) gid=1028(administrators) groups=1028(administrators),1029(developers),1031(web-designers)

  8. Change the login shell of emma to /bin/sh.

    # usermod -s /bin/sh emma

  9. Delete the emma and kevin user accounts and the administrators, developers and web-designers groups.

    # userdel -r emma
    # userdel -r kevin
    # groupdel administrators
    # groupdel developers
    # groupdel web-designers

Linux Professional Institute Inc. All rights reserved. Visit the Learning Materials website: https://learning.lpi.org
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
