107.1 Lesson 1
Certificate: LPIC-1
Version: 5.0
Topic: 107 Administrative Tasks
Objective: 107.1 Manage user and group accounts and related system files
Lesson: 1 of 2
Introduction
User and group administration is a very important part of any system administrator’s job. Modern Linux distributions implement graphical interfaces that allow you to manage all the activities related to this key aspect quickly and easily. These interfaces differ from each other in their graphical layouts, but the features are the same. With these tools you can view, edit, add, and delete local users and groups. However, for more advanced management you need to work through the command line.
Adding User Accounts
In Linux, you can add a new user account with the useradd command. For example, acting with root privileges, you can create a new user account named michael with default settings, using the following:
# useradd michael
When you run the useradd command, the user and group information stored in the password and group databases is updated for the newly created user account and, if specified, the home directory of the new user is created as well. A group with the same name as the new user account is also created.
Once you have created the new user, you can set its password using the passwd command. You can review its User ID (UID), Group ID (GID) and the groups it belongs to through the id and groups commands.
# passwd michael
Changing password for user michael.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# id michael
uid=1000(michael) gid=100(michael) groups=100(michael)
# groups michael
michael : michael
Note: Remember that any user can review their UID, GID and the groups they belong to by simply using the
The most important options which apply to the useradd command are:
-c: Create a new user account with custom comments (for example the user’s full name).
-d: Create a new user account with a custom home directory.
-e: Create a new user account by setting a specific date on which it will be disabled.
-f: Create a new user account by setting the number of days after a password expires during which the user should update the password (otherwise the account will be disabled).
-g: Create a new user account with a specific GID.
-G: Create a new user account by adding it to multiple secondary groups.
-k: Create a new user account by copying the skeleton files from a specific custom directory (this option is only valid if the -m or --create-home option is specified).
-m: Create a new user account with its home directory (if it does not exist).
-M: Create a new user account without its home directory.
-s: Create a new user account with a specific login shell.
-u: Create a new user account with a specific UID.
See the manual pages for the useradd command for the complete list of options.
Modifying User Accounts
Sometimes you need to change an attribute of an existing user account, such as the login name, login shell, password expiry date and so on. In such cases, you need to use the usermod command.
# usermod -s /bin/tcsh michael
# usermod -c "Michael User Account" michael
Just as with the useradd command, the usermod command requires root privileges.
In the examples above, the login shell of michael is changed first and then a brief description is added to this user account. Remember that you can modify multiple attributes at once, specifying them in a single command.
The most important options which apply to the usermod command are:
-c: Add a brief comment to the specified user account.
-d: Change the home directory of the specified user account. When used with the -m option, the contents of the current home directory are moved to the new home directory, which is created if it does not already exist.
-e: Set the expiration date of the specified user account.
-f: Set the number of days after a password expires during which the user should update the password (otherwise the account will be disabled).
-g: Change the primary group of the specified user account (the group must exist).
-G: Add secondary groups to the specified user account. Each group must exist and must be separated from the next by a comma, with no intervening whitespace. If used alone, this option removes all existing groups to which the user belongs, while when used with the -a option, it simply appends new secondary groups to the existing ones.
-l: Change the login name of the specified user account.
-L: Lock the specified user account. This puts an exclamation mark in front of the encrypted password within the /etc/shadow file, thus disabling access with a password for that user.
-s: Change the login shell of the specified user account.
-u: Change the UID of the specified user account.
-U: Unlock the specified user account. This removes the exclamation mark in front of the encrypted password within the /etc/shadow file.
See the manual pages for the usermod command for the complete list of options.
Tip: Remember that when you change the login name of a user account, you should probably rename the home directory of that user and other user-related items such as mail spool files. Also remember that when you change the UID of a user account, you should probably fix the ownership of files and directories outside the user’s home directory (the user ID is changed automatically for the user’s mailbox and for all files owned by the user and located in the user’s home directory).
Deleting User Accounts
If you want to delete a user account, you can use the userdel command. In particular, this command updates the information stored in the account databases, deleting all entries referring to the specified user. The -r option also removes the user’s home directory and all its contents, along with the user’s mail spool. Other files, located elsewhere, must be searched for and deleted manually.
# userdel -r michael
As for useradd and usermod, you need root authority to delete user accounts.
Adding, Modifying and Deleting Groups
Just as with user management, you can add, modify and delete groups using the groupadd, groupmod and groupdel commands with root privileges. If you want to create a new group named developer, you can run the following command:
# groupadd -g 1090 developer
The -g option of this command creates a group with a specific GID.
Warning: Remember that when you add a new user account, the primary group and the secondary groups to which it belongs must exist before launching the
Later, if you want to rename the group from developer to web-developer and change its GID, you can run the following:
# groupmod -n web-developer -g 1050 developer
Tip: Remember that if you change the GID using the
Finally, if you want to delete the web-developer group, you can run the following:
# groupdel web-developer
You cannot delete a group if it is the primary group of a user account. Therefore, you must remove the user before removing the group. As with users, if you delete a group, the files belonging to that group remain in your filesystem and are neither deleted nor assigned to another group.
The Skeleton Directory
When you add a new user account and its home directory is created, the newly created home directory is populated with files and folders that are copied from the skeleton directory (by default /etc/skel). The idea behind this is simple: a system administrator wants new users to start with the same files and directories in their home folder. Therefore, if you want to customize the files and folders that are created automatically in the home directory of new user accounts, you must add these new files and folders to the skeleton directory.
Tip: Note that if you want to list all the files and directories in the skeleton directory, you must use the
The /etc/login.defs File
In Linux, the /etc/login.defs file specifies the configuration parameters that control the creation of users and groups. In addition, the commands shown in the previous sections take default values from this file.
The most important directives are:
UID_MIN and UID_MAX: The range of user IDs that can be assigned to new ordinary users.
GID_MIN and GID_MAX: The range of group IDs that can be assigned to new ordinary groups.
CREATE_HOME: Specify whether a home directory should be created by default for new users.
USERGROUPS_ENAB: Specify whether the system should by default create a new group for each new user account with the same name as the user, and whether deleting the user account should also remove the user’s primary group if it no longer contains members.
MAIL_DIR: The mail spool directory.
PASS_MAX_DAYS: The maximum number of days a password may be used.
PASS_MIN_DAYS: The minimum number of days allowed between password changes.
PASS_MIN_LEN: The minimum acceptable password length.
PASS_WARN_AGE: The number of warning days before a password expires.
Tip: When managing users and groups, always check this file to view and, if necessary, change the default behavior of the system.
The passwd Command
This command is primarily used to change a user’s password. As described before, any user can change their own password, but only root can change any user’s password. This happens because the passwd command has the SUID bit set (an s in the place of the executable flag for the owner), which means that it executes with the privileges of the file’s owner (thus root).
# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 42096 mag 17 2015 /usr/bin/passwd
Depending on the passwd options used, you can control specific aspects of password aging:
-d: Delete the password of a user account (thus disabling the user).
-e: Force the user account to change the password.
-i: Set the number of days of inactivity after a password expires during which the user should update the password (otherwise the account will be disabled).
-l: Lock the user account (the encrypted password is prefixed with an exclamation mark in the /etc/shadow file).
-n: Set the minimum password lifetime.
-S: Output information about the password status of a specific user account.
-u: Unlock the user account (the exclamation mark is removed from the password field in the /etc/shadow file).
-x: Set the maximum password lifetime.
-w: Set the number of days of warning before the password expires during which the user is warned that the password must be changed.
Note: Groups can also have a password, which can be set using the
The chage Command
This command, which stands for “change age”, is used to change the password aging information of a user. The chage command is restricted to root, except for the -l option, which can be used by ordinary users to list password aging information of their own account.
The other options which apply to the chage command are:
-d: Set the last password change for a user account.
-E: Set the expiration date for a user account.
-I: Set the number of days of inactivity after a password expires during which the user should update the password (otherwise the account will be disabled).
-m: Set the minimum password lifetime for a user account.
-M: Set the maximum password lifetime for a user account.
-W: Set the number of days of warning before the password expires during which the user is warned that the password must be changed.
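An added example, not part of the LPI lesson, that ties the /etc/login.defs directives to the /etc/shadow fields that usermod, passwd and chage modify: a POSIX shell audit script that reads PASS_MAX_DAYS from a constructed login.defs sample and classifies constructed shadow entries as locked, passwordless, login-disabled or out of aging policy. The file contents, account names and placeholder hashes are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample of /etc/login.defs: only the directives this lesson covers.
LOGIN_DEFS_SAMPLE='# constructed login.defs sample
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000'

# Constructed sample of /etc/shadow. Fields: name:password:lastchange:min:max:warn:inactive:expire:
# The hashes are placeholders, not real password hashes.
SHADOW_SAMPLE='root:$6$placeholder$placeholderhash:19000:0:99999:7:::
michael:$6$placeholder$placeholderhash:19000:1:90:7:::
kevin:!$6$placeholder$placeholderhash:19000:1:90:7::19357:
emma::19000:0:99999:7:::
svc:*:19000:0:99999:7:::'

# login_defs_value DIRECTIVE: print the value of DIRECTIVE from the login.defs sample.
login_defs_value() {
    printf '%s\n' "$LOGIN_DEFS_SAMPLE" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# shadow_status USER: classify the user's shadow entry against PASS_MAX_DAYS.
#   locked      password field starts with "!" (what usermod -L / passwd -l produce)
#   nologin     password field is "*" (no hash, so password login is impossible)
#   nopassword  password field is empty (what passwd -d leaves behind)
#   no-max-age  max-days field (chage -M / passwd -x) exceeds PASS_MAX_DAYS; 99999 means never
#   ok          hash present and maximum age within policy
shadow_status() {
    max_policy=$(login_defs_value PASS_MAX_DAYS)
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v user="$1" -v maxp="$max_policy" '
        $1 != user                { next }
        $2 ~ /^!/                 { print "locked"; exit }
        $2 == "*"                 { print "nologin"; exit }
        $2 == ""                  { print "nopassword"; exit }
        $5 == "" || $5+0 > maxp+0 { print "no-max-age"; exit }
                                  { print "ok"; exit }'
}

# audit_all: report the status of every account in the sample, one per line.
audit_all() {
    printf '%s\n' "$SHADOW_SAMPLE" | cut -d: -f1 | while read -r name; do
        printf '%-10s %s\n' "$name" "$(shadow_status "$name")"
    done
}

audit_all
```

On a real system the same logic applies to /etc/login.defs and /etc/shadow read as root; only michael passes here because its max-days field (90) matches the policy.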
Guided Exercises
1. For each of the following commands, identify the corresponding purpose:
   usermod -L
   passwd -u
   chage -E
   groupdel
   useradd -s
   groupadd -g
   userdel -r
   usermod -l
   groupmod -n
   useradd -m
2. For each of the following passwd commands, identify the corresponding chage command:
   passwd -n
   passwd -x
   passwd -w
   passwd -i
   passwd -S
3. Explain in detail the purpose of the commands in the previous question.
4. What commands can you use to lock a user account? And which commands to unlock it?
Explorational Exercises
1. Using the groupadd command, create the administrators and developers groups. Assume you are working as root.
2. Now that you have created these groups, run the following command: useradd -G administrators,developers kevin. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.
3. Create a new group named designers, rename it to web-designers and add this new group to the secondary groups of the kevin user account. Identify all the groups kevin belongs to and their IDs.
4. Remove only the developers group from the secondary groups of kevin.
5. Set the password for the kevin user account.
6. Using the chage command, first check the expiry date of the kevin user account and then change it to December 31st 2022. What other command can you use to change the expiration date of a user account?
7. Add a new user account named emma with UID 1050 and set administrators as its primary group and developers and web-designers as its secondary groups.
8. Change the login shell of emma to /bin/sh.
9. Delete the emma and kevin user accounts and the administrators, developers and web-designers groups.
Summary
In this lesson you learned:
- The fundamentals of user and group management in Linux.
- How to add, modify and remove user accounts.
- How to add, modify and remove group accounts.
- How to maintain the skeleton directory.
- How to edit the file that controls the creation of users and groups.
- How to change the passwords of user accounts.
- How to change the password aging information of user accounts.
The following files and commands were discussed in this lesson:
useradd: Create a new user account.
usermod: Modify a user account.
userdel: Delete a user account.
groupadd: Create a new group account.
groupmod: Modify a group account.
groupdel: Delete a group account.
passwd: Change the password of user accounts and control all aspects of password aging.
chage: Change user password expiry information.
/etc/skel: The default location of the skeleton directory.
/etc/login.defs: The file that controls the creation of users and groups and provides default values for several user account parameters.
Answers to Guided Exercises
1. For each of the following commands, identify the corresponding purpose:
   usermod -L: Lock the user account
   passwd -u: Unlock the user account
   chage -E: Set the expiration date for the user account
   groupdel: Delete the group
   useradd -s: Create a new user account with a specific login shell
   groupadd -g: Create a new group with a specific GID
   userdel -r: Remove the user account and all files in its home directory, the home directory itself and the user’s mail spool
   usermod -l: Change the login name of the user account
   groupmod -n: Change the name of the group
   useradd -m: Create a new user account and its home directory
2. For each of the following passwd commands, identify the corresponding chage command:
   passwd -n: chage -m
   passwd -x: chage -M
   passwd -w: chage -W
   passwd -i: chage -I
   passwd -S: chage -l
3. Explain in detail the purpose of the commands in the previous question.
   In Linux, you can use the passwd -n command (or chage -m) to set the minimum number of days between password changes, the passwd -x command (or chage -M) to set the maximum number of days during which a password is valid, the passwd -w command (or chage -W) to set the number of days of warning before the password expires, the passwd -i command (or chage -I) to set the number of days of inactivity during which the user should change the password and the passwd -S command (or chage -l) to show brief information about the password of the user account.
4. What commands can you use to lock a user account? And which commands to unlock it?
   If you want to lock a user account, you can use one of these commands: usermod -L, usermod --lock and passwd -l. Instead, if you want to unlock it, you can use usermod -U, usermod --unlock and passwd -u.
Answers to Explorational Exercises
1. Using the groupadd command, create the administrators and developers groups. Assume you are working as root.
   # groupadd administrators
   # groupadd developers
2. Now that you have created these groups, run the following command: useradd -G administrators,developers kevin. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.
   The command adds a new user, named kevin, to the list of users in the system, creates its home directory (CREATE_HOME is set to yes and therefore you can omit the -m option) and creates a new group, named kevin, as the primary group of this user account (USERGROUPS_ENAB is set to yes). Finally, the files and folders contained in the skeleton directory are copied to the home directory of kevin.
3. Create a new group named designers, rename it to web-designers and add this new group to the secondary groups of the kevin user account. Identify all the groups kevin belongs to and their IDs.
   # groupadd designers
   # groupmod -n web-designers designers
   # usermod -a -G web-designers kevin
   # id kevin
   uid=1010(kevin) gid=1030(kevin) groups=1030(kevin),1028(administrators),1029(developers),1031(web-designers)
4. Remove only the developers group from the secondary groups of kevin.
   # usermod -G administrators,web-designers kevin
   # id kevin
   uid=1010(kevin) gid=1030(kevin) groups=1030(kevin),1028(administrators),1031(web-designers)
   The usermod command does not have an option to remove only one group; therefore, you need to specify all the secondary groups to which the user belongs.
5. Set the password for the kevin user account.
   # passwd kevin
   Changing password for user kevin.
   New UNIX password:
   Retype new UNIX password:
   passwd: all authentication tokens updated successfully.
6. Using the chage command, first check the expiry date of the kevin user account and then change it to December 31st 2022. What other command can you use to change the expiration date of a user account?
   # chage -l kevin | grep "Account expires"
   Account expires : never
   # chage -E 2022-12-31 kevin
   # chage -l kevin | grep "Account expires"
   Account expires : dec 31, 2022
   The usermod command with the -e option is equivalent to chage -E.
7. Add a new user account named emma with UID 1050 and set administrators as its primary group and developers and web-designers as its secondary groups.
   # useradd -u 1050 -g administrators -G developers,web-designers emma
   # id emma
   uid=1050(emma) gid=1028(administrators) groups=1028(administrators),1029(developers),1031(web-designers)
8. Change the login shell of emma to /bin/sh.
   # usermod -s /bin/sh emma
9. Delete the emma and kevin user accounts and the administrators, developers and web-designers groups.
   # userdel -r emma
   # userdel -r kevin
   # groupdel administrators
   # groupdel developers
   # groupdel web-designers