107.1 Lesson 2
| Certificate: | LPIC-1 |
|---|---|
| Version: | 5.0 |
| Topic: | 107 Administrative Tasks |
| Objective: | 107.1 Manage user and group accounts and related system files |
| Lesson: | 2 of 2 |
Introduction
The command line tools discussed in the previous lesson, and the graphical applications provided by each distribution that perform the same tasks, update a series of files that store information about users and groups.
These files are located under the `/etc/` directory and are:
`/etc/passwd` - A file of seven colon-delimited fields containing basic information about users.
`/etc/group` - A file of four colon-delimited fields containing basic information about groups.
`/etc/shadow` - A file of nine colon-delimited fields containing encrypted user passwords.
`/etc/gshadow` - A file of four colon-delimited fields containing encrypted group passwords.
Although these four files are in plain text, they should not be edited directly, but always through the tools provided by the distribution you are using.
/etc/passwd
This is a world-readable file that contains a list of users, each on a separate line. Each line consists of seven colon-delimited fields:
- Username - The name used when the user logs into the system.
- Password - The encrypted password (or an `x` if shadow passwords are used).
- User ID (UID) - The ID number assigned to the user in the system.
- Group ID (GID) - The primary group number of the user in the system.
- GECOS - An optional comment field, which is used to add extra information about the user (such as the full name). The field can contain multiple comma-separated entries.
- Home Directory - The absolute path of the user's home directory.
- Shell - The absolute path of the program that is automatically launched when the user logs into the system (usually an interactive shell such as `/bin/bash`).
/etc/group
This is a world-readable file that contains a list of groups, each on a separate line. Each line consists of four colon-delimited fields:
- Group Name - The name of the group.
- Group Password - The encrypted password of the group (or an `x` if shadow passwords are used).
- Group ID (GID) - The ID number assigned to the group in the system.
- Member List - A comma-delimited list of users belonging to the group, except those for whom this is the primary group.
/etc/shadow
This is a file readable only by root and by users with root privileges that contains encrypted user passwords, each on a separate line. Each line consists of nine colon-delimited fields:
- Username - The name used when the user logs into the system.
- Encrypted Password - The encrypted password of the user (if the value starts with `!`, the account is locked).
- Date of Last Password Change - The date of the last password change, as the number of days since 01/01/1970 (a value of 0 means that the user must change the password at the next login).
- Minimum Password Age - The minimum number of days, after a password change, which must pass before the user will be allowed to change the password again.
- Maximum Password Age - The maximum number of days that may pass before a password change is required.
- Password Warning Period - The number of days, before the password expires, during which the user is warned that the password must be changed.
- Password Inactivity Period - The number of days after a password expires during which the user should update the password. After this period, if the user does not change the password, the account will be disabled.
- Account Expiration Date - The date, expressed as the number of days since 01/01/1970, on which the user account will be disabled (an empty field means that the user account will never expire).
- A reserved field - A field that is reserved for future use.
/etc/gshadow
This is a file readable only by root and by users with root privileges that contains encrypted group passwords, each on a separate line. Each line consists of four colon-delimited fields:
- Group Name - The name of the group.
- Encrypted Password - The encrypted password for the group (it is used when a user who is not a member of the group wants to join the group using the `newgrp` command; if the password starts with `!`, no one is allowed to access the group with `newgrp`).
- Group Administrators - A comma-delimited list of the administrators of the group (they can change the password of the group and can add or remove group members with the `gpasswd` command).
- Group Members - A comma-delimited list of the members of the group.
Filter the Password and Group Databases
Very often it may be necessary to review information on users and groups stored in these four files and search for specific records. To perform this task, you can use the `grep` command or alternatively concatenate `cat` and `grep`.
```
# grep emma /etc/passwd
emma:x:1020:1020:User Emma:/home/emma:/bin/bash
# cat /etc/group | grep db-admin
db-admin:x:1050:grace,frank
```
Another way to access these databases is to use the `getent` command. In general, this command displays entries from databases supported by the Name Service Switch (NSS) libraries and requires the name of the database and a lookup key. If no key argument is provided, all entries in the specified database are displayed (unless the database does not support enumeration). Otherwise, if one or more key arguments are provided, the database is filtered accordingly.
```
# getent passwd emma
emma:x:1020:1020:User Emma:/home/emma:/bin/bash
# getent group db-admin
db-admin:x:1050:grace,frank
```
The `getent` command does not require root authority; you just need to be able to read the database from which you want to retrieve records.
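The field layouts described above for `/etc/shadow` and `/etc/gshadow` can be checked programmatically instead of by eye. The following is an added example, not part of the LPI lesson material: it parses records in those two formats and reports the lock state, password expiry date and administrator/member split that the lesson's filtering commands show. The sample records are constructed from the lesson's example output (the hashes are placeholders).

```python
# Added example (not part of the LPI material): parse shadow and gshadow
# records and report lock state and password aging. Sample data is constructed.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow dates count days since 01/01/1970

SHADOW = """root:$6$salt$fakehash:18015:0:99999:7:::
mail:*:18015:0:99999:7:::
kevin:$6$salt$fakehash:18015:0:60:7:2::
christian:!:18015:0:99999:7:::"""
GSHADOW = """db-admin:!:emma:emma,grace
app-developer:!::catherine,dave,christian"""

def parse_shadow(line):
    """Split one 9-field /etc/shadow record; empty numeric fields become None."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    num = lambda s: int(s) if s else None
    return {"user": f[0], "hash": f[1], "last_change": num(f[2]), "min_age": num(f[3]),
            "max_age": num(f[4]), "warn": num(f[5]), "inactive": num(f[6]), "expire": num(f[7])}

def shadow_records(text):
    """Map username -> parsed record for every line of a shadow file."""
    return {r["user"]: r for r in map(parse_shadow, text.splitlines())}

def password_state(rec):
    """'locked' for a leading '!', 'no-password' for '*' or empty, else 'active'."""
    h = rec["hash"]
    if h.startswith("!"):
        return "locked"
    return "no-password" if h in ("", "*") else "active"

def must_change_by(rec):
    """ISO date the password expires (last change + max age); None if unlimited."""
    if rec["last_change"] is None or rec["max_age"] in (None, 99999):
        return None
    return (EPOCH + timedelta(days=rec["last_change"] + rec["max_age"])).isoformat()

def disabled_after(rec):
    """ISO date the account is disabled if an expired password is never changed."""
    exp = must_change_by(rec)
    if exp is None or rec["inactive"] is None:
        return None
    return (date.fromisoformat(exp) + timedelta(days=rec["inactive"])).isoformat()

def group_admins_and_members(line):
    """Return (group, admins, members) from a 4-field /etc/gshadow record."""
    name, _pw, admins, members = line.split(":")
    return name, admins.split(",") if admins else [], members.split(",") if members else []
```

Running `shadow_records(SHADOW)` and passing each record to the three reporting functions reproduces the lesson's answers: `christian` is locked, `mail` has no usable password, and `kevin` must change the password 60 days after day 18015 and is disabled 2 days after that.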
Note: Remember that
Guided Exercises
- Observe the following output and answer the following questions:
```
# cat /etc/passwd | grep '\(root\|mail\|catherine\|kevin\)'
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/spool/mail:/sbin/nologin
catherine:x:1030:1025:User Chaterine:/home/catherine:/bin/bash
kevin:x:1040:1015:User Kevin:/home/kevin:/bin/bash
# cat /etc/group | grep '\(root\|mail\|db-admin\|app-developer\)'
root:x:0:
mail:x:8:
db-admin:x:1015:emma,grace
app-developer:x:1016:catherine,dave,christian
# cat /etc/shadow | grep '\(root\|mail\|catherine\|kevin\)'
root:$6$1u36Ipok$ljt8ooPMLewAhkQPf.lYgGopAB.jClTO6ljsdczxvkLPkpi/amgp.zyfAN680zrLLp2avvpdKA0llpssdfcPppOp:18015:0:99999:7:::
mail:*:18015:0:99999:7:::
catherine:$6$ABCD25jlld14hpPthEFGnnssEWw1234yioMpliABCdef1f3478kAfhhAfgbAMjY1/BAeeAsl/FeEdddKd12345g6kPACcik:18015:20:90:5:::
kevin:$6$DEFGabc123WrLp223fsvp0ddx3dbA7pPPc4LMaa123u6Lp02Lpvm123456pyphhh5ps012vbArL245.PR1345kkA3Gas12P:18015:0:60:7:2::
# cat /etc/gshadow | grep '\(root\|mail\|db-admin\|app-developer\)'
root:*::
mail:*::
db-admin:!:emma:emma,grace
app-developer:!::catherine,dave,christian
```
  - What is the User ID (UID) and the Group ID (GID) of `root` and `catherine`?
  - What is the name of the primary group of `kevin`? Are there other members in this group?
  - Which shell is set for `mail`? What does it mean?
  - Who are the members of the `app-developer` group? Which of these members are group administrators and which are ordinary members?
  - What is the minimum password lifetime for `catherine`? And what is the maximum password lifetime?
  - What is the password inactivity period for `kevin`?
- By convention, which IDs are assigned to system accounts and which to ordinary users?
- How do you find out if a user account, which was previously able to access the system, is now locked? Assume your system uses shadow passwords.
Explorational Exercises
- Create a user account named `christian` using the `useradd -m` command and identify its User ID (UID), Group ID (GID) and shell.
- Identify the name of the primary group of `christian`. What can you deduce?
- Using the `getent` command, review password aging information for the `christian` user account.
- Add the `editor` group to the secondary groups of `christian`. Assume that this group already contains `emma`, `dave` and `frank` as ordinary members. How can you verify that there are no administrators for this group?
- Run the `ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow` command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.
Summary
In this lesson you learned:
- The location of the files that store information about users and groups.
- How to manage user and group information stored in the password and group databases.
- How to retrieve information from the password and group databases.
The following files and commands were discussed in this lesson:
`/etc/passwd` - The file containing basic information about users.
`/etc/group` - The file containing basic information about groups.
`/etc/shadow` - The file containing encrypted user passwords.
`/etc/gshadow` - The file containing encrypted group passwords.
`getent` - Filter the password and group databases.
Answers to Guided Exercises
- Observe the following output and answer the following questions:
```
# cat /etc/passwd | grep '\(root\|mail\|catherine\|kevin\)'
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/spool/mail:/sbin/nologin
catherine:x:1030:1025:User Chaterine:/home/catherine:/bin/bash
kevin:x:1040:1015:User Kevin:/home/kevin:/bin/bash
# cat /etc/group | grep '\(root\|mail\|db-admin\|app-developer\)'
root:x:0:
mail:x:8:
db-admin:x:1015:emma,grace
app-developer:x:1016:catherine,dave,christian
# cat /etc/shadow | grep '\(root\|mail\|catherine\|kevin\)'
root:$6$1u36Ipok$ljt8ooPMLewAhkQPf.lYgGopAB.jClTO6ljsdczxvkLPkpi/amgp.zyfAN680zrLLp2avvpdKA0llpssdfcPppOp:18015:0:99999:7:::
mail:*:18015:0:99999:7:::
catherine:$6$ABCD25jlld14hpPthEFGnnssEWw1234yioMpliABCdef1f3478kAfhhAfgbAMjY1/BAeeAsl/FeEdddKd12345g6kPACcik:18015:20:90:5:::
kevin:$6$DEFGabc123WrLp223fsvp0ddx3dbA7pPPc4LMaa123u6Lp02Lpvm123456pyphhh5ps012vbArL245.PR1345kkA3Gas12P:18015:0:60:7:2::
# cat /etc/gshadow | grep '\(root\|mail\|db-admin\|app-developer\)'
root:*::
mail:*::
db-admin:!:emma:emma,grace
app-developer:!::catherine,dave,christian
```
  - What is the User ID (UID) and the Group ID (GID) of `root` and `catherine`? The UID and GID of `root` are 0 and 0, while the UID and GID of `catherine` are 1030 and 1025.
  - What is the name of the primary group of `kevin`? Are there other members in this group? The group name is `db-admin`. `emma` and `grace` are also in this group.
  - Which shell is set for `mail`? What does it mean? `mail` is a system user account and its shell is `/sbin/nologin`. In fact, system user accounts such as `mail`, `ftp`, `news` and `daemon` are used to perform administrative tasks and therefore normal login should be prevented for these accounts. This is why the shell is usually set to `/sbin/nologin` or `/bin/false`.
  - Who are the members of the `app-developer` group? Which of these are group administrators and which are ordinary members? The members are `catherine`, `dave` and `christian`, and they are all ordinary members.
  - What is the minimum password lifetime for `catherine`? And what is the maximum password lifetime? The minimum password lifetime is 20 days, while the maximum password lifetime is 90 days.
  - What is the password inactivity period for `kevin`? The password inactivity period is 2 days. During this period `kevin` should update the password, otherwise the account will be disabled.
- By convention, which IDs are assigned to system accounts and which to ordinary users?
  System accounts usually have UIDs less than 100 or between 500 and 1000, while ordinary users have UIDs starting at 1000, although some legacy systems may start numbering at 500. The `root` user has UID 0. Remember that the `UID_MIN` and `UID_MAX` values in `/etc/login.defs` define the range of UIDs used for the creation of ordinary users. From the standpoint of LPI Linux Essentials and LPIC-1, system accounts have UIDs less than 1000 and ordinary users have UIDs greater than 1000.
- How do you find out if a user account, which was previously able to access the system, is now locked? Assume your system uses shadow passwords.
  When shadow passwords are used, the second field in `/etc/passwd` contains the `x` character for each user account, because the encrypted user passwords are stored in `/etc/shadow`. In particular, the encrypted password of a user account is stored in the second field of this file and, if it starts with an exclamation mark, the account is locked.
Answers to Explorational Exercises
- Create a user account named `christian` using the `useradd -m` command and identify its User ID (UID), Group ID (GID) and shell.
```
# useradd -m christian
# cat /etc/passwd | grep christian
christian:x:1050:1060::/home/christian:/bin/bash
```
  The UID and GID of `christian` are 1050 and 1060 respectively (the third and fourth fields in `/etc/passwd`). `/bin/bash` is the shell set for this user account (the seventh field in `/etc/passwd`).
- Identify the name of the primary group of `christian`. What can you deduce?
```
# cat /etc/group | grep 1060
christian:x:1060:
```
  The name of the primary group of `christian` is `christian` (the first field in `/etc/group`). Therefore, `USERGROUPS_ENAB` in `/etc/login.defs` is set to yes, so that `useradd` by default creates a group with the same name as the user account.
- Using the `getent` command, review password aging information for the `christian` user account.
```
# getent shadow christian
christian:!:18015:0:99999:7:::
```
  The `christian` user account does not have a password set and is currently locked (the second field in `/etc/shadow` contains an exclamation mark). There is no minimum and maximum password age for this user account (the fourth and fifth fields in `/etc/shadow` are set to 0 and 99999 days), while the password warning period is set to 7 days (the sixth field in `/etc/shadow`). Finally, there is no inactivity period (the seventh field in `/etc/shadow`) and the account never expires (the eighth field in `/etc/shadow`).
- Add the `editor` group to the secondary groups of `christian`. Assume that this group already contains `emma`, `dave` and `frank` as ordinary members. How can you verify that there are no administrators for this group?
```
# cat /etc/group | grep editor
editor:x:1100:emma,dave,frank
# usermod -a -G editor christian
# cat /etc/group | grep editor
editor:x:1100:emma,dave,frank,christian
# cat /etc/gshadow | grep editor
editor:!::emma,dave,frank,christian
```
  The third and fourth fields in `/etc/gshadow` contain the administrators and the ordinary members of the specified group. Therefore, since the third field is empty for `editor`, there are no administrators for this group (`emma`, `dave`, `frank` and `christian` are all ordinary members).
- Run the `ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow` command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.
```
# ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
-rw-r--r-- 1 root root 853 mag 1 08:00 /etc/group
-rw-r----- 1 root shadow 1203 mag 1 08:00 /etc/gshadow
-rw-r--r-- 1 root root 1354 mag 1 08:00 /etc/passwd
-rw-r----- 1 root shadow 1563 mag 1 08:00 /etc/shadow
```
  The `/etc/passwd` and `/etc/group` files are world readable and are shadowed for security reasons. When shadow passwords are used, you can see an `x` in the second field of these files, because the encrypted passwords for users and groups are stored in `/etc/shadow` and `/etc/gshadow`, which are readable only by root and, on my system, also by members of the `shadow` group.