107.1 Lesson 2

Certificate:

LPIC-1

Version:

5.0

Topic:

107 Administrative Tasks

Objective:

107.1 Manage user and group accounts and related system files

Lesson:

2 of 2

Introduction

The command line tools discussed in the previous lesson, and the graphical applications that each distribution provides for the same tasks, update a series of files that store information about users and groups.

These files are located under the /etc/ directory and are:

/etc/passwd

A file of seven colon-delimited fields containing basic information about users.

/etc/group

A file of four colon-delimited fields containing basic information about groups.

/etc/shadow

A file of nine colon-delimited fields containing encrypted user passwords.

/etc/gshadow

A file of four colon-delimited fields containing encrypted group passwords.

Although these four files are in plain text, they should not be edited directly, but always through the tools provided by the distribution you are using.

/etc/passwd

This is a world-readable file that contains a list of users, each on a separate line. Each line consists of seven colon-delimited fields:

Username

The name used when the user logs into the system.

Password

The encrypted password (or an x if shadow passwords are used).

User ID (UID)

The ID number assigned to the user in the system.

Group ID (GID)

The primary group number of the user in the system.

GECOS

An optional comment field, which is used to add extra information about the user (such as the full name). The field can contain multiple comma-separated entries.

Home Directory

The absolute path of the user’s home directory.

Shell

The absolute path of the program that is automatically launched when the user logs into the system (usually an interactive shell such as /bin/bash).

/etc/group

This is a world-readable file that contains a list of groups, each on a separate line. Each line consists of four colon-delimited fields:

Group Name

The name of the group.

Group Password

The encrypted password of the group (or an x if shadow passwords are used).

Group ID (GID)

The ID number assigned to the group in the system.

Member List

A comma-delimited list of users belonging to the group, except those for whom this is the primary group.

/etc/shadow

This is a file readable only by root and by users with root privileges that contains encrypted user passwords, each on a separate line. Each line consists of nine colon-delimited fields:

Username

The name used when the user logs into the system.

Encrypted Password

The encrypted password of the user (if the value starts with !, the account is locked).

Date of Last Password Change

The date of the last password change, as the number of days since 01/01/1970 (a value of 0 means that the user must change the password at the next login).

Minimum Password Age

The minimum number of days that must pass after a password change before the user is allowed to change the password again.

Maximum Password Age

The maximum number of days a password may be used before a password change is required.

Password Warning Period

The number of days, before the password expires, during which the user is warned that the password must be changed.

Password Inactivity Period

The number of days after a password expires during which the user should update the password. After this period, if the user does not change the password, the account will be disabled.

Account Expiration Date

The date, expressed as the number of days since 01/01/1970, on which the user account will be disabled (an empty field means that the user account will never expire).

A reserved field

A field that is reserved for future use.

/etc/gshadow

This is a file readable only by root and by users with root privileges that contains encrypted group passwords, each on a separate line. Each line consists of four colon-delimited fields:

Group Name

The name of the group.

Encrypted Password

The encrypted password for the group (it is used when a user, who is not a member of the group, wants to join the group using the newgrp command — if the password starts with !, no one is allowed to access the group with newgrp).

Group Administrators

A comma-delimited list of the administrators of the group (they can change the password of the group and can add or remove group members with the gpasswd command).

Group Members

A comma-delimited list of the members of the group.
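As an added example (not part of the LPI lesson), the following Python code parses records in the /etc/passwd, /etc/shadow and /etc/gshadow formats described above and applies their field semantics (the x marker, the ! lock prefix, the password aging fields, group administrators versus members) to constructed sample records modelled on this lesson's exercise output. The hash values are placeholders and the NOLOGIN_SHELLS set is an assumption.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Constructed sample records modelled on the lesson's exercise output;
# the "$6$..." values are placeholders, not real password hashes.
PASSWD = """mail:x:8:8:mail:/var/spool/mail:/sbin/nologin
catherine:x:1030:1025:User Catherine:/home/catherine:/bin/bash
kevin:x:1040:1015:User Kevin:/home/kevin:/bin/bash
christian:x:1050:1060::/home/christian:/bin/bash"""
SHADOW = """mail:*:18015:0:99999:7:::
catherine:$6$placeholder$NOTAREALHASH:18015:20:90:5:::
kevin:$6$placeholder$NOTAREALHASH:18015:0:60:7:2::
christian:!:18015:0:99999:7:::"""
GSHADOW = """db-admin:!:emma:emma,grace
app-developer:!::catherine,dave,christian"""

def _days(field):
    return int(field) if field else None  # an empty aging field means "not set"

def parse_passwd(text):
    """Map username -> selected fields of the seven-field /etc/passwd record."""
    users = {}
    for line in text.splitlines():
        name, pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home,
                       "shell": shell, "shadowed": pw == "x"}
    return users

def parse_shadow(text):
    """Map username -> fields of the nine-field /etc/shadow record."""
    entries = {}
    for line in text.splitlines():
        name, pw, *aging, _reserved = line.split(":")  # nine fields in total
        keys = ("last", "min", "max", "warn", "inact", "expire")
        entries[name] = {"hash": pw, **dict(zip(keys, map(_days, aging)))}
    return entries

def parse_gshadow(text):
    """Map group -> admins and members of the four-field /etc/gshadow record."""
    groups = {}
    for line in text.splitlines():
        name, pw, admins, members = line.split(":")
        groups[name] = {"newgrp_allowed": not pw.startswith("!"),
                        "admins": admins.split(",") if admins else [],
                        "members": members.split(",") if members else []}
    return groups

def account_status(name, users, shadow, today):
    """Apply the lesson's field semantics to one account as of `today`."""
    u, s = users[name], shadow[name]
    expires = (EPOCH + timedelta(days=(s["last"] or 0) + s["max"])
               if s["max"] is not None else None)
    disabled_after = (expires + timedelta(days=s["inact"])
                      if expires and s["inact"] is not None else None)
    locked = s["hash"].startswith("!")
    return {"locked": locked, "must_change": s["last"] == 0,
            "login_allowed": not locked and u["shell"] not in NOLOGIN_SHELLS,
            "password_expired": expires is not None and today > expires,
            "disabled": disabled_after is not None and today > disabled_after}
```

Running `account_status("kevin", ...)` for a date inside and then past the two-day inactivity window shows the difference between an expired password and a disabled account.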

Filter the Password and Group Databases

Very often it may be necessary to review information on users and groups stored in these four files and search for specific records. To perform this task, you can use the grep command directly on the file, or alternatively pipe the output of cat into grep.

# grep emma /etc/passwd
emma:x:1020:1020:User Emma:/home/emma:/bin/bash
# cat /etc/group | grep db-admin
db-admin:x:1050:grace,frank

Another way to access these databases is to use the getent command. In general, this command displays entries from databases supported by the Name Service Switch (NSS) libraries and requires the name of the database and a lookup key. If no key argument is provided, all entries in the specified database are displayed (unless the database does not support enumeration). Otherwise, if one or more key arguments are provided, the database is filtered accordingly.

# getent passwd emma
emma:x:1020:1020:User Emma:/home/emma:/bin/bash
# getent group db-admin
db-admin:x:1050:grace,frank

The getent command does not require root authority; you just need to be able to read the database from which you want to retrieve records.

Note

Remember that getent can only access databases configured in the /etc/nsswitch.conf file.

Guided Exercises

  1. Observe the following output and answer the following questions:

    # cat /etc/passwd | grep '\(root\|mail\|catherine\|kevin\)'
    root:x:0:0:root:/root:/bin/bash
    mail:x:8:8:mail:/var/spool/mail:/sbin/nologin
    catherine:x:1030:1025:User Chaterine:/home/catherine:/bin/bash
    kevin:x:1040:1015:User Kevin:/home/kevin:/bin/bash
    # cat /etc/group | grep '\(root\|mail\|db-admin\|app-developer\)'
    root:x:0:
    mail:x:8:
    db-admin:x:1015:emma,grace
    app-developer:x:1016:catherine,dave,christian
    # cat /etc/shadow | grep '\(root\|mail\|catherine\|kevin\)'
    root:$6$1u36Ipok$ljt8ooPMLewAhkQPf.lYgGopAB.jClTO6ljsdczxvkLPkpi/amgp.zyfAN680zrLLp2avvpdKA0llpssdfcPppOp:18015:0:99999:7:::
    mail:*:18015:0:99999:7:::
    catherine:$6$ABCD25jlld14hpPthEFGnnssEWw1234yioMpliABCdef1f3478kAfhhAfgbAMjY1/BAeeAsl/FeEdddKd12345g6kPACcik:18015:20:90:5:::
    kevin:$6$DEFGabc123WrLp223fsvp0ddx3dbA7pPPc4LMaa123u6Lp02Lpvm123456pyphhh5ps012vbArL245.PR1345kkA3Gas12P:18015:0:60:7:2::
    # cat /etc/gshadow | grep '\(root\|mail\|db-admin\|app-developer\)'
    root:*::
    mail:*::
    db-admin:!:emma:emma,grace
    app-developer:!::catherine,dave,christian
    • What is the User ID (UID) and the Group ID (GID) of root and catherine?

    • What is the name of the primary group of kevin? Are there other members in this group?

    • Which shell is set for mail? What does it mean?

    • Who are the members of the app-developer group? Which of these members are group administrators and which are ordinary members?

    • What is the minimum password lifetime for catherine? And what is the maximum password lifetime?

    • What is the password inactivity period for kevin?

  2. By convention, which IDs are assigned to system accounts and which to ordinary users?

  3. How do you find out if a user account, which was previously able to access the system, is now locked? Assume your system uses shadow passwords.

Explorational Exercises

  1. Create a user account named christian using the useradd -m command and identify its User ID (UID), Group ID (GID) and shell.

  2. Identify the name of the primary group of christian. What can you deduce?

  3. Using the getent command, review password aging information for the christian user account.

  4. Add the editor group to the secondary groups of christian. Assume that this group already contains emma, dave and frank as ordinary members. How can you verify that there are no administrators for this group?

  5. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.

Summary

In this lesson you learned:

  • The location of files that store information about users and groups.

  • How to manage user and group information stored in the password and group databases.

  • How to retrieve information from the password and group databases.

The following files and commands were discussed in this lesson:

/etc/passwd

The file containing basic information about users.

/etc/group

The file containing basic information about groups.

/etc/shadow

The file containing encrypted user passwords.

/etc/gshadow

The file containing encrypted group passwords.

getent

Filter the password and group databases.

Answers to Guided Exercises

  1. Observe the following output and answer the following questions:

    # cat /etc/passwd | grep '\(root\|mail\|catherine\|kevin\)'
    root:x:0:0:root:/root:/bin/bash
    mail:x:8:8:mail:/var/spool/mail:/sbin/nologin
    catherine:x:1030:1025:User Chaterine:/home/catherine:/bin/bash
    kevin:x:1040:1015:User Kevin:/home/kevin:/bin/bash
    # cat /etc/group | grep '\(root\|mail\|db-admin\|app-developer\)'
    root:x:0:
    mail:x:8:
    db-admin:x:1015:emma,grace
    app-developer:x:1016:catherine,dave,christian
    # cat /etc/shadow | grep '\(root\|mail\|catherine\|kevin\)'
    root:$6$1u36Ipok$ljt8ooPMLewAhkQPf.lYgGopAB.jClTO6ljsdczxvkLPkpi/amgp.zyfAN680zrLLp2avvpdKA0llpssdfcPppOp:18015:0:99999:7:::
    mail:*:18015:0:99999:7:::
    catherine:$6$ABCD25jlld14hpPthEFGnnssEWw1234yioMpliABCdef1f3478kAfhhAfgbAMjY1/BAeeAsl/FeEdddKd12345g6kPACcik:18015:20:90:5:::
    kevin:$6$DEFGabc123WrLp223fsvp0ddx3dbA7pPPc4LMaa123u6Lp02Lpvm123456pyphhh5ps012vbArL245.PR1345kkA3Gas12P:18015:0:60:7:2::
    # cat /etc/gshadow | grep '\(root\|mail\|db-admin\|app-developer\)'
    root:*::
    mail:*::
    db-admin:!:emma:emma,grace
    app-developer:!::catherine,dave,christian
    • What is the User ID (UID) and the Group ID (GID) of root and catherine?

      The UID and GID of root are 0 and 0, while the UID and GID of catherine are 1030 and 1025.

    • What is the name of the primary group of kevin? Are there other members in this group?

      The group name is db-admin. Also emma and grace are in this group.

    • Which shell is set for mail? What does it mean?

      mail is a system user account and its shell is /sbin/nologin. In fact, system user accounts such as mail, ftp, news and daemon are used to perform administrative tasks and therefore normal login should be prevented for these accounts. This is why the shell is usually set to /sbin/nologin or /bin/false.

    • Who are the members of the app-developer group? Which of these members are group administrators and which are ordinary members?

      The members are catherine, dave and christian and they are all ordinary members.

    • What is the minimum password lifetime for catherine? And what is the maximum password lifetime?

      The minimum password lifetime is 20 days, while the maximum password lifetime is 90 days.

    • What is the password inactivity period for kevin?

      The password inactivity period is 2 days. During this period kevin should update the password, otherwise the account will be disabled.

  2. By convention, which IDs are assigned to system accounts and which to ordinary users?

    System accounts usually have UIDs less than 100 or between 500 and 1000, while ordinary users have UIDs starting at 1000 although some legacy systems may start numbering at 500. The root user has UID 0. Remember that the UID_MIN and UID_MAX values in /etc/login.defs define the range of UIDs used for the creation of ordinary users. From the standpoint of LPI Linux Essentials and LPIC-1, system accounts have UIDs less than 1000 and ordinary users have UIDs greater than 1000.

  3. How do you find out if a user account, which was previously able to access the system, is now locked? Assume your system uses shadow passwords.

    When shadow passwords are used, the second field in /etc/passwd contains the x character for each user account, because the encrypted user passwords are stored in /etc/shadow. In particular, the encrypted password of a user account is stored in the second field of this file and, if it starts with an exclamation mark, the account is locked.

Answers to Explorational Exercises

  1. Create a user account named christian using the useradd -m command and identify its User ID (UID), Group ID (GID) and shell.

    # useradd -m christian
    # cat /etc/passwd | grep christian
    christian:x:1050:1060::/home/christian:/bin/bash

    The UID and GID of christian are 1050 and 1060 respectively (the third and fourth fields in /etc/passwd). /bin/bash is the shell set for this user account (the seventh field in /etc/passwd).

  2. Identify the name of the primary group of christian. What can you deduce?

    # cat /etc/group | grep 1060
    christian:x:1060:

    The name of the primary group of christian is christian (the first field in /etc/group). Therefore, USERGROUPS_ENAB in /etc/login.defs is set to yes, so that useradd creates by default a group with the same name as the user account.

  3. Using the getent command, review password aging information for the christian user account.

    # getent shadow christian
    christian:!:18015:0:99999:7:::

    The christian user account does not have a password set and is now locked (the second field in /etc/shadow contains an exclamation mark). There is no minimum and maximum password age for this user account (the fourth and fifth fields in /etc/shadow are set to 0 and 99999 days), while the password warning period is set to 7 days (the sixth field in /etc/shadow). Finally, there is no inactivity period (the seventh field in /etc/shadow) and the account never expires (the eighth field in /etc/shadow).

  4. Add the editor group to the secondary groups of christian. Assume that this group already contains emma, dave and frank as ordinary members. How can you verify that there are no administrators for this group?

    # cat /etc/group | grep editor
    editor:x:1100:emma,dave,frank
    # usermod -a -G editor christian
    # cat /etc/group | grep editor
    editor:x:1100:emma,dave,frank,christian
    # cat /etc/gshadow | grep editor
    editor:!::emma,dave,frank,christian

    The third and fourth fields in /etc/gshadow contain the administrators and the ordinary members of the specified group. Therefore, since the third field is empty for editor, there are no administrators for this group (emma, dave, frank and christian are all ordinary members).

  5. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.

    # ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
    -rw-r--r-- 1 root root    853 mag  1 08:00 /etc/group
    -rw-r----- 1 root shadow 1203 mag  1 08:00 /etc/gshadow
    -rw-r--r-- 1 root root   1354 mag  1 08:00 /etc/passwd
    -rw-r----- 1 root shadow 1563 mag  1 08:00 /etc/shadow

    The /etc/passwd and /etc/group files are world readable and are shadowed for security reasons. When shadow passwords are used, you can see an x in the second field of these files, because the encrypted passwords for users and groups are stored in /etc/shadow and /etc/gshadow, which are readable only by root and, on my system, also by members of the shadow group.

Linux Professional Institute Inc. All rights reserved. Visit the Learning Materials website: https://learning.lpi.org
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

© 1999–2023 The Linux Professional Institute Inc. All rights reserved.