User and Group Management
Users on Linux
To get information about a user account, use the `id` command.
$ id
uid=1000(toor) gid=100(users) groups=100(users)
root
On all Linux systems, by default there is the user root, also known as the super-user. root is used for managing Linux… Generally speaking, all tasks that involve direct access to devices need root permissions.
Making a habit of logging in as root is an unnecessary security risk; try using one of the following alternative methods instead.
Run Tasks With Elevated Permissions
Command | Use
---|---
`su` | Opens a subshell as a different user, with the advantage that only in the subshell are commands executed as root; environment variables are NOT set.
`su -` | Opens a subshell as a different user, with the advantage that only in the subshell are commands executed as root; environment variables ARE set.
`sudo` | Allows you to set up an environment where specific tasks are executed with administrative privileges.
PolicyKit | Allows you to set up graphical utilities to run with administrative privileges.
*** Using `su -` is better than using `su`. When `-` is used, a login shell is started; without the `-`, some variables may not be set correctly.
sudo
Instead of using the root user account, unprivileged users can be configured to use administrator permissions for specific tasks by using sudo. This is more secure because you will only be able to act as if you have administrator permissions while running this specific command.
- Add the USER account to the wheel group: `usermod -aG wheel USER`
- Use `visudo` to verify that `%wheel ALL=(ALL) ALL` is included. The same file carries a commented-out passwordless variant:
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
A few useful user commands:
- whoami - print effective user ID
- id - print real and effective user and group IDs
Managing Accounts
/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
Fields of /etc/passwd:
- USERNAME: Unique name for the user. User names are important to match a user to their password, which is stored separately in `/etc/shadow`. On Linux, there can be no spaces in the username.
- Password: In the old days, the second field of `/etc/passwd` was used to store the hashed password of the user. `/etc/passwd` is readable by all users, so this posed a security risk. Current Linux systems store the hashed password in `/etc/shadow` and put an `x` in this field.
- UID: Each user has a unique user ID (UID). It is the UID that really determines what a user can do. UID 0 is reserved for root. The lower UIDs (typically up to 999) are used for system accounts, and the higher UIDs (from 1,000 on by default) are reserved for people that need to connect directly to the server. The range of UIDs that are used to create regular user accounts is set in `/etc/login.defs`.
- GID: Each user is a member of at least one group, referred to as the primary group. The primary group plays a central role in permissions management.
- Comment Field: Self explanatory.
- Directory: The home directory, the initial directory where the user is placed after logging in, used for storing personal files, programs, etc.
- Shell: The program that is started after the user has successfully connected to the server; for most users it will be `/bin/bash`. For system accounts it will typically be `/sbin/nologin`. The `/sbin/nologin` command is a specific command that denies access.
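The field rules above are easy to check mechanically. The script below is an added example (not part of the original notes): it audits a file in /etc/passwd format for a second UID 0 account, a hash left in the world-readable password field, and a system account with a login shell. The input is a constructed sample written to a temporary file; pass the real /etc/passwd as the argument to audit a live system.

```shell
#!/bin/sh
# Added example: audit a passwd-format file against the field rules described
# in the notes. The sample below is constructed; point audit_passwd at
# /etc/passwd for a real check. Assumes awk and mktemp are available.

PASSWD_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
toor:x:1000:100:Regular user:/home/toor:/bin/bash
backdoor:x:0:0:second uid 0:/root:/bin/bash
legacy:sha1hash:1001:100:hash in passwd:/home/legacy:/bin/bash
EOF

# audit_passwd FILE [UID_MIN]
# Prints one finding per line as "<rule> <username>". Rules:
#   badformat - line does not have the seven colon-separated fields
#   uid0      - UID 0 (root privileges) on an account other than root
#   pwfield   - password field holds something other than x / * / !
#   sysshell  - system account (UID below UID_MIN) with a login shell
audit_passwd() {
    file=$1
    uid_min=${2:-1000}   # same default as UID_MIN in /etc/login.defs
    awk -F: -v min="$uid_min" '
        NF != 7                       { print "badformat " $0; next }
        $3 == 0 && $1 != "root"       { print "uid0 " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" { print "pwfield " $1 }
        $3 != 0 && $3 < min && $7 !~ /nologin|false$/ { print "sysshell " $1 }
    ' "$file"
}

# Number of findings; handy as a non-zero exit status in a scheduled check.
count_findings() {
    audit_passwd "$1" "${2:-1000}" | wc -l | tr -d ' '
}

audit_passwd "$PASSWD_SAMPLE"
```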
Fields of /etc/shadow:
- Login Name: Notice `/etc/shadow` does not contain any UIDs, but user names only.
- Encrypted Password: Self explanatory.
- Days since January 1, 1970, that the password was last changed: January 1, 1970 is also known as the epoch, considered the beginning of days on Linux.
- Days before a password may be changed: Allows for a stricter password policy, where it's not possible to change back to the original password immediately.
- Days after which a password must be changed: Contains the maximum validity period of passwords. Notice the default is 99,999.
- Days before password is to expire that user is warned: Used to warn a user when a forced password change is upcoming; the default is 7.
- Days after password expires that account is disabled: Used to enforce a password change. After password expiry, users can't log in.
- Days since January 1, 1970, that account is disabled: Set this field to disable an account.
- Reserved field: Self explanatory.
*** Most of the password properties can be managed with `passwd` or `chage`.
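To see how the day-count fields combine, here is an added example (not from the original notes) that derives the password state `chage -l` reports from a single /etc/shadow line. The shadow entries are constructed, the hashes are placeholders, and "today" is passed in as a day count since 1970-01-01 so the results are reproducible; `days_since_epoch` supplies the real value for a live check.

```shell
#!/bin/sh
# Added example: compute the password state implied by the /etc/shadow fields
# (last change, min, max, warn, inactive, account expiry). Assumes awk.

# What the third field stores for "today": days since 1970-01-01.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_status SHADOW_LINE TODAY_DAYS
# Prints one of: locked, account-expired, no-expiry, disabled, expired, warn, ok
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        pw = $2; last = $3; min = $4; max = $5; warn = $6
        inact = $7; expire = $8
        # A password field starting with ! or * never matches any password.
        if (pw ~ /^[!*]/)                    { print "locked"; exit }
        if (expire != "" && today >= expire) { print "account-expired"; exit }
        if (max == "" || max >= 99999)       { print "no-expiry"; exit }
        due = last + max                     # day the password must be changed
        if (inact != "" && today > due + inact) { print "disabled"; exit }
        if (today > due)                     { print "expired"; exit }
        if (warn != "" && today >= due - warn) { print "warn"; exit }
        print "ok"
    }'
}

# Constructed entries; $6$placeholder stands in for a real SHA-512 hash.
# Day 19000 is 2022-01-08; the checks below use day 19100 as "today".
S_OK='alice:$6$placeholder:19000:0:99999:7:::'
S_WARN='bob:$6$placeholder:19000:1:105:7:::'
S_EXPIRED='carol:$6$placeholder:19000:1:90:7:::'
S_DISABLED='dave:$6$placeholder:19000:1:60:7:30::'
S_LOCKED='svc:!!:19000:0:99999:7:::'
S_ACCT='temp:$6$placeholder:19000:0:99999:7::19050:'

shadow_status "$S_WARN" 19100
```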
Creating Users
You can edit the `/etc/passwd` and `/etc/shadow` files directly or use `useradd`. To remove users, you can use `userdel`. Use `userdel -r` to remove a user, including the complete user environment.
Modifying Configuration Files
To add an account, it suffices to add one line to `/etc/passwd` and another line to `/etc/shadow`, in which the user account and all of its properties are defined. It's not recommended, though. By making an error, you might break the consistency of the files and make logging in completely impossible for anyone.
useradd
The `useradd` utility is probably the most common tool on Linux for managing users.
useradd - create a new user or update default new user information
-m, --create-home
    Create the user's home directory if it does not exist
-M, --no-create-home
    Do not create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.
-g, --gid GROUP
    The group name or number of the user's initial login group
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
    A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace
-u, --uid UID
    The numerical value of the user's ID
userdel - delete a user account and related files
-r, --remove
    Files in the user's home directory will be removed along with the home directory itself and the user's mail spool.
usermod
The ultimate command-line utility for modifying user properties is `usermod`. It can be used to set all properties of users as stored in `/etc/passwd` and `/etc/shadow`, plus some additional tasks, such as managing group membership.
User Management Default Configuration Files
The defaults live in `/etc/login.defs` and `/etc/default/useradd`.
`/etc/default/useradd` contains some default values that are applied when using useradd.
In `/etc/login.defs`, login-related variables are set. A list of the most significant properties that can be set:
- MOTD_FILE: Message of the Day file.
- ENV_PATH: Defines the $PATH variable, a list of directories that should be searched for executable files after logging in.
- PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE: Define the default password expiration properties when creating new users.
- UID_MIN: The first UID to use when creating new users.
- CREATE_HOME: Indicates whether or not to create a home directory for new users.
- USERGROUPS_ENAB: Set to yes to create a private group for all new users. That means a new user has a group with the same name as the user as its default group. If set to no, all users are made a member of the group users.
- passwd - update user's authentication tokens
- chage - change user password expiry information
Managing Password Properties
Password properties are set in `/etc/shadow`. You can use `chage` and `passwd` to change these properties. To see the current password settings, use `chage -l USERNAME`.
Creating a User Environment
When a user logs in, an environment is created. To construct the user environment, a few files play a role:
- `/etc/profile`: Used for default settings for all users when starting a login shell
- `/etc/bashrc`: Used to define defaults for all users when starting a subshell
- `~/.bash_profile`: Specific settings for one user applied when starting a login shell
- `~/.bashrc`: Specific settings for one user applied when starting a subshell
When logging in, the files are read in this order, and variables and other settings that are defined in these files are applied. If a variable or setting occurs in more than one file, the last one wins.
Linux Groups
Every Linux user has to be a member of at least one group, the primary group. When creating files, the primary group becomes the group owner of these files. The user can access all files their primary group has access to. The user's primary group membership is defined in `/etc/passwd`; the group itself is stored in the `/etc/group` configuration file.
Users can also be members of secondary groups. Secondary groups are important for getting access to files: if a group the user is a member of has access to specific files, the user will get access.
Fields of /etc/group:
- Group Name: Self explanatory
- Group Password: A group password can be used by users that want to join the group on a temporary basis, so that access to files the group has access to is allowed.
- Group ID: A unique numeric group identification number.
- Members: Names of users that are a member of this group as a secondary group.
*** Note: It doesn't show users that are a member of this group as their primary group.
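Because of that gap, listing a group's real membership means joining /etc/group with the GID field of /etc/passwd. The script below is an added example (not from the original notes) that does exactly that; it uses constructed passwd and group samples in temporary files, and accepts the real /etc/passwd and /etc/group as arguments instead.

```shell
#!/bin/sh
# Added example: list every member of a group, including users whose primary
# GID in /etc/passwd points at it (which /etc/group's member field omits).
# Samples are constructed; assumes awk, sort and paste are available.

PASSWD_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:1000:100:toor:/home/toor:/bin/bash
alice:x:1001:1001:alice:/home/alice:/bin/bash
bob:x:1002:1002:bob:/home/bob:/bin/bash
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:bob
alice:x:1001:
bob:x:1002:
EOF

# group_members GROUP PASSWD_FILE GROUP_FILE
# Prints every member of GROUP, one per line, sorted and deduplicated.
group_members() {
    awk -F: -v g="$1" '
        FNR == 1 { file++ }
        # pass 1 (group file): remember the GID, emit explicit secondary members
        file == 1 && $1 == g {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        # pass 2 (passwd file): users whose primary group is that GID
        file == 2 && gid != "" && $4 == gid { print $1 }
    ' "$3" "$2" | sort -u
}

# Comma-joined form, convenient for comparing against the /etc/group line.
group_members_csv() {
    group_members "$@" | paste -sd, -
}

group_members users "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

With the sample data, `users` lists toor as well as bob, although the /etc/group line names only bob.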
groupadd
To create a new group use `groupadd`. Just use `groupadd` followed by the name of the group you want to add. Use `groupadd -g` to specify the Group ID when creating the group.
groupmod
Use `groupmod` to manage group properties. You can use `groupmod` to change the name or Group ID of the group, but it doesn't allow you to add group members. To add users to a group use `usermod`. `usermod -aG` will add users to new groups that will be used as their secondary groups.