
Managing User and Group Accounts

Objectives:
- Add, modify and remove users and groups
- Suspend and change user accounts
- Manage user and group information in the password database and group database
- Use the correct tools to manage shadow password databases and group databases
- Create and manage limited and special-purpose accounts

Concepts
Linux is a multi-user system where each user belongs to one primary group and possibly to additional groups. Ownership of files in Linux is closely tied to user ids and group ids. As you have seen, you can log in as one user and become another user with the su (switch user) command; you can use the whoami command to check your current effective id and the groups command to find out which groups you belong to.

Add and Remove Users and Groups

You add a user to a Linux system using the useradd command, and you delete a user using the userdel command. Similarly, you add or delete groups using the groupadd and groupdel commands.

Adding user gel
To accomplish this task, we use the groupadd and useradd commands to create the group and the user, then use the passwd command to set the password for the newly created user. All of these commands require root privileges.

    [emac@ubuntu ~]# groupadd scholarship
    [emac@ubuntu ~]# useradd -c "Gel V" -g scholarship -m gel
    [emac@ubuntu ~]# passwd gel
    Changing password for user gel.
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.

Displaying User ID Information

    [emac@ubuntu ~]# id gel
    uid=503(gel) gid=503(gel) groups=503(gel)

In the example shown above, the user id and group id have values greater than 500. Such values normally signify ordinary users, while values below 500 are reserved for system users. The actual cutoff points are set in /etc/login.defs as UID_MIN and GID_MIN.

In the example, the groupadd command has a single parameter, gel, the name of the group to be added. Group names must begin with a lower case letter or an underscore, and usually contain only these along with hyphens or underscores.

Options for groupadd

    Option  Purpose
    -f      Exit with success status if the group already exists. This is handy for scripting when you do not want to check whether a group exists before attempting to create it.
    -g      Specifies the group id manually. The default is to use the smallest value that is at least GID_MIN and also greater than the id of any existing group.
    -o      Permits a group to have a non-unique id.
    -K      Can be used to override defaults from /etc/login.defs.

Options for useradd

    Option              Purpose
    -b, --base-dir      The default base directory in which user home directories are created. This is usually /home, and the user's home directory is /home/$USER.
    -c, --comment       A text string describing the id, such as the user's full name.
    -d, --home          Provides a specific directory name for the home directory.
    -e, --expiredate    The date on which the account will expire or be disabled, in the form YYYY-MM-DD.
    -g, --gid           The name or number of the initial login group for the user. The group must exist, which is why group scholarship was created before user jane.
    -G, --groups        A comma-separated list of additional groups to which the user belongs.
    -K                  Can be used to override defaults from /etc/login.defs.
    -m, --create-home   Create the user's home directory if it does not exist. Copy the skeleton files and any directories from /etc/skel to the home directory.
    -o, --non-unique    Permits a user to have a non-unique id.
    -s, --shell         The name of the user's login shell if different from the default login shell.
    -u, --uid           The non-negative numerical user id, which must be unique if -o is not specified.

Suspend and Change Accounts

Now that you can create a user id or a group, you may also find a need to modify one.

Modifying User Accounts

Suppose user Erwin wishes to have the tcsh shell as his default. From the command line, you can use the usermod command to modify a user account. You can use most of the options that you use with useradd, except that you cannot create or populate a new home directory for the user. If you need to change the name of the user, specify the -l or --login option with the new name. You will probably want to rename the home directory to match the user id. You may also need to rename other items.

    [emac@ubuntu ~]# usermod -l Erwin -s /bin/tcsh -d /home/Erwin Erwin

Modifying Groups

The groupmod command is used to modify group information. You can change the group number with the -g option and the name with the -n option.

    [emac@ubuntu ~]# groupmod -n sysadmin developer
    [emac@ubuntu ~]# ls -ld ~Erwin
    drwx------ 3 sysadmin sysadmin 4096 Feb 13 18:29 /home/Erwin

Renumbering a Group

Renumbering a group does not touch the files that already carry the old numeric gid, so ls shows a bare number where the group name used to be, and the user's primary group has to be reassigned with usermod -g.

    [emac@ubuntu ~]# groupmod -g 505 sysadmin
    [emac@ubuntu ~]# ls -ld ~Erwin
    drwx------ 3 503 4096 Feb 13 18:29 /home/Erwin
    [emac@ubuntu ~]# id Erwin
    uid=503 gid=503 groups=503
    [emac@ubuntu ~]# usermod -g sysadmin Erwin
    [emac@ubuntu ~]# id Erwin
    uid=503 gid=505(sysadmin) groups=505(sysadmin)

User and Group Passwords

The passwd command is used to change a user's password. The password is unique to the user and may be changed by the user. The root user may change any user's password. Groups may also have passwords, and the gpasswd command is used to set them. Having a group password allows users to join a group temporarily with the newgrp command, if they know the group password.

Suspending or Locking Accounts

If you need to prevent a user from logging in, you can suspend or lock the account using the -L option of the usermod command. To unlock the account, use the -U option.

    [emac@ubuntu ~]# usermod -L Erwin

Commands and Options for Changing User Accounts

Both the passwd and the usermod command can perform many tasks related to user accounts, as can another command, the chage command.

    usermod  passwd  chage  Purpose
    -L       -l      N/A    Lock or suspend the account
    -U       -u      N/A    Unlock the account
    N/A      -d      N/A    Disable the account by setting it passwordless
    -e       -f      -E     Set the expiration date for an account
    N/A      -n      -m     The minimum password lifetime in days
    N/A      -x      -M     The maximum password lifetime in days
    N/A      -w      -W     The number of days of warning before a password must be changed
    -f       -i      -I     The number of days after a password expires until the account is disabled

Deleting a User or Group

The groupdel command is used to delete a group and requires only the group name; it has no options. You cannot delete any group that is the primary group of a user. Use the userdel command to delete a user. The -r or --remove option requests removal of the user's home directory and anything it contains.

    [emac@ubuntu ~]# groupdel sysadmin
    groupdel: cannot remove user's primary group
    [emac@ubuntu ~]# userdel -r Erwin
    userdel: Cannot remove group jane which is a primary group for another user.
    [emac@ubuntu ~]# userdel -r Erwin
    [emac@ubuntu ~]# groupdel sysadmin

Manage User and Group Database

The primary repositories for user and group information are four files in /etc:

    /etc/passwd   The password file, containing basic information about users
    /etc/shadow   The shadow password file, containing encrypted passwords
    /etc/group    The group file, containing basic information about groups and which users belong to them
    /etc/gshadow  The shadow group file, containing encrypted group passwords

The /etc/passwd File

The /etc/passwd file contains one line for each user in the system. Each line contains seven fields separated by colons (:).

    Field           Purpose
    Username        The name used to log in to the system
    Password        The encrypted password. When using shadow passwords, it contains a single x character
    User id (UID)   The number used to represent this username in the system
    Group id (GID)  The number used to represent this user's primary group in the system
    Comment         An optional field used to describe the user
    Home            The absolute path of the user's home directory
    Shell           The program automatically launched when a user logs in to the system
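The seven-field layout above is easy to check mechanically. The script below is an added example, not part of the course handout; it runs a few sanity checks that follow directly from the field descriptions: the password field should be a single x when shadow passwords are in use, only root should hold UID 0, two accounts should not share a UID unless useradd -o was used deliberately, accounts below UID_MIN should not have an interactive shell, and the home field should be an absolute path. The sample lines and the UID_MIN value of 500 are constructed for the demonstration; the real cutoff is whatever /etc/login.defs says.

```shell
#!/bin/sh
# Added example: sanity checks over /etc/passwd-format lines.
# Usage:  passwd_audit /etc/passwd      (or feed lines on stdin)
# Exit status is 1 when at least one finding was printed.

# Constructed sample data (seven colon-separated fields per line); the "backup"
# line carries a placeholder hash, not a real one.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
gel:x:503:503:Gel V:/home/gel:/bin/bash
erwin:x:504:505:Erwin:/home/Erwin:/bin/tcsh
backup:$6$salt$PLACEHOLDERHASH:504:504::/home/backup:/bin/sh
toor:x:0:0:second root:/root:/bin/bash'

# Assumed value for the demo; on a real system read UID_MIN from /etc/login.defs.
UID_MIN=500

# passwd_audit [FILE] - one finding per line on stdout; returns 1 if any were found.
passwd_audit() {
    awk -F: -v uid_min="$UID_MIN" '
        NF != 7 { printf "malformed line %d: %s\n", NR, $0; found = 1; next }
        # Field 2 should be exactly "x" when shadow passwords are in use.
        $2 != "x" { printf "%s: password field is not \"x\" (hash or empty password kept in passwd)\n", $1; found = 1 }
        # Only root should have UID 0.
        $3 == 0 && $1 != "root" { printf "%s: UID 0 account other than root\n", $1; found = 1 }
        # System accounts (below UID_MIN) normally get a non-login shell.
        $3 + 0 < uid_min && $3 != 0 && $7 !~ /(nologin|false)$/ { printf "%s: system account (UID %s < %s) with interactive shell %s\n", $1, $3, uid_min, $7; found = 1 }
        # Two names on one UID are indistinguishable to the kernel (cf. useradd -o).
        ($3 in seen) { printf "%s: shares UID %s with %s\n", $1, $3, seen[$3]; found = 1 }
        { seen[$3] = $1 }
        # The home field is documented as an absolute path.
        $6 !~ /^\// { printf "%s: home directory \"%s\" is not an absolute path\n", $1, $6; found = 1 }
        END { exit found ? 1 : 0 }
    ' "${1:-/dev/stdin}"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit || echo "findings present"
```

Running it against the sample reports the non-x password field and duplicate UID of backup, the extra UID 0 account toor (once for being non-root with UID 0, once for sharing root's UID), and the interactive shell on the ftp system account; the gel and erwin lines pass.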

The /etc/group File

The /etc/group file contains one line for each group in the system. Each line contains four fields separated by colons (:).

    Field           Purpose
    Groupname       The name of this group
    Password        The encrypted password. When using shadow group passwords, it contains a single x character
    Group Id (GID)  The number used to represent this group in the system
    Members         A comma-separated list of group members, excepting those members for whom this is the primary group
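The last row of the table matters when you audit who can act with a group's privileges: /etc/group lists only supplementary members, so a user whose primary GID is the group (as gel's is after useradd -g scholarship) never appears there. The following added example, not from the handout, resolves the full membership by joining the member list from /etc/group with the GID column of /etc/passwd. The two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: complete membership of a group = explicit members in /etc/group
# plus every user whose primary GID in /etc/passwd is that group.

# Constructed sample data.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
gel:x:503:503:Gel V:/home/gel:/bin/bash
erwin:x:504:505:Erwin:/home/Erwin:/bin/tcsh
jane:x:505:505:Jane:/home/jane:/bin/bash'
SAMPLE_GROUP='root:x:0:
gel:x:503:
sysadmin:x:505:gel,root
scholarship:x:506:jane,erwin'

# write_samples DIR - materialise the sample files as DIR/passwd and DIR/group.
write_samples() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_GROUP" > "$1/group"
}

# group_members GROUP PASSWD_FILE GROUP_FILE - sorted, unique usernames, one per line.
# On a real system:  group_members sysadmin /etc/passwd /etc/group
group_members() {
    awk -F: -v grp="$1" '
        # First file (group): remember the GID and print the explicit member list.
        FNR == NR && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        # Second file (passwd): add users whose primary group is that GID.
        FNR != NR && gid != "" && $4 == gid { print $1 }
    ' "$3" "$2" | LC_ALL=C sort -u
}

# Demonstration on the constructed sample.
tmp=$(mktemp -d)
write_samples "$tmp"
for g in sysadmin scholarship gel; do
    printf '%s: %s\n' "$g" "$(group_members "$g" "$tmp/passwd" "$tmp/group" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

For sysadmin the result is erwin, gel, jane and root: gel and root come from the /etc/group member list, while erwin and jane have 505 as their primary GID and are invisible in /etc/group alone.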

Shadow Files

The file /etc/shadow should only be readable by root. It contains the encrypted passwords along with the password and account expiration information.
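The states set by the usermod, passwd and chage options in the table earlier all end up as fields in /etc/shadow: usermod -L prefixes the hash with "!", passwd -d empties it, usermod -e / chage -E fill the expiry-date field, and passwd -x / chage -M and passwd -i / chage -I set the maximum lifetime and inactivity period. The added example below, not part of the handout, reads shadow-format records and reports which of those states each account is in. It assumes the standard nine-field layout (name:hash:lastchange:min:max:warn:inactive:expire:reserved) with day counts measured from 1970-01-01; the sample records and their placeholder hashes are constructed, and "today" is passed in as a number so the output is reproducible.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-format records.
# Usage:  shadow_report TODAY_DAYS < /etc/shadow
# TODAY_DAYS is the current date in days since the epoch, e.g. $(( $(date +%s) / 86400 )).

# Constructed sample records; the hashes are placeholders, not real ones.
SAMPLE_SHADOW='root:$6$salt$PLACEHOLDERHASH:19700:0:99999:7:::
gel:$6$salt$PLACEHOLDERHASH:19700:0:90:7:::
erwin:!$6$salt$PLACEHOLDERHASH:19700:0:99999:7:::
jane::19700:0:99999:7:::
intern:$6$salt$PLACEHOLDERHASH:19600:0:99999:7::19650:
old:$6$salt$PLACEHOLDERHASH:19600:0:90:7:14::
daemon:*:19700:0:99999:7:::'

# shadow_report TODAY_DAYS - prints "user state" lines for every notable state.
shadow_report() {
    awk -F: -v today="$1" '
        NF < 8 { next }
        # Locked with usermod -L / passwd -l: the hash is prefixed with "!".
        # A bare "*" or "!" means no password was ever set (typical for system accounts).
        $2 ~ /^!/ && length($2) > 1 { print $1, "locked" }
        # passwd -d leaves the field empty: login without any password.
        $2 == "" { print $1, "passwordless" }
        # Account expiry date (usermod -e / chage -E) already reached.
        $8 != "" && $8 + 0 <= today { print $1, "account-expired" }
        # Password older than its maximum lifetime (passwd -x / chage -M); 99999 means never.
        $5 != "" && $5 + 0 < 99999 && $3 != "" && (today - $3) > $5 + 0 {
            print $1, "password-expired"
            # Inactivity period (passwd -i / chage -I) after expiry also used up.
            if ($7 != "" && (today - $3 - $5) > $7 + 0) print $1, "inactive-period-elapsed"
        }
    '
}

# Demonstration on the constructed sample, with "today" fixed at day 19800.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_report 19800
```

With today fixed at day 19800 the sample yields gel (password older than its 90-day maximum), erwin (locked), jane (passwordless), intern (account expiry date passed) and old (password expired and the 14-day inactivity period elapsed); root and daemon produce nothing, because a maximum lifetime of 99999 never expires and "*" is not a lock applied to an existing password.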
