Module – 7.1 Linux User & Group Administration

UNIX Users & Groups:

  • Users can be either people, meaning accounts tied to physical users, or accounts which exist for specific applications to use.
  • Groups are logical expressions of organization, tying users together for a common purpose. Users within the same group can read, write, or execute files owned by the group, as permitted by each file's group permission bits.
  • Each user and group has a unique numerical identifier, called a user ID (UID) and a group ID (GID) respectively.

Basic Commands

  • useradd, usermod, and userdel — Industry-standard methods of adding, modifying, and deleting user accounts.
  • groupadd, groupmod, and groupdel — Industry-standard methods of adding, modifying, and deleting user groups.
  • gpasswd — Industry-standard method of administering the /etc/group file.
  • pwck, grpck — Tools for verifying the password, group, and associated shadow files.
  • pwconv, pwunconv — Tools for converting passwords to shadow passwords and back to standard passwords.

To create a user:

useradd mike
(or)
useradd -d /home/mike -u 501 -c "User - Mike" -m mike
-d : Home directory
-u : UID
-c : Comment
-m : Create the home directory if it does not exist

The above useradd command adds a line to each of the following two files:
    /etc/passwd  --> User information
    /etc/shadow  --> Password information

To create a group:
groupadd dba  * this command creates the group dba and assigns it a default GID
Verify --> grep dba /etc/group
(or)
groupadd -g 888 dba
    -g :  GID for the group

To create a user with a specific UID and a specific primary group:

useradd -d /home/mike -u 599 -g group01 -c "Mike Davis - Oracle Team" -m mike

To modify an existing user's primary group:
usermod -g <groupname> <username>
 
To lock a user account:
passwd -l <username>
To verify the account status:
passwd -S <username>

Example:
passwd -l mike
passwd -S mike
mike LK 2015-09-16 0 99999 7 -1 (Password locked.)
         ** LK : Locked

To unlock a user account:
passwd -u <username>

To delete a user and group permanently:
userdel <username>
userdel -r <username>
  -r : also removes the user's home directory and files
groupdel <groupname>

Below are the users and groups that exist by default:
[Table: Standard Users / Standard Groups]

Understanding fields in /etc/passwd

The /etc/passwd file contains one entry per line for each user (or user account) on the system. Fields are separated by a colon (:). There are seven fields, as follows:


  1. Username: The login name. It should be between 1 and 32 characters long.
  2. Password: An x in this field indicates that the encrypted password is stored in the /etc/shadow file.
  3. User ID (UID): Each user is assigned a numeric user ID. UID 0 (zero) is reserved for root, UIDs 1-99 are reserved for other predefined accounts, and UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
  4. Group ID (GID): The user's primary group ID (defined in the /etc/group file).
  5. User ID Info: The comment field. It lets you record extra information about the user, such as full name and phone number. This field is used by the finger command.
  6. Home directory: The absolute path of the directory the user is placed in at login. If the directory does not exist, the user's working directory becomes /.
  7. Command/shell: The absolute path of a command or shell (e.g. /bin/bash). Typically this is a shell, but it does not have to be one.
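As an added example (not part of the original module), the POSIX shell function below reads /etc/passwd-format lines and checks the fields that matter most from a security standpoint: a UID of 0 on any account other than root, an empty password field (no password at all, rather than x pointing to /etc/shadow), and two accounts sharing one UID. The passwd content is constructed sample data; on a real host you would feed it /etc/passwd itself.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not taken from a real system).
# Fields: name:password:UID:GID:comment:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mike:x:501:501:User - Mike:/home/mike:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/bash
legacy::502:502:Legacy app:/srv/legacy:/bin/sh
oracle:x:599:888:Mike Davis - Oracle Team:/home/oracle:/bin/bash
dup:x:501:503:Duplicate UID:/home/dup:/bin/bash'

# audit_passwd: reads passwd-format lines on stdin and prints one finding
# per line (UID0, NOPASS, DUPUID). Prints nothing when the file is clean.
audit_passwd() {
    awk -F: '
        # Field 3 is the UID; only root should have UID 0.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # Field 2 should be "x" (hash kept in /etc/shadow); an empty field
        # means the account can log in with no password at all.
        $2 == "" { print "NOPASS " $1 }
        # Two accounts sharing a UID are the same user to the kernel.
        {
            if ($3 in seen) print "DUPUID " $1 " shares UID " $3 " with " seen[$3]
            else seen[$3] = $1
        }
    '
}

# Stand-alone demo over the constructed sample (real use: audit_passwd < /etc/passwd).
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```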

See User List

/etc/passwd holds local users only. To list all local users, enter:
$ cat /etc/passwd
To search for a username called oracle, enter:
$ grep oracle /etc/passwd

/etc/passwd file permission

The /etc/passwd file should be readable by everyone but writable only by its owner (-rw-r--r--), and the owner must be root:
$ ls -l /etc/passwd
Output:

-rw-r--r-- 1 root root 2659 Sep 17 01:46 /etc/passwd

Understanding /etc/shadow file

The /etc/shadow file stores the actual password of each user account in encrypted form, together with additional properties related to password aging; i.e. it holds the secure part of the account information.

All fields are separated by a colon (:) symbol.

It contains one entry per line for each user listed in /etc/passwd. The fields of a shadow entry are as follows:


  1. User name: The login name.
  2. Password: The encrypted password. A password should be at least 6-8 characters long and include special characters and/or digits.
  3. Last password change (last changed): Days since Jan 1, 1970 on which the password was last changed.
  4. Minimum: The minimum number of days required between password changes, i.e. the number of days the user must wait before being allowed to change the password again.
  5. Maximum: The maximum number of days the password is valid; after that the user is forced to change it.
  6. Warn: The number of days before the password expires during which the user is warned that it must be changed.
  7. Inactive: The number of days after the password expires before the account is disabled.
  8. Expire: Days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date after which the login may no longer be used.
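An added example, not from the original module: this function reads /etc/shadow-format lines and derives the same status letter that passwd -S prints (LK, NP, PS) from fields 2, 3, 5 and 8 above, and additionally reports password and account expiry. passwd -l locks an account by prefixing the stored hash with !, which is what the LK check detects. The shadow lines are constructed with placeholder hashes; 16694 is 2015-09-16 in days since 1970-01-01, the date in the passwd -S output shown earlier.

```shell
#!/bin/sh
# Constructed sample /etc/shadow lines (placeholder hashes, not real ones).
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# 16694 days since 1970-01-01 is 2015-09-16, the date in the passwd -S example.
SAMPLE_SHADOW='root:$6$PLACEHOLDER$aaaa:16694:0:99999:7:::
mike:!$6$PLACEHOLDER$bbbb:16694:0:99999:7:-1::
oracle:$6$PLACEHOLDER$cccc:16600:0:90:7:::
legacy::16000:0:99999:7:::
contractor:$6$PLACEHOLDER$dddd:16600:0:99999:7::16700:'

# shadow_status NAME TODAY: TODAY is days since 1970-01-01 ($(( $(date +%s) / 86400 ))).
# Reads shadow-format lines on stdin and prints "NAME STATE", where STATE is
#   NP  empty password field             LK  hash prefixed with ! or * (passwd -l)
#   ACCOUNT_EXPIRED  field 8 has passed   EXPIRED  lastchg + max is before today
#   PS  usable password                   NOTFOUND  no entry for NAME
shadow_status() {
    awk -F: -v name="$1" -v today="$2" '
        $1 != name { next }
        {
            hash = $2; last = $3; max = $5; expire = $8
            if (hash == "")                                                   state = "NP"
            else if (substr(hash, 1, 1) == "!" || substr(hash, 1, 1) == "*") state = "LK"
            else if (expire != "" && expire + 0 <= today + 0)                 state = "ACCOUNT_EXPIRED"
            else if (max != "" && max + 0 < 99999 && last + max < today + 0)  state = "EXPIRED"
            else                                                              state = "PS"
            print name " " state
            found = 1
        }
        END { if (!found) print name " NOTFOUND" }
    '
}

# Stand-alone demo over the constructed sample with "today" = 16800 (2015-12-31).
for u in root mike oracle legacy contractor; do
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_status "$u" 16800
done
```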
