UNIX Users & Groups:
- Users can be either people, meaning accounts tied to physical users, or accounts which exist for specific applications to use.
- Groups are logical expressions of organization, tying users together for a common purpose. Users within the same group can read, write, or execute files owned by the group.
- Each user and group has a unique numerical identification number, called a user ID (UID) and a group ID (GID) respectively.
- useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts.
- groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups.
- gpasswd — Industry-standard method of administering the /etc/group file.
- pwck, grpck — Tools used for the verification of the password, group, and associated shadow files.
- pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords.
To create user:
useradd mike
(or)
useradd -d /home/mike -u 501 -c "User - Mike" -m mike
  -d : Home directory
  -u : UID
  -c : Comment
  -m : create the home directory (the final argument, mike, is the username)
The above useradd command adds lines to the following two files:
  /etc/passwd --> User information
  /etc/shadow --> Password information
To create group:
groupadd dba
  * this command creates group dba and assigns a default GID
Verify --> cat /etc/group | grep dba
(or)
groupadd -g 888 dba
  -g : GID for the group
To create user with specific UID and specific group:
useradd -d /home/mike -u 599 -g group01 -c "Mike Davis - Oracle Team" -m mike
To modify an existing user's primary group:
usermod -g <groupname> <username>
To lock the user ID:
passwd -l <username>
To verify user status:
passwd -S <username>
Example:
passwd -l mike
passwd -S mike
mike LK 2015-09-16 0 99999 7 -1 (Password locked.)
  ** LK : Locked
To unlock the user ID:
passwd -u <username>
To delete the user and group permanently:
userdel <username>
userdel -r <username>
  -r : removes the user's home directory & files
groupdel <groupname>
Below are the users & groups that exist by default:
[Table: Standard Users / Standard Groups]
Understanding fields in /etc/passwd
The /etc/passwd file contains one entry per line for each user (or user account) of the system. All fields are separated by a colon (:) symbol. There are seven fields, as follows.
- Username: It is used when the user logs in. It should be between 1 and 32 characters in length.
- Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
- User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
- Group ID (GID): The primary group ID (stored in the /etc/group file).
- User ID Info: The comment field. It allows you to add extra information about the user, such as the user's full name, phone number, etc. This field is used by the finger command.
- Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /.
- Command/shell: The absolute path of a command or shell (e.g. /bin/bash). Typically this is a shell, but note that it does not have to be one.
See User List
/etc/passwd is used only for local users. To see the list of all local users, enter:
$ cat /etc/passwd
To search for a username called tom, enter (anchoring on the first field so that only the username, not the comment field, is matched):
$ grep '^tom:' /etc/passwd
/etc/passwd file permission
The permissions on the /etc/passwd file should be readable by all users but writable only by its owner (-rw-r--r--), and the owner must be root:
$ ls -l /etc/passwd
-rw-r--r-- 1 root root 2659 Sep 17 01:46 /etc/passwd
Understanding /etc/shadow file
The /etc/shadow file stores the actual password for each user's account in encrypted (hashed) form, along with additional properties related to the user's password; i.e. it stores the secure user account information.
All fields are separated by a colon (:) symbol.
It contains one entry per line for each user listed in the /etc/passwd file. A shadow file entry has the following fields:
- User name: Your login name.
- Password: Your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits.
- Last password change (last changed): Days since Jan 1, 1970 that the password was last changed.
- Minimum: The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
- Maximum: The maximum number of days the password is valid (after that the user is forced to change his/her password).
- Warn: The number of days before the password is due to expire that the user is warned that his/her password must be changed.
- Inactive: The number of days after the password expires that the account is disabled.
- Expire: Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.