Professional Documents
Culture Documents
Working With Users and Groups
Working With Users and Groups
Linux groups
By default, all user home directories are created and maintained in the /home
directory.
my Linux system, you would enter finger -l user_name The following information about the user account:
Login This is the username that is used to authenticate to the system. Name This is the users full name. Directory This is the users home directory. Shell This is the default shell that will be provided to the user. Last Login This displays the last time the user logged in and where from.
shell assigned, each user account is also assigned a unique user ID (UID) number when they are created. No two user accounts on the system will have the same UID. To view the UID for a given user account, you can use the id username command from the shell prompt.
account created on the system is always assigned a UID of 1000. The next user account will be assigned a UID of 1001... Other distributions may use a different numbering scheme for the UID, however. For example, UIDs on a Fedora system start at 500 instead of 1000. The root user account is always assigned a UID of 0 on most Linux distributions.
Its this UID that the operating system actually uses to
of its flexible features is the location of user accounts on the system. When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts. This screen allows you to choose from the following authentication methods:
Local This option stores user accounts in the /etc/passwd file. This has been the default configuration used by Linux systems for many years. LDAP This is a newer option that many Linux administrators are starting to adopt. Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP. Unlike local authentication, which is a flat file, the directory service is hierarchical in nature, allowing you to sort and organize your user accounts by location, function, or department.
NIS This option stands for Network Information Service. NIS is also designed to provide centralized user account management when you have multiple systems that all need the same user accounts. To do this, NIS configures systems to all use a common passwd and shadow file. Windows Domain If you have a Windows domain controller in your network (or another Linux server running the Samba service), you can configure your Linux system to use the user accounts in the domain to authenticate to the local system.
Local option
/etc/passwd This file contains the user account
information for your system. /etc/shadow This file contains passwords for your user accounts. /etc/group This file contains your systems groups.
Username:Password:UID:GID:Full_Name:Home_Directo ry:Default_Shell
username the user will supply when logging in to the system Password: This is a legacy field. At one time, the users password was stored in encrypted form in this field in the passwd file. However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
users default group Full_Name This field contains the users full name Home_Directory This field contains the path to the users home directory. Default_Shell This field specifies the shell that will be used by default
Username:Password:Last_Modified:Min_Days:Ma x_Days:Days_Warn:Disabled_Days:Expire Username This is the users login name from /etc/passwd.
format Last_Modified This field displays the number of days since January 1, 1970 that the password was last changed
days required before a password can be changed. In this example, it is set to 0 days. Max_Days This field displays the maximum number of days before a password must be changed. In this example, it is set to 99999 days. Effectively, this means a password isnt required. Days_Warn This field displays the number of days prior to password expiration that the user will be warned of the pending expiration. In this case, its set to 7 days.
days to wait after a password has expired to disable the account. Expire This field displays the number of days since January 1, 1970 after which the account will be disabled. In this example, it is set to a null value, indicating the account never expires.
can use the pwck command at the shell prompt. This utility will verify each line in the two files and make sure they are valid. Any errors are reported on the screen. If, for some reason, the /etc/passwd and the /etc/shadow files were out of synchronization, you could use the pwconv command at the shell prompt to fix the files. This utility will add any missing user accounts from /etc/passwd to /etc/shadow.
- Using useradd
Syntax: useradd options username ex (options default): useradd ncth ncth account is created using the default parameters contained in the following configuration files: /etc/default/useradd /etc/login.defs This file contains values that can be used for the GID and UID parameters when creating an account with useradd. It also contains defaults for creating passwords in /etc/shadow.
You can also view these default values by entering useradd D at the shell prompt.
Options
c Includes the users full name. e Specifies the date when the user account
will be disabled. Format the date as yyyy-mmdd. f Specifies the number of days after password expiration before the account is disabled. Use a value of 1 to disable this functionality, e.g., useradd f 1 jmcarthur. g Specifies the users default group.
G Specifies additional groups that the user is to be made a member of. M Specifies that the user account be created without a home directory. m Specifies the users home directory. n Used only on Red Hat or Fedora systems. By default, these systems create a new group with the same name as the user every time an account is created. Using this option will turn off this functionality. p Specifies the users password.
r Specifies that the user being created is a system user. s Specifies the default shell for the user. u Manually specifies a UID for the user. EX: useradd c wipro esic useradd c dco m p wipro123 s /bin/bash esic
- Using passwd
existing users password You can find out this information using the S option with passwd. For example, we could enter passwd S wipro at the shell prompt Syntax: passwd username
options
l Locks the users account. This option invalidates the users password. u Unlocks a users account. d Removes a users password. n Sets the minimum number of days required before a password can be changed. x Sets the maximum number of days before a password must be changed.
w Sets the number of days prior to password expiration when the user will be warned of the pending expiration. i Sets the number of days to wait after a password has expired to disable the account.
- Using usermod
From time to time, you will need to modify an existing
user account. The syntax for usermod is very similar to that used by useradd. Syntax: usermod options username
options
c Edits the users full name. e Sets the date when the user account will be disabled. Format the date as yyyy-mm-dd. f Sets the number of days after password expiration before the account is disabled. Use a value of 1 to disable this functionality. g Sets the users default group. G Specifies additional groups that the user is to be made a member of.
options
l Changes the username. L Locks the users account. This option invalidates the users password. m Sets the users home directory. p Sets the users password. s Specifies the default shell for the user. u Sets the UID for the user. U Unlocks a users account that has been locked.
useradd c your_full_name m p
your_password s /bin/bash your_username. tail /etc/passwd Create a user account using your systems default settings by entering useradd abc Passwd abc -> enter password
- Using userdel
Syntax: userdel username ex: userdel ncth
- Using userdel
Its important to note that, by default, userdel will not
remove the users home directory from the file system. If you do want to remove the home directory when you delete the user, you need to use the r option in the command line. For example, entering userdel r ncth will remove the account and delete her home directory.
Linux Groups
How Linux groups work Managing groups from the command line
authentication, your groups are defined in the /etc/group file. Each record is composed of the following four fields: Group:Password:GID:Users
Group Specifies the name of the group. In the
group. Users Lists the members of the group. As with /etc/shadow, each line in /etc/gshadow represents a record for a single group. Each record is composed of the following fields: Group_Name:Password:Group_Admins:Group_Me mbers
- Using groupadd
Syntax:
g Specifies a GID for the new group. p Specifies a password for the group. r Specifies that the group being created is a system group.
- Using groupmod
To modify a group, including adding users to the
group membership, you use the groupmod utility. Syntax: groupmod options group Options: g Changes the groups GID number. p Changes the groups password. A Adds a user account to the group. R Removes a user account from the group.
enter
groupmod A esic student at the shell prompt.
- Using groupdel
ex:
groupdel
student
Managing ownership
How ownership works Managing ownership from the command line
the owner of a given file or directory. To change the user who owns a file, you must be logged in as root. To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
- Using chown
The chown utility can be used to change the
user or group that owns a file or directory. Syntax chown user.group file or directory. Ex: If I wanted to change the files owner to the ncth1 user, I would enter chown ncth1 /tmp/myfile.txt
chown
If I wanted to change this to the users group, of
- Using chgrp
In addition to chown, you can also use chgrp to
chgrp group file (or directory) For example: chgrp student /tmp/newfile.txt.
Managing permissions
How permissions work Managing permissions from the command line Working with default permissions Working with special permissions
the specific permissions assigned to it. These permissions together constitute the mode of the file. These permissions are assigned to each of three different entities for each file and directory in the file system: Owner This is the user account that has been assigned to be the file or directorys owner. Permissions assigned to the owner apply only to that user account.
Group This is the group that has been assigned ownership of the file or directory. Permissions assigned to the group apply to all user accounts that are members of that group. Others This entity refers to all other users who have successful authenticated to the system. Permissions assigned to this entity apply to these user accounts.
ls -l
Owner, g for Group, and o for Others in the entity portion of the command. You substitute r, w, and/or x for the permissions portion of the command. For example, suppose I wanted to change the mode of contacts.odt to rwrwr chmod u=rw,g=rw,o=r contacts.odt You can also use chmod to toggle a particular permission on or off using the + or signs. For example, suppose I want to turn off the write permission I just gave to Group for the contacts.odt file. I could enter chmod gw contacts.odt at the shell prompt.
only three characters. To do this, enter chmod numeric_permission filename ex: chmod 660 contacts.odt
permissions to every file whenever it is created in the file system. It also assigns rwxrwxrwx permissions to every directory created in the file system. It also assigns rwxrwxrwx permissions to every directory created in the file system. To increase the overall security of the system, Linux uses a variable called umask to automatically remove permissions from the default mode whenever a file or directory is created in the file system. The value of umask is a three-digit number
of umask is 022. Each digit represents a numeric permission value to be removed. The first digit referencesyou guessed itOwner, the second references Group, the last references Other. If you only need to make a temporary change to umask, you can enter umask value at the shell prompt. For example, if you wanted to remove the execute permission that is automatically assigned to Others whenever a new directory is created, you could enter umask 023
SUID and SGID permissions to a file named runme that should be readable and executable by Owner and Group. You would enter chmod 6554 runme at the shell prompt. This specifies that the file have SUID (4) and SGID (2) permissions assigned (for a total of 6 in the first digit). It also specifies that Owner and Group have read (4) and execute permissions (1) assigned (for a total of 5 in the second and third digits). It also specifies that Others be allowed to read (4) the file, but not be able to modify or run it (for a total of 4 in the last digit)