Managing users and groups

This post will talk about managing user accounts, email, log files, and system time.

Authentication – The goal of authentication is to establish that a user requesting access to the system is who they claim to be, using credentials they were issued. Basically, it is determining whether a person or program is who they claim to be.

DAC (Discretionary Access Control) – DAC is the Linux security control under which access to a file is based on the user’s identity and current group membership. A user cannot access a file if they are neither its owner nor a member of its group. Groups are an organizational structure: when a user is created, they are given membership in a particular group. A user can have multiple group memberships, that is, be part of many groups.

Configuring user accounts

To add a new user to the system, you use the useradd command. Several files and programs are involved in creating a user on a Linux system, and we are going to explain all of them. The process of adding a user account involves the following:

  1. /etc/login.defs file
  2. /etc/default/useradd file
  3. /etc/skel/ directory
  4. /etc/passwd file
  5. /etc/shadow file

/etc/login.defs file

Directives in this configuration file control minimum and maximum password length, password expiry, whether or not to create a home directory, the default mail directory, the default umask, the default password hashing method, etc.

[aldin@arch ~]$ grep -v ^$ /etc/login.defs | grep -v ^\#
FAIL_DELAY		3
LOG_UNKFAIL_ENAB	no
LOG_OK_LOGINS		no
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes
CONSOLE		/etc/securetty
SU_NAME		su
MAIL_DIR	/var/spool/mail
HUSHLOGIN_FILE	.hushlogin
ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
TTYGROUP	tty
TTYPERM		0600
ERASECHAR	0177
KILLCHAR	025
UMASK		077
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
UID_MIN			 1000
UID_MAX			60000
SYS_UID_MIN		  500
SYS_UID_MAX		  999
GID_MIN			 1000
GID_MAX			60000
SYS_GID_MIN		  500
SYS_GID_MAX		  999
LOGIN_RETRIES		5
LOGIN_TIMEOUT		60
CHFN_RESTRICT		rwh
DEFAULT_HOME	yes
USERGROUPS_ENAB yes
MOTD_FILE
ENCRYPT_METHOD	SHA512

A UID (User ID) is the number Linux uses to identify user accounts. A user account is any account which can be accessed with the appropriate credentials. Each account has its own UID, uniquely identifying that account on the system. There are also system accounts, which are used by services rather than people.

  • UID_MIN: Lowest UID number allowed for user accounts
  • UID_MAX: Highest UID number the system can use for user accounts
  • SYS_UID_MIN: Minimum UID for system accounts
  • SYS_UID_MAX: Maximum UID for system accounts
  • PASS_MAX_DAYS: Number of days until a password change is required
  • PASS_MIN_DAYS: Number of days that must pass before a password may be changed again
  • PASS_MIN_LENGTH: Minimum number of characters required in a password
  • PASS_WARN_AGE: Number of days before a password’s expiration that a warning is shown, notifying the user to change their password
  • CREATE_HOME: If set to yes, the user’s home directory will be created
  • ENCRYPT_METHOD: Method used to hash account passwords

/etc/default/useradd file

This is another file that directs the process of creating accounts.

[root@arch ~]# cat /etc/default/useradd
# useradd defaults file for ArchLinux
# original changes by TomK
GROUP=users
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
[root@arch ~]# 

  • GROUP: Default group for new accounts
  • HOME: Base directory for all user home directories
  • INACTIVE: Number of days after a password has expired and has not been changed until the account is deactivated (-1 for never)
  • SKEL: The skeleton directory (discussed later)
  • SHELL: Default shell program for user accounts

/etc/skel/ directory

The skeleton directory is used when a new account is created: all contents of /etc/skel/ are copied to the new user’s home directory. It is important to note that files from the skel directory are copied only at account creation. If you want to add files to existing home directories later on, you need to copy them manually.

/etc/passwd file

Account information is stored in the /etc/passwd file. Each account has its own line, made of seven fields separated by colons (:).

[root@arch ~]# cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin

Fields explained:

  1. Account’s name (user or service)
  2. Password field (x indicates the password is stored in /etc/shadow)
  3. User ID (UID)
  4. Group ID (GID)
  5. Comment field or user’s full name
  6. User’s home directory
  7. User’s default shell

If you set the default shell to /sbin/nologin (/usr/bin/nologin on Arch, as shown above) or /bin/false, that user won’t be able to log in to the system. Typically this is set on system accounts because they are not real users and have no need to log in.
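The checks a practitioner usually runs over the seven fields just described, as an added example (not part of the original post) over a constructed /etc/passwd sample: a second UID 0 account, a system account with a login shell, and a password field that is not the expected x. The SYS_UID_MAX value is taken from the /etc/login.defs listing above.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not from a real host), with three
# deliberate findings: a second UID 0 account, a service account with a login
# shell, and a hash stored directly in the password field instead of "x".
SAMPLE_PASSWD='root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
backup:x:0:0:Backup job:/var/backup:/bin/bash
svc-app:x:900:900:App service:/srv/app:/bin/bash
legacy:$1$FAKEHASH:1001:1001::/home/legacy:/bin/bash
aldin:x:1000:1000::/home/aldin:/bin/bash'

# UID range boundary as printed from /etc/login.defs above.
SYS_UID_MAX=999

# Walk the seven colon-separated fields of each entry and print one finding
# per line; an empty result means nothing to report.
audit_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" |
    while IFS=: read -r name pw uid gid gecos home shell; do
        # Field 3: only root should have UID 0.
        if [ "$uid" -eq 0 ] && [ "$name" != root ]; then
            echo "UID0 $name"
        fi
        # Field 2: anything but "x" means the password is not in /etc/shadow.
        if [ "$pw" != x ]; then
            echo "PWFIELD $name"
        fi
        # Field 7: system accounts (1..SYS_UID_MAX) are expected to use
        # a non-login shell such as /usr/bin/nologin or /bin/false.
        case $shell in
            */nologin|*/false) ;;
            *) if [ "$uid" -gt 0 ] && [ "$uid" -le "$SYS_UID_MAX" ]; then
                   echo "SYSSHELL $name $shell"
               fi ;;
        esac
    done
}

# Number of findings, as a single integer.
finding_count() { audit_passwd | wc -l | tr -d ' '; }

audit_passwd
```

On a real host, replace the constructed sample with the output of getent passwd.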

/etc/shadow file

This file contains information about each user’s password. Each account occupies one line of the file. Here is a snippet of how it might look:

[root@arch ~]# cat /etc/shadow
root:$6$TwMIOJ1.Wi96hfZK4VV5.IrtTp1:18535::::::
bin:!*:18535::::::
daemon:!*:18535::::::
mail:!*:18535::::::
ftp:!*:18535::::::
http:!*:18535::::::
nobody:!*:18535::::::
dbus:!*:18535::::::
systemd-journal-remote:!*:18535::::::

Fields explained:

  1. User’s account name
  2. Password field
    • !! or ! – password has not been set
    • ! or * – account cannot use a password to log in
    • ! in front of the hash – account has been locked
  3. Date of last password change (days since 1 January 1970)
  4. Number of days that must pass before the password may be changed again
  5. Number of days after which a password change is required
  6. Number of days before the password’s expiration during which a warning is shown, notifying the user to change their password
  7. Number of days after a password has expired, and has not been changed, until the account is deactivated
  8. Date of the account’s expiration
  9. Reserved flag for future use, currently blank

When an account’s password reaches its expiration date, there is still time to log in and change it. The user has the number of days given in field #7 to log in with the old password and change it. If that period passes and the user still has not logged in and changed the password, the account is deactivated and the user is locked out of the system. Account expiration (field #8) is separate: once the account itself expires, the user cannot log in with its password at all.
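The password-field markers and the aging rules described above, and the same fields that chage -l prints further down, applied to a constructed /etc/shadow sample as an added example (not part of the original post). The hashes are fake placeholders, and the day numbers are days since 1 January 1970, as in the real file.

```shell
#!/bin/sh
# Constructed sample of /etc/shadow lines (fake hashes, not from a real host),
# one per situation described in the text. Day numbers count from 1970-01-01.
SAMPLE_SHADOW='root:$6$FAKEHASH:18535:0:99999:7:::
alice:$6$FAKEHASH:18450:0:90:7:14::
bob:!$6$FAKEHASH:18535:0:99999:7:::
carol:$6$FAKEHASH:18440:0:90:7:14::
dave:$6$FAKEHASH:18535:0:99999:7::18500:
eve:$6$FAKEHASH:0:0:99999:7:::
svc:!*:18535::::::'
# Classify one shadow line as of day $2, applying the nine fields in order:
# password-field markers first, then account expiry, then password aging.
shadow_status() {
    line=$1 today=$2
    IFS=: read -r name pw last min max warn inact expire flag <<EOF
$line
EOF
    case $pw in
        '')                echo "$name: empty password field"; return ;;
        '!'|'!!'|'*'|'!*') echo "$name: password login disabled"; return ;;
        '!'*)              echo "$name: locked"; return ;;
    esac
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "$name: account expired"; return
    fi
    if [ -z "$last" ]; then echo "$name: ok (aging disabled)"; return; fi
    if [ "$last" -eq 0 ]; then echo "$name: must change password at next login"; return; fi
    if [ -n "$max" ] && [ "$max" -lt 99999 ]; then
        due=$((last + max))                  # day the password expires
        if [ "$today" -gt "$due" ]; then
            if [ -n "$inact" ] && [ "$today" -gt $((due + inact)) ]; then
                echo "$name: password expired, account deactivated"; return
            fi
            echo "$name: password expired, change required at login"; return
        fi
        if [ "$today" -ge $((due - ${warn:-0})) ]; then
            echo "$name: password expires in $((due - today)) days"; return
        fi
    fi
    echo "$name: ok"
}
# Report every sample account as of a given day.
audit_shadow() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r l; do
        shadow_status "$l" "$1"
    done
}
audit_shadow 18535
```

Day 18535 is the last-change date in the listing above; feed getent shadow output and today’s day number (date +%s divided by 86400) to apply it to a live system.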

Creating a user

Before creating a user, review the global directives in /etc/login.defs and /etc/default/useradd we just mentioned: for example, check what the default shell is, whether or not a home directory will be created, and so on. Once you have done that, creating a user is simple, and useradd accepts many options.

# useradd themozak

With these defaults in mind (the home directory will be created and the default shell is /bin/bash), we can easily create a user. This user will now have an entry in the /etc/passwd and /etc/shadow files, but the account does not have a password yet. To give it a password, use the passwd command:

# passwd themozak

Common options for the useradd command we should know:

  • -c : Comment field stored in /etc/passwd, field 5
  • -d : User’s home directory name
  • -D : Display the /etc/default/useradd directives
  • -e : Date of account’s expiration
  • -f : Number of days after a password has expired and has not been changed until the account is deactivated (-1 for never)
  • -g : Account’s primary group
  • -G : Additional (supplementary) groups the account belongs to
  • -m : Create the user’s home directory
  • -M : Do not create the user’s home directory
  • -s : Account’s shell
  • -u : Account’s UID number
  • -r : Create a system account instead of a user account

View users and groups with getent command

The getent command pulls a user’s line from the /etc/passwd or /etc/shadow file (it works for /etc/group and /etc/gshadow too). Here is a simple example:

[root@arch ~]# getent passwd aldin
aldin:x:1000:1000::/home/aldin:/bin/bash
[root@arch ~]# getent shadow aldin
aldin:$6$z75S8I2dAIoNyLZ8OvWM0:18535:0:99999:7:::

Maintaining passwords

When I create a user on my system, they have no password. It is important to assign a password to the new user as soon as they are created. To do that, simply use the passwd command. Here is a quick example:

# passwd aldin
Changing password for user aldin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

With passwd, I can lock and unlock accounts, set an expiration date, and delete an account’s password. Here are the important flags to know:

  • -d : Remove the account’s password
  • -e : Set the account’s password as expired; the user must change the password at the next login
  • -i : Set the number of days after a password has expired and has not been changed until the account is deactivated
  • -l : Place a (!) in front of the hash in /etc/shadow, preventing the user from logging in with that password
  • -n : Set the number of days after a password is changed until it may be changed again
  • -S : Show the account’s password status
  • -u : Remove the (!) from /etc/shadow, unlocking the account
  • -w : Set the number of days a warning is issued to the user before the password’s expiration
  • -x : Set the number of days until a password change is required

View account’s password status

To view password information for a given account, use the chage command. Here is an example:

[root@arch ~]# chage -l aldin
Last password change					: Sep 30, 2020
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

To change password information for a given account, run chage aldin, which lets you set:

  • minimum password age
  • maximum password age
  • last password change
  • password expiration warning
  • password inactive
  • account expiration date

Modifying accounts

To modify an account, use the usermod command. Here are the flags we should remember regarding usermod:

  • -c : Change the user’s comment
  • -d : Set a new home directory. Use with -m to move the contents of the current home directory to the new location
  • -e : Modify the account’s expiration date
  • -f : Modify the number of days after a password has expired and has not been changed until the account is deactivated
  • -g : Change the account’s default (primary) group
  • -G : Modify the account’s supplementary group memberships. When adding the user to another group, use -a to append rather than replace the existing groups
  • -l : Modify the account’s username
  • -L : Lock the account by placing an exclamation mark in /etc/shadow
  • -s : Change the default shell
  • -u : Modify the account’s UID number
  • -U : Unlock the account by removing the ! from /etc/shadow

Deleting accounts

To delete an account, use the userdel command. Add the -r option to delete the account’s home directory along with the account.

Configuring groups

Groups are identified by their name as well as their group ID (GID). If a default group is not designated when a user is created, a new group is created (this is the USERGROUPS_ENAB behaviour from /etc/login.defs). This new group has the same name as the user account and a new GID. To see an account’s default group, use getent passwd and look at the fourth field. However, getent shows the group’s GID, not its name. To view the group name, use the groups command.

To add a user to a group, the group must already exist. We create groups with the groupadd command:

# groupadd -g 1010 group20

With this command, we created group20 with a GID of 1010. Again, use getent group to see the fields from the /etc/group file. The file has four fields: group name, group password, GID, and group members. To check a group’s password, use getent gshadow group20. If an exclamation mark is present in the password field, no password is set for that group.
