This post will talk about managing user accounts, email, log files, and system time.
Authentication – The process of determining whether a person or program is who it claims to be. It is distinct from authorization, which decides what an authenticated identity is allowed to do: a user is authenticated first, and only then can the system check whether that identity is authorized to access a resource.
DAC (Discretionary Access Control) – DAC is the default Linux access-control model: the owner of a file decides who may access it, and the kernel checks each request against the file's permission bits for its owning user, its owning group, and everyone else. A user who is neither the file's owner nor a member of its group gets only the "other" permissions. Groups are an organizational structure; when a user is created it gets a primary group, and it can additionally be a member of any number of supplementary groups.
Configuring user accounts
To add a new user to the system, you use the useradd command. Several files and programs take part in creating a user on a Linux system, and we are going to explain all of them. Adding an account involves the following:
- /etc/login.defs file
- /etc/default/useradd file
- /etc/skel/ directory
- /etc/passwd file
- /etc/shadow file
/etc/login.defs is the first of these files. Its directives control the minimum and maximum password age, the minimum password length, whether a home directory is created, the default mail directory, the default umask, the password hashing method, the UID and GID ranges, and so on. Here it is on Arch Linux with comments and blank lines filtered out:
[aldin@arch ~]$ grep -v ^$ /etc/login.defs | grep -v ^\#
FAIL_DELAY 3
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
CONSOLE /etc/securetty
SU_NAME su
MAIL_DIR /var/spool/mail
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 077
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 500
SYS_UID_MAX 999
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 500
SYS_GID_MAX 999
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
MOTD_FILE
ENCRYPT_METHOD SHA512
A UID (User ID) is the number Linux uses to identify an account. The kernel works with UIDs, not names, so every account has a UID that should be unique on the system. Regular user accounts are the ones a person logs into with appropriate credentials; system accounts are used by services and are allocated from a separate, lower UID range. The directives worth knowing:
- UID_MIN: Lowest UID allocated to regular user accounts
- UID_MAX: Highest UID allocated to regular user accounts
- SYS_UID_MIN: Minimum UID for system accounts (useradd -r)
- SYS_UID_MAX: Maximum UID for system accounts
- PASS_MAX_DAYS: Maximum password age in days; after it a password change is required (99999 effectively means never)
- PASS_MIN_DAYS: Minimum password age in days; the password cannot be changed again until this many days have passed (0 lets a user change it straight back to the old one)
- PASS_MIN_LEN: Minimum number of characters required in a password; on PAM-based systems this directive is ignored and pam_pwquality (or pam_cracklib) enforces length instead
- PASS_WARN_AGE: Number of days before expiration during which the user is warned to change the password
- CREATE_HOME: If set to yes, useradd creates the home directory without needing -m
- ENCRYPT_METHOD: Method used to hash new account passwords (SHA512 above)
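As an added example (not code from the original post), here is a small parser for /etc/login.defs together with a check for the settings above that weaken account security, and the UID-range allocation the UID_MIN/UID_MAX and SYS_UID_* directives control. SAMPLE_LOGIN_DEFS is a constructed excerpt of the Arch dump; the thresholds in audit_login_defs and the corrected values in HARDENED_LOGIN_DEFS are this example's own choices, not values from the page.

```python
"""Parse /etc/login.defs and flag directives that weaken account security (added example)."""

# Constructed excerpt: the security-relevant directives from the Arch dump above.
SAMPLE_LOGIN_DEFS = """
# Comment lines and blank lines are skipped, as the shadow suite does.
UMASK           077
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
SYS_UID_MIN     500
SYS_UID_MAX     999
LOGIN_RETRIES   5
ENCRYPT_METHOD  SHA512
"""

# The same excerpt with the two weak settings corrected (this example's suggested values).
HARDENED_LOGIN_DEFS = SAMPLE_LOGIN_DEFS.replace(
    "PASS_MAX_DAYS   99999", "PASS_MAX_DAYS   365").replace(
    "PASS_MIN_DAYS   0", "PASS_MIN_DAYS   1")


def parse_login_defs(text):
    """Return {DIRECTIVE: value}. Each line is 'NAME whitespace VALUE';
    a later duplicate overrides an earlier one, a missing value is ''."""
    defs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        defs[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return defs


def _int(defs, key, default):
    try:
        return int(defs.get(key, default))
    except ValueError:
        return default


def audit_login_defs(defs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if _int(defs, "PASS_MAX_DAYS", 99999) >= 99999:
        findings.append("PASS_MAX_DAYS: passwords never expire (99999)")
    if _int(defs, "PASS_MIN_DAYS", 0) == 0:
        findings.append("PASS_MIN_DAYS: 0 lets a user cycle straight back to an old password")
    method = defs.get("ENCRYPT_METHOD", "DES")   # shadow falls back to DES when unset
    if method.upper() not in ("SHA512", "YESCRYPT"):
        findings.append(f"ENCRYPT_METHOD: {method} is a weak hash")
    if int(defs.get("UMASK", "022"), 8) & 0o077 != 0o077:
        findings.append(f"UMASK: {defs.get('UMASK', '022')} makes new files readable by group/other")
    if _int(defs, "LOGIN_RETRIES", 5) > 5:
        findings.append("LOGIN_RETRIES: more than 5 attempts before login gives up")
    # System and regular UID ranges must not overlap, or a service could be
    # allocated an ID that tooling treats as a human user (and vice versa).
    if _int(defs, "SYS_UID_MAX", 999) >= _int(defs, "UID_MIN", 1000):
        findings.append("SYS_UID_MAX overlaps UID_MIN")
    return findings


def next_free_uid(defs, used_uids, system=False):
    """Lowest unused UID in the configured range, or None if the range is full.
    useradd's own search order differs slightly; the point is the range split."""
    if system:   # shadow's defaults: SYS_UID_MIN 101, SYS_UID_MAX UID_MIN-1
        lo, hi = _int(defs, "SYS_UID_MIN", 101), _int(defs, "SYS_UID_MAX", 999)
    else:
        lo, hi = _int(defs, "UID_MIN", 1000), _int(defs, "UID_MAX", 60000)
    for uid in range(lo, hi + 1):
        if uid not in used_uids:
            return uid
    return None


if __name__ == "__main__":
    defs = parse_login_defs(SAMPLE_LOGIN_DEFS)
    for f in audit_login_defs(defs):
        print("WEAK:", f)
    print("next regular UID:", next_free_uid(defs, {0, 1, 1000, 1001}))
    print("hardened findings:", audit_login_defs(parse_login_defs(HARDENED_LOGIN_DEFS)))
```

Run it against a real file with parse_login_defs(open("/etc/login.defs").read()). The UMASK check is deliberately strict (077): on distributions that ship 022, decide whether group-readable home directories are acceptable before treating it as a finding.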
/etc/default/useradd is the second file that directs the process of creating accounts: it holds the defaults useradd applies when an option is not given on the command line.
[root@arch ~]# cat /etc/default/useradd
# useradd defaults file for ArchLinux
# original changes by TomK
GROUP=users
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
- GROUP: Default primary group, used only when useradd -N is given or USERGROUPS_ENAB is no in /etc/login.defs (otherwise a private group named after the user is created)
- HOME: Base directory under which user home directories are created
- INACTIVE: Number of days after a password has expired and has not been changed until the account is disabled (-1 means never)
- EXPIRE: Default account expiration date (empty means no expiration)
- SKEL: The skeleton directory (discussed below)
- SHELL: Default login shell for new accounts
The skeleton directory /etc/skel/ is used when a new account is created: its contents (typically dotfiles such as .bashrc and .bash_profile) are copied into the new home directory and chowned to the new user. Files are copied only at account creation time, so anything added to /etc/skel/ later has to be copied into existing home directories manually.
Account information is stored in /etc/passwd. Each account has its own line, made of seven fields separated by colons (:):
[root@arch ~]# cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
- Account’s name (user or service)
- Password field (x indicates password is stored in /etc/shadow)
- User ID (UID)
- Group ID (GID)
- Comment field or user’s full name
- User’s home directory
- User's default (login) shell
If an account's shell is set to nologin (/usr/bin/nologin above; /sbin/nologin or /bin/false on other distributions), that account cannot log in interactively: nologin prints a refusal message and exits. This is the norm for system accounts, which are not real users and never need a login session. Note that the shell is only consulted at login; processes can still run under such an account (a service started by systemd, or root running su -s /bin/sh account), which is exactly what these accounts are for.
/etc/shadow holds each account's password hash and password-aging information. Each account occupies one line, and the file is readable only by root. Here is a snippet of how it might look:
[root@arch ~]# cat /etc/shadow
root:$6$TwMIOJ1.Wi96hfZK4VV5.IrtTp1:18535::::::
bin:!*:18535::::::
daemon:!*:18535::::::
mail:!*:18535::::::
ftp:!*:18535::::::
http:!*:18535::::::
nobody:!*:18535::::::
dbus:!*:18535::::::
systemd-journal-remote:!*:18535::::::
- User's account name
- Password field. Its form tells you the account's password state:
  - empty: no password is set at all; whether a password-less login is accepted depends on the PAM configuration, so treat this as a finding
  - !! or ! alone (Red Hat style) or !* (as on Arch above): no usable password has ever been set, and the account cannot authenticate with a password
  - *: password authentication disabled, typical for service accounts
  - ! followed by a hash: the account was locked with passwd -l or usermod -L; the original hash is kept after the ! so that unlocking restores it
  - a string beginning with $id$: a password hash; $6$ is SHA-512 (the ENCRYPT_METHOD above), $y$ yescrypt, $5$ SHA-256, and $1$ the obsolete MD5 scheme
- Date of the last password change, in days since 1 January 1970 (18535 above is 30 September 2020); 0 forces a change at next login
- Minimum password age: number of days that must pass after a change before the password may be changed again
- Maximum password age: number of days after which a password change is required
- Number of days before expiration during which a warning is shown, telling the user to change the password
- Number of days after the password has expired, without it being changed, until the account is disabled (the inactive period)
- Date of the account's expiration, also in days since 1970
- Reserved flag field for future use, currently blank
Password expiration and account expiration are different things. When the maximum age (field 5) passes, the password has expired, but the user can still log in with the old password for the number of inactive days (field 7) and is forced to change it at that login; once that grace period is also over, the account is disabled until an administrator resets the password. The account expiration date (field 8) is independent of the password: after that date the user cannot log in at all, however fresh the password is.
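The following added example (not code from the original post) decodes /etc/passwd and /etc/shadow lines, interprets the password field as described above, and reproduces the aging logic: account expiration, then the "change at next login" marker, then maximum age, the warning window, and the inactive grace period. It also cross-checks the two files for the classic findings (a second UID 0 account, an empty password on an account with a login shell, an MD5 hash). Both file excerpts are constructed; the hashes are placeholders and the day numbers follow the post's sample (18535 = 30 September 2020).

```python
"""Decode /etc/passwd and /etc/shadow and evaluate account state (added example)."""
from collections import namedtuple
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NOLOGIN_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
WEAK_HASHES = {"md5"}
# The nine shadow fields; numeric ones are None when empty in the file.
ShadowEntry = namedtuple("ShadowEntry", "name pw lastchg min max warn inactive expire")

# Constructed /etc/passwd excerpt: name:x:UID:GID:comment:home:shell
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
aldin:x:1000:1000::/home/aldin:/bin/bash
svc:x:1002:1002:Legacy service:/srv/svc:/bin/sh
toor:x:0:0:Second root:/root:/bin/bash
legacy:x:1003:1003::/home/legacy:/bin/bash
ops:x:1004:1004::/home/ops:/bin/bash
dev:x:1005:1005::/home/dev:/bin/bash
qa:x:1006:1006::/home/qa:/bin/bash
"""
# Constructed /etc/shadow excerpt (placeholder hashes): name:pw:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:18535::::::
aldin:$6$saltsalt$placeholderhash:18535:0:99999:7:::
svc::18535:0:99999:7:::
toor:$6$saltsalt$placeholderhash:18300:0:90:7:14:18500:
legacy:$1$saltsalt$placeholderhash:18535:0:99999:7:::
ops:$6$saltsalt$placeholderhash:18400:0:90:7:14::
dev:$6$saltsalt$placeholderhash:18500:0:50:7:14::
qa:$6$saltsalt$placeholderhash:18440:0:90:7:::
"""


def _fields(text, n):
    """Split colon-separated lines, insisting on exactly n fields per line."""
    rows = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != n:
            raise ValueError(f"malformed line (expected {n} fields): {line!r}")
        rows.append(f)
    return rows


def parse_shadow(text):
    return {f[0]: ShadowEntry(f[0], f[1], *[int(x) if x else None for x in f[2:8]])
            for f in _fields(text, 9)}


def classify_password(field):
    """Interpret the shadow password field the way login/PAM would."""
    if field == "":
        return "empty"
    if field.startswith("!"):
        return "locked (hash retained)" if field[1:].startswith("$") else "locked"
    if field.startswith("*"):
        return "locked"
    if field.startswith("$"):
        return "hash:" + HASH_IDS.get(field.split("$")[1], "unknown")
    return "unknown"


def days_to_date(days):
    return EPOCH + timedelta(days=days)


def password_status(e, today_days):
    """Apply the aging rules of chage -l / pam_unix; today_days is days since 1970-01-01."""
    if e.expire is not None and today_days >= e.expire:
        return "account expired"                      # field 8 overrides everything else
    if e.lastchg == 0:
        return "change required at next login"        # what passwd -e sets
    if e.lastchg is None or e.max is None or e.max < 0 or e.max >= 10000:
        return "password never expires"               # chage prints "never" from 10000 up
    expires = e.lastchg + e.max
    if today_days < expires:
        left = expires - today_days
        tag = " (warning period)" if left <= (e.warn or 0) else ""
        return f"password expires in {left} days{tag}"
    # Past the maximum age: 'inactive' days of grace, then the account is disabled.
    if e.inactive is not None and e.inactive >= 0 and today_days >= expires + e.inactive:
        return "password expired and inactive: account disabled"
    return "password expired: must change at next login"


def audit_accounts(passwd_text, shadow_text):
    """Cross-check passwd against shadow and return a list of findings."""
    shadow = parse_shadow(shadow_text)
    findings, uid_owner = [], {}
    for name, _x, uid, _gid, _comment, _home, shell in _fields(passwd_text, 7):
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if uid in uid_owner:
            findings.append(f"{name}: shares UID {uid} with {uid_owner[uid]}")
        uid_owner.setdefault(uid, name)
        kind = classify_password(shadow[name].pw)
        if kind == "empty" and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: empty password with login shell {shell}")
        elif kind.startswith("hash:") and kind[5:] in WEAK_HASHES:
            findings.append(f"{name}: weak password hash ({kind[5:]})")
    return findings


if __name__ == "__main__":
    today = (date.today() - EPOCH).days
    for name, e in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{name:8} {classify_password(e.pw):24} {password_status(e, today)}")
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("FINDING:", finding)
```

On a real host run it as root (parse_shadow(open("/etc/shadow").read())), since /etc/shadow is unreadable to everyone else. Evaluating the samples on day 18545 (10 October 2020) shows every state described above: toor has an account expiration date in the past and is refused outright, ops is past both the maximum age and the inactive period and is disabled, qa is past the maximum age with no inactive period and must change at next login, and dev is inside its seven-day warning window.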
Creating a user
Before creating a user, review the global directives in /etc/login.defs and /etc/default/useradd discussed above: check the default shell, whether a home directory will be created, and so on. Once that is done, creating a user is simple, although useradd accepts many options:
# useradd themozak
With those defaults, this creates the user with a home directory under /home and /bin/bash as the login shell, and adds a line to both /etc/passwd and /etc/shadow (plus, because USERGROUPS_ENAB is yes, a private group of the same name). The account has no password yet, and its shadow password field is locked (!), so nobody can log in until you set one with the passwd command:
# passwd themozak
Common options for the useradd command we should know:
- -c : Comment field stored in /etc/passwd, field 5
- -d : Path of the user's home directory
- -D : Display (or, combined with other options, change) the /etc/default/useradd directives
- -e : Account expiration date (YYYY-MM-DD)
- -f : Number of days after a password has expired and has not been changed until the account is disabled (-1 for never)
- -g : Account's primary group (name or GID)
- -G : Comma-separated list of supplementary groups to add the user to
- -m : Create the user's home directory
- -M : Do not create the user's home directory
- -s : Account's login shell
- -u : Account's UID number
- -r : Create a system account instead of a user account (UID from the SYS_UID range, no home directory by default)
View users and groups with getent command
The getent command queries the Name Service Switch databases (passwd, shadow, group, gshadow and others), so it returns the account's line whether it comes from the local files or from another NSS source such as LDAP. Reading the shadow database requires root. Here is a simple example:
[root@arch ~]# getent passwd aldin
aldin:x:1000:1000::/home/aldin:/bin/bash
[root@arch ~]# getent shadow aldin
aldin:$6$z75S8I2dAIoNyLZ8OvWM0:18535:0:99999:7:::
A freshly created account has no password, and its shadow password field is locked, so nobody can log in until one is set. Assign a password as soon as the account is created, using the passwd command. Here is a quick example:
# passwd aldin
Changing password for user aldin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
With passwd, I can lock accounts, unlock accounts, set expiration date, delete account’s password. Here are the important flags to know:
- -d : Remove the account’s password
- -e : Set account’s password as expired. User needs to change password at next login.
- -i : Set the number of days after a password has expired and has not been changed until the account is deactivated.
- -l : Lock the account by prefixing the hash in /etc/shadow with !, so the user can no longer log in with that password. This blocks password authentication only; whether an SSH login with an authorized key is still accepted depends on the sshd configuration, so to disable an account fully also set an expiration date in the past (chage -E 0) or a nologin shell
- -n : Set number of days after a password is changed until password may be changed again
- -S : Account’s password status
- -u : remove (!) from the /etc/shadow file
- -w : Set number of days a warning is issued to the user prior to password’s expiration
- -x : Set number of days until a password change is required.
View account’s password status
To view the password-aging information for a given account, use chage -l. Here is an example:
[root@arch ~]# chage -l aldin
Last password change : Sep 30, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To change that information, run chage with the matching option (or plain chage aldin for an interactive prompt). It lets you set:
- minimum password age
- maximum password age
- last password change
- password expiration warning
- password inactive
- account expiration date
To modify an account use usermod command. Here are flags we should remember regarding usermod:
- -c : Change user’s comment
- -d : Set new user home directory. Use with -m option to move current directory’s files to new location
- -e : Modify account’s expiration date
- -f : Modify the number of days after a password has expired and has not been changed until the account is deactivated.
- -g : Change account’s default group membership
- -G : Modify account’s memberships. When adding user to another group, use -a to append, and not override other groups
- -l : Modify account’s username.
- -L : Lock the account by placing exclamation mark in /etc/shadow file
- -s : Change default shell
- -u : Modify account’s UID number
- -U : Unlock the account by removing ! from /etc/shadow file
To delete an account, use the userdel command. By default it removes only the account entries; add -r to delete the home directory and mail spool as well. Files the user owns elsewhere on the system keep the old numeric UID, so locate them (find / -nouser) before that UID is reused by a new account.
Groups are identified by their name and by their group ID (GID). If no primary group is given when a user is created and USERGROUPS_ENAB is yes (as above), useradd creates a new group with the same name as the account and a fresh GID, and makes it the account's primary group. To see an account's primary group, look at the fourth field of its /etc/passwd line (getent passwd name); that shows the GID, not the name. To see names, run groups name or id name, which list the primary group together with all supplementary groups.
To add a new user to a group, a group must already exist. We create groups with groupadd command:
# groupadd -g 1010 group20
This creates group20 with a GID of 1010. Again, use getent group group20 to see the fields of its /etc/group line. The file has four fields: group name, group password (x, meaning the real field lives in /etc/gshadow), GID, and a comma-separated list of members. To check for a group password, use getent gshadow group20; an exclamation mark in the second field means no password is set. Add existing users to the group with usermod -aG group20 user (or gpasswd -a user group20).
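As an added example (not code from the original post), the following resolves a user's primary and supplementary groups from /etc/passwd and /etc/group the way the groups and id commands do, and audits the result: membership in root-equivalent groups, a primary GID with no /etc/group entry, and a group that has a password set in /etc/gshadow. The three file excerpts are constructed; group20 mirrors the groupadd example above, and PRIVILEGED_GROUPS is this example's own list.

```python
"""Resolve group membership from passwd/group and flag risky groups (added example)."""

# Constructed excerpts. passwd: name:x:UID:GID:comment:home:shell
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
aldin:x:1000:1000::/home/aldin:/bin/bash
themozak:x:1001:100::/home/themozak:/bin/bash
svc:x:1002:1010::/srv/svc:/usr/bin/nologin
orphan:x:1003:2000::/home/orphan:/bin/bash
"""
# group: name:password:GID:members (the member list holds supplementary members only;
# primary membership comes from the passwd GID and is not listed here)
SAMPLE_GROUP = """\
root:x:0:
wheel:x:998:aldin
users:x:100:
docker:x:999:themozak
aldin:x:1000:
group20:x:1010:aldin,themozak
"""
# gshadow: name:password:administrators:members ('!' means no group password)
SAMPLE_GSHADOW = """\
root:!::
wheel:!::aldin
users:!::
docker:!::themozak
aldin:!::
group20:$6$saltsalt$placeholderhash::aldin,themozak
"""

# Membership in these is root-equivalent (this example's list; extend for your distro).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "adm", "docker", "disk", "shadow", "lxd"}


def parse_colon_file(text):
    """Split a passwd/group-style file into lists of fields, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line]


def load_groups(group_text):
    """Return ({gid: name}, {name: set(members)}) from /etc/group content."""
    gid_to_name, members = {}, {}
    for name, _pw, gid, mem in parse_colon_file(group_text):
        gid_to_name[int(gid)] = name
        members[name] = {m for m in mem.split(",") if m}
    return gid_to_name, members


def groups_of(user, passwd_text, group_text):
    """Primary group first (from the passwd GID), then supplementary groups sorted
    by name. An unknown GID is rendered as its number, as id does."""
    gid_to_name, members = load_groups(group_text)
    for name, _x, _uid, gid, *_rest in parse_colon_file(passwd_text):
        if name == user:
            primary = gid_to_name.get(int(gid), gid)
            extra = sorted(g for g, m in members.items() if user in m and g != primary)
            return [primary] + extra
    raise KeyError(f"no passwd entry for {user}")


def audit_groups(passwd_text, group_text, gshadow_text):
    """Return findings: privileged memberships, orphaned primary GIDs, group passwords."""
    gid_to_name, _members = load_groups(group_text)
    findings = []
    for name, _x, uid, gid, *_rest in parse_colon_file(passwd_text):
        if int(gid) not in gid_to_name:
            findings.append(f"{name}: primary GID {gid} has no /etc/group entry")
        if int(uid) != 0:   # root belonging to group root is expected, skip it
            for g in groups_of(name, passwd_text, group_text):
                if g in PRIVILEGED_GROUPS:
                    findings.append(f"{name}: member of privileged group {g}")
    for name, pw, _admins, _mem in parse_colon_file(gshadow_text):
        if pw.startswith("$"):   # a real hash, not the '!' / '*' no-password markers
            findings.append(f"{name}: group password set, so non-members can join it with newgrp")
    return findings


if __name__ == "__main__":
    for user in ("aldin", "themozak", "svc", "orphan"):
        print(user, ":", " ".join(groups_of(user, SAMPLE_PASSWD, SAMPLE_GROUP)))
    for finding in audit_groups(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_GSHADOW):
        print("FINDING:", finding)
```

On a real host feed it the output of getent passwd, getent group and (as root) getent gshadow rather than the raw files, so that accounts from LDAP or other NSS sources are included. The docker group is in the privileged list because access to the Docker socket allows mounting the host filesystem into a container, which is equivalent to root.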