Linux Basics/User management

User management functions

edit
  • Functions: adding, deleting user, setting password, modifying
  • Adding user: adduser(under Ubuntu), useradd
 
useradd's interactive guide in Ubuntu (adduser)

Adding user

edit

Syntax:

useradd [options] username

Options:

  • -u number: setting the user id (UID)
  • -c: note
  • -g group: setting group membership
  • -d /home/user: setting HOME folder to /home/user.
  • -s /bin/bash: default shell (here the user gets bash as default
  • -G group1, group2: separating them with commas, if the user is member of other groups
  • -m -k /home/existing <username>: it creates the home folder based on an existing user's home folder.
    • -m switch refers to create home directory, -k indicates where we want to copy the default files from (e.g. /etc/skel -> the skeleton folder of the home folder)

so the command looks like this:

useradd -c "test account" -u 1001 -g users -G info,sysadmin -d /home/test -s /bin/bash -m -k /etc/skel test

getent

edit

User information: getent

getent passwd <username>

If we want to get information about infotech group:

getent group infotech

/etc/passwd file

edit

Location of user data: /etc/passwd

Content of /etc/passwd is like:

janos:x:1000:1000:Nagy János:/home/janos:/bin/bash

Passwd file's entries are separated with comma, and the explanation of the fields are the following:

  1. Username.
  2. Encrypted password.
  3. User ID(uid).
  4. Group ID (gid).
  5. Full name and other information
  6. Home folder
  7. Selected shell

/etc/shadow file

edit

Content of /etc/shadow file is like:

smithj:Ep6mckrOLChF.:10063:0:99999:7:::

As with the passwd file, each field in the shadow file is also separated with ":" colon characters, and are as follows

  1. Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
  2. Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.
  3. The number of days (since January 1, 1970) since the password was last changed.
  4. The number of days before password may be changed (0 indicates it may be changed at any time)
  5. The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
  6. The number of days to warn user of an expiring password (7 for a full week)
  7. The number of days after password expires that account is disabled
  8. The number of days since January 1, 1970 that an account has been disabled
  9. A reserved field for possible future use

chage

edit

Changing user rules: chage

We can regulate with changing it when will the password of a user expires.

For example, output of chage -l joska will display the data for it:

   Last password change                                 : Feb 28, 2019
   Password expires 	                                : never
   Password inactive 	                                : never
   Account expires 	                                : never
   Minimum number of days between pasword change	: 0
   Maximum number of days between pasword change	: 99999
   Number of days of warning before password expires 	: 7

We want joska user's password to expire in 10 days:

chage -M 10 joska

When will we want joska's password to expire?

chage -E "2019-12-31" joska

Lockdown after inactive days

We lock joska's password after 10 inactive days.

chage -I 10 joska
chage --inactive 10 joska

User password

edit

User password: passwd

Changing own password:

# passwd

With superuser privilege we can change anybody's password:

# passwd username

Storing password encrypted: /etc/shadow

Generating password:

# makepasswd

chfn

edit

Modifying user data: chfn

We need finger package for it.

e.g.:

# chfn -f János janos
# chfn --full-name "Nagy János" janos

Kapcsolók:

  • -f, --full-name
  • -o, --office -- office room number
  • -p, --office-phone - office phone number
  • -h, --home-phone - home phone number

Deleting user

edit

Deleting user: deluser, userdel

It's recommended to regulate it with help of /etc/deluser.conf, We should look up deluser.conf(5) manual.

e.g.:

deluser --remove-home
deluser --remove-all-files
deluser --backup
deluser –backup-to

Handling user groups

edit

Creating group: addgroup, groupadd

Location of group data: /etc/group

/etc/group file can be edited manually (text editor, mcedit, nano etc) by root.

A group is created with every user's name (like in case of kathy user a kathy group is created).

Adding to group:

gpasswd -a kathy infotech
  • We add kathy to infotech group

Csoportból kivétel:

gpasswd -d kathy infotech
  • We delete kathy from infotech group

Handling user groups (and user data)

edit

„usermod” command:

  • Changing user accounts.

Adding user mary to infotech group:

usermod -a -G infotech mary

(For -a the group name is appended, so the other group remains for that user. If we omit -a, then all the existing groups the user is assigned in gets deleted for that user.

Usermod command's other switches:

  • -u value user: it changes user ID (UID)
  • -g group user: it changes user group (e.g. usermod -g infotech mari)
  • -G group1,group2: it adds the user to the given groups (but without appending)
usermod -G human,economy,sysadmin mary
  • -L user: it locks the access of the user / bans the user (so you can't log in)
usermod -L -e 1970-01-01 mary (expiration date can be older than the current date) (--lock)
  • -e value: expire date (--expiredate)
  • -U user: unlocks the ban from the user
  • -d user: setting new home folder (--home)
  • -s user: setting shell (--shell)

id command:

Requesting information about the user.

group member:

id
id -nG

User accounts and handling "default"

edit

User account settings

edit

In /etc/login.defs directory/file there can be set some properties for users. For example, where should the user emails be stored.

MAIL_DIR /var/mail

Logging failed logins into /var/log/faillog file:

FAILLOG_ENAB yes

Logging unknown usernames in case of failed logins:

LOG_UNKFAIL_ENAB no

Logging successful logins:

LOG_OK_LOGINS no

Controlling passwords. By default, when it's gonna expire, when the user can change it, what's the minimum length of the password, and when the warning should be:

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

User ID minimum and maximum ID's in case of useradd:

UID_MIN 1000
UID_MAX 60000

Minimum and maximum number group IDs:

GID_MIN 1000
GID_MAX 60000

Denying login after this number of fails:

LOGIN_RETRIES 5 

The length of lockdown after exceeding the number of unsuccessful logins:

LOGIN_TIMEOUT 60

User defaults

edit

/etc/default folder contains it.

E.g. /etc/default/useradd

# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
  • /etc/skel folder contains the base home directory's content.