Linux Basics/User management
User management functions
- Functions: adding and deleting users, setting passwords, modifying accounts
- Adding a user: adduser (the interactive wrapper on Debian/Ubuntu, driven by /etc/adduser.conf), useradd (the low-level tool from the shadow suite, available on every distribution)
Adding user
Syntax:
useradd [options] username
Options:
- -u number: set the user ID (UID)
- -c "text": comment (GECOS) field, usually the full name
- -g group: primary group
- -d /home/user: set the home directory to /home/user
- -s /bin/bash: login shell (here the user gets bash as default)
- -G group1,group2: supplementary groups, separated by commas, if the user is a member of other groups as well
- -m -k /home/existing <username>: -m creates the home directory, -k names the directory whose files are copied into it (by default /etc/skel, the skeleton of a home directory). Pointing -k at an existing user's home copies that user's dotfiles too, so check it for ~/.ssh/authorized_keys, saved credentials and shell history before doing that.
So the complete command looks like this:
useradd -c "test account" -u 1001 -g users -G info,sysadmin -d /home/test -s /bin/bash -m -k /etc/skel test
getent
User information: getent
getent passwd <username>
If we want information about the infotech group:
getent group infotech
getent asks the NSS databases, so unlike grepping /etc/passwd it also shows users and groups that come from LDAP, SSSD or another remote source.
/etc/passwd file
Location of user data: /etc/passwd
Content of /etc/passwd looks like:
janos:x:1000:1000:Nagy János:/home/janos:/bin/bash
The fields of a passwd entry are separated by colons (:) and mean the following:
- Username.
- Password field: x means the password hash is kept in /etc/shadow. An empty field means no password is required, and a hash here would be world-readable, because /etc/passwd must be readable by everyone.
- User ID (UID); 0 is root, and any other account with UID 0 is root too.
- Primary group ID (GID).
- Full name and other information (the GECOS field).
- Home directory.
- Login shell.
/etc/shadow file
Content of /etc/shadow looks like:
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
As in the passwd file, each field of a shadow entry is separated by a colon (:); the fields are:
- Username. A direct match to the username in /etc/passwd (case-sensitive, usually all lowercase; historically limited to 8 characters).
- Password hash. The 13-character value shown is the legacy DES crypt format; current systems store longer hashes prefixed with the algorithm (e.g. $6$ for SHA-512, $y$ for yescrypt). A blank entry (::) means no password is required to log in (usually a bad idea); a * or a leading ! (e.g. :*: or :!<hash>:) means the account is locked, which is what passwd -l and usermod -L do by prepending ! to the hash.
- The number of days since January 1, 1970 on which the password was last changed.
- Minimum number of days before the password may be changed again (0 means it may be changed at any time).
- Maximum number of days after which the password must be changed (99999 means the user can keep the password unchanged for many, many years).
- Number of days before expiry on which the user is warned (7 for a full week).
- Number of days after the password has expired during which it can still be changed; once that period is over the account is locked (empty means never).
- Account expiration date as days since January 1, 1970; after that date no login is possible regardless of the password state (empty means never).
- A reserved field for possible future use.
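The checks an administrator actually runs over these two files follow from the field meanings above: no second UID 0 account, no hash or empty field in /etc/passwd, and for each shadow entry whether the password is empty, locked, expired or past its inactivity period. The script below is an added example and not part of the original page; it works on constructed sample lines (the page's janos and smithj entries plus deliberately bad ones, with placeholder $6$ hashes) and an assumed "today" value, so it runs without root. Feed it the real files as root to audit a host.

```shell
#!/bin/sh
# Added example, not code from the page: audit passwd/shadow-format lines
# using the field layouts described above. It works on constructed sample
# text embedded here (no root needed); pipe in "cat /etc/passwd" and
# "cat /etc/shadow" as root to audit a real host.

# Constructed sample: the page's janos line, a second UID 0 account and a
# hash left in the world-readable passwd file.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
janos:x:1000:1000:Nagy János:/home/janos:/bin/bash
backdoor:x:0:0:second uid 0 account:/root:/bin/bash
legacy:Ep6mckrOLChF.:1002:1002:hash left in passwd:/home/legacy:/bin/sh'

# Constructed sample shadow lines: placeholder $6$ hashes, the page's smithj
# line with a 90-day maximum, an empty password, a "!" lock, a "*" entry,
# a healthy account and one past its inactivity period.
SAMPLE_SHADOW='root:$6$salt$hash:17890:0:99999:7:::
janos::17956:0:99999:7:::
smithj:Ep6mckrOLChF.:10063:0:90:7:::
kathy:!$6$salt$hash:17956:0:30:7:5::
daemon:*:17956:0:99999:7:::
mary:$6$salt$hash:17980:0:90:7:::
bob:$6$salt$hash:17800:0:90:7:14::'

# "Today" as days since 1970-01-01, the unit of the shadow date fields.
# 18000 is 2019-04-14, in the range of the page's examples (assumption).
TODAY=18000

# passwd_audit: passwd-format lines on stdin, one finding per bad entry.
# Only root may have UID 0, and the password field should be "x" (hash in
# /etc/shadow); an empty field lets anyone log in without a password.
passwd_audit() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "$user: extra UID 0 account"
        fi
        case "$pw" in
            x)  ;;
            "") echo "$user: empty password field, no password required" ;;
            *)  echo "$user: hash stored in world-readable /etc/passwd" ;;
        esac
    done
}

# shadow_audit: shadow-format lines on stdin, one status line per account,
# applying the meanings of fields 2, 3, 5 and 7 listed above.
shadow_audit() {
    while IFS=: read -r user pw lastchg min max warn inactive expire reserved; do
        [ -z "$user" ] && continue
        case "$pw" in
            "")        echo "$user: EMPTY password, logs in without one"; continue ;;
            '!'*|'*'*) echo "$user: locked"; continue ;;
        esac
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            echo "$user: password never expires"
            continue
        fi
        age=$((TODAY - lastchg))
        if [ "$age" -le "$max" ]; then
            echo "$user: password ok, $((max - age)) days left"
        elif [ -n "$inactive" ] && [ "$age" -gt $((max + inactive)) ]; then
            echo "$user: password expired, inactivity period over, account locked"
        else
            echo "$user: password expired $((age - max)) days ago, must change at login"
        fi
    done
}

echo "== passwd =="; printf '%s\n' "$SAMPLE_PASSWD" | passwd_audit
echo "== shadow =="; printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```

The expiry arithmetic is the same that login(1) and chage -l perform: the third shadow field plus the maximum age gives the day the password expires, and the inactivity field extends that by a grace period before the account is locked.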
chage
Changing a user's password and account aging: chage
With chage we set when a user's password expires, i.e. the aging fields of /etc/shadow described above. For example, chage -l joska displays the current values:
Last password change : Feb 28, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
We want joska's password to expire 10 days after each change (maximum age):
chage -M 10 joska
To force a change at the next login, set the last-change date to 0:
chage -d 0 joska
Setting the date on which joska's account itself expires (after it no login is possible, whatever the state of the password):
chage -E "2019-12-31" joska
Locking after inactive days
We lock joska's account if an expired password is not changed within 10 days; the two forms are equivalent:
chage -I 10 joska
chage --inactive 10 joska
User password
User password: passwd
Changing your own password (the old one is asked for first):
$ passwd
With superuser privileges the password of any user can be changed, without knowing the old one:
# passwd username
The password is stored as a hash in /etc/shadow, never in clear text; passwd -l and passwd -u lock and unlock an account by prefixing the hash with !.
Generating a random password (makepasswd is a separate package on Debian/Ubuntu):
# makepasswd
chfn
Modifying user data: chfn
chfn edits the GECOS (full name and contact) field of /etc/passwd. It comes with the standard password tools; the finger package is only needed to display these fields with finger(1).
e.g.:
# chfn -f János janos
# chfn --full-name "Nagy János" janos
Switches:
- -f, --full-name: full name
- -o, --office: office room number
- -p, --office-phone: office phone number
- -h, --home-phone: home phone number
chfn is setuid root so that users can edit their own entry; which of these fields an ordinary user may change is controlled by CHFN_RESTRICT in /etc/login.defs.
Deleting user
Deleting a user: deluser, userdel
It is advisable to control what happens to the user's files through /etc/deluser.conf; see the deluser.conf(5) manual.
e.g.:
deluser --remove-home <username>
deluser --remove-all-files <username>
deluser --backup <username>
deluser --backup-to <directory> <username>
The low-level equivalent is userdel -r <username>. --remove-all-files searches the whole filesystem for files owned by the user, so review find / -user <username> before using it; and files that stay behind keep the numeric UID, which a later useradd may hand to a new user, so either delete them or chown them to someone else.
Handling user groups
Creating a group: addgroup, groupadd
Location of group data: /etc/group
/etc/group can be edited manually by root (text editor, mcedit, nano etc.), but vigr locks the file while editing and is the safer way.
On Debian/Ubuntu every new user also gets a private group of the same name (USERGROUPS_ENAB yes in /etc/login.defs), so for user kathy a kathy group is created as well.
Adding to a group:
gpasswd -a kathy infotech
- adds kathy to the infotech group
Removing from a group:
gpasswd -d kathy infotech
- removes kathy from the infotech group
Group changes take effect at the next login; a session that is already running keeps its old group list (check with id).
Handling user groups (and user data)
The usermod command:
- changes user accounts.
Adding user mary to the infotech group:
usermod -a -G infotech mary
(With -a the group is appended, so the user's other groups are kept. Without -a the list after -G replaces the existing supplementary groups, so the user drops out of every group not named there, sudo included.)
Other switches of usermod:
- -u value user: changes the user ID (UID); files outside the home directory keep the old numeric owner
- -g group user: changes the primary group (e.g. usermod -g infotech mari)
- -G group1,group2 user: sets the supplementary groups to exactly this list (no appending)
usermod -G human,economy,sysadmin mary
- -L user: locks the account by prefixing the password hash with ! (--lock). This only blocks password logins; SSH keys and other passwordless methods still work, so to disable the account completely also set an expiry date in the past:
usermod -L -e 1970-01-02 mary (the date may be older than the current date; usermod(8) recommends day 1 rather than 1970-01-01, because a shadow expiry value of 0 is ambiguous)
- -e value: expire date (--expiredate); -e "" clears it
- -U user: removes the ! lock again; an expiry date set with -e has to be cleared separately
- -d value user: sets a new home directory (--home); add -m to move the content there
- -s value user: sets the shell (--shell)
The id command:
requests information about the user and the groups it belongs to:
id
id -nG
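The difference between usermod -G and usermod -a -G described above is easiest to see on the file itself. The script below is an added example, not code from the page: it replays both forms on a constructed /etc/group excerpt (no root needed) and lists the result the way id -nG would show the supplementary groups. The primary group lives in /etc/passwd and is not modelled.

```shell
#!/bin/sh
# Added example, not from the page: what `usermod -G` versus `usermod -a -G`
# does to /etc/group, replayed on a constructed group file so it can run
# without root. groups_of mirrors what `id -nG` lists for the supplementary
# groups (the primary group comes from /etc/passwd and is not modelled).

# Constructed /etc/group excerpt: mary is in sudo and sysadmin.
SAMPLE_GROUP='root:x:0:
sudo:x:27:mary
users:x:100:
infotech:x:1001:kathy
sysadmin:x:1002:mary,kathy
mary:x:1003:'

# groups_of USER: print the groups whose member list (field 4) names USER.
groups_of() {
    awk -F: -v user="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == user) print $1
    }'
}

# apply_usermod_G USER replace|append GROUPS: rewrite group-file text from
# stdin the way usermod -G (replace) or usermod -a -G (append) would.
apply_usermod_G() {
    awk -F: -v OFS=: -v user="$1" -v mode="$2" -v want="$3" '
    BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    {
        n = split($4, m, ","); out = ""; present = 0
        for (i = 1; i <= n; i++) {
            if (m[i] == "") continue
            if (m[i] == user) {
                present = 1
                # replace mode drops the user from every group not in GROUPS
                if (mode == "replace" && !($1 in wanted)) continue
            }
            out = (out == "" ? m[i] : out "," m[i])
        }
        if (($1 in wanted) && !present) out = (out == "" ? user : out "," user)
        $4 = out
        print
    }'
}

echo "before: $(printf '%s\n' "$SAMPLE_GROUP" | groups_of mary | xargs)"
echo "-G:     $(printf '%s\n' "$SAMPLE_GROUP" | apply_usermod_G mary replace infotech | groups_of mary | xargs)"
echo "-a -G:  $(printf '%s\n' "$SAMPLE_GROUP" | apply_usermod_G mary append infotech | groups_of mary | xargs)"
```

After the replace form mary is only in infotech and has silently lost sudo and sysadmin; after the append form all three remain. groups_of on the real file (awk over /etc/group) is also a quick way to see who holds a privileged group such as sudo or docker.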
User accounts and "default" handling
User account settings
In the /etc/login.defs file some properties of user accounts can be set. For example, where user mail is stored:
MAIL_DIR /var/mail
Logging failed logins into /var/log/faillog:
FAILLOG_ENAB yes
Logging unknown usernames with failed logins (the default is no, because a user who types the password into the username prompt would otherwise write it into the log):
LOG_UNKFAIL_ENAB no
Logging successful logins:
LOG_OK_LOGINS no
Password policy defaults: maximum and minimum age, minimum length and warning period. useradd applies these to new accounts; existing accounts keep the values already in /etc/shadow (change those with chage):
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
Range of user IDs that useradd assigns:
UID_MIN 1000
UID_MAX 60000
Range of group IDs for new groups:
GID_MIN 1000
GID_MAX 60000
login gives up after this many failed attempts:
LOGIN_RETRIES 5
Seconds login waits for the password before giving up (a timeout, not a lockout):
LOGIN_TIMEOUT 60
On PAM-based distributions FAILLOG_ENAB and PASS_MIN_LEN are ignored (pam_faillock and pam_pwquality do that job) and PAM's own retry limit usually overrides LOGIN_RETRIES; check login.defs(5) on your distribution for which keys are honoured.
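Checking a host's login.defs against a baseline is a routine hardening task, and the parsing is simple: one key and value per line, # for comments. The script below is an added example and not code from the page; it audits a constructed copy of the defaults shown above against baseline thresholds that are assumptions (typical hardening-guide values), and shows a hardened variant passing. Replace the sample text with the real file to check a host.

```shell
#!/bin/sh
# Added example, not from the page: parse a login.defs-style file and compare
# the password and login settings shown above with a stricter baseline. The
# baseline numbers are assumptions (typical hardening-guide values), and the
# input is a constructed copy of the page's defaults. Pipe in
# "cat /etc/login.defs" to check a real host.

SAMPLE_DEFS='# constructed /etc/login.defs excerpt, values as on the page
MAIL_DIR        /var/mail
FAILLOG_ENAB    yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS   no
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
LOGIN_RETRIES   5
LOGIN_TIMEOUT   60'

# A hardened variant of the same keys (constructed), to show a clean run.
HARDENED_DEFS='PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 14
PASS_WARN_AGE 14
LOGIN_RETRIES 3
FAILLOG_ENAB yes
LOG_OK_LOGINS yes'

# defs_get KEY: value of KEY from login.defs text on stdin. Lines are
# "KEY value", "#" starts a comment, and the last occurrence wins here.
defs_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        $1 == key { val = $2 }
        END { if (val != "") print val }'
}

# expect KEY OP LIMIT: check one key against the baseline; prints the
# deviation and returns 1 if it fails. OP is a test(1) operator (-le, -ge, =).
expect() {
    val=$(printf '%s\n' "$DEFS_TEXT" | defs_get "$1")
    if [ -z "$val" ] || ! [ "$val" "$2" "$3" ]; then
        echo "$1=${val:-unset}: want $2 $3"
        return 1
    fi
}

# defs_audit: login.defs text on stdin; lists deviations, ends with a count.
defs_audit() {
    DEFS_TEXT=$(cat)
    fails=0
    expect PASS_MAX_DAYS -le 365 || fails=$((fails + 1))   # passwords must age out
    expect PASS_MIN_DAYS -ge 1   || fails=$((fails + 1))   # no instant change back to the old one
    expect PASS_MIN_LEN  -ge 12  || fails=$((fails + 1))
    expect PASS_WARN_AGE -ge 7   || fails=$((fails + 1))
    expect LOGIN_RETRIES -le 5   || fails=$((fails + 1))
    expect FAILLOG_ENAB  =  yes  || fails=$((fails + 1))
    expect LOG_OK_LOGINS =  yes  || fails=$((fails + 1))   # successful logins are evidence too
    echo "$fails deviation(s)"
}

printf '%s\n' "$SAMPLE_DEFS"   | defs_audit
printf '%s\n' "$HARDENED_DEFS" | defs_audit
```

On the page's defaults the audit reports four deviations (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN and LOG_OK_LOGINS); the hardened variant reports none. Remember that the PASS_* values only seed new accounts, so a changed file still has to be followed by chage on the accounts that already exist.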
User defaults
The /etc/default directory holds them, e.g. /etc/default/useradd (useradd -D prints the same values):
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
- INACTIVE=-1 means the inactivity lock (the chage -I field) is disabled for new accounts; EXPIRE= means no expiry date.
- /etc/skel holds the content every new home directory starts with; anything placed there (a .bashrc, for example) is copied into each new account, so keep it writable by root only.