Linux Administration (2016)

Managing Users and Groups

Linux is a multi-user operating system. Not only can multiple accounts exist on the system, but each of those accounts can be used at the same time. Each account consists of a username and a unique number called the UID, short for user ID. Also, each account has a default group to which it belongs, some comments associated with the account, a shell to execute when the user logs into the system, and a home directory. All this information is stored in the /etc/passwd file.

The first entry in the /etc/passwd file is the root account.

root:x:0:0:root:/root:/bin/bash

The format of the /etc/passwd file is as follows.

username:password:UID:GID:comments:home_dir:shell

Each field is separated by a colon. Let's take a look at each of them individually.

Username: root
Password: x (This means the encrypted password is stored in /etc/shadow, which you will learn about shortly.)
UID: 0
GID: 0
Comment: root
Home directory: /root
Shell: /bin/bash

Let's look at another entry in the /etc/passwd file. This is for the joe account.

joe:x:1000:1000:Joe Henderson:/home/joe:/bin/bash

Username: joe
Password: x
UID: 1000
GID: 1000
Comment: Joe Henderson
Home directory: /home/joe
Shell: /bin/bash

Even though Linux supports usernames up to 32 characters in length, it is customary to keep usernames to 8 or fewer characters. When using usernames longer than 8 characters, you will run into situations where the UID is displayed in place of the username or a truncated version of the username is displayed, for example in the output of the ps command.

Here is an example of a long username being truncated.

# ps -fu jasoncannon

UID PID PPID C STIME TTY TIME CMD

jasonca+ 2973 1 0 01:43 ? 00:00:00 bash

This is what it might look like on an older version of Linux. The long username is simply replaced by its UID.

# ps -fu jasoncannon

UID PID PPID C STIME TTY TIME CMD

1000 2973 1 0 01:43 ? 00:00:00 bash

Usernames are case sensitive. Even though uppercase letters are allowed in usernames, by convention usernames are in all lowercase letters. Digits are also allowed in usernames, but avoid special characters.

Historically, encrypted password information was stored in the /etc/passwd file following the username. However, the /etc/passwd file is readable by anyone on the system, so storing password information there, even encrypted, is a security risk. Now, by default, the encrypted password information is stored in /etc/shadow, which is readable only by the superuser account.

The UID is a unique number. The root account is always UID 0. Accounts meant to be used by the system typically have UIDs lower than 1000. This is configurable by updating the /etc/login.defs file.

The group ID, or GID, listed in the password file entry for an account is the account's default group. When a user creates a file, that file will belong to the user's default group. If a user wants to create files using another group, they can use the newgrp command to change to a new group before creating the files.

The comment field typically contains the user's real name or a description of what the account is used for. It can also remain empty. You'll sometimes hear this field referred to as the GECOS field. This is a historical holdover from the early years of Unix.

When a user logs into the system they are placed in their home directory, listed in the passwd file. If this directory does not exist, they will be placed into the root directory.

The shell will be executed when the user logs into the system with their account. You can see a list of installed shells on your Linux system by looking at /etc/shells. Whatever is listed in the shell field will be executed upon login even if the program is not actually a shell. For example, you may see /usr/sbin/nologin or /bin/false in the shell field for certain accounts. This ensures that no one can use those accounts interactively. You can also use the shell field to execute a program when a user logs into the system. For example, you could force users into a menu-driven application that only allows them access to certain actions.
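As an added example (not part of the book's text), here is a small shell script that parses passwd-format entries field by field and runs the checks an administrator would want once the layout above is understood: a second account with UID 0, an empty password field, two usernames sharing a UID, and accounts whose shell field launches something other than a shell listed in /etc/shells. The passwd and shells content is constructed inline so the script runs without root; on a real system pass the contents of the actual files instead.

```shell
# Constructed sample of /etc/passwd content (not taken from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:Joe Henderson:/home/joe:/bin/bash
backup:x:1001:1001:Backup job:/var/backups:/bin/sh
kiosk:x:1002:1002:Kiosk menu:/home/kiosk:/usr/local/bin/menu
toor::0:0:second superuser:/root:/bin/bash
svc:x:1000:1003:Service account:/opt/svc:/usr/sbin/nologin'

# Constructed sample of /etc/shells (the shells permitted for interactive login).
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# Print field N of USER's entry: passwd_field PASSWD_CONTENT USER N
# Fields: 1 username, 2 password, 3 UID, 4 GID, 5 comment, 6 home, 7 shell.
passwd_field() {
  printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }'
}

# Checks worth running over passwd content, one finding per line, sorted so the
# output can be diffed against a known-good baseline:
#   malformed: entry without exactly seven fields
#   uid0:      an account other than root with UID 0 (a second superuser)
#   nopass:    an empty password field; without the "x" the entry no longer
#              defers to /etc/shadow, so the account has no password at all
#   dupuid:    two usernames sharing one UID; the kernel sees them as one owner
audit_passwd() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7                 { print "malformed: " $0; next }
    $3 == 0 && $1 != "root" { print "uid0: " $1 }
    $2 == ""                { print "nopass: " $1 }
    {
      if ($3 in seen) print "dupuid: " $1 " shares UID " $3 " with " seen[$3]
      else seen[$3] = $1
    }
  ' | sort
}

# Accounts whose login shell is neither listed in /etc/shells nor one of the
# usual "no login" programs: unlisted_shells PASSWD_CONTENT SHELLS_CONTENT
# These are the accounts where the shell field launches some other program.
unlisted_shells() {
  shells=$(printf '%s\n' "$2" | tr '\n' ':')
  printf '%s\n' "$1" | awk -F: -v shells="$shells" '
    BEGIN { n = split(shells, s, ":"); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    !($7 in ok) && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1 ": " $7 }
  '
}

# On a live system: audit_passwd "$(cat /etc/passwd)"
#                   unlisted_shells "$(cat /etc/passwd)" "$(cat /etc/shells)"
```

The sample deliberately contains a toor account with UID 0 and no password, and an svc account reusing joe's UID, so all three finding types appear; the kiosk account shows up only under unlisted_shells, because a custom menu program in the shell field is legitimate but worth knowing about.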

The Shadow File

Like the /etc/passwd file, the /etc/shadow file contains a series of fields separated by a colon.

root:$6$9g1IC8AYzqPorEZSHjWeZP8o21:16502:0:99999:7:::

The first field is the username. The second field contains the encrypted password. The third field is the date of the last password change, expressed as the number of days since January 1, 1970. The fourth field is the minimum number of days that must pass before the password can be changed again. The fifth field is the maximum number of days after which the password must be changed. If this field contains 99999, the user never has to change their password. The sixth field is the number of days before expiration at which to warn the user that their password will expire. The seventh field is the number of days after the password expires that the account is disabled. The eighth field is the date on which the account is disabled, again expressed as the number of days since January 1, 1970. The ninth field is reserved for future use.
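The fields above are only useful once they are turned into a status per account. The following is an added example, not the book's own code: it reads shadow-format entries and reports whether each account has no password, is locked, has an expired account or password, or how many days remain before a change is forced. The entries are constructed and the hash fields are placeholders, not real hashes; the day counts are what matters for the checks.

```shell
# Constructed /etc/shadow entries. The hash fields are placeholders, not real
# password hashes; the day counts are what the checks below operate on.
SAMPLE_SHADOW='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16502:0:99999:7:::
joe:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16400:1:90:14:::
mary:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16500:1:90:14:::
svc:*:16000:0:99999:7:::
guest::16500:0:99999:7:::
temp:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16000:0:99999:7::16400:'

# Today expressed the way fields 3 and 8 are: days since January 1, 1970.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Classify one account from its shadow entry: shadow_status SHADOW_CONTENT USER TODAY
# Prints one word: nopass, locked, account-expired, never-expires,
# password-expired, or expires-in-N (N days left before a change is forced).
shadow_status() {
  printf '%s\n' "$1" | awk -F: -v u="$2" -v today="$3" '
    $1 != u { next }
    {
      # field 2: empty means no password at all; a leading ! or * means the
      # account cannot authenticate with a password (locked or never set)
      if ($2 == "")                { print "nopass"; exit }
      if ($2 ~ /^[!*]/)            { print "locked"; exit }
      # field 8: the day the whole account is disabled, if set
      if ($8 != "" && today >= $8) { print "account-expired"; exit }
      # field 5: maximum password age; 99999 (or empty) means never
      if ($5 == "" || $5 == 99999) { print "never-expires"; exit }
      # field 3 + field 5: the day by which the password must be changed
      left = $3 + $5 - today
      if (left < 0) print "password-expired"; else print "expires-in-" left
      exit
    }
  '
}

# One line per account ("user status"): shadow_report SHADOW_CONTENT TODAY
shadow_report() {
  printf '%s\n' "$1" | cut -d: -f1 | while read -r user; do
    printf '%s %s\n' "$user" "$(shadow_status "$1" "$user" "$2")"
  done
}

# On a live system (as root, since /etc/shadow is not world-readable):
#   shadow_report "$(cat /etc/shadow)" "$(today_days)"
```

Running the report with a fixed "today" value makes the output reproducible; the guest entry with an empty password field is the case to look for first, since such an account can be used without any password at all.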

Creating Accounts

Now that you know where account information is stored, let's create an account using the useradd command. Adding accounts requires superuser privileges, so make sure you are using the root account or sudo. Here is the format of the useradd command.

useradd [options] username

The most commonly used options for the useradd command are:

-c "COMMENT" Comments for the account, such as the user's full name.

-m Use the -m option to create the user's home directory.

-s /shell/path The path to the user's shell.

In this example, an account is created for Grant Stewart. His username is grant and his shell is bash.

# useradd -c "Grant Stewart" -m -s /bin/bash grant

Next, let's assign the account a password. To do this, use the passwd command followed by the username. You'll be prompted to enter a password for the user and then confirm that password.

# passwd grant

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

Here is the entry for the account in the /etc/passwd file and /etc/shadow file.

# tail -1 /etc/passwd

grant:x:1000:1000:Grant Stewart:/home/grant:/bin/bash

# tail -1 /etc/shadow

grant:$6$iDDgPYtR$0D1s0AMkFkQ7NvQe8c2Uc.:16507:0:99999:7:::

Grant's UID is 1000, his GID is 1000, his home directory is /home/grant and his shell is /bin/bash.

Other options for the useradd command include the following:

-g GROUP Specify the default group for the account.

-G GROUP1,GROUPN Add the account to additional groups.

Let's create an account for Eddie Harris. His login will be eharris and his default group will be sales. We will also make him a member of the projectx group.

# useradd -c "Eddie Harris" -m -s /bin/bash -g sales -G projectx eharris

# passwd eharris

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

#
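The two account creations above follow the same pattern, so they are worth wrapping. The following is an added example rather than the book's own code: a shell function that first checks the username against the conventions given earlier in this chapter (lowercase letters and digits, starting with a letter, at most 32 characters, with a warning past 8), then assembles the useradd arguments exactly as the chapter uses them. By default it only shows what it would run; with --apply, and only when running as root, it executes useradd. Setting the password is left to a separate interactive passwd run, as in the chapter, so the password never appears on a command line.

```shell
# Username check following the chapter's conventions: lowercase letters and
# digits only, starting with a letter, at most 32 characters, warning past 8.
# Returns 0 when acceptable and 1 otherwise, printing the reason.
valid_username() {
  name=$1
  case "$name" in
    '')          echo "invalid: empty username"; return 1 ;;
    *[!a-z0-9]*) echo "invalid: only lowercase letters and digits are allowed"; return 1 ;;
    [!a-z]*)     echo "invalid: must start with a lowercase letter"; return 1 ;;
  esac
  if [ ${#name} -gt 32 ]; then echo "invalid: longer than 32 characters"; return 1; fi
  if [ ${#name} -gt 8 ]; then echo "warning: longer than 8 characters, ps will truncate or show the UID"; fi
  return 0
}

# provision [--apply] USER "COMMENT" [PRIMARY_GROUP] [GROUP1,GROUPN]
# Builds the argument list the chapter uses for a person's account: -c comment,
# -m so /etc/skel is copied into the new home, -s /bin/bash, plus -g and -G
# when a default group or supplementary groups are given. Without --apply it
# prints the arguments one per bracket instead of running anything.
provision() {
  apply=no
  if [ "$1" = "--apply" ]; then apply=yes; shift; fi
  name=$1 comment=$2 primary=$3 extra=$4
  valid_username "$name" || return 1
  # Build the argument list as separate words, so a comment containing spaces
  # or quotes is passed through intact rather than re-parsed by the shell.
  set -- -c "$comment" -m -s /bin/bash
  if [ -n "$primary" ]; then set -- "$@" -g "$primary"; fi
  if [ -n "$extra" ]; then set -- "$@" -G "$extra"; fi
  if [ "$apply" = yes ]; then
    if [ "$(id -u)" -ne 0 ]; then echo "refusing: --apply requires root" >&2; return 1; fi
    useradd "$@" "$name" && echo "created $name; now run: passwd $name"
  else
    printf 'dry-run: useradd'; printf ' [%s]' "$@" "$name"; printf '\n'
  fi
}

# Dry runs for the two accounts created in this section:
provision grant "Grant Stewart"
provision eharris "Eddie Harris" sales projectx
```

The argument list is built with set -- rather than by concatenating a string and passing it to eval, which is the usual source of surprises (and worse) when a comment field contains quotes or shell metacharacters. Note that useradd itself applies its own, somewhat looser, name rules; this check enforces the chapter's conventions before useradd ever sees the name.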

Creating System or Application Accounts

Not every account on a Linux system is meant to be used by a person. Some accounts exist to run applications or perform system functions. Some common examples of this include accounts that run web server processes, database processes, or application processes.

Let's create an account that will be used to run the Apache web server process.

# useradd -c "Apache Web Server User" -d /opt/apache -r -s /usr/sbin/nologin apache

# tail -1 /etc/passwd

apache:x:999:999:Apache Web Server User:/opt/apache:/usr/sbin/nologin

#

You'll notice that the shell was set to /usr/sbin/nologin. This is because we don't want someone to be able to log into the system using the account. We also use the -r option, which instructs useradd to create a system account. Effectively, this means the account will receive a UID in the system account range as defined in /etc/login.defs. In this instance the user received UID 999.

The home directory was specified using the -d option. By default, the home directory for a new account is created in the /home directory and named after the user account, so the apache account's home directory would have been /home/apache. However, since this account will be used by an application, we set the home directory to the directory where the application is installed.

Notice that the -m option was not used in this instance. When using the -m option the contents of the skeleton directory, /etc/skel by default, are copied into the user's home directory. The contents of /etc/skel usually include shell configuration files which are not needed for application accounts.

Here are the new options we used to create this account.

-r Create a system account.

-d /path/to/home Use -d to specify a home directory.

It's a common practice to use the same UID for an account across multiple systems. This makes syncing or sharing data easier, as Linux uses UIDs to determine a file's ownership. The account name is really for the sake of us humans. Let's use the -u option to specify a UID when creating an account.

# useradd -c "MySQL Server" -d /opt/mysql -u 97 -s /usr/sbin/nologin mysql

# tail -1 /etc/passwd

mysql:x:97:1003:MySQL Server:/opt/mysql:/usr/sbin/nologin

#

-u UID Specify the numeric UID for the user.
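Two points from this section lend themselves to a check: the system account range comes from /etc/login.defs, and application accounts should carry the same UID on every system that shares their files. The following is an added example, not the book's code. It reads the UID_MIN, UID_MAX, SYS_UID_MIN and SYS_UID_MAX settings (real login.defs keys; the values below are constructed and may differ from your distribution's) to classify a UID, and compares two passwd snapshots to list accounts whose UIDs disagree between hosts.

```shell
# Constructed excerpt of /etc/login.defs. The keys are the real ones; the
# values are typical defaults and should be checked against your own file.
SAMPLE_LOGIN_DEFS='# Blank lines and comments are ignored.
UID_MIN        1000
UID_MAX       60000
SYS_UID_MIN     100
SYS_UID_MAX     999'

# Two constructed /etc/passwd snapshots taken from two different hosts.
PASSWD_HOST_A='root:x:0:0:root:/root:/bin/bash
mysql:x:97:97:MySQL Server:/opt/mysql:/usr/sbin/nologin
apache:x:999:999:Apache Web Server User:/opt/apache:/usr/sbin/nologin
eharris:x:1001:1001:Eddie Harris:/home/eharris:/bin/bash'
PASSWD_HOST_B='root:x:0:0:root:/root:/bin/bash
mysql:x:97:97:MySQL Server:/opt/mysql:/usr/sbin/nologin
apache:x:998:998:Apache Web Server User:/opt/apache:/usr/sbin/nologin
eharris:x:1002:1002:Eddie Harris:/home/eharris:/bin/bash'

# Read one setting from login.defs content: login_def CONTENT KEY
login_def() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Classify a UID against the configured ranges: uid_class LOGIN_DEFS_CONTENT UID
# Prints root, system, regular, or other (outside both ranges, such as the
# low UIDs a distribution reserves for itself, or a UID chosen with -u).
uid_class() {
  defs=$1 uid=$2
  if [ "$uid" -eq 0 ]; then
    echo root
  elif [ "$uid" -ge "$(login_def "$defs" SYS_UID_MIN)" ] &&
       [ "$uid" -le "$(login_def "$defs" SYS_UID_MAX)" ]; then
    echo system
  elif [ "$uid" -ge "$(login_def "$defs" UID_MIN)" ] &&
       [ "$uid" -le "$(login_def "$defs" UID_MAX)" ]; then
    echo regular
  else
    echo other
  fi
}

# Usernames present in both snapshots whose UIDs differ: uid_mismatches A B
# Files owned by such an account on shared or copied storage show up as a
# different owner on the other host.
uid_mismatches() {
  { printf '%s\n' "$1" | awk -F: '{ print "A", $1, $3 }'
    printf '%s\n' "$2" | awk -F: '{ print "B", $1, $3 }'; } |
  awk '$1 == "A" { a[$2] = $3; next }
       ($2 in a) && a[$2] != $3 { print $2 ": " a[$2] " vs " $3 }'
}

# On live systems: uid_mismatches "$(cat /etc/passwd)" "$(ssh hostb cat /etc/passwd)"
```

In the constructed snapshots the mysql account was created with -u 97 on both hosts and so agrees, while apache and eharris were left to useradd's automatic assignment and drifted apart; that drift is exactly what pinning the UID avoids.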

Deleting Accounts

To delete an account, use the userdel command followed by the username. If you want to delete the account's home directory, use the -r option. It also removes the user's mail spool if it exists.

In this example, we'll delete the eharris account, but leave his home directory intact since there are some files in there we want to use later. We'll also delete the grant account and remove his home directory.

# ls /home

eharris grant

# userdel eharris

# ls /home

eharris grant

# userdel -r grant

# ls /home

eharris

#

Updating Accounts

To update, or modify, an existing account, use the usermod command. Here are the most commonly used options to the usermod command. For a full listing of all the options available see man usermod or usermod --help.

usermod [options] username

-c "COMMENT" Update the comment field.

-g GROUP Change the primary group.

-G GROUP1,GROUPN Change the additional groups the account belongs to.

-s /path/to/shell Change the account's shell.

In this example, we update the comment associated with the mysql account.

# grep mysql /etc/passwd

mysql:x:97:1003:MySQL Server:/opt/mysql:/usr/sbin/nologin

# usermod -c "MySQL User" mysql

# grep mysql /etc/passwd

mysql:x:97:1003:MySQL User:/opt/mysql:/usr/sbin/nologin

#

Groups

Group details are stored in the /etc/group file.

The first entry in the /etc/group file is the root group.

root:x:0:

Here is another sample entry from /etc/group.

sales:x:1001:john,mary

The format of the /etc/group file is as follows.

group_name:password:GID:account1,accountN

Each field is separated by a colon. The group name is the human readable name that you will see when group information is displayed by commands such as ls.

The password is used for privileged groups, but that functionality is rarely used. When there is an x in this field it means that shadow group passwords are being used. That information is stored in the /etc/gshadow file.

The GID is the group ID. It is simply a unique number which represents the group.

The remaining field lists the members of the group separated by commas.

You might have noticed that the root group did not contain a list of members. Remember that the /etc/passwd file specifies an account's default group. In the case of the root user, the default GID is 0. When an account’s default GID is listed in the /etc/passwd file, that account is in that group even if it is not listed in the members field in the /etc/group file.

# grep root /etc/passwd

root:x:0:0:root:/root:/bin/bash

# grep root /etc/group

root:x:0:

To display the groups that a member belongs to, pass the username to the groups command. If you execute the groups command without supplying a username, your group memberships will be listed.

groups [options] [username]

Let's confirm that the root user is in fact in the root group.

# groups root

root
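The point just made, that an account belongs to its default group even when the members field in /etc/group does not list it, is easy to get wrong when auditing memberships by reading /etc/group alone. The following is an added example, not the book's code: it resolves the default group from the passwd entry's GID, adds the groups that list the user as a member, and reproduces the group list that the groups command prints. It also flags accounts whose default GID has no entry in the group file, which is why ls sometimes shows a bare number instead of a group name. The passwd and group content is constructed inline.

```shell
# Constructed /etc/passwd and /etc/group content (not from a real system).
# eharris has sales (GID 1001) as default group without being in its member list;
# svc has default GID 1050, which no group entry defines.
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:John:/home/john:/bin/bash
mary:x:1001:1001:Mary:/home/mary:/bin/bash
eharris:x:1002:1001:Eddie Harris:/home/eharris:/bin/bash
svc:x:1003:1050:Service account:/opt/svc:/usr/sbin/nologin'
GROUP_DB='root:x:0:
john:x:1000:
sales:x:1001:john,mary
projectx:x:1002:eharris'

# Name of the account's default group, resolved from the GID in its passwd
# entry: primary_group PASSWD_CONTENT GROUP_CONTENT USER
primary_group() {
  gid=$(printf '%s\n' "$1" | awk -F: -v u="$3" '$1 == u { print $4; exit }')
  printf '%s\n' "$2" | awk -F: -v g="$gid" 'g != "" && $3 == g { print $1; exit }'
}

# Groups whose members field lists USER: supplementary_groups GROUP_CONTENT USER
supplementary_groups() {
  printf '%s\n' "$1" | awk -F: -v u="$2" '
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# The list that `groups USER` prints after the username: default group first,
# then the supplementary groups: effective_groups PASSWD_CONTENT GROUP_CONTENT USER
effective_groups() {
  p=$(primary_group "$1" "$2" "$3")
  [ -n "$p" ] || return 1
  s=$(supplementary_groups "$2" "$3" | awk -v p="$p" '$0 != p' | tr '\n' ' ')
  printf '%s %s\n' "$p" "$s" | sed 's/ *$//'
}

# Accounts whose default GID has no group entry: orphan_gids PASSWD_CONTENT GROUP_CONTENT
orphan_gids() {
  { printf '%s\n' "$2" | awk -F: '{ print "G", $3 }'
    printf '%s\n' "$1" | awk -F: '{ print "P", $1, $4 }'; } |
  awk '$1 == "G" { g[$2] = 1; next } !($3 in g) { print $2 ": GID " $3 }'
}

# On a live system: effective_groups "$(cat /etc/passwd)" "$(cat /etc/group)" root
```

For root the result is just "root", matching the groups output above even though the root group entry has an empty members field; for mary, who is both listed in sales and has it as her default, the group appears once.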

Creating Groups

To create a group, use the groupadd command.

groupadd [options] group

-g GID Assign the numerical value for the group ID.

The most commonly used option for the groupadd command is -g, which allows you to specify the GID. Let's create two groups. For the first group, we'll let the groupadd command automatically select the GID. For the second group, we'll specify the GID.

# groupadd web

# tail -1 /etc/group

web:x:1003:

# groupadd -g 2500 db

# tail -1 /etc/group

db:x:2500:

#

Deleting Groups

To delete a group, simply pass the group name to the groupdel command.

groupdel group

Let's delete the db group.

# groupdel db

#

Updating Groups

To change the properties of an existing group, use the groupmod command.

groupmod [options] group

-g GID Change the group ID to GID.

-n GROUP Change the name of the group to GROUP.

In this example, we'll change the GID of the web group from 1003 to 1234. Next we'll change the name from web to http.

# grep web /etc/group

web:x:1003:

# groupmod -g 1234 web

# grep web /etc/group

web:x:1234:

# groupmod -n http web

# grep http /etc/group

http:x:1234:

Putting Groups and Users Together

In the following example, we are going to create a writers group, a tv group, and a movie group. Next we are going to create some user accounts. All of these user accounts will belong to the writers group, but only some of them will belong to the tv group, while the others will belong to the movie group.

# groupadd writers

# groupadd tv

# groupadd movie

# useradd -c "Carlton Cuse" -g writers -G tv -m -s /bin/bash ccuse

# passwd ccuse

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

# groups ccuse

ccuse : writers tv

# useradd -c "David Fury" -g writers -G tv -m -s /bin/bash dfury

# passwd dfury

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

# groups dfury

dfury : writers tv

# useradd -c "Matt Damon" -g writers -G movie -m -s /bin/bash mdamon

# passwd mdamon

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

# groups mdamon

mdamon : writers movie

# useradd -c "Ben Affleck" -g writers -G movie -m -s /bin/bash baffleck

# passwd baffleck

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

# groups baffleck

baffleck : writers movie

# tail -3 /etc/group

writers:x:1235:

tv:x:1236:ccuse,dfury

movie:x:1237:mdamon,baffleck

# grep 1235 /etc/passwd

ccuse:x:1000:1235:Carlton Cuse:/home/ccuse:/bin/bash

dfury:x:1001:1235:David Fury:/home/dfury:/bin/bash

mdamon:x:1002:1235:Matt Damon:/home/mdamon:/bin/bash

baffleck:x:1003:1235:Ben Affleck:/home/baffleck:/bin/bash

#

Summary

Account information is stored in the /etc/passwd and /etc/shadow files. In addition to a username, each account consists of a unique number called the UID, a default group, a comment, a home directory location, and a login shell.

Accounts can be created with the useradd command. To delete an account, use the userdel command. To modify an account, use the usermod command.

Group information is stored in the /etc/group file. To create a group, use the groupadd command. You can delete groups by using the groupdel command. To update an existing group use the groupmod command. To list group memberships for an account, use the groups command.

Quiz

1. Which file stores account information?

1. /etc/accounts

2. /etc/passwordfile

3. /etc/password

4. /etc/passwd

2. The /etc/shadow file stores encrypted passwords.

1. True

2. False

3. What UID is always assigned to the root account?

1. 0

2. 1

3. 100

4. 1000

4. What command displays the group memberships for a user?

1. groupshow

2. lsgroups

3. listgroups

4. groups

5. What file stores group information?

1. /etc/groups

2. /etc/group

3. /etc/memberships

6. The sudo command allows users to run processes as other users, most typically the root user.

1. True

2. False

7. Which command is used to set or change passwords for Linux accounts?

1. password

2. pwd

3. passwd

4. pswd

Quiz Answers

1. D

2. A

3. A

4. D

5. B

6. A

7. C