USER ADMINISTRATION

In Linux/Unix, a user is one who uses the system. There can be one or more users on a Linux system at a time. Users on a system are identified by a username and a user ID. The username is what users normally refer to, but the operating system refers to the account by its user ID (or UID). The username is typically a user-friendly string, such as your name, whereas the user ID is a number. The words username and userid are often (incorrectly) used interchangeably. User ID numbers should be unique (one number per user). If two usernames had the same user ID, their permissions would effectively be the same and the files they create would appear to have been created by the same user. This should not be allowed and the useradd command will not allow usernames to share the same userid.

Some Important Points related to Users:

  • Users and groups are used to control access to files and resources
  • Users login to the system by supplying their username and password
  • Every file on the system is owned by a user and associated with a group
  • Every process has an owner and group affiliation, and can only access the resources its owner or group can access.
  • Every user of the system is assigned a unique user ID number (the UID)
  • The user’s name and UID are stored in /etc/passwd
  • The user’s password is stored in /etc/shadow in encrypted form
  • Users are assigned a home directory and a program that is run when they login (Usually a shell)
  • Users cannot read, write or execute each other’s files without permission

Types of users In Linux and their attributes:

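TYPE        | EXAMPLE                  | USER ID (UID) | GROUP ID (GID) | HOME DIRECTORY  | SHELL
------------+--------------------------+---------------+----------------+-----------------+--------------
Super User  | Root                     | 0             | 0              | /root           | /bin/bash
System User | ftp, ssh, apache, nobody | 1 to 499      | 1 to 499       | /var/ftp, etc   | /sbin/nologin
Normal User | Visitor, user, etc       | 500 to 60000  | 500 to 60000   | /home/user name | /bin/bash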

In Linux there are three types of users.

 

1.  Super user or root user

Super user or the root user is the most powerful user. He is the administrator user.

2.  System user

System users are the users created by software or applications. For example, if we install Apache, it will create a user named apache. These kinds of users are known as system users.

3.  Normal user

Normal users are the users created by root user. They are normal users like Rahul, Musab etc. Only the root user has the permission to create or remove a user.

Whenever a user is created in Linux, the following are created by default:

  • A home directory is created (/home/username)
  • A mail box is created (/var/spool/mail)
  • A unique UID and GID are given to the user

Linux uses UPG (User Private Group) scheme

  • It means that whenever a user is created, it has its own private group
  • For example, if a user is created with the name Rahul, then the primary group for that user will also be named Rahul

There are two important files a user administrator should be aware of.

  1. “/etc/passwd”
  2. “/etc/shadow”

Each of the above-mentioned files has a specific format.

1. /etc/passwd
[root@localhost ~]# head /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin

The above fields are

  • root = name
  • x = link to password file, i.e. /etc/shadow
  • 0 or 1 = UID (user id)
  • 0 or 1 = GID (group id)
  • root or bin = comment (brief information about the user)
  • /root or /bin = home directory of the user
  • /bin/bash or /sbin/nologin = shell
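
An added example (not from the original page) that applies the field layout above: it audits passwd-format lines for names sharing a UID, extra UID 0 accounts, and system accounts that have a login shell. The sample data is constructed from this page's listings; the toor and backup2 entries and the 1000 UID threshold are assumptions.

```sh
# Constructed sample in /etc/passwd layout (modelled on the listings on this
# page). "toor" and "backup2" are hypothetical entries added to trigger findings.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
lb:x:1000:1000:lb:/home/lb:/bin/bash
lbuser:x:1001:1001::/home/lbuser:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash'

# audit_passwd reads passwd-format lines on stdin and prints one finding per line.
# $1 is the first UID treated as a normal user (assumed default: 1000).
# Fields: name:x:UID:GID:comment:home:shell
audit_passwd() {
  awk -F: -v min_uid="${1:-1000}" '
    NF != 7 { print "MALFORMED line " NR; next }
    {
      name = $1; uid = $3 + 0; shell = $7
      # Any UID 0 account other than root has full administrator rights.
      if (uid == 0 && name != "root") print "UID0 " name
      # Two names on one UID share permissions and file ownership.
      if (uid in owner) print "DUPLICATE_UID " uid " " owner[uid] " " name
      else owner[uid] = name
      # System accounts (UID below min_uid) normally get /sbin/nologin.
      if (uid > 0 && uid < min_uid + 0 && shell !~ /(nologin|false)$/)
        print "SYSTEM_LOGIN_SHELL " name " " shell
    }'
}

# Run the audit over the constructed sample.
audit_passwd_sample() { printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd 1000; }

audit_passwd_sample
```

On a real system the same function can be fed with `audit_passwd < /etc/passwd`.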

2. /etc/shadow

[root@localhost ~]# head /etc/shadow
root:$6$TvkNilAQPp2FarCx$nD42BBQSVPU7ZFyETkZ3jgSZhwjVDB1GZkgzQ9TO07TXMhFXbE5Wg7x

The fields are as follows,

  1. root = User name
  2. :$1fdsfsgsdfsdkffefje = Encrypted password
  3. 14757 = Days since that password was last
  4. 0 = Days after which password must be
  5. 99999 = Days before password is to expire that user is
  6. 7 = Days after the password is expires that the user is
  7. A reserved

Password Complexity Requirements:
  • A root user can change password of self and of any user in the system, there are no rules for root to assign a password. Root can assign any length of password either long or short, it can be alphabet or numeric or both. On the whole there is no limitation for root for assigning a
  • A normal user can change only their own password. A valid password for a normal user should adhere to the following rules:
  • It should be at least 7 characters but not more than 255
  • At least one character should be Upper case
  • At least one character should be Lower case
  • At least one character should be a symbol, and one character should be a number.
  • It should not match the previous
  • It cannot have a sequence (ex: 123456 or abcdef )
  • The login name and the password cannot be the same.

Creating a user

  • The syntax for creating a user in Linux is
  • #   useradd <option> <username>
  • options are
  • -u user id
  • -G Secondary group id
  • -g primary group id
  • -d home directory
  • -c comment
  • -s shell

Let’s create a user with default attributes:
  • When no option is used with the useradd command, attributes like UID, GID, home dir and shell are assigned default values.
  • # useradd <username>
  • # useradd lbuser
[root@localhost ~]# useradd lbuser
[root@localhost ~]# tail /etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:383:383:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
lb:x:1000:1000:lb:/home/lb:/bin/bash
lbuser:x:1001:1001::/home/lbuser:/bin/bash
Observe that the uid, gid, home dir, and shell are assigned automatically.

Let’s create a user with our own attributes
  • Create a user with following attributes
  • Name = lbuser2
  • uid=1002
  • home dir = /home/basics
  • comment = salesman
  • # useradd lbuser2 -u 1002 -g 1002 -d /home/basics -c salesman
[root@localhost ~]# useradd lbuser2 -u 1002 -g 1002 -d /home/basics -c salesman
[root@localhost ~]# tail /etc/passwd
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:383:383:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
lb:x:1000:1000:lb:/home/lb:/bin/bash
lbuser:x:1001:1001::/home/lbuser:/bin/bash
lbuser2:x:1002:1002:salesman:/home/basics:/bin/bash

Assigning password to the user:

  • As a root user, we can assign any password to any user
  • The syntax for assigning a password is
  • # passwd assigns a password to the current user (the one you are logged in as; if it is root, then root’s password will be changed)
  • # passwd <user name> assigns a password to a specific user; only root can assign a password to other users.
[root@localhost ~]# passwd lbuser 
Changing password for user lbuser.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost ~]# 

Modifying the user’s attribute:

  • After creating a user, attributes such as the uid, the secondary group id, or the comment can be modified, and the account can be locked or unlocked, with the following command.
  • Syntax: # usermod <options> <username>
  • options are:
  • all the options which are used with useradd command can be used and also the following,
  •   -l   to change the login name
  •   -L   to LOCK account
  •   -U   to UNLOCK account
  • ex. # usermod -l newname oldname (changing the name of the user)
  • ex. # usermod -L newname (to lock the user account)
  • ex. # usermod -U newname (to unlock the user account)
  • Note: when an account is locked it will show a ! (exclamation mark) in the /etc/shadow file.

Locking and unlocking a user account:

  • To lock a user a/c use the following
  • # usermod -L <username>
  • # usermod -L lbuser
  • Verify it in the /etc/shadow file, which shows an exclamation mark before the user's encrypted password, or try to log in as lbuser
[root@localhost ~]# usermod -L lbuser 
[root@localhost ~]# tail /etc/shadow
sshd:!!:18345::::::
avahi:!!:18345::::::
postgres:!!:18345::::::
postfix:!!:18345::::::
dovecot:!!:18345::::::
dovenull:!!:18345::::::
oprofile:!!:18345::::::
tcpdump:!!:18345::::::
lb:$6$n7b3T8qAVY2CZtbd$B85MZd.tKecRWcvIg63IH01LTD8644oXVYH9VwgXZdelDArNpa4CRekjfl3dSc0mGBHCNjZeXBhdsWAgqKt5Q0::0:99999:7:::
lbuser:!$6$LnOf5ywg$w49AbyUN409azDPIMzAdtWqHZnZM3G7gKTshPxlH9osLAILTjkdE97t0fEl2oeHF9RKGWCwED.VHdPG4tSsVT0:18461:0:99999:7:::
[root@localhost ~]# 
 

Unlocking a user account:

  • To unlock a user a/c use the following
  • # usermod -U <username>
  • # usermod -U lbuser
  • Verify it in the /etc/shadow file, where the exclamation mark before the user's encrypted password is gone, or try to log in as lbuser
[root@localhost ~]# usermod -U lbuser 
[root@localhost ~]# tail /etc/shadow
sshd:!!:18345::::::
avahi:!!:18345::::::
postgres:!!:18345::::::
postfix:!!:18345::::::
dovecot:!!:18345::::::
dovenull:!!:18345::::::
oprofile:!!:18345::::::
tcpdump:!!:18345::::::
lb:$6$n7b3T8qAVY2CZtbd$B85MZd.tKecRWcvIg63IH01LTD8644oXVYH9VwgXZdelDArNpa4CRekjfl3dSc0mGBHCNjZeXBhdsWAgqKt5Q0::0:99999:7:::
lbuser:$6$LnOf5ywg$w49AbyUN409azDPIMzAdtWqHZnZM3G7gKTshPxlH9osLAILTjkdE97t0fEl2oeHF9RKGWCwED.VHdPG4tSsVT0:18461:0:99999:7:::
[root@localhost ~]# 
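
An added example, not part of the original page, that reads the second field of shadow-format lines to tell a locked account (the ! prefix written by usermod -L) from one with no password set or with an empty password. The sample lines are constructed, HASH_PLACEHOLDER stands in for a real hash, and the svc and guest entries are hypothetical.

```sh
# Constructed sample in /etc/shadow layout; HASH_PLACEHOLDER replaces a real
# hash, and the "svc" and "guest" entries are hypothetical.
SAMPLE_SHADOW='root:$6$HASH_PLACEHOLDER:18461:0:99999:7:::
sshd:!!:18345::::::
svc:*:18345::::::
lbuser:!$6$HASH_PLACEHOLDER:18461:0:99999:7:::
guest::18461:0:99999:7:::'

# shadow_status prints "<user> <state>" for each shadow-format line on stdin.
# Only field 2 (the password field) is inspected.
shadow_status() {
  awk -F: '
    {
      pw = $2
      if (pw == "")
        state = "EMPTY_PASSWORD"      # no password is required to log in
      else if (pw == "!!" || pw == "!" || pw == "*")
        state = "NO_PASSWORD_SET"     # not a valid hash, nothing to unlock
      else if (substr(pw, 1, 1) == "!")
        state = "LOCKED"              # existing hash disabled by a ! prefix
      else
        state = "ACTIVE"
      print $1, state
    }'
}

# locked_users lists only accounts whose existing hash was disabled by a lock.
locked_users() { shadow_status | awk '$2 == "LOCKED" { print $1 }'; }

# Run both helpers over the constructed sample.
shadow_sample_report() { printf '%s\n' "$SAMPLE_SHADOW" | shadow_status; }
shadow_sample_locked() { printf '%s\n' "$SAMPLE_SHADOW" | locked_users; }

shadow_sample_report
```

usermod -L only disables the password; other login methods such as SSH keys are not affected by the ! prefix.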
