Linux Users and Groups
Sources:
- A complete guide to Manage Users and Groups on Linux!
- 蔡德明 (Cai Deming). Chapter 14: Linux Account Management and Permission Configuration. 鸟哥的Linux私房菜 (Vbird's Linux Private Kitchen).
Linux Users
- A Linux user is an account (an entity) that provides interactive access to the system and allows its holder to create or modify files and to perform various other operations.
Types of Linux users
Two types of user accounts exist on a typical Linux operating system (system accounts and regular accounts), plus the special case of the administrator.

- Administrator: any user with `UID=0` is an administrator. By default, only the `root` account is an administrator. You can make other accounts administrators just by setting `UID=0`, but this is strongly discouraged: every UID 0 account has full root privileges, whatever its name.
- System user account (aka privileged account): created by the operating system during installation and used for operating-system-defined purposes. UID: `100-999`. We can see some system accounts in `/etc/passwd`:

```
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
```

Their UIDs are in `1-99`, which is unusual; this is due to backward compatibility. Normally, system accounts are in `100-999`.
- Regular user account: UID `1000-60000`.
To make the IDs assigned to new users start at a range of your choice, e.g. 5000, change the `UID_MIN` and `GID_MIN` directives in the `/etc/login.defs` file:

```
# /etc/login.defs
# ...
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# ...
```
System user
System user accounts have IDs from 100 to 999.

```
grep -i SYS_UID_MIN /etc/login.defs
```

Regular user
Regular user accounts have IDs from 1000 onwards.

```
grep -i UID_MIN /etc/login.defs | grep -v -E '^#'
```
How users and groups database is maintained
On a Linux operating system there are primarily four files under the `/etc` directory which hold the records about users and groups:

- `/etc/passwd` -> basic information about users.
- `/etc/shadow` -> the users' hashed ("encrypted") passwords and password-aging data.
- `/etc/group` -> basic information about groups and which users belong to them.
- `/etc/gshadow` -> hashed group passwords.

The password (`/etc/passwd`) and group (`/etc/group`) files are world-readable plain text and therefore contain no password information; the other two files hold the password hashes and are readable only by root.
The format of the group files (`/etc/group` and `/etc/gshadow`) is quite similar to that of the user files (`/etc/passwd` and `/etc/shadow`).
/etc/passwd
Source: Understanding the /etc/passwd File
View this file:

```
cat /etc/passwd
```

A typical entry:

```
mark:x:1001:1001:mark,,,:/home/mark:/bin/bash
```

The syntax is:

```
username:password:UID:GID:name:home directory:shell
```

Explanation:
- Username. The username given at the time of creation.
- Password. Usually we'll see an `x` character there. It means the hashed password is stored in `/etc/shadow` rather than in this world-readable file.
- UID. The user identifier is a number assigned to each user. It is used by the operating system to refer to a user.
- GID. The user's group identifier number, referring to the user's primary group. When a user creates a file, the file's group is set to this group. Typically, the name of the group is the same as the name of the user. The user's secondary groups are listed in the `/etc/group` file.
- GECOS, or the full name of the user. It's optional and not important; you can write anything in it.
- Home directory. The user's home directory.
- Login shell. The user's default shell. Note: `/sbin/nologin` or `/bin/false` indicates that logging in is disabled for the user. To view the valid login shells, run the following command:

```
cat /etc/shells
```
/etc/shadow
Source: Understanding the /etc/shadow File
View this file:

```
sudo cat /etc/shadow
```

Output:

```
mark:$6$.n.:17736:0:99999:7:::
```

Explanation:
- Username. The string you type when you log into the system; the user account that exists on the system.
- Encrypted password. The password field uses the `$type$salt$hashed` format. `$type` is the cryptographic hash method and can have the following values:
  - `$1$` – MD5
  - `$2a$` – Blowfish
  - `$2y$` – Eksblowfish
  - `$5$` – SHA-256
  - `$6$` – SHA-512

  If the password field contains an asterisk (`*`) or exclamation point (`!`), the user will not be able to log in to the system using password authentication. Other login methods like key-based authentication or switching to the user with `su` are still allowed. In older Linux systems, the user's encrypted password was stored in the `/etc/passwd` file.
- Last password change. The date when the password was last changed, counted in days since January 1, 1970 (the epoch date).
- Minimum password age. The number of days that must pass before the user can change the password again. Typically it is set to zero, which means that there is no minimum password age.
- Maximum password age. The number of days after which the password must be changed. By default, this number is set to `99999`.
- Warning period. The number of days before the password expires during which the user is warned that the password must be changed.
- Inactivity period. The number of days after the password expires before the user account is disabled. Typically this field is empty.
- Expiration date. The date on which the account is disabled, represented in days since the epoch.
- Unused. This field is ignored. It is reserved for future use.

Example Entry
Let's take a look at the following example:

```
linuxize:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::
```

The entry above contains the following information about the user "linuxize":
- The password is hashed with SHA-512 (the hash is truncated for better readability).
- The password was last changed on April 23, 2019 (day `18009` since the epoch).
- There is no minimum password age.
- The password must be changed at least every 120 days.
- The user will receive a warning message seven days before the password expiration date.
- If the user doesn't attempt to log in to the system within 14 days after the password has expired, the account will be disabled.
- There is no account expiration date.
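The field layouts of `/etc/passwd` and `/etc/shadow` described above are enough to write a small audit of the two files. The script below is an added example, not code from the original page or its sources: it checks for extra UID 0 accounts, empty password fields, locked accounts, MD5 (`$1$`) hashes, and computes the password-expiry date from the last-change and max-age fields. It runs against two constructed sample files written by `make_samples` (names and truncated hashes are invented); pointing the functions at the real `/etc/passwd` and `/etc/shadow` (as root) audits a live host. `days_to_date` assumes GNU `date`, which accepts `-d @<seconds>`.

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd/shadow records
# using the field positions described in the text.
set -eu

# Write constructed sample records (not from any real system; hashes truncated).
make_samples() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mark:x:1001:1001:mark,,,:/home/mark:/bin/bash
rogue:x:0:1002:oops:/home/rogue:/bin/bash
EOF
  cat > "$2" <<'EOF'
root:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:99999:7:::
daemon:*:17736:0:99999:7:::
mark:$1$saltsalt$truncated:18009:0:120:7:14::
rogue::18009:0:99999:7:::
EOF
}

# Field 3 of passwd is the UID: any UID 0 account other than root has full
# root privileges and must be justified.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Field 2 of shadow is the hash; an empty field means no password at all.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# A "*" or "!" prefix means password login is disabled (locked).
locked_accounts() {
  awk -F: '$2 ~ /^[*!]/ { print $1 }' "$1"
}

# $1$ marks an MD5 hash, the weakest method in the table above.
weak_hash_accounts() {
  awk -F: '$2 ~ /^\$1\$/ { print $1 }' "$1"
}

# Shadow stores dates as days since 1970-01-01 (GNU date assumed).
days_to_date() {
  date -u -d "@$(( $1 * 86400 ))" +%F
}

# Field 3 + field 5 (last change + max age) is the day the password must be
# changed; 99999 (the default) means effectively never. Usage:
#   password_expiry_date /etc/shadow mark
password_expiry_date() {
  days=$(awk -F: -v u="$2" \
    '$1 == u { if ($5 == "" || $5 >= 99999) print "never"; else print $3 + $5 }' "$1")
  case "$days" in
    ""|never) echo never ;;
    *) days_to_date "$days" ;;
  esac
}
```

Each function prints one account name per line, so the output can be piped straight into a ticketing or alerting step; on the sample data `uid0_accounts` reports `rogue`, `weak_hash_accounts` reports `mark`, and `password_expiry_date` for `mark` gives 2019-08-21 (18009 + 120 days).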
id and groups commands
Another way to check the group information of a Linux user is with the `id` and `groups` commands.

```
id sample
```
User Management
TL;DR: On your existing user account, run

```
sudo adduser lyk
```
Create a Linux User
Method 1: Using the adduser command (recommended)
`adduser` is a Perl script which uses the `useradd` binary (native to Linux) in the back end. It's more interactive and user-friendly than its back end, `useradd`.

```
sudo adduser <username>
```

Method 2: Using the useradd command:

```
sudo useradd <username>
```

Method 3: By directly modifying the /etc/passwd file:
Not a recommended way, but one can create a Linux user by directly modifying the `/etc/passwd` file and making an entry for the new user. In such cases you need to create the group, home directory, etc. individually for that user.

```
tail -1 /etc/passwd
```
Grant sudo Permission to a Linux User
Give the new user `sudo` permission:

```
sudo usermod -a -G adm <username>
```

Which group actually confers `sudo` rights depends on the `%group` lines in the distribution's `/etc/sudoers` (commonly `sudo` or `wheel`); check that file before relying on `adm`.

Alternatively, you can edit `/etc/sudoers` to achieve it. The safe way is `visudo`, which locks the file and checks the syntax before saving (a syntax error in `/etc/sudoers` can lock everyone out of `sudo`). The manual steps are:

Add the write permission to `/etc/sudoers`:

```
chmod u+w /etc/sudoers
```

Edit `/etc/sudoers`, and below the line `root ALL=(ALL) ALL` add:

```
lyk ALL=(ALL) ALL
```

Finally, remove the write permission from `/etc/sudoers`:

```
chmod u-w /etc/sudoers
```
Switch user account

```
su - <username>
```

Assign/Change the password of a Linux user
Using the `passwd` command we can assign passwords to Linux users.

```
passwd <user>
```

Delete a Linux user
Using the `userdel` command you can delete a user from the Linux operating system (`-r` also removes the user's home directory and mail spool).

```
userdel -r <user>
```

Before this, you need to kill the `systemd` user processes of that user, if any.

Modifying an existing user's properties
The `usermod` command is used to modify an existing user's properties.

Update the comment part ->

```
usermod -c "This is Sample user" sample
```

Change the user's home directory ->

```
usermod -d /var/www/ sample
```

Lock and unlock the user account ->
Use the `-L` (lock) option with the `usermod` command to lock the user account, and the `-U` option to unlock it.
Once locked, the user can't log in using the password, and you will see a `!` added before the encrypted password in the `/etc/shadow` file, meaning the password is disabled.

```
usermod -L sample
```
Group Management
There are two types of groups in Linux.
- Primary group: when you create a user, a primary group with the same name as the user also gets created. A user must be a member of a primary group, and there can be only one primary group per user.
- Secondary group: always optional. If you have a requirement, create it and add the users to it. A user can be part of one or more secondary groups.

Create a Linux group
Use the `groupadd` command to create a Linux group.

```
groupadd secondgroup
```

Add users to a Linux group
We can add users to become part of any other groups. Use `-a` (append) together with `-G`; without it, `usermod -G` replaces the user's entire list of secondary groups with the ones given.

```
usermod -aG secondgroup sample
```

Change the name of a Linux group
Run the following command to change the name of a Linux group.

```
groupmod -n secondarygroup secondgroup
```

Change the GID of a Linux group
Run the following command to change the GID of a Linux group.

```
groupmod -g 1007 secondarygroup
```

The syntax is -> `groupmod -g newgid groupname`

Remove a user from a Linux group
Run the following command to remove a user from a Linux group.

```
gpasswd -d user1 lcousersecondary1
```

Delete or remove a Linux group
Run the following command to delete a Linux group.

```
groupdel secondarygroup
```
Example: Create a user
Here we will use multiple `useradd` command options to create the user.
Our requirement is as follows:
- Full name is `LearnCodeOnline`
- Username is `lcouser`
- Primary group is `lcouserprimary`
- Secondary groups are `lcousersecondary1` and `lcousersecondary2`
- Default shell is `/bin/tcsh`

Run the following commands to achieve this.

```
groupadd lcouserprimary
```
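The complete command sequence for the requirement above, as an added example that is not part of the original page: the three `groupadd` calls must come first because `useradd -g`/`-G` refuse groups that do not exist, and `id` at the end confirms the primary and secondary memberships. The `groupadd`/`useradd` flags are the standard shadow-utils options; the `run` wrapper and the `DRY_RUN` variable are this example's own addition so the commands can be previewed without root.

```shell
#!/bin/sh
# Added example (not from the original page): create lcouser as specified.
# Real execution needs root; with DRY_RUN=1 the commands are only echoed.
set -eu

# Hypothetical wrapper: echo the command under DRY_RUN=1, otherwise run it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Groups must exist before useradd references them.
create_lco_groups() {
  run groupadd lcouserprimary
  run groupadd lcousersecondary1
  run groupadd lcousersecondary2
}

# -c comment (GECOS), -g primary group, -G comma-separated secondary groups,
# -s login shell, -m create the home directory from /etc/skel.
create_lco_user() {
  run useradd -c "LearnCodeOnline" \
    -g lcouserprimary \
    -G lcousersecondary1,lcousersecondary2 \
    -s /bin/tcsh \
    -m lcouser
}

# id prints uid, primary gid and all supplementary groups for verification.
verify_lco_user() {
  run id lcouser
}

# Whole procedure: usage `DRY_RUN=1 create_lco_account` to preview,
# `sudo sh create_lcouser.sh` style execution as root to apply.
create_lco_account() {
  create_lco_groups
  create_lco_user
  verify_lco_user
}

if [ "${DRY_RUN:-0}" = "1" ]; then
  create_lco_account
fi
```

Running it with `DRY_RUN=1` prints five lines (three `groupadd`, one `useradd`, one `id`), which is a convenient way to review the exact `useradd` invocation before applying it.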