In this chapter you will learn how to manage users.
Objectives: In this chapter, future Linux administrators will learn how to:
add, delete or modify a group;
add, delete or modify a user;
understand the files associated with users and groups and learn how to manage them;
change the owner or the group owner of a file;
secure user accounts;
change identity.
Each user must have a group called the user's primary group.
Several users can be part of the same group.
Groups other than the primary group are called the user's supplementary groups.
Note
Each user has a primary group and can be invited into one or more supplementary groups.
Groups and users are managed by their unique numerical identifiers GID and UID.
UID: User IDentifier. Unique user ID.
GID: Group IDentifier. Unique group identifier.
The kernel recognizes both UID and GID (not names), so the Super Admin is not necessarily the user named root: whichever user has uid=0 is the Super Admin.
The files related to users/groups are:
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/etc/skel/
/etc/default/useradd
/etc/login.defs
Danger
You should always use the administration commands instead of manually editing the files.
Note
Some commands in this chapter require administrator rights.
By convention, commands that must be run with administrator rights are shown prefixed with sudo.
For the examples to work properly, please ensure your account has the right to use the sudo command.
The system chooses a GID if the one specified by the -g option already exists.
-r
Creates a system group with a GID between SYS_GID_MIN and SYS_GID_MAX. These two variables are defined in /etc/login.defs.
Group naming rules:
No accents or special characters;
Different from the name of an existing user or system files.
Note
Under Debian, except in scripts intended to be portable to all Linux distributions, the administrator should use the addgroup and delgroup commands, as the man page specifies:
$ man addgroup
DESCRIPTION
adduser and addgroup add users and groups to the system according to command line options and configuration information
in /etc/adduser.conf. They are friendlier front ends to the low-level tools like useradd, groupadd and usermod programs,
by default, choosing Debian policy conformant UID and GID values, creating a home directory with skeletal configuration,
running a custom script, and other features.
The groupdel command deletes an existing group on the system.
groupdel group
Example:
sudo groupdel GroupC
Tip
When deleting a group, two conditions can occur:
If the group is a user's primary group and you issue the groupdel command on it, the command reports that a specific user still has the group as primary group and refuses to delete it.
If the group is only a supplementary group for its users (and no user on the system has it as primary group), the groupdel command deletes it without any additional prompt.
When you delete a user using the userdel -r command, the corresponding primary group is also deleted. The primary group name is usually the same as the username.
Tip
Each group has a unique GID. Multiple users can use a group as a supplementary group. By convention, the GID of the super administrator is 0. The GIDs reserved for some services or processes are 201-999, called system groups or pseudo-user groups. The GID for users is usually greater than or equal to 1000. These are related to /etc/login.defs, which we will talk about later.
4: Users who have this group as a supplementary group (a user whose primary group it is does not appear here).
Warning
The name of the group in /etc/group and /etc/gshadow must correspond one by one. That is, each line in the /etc/group file must have a corresponding line in the /etc/gshadow file.
An ! in the password indicates it is locked.
Thus, no user can use the password to access the group (since group members do not need it).
GID of the primary group. The GID here can also be a group name.
-G GID1,[GID2]...
GID of the supplementary groups. The GID here can also be a group name. It is possible to specify many supplementary groups separated by commas.
-d directory
Creates the home directory.
-s shell
Specifies the user's shell.
-c COMMENT
Adds a comment.
-U
Creates a group with the same name as the user at the same time and adds the user to it. When the option is not specified, a group with the same name is created anyway when the user is created.
-M
Does not create the user's home directory.
-r
Creates a system account.
At creation, the account has no password and is locked.
The user must assign a password to unlock the account.
When invoking the useradd command without any options, the following default settings are set for the new user:
A home directory with the same name as the username is created;
A primary group with the same name as the username is created;
A default shell that points to /bin/bash is assigned to the user;
The user's UID and primary group GID values are automatically deduced. This is usually a unique value between 1000 and 60,000.
Note
The default settings and values are obtained from the following configuration files:
Lowercase letters, numbers, and underscores are allowed; other special characters such as asterisks, percent signs, and full-width symbols are not accepted.
Although you can use an uppercase user name in Rocky Linux, we do not recommend it;
Starting the name with a digit or an underscore is allowed but not recommended;
Different from the name of an existing group or system file;
The user name can contain up to 32 characters.
Warning
The administrator must create the parent directories of the home directory path; only the last directory is created by useradd.
The useradd command creates that last directory and takes the opportunity to copy the files from /etc/skel into it.
A user can belong to several groups besides their primary group.
Example:
sudo useradd -u 1000 -g GroupA -G GroupP,GroupC albert
Note
Under Debian, you will have to specify the -m option to force the creation of the login directory or set the CREATE_HOME variable in the /etc/login.defs file. In all cases, the administrator should use the adduser and deluser commands as specified in the man, except in scripts intended to be portable to all Linux distributions:
$ man useradd
DESCRIPTION
**useradd** is a low-level utility for adding users. On Debian, administrators should usually use **adduser(8)** instead.
Used together with the -d option. Moves the contents of the old home directory to the new one. If the old home directory does not exist, no new home directory is created; if the new home directory does not exist, it is created.
-l login
Modifies the login name. After you modify the login name, you also need to modify the name of the home directory to match it.
-e YYYY-MM-DD
Modifies the account expiration date.
-L
Locks the account permanently. That is, it adds an ! at the beginning of the /etc/shadow password field.
-U
Unlocks the account.
-a
Appends groups to the user's supplementary groups instead of replacing them; must be used together with the -G option.
-G
Modifies the user's supplementary groups and overwrites previous supplementary groups.
Tip
To be modified, a user must be disconnected and have no running processes.
After changing the UID, the files belonging to the user still carry the old numerical owner, which no longer matches any account, and must be reassigned to the new UID.
In the following example, 1000 is the old UID and 1044 is the new one:
sudo find / -uid 1000 -exec chown 1044: {} \;
Locking and unlocking of user accounts. Examples are as follows:
The userdel command lets you delete a user's account.
sudo userdel -r carine
Option
Description
-r
Deletes the user's home directory and mail files located in the /var/spool/mail/ directory
Tip
To be deleted, a user must be logged out and have no running processes.
The userdel command removes the corresponding lines in /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. As mentioned above, userdel -r will also delete the corresponding primary group of the user.
2: Encrypted (hashed) password, using the SHA512 algorithm defined by ENCRYPT_METHOD in /etc/login.defs.
3: Date of the last password change, as a timestamp in days: the number of days elapsed since January 1, 1970, increasing by 1 each day.
4: Minimum lifetime of the password, that is, the minimum interval in days between two password changes (counted from the third field). Defined by PASS_MIN_DAYS in /etc/login.defs; the default is 0, so a second change is not restricted. A value of 5 means the password cannot be changed again until 5 days have passed.
5: Maximum lifetime of the password. That is, the validity period of the password (related to the third field). Defined by the PASS_MAX_DAYS of /etc/login.defs.
6: The number of warning days before the password expires (related to the fifth field). The default is 7 days, defined by the PASS_WARN_AGE of /etc/login.defs.
7: Number of days of grace after password expiration (related to the fifth field).
8: Account expiration time, as a timestamp in days. Note that account expiration differs from password expiration: when the account has expired, the user is not allowed to log in at all; when only the password has expired, the user is not allowed to log in using that password.
9: Reserved for future use.
Danger
For each line in the /etc/passwd file there must be a corresponding line in the /etc/shadow file.
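The two correspondence rules (passwd/shadow here, group/gshadow in the earlier Warning) and the uid=0 remark from the start of the chapter can be checked mechanically. The following Python script is an added example, not part of the original page: the file contents are constructed samples, and the function names are my own.

```python
# Constructed sample content standing in for the four account files (not a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
albert:x:1000:1000::/home/albert:/bin/bash
carine:x:1001:1001::/home/carine:/bin/bash
backup:x:0:1002::/home/backup:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:17718:0:99999:7:::
albert:!!:17718:0:99999:7:::
carine:$6$constructed$hash:17718:0:99999:7:::
"""
GROUP = """\
root:x:0:
albert:x:1000:
carine:x:1001:
GroupA:x:1003:albert,carine
"""
GSHADOW = """\
root:::
albert:!::
carine:!::
"""

def records(text):
    """Split a colon-separated account file into field lists, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def audit(passwd=PASSWD, shadow=SHADOW, group=GROUP, gshadow=GSHADOW):
    """Return sorted findings; an empty list means the four files are consistent."""
    findings = []
    # Danger box: each /etc/passwd line needs one /etc/shadow line, and vice versa.
    for name in {r[0] for r in records(passwd)} ^ {r[0] for r in records(shadow)}:
        findings.append(f"passwd/shadow mismatch: {name}")
    # Warning box: /etc/group and /etc/gshadow must correspond one to one as well.
    for name in {r[0] for r in records(group)} ^ {r[0] for r in records(gshadow)}:
        findings.append(f"group/gshadow mismatch: {name}")
    gids = {r[2] for r in records(group)}
    for name, _, uid, gid, *_ in records(passwd):
        if gid not in gids:  # passwd field 4 must name a group present in /etc/group
            findings.append(f"{name}: primary GID {gid} has no /etc/group entry")
        if uid == "0" and name != "root":  # the kernel trusts uid=0, not the name
            findings.append(f"{name}: uid 0 but not named root")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit():  # on a live host, pass the real files' contents instead
        print(finding)
```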
For timestamp and date conversion, use the following commands:
# Convert a timestamp to a date; "17718" is the day count to convert.
$ date -d "1970-01-01 17718 days"
# Convert a date to a timestamp; "2018-07-06" is the date to convert.
# -u evaluates the date in UTC, so the result is 17718 regardless of the local timezone.
$ echo $(( $(date -u --date="2018-07-06" +%s) / 86400 ))
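As an added example (not part of the original page), the Python code below performs the same day-count conversion without depending on the local timezone, and decodes the aging fields of a constructed /etc/shadow line into the states a login would meet, in the order pam_unix checks them. The sample line and helper names are assumptions.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Constructed /etc/shadow line: last change 17718, min 0, max 90, warn 7, inactive 14, expire 18000.
SAMPLE = "philippe:$6$constructed$hash:17718:0:90:7:14:18000:"

def days_to_date(days):
    """Fields 3 and 8 count days since 1970-01-01 (the page's `date -d` idiom)."""
    return EPOCH + timedelta(days=days)

def date_to_days(day):
    """Inverse conversion; pure calendar arithmetic, so the local timezone plays no part."""
    return (day - EPOCH).days

def parse_shadow(line):
    """Split one shadow line; an empty aging field means that feature is disabled."""
    name, pw, lastchg, mn, mx, warn, inact, expire, _ = line.split(":")
    to_int = lambda s: int(s) if s else None
    return {"name": name, "password": pw, "lastchg": to_int(lastchg),
            "min": to_int(mn), "max": to_int(mx), "warn": to_int(warn),
            "inactive": to_int(inact), "expire": to_int(expire)}

def account_status(line, today):
    """State of the entry on day `today` (days since epoch), in pam_unix check order."""
    e = parse_shadow(line)
    if e["password"].startswith("!"):
        return "locked"                    # usermod -L / passwd -l prefix; auth fails
    if e["expire"] is not None and today >= e["expire"]:
        return "account expired"           # field 8: login refused outright
    if e["lastchg"] == 0:
        return "password change required"  # chage -d 0
    if e["max"] is not None and e["lastchg"] is not None:
        pw_end = e["lastchg"] + e["max"]
        if e["inactive"] is not None and today >= pw_end + e["inactive"]:
            return "account inactive"      # grace period (field 7) used up
        if today >= pw_end:
            return "password expired"      # PAM demands a new password at login
        if e["warn"] is not None and today > pw_end - e["warn"]:
            return "password expires soon"
    return "ok"

if __name__ == "__main__":
    for day in (17750, 17805, 17808, 17822, 18000):
        print(days_to_date(day), account_status(SAMPLE, day))
```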
The newgrp command selects one of the user's supplementary groups as the user's new temporary primary group. Each time newgrp switches the primary group, it starts a new child shell (a child process). Be careful: a child shell and a subshell are different things.
newgrp [secondary group]
Example:
$ sudo useradd test1
$ sudo passwd test1
$ sudo groupadd groupA; sudo groupadd groupB
$ sudo usermod -G groupA,groupB test1
$ id test1
uid=1000(test1) gid=1000(test1) groups=1000(test1),1001(groupA),1002(groupB)
$ echo $SHLVL; echo $BASH_SUBSHELL
1
0
$ su - test1
$ touch a.txt
$ ll
-rw-rw-r-- 1 test1 test1 0 10月 7 14:02 a.txt
$ echo $SHLVL; echo $BASH_SUBSHELL
1
0
# Generate a new child shell
$ newgrp groupA
$ touch b.txt
$ ll
-rw-rw-r-- 1 test1 test1  0 10月 7 14:02 a.txt
-rw-r--r-- 1 test1 groupA 0 10月 7 14:02 b.txt
$ echo $SHLVL; echo $BASH_SUBSHELL
2
0
# You can exit the child shell using the `exit` command
$ exit
$ logout
$ whoami
root
Permanently removes the password. For root (uid=0) use only.
-l
Permanently locks the user account. For root (uid=0) use only.
-S
Displays the account status. For root (uid=0) use only.
-u
Permanently unlocks user account. For root (uid=0) use only.
-e
Permanently expires the password. For root (uid=0) use only.
-n DAYS
Defines the minimum password lifetime. Permanent change. For root (uid=0) use only.
-x DAYS
Defines the maximum password lifetime. Permanent change. For root (uid=0) use only.
-w DAYS
Defines the warning time before expiration. Permanent change. For root (uid=0) use only.
-i DAYS
Defines the delay before deactivation when the password expires. Permanent change. For root (uid=0) use only.
Use passwd -l, which adds "!!" at the beginning of the user's password field in /etc/shadow.
Example:
Alain changes his password:
[alain]$ passwd
root changes Alain's password:
sudo passwd alain
Note
Users can change their own password with the passwd command (the old password is requested) and must comply with the password security restrictions.
The administrator can change the password of any user without restriction.
When managing user accounts by shell script, setting a default password after creating the user may be useful.
This can be done by passing the password to the passwd command.
Example:
# sudo must apply to passwd, the command that writes /etc/shadow, not to echo
echo "azerty,1" | sudo passwd --stdin philippe
Warning
The password is passed in clear text; passwd encrypts it.
Defines the days to delay before deactivation, password expired. Permanent change.
-l
Displays the policy details.
-m DAYS
Defines the minimum lifetime of the password. Permanent change.
-M DAYS
Defines the maximum lifetime of the password. Permanent change.
-d LAST_DAY
Defines the number of days since the password was last changed. You can use the days' timestamp style or the YYYY-MM-DD style. Permanent change.
-E EXPIRE_DATE
Defines the account expiration date. You can use the days' timestamp style or the YYYY-MM-DD style. Permanent change.
-W WARN_DAYS
Defines the number of days warning time before expiration. Permanent change.
Examples:
# The `chage` command also offers an interactive mode.
$ sudo chage philippe
# `-d 0` forces the user to change the password at the next login.
$ sudo chage -d 0 philippe
Defines the parent directory under which ordinary users' home directories are created.
INACTIVE
Defines the number of days of grace after password expiration. Corresponds to the 7th field of the /etc/shadow file. -1 value means that the grace period feature is turned off.
EXPIRE
Defines the account expiration date. Corresponds to the 8th field of the /etc/shadow file.
SHELL
Defines the command interpreter.
SKEL
Defines the skeleton directory of the login directory.
CREATE_MAIL_SPOOL
Defines the mailbox creation in /var/spool/mail/.
If you do not need a primary group with the same name when creating users, you can do this:
UMASK 022: the permission mode for newly created items becomes 755 (rwxr-xr-x). However, for security, GNU/Linux does not grant the x permission to newly created files. This applies to root (uid=0) and ordinary users (uid>=1000) alike. For example:
When a user is created, their home directory and environment files are created. You can think of the files in the /etc/skel/ directory as the file templates you need to create users.
These files are automatically copied from the /etc/skel directory.
.bash_logout
.bash_profile
.bashrc
All files and directories placed in this directory will be copied to the user tree when created.
The su command allows you to change the identity of the connected user.
su [-] [-c command] [login]
Examples:
$ sudo su - alain
[albert]$ su - root -c "passwd alain"
Option
Description
-
Loads the user's complete environment.
-c command
Executes the command under the user's identity.
If the login is not specified, it will be root.
Standard users will have to type the password for the new identity.
Tip
You can use the exit or logout command to leave an identity you switched to. Note that switching users this way does not create a new child shell or subshell, for example:
So, when switching users, remember not to omit the -: without it the necessary environment files are not loaded and some programs may not run correctly.