User management is important in any multi-user network operating system. Linux is a multi-user network operating system. Without the users, there wouldn’t be any need for a multi-user network operating system in the first place!
Managing users on a system is intricately tied to the system's security. There is an old saying that:
A system is as secure as its weakest user.
Linux inherits the old UNIX tradition of governing access to files, programs and other resources on a per-user and per-group basis.
Just like almost all other configurations in Linux, user management can be carried out by directly editing configuration files that can be found in the file system hierarchy. This lab will explore user management through the manual way and also through the use of system utilities.
We'll also briefly examine file permissions and ownership.
The utilities you will meet in this lab are useradd, groupadd and passwd; their help output is reproduced below for reference. The files they maintain (/etc/passwd, /etc/shadow and /etc/group) are introduced in the exercises, where some of their fields are also discussed.
```bash
Usage: useradd [options] LOGIN
useradd -D
useradd -D [options]
Options:
--badname do not check for bad names
-b, --base-dir BASE_DIR base directory for the home directory of the new account
--btrfs-subvolume-home use BTRFS subvolume for home directory
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-g, --gid GROUP name or ID of the primary group of the new account
-G, --groups GROUPS list of supplementary groups of the new account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as the user
-o, --non-unique allow to create users with duplicate (non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-P, --prefix PREFIX_DIR prefix directory where are located the /etc/* files
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
```
```bash
Usage: groupadd [options] GROUP
Options:
-f, --force exit successfully if the group already exists, and cancel -g if the GID is already used
-g, --gid GID use GID for the new group
-h, --help display this help message and exit
-K, --key KEY=VALUE override /etc/login.defs defaults
-o, --non-unique allow to create groups with duplicate (non-unique) GID
-p, --password PASSWORD use this encrypted password for the new group
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-P, --prefix PREFIX_DI directory prefix
-U, --users USERS list of user members of this group
```
```bash
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only); also removes password lock if any
-l, --lock lock the password for the named account (root only)
-u, --unlock unlock the password for the named account (root only)
-e, --expire expire the password for the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)
Help options:
-?, --help Show this help message
--usage Display brief usage message
```
So far, throughout the previous labs, you have been using the system as its most powerful user, the root user. This is bad practice on a production system because it weakens security: root can do, and undo, unlimited damage to the system, and so can any typo or compromised program that runs as root.
Every other user has only limited access to files and directories.
Always use your machine as a normal user. Two confusing concepts will be made clear here.
Firstly the home directory of the root user is “ /root “.
Secondly the root directory is the topmost directory, known as the / (slash) directory.
(“/root” is different from “/ “)
In this lab you will create a new user called “Me Mao”. The user name for “Me Mao" will be the first name - “me”. This new user will belong to the group “me”. The password will be “a1b2c3”
Warning
System configuration files conform to a specific format, and it is important to adhere to it when editing them by hand: a malformed line in /etc/passwd or /etc/shadow can lock every user out. One way to stay safe is to find and copy an existing entry in the file and then modify the copied line with your changes. The vipw and vigr utilities open these files in your editor while holding a lock, so that no other tool rewrites them at the same time.
Log in to the computer as root
Use the tail command to view the last 4 entries at the bottom of the /etc/passwd file.
Launch your editor of choice and open up the file “/etc/passwd”
Add the line below to the end of the file. Its fields are the login name, the password field (x means the hash is kept in /etc/shadow), the UID, the primary GID, the comment (GECOS) field, the home directory and the login shell. Check first that UID 500 and GID 500 are not already used by another entry in /etc/passwd or /etc/group; current distributions start ordinary users at 1000, so 500 may already be taken by a system account.
me:x:500:500:memao:/home/me:/bin/bash
Save your changes and close the passwd file.
Next we'll edit the /etc/shadow file.
Launch your editor and open up the “/etc/shadow” file.
Add a new entry like the one below to the bottom of the file, with an asterisk (*) in the password field so that nobody can log in as this user until a real password is set with passwd. The fields are the login name, the password hash, the date of the last password change (in days since 1970-01-01), the minimum and maximum password age in days, the warning period, the inactivity period, the account expiry date and a reserved field. Type:
me:*:11898:0:99999:7:::
Save your changes and close the shadow file.
We will edit the /etc/group file next.
Launch your editor and open up the /etc/group file.
At the bottom of the file add a new entry like the one below. The third field is the GID and must match the primary GID you gave the user in /etc/passwd (500 above); the last field lists the group's supplementary members:
me:x:500:me
Save your changes and close the group file.
Time to create the home directory.
Copy the entire contents of the “/etc/skel” directory (the default dotfiles every new account starts with) into the /home directory, naming the new directory after the user, i.e. “/home/me”. Type:
[root@localhost root]# cp -r /etc/skel /home/me
The root user owns the directory you just created, because she created it. For the user “Me Mao” to be able to use it, change the ownership of the directory and everything in it to the new user and group. Type:
[root@localhost root]# chown -R me:me /home/me
Create a password for the user. Set the value of the password to a1b2c3, as specified at the start of the exercise.
You will use the “passwd” utility, which replaces the asterisk you put in /etc/shadow with the hash of the new password.
Type “passwd me” and follow the prompts:
[root@localhost root]# passwd me
Changing password for user me.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
There are loads of utilities available to simplify all the tasks/steps that we manually performed in the previous exercise. We only walked through the manual process of creating a user, so that you can see what actually goes on in the background.
In this exercise we will use some common utilities to manage and simplify the process.
You will create another user account for the user “Ying Yang” the login name will be “ying”.
And the password for "ying" will be “y@i@n@g@”.
You will also create a group called “common” and add the users "me" and "ying" to it.
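The script below is an added example for this lab, not part of the original page. It does two things: it checks that an account typed by hand, as in the previous exercise, is consistent across the three files (seven fields in passwd, nine in shadow, an x in passwd's password field, a lock marker or real hash in shadow's, a unique UID, and a primary GID that actually exists in the group file), and it performs this exercise with the shadow-utils tools instead of an editor. The sample passwd, shadow and group files are constructed here and use the lab's UID 500; the provisioning part assumes groupadd, useradd, chpasswd, usermod and getent are installed and only runs when invoked as root with the argument "apply". Unlike the cp -r step of the manual exercise, useradd -m also copies /etc/skel and applies the home-directory mode from /etc/login.defs (HOME_MODE, or the UMASK setting on older releases), so the new home is not left world-readable.

```shell
#!/bin/sh
# Added example (not part of the original lab): check that a hand-made
# account is consistent across passwd, shadow and group, then do the
# second exercise with the shadow-utils tools.
set -eu

# entry_for FILE LOGIN: the line whose first field is LOGIN (empty if none).
entry_for() { awk -F: -v u="$2" '$1 == u { print; exit }' "$1"; }
# field LINE N: the N-th colon-separated field of LINE.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }
# nfields LINE: number of colon-separated fields, trailing empty ones included.
nfields() { printf '%s\n' "$1" | awk -F: '{ print NF }'; }

# check_account LOGIN PASSWD_FILE SHADOW_FILE GROUP_FILE
# Prints every problem found; exit status 0 only if the account is consistent.
check_account() {
    login=$1 pwf=$2 shf=$3 grf=$4 problems=0
    pw=$(entry_for "$pwf" "$login")
    [ -n "$pw" ] || { echo "no passwd entry for $login"; return 1; }
    [ "$(nfields "$pw")" -eq 7 ] || { echo "passwd needs 7 fields: $pw"; problems=$((problems + 1)); }
    uid=$(field "$pw" 3); gid=$(field "$pw" 4); home=$(field "$pw" 6); shell=$(field "$pw" 7)
    # "x" means "the hash is in shadow"; anything else here is a slip or a legacy hash.
    [ "$(field "$pw" 2)" = x ] || { echo "passwd password field should be x: $pw"; problems=$((problems + 1)); }
    # No other login may share the UID.
    n=$(awk -F: -v id="$uid" '$3 == id { n++ } END { print n + 0 }' "$pwf")
    [ "$n" -eq 1 ] || { echo "UID $uid appears $n times in $pwf"; problems=$((problems + 1)); }
    # The primary GID must exist in the group file.
    awk -F: -v g="$gid" '$3 == g { f = 1 } END { exit !f }' "$grf" \
        || { echo "primary GID $gid has no group in $grf"; problems=$((problems + 1)); }
    shd=$(entry_for "$shf" "$login")
    if [ -z "$shd" ]; then
        echo "no shadow entry for $login"; problems=$((problems + 1))
    else
        [ "$(nfields "$shd")" -eq 9 ] || { echo "shadow needs 9 fields: $shd"; problems=$((problems + 1)); }
        # Field 2 must be a lock marker (* or !...) or a real hash ($id$...), never "x".
        case "$(field "$shd" 2)" in
            '*' | '!'* | '$'*) ;;
            *) echo "shadow password field is neither a lock marker nor a hash: $shd"; problems=$((problems + 1)) ;;
        esac
    fi
    case $home in /*) ;; *) echo "home '$home' is not an absolute path"; problems=$((problems + 1)) ;; esac
    case $shell in /*) ;; *) echo "shell '$shell' is not an absolute path"; problems=$((problems + 1)) ;; esac
    [ "$problems" -eq 0 ]
}

# make_lab_files DIR VARIANT: constructed sample files for this lab's user "me".
# "slips" contains two common mistakes (an "x" in shadow's password field and a
# group GID that does not match the passwd GID); "fixed" contains correct lines.
make_lab_files() {
    printf 'root:x:0:0:root:/root:/bin/bash\nme:x:500:500:memao:/home/me:/bin/bash\n' >"$1/passwd"
    printf 'root:x:0:\n' >"$1/group"
    printf 'root:*:11898:0:99999:7:::\n' >"$1/shadow"
    if [ "$2" = fixed ]; then
        printf 'me:*:11898:0:99999:7:::\n' >>"$1/shadow"; printf 'me:x:500:me\n' >>"$1/group"
    else
        printf 'me:x:11898:11898:99999:7:::\n' >>"$1/shadow"; printf 'me:x:1000:me\n' >>"$1/group"
    fi
}

# Exercise 2 with the utilities. Needs root: "sudo sh user-lab.sh apply" (file name assumed).
provision_exercise2() {
    groupadd -f common                                       # -f: fine if it already exists
    getent passwd ying >/dev/null \
        || useradd -m -U -s /bin/bash -c 'Ying Yang' ying    # -m: home from /etc/skel, -U: group "ying"
    echo 'ying:y@i@n@g@' | chpasswd                          # set the password non-interactively
    usermod -aG common me                                    # -a: append, keep existing groups
    usermod -aG common ying
    id ying; getent group common                             # show the result
}

if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    provision_exercise2
    check_account ying /etc/passwd /etc/shadow /etc/group
else
    # Stand-alone demonstration on the constructed files; needs no privileges.
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_lab_files "$tmp" slips
    check_account me "$tmp/passwd" "$tmp/shadow" "$tmp/group" || echo '-> with the two slips: inconsistent'
    make_lab_files "$tmp" fixed
    check_account me "$tmp/passwd" "$tmp/shadow" "$tmp/group" && echo '-> fixed: consistent'
fi
```

Run it without arguments to see the check reject the slipped entries and accept the corrected ones; run it as root with "apply" to create ying and common and then verify the new account against the real files. The check is deliberately independent of the system it runs on (it reads whatever files it is given), so it can also be pointed at a backup or a chroot.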
It is not always convenient to log completely out of the system to log in as another user, for example because you have tasks running that you do not want to end. The su (substitute user) program is used to become another user temporarily. You can “su” from a regular user account to the root account, which asks for root's password, or from root to a regular account, which asks for none.
It changes the current user to have the access rights of the temporary user.
The HOME, LOGNAME, and USER environment variables will be set to those of the temporary user by default.