Working with Users, Groups, and Permissions – Part I

Managing Users and Groups

• To create users from a command-line environment, you can use the "useradd" command

• Alternatively, it is possible to add users to the relevant configuration files manually, but this isn't the recommended approach

o The reason: an error in the main user configuration files might cause problems for all users on your server

In this section, we will learn how to add users from the command line using "useradd", how the relevant configuration files are modified for these users, and how users can be added using the system-config-users utility.

Commands for User Management:

When you want to add users from the command line, "useradd" is the command to use.

• Other commands are available as well.

• But here are the most important commands for managing the user environment:

o useradd: this command is used for adding users to the local authentication system

o usermod: this command is used to modify properties for existing users

o userdel: this command is used to delete users properly from a system

• Using "useradd" is simple... it just takes the name of a user as its argument.

o Example: "useradd linda" will create a user called linda on your server

• The "useradd" command has a few options... If an option isn't specified, "useradd" will read its configuration file located in /etc/default/useradd

o In this configuration file, "useradd" finds some default values, as shown in the example below

Setting default values in /etc/default/useradd

• These default values specify the groups the user will become a member of, where to create the user's home directory, and more.
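Typical contents of /etc/default/useradd on a Red Hat system, shown here as an added illustration (not copied from the original notes). Confirm the values on your own server with "useradd -D", which prints the same settings:

```shell
# /etc/default/useradd (typical Red Hat defaults, added illustration)
GROUP=100              # primary GID used only when USERGROUPS_ENAB=no in /etc/login.defs
HOME=/home             # home directories are created under this path
INACTIVE=-1            # -1: account is not disabled after the password expires
EXPIRE=                # empty: accounts do not expire on a fixed date
SHELL=/bin/bash        # default login shell for new users
SKEL=/etc/skel         # skeleton directory copied into each new home directory
CREATE_MAIL_SPOOL=yes  # create /var/spool/mail/<user> for new users
```

On Red Hat the GROUP value is normally not used, because USERGROUPS_ENAB in /etc/login.defs makes useradd create a private group named after the user instead.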

• You can set different properties to manage users

• For every user, the group membership, UID, and shell default properties are set. Now an explanation:

o Group Membership:

• In any UNIX/Linux environment, a user can be a member of two different kinds of groups: the primary group and all other groups

• Every user must be a member of a primary group

• NOTE: If one user on your system does not have a primary group setting, no one will be able to log in, so membership in a primary group is vital

• On a Red Hat server, all users are by default a member of a group that has the same name as the user... this is done for security reasons, to make sure that no files are shared with other users by accident

• Users can be members of more than just the primary group, and they will automatically have access to the rights granted to these other groups

• The most important difference between the primary group and other groups is that the primary group will automatically become group owner of a new file that a user creates

• You now know the relation between the primary group and the other groups of which a user is a member. Later in this lesson, you will see how to apply this knowledge

o UID:

• Another major type of information used when creating a user is the user ID (UID)

• For your server, this is the only way to identify a user

• Usernames are just a convenience, because we, as humans, tend not to handle being identified by numbers well

• In general, all users need a unique UID

• Red Hat starts generating local UIDs at 500... the highest UID available by default is 60000, because of the restriction defined in /etc/login.defs, which can be changed... (try it out on the server)

• Typically, UIDs below 500 are reserved for system accounts that are needed to start services

• The UID 0 is also special... the user who has it has complete administrative permissions to the server

• UID 0 is typically reserved for the user "root"

o Shell:

• To log into a server, every user needs a shell

• The shell will enable interpretation of commands the user enters from their console

• The default shell in Linux is "/bin/bash", but several other shells are available

• BE AWARE: not all users need shells... users with a shell are allowed to log in locally to your system and access any files and directories stored on that system, as far as their permissions allow such access

• You could specify an alternative command to be used as the shell... for example, /sbin/nologin can be used if you don't want to allow the user any interaction with your system locally

Example: usermod -s /sbin/nologin myuser

If your server doesn't provide /sbin/nologin:

usermod -s /bin/false myuser

• Other commands are available, as I stated earlier

• Check Google for more examples
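The UID and shell properties explained above are exactly the ones worth auditing on an existing server: a second account with UID 0, two accounts sharing one UID, or a service account that was left with an interactive shell. The script below is an added example, not part of the original notes. It runs those checks with awk and cut over a constructed passwd-style sample (the user names, UIDs and shells are made up for illustration); pass the path of a real /etc/passwd to the functions to audit a live system.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a passwd(5)-style file
# for the properties discussed above. The sample file is constructed;
# call the functions with /etc/passwd to check a real server.

SAMPLE_PASSWD="$(mktemp)"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
linda:x:500:500:Linda:/home/linda:/bin/bash
lucy:x:501:501:Lucy:/home/lucy:/bin/bash
backup:x:502:502:Backup service:/var/backup:/sbin/nologin
toor:x:0:0:Second UID 0 account:/root:/bin/bash
dup:x:501:503:Shares the UID of lucy:/home/dup:/bin/false
EOF

# Field layout of passwd(5): name:password:UID:GID:comment:home:shell

# Accounts that have UID 0 but are not named root. UID 0 is what grants
# administrative rights, so every extra entry here needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs assigned to more than one account. The kernel identifies users by
# UID only, so two names sharing a UID are the same user for file
# ownership and permission checks.
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Accounts whose shell allows an interactive login, i.e. anything other
# than /sbin/nologin or /bin/false. Service accounts should not show up.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Show the fields the notes discuss (UID, primary GID, home, shell) for one user.
describe_account() {
    awk -F: -v user="$2" '$1 == user {
        printf "name=%s uid=%s gid=%s home=%s shell=%s\n", $1, $3, $4, $6, $7
    }' "$1"
}

echo "UID 0 accounts other than root:"; uid0_accounts "$SAMPLE_PASSWD"
echo "Duplicate UIDs:";                 duplicate_uids "$SAMPLE_PASSWD"
echo "Accounts with a login shell:";    login_shell_accounts "$SAMPLE_PASSWD"
echo "Details for linda:";              describe_account "$SAMPLE_PASSWD" linda
```

On the sample, the audit flags "toor" as an extra UID 0 account, reports UIDs 0 and 501 as duplicated, and lists root, linda, lucy and toor as the only accounts that can log in interactively.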

Managing Passwords

• To access the system, a user needs a password.

• By default, login is denied for the users you create, and passwords are not assigned automatically... therefore, newly created users can't do anything on the server

• To enable users, assign passwords using the "passwd" command

• The root user can change passwords as well.

o For example: the command "passwd linda" would prompt to change the password for linda

o The user root can use the "passwd" command in 3 generic ways:

• For password maintenance (to change a password)

• To set password expiry information (which dictates that a password will expire at a particular date)

• For account maintenance (an admin can use passwd to lock an account so that login is disabled temporarily)

Performing Account Maintenance with "passwd":

• In an environment where many users are using the same server, it is important to perform some basic account maintenance tasks, which include:

o Locking accounts when they are unneeded for a long time

o Unlocking an account

o Reporting the password status

o Forcing a user to change their password on first use

• To perform these tasks, the "passwd" command has some options available:

o -l: Enables an administrator to lock an account

Ex: "passwd -l lucy" will lock the account for lucy

o -u: Unlocks an account that has been locked before

o -S: Reports the status of the password for a given account

o -e: Forces the user to change their password on next login

Managing Password Expiry:

• In a server environment, it makes sense to change passwords occasionally

• The "passwd" command has some options to manage this

o -n min: This rarely used option is applied to set the minimum number of days that must elapse before the password can be changed. If this option is not used, a user can change their password at any time (passwd -n 7 username)

o -x max: This option is used to set the maximum number of days a user can use a password without changing it (passwd -x 28 usr)

o -w warn: When a password is about to expire, you can use this option to send a warning to the user... the argument for this option specifies the number of days before expiry of the password that the user will receive the warning (passwd -w 5 usr)

o -i inact: Use this option to expire an account automatically when it hasn't been used for a given period of time. The argument for this option is used to specify the exact duration of this period (passwd -i 10 usr)

o Combined command: passwd -n 7 -x 28 -w 5 -i 10 usr

• Apart from the "passwd" command, you can also use "chage" to manage account expiry... check out the man page for details on its usage

• To set a user's password to expire in 90 days:

o # chage -M 90 student1
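The -n, -x, -w and -i options above, and chage -M, all write into the per-user fields of /etc/shadow (last change, min, max, warn, inactive), and passwd -S and chage -l report by reading the same fields back. The script below is an added example, not part of the original notes: it derives a password status from a constructed shadow-style sample (made-up users with placeholder hashes) and takes "today" as an argument so the result is reproducible. On a live system you would read /etc/shadow as root and pass $(( $(date +%s) / 86400 )) as today.

```shell
#!/bin/sh
# Added example (not from the original notes): derive the password status
# that passwd -S / chage -l report, from shadow(5) fields.
# Fields: name:hash:lastchg:min:max:warn:inact:expire:reserved, where
# lastchg is days since 1970-01-01 and min/max/warn/inact are in days,
# i.e. exactly what passwd -n/-x/-w/-i and chage -M set.
# The sample is constructed; the hashes are placeholders, not real ones.

SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
linda:$6$PLACEHOLDER$notarealhash:19700:7:28:5:10::
lucy:!$6$PLACEHOLDER$notarealhash:19700:0:99999:7:::
student1:$6$PLACEHOLDER$notarealhash:19650:0:90:7:::
EOF

# Usage: shadow_status FILE USER TODAY   (TODAY in days since the epoch)
# Prints one of: locked, never expires, expires in N days,
# expires in N days (warning period), expired, inactive.
shadow_status() {
    awk -F: -v user="$2" -v today="$3" '
        $1 == user {
            # passwd -l prefixes the hash with "!", which no password matches
            if ($2 ~ /^[!*]/) { print "locked"; exit }
            # max of 99999 (or empty) means password ageing is not enforced
            if ($5 == "" || $5 + 0 >= 99999) { print "never expires"; exit }
            due = $3 + $5
            if (today > due) {
                # after expiry, inact days of grace remain before the
                # account is disabled (the value set with passwd -i)
                if ($7 != "" && today > due + $7) print "inactive"
                else print "expired"
                exit
            }
            left = due - today
            # inside the warn window the user is told at login (passwd -w)
            if ($6 != "" && left <= $6 + 0)
                print "expires in " left " days (warning period)"
            else
                print "expires in " left " days"
            exit
        }' "$1"
}

# For a live check use: today=$(( $(date +%s) / 86400 ))
for u in linda lucy student1; do
    printf '%s: %s\n' "$u" "$(shadow_status "$SAMPLE_SHADOW" "$u" 19720)"
done
```

With today set to day 19720, linda (max 28 days, last changed on day 19700) has 8 days left, lucy is reported as locked because her hash carries the "!" prefix that passwd -l adds, and student1 (chage -M 90) has 20 days left. Moving today forward walks linda through the warning window, expiry and the inactivity lock.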

Exercise:

  • Creating Users