
Linux User and Group Management

Linux is a multi-user, multitasking time-sharing operating system. Any user who wants to use system resources must first apply to the system administrator for an account, and then enter the system with the identity of that account.

On one hand, user accounts help the system administrator track users of the system and control their access to system resources. On the other hand, they also help users organize files and provide security protection for users.

Each user account has a unique username and its own password.

After a user enters the correct username and password during login, they can enter the system and their home directory.

The management of user accounts mainly involves the following aspects:

  • Addition, deletion, and modification of user accounts.
  • Management of user passwords.
  • Management of user groups.

1. Management of Linux System User Accounts

The management of user accounts mainly involves the addition, modification, and deletion of user accounts.

Adding a user account means creating a new account in the system, and then allocating resources such as a user number, user group, home directory, and login shell to the new account. Newly added accounts are locked and cannot be used.

1. Adding a New User Account Using the useradd Command

The syntax is as follows:

useradd [options] username

Parameter description:

  • Options:
    • -c comment: Specifies a descriptive comment.
    • -d directory: Specifies the user's home directory. If this directory does not exist, use the -m option to create the home directory.
    • -g group: Specifies the user's primary group.
    • -G group1,group2,...: Specifies the user's supplementary groups.
    • -s shell: Specifies the user's login shell.
    • -u uid: Specifies the user's user ID. If the -o option is also used, it allows duplicate user IDs.
  • username: Specifies the login name for the new account.

Example 1

# useradd -d /home/sam -m sam

This command creates a user named sam. The -d and -m options are used to create a home directory /home/sam for the login name sam (/home is the default parent directory for user home directories).

Example 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates a new user named gem. The user's login shell is /bin/sh, it belongs to the group group, and also belongs to the adm and root groups, where group is its primary group.

If these groups do not exist yet, they must be created first:

# groupadd group
# groupadd adm

Adding a user account means adding a new record for the user in the /etc/passwd file, and simultaneously updating other system files such as /etc/shadow, /etc/group, etc.

Linux provides an integrated system management tool called userconf, which can be used to manage user accounts uniformly.

2. Deleting an Account

If a user's account is no longer in use, it can be deleted from the system. Deleting a user account means removing the user's record from system files like /etc/passwd, and if necessary, also deleting the user's home directory.

To delete an existing user account, use the userdel command. Its format is as follows:

userdel [options] username

A commonly used option is -r, which deletes the user's home directory along with the account.

For example:

# userdel -r sam

This command deletes the record of user sam from system files (mainly /etc/passwd, /etc/shadow, /etc/group, etc.) and also deletes the user's home directory.

3. Modifying an Account

Modifying a user account means changing the relevant attributes of the user according to the actual situation, such as user ID, home directory, user group, login shell, etc.

To modify information of an existing user, use the usermod command. Its format is as follows:

usermod [options] username

Commonly used options include -c, -d, -m, -g, -G, -s, -u, and -o. The meanings of these options are the same as those in the useradd command, and they can be used to specify new resource values for the user.

Additionally, some systems support the option: -l new_username

This option specifies a new account name, i.e., changing the original username to a new username.

For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes the login shell of user sam to ksh, the home directory to /home/z, and the user group to developer.

4. Managing User Passwords

An important part of user management is managing user passwords. When a user account is first created, it has no password but is locked by the system and cannot be used. A password must be specified before it can be used, even if it is an empty password.

The shell command for specifying and modifying a user password is passwd. The superuser can specify passwords for themselves and other users, while ordinary users can only use it to change their own password. The command format is:

passwd [options] [username]

Available options:

  • -l: Locks the password, i.e., disables the account.
  • -u: Unlocks the password.
  • -d: Removes the password from the account.
  • -f: Forces the user to change their password at the next login.

If the username is omitted, it modifies the current user's password.

For example, assuming the current user is sam, the following command changes that user's own password:

$ passwd
Old password:******
New password:*******
Re-enter new password:*******

If you are the superuser, you can specify the password for any user in the following form:

# passwd sam
New password:*******
Re-enter new password:*******

When an ordinary user changes their own password, the passwd command first asks for the old password. After verification, it asks the user to enter the new password twice. If the two entries match, the password is set for the user. When the superuser specifies a password for a user, the old password is not required.

For system security, users should choose relatively complex passwords. For example, it is best to use passwords that are 8 characters long, contain uppercase letters, lowercase letters, and numbers, and are different from names, birthdays, etc.

To specify an empty password for a user, execute the following command:

# passwd -d sam

This command removes the password for user sam. This way, the system will not allow user sam to log in the next time.

The passwd command can also use the -l (lock) option to lock a specific user, preventing them from logging in. For example:

# passwd -l sam

2. Management of Linux System User Groups

Each user belongs to a user group, and the system can manage all users within a group centrally. Different Linux systems have different conventions for user groups. For example, on Linux a user belongs by default to a group with the same name as the user, which is created together with the user.

User group management involves adding, deleting, and modifying user groups. Adding, deleting, and modifying groups is essentially updating the /etc/group file.

1. Adding a New User Group Using the groupadd Command

Its format is as follows:

groupadd [options] groupname

Available options:

  • -g GID: Specifies the group ID (GID) for the new group.
  • -o: Usually used with the -g option, it allows the new group's GID to be the same as an existing group's GID in the system.

Example 1:

# groupadd group1

This command adds a new group group1 to the system. The new group's GID is the current maximum GID plus 1.

Example 2:

# groupadd -g 101 group2

This command adds a new group group2 to the system and specifies its GID as 101.

2. Deleting an Existing User Group Using the groupdel Command

Its format is as follows:

groupdel groupname

Example:

# groupdel group1

This command deletes the group group1 from the system.

3. Modifying User Group Attributes Using the groupmod Command

Its syntax is as follows:

groupmod [options] groupname

Commonly used options:

  • -g GID: Specifies a new GID for the user group.
  • -o: Used with the -g option, it allows the new GID to be the same as an existing group's GID in the system.
  • -n new_groupname: Changes the name of the user group to the new name.

Example 1:

# groupmod -g 102 group2

This command changes the GID of group group2 to 102.

Example 2:

# groupmod -g 10000 -n group3 group2

This command changes the GID of group group2 to 10000 and its name to group3.

4. Switching Between User Groups

If a user belongs to multiple user groups, the user can switch between user groups to gain the permissions of other groups.

After logging in, a user can use the newgrp command to switch to another user group. The parameter of this command is the target user group. For example:

$ newgrp root

This command switches the current user to the root group, provided that the root group is indeed the user's primary or supplementary group. Similar to user account management, user group management can also be completed through integrated system management tools.


3. System Files Related to User Accounts

There are many ways to complete user management tasks, but each method actually involves modifying relevant system files.

Information related to users and user groups is stored in some system files, including /etc/passwd, /etc/shadow, /etc/group, etc.

The contents of these files are described below.

1. The /etc/passwd File

The /etc/passwd file is the most important file involved in user management.

Every user in the Linux system has a corresponding record line in the /etc/passwd file, which records some basic attributes of the user.

This file is readable by all users. Its content is similar to the following example:

# cat /etc/passwd
root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:
uucp:x:5:5:UUCP administrator:/usr/lib/uucp:
auth:x:7:21:Authentication administrator:/tcb/files/auth:
cron:x:9:16:Cron daemon:/usr/spool/cron:
listen:x:37:4:Network daemon:/usr/net/nls:
lp:x:71:18:Printer administrator:/usr/spool/lp:
sam:x:200:50:Sam san:/home/sam:/bin/sh

From the example above, we can see that each line in /etc/passwd corresponds to a user. Each line is separated by colons (:) into 7 fields. The format and specific meanings are as follows:

username:password:UID:GID:comment:home_directory:login_shell

1) "username"

This is a string representing the user account. It is usually no more than 8 characters long and consists of uppercase and lowercase letters and/or numbers. The login name cannot contain a colon (:) because the colon is a delimiter here.

For compatibility, it is best not to include a dot (.) in the login name, and not to start with a hyphen (-) or a plus sign (+).

2) "password"

In some systems, the encrypted user password is stored here. Although this field only stores the encrypted string of the user password, not the plaintext, it is still a security risk because the /etc/passwd file is readable by all users. Therefore, many Linux systems (such as SVR4) now use shadow technology, storing the actual encrypted user password in the /etc/shadow file, and only storing a special character, such as "x" or "*", in the password field of the /etc/passwd file.

3) "UID" (User ID)

This is an integer used internally by the system to identify the user. Generally, it corresponds one-to-one with the username. If several usernames correspond to the same UID, the system will treat them as the same user internally, but they can have different passwords, different home directories, and different login shells, etc.

Typically, the UID range is 0 to 65,535. 0 is the UID of the superuser root, 1 to 99 are reserved by the system for administrative accounts, and ordinary users' UIDs start from 100. In Linux systems, this threshold is 500.

4) "GID" (Group ID)

This field records the user group to which the user belongs. It corresponds to a record in the /etc/group file.

5) "comment"

This field records some personal information about the user, such as the user's real name, phone number, address, etc. This field has no practical use. The format of this field is not unified across different Linux systems. In many Linux systems, this field stores an arbitrary comment text, used as output for the finger command.

6) "home_directory"

This is the user's starting working directory. It is the directory where the user is located after logging into the system. In most systems, users' home directories are organized under a specific directory, and the name of the home directory is the user's login name. Users have read, write, and execute (search) permissions for their own home directories, while other users' access permissions to this directory are set according to the specific situation.

7) "login_shell"

After a user logs in, a process needs to be started to pass the user's operations to the kernel. This process is the command interpreter or a specific program that runs after the user logs into the system, i.e., the Shell.

The Shell is the interface between the user and the Linux system. There are many types of Linux Shells, each with different characteristics. Common ones include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.

The system administrator can specify a Shell for the user based on the system situation and user habits. If no Shell is specified, the system uses sh as the default login shell, i.e., the value of this field is /bin/sh.

The user's login shell can also be specified as a specific program (which is not a command interpreter).

Using this feature, we can restrict users to only run specified applications. After the application finishes running, the user automatically exits the system. Some Linux systems require that only programs registered in the system can appear in this field.

8) Pseudo Users

There is a class of users in the system called pseudo users. These users also have a record in the /etc/passwd file, but they cannot log in because their login shell is empty. Their existence is mainly to facilitate system management and meet the requirements of corresponding system processes for file owners.

Common pseudo users are as follows:

Pseudo User   Meaning
bin           Owns executable user command files
sys           Owns system files
adm           Owns account files
uucp          Used by UUCP
lp            Used by lp or lpd subsystems
nobody        Used by NFS

In addition to the pseudo users listed above, there are many standard pseudo users, such as audit, cron, mail, usenet, etc., which are also required by their respective processes and files.

2. The /etc/shadow File

Since the /etc/passwd file is readable by all users, if a user's password is too simple or the pattern is obvious, an ordinary computer can easily crack it. Therefore, Linux systems with high security requirements separate the encrypted password and store it in a separate file, which is the /etc/shadow file. Only the superuser has read permission for this file, which ensures the security of user passwords.

The record lines in /etc/shadow correspond one-to-one with those in /etc/passwd. It is automatically generated by the pwconv command based on data from /etc/passwd.

Its file format is similar to /etc/passwd, consisting of several fields separated by colons (:). These fields are:

login_name:encrypted_password:last_password_change_time:min_password_age:max_password_age:password_warning_period:inactive_account_period:expiration_date:reserved

  1. "login_name" is the user account consistent with the login name in the /etc/passwd file.
  2. The "encrypted_password" field stores the encrypted user password, which is 13 characters long. If it is empty, the corresponding user has no password and does not need a password to log in. If it contains characters not in the set { ./0-9A-Za-z }, the corresponding user cannot log in.
  3. "last_password_change_time" represents the number of days from a certain point in time until the user last changed their password. The starting point of time may vary for different systems. For example, in SCO Linux, this starting point is January 1, 1970.
  4. "min_password_age" refers to the minimum number of days required between two password changes.
  5. "max_password_age" refers to the maximum number of days the password remains valid.
  6. The "password_warning_period" field indicates the number of days from when the system starts warning the user until the password officially expires.
  7. "inactive_account_period" indicates the maximum number of days the account can remain active without login activity.
  8. The "expiration_date" field gives an absolute number of days. If this field is used, it specifies the lifetime of the corresponding account. After expiration, the account is no longer a valid account and cannot be used to log in.

Here is an example of /etc/shadow:

# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::

3. The /etc/group File

All information about user groups is stored in the /etc/group file.

Grouping users is a means of managing users and controlling access permissions in Linux systems.

Each user belongs to a certain user group; a group can have multiple users, and a user can also belong to different groups.

When a user is a member of multiple groups simultaneously, the /etc/passwd file records the user's primary group, which is the default group at login, while other groups are called supplementary groups.

When a user wants to access files belonging to a supplementary group, they must first use the newgrp command to become a member of the group they want to access.

All information about user groups is stored in the /etc/group file. The format of this file is also similar to the /etc/passwd file, with several fields separated by colons (:). These fields are:

group_name:password:GID:group_members_list

  1. "group_name" is the name of the user group, consisting of letters or numbers. Like the login name in /etc/passwd, group names should not be duplicated.
  2. The "password" field stores the encrypted password of the user group. Generally, user groups in Linux systems do not have passwords, so this field is usually empty or contains *.
  3. "GID" is similar to the UID, an integer used internally by the system to identify the group.
  4. "group_members_list" is a list of all users belonging to this group, with different users separated by commas (,). This user group can be the user's primary group or a supplementary group.

An example of the /etc/group file is as follows:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam
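The field rules given above for /etc/passwd, /etc/shadow and /etc/group (UID 0 is the superuser whatever the name, duplicate UIDs are one user to the system, an empty shadow password means login without a password, a shadow password containing a character outside { ./0-9A-Za-z } means no login at all, and newgrp accepts only a user's primary or supplementary group) can be checked offline against copies of the files. The script below is an added example, not code from the original page: it writes constructed sample files built from the listings above, with two extra accounts (toor and gem) added to trigger the checks, and the function names are hypothetical. Pointing PASSWD, SHADOW and GROUP at the real files requires root, since only the superuser can read /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original page): an offline audit of the three
# account files. The sample files are constructed from the page's listings,
# with "toor" and "gem" added so that every check has something to report.
set -u

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
PASSWD="$TMPD/passwd"
SHADOW="$TMPD/shadow"
GROUP="$TMPD/group"

cat > "$PASSWD" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
bin:x:2:2:Owner of system commands:/bin:
adm:x:4:4:System accounting:/usr/adm:
sam:x:200:50:Sam san:/home/sam:/bin/sh
toor:x:0:0:second UID 0 account:/:/bin/sh
gem:x:200:20:shares UID with sam:/home/gem:/bin/sh
EOF

cat > "$SHADOW" <<'EOF'
root:Dnakfw28zf38w:8764:0:168:7:::
bin:*::0:0::::
adm:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::
toor::9740:0:0::::
gem:!EkdiSECLWPdSa:9740:0:0::::
EOF

cat > "$GROUP" <<'EOF'
root::0:root
bin::2:root,bin
adm::4:root,adm
users::20:root,sam
staff::50:
EOF

# Accounts whose UID is 0: each of them is the superuser, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 { out = out (length(out) ? " " : "") $1 } END { print out }' "$PASSWD"
}

# UIDs that appear more than once (file order); the system treats the accounts as one user.
duplicate_uids() {
    awk -F: '{ if (n[$3]++ == 0) order[++k] = $3 }
        END { for (i = 1; i <= k; i++) if (n[order[i]] > 1) out = out (length(out) ? " " : "") order[i]; print out }' "$PASSWD"
}

# Empty encrypted_password field: the account logs in without any password.
passwordless_accounts() {
    awk -F: '$2 == "" { out = out (length(out) ? " " : "") $1 } END { print out }' "$SHADOW"
}

# encrypted_password with a character outside { ./0-9A-Za-z }: the account
# cannot log in (what passwd -l produces, or the "*" of a pseudo user).
locked_accounts() {
    awk -F: '$2 != "" && $2 !~ "^[./0-9A-Za-z]+$" { out = out (length(out) ? " " : "") $1 } END { print out }' "$SHADOW"
}

# Primary group (resolved from the passwd GID) followed by the supplementary
# groups whose member list names the user: the groups newgrp will accept.
groups_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD")
    awk -F: -v u="$1" -v g="$gid" '
        $3 == g { primary = $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { supp = supp " " $1; break } }
        END { print primary supp }' "$GROUP"
}

echo "UID 0 accounts:      $(uid0_accounts)"
echo "duplicate UIDs:      $(duplicate_uids)"
echo "no password:         $(passwordless_accounts)"
echo "locked / no login:   $(locked_accounts)"
echo "groups of sam:       $(groups_of sam)"
```

On the sample data the script reports root and toor as UID 0, UIDs 0 and 200 as duplicated, toor as having no password, bin, adm and gem as unable to log in, and staff followed by users as the groups sam can switch to. Each function is a one-pass awk over a single file, so the same checks can be run from a cron job against the live files and their output compared against a known-good baseline.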

4. Adding Users in Bulk

Adding and deleting a single user is easy for any Linux system administrator. The tricky part is adding dozens, hundreds, or even thousands of users at once; running useradd for each one is impractical, so a simpler way to create a large number of accounts is needed. Linux provides tools for exactly this, allowing many users to be created in one step. The method is as follows:

(1) First, edit a text user file.

Each line is written in the format of the /etc/passwd password file. Note that each user's username, UID, and home directory must be different. The password field can be left blank or filled with an 'x'. A sample file user.txt looks like this:

user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) Execute the command /usr/sbin/newusers as root to import data from the newly created user file user.txt and create users:

# newusers < user.txt

Then you can execute the command vipw or vi /etc/passwd to check if the data for these users has appeared in the /etc/passwd file and if the users' home directories have been created.

(3) Execute the command /usr/sbin/pwunconv.

This takes the encrypted passwords stored in /etc/shadow, writes them back into the password field of /etc/passwd, and removes the shadow password entries from /etc/shadow. In other words, it temporarily disables the shadow password feature so that the password conversion in the following steps can proceed.

# pwunconv

(4) Edit the password mapping file for each user.

The format is:

username:password

The content of the example file passwd.txt is as follows:

user001:123456
user002:123456
user003:123456
user004:123456
user005:123456
user006:123456

(5) Execute the command /usr/sbin/chpasswd as root.

This creates user passwords. chpasswd will write the passwords encoded by the /usr/bin/passwd command into the password field of /etc/passwd.

# chpasswd < passwd.txt

(6) Once the encoded passwords have been written to the password field of /etc/passwd, execute the command /usr/sbin/pwconv to convert them into shadow passwords and write the results to /etc/shadow.

# pwconv

This completes the creation of a large number of users. Afterwards, you can go to /home to check if the permission settings for these users' home directories are correct, and log in to verify if the user passwords are correct.
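Step (1) warns that every username, UID and home directory in the user file must be different, and step (5) fails for any passwd.txt line whose user is not in the user file. As an added example that is not part of the original page, the following script checks both files for exactly those mistakes before anything is fed to newusers, and wraps the page's root-only command sequence in a function that refuses to run until both checks pass. The sample files are constructed: user.txt is the page's own listing, bad.txt adds a repeated username and home directory and a repeated UID. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): validate the input files of the
# bulk-add procedure, then run the page's root-only steps only if they pass.
set -u

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# The page's user.txt, unchanged.
cat > "$TMPD/user.txt" <<'EOF'
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash
EOF

# Constructed: line 4 reuses user003 and its home, line 5 reuses UID 602.
cat > "$TMPD/bad.txt" <<'EOF'
user001::600:100:user:/home/user001:/bin/bash
user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user003::603:100:user:/home/user003:/bin/bash
user005::602:100:user:/home/user005:/bin/bash
EOF

# The page's passwd.txt, unchanged.
cat > "$TMPD/passwd.txt" <<'EOF'
user001:123456
user002:123456
user003:123456
user004:123456
user005:123456
user006:123456
EOF

# Report every line of a newusers input that does not have the 7 fields of
# /etc/passwd or reuses a username, UID or home directory seen earlier.
# One problem per output line; exit status 1 if anything was found.
check_user_file() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1; next }
        ($1 in name) { printf "line %d: duplicate username %s\n", NR, $1; bad = 1 }
        ($3 in uid)  { printf "line %d: duplicate UID %s\n", NR, $3; bad = 1 }
        ($6 in home) { printf "line %d: duplicate home directory %s\n", NR, $6; bad = 1 }
        { name[$1] = 1; uid[$3] = 1; home[$6] = 1 }
        END { exit bad }' "$1"
}

# Every user named in the password mapping file must exist in the user file.
check_passwd_file() {
    awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { known[$1] = 1; next }
        !($1 in known) { printf "line %d: %s is not in the user file\n", FNR, $1; bad = 1 }
        END { exit bad }' "$1" "$2"
}

# The page's sequence, run as root only after both input files pass the checks.
bulk_add_users() {
    check_user_file "$1" && check_passwd_file "$1" "$2" || return 1
    [ "$(id -u)" -eq 0 ] || { echo "bulk_add_users: must run as root" >&2; return 1; }
    newusers < "$1" && pwunconv && chpasswd < "$2" && pwconv
}

echo "checking bad.txt:"
check_user_file "$TMPD/bad.txt" || echo "bad.txt rejected"
echo "checking user.txt and passwd.txt:"
check_user_file "$TMPD/user.txt" && check_passwd_file "$TMPD/user.txt" "$TMPD/passwd.txt" \
    && echo "user.txt and passwd.txt accepted"
```

The checks run on any machine; bulk_add_users itself has to be run as root on the target system, for example as bulk_add_users user.txt passwd.txt. passwd.txt holds plaintext passwords, so keep it readable by root only and delete it once pwconv has finished. On current shadow-utils, chpasswd updates /etc/shadow directly, so the pwunconv and pwconv steps are only needed on systems that behave as the page describes.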
