The Saigon CTT Chapter 10 Managing Users

Transcript of The Saigon CTT Chapter 10 Managing Users (18 pages)

Page 1: Chapter 10 Managing Users

Page 2: Objectives

Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users

Page 3: New User Requirements

When adding a new user, you need to be familiar with these files under the /etc directory: passwd, shadow, group, gshadow.

/etc/passwd contains information on all users: login name, user ID, group ID, descriptive name, home directory, login shell
/etc/shadow stores the parameters that control account access: the user's password hash and password aging information
/etc/group contains information about users' groups
/etc/gshadow stores group password hashes, etc. (rarely used)

Page 4: Preparing Groups

Carefully constructed groups are very useful to users who are all working in the same department or project.
Groups not only allow for a second level of access control but also allow the members of a group to share files in a secured environment.
Each line in the /etc/group file corresponds to a group.
Commands to modify groups: groupadd, groupmod, groupdel

Page 5: The /etc/passwd

Each line in this file corresponds to a user and has the following form:

name:password:UID:GID:comment:home directory:shell

# more /etc/passwd
root:x:0:0:Super User:/root:/bin/bash
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
...

Page 6: Allocating User IDs

All Linux systems come with several administrative users pre-configured; they are intended to perform certain administrative work. They are typically assigned UIDs less than 100: root, bin, daemon, sys, adm, lp, …
Systems with administration tools allocate UIDs automatically, generally greater than 100.
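The following is an added example, not part of the course slides: it parses the seven-field record form shown on the /etc/passwd page and applies the UID convention from this page (administrative accounts below 100) to a constructed sample file, flagging the two things an administrator checks first in this file, shared UIDs and password fields that are not the "x" pointer into /etc/shadow. The threshold of 100 and the sample records are assumptions taken from the slides, not from a real host.

```python
# Constructed sample of /etc/passwd (not taken from any real host). The root
# and henry lines follow the slide; the others are added to exercise the checks.
SAMPLE_PASSWD = """\
root:x:0:0:Super User:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
henry:x:101:101:Thiery Henry:/home/henry:/bin/ksh
blofeldt:x:416:400::/home/blofeldt:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
guest::500:500:guest:/home/guest:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")


def parse_passwd(text):
    """Split passwd-format text into one dict per record (7 colon-separated fields)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        records.append(rec)
    return records


def system_accounts(records, system_uid_max=100):
    """Logins in the pre-configured administrative range (UID below 100 per the slide)."""
    return [r["name"] for r in records if r["uid"] < system_uid_max]


def audit_passwd(records):
    """Findings an administrator reviewing this file would want flagged."""
    findings, by_uid = [], {}
    for r in records:
        by_uid.setdefault(r["uid"], []).append(r["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:  # two logins sharing one UID; UID 0 is the worst case
            findings.append(f"uid {uid} shared by {names}")
    for r in records:
        if r["password"] == "":  # blank field: the login needs no password at all
            findings.append(f"{r['name']}: empty password field")
        elif r["password"] != "x":  # anything but 'x' means the hash is not in /etc/shadow
            findings.append(f"{r['name']}: password hash kept in /etc/passwd")
    return findings
```

Running `audit_passwd(parse_passwd(open("/etc/passwd").read()))` on a real system applies the same checks to the live file.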

Page 7: Adding Users

The useradd utility is recommended for administering users. It creates the required records in /etc/passwd and /etc/shadow.

A list of options can be used with useradd to override the defaults:

-u UID        Specify new user ID (default: next available number)
-g GID        Specify default (primary) group (default: other group)
-c comment    Description of user (default: blank)
-d directory  Define home directory (default: /home/username)
-m            Make home directory
-k skel_dir   Skeleton directory (default: /etc/skel)
-s shell      Specify login shell (default: /bin/bash)

Page 8: Changing User Attributes

If you edit the files manually, you risk corrupting a file, with the result that users are not able to log in at all. Instead, use the usermod utility:

# usermod -g users -c "Henry Blake" henry
# usermod -u 321 -s /bin/ksh majorh
# usermod -f 10 henry
# usermod -e 2004-12-20 majorh

Page 9: Changing Group Membership

Each user belongs to a primary group, which can be changed with usermod -g.
A user can also belong to secondary groups, controlled by usermod -G.

# grep blofeldt /etc/passwd
blofeldt:x:416:400::/home/blofeldt:/bin/bash
# groups blofeldt
blofeldt : mash
# groupadd -g 600 fleming
# usermod -G fleming blofeldt
# grep blofeldt /etc/group
fleming:x:600:blofeldt

Page 10: Removing Users

When a user leaves, there are two main concerns:

Protect the system from unauthorized access via his/her account
Protect and manage the files and directories he/she left on the system

The userdel command takes care of removing a user account. userdel can remove the user's home directory but does not remove the user's mail, crontab table, atd queues, …

Page 11: Removing Users - userdel

Command format:

userdel [option] <login_name>

-r    Remove the home directory as well

Page 12: To safely remove a user from a system:

1. Lock the account password until you are ready to remove it altogether (use the chage command):
# chage -E 1999-01-01 henry

2. Save all files owned by the user somewhere outside the home directory:
# find / -user henry -print | cpio -ov | gzip > /hold/henry
# find / -user henry -type f -exec rm -f {} \;
# find / -user henry -type d -depth -exec rmdir {} \;

Page 13: To safely remove a user from a system:

3. Change the access permissions on the saved files to root only:
# chown root /hold/henry ; chmod 700 /hold/henry

4. Consider crontab and at jobs set up by the user

5. Set up mail forwarding to send the user's mail to a manager

Page 14: Security

Use the passwd command to change a password:

# passwd henry
current password:
new password:
retype new password:

Choosing a password:
• Do not use proper words or names
• Use letters and digits
• Include symbols: !, @, #, $, %, …

Do not allow a guest account to log in to your system

Page 15: The /etc/shadow File

If shadow passwords are used, encrypted passwords are stored in this file:

name:password:lastchange:min:max:warn:inactive:expire:flag

name        User login name, mapped to /etc/passwd
password    Encrypted password. If this field is blank, there is no password; "*" means the account is locked, …
lastchange  Number of days since the last password change, counted from 1/1/70
min         Minimum number of days between password changes
max         Maximum number of days the password is valid
warn        Number of days before expiration that the user will be warned
inactive    Number of days of inactivity allowed for this user
expire      Absolute date beyond which the account will be disabled

Page 16: Account Security

Actions you can take to improve security:

Use a preset expiration date for temporary employees:
# usermod -e 2003-12-20 henry

Use inactivity counts to lock unused accounts:
# usermod -f 5 henry

Change passwords known by someone who leaves. If they knew the root password, change ALL passwords.

Page 17: Account Security

Password aging with the chage command:

chage [options] <user>

Options:
-m <mindays>     Minimum days
-M <maxdays>     Maximum days
-d <lastdays>    Day last changed
-I <inactive>    Inactive lock
-E <expiredate>  Expiration (YYYY-MM-DD or MM/DD/YY)
-W <warndays>    Warning days
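An added example, not taken from the course slides, that ties the /etc/shadow field layout (page 15) to the chage options above: it parses the nine-field record, converts a chage -E style date into the day count the file stores, and reports for a given day which conditions apply to each account (locked, expired through -E, password older than -M, past the -I grace period, or inside the -W warning window). The sample records are constructed with placeholder hashes, and the reference day is passed in so the result is reproducible.

```python
from datetime import date

# Constructed sample of /etc/shadow (not from any real host): hashes are placeholders,
# day counts are days since 1970-01-01 as the slide describes, blank fields are unset.
SAMPLE_SHADOW = """\
root:$6$placeholder$placeholderhash:12700:0:99999:7:::
henry:$6$placeholder$placeholderhash:12700:0:90:7:5::
majorh:!$6$placeholder$placeholderhash:12700:0:99999:7::12772:
blofeldt:$6$placeholder$placeholderhash:12600:0:90:7:5::
guest::12700:0:99999:7:::
"""

FIELDS = ("name", "password", "lastchange", "min", "max", "warn", "inactive", "expire", "flag")


def days_since_epoch(ymd):
    """Convert a chage -E style YYYY-MM-DD date to the day count /etc/shadow stores."""
    return (date(*map(int, ymd.split("-"))) - date(1970, 1, 1)).days


def parse_shadow(text):
    """One dict per shadow record; numeric fields become int, blank ones None."""
    records = []
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 9 fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in FIELDS[2:]:
            rec[key] = int(rec[key]) if rec[key] else None
        records.append(rec)
    return records


def account_status(rec, today):
    """Flags for one record on day `today`, mirroring what chage -E/-M/-I/-W control."""
    flags, pw = [], rec["password"]
    if pw == "":
        flags.append("no-password")            # blank field: no password at all
    elif pw[0] in "!*":
        flags.append("locked")                 # '!' or '*' prefix: password login disabled
    if rec["expire"] is not None and today > rec["expire"]:
        flags.append("account-expired")        # absolute expiry date (chage -E)
    if rec["lastchange"] is not None and rec["max"] is not None:
        limit = rec["lastchange"] + rec["max"]
        if today > limit:
            flags.append("password-expired")   # older than max days (chage -M)
            if rec["inactive"] is not None and today > limit + rec["inactive"]:
                flags.append("inactive-locked")  # grace period used up (chage -I)
        elif rec["warn"] is not None and today >= limit - rec["warn"]:
            flags.append("expires-soon")       # inside the warning window (chage -W)
    return flags
```

Calling `account_status(r, days_since_epoch("2005-01-02"))` on each parsed record shows majorh disabled by the 2004-12-20 expiry set on page 8 and blofeldt locked out after the five-day inactivity grace period.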

Page 18: Summary

Define the requirements for user accounts
Explain group and group accounts
Construct configuration files (group, passwd, shadow)
Demonstrate adding users
Describe modifying user details
Explain user passwords
Demonstrate deleting users