A comprehensive guide for basic user management of a linux box:
Creating a user is rather simple. While logged in as root, type:
useradd username
Where “username” is the name of the user you want to add. There are a couple of options to this command as well.
-s allows you to specify what shell you want this user to have. For instance, the default is the “bash” shell, but if you wanted a user to have the ZSH shell you’d do the following:
useradd username -s /bin/zsh
-d will specify a home directory. On most modern Linux systems this is set automatically by useradd to /home/<username>. If you wish to specify somewhere different, simply do this:
useradd -d /new/path/of/home username
-g will specify what group you want this user to have as its default group. This is optional, as the system will auto-assign a group to the user.
-m tells the system to create the user’s home directory if it does not exist. The files and directories contained in the skeleton directory (which can be defined with the -k option) will be copied to the home directory. By default the “skeleton” directory is /etc/skel; any file in this directory will be copied to newly created home directories.
-k This allows you to assign a skel directory other than the default.
For the rest of the useradd options please see man useradd. Note that by default no home directory is created; pass -m to create it.
Once your user is created you’ll want to set a password for that user. While logged in as root or as the user whose password will be changed, type:
passwd username
Where “username” is the name of the user whose password you want to change. This command also works to change the password of an already existing user. If you wish to change your own password, just type “passwd” without specifying a user; the password of the user you are logged in as will be changed.
Let’s say this is a line out of my /etc/passwd file:
Each field is separated by a “:”. This is what each field represents:
- Username: This is the name the user logs in with. It should be between 1 and 32 characters in length.
- Password: An x character indicates that the encrypted password is stored in the /etc/shadow file (see below).
- User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
- Group ID (GID): The primary group ID (stored in the /etc/group file). It tells the system which group this user belongs to.
- User ID Info: The comment field. It allows you to add extra information about the user such as the user’s full name, phone number, etc. This field is used by the finger command.
- Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist then the user’s directory becomes /.
- Command/shell: The absolute path of the default shell (usually /bin/bash).
The /etc/passwd file is readable by other users on the system. Even though an encrypted password can be placed in the /etc/passwd file, it is safer practice to put an x in the password field, telling the system to look in the /etc/shadow file for the encrypted password. In the /etc/shadow file there is a line for every user with their encrypted password. Only a user with root privileges can view this file.
Again, each field is separated by colons “:”:
- User name: your login name
- Password: your encrypted password. The password should be a minimum of 6-8 characters long, including special characters/digits
- Last password change (lastchanged): days since Jan 1, 1970 that the password was last changed
- Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password
- Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)
- Warn: the number of days before the password is to expire that the user is warned that his/her password must be changed
- Inactive: the number of days after the password expires that the account is disabled
- Expire: days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provide password aging and account lockout features (you need to use the chage command to set up password aging). According to the man page of shadow, the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64-character alphabet a through z, A through Z, 0 through 9, . and /. Optionally it can start with a “$” character, which means the encrypted password was generated using another (not DES) algorithm. For example, if it starts with “$1$” it means the MD5-based algorithm was used.
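As an added example (not from the original guide), here is a small POSIX sh audit that reads the fields described above: it reports the hash algorithm from the “$id$” prefix, whether the password is locked, and whether Last password change plus Maximum has already passed. The sample lines are constructed, the “today” day count is passed in as an argument so the logic can be checked, and the $5$, $6$ and $y$ prefixes (SHA-256, SHA-512 and yescrypt) are ones the guide does not list.

```shell
#!/bin/sh
# Added example, not from the original guide: audit /etc/shadow entries.
# shadow_audit LINE TODAY -> "user algorithm aging"
#   LINE  = one /etc/shadow line, TODAY = days since Jan 1 1970
shadow_audit() {
    line=$1
    today=$2
    user=$(printf '%s' "$line" | cut -d: -f1)
    hash=$(printf '%s' "$line" | cut -d: -f2)
    last=$(printf '%s' "$line" | cut -d: -f3)
    max=$(printf '%s' "$line" | cut -d: -f5)
    case "$hash" in
        '!'*|'*'*|'') algo=locked ;;   # "!" from usermod -L; "*" or empty: no usable password
        '$1$'*) algo=md5 ;;
        '$5$'*) algo=sha256 ;;
        '$6$'*) algo=sha512 ;;
        '$y$'*) algo=yescrypt ;;
        *)      algo=des ;;            # plain 13-character crypt(3) hash
    esac
    # 99999 or an empty Maximum field means no password aging is enforced
    aging=none
    if [ -n "$max" ] && [ "$max" -lt 99999 ]; then
        if [ $((${last:-0} + max)) -lt "$today" ]; then
            aging=expired
        else
            aging=ok
        fi
    fi
    printf '%s %s %s\n' "$user" "$algo" "$aging"
}

# audit_shadow CONTENT TODAY -> one report line per entry
audit_shadow() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        shadow_audit "$l" "$2"
    done
}

# Constructed sample /etc/shadow content (not real accounts or hashes)
SAMPLE_SHADOW='alice:$6$saltsalt$hashhashhash:19700:0:90:7:::
bob:$1$abc$def:19750:0:99999:7:::
svc:!$6$x$y:19000:0:90:7:::
nopass:*:19000::::::'

# Stand-alone run against the sample, using the real current day count
audit_shadow "$SAMPLE_SHADOW" "$(( $(date +%s) / 86400 ))"
```

On a real box run `audit_shadow "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))"` as root; md5 or des entries and ok entries without aging are the ones worth a second look.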
The usermod command can change just about anything that you can set with useradd. You can change the shell (-s), the UID (-u), the login name (-l, though this will not change permissions set for your old login name), the initial group (-g) and supplementary groups (-G).
The syntax is generally the same too:
usermod <options> <username>
Common usages are to lock a user account (-L), which puts a ‘!’ in front of the encrypted password, effectively disabling the password, and to unlock it (-U).
See: man usermod
While logged in as root, type:
userdel -r username
Where “username” is the name of the user you want to remove. The -r option also removes the user’s home directory. You can delete the user without the “-r” option and delete the user’s home directory manually. If the group the user was in is no longer needed, you may delete it by editing the “/etc/group” file.
Create a Group
groupadd [-g gid [-o]] [-r] [-f] group
The groupadd command creates a new group account using the values specified on the command line and the default values from the system. The new group will be entered into the system files as needed. None of the options below are necessary; you can add a group simply by:
groupadd group
(with “group” being the name of the group)
That being said, the options which apply to the groupadd command are:
-g gid The numerical value of the group’s ID. This value must be unique, unless the -o option is used. The value must be non-negative. The default is to use the smallest ID value greater than 500 and greater than every other group. Values between 0 and 499 are typically reserved for system accounts.
-r This flag instructs groupadd to add a system account. The first available gid lower than 499 will be automatically selected unless the -g option is also given on the command line. This is an option added by Red Hat.
-f This is the force flag. This will cause groupadd to exit with an error when the group about to be added already exists on the system. If that is the case, the group won’t be altered (or added again). This option also modifies the way the -g option works. When you request a gid that is not unique and you don’t specify the -o option too, the group creation will fall back to the standard behavior (adding a group as if neither -g nor -o had been specified). This is an option also added by Red Hat.
Modify a Group
groupmod [-g gid [-o]] [-n group_name ] group
The groupmod command modifies the system account files to reflect the changes that are specified on the command line. The options which apply to the groupmod command are:
-g gid The numerical value of the group’s ID. This value must be unique, unless the -o option is used. The value must be non-negative. Values between 0 and 99 are typically reserved for system groups. Any files whose group ID is the old group ID must have their file group ID changed manually.
-n groupname The name of the group will be changed from group to groupname.
Delete a Group
groupdel group
The groupdel command modifies the system account files, deleting all entries that refer to group. The named group must exist.
You must manually check all filesystems to ensure that no files remain with the named group as the file group ID. You can do this easily with the find command, for example:
find /var/tmp -gid 1000
/etc/group is a file that defines the groups to which users belong. In Linux multiple users can be categorized into groups. Linux file system permissions are organized into three classes: user, group, and others. The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks, printers, and other peripherals.
It stores group information, i.e. it defines the groups to which users belong. There is one entry per line, and each line has the following format (all fields are separated by a colon (:)):
group_name:password:GID:group_list
Like the previous files talked about in Part 1, the fields are separated by colons. This is what each field represents:
- group_name: The name of the group. If you run the ls -l command, you will see this name printed in the group field.
- Password: Generally a password is not used, hence it is empty/blank. It can store an encrypted password. This is useful to implement privileged groups.
- Group ID (GID): Each user must be assigned a group ID. You can see this number in your /etc/passwd file.
- Group List: A list of user names of users who are members of the group. The user names must be separated by commas.
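As an added example (not from the original guide), the following POSIX sh function lists every member of a group: the Group List field above only holds supplementary members, so users whose primary GID in /etc/passwd is this group have to be merged in from that file. The passwd and group contents here are constructed samples; on a real box omit the last two arguments and the function reads /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original guide: full membership of a group.
# group_members NAME [PASSWD_CONTENT] [GROUP_CONTENT] -> sorted members, one per line
# Merges the supplementary members from /etc/group with every user whose
# primary GID in /etc/passwd is the group's GID (those never appear in /etc/group).
group_members() {
    name=$1
    passwd_data=${2:-$(cat /etc/passwd)}
    group_data=${3:-$(cat /etc/group)}
    gid=$(printf '%s\n' "$group_data" | awk -F: -v g="$name" '$1 == g { print $3 }')
    [ -n "$gid" ] || return 1          # no such group
    {
        # 4th field of the matching /etc/group line, split on commas
        printf '%s\n' "$group_data" |
            awk -F: -v g="$name" '$1 == g && $4 != "" {
                n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        # users whose 4th /etc/passwd field (primary GID) equals the group's GID
        printf '%s\n' "$passwd_data" | awk -F: -v id="$gid" '$4 == id { print $1 }'
    } | sort -u
}

# Constructed sample files (not real accounts)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1002:Bob:/home/bob:/bin/zsh
carol:x:1002:1002:Carol:/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
alice:x:1000:
devs:x:1002:alice
wheel:x:10:alice,bob'

# Stand-alone run: "devs" lists alice (supplementary), bob and carol (primary)
group_members devs "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```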
Users on Linux systems are assigned to one or more groups for following reasons:
- To share files or other resources with a small number of users
- Ease of user management
- Ease of user monitoring
- Group membership gives you or your user special access to files and directories or devices which are permitted to that group
Like /etc/shadow, /etc/gshadow contains secure group account information only readable by the root account such as group passwords.
The finger command reads the /etc/passwd file and displays information about a user. It is executed like below:
finger username
It will tell you a user’s name (if given in the comment field), home directory, default shell, and whether they’re on the system and if so, for how long.
The chfn command changes finger information and extends what is provided in /etc/passwd. You use it as follows:
chfn -option username
The options for chfn are as follows:
-f Assigns a full name to the user
-o Allows the assignment of an office location
-p Assigns an office phone number
-h Assigns a home phone number