Lecture 4-Managing Users1-1

Managing Users and Groups in Linux involves creating and managing user accounts and groups. Key files such as /etc/passwd, /etc/shadow, and /etc/group store user and group information, while commands like useradd, groupadd, and chown are used to administer accounts and permissions. Proper management of users and groups is important for system security and access control.

Uploaded by

simbaay652

Managing Users

Managing Users Accounts


Managing Users and Groups
• One of the key administrative tasks with Linux is
managing users and groups.
• The primary reason for user accounts is to verify the
identity of each individual using a computer system.
• A secondary reason for user accounts is to permit the
per-individual tailoring of resources and access
privileges.
• Resources can include files, directories, and
devices. Controlling access to these resources is a
primary task of an administrator
Groups tie together users that have a
common purpose.
• An organization may have persons responsible for accounts
payable and others responsible for payroll.
• By placing the user accounts in an accounts payable
group then common permissions can be given to all the
members of that group.
• Members of the accounts payable group would not have
access to the information and resources of the payroll
group. Users within the same group have the same read,
write, or execute privileges of group resources.
etc
• Several files are used when creating users in Linux. The
following are a few most commonly used.
/etc/passwd
/etc/shadow
/etc/group
/etc/passwd
• The /etc/passwd file contains the user ID, and default home directory.
Because this file is used by many tools it needs to be readable by any user.
• To view the /etc/passwd file use the less command.
less /etc/passwd
• The /etc/passwd file is a group of fields separated with a colon (:). They
are username, password (shown as an x), numeric user ID, numeric
group ID, full name, user’s home directory, and user’s shell account.
• The format of the /etc/passwd file is as follows:
• username:password:UID:GID:comments:home_dir:shell
• For example; joe:x:1000:1000:Joe Henderson:/home/joe:/bin/bash
• The first entry in the /etc/passwd file is the root account
/etc/shadow
• The /etc/shadow file contains the encrypted passwords and other password information.
• This file is viewable by the root user only.
• To view the /etc/shadow file use the following commands:
su - root
tail /etc/shadow
• The /etc/shadow file is a group of fields separated with a colon (:). They are:
• Username
• password (13 characters encrypted)
• the number of days since the password was last changed
• the number of days before the password may be changed
• the number of days to warn a user of an expiring password
• the number of days after a password expires that account is disabled
• the number of days since an account has been disabled
• a reserved field for possible future use.
Creating accounts
• Now that you know where account information is stored, let’s create an account using the useradd command.
• Adding accounts requires superuser privileges, so make sure you are using the root account or sudo. Here is the format of the useradd
command.
useradd [options] username
• The most commonly used options for the useradd command are:
• -c "COMMENT" Comments for the account, such as the user’s full name.
• -m Use the -m option to create the user’s home directory.
• -s /shell/path The path to the user’s shell.
• You can see a list of installed shells on your Linux system by looking at /etc/shells.
• For example, an account is created for Grant Stewart. His username is grant and his shell is bash.
• # useradd -c "Grant Stewart" -m -s /bin/bash grant
• Other options for the useradd command include the following:
• -g GROUP Specify the default group for the account.
• -G GROUP1,GROUPN Add the account to additional groups.
• For example, let’s create an account for Eddie Harris. His login will be eharris and his default group will be sales. We will also make him a
member of the projectx group.
• # useradd -c "Eddie Harris" -m -s /bin/bash -g sales -G projectx eharris
• # passwd eharris
Creating accounts
• A look at the /etc/shadow file shows that jsmith was added but a
password has not been assigned. The command to add a password is
passwd. As root you can change the password for jsmith with the
following command:
passwd jsmith
• You will be asked to type the password and then repeat it to ensure it was
typed correctly. The root user can change any user password. A user can
change their own password by typing passwd without a user ID.

• passwd has options to configure the minimum password lifetime,
maximum password lifetime, and other options.
Suspending a User Account
• Put a * at the start of the password field in /etc/shadow
• Change login shell to /sbin/nologin or /etc/false
• Use GUI to suspend the user
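The field layouts of /etc/passwd and /etc/shadow and the suspension methods listed above can be checked with a short audit script. This is an added example, not part of the original slides: the function names audit_accounts and run_sample_audit and all sample entries are constructed, and a leading ! (the prefix passwd -l writes) is treated as locked in the same way as a leading *.

```sh
#!/bin/sh
# Added example: flag risky or suspended accounts from passwd/shadow-format files.
# The sample entries below are constructed; they are not from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000:Joe Henderson:/home/joe:/bin/bash
grant:x:1001:1001:Grant Stewart:/home/grant:/bin/bash
eharris:x:1002:2000:Eddie Harris:/home/eharris:/sbin/nologin
jsmith:x:1003:1003:J Smith:/home/jsmith:/bin/bash
guest:x:1004:1004:Guest:/home/guest:/bin/bash
toor:x:0:0:second UID 0 entry:/root:/bin/bash'
SAMPLE_SHADOW='root:$6$salt$CONSTRUCTEDHASH:19000:0:99999:7:::
joe:$6$salt$CONSTRUCTEDHASH:19000:0:99999:7:::
grant:*$6$salt$CONSTRUCTEDHASH:19000:0:99999:7:::
eharris:$6$salt$CONSTRUCTEDHASH:19000:0:99999:7:::
jsmith:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:$6$salt$CONSTRUCTEDHASH:19000:0:99999:7:::'

# audit_accounts PASSWD_FILE SHADOW_FILE -> one "user: finding" line per issue.
audit_accounts() {
    awk -F: '
        NR == FNR { hash[$1] = $2; next }            # first file: shadow
        {
            user = $1; uid = $3; shell = $7
            if (uid == 0 && user != "root")   print user ": UID 0 but not root"
            if (!(user in hash))              print user ": no shadow entry"
            else if (hash[user] == "")        print user ": empty password field"
            else if (hash[user] ~ /^[*!]/)    print user ": password locked"
            if (shell ~ /\/(nologin|false)$/) print user ": non-login shell"
        }' "$2" "$1"
}

# Run the audit over the constructed samples using temporary files.
run_sample_audit() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

run_sample_audit
```

On a real system the same function can be run as root with /etc/passwd and /etc/shadow as its two arguments.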
Deleting Accounts
• Deleting a user account is done as the root user with the userdel command. To delete
the user jsmith use the command:
userdel jsmith
• userdel has one option, -r, which removes the user’s home directory as well as the
account. To remove jsmith and the associated home directory, /home/jsmith, use the
following command:
userdel -r jsmith
• Once a user’s home directory is removed it would have to be restored from backup to
recover it.
• There may be orphaned files (files that are not associated with a valid user) when you
delete a user
• Example: jsmith was storing some files in /tmp. Those files are not deleted when the
user jsmith is removed. Those files in /tmp are now orphaned.
Updating Accounts
• To update, or modify, an existing user account, use the usermod command.
• Here are the most commonly used options to the usermod command. For a full listing of
all the options available see man usermod or usermod --help.
usermod [options] username
• -c "COMMENT" Update the comment field.
• -g GROUP Change the primary group.
• -G GROUP1,GROUPN Change the additional groups the account belongs to.
• -s /path/to/shell Change the account’s shell.
Root Account
• Special and powerful account
• UID 0
• Guard your root passwd “with your life!!!”
• At least 8 chars. long
• Don’t write it down
• Mix letters, numbers and punctuation
• Eg. Bambo0!
• Don’t login root as a normal user
• Use su when needed
• Don’t share your root passwd with others
Root Account
• Use sudo instead
• $ sudo /bin/bash
• /etc/sudoers
• All commands are logged
• To edit /etc/sudoers
• $ visudo
• foo ALL=(root) ALL
• User foo can run ALL commands on ALL machines as root
• Host_Alias CS=eon,orpheus
• Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
• bar CS=SNOOP
Groups
• The main file for groups is the /etc/group file. The file is a group of fields that describe the group and who is a
member of it. The fields in order are the group name, password (not used), numeric ID, and then a list of
members separated by a comma.
• The first entry in the /etc/group file is the root group
• The format of the /etc/group file is as follows
• group_name:password:GID:account1,accountN
• Each field is separated by a colon. The group name is the human readable name that you will see when group
information is displayed by commands such as ls.
• The password is used for privileged groups, but that functionality is rarely used. When there is an x in this field
it means that shadow group passwords are being used. That information is stored in the /etc/gshadow file.
• A group is used to assign rights and permissions to users. For example, if you have several files that should be
made available to users in the Accounts Payable department you could create an Accounts Payable group then
add users to the group. Once the group is populated then the permissions of the file or directory can be
changed to allow access by the group.
Creating Groups
• To create a group, use the groupadd command.
groupadd [options] group
• -g GID Assign the numerical value for the group ID.
• For example;
groupadd AccountsPayable
• The most commonly used option for the groupadd command is -g, which allows you to
specify the GID. Let’s create two groups. For the first group, we’ll let the groupadd command
automatically select the GID. For the second group, we’ll specify the GID.
• groupadd -g 2500 db
Deleting Groups
• To delete a group, simply pass the group name to the
groupdel command.
• groupdel group
• Let’s delete the db group.
• # groupdel db
Updating Groups
• To change the properties of an existing group,
use the groupmod command.
groupmod [options] group
• -g GID Change the group ID to GID.
• -n GROUP Change the name of the group to
GROUP
Assigning Users to a Group
• The usermod command is used to add users to a group.
• It also has options to change the home directory, change the shell, and other values.
• To use usermod to add users jsmith and jdoe to the AccountsPayable group type the following:
usermod -G AccountsPayable jsmith
usermod -G AccountsPayable jdoe
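Because -G changes the list of additional groups (it replaces the list rather than extending it unless -a is also given), it is worth checking which memberships an account would lose before running the commands above. The following is an added example, not part of the original slides: the function names supp_groups, dropped_by_G and run_sample_check and the sample group entries are constructed, using the /etc/group format described earlier.

```sh
#!/bin/sh
# Constructed /etc/group-format sample (group_name:password:GID:members).
SAMPLE_GROUP='root:x:0:
sales:x:2000:eharris
projectx:x:2001:eharris,jsmith
db:x:2500:jsmith,jdoe
AccountsPayable:x:2600:'

# supp_groups USER GROUP_FILE -> supplementary groups listing USER, one per line.
supp_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# dropped_by_G USER NEWLIST GROUP_FILE -> groups USER would lose if
# "usermod -G NEWLIST USER" were run without -a (the list replaces, not extends).
dropped_by_G() {
    supp_groups "$1" "$3" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        !($0 in want)'
}

# Check the constructed sample: what would jsmith lose with -G AccountsPayable?
run_sample_check() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
    dropped_by_G jsmith AccountsPayable "$tmp"
    rm -f "$tmp"
}

run_sample_check
```

Running usermod -aG AccountsPayable jsmith instead appends the group and leaves the existing memberships in place.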
Changing Group Permissions
• Groups can be used to assign privileges to resources, such as a directory.
• For example, to change the group of the AP directory to AccountsPayable, use
the following command:
chgrp -R AccountsPayable AP
• Where -R causes it to recursively affect files and directories within the
AP directory, AccountsPayable is the new group, and AP is the name of
the directory.
• Permissions for group are then changed to give full read/write/execute
access with the chmod command.
chmod 775 AP
Managing System Resources
Backup & Restore
• Backup the user area or configuration file
• Use tar to take backup on a different disk or tape
• Backup can be scheduled using cron
• Backup: tar -zcvf <tar filename> <Directory Tree to be backed up>
• Restore: tar -zxvf <tar filename> <file to be recovered>
• Backups should be checked occasionally by restoring them
• Backup Policy: full backup weekly/fortnightly and incremental
backup every day
Software package management
• A way to distribute software and configuration
• Eg.
• .tar.gz or tgz (Slackware)
• .rpm (Red Hat, Fedora, SUSE, …)
• .deb (Debian, Ubuntu)
• Meta-package manager
• Locate packages on the Internet, download, install and analyze inter-package
dependencies. eg.
• yum (rpm)
• apt-get (deb and rpm)
Installing Software on CentOS, Fedora, and
RedHat Distributions
• The yum command line utility is a package management program for Linux distributions
that use the RPM package manager. CentOS, Fedora, Oracle Linux, RedHat Enterprise
Linux, and Scientific Linux are RPM-based distributions on which you can use yum.
• yum search search-string - Search for search-string.
• yum install [-y] package - Install package. Use the -y option to automatically answer yes
to yum’s questions.
• yum remove package - Remove/uninstall package.
• yum info [package] - Display information about package.
• To search for software to install, use yum search search-string
• To install software, use yum install package . Installing software requires superuser
privileges. This means you need to use sudo or switch to the root account with the su
command
sudo yum install inkscape
Installing Software on CentOS, Fedora, and
RedHat Distributions
• The rpm command: in addition to the yum command, you can use the
rpm command to interact with the package manager.
• rpm -qa - List all the installed packages.
• rpm -qf /path/to/file - List the package that contains file.
• rpm -ivh package.rpm - Install a package from the file named
package.rpm.
• rpm -ql package - List all files that belong to package.
• rpm -e emacs - To uninstall/erase a software package
• RPM Disadvantages
• Very primitive
• Have to resolve software dependencies manually
Installing Software on Debian and Ubuntu
• The Debian and Ubuntu distributions use a package manager called APT, the Advanced Packaging Tool.
• APT is comprised of a few small utilities with the two most commonly used ones being apt-cache and apt-get
• apt-cache search search-string - Search for search-string.
• apt-get install [-y] package - Install package. Use the -y option to automatically answer
yes to apt-get’s questions.
• apt-get remove package - Remove/uninstall package, leaving behind configuration files.
• apt-get purge package - Remove/uninstall package, deleting configuration files.
• apt-cache show package - Display information about package.
• To search for software to install, use apt-cache search search-string .
$ apt-cache search inkscape
• To install software, use apt-get install package . Installing software requires superuser privileges. This means you
need to use sudo or switch to the root account with the su command.
• sudo apt-get install inkscape
• To uninstall a package, use apt-get remove . Removing software requires superuser privileges.
• sudo apt-get remove inkscape
Installing Software on Debian and Ubuntu
• The dpkg Command
• In addition to the apt utilities, you can use the dpkg command to
interact with the package manager.
• dpkg -l - List all the installed packages.
• dpkg -S /path/to/file - List the package that contains the file.
• dpkg -i package.deb - Install a package from the file named
package.deb.
• dpkg -L package - List all files that belong to package.
• rpm or .deb are too primitive
• yum or apt-get is good for default system installation
• pkgtools is good for:
• Customized or local packages
• /import can be mounted over NFS for sharing
• Allow users to install software without root access
