Administration Users and Groups on linux

1) Users Administration

• On Linux there are 2 types of users:
  
  
  
  • User system
  
  
  • User user
  
  
  
  


• System user: used to execute necessary modules and scripts for the operating system.


• User users: are accounts for login using the operating system.

Among user accounts, the user root (super user) account is the most important:

• 
  
  
  
  • This account is automatically created when installing Linux.
  
  
  • This account cannot be renamed or deleted.
  
  
  • The root user is also called a super user because it has full rights on the system.
  
  
  • Only work with the root user when trying to perform system administration, in other cases, should only work with normal users.
  
  
  
  


• Each user usually has the following characteristics:
  
  
  
  • User account name is unique, can name lowercase, uppercase.
  
  
  • Each user has a unique identifier (uid).
  
  
  • Each user can belong to many groups.
  
  
  • Super user account has uid = gid = 0.
  
  
  
  

1.1) File / etc / passwd

• A text file containing information about the user accounts on the machine.


• Any user can read this file, but only the root user can make changes.


• To view the file's content, use the command:

cat /etc/passwd

• The file structure consists of several rows, each of which is a user information. The first line of the file describes the information for the root user (with uid = 0), followed by other system accounts, and lastly the names of normal user accounts. Each row is divided into 7 columns separated by signs:

Meaning of columns in file:

• 1 - User name (login name)


• 2 - The group password is encrypted (because there is / etc / shadow file) so default here is x


• 3 - User ID (uid)


• 4 - Group ID (gid)


• 5 - Name describing the user (comment)


• 6 - User's home directory (usually / home / user_name)


• 7 - The shell type will work when the user logs in, usually / bin / bash

1.2) File / etc / shadow

• It is a text file containing information about the passwords of the user accounts stored on the computer.


• Only the root user can read this file.


• The root user has the right to reset the password of any user on the device.


• Each line in the file contains information about the user's password, the format of the row consists of columns, values, and commas are used to separate the columns.

Meaning of columns:

• 1 - User name, same as in / etc / passwd (login name)


• 2 - Password is encrypted
  
  
  
  • Empty - no password
  
  
  • * - account is suspended (disable)
  
  
  
  


• 3 - Number of days since the last time the password was changed (from 1/1/1970)


• 4 - Number of days before the password can be changed. Significant 0 values ​​can be changed at any time.


• 5 - Number of days a password is valid. 99999 means that the password is valid indefinitely.


• 6 - Number of days to alert user before password expires


• 7 - Number of days after the password expires the account will be locked. Usually valid for 7 (1 week)


• 8 - Number of days since the account was locked (from 1/1/1970)

1.3) User management commands

1.3.1) useradd

• Is a command to create a user account.

useradd [options] [login_name]

• Options:
  
  
  
  • -c: comment: create an alias
  
  
  • -u: set user ID: default will get the next ID number to assign to the user (starting from 1000)
  
  
  • -d: specify a home directory for the user
  
  
  • -g: specify the primary group
  
  
  • -G: specify a sub group (extended group)
  
  
  • -s: specify shell for user to use
  
  
  
  

VD1:

 Tạo user với tên Will và tên đầy đủ là Will Smiths :

useradd -c "Will Smiths" will

=> The created user will belong to the group will and the user's home directory / home / will be created automatically.

VD2:

 Tạo user với tên justice và tên đầy đủ là Justice Smiths , user thuộc nhóm users và các nhóm wheel , sales :

useradd -g users -G wheel,sales -c "Justice Smiths" justice

1.3.2) passwd

• Is an order to set / change password for the user

passwd [login_name]

1.3.3) usermod

• Is the order to correct account information.

usermod [options] [login_name]

• Options:
  
  
  
  • -c: comment: create aliases
  
  
  • -d: change the home directory for the user
  
  
  • -m: move content from old home directory to new home directory (only used with -d)
  
  
  • -g: specify the primary group
  
  
  • -G: specify a sub group (extended group)
  
  
  • -s: specify shell for user to use
  
  
  • -l: rename the account
  
  
  • -L: lock the account
  
  
  
  

For example:

 Đổi tên tài khoản will thành jaden ( Jaden Smiths ) với thư mục home của user là /home/jaden

usermod -l jaden -c "Jaden Smiths" -m -d /home/jaden will

1.3.4) userdel

• A command to delete a user account

userdel [options] [login_name]

• Options:
  
  
  
  • -r: delete the user's home directory
  
  
  
  

• When deleting a user account using the userdel command, the corresponding description lines of the user in / etc / passwd and / etc / shadow are also deleted.

1.3.5) chage

• Used to set the policy for the user

chage [options] [login_name]

• Options:
  
  
  
  • -l: view the policy of 1 user
  
  
  • -E: set an expiration date for the account
  
  
  • -I: set the date to be locked after password expires (the date format is YYYY-MM-DD)
  
  
  • -m: set the minimum number of days allowed to change the password
  
  
  • -M: set the maximum number of days allowed to change the password
  
  
  • -W: set the number of days to alert before the password expires
  
  
  
  

VD1:

 Xem policy của user :

chage -l jaden

VD2:

 Thiết lập policy cơ bản :

chage -E 2019-08-30 -m 5 -M 90 -I 30 -W 14 jaden

=> The above command will set the password to expire on April 30, 2019. Additionally, the minimum / maximum number of days between password changes is between 5 and 90. Accounts will be locked after 30 days after the expiration date, and a warning message will be sent out 14 days before the expiry of the password.

VD3:

 Thiết lập tắt chính sách hết hạn mật khẩu :

chage -I -1 -m 0 -M 99999 -E -1 jaden

=> The above command will set "Password inactive" -> never (no password expiration) (parameter -1); the minimum / maximum number of days between password changes is infinite (0 -> 99999); Account never expires ("Account expires" -> never) (parameter -1) => THIS IS DEFAULT SETTING

VD4:

 Thiết lập bắt buộc user đổi mật khẩu trong lần đầu đăng nhập :

chage -d 0 jaden

=> The above command will set "Last Password Change" to "Password must be changed" and user must change password at first login.

1.3.6) id

• View current user information.

1.3.7) su

• Convert working user from terminal.


• The user root switches to other users without entering a password.


• If another user switches to the root user, then the password of the root user must be entered.

su -l [login_name]

2) Group Administration

• Group is a collection of many users.


• Each group has a unique name and a unique identifier (gid).


• When creating a user (not using the -g option), by default a group named user is created.

2.1) File / etc / group

• A text file containing information about groups on the computer.


• All users have the right to read this file, but only the root user has the right to change.


• Each file line contains information about a group on the machine, the format of the row includes many columns of values, the: is used to separate the columns.

• Meaning of columns:
  
  
  
  • 1 - Group name
  
  
  • 2 - The group password is encrypted (because there is / etc / gshadow file) so default here is x
  
  
  • 3 - Group code (gid)
  
  
  • 4 - List of users in the group
  
  
  
  

2.2) File / etc / gshadow

• Contains group password information.

• Meaning of columns:
  
  
  
  • 1 - Group name
  
  
  • 2 - The group password has been encrypted
  
  
  
  
  
  
  • Empty - no password
  
  
  • 3 - List of users with admin rights on this group
  
  
  • 4 - List of users in the group
  
  
  
  

2.3) Group management commands

2.3.1) groupadd

• Is the command to create a group.

groupadd [options] [group_name]

• Options:
  
  
  
  • -g [gid] : group definition with group code (gid) -g [gid] : group definition with group code (gid)
  
  
  
  

2.3.2) gpasswd

• Create a password for the group.

gpasswd [group_name]

2.3.3) groupmod

• Is the command to edit group information.

groupmod [options] [group_name]

• Options:
  
  
  
  • -g [gid] : edit group code (gid)
  
  
  • -n [group_name] : edit the group name
  
  
  
  

2.3.4) groupdel

• Use to delete a group.

groupdel [group_name]

Change the default parameters

• When using the useradd or groupadd command, if we do not list all the necessary parameters, the system will take the default value has been defined.


• We can change the definition of these values ​​in the following files:
  
  
  
  • /etc/login.defs: file contains default parameters when creating a user or creating a group.
  
  
  
  

• / etc / skel /: all files and subdirectories in these will be copied to the home directory of the newly created user.