[Share Experiences] UOS 1060a Sharing Series on User and Group Management
SuperDavid
Moderator
2024-08-30 17:50

I. Concepts of Users and Groups

(1) What is a User?

Running different services under different users improves security. Using multiple users lets the system keep processes separate and makes permissions easier to assign and manage.

Within the system, each user is assigned a unique identifier (User ID or UID) to distinguish them, while usernames are created for ease of use. Typically, users are given a password for login authentication.

There are three main types of users:

  • Super Administrator: Manages the system with UID 0 and has full system access.
  • System Users: Provide support services and processes. These processes (or daemons) generally do not run as super users. The system assigns non-privileged accounts to ensure their files and resources are unaffected by others. Users cannot log in interactively with system user accounts.
  • Normal Users: Have limited system access.

Use the id command to display information about the currently logged-in user.

[root@1060a ~]# id

uid=0(root) gid=0(root) groups=0(root)

(2) What is a User Group?

A group is a collection of users. Groups can be used to grant file access permissions to a set of users rather than just a single user. Groups are distinguished by a unique identifier (Group ID or GID) internally, and group names are for user convenience.

For a user, user groups can be divided into primary groups and supplementary groups.

  • Primary Group (Main Group): If no user group is specified during user creation, the system creates a user group with the same name as the username, which is the user's private group.
  • Supplementary Group (Secondary Group): A user can belong to multiple supplementary groups besides the primary group.

In the output of the id command, the gid= field shows the primary group, and the groups= field lists every group the user belongs to: the primary group followed by the supplementary groups.

(3) Explanation of User and Group Related Files

  • /etc/passwd: This file contains user account information. It stores every user's basic details and is readable by all users. Each line has seven fields separated by colons (:), for example:

root:x:0:0:root:/root:/bin/bash

Username:Password Placeholder:UID:GID:Description:Home Directory:Default Shell

  • Username: The account's username.
  • Password Placeholder: x indicates that the user needs a password to log in (the password itself is kept in /etc/shadow). Removing the x means no password is required.
  • UID: The user ID.
  • GID: The ID of the user's primary group.
  • Description (GECOS): The user's display name, shown in the login interface.
  • Home Directory: The default working directory upon login.
  • Default Shell: The default shell program for login. To prevent interactive login, use /sbin/nologin.

  • /etc/shadow: Stores the encrypted user password information and is readable only by the root user. For example:

root:XXXX:19663:0:90:7:::

Username:Encrypted Password:Last Password Change Date:Minimum Password Age:Maximum Password Age:Warning Period:Inactive Period:Expiration Date:Reserved

  • Username: The account's username.
  • Encrypted Password: The encrypted (hashed) password. !! indicates that no password has been set, an empty field means the password has been removed, and a leading ! marks a password that has been locked (see passwd -l below).
  • Last Password Change Date: The number of days since January 1, 1970, when the password was last changed. For example, 19663 represents the 19663rd day after January 1, 1970.

Use the following command to convert it to a standard date:

[root@1060a ~]# date -d '1970-01-01 19663 days'

Thu Nov 2 00:00:00 CST 2023

  • Password Verification: When a user attempts to log in, the system looks up the user's entry in /etc/shadow, hashes the entered password together with the salt stored in the entry using the hash algorithm the entry specifies, and compares the result with the stored hash.

  • /etc/group: This file contains information about user groups. For example:

root:x:0:

Group Name:Password Placeholder:GID:Group Members

  • Group Name: The name of the group.
  • Password Placeholder: Always x.
  • GID: The group ID.
  • Group Members: Users belonging to the group.

  • /etc/gshadow: Stores group password information, accessible only by the root user. For example:

root:::

Group Name:Group Password:Group Administrator:Group Members

  • Group Name: The name of the group.
  • Group Password: The encrypted group password.
  • Group Administrator: Can manage the group using the gpasswd command.
  • Group Members: Users belonging to the group.
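
The field layouts above, parsed and checked in a small added Python example written for this post (it is not part of the original and not UOS code). It reads constructed sample lines in the /etc/passwd and /etc/shadow formats, converts the shadow last-change day count the same way the date -d command above does, and flags the entries a defender reviews first; the UID_MIN cutoff of 1000 for system accounts is an assumption taken from a default /etc/login.defs.

```python
from datetime import date, timedelta

UID_MIN = 1000  # assumption: first normal-user UID, as in a default /etc/login.defs
NOLOGIN = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

# Constructed sample lines in the /etc/passwd and /etc/shadow layouts described above.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
user1:x:1100:1100::/home/user1:/bin/bash
user4:x:1103:1103:web server:/home/user4:/bin/bash"""
SHADOW_SAMPLE = """root:$6$constructed$hash:19663:0:90:7:::
backup:!!:19663:0:99999:7:::
daemon:*:19663:0:99999:7:::
user1::19663:0:99999:7:::
user4:!$6$constructed$hash:19663:0:99999:7:::"""

def parse_passwd(text):
    # username -> the seven colon-separated fields, UID/GID as integers
    users = {}
    for line in filter(None, text.splitlines()):
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = dict(pw=pw, uid=int(uid), gid=int(gid), gecos=gecos, home=home, shell=shell)
    return users

def parse_shadow(text):
    # username -> (encrypted password field, last-change date); field 3 counts days since 1970-01-01
    entries = {}
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
        entries[f[0]] = (f[1], changed)
    return entries

def audit(passwd, shadow):
    # flag the entries a defender reviews first; a '*' field can never match a hash
    findings = []
    for name, u in passwd.items():
        if u["uid"] == 0 and name != "root":
            findings.append(f"{name}: UID 0 (super administrator) but not root")
        if 0 < u["uid"] < UID_MIN and u["shell"] not in NOLOGIN:
            findings.append(f"{name}: system user with interactive shell {u['shell']}")
        hashed, _ = shadow.get(name, ("*", None))
        if hashed == "":
            findings.append(f"{name}: empty password field, no password required")
        elif hashed == "!!":
            findings.append(f"{name}: no password set")
        elif hashed.startswith("!"):
            findings.append(f"{name}: password locked (passwd -l)")
    return findings
```

Running audit(parse_passwd(PASSWD_SAMPLE), parse_shadow(SHADOW_SAMPLE)) on the constructed lines reports the second UID 0 account, the system user with a login shell, the passwordless user and the locked user, and nothing for root.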

II. User and Group Management

(1) User Management

  • Creating a User: useradd

useradd [options] username

Common Options:

  • -u: Specify the user's UID

useradd -u 1100 user1

id user1

uid=1100(user1) gid=1100(user1) groups=1100(user1)

  • -g: Specify the user's primary group

useradd -g user1 user2

id user2

uid=1101(user2) gid=1100(user1) groups=1100(user1)

  • -G: Specify the user's supplementary groups

useradd -G user1 user3

id user3

uid=1102(user3) gid=1102(user3) groups=1102(user3),1100(user1)

  • -c: Specify the user's GECOS information

useradd -c "web server" user4

grep user4 /etc/passwd

user4:x:1103:1103:web server:/home/user4:/bin/bash

  • -d: Specify the user's home directory

useradd -d /opt/user5 user5

cd ~user5

pwd

/opt/user5

  • -s: Specify the user's default shell

useradd -s /sbin/nologin user7

grep user7 /etc/passwd

user7:x:1106:1106::/home/user7:/sbin/nologin

Effect of the useradd command:

  • Maps the UID to the username in /etc/passwd
  • Maps the GID to the group name in /etc/group
  • Stores password information in /etc/shadow
  • Stores group information in /etc/gshadow
  • Creates the specified home directory or a default one under /home
  • Creates a mailbox file in /var/spool/mail

  • Password Management: passwd

passwd [options] [username]

Changing Passwords:

  • Root user setting a password

passwd user1

  • Regular user changing their own password

passwd

Common Options:

  • -d: Delete the password

passwd -d user1

  • -l: Lock the account

passwd -l user1

  • -u: Unlock the account

passwd -u user1

  • --stdin: Read the password from standard input (not recommended: the plaintext password ends up in the shell history)

echo "password" | passwd --stdin user1

  • Modifying User Attributes: usermod

usermod [options] username

Common Options:

  • -l: Change the username

usermod -l new_name old_name

  • -u: Change the UID

usermod -u uid username

  • -g: Change the primary group

usermod -g groupname username

  • -G: Change supplementary groups

usermod -G groupname username

  • -c: Change the user's GECOS information

usermod -c "new comment" username

  • -md: Change the user's home directory and move its contents to the new location (-m together with -d)

usermod -md /new/home/dir username

  • -s: Change the user's shell

usermod -s /bin/sh username

  • Deleting a User: userdel

userdel [options] username

Common Options:

  • -r: Delete the user's home directory and mailbox

userdel -r username

  • Modifying Password Attributes: chage

chage [options] username

Interactive mode (prompts for each password-aging field in turn):

chage username

(2) Group Management

  • Creating a Group: groupadd

groupadd [options] groupname

Common Options:

  • -g: Specify the GID

groupadd -g gid groupname

  • Modifying a Group: groupmod

groupmod [options] groupname

Common Options:

  • -n: Change the group name

groupmod -n new_name old_name

  • -g: Change the GID

groupmod -g gid groupname

  • Deleting a Group: groupdel

groupdel groupname

  • Managing Group Members: gpasswd

gpasswd [option] groupname

Common Options:

  • -A: Assign group administrators

gpasswd -A username groupname

  • -a: Add a user to the group

gpasswd -a username groupname

  • -d: Remove a user from the group

gpasswd -d username groupname

  • -r: Remove the group password

gpasswd -r groupname

  • Group Management: groupmems

groupmems [options]

Common Options:

  • -l: List all group members

groupmems -l -g groupname

  • -a: Add a user to the group

groupmems -a username -g groupname

  • -d: Delete a user from the group

groupmems -d username -g groupname

  • -p: Remove all users from the group

groupmems -p -g groupname
