Working with Users and Groups

1. Manage users and groups
2. Manage ownership, permissions, and quotas

1. Manage users and groups

Linux user accounts
Linux groups

Linux user accounts
- How Linux user accounts work
- Where Linux user accounts are stored
- Creating and managing user accounts from the command line
How Linux User Accounts Work

Each user account has:
- Username
- Password

By default, all user home directories are created and maintained in the /home directory. However, the root user's home directory is /root.

To view information about the user_name account on your Linux system, you would enter

finger user_name

finger reports the following information about the user account:

Login: This is the username that is used to authenticate to the system.
Name: This is the user's full name.
Directory: This is the user's home directory.
Shell: This is the default shell that will be provided to the user.
Last Login: This displays the last time the user logged in and where from.

In addition to having a home directory and default shell assigned, each user account is also assigned a unique user ID (UID) number when it is created. No two user accounts on the system will have the same UID. To view the UID for a given user account, you can use the id username command from the shell prompt. For example, to view information about our vmk user account, we can enter id vmk at the shell prompt.

On a SUSE Linux system, the first regular user account created on the system is always assigned a UID of 1000. The next user account will be assigned a UID of 1001, and so on.

Other distributions may use a different numbering scheme for the UID, however. For example, UIDs on a Fedora system start at 500 instead of 1000.

The root user account is always assigned a UID of 0 on most Linux distributions.

It's this UID, not the username, that the operating system actually uses to control access to files and directories in the file system.

Where Linux User Accounts Are Stored

Linux is a very flexible operating system. One of its flexible features is the location of user accounts on the system. When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts. This screen allows you to choose from the following authentication methods:

Local: This option stores user accounts in the /etc/passwd file. This has been the default configuration used by Linux systems for many years.

LDAP: This is a newer option that many Linux administrators are starting to adopt. Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP. Unlike local authentication, which uses a flat file, the directory service is hierarchical in nature, allowing you to sort and organize your user accounts by location, function, or department.

NIS: This option stands for Network Information Service. NIS is also designed to provide centralized user account management when you have multiple systems that all need the same user accounts. To do this, NIS configures systems to all use a common passwd and shadow file.

Windows Domain: If you have a Windows domain controller in your network (or another Linux server running the Samba service), you can configure your Linux system to use the user accounts in the domain to authenticate to the local system.

With the Local option, accounts are stored in three files:

/etc/passwd: This file contains the user account information for your system.
/etc/shadow: This file contains the passwords for your user accounts.
/etc/group: This file contains your system's groups.
- The /etc/passwd File

Each record in /etc/passwd has the following fields:

Username:Password:UID:GID:Full_Name:Home_Directory:Default_Shell

Username: This field identifies the username the user will supply when logging in to the system.

Password: This is a legacy field. At one time, the user's password was stored in encrypted form in this field in the passwd file. However, for security reasons (/etc/passwd has to be readable by every user), the password has been moved from /etc/passwd to /etc/shadow.

UID: This is the user ID for the user account.

GID: This field references the group ID number of the user's default group.

Full_Name: This field contains the user's full name.

Home_Directory: This field contains the path to the user's home directory.

Default_Shell: This field specifies the shell that will be used by default.
- The /etc/shadow File

Each record in /etc/shadow has the following fields:

Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire

Username: This is the user's login name from /etc/passwd.

Password: This is the user's password in encrypted format.

Last_Modified: This field displays the number of days since January 1, 1970 that the password was last changed.

Min_Days: This field displays the minimum number of days required before a password can be changed. In this example, it is set to 0 days.

Max_Days: This field displays the maximum number of days before a password must be changed. In this example, it is set to 99999 days. Effectively, this means a password change isn't required.

Days_Warn: This field displays the number of days prior to password expiration that the user will be warned of the pending expiration. In this case, it's set to 7 days.

Disabled_Days: This field displays the number of days to wait after a password has expired to disable the account.

Expire (expiry time): This field displays the number of days since January 1, 1970 after which the account will be disabled. In this example, it is set to a null value, indicating the account never expires.

To verify your /etc/passwd and /etc/shadow files, you can use the pwck command at the shell prompt. This utility will verify each line in the two files and make sure they are valid. Any errors are reported on the screen.

If, for some reason, the /etc/passwd and /etc/shadow files were out of synchronization, you could use the pwconv command at the shell prompt to fix the files. This utility will add any missing user accounts from /etc/passwd to /etc/shadow.
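pwck checks that the records are well formed, not whether their values are sensible. The following is an added example, not part of the slides, that uses the field layouts described above to flag the settings a defender would want to know about: a second UID 0 account, duplicate UIDs, an empty password field, a Max_Days of 99999 (the password never has to change), and locked accounts. The records are constructed for the example (the usernames vmk, ncth and tktung are reused from the slides; the backup account, UIDs and hashes are made up), and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the slides: audit /etc/passwd- and /etc/shadow-style
# records for settings a defender wants to know about. The records below are
# constructed for this example; to audit a real host, pass the contents of
# /etc/passwd and /etc/shadow instead (reading /etc/shadow requires root).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vmk:x:1000:100:Van M K:/home/vmk:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash
ncth:x:1001:100:Tommy:/home/ncth:/bin/bash
tktung:x:1001:100:Truong Khac Tung:/home/tktung:/bin/bash'

# Password field values: a placeholder hash, empty (no password needed), and
# "!" (locked, as passwd -l leaves it). The hashes are not real hashes.
SAMPLE_SHADOW='root:$6$fakesalt$fakehash:19000:0:90:7:::
vmk::19000:0:99999:7:::
backup:$6$fakesalt$fakehash:19000:0:99999:7:::
ncth:$6$fakesalt$fakehash:19000:0:90:7:::
tktung:!:19000:0:90:7:::'

# Accounts other than root whose UID (field 3) is 0: root in all but name.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs shared by more than one account; the kernel cannot tell them apart.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' | sort -n
}

# Accounts whose shadow password field (field 2) is empty: no password required.
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose Max_Days (field 5) is 99999: the password never has to change.
never_expiring() {
    printf '%s\n' "$1" | awk -F: '$5 == 99999 { print $1 }'
}

# Accounts whose password field starts with "!" or "*": locked.
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Print one labelled line per finding; $1 is passwd content, $2 shadow content.
report() {
    printf 'extra UID 0 accounts: %s\n' "$(uid0_accounts "$1" | tr '\n' ' ')"
    printf 'duplicate UIDs:       %s\n' "$(duplicate_uids "$1" | tr '\n' ' ')"
    printf 'empty passwords:      %s\n' "$(empty_passwords "$2" | tr '\n' ' ')"
    printf 'never-expiring:       %s\n' "$(never_expiring "$2" | tr '\n' ' ')"
    printf 'locked:               %s\n' "$(locked_accounts "$2" | tr '\n' ' ')"
}

report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```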
Creating and Managing User Accounts from the Command Line

- Using useradd
- Using passwd
- Using usermod
- Using userdel
- Using useradd

Syntax:
useradd options username

Example (default options):
useradd ncth

The ncth account is created using the default parameters contained in the following configuration files:

/etc/default/useradd
/etc/login.defs: This file contains values that can be used for the GID and UID parameters when creating an account with useradd. It also contains defaults for creating passwords in /etc/shadow.

You can also view these default values by entering useradd -D at the shell prompt.

Options:
-c Includes the user's full name.
-e Specifies the date when the user account will be disabled. Format the date as yyyy-mm-dd.
-f Specifies the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality, e.g., useradd -f -1 jmcarthur.
-g Specifies the user's default group.
-G Specifies additional groups that the user is to be made a member of.
-M Specifies that the user account be created without a home directory.
-m Specifies the user's home directory.
-n Used only on Red Hat or Fedora systems. By default, these systems create a new group with the same name as the user every time an account is created. Using this option will turn off this functionality.
-p Specifies the user's password. useradd expects this value to already be hashed (the encrypted form produced by crypt(3)), and anything passed on the command line is visible in the shell history and the process list, so it is safer to set the password afterwards with passwd.
-r Specifies that the user being created is a system user.
-s Specifies the default shell for the user.
-u Manually specifies a UID for the user.

Examples:
useradd -c "Tommy" ncth1
useradd -c "Truong Khac Tung" -m -p "tung123" -s "/bin/bash" tktung
- Using passwd

The passwd utility is used to change an existing user's password. You can find out the status of a user's password using the -S option with passwd. For example, we could enter passwd -S vmk at the shell prompt.

Syntax:
passwd username

Options:
-l Locks the user's account. This option invalidates the user's password.
-u Unlocks a user's account.
-d Removes a user's password.
-n Sets the minimum number of days required before a password can be changed.
-x Sets the maximum number of days before a password must be changed.
-w Sets the number of days prior to password expiration when the user will be warned of the pending expiration.
-i Sets the number of days to wait after a password has expired to disable the account.
- Using usermod

From time to time, you will need to modify an existing user account. The syntax for usermod is very similar to that used by useradd.

Syntax:
usermod options username

Options:
-c Edits the user's full name.
-e Sets the date when the user account will be disabled. Format the date as yyyy-mm-dd.
-f Sets the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality.
-g Sets the user's default group.
-G Specifies additional groups that the user is to be made a member of (without -a, the list given replaces the user's current additional groups).
-l Changes the username.
-L Locks the user's account. This option invalidates the user's password.
-m Sets the user's home directory.
-p Sets the user's password.
-s Specifies the default shell for the user.
-u Sets the UID for the user.
-U Unlocks a user's account that has been locked.

Exercise:
1. Create an account with your own details by entering
useradd -c "your_full_name" -m -p "your_password" -s "/bin/bash" your_username
2. Check that the account was added by entering
tail /etc/passwd
3. Create a user account using your system's default settings by entering
useradd abc
4. Set its password by entering passwd abc and typing the new password when prompted.
- Using userdel

Syntax:
userdel username

Example:
userdel ncth

It's important to note that, by default, userdel will not remove the user's home directory from the file system. If you do want to remove the home directory when you delete the user, you need to use the -r option in the command line. For example, entering userdel -r ncth will remove the account and delete her home directory.
• Linux Groups

- How Linux groups work
- Managing groups from the command line
How Linux Groups Work

If your Linux system has been configured to use local authentication, your groups are defined in the /etc/group file. Each record is composed of the following four fields:

Group:Password:GID:Users

Group: Specifies the name of the group. In the example above, the name of the group is video.
Password: Specifies the group password.
GID: Specifies the group ID (GID) number of the group.
Users: Lists the members of the group.

As with /etc/shadow, each line in /etc/gshadow represents a record for a single group. Each record is composed of the following fields:

Group_Name:Password:Group_Admins:Group_Members
Managing groups from the command line

- Using groupadd
- Using groupmod
- Using groupdel

- Using groupadd

Syntax:
groupadd options groupname

Options:
-g Specifies a GID for the new group.
-p Specifies a password for the group.
-r Specifies that the group being created is a system group.

- Using groupmod

To modify a group, including adding users to the group membership, you use the groupmod utility.

Syntax:
groupmod options group

Options:
-g Changes the group's GID number.
-p Changes the group's password.
-A Adds a user account to the group.
-R Removes a user account from the group.

If we wanted to add ncth to the student group, we would enter

groupmod -A "ncth" student

at the shell prompt. (The -A and -R options are specific to SUSE's groupmod; on other distributions, use gpasswd -a user group or usermod -aG group user instead.)

- Using groupdel

Syntax:
groupdel group_name

Example:
groupdel student
2. Manage ownership, permissions, and quotas

- Managing ownership
- Managing permissions
- Implementing disk quotas

Managing ownership
- How ownership works
- Managing ownership from the command line
• How ownership works

Anytime a user creates a new file or directory, his or her user account is assigned as that file or directory's "owner." For example, suppose the vmk user logs in to her Linux system and creates a file named linux_introduction.odt using OpenOffice.org in her home directory. Because she created this file, vmk is automatically assigned ownership of linux_introduction.odt. By right-clicking on this file in the system's graphical user interface and selecting Properties | Permissions, you can view who owns the file.

You can also view file ownership from the command line using the ls -l command.

• Managing ownership from the command line

You can specify a different user and/or group as the owner of a given file or directory. To change the user who owns a file, you must be logged in as root. To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.

- Using chown
- Using chgrp
- Using chown

The chown utility can be used to change the user or group that owns a file or directory.

Syntax:
chown user.group file_or_directory

Example: If I wanted to change the file's owner to the ncth1 user, I would enter

chown ncth1 /tmp/myfile.txt

If I wanted to change the file's group to the users group (of which that user is a member), I would enter

chown .users /tmp/myfile.txt

Notice that I used a period (.) before the group name to tell chown that the entity specified is a group, not a user account. The colon form (chown user:group file, or chown :group file) is the separator specified by POSIX and works on every Linux system.

Example: chown student.users /tmp/myfile.txt

Note: You can use the -R option with chown to change ownership on many files at once, recursively.

- Using chgrp

In addition to chown, you can also use chgrp to change the group that owns a file or directory.

Syntax:
chgrp group file (or directory)

For example:
chgrp student /tmp/newfile.txt
Managing permissions

- How permissions work
- Managing permissions from the command line
- Working with default permissions
- Working with special permissions
- How permissions work

Each file or directory in your Linux file system stores the specific permissions assigned to it. These permissions together constitute the mode of the file. These permissions are assigned to each of three different entities for each file and directory in the file system:

Owner: This is the user account that has been assigned to be the file or directory's owner. Permissions assigned to the owner apply only to that user account.

Group: This is the group that has been assigned ownership of the file or directory. Permissions assigned to the group apply to all user accounts that are members of that group.

Others: This entity refers to all other users who have successfully authenticated to the system. Permissions assigned to this entity apply to these user accounts.

You can view the mode of each file in a directory with ls -l.
- Managing Permissions from the Command Line with chmod

Syntax:
chmod entity=permissions filename

You substitute u for Owner, g for Group, and o for Others in the entity portion of the command. You substitute r, w, and/or x for the permissions portion of the command. For example, suppose I wanted to change the mode of contacts.odt to -rw-rw-r--. I would enter

chmod u=rw,g=rw,o=r contacts.odt

You can also use chmod to toggle a particular permission on or off using the + or - signs. For example, suppose I want to turn off the write permission I just gave to Group for the contacts.odt file. I could enter

chmod g-w contacts.odt

at the shell prompt.

You can modify all three entities at once with only three characters. To do this, enter

chmod numeric_permission filename

Example:
chmod 660 contacts.odt
Working with default permissions

By default, Linux assigns rw-rw-rw- (666) permissions to every file whenever it is created in the file system. It also assigns rwxrwxrwx (777) permissions to every directory created in the file system.

To increase the overall security of the system, Linux uses a variable called umask to automatically remove permissions from the default mode whenever a file or directory is created in the file system. The value of umask is a three-digit number.

For most Linux distributions, the default value of umask is 022. Each digit represents a numeric permission value to be removed. The first digit references—you guessed it—Owner, the second references Group, the last references Other.

If you only need to make a temporary change to umask, you can enter umask value at the shell prompt. For example, if you wanted to remove the execute permission that is automatically assigned to Others whenever a new directory is created, you could enter umask 023.

- Working with Special Permissions

The special permissions have the following numeric values, which go in a fourth digit in front of the three permission digits:

SUID: 4
SGID: 2
Sticky Bit: 1

For example, suppose you wanted to apply the SUID and SGID permissions to a file named runme that should be readable and executable by Owner and Group. You would enter chmod 6554 runme at the shell prompt. This specifies that the file have SUID (4) and SGID (2) permissions assigned (for a total of 6 in the first digit). It also specifies that Owner and Group have read (4) and execute (1) permissions assigned (for a total of 5 in the second and third digits). It also specifies that Others be allowed to read (4) the file, but not be able to modify or run it (for a total of 4 in the last digit).
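As an added example (not from the slides) that serves both the umask passage and the special-permission arithmetic above: a POSIX shell script that applies a umask to the 666/777 defaults and renders a numeric mode, including the SUID, SGID and sticky digit, the way ls -l displays it, so the results of umask 023 and chmod 6554 can be checked by hand. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the slides: the mode arithmetic from the umask and
# special-permission passages, done by hand so the results can be checked.
# Function names (triplet, mode_string, apply_umask) are this example's own.

# Render one rwx triplet from an octal digit 0-7. $2 is non-zero when the
# matching special bit (SUID/SGID/sticky) is set, $3 is the letter ls shows
# in the execute slot for it ("s" or "t"); upper case means the special bit
# is set but the execute bit underneath it is not.
triplet() {
    d=$1 special=$2 letter=$3
    r='-'; w='-'; x='-'
    [ $((d & 4)) -ne 0 ] && r='r'
    [ $((d & 2)) -ne 0 ] && w='w'
    [ $((d & 1)) -ne 0 ] && x='x'
    if [ "$special" -ne 0 ]; then
        if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Render a 3- or 4-digit numeric mode (660, 6554, 1777) as ls -l prints it,
# without the leading file-type character.
mode_string() {
    m=$1
    [ ${#m} -eq 3 ] && m="0$m"      # no special digit given: treat it as 0
    s=$(printf '%s' "$m" | cut -c1)  # special digit: SUID 4 + SGID 2 + sticky 1
    u=$(printf '%s' "$m" | cut -c2)
    g=$(printf '%s' "$m" | cut -c3)
    o=$(printf '%s' "$m" | cut -c4)
    printf '%s%s%s\n' "$(triplet "$u" $((s & 4)) s)" \
                      "$(triplet "$g" $((s & 2)) s)" \
                      "$(triplet "$o" $((s & 1)) t)"
}

# Apply a umask to the default mode (666 for a file, 777 for a directory) and
# print the resulting octal mode: each umask digit is a permission value removed.
apply_umask() {
    case $1 in file) base=0666;; dir) base=0777;; *) return 1;; esac
    printf '%03o\n' $((base & ~0$2))
}

echo "chmod 660 contacts.odt   -> $(mode_string 660)"
echo "chmod 6554 runme         -> $(mode_string 6554)"
echo "umask 022, new file      -> $(apply_umask file 022)"
echo "umask 023, new directory -> $(apply_umask dir 023)"
```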
Implementing Disk Quotas

To implement quotas on your Linux file system, you first need to install the quota package on your system.

Note: See the next chapter to learn how to install packages on a Linux system. If you want to check and see if quota is already installed on your system, enter rpm -qi quota at the shell prompt.

quotacheck -amvug

The quotacheck utility is used to scan the file system for disk usage as well as to create the quota files. The options used with quotacheck above do the following:
-a: Checks all mounted file systems.
-m: Forces the check on mounted file systems.
-u: Checks users.
-g: Checks groups.
-v: Operates in verbose mode.

View the current disk space used by your users by entering

repquota -av

at the shell prompt.

Create disk quotas for your users by entering
edquota -u username

Create disk quotas for your groups by entering
edquota -g groupname