Each user in Linux has a unique user ID (UID), which is an ordinary integer number, and an associated username. Users log in by using their usernames, but the system uses the associated UIDs. Each user account also has a home directory and a login shell. When users log in, they are placed in their home directory and their login shell executes. All of this user account information is stored in the /etc/passwd file.
Each user also belongs to one or more groups. Different users can be assigned to the same group. Access can be given to a group and all members of the group are granted the same access privileges. Each group account in Linux has a unique group ID (GID) and an associated group name. Group information is stored in the /etc/group file.
RedHat Linux uses a user private group (UPG) scheme. When a new user account is added, a new user private group is also created. The user private group has the same name as the user, and the new user is the only member of this group.
Both users and groups use shadow passwords. Passwords are hashed and stored in different files, /etc/shadow for users and /etc/gshadow for groups. Security improves by storing hashed passwords in “shadow” files, because these files are readable only by the root user. The use of shadow passwords also provides password aging parameters and allows security policies to be enforced, using the /etc/login.defs file. Only the root user can add, modify, or delete user and group accounts.
User and Group Configuration Files
/etc/passwd
When a new user is added, the information is stored as a single, colon-separated line in /etc/passwd. Here is an example of an entry in this file:
# tail -1 /etc/passwd
test:x:1001:1001:test user:/home/test:/bin/bash
The following describes this entry:
| Field | Description |
|---|---|
| test | Username |
| x | Indicates that shadow passwords are used; the password hash is kept in /etc/shadow |
| 1001 | UID. UIDs for regular users begin at 1000 and increment by 1 for each newly added user; UIDs below 1000 are reserved for system use. |
| 1001 | GID of the user's primary group. GIDs for new groups begin at 1000 and increment by 1 for each new group. Users can belong to more than one group. |
| test user | GECOS (General Electric Comprehensive Operating System) field, used only for informational purposes such as the user's full name |
| /home/test | Home directory for this user |
| /bin/bash | Default (login) shell for this user |
/etc/shadow
With shadow passwords, a new entry is automatically added to /etc/shadow when a new user is created. This file can be viewed only by root. Here is an example of an entry in this file:
# tail -1 /etc/shadow
test:$6$XBCDBQ...:17610:0:99999:7:::
The following describes this entry:
| Field | Description |
|---|---|
| test | Username |
| $6$XBCDBQ… | Hashed password (only the start is shown). The plain-text password itself is not stored on disk; a one-way hash function derives this string from it, and the $6$ prefix identifies the SHA-512 scheme. |
| 17610 | Date of the last password change, expressed as the number of days since Jan 1, 1970. |
| 0 | Minimum password age: the number of days that must pass after a change before the password can be changed again by the user. |
| 99999 | Maximum password age: the number of days after the last change that the password remains usable. After this many days, the user must change the password. |
| 7 | Number of days before the expiry date that the user is warned about the pending password change. If the password is not changed after this number of days, the user account is locked. |
The next field is empty but is used to store the last date when the account is locked (counted in days since Jan 1, 1970). The last field is also empty but is not used.
/etc/group
Because Oracle Linux uses a UPG scheme, a new entry is automatically created in /etc/group when a new user is added. The group name is the same as the username. Here is an example of an entry in this file:
# tail -1 /etc/group
test:x:1000:test
The following describes this entry:
| Field | Description |
|---|---|
| test | Group name |
| x | Indicates that shadow passwords are used; the group password hash is kept in /etc/gshadow |
| 1000 | GID |
| test | List of users that are members of the group |
Each group can have multiple users. Users can also belong to more than one group. The GID stored in the user’s entry in /etc/passwd is the user’s primary group.
/etc/gshadow
Hashed group passwords are stored in this file. However, group passwords are rarely used. Here is an example of an entry in this file:
# tail -1 /etc/gshadow
test:!!::test
The following describes this entry:
| Field | Description |
|---|---|
| test | Group name |
| !! | Hashed group password. The !! indicates that the password is locked. |
| (empty) | List of group administrators |
| test | List of users that are members of the group |
The last two fields are used to designate administrators and members.
Adding a User Account
useradd
Use the useradd command to add a user account. The syntax is:
# useradd [options] user_name
When creating a new user without any options, the default settings are applied. Example:
# useradd john
# tail -1 /etc/passwd
john:x:501:501::/home/john:/bin/bash
Also by default, useradd creates a locked user account. To unlock the account and assign a password, run the passwd user_name command as root. Example:
# passwd john
The passwd user_name command prompts you for a new password. Depending on the complexity of the password, you may be notified the password is bad (too short or too simple). Re-enter the same password to continue and unlock the user account. The same passwd command is used to change a password. The root user can always change a user’s password. Users are prompted to enter the current password first.
Default Settings
The default settings for a new user can be viewed and modified by using the -D option. Example:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
The INACTIVE directive sets the number of days after a password expires until the account is locked. A value of 0 locks the account as soon as the password expires. A value of -1 disables the feature. The contents of SKEL (/etc/skel by default) are copied to a new user's home directory when the user account is created. Default settings are stored in /etc/default/useradd. The following options, used together with -D, change the useradd command defaults:
- -b default_home: The initial path prefix for a new user’s home directory
- -e default_expire_date: The date on which the user account is disabled
- -f default_inactive: The number of days after a password has expired before the account is locked
- -g default_group: The group name or ID for a new user’s initial group
- -s default_shell: The new user’s login shell
For example, to change a new user’s login shell to the Bourne shell, enter the following:
# useradd -D -s /bin/sh
useradd Options
Several options are available to the useradd command to override default settings. The following are some of the more commonly used options:
- -c comment: The new user’s GECOS information, such as full name
- -d home_dir: The initial path prefix for a new user’s home directory
- -e expire_date: The date (format YYYY-MM-DD) when the user account is disabled
- -g initial_group: The group name or number of the user’s initial login group. The group name must exist. A group number must refer to an already existing group.
- -G group: A list of secondary groups that the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace.
- -p passwd: Set the new user's password. useradd expects the value already hashed (it is written to /etc/shadow as given), and a value typed on the command line is also visible in the shell history, so the passwd command is the usual way to set one.
- -s shell: The name of the user’s login shell
For example, to create a new username of “john”, and include the user’s name, and change the login shell to the C shell, enter the following:
# useradd -c "John Smith" -s /bin/csh john
nologin Shell
When you add a new user account, the user is granted shell access by default. You can create a user account with nologin shell for purposes of running a service such as SMTP, FTP, or running a web server, for example. A user without a login shell cannot log in to a system and, therefore, cannot run any commands interactively on the system. Processes can run as that user, however.
Logging in as a user with a nologin shell is politely refused and a message is displayed that the account is not available. If the file /etc/nologin.txt exists, nologin displays the file’s contents rather than the default message. To create a nologin user, first ensure that nologin exists in the /etc/shells file:
# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash
To add a new user called test with no shell access:
# useradd -s /sbin/nologin test
Attempting to log in as user test displays:
# su - test
This account is currently not available.
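As an added example (not code from the original page), the following POSIX shell script performs the checks an administrator would want after reading the above: it confirms that a shell is listed in an /etc/shells-style file, lists system accounts (UID below 1000, root excluded) that still have an interactive shell, and lists accounts whose shell is not in /etc/shells at all. The sample passwd and shells contents, the function names, and the backup and svc accounts are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit login shells in passwd-format data.
# Constructed sample /etc/passwd; names, UIDs and paths are made up for this example.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
svc:x:900:900:service account:/var/svc:/usr/local/bin/rsh
test:x:1001:1001:test user:/home/test:/bin/bash'

# Constructed sample /etc/shells.
SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin
/bin/dash'

# Exit 0 if the shell given as $1 is listed verbatim in the /etc/shells-format text on stdin.
shell_is_listed() {
    grep -qxF -- "$1"
}

# Print the names of system accounts (UID below the threshold in $1, default 1000, root
# excluded) whose login shell is neither nologin nor false, i.e. accounts meant to run a
# service that can still be logged in to.  Reads passwd-format text from stdin.
system_accounts_with_login_shell() {
    awk -F: -v limit="${1:-1000}" '
        $3 != 0 && $3 < limit && $7 !~ /(nologin|false)$/ { print $1 }
    '
}

# Print accounts whose shell does not appear in the shells file named by $1 (e.g. /etc/shells).
# Such shells are unusual and worth a look.  Reads passwd-format text from stdin.
accounts_with_unlisted_shell() {
    awk -F: 'NR == FNR { listed[$0] = 1; next }
             !($7 in listed) { print $1 }' "$1" -
}

# Stand-alone demonstration on the constructed data.  On a real host the same functions run as
#   system_accounts_with_login_shell < /etc/passwd
#   accounts_with_unlisted_shell /etc/shells < /etc/passwd
printf '%s\n' "$SAMPLE_SHELLS" | shell_is_listed /sbin/nologin && echo "nologin is listed"
printf '%s\n' "$SAMPLE_PASSWD" | system_accounts_with_login_shell            # backup, svc
shells_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHELLS" > "$shells_tmp"
printf '%s\n' "$SAMPLE_PASSWD" | accounts_with_unlisted_shell "$shells_tmp"   # svc
rm -f "$shells_tmp"
```

The UID threshold is a parameter because the page's own examples show both the 1000 boundary and an older 501 layout; pass a different value to match the host's /etc/login.defs.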
Modifying or Deleting User Accounts
usermod
Use the usermod command to modify an existing user account. The syntax is:
# usermod [options] user_name
One of the most common uses of the usermod command is to add a user to another (secondary) group. Use the -a and -G options followed by a comma-separated list of the secondary groups to add the user to. The following example lists the contents of /etc/group before and after modifying a user and adding them to a secondary group:
# grep 1017 /etc/group
students:x:1017:
# usermod -aG 1017 mary
# grep 1017 /etc/group
students:x:1017:mary
userdel
Use the userdel command to delete a user account. Example:
# userdel john
Group Account Administration
groupadd
Use the groupadd command to add a group account. The syntax is:
# groupadd [options] group_name
groupmod
Use the groupmod command to modify a group account. The syntax is:
# groupmod [options] group_name
groupdel
Use the groupdel command to delete a group account. The syntax is:
# groupdel group_name
You can remove groups even if there are members in the group. You cannot remove the primary group of any existing user. You must remove the user before removing the group.
gpasswd
Use the gpasswd command to administer /etc/group and /etc/gshadow. Every group can have administrators, members, and a password. The syntax is:
# gpasswd [options] group_name
groups
The groups command displays the groups that a user belongs to. The following example illustrates that user oracle belongs to two groups, oracle (primary group) and students (secondary group):
$ grep oracle /etc/passwd
oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
$ grep oracle /etc/group
oracle:x:1000:
students:x:1056:student1,student2,oracle
The groups command (logged on as oracle) verifies these group memberships.
$ whoami
oracle
$ groups
oracle students
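To make the relationship between the GID field of /etc/passwd and the member lists of /etc/group concrete, here is an added POSIX shell example (not from the original page) that resolves a user's primary and secondary groups the way the groups command does, and checks the user private group convention described at the top of the page. The sample files, the function names user_groups and has_private_group, and the wheel, shared and app entries are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): resolve group membership from passwd- and
# group-format files.  Both samples are constructed; users, GIDs and group names are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
student1:x:1001:1001::/home/student1:/bin/bash
student2:x:1002:1002::/home/student2:/bin/bash
app:x:1003:1003:service owner:/home/app:/bin/bash'
SAMPLE_GROUP='root:x:0:
wheel:x:10:oracle
oracle:x:1000:
student1:x:1001:
student2:x:1002:
shared:x:1003:app
students:x:1056:student1,student2,oracle'

# Emulate "groups USER": the primary group (the group whose GID matches field 4 of the
# passwd entry) first, then every other group whose member list (field 4 of the group file)
# names the user.  $1 user, $2 passwd file, $3 group file.  Returns 1 if the user is unknown.
user_groups() {
    awk -F: -v user="$1" '
        NR == FNR { if ($1 == user) { pgid = $3; found = 1 }; next }   # first file: passwd
        found && $3 == pgid { primary = $1 }
        found {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user && $1 != primary) secondary = secondary " " $1
        }
        END {
            if (!found) exit 1
            out = primary secondary; sub(/^ /, "", out); print out
        }
    ' "$2" "$3"
}

# Check the user private group (UPG) convention: the primary group of $1 carries the same name
# as the user and has an empty member list.  Returns 0 if it holds, 1 otherwise.
has_private_group() {
    awk -F: -v user="$1" '
        NR == FNR { if ($1 == user) pgid = $3; next }
        pgid != "" && $1 == user && $3 == pgid && $4 == "" { ok = 1 }
        END { exit !ok }
    ' "$2" "$3"
}

# Stand-alone demonstration on the constructed data.  On a real host pass /etc/passwd and /etc/group.
demo_passwd=$(mktemp); demo_group=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_passwd"
printf '%s\n' "$SAMPLE_GROUP" > "$demo_group"
user_groups oracle "$demo_passwd" "$demo_group"     # oracle wheel students
user_groups app "$demo_passwd" "$demo_group"        # shared
has_private_group app "$demo_passwd" "$demo_group" || echo "app: primary group is not a private group"
rm -f "$demo_passwd" "$demo_group"
```

Note that membership in a group can come from either file: a user is in the group whose GID is in their passwd entry even if the group's member list is empty, which is why the oracle group above lists nobody yet still shows first.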
newgrp
The newgrp command executes a new shell and changes a user’s real group identification. The following example illustrates the group ID before and after running the command. It also illustrates that a new shell is executed.
$ id
uid=1000(oracle) gid=1000(oracle) groups=1000(oracle),1066(students)...
Note that the gid equals 1000(oracle).
$ ps
  PID TTY          TIME CMD
20279 pts/0    00:00:00 bash
20411 pts/0    00:00:00 ps
$ newgrp students
$ id
uid=1000(oracle) gid=1066(students) groups=1000(oracle),1066(students)...
Note that the gid now equals 1066(students). Also note that a new shell was executed:
$ ps
  PID TTY          TIME CMD
20279 pts/0    00:00:00 bash
20464 pts/0    00:00:00 bash
20486 pts/0    00:00:00 ps
The newgrp command does not recognize group ID numbers and you can only change your real group name to a group that you are a member of. Running the command without an argument sets the real group identification to the user’s primary group.
Password Configuration
Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is:
# chage [options] user_name
Enter the chage command, followed by a username, to display existing password aging values and make modifications. For example, to display and change values for user john, type (as user root):
# chage john
Changing the aging information for john
Enter the new value, or press ENTER for the default
        Minimum Password Age [0]:
        Maximum Password Age [99999]:
        Last Password Change (YYYY-MM-DD) [2018-03-24]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [-1]:
Password aging information is stored in the /etc/shadow file. To view the user john’s entry before making any changes:
# grep john /etc/shadow
john:$6$fJB4dWkt$...:17614:0:99999:7:::
Changing the minimum password age to 14 and the maximum password age to 30 means that the user cannot change the password again for 14 days after a change, and must change it within 30 days of the last change. The new entry appears as:
# grep john /etc/shadow
john:$6$fJB4dWkt$...:17614:14:30:7:::
Based on this information, the user is warned to change his password seven days before the date the password expires. The INACTIVE directive is used to set the number of days of inactivity after a password has expired before the user account is locked. Setting INACTIVE to -1 disables this feature.
chage Options
A number of options are available for the chage command. To list aging information:
# chage -l john
Last password change                                    : Mar 24, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0. Example:
# chage -d 0 john
After login, the user is prompted to change his password.
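The aging fields described in the /etc/shadow table and set with chage are plain day counts, so their effect can be checked without the chage command at all. The following added POSIX shell example (not from the original page) reads shadow-format lines and reports, for a given "today" in days since Jan 1, 1970, which accounts have no password, are locked, must change at next login, have aging disabled, are inside the warning window, have expired, or have passed the inactivity grace period. The sample entries, the placeholder hashes and the state names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): classify /etc/shadow entries by aging state.
# Constructed sample /etc/shadow; users are made up and "$6$PLACEHOLDER" stands in for a real hash.
SAMPLE_SHADOW='root:$6$PLACEHOLDER:17600:0:99999:7:::
john:$6$PLACEHOLDER:17614:14:30:7:::
mary:$6$PLACEHOLDER:17500:0:90:7:10::
svc:!!:17610:0:99999:7:::
guest::17610:0:99999:7:::
test:$6$PLACEHOLDER:0:0:99999:7:::
old:$6$PLACEHOLDER:17600:0:99999:7::17620:'

# Print one "user STATE" line per shadow entry read from stdin, judged against "today" ($1)
# expressed as days since Jan 1, 1970, the unit the file itself uses.
shadow_aging_report() {
    awk -F: -v today="$1" '
    {
        user = $1; hash = $2; last = $3; maxd = $5; warn = $6; inact = $7; acct_exp = $8
        # Field 2 empty: no password is required to log in at all.
        if (hash == "") { print user, "NOPASSWORD"; next }
        # Leading "!" or "*": the password is locked or the account never had one.
        if (hash ~ /^[!*]/) { print user, "LOCKED"; next }
        # Field 8: the account itself carries an expiry date that has already passed.
        if (acct_exp != "" && today > acct_exp) { print user, "ACCOUNTEXPIRED"; next }
        # Field 3 of 0 is what "chage -d 0" writes: a change is forced at the next login.
        if (last == 0) { print user, "MUSTCHANGE"; next }
        # Field 5 at the default 99999 effectively disables aging.
        if (maxd == "" || maxd >= 99999) { print user, "NOAGING"; next }
        expires = last + maxd
        if (today > expires) {
            # Field 7: grace days after expiry before the account is locked (-1 or empty: never).
            if (inact != "" && inact >= 0 && today > expires + inact) print user, "INACTIVE"
            else print user, "EXPIRED"
            next
        }
        # Field 6: warning window before expiry.
        if (today >= expires - warn) print user, "WARN"
        else print user, "OK"
    }'
}

# Stand-alone demonstration on the constructed data.  On a real host, as root:
#   shadow_aging_report "$(( $(date +%s) / 86400 ))" < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging_report 17640
```

Run against a live /etc/shadow this is a quick way to spot the two findings that matter most: NOPASSWORD entries, and service accounts that were never locked.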
authconfig
The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:
# authconfig --test | grep hashing
password hashing algorithm is sha512
To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option. sha512 is the default on current releases; descrypt, bigcrypt and md5 are legacy algorithms kept for compatibility with old password databases. For example, to change the algorithm to MD5:
# authconfig --passalgo=md5 --update
Understanding /etc/login.defs file