Beginners Guide to User and Group Administration in Linux

Each user in Linux has a unique user ID (UID), which is an ordinary integer number, and an associated username. Users log in by using their usernames, but the system uses the associated UIDs. Each user account also has a home directory and a login shell. When users log in, they are placed in their home directory and their login shell executes. All of this user account information is stored in the /etc/passwd file.

Each user also belongs to one or more groups. Different users can be assigned to the same group. Access can be given to a group and all members of the group are granted the same access privileges. Each group account in Linux has a unique group ID (GID) and an associated group name. Group information is stored in the /etc/group file.

RedHat Linux uses a user private group (UPG) scheme. When a new user account is added, a new user private group is also created. The user private group has the same name as the user, and the new user is the only member of this group.

Both users and groups use shadow passwords. Passwords are hashed and stored in different files, /etc/shadow for users and /etc/gshadow for groups. Security improves by storing hashed passwords in “shadow” files, because these files are readable only by the root user. The use of shadow passwords also provides password aging parameters and allows security policies to be enforced, using the /etc/login.defs file. Only the root user can add, modify, or delete user and group accounts.

User and Group Configuration Files

/etc/passwd

When a new user is added, the information is stored as a single, colon-separated line in /etc/passwd. Here is an example of an entry in this file:

# tail -1 /etc/passwd
test:x:1001:1001:test user:/home/test:/bin/bash

The following describes this entry:

Field        Description
test         Username
x            Indicates that shadow passwords are used
1001         UID. UIDs begin at 1000 and increment by 1 for each newly added user; UIDs below 1000 are reserved for system use.
1001         GID of the user’s primary group. GIDs begin at 1000 and increment by 1 for each new group. Users can belong to more than one group.
test user    GECOS (General Electric Comprehensive Operating System) information, used only for informational purposes such as the user’s full name
/home/test   Home directory for this user
/bin/bash    Default login shell for this user

/etc/shadow

With shadow passwords, a new entry is automatically added to /etc/shadow when a new user is created. This file can be viewed only by root. Here is an example of an entry in this file:

# tail -1 /etc/shadow
test:$6$XBCDBQ...:17610:0:99999:7:::

The following describes this entry:

Field        Description
test         Username
$6$XBCDBQ…   Hashed password value (partial value shown). The plain-text password itself is not stored on disk; a hashing algorithm derives this unique string from the password.
17610        Date of the last password change, counted in days since Jan 1, 1970.
0            Minimum number of days that must pass before the user can change the password again.
99999        Maximum number of days after the last change that the password remains valid. After this many days, the user must change the password.
7            Number of days before the expiry date that the user is warned about the pending password change. If the password is not changed after this number of days, the user account is locked.

The next field is empty but is used to store the last date when the account is locked (counted in days since Jan 1, 1970). The last field is also empty but is not used.

/etc/group

Because Oracle Linux uses a UPG scheme, a new entry is automatically created in /etc/group when a new user is added. The group name is the same as the username. Here is an example of an entry in this file:

# tail -1 /etc/group
test:x:1000:test

The following describes this entry:

Field        Description
test         Group name
x            Indicates that shadow passwords are used
1000         GID
test         List of users that are members of the group

Each group can have multiple users. Users can also belong to more than one group. The GID stored in the user’s entry in /etc/passwd is the user’s primary group.

/etc/gshadow

Hashed group passwords are stored in this file. However, group passwords are rarely used. Here is an example of an entry in this file:

# tail -1 /etc/gshadow 
test:!!::test

The following describes this entry:

Field        Description
test         Group name
!!           Hashed group password. The value !! indicates that the group password is locked.
(empty)      List of group administrators
test         List of users that are members of the group

The last two fields are used to designate administrators and members.

Adding a User Account

useradd

Use the useradd command to add a user account. The syntax is:

# useradd [options] user_name

When creating a new user without any options, the default settings are applied. Example:

# useradd john
# tail -1 /etc/passwd
john:x:501:501::/home/john:/bin/bash

Also by default, useradd creates a locked user account. To unlock the account and assign a password, run the passwd user_name command as root. Example:

# passwd john

The passwd user_name command prompts you for a new password. Depending on the complexity of the password, you may be notified the password is bad (too short or too simple). Re-enter the same password to continue and unlock the user account. The same passwd command is used to change a password. The root user can always change a user’s password. Users are prompted to enter the current password first.

Default Settings

The default settings for a new user can be viewed and modified by using the -D option. Example:

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The INACTIVE directive sets the number of days after a password expires until the account is locked. A value of 0 locks the account as soon as the password expires. A value of -1 disables the feature. The contents of the SKEL directory (/etc/skel by default) are copied to a new user’s home directory when the user account is created. Default settings are stored in /etc/default/useradd. The following options, used together with -D, change the useradd command defaults:

  • -b default_home: The initial path prefix for a new user’s home directory
  • -e default_expire_date: The date on which the user account is disabled
  • -f default_inactive: The number of days after a password has expired before the account is locked
  • -g default_group: The group name or ID for a new user’s initial group
  • -s default_shell: The new user’s login shell

For example, to change the default login shell for new users to the Bourne shell, enter the following:

# useradd -D -s /bin/sh

useradd Options

Several options are available to the useradd command to override default settings. The following are some of the more commonly used options:

  • -c comment: The new user’s GECOS information, such as full name
  • -d home_dir: The initial path prefix for a new user’s home directory
  • -e expire_date: The date (format YYYY-MM-DD) when the user account is disabled
  • -g initial_group: The group name or number of the user’s initial login group. The group name must exist. A group number must refer to an already existing group.
  • -G group: A list of secondary groups that the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace.
  • -p passwd: Set the new user’s password.
  • -s shell: The name of the user’s login shell

For example, to create a new username of “john”, and include the user’s name, and change the login shell to the C shell, enter the following:

# useradd -c "John Smith" -s /bin/csh john

nologin Shell

When you add a new user account, the user is granted shell access by default. You can instead create a user account with a nologin shell for running a service such as SMTP, FTP, or a web server. A user without a login shell cannot log in to the system and, therefore, cannot run any commands interactively on it. Processes can still run as that user, however.

Logging in as a user with a nologin shell is politely refused and a message is displayed that the account is not available. If the file /etc/nologin.txt exists, nologin displays the file’s contents rather than the default message. To create a nologin user, first ensure that nologin exists in the /etc/shells file:

# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/dash

To add a new user called test with no shell access:

# useradd -s /sbin/nologin test

Attempting to log in as user test displays:

# su - test
This account is currently not available.

Modifying or Deleting User Accounts

usermod

Use the usermod command to modify an existing user account. The syntax is:

# usermod [options] user_name

One of the most common uses of the usermod command is to add a user to another (secondary) group. Use the -a and -G options followed by a comma-separated list of the secondary groups to add the user to (without -a, the -G list replaces the user’s existing secondary groups). The following example lists the matching entry in /etc/group before and after adding the user to a secondary group:

# grep 1017 /etc/group
students:x:1017:
# usermod -aG 1017 mary
# grep 1017 /etc/group
students:x:1017:mary

userdel

Use the userdel command to delete a user account. Example:

# userdel john

Group Account Administration

groupadd

Use the groupadd command to add a group account. The syntax is:

# groupadd [options] group_name

groupmod

Use the groupmod command to modify a group account. The syntax is:

# groupmod [options] group_name

groupdel

Use the groupdel command to delete a group account. The syntax is:

# groupdel group_name

You can remove groups even if there are members in the group. You cannot remove the primary group of any existing user. You must remove the user before removing the group.

gpasswd

Use the gpasswd command to administer /etc/group and /etc/gshadow. Every group can have administrators, members, and a password. The syntax is:

# gpasswd [options] group_name

groups

The groups command displays the groups that a user belongs to. The following example illustrates that user oracle belongs to two groups, oracle (primary group) and students (secondary group):

$ grep oracle /etc/passwd
oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
$ grep oracle /etc/group
oracle:x:1000:
students:x:1056:student1,student2,oracle

The groups command (logged on as oracle) verifies these group memberships.

$ whoami
oracle
$ groups 
oracle students
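To make the /etc/passwd and /etc/group formats and the groups command concrete, here is an added example that is not part of the original guide: a POSIX shell script that resolves a user’s primary and supplementary groups from embedded sample passwd and group data (constructed here, not read from the host), flags an entry whose primary GID has no matching group, and lists which accounts still have an interactive shell rather than /sbin/nologin.

```shell
#!/bin/sh
# Added example (not from the original guide): resolve group membership the way
# the groups command does, using constructed sample data instead of the real
# /etc/passwd and /etc/group. The "orphan" entry is deliberately inconsistent.

PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:1000:1000:Oracle Student:/home/oracle:/bin/bash
test:x:1001:1001:test user:/home/test:/sbin/nologin
orphan:x:1002:4242::/home/orphan:/bin/bash'

GROUP='root:x:0:
oracle:x:1000:
test:x:1001:test
students:x:1056:student1,student2,oracle'

# gid_name GID -> group name for GID, or empty if no group has that id
gid_name() {
    printf '%s\n' "$GROUP" | awk -F: -v gid="$1" '$3 == gid { print $1 }'
}

# user_groups USER -> "primary secondary..." as groups(1) prints it,
# "no-such-user" if USER is not in passwd, or "MISSING-PRIMARY-GID:<gid>"
# when the user's passwd entry points at a GID that no group line defines
user_groups() {
    pgid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    if [ -z "$pgid" ]; then echo "no-such-user"; return; fi
    primary=$(gid_name "$pgid")
    if [ -z "$primary" ]; then echo "MISSING-PRIMARY-GID:$pgid"; return; fi
    # secondary groups: every group line listing USER in the member field,
    # skipping the primary group (the UPG entry may list the user there too)
    secondary=$(printf '%s\n' "$GROUP" | awk -F: -v u="$1" -v p="$primary" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u && $1 != p) printf " %s", $1 }')
    echo "$primary$secondary"
}

# interactive_users -> space-separated users whose shell is not /sbin/nologin
interactive_users() {
    printf '%s\n' "$PASSWD" | awk -F: '$7 != "/sbin/nologin" {
        s = (s == "" ? $1 : s " " $1) } END { print s }'
}

for u in oracle test orphan; do
    printf '%-8s %s\n' "$u" "$(user_groups "$u")"
done
echo "interactive shells: $(interactive_users)"
```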

newgrp

The newgrp command executes a new shell and changes a user’s real group identification. The following example illustrates the group ID before and after running the command. It also illustrates that a new shell is executed.

$ id
uid=1000(oracle) gid=1000(oracle)
groups=1000(oracle),1066(students)... 

Note that the gid equals 1000(oracle).

$ ps
PID TTY TIME CMD
20279 pts/0 00:00:00 bash 
20411 pts/0 00:00:00 ps
$ newgrp students
$ id
uid=1000(oracle) gid=1066(students)
groups=1000(oracle),1066(students)...

Note that the gid now equals 1066(students). Also note that a new shell was executed:

$ ps
PID TTY TIME CMD
20279 pts/0 00:00:00 bash
20464 pts/0 00:00:00 bash
20486 pts/0 00:00:00 ps

The newgrp command does not recognize group ID numbers and you can only change your real group name to a group that you are a member of. Running the command without an argument sets the real group identification to the user’s primary group.

Password Configuration

Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is:

# chage [options] user_name

Enter the chage command, followed by a username, to display existing password aging values and make modifications. For example, to display and change values for user john, type (as user root):

# chage john
Changing the aging information for john
Enter the new value, or press ENTER for the default

 Minimum Password Age [0]: 
 Maximum Password Age [99999]: 
 Last Password Change (YYYY-MM-DD) [2018-03-24]: 
 Password Expiration Warning [7]: 
 Password Inactive [-1]: 
 Account Expiration Date (YYYY-MM-DD) [-1]: 

Password aging information is stored in the /etc/shadow file. To view the user john’s entry before making any changes:

# grep john /etc/shadow
john:$6$fJB4dWkt$...:17614:0:99999:7:::

Changing the minimum password age to 14 and the maximum password age to 30 means that the user must wait 14 days after a change before changing the password again, and must change it within 30 days of the last change. The new entry appears as:

# grep john /etc/shadow
john:$6$fJB4dWkt$...:17614:14:30:7:::

Based on this information, the user is warned to change his password seven days before the date the password expires. The INACTIVE directive is used to set the number of days of inactivity after a password has expired before the user account is locked. Setting INACTIVE to -1 disables this feature.

chage Options

A number of options are available for the chage command. To list aging information:

# chage -l john
Last password change     : Mar 24, 2018
Password expires     : never
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7

To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0. Example:

# chage -d 0 john

After login, the user is prompted to change his password.
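As an added example that is not from the original guide: a POSIX shell function that reads the aging fields of an /etc/shadow line as described in the /etc/shadow section (last change, minimum, maximum, warning, inactive) and reports whether the password is locked, forced to change at next login as chage -d 0 does, still valid, expired, or past its inactive period. The entries and the reference day number are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the aging fields of an
# /etc/shadow entry against a reference day, as a defender checking password
# policy would. Entries are constructed; day numbers count from 1970-01-01.

# field LINE N -> Nth colon-separated field of LINE (1-based), empty if absent
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_audit LINE TODAY -> one verdict for the entry:
#   locked        password field starts with ! or * (no password login possible)
#   must-change   last-change day is 0, as set by "chage -d 0 user"
#   inactive      password expired and the inactive grace period has also passed
#   expired       password is older than the maximum age
#   expires-in-N  N days until the maximum age is reached
#   no-expiry     maximum age is 99999 (effectively never)
shadow_audit() {
    line=$1; today=$2
    hash=$(field "$line" 2);   lastchg=$(field "$line" 3)
    maxage=$(field "$line" 5); inactive=$(field "$line" 7)
    case "$hash" in
        '!'*|'*'*) echo locked; return ;;
    esac
    if [ "$lastchg" -eq 0 ]; then echo must-change; return; fi
    if [ "${maxage:-99999}" -ge 99999 ]; then echo no-expiry; return; fi
    age=$((today - lastchg))
    if [ "$age" -le "$maxage" ]; then
        echo "expires-in-$((maxage - age))"
    elif [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
         && [ "$age" -gt $((maxage + inactive)) ]; then
        echo inactive
    else
        echo expired
    fi
}

# Constructed sample entries (hash values truncated, as in the guide)
ENTRY_TEST='test:$6$XBCDBQ...:17610:0:99999:7:::'
ENTRY_JOHN='john:$6$fJB4dWkt$...:17614:14:30:7:::'
ENTRY_SVC='svc:!!:17614:0:99999:7:::'

for e in "$ENTRY_TEST" "$ENTRY_JOHN" "$ENTRY_SVC"; do
    printf '%-6s %s\n' "$(field "$e" 1)" "$(shadow_audit "$e" 17630)"
done
```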

authconfig

The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:

# authconfig --test | grep hashing
    password hashing algorithm is sha512

To change the algorithm, use the --passalgo option with one of the following as its value: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option. For example, to change the algorithm to MD5:

# authconfig --passalgo=md5 --update