User and Group Management

Understanding Multi-user Systems
Linux is like a corporate office building
  • The System - the building itself
    provides security and stability
  • The Root User - the building owner/master architect
    full control over everything
    can fire and hire
  • Regular Users - employees with private offices
  • Groups - the departments

User Accounts: Regular Users vs. Root
User Type | User ID | Home Directory | Powers
Superuser (root) | 0 | /root | ignores permissions
Regular Users | usually starts at 1000 | /home/<username> | limited to home directory and public areas
System Users | between 1 and 999 (inclusive) | varies, often /nonexistent or /var/www | very specific limitations

  • root is the administrator
    rarely log in as root
    better to use sudo
  • UID 1000 is the first regular user
    first regular user automatically added to the sudo group
    sudo group allows requests for root powers to be granted
  • system users exist as background services
Creating and Managing Users: useradd, usermod, userdel
Ubuntu has two commands for creating users

Creating a User (useradd)
low-level standard Linux command
powerful but 'dumb'
creates the user but might not create a home directory or set a password

need to use sudo because adding a user changes the system
command to add Bob as a user

sudo useradd -m -s /bin/bash bob
  • -m - create a home directory for the user
  • -s /bin/bash - set the default shell to bash
  • bob - username
Creating a User (adduser)
script (specific to Debian/Ubuntu) that wraps around useradd
runs interactively
creates the home folder automatically
prompts to set a password immediately

Modifying a User (usermod)
sudo usermod -c "Bob Smith, Accounting" bob
  • -c - comment
  • Bob Smith, Accounting - the comment
  • bob - username

can also use usermod to lock and unlock user accounts
to lock an account
sudo usermod -L bob
to unlock an account
sudo usermod -U bob
Deleting a User (userdel)
to remove user access
sudo userdel bob
removes bob from system registry
does not delete the account's home directory
to delete the user and home directory
sudo userdel -r bob
Setting and Changing Passwords: passwd
when user bob was created he was not assigned a password
an account without a password is locked unless configured otherwise
to set a password use
sudo passwd bob
the system will ask for the password to be entered twice
> no password characters will appear on the screen

Changing Your Own Password
any user can change their password without using sudo
passwd
will ask for current password then the new one

Forcing a Password Change
to force bob to change his password
sudo passwd -e bob
-e flag is for expire
at bob's next login he will be prompted to make the change

Understanding /etc/passwd and /etc/shadow
when useradd is run the information is stored in simple text files

The User Registry: /etc/passwd
file contains the list of all users
readable by all users
cat /etc/passwd
the first and last lines of the file are
root:x:0:0:root:/root:/bin/bash 
...
bob:x:1001:1001:Bob Smith, Accounting:/home/bob:/bin/bash
each line consists of seven colon-separated fields
  1. Username (bob) - the login name
  2. Password (x) - passwords are kept in the shadow file
  3. UID (1001) - bob's numeric ID
  4. GID (1001) - ID of bob's primary group
  5. GECOS / Comment (Bob Smith, Accounting) - description
  6. Home Directory (/home/bob) - where bob starts after he logs in
  7. Shell (/bin/bash) - program which runs when bob opens a terminal
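Added example (not part of the original notes): a small audit script that parses /etc/passwd-format lines with the seven fields listed above and classifies each account by the UID ranges from the table (root, system, regular). It also flags two things worth checking on any system: a second UID 0 account besides root, and a system account that has an interactive shell. The sample lines are constructed for the example; point it at a real file with `audit_passwd < /etc/passwd`.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Constructed sample of /etc/passwd lines (not copied from a real system):
# the "toor" and "backup" entries are deliberately suspicious.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob Smith, Accounting:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/bash'

# classify_uid UID -> prints root, system or regular, using the UID ranges from the table
classify_uid() {
    if [ "$1" -eq 0 ]; then
        echo root
    elif [ "$1" -le 999 ]; then
        echo system
    else
        echo regular
    fi
}

# audit_passwd: reads passwd-format lines on stdin and prints "<name> <uid> <class> <flag>"
# flag is "-" or one of:
#   DUP_UID0  - an account other than root with UID 0 (it has full root powers)
#   SYS_SHELL - a system account with an interactive shell instead of nologin/false
audit_passwd() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        class=$(classify_uid "$uid")
        flag=-
        if [ "$class" = root ] && [ "$name" != root ]; then
            flag=DUP_UID0
        elif [ "$class" = system ]; then
            case "$shell" in
                */nologin|*/false) ;;
                *) flag=SYS_SHELL ;;
            esac
        fi
        printf '%s %s %s %s\n' "$name" "$uid" "$class" "$flag"
    done
}

# count_flagged: number of flagged accounts in SAMPLE_PASSWD
count_flagged() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | awk '$4 != "-" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample input the script flags "backup" (system UID with /bin/bash) and "toor" (UID 0 but not named root); everything else prints with a "-" flag.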

The Secret Vault: /etc/shadow
file contains actual encrypted passwords
readable only by root
sudo cat /etc/shadow
each output line contains seven colon-separated fields
bob:$6$kH...long_string...:19265:0:99999:7:::
  1. Username (bob)
  2. Encrypted Password - hashed with SHA-512
  3. Last Change - date of last password change
    stored as number of days since January 1, 1970
  4. Minimum Days (0) - time required between password changes
  5. Maximum Days (99999) - before password expires
  6. Warning Days - how many days before expiration to warn the user
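Added example (not part of the original notes): a script that reads /etc/shadow-format lines and reports the state of each password from the fields above, using the "Last Change" value in days since 1 January 1970 and the "Maximum Days" value to detect expired passwords, and the leading "!" or "*" in the hash field to detect locked accounts. An empty hash field is reported separately because it means no password is required at all. The sample lines and hashes are constructed placeholders; run it against the real file with `sudo sh -c 'audit_shadow "$(days_since_epoch)" < /etc/shadow'` after sourcing the functions.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Constructed sample /etc/shadow lines; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:*:19000:0:99999:7:::
bob:$6$PLACEHOLDER$NOT_A_REAL_HASH:19265:0:99999:7:::
carol:!$6$PLACEHOLDER$NOT_A_REAL_HASH:19100:0:90:7:::
dave:$6$PLACEHOLDER$NOT_A_REAL_HASH:19100:0:90:7:::
eve::19300:0:99999:7:::'

# days_since_epoch: today as days since 1 January 1970, the unit used in the "Last Change" field
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_status HASH LASTCHG MAXDAYS TODAY -> one word describing the password state
#   EMPTY   - empty hash field, so the account can be entered with no password at all
#   LOCKED  - hash starts with "!" (usermod -L) or "*" (no password ever set)
#   EXPIRED - more than MAXDAYS days have passed since the last change
#   OK      - otherwise
shadow_status() {
    pwhash=$1; lastchg=$2; maxdays=$3; today=$4
    case "$pwhash" in
        '') echo EMPTY; return 0 ;;
        '!'*|'*'*) echo LOCKED; return 0 ;;
    esac
    if [ -n "$lastchg" ] && [ -n "$maxdays" ] && [ $((today - lastchg)) -gt "$maxdays" ]; then
        echo EXPIRED
    else
        echo OK
    fi
}

# audit_shadow TODAY: reads shadow-format lines on stdin and prints "<name> <status>"
audit_shadow() {
    today=$1
    while IFS=: read -r name pwhash lastchg mindays maxdays warndays rest; do
        [ -z "$name" ] && continue
        printf '%s %s\n' "$name" "$(shadow_status "$pwhash" "$lastchg" "$maxdays" "$today")"
    done
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$(days_since_epoch)"
```

With "today" fixed at day 19300 the sample gives root LOCKED, bob OK, carol LOCKED, dave EXPIRED (200 days since the last change against a 90 day maximum) and eve EMPTY.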
Manual Editing
can edit these files with nano
probably shouldn't
use commands like usermod instead

Creating and Managing Groups: groupadd, groupmod, groupdel
Creating a Group (groupadd)
create new entry in the /etc/group file
sudo groupadd developers
Modifying a Group (groupmod)
to rename a group
sudo groupmod -n engineering developers
Deleting a Group (groupdel)
no longer a need for the group
sudo groupdel engineering
Adding Users to Groups: usermod -aG
add bob to the developers group
sudo usermod -aG developers bob
flags are critical
  • -G (Groups) specifies the list of groups bob belongs to
  • -a (Append)

use -aG (Append to Groups) to add a new group without deleting the existing ones

Verifying Group Membership
groups bob
bob : bob developers
output shows the two groups bob belongs to
bob is bob's primary group
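Added example (not part of the original notes): a script that rebuilds the output of `groups bob` from the two files behind it. The primary group comes from the GID field (field 4) of the user's /etc/passwd line; the supplementary groups are every /etc/group line whose member list (field 4) names the user. An `is_admin` check then answers the question from the sudoers section (is the user in the sudo group?). The passwd and group lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Constructed sample files (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001:Bob Smith, Accounting:/home/bob:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# /etc/group format: name:password:GID:comma-separated member list
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
bob:x:1001:
alice:x:1000:
developers:x:1002:bob,alice
engineering:x:1003:'

# primary_group USER: name of the group whose GID matches the user's GID field in passwd
primary_group() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1; exit }'
}

# supplementary_groups USER: groups that list USER in their member field (field 4)
supplementary_groups() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# user_groups USER: reproduce the "user : primary supp1 supp2" layout of `groups USER`
user_groups() {
    p=$(primary_group "$1") || return 1
    s=$(supplementary_groups "$1" | tr '\n' ' ')
    printf '%s : %s %s\n' "$1" "$p" "$s" | sed 's/ *$//'
}

# is_admin USER: succeeds when USER is in the sudo group (primary or supplementary)
is_admin() {
    user_groups "$1" | awk -v g=sudo '{ for (i = 3; i <= NF; i++) if ($i == g) found = 1 } END { exit !found }'
}

user_groups bob
user_groups alice
```

On the sample data `user_groups bob` prints "bob : bob developers" and `user_groups alice` prints "alice : alice sudo developers"; `is_admin alice` succeeds and `is_admin bob` fails.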
Switching Users: su and sudo
The Substitute User (su)
to switch users
su bob
enter bob's password to complete
the current directory doesn't change; to get to bob's home directory use
cd ~
to return to original user type exit
if su is entered without a username, system assumes you want to be root
will ask for password
on Ubuntu the root account is disabled by default
no password is set
security feature
su usually fails

The SuperUser DO (sudo)
sudo lets a user run a single command as root
every admin has their own password

Getting a Root Shell with sudo
use one of the commands below
sudo -i
sudo su
will ask for password
as root use extreme caution
to return to original user type exit

Configuring sudo Access: Understanding /etc/sudoers
bob can't use sudo
not listed in /etc/sudoers
The Sudo Group
any member of the sudo group can use the sudo command
first user (1000) is automatically added
to make bob an administrator
sudo usermod -aG sudo bob
never edit /etc/sudoers in vim or nano
always use
sudo visudo
opens file in a safe editor
when a save is attempted, it checks the file's syntax
if error found, save is refused

can use visudo to create granular permissions

Best Practices for User Account Security
Lock Unused Accounts
sudo usermod -L bob
Enforce Strong Passwords
can install a module called libpam-pwquality to force users to pick complex passwords

Disable Root Login
force everyone to use sudo
sudo commands are logged in /var/log/auth.log
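Added example (not part of the original notes): a script that reads /var/log/auth.log-style lines and pulls out the sudo entries, reporting for each one the user, whether the command ran or was refused (user not in sudoers, wrong password) and the command itself. A second filter lists the successful commands that change who can use sudo, which is what to watch after following the advice above. The log lines are constructed in the layout sudo and sshd write on Ubuntu; host "web01" and the users are invented. Run it on the real log with `sudo_events < /var/log/auth.log`.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Constructed sample of /var/log/auth.log lines in the layout sudo and sshd use on Ubuntu
# (host "web01" and the users are invented).
SAMPLE_AUTH_LOG='Mar  3 10:15:02 web01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:16:40 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  3 10:18:11 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:19:05 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:20:00 web01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar  3 10:21:30 web01 sshd[2210]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2'

# sudo_events: reads auth.log lines on stdin, keeps only sudo entries and prints
# "<user> <status> <command>" where status is OK, NOT_IN_SUDOERS or BAD_PASSWORD
sudo_events() {
    awk '
        / sudo: / {
            sub(/^.* sudo: +/, "")            # keep "<user> : <details> ; ... ; COMMAND=<cmd>"
            split($0, parts, " : ")
            user = parts[1]
            status = "OK"
            if ($0 ~ /user NOT in sudoers/) status = "NOT_IN_SUDOERS"
            else if ($0 ~ /incorrect password attempts/) status = "BAD_PASSWORD"
            cmd = $0
            sub(/^.*COMMAND=/, "", cmd)
            print user, status, cmd
        }'
}

# count_status STATUS: how many sudo events on stdin have the given status
count_status() {
    sudo_events | awk -v s="$1" '$2 == s { n++ } END { print n + 0 }'
}

# admin_changes: successful sudo commands that alter who can use sudo
# (edits of sudoers via visudo, or usermod adding someone to the sudo group)
admin_changes() {
    sudo_events | awk '$2 == "OK" && ($3 ~ /visudo$/ || $0 ~ /usermod .*sudo/)'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_events
printf '%s\n' "$SAMPLE_AUTH_LOG" | admin_changes
```

On the sample log this reports three successful commands, one refusal because bob was not yet in sudoers, one failed password attempt by carol, and two admin changes (alice's visudo and bob's usermod -aG sudo); the sshd line is ignored.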

Limit Sudo Access
standard permissions are safer

Clean Up Old Groups
when a project finishes delete the group

Use SSH
for remote access encourage users to use SSH Keys instead of passwords
they are significantly harder to hack

Summary
covered
  • hierarchy - root is owner, users are tenants
  • creation - adduser preferred over useradd
  • secrets - /etc/shadow stores encrypted passwords
  • teams - working with groups and users
  • power - difference between sudo and su
  • safety - use sudo visudo to edit /etc/sudoers

key points
  • useradd -m <user> - creates a new user with a home directory
  • passwd <user> - set or change password
  • usermod -aG <group> <user> - add user to group
  • userdel -r <user> - deletes a user and their home directory
  • /etc/passwd - stores readable user information
  • /etc/shadow - stores encrypted passwords
  • sudo - execute a command as another user (usually root)
  • visudo - only safe way to edit sudoers file