Users and Groups in Linux/Unix: Managing Access and Privileges for Multiple Users
Users and Groups
Linux/Unix operating systems have the ability to multitask in a manner similar to other operating systems. However, Linux’s major difference from other operating systems is its ability to have multiple users. Linux was designed to allow more than one user to have access to the system at the same time.
The user of the system is either a human being or an account used by specific applications identified by a unique numerical identification number called user ID (UID). Users within a group can have read permissions, write permissions, execute permissions or any combination of read/write/execute permissions for files owned by that group.
A group is an organization unit tying users together for a common purpose, which can be reading permissions, writing permission, or executing permission for files owned by that group. Similar to UID, each group is associated with a group ID (GID).
/etc/passwd
It stores user account information, which is required during login.It contains a list of the system's accounts, giving for each account some useful information like user ID, group ID, home directory, shell, etc. It should readable by many utilities, but write access only for the root user's.
Each entry on this file should be mentioned below ::
Note
ganapathi:x:501:501:Ganapathi Chidambaram:/home/ganapathi:/bin/bash
-
Username: It is username which is used to logs into the system. It should be between 1 and 32 characters in length.
-
Password: An x character indicates that password is encrypted and saved password would be available in /etc/shadow file.
-
User ID (UID): The numerical equivalent of the username which is referenced by the system and applications when determining access privileges.Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.And UID reservation range can be able to modify through /etc/login.defs.
-
Group ID (GID): The numerical equivalent of the primary group name which is referenced by the system and applications when determining access privileges.The primary group ID for the user.
-
User ID Info: The comment field. It allow you to add extra information about the users such as user's full name, phone number etc. This field use by finger command.
-
Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
-
Command/shell: The program automatically launched whenever a user logs in. This is usually a command interpreter (often called a shell). Under Red Hat Enterprise Linux, the default value is /bin/bash. If this field is left blank, /bin/sh is used. If it is set to a non-existent file, then the user will be unable to log into the system.
/etc/shadow
Individual users on the system are provided with shadow passwords. Encrypted password hashes are stored in here, which is readable only by the root user, and store information about password aging as well.
Each entry on this file should be mentioned below
Note
This line shows the following information for user ganapathi:
- The password was last changed February 11, 2005
- There is no minimum amount of time required before the password can be changed
- The password must be changed every 90 days
- The user will get a warning five days before the password must be changed
- The account will be disabled 30 days after the password expires if no login attempt is made
- The account will expire on November 9,2005.
-
Username: Username to login into the system.
-
Password: The 13 to 24 character password. The password is encrypted using either the crypt library function or the md5 hash algorithm. In this field, values other than a validly-formatted encrypted or hashed password are used to control user logins and to show the password status. For example, if the value is
!
or*
, the account is locked and the user is not allowed to log in. If the value is !! a password has never been set before (and the user, not having set a password, will not be able to log in). -
Last password change (lastchanged) : The number of days since January 1, 1970 (also called the epoch) that the password was last changed. This information is used in conjunction with the password aging fields that follow.
-
Minimum : The minimum number of days that must pass before the password can be changed.
-
Maximum : The number of days that must pass before the password must be changed.
-
Warn : The number of days before password expiration during which the user is warned of the impending expiration.
-
Inactive : The number of days after a password expires before the account will be disabled.
-
Expire : The date (stored as the number of days since the epoch) since the user account has been disabled.
/etc/group
It defines the groups to which users belong under Linux and UNIX operating system. Under Unix / Linux multiple users can be categorized into groups.The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks, printers, and other peripherals. This method, amongst others, also enables the Superuser to delegate some administrative tasks to normal users.
Each entry on this file should be mentioned below
Note
ganapathi:x:24:ganapathi,raja
-
group_name: It is the name of group. If you run ls -l command, you will see this name printed in the group field.
-
Password: Generally password is not used, hence it is empty/blank. It can store encrypted password. This is useful to implement privileged groups.
-
Group ID (GID): The numerical equivalent of the group name. It is used by the operating system and applications when determining access privileges.
-
Group List : It is a list of user names of users who are members of the group. The user names, must be separated by commas.
/etc/gshadow
Each Group on the system are provided with shadow passwords. Encrypted password hashes are stored in here, which is readable only by the root user group, and store information about password aging as well.
Each entry on this file should be mentioned below ::
Note
ganapathi:x:ganapathi:ganapathi,raja
-
Group name — The name of the group. Used by various utility programs as a human-readable identifier for the group.
-
Encrypted password — The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is !, then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of ! — however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group.
-
Group administrators — Group members listed here (in a comma delimited list) can add or remove group members using the gpasswd command.
-
Group members — Group members listed here (in a comma delimited list) are regular, non-administrative members of the group
/etc/login.defs
Under Linux password related utilities and config file(s) comes from shadow password suite.It defines the site-specific configuration for this suite.The lines consist of a configuration name and value, separated by whitespace.Absence of this file will not prevent system operation, but will probably result in undesirable operation.
Blank lines and comment lines are ignored. Comments are introduced with a “#” pound sign and the pound sign must be the first non-white character of the line.
Parameter values may be of four types: strings, booleans, numbers, and long numbers. A string is comprised of any printable characters. A boolean should be either the value “yes” or “no”. An undefined boolean parameter or one with a value other than these will be given a “no” value. Numbers (both regular and long) may be either decimal values, octal values (precede the value with “0”) or hexadecimal values (precede the value with “0x”). The maximum value of the regular and long numeric parameters is machine-dependent.
The following configuration items are provided:
-
CHFN_AUTH (boolean) : If yes, the chfn and chsh programs will require authentication before making any changes, unless run by the superuser.
-
CHFN_RESTRICT (string) : This parameter specifies which values in the gecos field of the /etc/passwd file may be changed by regular users using the chfn program. It can be any combination of letters f ,r, w, h, for Full name, Room number, Work phone, and Home phone, respectively. For backward compatibility, “yes” is equivalent to “rwh” and “no” is equivalent to “frwh”. If not specified, only the superuser can make any changes. The most restrictive setting is better achieved by not installing chfn SUID.
-
DEFAULT_HOME : Should login be allowed if we can't cd to the home directory?. Default in no.So change it as Yes for cd to the home directory.
-
ENCRYPT_METHOD : Encryption method for the password entered by the user.More complicated algorithm is used to difficult to brute forcing the password.
-
ENV_PATH & ENV_SUPATH - Default Environment path for normal user and super user login.This is must be defined to successful login of user into the system.
-
FAILLOG_ENABLE : Enable logging and display of /var/log/faillog login failure info.
-
LOGIN_RETRIES : Max number of login retries if password is bad. This will most likely be overriden by PAM, since the default pam_unix module has it's own built in of 3 retries. However, this is a safe fallback in case you are using an authentication module that does not enforce PAM_MAXTRIES.
-
LOGIN_TIMEOUT : Max time in seconds for login.
-
GID_MAX (number), GID_MIN (number) : Range of group IDs to choose from for the useradd and groupadd programs.
-
MAIL_DIR (string) : The mail spool directory. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted. If not specified, a compile-time default is used.
-
PASS_MAX_DAYS (number) : The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction).
-
PASS_MIN_DAYS (number) : The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, -1 will be assumed (which disables the restriction).
-
PASS_WARN_AGE (number) : The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
-
UID_MAX (number), UID_MIN (number) : Range of user IDs to choose from for the useradd program.
-
UMASK (number) : The permission mask is initialized to this value. If not specified, the permission mask will be initialized to 022.
-
USERDEL_CMD (string) : If defined, this command is run when removing a user. It should remove any at/cron/print jobs etc. owned by the user to be removed (passed as the first argument).
The following cross reference shows which programs in the shadow password suite use which parameters.
- chfn CHFN_AUTH CHFN_RESTRICT
- chsh CHFN_AUTH
- groupadd GID_MAX GID_MIN
- newusers PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UMASK
- pwconv PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
- useradd GID_MAX GID_MIN PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE UID_MAX UID_MIN UMASK
- userdel MAIL_DIR USERDEL_CMD
- usermod MAIL_DIR
Adding a New User
To create a new standard user, we should use the useradd
command and for the syntax is as follows:
These mentioned Process would happen for Every newly created user.
- Would create the Home Directory for the user.
- Copy the Below mentioned Files on their Home Directory.
- Would create the Mail Spool directory for the user.
- A group would create automatically in the same name of user.
adduser command is an interactive mode of user creation.Along with user creation would ask for password to set,and gecos information for the user(Full Name,Room Number,Work Phone,Home Phone) to store into /etc/passwd file.
Useradd Options
-
-d --home
home_dir will be used as the value for the user’s login directory
-
-e --expiredate
the date when the account will expire
-
-f --inactive
the number of days before the account expires
-
-k, --skel
The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by useradd.
This option is only valid if the -m (or --create-home) option is specified.
If this option is not set, the skeleton directory is defined by the SKEL variable in /etc/default/useradd or, by default, /etc/skel.
If possible, the ACLs and extended attributes are copied.
-
-K, --key KEY=VALUE
Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others).
Example:
-K PASS_MAX_DAYS=-1 can be used when creating system account to turn off password ageing, even though system account has no password at all. Multiple -K options can be specified, e.g.: -K UID_MIN=100-K UID_MAX=499
-
-k, --skel SKEL_DIR
The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by useradd.
This option is only valid if the -m (or --create-home) option is specified.
If this option is not set, the skeleton directory is defined by the SKEL variable in /etc/default/useradd or, by default, /etc/skel.
If possible, the ACLs and extended attributes are copied.
-
-m, --create-home
Create the user's home directory if it does not exist. The files and directories contained in the skeleton directory (which can be defined with the -k option) will be copied to the home directory.
By default, if this option is not specified and CREATE_HOME is not enabled, no home directories are created.
-
-M
Do no create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.
-
-N, --no-user-group
Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd.
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
-
-o, --non-unique
Allow the creation of a user account with a duplicate (non-unique) UID.
This option is only valid in combination with the -u option.
-
-p, --password PASSWORD
The encrypted password, as returned by crypt(3). The default is to disable the password.
Note: This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.
You should make sure the password respects the system's password policy.
-
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
-
-R, --root CHROOT_DIR
Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
-
-s, --shell SHELL
The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell specified by the SHELL variable in /etc/default/useradd, or an empty string by default.
-
-u, --uid UID
The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be non-negative. The default is to use the smallest ID value greater than or equal to UID_MIN and greater than every other user.
See also the -r option and the UID_MAX description.
-
-U, --user-group
Create a group with the same name as the user, and add the user to this group.
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
adduser Options
-
--conf FILE
Use FILE instead of /etc/adduser.conf.
-
--disabled-login
Do not run passwd to set the password. The user won't be able to use her account until the password is set.
-
--disabled-password
Like --disabled-login, but logins are still possible (for example using SSH RSA keys) but not using password authentication.
-
--force-badname
By default, user and group names are checked against the configurable regular expression NAME_REGEX (or NAME_REGEX_SYSTEM if --system is specified) specified in the configuration file. This option forces adduser and addgroup to apply only a weak check for validity of the name.
-
--gecos GECOS
Set the gecos field for the new entry generated. adduser will not ask for finger information if this option is given.
-
--gid ID
When creating a group, this option forces the new groupid to be the given number. When creating a user, this option will put the user in that group.
-
--group
When combined with --system, a group with the same name and ID as the system user is created. If not combined with --system, a group with the given name is created. This is the default action if the program is invoked as addgroup.
-
--home DIR
Use DIR as the user's home directory, rather than the default specified by the configuration file. If the directory does not exist, it is created and skeleton files are copied.
Adding a Group
To add a group to the system, use the command groupadd/addgroup and syntax as follows :
groupadd Options
-
-g
Group ID for the group, which must be unique and greater than 499
-
-r
Create a system group with a GID less than 500
-
-f
When used with -g
and already exists, groupadd will choose another unique for the group.
addgroup Options
-
-g
Group ID for the group, which must be unique and greater than 499
User Modification
By usermod command we can modify the existing available users on the system with help of below configuration.
-
-a, --append
Add the user to the supplementary group(s). Use only with the -G option.
-
-c, --comment COMMENT
The new value of the user's password file comment field. It is normally modified using the chfn(1) utility.
-
-d, --home HOME_DIR
The user's new login directory.
If the -m option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist.
-
-e, --expiredate EXPIRE_DATE
The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.
An empty EXPIRE_DATE argument will disable the expiration of the account.
This option requires a /etc/shadow file. A /etc/shadow entry will be created if there were none.
-
-f, --inactive INACTIVE
The number of days after a password expires until the account is permanently disabled.
A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature.
This option requires a /etc/shadow file. A /etc/shadow entry will be created if there were none.
-
-g, --gid GROUP
The group name or number of the user's new initial login group. The group must exist.
Any file from the user's home directory owned by the previous primary group of the user will be owned by this new group.
The group ownership of files outside of the user's home directory must be fixed manually.
-
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option.
If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via the -a option, which appends the user to the current supplementary group list.
-
-l, --login NEW_LOGIN
The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else is changed. In particular, the user's home directory or mail spool should probably be renamed manually to reflect the new login name.
-
-L, --lock
Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password. You can't use this option with -p or -U.
Note
if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.
-
-m, --move-home
Move the content of the user's home directory to the new location.
This option is only valid in combination with the -d (or --home) option.
usermod will try to adapt the ownership of the files and to copy the modes, ACL and extended attributes, but manual changes might be needed afterwards.
-
-o, --non-unique
When used with the -u option, this option allows to change the user ID to a non-unique value.
-
-p, --password PASSWORD
The encrypted password, as returned by crypt(3).
Note
This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.
The password will be written in the local /etc/passwd or /etc/shadow file. This might differ from the password database configured in your PAM configuration.
Password Aging
For security reasons, it is advisable to require users to change their passwords periodically.To configure password expiration for a user from a shell prompt, use the chage command, followed by an option which is mentioned below ,followed by the username of the user.
-
-m
Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
-
-M
Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-
-d
Specifies the number of days since January 1, 1970 the password was changed
-
-I
Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
-
-E
Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-
-W
Specifies the number of days before the password expiration date to warn the user.