Linux: Basic Command Introduction VI

User Management Related Commands

1) User management config file

1) User info config file: /etc/passwd

1) cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

output syntax:

username:password:UID:GID:GECOS:directory:shell

man 5 passwd

The command above opens the manual page for the passwd file format.

Because there is also a command called passwd, we have to specify manual section 5 (file formats).

2) Every single user will occupy a single line in this config file.

wc -l /etc/passwd
The command above can be used to count the number of users in the current system.

3) The password is not shown in the password field; it is marked as x instead.

4) Three kinds of users in Linux:

1) Super user (root, UID=0) -> More precisely, as long as the UID is 0, the user is the superuser no matter what its name is.

2) Normal user (UID=500~60000) -> When we use useradd to add a user, it is a normal user by default.

3) Dummy user (UID=1~499)

5) What is a dummy user?

1) Dummy users are related to system or program services.

    Like bin, daemon, shutdown, halt, etc. Every Linux system has these dummy users by default.

    Like mail, news, games, apache, ftp, mysql and sshd, etc. These are related to processes.

2) Dummy users don't have to, or even cannot, log in to the system because they may not have a password.

3) Dummy users may not have a home directory.

6) The GID is the default user group of the user.

1) A user can belong to more than one user group.

2) If a user belongs to a user group, he has all the permissions granted to that user group.

    Think of -rwxrwxrwx. The three letters in the middle are the user group's permissions.

3) There is no user who doesn't belong to any user group.

4) Every time we add a user, we can assign its user group explicitly. If not, the Linux OS assigns a user group for the user.

7) The GECOS field is the description of the current user. It is recommended to provide detailed info when we add a user.

8) Directory is the home directory of the current user. We can assign it explicitly. If not, the OS creates a directory named after the username under /home.
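
Added example, not the post's own code: the three account classes above checked against a constructed /etc/passwd sample, using the UID ranges the post gives (0, 1~499, 500~60000), the one-line-per-user count behind wc -l, and a check for any UID-0 account that is not named root.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (not a real system dump): one super user,
# three dummy users, two normal users, and a second UID-0 account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
davy:x:888:100:Apache user Davy:/backup:/bin/bash
kunlun:x:1001:1001::/home/kunlun:/bin/bash
toor:x:0:0:second admin account:/root:/bin/bash'

# classify_passwd < passwd-file
# Prints "class:username:uid" using the UID ranges given above:
#   super -> UID 0 (whatever the name), normal -> 500..60000, dummy -> 1..499
classify_passwd() {
    awk -F: '
        NF >= 7 {
            uid = $3 + 0
            if (uid == 0)                        cls = "super"
            else if (uid >= 500 && uid <= 60000) cls = "normal"
            else if (uid >= 1 && uid <= 499)     cls = "dummy"
            else                                 cls = "other"
            print cls ":" $1 ":" uid
        }'
}

# count_users < passwd-file : every account occupies exactly one line
count_users() {
    awk -F: 'NF >= 7 { n++ } END { print n + 0 }'
}

# extra_superusers < passwd-file : every UID-0 account other than root.
# Each one is a full superuser and should be explained or removed.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
```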

2) User password file: /etc/shadow

 1) cat /etc/shadow

root:****:15968:0:99999:7:::

Output syntax:

login-name:encrypted-password:date-of-last-password-change:minimum-password-age:maximum-password-age:password-warning-period:password-inactivity-period:account-expiration-date

2) If we delete the password for a user (with sudo), the user can log in to the system without typing a password.

3) date-of-last-password-change is counted in days starting from 1970-01-01.

4) When we add a user and set the password for the user, the password is recorded in /etc/passwd. Then execute "pwconv" to write the real password into /etc/shadow and replace the original password in /etc/passwd with x.

5) We can even manually edit /etc/passwd and /etc/shadow to add or delete users. That is how useradd works.
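
Added example, not the post's own code: reading the /etc/shadow fields listed above from constructed lines (the hashes are placeholders), turning the day count into a date, and spotting accounts that log in with no password, accounts that are locked, and passwords past their maximum age. It assumes GNU or busybox date for the "@seconds" form.

```shell
#!/bin/sh
# Constructed /etc/shadow sample in the field order
# login:encrypted-password:last-change:min-age:max-age:warn:inactive:expire:
SHADOW_DATA='root:$6$PLACEHOLDER$NOTAREALHASH:15968:0:99999:7:::
davy:$6$PLACEHOLDER$NOTAREALHASH:15900:0:90:7:::
guest::15968:0:99999:7:::
apache:!:15968:0:99999:7:::'

# days_to_date N : fields 3 and 8 are day counts since 1970-01-01
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# passwordless_accounts < shadow-file
# An empty encrypted-password field means login without any password.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# locked_accounts < shadow-file
# A field starting with ! or * can never match a typed password, so the
# account cannot log in with a password (typical for dummy/service users).
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# expired_passwords TODAY < shadow-file
# last-change + maximum-age is already in the past. TODAY is a day count,
# e.g. $(( $(date +%s) / 86400 )) on a live system.
expired_passwords() {
    awk -F: -v today="$1" '$5 != "" && $3 + $5 < today { print $1 }'
}
```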

3) User group info config file: /etc/group

4) User group password file: /etc/gshadow

5) User config files: /etc/login.defs; /etc/default/useradd

1)  cat /etc/login.defs

     Output sample:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000      ----> Minimum user id.
UID_MAX         60000     ----> Maximum user id.
GID_MIN         1000      ----> Minimum user group id.
GID_MAX         60000     ----> Maximum user group id.

DEFAULT_HOME    yes       ----> Should login be allowed if we can't cd to the home directory?

This file sets all the default config values for user login operations.

2) cat /etc/default/useradd

GROUP=100                 ----> The default group for a newly added user.

HOME=/home                ----> The default home dir.

INACTIVE=-1               ----> The number of days after a password expires until the account is permanently disabled.

EXPIRE=                   ----> The expiration date for the account.

CREATE_MAIL_SPOOL=yes

SHELL=/bin/sh

This file sets all the default config values for the useradd operation.

6) New user template directory: /etc/skel

1) When we manually modify the /etc/passwd and /etc/shadow files to add a user, there is one more step we have to do:

    copy the config files in the /etc/skel directory into the /home/newuser directory.

7) Login info files: /etc/motd; /etc/issue

1) cat /etc/issue

Ubuntu 12.04.2 LTS \n \l
Includes the OS name and version number. This info is shown every time we open the terminal, even before we log in.

We can change this file to change the welcome info.

2) cat /etc/motd

Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.5.0-23-generic i686)
Includes the OS name and version number. This info is shown every time we successfully log in to the system in a terminal. We can modify this file to change the post-login welcome info.

2) User management command

 1) The easiest way to create a user: simply type "useradd ***" and then type a password for this user.

      The problem is that we didn't assign a group for this user, so the OS creates a new group for this user named after the username.

 2) We can type "passwd" to change the password of the current user.

     We can type "passwd username" to change the password of the specified user.

     As only root has access to the password file, how can a non-root user change their own password?

administrator@ubuntu:~$ ls -ltr /usr/bin/passwd 
-rwsr-xr-x 1 root root 41284 Sep 13  2012 /usr/bin/passwd

    What does the s mean? --> If the x position is marked as s, that means SetUID.

3) SetUID: --> 4

    If an executable file is executed by another user and the owner's x position is marked as s, then that user runs it with the permissions of the file owner (usually root).

1) What if the "touch" command had its x position marked as s?

2) What if the "vi" command had its x position marked as s?

    That would be dangerous! Because any other user could use vi on any file in this system!

    Other users could vi /etc/passwd, vi /etc/shadow

2) How can we add the SetUID permission to a file or command?

administrator@ubuntu:~$ chmod u+s Test/Test.java
administrator@ubuntu:~$ ls -ltr Test/Test.java 
-rwSrw-r-- 1 administrator administrator 127 Oct 13 10:11 Test/Test.java
administrator@ubuntu:~$ ls -ltr Test/Test.java 
-rw-rw-r-- 1 administrator administrator 127 Oct 13 10:11 Test/Test.java
administrator@ubuntu:~$ chmod 4755 Test/Test.java 
administrator@ubuntu:~$ ls -ltr Test/Test.java 
-rwsr-xr-x 1 administrator administrator 127 Oct 13 10:11 Test/Test.java
administrator@ubuntu:~$ umask
0002

    Note that the 4 in 4755 means the SetUID permission.

    Also, in umask, the first digit 0 stands for the special permissions, which include SetUID.

    Also, the SetUID permission S is uppercase in Test/Test.java. Why?

    The uppercase S is a warning sign, because SetUID should only be assigned to executable files!

    If the file itself is not executable, there is no point in assigning SetUID to it.

4) SetGID:  --> 2

    If an executable file is executed by another user and the group's x position is marked as s, then that user runs it with the permissions of the file's owner group (usually the root group).

5) How to find all the files that have the s permission?

administrator@ubuntu:~$ find / -perm -4000 -o -perm -2000 | more
administrator@ubuntu:~$ find / -perm -0777 -o -perm -0755 | more

   -o --> means OR

6) Sticky:    --> 1

administrator@ubuntu:~$ mkdir temp
administrator@ubuntu:~$ chmod 777 temp
administrator@ubuntu:~$ touch temp/Test.java
administrator@ubuntu:~$ ls -ltr temp/
-rw-r--r-- 1 administrator administrator 0 Oct 17 22:35 Test.java
         The problem is that although we gave Test.java permission 644, we set the permission of temp/ to 777 at the same time.

  That means even though other people cannot write or execute Test.java, they can delete and rename this file.

  That is undesirable because we don't want other people touching the files we created, especially in the shared folder /tmp.

  Linux has a shared folder /tmp.

administrator@ubuntu:~$ ls -ld /tmp
drwxrwxrwt 13 root root 28672 Oct 17 16:14 /tmp

 Note the rwt in the others position.

1) Sticky only applies to directories whose permission is 777. Otherwise, sticky would be meaningless.

2) If sticky is set, everyone can create files in this directory,

    but they can only delete the files they created (files they own).
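
Added example, not the post's own code, covering the SetUID/SetGID section, the find command for s-bit files and the sticky section above: it builds a throwaway directory tree carrying each special bit (including the uppercase-S case of SetUID on a non-executable file), then audits it with find. The parentheses around the -o expression are an addition, needed once -type f is combined with it.

```shell
#!/bin/sh
# Build a scratch tree so the audit can run offline; the caller removes it.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$dir/suid_tool"
    chmod 4755 "$dir/suid_tool"      # -rwsr-xr-x : SetUID (4) on an executable
    printf '#!/bin/sh\necho hi\n' > "$dir/sgid_tool"
    chmod 2755 "$dir/sgid_tool"      # -rwxr-sr-x : SetGID (2) on an executable
    : > "$dir/notes.txt"
    chmod 4644 "$dir/notes.txt"      # -rwSr--r-- : SetUID with no x bit -> uppercase S
    mkdir "$dir/shared" "$dir/unsafe"
    chmod 1777 "$dir/shared"         # drwxrwxrwt : world-writable with sticky (1), like /tmp
    chmod 777 "$dir/unsafe"          # drwxrwxrwx : world-writable, anyone can delete others' files
    echo "$dir"
}

# Print "mode path" for every SetUID or SetGID file under $1.
# Without the parentheses, -type f would apply to the -perm -2000 branch only.
find_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $NF }' | sort -k2
}

# Print world-writable directories under $1 that lack the sticky bit:
# in those, any user can delete or rename files owned by other users.
find_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000
}
```

Note that notes.txt is reported too: -perm -4000 matches the bit whether or not the file is executable, which is exactly what an audit wants to see.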

3) User group management command

1) user group info file --> /etc/group

administrator@ubuntu:~$ cat /etc/group
root:x:0:root

#What does that mean?
man 5 group
group_name:passwd:GID:user_list

1) Q:  What is the group password used for?

    A:   It applies to users who don't belong to this group but want to operate as a member of it.

          After typing the group password, the user can temporarily act as a member of this group.
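
Added example, not the post's own code: resolving group membership from the /etc/group syntax above together with the GID field of /etc/passwd. A user's primary group is recorded only as a GID in passwd and is usually absent from the group's user_list, so grepping /etc/group alone misses it; both samples below are constructed.

```shell
#!/bin/sh
# Constructed samples (not a real system dump). On a live system replace them
# with the contents of /etc/passwd and /etc/group.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
davy:x:888:1001:Apache user Davy:/backup:/bin/bash
kunlun:x:1002:1002::/home/kunlun:/bin/bash'
GROUP_DATA='root:x:0:root
apache:x:1001:kunlun
leader:x:888:
kunlun:x:1002:
webadmin:x:892:davy,kunlun'

# groups_of USER : the primary group (matched by the GID field of passwd)
# plus every group whose user_list names USER, in /etc/group order.
groups_of() {
    gid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v g="$gid" '
        $3 == g { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# members_of GROUP : names from user_list plus every user whose primary GID
# is this group, which "grep GROUP /etc/group" alone would miss.
members_of() {
    gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1 == g { print $3 }')
    {
        printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$PASSWD_DATA" | awk -F: -v g="$gid" '$4 == g { print $1 }'
    } | sort -u
}
```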

2) groupadd

administrator@ubuntu:~$ sudo groupadd webadmin
administrator@ubuntu:~$ grep webadmin /etc/group
webadmin:x:892:
administrator@ubuntu:~$ sudo groupadd -g 888 leader
administrator@ubuntu:~$ grep leader /etc/group
leader:x:888:
 3) groupdel
administrator@ubuntu:~$ groupdel webadmin
administrator@ubuntu:~$ grep webadmin /etc/group
total 0
 4) groupmod 
administrator@ubuntu:~$ groupmod -n apache leader
#Modify the group name leader to apache
 5) useradd 
administrator@ubuntu:~$ useradd kunlun
administrator@ubuntu:~$ grep kunlun /etc/passwd
...
#useradd -D is the same as cat /etc/default/useradd
#It shows the default info applied to newly added users
administrator@ubuntu:~$ sudo useradd -D
administrator@ubuntu:~$ sudo cat /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

# -u: assign a specific UID (must not already exist)
# -g: assign the primary group for the user.
# -G: assign several supplementary groups for the user. One user can belong to many groups.
# -d: assign the home folder for the user, default is under /home
# -s: assign the login shell for the user, default /bin/bash
# -c: description for the user. Use "" if the description contains spaces.
# -e: assign the expiration date for the user
administrator@ubuntu:~$ useradd \
  -u 888 \
  -g apache \
  -d /backup \
  -s /bin/bash \
  -c "Apache user Davy" \
  -e 2013-11-21 \
  davy
administrator@ubuntu:~$ passwd davy
***
 6) usermod
# -G: add user Davy to the group apache
administrator@ubuntu:~$ usermod -G apache Davy

# -g: change the user's primary group
# -l: modify the user name
# -d: modify the home directory
administrator@ubuntu:~$ usermod -l davy -d /home/davy -g apache Davy

# modify the username from davy to Davy
administrator@ubuntu:~$ usermod -l Davy davy
 7) gpasswd
# -a: add a user to the user group
# -d: delete a user from the user group
# -A: set an administrator for the user group
# -r: delete the user group password
# -R: forbid users from acting as members of this group by typing the group password
administrator@ubuntu:~$ gpasswd -a Davy apache
administrator@ubuntu:~$ gpasswd -r apache
# set a password for group apache
administrator@ubuntu:~$ gpasswd apache
 8) newgrp
# switch user from administrator to davy
administrator@ubuntu:~$ su - davy

# switch davy's current group to administrator
davy@ubuntu:~$ newgrp administrator
password: ***

4) Add batch user

5) User permission authentication


Reposted from davyjones2010.iteye.com/blog/1956177