Whether on a corporate server or personal desktop machine, managing user accounts is an important aspect of running a Linux system. The root, or superuser, account is established when you first install Linux. Unlike single-user systems (such as MS-DOS), multiuser systems require the notion of an owner for files, processes, and other system objects. An owner may be a human system user or a system service, such as a web server. Each of these owners is differentiated from others by a unique user account, which is assigned to it by the system administrator.
When a new user account is added to a Linux system, an entry is added to a list of users in the password file, which is stored in /etc/passwd. This file gets its name from its original use, which was to store user information including an encrypted form of the user's password. The password file is in plain text and is readable by everyone on the system. Each line in the password file contains information for a single user account, with fields separated by colons as illustrated in Figure 18-1.
Each line in the file contains information for a single system account and contains the following pieces of information in colon-separated fields:
The first field on a line is a unique username for the person or service using the account.
Each username has an associated password. The password stored in this field is in a hashed (unreadable and unrecoverable) form. Despite the hash, for security reasons, most systems now store user passwords in a separate /etc/shadow file that has restricted permissions. If the password is not included, its field is filled by the letter x, which indicates that the shadow password system is in use.
Each username requires a unique user identifier, or UID. The UID is simply a nonnegative integer. The root account is assigned the UID of 0, which gives it global privilege on the system. By convention, the UID values from 0 to 99 are reserved for administrative use; those over 99 are for regular system users. It's not unusual for new system accounts to start at 500.
Each username has a default group identifier, or GID. The GID is also a nonnegative integer. Groups are a way of allowing users to share files through mutual group membership. Group numbers and their associated names are specified in the /etc/group file. The GID stored for each user in /etc/passwd is its default group ID, though a user may belong to many groups.
The user's full name or other information is stored as plain text. This field may contain spaces.
The home directory is the default directory in the filesystem for the user's account. If a new account is meant for a person, a home directory will probably be created in the filesystem with standard configuration files that the user may then personalize. The full path to that home directory is listed here.
This field specifies the default shell for the user or service, which is the shell that runs when the user logs in or opens a shell window. In most cases, the shell will be /bin/bash, but it can be any shell, or even another executable program. (Nonshell entries may be seen in the case of some services that should own files but never log in interactively. You may see the shell field filled with /bin/false, a small program that does nothing but yield an error and terminate. This ensures that a service account is secured from login.)
Looking back at Figure 18-1, the first line shows the definition of the root account with UID and GID of 0, a name of root, a home directory of /root, and a default shell of /bin/bash. The second line shows a standard user account for Jeff Dean, with UID and GID of 500. The home directory is /home/jdean and the default shell is /bin/tcsh.
In addition to ownership by individual system users, filesystem objects have separate ownership settings for groups of users. This group ownership allows an additional level of user-specific access control beyond that of a file's individual owner. Groups are similar to users in their administration and are defined in the file /etc/group. Like the passwd file, the group file contains colon-separated fields:
Each group must have a unique name.
Just as user accounts have passwords, groups can have passwords for their membership. If the password field is empty, the group does not require a password.
Each group requires a unique GID. Like a UID, a GID is a nonnegative integer.
The last field is a list of group members by username, separated by commas.
Together, these pieces of information define a group; colons separate the fields. Here are a few sample lines from a group file:
root:x:0:root
pppusers:x:230:jdean,jdoe
finance:x:300:jdean,jdoe,bsmith
jdean:x:500:
jdoe:x:501:
bsmith:x:502:
In this example, both jdean and jdoe are members of the pppusers group (GID 230), and jdean, jdoe, and bsmith are all members of the finance group (GID 300). The remaining groups, root, jdean, jdoe, and bsmith, are single-user groups. These groups are not intended for multiple users and do not contain additional members. For security purposes, it is common to create new users with their own personal single-user group. Doing this enhances security because new files and directories will not have group privileges for other users. (Although the GID of these single-user groups may match the UID of the user for which they're created, there is no direct relationship between the UID and GID.)
Encrypted passwords must be secure from all users on the system, while leaving the remainder of the information in /etc/passwd world-readable. To do this, the encrypted password is moved to a new file that shadows the password file line for line. The file is aptly called /etc/shadow and is generally said to contain shadow passwords . Here are a couple of example lines from a shadow file:
root:$1$oxEaSzzdXZESTGTU:10927:0:99999:7:-1:-1:134538444
jdean:$1$IviLopPn461z47J:10927:0:99999:7::11688:134538412
The first two fields contain the username and the encrypted password. The remaining fields contain optional password-aging information.
Just as user accounts listed in /etc/passwd are protected by encrypted passwords, groups listed in /etc/group can also be protected by passwords. A group password can be used to allow access to a group by a user account that is not actually a member of the group. Account users can use the newgrp command to change their default group and enter the group password. If the password is correct, the account is granted the group privileges, just as a group member would be.
The group definition file, like the password file, is readable by everyone on the system. If group passwords are stored there, a dictionary attack could be made against them. To protect against such attacks, passwords in /etc/group can be shadowed. The protected passwords are stored in /etc/gshadow, which is readable only by root. Here are a few sample lines from a gshadow file:
root:::root
pppusers:!::
finance:0cf7ipLtpSBGg::
jdean:!::
jdoe:!::
bsmith:!::
In this example, the groups pppusers, jdean, jdoe, and bsmith do not have group passwords, as indicated by the ! in the password field. The finance group is the only one with a password, which is hashed.
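The following is an added example, not part of the original chapter, that parses the colon-separated /etc/passwd and /etc/group formats described above on constructed sample data modelled on the page's examples: it resolves a user's default and supplementary groups, and audits for a hash or empty password left in a world-readable file and for a second UID 0 account. The sample entries (apache, backup, the placeholder hash) are constructed.

```python
# Constructed sample files modelled on the page's examples; not real system data.
PASSWD = """root:x:0:0:root:/root:/bin/bash
jdean:x:500:500:Jeff Dean:/home/jdean:/bin/tcsh
jdoe:x:501:501:Jane Doe:/home/jdoe:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
backup:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:0:0:backup:/root:/bin/bash
"""
GROUP = """root:x:0:root
pppusers:x:230:jdean,jdoe
finance:0cf7ipLtpSBGg:300:jdean,jdoe,bsmith
jdean:x:500:
jdoe:x:501:
"""


def parse_colon_file(text, nfields):
    """Split each non-empty line into exactly nfields colon-separated fields."""
    rows = [line.split(":") for line in text.splitlines() if line.strip()]
    bad = [r for r in rows if len(r) != nfields]
    if bad:
        raise ValueError(f"malformed line(s): {bad}")
    return rows


def groups_of(user, passwd_text=PASSWD, group_text=GROUP):
    """Default group (the GID in passwd) plus every group whose member list names the user."""
    passwd_rows = parse_colon_file(passwd_text, 7)
    group_rows = parse_colon_file(group_text, 4)
    gid_to_name = {gid: name for name, _pw, gid, _m in group_rows}
    default_gid = next(row[3] for row in passwd_rows if row[0] == user)
    names = {gid_to_name.get(default_gid, default_gid)}
    names.update(name for name, _pw, _gid, members in group_rows
                 if user in members.split(","))
    return sorted(names)


def audit(passwd_text=PASSWD, group_text=GROUP):
    """Flag hashes left in world-readable files and extra UID 0 accounts."""
    findings = []
    for name, pw, uid, _gid, _gecos, _home, _shell in parse_colon_file(passwd_text, 7):
        if pw not in ("x", "*", "!"):  # anything else is a hash or an empty password
            findings.append(f"passwd: {name} password field is not shadowed")
        if uid == "0" and name != "root":
            findings.append(f"passwd: {name} has UID 0 but is not root")
    for name, pw, _gid, _members in parse_colon_file(group_text, 4):
        if pw not in ("x", "", "!"):  # a hash here is open to dictionary attack
            findings.append(f"group: {name} password hash is not in /etc/gshadow")
    return findings
```

On a real system, pass the contents of the files themselves to audit() instead of the constructed samples.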
Although possible, it is rarely necessary (or advised) to manipulate the account and group definition files manually with a text editor. Instead, a family of convenient administrative commands is available for managing accounts, groups, password shadowing, group shadowing, and password aging. Password aging (rules governing change intervals and automated expiration of passwords) is not an explicit Objective for the LPIC Level 1 Exams.
useradd

useradd [options] user

Create the account user on the system. Both system defaults and the specified options define how the account is configured. All system account files are updated as required. An initial password must subsequently be set for new users using the passwd command. It is the user's responsibility to change that password at first login.

Frequently used options:

-c comment
Define the comment field, probably the user's name.

-d homedir
Use homedir as the user's home directory.

-m
Create and populate the home directory.

-s shell
Use shell as the default for the account.

-D
List (and optionally change) system default values.

Add a new user, bsmith, with all default settings:

# useradd bsmith

Add a new user, jdoe, with a name, default home directory, and the tcsh shell:

# useradd -mc "Jane Doe" -s /bin/tcsh jdoe
usermod

usermod [options] user

Modify an existing user account. The usermod command accepts many of the same options useradd does.

Frequently used options:

-L
Lock the password, disabling the account.

-U
Unlock the user's password, enabling the user to once again log in to the system.

Change jdoe's name in the comment field:

# usermod -c "Jane Deer-Doe" jdoe

Lock the password for bsmith:

# usermod -L bsmith
userdel

userdel [-r] user

Delete an existing user account. When combined with the -r option, the user's home directory is deleted. Note that completely deleting accounts may lead to confusion when files owned by the deleted user remain in other system directories. For this reason, it is common to disable an account rather than delete it. Accounts can be disabled using the chage, usermod, and passwd commands.

Delete the user bsmith, including the home directory:

# userdel -r bsmith
groupadd
groupmod
groupdel
passwd
gpasswd