Sunday, 25 October 2015, 06:02

 User and Group Management in Linux

 

 

 

Linux files responsible for user management

/etc/shadow Stores each user's password hash and password-aging fields (crypt format; the sample entry below uses MD5, "$1$", while newer systems default to SHA-512, "$6$", as the login.defs listing further down shows)
/etc/passwd Stores all user account information
/etc/gshadow Stores the group password hashes
/etc/group Stores all group information
 
 
 
 
 
Understanding /etc/passwd
The full account information is stored in the /etc/passwd file. This file contains a record per system user account and has the following format (fields are delimited by a colon).


[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]

 

Understanding /etc/shadow

Each line of /etc/shadow describes one account, with fields delimited by a colon. A sample entry:

 mithz:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:12825:0:99999:5:30:13096: 
  1. Username (mithz) : Login user name.
  2. Password ($6$sTgBhfj0$pkzz/JpVTk./d4SDarljywUH8/TgNzL5rxtFlpsIsyi.i1) : The password hash in crypt(3) format; the prefix identifies the algorithm ($6$ is SHA-512, and the $1$ hash in the sample line above is MD5). A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a "*" or "!" entry (eg. :*:) indicates the account has been disabled or locked.
  3. Last changed date (12825) : Date of the last password change, stored as days since 1970-01-01.
  4. Minimum days (0) : Minimum number of days that must pass after a password change before the user may change it again.
  5. Maximum days (99999) : Number of days the password stays valid before the user must change it.
  6. Warn days (7; 5 in the sample line) : How many days before expiry the user is warned to change the password.
  7. Inactive days (empty; 30 in the sample line) : Number of days after the password expires during which the user can still log in and set a new one; after that the account is disabled.
  8. Expire date (empty; 13096 in the sample line) : Day, counted since 1970-01-01, on which the account is disabled and the user can no longer log in, regardless of the password's state.
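As an added example (not part of the original post), the following Python script parses /etc/shadow records into the eight fields described above, converts the day counts to calendar dates, classifies the password field (empty, locked, disabled, or hashed with which algorithm) and lists the entries a reviewer would want to look at first. The sample records are constructed for this example (the first is the mithz line from the post, the others are made up, including a placeholder hash), and reading the real file requires root.

```python
# Added example: parse /etc/shadow records and classify their password field.
# The sample records below are constructed for this example; on a real host run
# audit_shadow(open("/etc/shadow").read().splitlines()) as root.
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

# crypt(3) hashes look like "$id$salt$hash"; the id selects the algorithm.
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}

SAMPLE_SHADOW = """\
mithz:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:12825:0:99999:5:30:13096:
test:$6$sTgBhfj0$pkzz/JpVTk./d4SDarljywUH8/TgNzL5rxtFlpsIsyi.i1:14357:0:99999:7:::
nikki::14357:0:99999:7:::
vinita:!!:14357:0:99999:7:::
locked:!$6$abc$placeholderhash:14357:0:10:7:10:14395:
"""

def days_to_date(field: str) -> Optional[date]:
    """Convert a 'days since 1970-01-01' field to a date; '' or -1 means unset."""
    if field in ("", "-1"):
        return None
    return EPOCH + timedelta(days=int(field))

def classify_password(field: str) -> str:
    """Describe the second field the way the numbered list above does."""
    if field == "":
        return "EMPTY: no password required to log in"
    if field == "!!":
        return "no password set yet (locked until passwd is run)"
    if field.startswith("!"):
        return "locked with usermod -L / passwd -l"
    if field == "*":
        return "disabled"
    if field.startswith("$"):
        algo = HASH_IDS.get(field.split("$")[1], "unknown")
        return f"hashed ({algo})"
    return "legacy DES or invalid"

def _num(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_shadow(line: str) -> dict:
    """Split one record into the fields described above (empty = unset)."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError(f"malformed shadow entry: {line!r}")
    return {
        "user": f[0],
        "password": classify_password(f[1]),
        "last_change": days_to_date(f[2]),
        "min_days": _num(f[3]),
        "max_days": _num(f[4]),
        "warn_days": _num(f[5]),
        "inactive_days": _num(f[6]),
        "expire": days_to_date(f[7]),
    }

def audit_shadow(lines) -> list:
    """Return (user, finding) pairs for the entries a reviewer should look at."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_shadow(line)
        if rec["password"].startswith("EMPTY"):
            findings.append((rec["user"], "empty password field"))
        elif rec["password"].startswith("hashed"):
            if "md5" in rec["password"]:
                findings.append((rec["user"], "MD5 hash; set ENCRYPT_METHOD SHA512 and have the password changed"))
            if rec["max_days"] is None or rec["max_days"] >= 99999:
                findings.append((rec["user"], "password never expires (max days 99999)"))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        rec = parse_shadow(line)
        print(f"{rec['user']:8} {rec['password']:50} last change {rec['last_change']}")
    for user, finding in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"FLAG {user}: {finding}")
```

Locked and disabled accounts are deliberately not flagged for "never expires": system accounts normally carry "*" or "!" and an expiry policy does not apply to them.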

 

Useradd Command

useradd is used to create a user. Several options are used with the useradd command, but you will learn about them in our next assignments. In this assignment you are going to learn what exactly happens in these files when a new user is added. First watch carefully the last lines of these files.

Add a user.

#useradd vinita
#passwd vinita 
If you do not set a password for a user, the account remains in a locked state.

When a new user account is added to the system, the following operations are performed.


1. His/her home directory is created (/home/username by default).
2. The following hidden files are copied into the user’s home directory, and will be used to provide environment variables for his/her user session.
 
.bash_logout
.bash_profile
.bashrc
 
3. A mail spool is created for the user at /var/spool/mail/username.
4. A group is created and given the same name as the new user account.

  

An example with an explicit UID, home directory, comment and shell:
#useradd jishnu -u 504 -d /home/jishnu -c second-admin -s /bin/bash

How to create a user without a password.

To create a user without a password, create the account and then delete its password with the -d switch of passwd (the account can then log in with no password at all, which is usually a bad idea).
#useradd nikki
#passwd -d nikki 
 
 

Usermod Command

The Linux command “usermod” is used to modify a user’s information. The files that may be affected during this operation are /etc/passwd (user account information), /etc/shadow (secure account information) and /etc/group (group information). Only root/super user can use this command.
usermod [-c comment] [-d home_dir [-m]] [-e expire_date] [-f inactive_time]
[-g initial_group] [-G group [,...]] [-l login_name] [-p passwd]
[-s shell] [-u uid [-o]] [-L|-U] login
In this article, we will go through some example usages of the “usermod” command which will help you to learn these options in detail. First we create a user “test” using useradd. In order to view user information, we can use the “id” command.
# id test
uid=501(test) gid=501(test) groups=501(test)

Example 1: Changing the home directory of user “test”

Suppose the current home directory of the user “test” is /home/test and you want to change it to the existing directory /home/testnew without copying the contents of /home/test; you can use the following command.
#usermod -d /home/testnew test
If you want to move the contents of /home/test as well (if the new directory doesn’t exist, it will be created and the contents moved), you need to use the option “-m”.
#usermod -d /home/testnew -m test

Example 2: Adding groups to a user

When a user is added using the “useradd” command without specifying a group, a group with the same name as the user is created. This is the primary group of the user. You can add the user to as many supplementary groups as you need using the option “-G”, as follows.
Suppose you need to add the group “developer” to the user “test”; you can add it as follows.
#usermod -G developer test
Please note that if you added the user to other groups earlier (other than the primary group), the above command removes those memberships, because -G replaces the whole supplementary group list.
So, if you want to preserve the current groups of the user and add one more group, you need to use the option -aG as follows.
#usermod -aG developer test
# id test
uid=501(test) gid=501(test) groups=501(test),506(pros),508(developer)

Example 3: Changing the primary group of a user

If you want to make a group the primary group of the user, you can do it as follows.
# usermod -g developer test
# id test
uid=501(test) gid=508(developer) groups=508(developer),506(pros)

Example 4: Locking and Unlocking users

In some cases, you may need to temporarily lock the account. This can be done with the “-L” option. This puts a '!' in front of the password hash in /etc/shadow, so no password can match and the password is effectively disabled (other login methods, such as SSH keys, are not affected).
# usermod -L test
The user can be unlocked as follows, which removes the '!' in front of the password hash.
# usermod -U test

Example 5: Changing the expiry date of an account

You can use the following command to disable the account “test” on 2012-12-01.
# usermod -e 2012-12-01 test

Example 6: Changing login name and password using usermod

You can change the login name itself using the -l switch.
# usermod -l newtest test
# id test
id: test: No such user
# id newtest
uid=501(newtest) gid=508(developer) groups=508(developer),506(pros)
You can change the password as follows.
# usermod -p newpass newtest
Note that -p expects an already-hashed value (the crypt(3) string that is written to /etc/shadow), not a plaintext password, and a password given on the command line ends up in the shell history and the process list; prefer “passwd newtest”, which prompts for the password.

Example 7: Changing the shell of a user

The “shell” provided to a user can be changed as follows. This will change the shell of the “newtest” user to “/bin/bash”.
# usermod -s /bin/bash newtest


 


Chage Command (Change Aging)


1. List the password and its related details for a user

As shown below, any user can execute the chage command for himself to identify when his password is about to expire.
Syntax: chage --list username (or) chage -l username

$ chage --list dhinesh
Last password change                                    : Apr 01, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
If user dhinesh tries to execute the same command for user ramesh, he’ll get the following permission denied message.
$ chage --list ramesh
chage: permission denied
Note: However, a root user can execute the chage command for any user account.

When user dhinesh changes his password on Apr 23rd 2009, it will update the “Last password change” value as shown below.
$ date
Thu Apr 23 00:15:20 PDT 2009

$ passwd dhinesh
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

$ chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

2. Set Password Expiry Date for a user using chage option -M

The root user (system administrator) can set the password expiry date for any user. In the following example, user dhinesh's password is set to expire 10 days from the last password change. Please note that option -M will update both the “Password expires” and “Maximum number of days between password change” entries as shown below.
Syntax: # chage -M number-of-days username

# chage -M 10 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

3. Password Expiry Warning message during login

By default the number of days of warning before the password expires is set to 7. So, in the above example, when the user dhinesh tries to log in on Apr 30, 2009 (three days before the May 03 expiry), he’ll get the following message.
$ ssh dhinesh@testingserver
dhinesh@testingserver's password:
Warning: your password will expire in 3 days

4. User Forced to Change Password after Expiry Date

If the password expiry date is reached and the user hasn’t changed their password, the system forces the user to change the password before completing the login, as shown below.
$ ssh dhinesh@testingserver
dhinesh@testingserver's password:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for dhinesh
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:

5. Set the Account Expiry Date for a user

You can also use the chage command to set the account expiry date, as shown below, using option -E. The date is given in “YYYY-MM-DD” format. This updates the “Account expires” value as shown below.
# chage -E "2009-05-31" dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

6. Force the user account to be locked after X days of inactivity

Typically, if the password has expired, users are forced to change it during their next login. You can also set an additional condition: if the password has expired and the user does not log in within 10 days, the account is locked automatically, using option -I as shown below. In this example, the “Password inactive” date is set to 10 days after the “Password expires” value. Once an account is locked, only system administrators will be able to unlock it.
# chage -I 10 dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : May 13, 2009
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

7. How to disable password aging for a user account

To turn off password expiration for a user account, set the following:
  • -m 0 will set the minimum number of days between password change to 0
  • -M 99999 will set the maximum number of days between password change to 99999
  • -I -1 (number minus one) will set the “Password inactive” to never
  • -E -1 (number minus one) will set “Account expires” to never.
# chage -m 0 -M 99999 -I -1 -E -1 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
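The chage walkthrough above is pure date arithmetic over the numeric fields stored in /etc/shadow. As an added example (not part of the original post), the following Python code reproduces the “chage --list” report from those fields and works out what the login prompt would do on a given day (warning, forced change, or locked), using the same dates as the walkthrough. The sentinel handling (99999 and -1 meaning “never”) follows what the post shows; the function names are this example's own.

```python
# Added example: compute the "chage --list" report and the login-time password
# status from the numeric /etc/shadow aging fields.  Values are constructed to
# match the walkthrough above (last change Apr 23, 2009; -M 10; -I 10; -E 2009-05-31).
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
NEVER = "never"

def to_days(iso: str) -> int:
    """'YYYY-MM-DD' -> days since 1970-01-01, the unit /etc/shadow stores."""
    return (date.fromisoformat(iso) - EPOCH).days

def fmt(d: date) -> str:
    """Format a date the way chage prints it, e.g. 'May 03, 2009'."""
    return d.strftime("%b %d, %Y")

def aging_report(lastchg: int, min_days: int = 0, max_days: int = 99999,
                 warn: int = 7, inactive: int = -1, expire: int = -1) -> dict:
    """Return the seven 'chage --list' lines as a dict of strings.

    Arguments use the shadow units and sentinels: lastchg and expire are day
    counts (expire -1 = never), max_days 99999 = never, inactive -1 = never.
    """
    last = EPOCH + timedelta(days=lastchg)
    pw_expires: Optional[date] = None
    if max_days is not None and max_days < 99999:
        pw_expires = last + timedelta(days=max_days)          # -M
    pw_inactive: Optional[date] = None
    if pw_expires is not None and inactive is not None and inactive >= 0:
        pw_inactive = pw_expires + timedelta(days=inactive)   # -I, counted from expiry
    acct_expires: Optional[date] = None
    if expire is not None and expire >= 0:
        acct_expires = EPOCH + timedelta(days=expire)         # -E
    return {
        "Last password change": fmt(last),
        "Password expires": fmt(pw_expires) if pw_expires else NEVER,
        "Password inactive": fmt(pw_inactive) if pw_inactive else NEVER,
        "Account expires": fmt(acct_expires) if acct_expires else NEVER,
        "Minimum number of days between password change": str(min_days),
        "Maximum number of days between password change": str(max_days),
        "Number of days of warning before password expires": str(warn),
    }

def password_status(today_iso: str, lastchg: int, max_days: int = 99999,
                    warn: int = 7, inactive: int = -1) -> str:
    """What login does on `today`: 'ok', 'warn (N days)', 'must change' or 'locked'."""
    today = date.fromisoformat(today_iso)
    if max_days is None or max_days >= 99999:
        return "ok"
    expires = EPOCH + timedelta(days=lastchg + max_days)
    if today < expires:
        left = (expires - today).days
        return f"warn ({left} days)" if left <= warn else "ok"
    if inactive is not None and inactive >= 0 and today >= expires + timedelta(days=inactive):
        return "locked"
    return "must change"

if __name__ == "__main__":
    lc = to_days("2009-04-23")
    for k, v in aging_report(lc, 0, 10, 7, 10, to_days("2009-05-31")).items():
        print(f"{k:55}: {v}")
    for day in ("2009-04-24", "2009-04-30", "2009-05-05", "2009-05-13"):
        print(day, "->", password_status(day, lc, 10, 7, 10))
```

Running the report with the “disable aging” values from step 7 (max 99999, inactive -1, expire -1) yields “never” for all three date lines, matching the last listing above.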



How to delete a user

The userdel command is used to delete a user. When a user is deleted, the user's primary group is automatically deleted as well, so a following groupdel reports that the group no longer exists.
#userdel nikki
#groupdel nikki
groupdel: group nikki does not exist.

Whenever you delete a user with the userdel command, the user's entries are removed from these files, but the user's home folder and mail folder are not deleted, as you can see in the image. If you want to completely remove the user, including his home folder and mail folder, use the -r switch with the userdel command.

Remove a user with all related files (home dir, mail box):

userdel -r username



ADDITIONAL INFO :-)

Q: How do you know what default values would be assigned to a user when created using the useradd command?

A: These are the two files which contain the default values assigned to a user created with useradd:

1) /etc/default/useradd
2) /etc/login.defs


# less /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

You can also view the default parameters set for new user to be created using
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The second file contains the values used by the useradd command for the UID and GID ranges, the password hashing method and the expiry-related settings:
# less /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes
UMASK           077

USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
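Both files use a simple line-oriented format: “KEY=value” in /etc/default/useradd and “KEY value” in /etc/login.defs. As an added example (not part of the original post), the following Python code parses either form and checks the settings a hardening review looks at (hash method, default password lifetime, minimum length, umask, inactivity lock). The sample contents are constructed to mirror the listings above plus one ENV_PATH line whose value itself contains “=”; the thresholds are this example's own baseline, not anything the OS enforces.

```python
# Added example: parse /etc/default/useradd and /etc/login.defs and check the
# values that decide what every new account gets.  Samples are constructed.
from typing import Dict, List, Tuple

USERADD_DEFAULTS = """\
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
"""

LOGIN_DEFS = """\
# constructed sample of /etc/login.defs
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN                   500
UID_MAX                 60000
GID_MIN                   500
GID_MAX                 60000
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin
"""

def parse_defaults(text: str) -> Dict[str, str]:
    """Parse 'KEY=value' (useradd defaults) or 'KEY value' (login.defs) lines.

    '#' comments and blank lines are skipped.  The form is decided by the first
    token, so a login.defs value containing '=' (ENV_PATH) is still read whole.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                      # KEY=value
            key, _, val = line.partition("=")
        else:                                    # KEY value
            key, val = parts[0], (parts[1] if len(parts) > 1 else "")
        values[key.strip()] = val.strip()
    return values

def check_defaults(login_defs: Dict[str, str], useradd_defaults: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for values weaker than this example's baseline."""
    findings = []
    if login_defs.get("ENCRYPT_METHOD", "DES").upper() not in ("SHA512", "YESCRYPT"):
        findings.append(("ENCRYPT_METHOD", "new password hashes will not use SHA-512/yescrypt"))
    if int(login_defs.get("PASS_MAX_DAYS", "99999")) >= 99999:
        findings.append(("PASS_MAX_DAYS", "passwords never expire by default"))
    if int(login_defs.get("PASS_MIN_LEN", "0")) < 8:
        findings.append(("PASS_MIN_LEN", "minimum password length below 8"))
    if login_defs.get("UMASK") != "077":
        findings.append(("UMASK", "new home directories may be readable by other users"))
    if int(useradd_defaults.get("INACTIVE", "-1")) < 0:
        findings.append(("INACTIVE", "expired passwords never lock the account (useradd -D -f)"))
    return findings

if __name__ == "__main__":
    defs = parse_defaults(LOGIN_DEFS)
    ua = parse_defaults(USERADD_DEFAULTS)
    print("UID range:", defs["UID_MIN"], "-", defs["UID_MAX"], "| hash:", defs["ENCRYPT_METHOD"])
    for setting, finding in check_defaults(defs, ua):
        print(f"CHECK {setting}: {finding}")
```

With the listings from the post the check reports PASS_MAX_DAYS, PASS_MIN_LEN and INACTIVE; ENCRYPT_METHOD SHA512 and UMASK 077 pass.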


Create a USER Account with ROOT Privileges

Let's say we need to add a new user and grant him root privileges.
Use the following commands to create the new user john, grant him the same privileges as root and set him a password:
# useradd -ou 0 -g 0 john
# passwd john
We've just created the user john with UID 0 and GID 0, so he is in the same group and has the same permissions as root (the -o option allows the duplicate UID).

Grant ROOT Privileges to an Existing USER

Perhaps you already have a user john and you would like to give root permissions to this normal user.
# grep john /etc/passwd
john:x:1001:1001::/home/john:/bin/sh
Edit the /etc/passwd file and grant root permissions to the user john by changing his User and Group IDs to UID 0 and GID 0:
# grep john /etc/passwd
john:x:0:0::/home/john:/bin/sh

Delete a USER Account with UID 0

You won't be able to delete a second root user that also has UID 0 using the userdel command:
# userdel john
userdel: user john is currently used by process 1

To delete user john with UID 0, open the /etc/passwd file and change john's UID.
For example, change the line:
john:x:0:0::/home/john:/bin/sh
to something like:
john:x:1111:0::/home/john:/bin/sh
Now you'll be able to delete user john with the userdel command:
# userdel john
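Because the kernel checks only the numeric UID, any /etc/passwd entry with UID 0 is root whatever its name, which is why the section above is also the first thing an audit of /etc/passwd looks for. As an added example (not part of the original post), the following Python code parses /etc/passwd records in the seven-field format described under “Understanding /etc/passwd” and reports extra UID 0 or GID 0 accounts, duplicate UIDs in general, and entries whose password field is not the “x” that points to /etc/shadow. The sample file is constructed from the accounts used throughout the post.

```python
# Added example: audit /etc/passwd for accounts that share UID 0 / GID 0 with
# root and for other irregular entries.  The sample is constructed; on a real
# host pass open("/etc/passwd").read().splitlines() (readable by any user).
from collections import defaultdict
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
john:x:0:0::/home/john:/bin/sh
test:x:501:501::/home/test:/bin/bash
jishnu:x:504:504:second-admin:/home/jishnu:/bin/bash
"""

def parse_passwd(line: str) -> dict:
    """Split one record into [username]:[x]:[UID]:[GID]:[Comment]:[Home]:[Shell]."""
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    return {"user": f[0], "password": f[1], "uid": int(f[2]), "gid": int(f[3]),
            "comment": f[4], "home": f[5], "shell": f[6]}

def audit_passwd(lines) -> Dict[str, list]:
    """Return findings keyed by check name (empty lists mean the check passed)."""
    records = [parse_passwd(l) for l in lines if l.strip()]
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r["user"])
    return {
        # any non-root entry with UID 0 has full root privileges
        "uid0_not_root": [r["user"] for r in records if r["uid"] == 0 and r["user"] != "root"],
        # primary group 0 grants root's group permissions on files
        "gid0_not_root": [r["user"] for r in records if r["gid"] == 0 and r["user"] != "root"],
        # duplicate UIDs of any value make two names indistinguishable to the kernel
        "duplicate_uid": [users for users in by_uid.values() if len(users) > 1],
        # the password field should be "x"; anything else is a hash or an empty
        # password sitting in a world-readable file
        "password_in_passwd": [r["user"] for r in records if r["password"] != "x"],
    }

if __name__ == "__main__":
    for check, hits in audit_passwd(SAMPLE_PASSWD.splitlines()).items():
        print(f"{check:20} {hits if hits else 'ok'}")
```

Note that after changing john's UID to 1111 as the section above describes, his primary group is still 0, so the gid0_not_root check keeps reporting him until the GID is corrected as well.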




 
What is the difference between .bash_profile and .bashrc?

Ans: Every time you log in to a Linux (Red Hat) machine, the .bash_profile file is executed, but if you are already logged in and you open a new terminal, the .bashrc file is executed.
 
 
 
