User and Group Management

Every user has a unique numerical user ID (UID). UIDs 1 to 999 are reserved for system accounts, and UIDs 1000 to 60000 are used for regular accounts created by root or an administrator (the exact ranges come from UID_MIN, UID_MAX, SYS_UID_MIN and SYS_UID_MAX in /etc/login.defs). In the same way every group has a group ID (GID). By default each user gets a private group of its own as its primary group, and can additionally be made a member of other groups. There are 3 types of users in Linux.


1. System user     Ex:- gnome, ntp, tcpdump (UID 1-999)
2. Admin user      Ex:- root (UID 0)
3. Regular user    Ex:- local user (UID 1000-60000)


System users are not meant for interactive login: they normally have a locked password and a non-login shell such as /sbin/nologin. The root account (UID 0) exists by default for administration work; because it can do anything, day-to-day administration is better done through sudo (section 5) than by logging in as root directly.


1. User Management

    [root@TEST ~]# useradd [options] username

When a new user is added, the defaults from /etc/default/useradd and the skeleton files in /etc/skel are applied, and a user private group with the same name as the user is created. User information is stored in /etc/passwd and the password hash in /etc/shadow. By default useradd creates the account with a locked password (the password field in /etc/shadow holds ! or !!), so nobody can log in with it until a password is set with the passwd command.

    [root@TEST ~]# useradd -m -u 1201 -G sales,ops test

Creates a user test with UID 1201 who is a member of the supplementary groups sales and ops, and creates the home directory as well (-m). The groups must already exist and the UID must not be in use, otherwise useradd refuses.
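As an added example (not part of the original post), the following shell functions perform the checks that useradd itself insists on before an account is created: a free UID inside the regular-user range and supplementary groups that already exist. They run against constructed copies of /etc/passwd and /etc/group so they can be tried without root. The names SAMPLE_PASSWD, SAMPLE_GROUP, next_free_uid, uid_owner, missing_groups and provision_user are this example's own, and the UID policy (prefer the number above the highest UID in use, fall back to the lowest gap only when the range is full) is this example's choice, made so that a UID freed by userdel is not handed to a newcomer by accident. provision_user at the end is what you would run as root on a real host; it is not called here.

```shell
#!/bin/sh
# Added example: pre-flight checks for useradd, run against constructed data.

# Constructed sample files (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
sales:x:1100:alice
ops:x:1101:'

# next_free_uid UID_MIN UID_MAX  (passwd lines on stdin)
# Prints the UID above the highest one already used inside the range; only
# when the top of the range is reached does it fall back to the lowest gap,
# so a UID freed by userdel is not reused while fresh numbers remain.
# Returns 1 if the range is exhausted.
next_free_uid() {
    awk -F: -v lo="$1" -v hi="$2" '
        { used[$3] = 1; if ($3 >= lo && $3 <= hi && $3 > top) top = $3 }
        END {
            if (top >= lo && top + 1 <= hi) { print top + 1; exit 0 }
            for (u = lo; u <= hi; u++) if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# uid_owner UID  (passwd lines on stdin): prints the login that owns UID,
# returns 1 if the UID is free.
uid_owner() {
    awk -F: -v uid="$1" '$3 == uid { print $1; found = 1 } END { exit !found }'
}

# missing_groups g1,g2,...  (group lines on stdin): prints each group that
# does not exist, returns 1 if any is missing (useradd -G would fail).
missing_groups() {
    awk -F: -v want="$1" '
        { have[$1] = 1 }
        END {
            n = split(want, g, ",")
            for (i = 1; i <= n; i++) if (!(g[i] in have)) { print g[i]; missing = 1 }
            exit missing + 0
        }'
}

# provision_user NAME GROUPS  (initial password on stdin). Root only; not run here.
# The password reaches chpasswd through stdin, so it never appears in argv or
# in shell history (unlike useradd -p), and chage -d 0 forces the user to pick
# a new password at first login.
provision_user() {
    name=$1; groups=$2
    m=$(missing_groups "$groups" </etc/group) || { echo "create first: $m" >&2; return 1; }
    uid=$(next_free_uid 1000 60000 </etc/passwd) || { echo "no free UID" >&2; return 1; }
    useradd -m -u "$uid" -G "$groups" "$name" || return 1
    printf '%s:%s\n' "$name" "$(cat)" | chpasswd
    chage -d 0 "$name"
}

# Dry run on the constructed data:
printf '%s\n' "$SAMPLE_PASSWD" | next_free_uid 1000 60000                 # 1004 (1002 stays unused)
printf '%s\n' "$SAMPLE_PASSWD" | uid_owner 1001 || echo "1001 is free"   # bob
printf '%s\n' "$SAMPLE_GROUP"  | missing_groups sales,ops,dev || echo "groupadd the groups above first"
```

On a real host the same three checks read /etc/passwd and /etc/group directly (as in provision_user); the constructed data only stands in for them so the functions can be exercised as an ordinary user.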

    [root@TEST ~]# passwd username

//Assign the login password for the user. Password aging defaults come from /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE); password quality rules are enforced through PAM.//

    [root@TEST ~]# passwd -n 30 -w 3 -x 90 test

Sets the password aging for user test to a minimum of 30 days between changes (-n), expiry after 90 days (-x), and a warning (-w) starting 3 days before expiry. The chage command (change user password expiry information) sets the same fields; chage -m 30 -M 90 -W 3 test is equivalent.

    [root@TEST ~]# chage [options] username

Option                  Description

-d          Set the date of the last password change (YYYY-MM-DD, or days since 1970-01-01). chage -d 0 forces the user to change the password at next login.
-E          Set the date (YYYY-MM-DD, or days since 1970-01-01) on which the account becomes inaccessible. Passing -1 as the EXPIRE_DATE removes the account expiration date.
-h          Display the help message.
-I          Set the number of days of inactivity after a password has expired before the account is locked. Passing -1 removes the inactivity check.
-l          Show account aging information. This is the only chage option an unprivileged user may run, and only for their own account.
-m          Minimum number of days between password changes.
-M          Set the maximum number of days during which a password is valid. Passing -1 as MAX_DAYS removes the validity check.
-R          Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
-W          Set the number of days of warning before a password change is required (uppercase W; passwd uses lowercase -w for the same setting).
Ex:- [root@TEST ~]# chage -E 2017-12-31 test        //the account test expires on December 31st 2017//


1.1 Modify user properties:
    [root@TEST ~]# usermod [options] username
    [root@TEST ~]# whoami                  //see which user account you are currently using.//
    [root@TEST ~]# id username           //Info about user-id,group-id and member of groups.//



Option        Description

-a          Use with usermod -G to append groups to the user's supplementary group list. Without -a, usermod -G replaces the whole list, silently removing the user from every group not named.
-c          Comment field, generally used to store the full name of the user.
-d          Home directory to use instead of the default /home/username/.
-e          Date on which the account is disabled, in the format YYYY-MM-DD.
-f          Number of days after the password expires until the account is disabled. 0 disables the account as soon as the password expires; -1 (the default) never disables it.
-g          Group name or GID of the user's primary group. The group must exist prior to being specified here.
-G          Comma-separated list of supplementary group names or GIDs. The groups must exist prior to being specified here.
-m          With useradd, create the home directory; with usermod, move the existing home directory to the location given with -d.
-M          Do not create the home directory (useradd only).
-N          Do not create a user private group; the primary group is then taken from GROUP in /etc/default/useradd (useradd only).
-p          Password hash as produced by crypt(3). Avoid it: the hash is visible in the process list and in shell history. Set passwords with passwd or chpasswd instead.
-r          Create a system account with a UID below 1000 and without a home directory (useradd only).
-s          The user's login shell, which defaults to /bin/bash (SHELL in /etc/default/useradd).
-u          Numeric UID for the user, which must be unique and, for regular users, at least 1000 (UID_MIN).


Most of these options are shared by useradd and usermod. -M, -N, -r and -K belong to useradd only, while usermod adds -l (rename the login), -L and -U (lock and unlock the password) and -a.

    [root@TEST ~]# userdel username                                          //Delete a user.//
    [root@TEST ~]# userdel -r username                     //Delete the user together with the home directory and mail spool.//

userdel -r removes only the home directory and the mail spool. Files the user owned elsewhere keep the raw UID and will belong to whoever is later created with the same UID, so locate them with find / -nouser before that number is reused.


2. Group Management
A user is a member of two kinds of group. The primary group is exactly one group, by default the private group created along with the user; it is recorded in the user's /etc/passwd entry and is the group that new files are created with. Secondary (supplementary) groups can be several. Groups exist to share files and directories among a chosen set of users. Group information is stored in /etc/group and /etc/gshadow.

    [root@TEST ~]# groupadd [options] group-name
    [root@TEST ~]# gpasswd group-name                    //Set a group password; the hash is stored in /etc/gshadow. A group password lets non-members join the group with newgrp, which is rarely wanted; gpasswd -a user group and gpasswd -d user group (add and remove a member) are the common uses.//


Option         Description

-f             When used with -g gid and gid already exists, groupadd will choose another unique gid for the group.
-g             Group ID for the group, which must be unique and, for regular groups, at least 1000 (GID_MIN).
-K             Override /etc/login.defs defaults (for example -K GID_MIN=5000).
-o             Allow creating a group with a duplicate (non-unique) GID.
-p             Password hash for the new group, as produced by crypt(3); not plain text.
-r             Create a system group with a GID less than 1000.

These are the groupadd options. Users are added to groups with useradd or usermod (-G, or -aG for usermod) or with gpasswd -a. The groupmod command changes the name (-n), the GID (-g) or the password (-p) of an existing group; note that changing the GID does not update the group ownership of existing files, which must be fixed by hand. Ex:-
    [root@TEST ~]# groupmod -n new-group-name group-name          //rename: the new name comes first//
    [root@TEST ~]# groupmod -p hashed-password group-name
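An added example, not from the original post: two shell functions that compute effective group membership the way id does, from /etc/passwd and /etc/group together. The point they make is the one hidden in the /etc/group format: a user whose primary group is sales does not appear in the member list of the sales line, so getent group sales, or a script that reads only that field, under-reports who can access sales-owned files. The data below is constructed, and the names SAMPLE_PASSWD, SAMPLE_GROUP, group_members and groups_of are this example's own; pass /etc/passwd and /etc/group to run the functions on a real host.

```shell
#!/bin/sh
# Added example: effective group membership from passwd(5) + group(5).

# Constructed sample files. bob's primary group is sales (GID 1100) but he is
# not listed in the member field of the sales line.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1100::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash'
SAMPLE_GROUP='root:x:0:
alice:x:1000:
sales:x:1100:alice,carol
ops:x:1101:carol
carol:x:1002:'

PW=$(mktemp); GR=$(mktemp)
trap 'rm -f "$PW" "$GR"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" >"$PW"
printf '%s\n' "$SAMPLE_GROUP"  >"$GR"

# group_members GROUP PASSWD_FILE GROUP_FILE
# Everyone who gets GROUP's permissions: users whose primary GID is the
# group's GID (from passwd) plus the supplementary members listed in group.
group_members() {
    grp=$1; pwfile=$2; grfile=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$grfile")
    [ -n "$gid" ] || { echo "no such group: $grp" >&2; return 1; }
    {
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pwfile"
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$grfile"
    } | sort -u
}

# groups_of USER PASSWD_FILE GROUP_FILE
# What `id -Gn USER` would print: primary group first, then supplementary ones.
groups_of() {
    usr=$1; pwfile=$2; grfile=$3
    gid=$(awk -F: -v u="$usr" '$1 == u { print $4; exit }' "$pwfile")
    [ -n "$gid" ] || { echo "no such user: $usr" >&2; return 1; }
    awk -F: -v u="$usr" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
        }
        END { s = primary supp; sub(/^ /, "", s); print s }' "$grfile"
}

group_members sales "$PW" "$GR"    # alice bob carol  (bob only through his primary GID)
groups_of carol "$PW" "$GR"        # carol sales ops
```

Reading the sales line alone would have listed only alice and carol; bob's access comes from the GID field of his /etc/passwd entry, which is exactly what an audit based on /etc/group membership misses.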


3. Files used for user and group management:

/etc/passwd                    //User accounts: UID, GID, home directory, login shell etc. World-readable.//
/etc/shadow                    //Password hashes and aging information. Not world-readable.//
/etc/group                     //Groups and their member users.//
/etc/gshadow                   //Group password hashes and group administrators. Not world-readable.//
/etc/login.defs                //Defaults for password aging, UID/GID ranges, umask and the hash algorithm.//
/etc/default/useradd           //Defaults applied by useradd.//
/etc/skel                      //Skeleton files copied into every new home directory.//


3.1 /etc/passwd

test:x:1001:1003::/home/test:/bin/bash

1. test = username
2. x = placeholder. This field once held the password hash; today it is always x and the hash lives in /etc/shadow, which unlike /etc/passwd is not readable by everyone.
3. 1001 = UID
4. 1003 = GID of the primary group
5. (empty here) = comment field, usually the user's full name (GECOS)
6. /home/test = home directory
7. /bin/bash = login shell


3.2  /etc/shadow

test:$6$c5/aCYN5snlTA4x1$VEIOCgaTxlkxmnm8N2::0:99999:7:::        //hash shortened//

1. Username
2. Password hash. The prefix names the algorithm: $6$ SHA-512, $5$ SHA-256, $1$ MD5 (weak), $y$ yescrypt on newer distributions. A value of ! or !! (or a hash prefixed with !, as written by passwd -l) means the password is locked, * means password login is not possible, and an empty field means no password is required at all, which is dangerous.
3. Date of the last password change, as days since 1970-01-01 (empty here; 0 forces a change at next login, empty disables aging).
4. Minimum number of days between password changes (0 means it may be changed at any time).
5. Maximum number of days the password is valid (99999 effectively means it never expires).
6. Number of days before expiry on which the user is warned.
7. Number of days after the password expires during which the account stays usable before it is locked (empty means it is never locked).
8. Account expiration date, as days since 1970-01-01 (empty means no expiration).
9. Reserved for future use.
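Added example, not code from the original post. It applies the /etc/shadow field meanings listed above, and the aging values that passwd -n/-x/-w and chage write into them, to a constructed shadow file: each account's hash is classified (empty, locked, algorithm) and its aging state is worked out for a given "today" expressed as days since 1970-01-01. It also runs two checks on a constructed /etc/passwd: extra UID 0 accounts and system accounts that keep an interactive shell. The names SAMPLE_SHADOW, SAMPLE_PASSWD, shadow_state and passwd_findings are this example's own. One assumption: tools differ by a day on whether a password is expired at or just after lastchg + max, so this example counts it expired once today is past lastchg + max.

```shell
#!/bin/sh
# Added example: audit constructed passwd/shadow data against the field rules.

# Constructed sample lines (hashes shortened; not from a real system).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$c5/aCYN5snlTA4x1$VEIOCgaTxlkxmnm8N2:17500:0:99999:7:::
test:$6$salt$hash:17520:30:90:3:::
ops:$6$salt$hash:17500:0:90:7:::
soon:$6$salt$hash:17515:0:90:7:::
legacy:$1$salt$hash:17500:0:99999:7:::
guest::17500:0:99999:7:::
svc:!!:17500:0:99999:7:::
newhire:$6$salt$hash:0:0:90:7:::
dormant:$6$salt$hash:17400:0:90:7:14::
contractor:$6$salt$hash:17500:0:90:7::17550:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
backup:x:34:34::/var/backups:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash'

# shadow_state TODAY  (shadow lines on stdin, TODAY in days since 1970-01-01)
# Prints "user hash-state aging-state" for every line.
shadow_state() {
    awk -F: -v today="$1" '
    function hash_state(h) {
        if (h == "")        return "EMPTY"      # no password needed to log in
        if (h ~ /^[!*]/)    return "locked"     # "!", "!!", "*", or "!$6$..." from passwd -l
        if (h ~ /^\$6\$/)   return "sha512"
        if (h ~ /^\$y\$/)   return "yescrypt"
        if (h ~ /^\$5\$/)   return "sha256"
        if (h ~ /^\$1\$/)   return "md5"        # weak; rehash at next change
        return "other"                          # DES crypt or unknown
    }
    {
        lastchg = $3; max = $5; warn = $6; inact = $7; expire = $8
        if (expire != "" && today >= expire + 0)                    s = "account-expired"
        else if (lastchg == "0")                                    s = "must-change"
        else if (lastchg == "" || max == "" || max + 0 >= 99999)    s = "no-aging"
        else if (inact != "" && today > lastchg + max + inact)      s = "inactive-locked"
        else if (today > lastchg + max)                             s = "password-expired"
        else if (warn != "" && today >= lastchg + max - warn)       s = "warn"
        else                                                        s = "ok"
        print $1, hash_state($2), s
    }'
}

# passwd_findings  (passwd lines on stdin)
# Flags extra UID-0 accounts and system accounts with an interactive shell.
passwd_findings() {
    awk -F: '
        $3 == 0 && $1 != "root"                          { print "uid0", $1 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/  { print "system-login-shell", $1 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_state 17600
printf '%s\n' "$SAMPLE_PASSWD" | passwd_findings
```

On a real host run it as root, since /etc/shadow is not world-readable: shadow_state "$(( $(date +%s) / 86400 ))" </etc/shadow and passwd_findings </etc/passwd. The lines worth acting on are EMPTY and md5 hashes, a second UID 0, and system accounts that still have a shell.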


3.3 /etc/group

myproject:x:1004:test

1. Group name
2. x = placeholder for the password, which is stored in /etc/gshadow
3. GID
4. Comma-separated list of supplementary members. Users whose primary group is myproject are not listed here; they are found through the GID field of their /etc/passwd entry.


3.4 /etc/gshadow

myproject:centos::test

1. Group name
2. Group password hash, written by gpasswd; ! means no password has been set. The plain word shown here is not a valid hash and would only appear if the file had been edited by hand.
3. Group administrators (set with gpasswd -A), who may add and remove members.
4. Users added to this group.


3.5 /etc/login.defs

This file holds the defaults for password aging (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE), the UID and GID ranges (UID_MIN, UID_MAX, GID_MIN, GID_MAX and the SYS_ variants), home directory creation (CREATE_HOME), the password hash algorithm (ENCRYPT_METHOD), the mail directory, the MOTD file, ENV_PATH and UMASK. Change them to match your policy; they apply to accounts created afterwards, while existing accounts keep the values already recorded in /etc/shadow.


3.6 /etc/default/useradd

    [root@TEST ~]# cat /etc/default/useradd 

# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

1. GROUP    : GID of the default primary group (100 = users). It is used only when no user private group is created, i.e. with useradd -N or USERGROUPS_ENAB no in /etc/login.defs.
2. HOME     : Directory under which the user's home directory will be created.
3. INACTIVE : Number of days after a password expires before the account is disabled (field 7 of /etc/shadow).
      Note  : "-1" disables the inactivity check, so an expired password never locks the account.

4. EXPIRE   : Date on which new accounts expire, in the form YYYY-MM-DD. Empty means no expiration.
5. SHELL    : Default login shell for new users.
6. SKEL     : Directory from which the default profile files are copied into the user's home directory.
7. CREATE_MAIL_SPOOL: Create a mail spool file named after the user under /var/spool/mail (or /var/mail, as set by MAIL_DIR in /etc/login.defs) so that the mail system can deliver messages to it.


You can edit this file directly or change the defaults with useradd -D (for example useradd -D -s /bin/sh sets the default shell for new users); useradd -D with no arguments prints the current defaults.


3.7 /etc/skel
The /etc/skel directory contains the files and directories that useradd copies into a new user's home directory when the user is created. Typically it holds .bash_logout, .bash_profile and .bashrc. Anything placed here ends up in every new home directory, so keep the directory writable by root only and review its contents.


4. Using su
Switch user (su) changes the user identity in the current session without logging out. Ex:-
    [root@TEST ~]# su - username      //Change to the given user; the target user's password is asked unless you are root.//
    [root@TEST ~]# su                 //Change to root; the root password is asked.//
    [root@TEST ~]# su -               //Change to root with a login shell.//

With "-" (or -l) su starts a login shell: the target user's environment is loaded and the working directory becomes their home directory. Without "-" the identity changes but the environment and the current directory are kept, which among other things means the caller's PATH is used while running as root. Access to su can be limited to members of the wheel group with pam_wheel.





5. Using sudo
Unprivileged users can be allowed to run specific commands with administrator privileges through sudo. Every attempt is logged (on CentOS/RHEL in /var/log/secure), which is a second reason to prefer it over sharing the root password.

    [root@TEST ~]# usermod -aG wheel username                      //add the user to the wheel group.//
    [root@TEST ~]# visudo                                          //edit /etc/sudoers with a syntax check; never edit the file directly.//
%wheel ALL=(ALL) ALL             //enable this by removing the #: members of wheel may run any command as any user.//
root ALL=(ALL) ALL
username ALL=(ALL) ALL           //alternatively, grant one user directly; add this line below root.//

:wq // To save and exit.//

A rule of the form username ALL=(ALL) ALL is full root. Where a user needs only one task, name the command instead, e.g. username ALL=(root) /usr/bin/systemctl restart httpd, and avoid NOPASSWD unless the command is harmless. sudo -l shows what the current user may run, and visudo -cf file checks a sudoers file without installing it.
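An added example (not from the original post) to go with the sudoers lines above: a shell function that reads sudoers text and inventories what each rule really grants, so that full-root rules, NOPASSWD rules and commands that hand out a shell (editors, pagers, find, interpreters, all of which can spawn a root shell) stand out. The sudoers content below is constructed, and the names SAMPLE_SUDOERS and sudoers_findings are this example's own. It understands plain user specs only, not aliases or every tag sudo supports, which is enough for the simple layout this page uses; on a real host run it as root with sudoers_findings </etc/sudoers and again for each file under /etc/sudoers.d, since include directives are skipped.

```shell
#!/bin/sh
# Added example: inventory what sudoers rules really grant.

# Constructed /etc/sudoers content (not from a real system).
SAMPLE_SUDOERS='# sample
Defaults    requiretty
%wheel  ALL=(ALL)       ALL
root    ALL=(ALL)       ALL
deploy  ALL=(root)      NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync, /usr/bin/find /var -name core
dev     ALL=(ALL)       NOPASSWD: ALL
helpdesk ALL=(root)     /usr/bin/vim /etc/motd'

# sudoers_findings  (sudoers text on stdin)
# One line per command granted: "who finding detail". Comments, Defaults,
# aliases and include directives (which start with # or @) are skipped.
sudoers_findings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*@/ || /^[ \t]*$/ { next }
        /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        {
            who = $1
            rest = $0; sub(/^[^=]*=[ \t]*/, "", rest)          # text after "host="
            runas = "root"                                       # sudo default when no (...) is given
            if (rest ~ /^\(/) {
                runas = rest; sub(/\).*/, "", runas); sub(/^\(/, "", runas)
                sub(/^\([^)]*\)[ \t]*/, "", rest)
            }
            nopasswd = 0
            while (rest ~ /^[A-Z_]+:[ \t]*/) {                   # NOPASSWD:, SETENV:, NOEXEC: ...
                if (rest ~ /^NOPASSWD:/) nopasswd = 1
                sub(/^[A-Z_]+:[ \t]*/, "", rest)
            }
            n = split(rest, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                split(c, w, /[ \t]+/); base = w[1]; sub(/.*\//, "", base)
                tag = nopasswd ? "-nopasswd" : ""
                if (c == "ALL")
                    print who, "full-root" tag, "runas=" runas
                else if (base ~ /^(sh|bash|dash|zsh|vi|vim|less|more|find|python[0-9.]*|perl)$/)
                    print who, "shell-escape", c
                else if (nopasswd)
                    print who, "nopasswd", c
            }
        }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_findings
```

In the sample, the %wheel and root lines are expected full-root grants; the dev line is full root without a password, and the backup and helpdesk lines look narrow but hand out a root shell through find -exec and vim's :! respectively.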



Now that users and groups are covered, the next topic is PERMISSIONS.
