
Chapter 3 Manage Local Users and Groups

Section 1: Describe User and Group concepts
What is a user?
A user account provides security boundaries between the different people and programs that can run
commands.

Users have user names to identify them to humans. The system identifies each user by the UID that is
assigned to the account.

User accounts are fundamental to system security. Every process on the system runs as a particular
user. Every file has a particular user as its owner. Through ownership, the system enforces access
control for users of the files. The user associated with a running process determines the files and
directories that are accessible to that process.

There are three types of users:

- Super user
- System user
- Regular user

Super user: The super user account administers the system. The super user's name is root and the
account has a UID of 0.

System user: System user accounts are used by processes that provide support services.

Regular user: Most users have regular user accounts for their day-to-day work.
#id -> shows information about the currently logged-in user.

#id <username> -> shows information about the given user.

#ls -l <file name> -> shows the owner of the file.

#ls -ld <dir name> -> shows the owner of the directory.

#ps -au -> shows the running processes in the current shell. -a -> all processes; -u -> also show the
user that is associated with each process.

The system uses the /etc/passwd file to store information about local users. Each entry is divided into
seven colon-separated fields.

#cat /etc/passwd

user01:x:1000:1000:user one:/home/user01:/bin/bash

user01 -> the username for this user

x -> the user's encrypted password was stored here; this is now a placeholder

1000 -> the UID for this user account

1000 -> the GID of this user's primary group

user one -> a brief comment, description or the real name for this user

/home/user01 -> the user's home directory

/bin/bash -> the default shell program for this user, which runs at login. Some accounts use the
/sbin/nologin shell to disallow interactive login with that account.

What is a group?
A group is a collection of users that need to share access to files and other system resources. Groups
can be used to grant access to files to a set of users instead of to a single user. The system identifies
each group by the GID that is assigned to it.

The system uses the /etc/group file to store information about local groups.

Each line in the /etc/group file contains information about one group. Each group entry is divided
into four colon-separated fields.

#cat /etc/group

group01:x:10000:user01,user02,user03

group01 -> the name of this group

x -> obsolete group password field; this is now a placeholder

10000 -> the GID of the group

user01,user02,user03 -> a list of users that are members of this group as a secondary group

Primary groups and Secondary Groups

Every user has exactly one primary group. This group is listed by GID in the /etc/passwd file.

When a regular user is created, a group with the same name as the user is created to be the primary
group of the user.

Users might also have secondary groups. Membership in secondary groups is stored in the /etc/group
file. Users are granted access to files based on whether any of their groups have access, regardless of
whether those groups are primary or secondary.

#id -> shows the groups of the user.


Section 2: Gain Superuser access
The superuser has access to everything.

Switch user account

With the su command, users can switch to a different user account. When a regular user runs su, the
password of the target account must be provided. The root user is not asked for a password.

$su - user01 -> switch to user01

Password:

$su -

Password: <root password>

su - -> starts a login shell in the target user's home directory

su -> starts a shell in the current working directory

Run commands with sudo

For security reasons the root user may have no valid password, so users cannot log in to the system
as root. In this case, you can use the sudo command to get root access.

sudo requires users to enter their own password for authentication. They need not know the root
password.

Eg: $sudo usermod -L user01

Password: <user password>

$su - user01

Password: <password>

Authentication failure

$sudo tail /var/log/secure -> to check the log file where the attempt was reported

Password: <user password>

Get an interactive root shell with sudo

$sudo -i -> switches to the root user

$sudo -s -> runs a shell as root without starting a login shell

Configure sudo
The /etc/sudoers file is the main configuration file for the sudo command.

#visudo -> command to edit the sudoers file. It also validates the file for syntax errors.

Syntax

%wheel ALL=(ALL:ALL) ALL

%wheel -> the user or group that the rule applies to. The % symbol specifies a group.

ALL=(ALL:ALL) -> the 1st ALL: on any host; the 2nd and 3rd ALL: users in the wheel group can run
commands as any other user and as any other group.

ALL -> the final ALL specifies that the users in the wheel group can run any command.

Assign full access to a user


#vim /etc/sudoers

user01 ALL=(ALL) ALL

Assign full access to a group


#vim /etc/sudoers

%group01 ALL=(ALL) ALL

Only run specific commands


# which useradd

#vim /etc/sudoers

user02 ALL=(ALL) /usr/sbin/useradd

All commands except a few


#vim /etc/sudoers

user03 ALL=(ALL) ALL,!/usr/sbin/userdel,!/usr/sbin/useradd

Stop sudo asking for a password


#vim /etc/sudoers

user04 ALL=(ALL) NOPASSWD: ALL

Instead of editing the sudoers file, add a drop-in file


#vim /etc/sudoers.d/<filename>

user05 ALL=(ALL) ALL


Section 3: Manage Local user Accounts
Create users from the command line
# useradd <username>

It sets up the user's home directory and account information and creates a private group for the user
called <username>.

# id <username> -> to check that the user was created

# tail -5 /etc/passwd -> to check the last entries

# useradd -u 1500 <username> -> to set the UID

# useradd -u 2000 -c "production user" <username> -> to create a user with a given UID and real name

Modify existing users from the command line

# usermod -u 2345 <username> -> to change the UID

# usermod -c "marketing user" <username> -> to change the real name

# usermod -l <new username> <username> -> to change the username

# usermod -s /sbin/nologin <username> -> to block interactive login for the user

# usermod -s /bin/bash <username> -> to allow interactive login again

# usermod -md /home/frank <username> -> to change (and move) the home directory of the user

# usermod -L <username> -> to lock the user account

# usermod -U <username> -> to unlock the user account

Delete users from the command line

# userdel -r <username> -> deletes the user and the user's directories

# userdel <username> -> only deletes the user from /etc/passwd. This becomes a security risk if the
same user, or a different user with the same UID, is created later: the new user will own the old
user's files.

Set a password from the command line

# passwd <username> -> change the password

New password:

Retype password:

# passwd --stdin <username> -> reads the password from standard input; the password typed will be visible

UID Ranges
UID 0: The superuser (root) account UID

UID 1 to 200: System account UIDs, statically assigned

UID 201 to 999: UIDs assigned to system processes that do not own files on this system. Software that
requires an unprivileged UID is dynamically assigned a UID from this available pool.

UID 1000+: UIDs assigned to regular unprivileged users.
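As an added example, not part of these notes, the script below audits constructed /etc/passwd content for the conditions the sections above warn about: a reused UID (the situation left behind when a user is deleted without -r and the UID is handed out again), an extra UID 0 account, and a dynamic system-range UID (201-999) that still has an interactive shell. All accounts in the sample are made up.

```shell
#!/bin/sh
# Constructed /etc/passwd content (made up accounts); it deliberately contains
# one example of each condition the audit below reports.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
svcacct:x:402:402:service account:/var/lib/svcacct:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
user01:x:1000:1000:user one:/home/user01:/bin/bash
user02:x:1000:1001:user two:/home/user02:/bin/bash
user03:x:1001:1001:user three:/home/user03:/sbin/nologin'

# audit_passwd: read passwd-format lines on stdin and print one finding per line.
#   MALFORMED  entry does not have the seven colon-separated fields
#   EXTRA_ROOT an account other than root has UID 0 (full superuser rights)
#   SYS_SHELL  UID in the dynamic system range 201-999 with a login shell; such
#              service accounts should normally carry /sbin/nologin
#   DUP_UID    two accounts share a UID, so each owns the other one's files;
#              this is what happens when a deleted user's UID is reused
audit_passwd() {
    awk -F: '
        NF != 7 { printf "MALFORMED %s\n", $0; next }
        $3 == 0 && $1 != "root" { printf "EXTRA_ROOT %s\n", $1 }
        $3 >= 201 && $3 <= 999 && $7 !~ /(nologin|false)$/ {
            printf "SYS_SHELL %s uid=%s shell=%s\n", $1, $3, $7
        }
        {
            if ($3 in seen) printf "DUP_UID %s and %s share uid %s\n", seen[$3], $1, $3
            else seen[$3] = $1
        }'
}

# audit_sample: run the audit over the constructed data (on a live system you
# would run: audit_passwd < /etc/passwd).
audit_sample() {
    printf '%s\n' "$PASSWD_SAMPLE" | audit_passwd
}

audit_sample
```

On a live system, `find / -xdev -nouser` lists the files whose owning UID no longer appears in /etc/passwd, which is exactly the leftover that makes a reused UID dangerous.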


Section 4 Manage Local Group accounts
Create Groups from the command line
# groupadd group01 -> adds a group

# groupadd -g 10000 group02 -> adds a group with a given GID

# groupadd -r group03 -> adds a system group

# getent group group01 group02 group03 -> to check that the groups were added

# tail /etc/group -> to check that the groups were added

Modify an existing group from the command line

# groupmod -n group0022 group02 -> change the group name

# groupmod -g 20000 group0022 -> change the GID

Delete a Group from the command line

# groupdel group0022 -> deletes the group; it cannot be deleted if it is the primary group of an existing user

Change group membership from the command line

# usermod -g group01 user01 -> change the primary group

# usermod -G group02 user01 -> change the secondary group

# gpasswd -a user01 group02 -> add a user to a secondary group

# gpasswd -d user01 group02 -> remove a user from a secondary group

Compare primary and secondary group membership

A user's primary group is seen in the /etc/passwd file. A user can belong to only one primary group. A
user's secondary groups are seen in the /etc/group file. A user can belong to as many secondary groups
as necessary.

There is no difference between primary and secondary groups for accessing files. The only difference
is when the user creates a file: the user's primary group is used for the new file's group ownership.
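As an added example (not part of these notes), the shell script below resolves a user's primary and secondary groups from constructed /etc/passwd and /etc/group content, the way id reports them, and shows that a group-based access check treats both kinds alike. The accounts, groups and function names are made up for the example.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/group format (made up for this example).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
user01:x:1000:1000:user one:/home/user01:/bin/bash
user02:x:1001:1001:user two:/home/user02:/bin/bash'
GROUP_SAMPLE='root:x:0:
wheel:x:10:user01
user01:x:1000:
user02:x:1001:
group01:x:10000:user01,user02
group02:x:10001:user02'

# effective_groups USER: print "primary NAME" for the group whose GID matches the
# 4th passwd field, and "secondary NAME" for every group whose member list (4th
# group field) contains the user. Together this is the set that "id USER" reports.
effective_groups() {
    awk -v u="$1" -v passwd="$PASSWD_SAMPLE" -v groups="$GROUP_SAMPLE" 'BEGIN {
        n = split(passwd, plines, "\n")
        for (i = 1; i <= n; i++) {
            split(plines[i], f, ":")
            if (f[1] == u) pgid = f[4]          # GID of the primary group
        }
        if (pgid == "") exit 1                  # unknown user
        n = split(groups, glines, "\n")
        for (i = 1; i <= n; i++) {
            split(glines[i], g, ":")
            if (g[3] == pgid) print "primary", g[1]
            m = split(g[4], members, ",")       # member list holds secondary members only
            for (j = 1; j <= m; j++)
                if (members[j] == u) print "secondary", g[1]
        }
    }'
}

# in_group USER GROUP: succeed if GROUP is the primary or a secondary group of USER.
# Group-based file access asks only this question; primary vs secondary matters
# solely for the group owner of files the user creates.
in_group() {
    effective_groups "$1" | awk -v g="$2" '$2 == g { found = 1 } END { exit !found }'
}

echo "== groups of user01 (as id would list them) =="
effective_groups user01
if in_group user01 group01; then echo "user01 can use group01 permissions"; fi
if in_group user01 group02; then :; else echo "user01 has no access via group02"; fi
```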

Temporarily change your primary group

Only a user's primary group is used for new file creation attributes. A user can temporarily switch
primary group, but can only choose from their secondary groups. However, you can switch to any group
if you know the group's password.

To set a group password:

# gpasswd group01

Password: redhat

# id -> to check the groups of the user

# newgrp group01 -> to switch group

# id -> to check the groups of the user again


Section 5: Manage User passwords
Originally passwords were stored in the /etc/passwd file; they have since moved to /etc/shadow, a file
that can only be accessed by the root user.

# cat /etc/shadow

Configure password Aging

Password aging can be configured with the chage command. Config file: /etc/login.defs

# chage -l user01 -> to check the user's password aging settings

Options for password aging

-m -> minimum days

-M -> maximum days

-W -> warning days

-I -> inactive days

-d -> last change date

-E -> end date

Eg: #chage -m 0 -M 90 -W 7 -I 14 user01

# chage -d 0 user01

A few more examples

# date +%F -> check the date

# date -d "+30days" +%F -> check the date 30 days from now

# chage -E $(date -d "+30days" +%F) user01

# chage -l user01 -> check the end date
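As an added example (not from these notes), the script below reads constructed /etc/shadow-style entries whose aging fields match the chage -m 0 -M 90 -W 7 -I 14 example above, and classifies each account the way chage -l and the login process would. TODAY is passed in as days since 1970-01-01 (the unit shadow stores) so the result is reproducible offline; the accounts and hashes are placeholders.

```shell
#!/bin/sh
# Constructed /etc/shadow-style entries (hashes replaced by a placeholder).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved, where the
# date fields count days since 1970-01-01 (the unit chage stores).
SHADOW_SAMPLE='user01:$6$PLACEHOLDER:19700:0:90:7:14::
user02:$6$PLACEHOLDER:0:0:90:7:14::
user03:$6$PLACEHOLDER:19600:0:90:7:14::
user04:$6$PLACEHOLDER:19630:0:90:7:14::
user05:$6$PLACEHOLDER:19700:0:99999:7:::
user06:!:19700:0:90:7:14:19720:
user07:$6$PLACEHOLDER:19645:0:90:7:14::'

# password_status TODAY: read shadow entries on stdin and print "NAME STATE ..."
# for each, with TODAY in days since the epoch. States, checked in this order:
#   ACCOUNT_EXPIRED  the -E date has passed; no login at all
#   FORCE_CHANGE     lastchg is 0 (chage -d 0): a new password is required at next login
#   OK never expires max is empty or 99999, so aging is effectively off
#   EXPIRED_LOCKED   past max plus the -I grace period; the account is disabled
#   EXPIRED          past max: the user must change the password to log in
#   WARN             within -W days of the expiry date
#   OK               password is current
password_status() {
    awk -F: -v today="$1" '
    {
        name = $1; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        if (expire != "" && expire <= today) { print name, "ACCOUNT_EXPIRED"; next }
        if (last == "")                      { print name, "OK aging disabled"; next }
        if (last == 0)                       { print name, "FORCE_CHANGE"; next }
        if (max == "" || max >= 99999)       { print name, "OK never expires"; next }
        due = last + max                     # the day the password expires
        if (inact != "" && today > due + inact) { print name, "EXPIRED_LOCKED"; next }
        if (today > due)         { print name, "EXPIRED", today - due, "days ago"; next }
        if (today >= due - warn) { print name, "WARN expires in", due - today, "days"; next }
        print name, "OK expires in", due - today, "days"
    }'
}

# status_of NAME TODAY: the status line for one account from the sample data.
status_of() {
    printf '%s\n' "$SHADOW_SAMPLE" | password_status "$2" | grep "^$1 "
}

printf '%s\n' "$SHADOW_SAMPLE" | password_status 19730
```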
