Manage User Accounts in Linux
What is a User Account?
User accounts are the method by which an individual is identified and authenticated to the system. User accounts have several different components associated like username, password, access control information etc. Managing user accounts and groups is an essential part of system administration within an organization. A system administrator must first understand what user accounts and groups are and how they work.
What is a Group?
Where Users and Passwords are Stored in Linux?
If you are familiar to Windows, you might remember that Windows used to store all the user information inside SAM (Security Accounts Manager) file which is located inside C:\Windows\System32\Config directory.
Similarly, Linux stores user information into /etc/passwd and /etc/shadow. The /etc/passwd file contains general information about users like username, user ID, group ID, location of home directory, login shell etc. The /etc/shadow file contains important information like user passwords in encrypted format, the day the password expires, whether or not the password has to be changed, the minimum and maximum time between password changes etc. is stored when a new user is created.
The /etc/passwd File
The /etc/passwd file contains general information about users like username, user ID, group ID, location of home directory, login shell etc. This file is readable by everyone since it does not contain any password.The /etc/passwd file contains general information about users like username, user ID, group ID, location of home directory, login shell etc. This file is readable by everyone since it does not contain any password. This file is readable by everyone since it does not contain any password.
Let’s take a look at the contents of /etc/passwd file:
[[email protected] ~]# cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin [output cut] surender:x:1000:1000:Surender:/home/surender:/bin/bash hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
The first line (marked purple) contains the information about root user account and the second last line (marked orange) contains information about regular user account. All other lines contain the list of default accounts which are auto generated by Linux system. They are required by normal functioning of system.
Now lets understand the information corresponding to a single user which is present in a single line. Lets take first entry for example:
Each filed is separated by a colon (:). The individual field represents:
First is the login name or the user name of the user. This name is unique across the system as it identifies a particular user. Usually people try to have their first name as the their login name but this is not always possible as multiple people can have same first name. You should adopt a naming convention for your organization which can deal with collision in user names.
The second field is an encrypted representation of the user’s password. This field is set using the passwd program to set the account’s password. Remember that it does not contain the actual user password but it is just a representation of user’s password. Notice that in every line, this field contains “x“. Here “x” means the user account has password present. If there is no “x” present for any user, it means the particular user account is not password protected. If the first character of the passwd field is * (an asterisk), the account is “disabled”; the system will not allow logins as this user.
User Identifier (UID)
The third field contains the user identifier. This can be understood as the user name in numeric form. Just like username is unique to system, this is also unique across the system. If the UID of a particular user is zero, then that user is the root or the superuser. A superuser has full access to the system. This UID is used to determine access privileges to a user.
Group Identifier (GID)
As individual user can also be part of a group. Groups exist to make things easier. For example, to provide certain access to a large number of users at once rather than doing it for individual user. So for a particular group, there exists a group ID. Again a group ID is unique and identifies a single group of users. So, fourth field in this file contains the group ID of the group to which this user belongs.
General electronic comprehensive operating system (GECOS)
The next field contains a GECOS. This entry may contain general information about user like user’s full name, telephone number, other contact information etc. All this information is comma separated. Mostly only the complete user name (or application name, if entry is for a program) is present. Note that not all the entries contain GECOS entry. Many of the entry contain just the user or application name and no commas. So whether a GECOS entry is produced or not depends on the program being used to create an entry. The useradd program, for example, creates a GECOS entry.
The sixth field contains the default home directory that user lands up just after login. Note that this could be any random directory but mostly it is kept as users home directory where user creates his/her files and manages everything in a customized environment. This is especially good when multiple users login in parallel (Linux being a multi user system) as it avoids conflicts by landing up each user in his/her respective home directory.
The last field provides the information about shell available to user after login. Just after login, a Shell provides an environment to a user to do run commands. Shell is an command language interpreter that executes commands read from the standard input device (keyboard) or from a file. Shell is not part of system kernel, but uses the system kernel to execute programs, create files etc. The mostly used shell in Linux is the BASH shell (Bourne-Again SHell) identified as /bin/bash.
However, there are other shells available in Linux like csh, ksh, tcsh etc. but bash shell is mostly used. To find out what your shell is, you can run echo $SHELL command as shown below:
[[email protected] ~]# echo $SHELL /bin/bash
This is all about /etc/passwd file. Before going towards /etc/shadow file, I would like to give some tips as follows:
- Remember that the second field represents the user’s password. So, if you want any user to be able to login without the need of entering password, just edit the /etc/passwd file and remove the “x” from the line corresponding to that user account. The user will not be asked to enter his/her password and directly enters the shell after entering username. But this tip will work if the user is logging in locally. It will not work if user is trying to login remotely using SSH.
- Remember that UID 0 gives the superuser access on system. So, if you want any regular user to have superuser (root) privilege, just edit the /etc/passwd file and replace his/her uid with 0. Then the user will have root privilege on system.
- Notice that many of the lines in /etc/passwd file has /sbin/nologin at the end. It means there are lot of auto-generated user accounts that are assigned /sbin/nologin shell. Any user account with this shell, can not login into the system. When the user enters username and password, he/she immediately logs out of the system. So, If you want that any user should exist in the system but he/she should not be able to login, just edit the /etc/passwd file and assign the /sbin/nologin shell to that user.
The /etc/shadow File
The /etc/shadow file contains important information like user passwords in encrypted format, the day the password expires, whether or not the password has to be changed, the minimum and maximum time between password changes etc. Since this file contains the real user password (in encrypted format), this file is readable only by root user account so that normal users do not have access to the encrypted passwords. There are lot of tools available which can decrypt the password if anyone get to know your encrypted password.
[[email protected] ~]# ll /etc/passwd -rw-r--r-- 1 root root 1877 Dec 26 2014 /etc/passwd [[email protected] ~]# ll /etc/shadow -rw------- 1 root shadow 1263 Dec 26 2014 /etc/shadow
Let’s take a look at the contents of /etc/shadow file:
[[email protected] ~]# cat /etc/shadow root:$6$Q61shfRjS7HvT.Tv$4YVtSojLq7YRicBkwUsbyrwhmbVfX4LinzhoRnwwfQ5ddvfCDY1TePOlmwqTu/rvvdmIqZcmHElxnhYkmeGIE/:16674:0:99999:7::: [output cut] tcpdump:!!:16674:::::: surender:$6$YtJl/zB4$rI.5LAXbcLJvUuwtlUMkf1WOAcNyN2CSFMgS5Bpy3XP/8m.j2uauhkWGeCNWaPLB8XBSbZs4qzAUta9I.fCxv.:16679:0:99999:7::: hsqldb:!!:16676:::::: test1:$6$kZCtVc0d$GTbnQXcP70eP4pIxfo7nC2Y1X4cnuqxmsexL2yRF0eSZFtSrrhfx2kOqzJQ3lqwC9jX8OIqZU59Rzw.G6skzV.:16679:0:99999:7::: [[email protected] ~]#
Every line in this file is separated by colon (:) similar to that of /etc/passwd. Each field has the following information:
- First field is login name
- Second field is the encrypted password
- Third field is the password last changed since 1st Jan 1970
- Fourth field is the minimum number of days required between password changes
- Fifth field is the maximum number of days the password is valid. The user will be forced to change his/her password after this.
- Sixth field is the number of days before password expiry warning starts popping up
- Seventh field is the number of days after password expires and the account is disabled
- The next field is the days since Jan 1, 1970 that account is disabled
- Reserved field for further use.
A regular user does not have access to /etc/shadow file. If a regular user tries to list the contents of this file, he/she will be presented with permission denied message.
[[email protected] ~]$ cat /etc/shadow cat: /etc/shadow: Permission denied
Creating User Account
To create a new standard user, use the useradd command. The syntax is as follows:
useradd <name> <options>
There are large number of options for useradd command. Some of the most commonly used options are:
-d <home_dir> : This will set the predefined home directory for user.
-e <date> : This will set the date when the account will expire.
-s <shell> : This will set the default login shell for user.
-g <group> : This will add user to initial login group (primary group). The group name must exist.
-G <groups> : This will add the user to a list of supplementary groups.
In the following example, I am going to create a user john.
[[email protected] ~]# useradd john [[email protected] ~]#
Notice that I did not use any option with useradd command. Now look at the /etc/passwd file to determine the user home directory and shell assigned to user.
[[email protected] ~]# cat /etc/passwd | grep john john:x:1001:1002::/home/john:/bin/bash
The home directory is /home/john (marked red). By default every user’s home directory is created inside /home directory.
The default shell is bash shell as denoted by /bin/bash (marked purple). You could set the alternate shell for user by using useradd -s command.
Setting Password for User Account
You need to set a password for the new user by using the passwd command. Note, you will need root privileges to change a user password. The syntax is as follows:
[[email protected] ~]# passwd john Changing password for user john. New password: Retype new password: passwd: all authentication tokens updated successfully. [[email protected] ~]#
If you see the “all authentication tokens updated successfully” message at the end, it means password is successfully set on user. Remember that if you are logged in as root user and you want to change the password of root, you do not need to enter passwd root command, instead you can just type passwd and hit enter. Similarly, the logged on user will be able to change their password at any time using the passwd
command with the syntax. Below is an example:
[[email protected] ~]$ passwd Changing password for user john. Changing password for john. (current) UNIX password: New password: Retype new password: passwd: all authentication tokens updated successfully. [[email protected] ~]$
Look at the lines marked red, The user is asked his/her current password. If you fail to enter your current password, you will not be able to change your own password. If you did not enter your current password or enter wrong current password, you will see the following message:
[[email protected] ~]$ passwd Changing password for user john. Changing password for john. (current) UNIX password: passwd: Authentication token manipulation error [[email protected] ~]$
Disable the User Accounts
Disabling a user account, for whatever reason, is even simpler. You can either remove the user’s entry in /etc/passwd (leaving the home directory and other files intact), or add an asterisk to the first character of the password field of the /etc/passwd entry, as shown below:
This will disallow logins to the user account.
Delete the User Accounts
To remove a user account, enter the following userdel command. The syntax of command is as follows:
userdel <name> <options>
You can use userdel -f command to force the user removal, if the user is currently logged in. The userdel -r command will remove the user account and his/her files and home directory.
Creating a new Group
When you create a new user, a group with the same name is automatically created and the user is added as member of this group. Every user is assigned to at least one group. However, a user can be a member of multiple groups. The file /etc/group contains a one-line entry for each group on the system, very similar in nature to /etc/passwd file. Let’s take a look at the file:
[[email protected] ~]# cat /etc/group root:x:0: bin:x:1: [output cut] surender:x:1000: test1:x:1001: john:x:1002: [[email protected] ~]#
The information contained in this file is separated by colon (:) and each field is as follows:
- First field is group name. It is the group name printed when using commands such as ls -l.
- Second field is an optional password associated with group. The password allows users that are not member of this group to access the group with newgrp command.
- Third field is group ID which is used by the system to refer to the group.
- Fourth field is members. It is a comma-separated list of usernames (with no whitespace in between), identifying those users who are members of this group.
The groupadd command can be used to add user groups to the system. The basic syntax of command is groupadd <options> <groupname>.
If no options are used, the group is created with the next available Group ID number (GID) above 499. To specify a GID, use the groupadd -g <gid> <group-name> command.
The following command will create a group with the name admins.
[[email protected] ~]# groupadd admins
To add existing users to existing group, use the usermod -aG <group> <username> command. This command will not replace the user’s existing primary group but it will append and add the user surender as a member of admins group.
[[email protected] ~]# usermod -aG admins surender [[email protected] ~]# usermod -aG admins root
The following command will change surender user’s primary group from surender to admins. The group admins must already exist in the system:
[[email protected] ~]# usermod -g admins surender
You can use man usermod command to see all the options available to be used with this command.