LFCA: Learn User Account Management – Part 5
As a Linux system administrator, you will be tasked with ensuring the smooth flow of all IT operations in your organization. Given that some IT operations are intertwined, a systems administrator usually wears many hats including being a database or network administrator.
This article is Part 5 of the LFCA series. In this part, you will acquaint yourself with the general system administration commands used to create and manage users in a Linux system, and with the files in which that account information is kept.
User Account Management in Linux
One of the primary responsibilities of a Linux systems administrator is to create and manage users in a Linux system. Each user account has 2 unique identifiers: the username and the User ID (UID).
Essentially, there are 3 main categories of users in Linux:
Root User
The root user is the most powerful user in a Linux system and is usually created during the installation process. The root user has absolute power in the Linux system or any other UNIX-like OS. The user can access all the commands, files, and directories and modify the system to their preference.
The root user can update the system, install and uninstall packages, add or remove other users, grant or revoke permissions, and perform any other system administration task without any restrictions.
The root user can just about do anything on the system. The assumption by Linux and UNIX-like systems is that you know full well what you are doing with the system. That said, the root user can easily break the system. All it takes is for you to execute a fatal command, and the system will be up in smoke.
For this reason, running commands as the root user is highly discouraged. Instead, good practice is to configure a sudo user: that is, grant sudo privileges to a regular user so they can perform specific administrative tasks, and restrict the remaining tasks to the root user. Every privileged action then runs under an accountable username and is logged by sudo, which a shared root login cannot provide.
Regular User
A regular user is a normal login user that can be created by a systems administrator. Usually, there is a provision to create one during the installation process. However, you can still create as many regular users as needed post-installation.
A regular user can only perform tasks and access files and directories for which they are authorized. If need be, a regular user can be granted elevated privileges to perform administrative-level tasks. Regular users can also be deleted or disabled when the need arises.
Service Account
This is a non-login account that is typically created when a software package is installed. Such accounts are used by services (daemons) to run their processes under a dedicated, unprivileged identity rather than as root, which limits the damage a compromised service can do. They are given a non-interactive login shell such as /usr/sbin/nologin or /bin/false and a locked password, and they are not designed or intended to carry out routine or administrative tasks in the system.
User Management Files
Information about users in a Linux system is stored in the following files:
- /etc/passwd
- /etc/group
- /etc/gshadow
- /etc/shadow
Let’s understand each file and what it does:
The /etc/passwd File
The /etc/passwd file contains quite a bit of information about users, split into colon-separated fields. The file is world-readable, so any local user can list every account on the system. To view the contents of the file, simply use the cat command as shown.
$ cat /etc/passwd
Here’s a snippet of the output.
tecmint:x:1002:1002:tecmint:/home/tecmint:/bin/bash
Let’s focus on the first line and flesh out the various fields. Starting from the far left, we have the following:
- The username: This is the name of the user, in this case, tecmint.
- The password: Historically this field held the password hash. On modern systems it holds only the placeholder x, which means the real hash lives in /etc/shadow, a file that regular users cannot read. Because /etc/passwd is world-readable, a hash (or an empty field, which permits password-less login) appearing here instead of x is a misconfiguration worth flagging.
- The UID: This is the User ID. It’s a unique identifier for every user. UID 0 is root, regardless of the username attached to it.
- The GID: This is the ID of the user’s primary group, the group that owns files the user creates by default.
- The GECOS field: a brief description or summary of the user, such as the full name and, optionally, room number and phone numbers, separated by commas.
- This is the path to the user’s home directory. For tecmint user, we have /home/tecmint.
- This is the login shell, the program started when the user logs in. For regular login users, this is usually /bin/bash. For service accounts such as sshd or mysql, it is usually /usr/sbin/nologin or /bin/false, which exit immediately and so prevent an interactive login.
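The three checks just described (a second UID 0 account, a password field that is not x, and a system account with an interactive shell) are quick to automate. The script below is an added example for this article, not code from the original page; it runs against a constructed passwd-format sample so it can be tried without root, and accepts a real file path such as /etc/passwd as its first argument.

```shell
#!/bin/sh
# Audit a passwd-format file for three classic misconfigurations.
# Added example; the sample below is constructed, not a real system's file.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::1003:1003:guest,,,:/home/guest:/bin/bash
tecmint:x:1002:1002:tecmint,,,:/home/tecmint:/bin/bash
EOF
}

# Any account whose UID (field 3) is 0 is root, whatever it is called.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Field 2 should be "x" (hash is in /etc/shadow). Anything else is either a
# hash stored in a world-readable file or an empty field: password-less login.
weak_password_fields() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# System accounts (UID below 1000 on Debian and RHEL defaults) should have a
# non-interactive shell; only root is expected to have a real shell.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

audit_passwd() {
    f="$1"
    echo "UID 0 accounts:";                uid0_accounts "$f"
    echo "password field is not x:";       weak_password_fields "$f"
    echo "system accounts with a shell:";  system_accounts_with_shell "$f"
}

# Run against the file given as $1, or against the constructed sample.
f="${1:-}"
if [ -z "$f" ]; then f=$(mktemp); sample_passwd > "$f"; fi
audit_passwd "$f"
```

On the sample the audit reports toor as a second UID 0 account, guest as having an empty password field, and backup as a system account with /bin/bash. Run it as `sh audit-passwd.sh /etc/passwd` on a real host; every hit deserves an explanation before it is accepted.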
The /etc/group File
This file contains information about the user groups. When a user is created with adduser or useradd, the tool also creates a group with the same name as the user (the user private group scheme used by Debian and RHEL-based systems). This is known as the user’s primary group, and the user is placed in it upon creation.
For example, if you create a user called bob, the system automatically creates a group called bob and adds the user bob to the group.
$ cat /etc/group
tecmint:x:1002:
The /etc/group file has 4 colon-separated fields. From the far left, we have:
- Group name. Each group name must be unique.
- Group password. Usually represented by an x placeholder, meaning that the hash, if any, is in /etc/gshadow. Group passwords are rarely used.
- Group ID (GID).
- Group members. A comma-separated list of the users who have this group as a supplementary group. Users whose primary group this is (through the GID field in /etc/passwd) are not listed here, which is why the field is blank when the user is the only member, as in the example above.
NOTE: A user can be a member of multiple groups. Likewise, a group can have multiple members.
To confirm the groups that a user belongs to, run the groups command with the username as its argument:
$ groups username
For example, to check the groups that the user tecmint belongs to, run the command:
$ groups tecmint
The output confirms that the user belongs to two groups: tecmint and sudo.
tecmint : tecmint sudo
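Membership in sudo (or wheel on RHEL-based systems), adm and docker is what turns a regular user into someone who can become root, and as noted above a user can hold such a group either as a supplementary group in /etc/group or as the primary GID in /etc/passwd. The script below, an added example that is not part of the original article, answers "who can escalate?" by checking both. The group and passwd files it reads are constructed samples; pass real paths (/etc/group /etc/passwd) as the first two arguments to run it on a host.

```shell
#!/bin/sh
# List every user who effectively belongs to a privilege-granting group.
# Added example; both sample files are constructed for the demo.
sample_group() {
    cat <<'EOF'
root:x:0:
adm:x:4:syslog,tecmint
sudo:x:27:tecmint,alice
docker:x:998:bob
tecmint:x:1002:
alice:x:1003:
EOF
}
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tecmint:x:1002:1002:tecmint,,,:/home/tecmint:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
bob:x:1004:1004::/home/bob:/bin/bash
carol:x:1005:27::/home/carol:/bin/bash
EOF
}

# Usage: privileged_members GROUPFILE PASSWDFILE GROUPNAME...
# Prints a sorted, de-duplicated list of usernames.
privileged_members() {
    g="$1"; p="$2"; shift 2
    for name in "$@"; do
        # Supplementary members: field 4 of /etc/group, comma separated.
        awk -F: -v n="$name" '$1 == n && $4 != "" { gsub(",", "\n", $4); print $4 }' "$g"
        # Primary members: users whose passwd GID (field 4) equals this group's GID.
        # These never appear in /etc/group, so a groups-file-only check misses them.
        gid=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$g")
        [ -n "$gid" ] && awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$p"
    done | sort -u
}

g="${1:-}"; p="${2:-}"
if [ -z "$g" ]; then
    g=$(mktemp); p=$(mktemp); sample_group > "$g"; sample_passwd > "$p"
fi
for grp in sudo wheel adm docker; do
    echo "$grp:"; privileged_members "$g" "$p" "$grp"
done
```

On the sample, sudo resolves to alice, carol and tecmint: carol is not listed in /etc/group at all, she is a member only through her primary GID of 27. That is exactly the kind of membership a reviewer reading /etc/group by eye would miss.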
The /etc/gshadow File
This file contains encrypted or ‘shadowed‘ passwords for group accounts and, for security reasons, cannot be read by regular users. It is readable only by the root user; a user with sudo privileges reads it by running the command through sudo.
$ sudo cat /etc/gshadow
tecmint
Only the group name field is visible in this snippet. From the far left, the file contains the following colon-separated fields:
- Group name.
- Encrypted group password. An ! or * here means that no password is set, so only the listed members can use the group.
- Group administrators. A comma-separated list of users allowed to change the group’s password and membership.
- Group members. A comma-separated list of users who are members of the group, mirroring the last field of /etc/group.
The /etc/shadow File
The /etc/shadow file stores the users’ actual password hashes together with password-ageing information. Like /etc/gshadow it is readable only by root. Again, the fields are colon-separated and take the format shown.
$ sudo cat /etc/shadow
tecmint:$6$iavr8PAxxnWmfh6J$iJeiuHeo5drKWcXQ.BFGUrukn4JWW7j4cwjX7uhH1:18557:0:99999:7:::
The file has 9 fields. Starting from the far left we have:
- The username: This is your login name.
- The user’s password hash. The prefix identifies the algorithm ($6$ is SHA-512 crypt, $y$ is yescrypt, $1$ is the obsolete MD5 crypt), followed by the salt and the hash itself. A field beginning with ! or * is locked: no password can match it. An empty field means no password is required at all.
- The last password change, given as the number of days since the epoch (1st January 1970). The value 18557 in the example corresponds to 22 October 2020.
- The minimum password age. This is the minimum number of days that must elapse after a password change before the user may change it again.
- The maximum password age. This is the maximum number of days after which a password must be changed. The default of 99999 effectively means never.
- The warning period. As the name suggests, this is the number of days before the password expires during which the user is warned of the impending expiry at login.
- The inactivity period. The number of days after the password has expired during which it is still accepted (the user is forced to change it at login). Once that grace period has also passed, the account is disabled until an administrator resets the password.
- The expiration date. The day, again counted since the epoch, on which the user account itself expires; from then on all logins are refused, including SSH public-key logins that never consult the password hash. Blank means the account never expires.
- Reserved field. This is left blank.
These values can be inspected and changed per user with the chage command, for example chage -l tecmint.
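Reading those fields by eye does not scale past a handful of accounts, and the questions an auditor asks (who has no password, who is locked, whose password or account is past its expiry, whose password never has to change) are all arithmetic on fields 2, 3, 5 and 8. The script below is an added example written for this article, not the page's own code; it works on a constructed shadow-format sample whose hashes are placeholders, and accepts a real path such as /etc/shadow (read via sudo) as its first argument.

```shell
#!/bin/sh
# Audit a shadow-format file. Added example; the sample is constructed and
# the hash fields are placeholders, not real password hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$s1$PLACEHOLDERHASH:18557:0:99999:7:::
daemon:*:18000:0:99999:7:::
tecmint:$6$s2$PLACEHOLDERHASH:18557:0:99999:7:::
olduser:$6$s3$PLACEHOLDERHASH:17000:0:90:7:::
contractor:$6$s4$PLACEHOLDERHASH:18500:0:60:7:14:18700:
locked:!$6$s5$PLACEHOLDERHASH:18400:0:99999:7:::
nopass::18557:0:99999:7:::
EOF
}

# Fields 3 and 8 count days since 1970-01-01; express "now" in the same unit.
today_in_days() { echo $(( $(date +%s) / 86400 )); }

# Empty field 2: login without any password, if login/sshd are configured to allow it.
passwordless_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# '!' or '*' prefix: nothing can hash to this value, so password login is disabled.
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"; }

# Usable hash, a finite maximum age, and lastchange + maxage already in the past.
# Usage: expired_passwords FILE TODAY_IN_DAYS
expired_passwords() {
    awk -F: -v today="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && $5 != "" && $5 < 99999 && $3 + $5 < today { print $1 }' "$1"
}

# Field 8 set and in the past: the whole account is disabled, SSH keys included.
# Usage: expired_accounts FILE TODAY_IN_DAYS
expired_accounts() { awk -F: -v today="$2" '$8 != "" && $8 < today { print $1 }' "$1"; }

# Usable hash but maxage 99999 (the default) or empty: the password never rotates.
never_expiring_passwords() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

f="${1:-}"
if [ -z "$f" ]; then f=$(mktemp); sample_shadow > "$f"; fi
now=$(today_in_days)
echo "passwordless:";            passwordless_accounts "$f"
echo "locked:";                  locked_accounts "$f"
echo "password expired:";        expired_passwords "$f" "$now"
echo "account expired:";         expired_accounts "$f" "$now"
echo "password never expires:";  never_expiring_passwords "$f"
```

The functions take the current day as a parameter rather than calling date themselves, so the same logic can be replayed against a copy of /etc/shadow taken during an incident with the day of the incident plugged in. Note that a locked account (daemon, locked) is deliberately excluded from the expiry checks: its password is already unusable, so ageing it further changes nothing.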
How to Add Users in a Linux System
For Debian and Ubuntu distributions, the adduser utility is used for adding users.
The syntax is quite simple and straightforward.
$ sudo adduser username
For example, to add a user called bob, run the command
$ sudo adduser bob
From the output, a user called ‘bob‘ is created and is added to a newly created group called ‘bob‘. Additionally, the system also creates a home directory and copies the skeleton configuration files from /etc/skel into it.
Thereafter, you will be prompted for the new user’s password and then confirm it. The shell will also prompt you for the user’s full name and other optional information such as Room no and Work phone. This information is not really necessary, so it’s safe to skip it. Finally, press ‘Y’ to confirm that the information provided is correct.
For RHEL & CentOS-based systems, use the useradd command. On these distributions useradd creates the home directory by default; pass -m to be explicit, since on Debian-based systems plain useradd does not.
$ sudo useradd -m bob
Next, set the password for the user using the passwd command as follows.
$ sudo passwd bob
How to Delete Users in a Linux System
To delete a user from the system, it’s advisable to first lock the user out of logging into the system as shown.
$ sudo passwd -l bob
Locking the password only prevents password logins; an SSH key in the user’s authorized_keys still works. To refuse every kind of login, also expire the account:
$ sudo usermod -e 1970-01-02 bob
If you wish, you can back up the user’s files using the tar command. Use -j so that the archive really is bzip2-compressed, as its .tar.bz2 name suggests.
# tar -cjvf /backups/bob-home-directory.tar.bz2 /home/bob
Finally, to delete the user together with the home directory use the deluser command as follows:
$ sudo deluser --remove-home bob
Additionally, you can use the userdel command as shown.
$ sudo userdel -r bob
With those options, the two commands completely remove the user alongside their home directory and mail spool. Files the user owned elsewhere on the system are left behind with an orphaned UID; find them with find / -nouser before the UID is handed to a new account.
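The lock, back up, remove sequence above is worth scripting so that the steps always happen in that order and a crafted username cannot turn into an extra command-line option. The script below is an added example for this article, not the page's own tooling. Because the real commands need root and are destructive, it has a DRY_RUN=1 mode that prints what it would run; the usermod, tar and userdel invocations are the standard ones, while the run wrapper, the username check and the backup path layout are this example's own choices.

```shell
#!/bin/sh
# Offboard a user: lock and expire, stop their processes, back up home, remove.
# Added example; set DRY_RUN=1 to print the privileged commands instead of
# executing them.
set -u

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# Accept only names useradd/adduser would accept (lowercase, digits, _ and -,
# optional trailing $, at most 32 chars). This keeps a value such as "-f" from
# being parsed as an option by the commands below.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*[$]?$' && [ "${#1}" -le 32 ]
}

# Usage: offboard_user USERNAME BACKUP_DIR
offboard_user() {
    user="$1"; backup_dir="$2"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }
    [ "$user" != "root" ] || { echo "refusing to remove root" >&2; return 2; }

    # 1. Lock the password (prefixes '!' to the hash in /etc/shadow) and expire
    #    the account, so neither passwords nor SSH keys work while we proceed.
    run usermod --lock --expiredate 1970-01-02 "$user"
    # 2. Terminate anything the user still has running.
    run pkill -KILL -u "$user" || true
    # 3. Back up the home directory; -j makes the archive bzip2-compressed.
    run tar -cjf "$backup_dir/$user-home-$(date +%Y%m%d).tar.bz2" "/home/$user"
    # 4. Remove the account with its home directory and mail spool. Files the
    #    user owns elsewhere stay behind; locate them with: find / -nouser
    run userdel --remove "$user"
}

if [ $# -ge 2 ]; then
    offboard_user "$@"
fi
```

Try it first with `DRY_RUN=1 sh offboard.sh bob /backups` and read the four commands it prints; only then run it for real, as root. The order matters: locking before the backup means the user cannot add or delete files while the archive is being written.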
Conclusion
That was an overview of user management commands that will prove useful especially when managing user accounts in your office environment. Give them a try from time to time to sharpen your system administration skills.
Users and groups
Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as «root».
Users may be grouped together into a «group», and users may be added to an existing group to utilize the privileged access it grants.
Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.
Permissions and ownership
The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: «everything is a file,» widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a «file.» Since every «file» is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications: simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands «cat /dev/audio > myfile» and «cat myfile > /dev/audio», respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:
$ ls -l /boot/
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux
The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r--: the owning user may read and write it, while the owning group and everyone else may only read it). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. Its mode drwxrwx--- gives root and the members of vboxsf full access and everyone else none, so adding a user to vboxsf is what grants access to the share. It is also possible to determine a file’s owners and permissions using the stat command:
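Beyond reading a single listing, the permission bits most worth hunting for across a whole tree are world-writable files, world-writable directories that lack the sticky bit (unlike /tmp, where the bit stops users deleting each other's files), and setuid/setgid executables, which run with their owner's or group's identity. The script below is an added example, not part of the wiki text above; it builds a small constructed directory tree so the checks can be exercised without root, and scans any directory passed as its first argument otherwise.

```shell
#!/bin/sh
# Find the permission patterns checked first in a local privilege-escalation
# review. Added example; the sample tree is constructed for the demo.
set -u

# Usage: risky_perms DIR  -> prints "<kind> <path>" per finding
risky_perms() {
    dir="$1"
    # -perm -0002: the "other" write bit is set.
    find "$dir" -type f -perm -0002 | sed 's/^/world-writable-file /'
    # Directories are only a problem without the sticky bit (-perm -1000).
    find "$dir" -type d -perm -0002 ! -perm -1000 | sed 's/^/world-writable-dir /'
    # -perm -4000 (setuid) or -perm -2000 (setgid) on regular files.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/setuid-or-setgid /'
}

# Constructed sample: one finding of each kind plus two benign entries.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/app" "$root/tmp" "$root/var/cache"
    printf '#!/bin/sh\necho hi\n' > "$root/opt/app/helper"
    chmod 4755 "$root/opt/app/helper"        # setuid script: finding
    : > "$root/opt/app/config.ini"
    chmod 0666 "$root/opt/app/config.ini"    # world-writable file: finding
    chmod 1777 "$root/tmp"                   # sticky, like /tmp: fine
    chmod 0777 "$root/var/cache"             # world-writable, no sticky: finding
    : > "$root/opt/app/safe"
    chmod 0644 "$root/opt/app/safe"          # ordinary file: fine
    echo "$root"
}

if [ $# -ge 1 ]; then
    risky_perms "$1"
else
    r=$(build_sample_tree); risky_perms "$r"; rm -rf "$r"
fi
```

On a real host run it as `sudo sh risky-perms.sh /` and compare the setuid list against the distribution's package manifests; a setuid binary outside those manifests, or a writable directory on root's PATH, is the finding to chase. (The kernel ignores the setuid bit on scripts, so the sample's helper would not actually escalate, but a setuid ELF binary in the same place would.)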