Linux - Module 14: Managing users and groups


Module 14: Managing Users and Groups

Exam Objective 5.2: Creating Users and Groups

Objective Summary

- Understanding user and group commands
- Creating User IDs

Working with Groups

Creating a Group

The most common reason to create a group is to provide a way for users to share files. After creating or modifying a group, you can verify the changes by viewing the /etc/group file or running the getent command.

The groupadd Command

- The groupadd command creates a new group.
- The -g option can be used to specify a group ID:

    groupadd -g 506 research

- If the -g option is not provided, the groupadd command will automatically provide a GID for the new group.

Group ID Considerations

- Avoid creating GIDs in the same numeric ranges where you expect to create user IDs if your system uses UPG.
- Recall that GIDs under 500 are reserved for system use.
- The -r option will assign the new group a GID that is less than the lowest standard UID.

Group Naming Considerations

- The first character of the name should be either an underscore (_) or a lower-case alphabetic character (a-z).
- Up to 32 characters are allowed on most Linux distributions, but using more than 16 can be problematic, as some distributions may not accept more than 16.
- After the first character, the remaining characters can be alphanumeric, dash (-) or underscore (_).
- The last character should not be a hyphen (-).

Modifying a Group

- The groupmod -n command changes a group's name.
- The groupmod -g command changes a group's ID.
- If you change the GID for a group, all files that were associated with that group will no longer be associated with it. These are called "orphaned" files.
- To find "orphaned" files:

    find / -nogroup

Deleting a Group

- Delete a group with the groupdel command.
- This may result in "orphaned" files.
- Only supplemental groups can be deleted.

Working with Users

The /etc/default/useradd File

- The /etc/default/useradd file is used to define default settings when creating user accounts.
- Default settings can be viewed or modified with the useradd -D command.
- Editing this file requires root access.

| Field | Example | Description |
|---|---|---|
| GROUP | 100 | The default primary group for a new user. |
| HOME | /home | The default base directory under which the user's new home directory will be created. |
| INACTIVE | -1 | The number of days after the password expires that the account is disabled. |
| EXPIRE | | Account expiration date. |
| SHELL | /bin/bash | The default shell for users when they log in to the system. |
| SKEL | /etc/skel | The contents of this directory are copied into the new user's home directory, and the new user is given ownership of these files. |
| CREATE_MAIL_SPOOL | yes | A "mail spool" is a file where incoming email is placed. |

The /etc/login.defs File

- The /etc/login.defs file is used to define default settings when creating user accounts.
- These default settings can be viewed only by viewing the contents of this file.
- These settings can also only be modified by editing the file directly.
- Editing this file requires root access.

| Field | Example | Description |
|---|---|---|
| MAIL_DIR | /var/mail/spool | The directory in which the user's mail spool file will be created. |
| PASS_MAX_DAYS | 99999 | The maximum number of days that a user can continue to use the same password. |
| PASS_MIN_DAYS | 0 | The shortest time that a user is required to keep a password. |
| PASS_MIN_LEN | 5 | The minimum number of characters that a password must contain. |
| PASS_WARN_AGE | 7 | This is the default for the warning field. |
| UID_MIN | 500 | The first UID that will be assigned to an ordinary user. |
| UID_MAX | 60000 | The highest possible UID that will be assigned to an ordinary user. |
| GID_MIN | 500 | The first GID that will be assigned to an ordinary group. |
| GID_MAX | 60000 | The highest possible GID that will be assigned to a regular group. |
| CREATE_HOME | yes | Determines whether or not a new directory will be created for the user when their account is created. |
| UMASK | 077 | Determines what the default permissions will be for the user's home directory. |

Working with Account Information

Advantages to Individuals having Separate Accounts

- Accounts can be used to grant selective access to files or services.
- The sudo command can be configured to permit specific individuals to execute select administrative commands.
- Each account can have group memberships and rights associated with it, allowing for greater management flexibility.

Account Considerations

Before creating a user account, consider what values you want to set for the following:

- User name
- UID
- Primary group
- Supplementary group(s)
- Home directory
- Skeleton directory
- Shell
- Comment

The useradd Command

The useradd command will allow you to create new users. Example:

    useradd -u 1000 -c 'Jane Doe' jane

Modifies the following files:

- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/gshadow

Creates the mail spool (/var/spool/mail/jane) and the user's home directory (/home/jane).

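
The password-related defaults in the /etc/login.defs table above can be checked mechanically. The following is an added example, not part of the original module: it parses a login.defs-style file and flags weak defaults. The thresholds MAX_DAYS_LIMIT and MIN_LEN_FLOOR and the function names are assumptions chosen for illustration; the sample file is constructed from the table's example values.

```shell
#!/bin/sh
# Added example: audit the password-related defaults in a login.defs-style file.
# MAX_DAYS_LIMIT and MIN_LEN_FLOOR are assumed policy values, not from the module.
MAX_DAYS_LIMIT=365
MIN_LEN_FLOOR=12

# get_def FILE KEY: print the value of KEY, ignoring comment lines.
# If KEY appears more than once, the last occurrence is reported.
get_def() {
    awk -v key="$2" '/^[[:space:]]*#/ { next } $1 == key { val = $2 } END { print val }' "$1"
}

# is_number VALUE: succeed only for a non-empty string of digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# audit_login_defs FILE: print one line per finding; print nothing if clean.
audit_login_defs() {
    max=$(get_def "$1" PASS_MAX_DAYS)
    len=$(get_def "$1" PASS_MIN_LEN)
    mask=$(get_def "$1" UMASK)
    if ! is_number "$max" || [ "$max" -gt "$MAX_DAYS_LIMIT" ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: want at most $MAX_DAYS_LIMIT days"
    fi
    if ! is_number "$len" || [ "$len" -lt "$MIN_LEN_FLOOR" ]; then
        echo "PASS_MIN_LEN=${len:-unset}: want at least $MIN_LEN_FLOOR characters"
    fi
    # A UMASK whose last digit is not 7 leaves new home directories open to "other".
    case "$mask" in
        *7) ;;
        *)  echo "UMASK=${mask:-unset}: new home directories are open to other users" ;;
    esac
}

# Constructed sample using the example values from the module's table.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
MAIL_DIR        /var/mail/spool
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           077
EOF
audit_login_defs "$sample"
```

These defaults are applied when an account is created; accounts that already exist keep their own aging values until they are changed with chage.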
Password Security

Picking a Password

- Avoid using personal information in passwords.
- Encourage complex passwords.
- Encourage longer passwords, but not so long that they are hard to remember.
- Consider how often users will be required to reset their passwords.

Setting a Password

- The passwd command will allow you to change a password.
- The root user can change any user's password:

    passwd user_name

- The root user can break any password rule except "no empty passwords".
- A user can change their own password by running the passwd command with no argument.
- Regular users cannot break password rules.
- Password rules vary from one distribution to another.

chage Command

Using the chage Command

Used to change password aging settings for a user.

| Short option | Long option | Description |
|---|---|---|
| -l | --list | List the account aging information. |
| -d LAST_DAY | --lastday LAST_DAY | Set the date of the last password change to LAST_DAY. |
| -E EXPIRE_DATE | --expiredate EXPIRE_DATE | Set account to expire on EXPIRE_DATE. |
| -h | --help | Show the help for chage. |
| -I INACTIVE | --inactive INACTIVE | Set account to permit login for INACTIVE days after password expires. |
| -m MIN_DAYS | --mindays MIN_DAYS | Set the minimum number of days before password can be changed to MIN_DAYS. |
| -M MAX_DAYS | --maxdays MAX_DAYS | Set the maximum number of days before a password should be changed to MAX_DAYS. |
| -W WARN_DAYS | --warndays WARN_DAYS | Set the number of days before a password expires to start displaying a warning to WARN_DAYS. |

Modifying a User Account

Modify a User

- The user may need to be logged off to modify the account.
- Use the who, w or last commands to determine if a user is currently logged in to the system.

The usermod Command

Used to modify a user account.

| Option | Description |
|---|---|
| -c COMMENT | Sets the value of the GECOS or comment field to COMMENT. |
| -d HOME_DIR | Sets a new home directory for the user. |
| -e EXPIRE_DATE | Set account expiration date to EXPIRE_DATE. |
| -f INACTIVE | Set account to permit login for INACTIVE days after password expires. |
| -g GROUP | Set GROUP as primary group. |
| -G GROUPS | Set supplementary groups to a list specified in GROUPS. |
| -a | Append the groups specified by -G to the user's supplemental groups. |
| -h | Show the help for usermod. |
| -l NEW_LOGIN | Change the user's login name. |
| -L | Lock the user account. |
| -s SHELL | Specify the login shell for the account. |
| -u NEW_UID | Specify the user's UID to be NEW_UID. |
| -U | Unlock the user account. |

Removing a User

Delete a User

- Use the userdel command to delete a user account.
- By default, only the account is deleted, not any of the files owned by the user.
- By using the -r option, files in the user's home directory and the user's mail spool are deleted.
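
The chage options and usermod -L described above write to fields of /etc/shadow, whose standard layout the module does not list. The following is an added example, not part of the original module: it reads shadow-format lines and reports each account's aging and lock state. The function name audit_shadow, the day number 19800 and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: report per-account password aging from shadow-format lines.
# Fields: 1 name, 2 password hash, 3 last change (chage -d), 4 min days (-m),
#         5 max days (-M), 6 warn days (-W), 7 inactive days (-I),
#         8 account expiry (-E). Dates are counted in days since 1970-01-01.
# usermod -L puts "!" in front of the hash; that blocks password logins only.

# audit_shadow FILE TODAY_IN_DAYS: print one "name: finding" line per issue.
audit_shadow() {
    awk -F: -v today="$2" '
        /^#/ || NF < 8 { next }
        {
            locked = ($2 ~ /^[!*]/)
            if ($2 == "")
                print $1 ": empty password field"
            if (locked)
                print $1 ": locked (password login disabled)"
            else if ($5 == "" || $5 >= 99999)
                print $1 ": password never expires"
            else if ($3 != "" && today > $3 + $5)
                print $1 ": password expired " (today - $3 - $5) " days ago"
            if ($8 != "" && today >= $8)
                print $1 ": account expired"
        }
    ' "$1"
}

# Constructed sample lines (hashes are placeholders, not real hashes).
shadow_sample=$(mktemp)
cat > "$shadow_sample" <<'EOF'
# constructed sample, not a real /etc/shadow
jane:$6$constructed$hash:19000:0:99999:7:::
bob:$6$constructed$hash:19700:1:90:14:30::
carol:!$6$constructed$hash:19780:0:90:7:::
dave:$6$constructed$hash:19790:0:90:7::19750:
svc::19790:0:90:7:::
EOF

# Day 19800 is a fixed, constructed "today" so the output is repeatable.
# Real use (as root): audit_shadow /etc/shadow "$(( $(date +%s) / 86400 ))"
audit_shadow "$shadow_sample" 19800
```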
