¶ Administering Users and Groups in Linux
| Terminology |
Definition |
| Pluggable Authentication Modules (PAM) |
Supplement authentication methods with additional options and flexability |
| UID (User ID) |
A unique numeric identifier assigned to each user account in Linux. |
|
|
| GID (Group ID) |
A unique numeric identifier assigned to each group. |
| EUID (Effective User ID) |
The user ID a process runs as, often used during privilege escalation (e.g., sudo). |
| EGID (Effective Group ID) |
The effective group permissions a process is using. |
| /etc/passwd |
File that stores basic user account information such as username, UID, GID, home directory, and shell. |
| /etc/shadow |
Secure file that stores hashed passwords and password aging information. |
| /etc/group |
File that stores group names, GIDs, and group membership. |
| pam_faillock |
PAM module that locks accounts after too many failed login attempts. |
| Root |
The superuser account with unrestricted access to the system (UID 0). |
| Sudo |
A command that allows permitted users to execute commands with elevated privileges. |
| visudo |
A safe editor for modifying the /etc/sudoers file with syntax checking. |
| Wheel Group |
A special group that grants administrative privileges on Red Hat–based systems. |
| SGID (Set Group ID) |
A permission that causes files or processes to run with the group’s privileges. |
| Environment Variable |
A key-value pair passed to processes that defines system behavior (e.g., PATH, HOME). |
| Shell |
A command-line interpreter that allows users to interact with the operating system. |
| Login Shell |
The default shell assigned to a user when they log in. |
| Polkit (PolicyKit) |
A framework for fine-grained privilege authorization without full root access. |
| pkexec |
A Polkit command used to run programs with elevated privileges. |
| Exit Code |
A numeric value returned by a command indicating success or failure. |
| Skeleton Directory (/etc/skel) |
Template directory used to populate new user home directories. |
- Accounts represent identities on a computer
- Three Types of accounts exist on a Linux system
- System - Represents parts of the Linux operating system itself.
- User - Individual users who log in to the machine
- Service - Allow applications to access system resources, such as the CPU, time, Memory, and networking.
- When determining an account's permissions to a specific resource, Linux compares the account's user ID (UID) against the resource permissions to determine if it is allowed access
- Usually accounts have a user name which is what the system administrator uses to interact with the users instead of the UID
- Linux also has Effective UID (EUID) - Such as privilege escalation or when running programs or scripts as another user
- System accounts - Accounts critical to the running of the operating system. These accounts have a UID of 0-4, with 0 being root
- Service accounts - necessary for the operating system have a UID range of 100-999, but vary from distro to distro
- User accounts - These accounts represent people and have UIDs above 1000.
- Like most Linux settings user accounts are stored in a text file. Administrators do not just edit the text in these files, as editing the text directly has a high risk of typographical errors. Instead, they use specific programs and commands to edit these files.
- Two files store user account data
- /etc/passwd - This file stores usernames
- /etc/shadow - This file stores users' passwords in salted hash, it also contains account expiration information
- The /etc/passwd file contains the following information
- Username - The name the user logs in with
- Password - it's represented as an x. It is stored in /etc/shadow
- User ID - Unique number representing the user to the system
- Group ID - Unique number representing the user's primary group
- Comment - Typically displays the user's full name, but may store any needed value
- Home Directory - Absolute path to the user's home directory
- Login Shell - Absolute path to the user's default shell
- There was a time when both passwords and usernames were stored in the same file, but when they were stored in /etc/passwd, they were stored in cleartext, which necessitated the change
- There are three Primary commands for managing user accounts
- useradd
- usermod
- userdel
- Many debian based distro's do recognize these commands but also support
- adduser
- deluser
- Some common options for the useradd command are
- -c - Sets the comment value
- -e - Sets the expiration date for the user account, in the format YYYY-MM-DD
- -m - Creates the user home directory in /home
- -s - Sets the user's default shell
- -u - Set the specific user ID value
- -D - Displays the default settings
useradd -c "Joe Smith" -e 2025-12-31 -s /bin/ksh jsmith
# This creates the user Joe Smith with the username of jsmith with an expiration of 2025-12-31 and a default shell of kornshell
- While the useradd command does create a user, it does not set their password
sudo passwd jsmith
-
This will have you type in the new password and confirm, and let you know that the password was successfully updated
-
You can confirm the account information with getent passwd or tail /etc/passwd
- getent passwd also displays account information for network-based accounts like those through LDAP
-
The adduser command is used in some linux distro's, it is very similar to useradd but its functionality has been expanded to include custom scripts, prompts for additional account details, and more, including the ability to set a password.
- --home /path/for/home - creates a home directory for the user on the given path
- --shell /bin/sh - Sets the user's default shell to bash
- --groups group1,group2 - Adds the user to the specified groups
sudo adduser jsmith
# this will prompt you to fill out the information for the new user
# including password, full name, room number, work phone, home phone, and other then to confirm
¶ The usermod command
- You can modify existing user accounts with the usermod command
- You can modify things like
- the comment with -c
- the expiration with the -e
- the shell with -s
usermod -c "John Smith" -d /home/jsmith -m -l jsmithy # This command was used to change the jsmithy user to jsmith due to a typo
cat /etc/passwd # To confirm username change
ls /home # To confirm the home profile has been changed
¶ The userdel Command
The userdel command removes existing users from the system. By default, it does not remove the user's home directory. However, you can use the -r to also remove the associated home directory
userdel -r jsmith # Command to delete the user and remove their user directory
cat /etc/passwd # To confirm that the user was removed
ls /home # To confirm that the users' directory has been removed
¶ The deluser Command
The deluser command removes user accounts from the system on some distros.
- Options for the deluser command are
- --remove-all-files - Deletes all files owned by the user
- --backup-to /path/to/backup - Backs up user files to the specified path as a .tar.gz archive
- --remove-home - Delete the user's home directory
When you use the useradd, usermod, or userdel command to manage users, the system records the command's result. Even when nothing appears on the screen. All error messages are labeled using a number called an exit code, and it can be retrieved with echo $?
- useradd exit codes are
- 0 success
- 1 Couldn't update the /etc/passwd file
- 9 Username is already in use
- 12 Couldn't create the home directory- Exit codes for usermod and userdel include
- 1 couldn't update the /etc/passwd file
- 2 Invalid command syntax
- 6 specified user does not exist
- 8 Cannot delete user because the specified user is currently logged in
¶ User Management Command Scripts
You can use scripting to help create and manage users. This can be used to help make the repetitive task of adding a lot of users a little easier and less prone to typographical errors.
#!/bin/bash
# This script adds a user, sets a full name comment, expiration, custom home directory location, and default shell. Edit the name information for each new user.
useradd -c "John Smith" -e 2030-1-1 -d /home/helpdesk/ -s /bin/ksh jsmith
#!/bin/bash
# This script creates multiple users based on an array of usernames
#
# Username Array
usernames=("jsmith" "bally" "dbarrett")
# Create the users by looping through the array
for username in "$[usernames[@]}"
do
sudo useradd -m -s /bin/bash "$username"
done
# Print a String to let you know that the command ran
echo "Successfully created users"
# Displays the last three lines of /etc/passwd to confirm
sudo tail -n 3 /etc/password
¶ Account Configuration Commands
There are many commands that system administrators can use to view and display account information.
- The whoami command by defualt will show the current logged in username
- The w and who command will display all accounts currently logged into the system
- This can be used to check to see if there are any users logged in before restarting the system
- The id command will display information about the current user
- While if you added a username to the end of the command then you can retreive information about the requested account
- You can set a password for an account with passwd using the syntax passwd jsmith
- Standard Linux authentication relies solely on the /etc/passwd and /etc/shadow files
- For businesses that require more secure authetication they can use PAM - Pluggable Authentication Modules
- Two PAM modules help manager manage authentication
- pam_tally2 - This module is currently deprecated and should only be used if pam_faillock is not available
- pam_faillock - module tracks login attempts and can block authentication if to many attempts fail.
¶ User Login Commands
Administrators need to be able to audit sign-in logs and this can be achieved through a couple of different commands
- lastlog - displays the last login times for accounts. This information allows administrators to know who was logged in at any given time.
- It uses its own log file found in /var/log/lastlog
- last - displays the contents of the wtmp file, which includes every login and logoff event on the system.
- This is found in /var/log/wtmp
- Users can fail to authenticate with the system, and a good place to start your troubleshooting process for this is in the /etc/passwd and /etc/shadow files
- Confirm that the user has an account by displaying the contents of /etc/passwd
- Maybe the user doesn't have an account, use the useradd to add the user's account
- If the account exists, confirm that it has a password in the /etc/shadow file
- Use passwd if there is no password set
- The user could have also forgotten their password reset with passwd
- If the user account exists and the password both exists and are correct
- Unlock the account with passwd -u username or usermod -U username
- Sometimes the account has expired
- Use the change command to unlock the account
- Linux Groups are stored in the file /etc/group and store all of the groups and which accounts are members of those groups
- Groups have both a human-readable name and a Group ID (GID), which is used by Linux to handle the groups
- Standard groups receive a GID of 1000 or higher
- System Groups start with the number 101
- Groups might have an Effective Group ID (EGID) tied to privilege escalation
- The EGID helps enable access to resources managed by another group
- They might also have a Set Group ID (SGID) special permission
¶ Group Management Commands
The commands to create and manage groups are similar to user management commands
-
The Standard Life Cycle of groups is - groupadd - Create a new group
- groupmod - modifies an existing group
- groupdel - deletes an existing group
-
When you delete a group, it doesn't remove the user accounts that are a part of that group
-
You can not delete a group if there is a user that exists on the server that has that group as their main group
-
Debian versions of Linux have the addgroup and delgrou commands
Before you delete a group, you have to ensure that you have another way to access the resources that the group can access
- You can use the exit values after running group commands to confirm the action that you performed. Can they be accessed with echo$?
- groupadd
- 0 success
- 2 Invalid argument syntax
- 4 GID not unique
- 9 Group name not unique
- groupmod and groupdel
- 0 success
- 2 Invalid command syntax
- 6 specified group doesn't exist
- 8 Can't remove the user's primary group
- 10 Can't update group file
- Adding a user to the group does not modify the group; it modifies the user. Use the usermod command to add a user to an existing group
- There are two specific options used with the usermod command
- -a Appends the user to the group and maintains any existing group memberships
- -G Specifies a group to which the user will be added
- If you don't use the -a option, the user will be removed from all other groups
¶ Rename and Create Groups
groupmod -n sales_west sales # Rename the sales group to sales_west
groupadd sales_east # create the group sales_east
usermod -G sales_east jsmith # adds jsmith to the sales_east group
Due to the large amount of time Linux administrators spend in the command Line interface, it is quite common for them to customize the shell to their liking
-
You can customize your shell by editing the ~/.bashrc file
- \u@ Displays the current user's username
- \h Displays the system's hostname
- \w Displays the current directory - $ Displays the $ symbol for standard users and the # symbol for root, allowing users to easily tell the difference between the two
- \t Displays the current time
- \d displays the current date
-
Users can customize their own shell, and while the user can not directly edit the /etc/passwd file, they can run the chsh command to specify there preffered shell
chsh -s /bin/ksh # Turns the user's shell to KornShell
chsh -l # Lists the available shells
chsh -s # Provides a path to the requested shell
- Users are free to edit the ~/.bashrc file as it is in their home directory
- By default, the user management commands rely on the /etc/login.defs file to define default account settings.
- As a sysadmin, you can use a few different files to set the system up according to your organization's preferences
- /etc/profile - used to set system-wide variables and startup programs
- /etc/bashrc - used for shells
- ~/.profile is the user-specific file of the /etc/profile file; users have the freedom to edit the ~/.profile for their own profile preferences
- /etc/skel - This directory can store files that will automatically copy to the home directory for new users
¶ Shell and Environment Variables
Variables, just like their name suggests, are variable and can change over time. Linux has two types of variables: shell variables and environmental variables
- Environment variables - are variables that are inherited from a parent shell process and are passed to the child process
- Within the environment variables are references as key-value pairs in the format KEY=value. Some of the default environment variables are listed below
- HOSTNAME - Hostname of the system
- SHELL - The Shell path for the system
- MAIL - The Path where mail is stored
- HOME - The home directory of the user
- PATH - The Search path
- HISTSIZE - The number of entries stored in the command history
- User - The name of the user
- You can declare a variable in bash with the syntax my_variable=variable, and you can call it with $my_variable
- Directories containing executable files are usually assigned to the PATH variable, enabling you to type a command or script at the CLI without specifying the absolute path
- Don't ever set your home directory as one of the PATH variables, as this is a security misconfiguration and could lead to automatic execution of malware
- If you need to execute an executable file that is not stored in the PATH variable, you need to either specify the absolute path or, if it is in the present working directory (PWD), you need to specify ./
- In the /etc/locale. Confirm you have the option to configure localization variables. Some common localization variables are
- LC_ADDRESS - Sets the postal address format
- LC_MONETARY - set the format of monetary values
- LC_MEASUREMENT - sets the measuring system
- LC_ALL= - Defines the locale to use for all options
- TZ= - Sets the system timezone
- LANG= Defines the locale for all LC_* variables that aren't explicity defined
¶ Command Aliases
If there is a command that you type frequently, you can use command aliases as shorthand for that command
- Use the syntax alias alias-name="commandThatYouWouldLikeToExecute"
¶ Command History
The Bash Shell stores a list of all commands that you enter, while the default settings are usually suffecient you can modify these values
- HITFILESIZE - a shell variable to store command history, and lets you set the maximum number of commands in the history file
- Edit the ~/.bashrc file to set this value
- One useful change you can make is to export HISTCONTROL=ignoredups, which. gnoreands in the history file
- The /etc/login.defs file is used for common password configurations to help enforce security
- PASS_MAX_DAYS - The maximum number of days before a password must be changed. 2. PASS_MIN_DAYS - The minimum password age before a user can change their password
- PASS_WARN_AGE - The Number of days before a user's password expires that they will receive a warning that they need to change their password
- PASS_MIN_LEN - the minimum length the user's password must be
¶ the chage command
- The change commands have the following options
- -l Displays the current values
- -M Specifies the maximum number of days between password changes
- -m Specifies the minimum number of days between password changes
- -W specifies the number of warning days between password changes
- -E Locks an account after a specified date
¶ the passwd Command
- You can use the passwd command to manage specific account passwords, and it has the following options
- -d Deletes a password and disables the account
- -e Immediately expires a password
- -l locks the account
- -u unlocks a locked accout
It is never recommended to log in and perform day-to-day tasks as the root user; the root user's permissions are very broad and allow inexperienced users to break the system, which is a serious security concern.
- The best practice for this is to log in as a standard user and escalate when necessary using sudo or by switching user to root with su
- If you are using su, if you use the syntax su root, you will obtain the privileges of root but stay in your profile, and you also be able switch to a different user as long as you know their password
- If you use su with the syntax su -root, you will spawn an entirely new shell as that user, which is the more accepted use case
- Using the sudo command allows you to only execute a specific command with escalated privileges - The people who are allowed to use sudo are specified in the /etc/sudoers file
- You should only edit the /etc/sudoers file with the command visudo, as any mistakes in this file could seriously break the system and rendor completly unusable if there is no way to escalate privledges
- Some of the arguments that you can use with the visudo command are
- -c Checks the existing /etc/sudoers file for errors
- -f Edits or checks the file in adifferent location than the default
- -s Checks the file in strict mode
- -x output the file in JSON format
- The syntax for entries in the sudoers file is username hostname = user command
- This allows you to specify only specific commands to specific users
¶ The Wheel and sudo groups
- Many distros disable the login as root and specify administrative rights with the wheel group
- Members of the wheel group exercise the administrative rights of root with less possibility to damage the system
- Fedora and Redhat distro's use the wheel group
- Debian-based distros use the sudo group
- Ensure that you always use the visudo command when editing the rights of these groups to ensure that you do not break the sudoers file
- The sudo -i command enables users to simulate full root access, including a new shell with the root user's environmental variables loaded
- Administrators can add the # includedir /etc/sudoers.d line to the main sudoers file, which allows system administrators to add detailed delegations without risking corruption of the main sudoers file
¶ The sudoedit command
- Some Linux files require root privileges to edit, and you can accomplish this with the sudo command
- But you can also use the sudoedit command - Using sudoedit allows the user to edit the file with there prefered text editor
- To use the sudoedit command, you must add an entry in the sudoers file %editors ALL = sudoedit /path/to/file - allowing any user of the editors group to use the command sudoedit /path/to/file to edit that file
- The Polkit toolkit provides a different way of delegating privileges than sudo. Unlike sudo, t does not grant full root access to a process; it grants specific access to defined actions.
- Polkit can allow a user update an existing software but prevent that user from installing new software.
- Actions are defined in XML files stored in /usr/share/polkit-1/actions. These have a .policy extensionare stored in two different directories and are stored as a file with the .rules extensionpolkit-1/rules.d - local policiesr/shar/polkit-1/rules.d - for third party policys
- Rules are written in JavaScriptence actions are ned in the actions files
¶ pkexec and other polkit commands