% Users and Groups - /etc/passwd and /etc/group
% Ian! D. Allen - idallen@idallen.ca - www.idallen.com
% Fall 2012 - September to December 2012 - Updated Sat Mar 16 02:59:24 EDT 2013

Topics
======

USERS :

- user account files: `/etc/passwd` and `/etc/shadow`
- `useradd` - add a user account
- `userdel` - remove a user account
- `usermod` - modify userid info, e.g. userid, UID, GID, etc.
- `chsh` - change shell
- `passwd` - change password
- `su` - start a subshell: log in as a new userid
- `sudo` - execute a single command as another userid

GROUPS :

- group account files: `/etc/group` and `/etc/gshadow`
- `groupadd` - create a new group
- `groupdel` - delete a group
- `groupmod` - modify group name, GID, password
- `gpasswd` - manage groups: set group administrator, add/delete members
- `groups` - display all the groups a user belongs to
- `id` - display user UID and group GID and groups
- `newgrp` - start a subshell: log in to a new group with a password

Users: The Password File - `/etc/passwd`
========================================

- the `/etc` directory is where “Host-Specific Configuration” files are stored
- Almost everything a user can or can’t do in a Linux system is determined by:
    - what user they log in as (or become with su or sudo)
    - what group(s) that user belongs to

Password File Format - `/etc/passwd`
------------------------------------

When a user is created on the system, the following information is stored in
seven colon-separated fields in `/etc/passwd`:

    username:x:UID:GID:comment:home_directory:login_shell
       1     2  3   4     5          6             7

    root:x:0:0:Super User:/root:/bin/bash
    idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash

1. login userid (stored in variables `$USER` or `$LOGNAME` in the shell)
2. encrypted password (or an **x** marker indicating use of `/etc/shadow`)
3. User ID number (UID)
4. Group ID number (GID) - but users can be in more groups, too
5. Comments: any text information; often the user’s full name and/or office
6. Home directory (absolute path): usually `/home/$USER`
7. Login shell to give the user at login; usually `/bin/bash`

- The above information about each user is kept in `/etc/passwd`
- The file requires root access for modifications (writing)
- Its content can be viewed (read) by anyone
- Using privileged (set-UID root) commands, users can modify content related to their own account info, e.g. `passwd`, `chsh`
- Encrypted passwords are usually stored in `/etc/shadow`, accessible only by root

Shadow Passwords - `/etc/shadow`
--------------------------------

- When a system has shadow passwords enabled (the default), the password field in `/etc/passwd` is replaced by an “x” and the user’s real encrypted password is stored in `/etc/shadow`.
- `/etc/shadow` is only readable by the root user, so even the encrypted password is hidden from ordinary users and can’t be fed to a password-cracking program. (A copy of `/etc/shadow` that leaks, e.g. from a backup, can still be cracked offline, so hiding the hashes is no substitute for strong passwords.)
- Each line in `/etc/shadow` contains the user’s login userid, their encrypted password, and fields relating to password expiration.
- Special passwords (see “man shadow”):
    - a leading `!` means the password (and thus account) is locked
    - an asterisk (star) `*` indicates the account has been disabled
    - an *empty* password field means no password is needed to log in (shadow(5)); this is almost always a mistake

`useradd`
---------

- Used to create a new login account.
- Also creates a group with the same name (the “user private group” default on most Linux distributions).
- Usually the defaults are correct, but options let you change any of the information to be stored in the passwd and group files.
- Sometimes called “adduser”, but sometimes “adduser” is a *different* program (e.g. Ubuntu).

`userdel`
---------

- Remove an account from the password and group files.
- To actually remove the home directory, you must use the “-r” option!
    - if you forget -r, you will leave a home directory with no owner: the files stay owned by the old UID *number*, and a new account later given that UID number silently inherits them
- Will not remove an account that has active processes running (e.g. a shell)

`usermod`
---------

- Change any of the information about a user account.
- Changing the home directory with “-d” changes *only* the field in `/etc/passwd`; it does not actually *move* the directory unless you *also* give “-m”.
    - RTFM: the `-d` option must be followed by the *new home directory name*
    - RTFM: do not put the `-m` option in between the `-d` and the home directory
    - RTFM: the *last* argument on the command line must always be the *login name* of the *existing* account you want modified
    - If you have already used `-d` without using `-m`, you can’t do the command a second time with `-m` - it will say “nothing changed”. You have to put things back the way they were by using `-d` (without `-m`) to *undo* the change you made, then use `-d` *with* `-m` to redo the change.
- Can lock/unlock an account (`-L` / `-U`) by inserting “!” in front of the password field.
- Will not modify an account that has active processes running (e.g. a shell)

`chsh`
------

- “CHange SHell”
- Changes the login shell in `/etc/passwd` - does not affect current shell
- Only root can change shells of other accounts
- If a shell isn’t specified on the command line, it will prompt for one
- Usually only allows setting a shell from a small system-defined list (`/etc/shells`)

`passwd`
--------

- Changes the login password in `/etc/passwd` (or `/etc/shadow`)
- Only root can change passwords of other accounts (and root is not asked for the old password)

`su`
----

- Set userid or substitute user
- See [below]

`sudo`
------

- Execute a single command with other (usually root) privileges
- See [below][1]

Groups: The Group File - `/etc/group`
=====================================

- Groups allow a set of permissions to be assigned to a group of users
- Every file system object has “group” permissions; if you are not the owner of the object but are in that group, group permissions apply to you.
- File system objects have only one owner and can be in only one group.
- Logged in users can be “in” (members of) multiple groups.
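Added example (this script is not part of the original notes): a read-only audit of `/etc/passwd`-format and `/etc/shadow`-format files covering the points above that bite in practice: extra UID 0 accounts, hashes or empty password fields left in the world-readable `passwd` file, the lock/disable/empty markers in `shadow`, and the home-directory mess that `usermod -d` without `-m` and `userdel` without `-r` leave behind. The function names, the sample accounts (`alice`, `bob`, `carol`, `toor`, `legacy`) and the scratch directory are made up for the example; point the functions at the real files (as root, since `/etc/shadow` is not world-readable) to audit a host.

```sh
#!/bin/sh
# Added example (not from the original notes): read-only checks over
# /etc/passwd-format and /etc/shadow-format files, plus the home
# directory problems that "usermod -d" without "-m" and "userdel"
# without "-r" leave behind. The sample files built by make_samples
# are constructed for the example in a scratch directory from mktemp.

# list_uid0 passwd: every account with UID 0 (field 3). Any name other
# than root here is a second superuser.
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# list_passwd_hashes passwd: accounts whose password field (field 2) is
# not the "x" shadow marker, so a hash (or nothing at all) sits in the
# world-readable file.
list_passwd_hashes() {
    awk -F: '$2 != "x" { print $1 ":" ($2 == "" ? "EMPTY" : "HASH-IN-PASSWD") }' "$1"
}

# shadow_status shadow: classify field 2 of each line using the rules in
# shadow(5): a leading "!" is locked, "*" is disabled, an empty field
# needs no password at all, anything else is a hash.
shadow_status() {
    awk -F: '{
        if ($2 == "")        s = "NOPASSWORD"
        else if ($2 ~ /^!/)  s = "LOCKED"
        else if ($2 == "*")  s = "DISABLED"
        else                 s = "HASH"
        print $1 ":" s
    }' "$1"
}

# owner_uid dir: numeric owner UID of a directory (ls -n is POSIX).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_homes passwd homeroot [minuid]: for each account with UID >=
# minuid, report a home directory (field 6) that is missing (usermod -d
# without -m) or owned by a different UID; then report directories under
# homeroot that no passwd entry names as its home (left by userdel -r
# being forgotten).
check_homes() {
    passwd=$1; homeroot=$2; minuid=${3:-1000}
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge "$minuid" ] || continue
        if [ ! -d "$home" ]; then
            echo "$name:MISSING-HOME:$home"
        elif [ "$(owner_uid "$home")" != "$uid" ]; then
            echo "$name:HOME-OWNED-BY-$(owner_uid "$home"):$home"
        fi
    done < "$passwd"
    for d in "$homeroot"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        awk -F: -v h="$d" '$6 == h { found = 1 } END { exit found ? 0 : 1 }' "$passwd" \
            || echo "UNREFERENCED-DIR:$d"
    done
}

# make_samples: build constructed passwd, shadow and home directories in
# a scratch directory and print its path. "alice" gets the caller's own
# UID so that her home directory really is owned by her; "legacy" is a
# system account (UID below 1000) with its hash left in passwd.
make_samples() {
    dir=$(mktemp -d)
    me=$(id -u)
    mkdir -p "$dir/home/alice" "$dir/home/bob" "$dir/home/ghost"
    cat > "$dir/passwd" <<EOF
root:x:0:0:Super User:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
alice:x:$me:$me:Alice:$dir/home/alice:/bin/bash
bob:x:60001:60001:Bob:$dir/home/bob:/bin/bash
carol:x:60002:60002:Carol:$dir/home/carol:/bin/bash
legacy:\$6\$saltsalt\$notarealhash:999:999:Old service:/var/lib/legacy:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:15700:0:99999:7:::
toor::15700:0:99999:7:::
alice:!$6$saltsalt$notarealhash:15700:0:99999:7:::
bob:*:15700:0:99999:7:::
carol:$6$saltsalt$notarealhash:15700:0:99999:7:::
EOF
    echo "$dir"
}

# Run everything against the sample files.
d=$(make_samples)
echo "UID 0 accounts:";    list_uid0 "$d/passwd"
echo "Hashes in passwd:";  list_passwd_hashes "$d/passwd"
echo "Shadow status:";     shadow_status "$d/shadow"
echo "Home directories:";  check_homes "$d/passwd" "$d/home"
rm -rf "$d"
```

On a real host run it as `check_homes /etc/passwd /home` and `shadow_status /etc/shadow`; the `minuid` argument exists so that system accounts whose home directories are never created are not reported as missing.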
- Most group information is maintained in `/etc/group` and `/etc/gshadow`
- BUT: At login, every user is given an initial (primary) group GID from the passwd file, whether or not the user is listed in that group’s member list in `/etc/group`.
- A user will belong to other groups (supplementary groups), if the user is a member of those groups in the `/etc/group` file.

Group File Format - `/etc/group`
--------------------------------

When a group is created on the system, the following information is stored in
four colon-separated fields in `/etc/group`:

    groupname:x:GID:userid1,userid2,userid3
        1     2  3             4

    root:x:0:
    cdrom:x:500:idallen,alleni

1. group name
2. encrypted password (or an **x** marker indicating use of `/etc/gshadow`)
3. Group ID number (GID)
4. Optional comma-separated list of userids that are members of that group

- The above information about groups is kept in `/etc/group`
- Modifications can be done by root or by the Group Administrator for a group
- Its content can be viewed by anyone
- Encrypted passwords are usually stored in `/etc/gshadow`, accessible only by root

Group Shadow Passwords - `/etc/gshadow`
---------------------------------------

- When a system has shadow passwords enabled (the default), the password field in `/etc/group` is replaced by an “x” and the group’s real encrypted password is stored in `/etc/gshadow`.
- `/etc/gshadow` is only readable by the root user, so even the encrypted group password is hidden from ordinary users and can’t be fed to a password-cracking program
- Each line in `/etc/gshadow` contains the group name, the group encrypted password, an optional list of Group Administrators, and an optional list of Group Members (which should be the same as the member list in `/etc/group`)
- Special passwords (see “man gshadow”):
    - a leading `!` means the group password is locked
    - `*` indicates the group cannot be logged into by non-members (members never need the password)

Group Commands - `groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp`
----------------------------------------------------------------------------

- `groupadd` - create a new group in `/etc/group`
- `groupdel` - remove a group from `/etc/group`
- `groupmod` - modify the name or GID of a group in `/etc/group`
- `gpasswd` - administer the `/etc/group` and `/etc/gshadow` files
    - can be used by the Group Administrator as well as root
    - add and delete group members, or set the member list
    - root can set the list of Group Administrators for a group
- `groups` - list all the groups a user belongs to
- `id` - more detailed version of “groups” showing numeric values
- `newgrp` - (rarely used) use the group password to start a new shell with additional group privileges

Changing Privilege - su, sudo, and newgrp
=========================================

su - substitute user or set userid
----------------------------------

- Example: `su --login`
- Opens up a subshell as the new user, with that user’s privileges
- Exiting the subshell goes back to the previous user
- Ordinary (non-root) users need to enter the password for the other account
- A dash `-` or `--login` option (options must be surrounded by spaces) means use a full login shell that clears the environment, sets groups and goes to the user’s home directory as if the user had just logged in.
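Added example (this script is not part of the original notes): what `groups` and `id -Gn` work out, reconstructed from `/etc/passwd`-format and `/etc/group`-format files. The primary group comes from the GID field of `passwd` (the user need not appear in that group’s member list in `/etc/group`), the supplementary groups from the member lists in `group`, and a last function checks that the member lists in `/etc/group` and `/etc/gshadow` agree, as they should when only `gpasswd` has touched them. The function names and the sample users and groups are invented for the example; `wheel`, `cdrom` and `staff` are just names here.

```sh
#!/bin/sh
# Added example (not from the original notes): derive a user's groups
# from /etc/passwd-format and /etc/group-format files the way login and
# the groups/id commands do, and cross-check /etc/group against
# /etc/gshadow. The sample files built by make_group_samples are
# constructed for the example in a scratch directory from mktemp.

# primary_group passwd group user: the group whose GID (field 3 of group)
# equals the user's GID (field 4 of passwd). The user does not have to be
# in that group's member list. Prints the bare number if no group has
# that GID, as "id" does. Returns 1 if the user is not in passwd.
primary_group() {
    gid=$(awk -F: -v u="$3" '$1 == u { print $4; exit }' "$1")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; found = 1; exit }
                         END { if (!found) print g }' "$2"
}

# supplementary_groups group user: every group whose member list
# (field 4, comma-separated) names the user, in file order.
supplementary_groups() {
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$1"
}

# user_groups passwd group user: one line, primary group first and then
# the supplementary groups, as "id -Gn user" prints them.
user_groups() {
    p=$(primary_group "$1" "$2" "$3") || return 1
    s=$(supplementary_groups "$2" "$3" | grep -vxF "$p" | tr '\n' ' ')
    echo "$p $s" | sed 's/ *$//'
}

# gshadow_member_mismatch group gshadow: groups whose member list in
# gshadow (field 4) differs from the one in group (field 4). gpasswd
# updates both files together; editing one by hand leaves them apart.
gshadow_member_mismatch() {
    awk -F: 'NR == FNR { members[$1] = $4; next }
             ($1 in members) && members[$1] != $4 { print $1 ":" members[$1] "|" $4 }' "$1" "$2"
}

# make_group_samples: constructed passwd, group and gshadow files.
# "guest" has primary GID 100 (users) without being listed in that
# group's member list; "staff" was edited by hand in /etc/group only.
make_group_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
alleni:x:501:501:Ian Allen:/home/alleni:/bin/bash
guest:x:502:100:Guest account:/home/guest:/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:idallen
cdrom:x:24:idallen,alleni
staff:x:50:guest
users:x:100:
idallen:x:500:
alleni:x:501:
EOF
    cat > "$dir/gshadow" <<'EOF'
root:::
wheel:!:idallen:idallen
cdrom:!::idallen,alleni
staff:!::
users:::
idallen:!::
alleni:!::
EOF
    echo "$dir"
}

# Run against the sample files.
d=$(make_group_samples)
for u in idallen alleni guest; do
    echo "$u: $(user_groups "$d/passwd" "$d/group" "$u")"
done
echo "group/gshadow member mismatches:"
gshadow_member_mismatch "$d/group" "$d/gshadow"
rm -rf "$d"
```

On a real host, `user_groups /etc/passwd /etc/group "$USER"` should print the same names as `id -Gn` for a fresh login; if it does not, the difference is almost always a group added since you logged in, which the text above explains (group membership is set at login).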
- Without the full login, the command will set privileges but will leave most of the existing environment unchanged, including an unchanged current directory (that may not grant the new user any permissions!).
- If you don’t give a userid, it assumes you want to become the root user

    [idallen@localhost]$ whoami
    idallen
    [idallen@localhost]$ su
    password: XXX
    [root@localhost]# whoami
    root
    [root@localhost]# exit
    [idallen@localhost]$
    [idallen@localhost]$ whoami
    idallen

sudo - do as if su
------------------

- Example: `sudo passwd idallen`
- Execute a single command with other (usually root) privileges
- Safer way to do root tasks (avoids running a whole shell as root, and each command is logged)
- The root account can update `/etc/sudoers` with the list of who can do what; edit it with `visudo`, which checks the syntax before saving, because a syntax error in `/etc/sudoers` stops `sudo` working for everyone
- [XKCD comic about sudo]

![sudo]

    [idallen@localhost]$ whoami
    idallen
    [idallen@localhost]$ sudo passwd alleni
    [sudo] password for idallen: XXXXXXXXXX
    Changing password for user alleni.
    New password: XXX
    Retype new password: XXX
    passwd: all authentication tokens updated successfully.
    [idallen@localhost]$ whoami
    idallen
    [idallen@localhost]$

newgrp - log in to a new group
------------------------------

- Opens up a subshell as the new group, with that group’s privileges
- Exiting the subshell goes back to the previous group
- rarely used - needs a group password set (unless you are already listed as a member of the group)

--
| Ian! D. Allen - idallen@idallen.ca - Ottawa, Ontario, Canada
| Home Page: http://idallen.com/ Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/

[Plain Text] - plain text version of this page in [Pandoc Markdown] format

[below]: #su---substitute-user-or-set-userid
[1]: #sudo---do-as-if-su
[XKCD comic about sudo]: http://xkcd.com/149/
[sudo]: http://imgs.xkcd.com/comics/sandwich.png "sudo"
[Plain Text]: 600_users_and_groups.txt
[Pandoc Markdown]: http://johnmacfarlane.net/pandoc/