Updated: 2014-11-26 02:35 EST

1 Topics in User and Group Management

USERS
  • user account files: /etc/passwd and /etc/shadow
  • useradd – add a user account
  • userdel – remove a user account (but not its HOME directory, unless you use the -r option)
  • usermod – modify userid info, e.g. userid, comment, UID, GID, HOME, etc.
  • chfn – change the Full Name (the GECOS/comment/name field)
  • chsh – change shell
  • passwd – change password
  • su – start a subshell (usually as root): log in as a new userid
  • sudo – execute a single command, or start a shell, as another userid
  • whoami – display only the current userid
GROUPS
  • group account files: /etc/group and /etc/gshadow
  • groupadd – create a new group
  • groupdel – delete a group
  • groupmod – modify group name, GID, password
  • gpasswd – manage groups: set group administrator, add/delete members
  • groups – display all current groups
  • newgrp – start a subshell: log in to a new group with a password
BOTH
  • id – display user UID and group GID and groups
  • chown – change owner and/or group of a file system object

2 Users: The Password File – /etc/passwd

2.1 Password File Format – /etc/passwd

When a user is created on the system, the following information is stored in seven colon-separated fields in /etc/passwd:

username:x:UID:GID:comment:home_directory:login_shell
    1    2  3   4     5        6               7
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
  1. login userid (stored in variables $USER or $LOGNAME in the shell)
  2. encrypted password (or an x marker indicating use of /etc/shadow)
  3. User ID number (numeric UID)
  4. Group ID number (numeric GID) – but users can be in more groups, too
  5. GECOS/comments/name: any text information; often the user’s full name and/or office
  6. Home directory (absolute path): usually /home/$USER
  7. Login shell to give the user at login; usually /bin/bash
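To make the seven fields concrete, here is an added shell example (not part of the original page) that reads a passwd-format file with awk and pulls out a named field, plus two checks an administrator routinely runs over the real file: which accounts have UID 0 (all of them are root, whatever their name), and which accounts do not carry the x marker in field 2, meaning their password is stored in the world-readable file itself or is missing. The sample file is constructed here for the demonstration; the backup and legacy entries are deliberately odd so the checks have something to find.

```shell
#!/bin/sh
# Added example: inspect a passwd-format file field by field.
# The sample file below is constructed for this example; it is not a real /etc/passwd.

# Write a small constructed passwd file to the path given as $1.
make_sample_passwd() {
    cat >"$1" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
legacy::1001:1001:Legacy Service:/srv/legacy:/bin/sh
EOF
}

# Print field number $3 (1..7) of user $2 from passwd file $1.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# Every account whose UID (field 3) is 0 has full root privilege.
passwd_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose password field (field 2) is not the x shadow marker:
# either a hash is stored in the readable file, or the field is empty.
passwd_unshadowed() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Lines that do not have exactly seven colon-separated fields.
passwd_badfields() {
    awk -F: 'NF != 7 { print NR ": " $0 }' "$1"
}

# Human-readable report over passwd file $1.
passwd_report() {
    echo "UID 0 accounts:     $(passwd_uid0 "$1" | xargs)"
    echo "not using shadow:   $(passwd_unshadowed "$1" | xargs)"
    echo "malformed lines:    $(passwd_badfields "$1" | xargs)"
}

# Stand-alone use: ./passwd_audit.sh /etc/passwd
if [ $# -gt 0 ]; then
    passwd_report "$1"
fi
```

Run against the real file the report should list exactly one UID 0 account (root) and no unshadowed accounts; anything else is worth explaining before moving on.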

2.2 Shadow Passwords – /etc/shadow

2.3 useradd – create new user

2.4 userdel – delete user

2.5 usermod – modify user information

Change any of the information about a user account. This command changes the stored information about the account, usually kept in the password and group files.

2.6 chsh – change shell

2.7 passwd – change password

2.8 su – substitute userid

2.9 sudo – do command as another user

2.10 whoami – who am I

3 Groups: The Group File – /etc/group

3.1 Group File Format – /etc/group

When a group is created on the system, the following information is stored in four colon-separated fields in /etc/group:

groupname:x:GID:userid1,userid2,userid3
     1    2  3  4
root:x:0:
cdrom:x:500:idallen,alleni
  1. group name
  2. encrypted password (or an x marker indicating use of /etc/gshadow)
  3. Group ID number (GID)
  4. Optional list of userids that are members of that group
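The group a user belongs to comes from two places: the GID in field 4 of the passwd entry (the primary group) and every group whose field 4 in /etc/group lists the userid (supplementary groups). The added shell example below (not part of the original page) resolves both from the files and prints the same kind of list that groups and id show in section 5. The passwd and group files are constructed sample data. Because it reads the files rather than the running process, its output is what a fresh login would get: a membership added with gpasswd or usermod does not appear in id or groups until the user logs in again.

```shell
#!/bin/sh
# Added example: rebuild a user's group list from passwd and group files.
# The sample files are constructed for this example, not copied from a real system.

make_sample_files() {  # $1 = passwd path, $2 = group path
    cat >"$1" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
alleni:x:501:501:Ian Allen:/home/alleni:/bin/bash
EOF
    cat >"$2" <<'EOF'
root:x:0:
idallen:x:500:
alleni:x:501:
cdrom:x:24:idallen,alleni
adm:x:4:idallen
EOF
}

# Name of the group whose GID (field 3) is $2, from group file $1.
gid_to_name() {
    awk -F: -v g="$2" '$3 == g { print $1; exit }' "$1"
}

# Primary group of user $3: passwd field 4 mapped to a name via the group file.
primary_group() {  # $1 passwd, $2 group, $3 user
    gid=$(awk -F: -v u="$3" '$1 == u { print $4; exit }' "$1")
    [ -n "$gid" ] && gid_to_name "$2" "$gid"
}

# Supplementary groups of user $2: every group whose member list (field 4)
# contains the userid. The list is comma-separated, so split it first.
supplementary_groups() {  # $1 group, $2 user
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$1"
}

# One line, primary group first, then supplementary groups in file order.
user_groups() {  # $1 passwd, $2 group, $3 user
    p=$(primary_group "$1" "$2" "$3") || return 1
    printf '%s' "$p"
    for g in $(supplementary_groups "$2" "$3"); do
        [ "$g" = "$p" ] || printf ' %s' "$g"
    done
    printf '\n'
}

# Stand-alone use: ./user_groups.sh idallen   (reads the real system files)
if [ $# -gt 0 ]; then
    user_groups /etc/passwd /etc/group "$1"
fi
```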

3.2 Group Shadow Passwords – /etc/gshadow

3.3 Group Commands – groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp

4 Changing Privilege – su, sudo, and newgrp

4.1 su – substitute user or set userid

Without the --login option (abbreviated as a lone - argument, as in su -), you get a new shell with new permissions, but much of your existing shell environment and your current directory are unchanged. In particular, you may not have a $PATH that includes the system administration command directories.

When running a shell with root privileges, most shells change the $ in your prompt to be a # character, to remind you that you have full permissions to change anything, so be careful. See the example below:

$ whoami ; pwd ; echo "$PATH"
idallen
/home/idallen
/bin:/usr/bin
$ su                              # assumes root; does not do full login
Password:
# whoami ; pwd ; echo "$PATH"     # note new prompt includes '#' character
root
/home/idallen                     # current directory is unchanged
/bin:/usr/bin                     # PATH does not include system directories
# exit                            # exit the subshell; return to previous shell
$
$ whoami ; pwd ; echo "$PATH"
idallen
/home/idallen
/bin:/usr/bin
$ su -                            # assumes root; does full login this time
password: XXX
# whoami ; pwd ; echo "$PATH"
root
/root                             # current directory is now root HOME
/bin:/usr/bin:/sbin:/usr/sbin     # PATH includes system directories now
# exit                            # exit the subshell; return to previous shell
$

4.2 sudo – do as if su

4.2.1 Use sudo not su

For most actions that involve root privilege, use the sudo command to make the privilege change just for that one command. Do not start a root subshell (e.g. using su) until you have more experience. Mistakes made in a root subshell can destroy your system!

If you do start a full subshell using the su or sudo -s commands, remember to exit your subshell to return to your previous account. Don’t keep layering multiple subshells inside each other.

4.2.2 sudo doesn’t affect shell redirection

Remember that redirection is done by the shell before it runs a command, so sudo doesn’t affect the permissions of a redirection done in the same command line:

$ sudo echo "mygroup:x:123:" >>/etc/group
bash: /etc/group: Permission denied

Above, the redirection is done by the unprivileged shell, before the sudo command is run, and so the redirection fails. More examples:

$ sudo touch foo >bar               # foo is touched by root; bar is not
$ sudo cp /etc/shadow foo           # foo is written by root
$ sudo cat /etc/shadow >bar         # bar is *not* written by root
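Since the unprivileged shell performs the redirection, the fix is to make the file write happen inside the privileged command instead. The two standard idioms are to pipe into sudo tee (tee, running as root, opens the file) and to hand the whole command line, redirection included, to a root shell with sudo sh -c. The added shell example below (not from the original page) wraps both in functions. ELEVATE is an assumed variable naming the privilege-raising command; it defaults to sudo, and setting it to the empty string runs the same functions unprivileged against files you own, which is how the example can be exercised without root.

```shell
#!/bin/sh
# Added example: put the privileged step around the file write, not before it.
# ELEVATE defaults to sudo; set ELEVATE="" to run unprivileged on your own files.

# Append one line to a file as root. The shell pipes the text into tee, and it
# is tee, started by sudo, that opens the file for appending.
# (Wrong form for comparison: sudo echo "$2" >>"$1" has the *unprivileged*
# shell open "$1" before sudo ever runs.)
append_line_privileged() {  # $1 file, $2 line
    printf '%s\n' "$2" | ${ELEVATE-sudo} tee -a "$1" >/dev/null
}

# Copy the contents of a root-only file to a destination as root. The
# redirection is inside the quoted sh -c string, so root's shell performs it.
# Source and destination are passed as $1 and $2 to avoid quoting problems.
copy_contents_privileged() {  # $1 source, $2 destination
    ${ELEVATE-sudo} sh -c 'cat "$1" > "$2"' sh "$1" "$2"
}

# Stand-alone use (as an ordinary user with sudo rights):
#   ./priv_write.sh /etc/group "mygroup:x:123:"
if [ $# -eq 2 ]; then
    append_line_privileged "$1" "$2"
fi
```

Both forms also keep the read side honest: in copy_contents_privileged the cat runs as root, so a root-only source such as /etc/shadow is readable, and the destination is created by root, unlike the bar file in the page's last example.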


4.3 newgrp – log in to a new group

5 Showing and changing owner and group – id and chown

These commands deal with both the user/owner and the groups/group.

The match between your logged-in user/groups and the file system owner/group determines the permissions you have on a file system object.

5.1 id – show user and UID, groups and GIDs

The id command tells you everything about your logged-in account.

$ id
uid=777(idallen) gid=777(idallen) groups=777(idallen),4(adm),6(disk)

On SELinux systems, you are also shown information about your security context.

5.2 chown – change owner and/or group of file system object

The command that changes the owner and/or group of a file system object (e.g. a file, directory, etc.) is chown. Only the root user can change the owner of an object. The owner of an object can change its group, but only to one of the groups that the owner belongs to.

You can change both the owner and the group by separating the two with a colon character. To change just the owner, leave off the colon and the group. To change just the group, leave off the owner but keep the leading colon:

# chown idallen:staff mydir     # change both user and group
# chown idallen mydir           # change only the owner, not the group
# chown :staff mydir            # change only the group; use a leading colon
Author: 
| Ian! D. Allen  -  idallen@idallen.ca  -  Ottawa, Ontario, Canada
| Home Page: http://idallen.com/   Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom:  http://eff.org/  and have fun:  http://fools.ca/
