USERS
/etc/passwd and /etc/shadow
useradd - add a user account
userdel - remove a user account
usermod - modify userid info, e.g. userid, UID, GID, etc.
chsh - change shell
passwd - change password
su - start a subshell: log in as a new userid
sudo - execute a single command as another userid
GROUPS
/etc/group and /etc/gshadow
groupadd - create a new group
groupdel - delete a group
groupmod - modify group name, GID, password
gpasswd - manage groups: set group administrator, add/delete members
groups - display all groups
id - display user UID and group GID and groups
newgrp - start a subshell: log in to a new group with a password
Users: The Password File - /etc/passwd
- the /etc directory is where “Host-Specific Configuration” files are stored
- Almost everything a user can or can’t do in a Linux system is determined by:
- what user they log in as (or become with su or sudo)
- what group(s) that user belongs to
When a user is created on the system, the following information is stored in seven fields in /etc/passwd:
PASSWD FILE FORMAT: username:x:UID:GID:comment:home_directory:login_shell
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
- login userid (stored in variables $USER or $LOGNAME in the shell)
- encrypted password (or an x marker indicating use of /etc/shadow)
- User ID number (UID)
- Group ID number (GID) - but users can be in more groups, too
- Comments: any text information; often the user’s full name and/or office
- Home directory (absolute path): usually /home/$USER
- Login shell to give the user at login; usually /bin/bash
- The above information about each user is kept in /etc/passwd
- The file requires root access for modifications (writing)
- Its content can be viewed (read) by anyone
- Using privileged commands, users can modify content related to their own account info, e.g. passwd, chsh
- Encrypted passwords are usually stored in /etc/shadow, accessible only by root
Shadow Passwords - /etc/shadow
- When a system has shadow passwords enabled (the default), the password field in /etc/passwd is replaced by an “x” and the user’s real encrypted password is stored in /etc/shadow.
- /etc/shadow is only readable by the root user, so even the encrypted password is hidden and can’t be used in a password-cracking program
- Each line in /etc/shadow contains the user’s login userid, their encrypted password, and fields relating to password expiration.
- Special passwords (see “man shadow”):
- a leading “!” means the password (and thus account) is locked
- a “*” indicates the account has been disabled
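The passwd and shadow field layouts above can be checked mechanically. This is an added example, not from the original page: the passwd and shadow lines are constructed for the demo (the hashes are fake), and the three checks it runs are the ones an administrator wants before trusting a password file: extra UID 0 accounts, hashes left in /etc/passwd instead of /etc/shadow, and empty or locked shadow fields.

```bash
# Added example (not from the original page): audit constructed passwd and
# shadow text using the seven-field and shadow layouts described above.
SAMPLE_PASSWD='root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
backup:x:501:501:Backup Account:/var/backups:/bin/bash
svc:x:502:502:Service Account:/srv/svc:/usr/sbin/nologin
legacy:$1$abcdefgh$fakehashfakehashfakeh:503:503:Old Account:/home/legacy:/bin/bash
toor:x:0:0:Second Root:/root:/bin/bash'
SAMPLE_SHADOW='root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
idallen:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
backup:!$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
toor::19000:0:99999:7:::'

# Field 3 is the UID: any account other than root with UID 0 is a full
# superuser whatever its name is.
extra_uid0() {   # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 should be "x" when shadow passwords are on; anything else means a
# hash (world-readable!) or an empty password lives in /etc/passwd itself.
passwd_not_shadowed() {   # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

# Classify one user's shadow password field as in "man shadow": empty means
# no password is needed, leading "!" is locked, "*" is disabled, else set.
shadow_status() {   # $1 = shadow text, $2 = username
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u {
        if ($2 == "")                      print "empty"
        else if (substr($2, 1, 1) == "!")  print "locked"
        else if (substr($2, 1, 1) == "*")  print "disabled"
        else                               print "set"
    }'
}

# Short report over both files; returns 0 so it is safe under "set -e".
audit_report() {   # $1 = passwd text, $2 = shadow text
    for u in $(extra_uid0 "$1"); do echo "UID 0 account besides root: $u"; done
    for u in $(passwd_not_shadowed "$1"); do echo "password not in shadow: $u"; done
    for u in $(printf '%s\n' "$1" | cut -d: -f1); do
        if [ "$(shadow_status "$2" "$u")" = "empty" ]; then
            echo "empty password (no password needed to log in): $u"
        fi
    done
    return 0
}
audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a real system the same functions can be fed `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`.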
useradd - add a user account
- Used to create a new login account.
- Also creates a group with the same name.
- Usually the defaults are correct, but options let you change any of the information to be stored in the passwd and group files.
- Sometimes called “adduser”, but sometimes “adduser” is a different program (e.g. Ubuntu).
userdel - remove a user account
- Remove an account from the password and group files.
- To actually remove the home directory, you must use the “-r” option!
- If you forget -r, you will leave a home directory with no owner!
- Will not remove an account that has active processes running (e.g. a shell)
usermod - modify userid info, e.g. userid, UID, GID, etc.
- Change any of the information about a user account.
- Changing the home directory with “-d” changes only the field in /etc/passwd; it does not actually move the directory unless you also give “-m”.
- Can lock/unlock an account by inserting “!” in front of the password field.
- Will not modify an account that has active processes running (e.g. a shell)
chsh - change shell
- “CHange SHell”
- Changes the login shell in /etc/passwd - does not affect the current shell
- Only root can change the shells of other accounts
- If a shell isn’t specified on the command line, it will prompt for one
- Usually only allows setting a shell from a small system-defined list
passwd - change password
- Changes the login password in /etc/passwd (and /etc/shadow)
- Only root can change the passwords of other accounts
su - start a subshell: log in as a new userid
- Set userid or substitute user
- See below
sudo - execute a single command as another userid
- Execute a single command with other (usually root) privileges
- See below
Groups: The Group File - /etc/group
- Groups allow a set of permissions to be assigned to group of users
- Every file system object has “group” permissions; if you are not the owner of the object but are in that group, group permissions apply to you.
- File system objects have only one owner and can be in only one group.
- Logged in users can be “in” (members of) multiple groups.
- Most group information is maintained in /etc/group and /etc/gshadow
- BUT: At login, every user is given an initial group GID from the passwd file.
- A user will belong to other groups (supplementary groups), if the user is a member of those groups in the /etc/group file.
When a group is created on the system, the following information is stored in four fields in /etc/group:
GROUP FILE FORMAT: groupname:x:GID:userid1,userid2,userid3
root:x:0:
cdrom:x:500:idallen,alleni
- group name
- encrypted password (or an x marker indicating use of /etc/gshadow)
- Group ID number (GID)
- Optional list of userids that are members of that group
- The above information about groups is kept in /etc/group
- Modifications can be done by root or by the Group Administrator for a group
- Its content can be viewed by anyone
- Encrypted passwords are usually stored in /etc/gshadow, accessible only by root
Group Shadow Passwords - /etc/gshadow
- When a system has shadow passwords enabled (the default), the password field in /etc/group is replaced by an “x” and the group’s real encrypted password is stored in /etc/gshadow.
- /etc/gshadow is only readable by the root user, so even the encrypted password is hidden and can’t be used in a password-cracking program
- Each line in /etc/gshadow contains the group name, the group encrypted password, an optional list of Group Administrators, and an optional list of Group Members (which should be the same in /etc/group)
- Special passwords (see “man gshadow”):
- a leading “!” means the group password is locked
- a “*” indicates the group cannot be logged into by non-members
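The group and gshadow layouts above, worked through in code. This is an added example, not from the original page: the group and gshadow lines are constructed for the demo, and the functions show the three things the text says about these files: supplementary membership comes from field 4 of /etc/group (the primary group does not), Group Administrators live in field 3 of /etc/gshadow, and the two member lists are supposed to agree.

```bash
# Added example (not from the original page): cross-check constructed group
# and gshadow text; fields follow the two formats described above.
SAMPLE_GROUP='root:x:0:
cdrom:x:500:idallen,alleni
wheel:x:10:idallen
staff:x:501:alleni,bob'
# gshadow fields: groupname:password:administrators:members
SAMPLE_GSHADOW='root:!::
cdrom:!:idallen:idallen,alleni
wheel:*::idallen
staff:!::alleni'

# Supplementary groups of a user: each group whose member list (field 4)
# names the user. The primary group comes from the GID in passwd, not from
# here, so "groups" can show one group that never appears in this output.
supplementary_groups() {   # $1 = group text, $2 = username
    printf '%s\n' "$1" | awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# Group Administrators (gshadow field 3) may run gpasswd on the group.
gshadow_admins() {   # $1 = gshadow text, $2 = groupname
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $3 }'
}

# Who can newgrp into the group: "*" = members only, leading "!" = locked,
# empty = no password, anything else = a real group password is set.
newgrp_policy() {   # $1 = gshadow text, $2 = groupname
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g {
        if ($2 == "*")                     print "members-only"
        else if (substr($2, 1, 1) == "!")  print "locked"
        else if ($2 == "")                 print "no-password"
        else                               print "password"
    }'
}

# The member lists in group and gshadow are supposed to agree; report any
# group whose two lists differ or that has no gshadow line at all.
member_mismatch() {   # $1 = group text, $2 = gshadow text
    printf '%s\n' "$1" | awk -F: -v s="$2" '
        BEGIN { n = split(s, lines, "\n")
                for (i = 1; i <= n; i++) { split(lines[i], f, ":"); smem[f[1]] = f[4] } }
        !($1 in smem)  { print $1 ": missing from gshadow"; next }
        $4 != smem[$1] { print $1 ": members differ (" $4 " vs " smem[$1] ")" }'
}
member_mismatch "$SAMPLE_GROUP" "$SAMPLE_GSHADOW"
```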
Group Commands - groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp
- groupadd - create a new group in /etc/group
- groupdel - remove a group from /etc/group
- groupmod - modify the name or GID of a group in /etc/group
- gpasswd - administer the /etc/group and /etc/gshadow files
- can be used by the Group Administrator as well as root
- add and delete group members, or set the member list
- root can set the list of Group Administrators for a group
- groups - list all the groups a user belongs to
- id - more detailed version of “groups” showing numeric values
- newgrp - (rarely used) use the group password to start a new shell with additional group privileges
Changing Privilege - su, sudo, and newgrp
su - substitute user or set userid
- Example: su --login
- Opens up a subshell as the new user, with that user’s privileges
- Exiting the subshell goes back to the previous user
- Ordinary (non-root) users need to enter the password for the other account
- A dash “-” or “--login” option (options must be surrounded by spaces) means use a full login shell that clears the environment, sets groups and goes to the user’s home directory as if the user had just logged in.
- Without the full login, the command will set privileges but will leave most of the existing environment unchanged, including an unchanged current directory (that may not grant the new user any permissions!).
- If you don’t give a userid, it assumes you want to become the root user
[idallen@localhost]$ whoami
idallen
[idallen@localhost]$ su
password: XXX
[root@localhost]# whoami
root
[root@localhost]# exit
[idallen@localhost]$
[idallen@localhost]$ whoami
idallen
sudo - do as if su
- Example: sudo passwd idallen
- Execute a single command with other (usually root) privileges
- Safer way to do root tasks (avoids running a whole shell as root)
- The root account can update /etc/sudoers with the list of who can do what
- XKCD comic about sudo
[idallen@localhost]$ whoami
idallen
[idallen@localhost]$ sudo passwd alleni
[sudo] password for idallen: XXXXXXXXXX
Changing password for user alleni.
New password: XXX
Retype new password: XXX
passwd: all authentication tokens updated successfully.
[idallen@localhost]$ whoami
idallen
[idallen@localhost]$
newgrp - log in to a new group
- Opens up a subshell as the new group, with that group’s privileges
- Exiting the subshell goes back to the previous group
- rarely used - needs a group password set
Author:
| Ian! D. Allen - idallen@idallen.ca - Ottawa, Ontario, Canada
| Home Page: http://idallen.com/ Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/