% Users and Groups - /etc/passwd and /etc/group
% Ian! D. Allen - idallen@idallen.ca - www.idallen.com
% Winter 2012 - January to April 2012

Topics
======

* Fedora Text: Chapter 16

    USERS
        /etc/passwd and /etc/shadow
        useradd  - add a user account
        userdel  - remove a user account
        usermod  - modify userid info, e.g. userid, UID, GID, etc.
        chsh     - change shell
        passwd   - change password
        su       - start a subshell: log in as a new userid
        sudo     - execute a single command as another userid

    GROUPS
        /etc/group and /etc/gshadow
        groupadd - create a new group
        groupdel - delete a group
        groupmod - modify group name, GID, password
        gpasswd  - manage groups: set group administrator, add/delete members
        groups   - display all groups
        id       - display user UID and group GID and groups
        newgrp   - start a subshell: log in to a new group with a password

Users: The Password File - /etc/passwd
======================================

* The /etc directory is where "Host-Specific Configuration" files are stored
* Almost everything a user can or can't do in a Linux system is determined by:
    - what user they log in as (or become with su or sudo)
    - what group(s) that user belongs to

When a user is created on the system, the following information is stored
in seven fields in /etc/passwd:

    PASSWD FILE FORMAT: username:x:UID:GID:comment:home_directory:login_shell

    root:x:0:0:Super User:/root:/bin/bash
    idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash

1. login userid (stored in variables $USER or $LOGNAME in the shell)
2. encrypted password (or an **x** marker indicating use of /etc/shadow)
3. User ID number (UID)
4. Group ID number (GID) - but users can be in more groups, too
5. Comments: any text information; often the user's full name and/or office
6. Home directory (absolute path): usually /home/$USER
7. Login shell to give the user at login; usually /bin/bash

* The above information about each user is kept in /etc/passwd
* The file requires root access for modifications (writing)
* Its content can be viewed (read) by anyone
* Using privileged commands, users can modify content related to their own
  account info, e.g. passwd, chsh
* Encrypted passwords are usually stored in /etc/shadow, accessible only by root

Shadow Passwords - /etc/shadow
------------------------------

* When a system has shadow passwords enabled (the default), the password
  field in /etc/passwd is replaced by an "x" and the user's real encrypted
  password is stored in /etc/shadow.
* /etc/shadow is only readable by the root user, so even the encrypted
  password is hidden and can't be fed to a password-cracking program
* Each line in /etc/shadow contains the user's login userid, their encrypted
  password, and fields relating to password expiration.
* Special passwords (see "man shadow"):
    - a leading **`!`** means the password (and thus the account) is locked
    - **`*`** indicates the account has been disabled

useradd
-------

* Used to create a new login account.
* Also creates a group with the same name.
* Usually the defaults are correct, but options let you change any of the
  information to be stored in the passwd and group files.
* Sometimes called "adduser", but sometimes "adduser" is a *different*
  program (e.g. Ubuntu).

userdel
-------

* Remove an account from the password and group files.
* To actually remove the home directory, you must use the "-r" option!
    - if you forget -r, you will leave behind a home directory with no owner!
* Will not remove an account that has active processes running (e.g. a shell)

usermod
-------

* Change any of the information about a user account.
* Changing the home directory with "-d" changes *only* the field in
  /etc/passwd; it does not actually *move* the directory unless you *also*
  give "-m".
* Can lock/unlock an account by inserting "!" in front of the password field.
* Will not modify an account that has active processes running (e.g. a shell)

chsh
----

* "CHange SHell"
* Changes the login shell in /etc/passwd - does not affect the current shell
* Only root can change the shells of other accounts
* If a shell isn't specified on the command line, it will prompt for one
* Usually only allows setting a shell from a small system-defined list

passwd
------

* Changes the login password in /etc/passwd (and /etc/shadow)
* Only root can change the passwords of other accounts

su
--

* Set userid or substitute user
* See [below](#su---substitute-user-or-set-userid)

sudo
----

* Execute a single command with other (usually root) privileges
* See [below](#sudo---do-as-if-su)

Groups: The Group File - /etc/group
===================================

* Groups allow a set of permissions to be assigned to a group of users
* Every file system object has "group" permissions; if you are not the owner
  of the object but are in that group, the group permissions apply to you.
    - File system objects have only one owner and can be in only one group.
    - Logged in users can be "in" (members of) multiple groups.
* Most group information is maintained in /etc/group and /etc/gshadow
    - BUT: At login, every user is given an initial group GID from the
      passwd file.
* A user will also belong to other groups (supplementary groups) if the user
  is listed as a member of those groups in the /etc/group file.

When a group is created on the system, the following information is stored
in four fields in /etc/group:

    GROUP FILE FORMAT: groupname:x:GID:userid1,userid2,userid3

    root:x:0:
    cdrom:x:500:idallen,alleni

1. group name
2. encrypted password (or an **x** marker indicating use of /etc/gshadow)
3. Group ID number (GID)
4. Optional list of userids that are members of that group

* The above information about groups is kept in /etc/group
* Modifications can be done by root or by the Group Administrator for a group
* Its content can be viewed by anyone
* Encrypted passwords are usually stored in /etc/gshadow, accessible only by root

Group Shadow Passwords - /etc/gshadow
-------------------------------------

* When a system has shadow passwords enabled (the default), the password
  field in /etc/group is replaced by an "x" and the group's real encrypted
  password is stored in /etc/gshadow.
* /etc/gshadow is only readable by the root user, so even the encrypted
  password is hidden and can't be fed to a password-cracking program
* Each line in /etc/gshadow contains the group name, the group's encrypted
  password, an optional list of Group Administrators, and an optional list
  of Group Members (which should match the member list in /etc/group)
* Special passwords (see "man gshadow"):
    - a leading **`!`** means the group password is locked
    - **`*`** indicates the group cannot be logged into by non-members

Group Commands - groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp
--------------------------------------------------------------------------

* groupadd - create a new group in /etc/group
* groupdel - remove a group from /etc/group
* groupmod - modify the name or GID of a group in /etc/group
* gpasswd - administer the /etc/group and /etc/gshadow files
    - can be used by the Group Administrator as well as root
    - add and delete group members, or set the member list
    - root can set the list of Group Administrators for a group
* groups - list all the groups a user belongs to
* id - more detailed version of "groups" showing numeric values
* newgrp - (rarely used) use the group password to start a new shell with
  additional group privileges

Changing Privilege - su, sudo, and newgrp
=========================================

su - substitute user or set userid
----------------------------------

* Example: `su --login`
* Opens up a subshell as the new user, with that user's privileges
* Exiting the subshell goes back to the previous user
* Ordinary (non-root) users need to enter the password for the other account
* A dash **`-`** or **`--login`** option (options must be surrounded by
  spaces) means use a full login shell that clears the environment, sets
  groups and goes to the user's home directory as if the user had just
  logged in.
* Without the full login, the command will set privileges but will leave
  most of the existing environment unchanged, including an unchanged current
  directory (a directory in which the new user may have no permissions!).
* If you don't give a userid, it assumes you want to become the root user

        [idallen@localhost]$ whoami
        idallen
        [idallen@localhost]$ su
        password: XXX
        [root@localhost]# whoami
        root
        [root@localhost]# exit
        [idallen@localhost]$ whoami
        idallen

sudo - do as if su
------------------

* Example: `sudo passwd idallen`
* Execute a single command with other (usually root) privileges
* Safer way to do root tasks (avoids running a whole shell as root)
* The root account can update /etc/sudoers with the list of who can do what
* [XKCD comic about sudo](http://xkcd.com/149/)

![sudo](http://imgs.xkcd.com/comics/sandwich.png "sudo")

        [idallen@localhost]$ whoami
        idallen
        [idallen@localhost]$ sudo passwd alleni
        [sudo] password for idallen: XXXXXXXXXX
        Changing password for user alleni.
        New password: XXX
        Retype new password: XXX
        passwd: all authentication tokens updated successfully.
        [idallen@localhost]$ whoami
        idallen

newgrp - log in to a new group
------------------------------

* Opens up a subshell as the new group, with that group's privileges
* Exiting the subshell goes back to the previous group
* Rarely used - needs a group password set
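The passwd and shadow layouts described above lend themselves to a small audit script. The following is an added example, not code from the original page: it parses constructed /etc/passwd and /etc/shadow lines (the `$6$salt$hash` values are placeholders, not real hashes) and flags hashes left in world-readable /etc/passwd, extra UID 0 accounts, and entries that the `!` and `*` markers from "man shadow" mark as locked or disabled.

```python
# Added audit example (not from the original page): parse constructed
# /etc/passwd and /etc/shadow lines using the seven-field passwd layout and the
# "!" / "*" shadow markers described above, and list entries needing a look.
PASSWD = """\
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
backup:x:501:501:Backup job:/var/backup:/sbin/nologin
legacy:$1$salt$hash:502:502:Old entry:/home/legacy:/bin/bash
toor:x:0:0:Second root:/root:/bin/bash
"""
# shadow fields: name:encrypted:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$salt$hash:15000:0:99999:7:::
idallen:$6$salt$hash:15000:0:99999:7:::
backup:*:15000:0:99999:7:::
legacy:!$6$salt$hash:15000:0:99999:7:::
toor::15000:0:99999:7:::
"""

def parse_passwd(text):
    """Map username -> dict of the remaining passwd fields."""
    users = {}
    for line in text.splitlines():
        if line:
            name, pw, uid, gid, comment, home, shell = line.split(":", 6)
            users[name] = dict(pw=pw, uid=int(uid), gid=int(gid), home=home, shell=shell)
    return users

def parse_shadow(text):
    """Map username -> encrypted-password field (2nd field) of /etc/shadow."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) > 1}

def account_status(shadow_pw):
    """Special values from "man shadow": a leading "!" locks, "*" disables."""
    if shadow_pw.startswith("!"):
        return "locked"
    return {"*": "disabled", "": "no password"}.get(shadow_pw, "active")

def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for entries a sysadmin should review."""
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        if u["pw"] != "x":      # hash sits in world-readable /etc/passwd
            findings.append((name, "hash not shadowed"))
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        status = account_status(shadow[name]) if name in shadow else "no shadow entry"
        if status != "active":
            findings.append((name, status))
    return findings
```

On a real host the same functions can be pointed at the contents of /etc/passwd and (as root) /etc/shadow.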
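A second added example, also not from the original page, covers the group side: from constructed /etc/passwd, /etc/group and /etc/gshadow lines it works out which groups a user holds at login (initial GID from the passwd file, then every /etc/group entry listing the user) and cross-checks the member lists in /etc/group against /etc/gshadow, which the text says should agree. The GIDs and membership lists are made up for the example.

```python
# Added example (not from the original page): login group set from constructed
# passwd/group lines, plus a group-vs-gshadow member-list consistency check.
PASSWD = """\
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
alleni:x:501:501:Ian Allen:/home/alleni:/bin/bash
"""
GROUP = """\
idallen:x:500:
alleni:x:501:
cdrom:x:24:idallen,alleni
wheel:x:10:idallen
"""
# gshadow fields: groupname:encrypted:administrators:members
GSHADOW = """\
idallen:!::
alleni:!::
cdrom:*:idallen:idallen,alleni
wheel:*::alleni
"""

def parse_group(text):
    """Map group name -> (gid, [members]) from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if line:
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def parse_gshadow(text):
    """Map group name -> (password, [administrators], [members])."""
    out = {}
    for line in text.splitlines():
        if line:
            name, pw, admins, members = line.split(":", 3)
            out[name] = (pw, admins.split(",") if admins else [], members.split(",") if members else [])
    return out

def login_groups(user, passwd_text, group_text):
    """[(gid, name), ...] the user holds at login: the initial GID from the
    passwd file first, then each /etc/group entry naming the user as a member."""
    gid0 = {l.split(":")[0]: int(l.split(":")[3]) for l in passwd_text.splitlines() if l}[user]
    groups = parse_group(group_text)
    result = [(gid, name) for name, (gid, _m) in groups.items() if gid == gid0]
    result += [(gid, name) for name, (gid, members) in groups.items()
               if user in members and gid != gid0]
    return result

def member_mismatches(group_text, gshadow_text):
    """Names of groups whose member lists differ between group and gshadow."""
    g, gs = parse_group(group_text), parse_gshadow(gshadow_text)
    return sorted(n for n in g if n in gs and set(g[n][1]) != set(gs[n][2]))
```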
--
| Ian! D. Allen - idallen@idallen.ca - Ottawa, Ontario, Canada
| Home Page: http://idallen.com/ Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/