% Users and Groups – /etc/passwd, /etc/group, su, sudo, chsh, useradd, gpasswd, etc.
% Ian! D. Allen – [www.idallen.com]
% Winter 2015 - January to April 2015 - Updated Wed Nov 26 02:35:42 EST 2014

Topics in User and Group Management
===================================

USERS :

- user account files: `/etc/passwd` and `/etc/shadow`
- `useradd` – add a user account
- `userdel` – remove a user account (but not its HOME directory, unless you
  use the `-r` option)
- `usermod` – modify userid info, e.g. userid, comment, UID, GID, HOME, etc.
- `chfn` – change the Full Name (the GECOS/comment/name field)
- `chsh` – change shell
- `passwd` – change password
- `su` – start a subshell (usually as `root`): log in as a new userid
- `sudo` – execute a single command, or start a shell, as another userid
- `whoami` – display only the current userid

GROUPS :

- group account files: `/etc/group` and `/etc/gshadow`
- `groupadd` – create a new group
- `groupdel` – delete a group
- `groupmod` – modify group name, GID, password
- `gpasswd` – manage groups: set group administrator, add/delete members
- `groups` – display all current groups
- `newgrp` – start a subshell: log in to a new group with a password

BOTH :

- `id` – display user `UID` and group `GID` and groups
- `chown` – change owner and/or group of a file system object

Users: The Password File – `/etc/passwd`
========================================

- the `/etc` directory is where “Host-Specific Configuration” files are stored
- Almost everything a user can or can’t do in a Linux system is determined by:
    - what user they log in as (or become with `su` or `sudo`)
    - what group(s) that user belongs to

Password File Format – `/etc/passwd`
------------------------------------

When a user is created on the system, the following information is stored in
seven colon-separated fields in `/etc/passwd`:

    username:x:UID:GID:comment:home_directory:login_shell
        1    2  3   4     5         6               7

    root:x:0:0:Super User:/root:/bin/bash
    idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash

1. login userid (stored in variables `$USER` or `$LOGNAME` in the shell)
2. encrypted password (or an **x** marker indicating use of `/etc/shadow`)
3. User ID number (numeric `UID`)
4. Group ID number (numeric `GID`) – but users can be in more groups, too
5. GECOS/comments/name: any text information; often the user’s full name
   and/or office
6. Home directory (absolute path): usually `/home/$USER`
7. Login shell to give the user at login; usually `/bin/bash`

- The above information about each user is kept in `/etc/passwd`
- The file requires `root` access for modifications (writing)
- Its content can be viewed (read) by anyone
- Using privileged commands, users can modify content related to their own
  account info, e.g. `passwd`, `chsh`
- Encrypted passwords are usually stored in `/etc/shadow`, accessible only
  by `root`
- The GECOS/comments/name field gets its `GECOS` name because it was used on
  the original Unix systems to store `GECOS` mainframe account information
  for printing.

Shadow Passwords – `/etc/shadow`
--------------------------------

- When a system has shadow passwords enabled (the default), the password
  field in `/etc/passwd` is replaced by an `x` and the user’s real encrypted
  password is stored in the second field of `/etc/shadow`.
- `/etc/shadow` is only readable by the `root` user, so even the encrypted
  password is hidden and can’t be used in a password-cracking program
- Each line in `/etc/shadow` contains the user’s login userid, their
  encrypted password, and several fields relating to password expiry.
- Special passwords (see `man shadow`):
    - a leading `!` means the password (and thus account) is locked
    - an asterisk (star) `*` indicates the account has been disabled

`useradd` – create new user
---------------------------

- Used to create a new login account.
- Also creates a group with the same name.
- Usually the defaults are correct, but options let you change any of the
  information to be stored in the passwd and group files.
- Sometimes called `adduser`, but sometimes `adduser` is a *different*
  program with different options (e.g. Ubuntu).

`userdel` – delete user
-----------------------

- Remove an account from the password and group files.
- Will not remove an account that has active processes running (e.g. a shell)
    - You must exit (or kill) all processes for an account before you remove it
- By default, does *not* remove the HOME directory or any files under it.
    - To actually remove the home directory, you must use the `-r` option!
    - if you forget `-r`, you will leave a home directory with no owner!
- Files owned by deleted users and groups show up with numeric owners and
  groups in the output of `ls`:

        # useradd redshirt
        # id redshirt
        uid=508(redshirt) gid=509(redshirt) groups=509(redshirt)
        # ls -la /home/redshirt          # shows redshirt owner and group
        drwx------   2 redshirt redshirt 4096 Nov 20 02:38 .
        drwxr-xr-x. 13 root     root     4096 Nov 20 02:38 ..
        -rw-r--r--   1 redshirt redshirt   18 Feb 21  2013 .bash_logout
        -rw-r--r--   1 redshirt redshirt  176 Feb 21  2013 .bash_profile
        -rw-r--r--   1 redshirt redshirt  124 Feb 21  2013 .bashrc
        # userdel redshirt               # does *NOT* remove HOME directory
        # id redshirt
        id: redshirt: No such user
        # ls -la /home/redshirt          # now shows numeric owner and group
        drwx------   2 508  509  4096 Nov 20 02:38 .
        drwxr-xr-x. 13 root root 4096 Nov 20 02:38 ..
        -rw-r--r--   1 508  509    18 Feb 21  2013 .bash_logout
        -rw-r--r--   1 508  509   176 Feb 21  2013 .bash_profile
        -rw-r--r--   1 508  509   124 Feb 21  2013 .bashrc
        # useradd goldshirt              # new account gets same uid/gid
        # id goldshirt
        uid=508(goldshirt) gid=509(goldshirt) groups=509(goldshirt)
        # ls -la /home/redshirt          # old files now owned by goldshirt
        drwx------   2 goldshirt goldshirt 4096 Nov 20 02:38 .
        drwxr-xr-x. 14 root      root      4096 Nov 20 02:47 ..
        -rw-r--r--   1 goldshirt goldshirt   18 Feb 21  2013 .bash_logout
        -rw-r--r--   1 goldshirt goldshirt  176 Feb 21  2013 .bash_profile
        -rw-r--r--   1 goldshirt goldshirt  124 Feb 21  2013 .bashrc

- After deleting a user, it is often wise to walk the entire system and look
  for files that used to be owned by that numeric userid:
    - `# find / -user 508 -ls`

`usermod` – modify user information
-----------------------------------

Change any of the information about a user account. This command changes the
stored information about the account, usually kept in the password and group
files.

- The command modifies each account attribute separately. For example:
  Changing the name of an account only changes its name. It doesn’t change
  the groups for that user, nor does it change the home directory.
- Modifying user account information does **not** always automatically move
  or modify all the files **owned** by the account in the file system. If you
  change some account information, you may still have to walk the entire file
  system to find files owned by the old account and change them to match the
  new values you have set.
    - One exception is moving home directories using `usermod`:
    - Using both the `-d` and `-m` options, the `usermod` command is able to
      both change and move a home directory and all the files under it.
    - Follow the syntax shown in the **SYNOPSIS** section of the man page
      **exactly** and remember that the *existing* account name is always
      the *last* thing on the command line: `usermod -m -d /home/bar foo`
- Will not modify an account that has active processes running (e.g. a shell)
    - You have to exit all shells for a user (e.g. exit from all `su` or
      `sudo`) before you can change that user’s accounting information.
- The *last* argument on the `usermod` command line must always be the
  *login name* of the *existing* account you want modified. Never put a
  *new* account name or directory last. RTFM!
- From RTFM:
    - `-l` – change the login name (the userid), but *not* the HOME directory
    - `-p` – change the encrypted password (this is *not* like `passwd`,
      since you must supply the *encrypted* password here)
    - `-u` – change the numeric user `UID` and also all HOME directory files
    - `-g` – change the numeric group `GID` and also all HOME directory files
    - `-c` – change the GECOS/comment/name field (can also use `chfn`)
    - `-s` – change the login shell (can also use `chsh`)
    - `-d` – change the HOME directory, but do *not* move the old one
    - `-m` – move the existing HOME directory to the new one, if used with `-d`
    - `-L` – lock an account by inserting `!` in front of the password field
    - `-U` – unlock an account by removing `!` from the password field
- RTFM: Changing the HOME directory with `-d` changes *only* the field in
  `/etc/passwd`; it does not actually *move* the old HOME directory to the
  new location unless you *also* give `-m`.
    - RTFM: the `-d` option must be followed by the *new HOME directory name*
    - RTFM: do not put the `-m` option in between the `-d` and the HOME
      directory
- If you have already used `-d` without using `-m`, you can’t do the command
  a second time with `-m` – it will say “nothing changed”, since you have
  already changed the name of the HOME in the password file. To do the
  command properly, you first have to put things back the way they were by
  using `-d` (without `-m`) to *undo* the change you made, then use `-d`
  *with* `-m` to redo the change.
`chsh` – change shell
---------------------

- Changes the login shell in `/etc/passwd` – does not affect current shell
- Only `root` can change shells of other accounts
- If a shell isn’t specified on the command line, it will prompt for one
- Usually only allows setting a shell from a small system-defined list

`passwd` – change password
--------------------------

- Changes the login password in `/etc/passwd` (or `/etc/shadow`)
- Only `root` can change passwords of other accounts

`su` – substitute userid
------------------------

- Set userid or substitute user
- See [below for `su`]

`sudo` – do command as another user
-----------------------------------

- Execute a single command with other (usually `root`) privileges
- See [below for `sudo`]

`whoami` – who am I
-------------------

- Display your current userid. Same output as `id -un`

Groups: The Group File – `/etc/group`
=====================================

- Groups allow a set of permissions to be assigned to a group of users
- Every file system object has “group” permissions; if you are not the owner
  of the object but are in that group, group permissions apply to you.
- File system objects have only one owner and can be in only one group.
- Logged in users can be “in” (members of) multiple groups.
- Most group information is maintained in `/etc/group` and `/etc/gshadow`
    - BUT: At login, every user is given an initial group GID from the passwd
      file.
    - A user will belong to other groups (supplementary groups), if the user
      is a member of those groups in the `/etc/group` file.

Group File Format – `/etc/group`
--------------------------------

When a group is created on the system, the following information is stored in
four colon-separated fields in `/etc/group`:

    groupname:x:GID:userid1,userid2,userid3
        1     2  3            4

    root:x:0:
    cdrom:x:500:idallen,alleni

1. group name
2. encrypted password (or an **x** marker indicating use of `/etc/gshadow`)
3. Group ID number (GID)
4. Optional list of userids that are members of that group

- The above information about groups is kept in `/etc/group`
- Modifications can be done by `root` or by the Group Administrator for a group
- Its content can be viewed by anyone
- Encrypted passwords are usually stored in `/etc/gshadow`, accessible only
  by `root`

Group Shadow Passwords – `/etc/gshadow`
---------------------------------------

- When a system has shadow passwords enabled (the default), the password
  field in `/etc/group` is replaced by an `x` and the group’s real encrypted
  password is stored in `/etc/gshadow`.
- `/etc/gshadow` is only readable by the `root` user, so even the encrypted
  password is hidden and can’t be used in a password-cracking program
- Each line in `/etc/gshadow` contains the group name, the group encrypted
  password, an optional list of Group Administrators, and an optional list
  of Group Members (which should be the same as in `/etc/group`)
- Special passwords (see `man gshadow`):
    - a leading `!` means the group password is locked
    - an asterisk (star) `*` indicates the group cannot be logged into by
      non-members

Group Commands – `groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp`
----------------------------------------------------------------------------

- `groupadd` – create a new group in `/etc/group`
- `groupdel` – remove a group from `/etc/group`
- `groupmod` – modify the name or GID of a group in `/etc/group`
- `gpasswd` – administer the `/etc/group` and `/etc/gshadow` files
    - can be used by the Group Administrator as well as `root`
    - can add and delete individual group members using `-a` and `-d`, or
      set the entire member list at once using `-M`
    - `root` can set the entire list of Group Administrators for a group
      using `-A`
- `groups` – list all the groups a user belongs to
- `id` – more detailed version of “groups” showing userid and numeric values
- `newgrp` – (rarely used) use the group password to start a new shell with
  additional group privileges

Changing Privilege – su, sudo, and newgrp
=========================================

`su` – substitute user or set userid
------------------------------------

- Means “set userid” or “substitute user”. Example: `su --login abcd0001`
- Starts a subshell as the new user, with that user’s privileges.
- Exiting the subshell goes back to the previous shell and previous user.
- Remember to exit the subshell; don’t keep nesting more and more subshells!
- If you don’t give a userid, it assumes you want to become the `root` user.
- Ordinary (non-root) users need to enter the password for the new account.
- A dash `-` or `--login` option (options must be surrounded by spaces) means
  use a full login shell that clears the environment, sets groups and goes to
  the specified user’s home directory as if the user had just logged in.
- Without the full login, the command will set privileges but will leave most
  of the existing environment unchanged, including an unchanged `PATH` and
  unchanged current directory (that may not grant the new user any
  permissions!).

Without the `--login` function, you get a new shell with new permissions but
much of your existing shell environment and your current directory are
unchanged. You may not have a `$PATH` that includes system administration
commands.

When running a shell with `root` privileges, most shells change the `$` in
your prompt to be a `#` character, to remind you that you have full
permissions to change anything, so be careful.
See the example below:

    $ whoami ; pwd ; echo "$PATH"
    idallen
    /home/idallen
    /bin:/usr/bin
    $ su                      # assumes root; does not do full login
    Password:
    # whoami ; pwd ; echo "$PATH"    # note new prompt includes '#' character
    root
    /home/idallen             # current directory is unchanged
    /bin:/usr/bin             # PATH does not include system directories
    # exit                    # exit the subshell; return to previous shell
    $

    $ whoami ; pwd ; echo "$PATH"
    idallen
    /home/idallen
    /bin:/usr/bin
    $ su -                    # assumes root; does full login this time
    password: XXX
    # whoami ; pwd ; echo "$PATH"
    root
    /root                     # current directory is now root HOME
    /bin:/usr/bin:/sbin:/usr/sbin    # PATH includes system directories now
    # exit                    # exit the subshell; return to previous shell
    $

`sudo` – do as if `su`
----------------------

- Execute a single command with other (usually `root`) privileges.
- Safer way to do `root` tasks (avoids running a whole shell as `root`).
- The password you type for `sudo` is *your* account password, not the
  *root* password.
- You must be authorized via the `/etc/sudoers` file to use `sudo`
    - The `root` account can use the `visudo` command to update file
      `/etc/sudoers` with the list of who is allowed to use `sudo` and which
      commands they are allowed to run.
- The `-i` option to `sudo` functions the same way as the `--login` option
  to the `su` command. (RTFM)
- Example use of `sudo`: `$ sudo userdel -r someuser`

        $ whoami ; pwd
        idallen
        /home/idallen
        $ sudo whoami
        [sudo] password for idallen: XXXXXXXXXX
        root
        $ whoami
        idallen
        $ sudo id
        uid=0(root) gid=0(root) groups=0(root)
        $ sudo pwd
        /home/idallen
        $ sudo -i pwd
        /root
        $ whoami
        idallen
        $ wc /etc/shadow
        wc: /etc/shadow: Permission denied
        $ sudo wc /etc/shadow
          48   48 1831 /etc/shadow

### Use `sudo` not `su`

For most actions that involve `root` privilege, use the `sudo` command to make
the privilege change just for that one command. Do not start a `root` subshell
(e.g. using `su`) until you have more experience. Mistakes made in a `root`
subshell can destroy your system!
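Added example, not code from the original page: two helpers that do privileged writes one command at a time, keeping the write inside the process that `sudo` runs (via `tee -a` or `sh -c`) rather than in a `root` subshell or in the calling shell’s own `>`/`>>` redirection, which the shell performs before `sudo` ever starts. The `SUDO` variable is a hypothetical hook for this demo, not a `sudo` feature: it defaults to `sudo`, and `SUDO=""` runs the same helpers unprivileged against a scratch file you own.

```shell
#!/bin/sh
# Added example, not from the original page. Privileged writes with sudo,
# one command at a time. The calling shell performs ">" and ">>" before sudo
# runs, so the write must happen inside the privileged process.
# SUDO is a hypothetical hook: unset -> "sudo"; SUDO="" -> run unprivileged
# (the offline test does that against a scratch file).

# Append a line to a root-owned file (e.g. a new /etc/group entry).
append_as_root() {                       # $1 = file, $2 = line
    # WRONG:  sudo printf '%s\n' "$2" >>"$1"    -> "Permission denied":
    #         the unprivileged shell opens "$1" before sudo starts.
    # RIGHT:  tee runs under sudo and opens the file itself.
    printf '%s\n' "$2" | ${SUDO-sudo} tee -a "$1" >/dev/null
}

# Copy a root-only file into a destination that root also creates.
copy_as_root() {                         # $1 = source, $2 = destination
    # WRONG:  sudo cat "$1" >"$2"   (the ">" is done by you, not by root)
    # RIGHT:  hand the whole command line, redirection included, to a
    #         privileged sh; "$1"/"$2" are expanded by that sh, not by us.
    ${SUDO-sudo} sh -c 'cat "$1" >"$2"' sh "$1" "$2"
}

# Demo against a scratch directory; run as:  SUDO="" sh this.sh demo
demo() {
    scratch=$(mktemp -d)
    : >"$scratch/group"                  # stand-in for /etc/group
    append_as_root "$scratch/group" "mygroup:x:123:"
    copy_as_root "$scratch/group" "$scratch/group.bak"
    cat "$scratch/group.bak"             # prints mygroup:x:123:
    rm -rf "$scratch"
}
if [ "${1-}" = demo ]; then demo; fi
```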
If you do start a full subshell using the `su` or `sudo -s` commands, remember
to `exit` your subshell to return to your previous account. Don’t keep
layering multiple subshells inside each other.

### `sudo` doesn’t affect shell redirection

Remember that redirection is done by the shell **before** it runs a command,
so `sudo` doesn’t affect the permissions of a redirection done in the same
command line:

    $ sudo echo "mygroup:x:123:" >>/etc/group
    bash: /etc/group: Permission denied

Above, the redirection is done by the unprivileged shell, before the `sudo`
command is run, and so the redirection fails. More examples:

    $ sudo touch foo >bar            # foo is touched by root; bar is not
    $ sudo cp /etc/shadow foo        # foo is written by root
    $ sudo cat /etc/shadow >bar      # bar is *not* written by root

![] [`sudo` Make Me a Sandwich Shirt]

`newgrp` – log in to a new group
--------------------------------

- Opens up a subshell as the new group, with that group’s privileges
- Exiting the subshell goes back to the previous group
- rarely used – needs a group password set

Showing and changing owner and group – `id` and `chown`
=======================================================

These commands deal with both the user/owner and the groups/group. The match
between your logged-in user/groups and the file system owner/group determines
the permissions you have on a file system object.

`id` – show user and `UID`, groups and `GIDs`
---------------------------------------------

The `id` command tells you everything about your logged-in account.

    $ id
    uid=777(idallen) gid=777(idallen) groups=777(idallen),4(adm),6(disk)

On SELinux systems, you are also shown information about your security
context.

`chown` – change owner and/or group of file system object
---------------------------------------------------------

The command that changes the owner and/or group of a file system object (e.g.
of a file, directory, etc.) is `chown`. Only the `root` user can change the
owner of an object. The owner of an object can change the group of an object
to any one of his/her list of groups.

You can change both the owner and the group by separating the two with a colon
character, you can change just the owner by leaving off the colon and the
group, and you can change just the group by leaving off the owner while
keeping the leading colon character:

    # chown idallen:staff mydir    # change both user and group
    # chown idallen mydir          # change only the owner, not the group
    # chown :staff mydir           # change only the group; use a leading colon

--
| Ian! D. Allen - idallen@idallen.ca - Ottawa, Ontario, Canada
| Home Page: http://idallen.com/ Contact Improv: http://contactimprov.ca/
| College professor (Free/Libre GNU+Linux) at: http://teaching.idallen.com/
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/

[Plain Text] - plain text version of this page in [Pandoc Markdown] format

[www.idallen.com]: http://www.idallen.com/
[below for `su`]: #su---substitute-user-or-set-userid
[below for `sudo`]: #sudo---do-as-if-su
[]: http://imgs.xkcd.com/comics/sandwich.png "http://xkcd.com/149/"
[`sudo` Make Me a Sandwich Shirt]: http://store.xkcd.com/products/sudo
[Plain Text]: 700_users_and_groups.txt
[Pandoc Markdown]: http://johnmacfarlane.net/pandoc/