
Managing Local Linux Users and Groups

1. Users
   Types of user
   Switching users with the su command & id for user details
   sudo command & /etc/sudoers file
   Understanding the /etc/passwd & /etc/shadow files
   Password hash
   Managing local user accounts using useradd, usermod, userdel, id, passwd
2. Groups
   Understanding the /etc/group and /etc/gshadow files
   Managing local group accounts
   Managing group passwords


User:
Every process (running program) on the system runs as a particular user. Every file is owned by a particular user.

Types of user
In general there are four types of user:
1. Root user, i.e. UID 0
2. Pseudo user
3. System user
4. Other user

Root user, i.e. UID 0:
The root user has the power to override normal privileges on the file system and is used to manage and administer the system. In short, it has the power to damage the system, remove files and directories, remove users and accounts, and add backdoors.

Pseudo user:
A normal user with the special privilege to execute any command as the root user.

System user:
A system user is created by default by the OS during installation or when you install a package, and it runs daemons in the background. On Ubuntu its UID range starts from 100 and ends at 999.
Source: /etc/adduser.conf

Other user:
Other users are created by root or sudo users. They have limited access on the system. On Ubuntu their UID range starts from 1000 and ends at 29999. Source: /etc/adduser.conf

Switching users with the su command & id for user details
1. The su command allows a user to switch to a different user account.
   su <username>
   The command su <username> starts a non-login shell.
   su - <username> starts a login shell.
2. The main distinction is that su - sets up the shell environment as if this were a clean login as that user, while su just starts a shell as that user with the current environment settings.

3. The id command is used to show information about the currently logged-in user.
   $ id
   # Currently logged-in user

   $ id lucy
   # Other account

4. To view the user associated with a file or directory, use
   $ ls -l

5. To view process information, use the ps command and add the -a option to view all processes that have a terminal. To view the user associated with a process, include the -u option.
   $ ps au

sudo command & /etc/sudoers file
1. The sudo command allows a user to be permitted to run a command as root, or as another user, based on the settings in /etc/sudoers.
2. sudo requires users to enter their own password for authentication.
3. On Ubuntu, members of the group admin can use sudo to run commands as any user, including root. The equivalent on Fedora/Red Hat is the wheel group.
4. All commands executed by sudo users are logged in /var/log/secure.
5. We use the visudo command to edit the /etc/sudoers file.

/etc/sudoers file

1.  # This file MUST be edited with the 'visudo' command as root.
2.  #
3.  # Please consider adding local content in /etc/sudoers.d/ instead of
4.  # directly modifying this file.
5.  #
6.  # See the man page for details on how to write a sudoers file.
7.  #
8.  Defaults        env_reset
9.  Defaults        mail_badpass
10. Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
11.
12. # Host alias specification
13.
14. # User alias specification
15.
16. # Cmnd alias specification
17.
18. # User privilege specification
19. root    ALL=(ALL:ALL) ALL
20.
21. # Members of the admin group may gain root privileges
22. %admin  ALL=(ALL) ALL
23.
24. # Allow members of group sudo to execute any command
25. %sudo   ALL=(ALL:ALL) ALL
26.
27. # See sudoers(5) for more information on "#include" directives:
28.
29. #includedir /etc/sudoers.d
30.


Question: Can we run any single /sbin command or root-privileged command through a normal user?
Yes we can. Let's take the adduser command as an example:
1. Log in to the root account or a sudo account.
2. Create a normal user with a password.
3. Go to line number 20 and edit the line with
   lucy ALL=(ALL) /usr/sbin/adduser
4. Now log in to the lucy account, and you are done.

Question: Can we run any single /sbin command or root-privileged command without password authentication?
Yes we can, through the following steps:
1. Go to line number 20 and edit the line with
   lucy ALL=(ALL) NOPASSWD:ALL
2. Now log in to the lucy account, and you are again done.
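As an added check (not part of the original notes), the following Python audit parses user privilege lines in the shape of the listing above, using a constructed sudoers text that includes the two lucy entries from the questions, and flags entries that grant every command or skip the password prompt:

```python
import re

# Constructed sudoers text modelled on the listing above plus the two lucy entries
# from the questions (not a real system's file).
SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lucy    ALL=(ALL) /usr/sbin/adduser
lucy    ALL=(ALL) NOPASSWD:ALL
#includedir /etc/sudoers.d
"""

# user-or-%group  host=(runas) [TAG:] commands  -- the privilege line shape used in the listing
PRIV_RE = re.compile(r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+?)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}

def parse_privileges(text):
    """Return the user privilege lines as dicts; Defaults, comments and #include lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = PRIV_RE.match(line)
        if not m:
            continue
        tags, cmds = [], m["cmds"].strip()
        while ":" in cmds and cmds.split(":", 1)[0].strip() in TAGS:   # e.g. NOPASSWD:ALL
            tag, cmds = cmds.split(":", 1)
            tags.append(tag.strip())
            cmds = cmds.strip()
        rules.append({"who": m["who"], "host": m["host"], "runas": m["runas"], "tags": tags,
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules

def findings(rules):
    """Flag non-root entries that grant every command or skip the password prompt."""
    out = []
    for r in rules:
        if r["who"] == "root":
            continue
        if "NOPASSWD" in r["tags"]:
            out.append((r["who"], "no password required for: " + ", ".join(r["commands"])))
        if "ALL" in r["commands"]:
            out.append((r["who"], "may run any command as (" + r["runas"] + ")"))
    return out
```

Run over the sample, the single-command adduser grant produces no finding, while the NOPASSWD:ALL line produces two.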
Question: Can we create a user manually?
Yes, we can.


Understanding the /etc/passwd & /etc/shadow files

A system uses a simple flat file, /etc/passwd, to store information about local users. The format of /etc/passwd follows seven colon-separated fields:
1 username : 2 password : 3 UID : 4 GID : 5 GECOS : 6 /home/dir : 7 shell

1. Username: It is a mapping of a UID to a name for the benefit of human users.
2. Password: Historically, the password was kept here in encrypted format. Today passwords are kept in a separate file called /etc/shadow.
3. UID: It is the user ID, a number that identifies the user at the most fundamental level.
4. GID: It is the user's primary group ID number.
5. GECOS: It is arbitrary text, which includes user details and the real name.
6. /home/dir: It is the location of the user's personal data and configuration files.
7. Shell: It is the program that runs as the user logs in. For a regular user, this is normally the program that provides the user's command-line prompt.

/etc/shadow file

In older days, encrypted passwords were stored in the world-readable /etc/passwd file. Because of the security flaws this caused, the encrypted passwords (password hashes) were moved to the /etc/shadow file, which also allows password aging and expiration features to be implemented.
The format of /etc/shadow follows nine colon-separated fields:

1. Name: This must be a valid account name on the system.
2. Password: It is in encrypted format; if it starts with a ! mark, the account is locked.
3. Last change: The date on which the password was last changed.
4. Min age: Minimum number of days before the password may be changed.
5. Max age: Maximum number of days before the password must be changed.
6. Warning: Number of days before password expiry during which the user is warned. 0 means no warning is given.
7. Inactive: The number of days an account remains active after the password has expired. A user may log into the system and change his password. After that specified number of days, the account is locked, becoming inactive.
8. Expire: The account expiration date.
9. Blank: It is reserved for future use.

Password hash

There are three pieces of information stored in a modern password hash:
1. Hashing algorithm.
2. Hash salt.
3. Encrypted hash.
$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.

$6: the SHA-512 hashing algorithm.
$AmdWnEdR: the salt value, which is combined with the password to increase hash strength.
$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.: your password + salt value in encrypted format, making the encrypted hash.
Source: #Shadow_file
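As an added example (not part of the original notes) tying together the UID ranges from the "Types of user" section and the /etc/passwd, /etc/shadow and hash layouts above, this Python script parses constructed sample records, classifies each UID, decodes the $id$salt$hash field, and evaluates password and account expiry:

```python
ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # crypt(3) ids after the first '$'

# Constructed sample records in the /etc/passwd and /etc/shadow layouts described above
# (not copied from a real system); lucy's hash is the page's own example value.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "systemd-network:x:101:102:systemd Network Management:/run/systemd:/usr/sbin/nologin",
    "lucy:x:1000:1000:Lucy,,,:/home/lucy:/bin/bash",
    "hacker:x:7777:1001:dba:/home/hacker:/bin/bash",
]
SHADOW_LINES = [
    "root:*:19000:0:99999:7:::",
    "lucy:$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.:19500:0:90:7:14::",
    "hacker:!$6$samplesalt$samplehashvalue:19000:0:60:7::19800:",
]

def uid_class(uid):
    """Classify a UID with the Ubuntu ranges quoted above (system 100-999, other 1000-29999)."""
    ranges = {"root": (0, 0), "system": (100, 999), "other": (1000, 29999)}
    return next((k for k, (lo, hi) in ranges.items() if lo <= uid <= hi), "outside adduser.conf ranges")

def parse_passwd(line):
    """Split one /etc/passwd line into its seven colon-separated fields."""
    name, _, uid, gid, gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell, "class": uid_class(int(uid))}

def parse_hash(field):
    """Decode the password field: a leading '!' (passwd -l / usermod -L) or '*' locks the
    account, an empty field means no password at all (passwd -d), else $id$salt$hash."""
    info = {"locked": field.startswith(("!", "*")), "empty": field == "",
            "algorithm": None, "salt": None, "hash": None}
    body = field.lstrip("!")  # usermod -L keeps the original hash behind the '!'
    if body.startswith("$") and body.count("$") >= 3:
        _, ident, info["salt"], info["hash"] = body.split("$", 3)
        info["algorithm"] = ALGORITHMS.get(ident, "unknown id " + ident)
    return info

def parse_shadow(line, today):
    """Split one /etc/shadow line into its nine fields and evaluate aging for 'today',
    given as days since 1970-01-01, exactly as the file stores its dates."""
    name, pw, last, mn, mx, warn, inactive, expire, _ = line.split(":")
    rec = {"name": name, "last_change": int(last), "min_age": int(mn or 0),
           "max_age": int(mx) if mx else None, "warn_days": int(warn or 0),
           "inactive": int(inactive) if inactive else None,
           "account_expire": int(expire) if expire else None, **parse_hash(pw)}
    rec["password_expired"] = (rec["max_age"] is not None
                               and rec["last_change"] + rec["max_age"] < today)
    rec["account_expired"] = rec["account_expire"] is not None and rec["account_expire"] < today
    return rec
```

The "today" argument is a day count like the file's own date fields, so the same records can be evaluated against any reference date.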

Managing local user accounts using useradd/adduser, usermod, userdel, id, passwd

To create a user account on a Linux system, we use adduser (Debian) or useradd (Fedora).
Location of the command: /usr/sbin.
# adduser <User>
# useradd -u 7777 -g bipul -G root -d /home/hacker -s /bin/bash -c dba hacker
Make useradd command changes from here: /etc/default/useradd
# for i in user{1..9}; do adduser $i; done
Deleting a user
# userdel -r <User>
# for i in user{1..9}; do userdel -r $i; done

Creating/updating the password for a user. We use passwd:
# passwd <User>
# echo hacker | passwd --stdin <User>
Locking the password for a user
# passwd -l <User>
To unlock the password
# passwd -u <User>
To check the status of the password
# passwd -S <User>
To delete the password
# passwd -d <User>

To modify a user account we use the usermod command.
To change the password with usermod
# encrypted=$(echo "newpassword" | openssl passwd -1 -stdin); sudo usermod -p "$encrypted" <User>
To lock the user account
# usermod -L <User>
To unlock the user account
# usermod -U <User>
Assigning a primary group
# usermod -g admin bipul
Assigning a secondary group
# usermod -G samba bipul
Assigning more than one secondary group
# usermod -aG dba bipul

Groups
Like users, groups have a name and a number, and they are divided into two kinds:
1. Primary group.
2. Secondary group.

Understanding the /etc/group and /etc/gshadow files

Local groups, including primary groups, are defined in /etc/group:
1 groupname : 2 password : 3 GID : 4 list of users in the group

1. Primary group: Every user has exactly one primary group. For a local user, the primary group is defined by the GID number of the group listed in the fourth field of /etc/passwd.

2. Supplementary group: A user may be a member of zero or more supplementary groups. The users that are supplementary members of local groups are listed in the last field of the group entry in /etc/group.

/etc/gshadow
lucy:$6$jXU9U/Yc2$sSVMymgi9rlXTYAHU9Z7agtmkX.qJYJjyzuniVgnVilgLXkg6iLaKikj3tv8HC333gDjdzF26yqaTmtlK1uvI.::