Linux Based Networks
Zahid Shafique, Instructor
Punjab University College of Information Technology Instructor: Zahid Shafique <z_shafique@hotmail.com>

User Administration
User Accounts
Because Linux is a multi-user system, the task of adding and maintaining user accounts is common in Linux system administration. Upon a successful installation of a Linux distribution, two user accounts are configured: the root user and a normal user. These two user accounts represent the two basic types of users that are configurable with Linux.

The First Type
The first type, the root user, is unique for several reasons. It is the only user account with system wide privileges. Other accounts can be set up as an exact clone of the root user account (any account with UID 0 has exactly the same privileges as root), but it is strongly discouraged.

User Administration

Class Meeting #

Slide :

Linux Based Networks

Zahid Shafique, Instructor

System Accounts
In your Linux distribution, you will see a number of accounts set up, like bin, daemon, adm, lp, sync, shutdown, mail, operator, and others. They are called "system accounts" and are used for varying purposes, some self-explanatory, some not. These accounts do not have usable passwords, because they are not designed for login: their password fields are locked (for example with * in /etc/shadow). These special-purpose accounts are also called nonlogin accounts. Do not delete them or some programs will not run.
Default Users

Default Groups

Privileges of a root user
System administration tasks are performed from the root or super user account. The following list summarizes some of the duties and privileges of a system administrator:
• Has complete access to all files and directories regardless of owner and permissions
• Controls user account administration
• Performs system maintenance
• Halts the system when necessary
• Sets up initial user passwords
• Changes passwords when necessary
• Installs software on the system

The Second Type
A normal user account is the type of account that is set up for each individual user. This type of account differs only in respect to access privileges and home directories.

Important
It is good system practice to have a separate account for each individual user. Avoid accounts that are shared, if possible.

Adding New Users
• Required steps:
  – Edit the /etc/passwd file to define the user's account (use vipw, which locks the file against concurrent edits, rather than a plain editor).
  – Set an initial password.
  – Create the user's home directory.
• Extra steps (optional):
  – Copy default startup files to the user's home directory.
  – Set the user's mail home and establish mail aliases.
  – Configure disk quotas.
  – Record accounting information.
  – Enter the user in the site-wide user database (NIS).
  – Add the user to the /etc/group file.
  – Verify that the account is set up correctly.

User Accounts Utilities
Managing users and groups has traditionally been tedious. Red Hat Linux has a few tools and conventions that make users and groups easier to manage. The easiest way to manage users and groups is through redhat-config-users:
$ redhat-config-users
You can use useradd to create a new user from the shell prompt.

Account Setup
Adding and deleting users is simple, but understanding the files involved with user account management is a bit more complex. The key to managing user accounts is to understand the underlying configuration files.

Key Configuration File
The key file used in user account setup and configuration is the /etc/passwd file. This file is a simple ASCII text file.

/etc/passwd File
Upon a successful installation, the contents of the /etc/passwd file resemble the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null

The /etc/passwd file
root:*:0:3:The Big Guy,143 MSB:/:/bin/sh
daemon:*:1:5::/:/bin/sh
farrell:*:100:15:Paul Farrell:/users/research/farrell/:/bin/csh
stacke:*:101:15:Olaf P. Stackelberg:/users/fac/stack:/bin/csh
pwang:*:102:15:Paul S. Wang:/users/research/wang:/usr/local/bin/tcsh
abaqus57:x:53:13:License Manager:/var/log/abaqus57:/usr/bin/csh
matlab:x:54:13:Matlab License Manager:/usr/local/matlab5:/usr/bin/csh
catadm:x:55:13::/usr/local/abaqus:/bin/csh
…

/etc/passwd format:
login_name:password:user_id:group_id:user info:home:shell

Note:
• Each entry in /etc/passwd must be on one line.
• Each field within each user's entry is separated from the next by a colon.

The /etc/passwd file contents
• Login name
  – Case sensitive and unique for users; may include numbers, except in position 1.
  – No more than 8 chars long (for some old systems only).
  – /etc/aliases can be used to set an alias of the user name for most mail systems like sendmail.
  – Pseudo-logins execute the corresponding commands as their shells, e.g. daemon, bin.
• Encrypted password
  – Looks like Xv8Q981g71oKKrequ, encrypted by the MD5 or DES algorithms.
  – If null, no password is required, i.e. press Enter directly! An empty password field is an open door and should be checked for.
  – Change a user's password with passwd.
  – /etc/passwd is world readable -> no security for hashes kept in it (refer to the /etc/shadow section).

The /etc/passwd file contents
• User ID
  – uid is the ID for the user, which must be unique.
  – uid is traditionally a value between 0 and 65535 (16-bit); modern Linux kernels accept 32-bit UIDs.
  – UID 0 is reserved for root, and traditionally the lower numbers are kept for system programs.
  – It is recommended that human users start at 500.
  – It is a good idea to avoid reusing UIDs: files left behind by a deleted user would belong to whoever inherits the number, and it avoids confusion when backups are restored.
• Group ID
  – gid is the ID of the group that the user belongs to.
  – gid is generally a value between 0 and 65535.
  – GID 0 is reserved for root and 1 is usually reserved for daemon.
  – Groups' info is defined in /etc/group.
• User Info (GECOS field)
  – No particular format; can be full name, address, contact number, etc.
  – The finger command expects comma-delimited subfields.
  – Can be modified by the chfn command.

The /etc/passwd file contents
• Home directory
  – Users are placed in their home directory when they log in.
  – If it is missing or invalid, a message such as "no home directory" will be printed, or login is disabled, or the user is logged in to the root directory.
  – Home directories are usually named with the user's login name, e.g. /home/staff/zahid, and should be readable, writable and executable by the user:
    # mkdir /home/staff/zahid
    # chown zahid /home/staff/zahid
    # chgrp zahid /home/staff/zahid
    # chmod 700 /home/staff/zahid
• Shell
  – Specify a standard shell (sh, bash, ksh, csh, etc.), but it can be a restricted shell, or a program.
  – If the shell field is null, the Bourne Shell is used.
  – Can be changed by the chsh command.

Important Users
• daemon: Owner of Unprivileged Software
  – Usually has uid 1.
  – The owner of software that doesn't need or shouldn't have special permissions, e.g. fingerd.
• bin: Owner of System Commands
  – Owns directories that contain the system's commands and most of the executable files.
  – Controls the files that belong to the UNIX system.
• sys (kmem): Owner of the Kernel and Memory Images
  – Owns special files such as /dev/kmem (the kernel's address space), /dev/mem (the physical memory of the system), and /dev/swap (image of the system's swap space).
• nobody: Owner of Nothing

The /etc/group file
root:x:0:root
daemon:x:1:
bin:x:2:root,bin,daemon
sys:x:3:root,bin,sys,adm
adm:x:4:root,adm,daemon
…
Each line has 4 colon separated fields: group name, password (practically never used), GID (group ID number), list of members.
In practice, users are in the group given in the password file whether or not they are entered in that group in /etc/group.
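The checks a practitioner actually runs over these two files, as an added example (this script is not from the slides; the passwd and group text inside it is constructed for the example, including a deliberate second UID 0 account, an empty password field and a reused UID). The last function computes a user's effective groups the way groups(1) does: primary group from the passwd GID field, plus every /etc/group line naming the user.

```shell
#!/bin/sh
# Added example: audit a passwd/group pair for the conditions the slides warn about.
# The two files below are constructed for this example; they are not from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second uid 0:/root:/bin/bash
guest::501:100:Guest account:/home/guest:/bin/bash
zahid:x:502:502:Zahid Shafique:/home/staff/zahid:/bin/bash
mjkabir:x:503:100:M. J. Kabir:/home/mjkabir:/bin/bash
clone:x:502:502:reused uid:/home/clone:/bin/bash'

SAMPLE_GROUP='root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
wheel:x:10:mjkabir
users:x:100:zahid
zahid:x:502:
admins:x:504:mjkabir,zahid'

# Login names with UID 0 other than root: each one is a full clone of root.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty: login asks for no password at all.
empty_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# UIDs shared by several login names (the kernel only knows the number, so
# such users own each other's files). Output: uid:name1,name2 sorted by uid.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }' | sort -n
}

# Effective group list for one user, computed the way groups(1) does it: the
# primary group comes from the GID field of /etc/passwd, whether or not the
# user is listed as a member of that group in /etc/group; every other line of
# /etc/group that names the user adds a supplementary group.
# Usage: user_groups NAME "$passwd_text" "$group_text"
user_groups() {
    user=$1
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v u="$user" -v gid="$gid" '
        $3 == gid { primary = $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) sup = sup " " $1 }
        END { printf "%s%s\n", primary, sup }'
}

# Run the audit against the constructed files.
echo "UID 0 accounts other than root:"; extra_uid0 "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:"; empty_passwords "$SAMPLE_PASSWD"
echo "Shared UIDs:"; duplicate_uids "$SAMPLE_PASSWD"
echo "Groups of mjkabir: $(user_groups mjkabir "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
```

To run the same checks on a live system, pass "$(cat /etc/passwd)" and "$(cat /etc/group)" in place of the constructed strings; the empty-password check is only meaningful there if the system does not use shadow passwords, in which case the same test belongs on /etc/shadow.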

The Startup Files
• Startup files traditionally start with a period (.) and end with rc (run command). Eg .cshrc, .login and .profile.
• Depending on the shell used, the common startup files are:

  Shell   File             Purpose
  sh      /etc/profile     System wide setup procedure at login.
          .profile         Sets the terminal type, path, environment variables, umask value, etc.
  csh     .login           Sets the terminal type, path, environment variables, umask value.
          .cshrc           Sets command aliases, prompt. Read by csh every time a new csh is started.
          .logout          Executed when the user logs out.
  ksh     /etc/profile     System wide setup procedure at login.
          .profile         User-specific setup for ksh at login.
          .kshrc           Additional commands to the shell when a new ksh is started.
  bash    /etc/profile     System wide setup procedure at login.
          /etc/bashrc      System wide setup when bash is started.
          .bash_profile    User-specific setup for bash at login. Similar to .login and .profile.
          .bash_login      Read by bash at login if .bash_profile does not exist.
          .bashrc          Read by bash only when a new bash is started. Similar to .cshrc for csh.
          .bash_logout     Read by bash when the shell is exited. Executed when the user logs out.

• It is useful to place system default settings in these files. The per-user files are writable by their owner, so a setting that must hold for everyone (a restrictive umask, a PATH without ".") belongs in the system wide files, which must be writable by root only.

/etc/shadow File
The /etc/shadow password file looks similar to the following:
root:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11507:0:99999:7:::
bin:*:11458:0:99999:7:::
daemon:*:11458:0:99999:7:::
adm:*:11458:0:99999:7:::
lp:*:11458:0:99999:7:::
sync:*:11458:0:99999:7:::
shutdown:*:11458:0:99999:7:::
halt:*:11458:0:99999:7:::
mail:*:11458:0:99999:7:::

Secure Password Files
• Modern UNIX systems like Linux and Solaris place the passwords in a secure file (commonly called a shadow password file) or files elsewhere.
• The format and location differ between systems, as does the entry in the password field of the normal password file.
• The /etc/shadow file:
  – Its access permissions are much more restricted: it is readable only by root.
  – It also provides password aging, like password expiration.

root:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11507:0:99999:7:::
Much like the /etc/passwd file, the /etc/shadow file consists of single-line entries with colon-delimited fields:

username:password:lastchg:min:max:warn:inactive:expire:flag

username   The user's login name.
password   An encrypted password for the user, a lock string (such as * or !) to indicate that the login is not accessible, or no string, which shows that there is no password for the login.
lastchg    The number of days between 1/1/70 and the date that the password was last modified.
min        The minimum number of days required between password changes.
max        The maximum number of days the password is valid.
warn       The number of days before the password expires that the user is warned.
inactive   The number of days after the password expires until the account is permanently disabled (empty, or -1, disables the feature).
expire     The day on which the account is disabled, stored as days since 1/1/70 (chage -l displays it as a YYYY-MM-DD date; empty means never).
flag       Reserved for future use.
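The field arithmetic above, applied to a whole file, as an added example (not from the slides; the shadow text is constructed and the $6$ hashes are dummies). Given a day count, each entry is classified as usable, locked, never set, empty, expired, or past its inactivity grace period, with the MD5-crypt ($1$) hash from the slide flagged as weak. The expiry rules (a max of 10000 or more days means never; an empty inactive or expire field switches that check off) are those shadow-utils applies at login, stated here as my understanding of that tool rather than anything the slides say.

```shell
#!/bin/sh
# Added example: classify /etc/shadow entries by password and account state.
# The shadow text below is constructed for this example (the hashes are dummies).
SAMPLE_SHADOW='root:$6$saltsalt$notarealhash:11507:0:99999:7:::
bin:*:11458:0:99999:7:::
zahid:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11400:0:99999:7:::
mjkabir:$6$saltsalt$notarealhash:11480:0:30:7:::
stale:$6$saltsalt$notarealhash:11450:0:30:7:10::
olduser:$6$saltsalt$notarealhash:11000:0:99999:7::11300:
newuser:!!:11500:0:99999:7:::
nopass::11500:0:99999:7:::'

# Status of one entry as of TODAY (days since 1/1/70, the unit the file uses).
# Expiry arithmetic follows the rules login applies (assumption): a max of
# 10000 days or more means the password never expires; an empty expire or
# inactive field disables that check. Usage: shadow_status NAME TODAY "$shadow_text"
shadow_status() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v today="$2" '
        $1 != u { next }
        {
            pw = $2; last = $3 + 0; max = $5; inact = $7; expire = $8
            if (pw == "")      { print "EMPTY-PASSWORD"; exit }   # login needs no password
            if (pw == "!!")    { print "NEVER-SET"; exit }        # fresh useradd, passwd not run
            if (pw ~ /^[!*]/)  { print "LOCKED"; exit }           # passwd -l, or a system account
            if (expire != "" && expire + 0 <= today) { print "ACCOUNT-EXPIRED"; exit }
            if (max != "" && max + 0 < 10000 && last + max < today) {
                if (inact != "" && inact + 0 >= 0 && today >= last + max + inact)
                    print "INACTIVE-DISABLED"                    # past the grace period
                else
                    print "PASSWORD-EXPIRED"                     # must change at next login
                exit
            }
            if (substr(pw, 1, 3) == "$1$") { print "OK-WEAK-MD5"; exit }  # md5crypt: migrate to $6$
            print "OK"; exit
        }'
}

# One line per account: "name STATUS".
shadow_report() {
    today=$1; shadow=$2
    printf '%s\n' "$shadow" | awk -F: '{ print $1 }' | while read -r name; do
        printf '%s %s\n' "$name" "$(shadow_status "$name" "$today" "$shadow")"
    done
}

shadow_report 11520 "$SAMPLE_SHADOW"
```

On a real host run it as root with today's day count, which is $(( $(date +%s) / 86400 )), and the contents of /etc/shadow; every line that is not OK is either an account that cannot log in or one that needs attention.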

Adding Users
User accounts can be added by directly editing the /etc/passwd file or by using a utility such as useradd, available in all Linux distributions. Default characteristics for each user account are defined by the settings in the /etc/login.defs file, as follows:

/etc/login.defs
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

Note that the shipped aging defaults are weak: PASS_MAX_DAYS 99999 means passwords effectively never expire, and PASS_MIN_LEN 5 is far too short (on PAM-based systems this setting is ignored and length rules come from the PAM password module instead).
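What "automatic uid selection" in the UID_MIN/UID_MAX range amounts to, as an added example (not from the slides): the login.defs, passwd and group text inside the script are constructed, and the allocation policy (one above the highest number already used in the range, with a search for a hole only once the top of the range is reached, and a private group that prefers GID == UID) is my assumption about how useradd and groupadd behave, not something the slides state. Field 3 is the UID in /etc/passwd and the GID in /etc/group, so one function serves both files.

```shell
#!/bin/sh
# Added example: pick the next free UID/GID within the login.defs range, the
# job useradd and groupadd do when -u/-g is not given. The files below are
# constructed for the example. The allocation policy (one above the highest
# number already used in the range, hole search only when the top is reached)
# is an assumption about useradd's behaviour, not something the slides state.
LOGIN_DEFS='UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000'
PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
zahid:x:500:500::/home/zahid:/bin/bash
mjkabir:x:501:501::/home/mjkabir:/bin/bash
old:x:503:503::/home/old:/bin/bash'
GROUP='root:x:0:root
users:x:100:
zahid:x:500:
mjkabir:x:501:
old:x:503:'

# Value of one key in a login.defs-style file. Usage: defs_value "$defs" KEY
defs_value() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'; }

# Next free id. Field 3 is the UID in /etc/passwd and the GID in /etc/group,
# so the same function serves both. Prints nothing and returns 1 when the
# range is exhausted. Usage: next_free_id "$defs" MIN_KEY MAX_KEY "$file_text"
next_free_id() {
    low=$(defs_value "$1" "$2"); high=$(defs_value "$1" "$3")
    printf '%s\n' "$4" | awk -F: -v low="$low" -v high="$high" '
        BEGIN { top = low + 0 }
        { used[$3 + 0] = 1
          if ($3 >= low && $3 <= high && $3 + 1 > top) top = $3 + 1 }
        END {
            if (top <= high) { print top; exit 0 }
            # top of the range reached: fall back to the first unused number
            for (id = low + 0; id <= high; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }'
}

# useradd also creates the private group; assume it prefers a GID equal to
# the new UID when that number is free in /etc/group, and otherwise takes the
# next free GID. Usage: private_group_gid UID "$defs" "$group_text"
private_group_gid() {
    uid=$1
    # the awk succeeds (exit 0) only when no group already uses the number
    if printf '%s\n' "$3" | awk -F: -v g="$uid" '$3 == g { taken = 1 } END { exit taken }'; then
        echo "$uid"
    else
        next_free_id "$2" GID_MIN GID_MAX "$3"
    fi
}

uid=$(next_free_id "$LOGIN_DEFS" UID_MIN UID_MAX "$PASSWD")
echo "next uid: $uid, private gid: $(private_group_gid "$uid" "$LOGIN_DEFS" "$GROUP")"
```

Because the range top is only reached after thousands of accounts, a deleted user's number is normally not handed out again for a long time, which is the "avoid reusing UIDs" advice from the /etc/passwd slide put into practice; if the range is exhausted the function reports failure instead of silently allocating outside it.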

When we create a new home directory
A new directory, /home/username, is created and populated with copies of the default files in the /etc/skel and /etc/skel.d directories (in that order).

Managing Users with Command Line Tools
Creating a new user account
To create a user from your command line you can run the useradd command:
#useradd newuser
This will add a new entry in /etc/passwd (and in /etc/shadow if you use shadow passwords) using system defaults.

Creating a new user account
When I run the preceding command on my Red Hat system, /etc/passwd shows a new line such as the following:
newuser:!!:506:506::/home/newuser:/bin/bash
If you remember the /etc/passwd fields from the earlier discussion, you will see that the password field (the second field) is set to !!. This means that the password is not set and the user cannot log in just yet. (With shadow passwords enabled, /etc/passwd shows x here and the !! appears in the password field of /etc/shadow instead.) So you will need to create a password for this user by running the passwd command as follows:
#passwd newuser

Default Settings
The UID and the GID values will be automatically selected by useradd. The home directory is created in the default top-level home directory. The login shell is also selected from a system default. You will learn to set these defaults in a later section.

Overriding System Default
If you would like to override a system default, you can specify a command line option. To override the default home directory, use the -d newdirectory option:
#useradd -d /www/newuser newuser
Note: useradd will create only the final directory and not the entire path.
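The "verify that the account is set up correctly" step from the Adding New Users list, applied to what useradd and passwd leave behind, as an added example (not from the slides). The passwd, shadow, group, shells and login.defs text inside the script is constructed; newuser is the freshly created account before passwd has been run, mjkabir is a correct account, and svc and weird are deliberately broken.

```shell
#!/bin/sh
# Added example: the "verify that the account is set up correctly" step, run
# against constructed copies of the files useradd touches. None of the data
# below comes from a real host; UID_MIN/UID_MAX follow the login.defs shown above.
PASSWD='root:x:0:0:root:/root:/bin/bash
newuser:x:506:506::/home/newuser:/bin/bash
mjkabir:x:507:100:M. J. Kabir:/home/mjkabir:/bin/bash
svc:x:42:42:Service account:/var/lib/svc:/bin/bash
weird:!!:20:99:Hand-edited entry:/home/weird:/usr/local/bin/zsh'
SHADOW='root:$6$saltsalt$notarealhash:11507:0:99999:7:::
newuser:!!:11507:0:99999:7:::
mjkabir:$6$saltsalt$notarealhash:11507:0:99999:7:::
svc:$6$saltsalt$notarealhash:11507:0:99999:7:::'
GROUP='root:x:0:root
users:x:100:
newuser:x:506:
mjkabir:x:507:'
SHELLS='/bin/sh
/bin/bash
/bin/tcsh'
LOGIN_DEFS='UID_MIN 500
UID_MAX 60000'

defs_value() { printf '%s\n' "$LOGIN_DEFS" | awk -v k="$1" '$1 == k { print $2 }'; }

# Print one line per problem found with NAME's account; print nothing and
# return 0 when every check passes.
verify_account() {
    u=$1
    pline=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$u" '$1 == u')
    if [ -z "$pline" ]; then echo "no /etc/passwd entry"; return 1; fi
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$pline
EOF
    rc=0
    # With shadow passwords the passwd field must be exactly "x".
    [ "$pw" = "x" ] || { echo "passwd field is '$pw', expected x"; rc=1; }
    # Human accounts belong in the UID_MIN..UID_MAX range from login.defs.
    [ "$uid" -ge "$(defs_value UID_MIN)" ] && [ "$uid" -le "$(defs_value UID_MAX)" ] \
        || { echo "uid $uid outside UID_MIN..UID_MAX"; rc=1; }
    # No other login name may share the UID.
    dup=$(printf '%s\n' "$PASSWD" | awk -F: -v uid="$uid" -v u="$u" '$3 == uid && $1 != u { print $1 }')
    [ -z "$dup" ] || { echo "uid $uid shared with $dup"; rc=1; }
    # The primary GID must exist in /etc/group.
    printf '%s\n' "$GROUP" | awk -F: -v gid="$gid" '$3 == gid { found = 1 } END { exit !found }' \
        || { echo "primary gid $gid not in /etc/group"; rc=1; }
    # chsh and some services only accept shells listed in /etc/shells.
    printf '%s\n' "$SHELLS" | grep -qx -- "$shell" \
        || { echo "shell $shell not listed in /etc/shells"; rc=1; }
    # The shadow entry must exist and must hold a real hash before login works.
    sline=$(printf '%s\n' "$SHADOW" | awk -F: -v u="$u" '$1 == u')
    if [ -z "$sline" ]; then
        echo "no /etc/shadow entry"; rc=1
    else
        case "$(printf '%s\n' "$sline" | cut -d: -f2)" in
            "")   echo "shadow password field empty: login needs no password"; rc=1 ;;
            "!!") echo "password never set: run passwd $u"; rc=1 ;;
        esac
    fi
    return $rc
}

for account in mjkabir newuser svc weird; do
    echo "== $account"; verify_account "$account" || true
done
```

Against real files, replace the five constructed variables with the contents of /etc/passwd, /etc/shadow, /etc/group, /etc/shells and /etc/login.defs (reading /etc/shadow requires root); a clean account produces no output and a zero exit status, which makes the function usable from a provisioning script.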

Private Group
The useradd that comes with Red Hat Linux creates a private group for the user with the same name as the username.

Overriding System Default
You can override the idea of a private group by using the -g group option. For example:
#useradd -g users mjkabir
This will make useradd create the new user (mjkabir) with the default group set to users.

Assigning a user an additional group
You can use the -G comma-separated-list-of-groups option. For example:
#useradd -G wheel,admins mjkabir
Here the new user (mjkabir) will be added to the wheel and admins groups in the /etc/group file. Membership in groups such as wheel usually controls who may use su or sudo, so a supplementary group is a privilege grant and should be reviewed like any other.

To find out which groups a user belongs to
You can use the #groups username command to find out which groups a user belongs to.

Creating a new group
To create a new group, use the groupadd command. For example:
#groupadd mygroup

CHANGING A PASSWORD
To change or set a user's password, use the passwd command. For example:
#passwd zahid
Note: When an ordinary user runs the passwd program, no username argument is required, because it will allow her to change only her own password.

CHANGING THE SHELL
If the default shell is not appropriate for a user, you may change it to any shell you list in /etc/shells. Use the chsh command to change a user's shell. For example:
#chsh zahid
Note that a user can change her own shell using this command as well. You can also use the usermod command to modify the shell information as follows:
#usermod -s newshellpath username

CHANGING THE HOME DIRECTORY
To change the home directory of an existing user, run the usermod command as follows:
#usermod -d newhomedirectory username
For example, you can run the command as follows:
#usermod -d /home2/zahid zahid
However, if you would like to move the home directory contents to the new location, use the -m option as follows:
#usermod -d /home2/zahid -m zahid

CHANGING A DEFAULT GROUP
To change the default group for a user, use the usermod command as follows:
#usermod -g groupname_or_GID username
For example:
#usermod -g 777 zahid

CHANGING ACCOUNT EXPIRATION DATE
If you are using shadow passwords, you can change the expiration date of a user account using the usermod command as follows:
#usermod -e MM/DD/YY username
For example:
#usermod -e 12/31/2002 zahid
This command will reset the account expiration date for user zahid to 12/31/2002. (Current shadow-utils versions take the date as YYYY-MM-DD, i.e. 2002-12-31; an empty string, -e "", removes the expiration date.)

CHANGING FINGER INFORMATION
You can also change the finger information, such as the full name and phone numbers. Run the chfn command to change a user's finger information. For example:
#chfn zahid

Modifying an existing group
To modify an existing group name or GID, use the groupmod command. To rename a group to a new name, use the following syntax:
#groupmod -n newgroup currentgroup
For example:
#groupmod -n experts novices
Here the existing novices group is renamed to experts.

Deleting a user account
To delete an existing user, use the userdel command. For example:
# userdel snake
This deletes a user called snake. If you would like to remove the user's home directory and all the contents within the directory, use the -r option.

Caution!!
userdel will not delete the user if the user is currently logged in.

Disabling a user account
If you would like to temporarily disable a user account, you can do one of the following:
• Use the usermod -s newshell username command to change the shell to /bin/false (or /sbin/nologin on Red Hat, which also prints a message). usermod does not consult /etc/shells, and /bin/false should not be listed there: some services, FTP daemons for instance, treat any account whose shell appears in /etc/shells as allowed to log in.
• If you are using shadow passwords, you can use the usermod -e MM/DD/YY username command to cause the user account to expire. This will disallow the user from logging into the system.
• Lock the password with passwd -l username (or usermod -L username). This prefixes the hash in /etc/shadow with ! so that no password matches; passwd -u username reverses it.
If you would like to disable all user account access for a temporary reason, you can create a file called /etc/nologin with a message explaining why you are disabling access. login displays the message and refuses all non-root logins while the file exists.

Creating default user settings
The default settings for creating new users using useradd come from /etc/default/useradd. An example /etc/default/useradd file:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

GROUP=100
The GROUP=100 line specifies that the default group ID is 100. The value you specify in this line must exist in /etc/group. You can specify a group name instead of the numeric value as well. This value is used only when you disable (using the -n option; -N in current shadow-utils) the default private group (that is, the group with the same name as the new user). You can change this value as follows:
#useradd -D -g groupname_or_GID

HOME=/home
The HOME=/home line specifies the default top-level home directory for new users. You can change this value as follows:
#useradd -D -b directory

INACTIVE=-1
The INACTIVE=-1 line specifies when (in days) the account will become inactive after the password expires. The default value of -1 states that accounts never become inactive. This is useful only if you are using shadow passwords. You can change this value as follows:
#useradd -D -f number_of_days

EXPIRE=
The EXPIRE= line specifies when an account should be disabled. By default, accounts never become disabled. This is useful only if you are using shadow passwords. You can change this value as follows:
#useradd -D -e MM/DD/YY

SHELL=/bin/bash
The SHELL=/bin/bash line specifies the default login shell path. You can change this value as follows:
#useradd -D -s /bin/tcsh

SKEL=/etc/skel
The files in this directory are copied to the new home directory of a new user account. Normally, you do not want to change this path to some other directory. Because every file placed here ends up in each new user's home directory (and, in the case of .bashrc and .bash_profile, is executed by their shell), /etc/skel and its contents must be writable by root only.
