April 22, 2011, 3:22 p.m.
posted by char
Managing Users and Groups
In an age of viruses, worms, and identity theft, keeping information private and secure has taken on great importance. Managing user identity creates the framework for system securityeven on a single-user system, where a distinction is maintained between using the system as the normal user and using the system as the root user.
How Do I Do That?
Almost everyone identifies themselves as both an individual and as a member of several groups. Linux uses separate user and group identities to reconstruct this two-level structure inside the system.
For example, company employee Richard might be all of the following:
(And that doesn't even touch on life outside of the company!)
The system administrator configures Richard's account to indicate his many involvements within the company. At the user level, the name richard is assigned to him, and a password and home directory are assigned. richard is then placed into the groups it, toronto, acmeproposal, christmas, and soccer.
Fedora Core extends this system using a scheme called user private group (UPG), which means that Richard also has his own private group, also named richard. UPG makes a lot of sense when you look at permissions.
Managing users graphically
The Fedora GUI tool for managing users and groups is system-config-users, which is accessed through the menu under SystemAdministration"Users and Groups." After you supply the root password, the window shown in Figure will appear.
The Users and Groups configuration window
This window has two tabs, one for managing groups and one for managing users.
To add a user, click on the Add User icon. The window shown in Figure will be displayed.
The Create New User window
Fill in each of the fields:
Once you have filled in all of these fields, click OK. You will be returned to the main User and Group configuration window (Figure).
To edit a user, double-click on the user's name, or highlight the name and click the Properties icon. An edit window will appear with four tabs, enabling you to edit values that cannot be set during the creation of the account; Figure shows each of these tabs.
The four tabs of the User Properties window
The four tabs are:
The value of password aging is debatable; while it does limit the time that a compromised password can be used, forcing a user to change her password too frequently can make it difficult for her to remember the current password, leading to unsafe practices such as writing passwords on sticky notes or choosing weak passwords.
To delete a user account, click on the username and then click on the Delete icon. You will be warned if the user account is active (i.e., if the user is logged in or has processes running), and you will be asked for confirmation. The confirmation dialog has a checkbox that controls whether the user's files will be deleted along with the user account. If you are planning to keep the user's files, it may be better to lock the account than to delete it, so that the user's name continues to show up as the owner of those files (if the account is deleted, the account number is shown instead of the name).
Managing groups graphically
The Group tab of the User Manager window works in exactly the same way as the Users tab. The only fields that appear in the Add Group dialog are for the group name and, if you want to set it manually, the group number. The Properties dialog adds a tab that shows you a list of all of the users on the system, with checkboxes to indicate which ones are in the group.
Adding and managing users from the command line
# useradd jane # passwd jane Changing password for user jane. New UNIX password: bigSecret Retype new UNIX password: bigSecret passwd: all authentication tokens updated successfully.
useradd accepts a number of options; the most common are shown in Figure. Most of these options can also be used with usermod to change an existing user's options.
To set Jane's full name when her account is created, execute:
# useradd -c "Jane Smith" jane
# usermod -c "Jane Lee" jane
# userdel -r jane
To add a group, just specify the name as an argument to groupadd:
# groupadd groupname
The only option commonly used is -g, which lets you manually select the group ID (useful if converting data from an old system):
# groupadd -g 781 groupname
# groupmod -g 947 groupname # groupmod -n newname groupname
# groupdel groupname
Managing user passwords from the command line
$ passwd Changing password for user chris. Changing password for chris (current) UNIX password: bigSecret New UNIX password: newSecret Retype new UNIX password: newSecret passwd: all authentication tokens updated successfully.
When used by the root user, passwd can be used to change the root password (the default) or any existing user's password if the username is supplied as an argument. You don't need to know the current password:
# passwd Changing password for user root. New UNIX password: topSecret Retype new UNIX password: topSecret passwd: all authentication tokens updated successfully. # passwd jane Changing password for user jane. New UNIX password: superSecret Retype new UNIX password: superSecret passwd: all authentication tokens updated successfully.
The root user can also delete a password from an account (so a user can log in with just a username):
# passwd -d jane Removing password for user jane. passwd: Success
# passwd -S jane Empty password. # passwd -S chris Password set, MD5 crypt.
Managing groups and delegating group maintenance from the command line
To specify the members of a group, use the -M option:
# gpasswd -M jane,richard,frank audit
In this case, jane, richard, and frank are made members of the audit group. Any previous memberships in that group will be obliterated, so only these three users will now be in that group. (Other group memberships held by those users will not be affected.)
You can also add or delete individual group users using the -a and -d options:
# gpasswd -a audrey audit # gpasswd -d frank audit
Those commands add audrey to the group audit, then delete frank.
If you delegate group administration to users, they can use the -a and -d optionsa great labor-saving idea! Delegation is performed with the -A (administrator) option:
# gpasswd -A jane audit jane$ gpasswd -a matthew audit
How Does It Work?
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin ...(Lines snipped)... fax:x:78:78:mgetty fax spool user:/var/spool/fax:/sbin/nologin nut:x:57:57:Network UPS Tools:/var/lib/ups:/bin/false privoxy:x:73:73::/etc/privoxy:/sbin/nologin chris:x:500:500:Chris Tyler:/home/chris:/bin/bash diane:x:501:501:Diane Tyler:/home/diane:/bin/bash jane:x:502:502:Jane Smith:/home/jane:/bin/bash richard:x:503:503:Richard Lee:/home/richard:/bin/bash
The fields in this file are separated by colons. From left to right, they are:
Since /etc/passwd must be readable by everyone so that commands such as ls -l can function correctly, the passwords have been moved to a file that is readable only by root, named /etc/shadow, which looks like this:
root:$1$45ZWBaPE$XvzhGEj/rA4VDJXdQESi0.:13024:0:99999:7::: bin:*:13024:0:99999:7::: daemon:*:13024:0:99999:7::: adm:*:13024:0:99999:7::: ...(Lines snipped)... fax:!!:13024:0:99999:7::: nut:!!:13024:0:99999:7::: privoxy:!!:13024:0:99999:7::: chris:$1$hUjsHJUHIhUhu889H98hH.8.BGhhY79:13068:0:99999:7::: diane:$1$97KJHNujHUkh88JHmnjNyu54NUI9JY7:13024:0:99999:7::: jane:$1$yuaJsudk9jUJHUhJHtgjhytnbYhGJHy:13024:0:99999:7::: richard:$1$pIjyfRbKo71jntgRFu3duhU97hHygbf:13024:0:99999:7:::
Note that the second field contains an encrypted version of the password. The encryption function, called a hash, is not reversible, so it's not possible to take this data and reconstruct the password. When the user enters his password, it is also encrypted; then the two encrypted values are compared.
In a similar way, /etc/group contains basic information about each group:
root:x:0:root bin:x:1:root,bin,daemon daemon:x:2:root,bin,daemon sys:x:3:root,bin,adm adm:x:4:root,adm,daemon ...(Lines snipped)... fax:x:78: nut:x:57: privoxy:x:73: chris:x:500:fen diane:x:501: jane:x:502: richard:x:503: audit:x:504:jane,richard soccer:x:505:richard,jake,wilson,audrey,shem,mike,olgovie,newton toronto:x:506:matthew,jake,wilson,richard,audrey,shem,mike,olgovie,newton,ed,jack ...(Lines snipped)...
The fields here are:
The /etc/gshadow file contains the actual passwords, plus group administrator information:
root:::root bin:::root,bin,daemon daemon:::root,bin,daemon sys:::root,bin,adm adm:::root,adm,daemon ...(Lines snipped)... fax:x:: nut:x:: privoxy:x:: chris:!:500::fen diane:!:501:: jane:!:502:: richard:!:503:: audit:!:504:jane:jane,richard,audrey,matthew soccer:!:505:richard,jake:richard,jake,wilson,audrey,shem,mike,olgovie,newton toronto:!:506:ed:matthew,jake,wilson,richard,audrey,shem,mike,olgovie,newton,ed ...(Lines snipped)...
The group administrators are in field 4 and group members are in field 5 in this fileso in this case, jane is the group administrator for audit, and jane, richard, andrew, and matthew are group members.
...the kuser program on the menu?
...editing the password and group files directly?
It is possible but must be done carefully to avoid leaving the system in an unusable state.
The vipw and vigr scripts provide the most convenient way of editing these files; vipw edits /etc/passwd and /etc/shadow, and vigr edits /etc/group and /etc/gshadow. In both cases, the files will be locked to prevent concurrent changes by another program, and the vi editor will be used for editing (the EDITOR environment variable can be used to specify another editor if you'd prefer).
...checking that the password and group files are properly written?
# pwck user adm: directory /var/adm does not exist user gopher: directory /var/gopher does not exist user ident: directory /home/ident does not exist user torrent: directory /var/spool/bittorrent does not exist invalid password file entry delete line \Q'? y pwck: the files have been updated
# grpck invalid group file entry delete line \Q'? y invalid group file entry delete line \Qascasdcasdarg asdfasdf'? y grpck: the files have been updated
Where Can I Learn More?