Managing Users and Groups

In an age of viruses, worms, and identity theft, keeping information private and secure has taken on great importance. Managing user identity creates the framework for system security, even on a single-user system, where a distinction is maintained between using the system as the normal user and using the system as the root user.

How Do I Do That?

Almost everyone identifies themselves as both an individual and as a member of several groups. Linux uses separate user and group identities to reconstruct this two-level structure inside the system.

For example, company employee Richard might be all of the following:

  • A member of the IT department

  • Located at the company's Toronto office

  • The leader of the team putting together the big sales pitch to Acme, Ltd.

  • Part of the Christmas party committee

  • A player in the Tuesday evening company soccer league

(And that doesn't even touch on life outside of the company!)

The system administrator configures Richard's account to indicate his many involvements within the company. At the user level, the name richard is assigned to him, and a password and home directory are assigned. richard is then placed into the groups it, toronto, acmeproposal, christmas, and soccer.

Fedora Core extends this system using a scheme called user private group (UPG), which means that Richard also has his own private group, also named richard. UPG makes a lot of sense when you look at permissions.

Managing users graphically

The Fedora GUI tool for managing users and groups is system-config-users, which is accessed through the menu under System → Administration → "Users and Groups." After you supply the root password, the window shown in the following figure will appear.

The Users and Groups configuration window


This window has two tabs, one for managing groups and one for managing users.

To add a user, click on the Add User icon. The window shown in Figure will be displayed.

The Create New User window


Fill in each of the fields:


User Name

The account name (username) you wish to use (such as jane). This is what the user will enter when she logs in to the system. It should be an opaque string (no spaces) and consist of letters, digits, dashes, underscores, and periods. Although you can use uppercase characters, traditional user names are all-lowercase for ease of typing.


Full Name

The actual name of the user, in upper- and lowercase (Jane Smith). This information is optional and is used for reference only.


Password and Confirm Password

Type the new user's password twice.


Login shell

For most users, this field should be left as is; it can always be changed (using chsh) later. If you are creating a user account that will never be used for logging in (such as an account used exclusively for email access or file sharing), select /sbin/nologin for the shell.


Create home directory

This should almost always be left checked.


Create a private group for the user

This enables the Fedora User Private Group scheme (which is a great idea), so it should almost always be left checked.


Specify a user ID manually

This controls whether the numeric user ID will be automatically or manually assigned. The only time you would want to specify it manually is when you are configuring the same user ID on two systems. In that case, check the box and enter the user ID in the UID field; otherwise, leave it unchecked.

Once you have filled in all of these fields, click OK. You will be returned to the main User and Group configuration window (Figure).

To edit a user, double-click on the user's name, or highlight the name and click the Properties icon. An edit window will appear with four tabs, enabling you to edit values that cannot be set during the creation of the account; Figure shows each of these tabs.

The four tabs of the User Properties window


The four tabs are:


User Data

Contains fields similar to those in the Create New User dialog (Figure).


Account Info

Allows you to set an expiry date for the account or lock (disable) the account.


Password Info

Configures password expiration (also called password aging). You can set the number of days before a change is required, to force users to change passwords periodically; the number of days after a change before another change is permitted, to prevent a user from gaming the forced password change by using a temporary password and then immediately switching back to her regular password; how far in advance the user will be warned about an impending password expiry; and the number of days of inactivity permitted before the account is locked as abandoned.


Groups

This tab is one of the least used, but most useful. Here you configure the groups to which the user belongs. In the case of our fictional example of Richard, you would check the it, toronto, acmeproposal, christmas, and soccer groups. By default, the user is automatically assigned to a group with the same name as his username. The significance of groups is that they can be used to manage file access.

The value of password aging is debatable; while it does limit the time that a compromised password can be used, forcing a user to change her password too frequently can make it difficult for her to remember the current password, leading to unsafe practices such as writing passwords on sticky notes or choosing weak passwords.

To delete a user account, click on the username and then click on the Delete icon. You will be warned if the user account is active (i.e., if the user is logged in or has processes running), and you will be asked for confirmation. The confirmation dialog has a checkbox that controls whether the user's files will be deleted along with the user account. If you are planning to keep the user's files, it may be better to lock the account than to delete it, so that the user's name continues to show up as the owner of those files (if the account is deleted, the account number is shown instead of the name).

Managing groups graphically

The Group tab of the User Manager window works in exactly the same way as the Users tab. The only fields that appear in the Add Group dialog are for the group name and, if you want to set it manually, the group number. The Properties dialog adds a tab that shows you a list of all of the users on the system, with checkboxes to indicate which ones are in the group.

Adding and managing users from the command line

Fedora provides six utilities for managing users and groups from the command line. For users, there are useradd, usermod, and userdel; for groups, there are groupadd, groupmod, and groupdel.

The express way to add a user is to use useradd and then set the new user's password using passwd (the password you type is not echoed by passwd; it is shown in this transcript only for clarity):

# useradd jane
# passwd jane
Changing password for user jane.
New UNIX password: bigSecret
Retype new UNIX password: bigSecret
passwd: all authentication tokens updated successfully.

useradd accepts a number of options; the most common are shown in the following table. Most of these options can also be used with usermod to change an existing user's options.

useradd options

Option            Description                                            Notes
-b directory      Base for home directories (a directory with the same   useradd only; the default is /home.
                  name as the username is created in this directory
                  and used as the home directory)
-c "fullName"     User comment field; almost always holds the user's     Quote the full name if it contains spaces.
                  full name
-d homedir        User's home directory
-e YYYY-MM-DD     Account expiry date
-f days           Days of inactivity before the account is considered
                  abandoned and locked
-g group          User's primary group                                   Default is the user's own group (same name
                                                                         as the username).
-G grp1,grp2,...  Supplementary group membership
-M                Don't create a home directory                          useradd only.
-m                Create a home directory if it doesn't exist            This is the default action.
-p cryptpass      Set the encrypted password to cryptpass                Useful when copying accounts from an old
                                                                         system configuration.
-s shell          Set the user's shell to shell
-u uid            Set the numeric user ID to uid                         Useful when copying accounts from an old
                                                                         system configuration or synchronizing with
                                                                         old NFS servers.
-L                Lock account against login                             usermod only.
-U                Unlock account and permit login                        usermod only.


To set Jane's full name when her account is created, execute:

# useradd -c "Jane Smith" jane

usermod works in a similar way to useradd, but is used to adjust the parameters of existing accounts. For example, to change Jane's full name:

# usermod -c "Jane Lee" jane

As you'd expect, the userdel command deletes a user. The -r option specifies that the user's home directory and mail spool (/var/spool/mail/user) should also be removed:

# userdel -r jane

The groupadd, groupmod, and groupdel commands are used in a similar way to create, modify, and delete groups.

To add a group, just specify the name as an argument to groupadd:

# groupadd groupname

The only option commonly used is -g, which lets you manually select the group ID (useful if converting data from an old system):

# groupadd -g 781 groupname

The groupmod command is rarely used, but it will change the numeric group ID (-g) or the name (-n) of an existing group:

# groupmod -g 947 groupname
# groupmod -n newname groupname

To delete a group, use groupdel:

# groupdel groupname
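The commands above create one account at a time. The script below is an added example (not from the book) that provisions a batch of accounts from a constructed CSV list of username, full name, supplementary groups and shell, checking each username against the naming rules given earlier before it reaches useradd, and creating any supplementary group that does not yet exist. By default it is a dry run that only prints the useradd and groupadd commands it would execute (RUN=echo); run it as root with RUN= (empty) to apply them. The CSV layout, the RUN variable, the semicolon group separator and the function names are assumptions of this example, and the leading-dash rejection is an extra check beyond the chapter's rules.

```shell
#!/bin/sh
# Added example, not from the book: batch account creation with validation.
# RUN=echo (the default) prints the commands instead of running them;
# run as root with RUN= (empty) to execute useradd/groupadd for real.
RUN=${RUN-echo}

# Constructed sample input: username,full name,supplementary groups,shell
# (groups are separated by ';' because ',' already separates the fields).
SAMPLE_ACCOUNTS='jane,Jane Smith,it;toronto,/bin/bash
richard,Richard Lee,it;toronto;acmeproposal,/bin/bash
backup svc,Backup Service,,/sbin/nologin
imapuser,Mail Only,,/sbin/nologin'

valid_username() {
    # The chapter's rules: no spaces; only letters, digits, dashes,
    # underscores and periods. A leading dash is also rejected (extra check)
    # because useradd would parse such a name as an option.
    case "$1" in
        "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

ensure_group() {
    # Create the group only if getent cannot find it, so groupadd never
    # fails on a group that already exists.
    getent group "$1" >/dev/null 2>&1 || $RUN groupadd "$1"
}

provision_accounts() {
    # Reads the CSV from stdin and issues one useradd per valid line.
    # Invalid names are reported on stderr and skipped.
    while IFS=, read -r user full groups shell; do
        [ -n "$user" ] || continue
        if ! valid_username "$user"; then
            printf 'skipping invalid username: %s\n' "$user" >&2
            continue
        fi
        for g in $(printf '%s' "$groups" | tr ';' ' '); do
            ensure_group "$g"
        done
        grouplist=$(printf '%s' "$groups" | tr ';' ',')
        if [ -n "$grouplist" ]; then
            # -c quotes the full name (it contains a space), -G lists groups
            $RUN useradd -c "$full" -G "$grouplist" -s "$shell" "$user"
        else
            $RUN useradd -c "$full" -s "$shell" "$user"
        fi
    done
}

# Dry run over the constructed sample; prints the commands it would run.
printf '%s\n' "$SAMPLE_ACCOUNTS" | provision_accounts
```

Because the shell passes "$full" to useradd as a single argument, a full name such as Jane Smith needs no extra quoting inside the script; the dry-run output prints it unquoted, so copy a printed command back in by hand only with the quotes restored.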

Managing user passwords from the command line

passwd is used to set a user's password. Used by a normal user, it sets that user's password by asking for the current password and then asking for the new password twice (the passwords typed are not echoed; they are shown here for clarity):

$ passwd
Changing password for user chris.
Changing password for chris
(current) UNIX password: bigSecret
New UNIX password: newSecret
Retype new UNIX password: newSecret
passwd: all authentication tokens updated successfully.

When used by the root user, passwd can be used to change the root password (the default) or any existing user's password if the username is supplied as an argument. You don't need to know the current password:

# passwd
Changing password for user root.
New UNIX password: topSecret
Retype new UNIX password: topSecret
passwd: all authentication tokens updated successfully.
# passwd jane
Changing password for user jane.
New UNIX password: superSecret
Retype new UNIX password: superSecret
passwd: all authentication tokens updated successfully.

The root user can also delete a password from an account (so a user can log in with just a username):

# passwd -d jane
Removing password for user jane.
passwd: Success

This must be used carefully because it presents a big security risk. Remember that remote users may be able to connect via SSH, and then they won't need a password either!

To find out the password status of an account, use -S:

# passwd -S jane
Empty password.
# passwd -S chris
Password set, MD5 crypt.

Managing groups and delegating group maintenance from the command line

The gpasswd command can be used to set a group password. This is rarely done. However, it is also used to manage groups and, better yet, to delegate group administration to any user.

To specify the members of a group, use the -M option:

# gpasswd -M jane,richard,frank audit

In this case, jane, richard, and frank are made members of the audit group. Any previous memberships in that group will be obliterated, so only these three users will now be in that group. (Other group memberships held by those users will not be affected.)

You can also add or delete individual group users using the -a and -d options:

# gpasswd -a audrey audit
# gpasswd -d frank audit

Those commands add audrey to the group audit, then delete frank.

If you delegate group administration to users, they can use the -a and -d options, a great labor-saving idea! Delegation is performed with the -A (administrator) option:

# gpasswd -A jane audit
jane$ gpasswd -a matthew audit

How Does It Work?

User accounts are controlled by the /etc/passwd file, which looks like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
...(Lines snipped)...
fax:x:78:78:mgetty fax spool user:/var/spool/fax:/sbin/nologin
nut:x:57:57:Network UPS Tools:/var/lib/ups:/bin/false
privoxy:x:73:73::/etc/privoxy:/sbin/nologin
chris:x:500:500:Chris Tyler:/home/chris:/bin/bash
diane:x:501:501:Diane Tyler:/home/diane:/bin/bash
jane:x:502:502:Jane Smith:/home/jane:/bin/bash
richard:x:503:503:Richard Lee:/home/richard:/bin/bash

The fields in this file are separated by colons. From left to right, they are:


username

The name of the user account, which shows up in ls -l output and is used to log in to the system. This is sometimes (incorrectly) called the user ID.


password

The encrypted password used to be stored in this field. For security, it has now been moved to /etc/shadow.


user ID

The number identifying this user. Process and file ownership is stored as a number; this field is used to cross-reference the number with a username. The user ID is frequently abbreviated to uid. User IDs below 500 are considered system IDs and are reserved for system services.


group ID

The group ID (gid) indicates the primary group for this user. It's cross-referenced to a group name through /etc/group.


comment field

This field can be used to store any text associated with the user. On Fedora, it's usually used to store the user's full name; the chfn and finger commands use it to store the user's full name, office location, office phone number, and home phone number, separated by commas.

This field is historically called the gecos or gcos field because it originally cross-referenced user IDs between the Unix and General Electric Comprehensive Operating System (gecos) at Bell Labs. You'll still find this field documented as pw_gecos in Linux library function documentation (for an example, see man getpwent).



home directory

At login, the shell changes to this directory automatically, and the HOME environment variable is set to this value.


shell

This field specifies the user's default shell.

For accounts that require a password but should not permit the user to log in, such as an account used only for file sharing or POP/IMAP email access, use the dummy shell /sbin/nologin. If the user attempts to log in, the message "This account is currently not available" is displayed, and the user is logged out automatically. To use a different message, place the desired text in the file /etc/nologin.txt.


Since /etc/passwd must be readable by everyone so that commands such as ls -l can function correctly, the passwords have been moved to a file that is readable only by root, named /etc/shadow, which looks like this:

root:$1$45ZWBaPE$XvzhGEj/rA4VDJXdQESi0.:13024:0:99999:7:::
bin:*:13024:0:99999:7:::
daemon:*:13024:0:99999:7:::
adm:*:13024:0:99999:7:::
...(Lines snipped)...
fax:!!:13024:0:99999:7:::
nut:!!:13024:0:99999:7:::
privoxy:!!:13024:0:99999:7:::
chris:$1$hUjsHJUHIhUhu889H98hH.8.BGhhY79:13068:0:99999:7:::
diane:$1$97KJHNujHUkh88JHmnjNyu54NUI9JY7:13024:0:99999:7:::
jane:$1$yuaJsudk9jUJHUhJHtgjhytnbYhGJHy:13024:0:99999:7:::
richard:$1$pIjyfRbKo71jntgRFu3duhU97hHygbf:13024:0:99999:7:::

Note that the second field contains an encrypted version of the password. The encryption function, called a hash, is not reversible, so it's not possible to take this data and reconstruct the password. When the user enters his password, it is also encrypted; then the two encrypted values are compared.

The other fields in this file contain information used for password aging (expiry).
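The second field of /etc/shadow is what passwd -S reports on and what passwd -d empties, and the fifth field (maximum password age) is the setting behind the password aging options discussed earlier. The script below is an added example, not from the book, that audits a file in /etc/shadow layout and reports, for every account, whether the password is set, locked, or empty, and whether it ever expires. It runs on constructed sample lines modelled on the listing above (with jane's password field emptied) so it can be tried without root; run it as root against /etc/shadow to audit a real system. The function names and the sample data are this example's own; the $1$, $5$ and $6$ prefixes are the MD5, SHA-256 and SHA-512 forms of glibc crypt.

```shell
#!/bin/sh
# Added example, not from the book: audit /etc/shadow-format lines for
# empty passwords (what passwd -d leaves behind), locked accounts, and
# passwords that never expire. Reads the file from stdin.

# Constructed sample in /etc/shadow layout:
# name:hash:lastchange:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$1$45ZWBaPE$XvzhGEj/rA4VDJXdQESi0.:13024:0:99999:7:::
bin:*:13024:0:99999:7:::
fax:!!:13024:0:99999:7:::
jane::13024:0:99999:7:::
chris:$1$hUjsHJUHIhUhu889H98hH.8.BGhhY79:13068:0:90:7:::
diane:$6$constructedsalt$constructedhashvalue:13024:0:180:7:::'

shadow_audit() {
    # One report line per account: user<TAB>password state<TAB>aging note.
    # read with IFS=: keeps empty fields, and unlike "set --" it never
    # glob-expands the "*" used in locked entries.
    while IFS=: read -r user hash lastchg min max warn inactive expire flag; do
        [ -n "$user" ] || continue
        case "$hash" in
            "")         state="EMPTY-PASSWORD" ;;   # login without a password
            \!*|\**)    state="LOCKED" ;;           # passwd -l / usermod -L / system account
            '$1$'*)     state="SET(md5)" ;;         # "Password set, MD5 crypt." in passwd -S
            '$5$'*)     state="SET(sha256)" ;;
            '$6$'*)     state="SET(sha512)" ;;
            *)          state="SET(other)" ;;
        esac
        # Field 5 is the maximum password age in days; 99999 is the
        # "never expires" default seen throughout the listing.
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            aging="never-expires"
        else
            aging="expires-every-${max}d"
        fi
        printf '%s\t%s\t%s\n' "$user" "$state" "$aging"
    done
}

shadow_state() {
    # Usage: shadow_state user < shadowfile  ->  prints that user's state
    shadow_audit | awk -F'\t' -v u="$1" '$1 == u { print $2 }'
}

empty_password_accounts() {
    # Usage: empty_password_accounts < shadowfile  ->  usernames with no
    # password at all, the risk the passwd -d discussion warns about.
    shadow_audit | awk -F'\t' '$2 == "EMPTY-PASSWORD" { print $1 }'
}

# Run over the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```

For a real check, `empty_password_accounts < /etc/shadow` as root should print nothing; any username it does print is an account that remote SSH clients can reach with no password at all.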

In a similar way, /etc/group contains basic information about each group:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
...(Lines snipped)...
fax:x:78:
nut:x:57:
privoxy:x:73:
chris:x:500:fen
diane:x:501:
jane:x:502:
richard:x:503:
audit:x:504:jane,richard
soccer:x:505:richard,jake,wilson,audrey,shem,mike,olgovie,newton
toronto:x:506:matthew,jake,wilson,richard,audrey,shem,mike,olgovie,newton,ed,jack
...(Lines snipped)...

The fields here are:


group name

The name assigned to the group.


group password

A password assigned to the group. This is rarely used, because it's just as easy to add a user into a group as it is to give her the password. The actual password values have been moved to /etc/gshadow.


group ID

The numeric value assigned to the group. This file is used to cross-reference group IDs to group names.


supplementary members

The username of each user in this group, except users who have this group as their primary group (field 4 in /etc/passwd).

The /etc/gshadow file contains the actual passwords, plus group administrator information:

root:::root
bin:::root,bin,daemon
daemon:::root,bin,daemon
sys:::root,bin,adm
adm:::root,adm,daemon
...(Lines snipped)...
fax:x::
nut:x::
privoxy:x::
chris:!:500::fen
diane:!:501::
jane:!:502::
richard:!:503::
audit:!:504:jane:jane,richard,audrey,matthew
soccer:!:505:richard,jake:richard,jake,wilson,audrey,shem,mike,olgovie,newton
toronto:!:506:ed:matthew,jake,wilson,richard,audrey,shem,mike,olgovie,newton,ed
...(Lines snipped)...

The group administrators are in field 4 and group members are in field 5 in this file, so in this case, jane is the group administrator for audit, and jane, richard, audrey, and matthew are group members.

What About...

...the kuser program on the menu?

kuser is a KDE program that provides an alternative to system-config-users. The two programs are functional duplicates, but I think system-config-users looks better.

...editing the password and group files directly?

It is possible but must be done carefully to avoid leaving the system in an unusable state.

The vipw and vigr scripts provide the most convenient way of editing these files; vipw edits /etc/passwd and /etc/shadow, and vigr edits /etc/group and /etc/gshadow. In both cases, the files will be locked to prevent concurrent changes by another program, and the vi editor will be used for editing (the EDITOR environment variable can be used to specify another editor if you'd prefer).

...checking that the password and group files are properly written?

The pwck command can be used to check and repair /etc/passwd and /etc/shadow:

# pwck
user adm: directory /var/adm does not exist
user gopher: directory /var/gopher does not exist
user ident: directory /home/ident does not exist
user torrent: directory /var/spool/bittorrent does not exist
invalid password file entry
delete line ''? y
pwck: the files have been updated

grpck performs similar checks on /etc/group and /etc/gshadow:

# grpck
invalid group file entry
delete line ''? y
invalid group file entry
delete line 'ascasdcasdarg asdfasdf'? y
grpck: the files have been updated

Where Can I Learn More?

  • The manpages for passwd, useradd, usermod, userdel, groupadd, groupmod, groupdel, vipw, vigr, pwconv, grpconv, crypt (3), passwd (5), shadow (5), group (5), and gshadow (5)