In a multi-user environment, multiple persons use the same system either concurrently, or at separate times. The operating system must support multiuser operations, and take care of the following tasks:
- Allocate necessary resources for each user.
- Manage session start, termination, and timeout.
- Maintain a private workspace for each connected user.
- Ensure system security.
- Track users’ activities.
For the above requirements to be adequately met, each person who needs to connect to the system must have their own user account. This ensures authenticity, authority, and accountability.
Managing users and groups is an essential part of your role as a Linux system administrator. In this article, we will tackle this important topic. I hope you find it useful.
Users and Groups
Having a valid user and password for a system is similar to having a valid passport and visa to enter a country.
A user account on a Linux machine has:
- Name: must be unique.
- User ID (UID): also unique.
- Home directory.
- Startup program.
- Membership in one or more groups.
A group also has:
- A unique group name.
- A unique group ID (GID).
Administrating Users and Groups
User accounts and groups can be administered either from the command-line interface (CLI) or with a graphical user interface (GUI) tool. As usual, we will learn how to do the job with both.
Adding User Accounts
When a new staff member joins your team, it is wise, as a Linux system administrator, to create a separate user account for that person on your system. Using shared – or generic – accounts is a bad idea from a security perspective. To create a user account from the CLI, run the useradd command while logged in as root:
useradd [options] USERNAME
Accounts created by the administrator receive UIDs starting from 500. So the first user we created during the installation process, eduonix, has UID 500, and accounts created after it follow in sequence: 501, 502, 503, and so on.
To create a user named omer, run useradd with omer as the USERNAME argument.
Every user on a Linux box has a corresponding line in the /etc/passwd file.
You will notice that there are a large number of user accounts on the system. Of this long list, we have created only two: eduonix that the installation wizard created for us, and omer that we have just created using the useradd command. All the other users – including the root user – have been created during installation.
- The root user always has the UID 0.
- User accounts created by the system during installation are usually called built-in users, or system users.
In Red Hat, when a user is created either by the system or by the administrator:
- A line for the user is added to /etc/passwd file.
- Another line is added to the /etc/shadow file.
- A private group with the same name is automatically created for that user.
The /etc/passwd File
This file exists in every UNIX and Linux distribution, without exception. The /etc/passwd file is called the password file. It is a text file containing the list of the system’s accounts and, for each account, useful information such as the user ID, primary group ID, home directory, shell, etc.
The format of the password file is as follows: each line describes one account and consists of 7 fields separated by colons “:”. The fields are:
- Username: the name of the user on the system. It must be unique.
- Password: often this field holds only the letter “x”, and the encrypted password is stored in the /etc/shadow file instead.
- User ID: the numerical user ID (UID). Also unique.
- Group ID: the numerical primary group ID (GID) for this user.
- Comment: optional field for informational purposes. It can be used to hold the full name of the user.
- Home directory: the user’s home directory.
- Login shell: the program to run at login. If set to a non-existent executable, the user will be unable to log in.
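The following script is an added example, not code from the original article: it parses lines in the seven-field /etc/passwd layout described above and checks the rules the article states (unique names, unique UIDs, UID 0 belongs to root, the password field is shadowed with “x”, and the login shell is a real one). It also applies the UID-numbering convention from the Adding User Accounts section, treating UIDs below 500 as system accounts (that threshold is an assumption taken from the article, not something the file itself records). The sample lines, the hypothetical accounts and the stand-in for /etc/shells are all constructed here; on a live system you would read the real files instead.

```python
"""Parse /etc/passwd records and check the invariants the article describes.

Added example, not code from the original article. The sample lines are
constructed to mirror the article's scenario: root, two built-in accounts,
the installer-created user eduonix (UID 500) and the newly added user omer
(UID 501). On a live system read /etc/passwd and /etc/shells instead.
"""
from collections import Counter

# Standard seven-field layout of /etc/passwd.
PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")

# Assumption taken from the article: administrator-created accounts start
# at UID 500, so anything below that is treated as a built-in/system account.
FIRST_USER_UID = 500

# Constructed sample lines; a real file holds many more built-in accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
eduonix:x:500:500:Eduonix Student:/home/eduonix:/bin/bash
omer:x:501:501::/home/omer:/bin/bash
"""

# Constructed stand-in for the contents of /etc/shells.
KNOWN_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin"}


def parse_passwd(text):
    """Return one dict per non-empty line, with uid and gid converted to int."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def account_kind(rec):
    """Classify an account as 'root', 'system' or 'regular' by its UID."""
    if rec["uid"] == 0:
        return "root"
    return "system" if rec["uid"] < FIRST_USER_UID else "regular"


def audit_passwd(records, known_shells=KNOWN_SHELLS):
    """Return (username, finding) pairs for records that break the expected rules."""
    findings = []
    name_count = Counter(r["name"] for r in records)
    uid_count = Counter(r["uid"] for r in records)
    for r in records:
        if name_count[r["name"]] > 1:
            findings.append((r["name"], "duplicate username"))
        if uid_count[r["uid"]] > 1:
            findings.append((r["name"], f"duplicate UID {r['uid']}"))
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "second UID 0 account"))
        if r["password"] != "x":
            findings.append((r["name"], "password field not shadowed"))
        if r["shell"] not in known_shells:
            findings.append((r["name"], f"unknown login shell {r['shell']}"))
    return findings


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for rec in accounts:
        print(f"{rec['name']:<10} uid={rec['uid']:<4} {account_kind(rec)}")
    print("findings:", audit_passwd(accounts))
```

Run against the constructed sample the audit reports nothing; append a constructed second UID 0 line or a record whose password field is not “x” and each rule fires with the account name attached, which is the shape of output a periodic account review wants.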
The /etc/shadow File
This is the shadowed password file. It contains the password information for the system’s accounts and optional aging information.
The number of lines in this file is equal to that of the /etc/passwd file. The format of the file is as follows:
Each line consists of 9 fields separated by colons “:”. The fields are:
- Username: it must be a valid account name that exists on the system.
- Encrypted password:
1. If field is empty, no passwords are required to authenticate this user.
2. If the field contains ! or *, the user will not be able to use a Linux password to log in.
3. A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
- Date of last password change.
- Minimum password age.
- Maximum password age.
- Password warning period.
- Password inactivity period.
- Account expiration date.
- Reserved field: this field is reserved for future use.
In the file, notice the long hashes (encrypted passwords) in the 2nd field of the lines for the users root and eduonix. Note also that for the new user omer this field contains only two exclamation marks, !!, because we haven’t set a password for that account yet.
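To make the nine-field layout and the meaning of the password field concrete, here is an added example, not code from the original article. It parses constructed /etc/shadow lines and classifies each account the way the list above describes: an empty field, a “*”, a “!!” as in omer’s freshly created account, a “!”-prefixed hash for a locked account, and a plain hash. It also evaluates the aging fields (last change, maximum age, account expiration) against a given day number. The hash strings are placeholders shaped like crypt output, not real hashes, and the day numbers, accounts and expiry dates are all constructed.

```python
"""Parse /etc/shadow records and classify each account's password state.

Added example, not code from the original article. The sample lines are
constructed: the hash strings are placeholders rather than real crypt
output, and the day numbers are arbitrary. The password-field meanings
follow the article's description; the aging checks use fields 3 to 8.
"""
import time

# Standard nine-field layout of /etc/shadow.
SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "reserved")
NUMERIC_FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")

# Constructed sample. Day numbers count days since 1 Jan 1970.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$placeholderhashplaceholderhashplaceholderhash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
eduonix:$6$CONSTRUCTED$anotherplaceholderhashanotherplaceholderhash:15000:0:90:7:::
omer:!!:15010:0:99999:7:::
guest::15000:0:99999:7:::
olduser:!$6$CONSTRUCTED$lockedplaceholderhashlockedplaceholderhash:14000:0:99999:7::15100:
"""


def parse_shadow(text):
    """Return one dict per non-empty line; empty numeric fields become None."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(SHADOW_FIELDS):
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(parts)}")
        rec = dict(zip(SHADOW_FIELDS, parts))
        for f in NUMERIC_FIELDS:
            rec[f] = int(rec[f]) if rec[f] != "" else None
        records.append(rec)
    return records


def password_state(field):
    """Interpret the encrypted-password field.

    empty        -> no password is needed to log in
    nologin      -> "*": a Linux password can never be used for this account
    locked-unset -> "!" or "!!": locked, and no password was ever set
    locked       -> "!" followed by a hash: locked, previous hash kept
    set          -> a hash is present and usable
    """
    if field == "":
        return "empty"
    if field == "*":
        return "nologin"
    if field.startswith("!"):
        return "locked-unset" if field.lstrip("!") == "" else "locked"
    return "set"


def password_expired(rec, today):
    """True when the password is older than the maximum age (field 5)."""
    if rec["lastchg"] is None or rec["max"] is None:
        return False
    return rec["lastchg"] + rec["max"] < today


def account_expired(rec, today):
    """True once the account expiration day (field 8) has been reached."""
    return rec["expire"] is not None and today >= rec["expire"]


def audit_shadow(records, today=None):
    """Return (username, finding) pairs an administrator should look at."""
    if today is None:
        today = int(time.time() // 86400)
    findings = []
    for rec in records:
        state = password_state(rec["password"])
        if state == "empty":
            findings.append((rec["name"], "empty password field"))
        elif state == "locked-unset":
            findings.append((rec["name"], "password never set"))
        if state == "set" and password_expired(rec, today):
            findings.append((rec["name"], "password expired"))
        if account_expired(rec, today):
            findings.append((rec["name"], "account expired"))
    return findings


if __name__ == "__main__":
    records = parse_shadow(SAMPLE_SHADOW)
    for rec in records:
        print(f"{rec['name']:<10} {password_state(rec['password'])}")
    print("findings:", audit_shadow(records, today=15100))
```

The empty-field case is the one worth watching for: it is the only state in which no password is asked for at all, which is why the audit lists it first. Passing an explicit day number to audit_shadow keeps the result reproducible; leaving it out uses the current day.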
Setting a User’s Password
To set the password of a user, run the passwd command with the username as its argument.
The command will prompt you to enter a password, and will prompt you again to confirm it.
Note that, for increased security and to keep others from learning the length of your password, UNIX and Linux print nothing at all – no asterisks, no hyphens – while you type your password.
Now have another look at the /etc/shadow file. Has something changed?
Yes! That is what I meant. The password field now contains the encrypted hash of the new password you entered.
In the next article, we will continue with Users and Groups Administration by talking about Private Groups, then how to create users and set their passwords using the GUI tool.
See you in the next article.