Linux OS Basics – Part 3

User Management

users and groups

Users and groups have existed since the earliest days of the operating system, and the tools for managing them have kept evolving ever since. File access and ownership depend on permissions: you wouldn’t want Jane to see Bob’s documents, and vice versa.

Each user has their own home directory where their user-specific files are stored. This is usually located at /home/username, but the location can vary between distributions.

The system manages users by their user ID (UID). Usernames are a friendly way for humans to identify users, but the system itself identifies users by UID. The system also uses groups to manage permissions: a group is simply a set of users that share the permissions granted to that group, and the system identifies each group by its group ID (GID).

In Linux, you’ll have users in addition to the normal humans that use the system. Sometimes these users are system daemons that continuously run processes to keep the system functioning. One of the most important users is root, also called the superuser. root is the most powerful user on the system: it can access any file and start or terminate any process. For that reason it can be dangerous to operate as root all the time, because you could accidentally remove system-critical files. Luckily, when root access is needed and a user has been granted it, they can run a single command as root with the sudo command instead of working as root. The sudo command (superuser do) runs a command with root privileges; we’ll go more in-depth on how a user receives root access in a later lesson.

Go ahead and try to view a protected file like /etc/shadow:

pineturtle@DESKTOP-ESO0AIU:/tmp$ cat /etc/shadow

Notice that you get a permission denied error. Look at the file’s permissions with:

pineturtle@DESKTOP-ESO0AIU:/tmp$ ls -la /etc/shadow
-rw-r----- 1 root shadow 1084 Apr 27 01:46 /etc/shadow

We haven’t gone through permissions yet, but what’s happening here is that root owns the file, and you need either root access or membership of the shadow group to read its contents. Now run the command with sudo:

pineturtle@DESKTOP-ESO0AIU:/tmp$ sudo cat /etc/shadow

Now you’ll be able to see the contents of the file!

root

root, as the name suggests, is the root of all. 🙂 In the previous section we used the sudo command to gain the access needed to read the shadow file. The command su (substitute user) switches you to another user for whatever you want to do next. You can use this command to substitute for any user as long as you know that user’s password. Go ahead and try the command:

pineturtle@DESKTOP-ESO0AIU:/tmp$ su

/etc/passwd

This file provides detailed information about the user accounts on the system. To find out which users are mapped to which IDs, look at the /etc/passwd file.

pineturtle@DESKTOP-ESO0AIU:/var/log$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash

Each line holds the information for one user, and most commonly you’ll see the root user on the first line. The fields are separated by colons and tell you additional information about the user. Let’s look at them all:

  1. Username
  2. User’s password – the password is not really stored in this file; it’s usually stored in the /etc/shadow file. We’ll discuss /etc/shadow in the next section, but for now, know that it contains the users’ hashed (“encrypted”) passwords. You can see different symbols in this field: an “x” means the password is stored in the /etc/shadow file, a “*” means the user doesn’t have login access, and a blank field means the user doesn’t have a password.
  3. The user ID – as you can see root has the UID of 0
  4. The group ID
  5. GECOS field – generally used for comments about the user or account, such as their real name or phone number. It is comma-delimited.
  6. User’s home directory
  7. User’s shell – you’ll probably see a lot of users defaulting to bash as their shell

/etc/shadow

The /etc/shadow file stores information about user authentication. Reading it requires superuser privileges (or, as we saw above, membership of the shadow group).

pineturtle@DESKTOP-ESO0AIU:/var/log$ sudo cat /etc/shadow
[sudo] password for pineturtle:
root:$6$NCDQx.FFjIpjaph4$dkxXkkNnQH3hO5CUuGPNzsK9t1b94B/CkKyPVn64GogmMRpLwF.J29olrZGcSguGhvmfdqi05hfynqjaJPpq70:19108:0:99999:7:::

You’ll notice that it looks very similar to the contents of /etc/passwd; however, in the password field you’ll see the encrypted (hashed) password. The fields are separated by colons as follows:

  1. Username
  2. Encrypted (hashed) password
  3. Date the password was last changed – expressed as the number of days since Jan 1, 1970. A 0 here means the user must change their password the next time they log in
  4. Minimum password age – the number of days a user has to wait before being able to change their password again
  5. Maximum password age – the maximum number of days before a user has to change their password
  6. Password warning period – the number of days before expiry during which the user is warned that the password is going to expire
  7. Password inactivity period – the number of days after the password has expired during which login with that password is still allowed
  8. Account expiration date – the day (again counted since Jan 1, 1970) from which the user will no longer be able to log in
  9. Reserved field for future use
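To see how these nine fields are interpreted in practice, here is an added example (not part of the original post) that parses /etc/shadow records, converts the day counts to calendar dates and classifies each account. The sample records are constructed: root keeps the numeric fields shown above with its hash replaced by a placeholder, and bob, svc and guest are made up.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date

# Constructed sample: root keeps the numeric fields shown above (hash replaced
# by a placeholder); bob, svc and guest are made up to exercise the other cases.
SAMPLE_SHADOW = """\
root:$6$saltsalt$CONSTRUCTED_HASH:19108:0:99999:7:::
bob:$6$saltsalt$CONSTRUCTED_HASH:19000:0:90:7:14:19500:
svc:*:19000:0:99999:7:::
guest::19108:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one /etc/shadow record into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    days = lambda v: int(v) if v else None   # an empty field means "not set"
    return {
        "name": fields[0], "hash": fields[1],
        "last_change": days(fields[2]), "min_age": days(fields[3]),
        "max_age": days(fields[4]), "warn": days(fields[5]),
        "inactive": days(fields[6]), "expire": days(fields[7]),
    }

def to_date(day_count):
    """Convert a 'days since 1970-01-01' field to a date (None if unset)."""
    return None if day_count is None else EPOCH + timedelta(days=day_count)

def password_status(entry, today):
    """Classify an entry the way the login process would on the given day."""
    if entry["hash"] == "":
        return "empty-password"            # field 2 blank: no password at all
    if entry["hash"].startswith(("*", "!")):
        return "locked"                    # no input can match, login disabled
    if entry["last_change"] == 0:
        return "must-change-at-login"      # field 3 is 0
    if entry["expire"] is not None and today >= to_date(entry["expire"]):
        return "account-expired"           # field 8 has passed
    if entry["last_change"] is not None and entry["max_age"] is not None:
        if today >= to_date(entry["last_change"] + entry["max_age"]):
            return "password-expired"      # fields 3 + 5 have passed
    return "ok"

def report(text, today):
    """Map each username to (date of last change, status) for the given day."""
    return {e["name"]: (to_date(e["last_change"]), password_status(e, today))
            for e in map(parse_shadow_line, text.splitlines())}
```

Run against a real file with `report(open("/etc/shadow").read(), date.today())` as root; the day count 19108 from the root line above resolves to 2022-04-26, which matches the file’s modification time shown earlier.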

In most distributions today, user authentication doesn’t rely on the /etc/shadow file alone; other mechanisms such as PAM (Pluggable Authentication Modules) sit in front of it and handle the authentication process.

/etc/group

Another file used in user management is the /etc/group file. It defines the groups on the system, which is how sets of users are given different permissions.

pineturtle@DESKTOP-ESO0AIU:/var/log$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:

Very similar to the /etc/passwd file, the /etc/group fields are as follows:

  1. Group name
  2. Group password – there isn’t usually a need to set a group password; using an elevated privilege like sudo is the standard approach. A “*” is put in place as the default value.
  3. Group ID (GID)
  4. List of users – a comma-separated list of the users you have manually added to this group
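The following added example (not part of the original post) ties the /etc/passwd and /etc/group formats together: it parses both files, resolves who is effectively in a group (the listed members plus anyone whose primary GID in /etc/passwd is that group, a source that is easy to overlook when only /etc/group is reviewed), and flags the two things a reviewer looks for first: extra UID 0 accounts and empty password fields. The sample records are constructed; only the root lines are the ones shown in this post.

```python
# Constructed sample files: the root lines are the ones shown in this post; every
# other account and group is made up to exercise the checks below.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pineturtle:x:1000:1000:Pine Turtle,,,:/home/pineturtle:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:pineturtle,toor
shadow:x:42:pineturtle
"""

def _records(text, nfields, path):
    """Yield colon-split records, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{path}: expected {nfields} fields in {line!r}")
        yield fields

def parse_passwd(text):
    """username -> the seven /etc/passwd fields (UID and GID as ints)."""
    return {f[0]: {"password": f[1], "uid": int(f[2]), "gid": int(f[3]),
                   "gecos": f[4], "home": f[5], "shell": f[6]}
            for f in _records(text, 7, "/etc/passwd")}

def parse_group(text):
    """groupname -> GID and the explicit member list from the fourth field."""
    return {f[0]: {"gid": int(f[2]), "members": [m for m in f[3].split(",") if m]}
            for f in _records(text, 4, "/etc/group")}

def members_of(group, users, groups):
    """Listed members plus users whose primary GID (/etc/passwd field 4) matches."""
    gid = groups[group]["gid"]
    names = set(groups[group]["members"])
    names.update(name for name, u in users.items() if u["gid"] == gid)
    return sorted(names)

def audit_accounts(users):
    """Findings worth reviewing: extra UID 0 accounts and empty password fields."""
    findings = []
    for name, u in sorted(users.items()):
        if u["uid"] == 0 and name != "root":
            findings.append(f"{name} has UID 0 (full root privileges)")
        if u["password"] == "":
            findings.append(f"{name} has an empty password field (no password)")
    return findings
```

On a real system, `members_of("shadow", parse_passwd(open("/etc/passwd").read()), parse_group(open("/etc/group").read()))` lists everyone who can read /etc/shadow without sudo.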

User Management Tools

Most enterprise environments use centralized management systems to manage users, accounts and passwords. On a single machine, however, there are useful commands for managing users directly.

Adding Users

You can use either the adduser or the useradd command. The adduser command offers more conveniences, such as creating the home directory for you. There are also configuration files for adding new users that can be customized according to what you want to allocate to a default user.

$ sudo useradd user1

You’ll see that the above command creates an entry in /etc/passwd for user1, sets up the default groups and adds an entry to the /etc/shadow file.

Removing Users

To remove a user, you can use the userdel command.

$ sudo userdel user1

This does its best to undo the changes that useradd made to those files.

Changing Passwords

$ sudo passwd user1

This lets you change your own password, or another user’s password if you are root.

See you at the next part 🙂
