Linux User Administration:
As a Linux Administrator its very important job to monitor and administering users on Linux server.Security plays vital role in any organization , so user administration is very critical."The similarities of sysadmins and drug dealers: both measure stuff in Ks, and both have users." (Old, tired computer joke.)
Going forward i am going to explain different types user accounts,how to create new user accounts, how to modify the properties of those accounts, and how to remove the accounts.There are some differences in-terms of commands used in different Linux flavors but these commands will work mostly.
What is shell account ?
A Shell account is just like a bank account which is created on Linux server,which gives access to a shell via a command line interface protocol such as telnet or ssh.There is more than to user account than just a name.An account is all the files, resources, and information belonging to one user.Before moving to learn about types of shell accounts we need to know few terms .
Whenever you are trying to add a shell account (user) you add an entry to "/etc/passwd" file.This is an essential file used during the login. This file consists of seven colon-separated fields(:), specified all on one line.
Eg:
surya:x:501:105:Surya_Unix_Admin:/home/surya:/bin/bash
ram:!:202:100:Ram_App_User:/home/ram:/bin/bash
The fields are: user login name(shell account), password, UID, GID, comment (gecos) field, user's home directory & user's default shell.
1) Username: It is used when user logs in. It should be between 1 and 32 characters in length.Each name must be unique
2) Password: An 'x' character indicates that encrypted password is stored in /etc/shadow file.
3) User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs. 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
4) Group ID (GID): The primary group ID (stored in /etc/group file)
5) User ID Info(Gecos): The comment field. It allow you to add extra information about the users such as user's full name, phone number etc. This field use by finger command.
6) Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /.
7) Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.
ram:!:202:100:Ram_App_User:/home/ram:/bin/bash
The fields are: user login name(shell account), password, UID, GID, comment (gecos) field, user's home directory & user's default shell.
1) Username: It is used when user logs in. It should be between 1 and 32 characters in length.Each name must be unique
2) Password: An 'x' character indicates that encrypted password is stored in /etc/shadow file.
3) User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs. 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
4) Group ID (GID): The primary group ID (stored in /etc/group file)
5) User ID Info(Gecos): The comment field. It allow you to add extra information about the users such as user's full name, phone number etc. This field use by finger command.
6) Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /.
7) Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.
Note: Your encrypted password is not stored in /etc/passwd file. It is stored in /etc/shadow file.
Type of Linux user accounts:
There are three basic types of user accounts.
1) Administrative (root) Account
2) Regular Account
3) Service Account
Administrative Account:
Its root ,we often see people calling it as "super user" which is created automatically when you install Linux operating system.
A special kind of user account which holds all kind’s of permissions to do any alteration to a programs or services of Linux. Especially this kind of user account is used for system administration. He can control and limit the access of other User’s. As all the powers is vested for Root User, care has to be taken before performing each and every modifications, if anything goes wrong, no option left other than crash of Kernel. It is so sensitive with unlimited accessibility.Take care while logged in as Root :-).
A special kind of user account which holds all kind’s of permissions to do any alteration to a programs or services of Linux. Especially this kind of user account is used for system administration. He can control and limit the access of other User’s. As all the powers is vested for Root User, care has to be taken before performing each and every modifications, if anything goes wrong, no option left other than crash of Kernel. It is so sensitive with unlimited accessibility.Take care while logged in as Root :-).
Regular Account:
Regular user accounts have privileges to perform standard tasks on a Linux computer such as running word processors, databases, and Web browsers.They can store files in their own home directories. Since regular users do not normally have administrative privileges, they cannot accidentally delete critical operating system configuration files.
Service Account:
Services such as Apache, Squid, mail, games, and printing have their own individual service accounts. These accounts exist to allow each of these services to interact with your computer.
Exploring UID:
Every Users got their own identity and authenticity. When someone say Identity of the User, UID (User identifier) comes into picture. UID is a unique identity, simply a number given to the user.Valid UID ranges are from 0 to 65534.Every kind of User type as discussed above are given a particular range of UID’s.
Root User got the UID ‘0‘ . {As root user is prime and supreme authoritative, so he got the UID ” 0 “, This can be altered in the configuration file, which we come across later}
UID for System User lies with in the range of 1 to 499. {Don’t come to a conclusion that Linux OS can only provide 500 System Users. It’s just a default range provided by the OS, it can be altered and can add system users greater than 500 but less than a saturation value which depends on a type Linux OS}.
UID for Normal User lies with in the range of > 500 <6000.
UID for Network User lies with in the range of >6000.
User Administration-Live:
1) Creating User Account:
"useradd" : This command is used to create a new user with default values.
To view the default options give the following command with the option-D.
$useradd {username}
where the options can be,
-U = User id
-g = group ID (primary)
-G = group ID (secondary)
-c = comment
-d = directory
-s = shell
-f = inactive days
-e = expire date (YYYY MM DD)
# useradd surya
# passwd surya
Changing password for user surya.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# grep surya /etc/passwd
surya:x:500:500::/home/surya:/bin/bash
# grep surya /etc/group
surya:x:500:
[Note: default useradd command created surya as username and group
where the options can be,
-U = User id
-g = group ID (primary)
-G = group ID (secondary)
-c = comment
-d = directory
-s = shell
-f = inactive days
-e = expire date (YYYY MM DD)
# useradd surya
# passwd surya
Changing password for user surya.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
# grep surya /etc/passwd
surya:x:500:500::/home/surya:/bin/bash
# grep surya /etc/group
surya:x:500:
[Note: default useradd command created surya as username and group
To view the default options give the following command with the option-D.
$ useradd -D
GROUP=1001
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
GROUP=1001
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
- GROUP: This is the only option which will not be taken as default. Because if you don’t specify -n option a group with same name as the user will be created and the user will be added to that group. To avoid that and to make the user as the member of the default group you need to give the option -n.
- HOME: This is the default path prefix for the home directory. Now the home directory will be created as /home/USERNAME.
- INACTIVE: -1 by default disables the feature of disabling the account once the user password has expired. To change this behavior you need to give a positive number which means if the password gets expired after the given number of days the user account will be disabled.
- EXPIRE: The date on which the user account will be disabled.
- SHELL: Users login shell.
- SKEL: Contents of the skel directory will be copied to the users home directory.
- CREATE_MAIL_SPOOL: According to the value creates or does not create the mail spool.
2) Modify user accounts ( UserName/Lock/Un-Lock):
usermod : This command is used to modify the user accounts. Only the administrator can use this command. It's syntax is,
$ usermod {username}
where the options can be,
-l = to change the user name
-L = to lock the user account
-U = to unlock the user account
where the options can be,
-l = to change the user name
-L = to lock the user account
-U = to unlock the user account
3) Changing Password of a User:
passwd:This command is used to generate the passwords for users account.
$ passwd < user-name>
To disable a password,
$ passwd -d {username}
4) Remove/Delete a User:
userdel : This command is used to delete a user account.
$userdel {user-name}
This will remove the user. But if you want to remove their home folder and all their files.
$userdel -r {user-name}
Miscellaneous Commands:
5) Change user password expiry information:
chage: This command is used to change the password expiry information.
$ chage {user-name}
6) change the shell of a User:
chsh: Changes a user's login shell.
Valid shells are defined in the usw stanza of the /etc/security/login.cfg file. The default list of valid shells is: /usr/bin/ksh, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh but your system manager may have defined more.
Valid shells are defined in the usw stanza of the /etc/security/login.cfg file. The default list of valid shells is: /usr/bin/ksh, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh but your system manager may have defined more.
To change the shell to /usr/bin/ksh for ram, type:
#chsh ram /usr/bin/ksh
7) Editing the default options used by useradd:
The following example shows how to change the default shell from /bin/bash to /bin/ksh during user creation.
Syntax: #useradd -D --shell={shell name}
Syntax: #useradd -D --shell={shell name}
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
[Note: The default shell is /bin/bash]
# useradd -D -s /bin/ksh
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/ksh
SKEL=/etc/skel
[Note: Now the default shell changed to /bin/ksh]
# useradd ram
# grep ram /etc/passwd
ram:x:512:512::/home/ram:/bin/ksh
[Note: New users are getting created with /bin/ksh]
# useradd -D -s /bin/bash
[Note: Set it back to /bin/bash, as the above is only for testing purpose]
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
[Note: The default shell is /bin/bash]
# useradd -D -s /bin/ksh
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/ksh
SKEL=/etc/skel
[Note: Now the default shell changed to /bin/ksh]
# useradd ram
# grep ram /etc/passwd
ram:x:512:512::/home/ram:/bin/ksh
[Note: New users are getting created with /bin/ksh]
# useradd -D -s /bin/bash
[Note: Set it back to /bin/bash, as the above is only for testing purpose]
8) Linux adduser Command – Create Users Interactively:
These are the friendlier tools to the low level useradd. By default it chooses the Debian policy format for UID and GID. A very simple way of creating user in the command line interactively is using adduser command.
Syntax: # adduser {username}
Syntax: # adduser {username}
# adduser pinky
Adding user `pinky' ...
Adding new group `pinky' (1009) ...
Adding new user `pinky' (1009) with group `pinky' ...
Creating home directory `/home/pinky' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pinky
Enter the new value, or press ENTER for the default
Full Name []: Peter Parker
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
Adding user `pinky' ...
Adding new group `pinky' (1009) ...
Adding new user `pinky' (1009) with group `pinky' ...
Creating home directory `/home/pinky' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pinky
Enter the new value, or press ENTER for the default
Full Name []: Peter Parker
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [y/N] y
9) Linux newusers Command — Creating bulk users:
Sometimes you may want to to create multiple users at the same time.
Any method for bulk user creation can be very tedious and time consuming. Fortunately, Linux offers a way to upload users using newusers command. This can also be executed in batch mode as it cannot ask any input.
Syntax: # newusers {filename}
This file format is same as the password file.
loginname:password:uid:gid:comment:home_dir:shell
#cat db-tema-users.txt
sony:HbZ600a9:1008:1000:Sony DBA:/home/sony:/bin/bash
navs:1enq733N:1009:1000:Navs DBA:/home/navs:/bin/csh
rohan:1y51Jr8K:1010:1000:Rohan DBA:/home/rohan:/bin/ksh
Create DBA team user ids at oneshot
# newusers db-tema-users.txt
Any method for bulk user creation can be very tedious and time consuming. Fortunately, Linux offers a way to upload users using newusers command. This can also be executed in batch mode as it cannot ask any input.
Syntax: # newusers {filename}
This file format is same as the password file.
loginname:password:uid:gid:comment:home_dir:shell
#cat db-tema-users.txt
sony:HbZ600a9:1008:1000:Sony DBA:/home/sony:/bin/bash
navs:1enq733N:1009:1000:Navs DBA:/home/navs:/bin/csh
rohan:1y51Jr8K:1010:1000:Rohan DBA:/home/rohan:/bin/ksh
Create DBA team user ids at oneshot
# newusers db-tema-users.txt
I hope these are helpful to you,see you again with another article.
informative post given knowledge on subject, helpful for the newbies to learn Linux administration. Career in Linux administration is very good.
ReplyDelete