Linux Users and Groups
Users
Linux is a multiuser operating system, meaning that it provides features to help multiple individuals use the computer. Collectively, these features constitute accounts.
Related to accounts are groups, which are collections of accounts that can be given special permissions on the computer.
One account, known as root, has special privileges on the computer. You use this account to perform most system administration tasks, so you should understand this account before you tackle the administrative tasks. These important topics are at the foundation of system security.
/etc/passwd
Most account features are defined in the /etc/passwd
file, which
consists of colon-delimited lines, with each line (or record) defining a
single account. An entry might resemble the following:
vader:x:1003:100:Darth Vader:/home/rich:/bin/bash
The information contained in the fields of this record includes the following:
Username An account's username is its most relevant feature. Most Linux account usernames consist of lowercase letters, and occasionally numbers, as in rich or thx1138. Underscores (_) and dashes (-) are also valid characters in some Linux distributions' usernames, as are dollar signs ($) at the end.
Password User accounts are typically protected by a password, which is
required to log into the computer. Direct login to most system accounts is
disabled, so they lack passwords. The root account is an important
exception; it has a password in most distributions. The password field in
the /etc/passwd
file usually contains an x, which is a
code meaning that the password is stored in /etc/shadow
.
UID In reality, the username is just a label that the computer displays to humans. The computer uses a user identification (UID) number to track accounts. UID numbers begin with 0, which refers to the root account. In most distributions, user accounts have UID numbers at 1,000 and above, with lower numbers reserved for system accounts. Some distributions number user accounts starting at 500 rather than 1,000.
GID Accounts are tied to one or more groups. Groups are similar to accounts in many ways; however, a group is a collection of accounts. One of the primary purposes of groups is to enable users to give certain users access to their files, while preventing others from accessing them. Each account is tied directly to a primary group via a group ID (GID) number. Accounts can be tied to other groups by inclusion in the group's definition.
Comment Field The comment field normally holds the user's full name, although this field can hold other information instead of or in addition to the user's name.
Home Directory User accounts, and some system accounts, have home directories. A home directory is an account's "home base." Normally, ownership of an account's home directory belongs to the account. Certain tools and procedures make it easy for users to access their home directories; for instance, the tilde (~) refers to a user's home directory when used at the start of a filename.
Default Shell A default shell is associated with every account. In
Linux, this shell is normally Bash (/bin/bash
), but
individual users can change this if they like. Most non-root system accounts
set the default shell to /usr/sbin/nologin
(or
/sbin/nologin
) as an added security measure-this program
displays a message stating that the account is not available. Using
/bin/false
works in a similar way, although without the
explanatory message.
/etc/shadow
You might guess by its name that /etc/passwd
holds password
information. This isn't normally the case today, although it was many years
ago. For historical reasons, /etc/passwd
must be readable by
all users, so storing passwords there, even as a salted and hashed password,
is risky. Passwords today are stored in another file,
/etc/shadow
, that ordinary users can't read. This file
associates a salted and hashed password, as well as other information,
with an account. This information can disable an account after a period of
time or if the user doesn't change the password within a given period of
time.
Passwords are stored using a salted hash, a one-way mathematical process with
additional random input (salt), that produces what looks like nonsense to
humans. When a user types a password, it's salted and hashed, andif the
salted hashes match, access is granted. A typical /etc/shadow
entry looks like this:
vader:$1$E/moFkeT5UnTQ3KqZUoA4Fl2tPUoIc:16860:5:30:14:-1:-1:
The meaning of each colon-delimited field on this line is as follows:
Username Each line begins with the username. Note that the UID is
not used in /etc/shadow
; the username links entries in this file
to those in /etc/passwd
.
Password The password is stored as a salted hash, so it bears no
obvious resemblance to the actual password. An asterisk (*
) or
exclamation mark (!
) denotes an account with no password (that
is, the account doesn't accept logins-it's locked). This is common for
accounts used by the system itself.
Last Password Change The next field (16860 in this example) is the date of the last password change. This date is stored as the number of days since January 1, 1970.
Days Until a Change Is Allowed The next field (5 in this example) is the number of days before a password change is allowed. This is used to prevent users from changing their passwords as required and then changing them right back to the original password.
Days Before a Change Is Required This field (30 in this example) is the number of days before another password change is required (since the last password change).
Days of Warning Before Password Expiration If your system is configured to expire passwords, you may set it to warn the user when an expiration date is approaching. A value of 7 is typical. However 14 days, as shown in the preceding example, may be appropriate if your company's employees take two-week vacations.
Days Between Expiration and Deactivation Linux allows for a gap between the expiration of an account and its complete deactivation. An expired account either can't be used or requires that the user change the password immediately after logging in. In either case, its password remains intact. A deactivated account's password is erased, and the account can't be used until the system administrator reactivates it. A -1 in this field, as shown in the preceding example, indicates that this feature is disabled.
Expiration Date This field shows the date on which the account will expire. As with the last password change date, the date is expressed as the number of days since January 1, 1970. A -1 in this field, as shown in the preceding example, indicates that this feature is disabled.
Special Flag This field is reserved for future use and normally isn't used or contains a meaningless value. This field is empty in the preceding example.
For fields relating to day counts, a value of -1 or 99999 typically indicates
that the relevant feature has been disabled. The /etc/shadow
values are generally best left to modification through commands such as
usermod
and chage
. Understanding the format of
the file enables you to review its contents and note any discrepancies,
which could indicate that your system has been compromised.
The /etc/shadow
file is usually stored with restrictive
permissions, with ownership by root. This fact is critical to the
shadow password system's utility because it keeps non-root users from reading
the file and obtaining the password list, even in a salted and hashed form.
By contrast, /etc/passwd
must be readable by ordinary users
and usually has less-restrictive permissions.
The terms encrypted and hashed are often confused when used with computer objects. You can decrypt an encrypted object, but you cannot "dehash" a hashed object. Passwords on Linux are salted and hashed, though often you'll see the term encrypted mistakenly used instead in Linux documentation.
It's important to realize that an account isn't a single entity like a
program binary file. Account information is scattered across several
configuration files, such as /etc/passwd
,
/etc/shadow
, /etc/group
, and possibly in other
configuration files that refer to accounts. User files reside in the
user's home directory and perhaps elsewhere. Thus managing accounts can
require doing more than just maintaining a file or two. For this reason,
various utilities exist to help create, manage, and delete accounts.
Examples of user files stored outside the user's home directory include email
in /var/spool/mail
and temporary files in /tmp
.
Adding Users
You use the useradd
utility to create an account from the
command line. To use this utility, you type its name and the username that
you want to associate with a new account.
Option Name | Option Abbreviation | Description |
---|---|---|
--comment comment |
-c |
This parameter specifies the comment field for the user. |
--home home-dir |
-d |
Specify the account's home directory with this parameter. It
defaults to /home/username . |
--expiredate expire-date |
-e |
You set the date on which the account will be disabled, expressed in
the form YYYY-MM-DD , with this option. The default is
for an account that does not expire. |
--inactive inactive-days |
-f |
This parameter sets the number of days after a password expires,
after which the account becomes completely disabled. A value of
-1 disables this feature and is the default. |
--gid default-group |
-g |
You set the name or GID of the user's default group with this option. The default for this value is a new group named after the user. |
--groups group[,...] |
-G |
This parameter sets the names or GIDs of groups to which the user belongs-more than one may be specified by separating them with commas. |
--create-home |
-m |
When this option is included, useradd creates a home
directory for the user. This option is typically enabled by default. |
--skel skeleton-dir |
-k |
Normally, default user configuration files are copied from /etc/skel , but you may specify another template directory with this option, which is valid only in conjunction with -m . |
N/A | -M |
This option forces the system not to automatically create a home directory. |
--shell shell |
-s |
You set the name of the user's default login shell with this option. The default is /bin/bash . |
--uid UID |
-u |
This parameter creates an account with the specified user ID value (UID ). |
--non-unique |
-o |
This parameter enables a single UID number to be reused; this option is passed when creating the second or subsequent account that reuses a UID. |
--system |
-r |
This parameter specifies the creation of a system account.
useradd doesn't create a home directory for system
accounts, and it gives them UID values below 100. |
--no-user-group |
-N |
This option disables creation of a group for the user. |
Note: It is possible to add a password with the useradd
command's -p
option. However, for security reasons, this is
not reccommended. It is better to user the passwd
command.
A complete useradd
command, including setting a few options,
looks like this:
useradd -m -c "Darth Vader" -u 1012 vader
This example creates an account with a username vader
, a home
directory, a comment field containing the user's full name, and a UID of
1012
.
You might want to specify a UID to keep these values synchronized across computers that share files with the Network File System (NFS), which identifies file ownership via UIDs.
When you create an account with useradd
, it will be in a
locked state - the user will not be able to log in. To unlock it, you
must use the passwd
command.
If you use --create-home
or -m
, or if this option is
used by default, the program creates a home directory and copies files from
/etc/skel
to that location. Creating an account will also usually create a mail spool file in which the user's incoming email will be stored. (This file may go unused on many desktop systems, but it can be important if you run mail server software on the computer.) Thus you can see that useradd
makes quite a few modifications to your computer's files and directories in creating the account.
Deleting Users
Deleting accounts can sometimes be as important as adding or modifying them. Unused accounts can be abused, either by their former owners or by others who might be able to break into an account if it has a weak password. Thus you should routinely delete unused accounts. Before you do so, though, you should understand what happens when you delete an account and decide precisely how to do it, lest you create problems by deleting an account in an inappropriate way.
Avoiding Account-Deletion Pitfalls
Deleting an account may sound simple enough, but a mistake can cause problems, either immediately or in the future. In addition to obvious issues such as accidentally deleting the wrong account, you should consider two factors:
User File Preservation
Users’ files might be extremely valuable, either to the users
themselves or to the organization that owns the computer. Thus you should
check your company’s file retention policies when considering whether
to delete the user’s home directory or do something else with it, such
as move it into another user’s home directory and change permissions on
the files it contains. The same is true of the user’s mail queue
(normally stored in /var/spool/mail/username
, where
username
is the username).
Consider archiving a deleted account’s home directory to a long-term backup medium. This will enable you to recover the files should they become valuable in the future.
UID and GID Reuse
When an account is deleted, the account’s UID and GID become available for reuse. In many cases, these numbers will not be reused, since Linux assigns these values based on the highest current value. Thus if you delete any but the highest-numbered current user, the user’s old UID and GID numbers won’t be reused unless intervening accounts are also deleted. Nonetheless, if a UID is reused, any files previously owned by the old user will suddenly appear to be owned by the new user. This might not cause any problems, but it might cause confusion about who created the files. In some cases, it could even cause suspicion of wrongdoing by the new user (if the old files contain information the new user shouldn’t have, or if they reside in directories to which the new user shouldn’t have access).
If you want to avoid any chance of confusion or misbehavior claims falling on
new users due to UID or GID reuse, you can use the find command to locate all
files with particular UID or GID values, using the -uid
and
-gid
options, as in:
# find / -uid 1004
You can issue this command as a non-root
user, but it will
return errors and it may miss some files. Thus it’s best to do this
with superuser privileges.
This example finds all files on the computer with a UID of 1004. (Searching on a GID works the same way, but using the -gid
option.) You can then reassign ownership of these files by using the chown
command or delete them. Ordinarily, you’d issue this command only after deleting or reassigning ownership of the user’s home directory, since that directory will probably contain far too many matching files.
Deleting Accounts From the Shell
The userdel
command deletes accounts from a text-mode shell.
In its simplest form, you pass it a username and nothing more:
userdel vader
Notice that in the userdel
examples, the sudo
command is used to obtain superuser privileges, which are required to
complete this command successfully. If you were logged into the root
account, sudo
would not be needed.
The program doesn’t prompt you for confirmation; it just deletes
the account. It does not, however, delete the user’s home directory
by default. To have it do so, pass it the --remove
(-r
) option.
If the user is currently logged in, userdel
notifies you of that fact and does nothing. You can pass it the --force
(-f
) option to delete the account even though it’s in use. To both force account deletion and remove the user’s files, you can pass both options:
userdel -rf vader
userdel: user vader is currently logged in
The program still complains about the user being logged in, but it deletes the account and files just the same.
Groups
In many respects, groups are comparable to accounts. They’re defined in similar files and managed with similar utilities. Groups are also tied to accounts, in that accounts include group definitions. Until now, it has been assumed that you’ll be using standard groups or the groups that are defined as part of account creation. Sometimes, though, you need to create, delete, or modify groups for specific purposes, such as if you use a project group strategy.
Adding Groups
You can create groups from the shell by using the groupadd
command, which works much like useradd
for users but takes a
smaller set of options. Consult the program’s man
pages
for information on more-obscure options.
Option Name | Option Abbreviation | Description |
---|---|---|
--gid GID |
-g |
You can provide a specific GID with this parameter. If you omit it, groupadd uses the next available GID. |
--non-unique |
-o |
Normally, the GID that you specify must be unused by other groups, but the -o parameter overrides this behavior, enabling you to create multiple groups that share one GID. |
--system |
-r |
This parameter instructs groupadd to create a system group, which is one with a GID of less than 500 or 1,000, depending on the distribution. Nonsystem groups are normally used as user private groups. |
--force |
-f |
Normally, if you try to create a group that already exists, groupadd returns an error message. This parameter suppresses that error message. |
Using the groupadd
command, including setting an option, looks
like this:
# groupadd -g 1001 groupname
This example creates a group with a GID of 1001 and a group name of
groupname
.
Once the group is added, new members can be added to the group. This
requires the use of the usermod
command, as follows:
usermod -aG groupname vader
The -aG
options were used together to add the account, vader
, to the new groupname
group. If the -a
option was not used, the vader
account would be removed from its current group memberships and belong only to the groupname
group. A good habit is to check if the modification was successful by using the groups
command. The groups
command shows all of the group memberships for the specified user account.
To modify the group itself, you can use the groupmod
command.
The --gid
(-g
) and --non-unique
(-o
) options can be used with this command, as well as
--new-name
name (-n
name), which
changes the group’s name.
Deleting Groups
Deleting groups from the shell entails use of the groupdel
command, which takes a group name as a single option, as in
groupdel groupname
to delete the groupname
group.
How To's
To see the groups that your Linux ID belongs to, use the command:
groups
[root@hdcentos infauser]# groups root
To see the groups that a particular Linux ID belongs to, use the command:
groups userid
[root@hdcentos infauser]# groups infauser infauser : infauser
To see a list of all groups:
cat /etc/group
... stapusr:x:156: stapsys:x:157: stapdev:x:158: osboxes:x:1000:osboxes reo:x:1001: hduser:x:1002: hadoop:x:982:yarn,mapred,hdfs yarn:x:981: mapred:x:980: hdfs:x:979: Rodney:x:1003: infauser:x:1004:
To see a list of all users that belong to a group, like the 'root' group:
getent group root
root:x:0:
To change a password on behalf of a user, first sign on or "su" to the "root" account. Then type:
passwd userID
The system will prompt you to enter a password. Passwords do not echo to the screen when you enter them.
The wheel Group
Linux distributions invariably provide several groups by default. One of
these, wheel
(on some distributions), is particularly important
for system administration. Members of the wheel
group are
granted certain special administrative privileges, such as the right to use
the sudo
command. The group name comes from the slang term big
wheel, which refers to an important person.
Not all distributions provide this particular group. You can type grep
wheel /etc/group
to determine if the wheel
group exists
on your distribution.
Some distributions enable you to add your primary user account to the
wheel
group when you install the OS. Be aware that this
phrasing is not used often; instead, the installer asks if you want to add the
account to the “administrators group” or some similar term.