Useful Tips

Linux Users - Add, Modify, Delete

Linux is a multi-user system, so the user is the key concept around which access control is organised. When a user logs in (passes authentication, for example by entering a login name and a password), the system identifies them with an account, in which it stores the login name and the other information it needs in order to work with that user. The system works with accounts, not with the people behind them. The fields that make up an account are described below.

Creating and deleting a user on Linux - useradd

Users are added with useradd and deleted with userdel. Let's create two accounts: we will keep working with one and delete the other.

Before adding an account on an unfamiliar server, first look at the defaults that apply to new users. useradd takes them from the template in /etc/default/useradd. Let's see what is there:

What is important for us here:

  • HOME=/home - the directory under which the user's home folder is created, traditionally /home
  • INACTIVE=-1 - the number of days after the password expires during which the account may still be used before it is locked permanently; -1 means the feature is off
  • EXPIRE= - the date on which the account is disabled; empty here, meaning never
  • SHELL=/bin/bash - the login shell new users get
  • SKEL=/etc/skel - the directory whose files are copied into a new user's home directory

The defaults suit us, so let's create an account:

-m tells useradd to create the home folder under /home if it does not exist yet.
And right away the second one:

For variety, the -s switch sets the shell to sh rather than bash, and -c sets the comment field, which is usually used for the user's full name.

Other options useradd understands:
-b - base directory in which the home folder is created; default /home
-d - explicit path of the home directory; by default the user's name under the base directory
-e - date on which the account is disabled, in YYYY-MM-DD format; off by default. Corresponds to EXPIRE in /etc/default/useradd
-f - corresponds to INACTIVE in the template: the number of days after the password expires before the account is locked
-g - primary group of the new user, given as a GID or a group name. If omitted, a group with the same name as the user is normally created and used
-G - comma-separated list of supplementary groups for the new user
-k - path to the skeleton directory; corresponds to SKEL in the template
-u - set the UID explicitly instead of taking the next free one
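The defaults and options above, exercised in one script. This is an added example, not a command from the original article: it validates the login name the way useradd does, refuses to touch an account that already exists, creates the user with -m, -c, -s and -G, and then verifies the recorded shell and the ownership of the home directory instead of trusting the exit status. The login names alice and bob, the comment strings and the supplementary group users are assumptions for the demo; the account-creating part runs only as root and only when APPLY=1 is set, so the script can be read on any machine.

```shell
#!/bin/sh
# Added example (not from the original article): create an account with
# explicit useradd options and verify the result.  The login names, comment
# strings and the supplementary group "users" are assumptions for the demo.
set -eu
export LC_ALL=C   # make [a-z] in patterns mean ASCII letters only

# Check a login name against the traditional shadow-utils rule:
# starts with a letter or underscore, then letters, digits, "_" or "-",
# at most 32 characters.  useradd rejects anything else, so check first
# instead of discovering it from an error in the middle of a script.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*|[0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create one user: name, comment (full name), login shell, supplementary groups.
# Existing accounts are reported and left alone rather than modified.
provision_user() {
    name=$1 comment=$2 shell=$3 extra_groups=$4
    valid_login "$name" || { echo "refusing invalid login name: $name" >&2; return 1; }
    if getent passwd "$name" >/dev/null; then
        echo "$name already exists with UID $(id -u "$name"); leaving it as is" >&2
        return 0
    fi
    # -m creates the home directory from SKEL, -c sets the GECOS comment,
    # -s the login shell, -G the supplementary groups; the primary group
    # follows the distribution default (normally a private group named
    # after the user).
    useradd -m -c "$comment" -s "$shell" -G "$extra_groups" "$name"

    # Verify what was actually recorded rather than trusting the exit status
    entry=$(getent passwd "$name")
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    [ "$(printf '%s\n' "$entry" | cut -d: -f7)" = "$shell" ]
    [ -d "$home" ]
    [ "$(stat -c %U "$home")" = "$name" ]
    echo "created: $entry"
    id "$name"
}

# The account-creating part runs only as root and only on request, so the
# script can be read, and its helper tested, on any machine.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
    useradd -D                                # effective defaults (/etc/default/useradd)
    provision_user alice "Alice Example" /bin/bash users
    provision_user bob   "Bob Example"   /bin/sh   users
    # To remove the throwaway account together with its home and mail spool:
    # userdel -r bob
fi
```

useradd -D prints the same template the article reads from /etc/default/useradd, which is the quickest way to check an unfamiliar host before creating anything on it.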

User Identifier (UID)

Linux ties the login name to a numeric user identifier, the UID (User ID). The UID is a non-negative integer by which the system tracks users 1. It is normally chosen automatically when the account is registered, but not arbitrarily: there are conventions about which ranges are issued to which kinds of users. In particular, the low range (UIDs 0 to 99 on most distributions, with 0 always being root) is reserved for system accounts, often called pseudo-users 2.

Group Identifier (GID)

Besides the UID, an account carries a group identifier. Groups are used to give several users access to the same resources. Like a user, a group has a name and a number, the GID (Group ID). On Linux every user belongs to at least one group, the primary (default) group. When an account is created, a group with the same name as the login name is usually created as well 3, and it becomes that user's primary group. A user may belong to several groups, but only the primary GID is recorded in the account itself; the other memberships are recorded with the groups. Groups are the mechanism for controlling several users' access to shared resources.

Full name

Besides the login name, the account holds the full name (first and last name) of the person using it. Of course, the user can put anything there. The full name matters less to the system than to people: it shows who owns the account.

Example of creating a user with sudo privileges

Log in to the server as root:

ssh root@server_ip_address

Run adduser to create the new account:

adduser username

Set and confirm the password for the new user by following the on-screen instructions:

If the password is updated successfully, the system will display a message:

Follow the instructions on the screen to enter information about the new user. You can accept the default values ​​by leaving the input fields blank.

Enter a new value or press ENTER to set the default values.

Next, the system will ask for confirmation that all data has been entered correctly:

Press the Y key to confirm that the entered data is correct.

Use usermod to add the user to the sudo group:

usermod -aG sudo username

By default on Ubuntu, members of the sudo group may use sudo.

Use su to switch to the new account:

su - username

As the new user, confirm that you can use sudo by prefixing a command that needs superuser privileges with sudo:

sudo command_to_run

For example, list the contents of /root, which normally only the superuser can read:

sudo ls -la /root

The first time you use sudo in a session you are asked for the user's own password (not root's). Enter it to continue:

If the user is in the right group and the password is correct, the command prefixed with sudo runs with superuser privileges.
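The grant described above, done from a script and verified without an interactive login. This is an added example, not part of the original article: it finds out which group the local /etc/sudoers actually trusts (%sudo on Debian and Ubuntu, %wheel on the RHEL family), adds the user with usermod -aG, checks the membership in the group database and then asks sudo itself with sudo -l -U what the user may do. The login name alice is an assumption; the modifying part runs only as root and only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article): put a user into the group
# that /etc/sudoers trusts and verify the grant from the group database and
# from sudo itself.  The login name "alice" is an assumption for the demo.
set -eu
export LC_ALL=C

# Parse one /etc/group line ("sudo:x:27:alice,bob") and report whether $2 is
# listed in the fourth, comma-separated, member field.  Exact match only, so
# "bob" does not match "bobby".
group_line_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Find which group a sudoers file actually trusts: Debian/Ubuntu ship a
# "%sudo" rule, RHEL-family systems a "%wheel" rule.  Rules may also live in
# /etc/sudoers.d/*, which this simple check does not read.
sudo_group_in() {
    if grep -Eq '^[[:space:]]*%sudo[[:space:]]' "$1"; then
        echo sudo
    elif grep -Eq '^[[:space:]]*%wheel[[:space:]]' "$1"; then
        echo wheel
    else
        return 1
    fi
}

grant_sudo() {
    name=$1
    grp=$(sudo_group_in /etc/sudoers) ||
        { echo "no %sudo or %wheel rule in /etc/sudoers" >&2; return 1; }
    echo "groups before: $(id -nG "$name")"
    # -a is the important letter: "usermod -G $grp" on its own REPLACES the
    # whole supplementary group list instead of appending to it.
    usermod -aG "$grp" "$name"
    echo "groups after:  $(id -nG "$name")"
    # Check the group database rather than a cached login session
    group_line_has_member "$(getent group "$grp")" "$name" ||
        { echo "$name is not in $grp after usermod" >&2; return 1; }
    # Ask sudo what it would allow this user; as root no password is needed
    sudo -l -U "$name"
}

if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
    grant_sudo alice
fi
```

A new group membership is only picked up by sessions started after the change, which is why the article switches to the account with su - instead of continuing in an existing shell of that user.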

Change user account settings

With chfn you can enter or change the informational fields of an account (full name, office, work and home phone numbers) for username:

chfn -f full_name -o office -p work_phone -h home_phone username

(These option letters are those of the util-linux chfn; the shadow-utils version uses -r for the room, -w for the work phone and -o for "other", so check chfn --help on your system before scripting it.)

To set a password, use the command passwd:

passwd username

The command asks for the new password and then once more to confirm it.

To force the user to change the password at the first login, run:

chage -d 0 username

View user accounts

All user account information is stored in /etc/passwd.

To list the accounts, enter:

cat /etc/passwd

The output may look like this:

Each line has the format:

account:password:UID:GID:GECOS:directory:shell

account - login name
password - historically the hashed password; on modern systems an x, meaning the hash is kept in /etc/shadow
UID - user identification number
GID - identification number of the user's primary group
GECOS - optional field for additional information about the user, such as the full name
directory - the user's home directory ($HOME)
shell - the login shell, for example /bin/bash (or /usr/sbin/nologin for accounts that must not log in)

To see which users are logged in right now, use who or w.

The output of who looks like this:

The output of w looks like this:

User Account Management

Linux user accounts can be managed in three equivalent ways. First, with the graphical tools of your distribution; their appearance and operation vary from one distribution to the next. If you are an inexperienced user on a home system, use those: they are the least likely to cause problems.

Second, with the command-line tools useradd, usermod, gpasswd, passwd and others. Server administrators mostly use these, because they are familiar and ship essentially unchanged across distributions. This chapter concentrates on them.

The third, more radical way is to edit the local configuration files directly, preferably with vipw and vigr, which lock /etc/passwd and /etc/group while you edit them (a plain vi does not). Do not do this on production systems unless you know exactly what you are doing!

File /etc/passwd

As the output shows, the file is a table of seven colon-separated columns: the username, the character x, the UID, the GID of the primary group, the account description, the path to the home directory, and the path to the shell executable started when the user logs in.

Home directory

On Linux every user's files are kept apart: each user has a home directory in which to store their data, and other users' access to it can be restricted. The home directory must be recorded in the account because it is where the user's session starts after login.

Login shell

The most important way of interacting with a Linux system is the command line, which lets the user hold a "dialogue" with the system: send it commands and receive its answers. A special program, the command shell (command-line interpreter, or simply shell), serves this purpose. The login shell is started when a user logs in in text mode, for example on a virtual console. Since several shells are available on Linux, the account records which one to start for this user. Unless you choose one explicitly when creating the account, the default is used, most likely bash.

All the account information listed above is stored in /etc/passwd. The record for a particular account can be read with the getent 4 utility:

The first parameter, passwd, names the database to search; it matches the name of the corresponding configuration file. The second, tester, is the login name of the account. getent prints the /etc/passwd line describing the account: login name, password field (an x here, because the password is kept elsewhere, see below), UID, GID, full name, home directory and login shell.

The password itself is never stored on Linux; only a hash of it is. Modern systems use so-called shadow passwords: the hashes are kept separately from the rest of the account data, and extra restrictions such as a password expiry date can be attached to them. Depending on how strict the policy is, the hashes are either all kept in one file, /etc/shadow (less strict), or in a separate shadow file per user. ALT Linux uses the tcb scheme by default, which implements the stricter variant. Reading the shadow data requires superuser privileges; the same utility does it with getent shadow tester. The shadow(5) and tcb(5) manuals describe what shadow passwords can do.

Information about groups is also kept separately, in /etc/group. The record for a particular group can be read with the same getent utility:

An /etc/group record is simple: the group name (like an account name), a password field (again x; group passwords are very rarely used), the GID, and a comma-separated list of the login names of the group's members. Any user can list the groups they belong to with the groups command, and get fuller details about their own or another account with id username. Group membership matters chiefly for access rights: every file has not only an owning user but also an owning group.
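The three databases just described, read the way an auditor reads them. This added example is not part of the original article; it serves both the field-by-field description of /etc/passwd under "View user accounts" and the passwd, shadow and group records explained here. Each function takes the path of one database and prints the accounts that match a condition worth knowing about: a second UID 0, two names sharing a UID, an empty password field, a system account that still has an interactive shell, a shadow entry with no hash at all, a forced password change (what chage -d 0 sets), and the members of the sudo group. The sample records are constructed for the demo; set AUDIT_DIR=/etc (as root, for shadow) to run the same checks on a live system.

```shell
#!/bin/sh
# Added example (not from the original article): read the three account
# databases the text describes and flag the conditions an auditor checks
# first.  All records below are constructed for the demo; point the
# functions at /etc/passwd, /etc/shadow and /etc/group (as root) for a
# live system.
set -eu
export LC_ALL=C

# passwd: any UID 0 account besides root is a second root login
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# passwd: two names on one UID are the same principal to the kernel
dup_uids() {
    awk -F: '{ seen[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in seen) if (seen[u] > 1) print u ":" names[u] }' "$1"
}

# passwd: "x" means "the hash lives in shadow"; an empty field means no password
empty_passwd_field() { awk -F: '$2 == "" { print $1 }' "$1"; }

# passwd: system accounts (UID below $2, normally UID_MIN from login.defs)
# that still have an interactive shell instead of nologin/false
system_with_shell() {
    awk -F: -v min="$2" \
        '$3 < min && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# shadow: empty hash field means no password at all (a "!" or "*" prefix
# would mean locked); last-change 0 is what "chage -d 0" sets to force a
# change at next login
shadow_passwordless() { awk -F: '$2 == "" { print $1 }' "$1"; }
shadow_forced_change() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# group: members of a named group, e.g. who can use sudo through a %sudo rule
group_members() { awk -F: -v g="$2" '$1 == g { gsub(",", " ", $4); print $4 }' "$1"; }

# Constructed sample records written into $1/passwd, $1/shadow, $1/group
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/bin/sh
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob::1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1000:1002:Carol Example:/home/carol:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
sys:*:19000:0:99999:7:::
alice:$6$salt$hash:0:0:99999:7:::
bob::19000:0:99999:7:::
carol:!:19000:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:alice,toor
users:x:100:
EOF
}

audit() {
    echo "UID 0 besides root:        $(extra_uid0 "$1/passwd" | paste -sd' ')"
    echo "duplicate UIDs:            $(dup_uids "$1/passwd" | sort | paste -sd';')"
    echo "empty passwd field:        $(empty_passwd_field "$1/passwd" | paste -sd' ')"
    echo "system accounts w/ shell:  $(system_with_shell "$1/passwd" 1000 | paste -sd' ')"
    echo "no password in shadow:     $(shadow_passwordless "$1/shadow" | paste -sd' ')"
    echo "must change at next login: $(shadow_forced_change "$1/shadow" | paste -sd' ')"
    echo "members of sudo:           $(group_members "$1/group" sudo)"
}

# AUDIT_DIR=/etc runs against the live databases (root needed for shadow)
if [ -n "${AUDIT_DIR:-}" ]; then
    audit "$AUDIT_DIR"
else
    d=$(mktemp -d)
    write_samples "$d"
    audit "$d"
    rm -rf "$d"
fi
```

On the constructed data the report names toor as a second root, root/toor and alice/carol as UID collisions, bob as having no password in either file, toor and sys as low-UID accounts with a shell, alice as forced to change her password, and alice and toor as sudo members. Each of those lines is worth a question on a real host.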

User Creation

To create a fully usable Linux user, several fairly independent actions are needed:

  • create an entry in /etc/passwd, giving the account a unique name, a UID and so on,
  • create the user's home directory and give the user access to it (make them its owner),
  • copy the standard contents, usually configuration files, from /etc/skel into the home directory,
  • update other system files, in particular create the incoming-mail spool for the user (/var/spool/mail/tester).

All of this can be done by hand, but that is inconvenient and easy to get wrong. The useradd utility (on some systems also reachable under the name adduser; on Debian and Ubuntu adduser is a separate interactive front-end to it) does it in one step and, naturally, needs administrator privileges. In the simplest case two commands suffice:

First, useradd adds the account (the login name is its only parameter, test in our example), filling the fields with default values and making the necessary changes to the system. Additional parameters let you set any account field explicitly, and the utility can also change the defaults it uses; see the useradd(8) manual. Then passwd, run with superuser privileges, assigns the user a password; whatever password existed before is lost. Run without parameters by an ordinary user, passwd changes that user's own password, but asks for the current one first.

useradd has counterparts for changing an existing account (usermod) and for deleting one (userdel). Users can change some non-critical fields of their own account themselves: chfn(1) from the shadow-change package sets the full name and the other informational fields, and chsh(1) from the same package changes the login shell (it accepts only shells listed in /etc/shells). Note that in ALT Linux users may edit their own account only when the corresponding access mode is set: control chsh should report public, and likewise control chfn. The superuser enables this with control chsh public (and similarly for chfn).

The most common group operation, adding a user to a group, can be done by editing /etc/group: open it (with superuser privileges, of course), find the line that starts with the group name and append the login name at the end, separated by a comma. The safer route is usermod -aG group user or gpasswd -a user group, which lock the file while writing and cannot truncate it by accident; mind the -a, because usermod -G without it replaces the user's whole supplementary group list. Groups themselves are managed with groupadd(8), groupdel(8) and groupmod(8); details are in their manuals.

1 This can matter, for example, in the following situation: the account test was deleted from the system and then added again. From the system's point of view this is a different user, because it has a different UID; files still owned by the old UID do not automatically belong to the new account.

2 Typically Linux assigns UIDs to ordinary users starting at 500 or 1000.

3 Normally the numeric GID of that group is the same as the UID.

4 The utility is also useful for looking up other system databases; see getent --help.

Practice: Managing User Accounts

1. Create a user account named serena with the description (comment) "Serena Williams" and a home directory, all in a single command.

2. Create a user account named venus, specifying the bash shell, the description "Venus Williams" and a home directory, in a single command.

3. Verify that both users have correct entries in /etc/passwd, /etc/shadow and /etc/group.

4. Verify that the home directories were created correctly.

5. Create a user account named einstime with the utility /bin/time as its login shell.

6. What happens if you log in as einstime? Can you think of a real situation in which replacing the login shell with an application would be useful?

7. Create a file named welcome.txt and make sure every new user finds it in their home directory.

8. Check that the file lands in the right place by creating (and deleting) a test user account.

9. Change serena's login shell to /bin/bash. Perform the appropriate checks before and after the change.

The correct procedure for completing the practical task: managing user accounts

1. Create a user account named serena with the description (comment) "Serena Williams" and a home directory, all in a single command.

2. Create a user account named venus, specifying the bash shell, the description "Venus Williams" and a home directory, in a single command.

3. Verify that both users have correct entries in /etc/passwd, /etc/shadow and /etc/group.

4. Verify that the home directories were created correctly.

5. Create a user account named einstime with the utility /bin/time as its login shell.

6. What happens if you log in as einstime? Can you think of a real situation in which replacing the login shell with an application would be useful?

Replacing the shell makes sense when the user should be able to use exactly one application on the server: as soon as they log in the application starts, and when it exits the session ends. The application then is the security boundary, so it must not offer a way to spawn a shell or run other programs (many editors, pagers and interactive tools do).

7. Create a file named welcome.txt and make sure every new user finds it in their home directory.

8. Check that the file lands in the right place by creating (and deleting) a test user account.

9. Change serena's login shell to /bin/bash. Perform the appropriate checks before and after the change.
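One script that carries out exercises 1 to 9 with the checks they ask for. This is an added example, not the article's own solution: the login names serena, venus and einstime come from the exercises, while the helper functions and the throwaway account skeltest are assumptions. shell_listed shows the distinction exercise 9 turns on: chsh lets a user choose only shells listed in /etc/shells, whereas useradd -s and usermod -s accept any path, which is how an application like /bin/time can become a login shell in the first place. The account changes run only as root and only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original article): the commands that carry out
# exercises 1 to 9 with the checks they ask for.  The login names come from
# the exercises; the helper functions and the throwaway name "skeltest" are
# assumptions.  Account changes run only as root and only when APPLY=1 is set.
set -eu
export LC_ALL=C

# chsh(1) lets a user pick only shells listed in /etc/shells; useradd -s and
# usermod -s do not check.  Returns 0 if shell $1 is listed in file $2
# (default /etc/shells), matching whole lines only.
shell_listed() {
    grep -Fxq -- "$1" "${2:-/etc/shells}"
}

# The checks asked for in exercises 3, 4 and 9, for one account
show_account() {
    getent passwd "$1"
    getent shadow "$1" | cut -d: -f1,3-      # every field except the hash
    getent group | awk -F: -v u="$1" '$1 == u || ("," $4 ",") ~ ("," u ",")'
    home=$(getent passwd "$1" | cut -d: -f6)
    ls -ld "$home"
    ls -A "$home"
}

if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
    # 1 and 2: one command each; -m creates the home, -c the comment, -s the shell
    useradd -m -c "Serena Williams" serena
    useradd -m -c "Venus Williams" -s /bin/bash venus
    # 3 and 4
    show_account serena
    show_account venus
    # 5 and 6: an application as the login shell.  Logging in runs /bin/time,
    # which exits at once, so the session ends immediately.
    useradd -m -s /bin/time einstime
    shell_listed /bin/time /etc/shells ||
        echo "/bin/time is not in /etc/shells, so einstime cannot change it back with chsh"
    # 7 and 8: everything in /etc/skel is copied into each new home directory
    printf 'Welcome to %s\n' "$(uname -n)" > /etc/skel/welcome.txt
    useradd -m skeltest
    ls -l /home/skeltest/welcome.txt
    userdel -r skeltest
    # 9: check, change, check again
    getent passwd serena | cut -d: -f7
    usermod -s /bin/bash serena
    getent passwd serena | cut -d: -f7
fi
```

Because /bin/time is not in /etc/shells, the einstime account is also refused by services that consult that file (ftp daemons and some PAM setups do), which is usually what you want for an application-only login.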