User and Group Administration

To add a new user account, you can run either of the following two commands as root.

adduser tom
useradd jerry

[root@machine1 ~]# cat /etc/passwd | grep tom
tom:x:501:501::/home/tom:/bin/bash
[root@machine1 ~]# cat /etc/passwd | grep jerry
jerry:x:502:502::/home/jerry:/bin/bash
———————————————————————————————————————–
View a List of All Groups
To view all the groups on the system, you can just use the groups command:

groups
———————————————————————————————————————–

View a List of All Users
To view all the users on the system, you can just use the users command:
users
———————————————————————————————————————–
View a User’s Group Assignments
If you’re trying to figure out a permissions issue, you’ll want to use the id command to see what groups the user is assigned to:
id <username>
root@machine1:~# id
uid=0(root) gid=0(root) groups=0(root)

———————————————————————————————————————–
To set the password for a user:

[root@machine1 ~]# passwd tom
Changing password for user tom.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully
———————————————————————————————————————–
When a new user account is added to the system, the following operations are performed.
1. His/her home directory is created (/home/username by default).
2. The following hidden files are copied into the user’s home directory, and will be used to provide environment variables for his/her user session.
.bash_logout
.bash_profile
.bashrc
3. A mail spool is created for the user at /var/spool/mail/username.
4. A group is created and given the same name as the new user account.
———————————————————————————————————————–
su (switch user) is the command used to switch to another user.
If you use su username, you become the other user, but the pwd (present working directory) you were in before stays the same.
If you use su - username, as in the session below:

[root@machine1 ~]# su - tom
[tom@machine1 ~]$ ls -la
total 28
drwx------. 4 tom  tom  4096 Jan 28 00:41 .
drwxr-xr-x. 5 root root 4096 Jan 28 00:41 ..
-rw-r--r--. 1 tom  tom    18 Aug 17 03:49 .bash_logout
-rw-r--r--. 1 tom  tom   176 Aug 17 03:49 .bash_profile
-rw-r--r--. 1 tom  tom   124 Aug 17 03:49 .bashrc
drwxr-xr-x. 2 tom  tom  4096 Jul 14  2010 .gnome2
drwxr-xr-x. 4 tom  tom  4096 Oct 24 05:24 .mozilla
[tom@machine1 ~]$ logout
[root@machine1 ~]# su - jerry
[jerry@machine1 ~]$ ls -la
total 28
drwx------. 4 jerry jerry 4096 Jan 28 00:41 .
drwxr-xr-x. 5 root  root  4096 Jan 28 00:41 ..
-rw-r--r--. 1 jerry jerry   18 Aug 17 03:49 .bash_logout
-rw-r--r--. 1 jerry jerry  176 Aug 17 03:49 .bash_profile
-rw-r--r--. 1 jerry jerry  124 Aug 17 03:49 .bashrc
drwxr-xr-x. 2 jerry jerry 4096 Jul 14  2010 .gnome2
drwxr-xr-x. 4 jerry jerry 4096 Oct 24 05:24 .mozilla
———————————————————————————————————————–
Understanding /etc/passwd

The full account information is stored in the /etc/passwd file. This file contains a record per system user account and has the following format (fields are delimited by a colon).

[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]

Fields [username] and [Comment] are self-explanatory.
The x in the second field indicates that the account is protected by a shadowed password (in /etc/shadow), which is needed to log on as [username].
The [UID] and [GID] fields are integers that represent the User IDentification and the primary Group IDentification to which [username] belongs, respectively.
The [Home directory] is the absolute path to [username]’s home directory, and
the [Default shell] is the shell that will be made available to this user when he or she logs in to the system.
———————————————————————————————————————–
Understanding /etc/group

Group information is stored in the /etc/group file. Each record has the following format.

[Group name]:[Group password]:[GID]:[Group members]
[Group name] is the name of the group.
An x in [Group password] indicates that group passwords are not being used.
[GID]: same as in /etc/passwd.
[Group members]: a comma-separated list of users who are members of [Group name].
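The two record formats just described are enough to reconstruct the id output shown earlier. What follows is an added example, not from the original post, written in POSIX sh with awk over constructed /etc/passwd and /etc/group lines modelled on the tom and jerry accounts; it also resolves a group's full membership, including users who belong only through their primary GID, which /etc/group itself never lists.

```sh
#!/bin/sh
# Added example (not from the original post): rebuild what `id` prints from
# the /etc/passwd and /etc/group formats described above, using constructed
# records that mirror the page's tom/jerry accounts.
PASSWD='root:x:0:0:root:/root:/bin/bash
tom:x:501:501::/home/tom:/bin/bash
jerry:x:502:502::/home/jerry:/bin/bash'
GROUP='root:x:0:
users:x:100:tom,jerry
tom:x:501:
jerry:x:502:'

# Group records (4 fields) are fed first so memberships are known before the
# 7-field passwd record for $1 is reached. Returns 1 if the user is unknown.
id_from_files() {
  printf '%s\n%s\n' "$GROUP" "$PASSWD" | awk -F: -v user="$1" '
    NF == 4 { order[++ng] = $3; gname[$3] = $1
              n = split($4, m, ",")
              for (i = 1; i <= n; i++) member[m[i], $3] = 1; next }
    NF == 7 && $1 == user {
      found = 1; gid = $4; list = gid "(" gname[gid] ")"
      for (i = 1; i <= ng; i++) {          # keep /etc/group order, like id(1)
        g = order[i]
        if (g != gid && (user, g) in member) list = list "," g "(" gname[g] ")"
      }
      printf "uid=%s(%s) gid=%s(%s) groups=%s\n", $3, user, gid, gname[gid], list
    }
    END { exit found ? 0 : 1 }'
}

# Everyone in a group: the comma list from /etc/group plus each user whose
# primary GID is that group, which /etc/group itself never lists (tom:x:501:).
group_members() {
  printf '%s\n%s\n' "$GROUP" "$PASSWD" | awk -F: -v grp="$1" '
    function add(u) { if (!(u in seen)) { seen[u] = 1; list = list (list ? "," : "") u } }
    NF == 4 && $1 == grp { gid = $3; n = split($4, m, ",")
                           for (i = 1; i <= n; i++) add(m[i]); next }
    NF == 7 && gid != "" && $4 == gid { add($1) }
    END { print list }'
}

id_from_files tom       # uid=501(tom) gid=501(tom) groups=501(tom),100(users)
group_members tom       # tom
group_members users     # tom,jerry
```

The same two functions run unchanged against real files if PASSWD and GROUP are filled from /etc/passwd and /etc/group; the usual gotcha they expose is a group whose only members come through primary GIDs and so looks empty in /etc/group.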
———————————————————————————————————————–
After adding an account, you can edit the following information (to name a few fields) using the usermod command, whose basic syntax is as follows.
# usermod [options] [username]

Setting the expiry date for an account
Use the --expiredate flag followed by a date in YYYY-MM-DD format.
# usermod --expiredate 2014-10-30 tom
———————————————————————————————————————–
Adding the user to supplementary groups
Use the combined -aG, or --append --groups, options, followed by a comma-separated list of groups.
# usermod --append --groups root,users tom

# usermod -a -G <groupname> username
———————————————————————————————————————–

Changing the default location of the user’s home directory
Use the -d, or --home, option, followed by the absolute path to the new home directory.
# usermod --home /tmp tom
# usermod -d /tmp tom
———————————————————————————————————————–
Changing the shell the user will use by default
Use --shell (or -s), followed by the path to the new shell.
# usermod --shell /bin/sh tom
# usermod -s /bin/sh tom
———————————————————————————————————————–
Displaying the groups a user is a member of
# groups tom
# id tom
———————————————————————————————————————–
Now let’s execute all the above commands in one go.
# usermod --expiredate 2014-10-30 --append --groups root,users --home /tmp --shell /bin/sh tom
———————————————————————————————————————–

Add a User to a Group (or Second Group) on Linux
Changing the group a user is associated with is a fairly easy task, but not everybody knows the commands, especially for adding a user to a secondary group. We’ll walk through all the scenarios for you.
Add a New Group
To add a new group, all you need to do is use the groupadd command like so:
groupadd <groupname>
Add an Existing User to a Group
Next we’ll add a user to the group, using this syntax:
usermod -a -G <groupname> username
Sometimes you might want to switch out the primary group that a user is assigned to, which you can do with this command:
usermod -g <groupname> username
Add a User to Multiple Groups
You can easily add a user to more than one group by simply specifying them in a comma-delimited list, as long as you are assigning the secondary groups:
usermod -a -G ftp,admins,othergroup <username>
———————————————————————————————————————–

[root@machine1 ~]# chage  -l tom
Last password change : Jan 28, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
———————————————————————————————————————–
[root@machine1 ~]# cat /etc/passwd | grep tom
tom:x:501:501::/home/tom:/bin/bash

[root@machine1 ~]# usermod --home /tmp tom
[root@machine1 ~]# cat /etc/passwd | grep tom
tom:x:501:501::/tmp:/bin/bash

[root@machine1 ~]# cat /etc/group | grep tom
tom:x:501:

[root@machine1 ~]# cat /etc/passwd | grep jerry
jerry:x:502:502::/home/jerry:/bin/bash

[root@machine1 ~]# usermod --expiredate 2016-10-30 tom
[root@machine1 ~]# chage  -l tom
Last password change : Jan 28, 2016
Password expires : never
Password inactive : never
Account expires : Oct 30, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7


[root@localhost ~]# tail -n1 /etc/shadow

mohammed:$1$jUXt.n.l$Jop9u6TlkRT.I6OT7zFq50:16984:0:99999:7:::

Username : It is your login name.

Password : It is your encrypted password. The password should be minimum 6-8 characters long including special characters/digits and more.

Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed

Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password

Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)

Warn : The number of days before password is to expire that user is warned that his/her password must be changed

Inactive : The number of days after password expires that account is disabled

Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.

The last 6 fields provide password aging and account lockout features. You need to use the chage command to set up password aging. According to the man page of shadow, the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64-character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a “$” character, which means the encrypted password was generated using another (not DES) algorithm. For example, if it starts with “$1$” it means the MD5-based algorithm was used. Please note that a password field which starts with an exclamation mark (!) means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
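To see how the nine fields fit together, here is an added example (not from the original post) that decodes shadow records in POSIX sh: it converts the day counts to calendar dates without relying on GNU date, names the hash algorithm from the $id$ prefix, and reports locked accounts. The records it runs over are constructed: the mohammed line is the one quoted above, the tom line is what its fields would look like after the chage and usermod steps shown earlier (with a placeholder hash), and the jerry line is a locked account.

```sh
#!/bin/sh
# Added example (not from the original post): decode one /etc/shadow record
# into the fields described above, as an account-aging audit would.
# Days since 1970-01-01 -> YYYY-MM-DD with integer arithmetic only (no GNU date).
days_to_date() {
  z=$(( $1 + 719468 ))
  era=$(( z / 146097 )); doe=$(( z - era * 146097 ))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  m=$(( mp < 10 ? mp + 3 : mp - 9 ))
  y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Name the hashing scheme from the "$id$" prefix the text describes.
hash_algo() {
  case "$1" in
    '')            echo empty ;;    # no password set at all: a finding
    '*')           echo none ;;     # "*": no usable hash, password login impossible
    '$1$'*)        echo md5 ;;
    '$2'[aby]'$'*) echo bcrypt ;;
    '$5$'*)        echo sha256 ;;
    '$6$'*)        echo sha512 ;;
    '$y$'*)        echo yescrypt ;;
    '$'*)          echo unknown ;;
    *)             echo des ;;      # 13-char traditional crypt, no "$" prefix
  esac
}

# Parse user:hash:last:min:max:warn:inactive:expire:reserved and summarise.
shadow_audit() {
  IFS=: read -r user pw last min max warn inactive expire reserved <<EOF
$1
EOF
  locked=no       # a leading "!" marks a locked password; the rest is the old hash
  while [ "${pw#\!}" != "$pw" ]; do locked=yes; pw=${pw#\!}; done
  if [ -n "$expire" ]; then expires=$(days_to_date "$expire"); else expires=never; fi
  printf '%s algo=%s locked=%s last_change=%s max_days=%s expires=%s\n' \
    "$user" "$(hash_algo "$pw")" "$locked" "$(days_to_date "$last")" "$max" "$expires"
}

# Constructed records: the line quoted on the page, "tom" as its fields would
# look after the chage and usermod steps above (placeholder hash), and a locked account.
SAMPLE_SHADOW='mohammed:$1$jUXt.n.l$Jop9u6TlkRT.I6OT7zFq50:16984:0:99999:7:::
tom:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16828:0:99999:7::17104:
jerry:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:16828:0:90:7:::'
printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do shadow_audit "$line"; done
```

The tom line decodes to a last change of 2016-01-28 and an expiry of 2016-10-30, the same values chage -l printed above; an md5 result, as for the quoted mohammed record, is worth flagging because the $1$ scheme is far weaker than $6$ or $y$.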
