LFCS – User Account Management

Jarret B

With any Linux system, you may need to add users. Additional Users may be needed when adding Services such as Samba. Being able to manage user accounts is a very important task, especially if working on multiple systems in a business environment.

There are four main points of user account management:
  1. Creating user accounts
  2. Managing users passwords
  3. Setting user account defaults
  4. Deleting user accounts

I will cover these points for both CentOS 7 and Ubuntu for the LFCS Exam.

Creating User Accounts

Let’s look at creating the account and then working to verify that the account was created.

The command to create an account is as follows:

Code:
sudo useradd <username>

NOTE: For Ubuntu, use the command 'adduser' so that everything is set up for the new user; otherwise you will not be able to log in with the specified username.

For example, if we were to create an account named ‘tech1’ we would use the command ‘sudo useradd tech1’.

NOTE: Be aware that the username is case-sensitive. So, the user account ‘tech1’ is different than ‘Tech1’. At this point, the user should not be able to log into the system until a password is set (the account is disabled).

By default, creating a user account will generate a Home Folder. If the system is running an e-mail service, an e-mail account should also be created. We’ll look into how to change these automatic account creations later in this article.

Once the user account is added, the command ‘ls /home’ should list the Home Folders for all user accounts that had one created.

NOTE: If you are creating an account for a system service, such as Samba, use the option ‘-M’ so the Home Folder is not created for the new user. To specify the Home Folder should be created, use the option ‘-m’. The parameters will vary depending on the set defaults of a Home Folder being made when a user is added.

CentOS 7 defaults to creating a Home Folder; Ubuntu defaults to not creating one.

Each User and Group will have an ID. If the group is created by the system during the installation of the Operating System or a service, the group ID will start at 100. Groups created afterwards will start at 1000. During installation, a new user is created and will have a User ID (uid) of 1000. A Group will be made with the same name and will also have a Group ID (gid) of 1000. New users and groups will be numbered consecutively after 1000.

NOTE: To see the current user information for UID and GID, use the ‘id’ command in a Terminal.

To see the stored information about the last created user, use the command ‘tail -n 1 /etc/passwd’. If you created the User ‘tech1’ you should see something similar to the following:

Code:
tech1:x:1001:1001::/home/tech1:/bin/bash

The information is separated by colons (:). The first part is the username. The second section specifies the password, which is actually stored in the file '/etc/shadow'. The third part is the User ID (uid). The fourth section is the Group ID (gid), which may not be the same as the 'uid'. The fifth part, blank in the example, is the comment for the User; the comment may contain a comma-delimited list. The sixth portion is the location of the User's Home Folder. The seventh and final section is the default login shell. We will look into changing these defaults later in the article.

To see a list of all Users, including system-created Users, on a system, use the command:

Code:
cat /etc/passwd

You may have noticed that after creating the User called ‘tech1’ there is also a Group called ‘tech1’. To see a listing of the Groups, including system-created Groups, use the command:

Code:
cat /etc/group

Let's look at Groups a bit more. There are Primary and Secondary Groups. The Primary Group is recorded in the '/etc/passwd' file that is generated when the user account is created. Secondary Groups are ones that the User Account is added to after it is created.

Let’s look at a little test. Let’s create a new account named ‘tech2’ and use the option ‘-N’ to not create a default Group with the same name as the username. The command will be:

Code:
sudo useradd -N tech2

You can check that a Home Folder was created by using the command:

Code:
ls /home

The folder should exist since we did not specify to not create it (except for Ubuntu which does not create the Home Folders by default).

What we are looking for is that there should be no default Primary Group. First, let’s look at the User ‘tech1’. Use the command:

Code:
id -gn tech1

The result should be ‘tech1’ that shows the default group was created and the User ‘tech1’ was added to the group. The lower-cased ‘g’ specifies that the primary Group should be listed. The option ‘n’ designates the name should be listed and not the number.

Now, we can look at the User ‘tech2’ with the command:

Code:
id -gn tech2

The response to the command should be 'users', showing that no Primary Group named after the user was created and the default group was used instead. We can further verify that the Group 'tech2' was not created with the command:

Code:
cat /etc/group

Since the ‘tech2’ group should have been the last one created, it should be at the end of the list. The group does not exist since we specified to not create it.

To see Secondary Groups, use the option of a capital ‘-G’ instead of a lower-cased ‘-g’.

Of course, at this point, ‘tech1’ and ‘tech2’ have not been added to other groups so there will be no secondary groups listed.

If you want to add a User to a specific group at creation, you can use the parameter ‘-g’ for Primary Groups or ‘-G’ for Secondary Groups. You can list multiple Groups after the option and separate the Group names with commas using no spaces.
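As an added example (not part of the original post), the following script reproduces the relationship between '/etc/passwd' and '/etc/group' described above against constructed sample lines: it resolves a user's primary and secondary groups the way 'id -gn' and 'id -Gn' do, and lists the human accounts whose primary group is the shared default rather than a private group. The sample content and the 'techs' group are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group content (not copied from a real system)
# reproducing the accounts above: tech1 got a private group, tech2 was created
# with -N and fell back to the default GROUP=100 (users), and both were later
# added to a 'techs' group as a secondary group.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
jarret:x:1000:1000:Jarret B:/home/jarret:/bin/bash
tech1:x:1001:1001::/home/tech1:/bin/bash
tech2:x:1002:100::/home/tech2:/bin/bash'
GROUP_SAMPLE='root:x:0:
users:x:100:
jarret:x:1000:
tech1:x:1001:
techs:x:1002:tech1,tech2'

# primary_group USER: the group whose GID matches field 4 of the passwd entry
# (what 'id -gn USER' reports).
primary_group() {
    gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# secondary_groups USER: every group listing USER in its member field
# (what 'id -Gn USER' adds beyond the primary group).
secondary_groups() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u) names = names (length(names) ? "," : "") $1 }
        END { print names }'
}

# account_report: one line per human account (UID >= 1000 with a login shell),
# flagging accounts whose primary group is a shared group rather than a private
# one, since every file they create is then owned by that shared group.
account_report() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 >= 1000 && $7 !~ /nologin$/ { print $1 }' |
    while IFS= read -r u; do
        pg=$(primary_group "$u")
        flag=""; [ "$pg" = "$u" ] || flag=" (shared primary group)"
        printf '%s primary=%s secondary=%s%s\n' "$u" "$pg" "$(secondary_groups "$u")" "$flag"
    done
}
```

Replacing the two sample variables with the contents of the real files turns this into a quick audit of who shares a primary group on a system.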

Managing User Passwords

We can create a disabled account, but to enable the account we need to specify a password for the user. The process requires Root privileges, so the ‘sudo’ command is required or a Root User. The command is as follows:

Code:
sudo passwd <user>

So, to set a password for the User ‘tech1’, and enable the account, we could use the command:

Code:
sudo passwd tech1

Type the password for Root privileges and then you should be prompted for the password for ‘tech1’ and finally asked to verify the password. You may get a message that the password is a regular dictionary word. You can go ahead and verify the password to use it anyway. Of course, this is not good practice for security measures.

A Root User can specify a Dictionary password, but a User cannot.

To see that a password was changed, you can view the file ‘/etc/shadow’. Use the command ‘sudo cat /etc/shadow’ to see the listing. You can see an example in Figure 1 of a password being set.

FIGURE 1

Looking at the lines for the Users ‘Jarret’ and ‘tech1’ there is a password hash listed for each. For the User ‘tech2’, the password section is simply two exclamation marks (!!), showing that there is no password set for the account. The account should also be disabled because of having no password.

To see all the Users we created with the name of ‘tech#’, we can use the command ‘sudo grep tech. /etc/shadow’, as shown in Figure 2. The dot (.) is used to represent a wild card character.

FIGURE 2

The various stored information for each user is separated by colons (:). The fields are as follows:
  1. username
  2. password hash
  3. date of last password change (days since January 1, 1970)
  4. minimum days between password changes
  5. maximum days between password changes
  6. number of days in advance to warn of a required change
  7. number of days after the password expires to lock the account
  8. date for the account to expire
  9. reserved field

To change any of these values, you can use the command ‘chage’. Of course, you need to have elevated privileges. Use ‘chage --help’ to see the various options.

The command ‘chage’ can change the following:

Last day password was changed -d
Account expiration date -E
password inactive after expiration -I
Minimum days before change -m
Maximum days before change -M
Expiration warning days -W

You can make changes and then use ‘cat /etc/shadow’ to see the changes.

Some of these defaults are stored in the file ‘/etc/login.defs’. The defaults are as follows:

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

A password can be locked to prevent it from being changed. You can lock a password with the command ‘sudo passwd -l <username>’ and then unlock it with the command ‘sudo passwd -u <username>’.
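As an added example (not from the original post), the script below classifies accounts from the '/etc/shadow' fields described above, using constructed lines with placeholder hashes: a set password, a fresh account with '!!', a password locked with 'passwd -l' (leading '!'), a password older than its maximum age, and an account past its expiration date. The 'today' value is passed in so the result is reproducible; on a live system the default computes it from the clock.

```shell
#!/bin/sh
# Constructed /etc/shadow lines (placeholder hashes, not from a real system).
# Field order: name:hash:last_change:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE='jarret:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::
tech1:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::
tech2:!!:19000:0:99999:7:::
tech3:!$6$salt$PLACEHOLDERHASH:18000:0:90:7:::
tech4:$6$salt$PLACEHOLDERHASH:18000:0:90:7:::
tech5:$6$salt$PLACEHOLDERHASH:19000:0:99999:7::19050:'

# Days since 1970-01-01, the unit used by fields 3 and 8 of /etc/shadow.
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_status USER [TODAY_DAYS]: classify one account from its shadow entry.
shadow_status() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" -v today="${2:-$(today_days)}" '
    $1 == u {
        pw = $2; last = $3 + 0; maxd = $5; expire = $8
        if (pw == "")                   { print "empty-password"; exit }   # logs in with no password at all
        if (pw == "!!" || pw == "*")    { print "no-password"; exit }      # never set / password login disabled
        if (substr(pw, 1, 1) == "!")    { print "locked"; exit }           # passwd -l prefixes the hash with "!"
        if (expire != "" && today > expire + 0) { print "account-expired"; exit }
        if (maxd != "" && maxd + 0 < 99999 && today > last + maxd) { print "password-expired"; exit }
        print "active"; exit
    }'
}

# shadow_audit [TODAY_DAYS]: list every account that is not simply active.
shadow_audit() {
    printf '%s\n' "$SHADOW_SAMPLE" | cut -d: -f1 | while IFS= read -r u; do
        s=$(shadow_status "$u" "$1")
        [ "$s" = "active" ] || printf '%s\t%s\n' "$u" "$s"
    done
}
```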

Setting User Account Defaults

Whenever a new user is created, specific items and configurations are made. For example, unless otherwise specified a Home folder is generated for the new user. Let’s look at the various things we can set for new users.

Since we recently created the users ‘tech1’ and ‘tech2’, let’s look at the Home folder by running the command in a Terminal ‘ls /home’.

In the Home folder there should be at least the folders ‘tech1’ and ‘tech2’. If you perform a ‘sudo su’ and then open one of the folders and run ‘ls’, the folder should appear empty. The folder really isn’t empty; it contains hidden files which can be listed with the command ‘ls -a’. There should be the files ‘.bash_logout’, ‘.bash_profile’, ‘.bashrc’ and maybe the folder ‘.mozilla’. These are default configuration files.

Looking at the folder ‘/etc/skel/’ you can see the ‘skeleton’ template used to create the new user home folders. Using the command ‘ls -a’ you can see the same hidden files as you saw in the new user’s home folder. If you add a file or folder and then create a new user, check the newly created home folder and you should see the folder or file you created in the template folder.

To see the default settings for a new user account, use the command ‘useradd -D’. The output should be something similar to the following:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

You can edit the file, ‘/etc/default/useradd’ as Root user, and change the defaults as needed.

The GROUP specifies the default GID of 100, which is the group ‘users’. The HOME variable sets the location of the Home folders. INACTIVE is the number of days an account should be inactive after creation. A value of -1 means it is active, at least after a password is assigned. EXPIRE is a date value (YYYY-MM-DD) when the account should expire. This is good to use for accounts that are for temporary workers. SHELL specifies the default shell for the user. SKEL designates the template folder to use when creating the Home folder. CREATE_MAIL_SPOOL shows whether to create a mail spool for the user.

Modify and Delete User Accounts

We can modify information for the user accounts as needed.

The command to modify user information is ‘usermod’ and requires Root privileges. There are various parameters you can use depending on the item you want to modify.

To add a user to a group you can use the parameters '-a -G' and specify the Groups, separated by commas and no spaces. The '-a' is used to append to the account's existing Secondary Groups and not overwrite the group information (it only works together with '-G'). For example, if there were a group called 'techs' which we were to put the tech users into, we would use the following command for the new user 'tech3':

Code:
sudo usermod -a -G techs tech3

There is a generic comment field for a user account which is usually used for the Full Name of a user. To set the comment field, use the command:

Code:
sudo usermod -c "full name" <username>

For example, to set the full name for ‘tech3’ the command would be:

Code:
sudo usermod -c "Tech Three" tech3

You can check the file ‘/etc/passwd’ to verify the comment field was modified.

A User's Home folder can be changed to a different location with the parameter '-d'. If we wanted to change the home folder for 'tech3' to '/test/tech3', the command is:

Code:
sudo usermod -d /test/tech3 tech3

The command does not move information from the existing folder to the new one, or even delete the old folder. Performing these tasks is up to you as an administrator.

The default shell can be changed with the parameter ‘-s’. The format is ‘sudo usermod -s <shell> <username>’.

A UID can also be changed. The parameter is ‘-u’. The command is ‘sudo usermod -u <uid> <user>’.

It is possible to change the User’s Name as well. The command is ‘sudo usermod -l <new name> <user>’. You may want to change the Home folder as well.

The expiration date can be set for a user. The command is ‘sudo usermod -e “date” <user>’. The date is specified as ‘YYYY-MM-DD’.

You can see the user’s expiration date by using the command ‘chage -l <user>’.

If a user account needs to be deleted, use the command 'userdel -r <user>'. The parameter '-r' will delete the home folder, mail account, etc. If you want to keep the user's data in the home folder, do not use the ‘-r’ parameter.

Conclusion

I hope you have learned more about users and groups. When performing administrative tasks on a system, users and groups can require a lot of your time in a large environment.

Practice performing the various commands that were covered in this article.