User administration in Linux

Hi, this topic covers user administration in the Linux operating system.

An important feature of a Linux machine is that multiple users can access the same machine at the same time.

At the end of this topic you will know the following 3 things

1. Add, remove and modify users in a system.

2. Groups.

3. Permissions (modes).

Okay, let's get into the details of the above topics

1.Add, Remove and Modify users in a system:
===========================================

To add, delete or modify users in Linux you must be the root user (super user) or an administrator.

1.Adding a user
—————

Command used to add a user in linux is

#useradd 

2.Remove a user
—————

Command used to delete a user in linux is

#userdel

3.Modify a user
—————

Command used to modify a user in Linux is

#usermod

All the above commands will be located in /usr/sbin directory.

You can specify the user config files which a new user will have when an account is created. These configuration files are copied from the /etc/skel/ directory.

[skel stands for skeleton]

Now, let us see the steps in creating a new user account

Now first of all we will check the defaults of useradd command.

[root@siru /]#useradd -D

[The “-D” option means that default for useradd command]

O/P of above command is

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
[root@siru /]#

In the above output:

GROUP=100 means that if we don't specify a group when we create a user, the user is automatically put into group 100.

HOME=/home means that if we don't specify a home directory, the user's home directory is created by default under /home.

INACTIVE=-1
EXPIRE=
These two control account expiration. Neither of them is set by default: INACTIVE=-1 means it is not defined and EXPIRE= has no value, hence there is no expiration date for a new account unless one is set specially. If EXPIRE is set to a date, say 30-11-2010, an account created with this expiration date will expire on 30-11-2010, and from that date the user cannot log in to the system. All his files will be kept unmodified, so if we unexpire that account the user can access those files just as he left them when it expired. If INACTIVE is set to a positive value, say 10, then the files owned by the expired user account will be deleted 10 days after the account expired, including the user id.

SHELL=/bin/bash
is the default shell for that particular account.

SKEL=/etc/skel is the default skeleton for that particular account. When an account is created, the configuration files under this folder are copied to the user's account.

Now let us add an account

[root@siru /]#useradd lisa

Once I press enter after typing the above command, two files are modified, the htpasswd and htshadow files. lisa's home directory is created and a few configuration files are copied into this directory. Let's see them now. We will go into the /home directory

[root@siru /]#cd /home

now a folder named lisa will have been created

[root@siru home]#ls

the output of the above command will be
jeevi lisa
which means that the system has created an account named lisa. Now let's go into the lisa directory and list all the files under it.

[root@siru home]# cd lisa
[root@siru lisa]# ls -a

output of the above command is

. .. .bash_logout .bash_profile .bashrc .emacs .gtkrc .kde .screenrc

Now you can see that the files under the lisa folder are user config files, as their names start with a dot (.). If we run “ls -a” inside the /etc/skel directory

[root@siru lisa]# ls -a /etc/skel
o/p
. .. .bash_logout .bash_profile .bashrc .emacs .gtkrc .kde .screenrc
Hence these are the files copied from the /etc/skel directory.

Now, we have never set a password for the user lisa, so lisa cannot log in to the system as she doesn't have any password. So we are setting a password for the user lisa

[root@siru /]#passwd lisa

[Note: the root user is the only user that can change or set a password for a user other than themselves]
o/p

Changing password for user lisa
New password:

type password for lisa

Re-Type password:

Retype password for lisa

passwd: all authentication tokens are updated successfully

password has been set and now lisa can login to the system using her account.

Alright, now we shall have a look into the htpasswd and htshadow files into the system.

cat /etc/passwd

o/p

jeevi:x:500:500::/home/jeevi:/bin/bash
lisa:x:501:501::/home/lisa:/bin/bash

In the above output you can see that lisa is the username, x is the password, which will be stored in the /etc/passwd file, 501 is the user id and the next 501 is the group id (yes, I said the default is 100, but Red Hat Linux will have a separate user private group, it starts with 501; you will know that if you are familiar with group administration). The next field is the comment, which is not set, hence the two colons (::); it can be filled in by using the useradd -c command. /home/lisa is the default home directory of the user lisa, and /bin/bash is the default shell for the user lisa.

Now, let’s have a look into htshadow file, the htshadow file will also have a separate line for each user

#cat /etc/shadow

o/p

jeevi:fdsfsfGD#$%%565GF$$$%^*:11758:0:99999:7:::
lisa:Pfdefs@#4GFVtr33@334$ff:11768:0:99999:7:::

the first field of the above o/p is the user name and the next field is the encrypted version of the password just for security reasons.
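A quick audit built on the two file layouts just described, as an added example that is not part of the original tutorial: it classifies the password field of each /etc/shadow line and flags extra accounts with user id 0. The sample lines, the `backup` account and the function names are constructed for illustration; a leading `!` or `*` in the shadow field is how a new account looks before `passwd` has been run for it.

```shell
#!/bin/sh
# Added example: constructed sample lines in /etc/passwd and /etc/shadow layout.
# The hash strings are placeholders, not real password hashes.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
jeevi:x:500:500::/home/jeevi:/bin/bash
lisa:x:501:501::/home/lisa:/bin/bash
backup:x:0:502::/home/backup:/bin/bash'

SHADOW_SAMPLE='root:$6$CONSTRUCTED$placeholderhash:11758:0:99999:7:::
jeevi:$6$CONSTRUCTED$placeholderhash:11758:0:99999:7:::
lisa:!!:11768:0:99999:7:::
backup::11768:0:99999:7:::'

# shadow_status DATA: classify field 2 (the password field) of each line.
#   EMPTY  = no password is required to log in
#   LOCKED = starts with ! or *, so no typed password can match
#   SET    = a password hash is present
shadow_status() {
    printf '%s\n' "$1" | awk -F: '
        $2 == ""     { print $1 ":EMPTY";  next }
        $2 ~ /^[!*]/ { print $1 ":LOCKED"; next }
                     { print $1 ":SET" }'
}

# extra_uid0 DATA: passwd entries other than root whose user id (field 3) is 0.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# not_shadowed DATA: passwd entries whose field 2 is not the "x" placeholder.
not_shadowed() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

shadow_status "$SHADOW_SAMPLE"
echo "extra uid 0: $(extra_uid0 "$PASSWD_SAMPLE")"
echo "not shadowed: $(not_shadowed "$PASSWD_SAMPLE")"
```

On a live system the same functions can be fed `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`.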

Now let’s change a password for a bunch of users in a single command,

#cat pwlist

o/p

jeevi:siru
lisa:lisa
#chpasswd < pwlist

The above command will change the passwords for the users jeevi and lisa. But the file pwlist has their passwords in plain text format, hence it is safer to delete the pwlist file afterwards. After deleting the pwlist file, the passwords for the users will only be present in the /etc/passwd file (which is encrypted).

Now lets learn about groups.

The group id’s for users are stored under /etc/group

# cat /etc/group

o/p

jeevi:x:500:
lisa:x:501:

Again the first field specifies the group name, next is the group password, which is stored in the /etc/gshadow file, next is the group id, and next is the list of users in the group 500, which is empty. This means that group jeevi has no users under it.

Let us consider that if some members are working on a project and have to access the files in common, say “projectX“, so we are now creating projectX group.

#groupadd -r projectX
#cat /etc/group
jeevi:x:500:
lisa:x:501:
projectX:x:11:

Now we will add the users jeevi and lisa to the projectX group. This can be done by the following command
#usermod -G projectX jeevi
o/p

#cat /etc/group
jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi
#usermod -G projectX lisa

o/p

#cat /etc/group
jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi,lisa

which means users jeevi and lisa are members of the group projectX, so the files whose group is set to projectX can be accessed by jeevi as well as lisa in common.

Now let's add user jeevi to projectX as well as projectY. This can be done by

#groupadd -r projectY
#cat /etc/group
jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi,lisa
projectY:x:12:

 

#usermod -G projectX,projectY jeevi

o/p

#cat /etc/group
jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi,lisa
projectY:x:12:jeevi

Now user jeevi is a member of both projectX and projectY, but lisa is only a member of the projectX group.

The command to see the groups which a user belongs to is

#groups

(i.e)

#groups jeevi

O/P

jeevi : jeevi projectX projectY

Note that whenever you need to add an extra group for jeevi, you need to specify all the groups which jeevi should be in, else he will be removed from the other groups. Say, if you have not specified projectX and projectY, then jeevi will be removed from these two groups.
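A pre-check for the pitfall in the note above, as an added example that is not part of the original tutorial: given a group file and the list you are about to pass to `usermod -G`, it prints the memberships the user would lose. The sample data, the `projectZ` group and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed copy of /etc/group in the state reached above (comma separated members).
GROUP_SAMPLE='jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi,lisa
projectY:x:12:jeevi'

# supp_groups USER: groups whose member list (field 4) names USER.
supp_groups() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# groups_lost USER NEWLIST: memberships that "usermod -G NEWLIST USER" would drop,
# because -G replaces the whole supplementary group list with NEWLIST.
groups_lost() {
    for g in $(supp_groups "$1"); do
        case ",$2," in
            *",$g,"*) ;;                      # still listed, membership kept
            *) printf '%s\n' "$g" ;;          # not listed, membership dropped
        esac
    done
}

echo "usermod -G projectZ jeevi would drop:"
groups_lost jeevi projectZ
echo "usermod -G projectX,projectY,projectZ jeevi would drop:"
groups_lost jeevi projectX,projectY,projectZ
# usermod also has -a (append): "usermod -a -G projectZ jeevi" adds projectZ
# and keeps every existing membership, so nothing needs to be re-listed.
```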

File permissions(modes):
=======================

* There are separate permissions for user, group and other.
* #ls -l command shows modes
* Root and owner can change modes.

Every file has three types of modes(permissions) they are user(the actual owner of the file), group and other(all the users present in the system)

#ls -l

The above command will list the file permissions of files.

o/p

drwxr-xr-- root jeevi folder

The first field (i.e. drwx) in the above output tells us d-directory, and r-read, w-write and x-execute permission for the owner (here it is root).

The second field (r-x) in the above output tells us that the group user (here it is jeevi) has r-read and x-execute permissions for that folder, so he cannot edit that folder, i.e. he cannot create or delete files inside that folder.

The third field (r--) in the above output tells us that the other user (say any other user like lisa, apache, etc.) has only r-read permission. That means he can only read the folder and cannot edit or execute it (to open a folder the user needs execute permission; as this is disabled here he can't open the folder).

Changing file permissions:
===========================

To change the file permission you can use “chmod” command. chmod command has two formats they are

1.Symbolic mode.
2.Binary number mode.

1.Symbolic format here we use u(user),g(group),o(other)

Eg:

#chmod g+w filename

will allow the group user to have write permission to that file.

#chmod g-w filename

will stop the group user from writing/changing the file.
You can use symbolic format as below example as well

#chmod ug=rw filename

will give the user and group read and write permission to that file, with no access for others and no x-execute permission for the user and group of that file.

2.Binary number mode uses the following syntax.

#chmod 754 filename

(where 7 is the user's permission, 5 is the group's permission and 4 is the other users' permission). Each number is represented in binary: 7 has the binary value “111=rwx”, 5 has the binary value “101=r-x” and 4 has “100=r--”.

Directory permissions
=====================
Directories will have permissions as follows

7=rwx (the user has full permission to the directory; he can add and delete files inside the directory).
5=r-x (the user can only read and execute the directory and cannot modify the files in that directory).
0=--- (no permissions; he cannot access the directory).
[Note: A user cannot read the folder if he has only execute permission and not read permission, and he cannot open the directory if he has only read permission and not execute permission. So, you need at least read and execute permissions for a directory to access and read it]

If a user has read and execute permission for a directory and no permissions at all for a file inside that directory, then he cannot read that file. So both the directory and the file permissions have to work in your favor in order to access that particular file inside the directory.

Okay, now let’s combine all the above topics and work to share files for different users.

Let us consider that some users are working on ProjectX where everybody working on ProjectX needs to access a common folder and edit files.

[root@siru home]#ls -l
drwxr-x--- 3 siru ProjectX 4086 Mar20 12:11:20 siru
drwxr-x--- 4 lisa lisa 4086 Mar21 12:30:21 lisa

The directory siru has ProjectX as its group and read and execute permission for group users, hence the users in ProjectX can access the directory siru. Now let's go inside siru's directory and do an ls -l command

[root@siru home]#cd siru
[root@siru siru]#ls -l

O/P

drwxr-x--- 5 siru ProjectX 4086 Mar20 12:11:20 ProjectX

Here the ProjectX folder has ProjectX as its group, hence the users in the ProjectX group can access the files under the ProjectX folder. Now, let's go inside the ProjectX folder and do an ls -l.

[root@siru siru]#cd ProjectX
[root@siru ProjectX]#ls -l

O/P

-rw------- 1 siru ProjectX 64 Mar 21 12:20:21 Plans

Now, here is the mistake: the file “Plans” doesn't have any permissions set for the group ProjectX, hence the members of ProjectX cannot access the contents of the file “Plans”. So, you need to set read and write permissions on the “Plans” file so that users from group “ProjectX” can read or edit that particular file. This can be done as follows

[root@siru ProjectX]#chmod 660 Plans
[root@siru ProjectX]#ls -l
-rw-rw---- 1 siru ProjectX 64 Mar 21 12:20:21 Plans

Now, the users under group ProjectX can edit the file “Plans”.
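The same check done mechanically, as an added example that is not part of the original tutorial: it walks a shared tree and lists every directory the group cannot enter and every file the group cannot edit, then shows the listing before and after the `chmod 660` fix. The tree is a constructed copy of the ProjectX/Plans layout built in a temporary directory, and the function names are made up for illustration.

```shell
#!/bin/sh
# group_gaps DIR: list entries under DIR that block the owning group.
# The octal tests match the chmod numbers used above: 050 = group r-x, 060 = group rw-.
group_gaps() {
    {
        find "$1" -type d ! -perm -050 | sed 's/^/dir lacks group r-x: /'
        find "$1" -type f ! -perm -060 | sed 's/^/file lacks group rw-: /'
    } | sort
}

# demo: rebuild the ProjectX/Plans layout in a temporary directory (constructed
# sample tree), audit it, apply the chmod 660 fix, and audit it again.
demo() {
    top=$(mktemp -d) || return 1
    mkdir "$top/ProjectX"
    chmod 750 "$top" "$top/ProjectX"         # drwxr-x--- as in the listings
    : > "$top/ProjectX/Plans"
    chmod 600 "$top/ProjectX/Plans"          # the mistake: -rw-------
    before=$(group_gaps "$top" | sed "s|$top/||")
    chmod 660 "$top/ProjectX/Plans"          # the fix: -rw-rw----
    after=$(group_gaps "$top")
    rm -rf "$top"
    printf 'before: %s\nafter: %s\n' "$before" "${after:-no gaps}"
}

demo
```

Running `group_gaps /home/siru/ProjectX` on the real shared folder gives the same kind of report for every file in it.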

Wait a minute, do you know how the folder “ProjectX” got its group set to “ProjectX”? Let me explain how to create a file/folder with another group. Let us consider that we are logged in as the user siru.

This will create a folder sample

[siru@siru ProjectX]#ls -l

O/P

-rw-rw---- 1 siru ProjectX 64 Mar 21 12:20:21 Plans
drwxr-xr-x 2 siru siru 4086 Mar 21 13:20:21 sample

Now the group set here for the sample folder is siru. You have to change that as follows

[siru@siru ProjectX]#chown siru.ProjectX sample
[siru@siru ProjectX]#ls -l

O/P

-rw-rw---- 1 siru ProjectX 64 Mar 21 12:20:21 Plans
drwxr-xr-x 2 siru ProjectX 4086 Mar 21 13:20:21 sample

You can also do this with the steps below

[siru@siru ProjectX]#newgrp ProjectX

[siru@siru ProjectX]#mkdir sample

[siru@siru ProjectX]#ls -l 

O/P

-rw-rw---- 1 siru ProjectX 64 Mar 21 12:20:21 Plans
drwxr-xr-x 2 siru ProjectX 4086 Mar 21 13:20:21 sample

So, how do we make a normal user an administrator of a group? Let's see now. It can be done by the following commands

#gpasswd -A siru ProjectX

[The capital A tells the system that the user that follows is the administrator of that group. So, after executing the previous command we will have siru as the administrator of ProjectX, and he can add or delete users in the ProjectX group].

# su siru

[switching user from root to siru]

#gpasswd -a ram ProjectX

The above command adds user ram to group ProjectX

#gpasswd -d lisa ProjectX

The above command deletes user lisa from ProjectX

Now if we look at the /etc/group file, we won't have user lisa in ProjectX, but user ram will have been added to ProjectX

#cat /etc/group

O/P

jeevi:x:500:
lisa:x:501:
projectX:x:11:jeevi,ram
projectY:x:12:jeevi

We can use user private groups as well, so that if user siru wants only lisa to access his files, he can add user lisa as a member of his group. This can be done as follows

#gpasswd -A siru siru
#su siru

[switching user from root to siru]

#gpasswd -a lisa siru
The above command will add user lisa to user siru's private group. Hence lisa can access the files which have read permission set for the siru group. Something like this

-rw-r----- 1 siru siru 64 Mar 21 14:15:00 test

[Note: See to it that lisa can enter the directory, i.e. that the group siru has execute and read permissions on that particular directory].

Whof.. Long, isn't it? Let me know if I have gone wrong somewhere.

Reference: CBTNUGGETS video tutorials
