Linux: user & group management

A short list of commands for creating a user

Creating a user. All users are stored in the file /etc/passwd (backup in /etc/passwd-).
sudo useradd -m -s /bin/bash weril
sudo passwd weril
sudo login weril - log in as the new user to test it
sudo passwd -e weril - (expire) mark the password as expired (after authenticating, the user is forced to change the password)
# sudo passwd -l weril - (lock) lock the user
sudo vi /etc/ssh/sshd_config - add the user to AllowUsers in sshd (AllowUsers <username>@*)
sudo /etc/init.d/sshd restart - restart the service (sudo service sshd restart)

When changing a password the old one may be requested, and we may not know it (e.g. the user lost it, or the account was created by the cloud); in that case change it as root.

sudo su
passwd weril

On CentOS, to avoid adding each user to sudoers individually, there is the wheel group; on Ubuntu it is the sudo group. A user added to this group gets sudo rights as well.

sudo usermod -a -G wheel [user name]
sudo usermod -a -G sudo [user name]

User types

RHEL supports three fundamental user account types: root, normal, and service.

  • The root user, the superuser or the administrator with full access to all services and administrative functions, possesses full powers on the system. This user is automatically created during RHEL installation.
  • The normal users have user-level privileges. They cannot perform any administrative functions, but can run applications and programs that they are authorized to execute.
  • The service accounts are responsible for taking care of the installed services. These accounts include apache, ftp, mail, ntp, postfix, and qemu.

Key files for user and group management

https://learning.lpi.org/en/learning-materials/010-160/5/5.2/5.2_01/

User account information for local users is stored in four files in the /etc directory. These files are passwd, shadow, group, and gshadow, and they are updated when a user account is created, modified, or deleted. The same files are referenced to check and validate the credentials for a user at the time of their login attempt into the system, and hence these files are referred to as user authentication files. These files are so critical to the operation of the system that, by default, the system maintains a backup of each of these files as passwd-, shadow-, group-, and gshadow- in the /etc directory. The shadow and gshadow files, as well as the user administration commands are part of the shadow-utils package that is installed on the system at the time of OS installation.

/etc/passwd

A file of seven colon-delimited fields containing basic information about users:

frank:x:1001:1001::/home/frank:/bin/bash

Each line consists of seven colon-delimited fields:

Username
The name used when the user logs into the system.
Password
The encrypted password (or an x if shadow passwords are used).
User ID (UID)
The ID number assigned to the user in the system.
Group ID (GID)
The primary group number of the user in the system.
GECOS
An optional comment field, which is used to add extra information about the user (such as the full name). The field can contain multiple comma-separated entries.
Home directory
The absolute path of the user’s home directory.
Shell
The absolute path of the program that is automatically launched when the user logs into the system (usually an interactive shell such as /bin/bash).

/etc/group

A file of four colon-delimited fields containing basic information about groups:

developer:x:1002:

Each line consists of four colon-delimited fields:

Group Name
The name of the group.
Group Password
The encrypted password of the group (or an x if shadow passwords are used).
Group ID (GID)
The ID number assigned to the group in the system.
Member list
A comma-delimited list of users belonging to the group, except those for whom this is the primary group.

/etc/shadow

A file of nine colon-delimited fields containing the encrypted user passwords, one user per line. It is readable only by root and by users with root privileges:

frank:$6$i9gjM4Md4MuelZCd$7jJa8Cd2bbADFH4dwtfvTvJLOYCCCBf/.jYbK1IMYx7Wh4fErXcc2xQVU2N1gb97yIYaiqH.jjJammzof2Jfr/:18029:0:99999:7:::

Each line consists of nine colon-delimited fields:

Username
The name used when user logs into the system.
Encrypted password
The encrypted password of the user (if the value is !, the account is locked).
Date of last password change
The date of the last password change, as number of days since 01/01/1970. A value of 0 means that the user must change the password at the next access.
Minimum password age
The minimum number of days, after a password change, which must pass before the user will be allowed to change the password again.
Maximum password age
The maximum number of days that must pass before a password change is required.
Password warning period
The number of days, before the password expires, during which the user is warned that the password must be changed.
Password inactivity period
The number of days after a password expires during which the user should update the password. After this period, if the user does not change the password, the account will be disabled.
Account expiration date
The date, as number of days since 01/01/1970, in which the user account will be disabled. An empty field means that the user account will never expire.
A reserved field
A field that is reserved for future use.

/etc/gshadow

A file of four colon-delimited fields containing the encrypted group passwords, one group per line. It is readable only by root and by users with root privileges:

developer:$6$7QUIhUX1WdO6$H7kOYgsboLkDseFHpk04lwAtweSUQHipoxIgo83QNDxYtYwgmZTCU0qSCuCkErmyR263rvHiLctZVDR7Ya9Ai1::

Each line consists of four colon-delimited fields:

Group name
The name of the group.
Encrypted password
The encrypted password for the group (it is used when a user, who is not a member of the group, wants to join the group using the newgrp command — if the password starts with !, no one is allowed to access the group with newgrp).
Group administrators
A comma-delimited list of the administrators of the group (they can change the password of the group and can add or remove group members with the gpasswd command).
Group members
A comma-delimited list of the members of the group.
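As an added example (not part of the original notes), the following shell functions read constructed passwd and shadow records in the formats described above and report the things an administrator checks first: the state of each password field (empty, locked with "!", disabled with "*" or "!!", or a real hash) and any account besides root that carries UID 0. The user names, the "toor" and "guest" accounts and the hash strings are invented for the example.

```shell
#!/bin/sh
# Added example: constructed passwd and shadow records (not from a real host).
# "toor" deliberately carries UID 0 and "guest" an empty password so that the
# checks below have something to find.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
frank:x:1001:1001::/home/frank:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
daemon:x:2:2::/sbin:/sbin/nologin'

SAMPLE_SHADOW='root:$6$salt$rootHashHashHash:18029:0:99999:7:::
frank:$6$salt$frankHashHashHash:18029:0:99999:7:::
toor:!$6$salt$toorHashHashHash:18029:0:99999:7:::
daemon:*:18029:0:99999:7:::
guest::18029:0:99999:7:::'

# Print field $1 (1-based) of the colon-delimited record $2
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# Classify the password field (field 2) of one shadow record:
#   empty    - no password at all; PAM may let the account in without one
#   disabled - "*" or "!!": no password was ever set (system/new accounts)
#   locked   - "!" in front of a hash: the result of passwd -l / usermod -L
#   hashed   - an ordinary crypt(3) hash, e.g. $6$ for SHA-512
shadow_state() {
  case "$(field 2 "$1")" in
    '')        echo empty ;;
    '*'|'!!')  echo disabled ;;
    '!'*)      echo locked ;;
    *)         echo hashed ;;
  esac
}

# Look up user $1 in the shadow sample and classify it; fails if absent
state_of() {
  rec=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:") || return 1
  shadow_state "$rec"
}

# Accounts whose shadow password field is empty
empty_password_accounts() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# passwd entries other than root that have UID 0 (full root power)
extra_uid0_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Stand-alone run: one line per account plus the two summary checks
for u in $(printf '%s\n' "$SAMPLE_SHADOW" | cut -d: -f1); do
  echo "$u: $(state_of "$u")"
done
echo "empty passwords: $(empty_password_accounts)"
echo "extra UID 0:     $(extra_uid0_accounts)"
```

On a real system the same functions work over `sudo cat /etc/shadow` and `/etc/passwd` instead of the embedded samples; the "empty" and "extra UID 0" lists should normally be blank.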

 

vipw / vigr

  • vipw – safely edit the passwd & shadow files
  • vigr – safely edit the group & gshadow files

The vipw and vigr commands edit the files /etc/passwd and /etc/group, respectively. With the -s flag, they edit the shadow versions of those files, /etc/shadow and /etc/gshadow, respectively. The programs set the appropriate locks to prevent file corruption. When looking for an editor, the programs first try the environment variable $VISUAL, then the environment variable $EDITOR, and finally the default editor, vi(1).

Occasionally, it is imperative for the administrator to modify the passwd file manually using an editor such as vi. If another user attempts to change their password while the file is being edited, it results in a successful password update for the user. Unfortunately, this change is lost when the file is later saved by the administrator. To prevent this from happening, and to prevent any corruption resulting from such a condition, the shadow-utils package offers two tools called vipw and vigr that allow a privileged user to edit the passwd and group files while disabling write access to them. The same commands are also used to edit the shadow versions of these files when they are executed with the -s option. Both commands make a copy of the respective file in the /etc directory with the .edit extension and also a corresponding lock file with the .lock extension in the same directory. The .edit file stores the changes being made while the .lock file saves the PID of the process. During this time, if a user attempts to change their password, the passwd command accepts the new password and checks for the existence of a .lock file before attempting to update the original file. The presence of a .lock file is an indication for the passwd command that an edit session is in progress and that it has to wait for it to complete. As soon as the administrator finishes with the editing and quits the file, some automatic checks are performed on the file for data and syntax validity. The original file is backed up with the hyphen sign as a suffix to its name and the edited version replaces the original file. The .edit and .lock files are then removed. At this point, the passwd command that was waiting for the editing session to finish goes ahead and updates the user password successfully.
The same rule is applied to other commands that attempt to write to these files while they are being amended. Also, while an instance of either of these tools is running on any of the four files, invoking another session of either of these tools generates an error message similar to the following:

# vigr -s
vigr: Couldn't lock file: Interrupted system call
vigr: /etc/gshadow is unchanged

At the end of an editing session for any of the four files, a message is displayed, reminding us to modify the corresponding file as well. For example, the following reminder is shown after the completion of passwd file modification with the vipw command:

You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.

And after the execution of the vigr command on the gshadow file:

You have modified /etc/gshadow.
You may need to modify /etc/group for consistency.
Please use the command 'vigr' to do so.

pwck / grpck

pwck / grpck – verify integrity of password/group files

The pwck command verifies the integrity of the users and authentication information. It checks that all entries in /etc/passwd and /etc/shadow have the proper format and contain valid data. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors.

Over time, and especially after a manual modification, inconsistencies may occur in any of the four authentication files and require administrative attention. The passwd and shadow files are particularly important, as they are the primary sources for validating local user existence and authenticating them. The shadow-utils package offers a tool called pwck that we can use to check the integrity and validity of data in these files. This command checks each line entry for the correct number of fields, uniqueness and validity of the login name, and validity of the UID, GID, primary group, login directory, and the shell file. For the shadow file, it checks for the existence of corresponding entries, the correct number of fields, duplicate entries, the presence of passwords, and some password aging attributes based on the directives defined in the /etc/login.defs file. This command reports any inconsistencies it finds.
~$ sudo pwck
[sudo] password for admin:
user 'ftp': directory '/var/ftp' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
pwck: no changes

~$ sudo pwck
[sudo] password for redkin_p:
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
pwck: no changes
The shadow-utils package offers a cousin of pwck called grpck that is used to verify the information in the group and gshadow files for validity and consistency. This command performs checks on the validity of the number of fields in each line entry and whether a user belonging to a group is absent from the passwd or the shadow file. It reports inconsistencies as well.
~$ sudo grpck
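The following is an added example, not part of the original notes and not the pwck/grpck code itself: it reproduces a few of the checks described above with awk over constructed copies of passwd, shadow and group that are written to a scratch directory, so it runs without root and never touches /etc. The user and group names in the sample files are invented; "bob", "ghost" and "carol" are planted inconsistencies.

```shell
#!/bin/sh
# Added example: constructed copies of passwd, shadow and group (not real
# system files) are written to a scratch directory for the checks below.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
frank:x:1001:1001::/home/frank:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:5000::/home/bob:/bin/bash
EOF

cat > "$WORK/shadow" <<'EOF'
root:*:18029:0:99999:7:::
frank:$6$salt$hash:18029:0:99999:7:::
alice:$6$salt$hash:18029:0:99999:7:::
ghost:$6$salt$hash:18029:0:99999:7:::
EOF

cat > "$WORK/group" <<'EOF'
root:x:0:
frank:x:1001:
alice:x:1002:
developer:x:1010:frank,alice,carol
EOF

# pwck-style: passwd entries that have no shadow record (no password data)
passwd_without_shadow() {
  awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
      "$WORK/shadow" "$WORK/passwd"
}

# pwck-style: shadow records whose user no longer exists in passwd
shadow_without_passwd() {
  awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' \
      "$WORK/passwd" "$WORK/shadow"
}

# pwck-style: primary GID (passwd field 4) that no group defines
passwd_with_unknown_gid() {
  awk -F: 'NR == FNR { gid[$3] = 1; next } !($4 in gid) { print $1 }' \
      "$WORK/group" "$WORK/passwd"
}

# grpck-style: group members (group field 4) that do not exist in passwd,
# printed as group:member
group_members_without_passwd() {
  awk -F: 'NR == FNR { user[$1] = 1; next }
           $4 != "" { n = split($4, m, ",")
                      for (i = 1; i <= n; i++)
                        if (!(m[i] in user)) print $1 ":" m[i] }' \
      "$WORK/passwd" "$WORK/group"
}

# Stand-alone run: print each finding with its label
echo "passwd without shadow:   $(passwd_without_shadow)"
echo "shadow without passwd:   $(shadow_without_passwd)"
echo "passwd with unknown GID: $(passwd_with_unknown_gid)"
echo "group members unknown:   $(group_members_without_passwd)"
```

The real tools also verify field counts, UID/GID ranges from /etc/login.defs and the existence of home directories and shells; the point of the example is the cross-file consistency, which is where manual edits most often go wrong.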

 

pwconv / grpconv and pwunconv / grpunconv: activating and deactivating the shadow password mechanism

The shadow password mechanism that enables the use of shadow and gshadow files for storing user and group passwords and password aging information may be deactivated if desired. However, this is undesirable and not recommended unless there is a specific need to do so. The shadow-utils package offers four tools, two (pwconv and grpconv) to activate the mechanism and the other two (pwunconv and grpunconv) to deactivate it.
  • pwconv – Creates and updates the shadow file and moves user passwords over from the passwd file. Activates password shadowing if it is not already active. The activation tools reference the /etc/login.defs file for some password aging attributes while being executed. This command works quietly and does not display any output unless there is a problem. It creates the shadow file with read-only permission for the root user.
  • pwunconv – Moves user passwords back to the passwd file and removes the shadow file. Deactivates password shadowing.
  • grpconv – Creates and updates the gshadow file and moves group passwords over from the group file. Activates password shadowing at the group level if it is not already active. This command works quietly and does not display any output unless there is a problem. It creates the gshadow file with read-only permission for the root user.
  • grpunconv – Moves group passwords back to the group file and removes the gshadow file. Deactivates password shadowing.

 

The Skeleton Directory

When you add a new user account and create its home directory, the new home directory is populated with files and folders copied from the skeleton directory (by default /etc/skel). The idea behind this is simple: a system administrator wants new users to start with the same files and directories in their home. Therefore, if you want to customize the files and folders that are created automatically in the home directory of new user accounts, add those files and folders to the skeleton directory.

 

id

id – shows information about the current user: uid (user id), gid (primary group id, which is assigned to newly created files), and the list of groups with their IDs.

root@serv:~# id
uid=0(root) gid=0(root) groups=0(root)

user@serv:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Useradd

https://linux.die.net/man/8/useradd

When invoked with only the -D option, useradd will display the current default values. When invoked with -D plus other options, useradd will update the default values for the specified options.

~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
Basic user creation
[root@localhost ~]# useradd user2 - Create a User Account with Default Values defined in the useradd and login.defs files

[root@localhost ~]# useradd -u 1010 -g 1001 -m -d /home/user3 -k /etc/skel -s /bin/bash user3 - Create user3 with UID 1010 (-u), home directory /home/user3 (-m and -d), shell /bin/bash (-s), membership in group 1001 (-g), and default startup files copied into this user’s home directory (-k)

[root@localhost ~]# useradd -s /sbin/nologin user4 - Create user4 with shell file /sbin/nologin. This shell is primarily used for application accounts that do not require login access to the system. It can also be assigned to a regular user to disable access temporarily using the usermod command.

[root@localhost ~]# ls /home/
user1 user2 user3 user4
Checking the files: verify that all four files were filled in correctly.
grep for user2 in the passwd, shadow, group, and gshadow files to check what the useradd command has added:

[root@localhost ~]# cd /etc; grep user2 passwd shadow group gshadow
passwd:user2:x:1001:1001::/home/user2:/bin/bash
shadow:user2:$6$k8Zc4syc$vGkOpb5g/kcNEE8SwYy9kcw5pc6I.eWP90bWwS7WXpk.gXzmiawBueQIvJOaiEtCaEIRDe3Nacr5hFKRDztM5/:17098:0:99999:7:::
group:user2:x:1001:
gshadow:user2:!::

[root@localhost etc]# cd /etc ; grep user3 passwd shadow group gshadow
passwd:user3:x:1010:1001::/home/user3:/bin/bash
shadow:user3:$6$4Y9/Kbaz$J3E6ndqZ7dOXGF5t/gTwDXL7vaDJjiadR9jg4JnfX5BLnClm0lfnRba6qkE6RSRcy6xpe9qNRZXuBXnXX58VM1:17098:0:99999:7:::

[root@localhost etc]# cd /etc ; grep user4 passwd shadow group gshadow
passwd:user4:x:1011:1011::/home/user4:/sbin/nologin
shadow:user4:$6$yjNYeAkL$GPmyvzx0ipg6ZKndwJyGA8VhUrKvjKpsOYSwX.KpvfBEjBY6H085l0WJtYa04DX.bFgDUuTEMsI2r2APgwk1v.:17098:0:99999:7:::
group:user4:x:1011:
gshadow:user4:!::
Checking that it works
[user1@localhost ~]$ su - user2
Password:
Last login: Mon Oct 24 17:20:51 MSK 2016 on pts/0

[root@localhost ~]# su - user4
Last login: Mon Oct 24 17:51:42 MSK 2016 on pts/0
This account is currently not available. -- The message “This account is currently not available” is displayed when a user with a nologin shell attempts to log in.

[root@localhost ~]# su - user5
su: user user5 does not exist
useradd – Adds a user. The useradd command adds entries to the passwd, group, shadow, and gshadow files for each user added to the system. This command creates a home directory for the user and copies the default user startup files from the skeleton directory /etc/skel into the user’s home directory. It can also be used to update the default settings that are used at the time of new user creation for unspecified settings. The useradd command has several options available with it.
login – Specifies a login name to be assigned to the new user account.
-b/--base-dir – Defines the absolute path to the base directory for placing user home directories.
-c/--comment – Describes useful information about the user.
-d/--home-dir – Defines the absolute path to the user home directory.
-D/--defaults – Displays or modifies the default settings. The useradd command picks up the default values from the /etc/default/useradd and /etc/login.defs files for any options that are not specified at the command line. Moreover, the login.defs file is also consulted by the usermod, userdel, chage, and passwd commands as needed. We can view the useradd file contents with a command such as cat or more, or display the settings with the useradd -D command.
[root@localhost ~]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
We can modify these defaults and set them to our desired values. For instance, the following changes the default base directory to /usr/home as the new location for placing home directories for new users:
[root@localhost ~]# useradd -D -b /usr/home

[root@localhost ~]# useradd -D
GROUP=100
HOME=/usr/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
The other file, /etc/login.defs, comprises additional directives that set several defaults. User and group management commands consult this file to obtain information that is not specified at the command line.
[root@localhost ~]# grep -v ^# /etc/login.defs | grep -v ^$
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
These directives define the mail directory location for the user (MAIL_DIR), password aging attributes (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE), range of UIDs and GIDs to be allocated to new user and group accounts (UID_MIN, UID_MAX, GID_MIN and GID_MAX), range of UIDs and GIDs to be allocated to new system user and group accounts (SYS_UID_MIN, SYS_UID_MAX, SYS_GID_MIN and SYS_GID_MAX), and instructions for the useradd command to create a home directory (CREATE_HOME), set the default umask to 077 (UMASK), delete the user’s group if it contains no more members (USERGROUPS_ENAB), and use the SHA512 algorithm for encrypting user passwords (ENCRYPT_METHOD).
-e/--expiredate – Specifies a date after which a user account is automatically disabled. The format for date specification is YYYY-MM-DD.
-f/--inactive – Denotes maximum days of inactivity before a user account is declared invalid.
-g/--gid – Specifies the primary group identifier. The base GID is 1000. If this option is not used, a group account matching the user name is created with the GID matching the UID. If you wish to assign a different GID, specify it with this option. Make sure that the group already exists.
-G/--groups – Specifies the membership for up to 20 comma-separated supplementary groups. If this option is not specified, no supplementary groups are added.
-k/--skel – Specifies the location of the skeleton directory (default is /etc/skel), which contains default user startup files. These files are copied to the user’s home directory at the time of account creation. Three bash shell files – .bash_profile, .bashrc, and .bash_logout – are available in this directory by default.
You may customize these files or add more files to this directory to ensure new users get them. Existing user home directories are not affected by this change.
-K/--key – Overrides some of the default values specified in the /etc/login.defs file.
-M/--no-create-home – Prevents the command from creating a home directory for the user.
-m/--create-home – Creates a home directory if it does not already exist.
-N/--no-user-group – Prevents the command from creating a private group for the user.
-o/--non-unique – Creates a user account sharing the UID of an existing user. When two users share a common UID, both get identical rights on each other’s files. This should only be done in specific situations.
-r/--system – Creates a system account with a UID below 1000 and a never-expiring password.
-s/--shell – Defines the absolute path to the shell file.
-u/--uid – Indicates a unique user identifier. The base UID is 1000. If this option is not specified, the next available UID from the /etc/passwd file is used.

Usermod

  • usermod -u 2000 -m -d /home/user2new -s /sbin/nologin -l user2new user2 – Modify the login name for user2 to user2new (-l), UID to 2000 (-u), home directory to /home/user2new (-m and -d) and login shell to /sbin/nologin (-s)
[root@localhost ~]# cd /etc; grep user2 passwd
user2new:x:2000:1001::/home/user2new:/sbin/nologin
usermod – Modifies user attributes. The syntax of this command is very similar to that of useradd, with most options identical. Options that are specific to usermod only:
-L/--lock – Locks a user account by placing an exclamation mark at the beginning of the password field, before the encrypted password.
-U/--unlock – Unlocks a user’s account by removing the exclamation mark from the beginning of the password field.
-a/--append – Adds a user to the supplementary group(s) (used together with -G).
-l/--login – Specifies a new login name.
-m/--move-home – Creates a new home directory and moves the contents from the old location to it.

Userdel

Userdel example (delete the user together with the home directory)
sudo userdel -r akandratov
userdel – Deletes a user. The userdel command is straightforward. It removes entries for the specified user from all the authentication files.
-r – deletes the user’s home directory if the option is specified.
-f – forces the removal even if the user is still logged in.

passwd

Setting the password
[root@localhost ~]# passwd user2
Changing password for user user2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Example of locking an account with passwd/usermod.
Lock the user2new account using either of the following:

[root@localhost ~]# usermod -L user2new

[root@localhost ~]# passwd -l user2new
Locking password for user user2new.
passwd: Success

[root@localhost ~]# cat /etc/passwd | grep user2new
user2new:x:2000:1001::/home/user2new:/sbin/nologin
passwd – The common use of the passwd command is to set or modify a user’s password; however, we can also use this command to lock and unlock a user account and modify their password aging attributes.
-d (--delete) Deletes a user password without expiring the user account.
-e (--expire) Forces a user to change their password upon next logon.
-l (--lock) Locks a user account.
-u (--unlock) Unlocks a user account.
-k (--keep) Re-activates an expired user account without changing the password.
-i (--inactive) Defines the number of days of inactivity after the password expiry and before the account is locked. It corresponds to the seventh field in the shadow file.
-n (--minimum) Specifies the number of days that must elapse before the password can be changed. It corresponds to the fourth field in the shadow file.
-w (--warning) Defines the number of days a user gets warning messages to change password. It corresponds to the sixth field in the shadow file.
-x (--maximum) Denotes the maximum days of validity of the password before a user starts getting warning messages to change password. It corresponds to the fifth field in the shadow file.

chage / passwd / usermod for managing password aging

chage

    • chage -E 2024-12-31 user10 – deactivate user user10 on 2024-12-31
    • chage -d 0 user60 – force a password change at next login (the equivalent of sudo passwd -e weril)
    • chage -m 10 -M 30 -W 7 -E 2016-12-31 user3 – Configure password aging for user3 with mindays (-m) set to 10 (cannot change their password within 10 days after setting it), maxdays (-M) to 30 (password validity of 30 days), warndays (-W) to 7 (user should get warning messages for changing password for 7 days before their account is locked), and account expiry set to December 31, 2016
    • passwd -n 7 -x 15 -w 3 user5 – configures password aging for user5 with mindays (-n) set to 7, maxdays (-x) to 16, and warndays (-w) to 3 using passwd
    • passwd -n 7 -x 28 -w 5 user2 – Configure password aging for user2 with mindays (-n) set to 7, maxdays (-x) to 28, and warndays (-w) to 5 using passwd
    • usermod -e 2016-12-31 user2new – set the account expiry date with usermod
      [root@localhost ~]# chage -l user2new | grep Account
      Account expires : Dec 31, 2016
    • show: chage -l user10 – lists the password aging attributes for a user

# chage -l user10
Last password change : May 24, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@localhost ~]# chage -l user1
Last password change : never
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7


[root@localhost ~]# chage -l user2
Last password change : Oct 24, 2016
Password expires : Nov 21, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 28
Number of days of warning before password expires : 5


[root@localhost ~]# chage -l user3
Last password change : Oct 24, 2016
Password expires : Nov 23, 2016
Password inactive : never
Account expires : Dec 31, 2016
Minimum number of days between password change : 10
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
    • The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.
chage – Sets or modifies password aging attributes for a user.
-l – Lists password aging attributes set on a user account.
-d/--lastday – Specifies a date in the YYYY-MM-DD format, or number of days since the epoch time when the password was last modified. With -d 0, the user is forced to change the password at next login. It corresponds to the third field in the shadow file.
-E (--expiredate) Sets a date in the YYYY-MM-DD format, or number of days since the epoch time on which the user account is deactivated. With -1, this feature can be disabled. It corresponds to the eighth field in the shadow file.
-I (--inactive) Defines the number of days of inactivity after the password expiry and before the account is locked. With -1, this feature can be disabled. It corresponds to the seventh field in the shadow file.
-m (--mindays) (cannot change their password within x days after setting it) Indicates the minimum number of days that must elapse before the password can be changed. A value of 0 in this field allows the user to change their password at any time. It corresponds to the fourth field in the shadow file.
-M (--maxdays) (password validity of x days) Denotes the maximum days of validity of the password before the user starts getting warning messages to change the password. With -1, this feature can be disabled. It corresponds to the fifth field in the shadow file.
-W (--warndays) (user should get warning messages for changing password for x days before their account is locked) Designates the number of days the user gets warning messages to change password before the password expiry. It corresponds to the sixth field in the shadow file.
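Added example (not from the original notes): the arithmetic behind the dates that chage -l prints. The shadow file stores day counts since 1970-01-01, so "Password expires" is the last-change day plus the maximum age, and "Account expires" is field eight converted to a date. The sample records are constructed and reuse the user2/user3 aging values from above (last change on day 17098, i.e. Oct 24, 2016); the day-to-date conversion is plain integer arithmetic so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example: turn the raw numbers of a shadow record into the dates that
# chage -l prints. Records are constructed; hashes are placeholders.

# Day count since 1970-01-01 -> YYYY-MM-DD, integer arithmetic only
# (proleptic Gregorian calendar, valid for any non-negative day count).
days_to_date() {
  z=$(( $1 + 719468 ))            # shift epoch to 0000-03-01
  era=$(( z / 146097 ))           # 400-year cycles
  doe=$(( z - era * 146097 ))     # day of era
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))  # day of year, March-based
  mp=$(( (5 * doy + 2) / 153 ))   # month index, 0 = March
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
  y=$(( yoe + era * 400 ))
  if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Field $1 of shadow record $2
sfield() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# "Last password change" line: field 3 (0 = must change at next login)
last_password_change() {
  last=$(sfield 3 "$1")
  if [ -z "$last" ]; then echo never
  elif [ "$last" -eq 0 ]; then echo "password must be changed"
  else days_to_date "$last"; fi
}

# "Password expires" line: last change + max age (field 5). A maximum of
# 10000 days or more is reported as never, as chage does (the default 99999
# falls in that range).
password_expires() {
  last=$(sfield 3 "$1"); max=$(sfield 5 "$1")
  if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 10000 ]; then echo never
  elif [ "$last" -eq 0 ]; then echo "password must be changed"
  else days_to_date $(( last + max )); fi
}

# "Account expires" line: field 8 as a day count, empty means never
account_expires() {
  exp=$(sfield 8 "$1")
  if [ -z "$exp" ]; then echo never; else days_to_date "$exp"; fi
}

# Stand-alone run over the constructed records
for rec in 'user2:$6$salt$hash:17098:7:28:5:::' \
           'user3:$6$salt$hash:17098:10:30:7::17166:' \
           'user1:!!::0:99999:7:::'; do
  echo "${rec%%:*}: last change $(last_password_change "$rec"), \
password expires $(password_expires "$rec"), account expires $(account_expires "$rec")"
done
```

The output for user2 and user3 matches the chage -l listings above (Nov 21 and Nov 23, 2016; account expiry Dec 31, 2016 for user3), and user1 with an empty third field reports "never" for the last change, exactly as chage does.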

su

The su command available in RHEL provides us with the ability to switch into other user accounts.

Even though we can log in to the system directly as root, it is not a recommended practice. The recommended practice is to log in with our own normal user account and then switch into the root account if necessary. This is safer and ensures system security and protection. In addition to becoming root, we can switch into another user account as well. In either case, we need to know the password for the target user account for a successful switch, with one exception: the root user can switch into any other user account on the system without being prompted for that user’s password.
To switch from user1 to root without executing startup scripts for the target user:
[user1@localhost ~]$ su
Password:
[root@localhost user1]#
To repeat the above while ensuring that startup scripts for the target user are also executed to provide an environment similar to a real login.
[user1@localhost ~]$ su -
Password:
Last login: Mon Oct 24 18:27:52 MSK 2016 on pts/0
[root@localhost ~]#
To switch into a different user account specify the name of the target user with the command:
[user1@localhost ~]$ su - user2new

To issue a command as a different user without switching into that user, the -c option is available with su. For example, the firewall-cmd command with the --list-services option requires superuser privileges. user1 can use su as follows to execute this privileged command and obtain the desired result:

[user1@localhost ~]$ su -c 'firewall-cmd --list-services'
Password:
dhcpv6-client ftp ssh

sudo/sudoers

    • The sudoers file contains several examples with a brief explanation. It is a good idea to look at those examples for a better understanding.

Adding a specific user to sudo (sudoers).

sudo vi /etc/sudoers

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
weril ALL=(ALL) ALL
RHEL offers a way for normal users to be able to run an assigned set of privileged commands without the knowledge of the root password. This allows the flexibility of assigning a specific command or a set of commands to an individual user or a group of users based on their needs. These users can then precede one of those commands with a utility called sudo (superuser do) at the time of executing that command. The users are prompted to enter their own password, and if correct, the command is executed successfully. The sudo utility is designed to provide protected access to administrative functions as defined in the /etc/sudoers file. It can also be used to allow a user or a group of users to run scripts and applications owned by a different user.
Any normal user who requires access to one or more administrative commands is defined in the sudoers file. This file should be edited with the visudo command, which creates a copy of the file as sudoers.tmp and applies the changes there. After the visudo session is over, visudo checks the syntax of the result and only then overwrites the original sudoers file; sudoers.tmp is deleted. This prevents multiple users from editing the file simultaneously and keeps a broken file from being installed.
The syntax for user and group entries in the file is similar to the following example entries for user user1 and members of the wheel group (a group name is prefixed by the % sign). These entries grant ALL commands on ALL hosts as ALL run-as users. Now, when user1 or any wheel group member executes a privileged command, they are required to enter their own password.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
user1 ALL=(ALL) ALL
If we want user1 and wheel group members not to be prompted for a password, we can modify their entries in the sudoers file to look like:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) NOPASSWD: ALL
user1 ALL=(ALL) NOPASSWD: ALL

[user1@localhost ~]$ sudo cat 1
[user1@localhost ~]$
To restrict user1 and wheel group members to running only the date and cat commands, modify the directives as follows. Note that a whitelist is only as safe as the commands on it: cat run as root still reads any file, /etc/shadow included, so pick allowed commands with care.
## Allows people in group wheel to run only date and cat
%wheel ALL=/usr/bin/date,/usr/bin/cat
user1 ALL=/usr/bin/date,/usr/bin/cat

[user1@localhost ~]$ sudo cat 1
[sudo] password for user1:
[user1@localhost ~]$ sudo tail 1
Sorry, user user1 is not allowed to execute '/bin/tail 1' as root on localhost.localdomain.
Configuring sudo the way it has just been explained may result in a cluttered sudoers file containing too many entries. To avoid this and for better management of the file, sudo allows us to use aliases to define groups of users, commands, and hosts using the User_Alias, Cmnd_Alias, and Host_Alias directives. For instance, we can define a Cmnd_Alias called PKGCMD containing the yum and rpm package management commands, and a User_Alias called PKGADM containing users user1 to user5. These users may or may not belong to the same Linux group. We then give PKGADM access to PKGCMD. This way one rule allows a group of users access to a group of commands, and commands and users can be added or removed at any time. Here is what needs to be added to the sudoers file to achieve this (a User_Alias is referenced by its bare name; the % prefix is only for Unix groups):
Cmnd_Alias PKGCMD = /usr/bin/yum, /usr/bin/rpm
User_Alias PKGADM = user1, user2, user3, user4, user5
PKGADM ALL = PKGCMD
The sudo command logs successful authentication and command data to /var/log/secure on RHEL (Debian and Ubuntu write the same records to /var/log/auth.log; journalctl also shows them). Each record carries the name of the actual user executing the command (and not root), which is what makes sudo auditable.
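Resolving what a given user may actually run is the check a practitioner wants before and after editing sudoers. The following is an added example, not code from this page or from sudo itself: it parses sudoers-style text limited to the constructs used above (user, %group and User_Alias subjects, Cmnd_Alias, an optional (runas) prefix and the NOPASSWD: tag), resolves the grants for a user against a group file, and flags the risky ones. The sudoers and group contents, user names and the RISKY_BINARIES list are constructed for illustration; host matching, negation (!) and nested aliases are not handled, and the user's primary group from /etc/passwd is ignored.

```python
import re

# Constructed /etc/group-style content (name:x:gid:members), not from a real host.
GROUP_FILE = """\
root:x:0:
wheel:x:10:user1
admins:x:6666:user4
"""

# Constructed sudoers content mirroring the entries discussed above.
SUDOERS = """\
## Allow root to run any commands anywhere
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
user2   ALL=/usr/bin/date,/usr/bin/cat
Cmnd_Alias PKGCMD = /usr/bin/yum, /usr/bin/rpm
User_Alias PKGADM = user3, user4, user5
PKGADM  ALL = PKGCMD
"""

# Optional "(runas)" prefix, then zero or more "TAG:" words, then the command list.
SPEC_RE = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*)$")

# Programs that, run as root, read or write any file or escape to a shell.
# A short illustrative list (assumption), not an exhaustive one.
RISKY_BINARIES = {"cat", "tail", "less", "more", "vi", "vim", "sh", "bash"}


def user_groups(user, group_text):
    """Supplementary groups of user: every group whose 4th field lists the user."""
    groups = set()
    for line in group_text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            if user in members.split(","):
                groups.add(name)
    return groups


def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); a rule is (subject, host, spec)."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        tokens, rhs = lhs.split(), rhs.strip()
        if tokens[0] == "User_Alias":
            user_aliases[tokens[1]] = [u.strip() for u in rhs.split(",")]
        elif tokens[0] == "Cmnd_Alias":
            cmnd_aliases[tokens[1]] = [c.strip() for c in rhs.split(",")]
        elif not tokens[0].startswith("Defaults"):      # Defaults lines are not grants
            host = tokens[1] if len(tokens) > 1 else "ALL"
            rules.append((tokens[0], host, rhs))
    return user_aliases, cmnd_aliases, rules


def parse_spec(spec, cmnd_aliases):
    """'(runas) TAG: cmd, cmd' -> (runas, [tags], [commands]) with Cmnd_Alias expanded."""
    m = SPEC_RE.match(spec)
    runas = (m.group("runas") or "root").strip()    # sudoers default run-as user is root
    tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
    commands = []
    for c in m.group("cmds").split(","):
        c = c.strip()
        if c:
            commands.extend(cmnd_aliases.get(c, [c]))
    return runas, tags, commands


def grants_for(user, sudoers_text, group_text):
    """Every (runas, tags, commands) spec that applies to user."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(sudoers_text)
    groups = user_groups(user, group_text)
    grants = []
    for subject, _host, spec in rules:
        if (subject == user
                or (subject.startswith("%") and subject[1:] in groups)
                or user in user_aliases.get(subject, [])):
            grants.append(parse_spec(spec, cmnd_aliases))
    return grants


def risk_flags(user, sudoers_text, group_text):
    """Findings a reviewer would raise about user's grants."""
    findings = []
    for runas, tags, commands in grants_for(user, sudoers_text, group_text):
        if "NOPASSWD" in tags:
            findings.append("NOPASSWD: privilege use without re-authentication")
        if "ALL" in commands:
            findings.append("ALL: unrestricted commands as %s" % runas)
        for cmd in commands:
            program = cmd.split()[0].rsplit("/", 1)[-1]   # basename without arguments
            if program in RISKY_BINARIES:
                findings.append("%s as %s reads any file or escapes to a shell" % (cmd, runas))
    return findings


if __name__ == "__main__":
    for u in ("user1", "user2", "user4", "user9"):
        print(u, grants_for(u, SUDOERS, GROUP_FILE), risk_flags(u, SUDOERS, GROUP_FILE))
```

On a live host, `sudo -l -U username` (run as root) is the authoritative answer and honours everything this parser skips; the script is for reviewing a sudoers file offline, for example in a configuration repository before it is deployed.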

groups

List the current user's groups without IDs (use id to see the IDs as well).

$ groups
user cdrom floppy audio dip video plugdev netdev

Add group shared with GID 9999. All groups are stored in /etc/group (backup in /etc/group-). groupmod is used to modify an existing group.

$ sudo groupadd -g 9999 shared
$ tail -1 /etc/group
shared:x:9999:
Add existing users as members of the group. -a is required: -G alone replaces the user's entire supplementary group list, so without it test_user1 would silently drop out of every other group (wheel or sudo included).
$ sudo usermod -a -G shared test_user1
$ sudo usermod -a -G shared test_user2
$ tail -1 /etc/group
shared:x:9999:test_user1,test_user2 # shared - group name,
x - the group password field; the password itself (usually none) lives in the separate /etc/gshadow file,
9999 - group ID,
test_user1/2 - group members

Managing group accounts involves creating and modifying groups, adding and deleting group members and administrators, setting and revoking group-level password, and deleting groups. RHEL provides a set of tools and the graphical User Manager for performing these operations. The command toolset is part of the shadow-utils package and the User Manager GUI application becomes available when the system-config-users package is installed on the system.

groupadd – Adds a group. The groupadd command picks up the default values from the login.defs file. The command adds entries to the group and gshadow files for each group added to the system.

-g/--gid – Specifies the GID to be assigned to the group.

-o/--non-unique – Creates a group account sharing the GID of an existing group. When two groups share a common GID, members of each group get identical rights on each other's files. This should only be done in specific situations.

-r/--system – Creates a system group account with a GID below 1000.

groupname – Specifies a group name.

Create group account admins with GID 6666:

[root@localhost ~]# groupadd -g 6666 admins

Create group account tests sharing the GID of group admins:

[root@localhost ~]# groupadd -o -g 6666 tests

groupmod – Modifies group attributes. Most options are identical to those of groupadd.

-n/--new-name – Changes the name of an existing group, e.g. rename tests to tests666:
[root@localhost ~]# groupmod -n tests666 tests

Change the GID of the tests666 group to 6666 (as with groupadd, a GID already used by another group is accepted only together with -o):

[root@localhost ~]# groupmod -g 6666 tests666

usermod – Add user user1 to group admins while retaining the user's existing supplementary group memberships (-a; without it, -G overwrites the list):

[root@localhost ~]# usermod -a -G admins user1

[root@localhost ~]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),6666(admins)

[root@localhost ~]# groups user1
user1 : user1 admins
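The -a behaviour of usermod and the shared-GID case of groupadd -o are both easy to get wrong on a live system, where the first mistake may strip an admin of wheel or sudo. The following is an added example, not code from this page or from shadow-utils: it models what `usermod -G` does to /etc/group with and without -a, and reports groups that share a GID. Group names, GIDs and members are constructed for illustration; unlike the real usermod, the model ignores group names that do not exist in the file instead of rejecting them.

```python
# Constructed /etc/group-style content (name:x:gid:members), not from a real host.
GROUP_FILE = """\
root:x:0:
wheel:x:10:test_user1
audio:x:63:test_user1,test_user2
shared:x:9999:
admins:x:6666:
tests:x:6666:
"""


def parse_group(text):
    """name -> (gid, [members]) from name:x:gid:members lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def render_group(groups):
    """Inverse of parse_group, in /etc/group layout."""
    return "".join("%s:x:%d:%s\n" % (n, g, ",".join(m)) for n, (g, m) in groups.items())


def usermod_G(groups, user, new_groups, append):
    """Model of `usermod [-a] -G new_groups user`.

    append=True  (-a -G): user is added to new_groups and keeps all other memberships.
    append=False (-G):    new_groups becomes the user's whole supplementary list,
                          i.e. the user is removed from every group not named.
    Unknown group names are ignored here; the real usermod refuses them.
    """
    out = {}
    for name, (gid, members) in groups.items():
        kept = list(members) if append else [m for m in members if m != user]
        if name in new_groups and user not in kept:
            kept.append(user)
        out[name] = (gid, kept)
    return out


def supplementary_groups(groups, user):
    """What `groups user` lists after the primary group (primary group not modelled)."""
    return sorted(n for n, (_g, m) in groups.items() if user in m)


def shared_gids(groups):
    """gid -> group names for every GID used by more than one group (groupadd -o)."""
    by_gid = {}
    for name, (gid, _m) in groups.items():
        by_gid.setdefault(gid, []).append(name)
    return {g: sorted(names) for g, names in by_gid.items() if len(names) > 1}


if __name__ == "__main__":
    g = parse_group(GROUP_FILE)
    print("with -a: ", supplementary_groups(usermod_G(g, "test_user1", ["shared"], True), "test_user1"))
    print("without: ", supplementary_groups(usermod_G(g, "test_user1", ["shared"], False), "test_user1"))
    print("shared GIDs:", shared_gids(g))
```

The shared-GID report is worth running after any groupadd -o: members of admins and tests above have identical rights on each other's group-owned files, which is rarely what the second group was created for.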

groupdel – Deletes a group. Removes entries for the specified group from both group and gshadow files.

[root@localhost ~]# groupdel admins

gpasswd – can be used to add group administrators, add or delete group members, assign or revoke a group password, and disable access to a group via the newgrp command. The root user can perform all of these tasks, while a group administrator can perform only the last three. This command prompts for a new group password if invoked with just the group name by root or the group administrator. The gpasswd command updates the group and gshadow files. This command picks up the default values from the /etc/login.defs file.

-A/--administrators – Adds one or more group administrators. Inserts an entry in the third field of the gshadow file.

-a/--add – Adds a group member. Inserts an entry in the fourth field of both group and gshadow files.

-d/--delete – Deletes a group member.

-M/--members – Replaces the whole existing member list.

-R/--restrict – Restricts access to the group: the group password is set to "!", so non-members can no longer join it with newgrp; members can still use it.

-r/--remove-password – Removes the password set on a group. Only group members can then join the group.

If a password is set the members can still use newgrp(1) without a password, and non-members must supply the password. Group passwords are an inherent security problem since more than one person is permitted to know the password. However, groups are a useful tool for permitting co-operation between different users.
gpasswd -A user1,user2new admins - Add user1 and user2new as administrators of the group

gpasswd -a user2new -a user3 admins - Add user2new and user3 as members of the group

gpasswd -M user4 admins - Replace the whole member list (user2new and user3) with user4

gpasswd admins - Set a password on the group

Log in as user4 and run the groups command to list group membership for user4. The primary group is listed first.

[user4@localhost ~]$ groups
user4 admins

Temporarily change the primary group for user4 to admins:

[user4@localhost ~]$ newgrp admins

Verify the new primary group membership for user4. It should be listed first in the output.

[user4@localhost ~]$ groups
admins user4

Return to the original primary group by issuing the exit command or pressing Ctrl+d, and verify

[user4@localhost ~]$ exit
logout

[root@localhost ~]# su - user4
Last login: Tue Oct 25 16:53:33 MSK 2016 on pts/1

[user4@localhost ~]$ groups
user4 admins

questions

1. What are the two utilities for manually editing shadow password files exclusively?
vipw, vigr
2. What are the two tools for checking shadow password files consistency?
pwck,grpck
3. What does the “x” in the password field in the passwd file imply?
The “x” in the password field implies that the encrypted password is stored in the shadow file.
4. What would the command useradd -D do?
Show the default values for newly created accounts.
When invoked with only the -D option, useradd displays the current default values. When invoked with -D plus other options, useradd updates the default values for the specified options (they are stored in /etc/default/useradd).
~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

5. Name the four local user authentication files.

passwd, shadow, group, gshadow
6. The passwd file contains secondary user group information. True or False?
False: /etc/passwd holds only the primary GID; secondary (supplementary) memberships are the member lists in /etc/group.
7. What does the gpasswd command do?
gpasswd command is used to add group administrators, add or delete group members, assign and revoke a group password, and disable access to a group with the newgrp command.
8. What is the name and location of the sudo configuration file?
/etc/sudoers
9. Which command would we use to add group administrators?
gpasswd
10. Name the two types of shell startup files?
system-wide, per-user
11. What would the command passwd -l user10 do?
Lock the account: the password hash in /etc/shadow gets a "!" prefix, so password authentication fails. Authentication methods that do not use the hash, such as SSH public-key login, may still succeed, so to fully disable an account also expire it (chage -E 0 user10).
12. What is the first UID assigned to a regular user?
1000
13. Name the three fundamental user account categories in RHEL.
root, normal, and service
14. Every user in RHEL gets a private group by default. True or False?
true
15. What would the userdel command do if it is run with the -r option?
Delete the account together with the user's home directory and mail spool (without -r those files are left behind, still owned by the now-free UID).
16. What is the first GID assigned to a group?
1000
17. Write two command names for managing password aging.
chage, passwd
18. What is the name of the default backup file for shadow?
shadow-
19. What would the command chage -E 2015-12-31 user10 do?
Set the account expiration date for user10: from 2015-12-31 the account can no longer log in, regardless of password status. The date is stored in the eighth field of /etc/shadow as the number of days since 1970-01-01.
20. What would the command chage -l user5 do?
List the password aging attributes set on the user account.
21. What is the difference between running the su command with and without the dash sign?
With the dash sign the su command starts a login shell and processes the specified user's startup files (profile, environment, working directory); without it the current environment is kept.
22. What is the significance of the -o option with the groupadd and groupmod commands?
It allows a non-unique GID, i.e. a group that shares its GID with an existing group.
23. What would the command passwd -n 7 -x 15 -w 3 user5 do?
Configures password aging for user5 with mindays (-n) set to 7, maxdays (-x) to 15, and warndays (-w) to 3.
24. What two commands are used to create and update the shadow and gshadow files?
pwconv grpconv
25. What would the command useradd user500 do?
Create the user account user500 with the default values defined in /etc/default/useradd and /etc/login.defs (on RHEL this includes a private group and a home directory).
26. Which command is used to change a user’s primary group temporarily?
newgrp
27. What would the command chage -d 0 user60 do?
With -d 0 (last password change set to day 0), the user is forced to change the password at next login.
28. What four local files are updated when a user account is created?
passwd, shadow, group, gshadow
29. UID 999 is reserved for normal users. True or False?
false
30. The /etc/bashrc file contains shell scripts that are executed at user login. True or False?
True
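Several of the questions above (11, 19, 20, 23 and 27) come down to how the login-time checks read the fields of /etc/shadow. The following is an added example, not code from this page or from shadow-utils or pam_unix: it evaluates constructed shadow-style entries the way those checks do, so the effect of passwd -l, chage -d 0, chage -E and passwd -n/-x/-w can be seen without touching a real system. Field order follows shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved, with all day counts relative to 1970-01-01; the hashes are placeholders.

```python
import datetime

EPOCH = datetime.date(1970, 1, 1)


def days_since_epoch(d):
    """Calendar date -> the day number stored in shadow fields 3 and 8."""
    return (d - EPOCH).days


def day(n):
    """Inverse of days_since_epoch, handy for constructing dates."""
    return EPOCH + datetime.timedelta(days=n)


# Constructed /etc/shadow content (placeholder hashes), not from a real host.
# user5: passwd -n 7 -x 15 -w 3; user10: chage -E 2015-12-31; user60: chage -d 0;
# stale: 30-day inactivity period after a 90-day maximum; locked: passwd -l.
SHADOW = """\
user5:$6$salt$placeholder:17000:7:15:3:-1::
user10:$6$salt$placeholder:16000:0:99999:7::%d:
user60:$6$salt$placeholder:0:0:99999:7:::
stale:$6$salt$placeholder:16000:0:90:7:30::
locked:!$6$salt$placeholder:17000:0:99999:7:::
""" % days_since_epoch(datetime.date(2015, 12, 31))


def load_shadow(text):
    """name -> parsed entry; empty numeric fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        num = lambda v: int(v) if v else None
        entries[f[0]] = {"hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
                         "max": num(f[4]), "warn": num(f[5]),
                         "inactive": num(f[6]), "expire": num(f[7])}
    return entries


def account_state(e, today):
    """Classify an entry for a calendar date: account expiry first, then password
    aging, in the order pam_unix applies them. The '!'/'*' lock check is really the
    separate authentication step, which such a hash can never pass."""
    t = days_since_epoch(today)
    if e["expire"] is not None and e["expire"] > 0 and t >= e["expire"]:
        return "account expired"                      # chage -E: unusable from that date on
    if e["hash"].startswith(("!", "*")):
        return "password locked"                      # passwd -l / usermod -L prefix '!'
    if e["lastchg"] == 0:
        return "must change password at next login"   # chage -d 0 / passwd -e
    if e["lastchg"] is None or e["max"] is None or e["max"] <= 0:
        return "ok (no aging)"
    age = t - e["lastchg"]
    if age < 0:
        return "ok (last change is in the future, check the clock)"
    if e["inactive"] is not None and e["inactive"] > 0 and age > e["max"] + e["inactive"]:
        return "password expired, account inactive"   # past max plus the inactive grace period
    if age > e["max"]:
        return "password expired, must change"        # passwd -x exceeded
    days_left = e["max"] - age
    if e["warn"] is not None and e["warn"] > 0 and days_left <= e["warn"]:
        return "ok, warn: %d day(s) left" % days_left  # inside the passwd -w window
    return "ok"


def may_change_password(e, today):
    """passwd -n: a non-root user may change the password only min days after the last change."""
    if e["lastchg"] is None or e["min"] is None or e["min"] <= 0:
        return True
    return days_since_epoch(today) - e["lastchg"] >= e["min"]


if __name__ == "__main__":
    entries = load_shadow(SHADOW)
    for name, e in entries.items():
        print(name, account_state(e, day(17013)), may_change_password(e, day(17013)))
```

Note the two different meanings of "expired": a password past maxdays only forces a change at the next login, while an account past its chage -E date (or past maxdays plus the inactive period) is refused outright.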