User and Group Administration




In Red Hat Linux there are three different types of user account:
root, normal user and system account (pseudo-user).

Root user
·      The root user is the equivalent of the Administrator or Enterprise Admin account in the Windows world.
·      It is the most powerful account on the system and has access to everything.

Normal user
·      Normal user accounts have no write access to anything on the system except their own home directory.
·      They can, however, read and explore much of the system.

System account (pseudo-user)
·      A system user account is similar to a normal user account.
·      The main difference is that system users normally don't have a home directory and can't log in the way normal users do.
·      Many system users are created for, or associated with, a service so that it runs more securely. Think of it this way: if a system user is created for the Apache service (the web server) and that account is compromised, the attacker gains access only to the web server and its config files. It would be far worse if the Apache service were running as root; in that case the attacker would have full access to the whole system. This is one more reason why you should never really need the root account unless there is a problem with the system.

Command – Description

1.   useradd – Creates user or system accounts
2.   groupadd – Creates a group
3.   passwd – Sets or resets the password of a user account
4.   gpasswd – Sets an encrypted group password
5.   usermod – Modifies user accounts
6.   groupmod – Modifies the properties of a group
7.   userdel – Removes a user or system account
8.   groupdel – Deletes a group
9.   id – Shows the UID and GIDs of a given user
10.  chsh – Changes the user's login shell
11.  chage – Modifies the parameters surrounding passwords (complexity, age, expiration)
12.  pwck – Verifies the consistency of the password database files
13.  users – Displays the currently logged-in users
14.  groups – Prints the groups a user is in
15.  newusers – Creates users in bulk from a file
16.  system-config-users – Adds users and groups graphically
17.  userinfo – Changes user information graphically
18.  su – Switches user
19.  sudo – Runs a command as another user (normally root)
20.  groupmems – Administers the members of a group




User, Group and password configuration files

Directory or File – Description

/etc/passwd – User account information (the password field is only a placeholder)
/etc/group – The groups to which users belong
/etc/shadow – Encrypted (hashed) user passwords
/etc/gshadow – Encrypted (hashed) passwords for groups
/etc/shells – The valid login shells, such as bash or tcsh
/etc/skel – The default initialization files for the login shell, such as .bash_profile, .bashrc and .bash_logout; includes many user setup directories and files such as .kde for KDE and Desktop for GNOME
/etc/login.defs – Default login definitions for users
/etc/default/useradd – Defaults for user account creation
/etc/securetty – Specifies which tty devices allow root to log in
/home – The users' home directories

The password file


Syntax of /etc/passwd:

username:password:UID:GID:comment:home:shell


·      It contains basic information about every user.
·      Other users in this file may relate to services such as mail, ftp and sshd.
·      There are 7 columns of information in this file.

1.  Username – Login name of the user
2.  Password – Encrypted password for the user's account
3.  User ID – Unique number assigned by the system
4.  Group ID – Number used to identify the group to which the user belongs
5.  Comment – Any user information, such as the user's full name
6.  Home – The user's home directory
7.  LoginShell – Shell to run when the user logs in; this is the default shell, usually /bin/bash

[root@server1 ~]# grep -i "senthil" /etc/passwd
senthil:x:500:500:R.B. SENTHIL BABU:/home/senthil:/bin/bash

The password field is actually just a placeholder (an x). The reason is that the passwords are kept in a different file, /etc/shadow.


Tips
You can find out which users are currently logged in with these commands:

w                     – detailed information: logged-in users, their terminals and what they are running
who                 – logged-in users with terminal and login time
whoami              – the name of the current (effective) user
who am i            – only the entry for the current terminal session


[root@server1 ~]# w
 09:19:09 up  1:41,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     :0               07:42    1:41m  6.05s  6.05s /usr/bin/Xorg :
root     pts/0    :0.0             08:28    0.00s  0.02s  0.00s w
[root@server1 ~]# who
root     tty1         2012-07-24 07:42 (:0)
root     pts/0        2012-07-24 08:28 (:0.0)

[root@server1 ~]# whoami
root

[root@server1 ~]# who am i
root     pts/0        2012-07-24 08:28 (:0.0)


The group file


Syntax of /etc/group
groupname:password:GID:members


·      Every Linux user is assigned to a group.
·      There are 4 columns of information in the file.

1.      Group name
2.      Password
3.      Group ID
4.      Group members

[root@server1 ~]# grep -i "skylark" /etc/group
skylark:x:501:babu


The shadow and gshadow file


Syntax of /etc/shadow

username:password:passwordhistory:mindays:maxdays:warndays:inactive:disabled


/etc/shadow and /etc/gshadow

·      The passwords are kept in a separate file called /etc/shadow.
·      Access is restricted to the root user.
·      A corresponding password file, called /etc/gshadow, is also maintained for groups that require passwords.
·      /etc/shadow has 8 columns of information.
·      /etc/gshadow has 4 columns of information.

1.      Username
2.      Password
3.      Password history
4.      Min days
5.      Max days
6.      Warn days
7.      Inactive
8.      Disabled

[root@server1 ~]# grep -i "senthil" /etc/shadow
senthil:$6$UroKWL5t$NxKyZk8e70M3f81rkNTunNNE2pMvRQhX1KoqN8/7Ov7416NX/p0lYpyKFW1LeKF4/FD9mFFvUQSrIj2jkjzMb1:15545:0:99999:7:::

1.      Group name
2.      Password
3.      Group ID
4.      Group members

[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:$6$m12bWKNx4p/wJJZ$0tQWZ2sKorkiaEDV3B/yhXnUi/8uXinUVKOF7GmoWZDhx4SmemuiiGpbEGB93RBYI0106NNVyBIzAR4K77Ry20::babu
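The field layouts above are what an administrator actually inspects when reviewing accounts. The script below is an added example written for these notes (it is not part of the original): it reads /etc/passwd and /etc/shadow field by field with awk and picks out the records worth a second look: more than one UID 0 account, accounts with a real login shell, an empty password field in /etc/shadow (no password required, as after passwd -d) and locked passwords (the "!" or "*" prefix). The two sample files, the user names in them and the placeholder hashes are constructed for the example; on a real system point the functions at /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse /etc/passwd and
# /etc/shadow field by field with awk and flag records to review.
# The two sample files below are constructed for this example.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# Constructed /etc/passwd: name:password:UID:GID:comment:home:shell.
# "opsadmin" deliberately carries UID 0 so the check below has something to find.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
senthil:x:500:500:R.B. SENTHIL BABU:/home/senthil:/bin/bash
babu:x:501:501::/home/babu:/bin/bash
ftpuser:x:503:503::/home/ftpuser:/sbin/nologin
opsadmin:x:0:0:second UID 0 account:/var/lib/opsadmin:/bin/bash
EOF

# Constructed /etc/shadow: name:password:lastchg:min:max:warn:inactive:expire:reserved.
# The hashes are placeholders, not real password hashes.
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
bin:*:15545:0:99999:7:::
senthil::15545:0:99999:7:::
babu:$6$PLACEHOLDER$HASH:15545:0:10:7:10::
ftpuser:!!:15545:0:99999:7:::
opsadmin:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
EOF

# Field 3 of /etc/passwd is the UID; more than one UID 0 entry deserves a look.
uid0_accounts() {  # PASSWD_FILE
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Field 7 is the login shell; list the accounts that can actually start one.
interactive_accounts() {  # PASSWD_FILE
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Field 2 of /etc/shadow: an empty value means no password is required at all.
passwordless_accounts() {  # SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# A leading "!" or "*" marks a locked password (passwd -l / usermod -L write the "!").
locked_accounts() {  # SHADOW_FILE
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Field 5 of /etc/shadow is the maximum password age (PASS_MAX_DAYS) for one user.
max_age_of() {  # SHADOW_FILE USER
    awk -F: -v u="$2" '$1 == u { print $5 }' "$1"
}

# Print a short review report for a passwd/shadow pair.
account_report() {  # PASSWD_FILE SHADOW_FILE
    pwfile=$1; shfile=$2
    echo "UID 0 accounts:        $(uid0_accounts "$pwfile" | tr '\n' ' ')"
    echo "Interactive shells:    $(interactive_accounts "$pwfile" | tr '\n' ' ')"
    echo "Empty password field:  $(passwordless_accounts "$shfile" | tr '\n' ' ')"
    echo "Locked passwords:      $(locked_accounts "$shfile" | tr '\n' ' ')"
}

account_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

The checks are deliberately split into one function per field so each can be reused on its own; awk's -F: splits the colon-separated record exactly as the syntax lines above describe it.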

Tips

vipw, vigr       –        edit the passwd, group, shadow and gshadow files (the file is locked while you edit it)

Options
-g         –           edit the group database
-p         –           edit the passwd database
-q         –           quiet mode
-s         –           edit the shadow or gshadow database



User Account Initialization

            When a user is created, everything from the /etc/skel directory is copied to the user's newly created home directory (usually under /home/). You can modify these "skeleton" files or add your own custom files. The benefit is that user creation becomes standardized, ensuring that policies are adhered to. The customizable files fall into two different sections:
User-specific files and system-wide settings

User-Specific files

            After a user is created and the home directory is populated, the user can customize those files to fit personal needs. For example, the user might like to have certain PATH values or specific environment variables set. The following three files allow a user to customize the login experience:

~/.bashrc                     –           Defines functions and aliases
~/.bash_profile               –           Sets environment variables
~/.bash_logout                –           Defines any commands that should be executed before logging out

[root@server1 ~]# useradd -c "R.B. SENTHIL BABU" senthil

[root@server1 ~]# passwd senthil

[root@server1 ~]# ls -a /home/senthil/
.  ..  .bash_logout  .bash_profile  .bashrc  .gnome2  .mozilla

[root@server1 ~]# ls -a /etc/skel/
.  ..  .bash_logout  .bash_profile  .bashrc  .gnome2  .mozilla

Editing these files allows each user to be unique in the way he operates. Because each file is stored in the user's home directory, it applies only to that single user. What happens, though, if there is a standard that you'd like set when users start out? Glad you asked.

Global user configuration

            Just as with the /etc/skel directory, you can edit the following three additional files to provide a more standardized setup for your users:

/etc/bashrc      –           Defines functions and aliases
/etc/profile       –           Sets environment variables
/etc/profile.d    –           Specifies a directory that contains scripts that are called by the /etc/profile file.

These files help you make sure that your users receive everything they need when they get started. If you require settings to be changed for all your users, customizing these files is the way to go. Just make sure that when you edit files for distribution, you are editing the system-wide config files and not the config files within a user's home directory.

Tips

[root@server1 ~]# ls -a /home/senthil/
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .gnome2  .mozilla

.bashrc            –           This file controls user variables and other profile settings during the login session. If you want a command to run automatically when the user logs on, put that command in this file. For example, if user "senthil" wants the screen cleared immediately after login, he needs to add the command at the end of this file.

vim .bashrc
# add your command only at the end of the file
clear

Create a user and put the exit command in his .bashrc file. Now ask your friends to log in with this user. The exit command will log the user out as soon as he logs in, so he will never be able to stay logged in.

.bash_profile         –              This script instructs the user session to read the .bashrc file for user aliases and functions. It also sets the user's command path. To add your own home directory to the command path, edit this file. For example, if user "senthil" wants his home directory searched when executing commands, he can add this line to his .bash_profile file.

vim .bash_profile
PATH=$PATH:$HOME/bin:/home/senthil

.bash_logout          -              This file is used to clear the terminal after the current user exits.

vim /home/senthil/.bash_logout
# ~/.bash_logout
clear

Tips
To stop files from being overwritten by redirection

[root@server1 Desktop]# set -o noclobber

[root@server1 Desktop]# echo "senthil" > test
bash: test: cannot overwrite existing file

[root@server1 Desktop]# set +o noclobber

[root@server1 Desktop]# echo "senthil" > test
[root@server1 Desktop]# cat test
senthil

To stop Ctrl+D from logging out of the terminal

[root@server1 Desktop]# set -o ignoreeof
Press Ctrl+D

[root@server1 Desktop]# Use "exit" to leave the shell.

[root@server1 Desktop]# set +o ignoreeof
Now press Ctrl+D


The default login file /etc/login.defs

·      This file controls specifics relating to system-wide user logins and passwords.

[root@server1 ~]# grep -v ^# /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
GID_MIN         500
GID_MAX         60000
CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
MD5_CRYPT_ENAB  no

            These values should all be self-explanatory. You can edit them if you don't like the given defaults, but remember that they are local to this system and don't apply to other systems on your network unless you change them there as well. Initialization files can save you a great deal of time, because you don't have to create custom profiles and scripts for individual users every time they are created. This does take some planning ahead, however, and you must make sure that your files and custom scripts are distributed to all users (even those that have already been created).


Switching Accounts

·      "su"            enables you to run a command as another user or switch user accounts

Examples
su username
su - username
·         "su username" moves you into the other account (root if no username is given) without initializing any of that user's path or shell variables.
·         With "su - username" everything is initialized as if you were logging in from the console.

·      "sudo"        enables you to run a command as the root user


The default user add file /etc/default/useradd

[root@server1 ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

To specify which tty devices allow root to log in

[root@server1 Desktop]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11

User and Group Management Commands: man and help output


[root@server1 Desktop]# useradd --usage
useradd: unrecognized option '--usage'
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping


[root@server1 Desktop]# groupadd --usage
groupadd: unrecognized option '--usage'
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account


[root@server1 Desktop]# userdel --usage
userdel: unrecognized option '--usage'
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force removal of files,
                                even if not owned by user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -Z, --selinux-user            remove SELinux user from SELinux user mapping

groupdel GROUP


[root@server1 Desktop]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only)
  -l, --lock              lock the named account (root only)
  -u, --unlock            unlock the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password
                          expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account
                          becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
  --stdin                 read new tokens from stdin (root only)

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message

[root@server1 Desktop]# gpasswd --help
gpasswd: unrecognized option '--help'
Usage: gpasswd [option] GROUP

Options:
  -a, --add USER                add USER to GROUP
  -d, --delete USER             remove USER from GROUP
  -r, --remove-password         remove the GROUP's password
  -R, --restrict                restrict access to GROUP to its members
  -M, --members USER,...        set the list of members of GROUP
  -A, --administrators ADMIN,...
                                set the list of administrators for GROUP
Except for the -A and -M options, the options cannot be combined.


[root@server1 Desktop]# usermod --usage
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user            new SELinux user mapping for the user account


[root@server1 Desktop]# groupmod --usage
groupmod: unrecognized option '--usage'
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      change the name to NEW_GROUP
  -o, --non-unique              allow to use a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted)
                                PASSWORD


[root@server1 Desktop]# id --help
Usage: id [OPTION]... [USERNAME]
Print user and group information for the specified USERNAME,
or (when USERNAME omitted) for the current user.

  -a              ignore, for compatibility with other versions
  -Z, --context   print only the security context of the current user
  -g, --group     print only the effective group ID
  -G, --groups    print all group IDs
  -n, --name      print a name instead of a number, for -ugG
  -r, --real      print the real ID instead of the effective ID, with -ugG
  -u, --user      print only the effective user ID
      --help     display this help and exit
      --version  output version information and exit


[root@server1 Desktop]# chsh --usage
chsh: unrecognized option '--usage'
Usage: chsh [ -s shell ] [ --list-shells ] [ --help ] [ --version ]
       [ username ]


[root@server1 Desktop]# chage --usage
chage: unrecognized option '--usage'
Usage: chage [options] [LOGIN]

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS



User and Groups Management Examples

1.      Create two user accounts and set their passwords

[root@server1 ~]# useradd -c "R.B. Senthil Babu" senthil

[root@server1 ~]# passwd senthil
Changing password for user senthil.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

[root@server1 ~]# useradd -c "T.V. RAVI KUMAR" ravi

[root@server1 ~]# passwd ravi
Changing password for user ravi.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

2.      Create two groups and set their passwords

[root@server1 ~]# groupadd skylark
[root@server1 ~]# groupadd cordia

[root@server1 ~]# gpasswd skylark
Changing the password for group skylark
New Password:
Re-enter new password:

[root@server1 ~]# gpasswd cordia
Changing the password for group cordia
New Password:
Re-enter new password:

3.      Delete (remove) a user's password (the account can then be entered without a password, as the su session below shows)

[root@server1 ~]# passwd -d senthil
Removing password for user senthil.
passwd: Success

[root@server1 ~]# su - ravi

[ravi@server1 ~]$ su - senthil

[senthil@server1 ~]$ su - ravi
Password:

[ravi@server1 ~]$ logout
[senthil@server1 ~]$ logout
[ravi@server1 ~]$ logout

4.      Remove the group password

[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:$6$ECeZYcwRCL/Je$ugbDKhVRsxf2t3wY1swVR6aCnjKvN2nnvJsmBwl28uNqBofoOT.EyO9k3bYdeU1DrH2D3WcHBJbC6/ILjbweQ/::

[root@server1 ~]# gpasswd -r skylark

[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:::

5.      Lock and unlock user login password

First to check the status

[root@server1 Desktop]# passwd -S senthil
senthil PS 2012-10-01 0 99999 7 -1 (Password set, SHA512 crypt.)

[root@server1 Desktop]# passwd -l senthil     or         usermod -L senthil
Locking password for user senthil.
passwd: Success

[root@server1 Desktop]# su - ravi
[ravi@server1 ~]$ su - senthil
Password:
su: incorrect password

[root@server1 Desktop]# passwd -u senthil
Unlocking password for user senthil.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)

[root@server1 Desktop]# passwd -fu senthil or           usermod -U senthil
Unlocking password for user senthil.
passwd: Success

[root@server1 Desktop]# su - ravi
[ravi@server1 ~]$ su - senthil
[senthil@server1 ~]$

Or

[root@server1 Desktop]# passwd senthil
[root@server1 Desktop]# passwd ravi

[root@server1 Desktop]# usermod -L senthil

[root@server1 Desktop]# su - ravi
[ravi@server1 ~]$ su - senthil
Password:
su: incorrect password

[ravi@server1 ~]$ logout

[root@server1 Desktop]# usermod -U senthil

[root@server1 Desktop]# su - ravi
[ravi@server1 ~]$ su - senthil
Password:
[senthil@server1 ~]$ logout
[ravi@server1 ~]$ logout

6.      Delete the users and the groups

[root@server1 Desktop]# userdel -rf senthil
[root@server1 Desktop]# userdel -rf ravi

[root@server1 Desktop]# groupdel cordia
[root@server1 Desktop]# groupdel skylark

7.      To change the username "senthil" to "babu" and the group name "rooman" to "skylark"

[root@server1 ~]# usermod -l babu senthil
[root@server1 ~]# groupmod -n skylark rooman

[root@server1 ~]# grep -i "senthil" /etc/passwd
babu:x:500:500::/home/senthil:/bin/bash

[root@server1 ~]# grep -i "skylark" /etc/group
skylark:x:501:

8.      Add user "senthil" to the primary group "skylark"
Add user "babu" to the primary and secondary groups "skylark" and "cordia"

[root@server1 Desktop]# usermod -g skylark senthil
[root@server1 Desktop]# usermod -G cordia babu
[root@server1 Desktop]# usermod -G cordia,skylark babu

9.      To check the user ID (UID) and group ID (GID), then change them.

The RHEL default starts at 500 and the maximum limit is 65534.
[root@server1 Desktop]# id senthil
uid=500(senthil) gid=502(skylark) groups=502(skylark)

[root@server1 Desktop]# id babu
uid=501(babu) gid=501(babu) groups=501(babu),502(skylark),503(cordia)

[root@server1 Desktop]# usermod -u 700 senthil
[root@server1 Desktop]# usermod -u 701 babu

[root@server1 Desktop]# groupmod -g 900 skylark
[root@server1 Desktop]# groupmod -g 901 cordia

[root@server1 Desktop]# id senthil
uid=700(senthil) gid=900(skylark) groups=900(skylark)

[root@server1 Desktop]# id babu
uid=701(babu) gid=501(babu) groups=501(babu),900(skylark),901(cordia)

[root@server1 Desktop]# groupmod -g 701 babu

[root@server1 Desktop]# id babu
uid=701(babu) gid=701(babu) groups=701(babu),900(skylark),901(cordia)

10.  Remove user from group

[root@server1 /]# usermod -g skylark senthil
[root@server1 /]# usermod -G skylark,cordia babu

[root@server1 /]# id senthil
uid=502(senthil) gid=504(skylark) groups=504(skylark)

[root@server1 /]# id babu
uid=503(babu) gid=503(babu) groups=503(babu),504(skylark),505(cordia)

[root@server1 /]# gpasswd -d senthil skylark
Removing user senthil from group skylark
gpasswd: user 'senthil' is not a member of 'skylark'

[root@server1 /]# gpasswd -d babu skylark
Removing user babu from group skylark

[root@server1 /]# gpasswd -d babu cordia
Removing user babu from group cordia

[root@server1 /]# id babu
uid=503(babu) gid=503(babu) groups=503(babu)

11.  Move the contents of the home directory of user "senthil" to a new location

[root@server1 ~]# ls -l /home/
total 4
drwx------. 4 senthil senthil 4096 Jul 25 09:51 senthil

[root@server1 ~]# mkdir /newhome

[root@server1 ~]# usermod -m -d /newhome/senthil senthil

[root@server1 ~]# ls -l /home
total 0



[root@server1 ~]# ls -l /newhome/
total 4
drwx------. 4 senthil senthil 4096 Jul 25 09:51 senthil

12.  To create a user without a home directory and change the shell so that the user cannot log in

[root@server1 ~]# useradd -M ftpuser
[root@server1 ~]# ls -l /home/
total 0

[root@server1 ~]# passwd ftpuser
[root@server1 ~]# su - ftpuser
su: warning: cannot change directory to /home/ftpuser: No such file or directory

-bash-4.1$ echo $SHELL
/bin/bash

[root@server1 ~]# chsh -l                   (to list the valid shells)
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh

[root@server1 ~]# chsh -s /sbin/nologin ftpuser
Changing shell for ftpuser.
Shell changed.

[root@server1 ~]# su - ftpuser
su: warning: cannot change directory to /home/ftpuser: No such file or directory
This account is currently not available.

13.  Create a user without a group of the same name as the user

[root@server1 /]# useradd -N senthil; passwd senthil;id senthil
Changing password for user senthil.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
uid=502(senthil) gid=100(users) groups=100(users)

14.  Command to check that the /etc/passwd and /etc/shadow files have the proper format and contain valid data.

[root@server1 Desktop]# pwck
user 'adm': directory '/var/adm' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'gopher': directory '/var/gopher' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'pulse': directory '/var/run/pulse' does not exist
user 'saslauth': directory '/var/empty/saslauth' does not exist
pwck: no changes



pwck [options]
-q         –           report errors only
-r          –           read only mode
-s         –           sort entries in /etc/passwd and /etc/shadow by UID
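pwck checks the account files for exactly the kinds of inconsistency an administrator cares about: malformed records, duplicate UIDs, users with no shadow entry and primary groups that do not exist. The script below is an added example written for these notes (not part of the original and not pwck's own code): it implements those four checks with awk against constructed copies of /etc/passwd, /etc/shadow and /etc/group so that it runs offline. The user names, the broken records and the placeholder hashes are all constructed for the example; on a real host pass the live files instead.

```shell
#!/bin/sh
# Added example, not part of the original notes: a small consistency check in
# the spirit of pwck, run against constructed sample copies of the account files.

PWFILE=$(mktemp); SHFILE=$(mktemp); GRFILE=$(mktemp)
trap 'rm -f "$PWFILE" "$SHFILE" "$GRFILE"' EXIT

# Constructed passwd: "kumar" reuses UID 500, "babu" points at primary GID 700
# which is defined nowhere, "ghost" has no shadow record, and the last line
# is malformed (five fields instead of seven).
cat > "$PWFILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
senthil:x:500:500:R.B. SENTHIL BABU:/home/senthil:/bin/bash
babu:x:501:700::/home/babu:/bin/bash
kumar:x:500:502::/home/kumar:/bin/bash
ghost:x:503:503::/home/ghost:/bin/bash
broken:x:504:504:/home/broken
EOF

# Constructed shadow (placeholder hashes); "ghost" is deliberately missing.
cat > "$SHFILE" <<'EOF'
root:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
senthil:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
babu:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
kumar:$6$PLACEHOLDER$HASH:15545:0:99999:7:::
EOF

# Constructed group file: no GID 700 anywhere.
cat > "$GRFILE" <<'EOF'
root:x:0:
senthil:x:500:
babu:x:501:
kumar:x:502:
ghost:x:503:
EOF

# Records whose field count is not N (7 for passwd, 9 for shadow, 4 for group).
malformed_records() {  # FILE N
    awk -F: -v n="$2" 'NF != n { print $1 }' "$1"
}

# UIDs used by more than one well-formed passwd record.
duplicate_uids() {  # PASSWD_FILE
    awk -F: 'NF == 7 { seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "$1"
}

# passwd users with no matching line in shadow (shadow is read first, then passwd).
users_without_shadow() {  # PASSWD_FILE SHADOW_FILE
    awk -F: 'NR == FNR { s[$1] = 1; next } NF == 7 && !($1 in s) { print $1 }' "$2" "$1"
}

# passwd users whose primary GID (field 4) is not defined in group (field 3).
missing_primary_groups() {  # PASSWD_FILE GROUP_FILE
    awk -F: 'NR == FNR { g[$3] = 1; next } NF == 7 && !($4 in g) { print $1 ":" $4 }' "$2" "$1"
}

consistency_report() {  # PASSWD_FILE SHADOW_FILE GROUP_FILE
    echo "malformed passwd lines : $(malformed_records "$1" 7 | tr '\n' ' ')"
    echo "malformed shadow lines : $(malformed_records "$2" 9 | tr '\n' ' ')"
    echo "duplicate UIDs         : $(duplicate_uids "$1" | tr '\n' ' ')"
    echo "no shadow entry        : $(users_without_shadow "$1" "$2" | tr '\n' ' ')"
    echo "primary GID undefined  : $(missing_primary_groups "$1" "$3" | tr '\n' ' ')"
}

consistency_report "$PWFILE" "$SHFILE" "$GRFILE"
```

The two-file awk idiom (NR == FNR while reading the first file) builds a lookup table from shadow or group before walking passwd, which is all pwck needs for these cross-file checks; the home-directory check pwck also performs is left out because the sample users have no real directories.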

15.  To show the default options for user creation and how to change them

[root@server1 Desktop]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

[root@server1 Desktop]# mkdir /changehome

[root@server1 Desktop]# chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh

[root@server1 Desktop]# useradd -D -b /changehome/           [change default home directory]
[root@server1 Desktop]# useradd -D -s /bin/sh                       [change default shell]

[root@server1 ~]# useradd -D
GROUP=100
HOME=/changehome/
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

[root@server1 ~]# useradd redhat
[root@server1 ~]# ls /changehome/
redhat

[root@server1 ~]# su redhat
sh-4.1$ echo $SHELL
/bin/sh
sh-4.1$

16.  Bulk user and group creation using a for loop

[root@server1 Desktop]# for USER in ravi mani anbu
> do
> useradd $USER
> echo "password" | passwd --stdin $USER
> done
Changing password for user ravi.
passwd: all authentication tokens updated successfully.
Changing password for user mani.
passwd: all authentication tokens updated successfully.
Changing password for user anbu.
passwd: all authentication tokens updated successfully.

[root@server1 Desktop]# for GROUP in skylark cordia
> do
> groupadd $GROUP
> done

17.  Manage Linux password expiration and aging using the "chage" command.

List the password and its related details for a user

[root@server1 Desktop]# chage -l ravi
Last password change                                                              : Jul 26, 2012
Password expires                                                                     : never
Password inactive                                                                    : never
Account expires                                                                       : never
Minimum number of days between password change             : 0
Maximum number of days between password change             : 99999
Number of days of warning before password expires             : 7

Set the password for ravi to expire 10 days after the last password change.

[root@server1 Desktop]# chage -M 10 ravi
[root@server1 Desktop]# chage -l ravi
Last password change                                                              : Jul 26, 2012
Password expires                                                                     : Aug 05, 2012
Password inactive                                                                    : never
Account expires                                                                       : never
Minimum number of days between password change             : 0
Maximum number of days between password change             : 10
Number of days of warning before password expires             : 7

Set the account expiry date for a user

[root@server1 Desktop]# chage -E 2012-08-06 ravi
[root@server1 Desktop]# chage -l ravi
Last password change                                                              : Jul 26, 2012
Password expires                                                                     : Aug 05, 2012
Password inactive                                                                    : never
Account expires                                                                       : Aug 06, 2012
Minimum number of days between password change             : 0
Maximum number of days between password change             : 10
Number of days of warning before password expires             : 7

Set the account password inactive x number of days

[root@server1 Desktop]# chage -M 10 ravi
[root@server1 Desktop]# chage -l ravi
Last password change                                                              : Jul 26, 2012
Password expires                                                                     : Aug 05, 2012
Password inactive                                                                    : Aug 15, 2012
Account expires                                                                       : never
Minimum number of days between password change             : 0
Maximum number of days between password change             : 10
Number of days of warning before password expires             : 7
Reset all of these to the defaults (no maximum age, no inactive period, no account expiry)

[root@server1 Desktop]# chage -m 0 -M 99999 -I -1 -E -1 ravi

[root@server1 Desktop]# chage -l ravi
Last password change                                                              : Jul 26, 2012
Password expires                                                                     : never
Password inactive                                                                    : never
Account expires                                                                                   : never
Minimum number of days between password change             : 0
Maximum number of days between password change             : 99999
Number of days of warning before password expires             : 7
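All of these options only write day counts into /etc/shadow (lastchg, max, inact and expire, measured in days since 1970-01-01), and chage -l converts them back into dates. The Python script below is an added example, not part of the original notes: it reads constructed /etc/shadow lines (placeholder hashes, ageing fields matching the ravi session above), derives the same dates chage -l prints, and flags the two findings an account audit looks for, passwords with no maximum age and accounts already past their expiry. The 10000-day cut-off is the value chage uses before it prints "never"; treating the boundary day as already expired follows shadow-utils' isexpired() check.

```python
"""Derive a `chage -l` style report from /etc/shadow fields.

Added example, not part of the original notes. It parses constructed
/etc/shadow lines (the password hashes are placeholders) and reproduces the
dates chage -l prints, plus the findings an account audit looks for.
shadow(5) field order: name:hash:lastchg:min:max:warn:inactive:expire:flag.
Every day count is days since 1970-01-01 and an empty field means unset.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# chage prints "never" for maximum ages of 10000 days or more; useradd's default is 99999.
NEVER_THRESHOLD = 10000


def to_days(d):
    """date -> days since the epoch, the unit /etc/shadow stores."""
    return (d - EPOCH).days


def to_date(days):
    """days since the epoch -> date."""
    return EPOCH + timedelta(days=days)


def _field(value):
    """Empty ageing fields come back as -1, the convention getspnam(3) uses."""
    return int(value) if value != "" else -1


def shadow_status(line, today):
    """Return a dict mirroring `chage -l` for one /etc/shadow line.

    today is an ISO date string (e.g. "2012-08-10") against which the
    lockout and expiry findings are judged; the boundary day already counts
    as expired, as shadow-utils' isexpired() treats it.
    """
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow line: %r" % line)
    today = date.fromisoformat(today)
    lastchg, mindays, maxdays, warndays = (_field(x) for x in f[2:6])
    inactive, expire = _field(f[6]), _field(f[7])

    # Password expires = last change + max age, unless there is no max age
    # (-1 or 99999) or the password has never been changed (lastchg <= 0).
    pw_expires = None
    if lastchg > 0 and 0 <= maxdays < NEVER_THRESHOLD:
        pw_expires = to_date(lastchg + maxdays)
    # Password inactive (chage -I) = expiry + grace days; the account is then locked.
    pw_inactive = None
    if pw_expires is not None and inactive >= 0:
        pw_inactive = pw_expires + timedelta(days=inactive)
    # Account expiry (chage -E) is an absolute date, independent of the password.
    acct_expires = to_date(expire) if expire >= 0 else None

    return {
        "user": f[0],
        "last_change": to_date(lastchg) if lastchg > 0 else None,
        "must_change": lastchg == 0,  # chage -d 0: password change forced at next login
        "password_expires": pw_expires,
        "password_inactive": pw_inactive,
        "account_expires": acct_expires,
        "min_days": mindays,
        "max_days": maxdays,
        "warn_days": warndays,
        # audit findings
        "never_expires": not (0 <= maxdays < NEVER_THRESHOLD),
        "password_locked_out": pw_inactive is not None and today >= pw_inactive,
        "account_expired": acct_expires is not None and today >= acct_expires,
    }


def audit(lines, today):
    """Run shadow_status over many lines; returns {user: status}."""
    return {s["user"]: s for s in (shadow_status(l, today) for l in lines)}


# Constructed sample lines, all with a last change of Jul 26, 2012:
#   ravi  - after `chage -M 10 -I 10 ravi`
#   babu  - useradd defaults (max 99999): password never expires
#   kumar - after `chage -E 2012-08-06 kumar`
_JUL26 = to_days(date(2012, 7, 26))
SAMPLE_SHADOW = [
    "ravi:$6$placeholder$hash:%d:0:10:7:10::" % _JUL26,
    "babu:$6$placeholder$hash:%d:0:99999:7:::" % _JUL26,
    "kumar:$6$placeholder$hash:%d:0:99999:7::%d:" % (_JUL26, to_days(date(2012, 8, 6))),
]

if __name__ == "__main__":
    for user, s in audit(SAMPLE_SHADOW, "2012-08-10").items():
        fmt = lambda d: d.strftime("%b %d, %Y") if d else "never"
        print("%-6s expires %-12s inactive %-12s account %-12s never_expires=%s"
              % (user, fmt(s["password_expires"]), fmt(s["password_inactive"]),
                 fmt(s["account_expires"]), s["never_expires"]))
```

Run it against a real /etc/shadow by feeding the file's lines to audit(); every account reported with never_expires=True is one that chage -M has never been applied to.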

18.  How to add users in bulk using the "newusers" command

[root@server1 Desktop]# touch adduser.txt                [create a text file]

[root@server1 Desktop]# vim adduser.txt                   [one line per user in /etc/passwd format; field 2 holds the cleartext initial password]
babu:password:501:501::/home/babu:/bin/bash
kumar:password:502:502::/home/kumar:/bin/bash

:wq!

[root@server1 Desktop]# newusers adduser.txt           [creates the accounts and home directories and sets the passwords; because the file contains cleartext passwords, keep it mode 0600 and delete it once newusers has run, and do not give every account the same password as this sample does]

[root@server1 Desktop]# ls /home/
babu  kumar  senthil
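Because newusers takes the initial password in cleartext, writing the input file by hand with one shared password (as in the sample above) is the weak point of this procedure. The script below is an added example, not from the original notes: it builds the newusers lines with a per-account random password, refuses logins or UIDs that already exist, and writes the file mode 0600 without overwriting anything. The /etc/passwd excerpt and the requested accounts are constructed for the example.

```python
"""Generate a newusers(8) input file without a shared cleartext password.

Added example, not part of the original notes. newusers reads lines in
/etc/passwd format whose second field is the cleartext initial password,
so the file must never reuse one password for everyone, must be written
mode 0600 and must be removed after newusers has consumed it. This script
draws a random password per account and refuses logins or UIDs that
already exist. The passwd excerpt and the requested accounts are constructed.
"""
import os
import re
import secrets
import string

LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # conservative login-name rule
ALPHABET = string.ascii_letters + string.digits

# constructed /etc/passwd excerpt: two system accounts and one existing user
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
senthil:x:500:500::/home/senthil:/bin/bash
"""

# (login, uid, gid, home, shell): the two users from the notes above
REQUESTED = [
    ("babu", 501, 501, "/home/babu", "/bin/bash"),
    ("kumar", 502, 502, "/home/kumar", "/bin/bash"),
]


def existing_accounts(passwd_text):
    """Return (logins, uids) present in passwd-format text."""
    logins, uids = set(), set()
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        logins.add(f[0])
        uids.add(int(f[2]))
    return logins, uids


def random_password(length=16):
    """Per-user initial password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_newusers(requested, passwd_text):
    """Return (newusers_lines, {login: password}); raise ValueError on any clash."""
    logins, uids = existing_accounts(passwd_text)
    lines, creds = [], {}
    for login, uid, gid, home, shell in requested:
        if not LOGIN_RE.match(login):
            raise ValueError("invalid login name: %r" % login)
        if login in logins or login in creds:
            raise ValueError("login already exists: %s" % login)
        if uid in uids:
            raise ValueError("uid %d already in use (%s)" % (uid, login))
        if any(":" in s for s in (home, shell)):
            raise ValueError("field separator in path for %s" % login)
        uids.add(uid)                       # also catches duplicate UIDs within the request
        creds[login] = random_password()
        lines.append("%s:%s:%d:%d::%s:%s" % (login, creds[login], uid, gid, home, shell))
    return lines, creds


def write_input(path, lines):
    """Create the file 0600 and refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    lines, creds = build_newusers(REQUESTED, SAMPLE_PASSWD)
    write_input("adduser.txt", lines)
    # hand these out of band, then: newusers adduser.txt && shred -u adduser.txt
    for login, pw in creds.items():
        print(login, pw)
```

On a real system replace SAMPLE_PASSWD with the contents of /etc/passwd; the UID check is what prevents newusers from silently creating a second account that shares a UID with, and therefore owns the files of, an existing one.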

19.  Groupmems command examples

#groupmems [options] [action]
[options]
-g groupname

[action]
-a add username
-d delete username
-l list
-p purge all members from the group

[root@server1 Desktop]# groupmems -g ibm -a senthil
[root@server1 Desktop]# groupmems -g ibm -a kumar

[root@server1 Desktop]# groupmems -g ibm -l
babu  senthil  kumar



ACL

Access Control List

[root@server1 Desktop]# for USER in senthil babu ravi
> do
> useradd $USER
> echo "password" | passwd --stdin $USER
> done
Changing password for user senthil.
passwd: all authentication tokens updated successfully.
Changing password for user babu.
passwd: all authentication tokens updated successfully.
Changing password for user ravi.
passwd: all authentication tokens updated successfully.

[root@server1 Desktop]# groupadd skylark

[root@server1 Desktop]# for USER in senthil babu ravi
> do
> usermod -aG skylark $USER
> done                                                    [-a appends; without it -G replaces the user's existing supplementary groups]

[root@server1 Desktop]# id senthil
uid=500(senthil) gid=500(senthil) groups=500(senthil),503(skylark)

[root@server1 Desktop]# id babu
uid=501(babu) gid=501(babu) groups=501(babu),503(skylark)

[root@server1 Desktop]# id ravi
uid=502(ravi) gid=502(ravi) groups=502(ravi),503(skylark)

[root@server1 Desktop]# mkdir /example

[root@server1 Desktop]# chown senthil:skylark /example

[root@server1 Desktop]# ls -ld /example
drwxr-xr-x. 2 senthil skylark 4096 Aug  3 12:34 /example

[root@server1 Desktop]# su - senthil

[senthil@server1 ~]$ cd /example/

[senthil@server1 example]$ mkdir account

[senthil@server1 example]$ ll
total 4
drwxrwxr-x. 2 senthil senthil 4096 Aug  3 12:36 account

[senthil@server1 example]$ getfacl account
# file: account
# owner: senthil
# group: senthil
user::rwx
group::rwx
other::r-x

[senthil@server1 example]$ setfacl -m u:ravi:rwx account
[senthil@server1 example]$ setfacl -m g:skylark:r-x account
[senthil@server1 example]$ setfacl -m o:--- account

[senthil@server1 example]$ getfacl account
# file: account
# owner: senthil
# group: senthil
user::rwx
user:ravi:rwx
group::rwx
group:skylark:r-x
mask::rwx
other::---

[setfacl created the mask entry automatically. The mask caps the named user (ravi) and every group entry; if it is later tightened, for example by chmod g-w account, getfacl marks those entries with "#effective:" and ravi loses write access even though user:ravi:rwx is still listed.]

[senthil@server1 example]$ su - ravi
Password:

[ravi@server1 ~]$ cd /example/
[ravi@server1 example]$ cd account/
[ravi@server1 account]$ touch test                       [ravi has rwx through the named-user entry]
[ravi@server1 account]$ ll
total 0
-rw-rw-r--. 1 ravi ravi 0 Aug  3 12:39 test

[ravi@server1 account]$ su - babu
Password:
[babu@server1 ~]$ cd /example/account/
[babu@server1 account]$ touch babutest
touch: cannot touch `babutest': Permission denied        [babu is in skylark, whose entry is r-x: he can enter and list but not create]
[babu@server1 account]$ ll
total 0
-rw-rw-r--. 1 ravi ravi 0 Aug  3 12:39 test
[babu@server1 account]$ logout
[ravi@server1 account]$ logout
[senthil@server1 example]$ logout

[root@server1 Desktop]# useradd kumar; passwd kumar
Changing password for user kumar.
New password:
BAD PASSWORD: it is based on a dictionary word           [for root this is only a warning; the password is set anyway]
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server1 Desktop]# su - kumar
[kumar@server1 ~]$ cd /example/account/
-bash: cd: /example/account/: Permission denied          [kumar is neither the owner, a named user nor a member of skylark, so other::--- applies and he cannot even enter the directory]
[kumar@server1 ~]$ logout
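The four outcomes above (senthil, ravi, babu, kumar) follow from the order in which acl(5) evaluates entries, and from the mask. The script below is an added example, not part of the original notes: it parses getfacl output (the listing of /example/account from the session above, embedded as a constructed string), applies the mask to the named-user and group entries the way the kernel does, and walks owner, named user, owning group and named groups, then other. GROUPS_OF is a constructed membership table matching the id output above.

```python
"""Apply the acl(5) access-check algorithm to getfacl output.

Added example, not part of the original notes. The getfacl text is the
listing of /example/account from the session above, embedded as a
constructed string, and GROUPS_OF is a constructed membership table
matching the id output above. acl_check() walks the entries in the order
the kernel does: owner, then a matching named user, then the owning group
and named groups, then other; named-user and all group entries are ANDed
with the mask first, which is why getfacl annotates them with "#effective:"
when the mask is tighter than the entry.
"""

GETFACL_ACCOUNT = """\
# file: account
# owner: senthil
# group: senthil
user::rwx
user:ravi:rwx
group::rwx
group:skylark:r-x
mask::rwx
other::---
"""

GROUPS_OF = {
    "senthil": {"senthil", "skylark"},
    "babu": {"babu", "skylark"},
    "ravi": {"ravi", "skylark"},
    "kumar": {"kumar"},
}


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()   # drop getfacl's annotation, if any
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                owner = value.strip()
            elif key.strip() == "group":
                group = value.strip()
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, frozenset(perms) & frozenset("rwx")))
    if owner is None or group is None:
        raise ValueError("getfacl header lacks owner/group")
    return owner, group, entries


def effective(entries):
    """Entries with the mask applied to named users and every group entry."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    out = []
    for t, q, p in entries:
        limited = (t == "user" and q != "") or t == "group"
        out.append((t, q, p & mask if (limited and mask is not None) else p))
    return out


def acl_check(getfacl_text, user, want, groups_of=GROUPS_OF):
    """True if `user` may exercise all permissions in `want` (a subset of "rwx")."""
    owner, owning_group, entries = parse_getfacl(getfacl_text)
    want = frozenset(want)
    eff = effective(entries)
    member_of = groups_of.get(user, set())
    if user == owner:                                  # 1. ACL_USER_OBJ, not masked
        return want <= next(p for t, q, p in eff if t == "user" and q == "")
    for t, q, p in eff:                                # 2. ACL_USER for this user
        if t == "user" and q == user:
            return want <= p
    matched = False                                    # 3. ACL_GROUP_OBJ / ACL_GROUP
    for t, q, p in eff:
        if t == "group" and (q in member_of or (q == "" and owning_group in member_of)):
            matched = True
            if want <= p:                              # any matching group entry suffices
                return True
    if matched:
        return False                                   # in a matching group, but none grants it
    return want <= next(p for t, q, p in eff if t == "other")   # 4. ACL_OTHER


if __name__ == "__main__":
    # creating a file needs w+x on the directory, listing needs r+x, entering needs x
    for user, want in (("senthil", "rwx"), ("ravi", "wx"), ("babu", "wx"), ("babu", "rx"), ("kumar", "x")):
        print("%-8s %-3s -> %s" % (user, want, "allowed" if acl_check(GETFACL_ACCOUNT, user, want) else "denied"))
```

Tighten the mask to r-x (what chmod g-w account would do) and ravi's request for wx is denied although user:ravi:rwx is unchanged; checking the effective entries, not the listed ones, is what matters when reviewing a named-user grant.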










RHCE Linux – nologin file in etc directory and securetty file

You are the administrator of the example.com domain. Configure the server so that all normal users are denied local login, and root can log in only on the first terminal (tty1).

First log in as root and run these commands:

[root@server1 Desktop]# touch /etc/nologin            [while this file exists pam_nologin refuses every non-root login and shows the file's contents to the user, so a one-line reason can be written into it; delete the file to re-enable logins]

[root@server1 Desktop]# vim /etc/securetty            [pam_securetty allows root to log in only on the terminals listed here; comment out every tty except tty1. The vc/N lines are older names for the same virtual consoles and can be commented out as well. This only affects services whose PAM stack includes pam_securetty, such as console login; root access over SSH is controlled separately by PermitRootLogin in sshd_config]
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11

:wq!

[root@server1 Desktop]# useradd senthil
[root@server1 Desktop]# echo "redhat" | passwd --stdin senthil

[root@server1 Desktop]# init 3                          [switch to text mode so the test is done at the virtual consoles]

Test: press Alt+F2 to reach tty2. root is refused there because tty2 is no longer listed in /etc/securetty, and senthil is refused on every terminal while /etc/nologin exists. Root login on tty1 (Alt+F1) still works.
