5.2 Creating Users and Groups

Introduction

Managing users and groups on a Linux machine is one of the key aspects of system administration. In fact, Linux is a multi-user operating system in which multiple users can use the same machine at the same time.

Information about users and groups is stored in four files within the /etc/ directory tree:

/etc/passwd
    a file of seven colon-delimited fields containing basic information about users

/etc/group
    a file of four colon-delimited fields containing basic information about groups

/etc/shadow
    a file of nine colon-delimited fields containing encrypted user passwords

/etc/gshadow
    a file of four colon-delimited fields containing encrypted group passwords

All of these files are updated by a suite of command-line tools for user and group management, which we’ll discuss later in this lesson. They can also be managed by graphical applications, specific to each Linux distribution, which provide simpler and more immediate management interfaces.

Warning: Even though the files are plain text, do not edit them directly. Always use the tools provided with your distribution for this purpose.

The File /etc/passwd

/etc/passwd is a world-readable file that contains a list of users, each on a separate line:

frank:x:1001:1001::/home/frank:/bin/bash

Each line consists of seven colon-delimited fields:

Username
    The name used when the user logs into the system.

Password
    The encrypted password (or an x if shadow passwords are used).

User ID (UID)
    The ID number assigned to the user in the system.

Group ID (GID)
    The primary group number of the user in the system.

GECOS
    An optional comment field, which is used to add extra information about the user (such as the full name). The field can contain multiple comma-separated entries.

Home directory
    The absolute path of the user’s home directory.

Shell
    The absolute path of the program that is automatically launched when the user logs into the system (usually an interactive shell such as /bin/bash).

The File /etc/group

/etc/group is a world-readable file that contains a list of groups, each on a separate line:

developer:x:1002:

Each line consists of four colon-delimited fields:

Group Name
    The name of the group.

Group Password
    The encrypted password of the group (or an x if shadow passwords are used).

Group ID (GID)
    The ID number assigned to the group in the system.

Member list
    A comma-delimited list of users belonging to the group, except those for whom this is the primary group.

The File /etc/shadow

/etc/shadow is a file readable only by root and users with root privileges and contains the encrypted passwords of the users, each on a separate line:

frank:$6$i9gjM4Md4MuelZCd$7jJa8Cd2bbADFH4dwtfvTvJLOYCCCBf/.jYbK1IMYx7Wh4fErXcc2xQVU2N1gb97yIYaiqH.jjJammzof2Jfr/:18029:0:99999:7:::

Each line consists of nine colon-delimited fields:

Username
    The name used when the user logs into the system.

Encrypted password
    The encrypted password of the user (if the value is !, the account is locked).

Date of last password change
    The date of the last password change, as number of days since 01/01/1970. A value of 0 means that the user must change the password at the next access.

Minimum password age
    The minimum number of days, after a password change, which must pass before the user will be allowed to change the password again.

Maximum password age
    The maximum number of days that must pass before a password change is required.

Password warning period
    The number of days, before the password expires, during which the user is warned that the password must be changed.

Password inactivity period
    The number of days after a password expires during which the user should update the password. After this period, if the user does not change the password, the account will be disabled.

Account expiration date
    The date, as number of days since 01/01/1970, on which the user account will be disabled. An empty field means that the user account will never expire.

A reserved field
    A field that is reserved for future use.

The File /etc/gshadow

/etc/gshadow is a file readable only by root and by users with root privileges that contains encrypted passwords for groups, each on a separate line:

developer:$6$7QUIhUX1WdO6$H7kOYgsboLkDseFHpk04lwAtweSUQHipoxIgo83QNDxYtYwgmZTCU0qSCuCkErmyR263rvHiLctZVDR7Ya9Ai1::

Each line consists of four colon-delimited fields:

Group name
    The name of the group.

Encrypted password
    The encrypted password for the group (it is used when a user who is not a member of the group wants to join the group using the newgrp command; if the password starts with !, no one is allowed to access the group with newgrp).

Group administrators
    A comma-delimited list of the administrators of the group (they can change the password of the group and can add or remove group members with the gpasswd command).

Group members
    A comma-delimited list of the members of the group.

Now that we’ve seen where user and group information is stored, let’s talk about the most important command-line tools to update these files.

Adding and Deleting User Accounts

In Linux, you add a new user account with the useradd command, and you delete a user account with the userdel command.

If you want to create a new user account named frank with a default setting, you can run the following:

# useradd frank

After creating the new user, you can set a password using passwd:

# passwd frank
Changing password for user frank.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Both of these commands require root authority. When you run the useradd command, the user and group information stored in password and group databases are updated for the newly created user account and, if specified, the home directory of the new user is created as well as a group with the same name as the user account.

Tip: Remember that you can always use the grep utility to filter the password and group databases, displaying only the entry that refers to a specific user or group. For the above example you can use cat /etc/passwd | grep frank or grep frank /etc/passwd to see basic information on the newly created frank account.

The most important options which apply to the useradd command are:

-c
    Create a new user account with custom comments (for example full name).

-d
    Create a new user account with a custom home directory.

-e
    Create a new user account by setting a specific date on which it will be disabled.

-f
    Create a new user account by setting the number of days after the password expires during which the user should update the password.

-g
    Create a new user account with a specific GID.

-G
    Create a new user account by adding it to multiple secondary groups.

-m
    Create a new user account with its home directory.

-M
    Create a new user account without its home directory.

-s
    Create a new user account with a specific login shell.

-u
    Create a new user account with a specific UID.

Once the new user account is created, you can use the id and groups commands to find out its UID, GID and the groups to which it belongs.

# id frank
uid=1000(frank) gid=1000(frank) groups=1000(frank)
# groups frank
frank : frank

Tip: Remember to check and, if necessary, edit the /etc/login.defs file, which defines the configuration parameters that control the creation of users and groups. For example, you can set the range of UIDs and GIDs that can be assigned to new user and group accounts, specify that you don’t need to use the -m option to create the new user’s home directory, and decide whether the system should automatically create a new group for each new user.
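The login.defs parameters named in the tip decide most of what useradd does when you omit the options. The following Python script is an added example for this lesson, not code from shadow-utils: it reads a login.defs-style excerpt and the current passwd and group databases (all constructed here) and works out the UID, GID, group and home directory that a new account would get, applying the same rules the text states (the primary and secondary groups must already exist, USERGROUPS_ENAB creates a group named after the user, CREATE_HOME or -m populates the home directory from the skeleton). The id-selection rule is an approximation of the real tool's behaviour, and the fallback for USERGROUPS_ENAB=no is simplified to "require -g".

```python
"""Work out what useradd would do for a new account given /etc/login.defs
and the current databases. Added example for this lesson, not shadow-utils
code; the login.defs excerpt and the passwd/group lines are constructed."""

LOGIN_DEFS = """\
# constructed excerpt, in /etc/login.defs syntax
UID_MIN          1000
UID_MAX         60000
GID_MIN          1000
GID_MAX         60000
CREATE_HOME     yes
USERGROUPS_ENAB yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
frank:x:1000:1000::/home/frank:/bin/bash
grace:x:1001:1001::/home/grace:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
frank:x:1000:
grace:x:1001:
developer:x:1002:
"""


def parse_login_defs(text):
    """KEY VALUE lines separated by whitespace; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _column(db_text, col, cast=str):
    """Set of values from one colon-delimited column of a database."""
    return {cast(line.split(":")[col]) for line in db_text.splitlines() if line.strip()}


def next_free_id(used, lo, hi):
    """Highest used id inside [lo, hi] plus one; when that overflows the range,
    fall back to the lowest unused id (approximation of shadow-utils)."""
    in_range = [i for i in used if lo <= i <= hi]
    candidate = max(in_range) + 1 if in_range else lo
    if candidate > hi:
        candidate = next((i for i in range(lo, hi + 1) if i not in used), None)
        if candidate is None:
            raise RuntimeError(f"no free id in {lo}-{hi}")
    return candidate


def plan_useradd(name, conf, passwd_text, group_text, uid=None, gid=None,
                 secondary=(), make_home=False):
    """Return the changes useradd would make. Only -u, -g (numeric GID),
    -G and -m are modelled; everything else follows login.defs."""
    if name in _column(passwd_text, 0):
        raise ValueError(f"user {name} already exists")
    used_uids = _column(passwd_text, 2, int)
    used_gids = _column(group_text, 2, int)
    group_names = _column(group_text, 0)

    if uid is None:
        uid = next_free_id(used_uids, int(conf["UID_MIN"]), int(conf["UID_MAX"]))
    elif uid in used_uids:
        raise ValueError(f"UID {uid} is already in use")

    plan = {"name": name, "uid": uid, "new_group": None}
    if gid is not None:
        # -g: the primary group must exist before useradd runs
        if gid not in used_gids:
            raise ValueError(f"primary group {gid} does not exist")
        plan["gid"] = gid
    elif conf.get("USERGROUPS_ENAB") == "yes":
        # a private group named after the user is created alongside the account
        if name in group_names:
            raise ValueError(f"group {name} already exists")
        plan["gid"] = next_free_id(used_gids, int(conf["GID_MIN"]), int(conf["GID_MAX"]))
        plan["new_group"] = name
    else:
        # simplification: the real tool falls back to /etc/default/useradd here
        raise ValueError("USERGROUPS_ENAB is no: pass -g explicitly")

    # -G: every secondary group must exist too
    missing = [g for g in secondary if g not in group_names]
    if missing:
        raise ValueError(f"secondary groups do not exist: {missing}")
    plan["secondary"] = list(secondary)
    plan["create_home"] = make_home or conf.get("CREATE_HOME") == "yes"
    plan["home"] = f"/home/{name}"
    plan["copy_skel"] = plan["create_home"]  # /etc/skel is copied only when the home is created
    return plan
```

With the constructed data, plan_useradd("dave", ...) picks UID 1002 and GID 1003 (the nobody entry at 65534 lies outside the configured range and is ignored), creates the dave group and schedules /home/dave with the skeleton files, which is exactly the sequence the first explorational exercise asks you to describe.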

If you want to delete a user account, you can use the userdel command. In particular, this command updates the information stored in the account databases, deleting all entries referring to the specified user. The -r option also removes the user’s home directory and all of its contents, along with the user’s mail spool. Other files, located elsewhere, must be searched for and deleted manually.

# userdel -r frank

As before, you need root authority to delete user accounts.

The Skeleton Directory

When you add a new user account, even creating its home directory, the newly created home directory is populated with files and folders that are copied from the skeleton directory (by default /etc/skel). The idea behind this is simple: a system administrator wants to add new users having the same files and directories in their home. Therefore, if you want to customize the files and folders that are created automatically in the home directory of the new user accounts, you must add these new files and folders to the skeleton directory.

Tip: Note that the profile files that are usually found in the skeleton directory are hidden files. Therefore, if you want to list all the files and folders in the skeleton directory, which will be copied to the home dir of the newly created users, you must use the ls -Al command.

Adding and Deleting Groups

As for group management, you can add or delete groups using the groupadd and groupdel commands.

If you want to create a new group named developer, you can run the following command as root:

# groupadd -g 1090 developer

The -g option of this command creates a group with a specific GID.

If you want to delete the developer group, you can run the following:

# groupdel developer

Warning: Remember that when you add a new user account, the primary group and the secondary groups to which it belongs must exist before launching the useradd command. Also, you cannot delete a group if it is the primary group of a user account.

The passwd Command

This command is primarily used to change a user’s password. Any user can change their password, but only root can change any user’s password.

Depending on the passwd option used, you can control specific aspects of password aging:

-d
    Delete the password of a user account (thus disabling the user).

-e
    Force the user account to change the password.

-l
    Lock the user account (the encrypted password is prefixed with an exclamation mark).

-u
    Unlock the user account (it removes the exclamation mark).

-S
    Output information about the password status for a specific account.

These options are available only for root. To see the full list of options, refer to the man pages.

Guided Exercises

  1. For each of the following entries, indicate the file to which it refers:
    • developer:x:1010:frank,grace,dave
    • root:x:0:0:root:/root:/bin/bash
    • henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::
    • henry:x:1000:1000:User Henry:/home/henry:/bin/bash
    • staff:!:dave:carol,emma
  2. Observe the following output to answer the next seven questions:

     # cat /etc/passwd | tail -3
     dave:x:1050:1050:User Dave:/home/dave:/bin/bash
     carol:x:1051:1015:User Carol:/home/carol:/bin/sh
     henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
     # cat /etc/group | tail -3
     web_admin:x:1005:frank,emma
     web_developer:x:1010:grace,kevin,christian
     dave:x:1050:
     # cat /etc/shadow | tail -3
     dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
     carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
     henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
     # cat /etc/gshadow | tail -3
     web_admin:!:frank:frank,emma
     web_developer:!:kevin:grace,kevin,christian
     dave:!::

    • What is the User ID (UID) and Group ID (GID) of carol?
    • What shell is set for dave and henry?
    • What is the name of the primary group of henry?
    • What are the members of the web_developer group? Which of these are group administrators?
    • Which user cannot log into the system?
    • Which user should change the password the next time he will log into the system?
    • How many days must pass before a password change is required for carol?
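The four file formats described earlier in the lesson and the records of exercise 2 are well suited to a small parser, so here is one as an added example for this lesson (it is not code from the lesson or from shadow-utils). The sample records are the constructed ones from exercise 2. Besides splitting the colon-delimited fields with the field counts the lesson gives, it resolves a user's primary group name, reconstructs the full membership of a group (which the member list in /etc/group omits for primary members), recognises locked accounts, and classifies the password-aging state from the /etc/shadow fields on a given day, including the warning period and the inactivity period after expiry.

```python
"""Parse /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow records and
evaluate password-aging state. Added example for this lesson, not part of
shadow-utils; the sample records are the constructed ones from exercise 2."""

# Constructed sample data: the four "tail -3" outputs from guided exercise 2.
PASSWD = """\
dave:x:1050:1050:User Dave:/home/dave:/bin/bash
carol:x:1051:1015:User Carol:/home/carol:/bin/sh
henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
"""
GROUP = """\
web_admin:x:1005:frank,emma
web_developer:x:1010:grace,kevin,christian
dave:x:1050:
"""
SHADOW = """\
dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
"""
GSHADOW = """\
web_admin:!:frank:frank,emma
web_developer:!:kevin:grace,kevin,christian
dave:!::
"""

def _records(text, nfields):
    """Split colon-delimited lines, keyed by the first field. The field count
    is fixed per file (7, 4, 9, 4), so a mismatch means a corrupt line."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        out[fields[0]] = fields
    return out

def _days(value):
    # An empty aging field means "not set", which is different from 0.
    return int(value) if value != "" else None

def parse_passwd(text):
    return {name: {"uid": int(f[2]), "gid": int(f[3]), "gecos": f[4],
                   "home": f[5], "shell": f[6]}
            for name, f in _records(text, 7).items()}

def parse_group(text):
    return {name: {"gid": int(f[2]), "members": [m for m in f[3].split(",") if m]}
            for name, f in _records(text, 4).items()}

def parse_shadow(text):
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    return {name: {"hash": f[1], **{k: _days(v) for k, v in zip(keys, f[2:8])}}
            for name, f in _records(text, 9).items()}

def parse_gshadow(text):
    return {name: {"hash": f[1], "admins": [a for a in f[2].split(",") if a],
                   "members": [m for m in f[3].split(",") if m]}
            for name, f in _records(text, 4).items()}

def primary_group_name(user, passwd, groups):
    """Resolve the GID in /etc/passwd to a name in /etc/group (None if dangling)."""
    gid = passwd[user]["gid"]
    return next((g for g, rec in groups.items() if rec["gid"] == gid), None)

def all_members(gname, passwd, groups):
    """Listed members plus users whose primary group this is."""
    members = list(groups[gname]["members"])
    gid = groups[gname]["gid"]
    members += sorted(u for u, rec in passwd.items()
                      if rec["gid"] == gid and u not in members)
    return members

def is_locked(rec):
    # passwd -l prefixes the hash with '!'; a bare '!' or '*' also blocks password login.
    return rec["hash"].startswith("!") or rec["hash"] == "*"

def password_state(rec, today):
    """Classify one shadow record relative to `today` (days since 1970-01-01)."""
    if is_locked(rec):
        return "locked"
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account-expired"
    if rec["lastchg"] == 0:
        return "must-change"          # forced change at next login
    if rec["lastchg"] is None or rec["max"] is None:
        return "ok"                   # aging disabled for this account
    expires_on = rec["lastchg"] + rec["max"]
    if today >= expires_on:
        if rec["inactive"] is not None and today >= expires_on + rec["inactive"]:
            return "inactive"         # grace period over: account disabled
        return "expired"              # must change now; login still allowed
    if rec["warn"] is not None and today >= expires_on - rec["warn"]:
        return "warning"
    return "ok"
```

Running the parsers over the sample records answers the seven questions of exercise 2 (carol is 1051/1015, henry's primary group is web_admin, kevin administers web_developer, henry is locked, dave must change his password, carol's maximum age is 60 days); the same functions can be pointed at a real system by reading the four files as root.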

Explorational Exercises

  1. Working as root, run the useradd -m dave command to add a new user account. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.
  2. Now that you have created the dave account, can this user login to the system?
  3. Identify the User ID (UID) and Group ID (GID) of dave and all members of the dave group.
  4. Create the sys_admin, web_admin and db_admin groups and identify their Group IDs (GIDs).
  5. Add a new user account named carol with UID 1035 and set sys_admin as its primary group and web_admin and db_admin as its secondary groups.
  6. Delete the dave and carol user accounts and the sys_admin, web_admin and db_admin groups that you have previously created.
  7. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.
  8. Run the ls -l /usr/bin/passwd command. Which special bit is set and what is its meaning?

Summary

In this lesson, you learned:

  • The fundamentals of user and group management in Linux
  • Manage user and group information stored in password and group databases
  • Maintain the skeleton directory
  • Add and remove user accounts
  • Add and remove group accounts
  • Change the password of user accounts

The following commands were discussed in this lesson:

useradd
    Create a new user account.

groupadd
    Create a new group account.

userdel
    Delete a user account.

groupdel
    Delete a group account.

passwd
    Change the password of user accounts and control all aspects of password aging.

Answers to Guided Exercises

  1. For each of the following entries, indicate the file to which it refers:
    • developer:x:1010:frank,grace,dave
      /etc/group
    • root:x:0:0:root:/root:/bin/bash
      /etc/passwd
    • henry:$1$.AbCdEfGh123456789A1b2C3d4.:18015:20:90:5:30::
      /etc/shadow
    • henry:x:1000:1000:User Henry:/home/henry:/bin/bash
      /etc/passwd
    • staff:!:dave:carol,emma
      /etc/gshadow
  2. Observe the following output to answer the next seven questions:

     # cat /etc/passwd | tail -3
     dave:x:1050:1050:User Dave:/home/dave:/bin/bash
     carol:x:1051:1015:User Carol:/home/carol:/bin/sh
     henry:x:1052:1005:User Henry:/home/henry:/bin/tcsh
     # cat /etc/group | tail -3
     web_admin:x:1005:frank,emma
     web_developer:x:1010:grace,kevin,christian
     dave:x:1050:
     # cat /etc/shadow | tail -3
     dave:$6$AbCdEfGh123456789A1b2C3D4e5F6G7h8i9:0:20:90:7:30::
     carol:$6$q1w2e3r4t5y6u7i8AbcDeFgHiLmNoPqRsTu:18015:0:60:7:::
     henry:!$6$123456789aBcDeFgHa1B2c3d4E5f6g7H8I9:18015:0:20:5:::
     # cat /etc/gshadow | tail -3
     web_admin:!:frank:frank,emma
     web_developer:!:kevin:grace,kevin,christian
     dave:!::

    • What is the User ID (UID) and Group ID (GID) of carol?
      The UID is 1051 and the GID is 1015 (the third and fourth fields in /etc/passwd).
    • What shell is set for dave and henry?
      dave uses /bin/bash and henry uses /bin/tcsh (the seventh field in /etc/passwd).
    • What is the name of the primary group of henry?
      The group name is web_admin (the first field in /etc/group).
    • What are the members of the web_developer group? Which of these are group administrators?
      The members are grace, kevin and christian (the fourth field in /etc/group), but only kevin is the administrator of the group (the third field in /etc/gshadow).
    • Which user cannot log into the system?
      The henry user account is locked (it has an exclamation mark in front of the password hash in /etc/shadow).
    • Which user should change the password the next time he will log into the system?
      If the third field (Date of Last Password Change) in /etc/shadow is 0, the user should change his password the next time he will log into the system. Therefore, dave must change his password.
    • How many days must pass before a password change is required for carol?
      60 days (the fifth field in /etc/shadow).

Answers to Explorational Exercises

  1. Working as root, run the useradd -m dave command to add a new user account. What operations does this command perform? Assume that CREATE_HOME and USERGROUPS_ENAB in /etc/login.defs are set to yes.

     The command adds a new user, named dave, to the list of users in the system. The home directory of dave is created (by default /home/dave) and the files and directories contained in the skeleton directory are copied to the home directory. Finally, a new group is created with the same name as the user account.

  2. Now that you have created the dave account, can this user login to the system?

     No, because the dave account is locked (see the exclamation mark in /etc/shadow).

     # cat /etc/shadow | grep dave
     dave:!:18015:0:99999:7:::

     If you set a password for dave, the account will be unlocked. You can do this using the passwd command.

     # passwd dave
     Changing password for user dave.
     New UNIX password:
     Retype new UNIX password:
     passwd: all authentication tokens updated successfully.

  3. Identify the User ID (UID) and Group ID (GID) of dave and all members of the dave group.

     # cat /etc/passwd | grep dave
     dave:x:1015:1019::/home/dave:/bin/sh
     # cat /etc/group | grep 1019
     dave:x:1019:

     The UID and GID of dave are 1015 and 1019 respectively (the third and fourth fields in /etc/passwd) and the dave group has no members (the fourth field in /etc/group is empty).

  4. Create the sys_admin, web_admin and db_admin groups and identify their Group IDs (GIDs).

     # groupadd sys_admin
     # groupadd web_admin
     # groupadd db_admin
     # cat /etc/group | grep admin
     sys_admin:x:1020:
     web_admin:x:1021:
     db_admin:x:1022:

     The GIDs for the sys_admin, web_admin and db_admin groups are 1020, 1021 and 1022 respectively.

  5. Add a new user account named carol with UID 1035 and set sys_admin as its primary group and web_admin and db_admin as its secondary groups.

     # useradd -u 1035 -g 1020 -G web_admin,db_admin carol
     # id carol
     uid=1035(carol) gid=1020(sys_admin) groups=1020(sys_admin),1021(web_admin),1022(db_admin)

  6. Delete the dave and carol user accounts and the sys_admin, web_admin and db_admin groups that you have previously created.

     # userdel -r dave
     # userdel -r carol
     # groupdel sys_admin
     # groupdel web_admin
     # groupdel db_admin

  7. Run the ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow command and describe the output that it gives you in terms of file permissions. Which of these four files are shadowed for security reasons? Assume your system uses shadow passwords.

     # ls -l /etc/passwd /etc/group /etc/shadow /etc/gshadow
     -rw-r--r-- 1 root root    853 mag  1 08:00 /etc/group
     -rw-r----- 1 root shadow 1203 mag  1 08:00 /etc/gshadow
     -rw-r--r-- 1 root root   1354 mag  1 08:00 /etc/passwd
     -rw-r----- 1 root shadow 1563 mag  1 08:00 /etc/shadow

     The /etc/passwd and /etc/group files are world readable and are shadowed for security reasons. When shadow passwords are used, you can see an x in the second field of these files because the encrypted passwords for users and groups are stored in /etc/shadow and /etc/gshadow, which are readable only by root and, in some systems, also by members belonging to the shadow group.

  8. Run the ls -l /usr/bin/passwd command. Which special bit is set and what is its meaning?

     # ls -l /usr/bin/passwd
     -rwsr-xr-x 1 root root 42096 mag 17 2015 /usr/bin/passwd

     The passwd command has the SUID bit set (the fourth character of this line), which means that the command is executed with the privileges of the file’s owner (thus root). This is how ordinary users can change their password.
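The permission layout shown in the last two answers is worth checking mechanically on any system you administer: /etc/shadow and /etc/gshadow must not be world-readable, none of the four databases may be writable by anyone but root, and /usr/bin/passwd needs its SUID bit or ordinary users cannot change their own password. The following Python script is an added example for this lesson (not part of the lesson or of any distribution's tooling). The SAMPLE mapping is constructed from the ls -l output in the answers; collect() builds the same mapping from a live system with os.stat(), and audit() compares either against the expectations. The EXPECTED table is this example's own, not a distribution policy file.

```python
"""Audit the mode bits of the account databases and the passwd binary.
Added example for this lesson; SAMPLE is constructed from the ls -l output
in the answers above, EXPECTED is this example's own checklist."""
import grp
import os
import pwd
import stat

# What a defender expects on a shadow-password system.
EXPECTED = {
    "/etc/passwd":     {"world_readable": True,  "setuid": False},
    "/etc/group":      {"world_readable": True,  "setuid": False},
    "/etc/shadow":     {"world_readable": False, "setuid": False},
    "/etc/gshadow":    {"world_readable": False, "setuid": False},
    "/usr/bin/passwd": {"world_readable": True,  "setuid": True},
}

# Constructed sample {path: (st_mode, owner, group)} mirroring the answers' ls -l output.
SAMPLE = {
    "/etc/group":      (0o100644, "root", "root"),
    "/etc/gshadow":    (0o100640, "root", "shadow"),
    "/etc/passwd":     (0o100644, "root", "root"),
    "/etc/shadow":     (0o100640, "root", "shadow"),
    "/usr/bin/passwd": (0o104755, "root", "root"),
}


def world_readable(mode):
    return bool(mode & stat.S_IROTH)


def is_setuid(mode):
    return bool(mode & stat.S_ISUID)


def symbolic(mode):
    """Render the mode the way ls -l does, e.g. '-rwsr-xr-x'."""
    return stat.filemode(mode)


def audit(entries):
    """Return human-readable findings for entries {path: (mode, owner, group)}."""
    findings = []
    for path, (mode, owner, group) in entries.items():
        want = EXPECTED.get(path)
        if want is None:
            continue
        if owner != "root":
            findings.append(f"{path}: owned by {owner}, expected root")
        if world_readable(mode) != want["world_readable"]:
            state = "is" if world_readable(mode) else "is not"
            findings.append(f"{path}: {state} world-readable ({symbolic(mode)})")
        if is_setuid(mode) != want["setuid"]:
            state = "has" if is_setuid(mode) else "lacks"
            findings.append(f"{path}: {state} the SUID bit ({symbolic(mode)})")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others ({symbolic(mode)})")
    return findings


def collect(paths):
    """Build the same {path: (mode, owner, group)} mapping from a live system."""
    out = {}
    for path in paths:
        st = os.stat(path)
        out[path] = (st.st_mode,
                     pwd.getpwuid(st.st_uid).pw_name,
                     grp.getgrgid(st.st_gid).gr_name)
    return out


if __name__ == "__main__":
    # Run against the real files when executed directly.
    for line in audit(collect(EXPECTED)) or ["no findings"]:
        print(line)
```

Against SAMPLE the audit returns no findings; loosen /etc/shadow to 0644 or strip the SUID bit from /usr/bin/passwd and the corresponding finding appears, which is the regression you would want a configuration check to catch.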