System Administration
Linux User Management
Thái Minh Tuấn - minhtuan@ctu.edu.vn
Slides are adapted from:
[1] Slides prepared by Prof. Brian D. Davison (http://www.cse.lehigh.edu/~brian/)
[2] The Practice of System and Network Administration, 3rd Ed., by Limoncelli, Hogan, and Chalup (Addison Wesley, 2017)
[3] Practical Linux System Administration: A Guide to Installation, Configuration, and Management, by Kenneth Hess (O'Reilly Media, 2023)
User management
● User accounts
○ The /etc/passwd file
○ The /etc/shadow file
○ The /etc/group file
○ Adding users
○ Removing users
○ Disabling logins
○ Account management utilities
● Root powers
○ Ownership of files and processes
○ The superuser
○ Choosing a root password
○ Becoming root
○ Other pseudo-users
The /etc/passwd file
● /etc/passwd lists all recognized users; each entry contains:
○ Login name
○ Encrypted password (usually just x, with the hash in /etc/shadow)
○ UID number
○ Default GID number
○ Full name, office, extension (the optional GECOS field)
○ Home directory
○ Login shell
● Example
○ jsmith:x:1007:1007:Jane Smith,Room 26,212-555-1000,jsmith@example.com:/home/jsmith:/bin/bash
Login name
● Syntax
○ usernames must be unique
○ <= 32 chars
○ any characters except newlines and colons
● Recommendations
○ use lower case (even though names are case sensitive)
○ choose names that are easy to remember
○ avoid “handles” and cutesy nicknames
Hashed passwords
● Most passwords are in /etc/shadow, not /etc/passwd
● Passwords are stored hashed, not encrypted
○ Cannot be changed by hand
○ Can be copied from another account
○ Are set using passwd
● Password field should never be left blank
○ Put a star (*) in its place (x when shadow passwords are in use)
○ Otherwise no password is needed to log in!
● MD5/SHA-512/yescrypt passwords (most distributions) can be any length
UID number
● In Linux, UIDs are unsigned 32-bit integers (4 bytes)
○ Older systems only allowed up to 32,767
● Root is (almost always) UID 0
● Fake/system logins typically have low UIDs
○ Place real users >= 1000
● Avoid recycling UIDs
○ Old files, backups are identified by UID
● Preserve unique UIDs across org
○ Helpful for consistency across network filesystems
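As an added example (not part of the original slides), a small audit script that applies the rules from the /etc/passwd, login name, password and UID slides to a constructed passwd-format sample: it flags empty password fields, UID 0 accounts other than root, duplicate login names or UIDs, malformed lines, and over-long names. Only standard sh and awk are assumed; the sample accounts are made up.

```shell
# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1007:1007:Jane Smith,Room 26,212-555-1000:/home/jsmith:/bin/bash
toor::0:0:second root:/root:/bin/bash
bob:x:1007:1008:Bob Jones:/home/bob:/bin/bash
averyveryveryveryveryverylongusername123:x:1009:1009::/home/long:/bin/sh'

# audit_passwd CONTENTS: print one finding per problem found in the
# passwd-format text passed as the first argument.
audit_passwd() {
    printf '%s\n' "$1" | awk -F: '
    {
        name = $1; pw = $2; uid = $3
        if (NF != 7) print "line " NR ": expected 7 fields, found " NF
        # An empty second field means no password is required at all.
        if (pw == "") print name ": empty password field"
        # Any UID 0 account is a full superuser, whatever it is called.
        if (uid == 0 && name != "root") print name ": UID 0 but not root"
        if (length(name) > 32) print name ": login name exceeds 32 chars"
        if (name in seen_name) print name ": duplicate login name"
        if (uid in seen_uid) print name ": UID " uid " already used by " seen_uid[uid]
        seen_name[name] = 1
        if (!(uid in seen_uid)) seen_uid[uid] = name
    }'
}

# audit_passwd_count CONTENTS: number of findings (0 means clean).
audit_passwd_count() {
    audit_passwd "$1" | awk 'END { print NR }'
}

audit_passwd "$SAMPLE_PASSWD"
```

On a real system the same check is `audit_passwd "$(cat /etc/passwd)"`; the sample above yields five findings, three of them for the toor account.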
Other fields
● Default GID number
○ Like UIDs, 32-bit unsigned integers
○ GID 0 is for the group “root”
● GECOS fields (optional) [chfn]
○ General Electric Comprehensive OS
○ Full name, office, extension, home phone
● Home directory
○ Where the user starts when they log in
● Login shell [chsh]
○ Such as sh/bash, csh/tcsh, ksh, etc.
The /etc/shadow file
● Readable only by superuser
● Enhanced account information
● Use is highly recommended
● Use usermod to modify contents
● Contains:
○ Login name
○ Hashed password
○ Date of password change
○ Min number of days between password changes
○ Max days between password changes
○ Num days in advance to warn
○ Num days after expiration to disable account
○ Account expiration date
○ Reserved field
The /etc/group file
● Contains names of groups and lists each member
● Example:
○ wheel:*:10:root,evi,garth,trent,brian
○ Group name:encrypted password:GID:List of members, separated by commas (no spaces)
● Setting per-user groups is recommended
○ Better default security
Managing Groups Rather Than Users
● More convenient to define and manage a group than to manage each user separately
○ Difficult to trace permissions for a user on every system
○ Managing permissions for groups allows sysadmins to manage fine-grained user access on a more global level
● For example: a user moves from the Human Resources (HR) to the Finance department
○ Remove that user from the HR group and add them to the Finance group.
■ The user immediately has access to all shared files and folders that other Finance group members do.
■ And the user no longer has access to HR files and folders.
Adding users
● For small installations, adding users is simple
○ Have user sign and date user agreement
○ Create user account with useradd
○ Set password with passwd
○ Change defaults with usermod
Steps to add a user
● useradd: standard command-line Linux method of adding new users
○ # useradd -c "Jane Smith" jsmith
■ creates the home directory /home/jsmith
■ creates the hidden environment (dot) files
■ places an entry in /etc/passwd
■ creates a default group in /etc/group
● Use the passwd command to supply a password to the account:
○ # passwd jsmith
● Adding users with adduser
○ On some Linux distributions, adduser is a symbolic link to useradd
○ On other distributions, adduser is an interactive Perl script that steps you through adding a new user
■ useradd is a separate utility
Removing users
● Generally with userdel
○ Set disk quota to zero
○ Remove user from local databases or phone lists
○ Remove from aliases file (or add forwarding)
○ Remove crontab file and any pending at jobs
○ Kill any running processes
○ Remove temporary files in /var/tmp or /tmp
○ Remove from passwd, shadow, and group files
○ Remove home directory (backup first) and mail spool
Disabling logins
● Sometimes you need to temporarily disable a login
● Can't just put a star in front of the hashed password
○ Might still be able to log in via the network without a password
○ # usermod -L jsmith
● Current practice
○ Replace the shell with a program explaining the account status and instructions on how to fix it
Account management utilities
● Basic utilities
○ useradd – adds entries to the passwd and shadow files
○ usermod – changes an existing passwd entry
○ userdel – removes a user, optionally deleting the home directory
○ groupadd, groupmod, groupdel operate on /etc/group
● Common to write custom adduser and rmuser scripts
Modifying User Accounts
● Add/remove the user to a supplementary group
○ Add: # usermod -a -G engineering jsmith
○ Remove: # gpasswd -d jsmith engineering
● Change the user’s comment field in /etc/passwd
○ # usermod -c "Jane R Smith" jsmith
○ # chfn -f "Janie Smith" jsmith
● Set an account expiry date
○ # usermod -e 2021-07-23 jsmith
● Lock/unlock a user’s account
○ Lock: # usermod -L jsmith
○ Unlock: # usermod -U jsmith
● Change a user’s login shell
○ # usermod -s /bin/sh jsmith
Modifying User Accounts
● List the current password-aging settings for the specified user account
○ # chage -l jsmith
● Forcing password changes
○ # chage -m 1 -M 90 rsmith
○ -M 90: force a password change every 90 days
○ -m 1: minimum number of days between password changes is 1
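The /etc/shadow fields and the chage -m/-M settings above together decide whether a login is still accepted. As an added example (not the slides' own code), this shell function classifies one shadow entry as of a given day number (days since 1970-01-01, the unit the file itself stores); the entries are constructed, the hash values are placeholders, and the status names are my own.

```shell
# shadow_status ENTRY TODAY: classify one /etc/shadow line as of day number
# TODAY (days since 1970-01-01). Prints exactly one of:
# locked no-password account-expired must-change disabled password-expired warn ok
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # A hash beginning with ! or * (usermod -L, or never set) disables login.
        if (hash ~ /^[!*]/)      { print "locked"; exit }
        if (hash == "")          { print "no-password"; exit }
        # Account expiry (usermod -e) overrides everything below.
        if (expire != "" && today >= expire) { print "account-expired"; exit }
        # A last-change day of 0 forces a change at the next login.
        if (last == 0)           { print "must-change"; exit }
        # 99999 is the conventional "never expires" maximum age.
        if (max != "" && max < 99999 && today > last + max) {
            # After the inactivity grace period the account is disabled.
            if (inact != "" && today > last + max + inact) print "disabled"
            else print "password-expired"
            exit
        }
        if (max != "" && warn != "" && today >= last + max - warn) print "warn"
        else print "ok"
    }'
}

# Constructed entry: last change day 19000, min 1, max 90, warn 7,
# inactive 14, account expires day 19500. The hash is a placeholder.
J='jsmith:$6$salt$PLACEHOLDERHASH:19000:1:90:7:14:19500:'
shadow_status "$J" 19050     # ok
shadow_status "$J" 19095     # password-expired
```

On a real system (as root) the current day number is `$(( $(date -u +%s) / 86400 ))`, so `shadow_status "$(grep '^jsmith:' /etc/shadow)" "$(( $(date -u +%s) / 86400 ))"` checks a live account.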
The superuser
● The root account has UID of 0
○ Can change the name and create other users with the same UID; neither is recommended
● The superuser (any process with effective UID 0) can perform any valid operation on any file or process.
● All other users are “normal”
Restricted operations
● Superuser privileges are required for:
○ Changing the root directory of a process with chroot
○ Creating device files
○ Setting the system clock
○ Raising resource usage limits and process priorities
○ Setting the system's hostname
○ Configuring the network interfaces
○ Opening privileged network ports (<= 1024)
○ Shutting down the system
○ Changing process UID and GID (only one way)
■ Example: login
Choosing a root password
● Any password? Not if you want it to be difficult to crack.
● Should be
○ At least eight characters (more may not be helpful)
○ Not easily guessed or found by trial and error
○ Memorable (so you don't need to write it down)
○ A seemingly random sequence of letters, digits, & punctuation
○ Shocking nonsense!
■ Memorable, unguessable, unique, undisclosed
■ Mpmgg!: “Mollusks peck my galloping genitals!”
Changing the root password
● Should be performed
○ At least every three months
○ Every time someone who might know the password leaves the site
○ Whenever you think security might be compromised
○ On a day when you will remember the new password!
Becoming root
● You can log in as root
○ No record of what operations were performed
○ Often you'll want a record!
■ When the root user was a colleague who is unavailable
■ When you can't remember exactly what you did
■ When the access was unauthorized and you want to know what was done
○ No record of who was root
● Typically want to disable root logins except at the console
Being root
● Responsibilities!
○ Do not give out root password
○ Do not create new accounts with UID 0
○ Use root account for admin work only
○ Change root password often
○ Do not leave root shell unattended
○ Be extra careful!
○ Perhaps more, depending on policies at your location
su
● su: substitute user identity (switch users)
○ Without args, su prompts for root password and then starts root shell
○ Logs who became root and when
○ Can also su username
■ if you know the pw, or are root already
○ Use “su -” to execute the new user's login shell
■ Otherwise the new PATH is not established
○ Good idea to use the full pathname to su (why?)
■ Linux: /bin/su
■ Solaris: /sbin/su
sudo
● sudo: a limited su
○ When you want to provide limited root-privileges
○ sudo <program to be executed>
■ Checks /etc/sudoers for authorization
■ Asks for user's password
■ Logs command executed, person, time, and directory
■ Executes command
■ Additional sudo commands can be executed without a password for another five minutes
■ Example:
● sudo cat /etc/sudoers
The /etc/sudoers file
● Simple text file describing users, groups, and commands that can work with root or other user privileges
● Each permissions line includes
○ Users to whom the line applies
○ Hosts on which the line applies
○ Commands that the users can run
○ Users as whom the commands can be executed
● You can create a sudoer with very restrictive permissions (i.e., to run a single command as root) or permissive: run any command as root without entering a password to do so
● Edit the /etc/sudoers file
○ $ sudo visudo
○ $ sudo nano /etc/sudoers
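As an added example, not from the slides, a shell audit of a constructed sudoers fragment that reports the permissive cases the slide describes: entries allowing any command (ALL) and entries tagged NOPASSWD. It handles only simple user-specification lines (user host=(runas) command); Defaults and alias lines are skipped, and the usernames and paths in the sample are made up.

```shell
# Constructed sudoers fragment (not a real system's file).
SAMPLE_SUDOERS='# user   host=(runas) command
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
jsmith   ALL=(root) /usr/bin/systemctl restart nginx
backup   ALL=(root) NOPASSWD: /usr/local/bin/run-backup
deploy   ALL=(ALL) NOPASSWD: ALL
Defaults logfile=/var/log/sudo.log'

# audit_sudoers CONTENTS: print "who: tags" for every user-spec line that
# grants all commands and/or skips the password prompt (root itself is skipped).
audit_sudoers() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }                         # comment
    NF == 0    { next }                         # blank line
    /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        who = $1
        # Everything after "host=" is the optional (runas) spec plus commands.
        spec = $0; sub(/^[^=]*=/, "", spec)
        cmds = spec; sub(/^\([^)]*\)[ \t]*/, "", cmds)
        tags = ""
        if (cmds ~ /NOPASSWD:/) tags = tags " NOPASSWD"
        sub(/^([A-Z]+:[ \t]*)+/, "", cmds)      # strip tags such as NOPASSWD:
        if (cmds == "ALL") tags = tags " ALL-commands"
        if (tags != "" && who != "root") print who ":" tags
    }'
}

# audit_sudoers_count CONTENTS: number of flagged entries.
audit_sudoers_count() {
    audit_sudoers "$1" | awk 'END { print NR }'
}

audit_sudoers "$SAMPLE_SUDOERS"
```

On a live system run it as root against `$(cat /etc/sudoers)` and each file under /etc/sudoers.d; the sample flags %admin, backup and deploy.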
The /etc/sudoers file
sudo advantages
● Accountability – commands are logged
● Operators can do chores without root privileges
● Real root password can be known to very few people
● sudo is faster to use than su or logging in as root
● Privileges can be revoked without changing root pw
● A complete list of users with root is maintained
● Less chance of a root shell being left unattended
● A single file can control access for an entire network
sudo logging
sudo disadvantages
● /etc/sudoers file is everything!
● Users with sudo privileges must protect their accounts as if they were root!
● Command logging can be avoided by starting a shell, or running some program that allows shell escapes
Other pseudo-users
● bin
○ Legacy owner of system commands
● daemon
○ Owner of unprivileged files and processes
● nobody
○ Account for remote roots of NFS systems
■ They often can't stay UID 0!
■ They need to be mapped to something
Group passwords
● The newgrp command allows a user to change the default group
○ Starts a new shell
○ If the group has a password, it will prompt for the password
■ Sometimes might give access, even if user not in list (varies)
● Group passwords are antiquated and not recommended
○ Must copy and paste password info
○ Group passwords are world readable
● RH/Fedora Linux has the gpasswd command to set a group password, put it into /etc/gshadow, and more
sudo bang bang