User and Group Management
1. The ability to control users and groups
1. useradd - used to add users and modify group membership
1. create a user named 'student' using 'useradd'
Note: default user settings derive from: /etc/login.defs
a. useradd student
b. set password for user 'student': passwd student
Default user accounts DB: /etc/passwd
Note: /etc/passwd is a human-readable file
Note: /etc/shadow stores passwords in encrypted form
Note: /etc/shadow is NOT human-readable
2. encrypted password:
3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
6. Warn: The number of days before password is to expire that user is warned that his/her password must be changed
7. Inactive: The number of days after password expires that account is disabled
8. Expire: days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
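The aging fields listed above can be checked mechanically. The following is an added example, not part of the original notes: a shell function that classifies /etc/shadow-format lines by the password field and fields 3 and 5 to 8. The function names, status labels, sample lines and the reference day 20000 are constructed for illustration.

```shell
# Added example (not from the original notes): classify /etc/shadow-format
# lines using the aging fields described above. All sample data is constructed.

# shadow_audit TODAY < file   (TODAY = days since Jan 1, 1970)
shadow_audit() {
    awk -F: -v today="$1" '
    {
        t = today + 0
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; acct_exp = $8
        status = "ok"
        if (hash == "")                               status = "NO_PASSWORD"
        else if (hash ~ /^[!*]/)                      status = "locked"
        else if (acct_exp != "" && t >= acct_exp + 0) status = "ACCOUNT_EXPIRED"
        else if (last != "" && max != "") {
            pw_end = last + max                       # last day the password is valid
            if (inact != "" && t > pw_end + inact)    status = "DISABLED_INACTIVE"
            else if (t > pw_end)                      status = "PASSWORD_EXPIRED"
            else if (warn != "" && t > pw_end - warn) status = "warn_period"
        }
        print $1 ":" status
    }'
}

# Constructed sample lines; the hashes are placeholders, not real password hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$placeholder$hash:19990:0:45:7:14::
bob:$6$placeholder$hash:19900:0:45:7:14::
carol:$6$placeholder$hash:19950:0:45:7:14::
dave:$6$placeholder$hash:19960:0:45:7:14::
erin::19990:0:99999:7:::
frank:!:19990:0:99999:7:::
grace:$6$placeholder$hash:19990:0:99999:7::19500:
EOF
}

# Audit the sample as of day 20000. On a live system (as root):
#   shadow_audit "$(( $(date +%s) / 86400 ))" < /etc/shadow
audit_sample() { sample_shadow | shadow_audit 20000; }
audit_sample
```

An empty password field (erin) is the entry to act on first, since that account needs no password to log in.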
2. encrypted password: The encrypted password for the group. If set, non-members of the group can join the group by typing the password for that group using the newgrp command. If the value of this field is !, then no user is allowed to access the group using the newgrp command. A value of !! is treated the same as a value of ! — however, it also indicates that a password has never been set before. If the value is null, only group members can log into the group.
3. group administrators - group members listed here (in a comma delimited list) can add or remove group members using the gpasswd command.
4. group members - group members listed here (in a comma delimited list) are regular, non-administrative members of the group.
gpasswd sales - will set the 'sales' group password
gpasswd -a anas sales - add 'anas' as a member of the group 'sales'
gpasswd -A student sales - add a group administrator
gpasswd -M student sales - add a new member 'student' and remove existing members from a group 'sales'
gpasswd -r sales - remove the encrypted passwd
gpasswd -R sales - will put the value '!' instead of encrypted password
This line shows that the general group has no password and does not allow non-members to join using the newgrp command. In addition, student is a group administrator, and anas is a regular, non-administrative member.
1. group_name: The name of the group. If you run the ls -l command, you will see this name printed in the group field.
2. Password: Generally password is not used, hence it is empty/blank. It can store encrypted password. This is useful to implement privileged groups.
3. Group ID (GID): Each user must be assigned a group ID. You can see this number in your /etc/passwd file.
4. Group List: It is a list of user names of users who are members of the group. The user names must be separated by commas.
2. Modify user 'student' to have password expire after 45 days
Let's say that you want to change student’s shell, you would do the following:
usermod -s /bin/tcsh student
Now student’s /etc/passwd file entry would change to this:
Let's make student’s account expire on 09/15/97:
usermod -e 09/15/97 student
Now student’s entry in /etc/shadow becomes:
1. groupadd - adds a new group
2. groups - lists groups on the system: /etc/group
/etc/group - maintains group membership information
Task: create a 'sales' group, add 'student' as a member, then remove 'student' from the 'sales' group
1. groupadd sales
2. usermod -G sales student
3. gpasswd -d student sales
Note: 2 types of groups exist:
1. Primary - used by default for a user's permissions
2. Supplemental - used to determine effective permissions
Task: set the primary group of 'student' to 'student' with 'sales' as a secondary group
1. usermod -g student -G sales student
Note: use 'id' to determine the group information of user
Note: Create a new shell session to realize new group membership information