Module 16 Creating Users and Groups
Exam Objective 5.2 Create Users and Groups
Objective Description
Creating users and groups on a new system.
Introduction
● Remember: User account information is stored in the /etc/passwd file and authentication information in the /etc/shadow file.
● Editing these files directly to add users or groups is possible but not recommended.
● Using the user and group management commands is more appropriate.
● When creating a new user, some distributions also create a User Private Group (UPG).
Note: Before you begin creating users, you should plan how you will use groups.
Creating Groups
Groups
● Groups provide a way for users to share files.
● After creating a group, the grep command can be used to verify the configuration and any changes.
● The getent command can be used to show both local and network-based groups.
root@localhost:~# grep root /etc/group
root:x:0:
root@localhost:~# getent group root
root:x:0:
Creating a Group
● Execute the groupadd command as the root user to create a new group.
● To specify a group ID (GID) for the group, use the -g option.
root@localhost:~# groupadd -g 506 research
● If the -g option is not used, groupadd automatically assigns a GID one higher than the last GID added to the /etc/group file.
root@localhost:~# grep research /etc/group
research:x:506:
root@localhost:~# groupadd development
root@localhost:~# grep development /etc/group
development:x:507:
Group ID Considerations
● Remember: In some distributions, when a user ID is created, a UPG is also created.
● Avoid creating GIDs in the same range as the UIDs that will be created in the future.
● GIDs under 1000 are reserved for system use. To bypass this and have a GID below 1000 assigned (a system group), use the -r option.
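The checks above (is the GID already taken, is it in the reserved system range, is it inside the GID_MIN/GID_MAX range, and which GID groupadd would pick on its own) can be run against a copy of /etc/group before calling groupadd -g. The following is an added example, not part of the course material: the group file path and the range are parameters (a real system takes the range from /etc/login.defs), the sample group file is constructed, and the automatic-GID rule implemented is the one described above (one higher than the highest ordinary GID already present).

```shell
#!/bin/sh
# Added example (not part of the course material): check a proposed GID against
# an /etc/group-style file and the GID_MIN/GID_MAX range before running
# "groupadd -g", and work out which GID groupadd would pick on its own
# (one higher than the highest ordinary GID already in the file).

# Constructed sample data standing in for /etc/group (not a real system).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:
users:x:100:
research:x:506:
development:x:507:
staff:x:1001:
nogroup:x:65534:
EOF

# gid_status FILE GID MIN MAX
# Prints one word: in-use, system (below MIN, the range "groupadd -r" uses),
# out-of-range (above MAX), or free.
gid_status() {
    file=$1 gid=$2 min=$3 max=$4
    if awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$file"; then
        echo in-use
    elif [ "$gid" -lt "$min" ]; then
        echo system
    elif [ "$gid" -gt "$max" ]; then
        echo out-of-range
    else
        echo free
    fi
}

# next_gid FILE MIN MAX
# Prints the GID groupadd would assign automatically: the highest GID inside
# [MIN, MAX] plus one, or MIN when no group in that range exists yet.
next_gid() {
    awk -F: -v min="$2" -v max="$3" '
        BEGIN { hi = 0 }
        $3 >= min && $3 <= max && $3 > hi { hi = $3 }
        END { print (hi ? hi + 1 : min) }' "$1"
}

# Demonstration with the constructed file and a GID_MIN/GID_MAX of 500/60000.
for gid in 506 600 42 70000; do
    printf 'GID %-5s -> %s\n' "$gid" "$(gid_status "$SAMPLE_GROUP_FILE" "$gid" 500 60000)"
done
printf 'groupadd without -g would use GID %s\n' "$(next_gid "$SAMPLE_GROUP_FILE" 500 60000)"
```

Point the functions at /etc/group and the GID_MIN/GID_MAX values from /etc/login.defs to use them on a real system; the script only reads the file and never calls groupadd itself.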
Group Naming Considerations
● A portable group name functions correctly with other systems.
● Guidelines for creating a portable group name:
○ For the first character, use an underscore (_) or a lowercase alphanumeric character (a-z)
○ After the first character, the remaining characters can be alphanumeric, a dash, or an underscore
○ Using more than 16 characters can be problematic
○ The last character should not be a hyphen (-)
Modifying a Group
● The groupmod command can be used either to change the name of the group (with the -n option) or to change the GID (with the -g option).
root@localhost:~# groupmod -n clerks sales
root@localhost:~# groupmod -g 10003 clerks
● Changing the group name won't cause any problems with accessing files, because files record the GID rather than the name.
● Changing the GID will cause files that still carry the old GID to no longer be associated with that group.
● To search for such orphaned files, use the find command with the -nogroup option.
Deleting a Group
● The groupdel command can be used to delete a group.
root@localhost:~# groupdel clerks
● Files owned by the deleted group will become orphaned.
● Only supplementary groups can be deleted; a group that is a user's primary group cannot be removed.
User Configurations
Users
● During installation it is common to create a normal user with root permissions granted through sudo.
● This works well when the computer is used by one user.
● For computers with multiple users, creating separate user accounts is ideal.
User Configuration
● Before creating users, verify the default values used by the useradd command.
● The -D option of the useradd command allows you to view or change some of the default values. This can also be done by editing the /etc/default/useradd file.
root@localhost:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
● What the values of useradd -D mean:
GROUP - The default primary group for a new user. This setting affects the primary group ID field of the /etc/passwd file.
GROUP=100
HOME - The default base directory under which the user's new home directory will be created. This setting affects the home directory field of the /etc/passwd file.
HOME=/home
Figure: the GROUP value supplies the fourth (primary GID) field and the HOME value the base of the sixth (home directory) field of the new /etc/passwd entry:
bob:x:600:600:bob:/home/bob:/bin/bash
INACTIVE - The number of days after the password expires before the account is disabled. This setting affects the inactive field of the /etc/shadow file.
INACTIVE=-1
EXPIRE - By default, there is no value set for the account expiration date. This setting affects the expire field of the /etc/shadow file.
EXPIRE=
Figure: the INACTIVE value supplies the seventh (inactive) field and the EXPIRE value the eighth (expire) field of the /etc/shadow entry; with the password last changed on day 15020 and a maximum age of 30 days, the password expires on day 15050:
bob:x:600:600:bob:/home/bob:/bin/bash
bob:pw:15020:5:30:7:60::
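The ageing arithmetic behind the figure (last change day plus maximum age gives the expiry day; the inactive field adds a grace period before the account is disabled; the expire field is an absolute cut-off) can be worked through on a shadow line directly. The following is an added example, not part of the course material: the sample line is constructed to mirror the slide's bob entry, and the state names returned by shadow_state are this example's own simplified classification rather than the exact logic of the login programs.

```shell
#!/bin/sh
# Added example (not part of the course material): read the password-ageing
# fields of an /etc/shadow line and work out the day numbers at which the
# password expires, the warning starts, and the account is disabled.
# Standard shadow field layout (colon separated):
#   1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn, 7 inactive, 8 expire, 9 reserved
# All day values count days since 1970-01-01, exactly as stored in the file.

# Constructed sample line mirroring the slide's "bob" entry (not a real account).
SAMPLE_SHADOW_LINE='bob:pw:15020:5:30:7:60::'

# shadow_password_expiry_day LINE -> lastchg + max, or "never" if ageing is off.
shadow_password_expiry_day() {
    printf '%s\n' "$1" | awk -F: '{
        if ($5 == "" || $5 >= 99999) print "never"; else print $3 + $5 }'
}

# shadow_state LINE TODAY -> ok | warn | password-expired | disabled | account-expired
# TODAY is a day number such as $(( $(date +%s) / 86400 )).
# The classification is this example's simplification of the login checks.
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # Field 8: absolute account expiry, checked before any password ageing.
        if (expire != "" && today >= expire) { print "account-expired"; exit }
        # An empty or 99999 max means the password never ages.
        if (max == "" || max >= 99999) { print "ok"; exit }
        pexp = last + max
        # Field 7: days of grace after expiry before the account is disabled.
        if (inact != "" && inact >= 0 && today >= pexp + inact) { print "disabled"; exit }
        if (today >= pexp) { print "password-expired"; exit }
        # Field 6: warn this many days before expiry.
        if (warn != "" && today >= pexp - warn) { print "warn"; exit }
        print "ok" }'
}

# Demonstration on the constructed line: expiry day 15050 = 15020 + 30.
printf 'password expires on day %s\n' "$(shadow_password_expiry_day "$SAMPLE_SHADOW_LINE")"
for day in 15030 15045 15060 15110; do
    printf 'day %s: %s\n' "$day" "$(shadow_state "$SAMPLE_SHADOW_LINE" "$day")"
done
```

To convert a day number into a calendar date on a system with GNU date, multiply it by 86400 and pass the result as an epoch timestamp (date -u -d @SECONDS); the functions themselves only deal in day numbers so that they run anywhere awk is available.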
SHELL - The default shell for a user when they log in to the system. This setting affects the shell field of the /etc/passwd file.
SHELL=/bin/bash
SKELETON DIRECTORY - The contents of this directory are copied into the new user's home directory. This setting does not correspond to a field of the /etc/passwd file; it only determines the initial contents of the home directory.
SKEL=/etc/skel
CREATE MAIL SPOOL - Whether to create the file where the user's incoming email is placed.
CREATE_MAIL_SPOOL=yes
Figure: the SHELL value supplies the seventh (shell) field of the /etc/passwd entry:
bob:x:600:600:bob:/home/bob:/bin/bash
● The /etc/login.defs file also contains values that will be applied by default to new users you create with the useradd command.
● To view the contents of the /etc/login.defs file without comments and blank lines, use the grep command:
root@localhost:~# grep -Ev '^#|^$' /etc/login.defs
MAIL_DIR /var/mail/spool
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
Output omitted...
● Values of the /etc/login.defs file include:
Mail Directory - The directory in which the user's mail spool file will be created.
MAIL_DIR /var/mail/spool
Password Max Days - The maximum number of days that a user can continue to use the same password.
PASS_MAX_DAYS 99999
Password Min Days - The shortest time that a user is required to keep a password.
PASS_MIN_DAYS 0
Password Minimum Length - The minimum number of characters that a password must contain.
PASS_MIN_LEN 5
Password Warn Age - The number of days before a password expires that the user is warned to change it.
PASS_WARN_AGE 7
UID Minimum - Determines the first UID that will be assigned to an ordinary user.
UID_MIN 500
UID Maximum - Although it can go up to four billion, for maximum compatibility it is recommended to leave it at its default value of 60000.
UID_MAX 60000
GID Minimum - Determines the first GID that will be assigned to an ordinary group.
GID_MIN 500
GID Maximum - The last GID that will be assigned to an ordinary group.
GID_MAX 60000
Home Directory - Determines whether or not a new home directory will be created for the user when their account is created.
CREATE_HOME yes
Umask - Determines what the default permissions will be on the user's home directory.
UMASK 077
UPG - If UPG is used in the distribution, this has a value of yes; if not, a value of no.
USERGROUPS_ENAB yes
Encryption - The method used to hash (the file calls it encrypting) the users' passwords in the /etc/shadow file.
ENCRYPT_METHOD SHA512
Account Considerations
● Creating a user account may require additional information:
○ You need the account name; you may also want to plan the UID, the primary group, the supplementary groups, the home directory, the skeleton directory, and the shell to be used.
● Guidelines for creating a portable user name (the same rules as for group names):
○ For the first character, use an underscore (_) or a lowercase alphanumeric character (a-z)
○ After the first character, the remaining characters can be alphanumeric, a dash, or an underscore
○ Using more than 16 characters can be problematic
○ The last character should not be a hyphen (-)
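The four portability rules (listed here for user names and earlier for group names) can be turned into a check that runs before useradd or groupadd is called. The following is an added example, not part of the course material: the character classes and the 16-character limit are taken from the guidelines above, the candidate names are constructed, and the exact rules a particular distribution enforces may be stricter or looser.

```shell
#!/bin/sh
# Added example (not part of the course material): check a proposed user or
# group name against the portability guidelines from the slides, so the check
# can run before useradd or groupadd. LC_ALL=C keeps [a-z] strictly lowercase
# ASCII regardless of the caller's locale.
export LC_ALL=C

# name_problem NAME -> prints "ok" when the name is portable, otherwise a
# one-line reason naming the first rule the name breaks.
name_problem() {
    name=$1
    if [ "${#name}" -gt 16 ]; then
        # Rule 3: more than 16 characters can be problematic.
        echo "longer than 16 characters"
    elif ! printf '%s\n' "$name" | grep -Eq '^[a-z_]'; then
        # Rule 1: first character must be an underscore or a lowercase letter.
        echo "first character must be _ or a-z"
    elif ! printf '%s\n' "$name" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
        # Rule 2: remaining characters alphanumeric, dash or underscore only.
        echo "contains a character other than a-z, 0-9, _ or -"
    else
        # Rule 4: the last character must not be a hyphen.
        case $name in
            *-) echo "ends with a hyphen" ;;
            *)  echo ok ;;
        esac
    fi
}

# is_portable_name NAME -> exit status 0 if portable, 1 otherwise
is_portable_name() {
    [ "$(name_problem "$1")" = ok ]
}

# Demonstration on constructed candidate names (none refer to real accounts).
for candidate in research _svc01 Research 1abc web-team- 'sales team' averylongdepartmentname; do
    printf '%-24s %s\n' "$candidate" "$(name_problem "$candidate")"
done
```

A typical use is a guard in an account-provisioning script: if is_portable_name fails, print the reason from name_problem and stop before useradd runs, so a name that would work on one system but not another never gets created.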
Creating a User
● Once you know what values to use, you can create a user with the useradd command:
root@localhost:~# useradd -u 1000 -g users -G wheel,research -c 'Jane Doe' jane
● Information about the new user jane is automatically added to /etc/passwd and /etc/shadow, while information about her supplemental groups is added to /etc/group and /etc/gshadow.
● A /var/spool/mail/jane file would also be created, as well as the /home/jane directory.
Passwords
● Factors to consider when choosing a password for an account:
○ Length - The minimum length is specified in the /etc/login.defs file
○ Composition - A combination of alphabetic, numeric and symbolic characters
○ Lifetime - The maximum time a password can be used should be limited to minimize security threats
Note: Requiring a user to change their password too often might also pose security problems.
Setting a User Password
● There are a few ways a password can be set:
○ The user can execute the passwd command
○ An administrator can execute the passwd command with the username as an argument
○ Graphical tools
● Users must follow the guidelines for entering passwords, while root can bypass the warnings:
root@localhost:~# passwd jane
Enter new UNIX password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new UNIX password:
Modifying a User
● Use the who, w, and last commands to verify whether a user is currently logged in.
● The usermod command offers multiple options for modifying users.
● Examples of usermod options include:
Short Option      Long Option                  Description
-c COMMENT        --comment COMMENT            Sets the value of the GECOS or comment field to COMMENT.
-d HOME_DIR       --home HOME_DIR              Sets HOME_DIR as the new home directory for the user.
-e EXPIRE_DATE    --expiredate EXPIRE_DATE     Sets the account expiration date to EXPIRE_DATE.
Deleting a User
● When you delete a user account, you also need to decide whether to delete the user's home directory.
● To delete a user without deleting the user's home directory, execute:
root@localhost:~# userdel jane
● To delete a user and their home directory, execute:
root@localhost:~# userdel -r jane