The document discusses managing local Linux users and groups. It explains the role of users and groups on a Linux system and how they are understood by the computer. It describes different types of users like root, pseudo, system and normal users. It also discusses commands to switch users, view user details, administer users using sudo, and understand password and shadow files. Finally, it covers creating, modifying and deleting local user and group accounts and locking accounts.
1. Managing Local Linux Users and Groups
Objectives:
● Explain the role of users and groups on a Linux system and how they are understood by the computer.
● Run commands as the superuser to administer a Linux system.
● Create, modify, lock and delete locally defined user accounts.
● Create, modify, and delete locally defined group accounts.
● Lock accounts manually or by setting a password-aging policy in the shadow password files.
Sections
1. Users
Types of user
Switching users with the su command, and id for user details
The sudo command & the /etc/sudoers file
Understanding the /etc/passwd & /etc/shadow files
Password hash
Managing local user accounts using useradd, usermod, userdel, id, passwd
2. Groups
Understanding the /etc/group and /etc/gshadow files
Managing local group accounts
Managing group passwords
Author: Bipul Kumar
2. User:
Every process (running program) on the system runs as a particular user.
Every file is owned by a particular user.
Types of user
In general there are four types of user:
● Root user, i.e. UID 0
● Pseudo user
● System user
● Other user
Root user (UID 0):
The root user has the power to override normal privileges on the file system and is used to manage and administer the system. In short, it has the power to damage the system, remove files and directories, remove users and accounts, and add backdoors.
Pseudo user:
A normal user with the special privilege of executing any command as the root user (via sudo).
System user:
A system user is created by default by the OS at installation time, or when you install a package, and it runs daemons in the background. On Ubuntu the UID range for system users is 100 to 999 (source: /etc/adduser.conf).
Other user:
Other users are created by root or by sudo users and have limited access on the system. On Ubuntu their UID range is 1000 to 29999 (source: /etc/adduser.conf).
4. The sudo command & the /etc/sudoers file
1. The sudo command allows a permitted user to run commands as root, or as another user, based on the settings in /etc/sudoers.
2. sudo requires users to enter their own password for authentication.
3. On Ubuntu, members of the group admin can use sudo to run commands as any user, including root. The equivalent on Fedora/Red Hat is the wheel group.
4. All commands executed through sudo are logged in /var/log/secure (on Debian/Ubuntu the same entries go to /var/log/auth.log).
5. We use the visudo command to edit the /etc/sudoers file; it checks the syntax before saving, so a typo cannot lock everyone out of sudo.
/etc/sudoers file
# This file MUST be edited with the 'visudo' command as root.
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
(user  host=(run-as user:run-as group)  command: root may run all commands on all hosts, as any user and any group)
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Question: Can a normal user run a single /sbin command, or another command that needs root privileges?
Yes, we can. Let's take the adduser command as an example:
1. Log in to the root account or a sudo account.
2. Create a normal user with a password.
3. Go to line 20 and insert a line with
lucy ALL=(ALL) /usr/sbin/adduser
4. Now log in to the lucy account, and you are done.
Question: Can a normal user run a single /sbin command, or another root-privileged command, without password authentication?
Yes, we can, through the following steps:
1. Go to the line root ALL=(ALL:ALL) ALL and insert below it a line with
lucy ALL=(ALL) NOPASSWD:ALL
2. Now log in to the lucy account, and you are done.
(The NOPASSWD: tag can also prefix a single command instead of ALL, which keeps the grant as narrow as the first answer.)
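As an added example (not part of the original slides), here is a small Python parser that reads the user specifications quoted above, including the two lucy lines from the answers, and states in plain words what each one grants. The SUDOERS text is constructed from the rules on this page, and the parser deliberately handles only plain user specifications, not aliases or @include directives.

```python
import re

# Constructed sudoers text assembled from the rules quoted on this page (not a real file).
SUDOERS = """# This file MUST be edited with the 'visudo' command as root.
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lucy    ALL=(ALL) /usr/sbin/adduser
lucy    ALL=(ALL) NOPASSWD:ALL
#includedir /etc/sudoers.d
"""

# User specification layout:  who  host=(runas_user[:runas_group])  [TAG:] cmd[, cmd...]
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")

def parse_rules(text):
    """Return (who, host, runas_user, runas_group, [(cmd, nopasswd), ...]) per user spec."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drops comments and the #includedir line
        if not line or line.startswith(("Defaults", "@")) or "_Alias" in line:
            continue                            # aliases/Defaults/@include are out of scope
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {raw!r}")
        who, host, runas, spec = m.groups()
        runas_user, _, runas_group = (runas or "root").partition(":")  # sudo's default is root
        cmds, nopasswd = [], False              # a tag stays in force for later commands
        for cmd in (c.strip() for c in spec.split(",")):
            if cmd.upper().startswith("NOPASSWD:"):
                nopasswd, cmd = True, cmd[9:].strip()
            elif cmd.upper().startswith("PASSWD:"):
                nopasswd, cmd = False, cmd[7:].strip()
            cmds.append((cmd, nopasswd))
        rules.append((who, host, runas_user, runas_group, cmds))
    return rules

def grants(text):
    """One plain sentence per command grant, marking ALL-command and passwordless entries."""
    out = []
    for who, host, ruser, rgroup, cmds in parse_rules(text):
        scope = ruser + (f":{rgroup}" if rgroup else "")
        for cmd, nopasswd in cmds:
            note = (" [any command]" if cmd == "ALL" else "") + (" [no password]" if nopasswd else "")
            out.append(f"{who} on {host} may run {cmd} as {scope}{note}")
    return out
```

Running grants(SUDOERS) shows that the second lucy line makes the first one redundant: lucy may already run any command as anyone, without a password.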
Question: Can we create a user manually?
Yes, we can:
1. Open /etc/passwd in any file editor and append a line in the following form:
vipul:x:2006:2009::/home/vipul:/bin/sh
2. Likewise open /etc/group and append the line vipul:x:2009:
3. Run pwck and grpck, which verify the integrity of the user and group files.
4. Set the password by supplying an encrypted (hashed) value:
# echo YourPassword | openssl passwd -1 -stdin
# usermod -p '<copy of encrypted text>' vipul
(openssl passwd -1 produces an MD5-crypt hash; -6 produces the SHA-512 form shown on the password hash slide. Quote the hash so the shell does not expand its $ characters.)
You are done.
6. Understanding the /etc/passwd & /etc/shadow files
The system uses a simple flat file, /etc/passwd, to store information about local users. The format of /etc/passwd is seven colon-separated fields:
username:password:UID:GID:GECOS:home_dir:shell
1. Username: a mapping of the UID to a name, for the benefit of human users.
2. Password: historically the password was kept here in encrypted (hashed) form. Today the hashes are kept in a separate file, /etc/shadow, and this field holds an x.
3. UID: the user ID, a number that identifies the user at the most fundamental level.
4. GID: the user's primary group ID number.
5. GECOS: arbitrary text, which includes user details such as the real name.
6. /home/dir: the location of the user's personal data and configuration files.
7. Shell: the program that runs when the user logs in. For a regular user this is normally the program that provides the user's command-line prompt.
7. /etc/shadow file
In the old days, encrypted passwords were stored in the world-readable /etc/passwd file. Because of the security flaws this caused, the encrypted passwords (password hashes) were moved to the /etc/shadow file, which also allows password-aging and expiration features to be implemented.
The format of /etc/shadow is nine colon-separated fields:
1. Name: must be a valid account name on the system.
2. Password: the password in encrypted (hashed) form; if it starts with a ! mark the account is locked.
3. Last change: the date on which the password was last changed.
4. Min age: the minimum number of days before the password may be changed.
5. Max age: the maximum number of days before the password must be changed.
6. Warning: the number of days before the password expires during which the user is warned. 0 means no warning is given.
7. Inactive: the number of days the account remains active after the password has expired. During that period the user may still log in and change the password; after that number of days the account is locked, becoming inactive.
8. Expire: the account expiration date.
9. Blank: reserved for future use.
8. Managing user passwords / Password hash
In the old days, encrypted passwords were stored in the world-readable /etc/passwd file. Because of this security concern, the encrypted passwords (password hashes) were moved to the more secure /etc/shadow file, which also allows password-aging and expiration features to be implemented.
When a user tries to log in, the system looks up the entry for that user in /etc/shadow. It combines the stored salt value with the plain password you enter and runs them through the hashing algorithm. If the result matches the encrypted hash stored in /etc/shadow the login succeeds; otherwise authentication fails.
There are three pieces of information stored in a modern password hash:
1. Hashing algorithm.
2. Hash salt.
3. Encrypted hash.
$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.
● $6: the hashing algorithm is SHA-512.
● $AmdWnEdR: the salt value, which is combined with the password to increase hash strength (two users with the same password get different hashes).
● $c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.: your password + the salt value in encrypted (hashed) form, the encrypted hash.
Source: #Shadow_file
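As an added example (not from the original slides), this Python script applies the /etc/passwd layout, the nine /etc/shadow fields and the hash format explained above to constructed sample data: it flags extra UID 0 accounts, decodes the hash prefix into algorithm and salt, and evaluates the aging fields the way the login process does. The user names and the MD5 hash for vipul are made up (root's hash is the one quoted above), and today is passed in as a day count so the result is reproducible.

```python
# Constructed sample data (not from a real system); root's hash is the one quoted on this page.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bipul:x:7777:7777:dba:/home/bipul:/bin/bash
vipul:x:2006:2009::/home/vipul:/bin/sh
svc:x:0:0:service:/tmp:/bin/sh
"""
SHADOW = """root:$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.:19500:0:99999:7:::
bipul:!$6$AmdWnEdR$c.Pn0d98tXDvxIUQixZwDWf4gVR7d5hqHN0QTYMwFnR7FPB5.:19500:0:99999:7:::
vipul:$1$abcdefgh$0123456789abcdefghijkl:19300:0:90:7:14::
svc::19500:0:99999:7:::
"""
ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

def split_fields(text, count):
    """Split colon-separated lines; reject any line without exactly `count` fields."""
    rows = [line.split(":") for line in text.splitlines()]
    if any(len(r) != count for r in rows):
        raise ValueError("malformed line in colon-separated file")
    return rows

def parse_hash(field):
    """Return (locked, algorithm, salt, digest) for a shadow password field.
    passwd -l / usermod -L prepend '!'; an empty field means no password is required."""
    locked, body = field.startswith("!"), field.lstrip("!")
    if not body.startswith("$"):
        return locked, None, None, body       # empty, '*' or legacy DES hash
    _, algo, salt, digest = body.split("$", 3)
    return locked, ALGORITHMS.get(algo, algo), salt, digest

def password_status(hash_field, last, mx, inactive, expire, today):
    # Apply the shadow(5) aging fields; `today` is days since 1970-01-01, like the fields.
    locked, _, _, digest = parse_hash(hash_field)
    if locked:
        return "locked"
    if digest == "":
        return "no password"
    if expire and today >= int(expire):
        return "account expired"
    if mx and today > int(last) + int(mx):
        grace_over = inactive and today > int(last) + int(mx) + int(inactive)
        return "inactive" if grace_over else "password expired"
    return "ok"

def audit(passwd_text, shadow_text, today):
    # Findings a defender acts on: extra UID 0 logins plus any non-"ok" shadow status.
    findings = [f"{r[0]}: UID 0 but not root" for r in split_fields(passwd_text, 7) if r[2] == "0" and r[0] != "root"]
    for name, hsh, last, _min, mx, _warn, inactive, expire, _ in split_fields(shadow_text, 9):
        status = password_status(hsh, last, mx, inactive, expire, today)
        if status != "ok":
            findings.append(f"{name}: {status}")
    return findings
```

audit(PASSWD, SHADOW, 19500) reports svc twice (a second UID 0 login with an empty password field), bipul as locked and vipul as inactive because its 90-day maximum plus 14-day grace period has passed.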
9. Managing local user accounts using useradd/adduser, usermod, userdel, id, passwd, gpasswd
To create a user account on a Linux system we use adduser (Debian) or useradd (Fedora).
# adduser <User>
# useradd -u 7777 -g bipul -G root -d /home/bipul -s /bin/bash -c "dba" bipul
(-u UID, -g primary group, -G supplementary groups, -d home directory, -s login shell, -c GECOS comment; the primary group must already exist.)
The defaults used by useradd can be changed in /etc/default/useradd.
# for i in user{1..9}; do adduser "$i"; done
Deleting a user
# userdel -r <User>
# for i in user{1..9}; do userdel -r "$i"; done
Creating/updating the password for a user: we use passwd
# passwd <User>
# echo "hacker" | passwd --stdin <user>
(--stdin is supported by the passwd of Fedora/Red Hat, not by Debian/Ubuntu, and a password typed on the command line ends up in the shell history.)
Locking the password for a user
# passwd -l <User>
To unlock the password
# passwd -u <User>
To check the status of the password
# passwd -S <User>
To delete the password
# passwd -d <User>
To modify a user account we use the usermod command.
To change the password without the passwd command
# encrypted=$(echo "newpassword" | openssl passwd -1 -stdin); sudo usermod -p "$encrypted" <User>
To lock the user account
# usermod -L <User>
To unlock the user account
# usermod -U <User>
13.
● # gpasswd sudo
2. Log in to another user account.
● # su bipul
3. Use newgrp <groupName>.
● # newgrp sudo
4. Now run any root-privileged command or task allowed for that group.
● # sudo useradd lucy
5. To leave the group, use exit.
● # exit
Managing local group accounts
Creating a group with groupadd, using the next available GID from the range specified in the /etc/login.defs file:
● # groupadd admin
● # groupadd -g 700 db1
Modifying existing groups with groupmod
The groupmod command is used to change a group's name or its GID mapping. The -n option specifies a new name and the -g option a new GID.
● # groupmod -n db db1   (renames db1 to db; the new name comes first)
● # groupmod -g 700 db2
Deleting a group with groupdel
To remove a group we use the groupdel command.
● # groupdel db2
NOTE: A group may not be removed if it is the primary group of an existing user.