User And Group
Users and groups: definition and principles
Managing the superuser from the command line, with syntax
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the su man page: su runs a command with a substitute user and group ID.
su [-] <username>
For the root user
$ su -
Password: centos
#
From the useradd man page: useradd creates a new user or updates the default new-user information.
# useradd ram
Switch to the new user by giving the username
$ su - ram
To lock a user account, use sudo (as permitted by /etc/sudoers) or run the command as root
$ sudo usermod -L <username>
A benefit of using sudo is that every command executed through sudo is logged by default to /var/log/secure
$ sudo tail /var/log/secure
$ sudo usermod -L ram
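An added example, not part of the original page: a small parser for the sudo entries that /var/log/secure collects, run over constructed sample lines. The log lines, the function names sudo_events and account_changes, and the assumption that entries carry a plain "sudo:" tag are this example's own.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure (not taken from a real host).
SAMPLE_SECURE_LOG='May 17 02:20:11 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/sbin/usermod -L ram
May 17 02:21:40 localhost sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/tail /var/log/secure
May 17 02:25:03 localhost sudo:     ram : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/ram ; USER=root ; COMMAND=/sbin/useradd test2
May 17 02:26:00 localhost sshd[1234]: Accepted password for vagrant from 10.0.2.2 port 51234 ssh2'

# sudo_events: read secure-log lines on stdin, print "user|status|command"
# for every sudo entry. Assumes the "sudo:" syslog tag has no PID suffix.
sudo_events() {
    awk '
    / sudo: / && /COMMAND=/ {
        line = $0
        sub(/^.* sudo: */, "", line)             # drop timestamp, host and tag
        user = line; sub(/ *:.*/, "", user)      # invoking user precedes " :"
        cmd = line;  sub(/^.*COMMAND=/, "", cmd) # everything after COMMAND=
        denied = (line ~ /NOT in sudoers|incorrect password|command not allowed/)
        print user "|" (denied ? "DENIED" : "ok") "|" cmd
    }'
}

# account_changes: keep only events whose command is one of the account
# management tools used on this page.
account_changes() {
    sudo_events | awk -F"|" '
    {
        split($3, argv, " ")                 # argv[1] = full path of the tool
        n = split(argv[1], part, "/")        # part[n] = basename of the tool
    }
    part[n] ~ /^(useradd|usermod|userdel|groupadd|groupmod|passwd|chage)$/'
}

printf '%s\n' "$SAMPLE_SECURE_LOG" | account_changes
```

On a live system the same functions can be fed with sudo cat /var/log/secure | account_changes.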
Additional background
Check the user ID, the group information, and the current working directory
$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Check the variables that specify the home directory and the locations searched for executable files.
$ echo $HOME
/home/vagrant
$ echo $PATH
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/vagrant/.local/bin:/home/vagrant/bin
How su behaves with and without the dash
Without the dash
$ su
Password: vagrant
Check the user and group IDs and the current working directory.
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# pwd
/home/vagrant
Check the variables that specify the home directory and the locations searched for executable files.
# echo $HOME
/root
# echo $PATH
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/vagrant/.local/bin:/home/vagrant/bin
HOME now points to /root, but the working directory and PATH are still the ones inherited from vagrant.
Then with the dash
$ su -
Password: vagrant
Check the user and group IDs and the current working directory again.
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# pwd
/root/
Check the variables that specify the home directory and the locations searched for executable files.
# echo $HOME
/root
# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
With the dash, su starts a login shell, so the working directory, HOME and PATH are all root's own.
Exit to return to the user vagrant.
# exit
logout
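The PATH difference shown above matters for a root shell: after plain su, root still searches directories under /home/vagrant, which the vagrant user can write to. An added example (not from the original page) that flags such entries, using the two PATH values printed above; the function names and the rule that only absolute directories outside /home are acceptable are assumptions of this example.

```shell
#!/bin/sh
# PATH values copied from the two transcripts on this page.
PATH_AFTER_SU='/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/vagrant/.local/bin:/home/vagrant/bin'
PATH_AFTER_SU_DASH='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin'

# risky_path_entries PATH_STRING
# Prints one line per entry that a root shell should not search. Rule assumed
# by this example: only absolute directories outside /home are acceptable;
# empty and relative entries resolve against the current directory.
risky_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")      echo "(empty entry: current directory)" ;;
            /home/*) echo "$dir" ;;
            /*)      ;;                       # absolute system directory
            *)       echo "$dir (relative)" ;;
        esac
    done
}

# report LABEL PATH_STRING: human-readable summary for one shell
report() {
    found=$(risky_path_entries "$2")
    if [ -n "$found" ]; then
        printf '%s: root would search user-controlled locations:\n%s\n' "$1" "$found"
    else
        printf '%s: PATH contains only system directories\n' "$1"
    fi
}

report "su"   "$PATH_AFTER_SU"
report "su -" "$PATH_AFTER_SU_DASH"
```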
Commands that require root access versus ordinary user access
Check the last 5 lines of /var/log/messages
$ tail -5 /var/log/messages
tail: cannot open ‘/var/log/messages’ for reading: Permission denied
Using sudo
$ sudo tail -5 /var/log/messages
May 17 02:01:01 localhost systemd: Starting user-0.slice.
May 17 02:01:01 localhost systemd: Created slice user-0.slice.
May 17 02:01:01 localhost systemd: Starting Session 4 of user root.
May 17 02:01:01 localhost systemd: Started Session 4 of user root.
May 17 02:12:34 localhost su: (to root) vagrant on pts/0
How it works
Creating and managing local users and groups from the command line, with syntax
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the useradd man page: useradd creates a new user or updates the default new-user information.
Create a user from the command line.
$ sudo useradd radha
or, as root
# useradd radha
Show the help text for useradd
# useradd --help
Key useradd options
$ sudo useradd --help
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]
Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping
From the usermod man page: usermod modifies a user account.
Show the help text for usermod
# usermod --help
Key usermod options
$ sudo usermod --help
Usage: usermod [options] LOGIN
Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
From the groupadd man page: groupadd creates a new group.
Show the help text for groupadd
# groupadd --help
Key groupadd options
$ sudo groupadd --help
Usage: groupadd [options] GROUP
Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
From the groupmod man page: groupmod modifies a group definition on the system.
Show the help text for groupmod
# groupmod --help
Key groupmod options
$ sudo groupmod --help
Usage: groupmod [options] GROUP
Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      change the name to NEW_GROUP
  -o, --non-unique              allow to use a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted)
                                PASSWORD
  -R, --root CHROOT_DIR         directory to chroot into
Example
Add the user and set its password
$ sudo passwd shyam
Changing password for user shyam.
New password: shyam
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: shyam
passwd: all authentication tokens updated successfully.
Check the home directories created under /home
$ ls -l /home
total 4
drwx------. 2 ram ram 59 May 17 03:15 ram
drwx------. 2 shyam shyam 59 May 17 06:07 shyam
drwx------. 3 vagrant vagrant 4096 May 17 03:11 vagrant
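Now create a group
$ sudo groupadd sales
To create the supplementary group with a specific group ID, here 50000, use -g (groupadd refuses if a group named sales already exists)
$ sudo groupadd -g 50000 sales
Confirm the group ID of sales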
$ sudo tail -5 /etc/group
vagrant:x:1000:vagrant
vboxsf:x:997:
ram:x:1001:
shyam:x:1002:
sales:x:1003:
Add the user shyam to the group sales (without -a, the -G option replaces the user's existing supplementary groups)
$ sudo usermod -G sales shyam
Confirm the user and group IDs of shyam
$ id shyam
uid=1002(shyam) gid=1002(shyam) groups=1002(shyam),1003(sales)
To give an account a nologin shell
$ sudo useradd -s /sbin/nologin radha
$ su - radha
or
$ sudo usermod -s /sbin/nologin radha
$ sudo passwd radha
$ su - radha
Password:
Last login: Tue May 17 08:05:12 EDT 2016 on pts/0
This account is currently not available.
Deleting users and groups from the command line
From the userdel man page: userdel deletes a user account and related files.
Show the help text for userdel
# userdel --help
Key userdel options
$ sudo userdel --help
Usage: userdel [options] LOGIN
Options:
  -f, --force                   force some actions that would fail otherwise
                                e.g. removal of user still logged in
                                or files, even if not owned by the user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user
Delete the user from the command line
$ sudo userdel -r shyam
How it works
Aging of users and groups
Getting ready
$ vagrant up
$ vagrant ssh
How to do it
From the chage man page: chage changes user password expiry information.
Show the help text for chage
# chage --help
Key chage options
$ sudo chage --help
Usage: chage [options] LOGIN
Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
Change the password policy for shyam to require a new password every 90 days.
$ sudo chage -M 90 shyam
List the password aging information for shyam
$ sudo chage -l shyam
Force a password change on the first login for the shyam account
$ sudo chage -d 0 shyam
Log in as shyam and change the password to shoomany012
$ su - shyam
Password: shyam
You are required to change your password immediately (root enforced)
Changing password for shyam.
(current) UNIX password: shyam
New password: shoomany012
Retype new password: shoomany012
$ exit
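What usermod -L (used earlier on this page) and the chage commands above leave behind is visible in the fields of /etc/shadow. An added example, not part of the original page, that audits shadow-format lines for lock state, forced change, maximum age and account expiry; the sample lines are constructed, the hashes are placeholders, and the accounts olduser and newuser and both function names are hypothetical.

```shell
#!/bin/sh
# Constructed /etc/shadow-style lines; the hashes are placeholders and the
# accounts olduser and newuser are hypothetical.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='vagrant:$6$PLACEHOLDER$hash:16938:0:99999:7:::
ram:!$6$PLACEHOLDER$hash:16938:0:99999:7:::
shyam:$6$PLACEHOLDER$hash:0:0:90:7:::
olduser:!$6$PLACEHOLDER$hash:16938:0:99999:7::1:
newuser:!!:16938:0:99999:7:::'

# shadow_audit: read shadow lines on stdin and print
# "user|password state|forced change|max age|account expiry".
shadow_audit() {
    awk -F: '
    {
        if ($2 == "")                                   state = "EMPTY PASSWORD"
        else if ($2 == "!" || $2 == "!!" || $2 == "*")  state = "no password set"
        else if (substr($2, 1, 1) == "!")               state = "password locked"
        else                                            state = "password set"
        change = ($3 == "0") ? "must change at next login" : "-"
        maxage = ($5 == "" || $5 + 0 >= 99999) ? "no max age" : $5 " days"
        expiry = ($8 == "") ? "no account expiry" : "expires on day " $8
        print $1 "|" state "|" change "|" maxage "|" expiry
    }'
}

# password_locked_only: accounts whose password is locked (usermod -L) but
# whose account expiry is unset, so non-password logins are not blocked.
password_locked_only() {
    awk -F: 'substr($2, 1, 1) == "!" && length($2) > 2 && $8 == "" { print $1 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```

The usermod man page notes that -L only disables the password; to lock the account itself, also set the expiry date to 1 (sudo usermod -L -e 1 <username>).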