
Linux basics from the founder of Gentoo. Part 3 (3/4): Linux Account Management

Continuation of the third part of a series of Linux tutorials for beginners. Fundamentals of user and group management.

Navigating Linux basics from the founder of Gentoo:

Part I:
  1. BASH, navigation basics
  2. File and Directory Management
  3. Links, and deleting files and directories
  4. Glob substitutions
Part II:
  1. Regular expressions
  2. Folder Assignments, File Search
  3. Process management
  4. Text processing and redirection
  5. Kernel modules
Part III:
  1. Documentation
  2. Access rights model
  3. Account Management
  4. Setting up the environment

Linux Account Management


Meet /etc/passwd


In this section, we will introduce the Linux account management mechanism, beginning with the /etc/passwd file, which identifies all users that exist on the system. You can view your /etc/passwd file by typing less /etc/passwd. Each line in /etc/passwd defines a user account. Here is an example from my /etc/passwd:

drobbins:x:1000:1000:Daniel Robbins:/home/drobbins:/bin/bash

As you can see, there is quite a bit of information on one line. Each line contains several fields separated by ":". The first field holds the user name (drobbins), and the second contains "x". On legacy Linux systems the second field held the encrypted password used for authentication, but every modern Linux system now keeps that information in a different file. The third field is the numeric user id associated with this user, and the fourth field associates the user with a particular group; we will soon see where group 1000 is defined. The fifth field contains a text description of the account, in this case the user's full name. The sixth field specifies the user's home directory, and the seventh sets the user's login shell, which starts automatically when the user logs in.

/etc/passwd tips and tricks


You have probably noticed that the system has many more user accounts defined in /etc/passwd than there are users who actually log in. That is because various components of Linux use dedicated accounts to improve security. Typically such system accounts have a user id (uid) below 100, and many of them have /bin/false as their login shell. Since this program does nothing except exit with an error code, it effectively prevents these accounts from being used for ordinary logins: they are intended for internal use only.
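As an added example (not code from the original article), here is a small POSIX shell audit that parses /etc/passwd-style lines field by field, using constructed sample entries rather than the real file. It lists the accounts that have a usable login shell, the low-uid system accounts that still have one, and any uid shared by more than one name; the account names, uids and shells in the sample are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed /etc/passwd-style sample: the seventh field is the login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/false
drobbins:x:1000:1000:Daniel Robbins:/home/drobbins:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
admin:x:0:0:second uid 0 account:/root:/bin/bash'

# login_capable PASSWD_DATA
# Prints "name uid shell" for every account whose shell is not one of the
# login-denying programs (/bin/false, /sbin/nologin, /usr/sbin/nologin).
login_capable() {
    printf '%s\n' "$1" | awk -F: '
        $7 != "/bin/false" && $7 !~ /nologin$/ { print $1, $3, $7 }'
}

# suspicious_system_accounts PASSWD_DATA
# System accounts (0 < uid < 100) that still have a real shell. These are
# meant for internal use only, so a login shell on one deserves a look.
suspicious_system_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $3 > 0 && $3 < 100 && $7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }'
}

# duplicate_uids PASSWD_DATA
# Prints every uid that appears on more than one line: two names sharing a
# uid are, to the kernel, the same identity.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        { n[$3]++ }
        END { for (u in n) if (n[u] > 1) print u }'
}

# Stand-alone usage against the constructed sample:
login_capable "$SAMPLE_PASSWD"
suspicious_system_accounts "$SAMPLE_PASSWD"
duplicate_uids "$SAMPLE_PASSWD"
```

To run the same checks against a live system, pass the real file instead of the sample, for example `duplicate_uids "$(cat /etc/passwd)"`; the functions only read their argument and never write anything.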

/etc/shadow


So, user accounts themselves are defined in /etc/passwd. Linux systems also carry its companion file, /etc/shadow. Unlike /etc/passwd, it is readable only by the superuser and contains the encrypted password information. Take a look at a sample line from /etc/shadow:

drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0

Each line holds the password information for a particular account, with the fields separated by ":". The first field identifies the user account to which this "shadow" entry corresponds. The second field contains the encrypted password. The remaining fields are described below:

field 3 - the number of days from 01/01/1970 to the day the password was last changed
field 4 - the minimum number of days that must pass before the password may be changed again ("0" means it can be changed at any time)
field 5 - the number of days after which the system forces the user to change the password ("-1" means never)
field 6 - the number of days before the password expires on which the user starts receiving a warning ("-1" means no warning)
field 7 - the number of days after the password expires before the account is automatically disabled ("-1" means do not disable)
field 8 - the number of days from 01/01/1970 to the day this account was disabled ("-1" means the account is enabled)
field 9 - reserved for future use
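The following POSIX shell function is an added example, not part of the original article: it reads the aging fields of an /etc/shadow-style line in the order given above and classifies the password state. The current day is passed in as a day number (days since 01/01/1970, like field 3) so the result is reproducible; the drobbins line is the one shown on this page, while the other sample lines and their hashes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Field order: name:hash:lastchg:min:max:warn:inact:expire:reserved, where
# the day counts are days since 01/01/1970, as described above.

# Day number of today, for use against the real /etc/shadow.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_status SHADOW_LINE TODAY_DAYS
# Prints one of: nopassword, locked, never-expires, expired, expiring-soon, ok
shadow_status() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inact expire reserved <<EOF
$1
EOF
    case $hash in
        '')        echo nopassword; return ;;   # empty field: no password needed at all
        '!'*|'*'*) echo locked; return ;;       # conventional markers for a disabled password
    esac
    # "-1" (as used in this article), an empty field, or 99999 all mean the
    # password never expires; an empty lastchg disables aging as well.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -eq -1 ] || [ "$max" -ge 99999 ]; then
        echo never-expires; return
    fi
    age=$(( today - lastchg ))
    if [ "$age" -gt "$max" ]; then
        echo expired
    elif [ -n "$warn" ] && [ "$warn" -gt 0 ] && [ $(( max - age )) -le "$warn" ]; then
        echo expiring-soon
    else
        echo ok
    fi
}

# Stand-alone usage on the page's sample line and a constructed one.
shadow_status 'drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0' "$(today_days)"
shadow_status 'alice:$6$constructedhash:19000:0:90:7:-1:-1:0' 19085
```

An empty second field is reported separately from a locked one because the two are opposites: "!" or "*" prevents password login entirely, while an empty field lets anyone log in with no password at all, which is the first thing to look for when reviewing a shadow file.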

/etc/group


Now take a look at the /etc/group file, which defines the groups on a Linux system. Here is a sample line from it:

drobbins:x:1000:

The /etc/group fields are as follows: the first field is the group name, the second is a vestigial password field that now simply holds "x", and the third is the numeric id of the group. The fourth field (empty in the example above) lists the members of the group.

Recall that our sample line from /etc/passwd referenced group id 1000. That alone places the user drobbins in the drobbins group, even though drobbins is not listed in the fourth field of the /etc/group entry.
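As an added example (not code from the original article), the shell functions below resolve a user's groups from /etc/passwd-style and /etc/group-style data the way the system does: the primary group is whichever group owns the gid in passwd field 4, member list or not, and supplementary groups come from the names in group field 4. The sample data is constructed; it deliberately includes a passwd entry whose primary gid has no group line yet, which is the state the testuser account is in later in this tutorial after /etc/passwd has been edited but /etc/group has not.

```shell
#!/bin/sh
# Added example, not from the original article. Sample data is constructed.
SAMPLE_PASSWD='drobbins:x:1000:1000:Daniel Robbins:/home/drobbins:/bin/bash
testuser:x:3000:3000:LPI tutorial test user:/home/testuser:/bin/false'

# Note: no "testuser" group line exists yet, and drobbins is not listed as a
# member of the drobbins group; the gid link alone puts him in it.
SAMPLE_GROUP='drobbins:x:1000:
wheel:x:10:drobbins,testuser
audio:x:18:drobbins'

# groups_of USER PASSWD_DATA GROUP_DATA
# Prints the user's group names on one line, in group-file order.
# Returns 1 if the user has no passwd entry.
groups_of() {
    user=$1
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v u="$user" -v g="$gid" '
        # primary group: matched by gid, whether or not the user is listed as a member
        $3 == g { out = out (out ? " " : "") $1; next }
        # supplementary groups: user named in the comma-separated member list
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { out = out (out ? " " : "") $1; break }
        }
        END { print out }'
}

# orphan_primary_gids PASSWD_DATA GROUP_DATA
# Prints users whose primary gid has no line in the group data, i.e. half-
# finished accounts whose group still has to be created.
orphan_primary_gids() {
    known=$(printf '%s\n' "$2" | awk -F: '{ printf "%s ", $3 }')
    printf '%s\n' "$1" | awk -F: -v known="$known" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) have[k[i]] = 1 }
        !($4 in have) { print $1 }'
}

# Stand-alone usage against the constructed sample:
groups_of drobbins "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
groups_of testuser "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
orphan_primary_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Against a real system, `orphan_primary_gids "$(cat /etc/passwd)" "$(cat /etc/group)"` is a quick way to catch exactly the mistake the manual procedure makes easy: a passwd line that points at a gid nobody ever added to /etc/group.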

Group notes


A note about matching users with groups: on some systems, each new login account gets a group of its own with the same name (and usually the same numeric id). On other systems, all login accounts belong to a single users group. Which approach to take is up to you. Giving each user a personal group has the advantage of letting them control access to their own files more easily, simply by placing trusted friends in that group.

Manual creation of users and groups


Now I will show you how to create user and group accounts. The best way to learn is to add a new user to the system manually. First, make sure the EDITOR environment variable points to your favorite editor:

# echo $EDITOR
vim

If this is not the case, then you can set the EDITOR variable by typing something like:

# export EDITOR=/usr/bin/emacs
# vipw

Your editor should now be launched with /etc/passwd already loaded. When changing the system passwd and group files, always use the vipw and vigr commands. They take extra precautions (locking the files while you edit) to protect them from corruption.

Editing /etc/passwd


With /etc/passwd open in your editor, add the following line:

testuser:x:3000:3000:LPI tutorial test user:/home/testuser:/bin/false

We have just added the user "testuser" with id 3000. We have placed him in a group with the same id, which we have not yet created; alternatively, we could have placed him in an existing user group if needed. The account carries the comment "LPI tutorial test user", its home directory is set to "/home/testuser", and its shell is set to "/bin/false" for security reasons. If this were not a test account, we would set the shell to "/bin/bash". Now save the file and exit.

Editing /etc/shadow


Now we need to add an entry for this user to /etc/shadow. To do this, type vipw -s. As always, your favorite editor opens, this time with /etc/shadow loaded. Now copy the line of an existing user account (one that has a password and whose entry is longer than the standard system account entries):

drobbins:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0

Replace the username in the copied line with the name of your user and make sure that all the fields (especially the old password) are set as you need:

testuser:$1$1234567890123456789012345678901:11664:0:-1:-1:-1:-1:0

Now save and close.

Password setting


You will be returned to the command line. Now, it's time to set a password for your new user.

# passwd testuser
Enter new UNIX password: (enter a password for testuser)
Retype new UNIX password: (enter testuser's new password again)

Editing /etc/group


Now /etc/passwd and /etc/shadow are ready, and it is time to configure /etc/group. To do this, type:

# vigr

You will see your /etc/group file ready for editing. If you decided earlier to add the new user to an existing group, you do not need to create a new group in /etc/group. Otherwise, add a new group for this user by entering the following line:

testuser:x:3000:

Now save and close.

Creating a home directory


We are almost done. Run the following commands to create a testuser home directory:

# cd /home
# mkdir testuser
# chown testuser:testuser testuser
# chmod o-rwx testuser

The home directory is in place, and the account is ready to use. If you are going to use this account for logins, you will need to use vipw to change its shell to /bin/bash so that the user can log in.

Account Administration Utilities


You already know how to add accounts and groups manually; now let's look at various time-saving utilities for managing accounts under Linux. Due to space constraints we will not cover these commands in much detail. Remember that you can always learn more about a command by looking at its man page. If you are planning to take the LPIC 101 exam, you should spend more time getting to know each of these commands.

newgrp - By default, any file a user creates is immediately assigned to the user's default group, as defined in /etc/passwd. If the user belongs to other groups, he or she can type newgrp thisgroup to become a member of the thisgroup group; any new files created from then on inherit membership in thisgroup.
chage - Used to view and change the password expiration settings stored in /etc/shadow.
gpasswd - The main group administration utility.
groupadd / groupdel / groupmod - Used to add / remove / modify groups in /etc/group.
useradd / userdel / usermod - Used to add / remove / modify users in /etc/passwd. These commands can perform other useful functions as well; see their man pages for more information.
pwconv / grpconv - Used to convert old-style passwd and group files to the newer shadow password format. All Linux systems already use shadow passwords, so you should never need these commands.

The translation was performed by collective intelligence using notabenoid.com . Thanks to the following benoid-users (in alphabetical order): kindacute , nekjine , Rich . As well as the initiator of the entire translation series, VBart .

To be continued...


About the authors


Daniel Robbins


Daniel Robbins is the founder of the Gentoo community and the creator of the Gentoo Linux operating system. Daniel lives in New Mexico with his wife, Mary, and two energetic daughters. He is also the founder and head of Funtoo , has written many technical articles for IBM developerWorks , Intel Developer Services and the C / C ++ Users Journal.

Chris Houser


Chris Houser has been a UNIX advocate since 1994, when he joined the team of administrators at Taylor University (Indiana, USA), where he received a bachelor's degree in computer science and mathematics. Since then he has worked in many areas, including web applications, video editing, UNIX drivers, and cryptographic security. He currently works at Sentry Data Systems. Chris has also contributed to many free projects, such as Gentoo Linux and Clojure, and co-authored The Joy of Clojure.

Aron Griffis


Aron Griffis lives in Boston, where he spent the last decade working at Hewlett-Packard on projects such as UNIX network drivers for Tru64, Linux security certification, Xen and KVM virtualization, and most recently the HP ePrint platform. In his spare time, Aron prefers to ponder programming problems while riding his bike, juggling clubs, or cheering for the Boston Red Sox.

Source: https://habr.com/ru/post/110012/

