Linux Admin - User Management
When discussing user management, we have three important terms to understand −
Users
Groups
Permissions
We have already discussed permissions in depth as applied to files and folders. In this chapter, let's discuss users and groups.
CentOS Users
In CentOS, there are two types of accounts −
System accounts − Used for a daemon or other piece of software.
Interactive accounts − Usually assigned to a user for accessing system resources.
The main difference between the two user types is −
System accounts are used by daemons to access files and directories. These will usually be disallowed from interactive login via shell or physical console login.
Interactive accounts are used by end-users to access computing resources from either a shell or physical console login.
With this basic understanding of users, let's now create a new user for Bob Jones in the Accounting Department. A new user is added with the adduser command.
Following are some common adduser switches −
Switch | Action
-c | Adds comment to the user account
-m | Creates user home directory in default location, if nonexistent
-g | Default group to assign the user
-n | Does not create a private group for the user, usually a group with username
-M | Does not create a home directory
-s | Default shell other than /bin/bash
-u | Specifies UID (otherwise assigned by the system)
-G | Additional groups to assign the user to
When creating a new user, use the -c, -m, -g, -n switches as follows −
[root@localhost Downloads]# useradd -c "Bob deep Accounting Dept Manager" -m -g accounting -n deep
Now let's see if our new user has been created −
[root@localhost deep123]# grep Dell /etc/passwd
Dell:x:1001:1001:Dell Accounting Dept Manager:/home/bjones:/bin/bash
Now we need to enable the new account using the passwd command −
[root@localhost deep123]#
The user account is now enabled, allowing the user to log into the system.
Disabling User Accounts
There are several methods to disable accounts on a system. These range from editing the /etc/passwd file by hand to using the passwd command with the -l switch. Both of these methods have one big drawback: if the user has ssh access and uses an RSA key for authentication, they can still log in using that method.
Now let's use the chage command, changing the account expiry date to a previous date. Also, it may be good to make a note on the account as to why we disabled it.
[root@localhost Dell]# chage -E 2005-10-01 Dell
[root@localhost Dell]# usermod -c "Disabled Account while Bob out of the country
> for five months" Dell
[root@localhost Dell]# grep Dell /etc/passwd
Dell:x:1001:1001:Disabled Account while Bob out of the country for four months:/home/bjones:/bin/bash
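The drawback described above can be checked for directly. The following script is an added example, not part of the original tutorial: it lists accounts whose password is locked but which are not expired and still have an SSH key installed. It assumes sshd uses the default ~/.ssh/authorized_keys location; the function names, user names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts whose password is locked (passwd -l puts '!' in
# front of the shadow hash) but which are not expired and still hold an SSH key.

# audit_locked_accounts ROOT [TODAY]  (ROOT="" audits the live system, run as root)
audit_locked_accounts() {
    root=$1
    today=${2:-$(( $(date +%s) / 86400 ))}   # shadow dates are days since 1970-01-01
    while IFS=: read -r user hash lastchg min max warn inact expire rest; do
        case $hash in '!'*) ;; *) continue ;; esac          # keep locked entries only
        # Field 8 is the date chage -E sets; expired accounts are refused at login
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then continue; fi
        entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$root/etc/passwd")
        [ -n "$entry" ] || continue
        home=${entry%%:*}; shell=${entry#*:}
        case $shell in */nologin|*/false) continue ;; esac  # no interactive shell
        if [ -s "$root$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$root/etc/shadow"
}

# make_fixture: writes constructed sample data to a temp dir and prints its path
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc"
    cat > "$fx/etc/passwd" <<'EOF'
alice:x:1001:1001:locked only:/home/alice:/bin/bash
bob:x:1002:1002:locked and expired:/home/bob:/bin/bash
carol:x:1003:1003:active:/home/carol:/bin/bash
svc:x:991:991:daemon:/var/lib/svc:/sbin/nologin
EOF
    cat > "$fx/etc/shadow" <<'EOF'
alice:!$6$constructed$hash:19000:0:99999:7:::
bob:!$6$constructed$hash:19000:0:99999:7::13057:
carol:$6$constructed$hash:19000:0:99999:7:::
svc:!!:19000::::::
EOF
    for u in alice bob carol; do
        mkdir -p "$fx/home/$u/.ssh"
        echo "ssh-ed25519 constructed-key $u" > "$fx/home/$u/.ssh/authorized_keys"
    done
    echo "$fx"
}

demo=$(make_fixture)
audit_locked_accounts "$demo"    # 13057 in bob's entry is 2005-10-01 in days
rm -rf "$demo"
```

Entries with "!!" (no password ever set) are treated as locked too, so key-only accounts that are meant to be active will also appear and need to be reviewed by hand.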
Manage Groups
Managing groups in Linux makes it convenient for an administrator to combine the users within containers applying permission-sets applicable to all group members. For example, all users in Accounting may need access to the same files. Thus, we make an accounting group, adding Accounting users.
For the most part, anything requiring special permissions should be done in a group. This approach will usually save time over applying special permissions to just one user. Example,
Following are some common commands used for managing groups -
chgrp
groupadd
groups
usermod
chgrp − Changes the group ownership for a file or directory. Let's make a directory for people in the accounting group to store files and create directories for files.
[root@localhost Dell]#
Next, let's give group ownership to the accounting group.
[root@localhost Dell]# chgrp -v accounting /home/accounting/
changed group of ‘/home/accounting/’ from root to accounting
[root@localhost Dell]# ls -ld /home/accounting/
drwxr-xr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Dell]#
Now, everyone in the accounting group has read and execute permissions to /home/accounting. They will need write permissions as well.
drwxrwxr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Dell]#
Since the accounting group may deal with sensitive documents, we need to apply some restrictive permissions for other or world.
[root@localhost Dell]# chmod o-rx /home/accounting
drwxrwx---. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Dell]#
groupadd − Used to make a new group.
Switch | Action
-g | Specifies a GID for the group
-K | Overrides specs for GID in /etc/login.defs
-o | Allows overriding non-unique group id disallowance
-p | Group password, allowing the users to activate themselves
Let's make a new group called secret. We will add a password to the group, allowing the users to add themselves with a known password.
[root@localhost Dell]# gpasswd secret
Changing the password for group secret
New Password:
Re-enter new password:
[root@localhost Dell]# exit
exit
In practice, passwords for groups are not used often. Secondary groups are adequate and sharing passwords amongst other users is not a great security practice.
The groups command is used to show which group a user belongs to. We will use this, after making some changes to our current user.
usermod is used to update account attributes. Following are the common usermod switches.
Switch | Action
-a | Appends, adds user to supplementary groups, only with the -G option
-c | Comment, updates the user comment value
-d | Home directory, updates the user's home directory
-G | Groups, adds or removes the secondary user groups
-g | Group, default primary group of the user
[root@localhost Dell]#