Management in Linux

Ayush Bhat — Sun, 17 Oct 2021 10:45:13 +0000

In this blog we will be exploring the following fields in Linux:

User Account Management
Group Management
File Permissions And Ownership

Let's start with User Account Management

Question arises why to have different user accounts? To answer this following are some points that we keep in mind.

Each user will have their own individualized private space.
Will help in distinguishing privileges among users.

Note : root user is a special user who is able to do anything on the system.

Attributes Of a User

UID : It is a unique number that is assigned to the user account. It is also used for determination of user privileges and activity tracking.
GID : Indicates default group of the user.
Comment : Using comment field for contact information.
Home Directory : This is owned by a user and will be found on system under /home directory, except for root.
Login Shell : Various shells are there e.g. /bin/bash or /bin/csh.

Create user accounts

WHAT actually happens behind the scene when a user account is created let's debug it 😎

In /etc/login.defs ; the next UID greater than UID_MIN by default is assigned to the new user.
By default value of UID is assigned to GID.
Then the home directory for the user is created.
A login shell is attached with the user.
The contents of /etc/skel is copied to home directory of user. Note : /etc/skel contains the startup files for bash and for the X Window system.
Command to create a user named student

 useradd -s /bin/bash -m  student

Deleting and Modifying User Account

userdel : The root user can remove user accounts using this command. This command doesn't delete the home directory. To delete the home directory use -r option. User reference is removed from /etc/passwd, /etc/shadow, and /etc/group.
usermod : Change the characteristics of a user account, such as group memberships, home directory, login, name, password, default shell, user id etc.

Locked Accounts

You might be thinking what is locked accounts? To answer this in Linux some accounts are locked means they can run programs but can never login to the system and have no valid password associated with them, such as bin and daemon.
If you look up these entries in the /etc/passwd file

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

To lock a user account

usermod -L student

Unlocking can be done by -U option.

User ID's and /etc/passwd

If we look up in some entries of /etc/passwd we will see the following records. Each record consists of a number of fields separated by colons (:):

student:x:1006:1008::/home/student:/bin/bash
user1:x:1002:1002:user 1:/home/user1:/bin/bash

username : user's unique name
password : it can be hashed password or a placeholder ("x")
UID : User Identification Number
GID : primary group identification number for the user
comment : comment area, usually the user's real name
home : user's home drectory
shell : name of the shell to be invoked at the login

Why to use /etc/shadow when /etc/passwd is available?

The default permissions in /etc/passwd is 644 (-rw-r--r--), this make the file vulnerable to attack as anyone can read this file. Tools like Crack, John the ripper can easily exploit this file.
*/etc/shadow** : provides greater security of hashed passwords, also provides the option of enabling password aging on a per user basis. The permission attached to this file **400 (-r--------), means only root can access this file. Let's see one record from this file.

student:$6$2BDjRtz3.i4hg.bY$/KxesQ.UefXY3dUpvnWf0L6oi24TaPONhqHQgm9g/9IunYY1w2x0jNbuUNuRuvjTcx1Hjk0VUTnjDPKJjqBS51:18917:0:99999:7:::

This file contains one record for each user.
Colon separated fields are:

username
password (hashed 512)
last change : days since Jan 1,1970 that password was last changed.
mindays : minimum days after which password must be changed.
maxdays : maximum days after which password must be changed.
warn : days before password expires that the user is warned.
grace : days after password expires that account is disabled.
expire : date that account will be disabled.
reserved

Password Management

passwd is the command to change the password. Remember, Normal users can change only their own password. Root can change any user password. Normal users will not be allowed to set bad passwords, such as short words. However, root is allowed to do so.

root@ayush:~# passwd student
New password:
Retype new password:
passwd: password updated successfully

Group Management

Linux Systems form collection of users called groups, whose member share some common purpose. They share certain files and directories, and maintain some common privileges; this separates them from others on the system called the world. Groups are defined in /etc/group.

cat /etc/group
student:x:1008:

where

groupname is name of the group
password is password placeholder
GID is the group identifier. Values between 0 and 99 are for system groups. Values between 100 and GID_MIN are considered special. Values over GID_MIN are for User Private Groups. Each user will have his or her own group, not guaranteed to be private, this is called UPG(User Private Groups).
user1, user2 is the list of users who are the members of the group.

Group Management

groupadd: Add a new group.
groupmod: Modify a group and add new users.
groupdel: Remove a group.
usermod: Manage a user's group memberships.

Let's see the demo of it.

1. Step 1 - Create a group
   groupadd -r -g 245 student_grp
2. Step 2 - Add users in the group
   usermod -G  student_grp student
   usermod -G  student_grp user1
3. Check whether the group is created or not
   root@ayush:~# cat /etc/group | grep student_grp
   student_grp:x:245:student,user1

Note : Be careful while using usermod -G as grouplist that follows is complete list of groups, not just the changes, any supplemented groups left out will be gone !

-a option in usermod will preserve pre-existing group memberships when adding new ones.

Linux User has 1 primary group listed in /etc/passwd and /etc/group. Primary group GID is used whenever the user creates the files or directories.

1. Group membership can be identified by running the following command:
root@ayush:~# groups
root

File Permissions and Ownership

First character indicates the type of the file object. There are nine more which indicate the access rights granted to file users.

root@ayush:~# ls -l file.txt
-rw-r--r--. 1 root root 16 Oct  8 12:31 file.txt

These are arranged in three groups of three:
- owner: the user who owns the file
- group: the group of users who have access
- other: the rest of the world (also called world)
File access rights r : read access is allowed w : write access is allowed x : execute access is allowed

If permission is not allowed a, - (dash) appears.

Want to change file permissions - Use chmod

Changing file permissions is done with chmod

Let's see a demo now.

Create a file, give the owner and world execute permission, and remove the group write permission:

You can only change permissions on files you own, unless you are the supervisor.

student user tried to change the file permissions but failed as this file is owned by other user.

Octal Digits

Simple algorithm, and a single digit suffices to specify all three permissions bits for each entity.

Octal Number representation

Octal Number representation is sum of each digit of:

4 - if read permission is desired
2 - if write permission is desired
1 - if execute permission is desired

Chown and Chgrp

Changing file ownership is done with chown and changing the group is done with chgrp.

Note : Only Superuser can change ownership on files.

In this demo we have changed the owner of file from ayush to user1

In this demo we have changed the group ownership.

Umask

Default permission given when creating a file are read/write for owner, group and world (0666) and for directory is (0777)
But we noticed that actual permission on file is 664(u=rw, g=rw, o=r) and for directory is 775(u=rwx, g=rwx, o=wx)

Question arises who has done it ? Umask is the answer. Umask whose purpose is to show permissions should be denied. Let's see the value of umask set by default.

umask
0002

This represents that for the other users write permission is disabled.

That's all for now. Thank you for reading. Do share your feedback and if you have liked the article share it with your friends.

DEV Community: Ayush Bhat

Management in Linux

Let's start with User Account Management

Attributes Of a User

Create user accounts

Deleting and Modifying User Account

Locked Accounts

User ID's and /etc/passwd

Why to use /etc/shadow when /etc/passwd is available?

Password Management

Group Management

Group Management

File Permissions and Ownership

Want to change file permissions - Use chmod