User and Group Administration

The document provides an overview of user and group administration in Linux, detailing user account types, creation, modification, and deletion commands. It also explains password aging policies, special permissions like setgid and sticky bits, and how to manage group memberships. Additionally, it emphasizes the importance of proper permissions to maintain system security.

User & Group Administration:

Linux user accounts, their passwords and their groups are stored in the following files:
Each entry consists of 7 fields:
Note: Red Hat 7 and 8 support the sha256, sha512 and md5 password hashes (sha512 is the default).
When an account is inactive the user cannot log in to it; the account is locked.

Types of User accounts:


Superuser account (administrator or root): its UID is 0 and it has full privileges over the system.
System accounts: service accounts that are assigned non-privileged UIDs, which allows each service to protect its files and other resources from the other services and from regular users on the system. Nobody logs in interactively with a system account.
Regular accounts: most users have standard accounts which they use for their day-to-day work. These have the fewest privileges on the system.
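The three account types above can be told apart mechanically from the UID and login shell fields of /etc/passwd. The following added example (not part of the original document) classifies a constructed set of passwd entries and flags the two findings an auditor looks for first: a second UID 0 account, and a system account that still has an interactive shell. The 1000 boundary between system and regular UIDs is an assumption taken from the UID_MIN default in /etc/login.defs on current Red Hat releases.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd entries (not taken from a real system).
# Field order: login:password:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backup:x:0:0:nightly backup:/var/backup:/bin/bash
svc-report:x:990:990:report service:/var/lib/report:/bin/bash
mahmoud:x:1000:1000:Mahmoud:/home/mahmoud:/bin/bash
broken:x:1001:1001:missing fields'

# Assumed boundary between system and regular accounts (UID_MIN in
# /etc/login.defs; 1000 on current Red Hat releases).
UID_MIN=1000

# Print one line per entry: its account type, or a finding.
classify_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v uid_min="$UID_MIN" '
    NF != 7                 { printf "MALFORMED %s\n", $1; next }
    $3 == 0 && $1 != "root" { printf "ALERT extra UID 0 account: %s\n", $1; next }
    $3 == 0                 { printf "superuser %s\n", $1; next }
    $3 < uid_min && $7 ~ /(nologin|false)$/ { printf "system %s\n", $1; next }
    $3 < uid_min            { printf "WARN system account with login shell: %s (%s)\n", $1, $7; next }
                            { printf "regular %s\n", $1 }'
}

# Number of entries that need an administrator to look at them.
count_findings() { classify_accounts | grep -c -E '^(ALERT|WARN|MALFORMED)'; }

classify_accounts
echo "findings: $(count_findings)"
```

To run it against a real host, replace the printf of SAMPLE_PASSWD with cat /etc/passwd; the awk program is unchanged.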

To create a user account you must log in as root or have been granted the privilege to create accounts, for example through the sudoers file.

To create user account we use useradd commands:

[root@server ~]# useradd mahmoud ==> basic method to create an account; useradd also creates the user's home directory, populated from /etc/skel.

[root@server ~]# passwd mahmoud ==> the account must be given an encrypted (hashed) password before it can be used to log in.

Note: Password must be complex and at least 8 characters

useradd options:

[root@server ~]# useradd -u UID -g GID -c COMMENT -m -d HOME_DIR -s LOGIN_SHELL mahmoud

Note: with this form the primary group given with -g must already exist in /etc/group; to add the user to secondary (supplementary) groups use -G.

To make changes to an existing user account, use usermod:

[root@server ~]# usermod --help
Usage: usermod [options] LOGIN
Options:
-c, --comment COMMENT new value of the GECOS field
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration to INACTIVE
-G, --groups GROUPS new list of supplementary GROUPS
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-s, --shell SHELL new login shell for the user account
-U, --unlock unlock the user account

[root@server ~]# userdel mahmoud ==> deletes the account without removing the user's home directory.

[root@server ~]# userdel -r mahmoud ==> deletes the account together with its primary group, mail spool and home directory.

Password aging policy:


The chage command sets up password aging:
Usage: chage [options] LOGIN
Options:
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximum number of days before password change to MAX_DAYS
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS

Note: When a user has left the company the administrator can lock and expire the account with a single usermod command (usermod -L -e DATE); note that the date is recorded as the number of days since 1970-01-01.
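The aging fields that chage manipulates live in /etc/shadow, and every date in them (last change, account expiry) is the day count since 1970-01-01 mentioned above. The following added example (not part of the original document) evaluates a constructed set of shadow entries for a given "today" and reports, per account, the same states that login and chage -l derive from those fields: locked (hash starting with ! or *), account expired, password expired, password past its inactivity grace period, or password change due soon. The entries and the placeholder hashes are constructed; the field order (login:hash:lastchange:min:max:warn:inactive:expire:reserved) is the standard shadow layout.

```shell
#!/bin/sh
# Constructed /etc/shadow-style entries; real hashes replaced by a placeholder.
# Fields: login:hash:lastchange:min:max:warn:inactive:expire:reserved
# All dates are days since 1970-01-01, exactly as chage stores them.
SAMPLE_SHADOW='alice:$6$PLACEHOLDER:19700:0:90:7:14:19900:
bob:$6$PLACEHOLDER:19500:0:90:7::19600:
carol:!$6$PLACEHOLDER:19800:0:99999:7:::
dave:*:19000:0:90:7:::
eve:$6$PLACEHOLDER:19790:0:90:7:::
frank:$6$PLACEHOLDER:19715:0:90:7:::
grace:$6$PLACEHOLDER:19600:0:90:7:14:::'

# Today in the unit the shadow file uses (days since the epoch).
days_since_epoch() { echo $(( $(date -u +%s) / 86400 )); }

# Report each account's state for a given day count ($1).
# Order of checks mirrors what matters at login time: a lock or an account
# expiry date wins over any password aging state.
audit_shadow() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v today="$1" '
  {
    name = $1; hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
    if (hash ~ /^[!*]/)                   { printf "%s LOCKED\n", name; next }
    if (expire != "" && today >= expire)  { printf "%s ACCOUNT_EXPIRED\n", name; next }
    if (max != "" && max < 99999) {       # 99999 is the "never expires" convention
      age = today - last
      if (inact != "" && age > max + inact) { printf "%s PASSWORD_INACTIVE\n", name; next }
      if (age > max)                        { printf "%s PASSWORD_EXPIRED\n", name; next }
      if (age >= max - warn)                { printf "%s PASSWORD_DUE_IN_%d_DAYS\n", name, max - age; next }
    }
    printf "%s OK\n", name
  }'
}

# Fixed day for a reproducible run; use "$(days_since_epoch)" on a live system.
audit_shadow 19800
```

The distinction between PASSWORD_EXPIRED and PASSWORD_INACTIVE is the one set by usermod -f / chage -I: after the maximum age the user is still prompted to change the password, but once the inactivity period has also passed the account is effectively disabled.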

[root@server ~]# usermod -L xyz ==> to lock the user account

[root@server ~]# usermod -U xyz ==> to unlock the account
To see Groups:
/etc/group
groupname:x:gid:group_memberlist

/etc/gshadow
groupname:password:gadmin:memberlist

Adding, modifying and deleting groups on the system:


[root@server ~]# groupadd --help
Usage: groupadd [options] GROUP
Options:
-g, --gid GID use GID for the new group
-p, --password PASSWORD use this encrypted password for the new group

[root@server ~]# groupmod --help


Usage: groupmod [options] GROUP
Options:
-g, --gid GID change the group ID to GID
-n, --new-name NEW_GROUP change the name to NEW_GROUP

[root@server ~]# gpasswd --help


Usage: gpasswd [option] GROUP
Options:
-a, --add USER add USER to GROUP
-d, --delete USER remove USER from GROUP
-r, --delete-password remove the GROUP's password
-M, --members USER,... set the list of members of GROUP
-A, --administrators ADMIN,... set the list of administrators for GROUP
[root@server ~]# groupdel hr

To know the current login user:


[ali@server ~]$ whoami
ali
To have more details:
[ali@server ~]$id
[ali@server ~]$id root

[ali@server ~]$groups ==> to view the primary and secondary groups


To see which user the session was originally logged in as when the switch user command (su) has been used:
[ali@server ~]$ who am i
root pts/0 2018-11-09 18:41 (192.168.100.1)

[ali@server ~]$ w
18:30:51 up 10:35, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.10.1 13:39 4:49m 0.15s 0.15s -bash

To change the Ownership of files or directories:


[root@server ~]# chown root:root /home/ali/xyz/
[root@server ~]# chown -R :hr /share/

To make a certain group owner of a certain file:


[iti@server ~]$ chgrp hr f1

Special Permissions:

Note: Permissions are not inherited from parent directories as they are in Windows.

Normally, on a unix-like operating system, the ownership of files and directories is based on the default uid (user-id) and gid (group-id) of the user who created them. The same thing happens when a process is launched: it runs with the effective user-id and group-id of the user who started it, and with the corresponding privileges. This behavior can be modified by using special permissions.

setgid bit:
The setgid bit has an effect on both files and directories. In the first case, when a file that has the setgid bit set is executed, instead of running with the privileges of the group of the user who started it, it runs with those of the group which owns the file: in other words, the group ID of the process will be the same as that of the file.

When used on a directory, the setgid bit alters the standard behavior so that the group of the files created inside that directory will not be that of the user who created them, but that of the parent directory itself. This is often used to ease the sharing of files (the files will be modifiable by all the users that are members of that group). The setgid bit can easily be spotted in ls -l output, where an s appears in place of the x in the group section (in this case on a /private/ directory):
Sticky bit:
The sticky bit works in a different way: it has no effect on files, but when set on a directory, the files in that directory can be deleted only by their owners. A typical case in which it is used is the /private/ directory: this directory is writable by all users on the system, so the sticky bit makes it impossible for one user to delete the files of another.

In this case the owner, the group, and all other users, have full permissions on the
directory (read, write and execute). The sticky bit is identifiable by a t which is
reported where normally the executable x bit is shown, in the "other" section.

How to set special bits:


Just like normal permissions, the special bits can be assigned with the chmod
command, using the numeric or the ugo/rwx format. In the former case the setuid,
setgid, and sticky bits are represented respectively by a value of 4, 2 and 1. So for
example if we want to set the setgid bit on a directory we would execute:
$ chmod 2775 test

With this command we set the setgid bit on the directory (identified by the first of the four digits) and gave full permissions on it to its owner and to the users that are members of the group the directory belongs to, plus read and execute permission for all other users (remember that the execute bit on a directory means that a user is able to cd into it or use ls to list its content).

The other way we can set the special permissions bits is to use the ugo/rwx syntax:
$ chmod g+s test

While to apply the sticky bit:


$ chmod o+t test

Special permissions can be very useful in some situations, but if not used correctly they can introduce serious vulnerabilities, so think twice before using them.

Note:
setuid = 4
setgid = 2
sticky bit = 1
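The two ways of setting the special bits described above, numeric (chmod 2775) and symbolic (chmod g+s, chmod o+t), can be checked against each other. The following added example (not part of the original document) applies both forms to a scratch directory created with mktemp and reads the result back from ls -ld, where the setgid bit shows as s in the group section and the sticky bit as t in the "other" section; it also includes a pure awk decoder that turns a four-digit numeric mode into the same symbolic string without touching the filesystem, so the 4/2/1 mapping can be verified on paper. The upper-case S and T it emits are the standard ls convention for a special bit set on a position that has no execute permission.

```shell
#!/bin/sh
# Symbolic mode string of a path; cut drops any trailing SELinux/ACL marker
# that ls may append after the ten permission characters.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Set the special bits the two ways shown in the text, then clear them again
# with the symbolic syntax. Prints the three observed mode strings.
demo_special_bits() {
  dir=$(mktemp -d) || return 1
  chmod 2775 "$dir"                   # numeric: 2 = setgid, then rwxrwxr-x
  after_setgid=$(mode_of "$dir")
  chmod o+t "$dir"                    # symbolic: add the sticky bit
  after_sticky=$(mode_of "$dir")
  chmod g-s,o-t "$dir"                # symbolic: remove both special bits
  cleared=$(mode_of "$dir")
  rmdir "$dir"
  echo "$after_setgid $after_sticky $cleared"
}

# Decode a four-digit numeric mode (special digit first) into the nine
# permission characters ls would show, e.g. 2775 -> rwxrwsr-x.
mode_to_symbolic() {
  printf '%s' "$1" | awk '{
    special = substr($0, 1, 1) + 0; perm = substr($0, 2)
    out = ""
    for (i = 1; i <= 3; i++) {
      d = substr(perm, i, 1) + 0
      r = int(d / 4) % 2; w = int(d / 2) % 2; x = d % 2
      # setuid (4) belongs to the owner triplet, setgid (2) to the group
      # triplet and sticky (1) to the "other" triplet
      sp = int(special / (i == 1 ? 4 : (i == 2 ? 2 : 1))) % 2
      xc = x ? "x" : "-"
      if (sp) xc = (i == 3) ? (x ? "t" : "T") : (x ? "s" : "S")
      out = out (r ? "r" : "-") (w ? "w" : "-") xc
    }
    print out
  }'
}

echo "observed: $(demo_special_bits)"
echo "2775 decodes to $(mode_to_symbolic 2775)"
```

Running demo_special_bits as an ordinary user works because the scratch directory is owned by that user and belongs to one of that user's groups; on a directory whose group the caller is not a member of, the kernel silently drops the setgid bit on chmod, which is worth knowing when a shared-directory setup "doesn't take".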
