When discussing user management, we have three important terms to understand − users, groups, and permissions.
We have already discussed in depth the permissions applied to files and folders. In this chapter, let's discuss users and groups.
In CentOS, there are two types of accounts −
System accounts − Used for a daemon or other piece of software.
Interactive accounts − Usually assigned to a user for accessing system resources.
The main difference between the two user types is −
System accounts are used by daemons to access files and directories. They are usually denied interactive login, whether through a shell or the physical console (typically by giving them a login shell such as /sbin/nologin).
Interactive accounts are used by end-users to access computing resources from either a shell or a physical console login.
With this basic understanding of users, let's now create a new user for Bob Jones in the Accounting Department. A new user is added with the useradd command (on CentOS, adduser is simply a symlink to useradd).
Following are some common useradd switches −
Switch | Action |
---|---|
-c | Adds a comment (the GECOS field) to the user account |
-m | Creates the user's home directory in the default location, if it does not exist |
-g | Primary group to assign the user (the group must already exist) |
-n | Does not create a private group named after the user (Red Hat-specific alias for the standard -N) |
-M | Does not create a home directory |
-s | Login shell to use instead of the default /bin/bash |
-u | Specifies the UID (otherwise assigned by the system) |
-G | Supplementary groups to assign the user to (comma-separated) |
When creating our new user, use the -c, -m, -g and -n switches as follows. Note that -g expects the accounting group to exist already −
[root@localhost Downloads]# useradd -c "Bob Jones Accounting Dept Manager" -m -g accounting -n bjones
Now let's see if our new user has been created −
[root@localhost Downloads]# id bjones
uid=1001(bjones) gid=1001(accounting) groups=1001(accounting)
[root@localhost Downloads]# grep bjones /etc/passwd
bjones:x:1001:1001:Bob Jones Accounting Dept Manager:/home/bjones:/bin/bash
[root@localhost Downloads]#
Now we need to enable the new account by setting a password with the passwd command (until then useradd leaves the password field locked) −
[root@localhost Downloads]# passwd bjones
Changing password for user bjones.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost Downloads]#
The user account is now enabled, allowing the user to log into the system.
There are several methods to disable accounts on a system, ranging from editing the /etc/passwd file by hand to using the passwd command with the -l switch. Both share one big drawback: if the user has SSH access and authenticates with an RSA key, the password is never checked, so they can still log in. passwd -l, for instance, only prepends a ! to the password hash in /etc/shadow.
Instead, let's use the chage command to set the account expiry date to a date in the past. An expired account is rejected by the PAM account check, which sshd applies no matter how the user authenticated. It is also good practice to note on the account why it was disabled −
[root@localhost Downloads]# chage -E 2005-10-01 bjones
[root@localhost Downloads]# usermod -c "Disabled Account while Bob out of the country for five months" bjones
[root@localhost Downloads]# grep bjones /etc/passwd
bjones:x:1001:1001:Disabled Account while Bob out of the country for five months:/home/bjones:/bin/bash
[root@localhost Downloads]#
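The following shell script is an added example, not part of the original tutorial. It parses constructed /etc/shadow lines (fake hashes, no real accounts) and classifies each the way the PAM account check that sshd relies on would, so the difference between passwd -l (password locked, SSH key login still possible) and chage -E with a past date (account expired, every login refused) is visible without touching a live system. The field layout and the ! prefix that passwd -l writes are as documented in shadow(5); the function names and the sample day numbers are the example's own.

```shell
#!/bin/sh
# Added example: classify constructed /etc/shadow entries to show which
# "disabled" accounts can still log in over SSH with a public key.
#
# shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# - passwd -l / usermod -L prepend '!' to the hash (field 2); '!!' or '*' mean
#   there is no usable password at all.
# - chage -E sets field 8 to a day count since 1970-01-01; empty means never.

# shadow_status <shadow-line> <today-as-days-since-epoch>
# Prints: active | password-locked | expired | expired+password-locked
shadow_status() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    expire=$(printf '%s\n' "$1" | cut -d: -f8)

    locked=0
    case $hash in
        '!'*|'*'*) locked=1 ;;
    esac

    expired=0
    if [ -n "$expire" ] && [ "$expire" -le "$2" ]; then
        expired=1
    fi

    if [ "$expired" -eq 1 ] && [ "$locked" -eq 1 ]; then
        echo expired+password-locked
    elif [ "$expired" -eq 1 ]; then
        echo expired
    elif [ "$locked" -eq 1 ]; then
        echo password-locked
    else
        echo active
    fi
}

# ssh_key_login_allowed <shadow-line> <today>
# Public-key auth never reads the hash, so only the expiry (checked by
# pam_unix's account phase, which sshd runs for every auth method) stops it.
# Returns 0 if a key login would still succeed, 1 if it would be refused.
ssh_key_login_allowed() {
    case $(shadow_status "$1" "$2") in
        expired*) return 1 ;;
        *)        return 0 ;;
    esac
}

# Constructed sample entries with fake hashes. "Today" is day 20000
# (2024-10-04); 13057 is 2005-10-01, the date used with chage -E above.
TODAY=20000
LINE_ACTIVE='bjones:$6$saltsalt$fakehash:19000:0:99999:7:::'
LINE_LOCKED='bjones:!$6$saltsalt$fakehash:19000:0:99999:7:::'
LINE_EXPIRED='bjones:$6$saltsalt$fakehash:19000:0:99999:7::13057:'

for entry in "$LINE_ACTIVE" "$LINE_LOCKED" "$LINE_EXPIRED"; do
    if ssh_key_login_allowed "$entry" "$TODAY"; then key=yes; else key=no; fi
    printf '%-24s ssh-key-login-possible=%s\n' "$(shadow_status "$entry" "$TODAY")" "$key"
done
```

Run it as an ordinary user; it prints one line per sample entry. Only the expired entry reports that a key login would be refused, which is the reason the tutorial reaches for chage -E rather than passwd -l. On a real host you would feed it the actual line from /etc/shadow (readable by root only) and today's day number from date +%s divided by 86400.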
Managing groups in Linux lets an administrator gather users into a single container and apply one permission set to all of its members. For example, all users in Accounting may need access to the same files, so we make an accounting group and add the Accounting users to it.
For the most part, anything requiring special permissions should be granted to a group. This usually saves time over applying special permissions to a single user. For example, Sally is in charge of reports, and only Sally needs access to certain reporting files. But what if Sally is sick one day and Bob does the reports? Or the reporting team grows? With a group, the administrator sets the permissions once and simply adds users as needs change or expand.
Following are some common commands used for managing groups −
chgrp − Changes the group ownership for a file or directory.
Let's make a directory where people in the accounting group can store files and create subdirectories.
[root@localhost Downloads]# mkdir /home/accounting
[root@localhost Downloads]# ls -ld /home/accounting
drwxr-xr-x. 2 root root 6 Jan 13 10:18 /home/accounting
[root@localhost Downloads]#
Next, let's give group ownership to the accounting group.
[root@localhost Downloads]# chgrp -v accounting /home/accounting/
changed group of ‘/home/accounting/’ from root to accounting
[root@localhost Downloads]# ls -ld /home/accounting/
drwxr-xr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
Now everyone in the accounting group has read and execute permissions on /home/accounting. They will need write permission as well.
[root@localhost Downloads]# chmod g+w /home/accounting/
[root@localhost Downloads]# ls -ld /home/accounting/
drwxrwxr-x. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
Since the accounting group may deal with sensitive documents, we need to remove the permissions granted to other (the world).
[root@localhost Downloads]# chmod o-rx /home/accounting/
[root@localhost Downloads]# ls -ld /home/accounting/
drwxrwx---. 2 root accounting 6 Jan 13 10:18 /home/accounting/
[root@localhost Downloads]#
groupadd − Used to make a new group.
Switch | Action |
---|---|
-g | Specifies a GID for the group |
-K | Overrides a /etc/login.defs default (for example GID_MIN or GID_MAX) |
-o | Allows a non-unique GID (used together with -g) |
-p | Sets the group password; it expects an already-encrypted value, so a plaintext password is normally set afterwards with gpasswd |
Let's make a new group called secret and give it a password, allowing users who know the password to join the group with newgrp.
[root@localhost]# groupadd secret
[root@localhost]# gpasswd secret
Changing the password for group secret
New Password:
Re-enter new password:
[root@localhost]# exit
exit
[centos@localhost ~]$ newgrp secret
Password:
[centos@localhost ~]$ groups
secret wheel rdc
[centos@localhost ~]$
In practice, group passwords are rarely used. Secondary group membership is adequate, and sharing a password among users is not good security practice.
The groups command shows which groups a user belongs to. We will use it after making some changes to our current user.
usermod is used to update account attributes.
Following are the common usermod switches.
Switch | Action |
---|---|
-a | Append: adds the user to the supplementary groups given with -G instead of replacing the list (only valid together with -G) |
-c | Comment: updates the user's comment (GECOS) value |
-d | Home directory: updates the user's home directory |
-G | Groups: sets the user's supplementary group list; without -a the user is removed from every supplementary group not listed |
-g | Group: sets the user's primary group |
[root@localhost]# groups centos
centos : accounting secret
[root@localhost]# usermod -a -G wheel centos
[root@localhost]# groups centos
centos : accounting wheel secret
[root@localhost]#
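Because usermod -G without -a is the most common way an administrator accidentally removes a user from wheel (and with it their sudo access), here is an added example (not from the tutorial) that simulates both forms on a constructed /etc/group snippet with awk. apply_usermod_G and supplementary_groups are the example's own names; the membership semantics follow usermod(8).

```shell
#!/bin/sh
# Added example: simulate `usermod -G` versus `usermod -a -G` on a constructed
# /etc/group snippet, to show why forgetting -a drops a user from every
# supplementary group not named on the command line.

# Constructed sample of /etc/group (name:password:GID:member-list).
GROUP_FILE='accounting:x:1001:centos,bjones
secret:x:1002:centos
wheel:x:10:'

# supplementary_groups <user> <group-file-contents>
# Prints the user's supplementary groups, sorted, space-separated.
supplementary_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# apply_usermod_G <user> <comma-separated-groups> <append 0|1> <group-file-contents>
# Prints the rewritten group file. With append=0 (plain -G) the user ends up in
# exactly the listed groups; with append=1 (-a -G) existing memberships stay.
apply_usermod_G() {
    printf '%s\n' "$4" | awk -F: -v OFS=: -v u="$1" -v want="$2" -v app="$3" '
        BEGIN { n = split(want, w, ","); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        {
            n = split($4, m, ","); out = ""; present = 0
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                if (m[i] == u) { present = 1; continue }
                out = (out == "" ? m[i] : out "," m[i])
            }
            keep = ($1 in wanted) || (app == 1 && present)
            if (keep) out = (out == "" ? u : out "," u)
            $4 = out
            print
        }'
}

echo "before:              $(supplementary_groups centos "$GROUP_FILE")"
echo "usermod -G wheel:    $(supplementary_groups centos "$(apply_usermod_G centos wheel 0 "$GROUP_FILE")")"
echo "usermod -a -G wheel: $(supplementary_groups centos "$(apply_usermod_G centos wheel 1 "$GROUP_FILE")")"
```

The plain -G run leaves centos in wheel only, silently removing it from accounting and secret; the -a -G run matches the tutorial's output above. On a live system, run groups or id on the account immediately after usermod to confirm nothing was dropped.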