107.1 Manage user and group accounts and related system files

Weight: 5

Description: Candidates should be able to add, remove, suspend and change user accounts.

Key Knowledge Areas:

  • Add, modify and remove users and groups
  • Manage user/group info in password/group databases
  • Create and manage special purpose and limited accounts

Terms and Utilities:

/etc/passwd
/etc/shadow
/etc/group
/etc/skel/
chage
getent
groupadd
groupdel
groupmod
passwd
useradd
userdel
usermod

group

/etc/group

Groups are not accounts; they help organize collections of accounts.

oldhorse@dclab:~$ cat /etc/passwd|grep root
root:x:0:0:root:/root:/bin/bash
oldhorse@dclab:~$ cat /etc/passwd|grep oldhorse
oldhorse:x:1000:1000:dreamcloud,,,:/home/oldhorse:/bin/bash

create new group

sudo addgroup testgrp

change group by chgrp

ls -ltr ttt
-rw-rw-r-- 1 oldhorse oldhorse 0 Feb 12 07:51 ttt
oldhorse@dclab:~$ sudo chgrp testgrp ttt
oldhorse@dclab:~$ ls -ltr ttt
-rw-rw-r-- 1 oldhorse testgrp 0 Feb 12 07:51 ttt

change group by chown

oldhorse@dclab:~$ chown :oldhorse ttt
oldhorse@dclab:~$ ls -ltr ttt
-rw-rw-r-- 1 oldhorse oldhorse 0 Feb 12 07:51 ttt

useradd

# useradd -m -d /home2/sally -g project4 -G project1,project4 sally

oldhorse@dclab:/etc/skel$ cat /etc/login.defs|grep HOME
DEFAULT_HOME yes

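The CREATE_HOME setting in /etc/login.defs specifies whether or not a user’s home directory is created when the account is created. If set to yes, the -m option has no effect. If set to no, the -m option toggles this specification and a user’s home directory is created. Note that the grep output above shows only DEFAULT_HOME, which is a different setting (it controls whether login is allowed when the user’s home directory cannot be entered); CREATE_HOME does not appear in that output.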

-g primary (default) group
-G supplementary groups

passwd

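passwd // set a new password
-l parameter locks an account by prefixing the hashed password with an exclamation mark (!)
-u parameter unlocks an account by removing a leading exclamation mark
Locking with -l only disables password authentication; the account can still be used through other authentication methods such as SSH keys.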

oldhorse@dclab:/etc/skel$ passwd -S oldhorse
oldhorse P 09/13/2015 0 99999 7 -1

oldhorse@dclab:/etc$ cat /etc/passwd|grep oldhorse
oldhorse:x:1000:1000:dreamcloud,,,:/home/oldhorse:/bin/bash

7 fields
username:password:UID:GID:comment:home:shell

root@dclab:/etc# cat shadow|grep oldhorse
oldhorse:$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7:::
root@dclab:/etc# ls -ltr shadow
-rw-r----- 1 root shadow 1282 Sep 14 06:42 shadow
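
The field layout and the ! lock prefix described above can be checked mechanically. The following shell function is an added example, not part of the original notes; the finding names and the sample accounts are constructed for illustration, and the $1$ check targets the MD5-crypt prefix visible in the shadow output above.

```shell
#!/bin/sh
# Added example (not from the original notes): flag risky account states
# in passwd/shadow-format files. Finding names are made up for this sketch.
# audit_accounts PASSWD_FILE SHADOW_FILE -> prints "user:FINDING" lines
audit_accounts() {
    awk -F: '
        # First file (passwd format): remember UID (field 3) and shell (field 7).
        FILENAME == ARGV[1] { uid[$1] = $3; shell[$1] = $7; next }
        # Second file (shadow format): field 2 is the hashed password.
        {
            user = $1; hash = $2
            if ((user in uid) && uid[user] == "0" && user != "root")
                print user ":UID0_NOT_ROOT"
            if (hash == "") { print user ":EMPTY_PASSWORD"; next }
            if (substr(hash, 1, 1) == "!" && length(hash) > 1) {
                # passwd -l only blocks password logins; other login methods
                # (e.g. SSH keys) still work if the shell is usable.
                if (shell[user] ~ /(nologin|false)$/) print user ":LOCKED"
                else print user ":LOCKED_BUT_LOGIN_SHELL"
                hash = substr(hash, 2)
            }
            if (substr(hash, 1, 3) == "$1$") print user ":WEAK_MD5_HASH"
        }
    ' "$1" "$2"
}

# Constructed sample data (hash strings are placeholders, not real hashes).
audit_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$SALT$PLACEHOLDER:16691:0:99999:7:::
alice:$1$SALT$PLACEHOLDER:16691:0:99999:7:::
bob:!$6$SALT$PLACEHOLDER:16691:0:99999:7:::
carol:!$1$SALT$PLACEHOLDER:16691:0:99999:7:::
toor::16691:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

audit_demo
```

On a real system, run it as root with audit_accounts /etc/passwd /etc/shadow, since /etc/shadow is not readable by ordinary users.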

usermod

# groups sally
sally : sally users project1
# usermod -a -G Production sally
# groups sally
sally : sally users project1 Production

chage

modify account settings relating to account expiration

chage [-l] [-m mindays] [-M maxdays] [-d lastday] [-I inactivedays] [-E expiredate] [-W warndays] username

userdel

-f, --force force removal of files, even if not owned by user
-r, --remove remove home directory and mail spool

If the user owns files outside the home directory, find them before deleting the user account:
cat /etc/passwd|grep <username> // find the UID
# find / -uid <UID>

Use smbpasswd -x sally to delete the sally account from Samba’s database.

groupadd

groupadd [-g GID [-o]] [-r] [-f] groupname

groupmod

groupmod [-g GID [-o]] [-n newgroupname] oldgroupname

gpasswd

gpasswd [-a user] [-d user] [-R] [-r] [-A user[,...]] [-M user[,...]] group

gpasswd // changes the password for the group

gpasswd -d user group      // remove one user from the group

## /etc/group
root@dclab:/etc# cat group|grep oldhorse
adm:x:4:syslog,oldhorse
cdrom:x:24:oldhorse
sudo:x:27:oldhorse
dip:x:30:oldhorse
plugdev:x:46:oldhorse
lpadmin:x:115:oldhorse
oldhorse:x:1000:
sambashare:x:131:oldhorse

4 fields
group:password:GID:user list

## /etc/gshadow

root@dclab:/etc# cat gshadow|grep oldhorse
adm:*::syslog,oldhorse
cdrom:*::oldhorse
sudo:*::oldhorse
dip:*::oldhorse
plugdev:*::oldhorse
lpadmin:!::oldhorse
oldhorse:!::
sambashare:!::oldhorse
root@dclab:/etc#

## groupdel

root@dclab:/etc# groupdel -h
-h, --help display this help message and exit
-R, --root CHROOT_DIR directory to chroot into

Before deleting a group, it is better to find all files owned by that group, then delete the files or assign them to another group using chown or chgrp:
# find / -gid 1003

## getent

The getent command allows you to access records stored in one of the system databases.

getent database key

passwd (the /etc/passwd file)
shadow (the /etc/shadow file)
group (the /etc/group file)

root@dclab:/etc# getent passwd oldhorse
oldhorse:x:1000:1000:dreamcloud,,,:/home/oldhorse:/bin/bash
root@dclab:/etc# getent group sudo
sudo:x:27:oldhorse
root@dclab:/etc# getent shadow oldhorse
oldhorse:$1$MySBJvCJ$emv0BL6gQweU13kzUqLqi1:16691:0:99999:7:::

root@dclab:/etc# groups oldhorse
oldhorse : oldhorse adm cdrom sudo dip plugdev lpadmin sambashare