User Account Management

User Administration

User Account Management

Different Kinds of Users

The Shadow Password Suite

The /etc/passwd File

The /etc/group File

The /etc/shadow File

The /etc/gshadow File

The /etc/login.defs File

Command Line Tools

Adding Users Directly

vipw
Add a user home directory.
Populate the user home directory.

Add Users to a Group Directly

vigr
vigr -s

Add Users at the Command Line

useradd

Assign a Password

passwd username

Add or Delete a Group at the Command Line

# groupadd -g 60001 project
# groupdel project

Delete a User

userdel

By default, this command does not delete that user’s home directory, so administrators can transfer files from that user perhaps to an employee who has taken over the tasks of the deleted user.

userdel -r username

deletes that user’s home directory along with all of the files stored in that home directory.

Modify an Account

More User and Group Management Commands

usermod

Option Purpose
-aG group1 Appends to existing group memberships; multiple groups may be specified, split with a comma, with no spaces.
-l newlogin Changes the username to newlogin, without changing the home directory.
-L Locks a user’s password.
-U Unlocks a user’s password.

chage
Option Purpose
-d YYYY-MM-DD Sets the last change date for a password; output shown in /etc/shadow as the number of days after January 1, 1970.
-E YYYY-MM-DD Assigns the expiration date for an account; output shown in /etc/shadow as the number of days after January 1, 1970.
-I num Locks an account num days after a password has expired; can be set to -1 to make the account permanent.
-l Lists all aging information.
-m num Sets a minimum number of days that a user must keep a password.
-M num Sets a maximum number of days that a user is allowed to keep a password; can be set to -1 to remove that limit.
-W num Specifies the number of days before a password must be changed; a user is warned at that time.
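As an added example (not from the original notes), the following Python parses an /etc/shadow record in the format shown on this page and derives the password and account aging dates from the numeric fields that chage writes, plus the lock state that usermod -L sets by prefixing the hash. The sample record is constructed, with a placeholder hash; the status logic approximates what chage -l reports and is not the shadow suite's own code.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # /etc/shadow day counts are relative to this date

# Constructed record in the format the notes show; the hash is a placeholder.
SAMPLE_SHADOW_LINE = "jason:$6$constructed$placeholder:16982:0:99999:7:::"

def parse_shadow(line):
    """Split one /etc/shadow record into its nine fields (empty -> None)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw_hash, last, mn, mx, warn, inactive, expire, _reserved = fields
    to_int = lambda s: int(s) if s else None
    return {
        "name": name, "hash": pw_hash,
        "last_change": to_int(last),   # days since EPOCH, set by chage -d
        "min_days": to_int(mn),        # chage -m
        "max_days": to_int(mx),        # chage -M (99999 or -1: no limit)
        "warn_days": to_int(warn),     # chage -W
        "inactive": to_int(inactive),  # chage -I
        "expire": to_int(expire),      # days since EPOCH, set by chage -E
    }

def days_to_date(days):
    """Convert a shadow day count (e.g. 16982) to a calendar date."""
    return EPOCH + timedelta(days=days)

def password_status(rec, today):
    """Derive, approximately, what chage -l reports from the numeric fields."""
    last = days_to_date(rec["last_change"])
    status = {
        "locked": rec["hash"].startswith(("!", "*")),  # usermod -L prefixes "!"
        "last_change": last,
        "must_change_by": None,   # None means "never"
        "warn_from": None,
        "account_expires": None,
        "expired": False,
    }
    mx = rec["max_days"]
    if mx is not None and 0 <= mx < 99999:
        status["must_change_by"] = last + timedelta(days=mx)
        status["warn_from"] = status["must_change_by"] - timedelta(days=rec["warn_days"] or 0)
        status["expired"] = today > status["must_change_by"]
    if rec["expire"] is not None and rec["expire"] >= 0:
        status["account_expires"] = days_to_date(rec["expire"])
        status["expired"] = status["expired"] or today >= status["account_expires"]
    return status
```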

Administrative Control

The Ability to Log In as root

/etc/securetty

[root@jason ~]# vi /etc/securetty 

console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
The virtual consoles listed in /etc/securetty determine the consoles where the root administrative user is allowed to log in. If the directives in this file were commented out, administrators would not be able to log in directly to the root account. They’d have to log in to a regular account and use either the su or sudo command for administration.

/etc/init/start-ttys.conf

[root@jason ~]# vi /etc/init/start-ttys.conf 

#
# This service starts the configured number of gettys.
#
# Do not edit this file directly. If you want to change the behaviour,
# please create a file start-ttys.override and put your changes there.

start on stopped rc RUNLEVEL=[2345]

env ACTIVE_CONSOLES=/dev/tty[1-6]
env X_TTY=/dev/tty1
task
script
        . /etc/sysconfig/init
        for tty in $(echo $ACTIVE_CONSOLES) ; do
                [ "$RUNLEVEL" = "5" -a "$tty" = "$X_TTY" ] && continue
                initctl start tty TTY=$tty
        done
end script

/etc/sysconfig/init

[root@jason ~]# vi /etc/sysconfig/init 

BOOTUP=color
# to something like "tput hpa ${RES_COL}" if your terminal supports it
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
# terminal sequence to set color to a 'success' color (currently: green)
SETCOLOR_SUCCESS="echo -en \\033[0;32m"
# terminal sequence to set color to a 'failure' color (currently: red)
SETCOLOR_FAILURE="echo -en \\033[0;31m"
# terminal sequence to set color to a 'warning' color (currently: yellow)
SETCOLOR_WARNING="echo -en \\033[0;33m"
# terminal sequence to reset to the default color.
SETCOLOR_NORMAL="echo -en \\033[0;39m"
# Set to anything other than 'no' to allow hotkey interactive startup...
PROMPT=yes
# Set to 'yes' to allow probing for devices with swap signatures
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[1-6]
# Set to '/sbin/sulogin' to prompt for password on single-user mode
# Set to '/sbin/sushell' otherwise
SINGLE=/sbin/sushell

The Ability to Log In


/etc/security/access.conf

# Login access control table.
#
# Comment line must start with "#", no space at front.
# Order of lines is important.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination.  The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
#       permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
#
# You can use @netgroupname in host or user patterns; this even works
# for @usergroup@@hostgroup patterns.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
# To avoid problems with accounts, which have the same name as a group,
# you can use brackets around group names '(group)' to differentiate.
# In this case, you should also set the "nodefgroup" option.
#
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
# "/dev" (e.g. tty1 or vc/1)
#
##############################################################################
#
# Disallow non-root logins on tty1
#
#-:ALL EXCEPT root:tty1
-:ALL EXCEPT root:tty1

This line disallows (with the -) access to the first virtual console (tty1) to ALL users but root.

-:ALL EXCEPT (wheel) shutdown sync:LOCAL

This line disallows access to all users, except users who are members of the wheel group, along with the shutdown and sync users, on the LOCAL system.

+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+ : root : 127.0.0.1

These lines allow (with the +) the root user to access the system from three specific remote IP addresses, along with the localhost address.

- : ALL : ALL

This directive denies access to all other users from all other local or remote systems.
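To see how pam_access applies rules like the ones above (first match wins, EXCEPT, the "(group)" syntax and LOCAL), here is an added Python evaluator; it is not part of the original notes and not the real pam_access module, and it assumes the caller supplies the user's group memberships instead of reading /etc/group.

```python
# Added example: a minimal evaluator for /etc/security/access.conf rules,
# following the semantics in the file's own comments. Not the real pam_access.
def parse_access_conf(text):
    """Return (permission, user_items, origin_items) per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def _split_except(items):
    # ['ALL', 'EXCEPT', 'root'] -> (['ALL'], ['root'])
    i = items.index("EXCEPT") if "EXCEPT" in items else len(items)
    return items[:i], items[i + 1:]

def _user_matches(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):  # unambiguous group syntax
        return item[1:-1] in groups
    return item == user or item in groups            # login name, then group

def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "NONE":
        return False
    if item == "LOCAL":                              # anything without a "."
        return "." not in origin
    if item.startswith("."):                         # domain name suffix
        return origin.endswith(item)
    if item.endswith("."):                           # network number prefix
        return origin.startswith(item)
    return item == origin                            # tty, host name or address

def _matches(items, pred):
    included, excluded = _split_except(items)
    return any(pred(i) for i in included) and not any(pred(i) for i in excluded)

def check_access(rules, user, groups, origin):
    """True if login is allowed: first matching rule decides, none -> allowed."""
    for perm, users, origins in rules:
        if _matches(users, lambda i: _user_matches(i, user, groups)) and \
           _matches(origins, lambda i: _origin_matches(i, origin)):
            return perm == "+"
    return True
```

The rule groups above are presented as separate alternatives, so evaluate each as its own table; chaining them all under a final "- : ALL : ALL" would deny every login not explicitly granted by an earlier "+" line, because the first match decides.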

The Proper Use of the su Command

su - username

su -c

su -c '/usr/bin/tail -1 /etc/shadow'

[jason@jason root]$ su -c '/usr/bin/tail -1 /etc/shadow'
Password: 
jason:$6$.u7PW0Cg$fnrrDMyN/2daWCst/W4VYpi4qjprb36Pa9lVSKzoWitstfFbBjk7LVzNBhDL8IE54vM7az4foTLWtES0umrcG0:16982:0:99999:7:::
[jason@jason root]$

Limit Access to su

wheel:x:10:root

/etc/pam.d/su

[root@jason ~]# vi /etc/pam.d/su

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
...// omitted

The Proper Use of the sg Command

$ sg project -c 'cp important.doc /home/project'

Custom Administrators with the sudo Command

To access /etc/sudoers in the vi editor, run the visudo command.

/etc/sudoers

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
visudo
root ALL=(ALL) ALL

This directive allows the root user full access to administrative commands.

%wheel ALL=(ALL) NOPASSWD: ALL

This directive in /etc/sudoers would allow all users who are members of the wheel group to run administrative commands without a password.

%users localhost=/sbin/shutdown -h now

If you want to allow users who are members of the users group to shut down the local system, activate this directive.

In many Linux configuration files, the % sign in front of a directive specifies a group. Even though the users group has a GID of 100, it’s acceptable to make regular users members of that group.

Other Administrative Users

/etc/cups/cupsd.conf

User and Shell Configuration

Home Directories and /etc/skel

Home Directory

/etc/skel

File Purpose
.bashrc This basic bash configuration file may include a reference to the general /etc/bashrc configuration file. Can include commands to run when the bash shell is started. One example is an alias such as rm='rm -i'.
.bash_logout This file is executed when you exit a bash shell and can include commands appropriate for this purpose, such as commands for clearing a screen.
.bash_profile Configures the bash startup environment. Appropriate place to add environment variables or modify the directories in your user account PATH.
.gnome2/ Includes settings for the GNOME Desktop Environment.
.kde/ Specifies settings for the K Desktop Environment. Not added to /etc/skel and not copied to user home directories if KDE is not installed.
.mozilla/ Includes options associated with the Firefox web browser, developed by the Mozilla project.

/etc/bashrc

/etc/profile

The /etc/profile file is used for system-wide environments and startup files.

/etc/profile.d

Shell Configuration Files in User Home Directories

Users and Network Authentication

Special Groups

Two-Minute Drill

Self Test
