The course is part of this learning path
In this brief course - the third of six covering the LPIC-1 102 exam and the eighth of eleven courses making up the full LPIC-1 series - we will work with some key areas of Linux administration: managing users and groups, scheduling the execution of unattended tasks, and maintaining accurate and efficient system environment variables and localisation.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Managing Linux user accounts
Managing users and groups on your system is about as basic an administration task as you can imagine. So you may wonder why it took the LPIC exam objective so long to get here. The answer? I haven't a clue, but since we're here, we might as well get the job done. We're going to talk about managing both user accounts and groups, and also the system files to track user group configurations.
We'll begin by using useradd to create a new user account. We use -m to tell Linux to create a new directory in the /home directory, which by default will be given the same name as the user.
And Terry is the name we'd like to give this user account. That's it. But if we leave it there, the account might not be very useful since it doesn't yet have a password. For that, we'll use the passwd command. Note that for some reason that there is no O or R in the command name, it's passwd.
Passwd will prompt you to enter a new password once, and then a second time to ensure that you haven't mistyped. There are other arguments you can add to the useradd command. -e will set a date by which the account will automatically expire. -G will add the new user to an existing group. You will often use -G sudo to add the user to the sudo group, assuming, of course, that he's going to be an admin. -p allows you to add a password without the need to run passwd later. Note though that you can only add encrypted passwords using this argument. -s will specify the user's default log in shell if you don't want the system default to apply, and -u allows you to manually specify a user ID.
Naturally, there are many more arguments that are documented in the useradd command file. Removing the user is done through userdel, user delete. Adding the -r argument will also remove the user's home directory along with his mail spool if there is one.
Usermod will, as the name suggests, modify a user's account settings. Usermod -m and -d create a new home directory for an existing user. -e will set or change an account expiry date, while dash -G will change the status of the user's group membership. That is to say if the user is not yet a member of the specified group, he'll be added. If he is already a member, he will be removed. -l will allow you to change the log in name for your user. Dash -L will lock password access to an account preventing the user from using his password to log in. Dash -U will unlock the account, re-enabling the original password. Speaking of expiry dates, you can also control account best before dates directly from the command line using change age or C-H-A-G-E. chage --list Max, for instance, will return the time until Max's account expires, which is never in this case, but also the current controls in his password when it was last changed, when it will expire, and then the minimums and maximums you've set for creating new passwords.
There's obviously a security concern with users who keep old and usually weak passwords for years, so change age allows admins to force users to step up their game. You can set the minimum number of days between password changes using change age -m, followed by the number of days and the user name. Running change age with uppercase M as an argument will set the maximum number of days before a new password is required. Change age with -W will set the number of days before password expires that a user will receive a warning message. In this case, the default is already seven.
You may wonder why this kind of control is necessary. After all, we're talking about accounts on a single computer. Just how many users are there likely to be? This might be a point if we're talking about people sitting down in front of most home PCs, but for set ups where users need to log in via secure shell, SSH, remote sessions, it's a different story. In that context, it shouldn't surprise you to learn that it's quite common for server profiles to host remote visits from all kinds of developers and admins. Properly organizing and securing their accounts is therefore a significant concern.
Let's review. You can create a new user with a new home directory using useradd -m. Adding -g will allow you to add the new user to a group. -p lets you set up an encrypted password. -s will specify which shell the user will use, and -u allows you to manually set the user ID. You can add a regular password with passwd followed by the username. Userdel will delete the user. You can use usermod -m to change a user's home directory, -e to set an account expiry date, -g to add the user to or from a group, -l to change his log in name, -L to lock the password, and -U to unlock the password. Change age --list will list the user's account limits. -n and a numeric value will set the minimum time for password change. Dash -M will set the maximum time, and -w will set the warning time.
Working with Linux groups
Let's discuss groups. Groups are treated by your system pretty much the same way as users, but their function is a bit different. When you create a group, you assign permissions over specific system resources, but that by itself is meaningless because groups never do anything on their own. Rather, by adding system or logging users to a group, they are automatically given all the powers of the group. To take an example we've already seen, when the user joins the sudo group, he or she is allowed all the administrative powers that come with sudo.
Interestingly, Amazon's AWS controls resource access for users enrols in very much the same way through identity and access management IAM groups.
The Linux groups tool kit works a lot like the useradd and usermod commands. Groupadd will create a group. Groupdel will remove or delete an existing group, and groupmod will modify a group's values. -n, for instance, allows you to change the group's name. You enter the new name immediately after -n, and then the name of the existing group.
Using Debian's adduser and deluser rather than useradd and userdel
While the LPIC wants you to understand the workings of useradd and groupadd and their command families, you should also be aware that Debian distributions, which include Ubuntu, also use the variants adduser, deluser, and addgroup. These commands are more than just the old useradd and userdel with different names. They're much more simple to use. So for instance, adduser and addgroup will automatically create ID values in line with Debian policies, and adduser will automatically create a home directory for the new user, populated with your system scale for configuration, which we'll discuss a bit later, and require that you create a password right then.
Nonetheless, don't lose sight of the fact that the LPIC exam will only deal with the more universal useradd. And either way, useradd and its friends work on all Linux systems. Finally, let's explore some of the files Linux uses to store user and group profiles. The /etc/password file contains key information on each user on the system. Considering that on currently any virtual LXC container that really only exists for demonstration purposes, there do seem to be a few more users than you'd expect. Most of these like daemon, bin, and sys are actually system users. You can tell them apart from regular users by their user IDs called UID. System users will have IDs below 1000, while regular user IDs are usually 1000 and above.
The /etc/shadow file, which requires admin permission to view, also contains information on regular and system users, but it's different information. Primarily for our purposes, shadow contains an encrypted version of the user's password and any date restrictions on his account. /etc/group contains basic information about all current groups including the group ID, GID, and a list of all members. You can manually add a user to a group by editing this file and adding the user name to a group. Just remember not to insert any space in the line because that will mess things up royally. You can display information from these files using the get end get entry command. This example will politely ask getend to read the password file and display the entry for the user Ubuntu.
We mentioned the skeleton directory a little bit earlier, so we should perhaps give it some flesh and explain just what it is. If you'd like every new user to automatically be created with certain common files and directories in his home directory, you can place them in the /etc/skel directory. Copies of any files down there will be placed in new users' directories ready for use.
Let's review what we've seen. Groupadd will create a new group, groupdel will delete a group, and groupmod -n followed by new name and then the existing name will change its name. The /etc/passwd file contains basic user data like user IDs. /etc/shadow contains encrypted versions of user passwords, and /etc/group contains information about all system groups. Getend displays data directly from any of its user data files, and the /etc/skel directory contains files you'd like to be automatically included with new user home directories.
About the Author
David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.
Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.
Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.
His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.