Disabling Accounts
Difficulty: Intermediate
Duration: 2h 42m
Students: 295
Ratings: 4.6/5
Description

In this course, we'll cover a range of topics designed to help you enhance your Linux scripts. We'll start off by looking at case statements, which are used to make a decision based on the value of a given variable. We'll cover functions and then move on to how to process command-line options using the shell built-in getopts.

In the second part of the course, we'll look at managing users including how to disable, delete, and archive users on a Linux system. We'll then do a walkthrough exercise showing you how to delete a user, which you can follow along with.

This course is part of the Linux Shell Scripting learning path. To follow along with this course, you can download all the necessary resources here.

Learning Objectives

  • Learn about case statements and functions to make your scripts more efficient
  • Process command line options using getopts
  • Manage users in Linux

Intended Audience

  • Anyone who wants to learn Linux shell scripting 
  • Linux system administrators, developers, or programmers

Prerequisites

To get the most out of this course, you should have a basic understanding of the Linux command line.

Transcript

Now let's cover the last piece of this puzzle, which is how to disable or how to lock an account without actually deleting it. Let's say you have someone who's going on an extended vacation or taking a leave of absence. You want them to use their account when they get back, but you also know that for every account that exists on a system, there is a chance that someone could break into that account. Since this person is going to be away for a long time, no one may actually notice if the account is being used by someone who should not have access to it. So let's say you decide to go ahead and lock that account for security reasons.

The best way to do this is to actually use the chage command (C-H-A-G-E), or change age. Actually, you can think of it as the change age command. So let's look at the man page for this command. I'm going to page down here till we get to the -E (dash capital E) option. And that's the option to expire an account. Here it says you can specify either a date or the number of days since January 1st, 1970. It also says to unexpire the account, use negative one, or dash one, or hyphen one, as the argument to the -E option.

So let's go ahead and try this out. So we have a user on the system called Waz. This user has a UID of 1008. If we change to this user, let's see if it's working here. Sure enough, it is. I created it with a password of pass123 on my particular system; it may not be that on your system. Just something to keep in mind. Type exit here, now I'm back to the vagrant user. So let's expire this account. Now let's try to switch to the account. And sure enough, it says, nay, your account has expired, please contact your system administrator. So as we learned from the man page, we can actually unlock this account with -E -1. So we'll do sudo, change the age of the expiration to negative one on the account of Waz. Now let's see if we can log into this account. And sure enough, we can. And there's been one failed login attempt since we logged in, while the account was live. Let's get back out and go back to our vagrant user.

Some older methods of locking an account include using the -l option to passwd, something like this: sudo passwd -l Waz. And then it says, hey, you've locked the account. And then to unlock it you would use passwd -u against the account name. And then sure enough, it says, hey, we've unlocked that user, and you're good to go. Now, locking an account with a passwd command like this does not prevent a user authenticating with an SSH key. That's very important to know, especially since more and more we're using SSH keys as our primary method of authentication. So if you're using SSH keys at all, this is not going to do what you think it's going to do. So don't do it. Use chage instead.

Another method is to set the shell to something that is actually not a shell or something that simply exits. To look at the available shells on a system, you can look at the /etc/shells file. So we'll do that: cat /etc/shells. And we'll see here /sbin/nologin, /usr/sbin/nologin. Those would, in theory, prevent someone from logging in. So let's do that now. We'll set the shell of the Waz user to be nologin with the usermod command. -s is to specify the shell. We'll give it nologin and we'll set that to Waz. I think I've covered enough in this lesson, so I'm not going to take another diversion and cover the usermod command. So if you want to learn more about how to change all the settings for an existing account, simply read the usermod man page. At first glance, you think that this might actually work, because if you SSH in and you have nologin set as your shell, you'll get immediately logged out of the system. It does work for interactive logins like I just described, but you can still do some things with SSH that don't require an interactive login or don't require a shell, such as port forwarding. So again, use the chage command with the -E 0 option to actually disable the account.

We've spent a lot of time here at the command line today, so for fun, let's write a quick shell script that deletes a user account using some of what we've seen today. So let's go ahead and go into our shared folder, our /vagrant. I'm going to call this particular script luser-demo12.sh. Goes without saying, we'll need a shebang. Let's give this a description. Since we're doing some system administrator type stuff, we want to make sure the user is executing the script with root privileges. We already know how to do this check. If the user ID is not equal to zero, that means they are not the root account. So let's give them a little message here. Let's redirect that to standard error and exit 1.

Okay, let's just assume, which is not a good word by the way. Assume the first argument is the user to delete. We'll keep this script simple here just for demonstration purposes. So we're just going to use a variable to represent the user. We'll call that user. We'll assign that $1. By the way, you could use $1 throughout the script. That would be acceptable. I just like to have a descriptive variable name. So now let's go ahead and delete the user. And let's make sure the user actually got deleted. And we can do that by checking the return code or exit status of the userdel command. And if it's anything but zero, we know it's bad news. So if we get past this if statement, that means the userdel command succeeded. And that means we can tell the user that the account was actually deleted. We can tell them which account was deleted, which they specified. And then if we make it to the end of the script, we exit with an exit status of zero because we've had a normal completion.

Okay, I'm gonna run chmod here and make sure this is executable. And then let's execute it with root privileges and let's delete a user. Actually, let's look at the last user in the /etc/passwd file. On this particular system, it is Moore, so let's do this. Let's delete the account called Moore. Okay, it says the account Moore was deleted. We check it. Sure enough, it's not there. Let's do something interesting, like trying to delete an account that doesn't exist. Okay, it says userdel: user Jason does not exist. That's actually an error message from the userdel command. And then our error message is displayed: the account Jason was not deleted. And that's because we checked for the exit status of the userdel command.

Okay, let's wrap this up. In this particular lesson, you learned how to delete an account using the userdel command. If you want to remove the user's home directory, use the -r option to the userdel command. To find files on a system, use the find, locate, or ls commands. To create an archive of files, use the tar command.
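The lesson's distinction between an expired account, a password-only lock (which leaves SSH keys usable) and a nologin-only shell (which leaves port forwarding usable) can be audited across a system. The script below is an added example, not part of the course material; the sample records, the MIN_UID cutoff of 1000 and the state labels are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report HOW each regular account is disabled, so that
# password-only locks and nologin-only shells stand out for follow-up.
# Usage: audit_lock_state SHADOW_FILE PASSWD_FILE [TODAY_AS_DAYS_SINCE_EPOCH]
audit_lock_state() {
  local shadow="$1" passwd="$2"
  local today="${3:-$(( $(date +%s) / 86400 ))}"
  # MIN_UID (assumed default 1000) keeps system accounts out of the report.
  awk -F: -v today="$today" -v min_uid="${MIN_UID:-1000}" '
    # First file, shadow(5) format: remember hash (field 2) and expiry (field 8).
    NR == FNR { hash[$1] = $2; expire[$1] = $8; next }
    # Second file, passwd(5) format: classify each regular user.
    $3 >= min_uid {
      user = $1; shell = $7
      if (expire[user] != "" && expire[user] + 0 >= 0 && expire[user] + 0 <= today)
        state = "EXPIRED"             # what chage -E 0 produces
      else if (hash[user] ~ /^!/)
        state = "PASSWORD_LOCK_ONLY"  # what passwd -l produces; SSH keys still work
      else if (shell ~ /(nologin|false)$/)
        state = "NOLOGIN_SHELL_ONLY"  # port forwarding is still possible
      else
        state = "ACTIVE"
      print user ":" state
    }' "$shadow" "$passwd"
}

# Constructed sample data (not real accounts or hashes) so the audit runs
# offline and without root; on a live host pass /etc/shadow and /etc/passwd.
demo_audit() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/shadow" <<'EOF'
waz:$6$constructed$hash:19000:0:99999:7::0:
moore:!$6$constructed$hash:19000:0:99999:7:::
jason:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
EOF
  cat > "$dir/passwd" <<'EOF'
waz:x:1008:1008::/home/waz:/bin/bash
moore:x:1009:1009::/home/moore:/bin/bash
jason:x:1010:1010::/home/jason:/sbin/nologin
alice:x:1011:1011::/home/alice:/bin/bash
EOF
  audit_lock_state "$dir/shadow" "$dir/passwd" 20000
  rm -rf "$dir"
}

demo_audit
```

Any account reported as PASSWORD_LOCK_ONLY or NOLOGIN_SHELL_ONLY that is meant to be fully disabled should also be expired with chage -E 0, as the lesson recommends.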

About the Author
Students: 21290
Courses: 61
Learning Paths: 18

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.
