It's been a while! I'm glad to have got some time to get back to blogging :)
Recently I had a tech task where I wanted to create users on my Linux server. The users had to be created in such a way that each one was part of a group. Now, why do we need groups? Are there other benefits to think about when adding users, beyond simply granting access? Let's find out.
So now, how can I find the list of existing users and groups?
Local users are listed in /etc/passwd, a colon-separated text file with one line per account. It is world-readable, which is fine because it holds no secrets.
The same applies to groups, whose file is /etc/group. (On servers that also use LDAP or sssd, `getent passwd` and `getent group` show the merged view; reading the files directly shows only local accounts.)
Now let's take a record and understand what each field means. A line in /etc/passwd has seven fields, `user:x:UID:GID:comment:home:shell`, for example `linu:x:1152:1152:Linu:/home/linu:/bin/bash`:
User : The login name of the account.
Password : The 'x' means the password is not stored here. The password hash lives in /etc/shadow, which only root can read.
UID : The User ID, a number unique to each user. Permissions are enforced on the UID, not on the name.
It is worth noting that the root user has UID 0, and any account with UID 0 is root, whatever it is called. The lower UID range is reserved for system accounts; the exact boundaries come from /etc/login.defs (SYS_UID_MIN/SYS_UID_MAX and UID_MIN/UID_MAX). The old Red Hat convention reserved 0 to 99 for statically allocated system accounts and 100 to 499 for dynamically allocated ones; most current distributions reserve 1 to 999 for system accounts and give ordinary users UIDs from 1000 upwards.
GID : The Group ID of the user's primary group. Files the user creates get this group by default; any additional (supplementary) groups are listed against the user in /etc/group.
Comment : Free text (the GECOS field), usually the person's full name, for clarity.
Home Directory : For the Linux newbies, the home directory is the folder the user lands in when they log in, the value of $HOME, and the place for their personal files and dotfiles (for example ~/.ssh). It is not the root of the filesystem, and the user can navigate outside it wherever permissions allow.
Shell : The program started when the user logs in, for example /bin/bash or /bin/sh. (/usr/bin is a directory holding executables, not a shell.) Setting this field to /usr/sbin/nologin or /bin/false refuses interactive logins for that account.
Here is an interesting observation I made while setting up an FTP server. The requirement was to disable SSH access to the server. This was done by setting the shell to /usr/sbin/nologin, which refuses an interactive session for security reasons: the user can still authenticate, but nologin just prints a message and exits. However, to keep SFTP access for the users that are part of a specific group, we can simply add a Match Group block to the sshd_config file with `ForceCommand internal-sftp`. internal-sftp runs inside sshd and never spawns the login shell, which is why it works with nologin, whereas the external sftp-server subsystem is launched through the user's shell and would fail. [1]
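The sshd_config stanza for such an SFTP-only group, together with the ownership and mode check sshd applies to a ChrootDirectory, as an added example (this is not the original post's configuration). The group name `sftponly` and the chroot path `/srv/sftp/%u` are assumptions; sshd refuses to chroot unless every component of the path is owned by root and writable by nobody else, so the script checks that too.

```shell
# Added example, not from the original post: the sshd_config Match block for an
# SFTP-only group and the ChrootDirectory ownership/mode rule sshd enforces
# (every path component root-owned and not group- or world-writable).
# Group name "sftponly" and chroot path "/srv/sftp/%u" are assumptions.

# Print the Match block. It must come after all global directives in
# sshd_config; ForceCommand internal-sftp works even when the user's login
# shell is /usr/sbin/nologin, because no shell is spawned for it.
sftp_only_stanza() {
    group=$1        # e.g. sftponly
    chroot_dir=$2   # e.g. /srv/sftp/%u  (%u expands to the login name)
    cat <<EOF
Match Group $group
    ChrootDirectory $chroot_dir
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# One path component is acceptable when it is owned by uid 0 and has neither
# the group-write (020) nor the other-write (002) bit set.
# $1 = numeric owner uid, $2 = octal mode as printed by "stat -c %a".
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1
    mode=$(printf '%d' "0$2")          # octal string -> decimal
    [ $(( $mode & 18 )) -eq 0 ]        # 18 decimal == 022 octal
}

# Walk every component of a real directory (not the %u template) from / down,
# the way sshd does before it is willing to chroot into it.
chroot_path_ok() {
    target=$1
    chroot_component_ok $(stat -c '%u %a' /) || { echo "bad ownership/mode: /" >&2; return 1; }
    old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs
    cur=
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        uid_mode=$(stat -c '%u %a' "$cur") || return 1
        chroot_component_ok $uid_mode || { echo "bad ownership/mode: $cur" >&2; return 1; }
    done
}

# Stand-alone demo: print the stanza, then show why a directory under /tmp
# (normally mode 1777, world-writable) cannot serve as a ChrootDirectory.
sftp_only_stanza sftponly /srv/sftp/%u
chroot_path_ok /tmp || echo "/tmp cannot be used as a ChrootDirectory"
```

Restart or reload sshd after editing the file and validate first with `sshd -t`; the chroot directory itself stays root-owned, so give each user a writable subdirectory inside it for uploads.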
Now that we know what each parameter means, let's get into the implementation part of it. Here are some of the most used Linux commands for users and groups:
NB : All of these need root privilege, so run them as root or through sudo. NB2 : Anything between <> is a placeholder for a name you choose and not part of the syntax.
Creating a User
useradd -m linu ### useradd -m <user> (-m creates the home directory; without it, Debian/Ubuntu's useradd leaves the user with no home)
Creating a user with a specific UID
useradd -m -u 1152 linu ### useradd -m -u <UID> <user>
Modifying the username
We are renaming an existing user. Anything to be modified on a user is done with usermod (User-Modify). Note the argument order: the new name comes first, after -l, and the existing name last. Renaming does not move the home directory; add -d <new_home> -m for that.
usermod -l linu mary ### usermod -l <new_name> <current_name>  (here, mary becomes linu)
Creating a password for the user
passwd linu ### passwd <user>
# This prompts us to create a password for the user
What happens without a password?
After useradd, the password field in /etc/shadow contains "!" (or "!!"), which means locked: password authentication fails until passwd is run. The account can still be used through other paths, such as an SSH key in its ~/.ssh/authorized_keys or `su - <user>` from root. Only an empty password field (for example after `passwd -d`) lets someone log in with no password at all, which is why the audit below flags it.
Where are passwords stored?
The passwords are stored as salted crypt(3) hashes (for example `$6$` for SHA-512 or `$y$` for yescrypt) in the /etc/shadow file, which is readable only by root. A hash cannot be turned back into the password, so there is no way to see an existing user's password in plain text; storing it in plain text, or in the world-readable /etc/passwd, would expose every account to any unauthorized user who could read the file.
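The /etc/passwd field layout described earlier and the /etc/shadow password states just discussed are the two things an administrator should check after creating accounts. The script below is an added example, not from the original post, and runs the four checks most worth making over constructed sample records in those two formats; pass the real files as arguments instead (reading /etc/shadow requires root). The sample account names are invented.

```shell
# Added example, not from the original post: audit checks over records in
# /etc/passwd and /etc/shadow format. The records below are constructed sample
# data; on a real server pass /etc/passwd and /etc/shadow as the arguments.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
linu:x:1152:1152:Linu:/home/linu:/bin/bash
mary:x:1001:1001:Mary:/home/mary:/bin/bash
backup:x:0:0:second uid 0:/root:/bin/sh
steve:x:1002:1002:Steve:/home/steve:/usr/sbin/nologin'

# shadow field 2: a crypt(3) hash ($6$ = SHA-512, $y$ = yescrypt), "!" or "!!"
# = locked, "*" = password login disabled, empty = no password needed at all.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
linu:$y$j9T$saltsalt$hashhash:19000:0:99999:7:::
mary::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
steve:*:19000:0:99999:7:::'

# Every UID-0 account is root, whatever it is called; anything but "root"
# here is a backdoor or a mistake.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose login shell allows an interactive session.
interactive_accounts() {     # $1 = passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts usable with no password at all: empty shadow hash field combined
# with an interactive shell. awk reads the shadow file first (NR == FNR).
passwordless_accounts() {    # $1 = passwd file, $2 = shadow file
    awk -F: 'NR == FNR { if ($2 == "") empty[$1] = 1; next }
             ($1 in empty) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# Accounts whose password is locked or disabled (the state useradd leaves an
# account in until passwd is run).
locked_accounts() {          # $1 = shadow file
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Stand-alone demo against the constructed records.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
echo "extra uid 0:        $(uid0_accounts "$tmp/passwd" | tr '\n' ' ')"
echo "interactive shells: $(interactive_accounts "$tmp/passwd" | tr '\n' ' ')"
echo "no password:        $(passwordless_accounts "$tmp/passwd" "$tmp/shadow" | tr '\n' ' ')"
echo "locked/disabled:    $(locked_accounts "$tmp/shadow" | tr '\n' ' ')"
rm -rf "$tmp"
```

On the sample data the checks report `backup` as a second UID-0 account and `mary` as an interactive account with no password; on a real host `uid0_accounts /etc/passwd` should print nothing.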
Creating a group
groupadd devops ### groupadd <group>
View the groups the current user is assigned to (add a username to see another user's groups; `id <user>` also shows the numeric IDs):
groups ### (notice the plural!)  groups <user>
View all groups in the server
getent group ### unlike cat /etc/group, getent also shows groups that come from LDAP or sssd via NSS
Creating a new user directly in a group (the group must already exist; -g sets the primary group)
useradd -m -g devops steve ### useradd -m -g <group> <user>
Adding an existing user to the group
We are effectively modifying the primary group of an existing user, and anything to be modified on a user is done with usermod (User-Modify). -g replaces the primary group; to add a group without touching the primary one, use -aG as shown next.
usermod -g devops mary ### usermod -g <group> <user>
# Now give mary sudo access by adding her to the sudo group (on Debian/Ubuntu; on RHEL-type systems the equivalent group is wheel)
usermod -aG sudo mary ### -a for append, -G for supplementary group; without -a, -G replaces all of the user's supplementary groups
Adding a comment for existing user
usermod -c "Adding Mary to devops group" mary ###usermod -c "comment" <user>
Changing the home directory (-m moves the existing contents to the new location; without it the field changes but the files stay behind)
usermod -d /home/devops -m mary ### usermod -d <home dir> -m <user>
Changing the login shell (/usr/sbin/nologin disables interactive logins for the account; use a real shell such as /bin/bash to allow them)
usermod -s /usr/sbin/nologin steve ### usermod -s <shell> <user>
Deleting a user (-r also removes the home directory and mail spool; userdel refuses while the user still has running processes, and files elsewhere keep the old UID, so check for them with `find / -xdev -nouser`)
userdel -r steve ### userdel -r <user>
Deleting a group
NB : groupdel refuses to remove a group that is still the primary group of any user; change those users' primary group first with usermod -g. Supplementary memberships are simply dropped.
groupdel devops ### groupdel <group>
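The whole procedure above, from creating the group to removing the account, as one idempotent script. This is an added example, not the original post's code; it reuses the post's names (devops, mary, sudo) and prints the privileged commands instead of running them unless `RUN` is set to the empty string, so it can be read and tested without root.

```shell
# Added example, not from the original post: the create-group / create-user /
# add-to-groups / delete procedure as one idempotent script. Dry run by default:
# every privileged command is prefixed with $RUN, which is "echo" unless you
# start the script as root with RUN= (empty) to actually apply the changes.
RUN=${RUN-echo}

# Login names useradd accepts: lowercase letters, digits, "_" and "-", not
# starting with a digit or "-", at most 32 characters. LC_ALL=C keeps the
# [a-z] range from matching uppercase letters under some locales.
valid_username() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# provision_user <user> <primary_group> <comment> [supplementary_group ...]
provision_user() {
    user=$1; group=$2; comment=$3; shift 3
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }

    # getent consults NSS (LDAP, sssd, ...), so it also sees groups that a
    # plain read of /etc/group would miss.
    getent group "$group" >/dev/null || $RUN groupadd "$group"

    if getent passwd "$user" >/dev/null; then
        # Existing account: set primary group, comment and shell in place.
        $RUN usermod -g "$group" -c "$comment" -s /bin/bash "$user"
    else
        # -m creates the home directory from /etc/skel; without it Debian's
        # useradd leaves the account with no home directory at all.
        $RUN useradd -m -g "$group" -c "$comment" -s /bin/bash "$user"
    fi

    # Supplementary groups: -a appends. "usermod -G sudo" without -a would
    # replace every other supplementary group the user already has.
    for g in "$@"; do
        getent group "$g" >/dev/null || $RUN groupadd "$g"
        $RUN usermod -aG "$g" "$user"
    done

    # The shadow field is "!" (locked) until passwd sets a password; passwd
    # prompts interactively. Expiring it afterwards (chage -d 0) forces the
    # user to choose their own password at first login.
    $RUN passwd "$user"
    $RUN chage -d 0 "$user"
}

# Remove an account. userdel refuses while the user has processes, and -r
# deletes the home directory and mail spool; files elsewhere keep the old UID
# and have to be found by hand.
deprovision_user() {
    user=$1
    $RUN pkill -u "$user" || true     # no processes is not an error
    $RUN userdel -r "$user"
    $RUN find / -xdev -nouser -print  # orphaned files still carrying the old UID
}

# Dry-run demo of the post's scenario (prints the commands it would run).
provision_user mary devops "Mary (devops)" sudo
```

Run it once with `RUN=echo` (the default) to review the exact commands, then as root with `RUN=` to apply them; running it twice is safe because every create step is guarded by a `getent` lookup.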
So that's it, folks! Now we have learned Lesson 101, or maybe even a bit more, for Linux administrators :)