User Management Reference Guide
- This guide serves as a reference of commands that can be used to manage users on a Linux machine
- Commands here are notes taken from this Pluralsight course
- consult the man pages for the definitive specifications
- User Commands
- Finding User Information
- Group Commands
- Finding Group Information
- Create Locked Users for Running Scripts
Common Usage Patterns:
useradd -m <username>
creates <username> and its home directory
useradd -m -g <group_name> <username>
creates <username> with <group_name> as its primary group
useradd -N -m <username>
creates <username> without a user private group; the primary group is the default from /etc/default/useradd
useradd -D
see defaults
userdel <username>
deletes <username> (the home directory is left in place)
userdel -r <username>
deletes <username> and its home directory and mail spool as well
usermod -c "<comment>" <username>
sets the comment (GECOS) field of <username>
usermod -aG <group_name> <username>
adds existing user to secondary group <group_name>; without -a, -G replaces the user's whole list of secondary groups with the ones given
passwd <username>
changes the password of <username>
passwd -l <username>
locks the account's password (prepends ! to the hash in /etc/shadow); other authentication methods such as ssh keys still work, so this alone does not block all logins
passwd -u <username>
unlocks the account's password
passwd -e <username>
expires the password so that a new one must be set at the next login
/etc/passwd
contains user account information excluding password hashes (world-readable)
/etc/shadow
contains the password hashes and password ageing information (readable only by root)
grep '^<username>:' /etc/passwd
to view <username>'s information; anchor the pattern so that "bob" does not also match "bobby" (getent passwd <username> does the same and also consults other NSS sources such as LDAP)
cut -d: -f1 /etc/passwd
to view all users without additional user information
For each user in /etc/passwd there are the following 7 ':' delimited fields:
- login name
- optional password hash, or "x" when the hash is kept in /etc/shadow
- numerical UID
- numerical GID of the primary group
- user name or comment (the GECOS field), if any
- optional command interpreter: the login shell, or a non-shell such as /bin/false or /usr/sbin/nologin to deny interactive login (an empty field means /bin/sh)
For each user in /etc/shadow there are the following 9 ':' delimited fields:
- login name
- password hash (if it starts with '!' the password is locked; a field that is not a valid crypt(3) result, such as '!' or '*' alone, means no password login is possible; a leading $id$ such as $6$ names the hashing method, here SHA-512)
- date of last password change (days since 1970-01-01; 0 forces a change at the next login)
- minimum password age
- maximum password age
- password warning period
- password inactivity period
- account expiry date
- reserved field (currently unused)
Additional information on these fields can be found with the commands man 5 passwd and man 5 shadow
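The field layouts above are easiest to remember once you have parsed them yourself. The script below is an added example, not code from this guide or the Pluralsight course: it reads /etc/passwd and /etc/shadow records field by field and reports, per account, the UID, the login shell, whether the password field is a real hash, locked, or empty, and the maximum password age. The sample records it writes are constructed (the hashes are placeholders); the user names, paths and function names are mine. Point the functions at the real files as root to audit a live system.

```bash
#!/usr/bin/env bash
# Added example, not code from the guide: parse /etc/passwd and /etc/shadow
# records field by field and report the login-relevant facts per account.
# Runs on constructed sample files; pass the real files as root to audit a
# live system (/etc/shadow is readable only by root).
set -euo pipefail

# Write constructed sample records (the hashes are placeholders, not real).
write_sample_account_files() {
  local dir=$1
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc_backup:x:1001:1001::/home/svc_backup:/bin/false
alice:x:1002:1002:Alice:/home/alice:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
EOF
  cat > "$dir/shadow" <<'EOF'
root:$6$FgAhWtTM$constructedplaceholderhash:17457:0:99999:7:::
svc_backup:!:17457:0:99999:7:::
alice:$y$j9T$constructedplaceholderhash:19000:0:90:7:::
guest::19000:0:99999:7:::
EOF
}

# Classify the second field of a shadow record.
classify_hash() {
  case "$1" in
    '')        echo "EMPTY-PASSWORD" ;;   # no password at all: anyone can log in
    '!'*|'*'*) echo "locked" ;;           # not a valid crypt(3) result: no password login
    '$6$'*)    echo "sha512" ;;
    '$5$'*)    echo "sha256" ;;
    '$y$'*)    echo "yescrypt" ;;
    '$1$'*)    echo "md5-weak" ;;
    *)         echo "other" ;;
  esac
}

# audit_accounts <passwd file> <shadow file>
# One line per account: name, uid, login shell, hash class, maximum password age.
audit_accounts() {
  local passwd_file=$1 shadow_file=$2
  local name pw uid gid gecos home shell
  local login hash lastchg min max warn inact expire rest
  while IFS=: read -r name pw uid gid gecos home shell; do
    # Anchored lookup: "grep bob" would also match "bobby".
    IFS=: read -r login hash lastchg min max warn inact expire rest \
      < <(grep "^${name}:" "$shadow_file" || echo "${name}::::::::")
    # An empty 7th passwd field means /bin/sh (man 5 passwd).
    printf '%s uid=%s shell=%s password=%s maxage=%s\n' \
      "$name" "$uid" "${shell:-/bin/sh}" "$(classify_hash "$hash")" "${max:-none}"
  done < "$passwd_file"
}

# Demo on the constructed files.
tmp=$(mktemp -d)
write_sample_account_files "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

The "EMPTY-PASSWORD" class is the one to look for first: an empty second field in /etc/shadow is not a locked account, it is an account that logs in without any password. The "locked" class covers both a deliberately locked password (! in front of a hash) and system accounts that never had one (* or ! alone).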
Common usage patterns:
groupadd <group_name>
creates a new group
groupdel <group_name>
deletes <group_name>
gpasswd -M <comma separated names> <group_name>
sets the member list of the group (replaces whatever list was there; use gpasswd -a <user> <group_name> to add a single member and gpasswd -d to remove one)
gpasswd <group_name>
sets the group password for <group_name> (only used by newgrp for non-members; rarely needed)
newgrp <group_name>
starts a new shell in which <group_name> is YOUR primary group (use id to verify the change)
- only for this session, you are not made a permanent member; members of the group need no password, non-members are asked for the group password if one is set
- this is good for picking up a group's permissions temporarily, e.g. so that files you create get that group as their group owner
- type "exit" to leave the new shell
- if USERGROUPS_ENAB is enabled, each new user is created with a private group of the same name as the user
- if disabled, new users are placed in the group given by GROUP in /etc/default/useradd
- use useradd -N <username> to skip the private group for a single user; enable or disable private groups system-wide by editing USERGROUPS_ENAB in /etc/login.defs
- Primary group is used as the group owner of files the user creates
- Secondary groups are more traditional groups, used for access to resources that we have rights to through any of our GIDs
/etc/group
contains group information (world-readable)
/etc/gshadow
contains the shadowed group passwords and the group administrator lists (readable only by root)
grep '^<group_name>:' /etc/group
to get <group_name> info (anchored so that it does not also match other groups whose names contain the string; getent group <group_name> does the same and also consults other NSS sources). Note that this shows only the members listed in /etc/group, not the users whose primary GID in /etc/passwd is this group
For each group in /etc/group there are the following 4 ':' delimited fields:
- group name
- password ("x" when the password is kept in /etc/gshadow)
- numerical GID
- user list, comma separated (members for whom this is a secondary group)
For each group in /etc/gshadow there are the following 4 ':' delimited fields:
- group name
- encrypted password ('!' or '*' means no usable password; group members never need it)
- admin list, comma separated (use -A with gpasswd to manage admins)
- member list, comma separated (use -M with gpasswd to set it, -a / -d to add or remove a single member)
Additional information on these fields can be found with the commands man 5 group and man 5 gshadow
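Because membership can come from either file (field 4 of /etc/group for secondary groups, field 4 of /etc/passwd for the primary group), a plain grep of /etc/group does not answer "who is in this group". The script below is an added example, not code from this guide or the course: it resolves the effective membership of a group from both files. The sample files, user and group names are constructed, and the function names are mine; pass /etc/group and /etc/passwd for real data.

```bash
#!/usr/bin/env bash
# Added example, not code from the guide: resolve who is effectively in a
# group. A user is in a group either by being listed in field 4 of
# /etc/group (secondary group) or by having the group's GID in field 4 of
# /etc/passwd (primary group); "grep <group_name> /etc/group" shows only the
# first kind and also matches other groups whose names contain the string.
# Runs on constructed sample files; pass /etc/group and /etc/passwd for real data.
set -euo pipefail

# Constructed sample files.
write_sample_group_files() {
  local dir=$1
  cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
developers:x:1005:alice
svcgrp:x:1010:
EOF
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
carol:x:1004:1005::/home/carol:/bin/bash
svc_backup:x:1001:1010::/home/svc_backup:/bin/false
EOF
}

# group_gid <group> <group file>: print the numeric GID, fail if no such group.
group_gid() {
  awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' "$2"
}

# effective_members <group> <group file> <passwd file>
# Sorted, de-duplicated login names that get this group's rights.
effective_members() {
  local group=$1 group_file=$2 passwd_file=$3 gid
  gid=$(group_gid "$group" "$group_file") || { echo "no such group: $group" >&2; return 1; }
  {
    # explicit members from /etc/group field 4
    awk -F: -v g="$group" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
    # users whose primary group is this GID
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
  } | LC_ALL=C sort -u
}

# is_member <user> <group> <group file> <passwd file>: exit 0 if the user is in the group.
is_member() {
  effective_members "$2" "$3" "$4" | grep -x -- "$1" >/dev/null
}

# Demo on the constructed files: carol is in developers only via her primary GID,
# and svc_backup is in svcgrp although /etc/group lists no members for it.
tmp=$(mktemp -d)
write_sample_group_files "$tmp"
for g in wheel developers svcgrp; do
  printf '%s: %s\n' "$g" "$(effective_members "$g" "$tmp/group" "$tmp/passwd" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

This matters most for privileged groups such as wheel or sudo: a user whose primary GID points at such a group holds its rights without appearing anywhere in /etc/group.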
The following script can be used to create users which have the following properties:
- no home directory
- password is locked
- no shell access
```bash
#!/bin/bash
# This script is used for creating users for the sole purpose of
# running scripts, owning files, and other tasks which do not
# require an individual to interact with it.
# MUST BE RUN WITH SUDO PERMISSIONS
# If this user needs to access files or directories, you MUST grant it
# access to them (by ownership, a shared group, or permissions for "other").
# One argument should be supplied: the desired <username>
# If one argument is not passed, usage instructions will be printed
set -eu

if (( $# != 1 )); then
    echo "Usage: $0 <username>" >&2
    exit 1
fi
if (( EUID != 0 )); then
    echo "$0 must be run as root (use sudo)" >&2
    exit 1
fi

# set -e stops at the first failing command (e.g. the user already exists)
useradd -M "$1"                  # adds the user without creating a home directory
usermod -L "$1"                  # locks the user password so that it can't be used
usermod -s /bin/false "$1"       # disables the shell
echo "Created locked user: $1"   # print the result
```
With sudo permissions, run the following commands:
useradd -M <username>
: this adds the user without creating a home directory
usermod -L <username>
: this locks the user password (equivalent to passwd -l)
usermod -s /bin/false <username>
: this sets the login shell to /bin/false so that nothing can start an interactive session as this user (/usr/sbin/nologin does the same and additionally prints a message)
Enter the following command:
grep '^<username>:' /etc/passwd
(additional information about /etc/passwd can be found with the man 5 passwd command)
The output should resemble this:
<username>:x:1001:1001::/home/<username>:/bin/false
The last ':'-delimited field says /bin/false, which means the user can't get a shell.
A home directory is listed in the sixth field because useradd records the default path even with -M; ls -alh /home should reveal that no such directory actually exists.
Next, enter the following command:
grep '^<username>:' /etc/shadow
(additional information about /etc/shadow can be found with the man 5 shadow command)
The output should resemble this:
<username>:!$6$FgAhWtTM$GEmTvG9zeNF1iZn8.VN7IMwKJBwheno7FN067Y4zYXF1NEyIFv3PG0drF9v8d2eHfAao2.950p3GiBWMLDtzO1:17457:0:99999:7:::
The second field contains a password hash (this account had a password set up earlier; on an account created by the script above the field is just "!"). What matters is that it begins with ! which signifies that the password (even if there isn't one) is locked.
Finally, try to log into that account you just made with the following command:
sudo su - <username>
The output should look like this:
No directory, logging in with HOME=/
Now enter the command: whoami
It should return YOUR username and not the one we just created. The login went nowhere because the login shell is /bin/false, which exits immediately. Note that sudo su never asks for the target account's password, so the lock is not what stopped it here; the lock matters for direct logins (console, or ssh with password authentication), while the disabled shell is what blocks everything else, including ssh with a key.
Now that the user is set up, we can run scripts as that user by naming it in the user field of a line in /etc/crontab.
Because the user has no home folder and owns nothing yet, you MUST give it access to the files and directories the job will touch, or the cron job won't run: every directory on the path to the script needs execute (search) permission for the user, and the script itself needs read and execute.
See this guide for an in-depth guide on how to do this, but TLDR:
chmod o+x <script_name>
: so that the user can execute <script_name> (files are usually created world-readable already, which the interpreter also needs)
chmod o+rw <file_or_directory_name>
: so that the user can read and write to a file or directory
Granting "other" is the quickest way, but it grants every local user the same access. Never make the script itself writable by others: anyone who can edit it gets their commands run as the locked user by cron. The safer pattern is to chown the script to root:<a group the user is in> with mode 750, and to chown the data files or directories to the user itself.
Reasoning behind this usage pattern comes from this post.
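A quick way to check a cron target before the job first runs is to test the permission bits the way the kernel will. The script below is an added example, not code from this guide or the linked post: it takes the script path and the service account's numeric uid and gid, flags a script that is writable by everyone (or by a group other than the account's own), and confirms the account can execute it by owner, group or "other" bits. It assumes GNU coreutils stat (Linux); the file and ids in the demo are constructed and no root is needed.

```bash
#!/usr/bin/env bash
# Added example, not code from the guide: check that a script which cron
# will run as a locked service account is executable by that account but
# not modifiable by everyone. Assumes GNU coreutils stat (Linux).
set -euo pipefail

# check_cron_target <path> <uid> <gid>
# <uid>/<gid> are the service account's numeric ids, e.g. "$(id -u svc)" "$(id -g svc)".
# Prints "ok" or one line per problem; returns 0 only when no problem was found.
check_cron_target() {
  local path=$1 uid=$2 gid=$3
  local mode owner grp bits problems=0 can_exec=0
  mode=$(stat -c '%a' "$path")    # e.g. 755
  owner=$(stat -c '%u' "$path")   # numeric owner
  grp=$(stat -c '%g' "$path")     # numeric group
  bits=$((8#$mode))               # octal string -> integer

  # o+w: any local user can replace the script, and cron would then run
  # their code as the service account.
  if (( bits & 0002 )); then
    echo "PROBLEM: $path is world-writable"; problems=1
  fi
  # g+w by a group that is not the service account's own group is the same risk.
  if (( bits & 0020 )) && [ "$grp" != "$gid" ]; then
    echo "PROBLEM: $path is writable by group $grp"; problems=1
  fi
  # Can the account execute it: as owner, as a group member, or as "other"?
  [ "$owner" = "$uid" ] && (( bits & 0100 )) && can_exec=1
  [ "$grp" = "$gid" ] && (( bits & 0010 )) && can_exec=1
  (( bits & 0001 )) && can_exec=1
  if (( can_exec == 0 )); then
    echo "PROBLEM: uid $uid cannot execute $path"; problems=1
  fi

  (( problems == 0 )) && echo "ok"
  return "$problems"
}

# Demo on a temporary file (constructed; no root needed). The guide's
# "chmod o+rw" makes the second check report a world-writable script.
tmp=$(mktemp -d); f="$tmp/job.sh"
printf '#!/bin/sh\necho backup done\n' > "$f"
chmod 750 "$f";   check_cron_target "$f" "$(id -u)" "$(id -g)" || true
chmod o+rwx "$f"; check_cron_target "$f" "$(id -u)" "$(id -g)" || true
rm -rf "$tmp"
```

To try a job by hand before adding it to /etc/crontab, run it as the account with sudo -u <username> /path/to/script; sudo executes the command directly rather than through the account's /bin/false shell, so this works even though the account cannot log in.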