Linux is a multi-user operating system, i.e. it allows multiple users on different computers or terminals to access a single system. This makes it essential to know how to perform effective user management: how to add, modify, suspend, or delete user accounts, and how to grant them the permissions needed for their assigned tasks. For this multi-user design to work properly there has to be a method of controlling who may access what. This is where permissions come into play.
Normally Linux/Unix based systems have two kinds of user account: general user accounts, and the root account, which is the superuser that can access everything on the machine, make system changes, and administer other users. Some Linux variants work a little differently. In Ubuntu, for example, we cannot log in directly as root by default and need to use the sudo command to obtain root-level access when making changes.
User Permissions
Permissions or access rights are methods that direct users on how to act on a file or directory. There are three basic access rights viz., read, write, and execute.
- Read – read permission on a file allows its contents to be viewed. Read permission on a directory allows you to list the contents of that directory.
- Write – write permission on a file allows you to modify the contents of that file. Write permission on a directory allows you to change its contents, i.e. to create, rename, or remove entries in it.
- Execute – for a file, execute permission allows you to run the file as an executable program or script. For a directory, execute permission allows you to enter it and make it your current working directory.
The command ls -l <directory/file> is used to view the permissions on a file or directory; remember to replace the information in the < > with the actual file or directory name. Below is sample output for the ls command:
-rw-r--r-- 1 root wheel 5581 Sep 10 2014 /etc/passwd
The access permissions are denoted by the first ten characters. The first character indicates the type of resource, viz. 'd' for a directory, 's' for a special file, and '-' for a regular file. The following three characters, "rw-", define the owner's permissions on the file; here the file owner has 'read' and 'write' permissions only. The next three characters, "r--", are the permissions for members of the same group as the file owner, which in this instance is 'read' only. The last three characters show the permissions for all other users, in this instance 'read' only.
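To make that decoding concrete, here is an added POSIX shell example (not from the original article) that turns the ten-character mode string from ls -l into the octal value chmod uses and flags entries that everyone can write to; the ls -l lines it processes are constructed, not real system output.

```shell
#!/bin/sh
# Decode the 10-character mode field printed by `ls -l` (e.g. "-rw-r--r--")
# into a file type, the octal value chmod understands, and a world-writable flag.
# Added example; the ls -l lines below are constructed, not real system output.

# File type from the first character of the mode string.
mode_type() {
    case "$1" in
        -*) echo "regular file" ;;
        d*) echo "directory" ;;
        l*) echo "symbolic link" ;;
        *)  echo "special file" ;;
    esac
}

# One three-character triplet ("rw-") to a digit 0-7; s/t count as execute.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x|??s|??t) v=$((v + 1)) ;; esac
    echo "$v"
}

# Owner (chars 2-4), group (5-7) and others (8-10) to a three-digit octal value.
mode_to_octal() {
    o=$(triplet_value "$(printf '%s' "$1" | cut -c2-4)")
    g=$(triplet_value "$(printf '%s' "$1" | cut -c5-7)")
    a=$(triplet_value "$(printf '%s' "$1" | cut -c8-10)")
    echo "$o$g$a"
}

# True when the "others" triplet grants write (the 9th character is w).
world_writable() {
    case "$1" in ????????w?) return 0 ;; *) return 1 ;; esac
}

# Summarise one ls -l line: the first field is the mode, the last the path.
report_line() {
    mode=${1%% *}
    name=${1##* }
    flag=""
    if world_writable "$mode"; then flag=" WORLD-WRITABLE"; fi
    printf '%s %s%s\n' "$(mode_to_octal "$mode")" "$name" "$flag"
}

LS_SAMPLE='-rw-r--r-- 1 root wheel 5581 Sep 10 2014 /etc/passwd
-rw-rw-rw- 1 root root   120 Sep 10 2014 /tmp/notes.txt
drwxr-xr-x 2 root root  4096 Sep 10 2014 /etc/skel'
printf '%s\n' "$LS_SAMPLE" | while IFS= read -r line; do report_line "$line"; done
```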
Creating and Deleting User Accounts
In order to create a new standard user, we use the useradd command. The syntax is as follows:
useradd <user-name>
The useradd command is the most portable command for creating users across the various Linux distributions. It accepts a range of options, some of which are explained in the table below:
Option | Description | Usage
---|---|---
-d <home_dir> | <home_dir> will be the user's home directory on login to the system. | useradd <name> -d /home/<user's home>
-e <date> | Optional expiry date for the user account | useradd <name> -e <YYYY-MM-DD>
-f <inactive> | Inactive period, in days, before actual expiration of the user account | useradd <name> -f <0 or -1>
-s <shell> | Default shell for the user account | useradd <name> -s /bin/<shell>
Once a user is created, the passwd command is used to set a password for the new user. Root privileges are needed to change another user's password. The syntax is as follows:
passwd <user-name>
The user will be able to change the password at any time using the passwd command once logged in. Below is an example:
$ passwd
Changing password for testuser.
old password:
Enter new password:
Retype new password:
passwd: password updated successfully
This is useful when you want to create a user who just needs to log in and use the system in its current state without storing any personal files. For example, an administrator needs access to do his/her duties, while a regular user might want their own home directory to store their files.
There is another convenient way of creating user accounts, which might come in handy for first-time system administrators: the adduser utility, which however needs to be installed as a separate package. The installation command for a Debian/Ubuntu system is as follows:
apt-get install adduser
The adduser utility automatically creates a home directory and sets the default group, shell, etc. To create a new standard user use the adduser command; the syntax is as follows:
adduser <user-name>
Running this command results in a series of optional information prompts. The user name and a password should be supplied along with the command.
Once the user account is created, the full account information is stored in the /etc/passwd file. This file contains one record per system user account, with the following format:
[username]:[x]:[UID]:[GID]:[comment]:[home_dir]:[default-shell]
- [username] is the created user and the [comment] part is an optional description.
- An x in the second field indicates that the account is protected by a shadowed password stored in /etc/shadow, which is required for the user to log in.
- The [UID] and [GID] fields are integers representing the User ID and the primary Group ID to which the user belongs.
- [home_dir] is the absolute path to the user's home directory.
- [default-shell] is the shell allocated to this user when they log into the system.
Group information is stored in the /etc/group file. Each record has the following format:
[group]:[group-password]:[GID]:[group-members]
- [group] is the name of the user group.
- An x in [group-password] indicates that group passwords are not being used.
- [GID] is the Group ID, the same numbering used in /etc/passwd.
- [group-members] is a comma-separated list of users that belong to [group].
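As an added example (not part of the original article), the following POSIX shell functions apply the /etc/passwd and /etc/group field layouts above to constructed sample records: they list UID 0 accounts, accounts whose password field is not the expected x, accounts with an interactive shell, the members of a group, and a user's primary group name resolved through the shared GID.

```shell
#!/bin/sh
# Audit constructed /etc/passwd and /etc/group records using the field layouts
# described above. Added example, not from the original article; the records
# are made up and embedded here so the script runs offline without root.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
testuser:x:1001:1001:Test User:/home/testuser:/bin/bash
backup2:x:0:0:second uid 0 account:/root:/bin/sh
legacy::1002:1002:empty password field:/home/legacy:/bin/sh'

GROUP_SAMPLE='root:x:0:
sudo:x:27:testuser,backup2
test-users:x:1001:testuser'

# Field 1 is the username, field 3 the UID: every account with UID 0 is root-equivalent.
uid0_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 { print $1 }'
}

# Field 2 should be "x" (password kept in /etc/shadow); anything else needs a look.
unshadowed_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$2 != "x" { print $1 }'
}

# Field 7 is the login shell: accounts that can log in interactively.
login_shell_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$7 !~ /nologin$|false$/ { print $1 }'
}

# Field 4 of /etc/group is the comma-separated member list for the named group.
group_members() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }'
}

# Primary group name: the GID in /etc/passwd field 4 matched against /etc/group field 3.
primary_group() {
    gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

echo "UID 0 accounts:";        uid0_accounts
echo "Non-shadowed accounts:"; unshadowed_accounts
echo "Accounts with a shell:"; login_shell_accounts
echo "Members of sudo:";       group_members sudo
echo "Primary group of testuser:"; primary_group testuser
```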
Removing a user account can simply be done with the userdel command. The syntax is as follows:
userdel <user-name>
Using the command above will only delete the user's account; the user's home directory and other files will not be deleted.
In order to completely remove the user along with their home directory and other files belonging to them, use the userdel command with the -r parameter as shown below:
userdel -r <user-name>
It is important to follow security policy; in particular, it is strongly recommended to use a unique password for each account, without exception.
Modifying User Accounts
Once a user account is created, we can edit the information associated with the user using the usermod command, whose basic syntax is as follows:
usermod [options] [user-name]
Setting the Expiry Date for an Account
Use the -e or --expiredate option followed by a date in YYYY-MM-DD format.
usermod --expiredate 2015-08-30 testuser
Adding User to Supplementary Groups
Use the combined -aG or --append --groups option, followed by a comma-separated list of groups.
usermod --append --groups root,test-users testuser
Changing Default Location of User’s Home Directory
Use the -d or --home option, followed by the absolute path to the new home directory.
usermod --home /tmp testuser
Changing the Shell the User will use by Default
Use the -s or --shell option, followed by the path to the new shell.
usermod --shell /bin/sh testuser
These operations can be carried out together using the command below:
usermod --expiredate 2015-08-30 --append --groups root,users --home /tmp --shell /bin/sh testuser
Disabling Account by Locking Password
Use the -L or --lock option to lock a user's password, which disables the user account.
usermod --lock testuser
Unlocking User Password
Use the -U or --unlock option to unlock a user's password that was previously locked, re-enabling a disabled user.
usermod --unlock testuser
Creating a New Group with Proper Permissions
To create a new group we can simply use the groupadd command.
$ groupadd test_group
The following command changes the group owner of test_file.txt to test_group:
$ chown :test_group test_file.txt
In order to add test-user to test_group we run the following command:
$ usermod -aG test_group test-user
Deleting a Group
We can delete a group using the following command:
$ groupdel [group]
If there are files owned by the group, they will not be deleted, but their group ownership will now show only the numeric GID of the group that was deleted.
System administrators need effective user and file management skills. In this piece we have explained the basics and hope you can use it as a reference to build upon.
Post a comment or query and I will get back to you.