
5.) User Management

The document outlines user and group management in Linux, detailing user account types, configuration files, and management commands. It covers privilege escalation using 'su' and 'sudo', as well as group management commands and configurations. Additionally, it provides demonstrations and troubleshooting tips for managing user accounts and privileges effectively.


User Management:
Administering Users and Groups

Course Instructor: Debjani Ghosh
Outline
User Account Management
• Types of Users on Linux
• User Configuration Files
• Contents of /etc/passwd & /etc/shadow
• User Management Commands
• User Configuration Commands
• User Account Modification Utilities
Group Management
• Group Configuration Files
• Group Management Commands
• Group Configuration Commands
• Adding a User to a Group
Configure Privilege Escalation
• Elevate Privilege using su command
• Configuring /etc/sudoers
Objectives
• Manage user accounts.
• Manage group accounts.
• Configure privilege escalation.
• Troubleshoot user and group issues.
Manage User Accounts
Types of Accounts on Linux
• There are three types of accounts on Linux systems:
  • root,
  • standard user, and
  • service.
USER CONFIGURATION FILES
• USER ACCOUNT STORAGE
  • /etc/passwd file stores the actual user account and maintains various settings related to accounts.
  • /etc/shadow file stores password information for the accounts.
  • /etc/profile to set system-wide environment variables and startup programs for new user shells.
  • /etc/bashrc to establish system-wide functions and aliases for new user shells.
User account storage
1. /etc/passwd
  a. The /etc/passwd file contains information about user accounts.
  b. Each line in this file represents a single user account and contains seven fields separated by colons (:).
  c. Example entry in /etc/passwd:
     username:x:1000:1000:User Name,,,:/home/username:/bin/bash
  d. Explanation:
    • username: The user's login name.
    • x: Placeholder for the password. The actual password is stored in /etc/shadow.
    • 1000: User ID (UID).
    • 1000: Group ID (GID).
    • User Name,,,: GECOS field, often used for the user's full name and other information.
    • /home/username: The user's home directory.
    • /bin/bash: The shell that the user will use after logging in (in this case, Bash).
User account storage
2. /etc/shadow
  a. The /etc/shadow file contains encrypted password information for user accounts along with other password-related settings.
  b. Example entry in /etc/shadow:
     username:$6$randomhash$VdQxL...:18958:0:99999:7:::
  c. Explanation:
    • username: The user's login name.
    • $6$randomhash$VdQxL...: The user's encrypted password (the $6$ indicates the hash algorithm, in this case, SHA-512).
    • 18958: The date of the last password change, in days since January 1, 1970.
    • 0: Minimum number of days between password changes.
    • 99999: Maximum number of days the password is valid.
    • 7: Number of days before the password expires that the user is warned.
    • :::: The remaining fields (account inactivity period, account expiration date and a reserved field) are empty in this entry.
Contents of /etc/passwd & /etc/shadow

/etc/passwd
Field – Content
User Name – The name the user logs into the system with
Password – User password represented as an x; the actual password is stored elsewhere
User ID – Unique number representing the user to the system
Group ID – Unique number representing the user's primary group
Comment – Typically displays the user's full name
Home directory – Absolute path to the user's home directory
Login shell – Absolute path to the user's default shell (usually /bin/bash)

/etc/shadow
Field – Content
User name – The name the user logs into the system with
Password – Hash value of the user's password
Days since last password change – Number of days since the last password change; counted from January 1, 1970
Days before password may be changed – Minimum changeable period, typically set at 1 day
Days before password must be changed – Maximum number of days since the last password change before the password must be changed again; a value of 99999 means the password never needs to be changed, but often set at 90 days
Days until the user is warned to change password – Days before the date the password must be changed that the warning is issued, often set to 7 days
Days after password expires that the account is disabled – Number of days after the password expires until the account is disabled; should be immediate
Days until account expires – Number of days until the account expires and cannot be used
Unused field – Reserved for potential future use
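The two tables above describe the fields; the script below, added here as an example and not part of the course slides, audits /etc/passwd and /etc/shadow style records for the conditions a security reviewer checks first: a second UID 0 account, an empty password hash, locked entries, and users whose passwd line says "x" but who have no shadow line at all. The records are constructed for this example; on a real host the files themselves are read, and /etc/shadow is readable only by root.

```shell
#!/bin/sh
# Added example: audit constructed /etc/passwd and /etc/shadow records for the conditions a
# reviewer checks first. The sample records are constructed for this example; on a real
# host you would read the files themselves (reading /etc/shadow requires root).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
backup2:x:0:0:legacy backup:/home/backup2:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$6$randomhash$VdQxL...:18958:0:99999:7:::
daemon:*:18958:0:99999:7:::
alice:$6$salt$hash:18958:0:99999:7:::
backup2::18958:0:99999:7:::'

# uid0_accounts: every login name with UID 0 other than root (a second superuser account).
uid0_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_password_accounts: shadow entries whose hash field is empty, i.e. no password at all.
empty_password_accounts() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# locked_accounts: hash field starting with "!" or "*", so password login is disabled.
locked_accounts() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# missing_shadow_entries: passwd users whose password field is "x" but who have no shadow line.
missing_shadow_entries() {
  shadow_tmp=$(mktemp); passwd_tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_SHADOW" > "$shadow_tmp"
  printf '%s\n' "$SAMPLE_PASSWD" > "$passwd_tmp"
  awk -F: 'NR == FNR { seen[$1] = 1; next } $2 == "x" && !($1 in seen) { print $1 }' \
    "$shadow_tmp" "$passwd_tmp"
  rm -f "$shadow_tmp" "$passwd_tmp"
}

audit_report() {
  echo "UID 0 accounts besides root:  $(uid0_accounts | tr '\n' ' ')"
  echo "Accounts with empty password: $(empty_password_accounts | tr '\n' ' ')"
  echo "Locked accounts:              $(locked_accounts | tr '\n' ' ')"
  echo "Users with no shadow entry:   $(missing_shadow_entries | tr '\n' ' ')"
}

audit_report
```

Each check is a one-line awk over the colon-separated fields, which is all that is needed to turn the field descriptions in the tables into something that can run from cron or a configuration-check job.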
User account storage
• /etc/profile
  o Used to set system-wide environment variables and startup programs for all users' shells.
  o It is executed by the shell during login.
User account storage: /etc/profile
• Explanation:
  • PATH: Sets the default executable search path.
  • umask 022: Sets the default file creation permissions.
  • /etc/profile.d/*.sh: Loads additional scripts for system-wide settings.
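As an added illustration (not from the slides) of what the umask 022 line in /etc/profile actually does, this script creates a file and a directory under two umask values inside a throwaway temporary directory and prints the resulting permission bits:

```shell
#!/bin/sh
# Added example (not from the slides): show what the "umask 022" line in /etc/profile does by
# creating a file and a directory under two umask values inside a throwaway temporary directory.

# mode_string PATH: the permission column of ls -l, e.g. -rw-r--r-- or drwxr-xr-x
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# modes_under_umask MASK: create a file and a directory with MASK in effect (inside a subshell,
# so the caller's umask is untouched) and print "<file mode> <directory mode>".
modes_under_umask() {
  dir=$(mktemp -d)
  (
    umask "$1"
    : > "$dir/file"      # files start from 0666 before the mask is subtracted
    mkdir "$dir/dir"     # directories start from 0777
  )
  printf '%s %s\n' "$(mode_string "$dir/file")" "$(mode_string "$dir/dir")"
  rm -rf "$dir"
}

echo "umask 022: $(modes_under_umask 022)"   # group and others can read: the common default
echo "umask 077: $(modes_under_umask 077)"   # owner only: what a hardening baseline often sets
```

The mask is subtracted from 0666 for files and 0777 for directories, so 022 leaves new files world-readable while 077 keeps them private to the owner.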
User account storage
• /etc/bashrc or /etc/bash.bashrc
  o Used to establish system-wide functions, aliases, and other configurations that apply to all Bash shell sessions (not just login shells).
User account storage: /etc/bashrc or /etc/bash.bashrc
• Explanation:
  • /etc/bash_completion: Loads Bash completion for command-line autocompletion.
  • PS1: Sets the default command prompt format.
  • Aliases: Defines shortcuts for commonly used commands (ll for ls -l, la for ls -A, etc.).
Account management commands
1. useradd – Create User Accounts
  o The useradd command is used to create a new user account in the system.
  o This will add an entry to the /etc/passwd, /etc/shadow, and /etc/group files.
Passwd command
• The passwd command is primarily used for changing user passwords but can also control password policies like expiration, locking accounts, and more.
• It is essential for managing user authentication securely in a Linux environment.
• Always be cautious with options like -d and -u, as they directly affect user access to the system.
• Unlock a user account
• Removing the password for a user
Demonstration
1. Sign in to the system
  • Log in to your Linux system with administrative privileges. Ensure you have sudo or root access to perform these tasks.
2. Display the contents of /etc/login.defs
  • The /etc/login.defs file contains configuration settings for user account creation and password policies.
• Create a user with useradd
• Create a user with useradd and define a non-default home directory
• Create a user with useradd and define a non-Bash shell
• Set a password for each new user
• Create a user with adduser
  o The adduser command is typically more interactive than useradd and is used primarily in Debian-based systems.
  o It prompts for information such as full name, home directory, and password during the process.
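To make the demonstration steps concrete without needing root, the following script (an added example, not useradd's own code and not from the slides) reads a constructed /etc/login.defs excerpt and a constructed /etc/passwd, picks the UID that useradd would assign next, and prints the /etc/passwd and /etc/shadow lines a new account would get with the default shell and home directory, and with a non-default shell and home as in the demonstration. The settings names (UID_MIN, UID_MAX, PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE) are real login.defs keys; the values are constructed.

```shell
#!/bin/sh
# Added example, not useradd's own code: show which /etc/login.defs defaults shape a new account
# and what the resulting /etc/passwd and /etc/shadow entries look like, without creating anything.
# The login.defs excerpt and the passwd records are constructed for this example.

SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
UMASK           022'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example,,,:/home/bob:/bin/bash'

# login_def KEY: value of one setting from the excerpt (comment lines never match a key).
login_def() {
  printf '%s\n' "$SAMPLE_LOGIN_DEFS" | awk -v key="$1" '$1 == key { print $2 }'
}

# next_free_uid: lowest UID in [UID_MIN, UID_MAX] not already used, which is how useradd
# picks a UID when -u is not given (gaps such as 1001 here are reused).
next_free_uid() {
  printf '%s\n' "$SAMPLE_PASSWD" |
    awk -F: -v min="$(login_def UID_MIN)" -v max="$(login_def UID_MAX)" '
      { used[$3] = 1 }
      END { for (u = min + 0; u <= max + 0; u++) if (!(u in used)) { print u; exit } }'
}

# planned_entries NAME [SHELL] [HOME]: the two lines a fresh account gets. The shadow password
# field is "!" (locked) until passwd sets a hash; the date field is days since 1970-01-01.
# Simplification: the primary GID is shown equal to the UID, as with a per-user group.
planned_entries() {
  name=$1; shell=${2:-/bin/bash}; home=${3:-/home/$1}
  uid=$(next_free_uid)
  today=$(( $(date +%s) / 86400 ))
  printf '%s:x:%s:%s::%s:%s\n' "$name" "$uid" "$uid" "$home" "$shell"
  printf '%s:!:%s:%s:%s:%s:::\n' "$name" "$today" \
    "$(login_def PASS_MIN_DAYS)" "$(login_def PASS_MAX_DAYS)" "$(login_def PASS_WARN_AGE)"
}

planned_entries carol                   # defaults: /bin/bash, /home/carol
planned_entries dave /bin/sh /srv/dave  # like useradd -s /bin/sh -d /srv/dave dave
```

The locked "!" in the shadow line is why the demonstration ends with "set a password for each new user": until passwd writes a hash, the account exists but cannot log in with a password.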
Modify and Delete User Accounts
• usermod
• userdel
USER ACCOUNT MODIFICATION UTILITIES
• usermod provides options for changing most of the fields in the /etc/passwd file.
Chage Command
• Used to change and view the password expiration information for user accounts.
• It allows you to manage account aging by setting policies like
  o how often a user must change their password,
  o when the password expires, and
  o when the user is warned about upcoming password expiration.
• Example
Chage command
• Example
Chage command
• Powerful tool for managing password policies and account aging on Linux systems.
• It is particularly useful for enforcing security policies that require regular password changes and account expiration management.
The chage Command
Option – Purpose
-l – Display the current values
-M – Specify the maximum number of days between password changes
-m – Specify the minimum number of days between password changes
-W – Specify the number of warning days before a password expires
-E – Lock an account after a specified date
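The values chage -l prints are derived from the numeric fields in /etc/shadow. The script below, added here as an example and not from the slides, performs that derivation on two constructed shadow entries (the first reuses the fields from the /etc/shadow slide, the second has a 90-day maximum, a 14-day inactivity grace and an account expiry date) and reports them in the style of chage -l. It converts day counts to dates with integer arithmetic only, so it does not depend on GNU date -d.

```shell
#!/bin/sh
# Added example: turn the numeric aging fields of constructed /etc/shadow entries into the
# calendar dates that "chage -l" reports, without touching the real file or needing root.
# The two sample entries are constructed; the first reuses the fields from the slide above.

# days_to_date N: civil date for N days since 1970-01-01, using integer arithmetic only
# (no reliance on GNU "date -d", so it runs in any POSIX shell).
days_to_date() {
  z=$(( $1 + 719468 ))
  era=$(( z / 146097 ))
  doe=$(( z - era * 146097 ))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  m=$(( mp < 10 ? mp + 3 : mp - 9 ))
  y=$(( yoe + era * 400 + (m <= 2) ))
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# expiry_dates SHADOW_LINE: print "<password expires> <password inactive> <account expires>".
# Fields: name:hash:lastchange:min:max:warn:inactive:expire. A max of 99999 is treated as
# "never"; the inactive period counts from the password expiry date.
expiry_dates() {
  IFS=: read -r name hash last min max warn inactive expire rest <<EOF
$1
EOF
  if [ "$max" -ge 99999 ]; then pw=never; else pw=$(days_to_date $(( last + max ))); fi
  if [ "$pw" = never ] || [ -z "$inactive" ]; then ina=never
  else ina=$(days_to_date $(( last + max + inactive ))); fi
  if [ -z "$expire" ]; then acct=never; else acct=$(days_to_date "$expire"); fi
  printf '%s %s %s\n' "$pw" "$ina" "$acct"
}

# aging_report SHADOW_LINE: chage -l style summary of one entry.
aging_report() {
  IFS=: read -r name hash last min max warn inactive expire rest <<EOF
$1
EOF
  set -- $(expiry_dates "$1")
  printf 'Account: %s\n' "$name"
  printf '  Last password change : %s\n' "$(days_to_date "$last")"
  printf '  Password expires     : %s\n' "$1"
  printf '  Password inactive    : %s\n' "$2"
  printf '  Account expires      : %s\n' "$3"
  printf '  Min / max / warn days: %s / %s / %s\n' "$min" "$max" "$warn"
}

aging_report 'username:$6$randomhash$VdQxL...:18958:0:99999:7:::'
aging_report 'auditor:$6$salt$hash:18958:1:90:7:14:19000'   # 90-day max, 14-day grace, fixed end date
```

The -M, -m, -W and -E options in the table write exactly these fields; -E in particular sets the eighth field, which is why an account can be locked on a date independently of its password age.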


Key Demonstration: Account Configuration Commands
Sign in to at least one system (either RH or Debian-based), then display output of any of the following:
• whoami
• w
• who
• id
• /etc/login.defs file
• Password configurations with chage
w and who display all current logins on the system, including those that might have remote terminal connections.
Review Activity: User Account Management
1. Why are user passwords stored in the /etc/shadow file and not the /etc/passwd file?
2. What is the purpose of the /etc/skel directory?
3. Why might an administrator change a user's default shell?
4. Link for the answers to the above questions
Group Management
GROUP CONFIGURATION FILES
• Easier to grant permissions to a resource to a single group with five members than it is to individually grant access to each user account.
• Groups are a standard administrative tool for controlling access to resources.
• /etc/group stores the group configuration.
Group Configuration Files: /etc/group
The /etc/group file uses four fields:
Group Management Commands
Command – Purpose
groupadd – Create a group in the /etc/group file
groupmod – Modify an existing group
groupdel – Remove an existing group
Key Demonstration: Group Management
Sign in to at least one system (either RH or Debian-based), then create several groups and display the /etc/group file contents. The focus of this demo is group management. Adding users to the group is in a later demonstration.
1. Sign in
2. Create a new group named sales - groupadd sales
3. Create a new group named marketing - groupadd marketing
4. Display the contents of /etc/group to show the two new groups - tail /etc/group
5. Modify the marketing group by changing its name to publicity - groupmod -n publicity marketing
6. Display the contents of /etc/group to show the renamed group - tail /etc/group
7. Delete the sales group - groupdel sales
8. Display the contents of /etc/group to show the sales group no longer exists
Add Users to a Group
• Use the usermod command covered earlier to add a user to an existing group.
• usermod -aG sales USERNAME
Option – Purpose
-a – Append the user to the group, and maintain any existing group memberships
-G – Specify a group to which the user will be added
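The difference between -aG and a bare -G is easiest to see on the file itself. The script below is an added example, not usermod's code and not from the slides: it applies both forms of the change to a constructed /etc/group (whose four fields are name:password:GID:member-list) and lists the groups the user ends up in. On a real system the same view comes from groups USER, id -Gn USER or getent group.

```shell
#!/bin/sh
# Added example, not usermod itself: on a constructed /etc/group, show what "usermod -aG" and a
# "usermod -G" with the -a forgotten do to a user's supplementary groups. The real /etc/group is
# never read or written; the fields are name:password:GID:member-list.

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
developers:x:1001:alice,bob
sales:x:1002:'

# groups_of USER: supplementary groups USER is listed in, one per line (what "groups USER",
# "id -Gn USER" or "getent group" let you see on a real system).
groups_of() {
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" 'index("," $4 ",", "," u ",") { print $1 }'
}

# apply_membership USER GROUP MODE: emit the group file after adding USER to GROUP.
#   append  - like usermod -aG: other memberships are kept
#   replace - like usermod -G without -a: USER is dropped from every other group
apply_membership() {
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v OFS=: -v u="$1" -v g="$2" -v mode="$3" '
    function has(list, x) { return index("," list ",", "," x ",") > 0 }
    function without(list, x,   n, m, i, out) {
      n = split(list, m, ","); out = ""
      for (i = 1; i <= n; i++) if (m[i] != x && m[i] != "") out = (out == "" ? m[i] : out "," m[i])
      return out
    }
    $1 == g && !has($4, u) { $4 = ($4 == "" ? u : $4 "," u) }
    $1 != g && mode == "replace" { $4 = without($4, u) }
    { print }'
}

# memberships_after USER GROUP MODE: space-separated groups USER ends up in.
memberships_after() {
  apply_membership "$@" | awk -F: -v u="$1" 'index("," $4 ",", "," u ",") { print $1 }' |
    tr '\n' ' ' | sed 's/ $//'
}

echo "before:            $(groups_of alice | tr '\n' ' ')"
echo "usermod -aG sales: $(memberships_after alice sales append)"
echo "usermod -G sales:  $(memberships_after alice sales replace)"
```

Forgetting -a silently removes the user from sudo and developers here, which is the kind of change worth catching by diffing /etc/group before and after an edit.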

Key Demonstration: Add Members to Groups
Sign in to at least one system (either RH or Debian-based), then create a group and add members to it. The focus of this demo is adding users to groups; creating a group was covered in a previous demonstration.
1. Sign in
2. Create a group named Labs - groupadd Labs
3. Display the contents of /etc/group to show there are no members listed for the Labs group
4. Add USER to the Labs group - usermod -aG Labs USER
5. Display the contents of /etc/group to show that USER is a member of Labs
6. Display information about the USER account to show group membership - id USER
Review Activity: Group Account Management
1. Suggest at least two ways to display group membership information.
2. What command adds a user to a group?
3. What is the result if an administrator forgets to add the -a option when adding a user to a group?
4. Why might a user be a member of multiple groups?
Configure Privilege Escalation
Root Users
• Do not log on as the root user
• Many distributions disable the root account
• Use su or sudo to elevate privileges, or “get root”
• Delegate tasks by configuring the /etc/sudoers file
Elevate Privileges with su Command
• su root – switches to the root user in the original user’s context.
• su - root – switches to the root user in the root user’s context.
• You must know the password for the account you’re switching to (unless you are root).
Elevate Privileges with sudo Command
To create a user account using sudo:
• sudo useradd {user-name}
Configuration Examples for /etc/sudoers
Example 1
To grant full administrative privileges to a user, type
username ALL=(ALL:ALL) ALL
• The user will be prompted for their password. Be very careful with this level of delegation!

Example 2
To delegate the ability to execute these shutdown commands without entering a password, type
SOMEUSER ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
• Assumes that SHUTDOWN_CMDS is aliased to all related options for the shutdown command
Key Demonstration: Elevate Privileges with sudo
Instructor - sign in to at least one system (either RH or Debian-based), then demonstrate the process of adding a user to the sudoers file and delegating the ability to issue the shutdown command to the system.
1. Log in
2. Get root privileges - su - root
3. Select a user to delegate authority to, or create a new user with useradd
4. Open the /etc/sudoers file for editing with visudo
5. At the bottom of the file, add the following line:
   SOMEUSER ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
6. Save changes and exit
7. (Optional) Switch to the delegated user and issue the shutdown -h now command
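Example 2 and the demonstration above both rely on SHUTDOWN_CMDS being defined somewhere. The script below is an added example, not the course's own material: it writes the alias definition together with the NOPASSWD line as a sudoers drop-in file, gives it the 0440 mode sudo requires, and runs the file through visudo -cf (when visudo is installed) before anything is copied into /etc/sudoers.d. The command paths and the argument restriction to "-h now" and "-r now" are assumptions; confirm the path with command -v shutdown on the target distribution.

```shell
#!/bin/sh
# Added example: build the delegation from Example 2 and the demonstration above as a sudoers
# drop-in file, with the SHUTDOWN_CMDS alias spelled out, the file mode sudo requires (0440) and a
# syntax check with "visudo -cf" before anything goes near /etc/sudoers.d. The command paths and
# argument restriction are assumptions; confirm them with "command -v shutdown" on the target host.

# render_fragment USER: the sudoers text. NOPASSWD applies to the aliased commands only, and the
# alias pins the arguments so the user cannot pass other options to shutdown.
render_fragment() {
  cat <<EOF
# constructed example: let $1 halt or reboot the host without a password
Cmnd_Alias SHUTDOWN_CMDS = /usr/sbin/shutdown -h now, /usr/sbin/shutdown -r now
$1 ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
EOF
}

# stage_fragment USER DIR: write DIR/USER-shutdown (no "." or "~" in the name, or sudo ignores it)
# with mode 0440 and print its path.
stage_fragment() {
  file="$2/$1-shutdown"
  ( umask 337; render_fragment "$1" > "$file" )   # 0666 & ~0337 = 0440
  printf '%s\n' "$file"
}

# check_fragment FILE: run visudo's parser over the staged file when visudo is installed.
check_fragment() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$1"
  else
    echo "visudo not found; skipping syntax check of $1"
  fi
}

# file_mode PATH: the permission column of ls -l, e.g. -r--r-----
file_mode() { ls -l "$1" | cut -c1-10; }

stage_dir=$(mktemp -d)
staged=$(stage_fragment SOMEUSER "$stage_dir")
cat "$staged"
file_mode "$staged"
check_fragment "$staged" || echo "visudo reported a problem with $staged; fix it before installing"
# Final step, as root only: install -o root -g root -m 0440 "$staged" /etc/sudoers.d/SOMEUSER-shutdown
```

Validating the staged file first matters because a syntax error in /etc/sudoers or a drop-in makes sudo refuse to run for everyone, which is the same reason the slides say to edit with visudo rather than a plain editor.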
PolicyKit Configuration
Alternative delegation method to sudo
• More granular control via defined rules and actions
Examples of delegated tasks:
• Software management
• System shutdown or hibernation
• Configuration of network devices
• Device access
• Mounting and unmounting filesystems on removable media
Polkit Commands
• pkexec - allows an authorized user to execute an action
• pkaction - display details about an action
• pkcheck - display whether a process is authorized
• pkttyagent - provides a text-based authentication agent
Troubleshoot Privilege Escalation Issues
• User has switched user identities, but variables and other profile settings are not present.
• User fails to switch identities when using the su command.
• Sudo does not function as expected.
• Cannot exercise administrative privileges.
• User cannot run a command, even when the command is preceded by sudo.
Review Activity: Privilege Escalation
1. A developer at your organization needs the ability to reboot a test server, but their account's standard privileges do not permit this. The developer requests the system's root user password in order to use su to reboot the server. Is there a more secure option that aligns with the principle of least privilege?
2. How are the su root and su - root commands different?
3. You must delegate the shutdown -h privilege to SOMEUSER. What tool is used to modify the /etc/sudoers file, and what line must be added to that file?
4. Whose password must be entered with sudo? Whose password must be entered with su?
Troubleshoot User and Group Issues
Troubleshooting User Management Issues
• Only authorized users can manage groups
  • root
  • Users delegated the privileges with sudo
• Does the group exist?
  • Check the /etc/passwd or /etc/group files to confirm
• Halt active user processes with sudo killall -u {username}
User Login Attempt Failures
1. Confirm the user has an account on the system by displaying the contents of /etc/passwd. If necessary, create an account for the user by using the useradd command.
2. If the account exists, confirm that a password is set. Display the contents of /etc/shadow and verify a hashed password exists. Use the passwd command to set a password if one did not exist.
3. If the account exists and a password is set, the user may have forgotten the correct password. Reset the password with the passwd command.
4. If the account exists and a password is set, the password may be expired. Reset the password by using the passwd command.
5. If the account exists and a password is set, the account may be locked. Unlock the account by using the chage command.
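The five checks above can be run in order against the two files. The script below is an added example, not from the slides: it applies them to constructed /etc/passwd and /etc/shadow records and names the first check that explains a failed login for each user. "Today" is a fixed constructed day count so the output is reproducible; on a real host it would be $(( $(date +%s) / 86400 )) and the real files would be read as root. A leading "!" in the hash is what passwd -l writes and passwd -u removes, while a date in the expiry field is what chage -E sets.

```shell
#!/bin/sh
# Added example: apply the five checks above to constructed /etc/passwd and /etc/shadow records and
# name the first one that explains a failed login. "Today" is fixed so the output is reproducible;
# on a real host use $(( $(date +%s) / 86400 )) and read the real files as root.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example,,,:/home/carol:/bin/bash
dave:x:1003:1003:Dave Example,,,:/home/dave:/bin/bash
erin:x:1004:1004:Erin Example,,,:/home/erin:/bin/bash'

# name:hash:lastchange:min:max:warn:inactive:expire (day counts since 1970-01-01)
SAMPLE_SHADOW='alice:$6$salt$hash:18958:0:99999:7:::
bob::18958:0:99999:7:::
carol:$6$salt$hash:18800:0:90:7:::
dave:!$6$salt$hash:18958:0:99999:7:::
erin:$6$salt$hash:18958:0:99999:7::18990'

TODAY=19000   # constructed reference day (2022-01-08)

# status USER: one of NO_ACCOUNT NO_PASSWORD LOCKED PASSWORD_EXPIRED ACCOUNT_EXPIRED OK
status() {
  printf '%s\n' "$SAMPLE_PASSWD" | grep -q "^$1:" || { echo NO_ACCOUNT; return; }
  line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:")
  IFS=: read -r name hash last min max warn inactive expire rest <<EOF
$line
EOF
  [ -n "$hash" ] || { echo NO_PASSWORD; return; }
  case $hash in
    '!'* | '*'*) echo LOCKED; return ;;       # "!" prefix is what passwd -l writes
  esac
  if [ "$max" -lt 99999 ] && [ $(( last + max )) -lt "$TODAY" ]; then echo PASSWORD_EXPIRED; return; fi
  if [ -n "$expire" ] && [ "$expire" -le "$TODAY" ]; then echo ACCOUNT_EXPIRED; return; fi
  echo OK
}

# explain USER: the status mapped to the step and command from the list above.
explain() {
  case $(status "$1") in
    NO_ACCOUNT)       echo "$1: no entry in /etc/passwd (step 1: useradd)" ;;
    NO_PASSWORD)      echo "$1: empty password field in /etc/shadow (step 2: passwd)" ;;
    LOCKED)           echo "$1: password hash is locked (step 5: unlock, e.g. passwd -u)" ;;
    PASSWORD_EXPIRED) echo "$1: password older than its maximum age (step 4: passwd)" ;;
    ACCOUNT_EXPIRED)  echo "$1: account expiry date has passed (extend it with chage -E)" ;;
    OK)               echo "$1: files look fine; likely a wrong password (step 3: reset with passwd)" ;;
  esac
}

for u in alice bob carol dave erin frank; do explain "$u"; done
```

The order of the checks is the order of the slide: existence, then presence of a hash, then the lock marker, then password age and account expiry, so the first failing check is the one to act on.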
Reviewing the Login Process
1. The operating system boots and the kernel is loaded. Assume the system boots to the CLI. An authentication prompt is displayed.
2. The user enters a name and password combination. These are checked against the /etc/passwd and /etc/shadow files. Settings such as expired passwords and locked accounts are checked for at this point.
3. System and user profile files are processed, and the user is presented with an authenticated and customized environment.
Using User Login Commands
• lastlog – displays recent login information
• last – pulls login history information from /var/log/wtmp
• w – displays current logins to the system, including idle time
• who – displays current logins to the system
Key Demonstration: User Login Commands
Sign in to at least one system (either RH or Debian-based), then run the following commands and discuss the output. Note that the output can vary from system to system.
1. Run the last command.
2. Run the lastlog command.
3. Run the w command.
4. Run the who command and compare the results to the output from the w command.
Review Activity: User and Group Troubleshooting
1. List at least three scenarios where you might need records of who logged in to a Linux system.
2. Another administrator asks you to explain the value of editing the /etc/sudoers file with visudo rather than a traditional text editor. What is your response?
3. List at least three reasons a user account might be locked.
4. During a security audit it is discovered that a user does not have a password set. When you check the /etc/passwd file, the password field is properly populated with the x character. What file would actually display whether a password has been set for the user?
5. A user places sudo before a command, but the command still fails to run. What might be the cause?
6. An administrator asks you how to delegate Linux administrative privileges to a specific user. What group is used for such delegation?
