Uploaded by sisayyohannes997

Lecture 3

User Management
Outline
• Linux User Types
• Adding users
• Adding Groups
• Changing ownership
• Changing Group
• Shutting down and starting up a system
Linux Users
• User accounts and authentication are two of the
most important areas for which a system
administrator is responsible.
• User accounts are the means by which users
present themselves to the system, and are granted
or denied access to the information and resources
on a system.
• Accordingly, properly setting up and managing user accounts is one of the administrator’s chief tasks.
Linux User Types

• Linux provides different types of user accounts, each with a different level of access, from which one can choose according to requirement.
• Linux provides 5 different alternatives to choose from.
1. Super User or Root User
• A special kind of user account which holds all permissions to make any alteration to any program or service of Linux.
• This kind of user account is used especially for system administration.
• He/she can control and limit the access of other users.
• As all the powers are vested in the Root User, care has to be taken before performing each and every modification: if anything goes wrong, nothing is left but a crash of the kernel.
• It is highly sensitive because of its unlimited access.
• Take care while logged in as Root.
2. System User
• It is created by default by the OS.
• This type of user is similar to a normal user but has more privileges and access to secure programs for which a normal user has no authorization.
3. Normal User

• These are the users which have been created by the Root and have limited access to the resources; they need permission from Root to access any secure resources and services.
4. Network User
• Users choose this type of user account to check network activities and to manage them.
• Especially system administrators and network engineers use this account for various network activities and to connect to different systems on the network using services like LDAP, NFS, SAMBA, APACHE, NTP etc.
5. Pseudo User

• It’s a replica of the Root User.
• It is used when a user needs permissions similar to the Root User.
• Only the Root User can give access to this user account to others.
• Every user has their own identity and authenticity.
• UID (User identifier) is a unique identity, simply a number given to the user.
• Every kind of user type is given a particular range of UIDs.
• Root User has the UID 0.
• This can be altered in the configuration file if we want to.
• UID for System User lies within the range of 1 to 499.
• It’s just a default range provided by the OS; it can be altered, and system users can be added with UIDs greater than 500 but less than a saturation value which depends on the type of Linux OS.
• UID for Normal User lies within the range of 500 to 6000.
• UID for Network User is greater than 6000.
Commands whoami and id
• If you want to verify yourself or want to see who you are logged in as, you can type:
[root@localhost ~]# whoami
and you will see this output:
root
• Or you can use the id command to know the id of the user, as follows:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root)
Command su
• You can use the su command to switch from one user to another.
• Syntax: su username
• Example:
[root@localhost ~]# su student
Password: ********* (enter the password of student)
• We can tell the type of user logged in by looking at the prompt.
• # -- root user
• $ -- normal user (not root user)
What Users and Groups Are
• The control of users and groups is a core
element of Linux system administration.
• The user of the system is either a human being or an account used by specific applications, identified by a unique numerical identification number called the user ID (UID).
• Users within a group can have read permissions, write permissions, execute permissions or any combination of read/write/execute permissions for files owned by that group.
• Linux supports access control lists (ACLs) for files and directories, which allow permissions to be set for specific users other than the owner.
• A group is an organization unit tying users together
for a common purpose, which can be reading
permissions, writing permission, or executing
permission for files owned by that group.
• Similar to UID, each group is associated with a
group ID (GID).
• A user who creates a file is also the owner
and primary group owner of that file.
• Each user on the system is a member of at least one group, a primary group.
• A supplementary group is an additional group for
accessing files owned by this group.
How Linux User Accounts Work
 Username
 Password
By default, all user home directories are created and maintained in the /home directory.
However, the root user’s home directory is /root.
 No two user accounts on the system will have the same UID.
 To view the UID for a given user account, you can use the id username command from the shell prompt.
 On a SUSE Linux system, the first regular user account created on the system is always assigned a UID of 1000. The next user account will be assigned a UID of 1001, and so on.
 Other distributions may use a different numbering scheme for the UID, however. For example, UIDs on a Fedora system start at 500 instead of 1000.
 The root user account is always assigned a UID of 0 on most Linux distributions.
 It’s this UID that the operating system actually uses
to control access to files and directories in the file

Where Linux User Accounts Are Stored
 Linux is a very flexible operating system.
 One of its flexible features is the location of user accounts on the system.
 When you originally installed the system, your distribution may have given you several options for where you wanted to store your user accounts.
 This screen allows you to choose from the following authentication methods:
 Local
 This option stores user accounts in the /etc/passwd file.
 This has been the default configuration used by Linux systems for many years.
 LDAP
 This is a newer option that many Linux administrators are starting to adopt.
 Instead of storing user accounts in a file in the file system, user accounts are stored in a directory service provided by OpenLDAP (allows you to sort and organize your user
 NIS
 This option stands for Network Information Service.
 NIS is also designed to provide centralized user account management when you have multiple systems that all need the same user accounts.
 To do this, NIS configures systems to all use a common passwd and shadow file.
 Windows Domain
 If you have a Windows domain controller in your network (or another Linux server running the Samba service), you can configure your Linux system to use the user accounts in the domain to
Local option
 /etc/passwd
 This file contains the user account information for your
system.
 /etc/shadow
 This file contains passwords for your user accounts.
 /etc/group
 This file contains your system’s groups.
- The /etc/passwd File
Username:Password:UID:GID:Full_Name:Home_Directory:Default_Shell
 Username: The Username field simply identifies the username the user will supply when logging in to the system.
 Password: This is a legacy field. At one time, the user’s password was stored in encrypted form in this field in the passwd file. However, for security reasons, the password has been moved from /etc/passwd to /etc/shadow.
 UID: This is the user ID for the user account.
 GID: This field references the group ID number of the user’s default group.
 Full_Name: This field contains the user’s full name.
 Home_Directory: This field contains the path to the user’s home directory.
 Default_Shell: This field specifies the shell that will be used by default.
- The /etc/shadow File
Username:Password:Last_Modified:Min_Days:Max_Days:Days_Warn:Disabled_Days:Expire
 Username: This is the user’s login name from /etc/passwd.
 Password: This is the user’s password in encrypted (hashed) format.
 Last_Modified: This field holds the number of days since January 1, 1970 that the password was last changed.
 Min_Days: This field holds the minimum number of days required before a password can be changed.
 Max_Days: This field holds the maximum number of days before a password must be changed.
 Days_Warn: This field holds the number of days prior to password expiration that the user will be warned of the pending expiration.
 Disabled_Days: This field holds the number of days to wait after a password has expired to disable the account.
 Expire: This field holds the number of days since January 1, 1970 after which the account will be disabled.
 To verify your /etc/passwd and /etc/shadow files, you can use the pwck command at the shell prompt.
 This utility will verify each line in the two files and make sure they are valid.
 Any errors are reported on the screen.
 If, for some reason, the /etc/passwd and /etc/shadow files were out of synchronization, you could use the pwconv command at the shell prompt to fix the files.
 This utility will add any missing user accounts from /etc/passwd to /etc/shadow.
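The field layouts above are what pwck and pwconv work from. The following is an added example, not part of the lecture, showing the kind of read-only checks an administrator can run over records in those two formats: accounts in passwd with no shadow record (the case pwconv repairs), extra accounts with UID 0, accounts with an empty password field, and how many days remain before a password must be changed according to the Last_Modified and Max_Days fields. The records and the hash strings are constructed samples, and the function names are this example's own; nothing here reads or writes the real /etc files.

```shell
# Added example (not from the lecture): read-only checks over /etc/passwd-style
# and /etc/shadow-style records. The records below are constructed samples so the
# checks run without root and never touch the real files; the function names are
# this example's own. The hash strings are placeholders, not real crypt(3) output.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ncth:x:500:500:N. C. Thomas:/home/ncth:/bin/bash
second_root:x:0:0:duplicate UID 0:/home/second_root:/bin/bash
orphan:x:501:501:no shadow record:/home/orphan:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$PLACEHOLDERHASH:19000:0:90:7:::
bin:*:19000:0:99999:7:::
ncth::18900:0:90:7:::
second_root:$6$salt$PLACEHOLDERHASH:19000:0:99999:7:::'

# Accounts present in the passwd text but absent from the shadow text: the
# out-of-sync condition that pwconv repairs by adding the missing records.
passwd_missing_from_shadow() {   # $1 = passwd text, $2 = shadow text
    printf '%s\n' "$2" "---SEP---" "$1" |
    awk -F: '
        /^---SEP---$/ { in_passwd = 1; next }
        !in_passwd    { seen[$1] = 1; next }
        !($1 in seen) { print $1 }'
}

# Accounts other than root whose UID is 0. The kernel checks the number, not
# the name, so every such account is a full superuser and must be accounted for.
extra_uid0_accounts() {   # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow Password field is empty, i.e. no password is required.
empty_password_accounts() {   # $1 = shadow text
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Days until the named user's password must be changed: Last_Modified plus
# Max_Days minus "today" ($3, given as days since 1970-01-01, the same unit the
# file uses). A negative result means the change is already overdue.
days_until_password_change() {   # $1 = shadow text, $2 = user, $3 = today
    printf '%s\n' "$1" | awk -F: -v u="$2" -v today="$3" '
        $1 == u { print ($3 + $5) - today; exit }'
}

# Run every check over the samples, one finding per line.
audit_samples() {
    for u in $(passwd_missing_from_shadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"); do
        echo "missing from shadow (pwconv would add it): $u"
    done
    for u in $(extra_uid0_accounts "$SAMPLE_PASSWD"); do
        echo "extra UID 0 account: $u"
    done
    for u in $(empty_password_accounts "$SAMPLE_SHADOW"); do
        echo "empty password field: $u"
    done
    echo "days until root must change password: $(days_until_password_change "$SAMPLE_SHADOW" root 19010)"
    echo "days until ncth must change password: $(days_until_password_change "$SAMPLE_SHADOW" ncth 19010)"
}

audit_samples
```

With the samples above the report names orphan, second_root and ncth, and shows root with 80 days left and ncth 20 days overdue. On a real system the same functions can be fed with `cat /etc/passwd` and `cat /etc/shadow` (the latter needs root to read), but pwck remains the authoritative validator of the file syntax.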
Creating and Managing User Accounts from the Command Line
 Using adduser/useradd
 Using passwd
 Using usermod
 Using userdel
Using useradd
Syntax: useradd options username
Ex (default options): useradd ncth
The ncth account is created using the default parameters contained in the following configuration files:
 /etc/default/useradd
 /etc/login.defs: This file contains values that can be used for the GID and UID parameters when creating an account with useradd. It also contains defaults for creating passwords in /etc/shadow.
You can also view these default values by entering useradd -D at the shell prompt.
 Options
 -c Includes the user’s full name.
 -e Specifies the date when the user account will be disabled. Format the date as yyyy-mm-dd.
 -f Specifies the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality, e.g., useradd -f -1 jmcarthur.
 -g Specifies the user’s default group.
 -G Specifies additional groups that the user is to be made a member of.
 -M Specifies that the user account be created without a home directory.
 -m Creates the user’s home directory (its path is given with -d).
 -n Used only on Red Hat or Fedora systems. By default, these systems create a new group with the same name as the user every time an account is created. Using this option will turn off this functionality.
 -p Specifies the user’s password (useradd expects the already encrypted form, as produced by crypt(3), not plain text).
 -r Specifies that the user being created is a system user.
 -s Specifies the default shell for the user.
 -u Manually specifies a UID for the user.
Ex: useradd -c "Tomas Jaferson" tom1
useradd -c "Seada Kasim Ahmed" -m -d /etc/seada -s /bin/bash Seada
passwd Seada (set the password interactively instead of passing it in plain text with -p)
Using passwd
 The passwd utility is used to change an existing user’s password.
 You can display the status of a user’s password with the -S option of passwd. For example, we could enter passwd -S vmk at the shell prompt.
Syntax: passwd options username
Options
-l Locks the user’s account. This option invalidates the user’s password.
-u Unlocks a user’s account.
-d Removes a user’s password.
-n Sets the minimum number of days required before a password can be changed.
-x Sets the maximum number of days before a password must be changed.
-w Sets the number of days prior to password expiration when the user will be warned of the pending expiration.
-i Sets the number of days to wait after a password has expired to disable the account.
Using usermod
 From time to time, you will need to modify an existing user account.
 The syntax for usermod is very similar to that used by useradd.
Syntax: usermod options username
Options
-c Edits the user’s full name.
-e Sets the date when the user account will be disabled. Format the date as yyyy-mm-dd.
-f Sets the number of days after password expiration before the account is disabled. Use a value of -1 to disable this functionality.
-g Sets the user’s default group.
-G Specifies additional groups that the user is to be made a member of.
-l Changes the username.
-L Locks the user’s account. This option invalidates the user’s password.
-m Moves the contents of the user’s current home directory to the new home directory given with -d.
-p Sets the user’s password (in encrypted form).
-s Specifies the default shell for the user.
-u Sets the UID for the user.
-U Unlocks a user’s account that has been
 If, for some reason, you want to change the user’s home directory, invoke the usermod command with the -d option followed by the absolute path of the new home directory and the name of the user:
 usermod -d HOME_DIR USER
 Create a user account using your system’s default settings by entering useradd abc
 passwd abc -> enter the password
Using userdel
Syntax: userdel username
Ex: userdel ncth
 It’s important to note that, by default, userdel will not remove the user’s home directory from the file system.
 If you do want to remove the home directory when you delete the user, you need to use the -r option on the command line.
 For example, entering userdel -r ncth will remove the account and delete her home directory.
Linux Groups
 How Linux groups work
 Managing groups from the command line
How Linux Groups Work
 If your Linux system has been configured to use local
authentication, your groups are defined in the /etc/group
file.
 Each record is composed of the following four fields:

Group:Password:GID:Users
 Group Specifies the name of the group.
 Password Specifies the group password.
 GID Specifies the group ID (GID) number of the group.
 Users Lists the members of the group.
 As with /etc/shadow, each line in /etc/gshadow represents
a record for a single group.
 Each record is composed of the following fields:
Group_Name:Password:Group_Admins:Group_Members
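The two files above only make sense together: a user's primary group comes from the GID field of /etc/passwd, while the Users field of /etc/group adds supplementary groups. The following is an added example, not part of the lecture, that resolves both directions from constructed records: the groups a user belongs to (what `id -Gn` reports) and, the reverse, every user who can access files owned by a given group. The records and function names are this example's own.

```shell
# Added example (not from the lecture): resolve group membership from
# constructed /etc/passwd- and /etc/group-style text, in both directions.
# Sample records and function names are this example's own.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ncth:x:500:500:N. C. Thomas:/home/ncth:/bin/bash
vmk:x:501:501:V. M. Kumar:/home/vmk:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:vmk
users:x:100:ncth
ncth:x:500:
vmk:x:501:
student:x:600:ncth,vmk'

# Print the user's primary group (resolved through the GID field in passwd)
# followed by every supplementary group whose Users field lists the user.
# Fails (exit 1) for an unknown user or a GID with no matching group.
user_groups() {   # $1 = passwd text, $2 = group text, $3 = user
    printf '%s\n' "$1" "---SEP---" "$2" |
    awk -F: -v u="$3" '
        /^---SEP---$/ { in_group = 1; next }
        !in_group { if ($1 == u) { gid = $4; found = 1 }; next }
        found {
            if ($3 == gid) { primary = $1; next }   # primary group: not supplementary
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) supp = supp " " $1
        }
        END {
            if (!found || primary == "") exit 1
            print primary supp
        }'
}

# Print, sorted and space-separated, every user who can access files owned by
# the group: users whose passwd GID is the group plus users listed in its
# Users field. Fails (exit 1, empty output) for an unknown group.
effective_members() {   # $1 = passwd text, $2 = group text, $3 = group name
    printf '%s\n' "$2" "---SEP---" "$1" |
    awk -F: -v g="$3" '
        /^---SEP---$/ { in_passwd = 1; next }
        !in_passwd {
            if ($1 == g) {
                gid = $3; found = 1
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        found && $4 == gid { member[$1] = 1 }
        END {
            if (!found) exit 1
            for (name in member) print name
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

echo "ncth belongs to: $(user_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" ncth)"
echo "vmk belongs to: $(user_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP" vmk)"
echo "effective members of student: $(effective_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP" student)"
echo "effective members of ncth: $(effective_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP" ncth)"
```

Note that a user's own private group (ncth's primary group ncth) has no entry in its Users field yet still has ncth as an effective member: a membership review that only reads /etc/group would miss every primary-group relationship, which is why both files are consulted.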
Managing groups from the command line
 Using addgroup/groupadd
 Using groupmod
 Using groupdel
Using groupadd
 Syntax: groupadd options groupname
 Options:
-g Specifies a GID for the new group.
-p Specifies a password for the group.
-r Specifies that the group being created is a system group.
Using groupmod
 To modify a group, including adding users to the group membership, you use the groupmod utility.
 Syntax: groupmod options group
 Options:
-g Changes the group’s GID number.
-p Changes the group’s password.
-A Adds a user account to the group.
-R Removes a user account from the group.
 If we wanted to add ncth to the group student, we would enter
groupmod -A ncth student
at the shell prompt.
Note: the -A and -R options are SUSE-specific; on other distributions a user is added to a group with usermod -aG group user or gpasswd -a user group.
Using groupdel
 Syntax: groupdel group_name
Ex: groupdel student
Managing ownership and permissions
 How ownership works
 Managing ownership from the command line
How ownership works
• Anytime a user creates a new file or directory, his or her user account is assigned as that file’s or directory’s “owner.”
• For example, suppose the vmk user logs in to her Linux system and creates a file named linux_introduction.odt using OpenOffice.org in her home directory.
• Because she created this file, she is automatically assigned ownership of linux_introduction.odt.

By right-clicking on this file in the system’s


Managing ownership from the terminal
 You can specify a different user and/or group as the owner of a given file or directory.
 To change the user who owns a file, you must be logged in as root.
 To change the group that owns a file, you must be logged in as root or as the user who currently owns the file.
 Using chown
 Using chgrp
Using chown
 The chown utility can be used to change the user or group that owns a file or directory.
Syntax: chown user.group file_or_directory (a colon, user:group, is also accepted)
Ex: If I want to change the file’s owner to the ncth1 user, I would enter
chown ncth1 /tmp/myfile.txt
 If I want to change the group to the users group, of which the file’s owner is a member, I would enter
chown .users /tmp/myfile.txt
Notice that I used a period (.) before the group name to tell chown that the entity specified is a group, not a user account.
Ex: chown student.users /tmp/myfile.txt
Note: You can use the -R option with chown to change ownership on many files at once recursively.
- Using chgrp
 In addition to chown, you can also use chgrp to change the group that owns a file or directory.
 Syntax:
chgrp group file (or directory)
 For example:
chgrp student /tmp/newfile.txt
Managing permissions
 How permissions work
 Managing permissions from the command line
 Working with default permissions
- How permissions work
• Each file or directory in your Linux file system stores the specific permissions assigned to it.
• These permissions together constitute the mode of the file. These permissions are assigned to each of three different entities for each file and directory in the file system:
 Owner: This is the user account that has been assigned to be the file or directory’s owner. Permissions assigned to the owner apply only to that user account.
 Group: This is the group that has been assigned ownership of the file or directory. Permissions assigned to the group apply to all user accounts that are members of that group.
 Others: This entity refers to all other users who have successfully authenticated to the system.
Permissions assigned to this entity apply to
ls -l
- Managing Permissions from the Command Line with chmod
Syntax: chmod entity=permissions filename
You substitute u (owner), g (group), or o (others) for the entity portion of the command. You substitute r, w, and/or x for the permissions portion of the command. For example, suppose I wanted to change the mode of contacts.odt to -rw-rw-r--:
chmod u=rw,g=rw,o=r contacts.odt
 You can also use chmod to toggle a particular permission on or off using the + or - signs.
 For example, suppose I want to turn off the write permission for Group on the contacts.odt file. I would enter
chmod g-w contacts.odt
at the shell prompt.
You can modify all three entities at once with only three characters. To do this, enter
chmod numeric_permission filename
Ex: chmod 660 contacts.odt
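The three chmod forms above (entity=permissions, +/- toggles, and the three-digit numeric mode) all set the same nine permission bits. The following is an added example, not part of the lecture, that converts between the symbolic and numeric forms and then runs the three commands from the slides on a scratch copy of contacts.odt, reading the mode back after each step. The function names are this example's own; it needs only a writable temporary directory.

```shell
# Added example (not from the lecture): convert between the symbolic and
# numeric chmod mode forms, then apply the three chmod forms from the slides to
# a scratch file and read back the resulting mode. Function names are this
# example's own.

# Symbolic nine-character mode (e.g. rw-rw-r--) to three octal digits (664).
# r = 4, w = 2, x = 1 within each of the owner, group and others triplets.
mode_to_octal() {   # $1 = mode string
    printf '%s\n' "$1" | awk '{
        if (length($0) != 9) exit 1
        out = ""
        for (e = 0; e < 3; e++) {          # owner, group, others
            v = 0
            if (substr($0, e * 3 + 1, 1) == "r") v += 4
            if (substr($0, e * 3 + 2, 1) == "w") v += 2
            if (substr($0, e * 3 + 3, 1) == "x") v += 1
            out = out v
        }
        print out
    }'
}

# Three octal digits (e.g. 660) back to the symbolic form (rw-rw----).
octal_to_mode() {   # $1 = octal digits
    printf '%s\n' "$1" | awk '{
        if ($0 !~ /^[0-7][0-7][0-7]$/) exit 1
        out = ""
        for (e = 1; e <= 3; e++) {
            d = substr($0, e, 1) + 0
            out = out (d >= 4 ? "r" : "-") (d % 4 >= 2 ? "w" : "-") (d % 2 ? "x" : "-")
        }
        print out
    }'
}

# Octal mode of a path; GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply chmod in its three forms to a scratch contacts.odt and print the mode
# observed after each step: 664 (rw-rw-r--), then 644 (g-w), then 660.
chmod_demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/contacts.odt"
    : > "$f"
    chmod u=rw,g=rw,o=r "$f"; m1=$(file_mode "$f")   # entity=permissions form
    chmod g-w "$f";            m2=$(file_mode "$f")   # toggle form
    chmod 660 "$f";            m3=$(file_mode "$f")   # numeric form
    rm -rf "$tmp"
    printf '%s %s %s\n' "$m1" "$m2" "$m3"
}

chmod_demo
```

The conversion functions reject malformed input (a mode string that is not nine characters, or digits outside 0-7) with a non-zero exit status, which is what a script that builds chmod arguments from user-supplied data should check before calling chmod.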
Working with default permissions
By default, Linux assigns rw-rw-rw- (666) permissions to every file whenever it is created in the file system.
It also assigns rwxrwxrwx (777) permissions to every directory created in the file system.
To increase the overall security of the system, Linux uses a variable called umask to automatically remove permissions from the default mode whenever a file or directory is created in the file system. The default value of umask is 022.
 Each digit represents a numeric permission value to be removed. The first digit references Owner, the second references Group, the last references Other.
 If you only need to make a temporary change to umask, you can enter umask value at the shell prompt.
For example, if you want to remove the execute permission that is automatically assigned to Others whenever a new directory
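The umask digits are subtracted bit by bit, not arithmetically: a umask digit of 2 clears only the write bit, and a digit of 7 clears read, write and execute. The following is an added example, not part of the lecture, that computes the resulting mode for the 666 file default and the 777 directory default under a given umask, and then confirms the result by creating a file and a directory in a scratch directory with that umask in effect. The function names are this example's own; it needs only a writable temporary directory.

```shell
# Added example (not from the lecture): compute the mode a new file (default
# 666) or directory (default 777) receives under a given umask, then confirm it
# by creating a file and a directory with that umask set. Function names are
# this example's own.

# Clear, digit by digit, every permission bit that is set in the umask digit:
# apply_umask 666 022 -> 644, apply_umask 777 077 -> 700.
apply_umask() {   # $1 = default mode, $2 = umask, both three octal digits
    printf '%s %s\n' "$1" "$2" | awk '{
        if ($1 !~ /^[0-7][0-7][0-7]$/ || $2 !~ /^[0-7][0-7][0-7]$/) exit 1
        out = ""
        for (i = 1; i <= 3; i++) {          # owner, group, others
            d = substr($1, i, 1) + 0; u = substr($2, i, 1) + 0
            r = 0
            if (d >= 4     && u < 4)     r += 4   # read bit survives?
            if (d % 4 >= 2 && u % 4 < 2) r += 2   # write bit survives?
            if (d % 2 == 1 && u % 2 == 0) r += 1  # execute bit survives?
            out = out r
        }
        print out
    }'
}

# Octal mode of a path; GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create one file and one directory under the given umask (in a subshell, so
# the caller's umask is untouched) and print their observed modes as
# "<file> <dir>": umask_demo 022 -> "644 755", umask_demo 077 -> "600 700".
umask_demo() {   # $1 = umask
    tmp=$(mktemp -d) || return 1
    result=$(
        cd "$tmp" && umask "$1" &&
        : > newfile && mkdir newdir &&
        printf '%s %s' "$(file_mode newfile)" "$(file_mode newdir)"
    )
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && printf '%s\n' "$result"
}

for m in 022 027 077; do
    echo "umask $m: computed file $(apply_umask 666 "$m"), dir $(apply_umask 777 "$m"); observed $(umask_demo "$m")"
done
```

A umask of 077 is the usual choice on a multi-user host where new files must not be readable by other accounts; the computed and observed values should agree for every umask, and a mismatch would point at a shell or filesystem that overrides the defaults.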
