Linux User and Group¶
Basic¶
Each file in the system has a owner user and a owner group.
Each user has a UID (User Identifier). The system uses UID to identify users.
Each group has a GID (Group Identifier)
Each process is executed as a user, and its access restricted according to the access restriction of that user.
Each user has an assigned login shell.
User¶
User Identifier (UID)¶
A 32-bit unsigned int that begins from 0.
Usually for compatibility, the numerical value (for auto assigned UID) is smaller than 60000.
But it can be changed in login.defs, for example.
Categories¶
Please note that there is no strong restriction here.
- root
- UID is 0
- no restrictions for name, but somebody or something might expect such a name
- system users
- UID ranges from 1 to 499 or 999 (non-mandatory)
- used for specific services
- no need for shell login
- normal users
Group¶
To conveniently manage users.
Can be created according to the departments or roles.
Group information is stored in /etc/group.
Each user can only have one primary groups and a number of secondary groups. The limit of number of secondary groups are different on different UNIX systems. (16, 32, 6k)
By default, the primary group has the same name as the user does.
Commands¶
id
Display information about current user.
Append different user name to display information about specified user.
passwd
Change password.
Check Logged in Users¶
whoami
who # pts/0 usually means graphic interface
w
Add User¶
Approach 1: adduser¶
If you want an easy and secure and recommended way (possibly not available on some distros).
adduser # follow the prompt and you are all set
Approach 2: useradd¶
First run useradd.
useradd <some-user-name>
Parameters for useradd:
-d
- specify the home directory
-s
- specify the
-u
- specify uid
-g
- specify primary group
-G
- specify secondary group
useradd Will add user information in /etc/passwd
Second, decide whether or not to set password.
If run passwd <same-user-name>, will store the password in /etc/shadow
Third, copy the files in /etc/skel to the home directory of this new user.
If “-d” was not used, a directory with the same name of the user will be created under /home.
- .bash_logout
- file to run when log out
- .bashrc
- file to run when log in
- .profile
If “-g” was not used, a group with the same name of the user will be created
Approach 3: edit /etc/passwd¶
Not recommended.
Change User Config¶
usermod
usermod <options> <username>
-l
- new login name
-u
- new uid
-d
- new home directory
-g
- new primary group
-G
- new secondary group
-L
- lock the password
- not lock the account
-U
- unlock the password
Group Commands¶
groupadd <groupname>
groupmod -n <newname> <oldname>
groupmod -g <newgid> <oldgid>
groupdel <groupname>
# change current group
sg <groupname> 'some command'
## OR
newgrp <groupname>
'some commend'
Config Files¶
/etc/nsswitch.conf
Name Service Switch (NSS)
- set where to store user/group information etc.
- Wiki
/etc/passwd
Stores the user information. Each line is one user.
There are 7 parts separated by ‘:’
- user name
- user password
- “x”
- password is stored in
/etc/shadow
- password is stored in
- “!”
- account is locked
- user might still be able to log in using other ways (e.g. SSH)
- see ‘-l’ in man page of
passwdfor more details - to avoid bugs, keep this field the same as the password field in
/etc/shadowif manually edited
- “x”
- User ID
- Group ID
- Description
- Home directory
- login shell
- no shell
nologin- print a message for user
false- return false
- no shell
/etc/shadow
Store information about password
Same format as passwd
- user name
- user password
- ‘!!’ means the password is not set yet
- might change on different linux distribution
- has 3 parts, separated by “$”
- type of encryption (6 means SHA 512)
- salt
- result after encryption (one-direction)
- can be “solved” using brute force
- other information
- ‘!!’ means the password is not set yet
/etc/group
- group name
- group password
- in old days, it is needed to switch groups. Now rarely used
- group ID
/etc/gshadow
shadow file for group