Chapter 10 Administering Users and Groups
The useradd command's commonly used options
-c, --comment            Comment field contents. Traditionally it contains the user's full name. Optional.
-d, --home or --home-dir User's home directory specification. Default action is set by the HOME and CREATE_HOME directives.
-D, --defaults           Display /etc/default/useradd directives.
-e, --expiredate         Date of the account's expiration in YYYY-MM-DD format. Default action is set by the EXPIRE directive.
-f, --inactive           Number of days after a password has expired and has not been changed until the account will be deactivated. A -1 indicates the account will never be deactivated. Default action is set by the INACTIVE directive.
-g, --gid                Account's group membership, which is active when the user logs into the system (default group).
-G, --groups             Account's additional group memberships.
-m, --create-home        If it does not exist, create the user account's home directory. Default action is set by the CREATE_HOME directive.
-M, --no-create-home     Do not create the user account's home directory. Default action is set by the CREATE_HOME directive.
-s, --shell              Account's shell. Default action is set by the SHELL directive.
-u, --uid                Account's User Identification (UID) number.
-r, --system             Create a system account instead of a user account.
The usermod command's commonly used options
-c, --comment      Modify the comment field contents.
-d, --home         Set a new user home directory specification. Use with the -m option to move the current directory's files to the new location.
-e, --expiredate   Modify the account's expiration date. Use YYYY-MM-DD format.
-f, --inactive     Modify the number of days after a password has expired and has not been changed that the account will be deactivated. A -1 indicates the account will never be deactivated.
-g, --gid          Change the account's default group membership.
-G, --groups       Update the account's additional group memberships. If you are only adding new group memberships, use the -a option as well; without it, the list you give replaces all of the account's current supplementary groups.
-l, --login        Modify the account's username to the specified one. Does not modify the home directory.
-L, --lock         Lock the account by placing an exclamation point in front of the password hash within the account's /etc/shadow file record.
-s, --shell        Change the account's shell.
-u, --uid          Modify the account's User Identification (UID) number. Files under the home directory are re-owned to the new UID; files elsewhere on the system keep the old UID and must be found and re-owned by hand (find / -uid OLDUID).
-U, --unlock       Unlock the account by removing the exclamation point from the front of the password hash within the account's /etc/shadow file record.
Table 10.6 shows the more commonly used passwd switches; all of these options require super user privileges (a normal user can run passwd without options only to change their own password).
Table 10.6 The passwd command's commonly used options
-d, --delete                  Removes the account's password.
-e, --expire                  Sets an account's password as expired. The user is required to change the account password at next login.
-i, --inactive                Sets the number of days after a password has expired and has not been changed until the account will be deactivated.
-l, --lock                    Places an exclamation point (!) in front of the account's password hash within the /etc/shadow file, effectively preventing the user from logging into the system with the account's password. Only password authentication is affected: an SSH public key, for example, still works. To block every login method, also set an account expiration date in the past (usermod -L -e 1970-01-02, or chage -E 1970-01-02).
-n, --minimum                 Sets the number of days after a password is changed until the password may be changed again.
-S, --status                  Displays the account's password status.
-u, --unlock                  Removes a placed exclamation point (!) from the account's password hash within the /etc/shadow file.
-w, --warning or --warndays   Sets the number of days a warning is issued to the user prior to a password's expiration.
-x, --maximum or --maxdays    Sets the number of days until a password change is required. This is the password's expiration date.
The id command's commonly used options
-g, --group    Displays the account's current group's GID, which is either the account's default group or a group reached by using the newgrp command.
-G, --groups   Displays all the account's group memberships via each one's GIDs.
-n, --name     Displays the account's name instead of the UID, or the group name instead of the GID, when used with the -g, -G, or -u options.
-u, --user     Displays the account's UID.
Understanding User Entries
.bash_profile
.bash_login
.profile
.bashrc
Which of the following files and directories may be involved in setting up the environment for all system users? (Choose all that apply.)
/etc/profile
/etc/profile.d/
/etc/bashrc
/etc/bash.bashrc
/etc/default/useradd
A file that contains default values for user creation.
normal account
A user account, sometimes called a normal account, is any account an authorized human has been given to access the system.
A few vital /etc/login.defs directives
PASS_MAX_DAYS    Number of days until a password change is required. This is the password's expiration date.
PASS_MIN_DAYS    Number of days after a password is changed until the password may be changed again.
PASS_MIN_LEN     Minimum number of characters required in a password. On systems where passwd goes through PAM, this directive is ignored and the minimum length is set by the password-quality module (pam_pwquality or pam_cracklib) instead.
PASS_WARN_AGE    Number of days a warning is issued to the user prior to a password's expiration.
CREATE_HOME      Default is no. If set to yes, a user account home directory is created.
ENCRYPT_METHOD   The method used to hash account passwords (for example, SHA512).
/etc/passwd file
Account information is stored in the /etc/passwd file. Each account's data occupies a single line in the file. When an account is created, a new record for that account is added to the /etc/passwd file.
The environment files that Bash processes depend on the method you use to start the Bash shell. You can start a Bash shell in three ways:
As a default login shell, such as when logging into the system at a tty# terminal
As an interactive shell that is started by spawning a subshell, such as when opening a terminal emulator in a Linux GUI
As a noninteractive shell, such as when running a shell script
The second and third cases are both non-login shells. An interactive non-login shell reads only .bashrc; a noninteractive shell reads none of the user environment files, only the file named in the BASH_ENV variable, if that is set.
A user has logged into the tty3 terminal. Which of the following user environment files is executed first if found in the user's home directory?
The .bash_profile user environment file is run first if it is found in the user account's home directory. If it is absent, Bash looks for .bash_login and then .profile, running only the first one it finds. Therefore, option E is the right answer.
Once you have user (or group) quotas modified, you need to establish the grace period for any soft limits set. To do this, you use the edquota -t command. These grace periods are used for all users and groups. An example is shown in Listing 10.37.
Listing 10.37: Employing edquota -t to set soft limit grace periods
# edquota -t
Grace period before enforcing soft limits for users:
Time units may be: days, hours, minutes, or seconds
  Filesystem             Block grace period     Inode grace period
  /dev/sdb1                    7days                  7days
With the quota files created, you can start creating quota limits for user accounts and/or groups by employing the edquota utility, which opens the limits in the editor named by the EDITOR variable. To edit user quotas, use the -u option (which is the default), and to edit group quotas, use the -g switch. Block limits are in 1 KB units, and a limit of 0 means no limit. A snipped example of editing a user account's quota is shown in Listing 10.36.
Listing 10.36: Employing edquota to set a user account's quota limits
# edquota -u user1
Disk quotas for user user1 (uid 1000):
  Filesystem    blocks   soft   hard   inodes   soft   hard
  /dev/sdb1        212   4096   6144        2      0      0
The passwd utility works hand in hand with pluggable authentication modules (PAMs).
For example, when you set or change a password via the passwd utility, the password-quality PAM module (pam_cracklib, replaced by pam_pwquality on most current distributions) checks the password to flag easily guessed passwords or passwords that use words found in a dictionary.
Another way to view account records in the /etc/passwd and /etc/shadow files is via the getent utility.
For this program you pass the database name (passwd, shadow, or group) followed by the account name whose record you wish to view. Reading the shadow database requires super user privileges.
Grasping Global Entries
Global configuration files modify the working environment and shell sessions for all users starting a Bash shell. As mentioned earlier, the global entries in these files can be overridden by the account user by adding user entries to the environment files in their $HOME directory.
Managing Groups
Groups are organizational structures that are part of Linux's discretionary access control (DAC). DAC is the traditional Linux security control, where access to a file, or any object, is based upon the user's identity and current group membership.
A few environment variables associated with a user environment
HISTCONTROL   Governs how commands are saved within the history list
HISTSIZE      Controls the maximum number of commands saved within the history list
PATH          Sets the directories in which the shell searches for command programs
PS1           Configures the shell's primary prompt
SHELL         Holds the absolute path of the user's login shell program
USER          Contains the current process's user account name
A few vital /etc/default/useradd directives
HOME       Base directory for user account directories.
INACTIVE   Number of days after a password has expired and has not been changed until the account will be deactivated. See PASS_MAX_DAYS in Table 10.1.
SKEL       The skeleton directory.
SHELL      User account default shell program.
When creating an account, you can supply an already hashed password string (produced with a crypt(3)-based tool such as openssl passwd -6 or mkpasswd) through the -p option of the useradd utility.
However, that is not only cumbersome but considered bad practice: the hash is recorded in the shell history and is visible to every user in the process listing while the command runs, and -p bypasses the password-quality checks that passwd performs. In the next section, we'll cover creating and managing account passwords properly.
/etc/skel directory
If a home directory is created for a user, the files in this directory are copied into the user account's home directory when the account is created.
/etc/login.defs file
It contains directives for use in various shadow password suite commands. "Shadow password suite" is an umbrella term for the commands dealing with account credentials, such as the useradd, userdel, and passwd commands.
If you have some sort of odd problem when enabling filesystem quotas, you can quickly turn them off with the quotaoff command, using super user privileges. The -a option will turn them off for all the system's quota-enabled filesystems. You will need to specify user quotas (-u) and/or group quotas (-g) in the command. Once you have fixed the issues, turn filesystem quotas back on using the quotaon command.
Listing 10.38: Using quota to check a user's quota limits
There are essentially four steps for enabling quotas on a particular filesystem. You will need to employ super user privileges to accomplish these steps. They are as follows:
1. Modify the /etc/fstab file to enable filesystem quota support.
2. If the filesystem is already mounted, unmount and remount it. If the filesystem was not previously mounted, then just mount it.
3. Create the quota files.
4. Establish user or group quota limits and grace periods.
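The four steps above, carried out as one script. This is an added example, not code from the book. It assumes an ext4 filesystem listed in /etc/fstab, the quota tools (quotacheck, quotaon, setquota, quota) installed, and uses setquota in place of the interactive edquota so that limits and grace periods can be scripted. The mount point /home/user1/QuotaFSTest and the user user1 are the ones used in the listings; the SAMPLE_FSTAB text is a constructed sample that only exercises the fstab filter and is not read from a real system.

```shell
#!/bin/sh
# Added example (not from the book): enable user and group quotas on one
# filesystem following the four steps above, using setquota rather than the
# interactive edquota so the limits can be scripted. The privileged steps run
# only with --apply; add_quota_opts is a pure text filter and safe anywhere.

# Step 1 helper: append usrquota and grpquota to the options field (4th) of
# the /etc/fstab line whose mount point (2nd field) matches $1, idempotently.
# Reads fstab text on stdin, writes the edited text to stdout. Comment lines
# and other entries pass through untouched (the edited line is re-joined with
# single spaces, which fstab accepts).
add_quota_opts() {
  awk -v mp="$1" '
    $0 !~ /^[ \t]*#/ && $2 == mp {
      opts = $4
      if (opts !~ /(^|,)usrquota(,|$)/) opts = opts ",usrquota"
      if (opts !~ /(^|,)grpquota(,|$)/) opts = opts ",grpquota"
      $4 = opts
    }
    { print }'
}

# Steps 1-3: edit fstab, remount, create aquota.user/aquota.group, turn on.
enable_quotas() {
  mp="$1"
  cp -p /etc/fstab /etc/fstab.bak
  add_quota_opts "$mp" < /etc/fstab.bak > /etc/fstab
  umount "$mp" 2>/dev/null || true   # not an error if it was not mounted
  mount "$mp"                         # mounts using the new fstab entry
  quotacheck -cug "$mp"               # -c create files, -u user, -g group
  quotaon -ug "$mp"
}

# Step 4: limits and grace periods. setquota takes soft/hard block limits
# (1 KB blocks), soft/hard inode limits (0 = no limit), then the filesystem;
# -t takes the block and inode grace periods in seconds.
set_limits() {
  mp="$1"; user="$2"
  setquota -u "$user" 4096 6144 0 0 "$mp"
  setquota -t 604800 604800 "$mp"     # 7 days, as in Listing 10.37
  quota -vu "$user"                   # show the result
}

# Constructed sample fstab text (not from a real system) for exercising the
# filter without root.
SAMPLE_FSTAB='# <device> <mount> <type> <options> <dump> <pass>
/dev/sda1 / ext4 defaults 0 1
/dev/sdb1 /home/user1/QuotaFSTest ext4 defaults 0 0'

# Prints the edited sample; only the QuotaFSTest line gains the quota options.
demo() {
  printf '%s\n' "$SAMPLE_FSTAB" | add_quota_opts /home/user1/QuotaFSTest
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  enable_quotas "$2"
  set_limits "$2" "$3"
fi
```

Run it as root with `sh enable_quotas.sh --apply /home/user1/QuotaFSTest user1`; without --apply it only defines the functions, so `demo` can be used to preview the fstab change. The filter checks each option as a whole comma-separated word, so a mount line that already carries usrquota gains only grpquota and running the script twice does not duplicate options.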
Basically, /sbin/nologin displays a brief message and ends the session before you reach a command prompt. If desired, you can modify the message shown by creating the file /etc/nologin.txt and adding the desired text.
The /bin/false shell is a little more brutal. If this is set as a user account's default shell, there are no messages shown, and the user is just logged out of the system.
SYS_UID_
System accounts
Which of the following could be used to view the members of the NCC-1701 group? (Choose all that apply.)
getent group NCC-1701
grep NCC-1701 /etc/group
The global environment files consist of the following:
The /etc/profile file
Files within the /etc/profile.d/ directory
The /etc/bashrc or the /etc/bash.bashrc file
Active directives in the /etc/login.defs configuration file
grep -v ^$ /etc/login.defs | grep -v ^\#
useradd command
The command used to add a user account to the system.
Which of the following commands will allow you to switch temporarily from your account's default group to another group with whom you have membership?
The newgrp command
The newgrp command will let you switch temporarily from your account's default group to another group in which you have membership. Therefore, option B is the correct answer.
Which of the following will allow you to change an account's /etc/shadow file record data? (Choose all that apply.)
The passwd command
The usermod command
The userdel command
The chage command
Which of the following commands will display CPU load data along with information concerning users who are currently logged into the system?
The w command
To add a user to a new group or change the account's default group, the group must preexist.
This task is accomplished via the groupadd utility. The group's GID will be automatically set by the system, but you can override this default behavior with the -g command option.
A User Identification Number
UID_MIN
Which of the following are fields within a /etc/passwd file record? (Choose all that apply.)
User account's username
Password
UID
Deleting Accounts
Using userdel to delete an account: the most common option to use is the -r switch. This option will delete the account's home directory tree and any files within it. Files the account owned elsewhere on the system are left behind with an orphaned UID, which a later account could inherit; locate them with find / -nouser before reusing the UID.
Perusing Bash Parameters
You can view all the various environment variables set on your system via the set, env, and printenv commands
System accounts
are accounts that provide services (daemons) or perform special tasks, such as the root user account
Which of the following commands will allow you to view the NUhura account's record data in the /etc/passwd file? (Choose all that apply.)
cat /etc/passwd
grep NUhura /etc/passwd
getent passwd NUhura
You need to edit quota grace periods. Which of the following commands should you use?
edquota -t
The necessary /etc/fstab file modification is fairly simple. You just edit the file and add either usrquota or grpquota or both to the filesystem's mount options (fourth field). An example is shown in Listing 10.33.
$ grep /dev/sdb1 /etc/fstab
/dev/sdb1 /home/user1/QuotaFSTest ext4 defaults,usrquota,grpquota 0 0
The /etc/shadow File
holds the hashed account passwords, together with each account's password-aging data. Unlike /etc/passwd, it is readable only by root.
Using quotacheck to create user and group quota files
# quotacheck -cug /home/user1/QuotaFSTest
# ls /home/user1/QuotaFSTest
aquota.group  aquota.user  lost+found
A problem has occurred concerning group quotas on three filesystems. You need to quickly remove all filesystems' quota limits to temporarily resolve this issue. What is the best command to employ?
quotaoff -a
useradd -D
Displays the same information as /etc/default/useradd.
Maintaining Passwords
sudo passwd DAdams
* How to add a user to a group *
sudo usermod -aG Project42 DAdams
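The commands from the last two sections combined into one provisioning script, together with a small parser for the lock marker that passwd -l and usermod -L write into /etc/shadow. This is an added example and not code from the book; the comment field "Douglas Adams", the /bin/bash shell, the 90-day/7-day aging values, and the use of openssl to draw a temporary password are assumptions for illustration, while the user DAdams and group Project42 are the page's own. The SAMPLE_* records are constructed shadow lines, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the book): create the DAdams account, set an initial
# password without useradd -p, add it to Project42 with usermod -aG, apply an
# aging policy with chage, and verify. The privileged steps run only with
# --apply; shadow_state is a pure parser and safe to call anywhere.

# Classify the password field (2nd) of one /etc/shadow record the way
# passwd -l, usermod -L, useradd and system accounts leave it:
#   locked  - starts with "!" (the lock prefix; the original hash follows it)
#   nopass  - empty or "!!" (no password has ever been set)
#   nologin - "*" (password authentication disabled outright)
#   set     - a usable hash
shadow_state() {
  rest=${1#*:}          # drop the username
  field=${rest%%:*}     # keep everything up to the next colon
  case "$field" in
    ''|'!!') echo nopass ;;
    '*')     echo nologin ;;
    '!'*)    echo locked ;;
    *)       echo set ;;
  esac
}

# Constructed sample records (not from a real system).
SAMPLE_SET='DAdams:$6$salt$hash:19000:0:99999:7:::'
SAMPLE_LOCKED='DAdams:!$6$salt$hash:19000:0:99999:7:::'
SAMPLE_SYSTEM='bin:*:18000:0:99999:7:::'
SAMPLE_NEW='NUhura:!!:19000:0:99999:7:::'

provision_user() {
  user="$1"; group="$2"
  getent group "$group" >/dev/null || groupadd "$group"
  useradd -m -c "Douglas Adams" -s /bin/bash "$user"
  # Feed the initial password to chpasswd on stdin: unlike useradd -p it never
  # appears in the process list or the shell history. Print it once for
  # handover and force a change at first login with passwd -e.
  tmp=$(openssl rand -base64 12)
  printf '%s:%s\n' "$user" "$tmp" | chpasswd
  passwd -e "$user"
  echo "initial password for $user: $tmp"
  # -a appends; without it -G would replace every supplementary group.
  # The new membership applies only to sessions started after this point.
  usermod -aG "$group" "$user"
  chage -M 90 -W 7 "$user"                   # change every 90 days, warn 7 before
  id -nG "$user"                             # expect: DAdams Project42
  passwd -S "$user"
  shadow_state "$(getent shadow "$user")"    # expect: set
}

# Lock an account so that neither password nor SSH-key logins get through: the
# "!" prefix stops password checks, and an expiration date in the past makes
# the account check fail for every authentication method.
disable_user() {
  usermod -L -e 1970-01-02 "$1"
  shadow_state "$(getent shadow "$1")"       # expect: locked
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  provision_user DAdams Project42
fi
```

Run `sh provision.sh --apply` as root to create the account; `disable_user DAdams` is there for the offboarding step. The parser treats "!!" and an empty field as "no password set" before it tests for the single "!" lock prefix, since "!!" is what useradd writes on Red Hat-style systems for an account that has never had a password.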
Once you have the /etc/fstab file modified, if the filesystem is already mounted, you will need to unmount it via the umount command. You then mount or remount the filesystem using the mount -a command, which will mount any unmounted filesystems listed in the /etc/fstab file (except those marked noauto). An example is shown in Listing 10.34.
# umount /dev/sdb1
# mount -a
# mount | grep /dev/sdb1
/dev/sdb1 on /home/user1/QuotaFSTest type ext4 (rw,relatime,seclabel,quota,usrquota,grpquota,data=ordered)
Modifying Accounts
usermod
Which of the following are options used in the /etc/fstab file to designate a filesystem as one that uses quotas? (Choose all that apply.)
usrquota
grpquota