7. Users and Groups
You need to identify which user accounts on the Linux system have encrypted passwords. Which character in the password field of the /etc/shadow file indicates that an encrypted password is set for the user account?
$
The $ preceding the password identifies the password as an encrypted entry. The following example indicates that the user account has an encrypted password:
pclark:$ab7Y56gu9bs:12567:0:99999:7:::
Be aware of the following details about the /etc/shadow file:
> Using the /etc/shadow file to separate usernames from passwords increases the security of the user passwords.
> Each entry corresponds to a user account, and each entry contains multiple fields, with each field separated by a colon.
gpasswd
Changes a group password. Be aware of the following:
> gpasswd groupname prompts for a new password.
> -r removes a group password.
e.g. gpasswd sales prompts for a new group password.
Managing Groups
Groups can be very helpful when managing users. For example, security permissions can be added to a group, which grants these permissions to all users in the group. If permissions need to be changed, they can be changed on the group instead of needing to change them for each individual user in the group. The following table lists the most common commands and options used when managing group accounts and group membership.
7.2.9 Change a User's Password
Salman Chawla (schawla) forgot his password and needs access to the resources on his computer. You are logged on as wadams. The password for the root account is 1worm4b8.
In this lab, your task is to:
> Change the password for the schawla user account to G20oly04 (0 is a zero).
> Make sure the password is encrypted in the shadow file. Do not use the usermod -p command to change the password, as this stores the unencrypted version of the password in the /etc/shadow file.
Complete this lab as follows:
> At the prompt, type su -c "passwd schawla" and press Enter.
> Type 1worm4b8 and press Enter for the root user password.
> Type G20oly04 and press Enter for the new password for the schawla user account.
> Type G20oly04 again to confirm the new password and press Enter.
Shadow
Shadow files, such as the /etc/shadow file, hold passwords and password expiration information for user accounts. The /etc/gshadow file holds passwords for groups.
/etc/default/useradd
The /etc/default/useradd file contains default values used by the useradd utility when creating a user account, including:
> Group ID
> Home directory
> Account expiration
> Default shell
> Secondary group membership
> Skeleton directory
7.3.3 Group Management Facts
This lesson covers the following topic: Managing groups
7.2.4 User Management Facts
This lesson covers the following topics:
> Managing users and passwords
> User account management files
> Troubleshooting user access
7.1.4 User and Group Facts
This lesson covers the following topics:
> User groups and types
> User and group databases
> Commands for managing password file entries
You need to change the default home directory value, which is used by the useradd utility when creating a user account. What is the full path and filename of the file you should edit?
/etc/default/useradd
The /etc/default/useradd file contains default values used by the useradd utility when creating a user account, including:
> Group ID
> Home directory
> Account expiration
> Default shell
> Secondary group membership
A file contains the following entry:
sales:x:1001:pclark,mmckay,hsamson
Which of the following files contains similar entries?
/etc/group
/etc/passwd
/etc/gshadow
/etc/shadow
/etc/group
The following line is a sample entry in the /etc/group file:
sales:x:1001:pclark,mmckay,hsamson
The /etc/group file holds group information, including the group name, group password, group ID, and group membership information. Be aware of the following details:
> Each entry in the group file identifies a group.
> Each entry contains multiple fields, and fields are separated by colons.
Group
A collection of users that can be used to help manage users, such as by assigning and revoking permissions to files and directories.
Shadow files
A system file in which encrypted user passwords are stored.
Commands for Managing Password File Entries
Additional commands for managing file entries include the following:
User Account Management Files
Be aware of the following configuration files when managing user accounts:
7.1.7 Practice Questions
CIST 2431
7.2.11 Practice Questions
CIST 2431
7.3.10 Practice Questions
CIST 2431
groups
Displays the primary and secondary group membership for the specified user account.
e.g. groups pmaxwell displays group membership for the pmaxwell account.
*The command options listed here are not applicable to every distribution of Linux. Consult the man pages for the options that are supported by the Linux distribution you are using.
Primary group
Primary groups (also called the private group) are created by default on most Linux distributions when a standard user is created and are used to manage access to files and directories.
/etc/login.defs
The /etc/login.defs file defines:
> Values used to define allowed group and user ID numbers.
> Protocols to be used for password encryption in the shadow file.
> Password aging values for user accounts.
> The path to the default mailbox directory.
> Whether a home directory should be created by default.
/etc/skel
The /etc/skel directory contains a set of configuration file templates that are copied into a new user's home directory when it is created, including the following files:
> .bashrc
> .bash_logout
> .bash_profile
> .kshrc
The following table explains the files where user and group databases are stored.
The following line is a sample entry in the /etc/shadow file:
lclark:$ab7Y56gu9bs:12567:0:99999:7:::
What does the second field represent?
The user's unencrypted password.
The user's UID number.
The user's GUID number.
The user's encrypted password.
The user's encrypted password.
The second field in this example identifies the user lclark's password. The $ at the beginning indicates the password has been encrypted. The following apply to the password field:
> $ preceding the password identifies the password as an encrypted entry.
> ! or !! indicates that the account is locked and cannot be used to log in.
> * indicates a system account entry and cannot be used to log in.
In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
!
! or !! in the password field of /etc/shadow indicates the account is locked and cannot be used to log in. The /etc/shadow file holds passwords and password expiration information for user accounts.
> $ preceding the password identifies the password as an encrypted entry.
> * indicates a system user account entry (which cannot be used to log in).
In the /etc/shadow file, which character in the password field indicates that the password is an encrypted entry?
!
$
!!
*
$
In the password field of the /etc/shadow file, $ preceding the password identifies the password as an encrypted entry. The /etc/shadow file holds passwords and password expiration information for user accounts.
> ! or !! indicates that the account is locked and cannot be used to log in.
> * indicates a system user account entry (which cannot be used to log in).
Which useradd option displays the default values specified in the /etc/default/useradd file?
-D
useradd -D displays the default values specified in the /etc/default/useradd file. The /etc/default/useradd file contains default values used by the useradd utility when creating a user account. useradd creates new user accounts. The following options override the settings as found in /etc/default/useradd:
> -c adds a description for the account in the GECOS field of /etc/passwd.
> -d assigns an absolute pathname to a custom home directory location.
> -e specifies the date on which the user account will be disabled.
> -f specifies the number of days after a password expires until the account is permanently disabled.
> -g defines the primary group membership.
> -G defines the secondary group membership.
> -M does not create the user's home directory.
> -m creates the user's home directory (if it does not exist).
> -n, -N does not create a group with the same name as the user (Red Hat and Fedora, respectively).
> -p defines the encrypted password.
> -r specifies the user account is a system user.
> -s defines the default shell.
> -u assigns the user a custom UID. This is useful when assigning ownership of files and directories to a different user.
What is the full path to the directory that contains a set of configuration file templates that are copied into a new user's home directory when it is created?
/etc/skel
The /etc/skel directory contains a set of configuration file templates that are copied into a new user's home directory when it is created, including the following files:
> .bashrc
> .bash_logout
> .bash_profile
> .kshrc
During installation, you must create a root user account for the system. Which of the following user account numbers does this account use?
0
1
10
100
0
The root user has an account number of 0 and belongs to group 1.
During a Fedora distribution installation, you choose to add a regular user account. The only other user that has been added to the system was root. Which of the following user IDs is MOST likely to be associated with the new user?
0
1
2
101
400
1000
1000
On Fedora (and in most modern distributions of Linux), accounts below 100 or 500 are used for system accounts, and user accounts begin with 1000.
Given this entry in the /etc/passwd file:
pmallory:x:1001:1050:Paul Mallory:/home/pmallory:/bin/bash
Which of the following is the user ID associated with this entry?
1001
pmallory
1050
x
1001
The user ID (UID) is in the third field of the line for the user. In this question, that value is 1001. The format for the /etc/passwd file is as follows:
name:password:UID:GID:GECOS:homedirectory:shell
(GECOS is a field that allows a text description of the user account.)
Local Access
> Verify that the username and password being entered are correct. When doing this, ensure that the proper capitalization for both the name and password is being used, since both are case sensitive.
> From a shell prompt (terminal), verify that the user's account has not been locked and that a password has been assigned by typing: sudo grep username /etc/shadow
Example: sudo grep mary /etc/shadow
Result: mary:!!$6$OLrJmRgu$4hiY8jehfAAZ1m3v4T4/OWkJjIJ6XHYaRErwrhGnY5/eXH2ba6XjrL11/:17940:0::7:::
The account is locked if there are two exclamation marks (!!) after the user name. If this is the case, and you know the account should not be locked, use this command to unlock the account: passwd -u username
If there are two exclamation marks, but no encrypted password, a password will need to be assigned (see the passwd command above).
> In some cases, the graphical user interface (GUI) may have issues (such as a broken graphics driver) preventing a user from logging in. In this case, open a tty session and test a no-GUI login:
- To access a tty login, press Ctrl + Alt + F# (where # is some number, typically 2-9).
- From the tty prompt, try logging in using the user's account and password. If the login is unsuccessful, take the proper steps to troubleshoot the GUI.
Managing Users and Passwords
Although it is possible to manage user accounts by manually editing the /etc/passwd and /etc/shadow files, doing so can disable your system if it is not done properly. The best practice is to manage user accounts using the graphical user interface (GUI) tools or by using commands from the shell prompt as follows:
7.2 User Management
As you study this section, answer the following questions:
> Which directory contains configuration file templates that are copied into a new user's home directory?
> When using useradd to create a new user account, which default values are used to create the user account?
> How can you view all the default values in the /etc/default/useradd file?
> What is the purpose of the /etc/login.defs file?
> How would you create a user using useradd without using the default values in the /etc/default/useradd file?
> At the shell prompt, how do you create a password for a user?
> What does it mean if a user account is locked?
> Which command deletes a user and their home directory at the same time?
In this section, you will learn to:
> Create, rename, lock, and unlock a user account.
> Change a user's password.
> Rename or remove a user account.
Key terms for this section include the following:
7.1 User and Group Overview
As you study this section, answer the following questions:
> Which file stores user accounts?
> Which file contains the passwords for each user account?
> What are the differences between standard user accounts and system user accounts?
> What is the default primary group for each user?
> How can you determine whether a user account is locked?
In this section, you will learn to:
> View the user account information in the /etc/passwd file.
> View the group membership information in the /etc/group file.
Key terms for this section include the following:
7.3 Group Management
As you study this section, answer the following questions:
> Which usermod option changes the secondary group membership?
> Which command removes all secondary group memberships for specific user accounts?
> How can you display the primary and secondary group membership for a single user?
> Which groupmod option changes the group's name?
In this section, you will learn to:
> Rename and create groups.
> Add users to a group.
> Add a user to additional groups.
> Delete groups and users.
> Remove a user from a group.
> Remove a user from all groups.
Key terms for this section include the following:
passwd
Assigns or changes a password for a user.
> passwd (without a username or options) changes the current user's password.
> Users can change their own passwords. The root user can execute all other passwd commands.
Be aware of the following options:
> -S username displays the status of the user account.
- LK indicates that the user account is locked.
- PS indicates that the user account has a password.
> -l disables (locks) an account. This command inserts a !! before the password in the /etc/shadow file, effectively disabling the account.
> -u enables (unlocks) an account.
> -d removes the password from an account.
> -n sets the minimum number of days a password exists before it can be changed.
> -x sets the number of days before a user must change the password (password expiration time).
> -w sets the number of days before the password expires that the user is warned.
> -i sets the number of days following the password expiration that the account will be disabled.
e.g.
> passwd jsmith changes the password for the jsmith account.
> passwd -d jsmith removes the password from the jsmith account.
> passwd -x 40 jsmith requires jsmith to change his password every 40 days.
> passwd -n 10 jsmith means that jsmith cannot change his password for 10 days following the most recent change.
> passwd -w 2 jsmith means that jsmith will be warned 2 days before his password expires.
> passwd -i 7 jsmith disables the jsmith account after 7 days if the password is not changed.
> passwd -l jsmith locks the jsmith account.
> passwd -u jsmith unlocks the jsmith account.
Troubleshooting User Access
At times, a user may have difficulties logging into a system. When this happens, the following may be helpful:
7.2.6 Rename a User Account
Brenda Cassini (bcassini) has recently married. You need to update her user account to reflect her new last name.
In this lab, your task is to use the usermod command to complete the following:
> Rename the user account to bpalmer. Use the -l switch followed by the new account name.
> Change the comment field to read Brenda Palmer. Use the -c switch followed by the new comment in quotes.
> Change the home directory to /home/bpalmer, moving the contents of the old home directory to the new location. Use the -d switch followed by the home directory path and then the -m switch to move the contents to the new location.
> When you're finished, view the /etc/passwd file and /home directory to verify the modification.
Complete this lab as follows:
> At the prompt, type usermod -c "Brenda Palmer" -d /home/bpalmer -m -l bpalmer bcassini and press Enter.
> Type cat /etc/passwd and press Enter.
> Type ls /home and press Enter to verify that the account was modified.
newgrp
Changes your current or real group ID to the group ID specified in the command. As long as the user knows the group password, this lets a user switch to a different group without being added to the group. Typing exit removes the user from the group. e.g. newgrp sales logs the user into the group named sales after being prompted for the sales group password.
7.3.8 Remove a User from a Group
Corey Flynn (cflynn) currently belongs to several groups. Due to some recent restructuring, he no longer needs to be a member of the hr group. To preserve existing group membership, use the usermod -G command listing all groups to which the user must belong. Do not include the primary group name in the list of groups.
In this lab, your task is to:
> Remove cflynn from the hr group.
> Preserve all other group memberships.
> View the /etc/group file or use the groups command to verify the changes.
Complete this lab as follows:
> At the prompt, type groups cflynn and press Enter to view a list of all groups to which the user belongs. You will see that cflynn currently belongs to the mgmt1, it, and hr secondary groups. The cflynn group is the user's primary group.
> Type usermod -G mgmt1,it cflynn and press Enter to change group membership.
> Type groups cflynn and press Enter to verify the user account's group membership.
groupadd
Creates a new group. The following options override the settings found in /etc/login.defs:
> -g defines the group ID (GID).
> -p defines the group password.
> -r creates a system group.
e.g. groupadd sales creates the sales group.
useradd
Creates a user account. The following options override the settings found in /etc/default/useradd:
> -c adds text for the account in the description field of /etc/passwd. This option is commonly used to specify the user's full name.
> -d assigns an absolute pathname to a custom home directory location.
> -D displays the default values specified in the /etc/default/useradd file.
> -e specifies the date on which the user account will be disabled.
> -f specifies the number of days after a password expires until the account is permanently disabled.
> -g defines the primary group membership.
> -G defines the secondary group membership.
> -M does not create the user's home directory.
> -m creates the user's home directory (if it does not exist).
> -n, -N does not create a group with the same name as the user (Red Hat and Fedora, respectively).
> -p defines the encrypted password.
> -r specifies that the user account is a system user.
> -s defines the default shell.
> -u assigns the user a custom UID. This is useful when assigning ownership of files and directories to a different user.
e.g.
> useradd pmaxwell creates the pmaxwell user account.
> useradd -c "Paul Morril" pmorril creates the pmorril account with a comment.
> useradd -d /tmpusr/sales1 sales1 creates the sales1 user account with the home directory located at /tmpusr/sales1.
> useradd -u 789 dphilips creates the dphilips account with user ID 789.
The graphics driver was recently updated on a system. Now, the graphical user interface (GUI) is not displaying, preventing the user from logging in. You need to access the system locally to log in. Which of the following commands will access the virtual terminal tty2?
Ctrl+Alt+F2
tty
echo tty2
ssh localhost tty
Ctrl+Alt+F2
On most Linux systems, tty2 can be accessed using Ctrl+Alt+F2. ssh localhost tty will not access tty2, but returns "Not a tty." tty will display "/dev/pts/0". echo tty2 will display the text "tty2" and does not provide access to the virtual terminal tty2.
7.3.4 Rename and Create Groups
Currently, all the sales people in your company belong to a group called sales. The VP of sales wants two sales groups, a western sales division and an eastern sales division.
In this lab, your task is to:
> Rename the sales group to western_sales_division.
> Create the eastern_sales_division group.
> Remove aespinoza as a member of the western_sales_division group.
> Assign aespinoza as a member of the eastern_sales_division group.
> When you're finished, view the /etc/group file or use the groups command to verify the changes.
Complete this lab as follows:
> At the prompt, type groupmod -n western_sales_division sales and press Enter to rename the sales group to western_sales_division.
> Type groupadd eastern_sales_division and press Enter to create the eastern_sales_division group.
> Type usermod -G eastern_sales_division aespinoza and press Enter to modify group membership. When you assign aespinoza to the eastern_sales_division group with the usermod -G option, the user account is removed from the western_sales_division group.
> Use cat /etc/group or groups aespinoza to verify aespinoza's group membership.
groupdel
Deletes a group. e.g. groupdel mktg deletes the mktg group.
7.2.10 Lock and Unlock User Accounts
Every seven years, your company provides a 6-week sabbatical for every employee. Vera Edwards (vedwards), Corey Flynn (cflynn), and Bhumika Kahn (bkahn) are leaving today, while Maggie Brown (mbrown), Brenda Cassini (bcassini), and Arturo Espinoza (aespinoza) are just returning. The company security policy mandates that user accounts for employees gone for longer than two weeks be disabled.
In this lab, your task is to complete the following:
> Lock the following user accounts: vedwards, cflynn, bkahn
> Unlock the following user accounts: mbrown, bcassini, aespinoza
> When you're finished, view the /etc/shadow file to verify the changes.
Complete this lab as follows:
> At the prompt, type usermod -L vedwards or passwd -l vedwards and press Enter to lock the user account.
> Type usermod -L cflynn or passwd -l cflynn and press Enter to lock the user account.
> Type usermod -L bkahn or passwd -l bkahn and press Enter to lock the user account.
> Type usermod -U mbrown or passwd -u mbrown and press Enter to unlock the user account.
> Type usermod -U bcassini or passwd -u bcassini and press Enter to unlock the user account.
> Type usermod -U aespinoza or passwd -u aespinoza and press Enter to unlock the user account.
> Type cat /etc/shadow to verify the changes. An exclamation point (!) at the start of the password field indicates that the account is disabled.
7.3.7 Delete a Group and Users
Linda Blaine (lblaine) and Rhonda Conger (rconger) are temporary employees who were auditing your organization's financial documents. Their user accounts are members of the auditors group. They have completed their work and have moved on to new assignments. You need to remove their user accounts, home directories, and the auditors group from the system.
In this lab, your task is to:
> Delete the following user accounts and their corresponding home directories: lblaine, rconger
> Delete the auditors group.
> View the /etc/group file to verify the changes.
Complete this lab as follows:
> At the prompt, type userdel -r lblaine and press Enter to delete the lblaine user account and home directory. The inclusion of the -r switch removes the home directory.
> Type userdel -r rconger and press Enter to delete the rconger user account and home directory.
> Type groupdel auditors and press Enter to delete the auditors group.
> Type cat /etc/group and press Enter.
> Type ls /home and press Enter to verify the changes.
7.3.5 Add Users to a Group
Maggie Brown (mbrown) and Corey Flynn (cflynn) have recently been hired in the Human Resources department. You have already created their user accounts.
In this lab, your task is to complete the following:
> Add the hr group as a secondary group for the mbrown and cflynn user accounts.
> When you're finished, view the /etc/group file or use the groups command to verify the changes.
The -g switch with the usermod command sets the primary group membership, not the secondary group membership.
Complete this lab as follows:
> At the prompt, type usermod -G hr mbrown and press Enter to make mbrown a member of the hr group.
> Type usermod -G hr cflynn and press Enter to make cflynn a member of the hr group.
> Type groups mbrown and press Enter to verify mbrown's group membership.
> Type groups cflynn and press Enter to verify cflynn's group membership.
groupmod
Modifies a group definition. groupmod options include:
> -n changes the name of a group.
> -A adds specified users to the group (not available on all distributions).
> -R removes specified users from the group (not available on all distributions).
e.g.
> groupmod -n sales2 sales renames the sales group to sales2.
> groupmod -R rsem sales removes the rsem account from the sales group.
usermod
Modifies an existing user account. usermod uses several of the same switches as useradd. Be aware of the following switches:
> -a appends the user to the supplementary groups specified with the -G option.
> -c changes the description for the account. This is usually used to modify the user's full name.
> -d home_dir assigns the user a new home directory. If -d is used with the -m option, the contents of the user's current home directory will be moved to the new home directory.
> -e date specifies the date when the account will be disabled.
> -f specifies the number of days after a password expires until the account is permanently disabled.
> -g specifies the primary group membership.
> -G specifies the secondary group membership. This option is usually used in conjunction with the -a option. If you don't use the -a option, then -G will overwrite all existing supplementary group memberships.
> -l renames a user account. When renaming the account:
- Use -d to rename the home directory.
- Use -m to move all files from the existing home directory to the new home directory.
> -L locks the user account. This command inserts a ! before the password in the /etc/shadow file, effectively disabling the account.
> -m moves the contents of the user's home directory to the new location specified by the -d option.
> -p password assigns the specified encrypted password to the account.
> -s shell sets the user's default login shell.
> -u UID assigns a new user ID number.
> -U unlocks the user account.
e.g.
> usermod -c "Paul Morril" pmorril changes the comment field for user pmorril.
> usermod -l esmith -d /home/esmith -m ejones renames the ejones account to esmith, renames the home directory, and moves the old home directory contents to the new location.
> usermod -s /bin/tcsh esmith points the shell for esmith to /bin/tcsh.
> usermod -U esmith unlocks the esmith account.
usermod
Modifies group membership for the user account. Be aware of the following options:
> -g assigns a user to a primary group.
> -G assigns a user to a secondary group (or groups). Follow the command with a comma-separated list of groups. If the user already belongs to any secondary groups, the user will be removed from those groups if the groups are not in the list.
> -aG assigns a user to a secondary group (or groups) by appending them to any groups the user already belongs to. Follow the command with a comma-separated list of groups.
> -G "" removes the user from all secondary group memberships. Do not include a space between the quotes.
e.g.
> usermod -g pmaxwell pmaxwell assigns primary group membership for user pmaxwell to the pmaxwell group.
> usermod -G sales,mktg pmorril removes all existing secondary group assignments for pmorril and makes the user account a member of the sales and mktg groups.
> usermod -aG acct,prod pmorril keeps existing secondary group assignments for pmorril intact and makes the user account a member of the acct and prod groups.
> usermod -G "" pmaxwell removes pmaxwell from all secondary groups.
Primary group
Primary groups (also called the private group) are created by default on most Linux distributions when a standard user is created and are used to manage access to files and directories. Primary groups:
> Have the corresponding user as the only member.
> Are automatically assigned as the owner of files and directories when they are created in the file system.
> Are similar to any other group. The only difference is that the group is identified as the primary group in the user account's configuration.
Remote Access
Remote access can be accomplished using a variety of methods. For the purpose of this lesson, troubleshooting remote access will be limited to connecting using Secure Shell (ssh). When creating a remote connection, you can use the ssh command from a Linux computer or use a utility, such as PuTTY, on a Windows computer. When your connection attempt fails, consider the following:
> Verify that the hostname is properly spelled or, if you are using an IP address, that the IP address is correct.
> Verify that you can resolve the hostname or IP address from your client machine using the ping command. If the ping command fails, your issue is probably a network issue and not ssh.
Example: ping mywks or ping 192.168.1.25
> Verify that your network supports connectivity over the ssh port being used. For example, the default port of 22 may be blocked.
> Verify that a firewall is not blocking your connection or the desired port.
> Verify that the ssh daemon is enabled and running (and bound to the correct port).
- To see if the daemon is running, enter: sudo systemctl status sshd.service
Note that the name of your daemon may be different. The output will show you if the daemon is running and, if so, on what port it is listening.
- To see if the daemon exists, run: sudo systemctl list-unit-files | grep ssh
Look for the ssh daemon, such as sshd.service. Verify that the daemon is enabled. If needed, enable the daemon and start the daemon as follows:
systemctl enable daemon_name
systemctl start daemon_name
- If the port is incorrect, make the applicable changes in the /etc/ssh/sshd_config file.
userdel
Removes the user from the system. Be aware of the following options:
> userdel username (without options) removes the user account.
> -r removes the user's home directory.
> -f forces the removal of the user account even when the user is logged into the system.
e.g.
> userdel pmaxwell deletes the pmaxwell account while leaving the home directory on the hard drive.
> userdel -r pmorril removes both the account and the home directory.
7.3.9 Remove a User from All Groups
Salman Chawla (schawla) is no longer part of the sales team and is waiting to be assigned a new position. In the meantime, you do not want him to have access to sales resources.
In this lab, your task is to:
> Remove the schawla user from all secondary group memberships.
> View the /etc/group file to verify the changes.
Complete this lab as follows:
> At the prompt, type usermod -G "" schawla and press Enter to remove the user from all groups. Do not include a space between the quotes.
> Type cat /etc/group or groups schawla to verify the changes.
Secondary group
Secondary groups are also used to manage access to files and directories.
Secondary group
Secondary groups are also used to manage access to files and directories. Secondary groups:
> Are not automatically assigned user accounts as members.
> Receive their membership as assigned by the system administrator.
Standard user
Standard user accounts can log into the system.
Standard user
Standard user accounts can log into the system. Standard user accounts:
> Have friendly usernames (such as Mary or bkaun). An administrator must create the usernames.
> Have an ID of 500 or more (on some distributions) or 1000 or more (on other distributions). The ID is automatically assigned by the system when the account is created.
A user type has the following qualities:
> Created by default during the Linux installation
> Used by the system for specific roles
> Not used to log into the system
Which of the following user types has these qualities?
Standard user
Guest user
Root user
System or service user
System or service user A system or service user is created by default during the Linux installation and used by the system for specific roles. A standard user account can log into the system. A root user can log into the system and perform administrative tasks. A guest user account is not created on a Linux system. Other operating systems, such as Windows, create a guest account that can log in to the system.
System or service user
System user accounts (also called service user accounts) are created by default during the Linux installation and are used by the system for specific roles.
System or service accounts
System user accounts (also called service user accounts) are created by default during the Linux installation and are used by the system for specific roles. System user accounts: > Have names that correspond with their roles, such as ftp and mail. > Cannot be used to log into the system. > Have an ID of 500 or less (on some distributions) or 1000 or less (on other distributions). The ID is automatically assigned by the system when the account is created. *The root user account is created by default and has a UID of 0; however, it can be used to log into a system and perform tasks.
7.2.7 Delete a User
Terry Haslam (thaslam) was dismissed from the organization. His colleagues have harvested the files they need from his home and other directories. Your company security policy states that upon dismissal, user accounts should be removed in their entirety. In this lab, your task is to: Remove the thaslam user account and the home directory from the system. The -r switch removes the home directory when the user is also removed. When you're finished, view the /etc/passwd file and /home directory to verify the account's removal. Complete this lab as follows: > At the prompt, type userdel -r thaslam and press Enter to remove the user account and the home directory. > Type cat /etc/passwd and press Enter. > Type ls /home and press Enter to verify that the account was removed.
/etc/group
The /etc/group file holds group information including the group name, GID, and group membership information. Be aware of the following details: > Each entry identifies a group. > Each entry contains multiple fields, with each field separated by a colon. The following line is a sample entry in the /etc/group file: sales:x:510:pclark,mmckay,hsamson The fields within this line are as follows: > Group name. > Group password. An x indicates the group passwords are contained in the /etc/gshadow file. > Group ID. > Group members (contains a comma-separated list of user accounts that are members of the group).
/etc/gshadow
The /etc/gshadow file holds passwords for groups. Be aware of the following details: > Like the /etc/group file, each line corresponds to a group. > Each line consists of fields separated by colons. The following line is a sample entry in the /etc/gshadow file: sales:!:pclark:pclark,mmckay,hsamson The fields within this line are as follows: > Group name. > Group password. The group password allows users to add themselves as members of the account. - If the field contains a single exclamation point (!), the group account cannot be accessed using the password. - If the field contains a double exclamation point (!!), no password has been assigned to the group account (and it cannot be accessed using the password). - If there is no value, only group members can log in to the group account. > Administrators. Contains a comma-separated list of users who have authorization to administer the account. > Group members. Contains a comma-separated list of user accounts that are members of the group.
/etc/passwd
The /etc/passwd file holds user account information. Be aware of the following details: > Each entry identifies a user account. > Each entry contains multiple fields, with each field separated by a colon. The following line is a sample entry in the /etc/passwd file: pclark:x:501:501:Petunia Clark:/home/pclark:/bin/bash The fields within this line are as follows: > User account name. > Password. An x in the field indicates passwords are stored in the /etc/shadow file. > User ID number. > Primary group ID number (also known as the GID). > Description field. This field is typically used for the user's full name. > Path to the home directory. > Path to the default shell.
/etc/shadow
The /etc/shadow file holds passwords and password expiration information for user accounts. Be aware of the following details: > Using the /etc/shadow file to separate usernames from passwords increases the security of the user passwords. > Like the /etc/passwd file, each entry corresponds to a user account and each entry contains multiple fields, with each field separated by a colon. The following line is a sample entry in the /etc/shadow file: pclark:$ab7Y56gu9bs:12567:0:99999:7::: The fields within this line are as follows: > User account name. > Password. - $ preceding the password identifies the password as an encrypted entry. - ! or !! indicates that the account is locked and cannot be used to log in. - * indicates a system account entry and cannot be used to log in. > Last change. The date of the most recent password change measured in the number of days since 1 January 1970. > Minimum password age. The minimum number of days the user must wait before changing the password. > Maximum password age. The maximum number of days between password changes. > Password change warning. The number of days a user is warned before the password must be changed. > Grace logins. The number of days the user can log in without changing the password. > Disable time. The number of days since 1 January 1970, after which the account will be disabled.
7.2.5 Create a User Account
The VP of Marketing has told you that Paul Denunzio will join the company as a market analyst in two weeks. You need to create a new user account for him. In this lab, your task is to complete the following: Create the pdenunzio user account. Include the full name, Paul Denunzio, as a comment for the user account. Set eye8cereal as the password for the user account. When you're finished, view the /etc/passwd file to verify the creation of the account. Complete this lab as follows: > At the prompt, type useradd -c "Paul Denunzio" pdenunzio and press Enter to create the user and set the comment in a single command. > Type passwd pdenunzio and press Enter. > Type eye8cereal as the password and press Enter. > Retype eye8cereal as the password and press Enter. > Type cat /etc/passwd and press Enter to verify that the account was created.
7.3.6 Add a User to Additional Groups
The VP of sales promoted Salman Chawla (schawla) to regional sales director. Now Salman needs the rights and permissions assigned to the mgmt2 and hr groups. You are logged on as root. When assigning group membership, remember that: When you use the usermod -G command to assign group membership, the user account is removed from all existing secondary groups before being added to the groups specified with the usermod command. When you use the usermod -aG command to assign group membership, the new group is appended to the list of existing secondary groups the user belongs to. In this lab, your task is to: Identify all the groups that the schawla user belongs to. Add mgmt2 and hr as secondary groups to the schawla user, but make sure the user is still a member of all current groups. When you're finished, view the /etc/group file to verify the changes. Complete this lab as follows: > At the prompt, type groups schawla and press Enter to view a list of all groups the user belongs to. You will see that schawla currently belongs to the mgmt1 and sales groups. The schawla group is the user's primary group. > Type usermod -aG mgmt2,hr schawla and press Enter to add hr and mgmt2 to the secondary group memberships for the schawla user account. > Type cat /etc/group or groups schawla and press Enter to verify the changes.
You are viewing the /etc/passwd file, and you notice the following entry: pclark:x:1001:1001:Petunia Clark:/home/pclark:/bin/bash What statement BEST describes this entry? The pclark user account has not set a password. The pclark user account is locked. The pclark password is stored in the /etc/shadow file. The pclark password is the letter x.
The pclark password is stored in the /etc/shadow file. In this case, the x in the password field indicates that the pclark password is stored in the /etc/shadow file. The /etc/shadow file holds passwords and password expiration information for user accounts. The /etc/passwd file holds user account information. Be aware of the following details: Each entry identifies a user account. Each entry contains multiple fields, with each field separated by a colon. Be aware of the following details about the /etc/shadow file: Using the /etc/shadow file to separate usernames from passwords increases the security of the users' passwords. Each entry corresponds to a user account, and each entry contains multiple fields separated by colons. An x in the password field does not indicate whether the password has been set for the user. An !, !!, or * in the password field of the /etc/shadow indicates that the corresponding user account is locked and cannot be used to log in.
pwconv
The pwconv command is used to move passwords from the less-secure /etc/passwd file to the more secure /etc/shadow file. The opposite of this action can be done with the pwunconv command and will also remove the shadow file. Today, however, virtually all Linux distributions ship with shadow files enabled by default. The synchronization process is as follows: > The entries in the shadowed file that do not exist in the passwd file are removed. > The shadowed entries that don't have x as the password in the passwd file are updated. > Any missing shadowed entries are added. > Passwords found in the passwd file are replaced with x.
What would be the outcome of the following command? userdel -r jjones The user account, jjones, would be deleted, but jjones's home directory would be left untouched. The user account, jjones, would be deleted along with jjones's home directory. The user account, jjones, would be deleted along with jjones's home directory and all files owned by jjones. The user jjones's home directory would be deleted, but the user account would still exist.
The user account, jjones, would be deleted along with jjones's home directory. The command userdel -r would delete the user account along with the user's home directory. Any other files owned by the user would remain untouched.
7.1.5 View User Account Information
Type cat /etc/passwd at the prompt to answer the following questions: What is the UID for the schawla user account? 509 What is the user's full name (GECOS field) for the rcronn user account? Robert Cronn What is the primary group ID for the ftp user account? 50 What is the path of the home directory for the root user account? /root Use cat /etc/passwd to view the contents of the passwd file. 509 is the user ID for the schawla user account. Robert Cronn is the user's full name (GECOS field) for the rcronn user account. 50 is the primary group ID for the ftp user account. /root is the home directory path for the root user account.
User Groups and Types
User accounts control the ability to log on to a system, access resources, and perform certain actions. Groups provide a way to group users for administrative purposes, such as assigning permissions to files. Be aware of the following types of users and groups:
pwck
Verifies the entries in the /etc/passwd and /etc/shadow files to ensure that they have the proper format and contain valid data. Errors are displayed on the screen, and entries may be deleted to solve the errors. For example, checks are made to verify that each entry has: > The correct number of fields > A unique and valid user name > A valid user and group identifier > A valid primary group > A valid home directory > A valid login shell
7.1.6 View Group Membership Information
View the /etc/group file. Type cat /etc/group at the prompt to answer the following questions: Which of the following user accounts is not a member of the mgmt1 group? bcasssini Which of the following users belongs to the devel group? mbrown What is the sales group's ID? 513 What is the name of the group with the ID 503? cflynn
7.2.8 Change Your Password
You use a special user account called administrator to log on to your computer; however, you think someone has learned your password. You are logged on as Administrator. In this lab, your task is to change your password to r8ting4str. The current administrator account uses 7hevn9jan as the password. As you type in the password, the cursor will not move. Continue entering the password anyway. Complete this lab as follows: > At the prompt, type passwd and press Enter. > When prompted, enter 7hevn9jan as the current password and press Enter. > At the New password prompt, enter r8ting4str and press Enter. > Retype r8ting4str as the new password and press Enter.
You are the administrator for a small company. You need to create a new group for users in the sales department. You need to name the group sales. Which command will accomplish this task? groupadd -r sales addgroup sales groupadd sales addgroup -x sales
groupadd sales Use groupadd to add a group to the system. By default, the group will be added with an incrementing number above those reserved for system accounts. If you use the -r option, it will add the account as a system account (with a reserved group ID number). Because this is a group that is created for users, the -r option should not be used.
You have a group named temp_sales on your system. The group is no longer needed, and you want to remove the group. Which of the following is the BEST command for accomplishing this task? groupmod -n temp_sales newgroup -R temp_sales groupmod -R temp_sales groupdel temp_sales
groupdel temp_sales Use groupdel to delete a group from the Linux system. newgroup logs the user in to a group with the group password, but does not have an -R option. groupmod modifies an existing group. Be aware of the following options: -A adds specified users to the group (SUSE distribution). -R removes specified users from the group (SUSE distribution). -n changes the name of a group.
Due to a merger with another company, standardization is now being imposed throughout the company. As a result of this, the sales group must be renamed marketing. Which of the following is the BEST command to use to rename the group? grpchange marketing sales grpconv marketing sales groupadd -c marketing sales groupmod -n marketing sales
groupmod -n marketing sales Use the groupmod utility to modify existing groups. Use the -n parameter to change the name of a group to a new text value. Use the groupadd utility to add new groups to the system. Use grpconv to add additional security to the group passwords.
What would you enter at the command prompt to display the primary and secondary group memberships for the gshant user account?
groups gshant groups gshant displays the primary and secondary group membership for the gshant user account. You could also use one of the following commands to display the group membership for only the gshant user account, but it will not be as concise as the output of the groups command. cat /etc/group | grep gshant tail /etc/group | grep gshant more /etc/group | grep gshant less /etc/group | grep gshant
You have been asked to temporarily fill in for an administrator who has just been fired. This administrator was known to have lax security standards, and you suspect that passwords are still kept in the /etc/passwd file. Which of the following entries within the passwd file would indicate that the passwords are stored there? adam:x:341:52:Adam Fox:/users/adam:/bin/bash eddie:x:100:100:://users/eddie: clifford:x:687:301:non secure user:/root: kolton:34uyx:431:0:Back Door:/root:/bin/bash
kolton:34uyx:431:0:Back Door:/root:/bin/bash The second field of the /etc/passwd file holds the password values. If the passwords are stored elsewhere (in /etc/shadow), then an x will appear in this field. If the values are stored in this file, then they will appear in the second field in hashed form.
You suspect that the gshant user account is locked. What should you enter at the command prompt to see the status of the gshant user account?
passwd -S gshant passwd -S gshant displays the status of the gshant user account. LK indicates the user account is locked. PS indicates the user account has a password. Viewing the /etc/shadow file will also display whether the user account is disabled. The second field for each entry in the /etc/passwd file is the password field: $ preceding the password identifies the password as an encrypted entry. ! or !! indicates that the account is locked and cannot be used to log in. * indicates a system account entry and cannot be used to log in.
You are an IT consultant for a small company. The company wants to increase the security of their small network. You want to move their passwords from the /etc/passwd file to the /etc/shadow file. Which of the following utilities will BEST accomplish this task? pwck shadow pwconv sync cp
pwconv Use the pwconv utility to move passwords from the less-secure /etc/passwd file to the more secure /etc/shadow file. You can execute the opposite of this action with the pwunconv utility. Today, however, virtually all Linux distributions ship with shadow files enabled by default. The cp command copies files and directories. The pwck command verifies entries in the passwd and shadow files. The shadow command manipulates the contents of the shadow password file. The sync command synchronizes cached writes to persistent storage.
You need to create a user account with the following parameters: Login name: pmorrill Comment: Paul Morrill Home directory: /home/pmorrill_temp UID: 683 Which of the following commands should you use? useradd -c "Paul Morrill" -d ~/pmorrill_temp -u 683 pmorrill useradd -c "Paul Morrill" -d /home/pmorrill_temp -u 683 pmorrill useradd pmorrill -c "Paul Morrill" -d /home/pmorrill_temp -u 683 useradd -d "Paul Morrill" -h /home/pmorrill_temp -u 683 pmorrill
useradd -c "Paul Morrill" -d /home/pmorrill_temp -u 683 pmorrill Use useradd -c "Paul Morrill" -d /home/pmorrill_temp -u 683 pmorrill to create a user account with these specific parameters: Login name: pmorrill Comment: Paul Morrill Home directory: /home/pmorrill_temp UID: 683 useradd creates new user accounts. Be aware of the following useradd options: -c adds a description for the account in the GECOS field of /etc/passwd. -d assigns an absolute pathname to a custom home directory location. -u assigns the user a custom UID. This is useful when assigning ownership of files and directories to a different user.
A user with an account name larry has just been terminated from the company. There is good reason to believe that the user will attempt to access and damage files in your system in the very near future. Which command below will disable or remove the user account from the system and remove his home directory? userdel -home larry userdel -r larry userdel -h larry userdel larry
userdel -r larry Use the userdel command to delete a user from /etc/passwd and related files that allow access. Use the -r option to simultaneously remove the home directory.
An employee named Bob Smith, whose username is bsmith, has left the company. Your supervisor has instructed you to delete his user account and home directory. Which of the following commands would produce the required outcome? (Select TWO). userdel bsmith;rm -rf /home/bsmith usermod -r bsmith userdel -h bsmith userdel -r bsmith userdel bsmith
userdel bsmith;rm -rf /home/bsmith userdel -r bsmith userdel -r will delete a user's home directory along with the user account. The command userdel by itself will not delete a user's home directory along with the user account. Executing rm -rf on the user's home directory after executing userdel would remove the home directory. userdel -h will display the syntax and options for the userdel command.
Which of the following utilities would you typically use to lock a user account? (Select TWO. Each answer represents an independent solution.) usermod useradd passwd userdel
usermod passwd Use the following utilities to lock a user account: passwd -l disables (locks) an account. This command inserts a !! before the password in the /etc/shadow file. usermod -L disables (locks) an account. This command inserts a ! before the password in the /etc/shadow file. useradd creates new user accounts, and userdel deletes user accounts from the system.
The user emcmann has been transferred from the accounts payable department. She was assigned to several secondary groups that gave her rights to sensitive files and systems. You need to remove her from all her current secondary groups right away. Enter the command that will remove emcmann from all secondary groups.
usermod -G "" emcmann usermod -G "" emcmann will remove emcmann from all secondary groups. The -G option can be used to assign a user to a secondary group while removing any other existing group memberships (unless you include the -a option). Using the quotes with no space between them assigns the user to no groups and removes any groups the user already belongs to.
You have just created the lsmith user account and need to assign this new user to the secondary groups admin and acct. Enter the command you would use to add lsmith to the admin and acct secondary groups.
usermod -G acct,admin lsmith To assign secondary group memberships to a user account, you use the usermod command with the -G option. You can assign more than one group at a time by separating the group names with a comma but no spaces. To add lsmith to both admin and acct, you could enter either of the following commands: usermod -G acct,admin lsmith usermod -G admin,acct lsmith
You have performed an audit and have found active accounts for employees who no longer work for the company. You want to disable those accounts. Which command example will disable a user account? usermod -d joer usermod -L joer usermod -l joer usermod -u joer
usermod -L joer Use usermod -L joer to lock the user's password, thereby disabling the account. usermod -l joer changes the account's login name. -d is used to change the account's home directory. -u changes the account's numeric ID.
You need to modify the group membership for the cjensen user to add the staff group to his list of secondary group memberships. He needs to keep his existing secondary group memberships. Which command option will add cjensen to the staff group without removing him from the other groups? usermod -ag staff cjensen usermod -aG staff cjensen usermod -a staff cjensen usermod -G staff cjensen
usermod -aG staff cjensen In order to append a new group to a user's secondary group memberships, you need to use the -a option along with the -G option. The -a option appends a group to a user's existing list of secondary group memberships. -a can only be used with -G, which is used to assign secondary group memberships. To append the staff group to the list of secondary groups cjensen already belongs to, you would use usermod -aG staff cjensen. The -a option cannot be used without the -G option. The -G option could be used to add cjensen to the staff group, but it would also remove his membership in the groups he already belongs to (unless you included all of the groups he already belongs to in the list of groups you are assigning). Using -ag would not work because -a can only be used with -G. The -g option changes a user's primary group membership.
One of your users, Karen Scott, has recently married, and is now Karen Jones. She has requested that her username be changed from kscott to kjones. Which of the following commands will accomplish this task without changing other values? usermod -u kscott kjones usermod -l kjones kscott usermod -u kjones kscott usermod -l kscott kjones
usermod -l kjones kscott Use the usermod utility to modify user settings. Use the -l flag to signal a change to the username. The correct syntax requires that the new username value be given followed by the old username. The -u flag changes the uid number.
A programmer named Brandon calls with an issue. He is currently using the C shell each time he logs in, but his manager has told him to start using the Bash shell. Which command will change brandon's shell to the desired setting? usermod brandon /bin/bash useradd brandon /bin/bash userchange -a brandon /bin/bash usermod -s /bin/bash brandon
usermod -s /bin/bash brandon Use the usermod utility to modify user settings. Use the -s flag to signal a change to the user's shell. The correct syntax requires the new shell value followed by the username.