User Management Basics

“User management” is a crucial part of a “Server Administrator’s” job.

I have compiled this document for Linux admins to give an overview of user management in Linux.

 

Please note that I have used CentOS or Red Hat Linux here. Each Linux flavour differs in the details; however, the basics are the same.



 

 

Important phases of “User Management”:

1.   Add Users

2.   Delete Users

 

 

I.     Add User

 

By default, when we add a user to a Linux machine, many steps happen inside the OS.

The major steps are:

1.   Entries get added to /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.

2.   The home directory gets created, and the default profile files (for eg. .bashrc, .bash_profile, etc.) get copied from /etc/skel to the user’s home directory.

3.   The mailbox (mail spool) gets created.

 

 

We will see each of these in detail, one by one.

Step 1: Entries in /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow:

 

a.           To add a user we use the “adduser” or “useradd” command. On CentOS/Red Hat, “adduser” is nothing but a symlink to “useradd”; both are located under the “/usr/sbin/” directory and can be executed by the “root” user only, since they write to /etc/passwd and /etc/shadow.

Usage               adduser USER_NAME

For eg.             adduser neelesh

 

 

When we add a user in Linux, an entry for the user gets added to “/etc/passwd” as given below:

        neelesh:x:500:500::/home/neelesh:/bin/bash

 

Please note that the fields are separated by ‘:’.

Description of fields in “/etc/passwd”:

 

First field           :           Login name of the user

Second field       :           Password hash (historically stored here; it is never the clear-text password)

Note: When shadowing is enabled (the default), this field always holds an “x”, which means the password hash is stored in the /etc/shadow file. If the “x” is deleted from the 2nd field of ‘/etc/passwd’, leaving it empty, pam_unix treats the user as having no password, and with the “nullok” option that CentOS ships in its PAM configuration the user can log in without a password. An empty 2nd field is therefore something to audit for.

Third field         :           User id (UID), which is unique to every user

Fourth field       :           Group id (GID) of the user’s primary group

Fifth field          :           Comments (GECOS), i.e. user-related info like Full Name, Office Address, Office No., Home No.

Sixth field          :           Home directory

Seventh field      :           Login shell

 

 

It also adds one entry to /etc/shadow:

 

neelesh:!:15121:0:99999:7:::

 

Please note that the fields are separated by ‘:’.

Description of fields in “/etc/shadow”:

First field           :           Login name of the user

Second field       :           Password hash (not clear text). “!” or “!!” means the account is locked; useradd writes this until a password is set. “*” means no password login is possible. An empty field means no password is required at all (see the nullok note above).

Third field         :           Number of days since January 1 1970 when the password was last changed. A value of 0 forces the user to change the password at the next login.

Fourth field       :           Minimum number of days that must pass before the password can be changed again

Fifth field          :           Maximum number of days for which the password stays valid

Sixth field          :           Number of days before expiry on which the user starts getting a warning

Seventh field      :           Number of days after the password has expired before the account is disabled (the inactive period)

Eighth field        :           Account expiration date, as days since 1 January 1970; an empty field means the account never expires

Ninth field         :           Reserved field

 

 

b.           Providing a password to the user:

After using “adduser / useradd”, the user still cannot log in, because the 2nd field of the /etc/shadow entry holds “!” (or “!!”), which locks the account. We set a password with the “passwd” command, which is used as given below:

            Usage    :           passwd USER_NAME

For eg.  :           passwd neelesh

Enter the password twice. Make sure the password is tough to crack.

 

New password:

Retype new password:

 

passwd: all authentication tokens updated
successfully.

 

After providing the password, the entry in “/etc/shadow” for that user changes:

neelesh:$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1:15121:0:99999:7:::

The second field now holds the password hash (not the clear-text password). The “$1$” prefix marks MD5-crypt, the default on the older CentOS/Red Hat release used here. MD5-crypt is fast to brute-force, so on a current system you want to see “$6$” (SHA-512 crypt) or “$y$” (yescrypt) instead, which “authconfig --passalgo=sha512 --update” or the ENCRYPT_METHOD setting in /etc/login.defs selects for newly set passwords.

 

c.            Group add:

At the same time, “useradd” adds entries to /etc/group and /etc/gshadow.

It adds a primary group for the user (the “user private group”) with the same name as the user and, as the /etc/passwd entry above shows, the same numeric id (GID 500 for UID 500).

In /etc/group it adds the line below:

neelesh:x:500:

 

 

 

Description of fields in “/etc/group”:

First field           :           Group name

Second field       :           Group password hash (not clear text)

                                    Note: When shadowing is enabled it always holds an “x”, which means the password, if any, is stored in the /etc/gshadow file

Third field         :           Group id, which is unique to every group

Fourth field       :           Comma-separated list of members for whom this is a supplementary group (users whose primary group this is are not listed here)

 

 

In /etc/gshadow it adds below line:

 

neelesh:!::

 

Description of fields in “/etc/gshadow”:

First field           :           Group name

Second field       :           Group password hash (not clear text)

                                    Note: “!” means no password is set, so only the listed members can switch to the group with newgrp

Third field         :           Comma-separated list of group administrators

Fourth field       :           Comma-separated list of group members
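As an added example (not code from the original article), the script below decodes the four files just described from constructed sample lines, turns the day counts stored in /etc/shadow into calendar dates, names the hash algorithm from its crypt(3) prefix and cross-checks that passwd, shadow, group and gshadow agree with each other. The sample entries, the field-name tuples, the prefix table and the wording of the findings are my own; only the file layouts come from the page.

```python
"""Decode and cross-check /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow.

Added example, not code from the original article.  Run it as root on the
real files with
    audit_text(*(open(p).read() for p in
                 ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow")))
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample data mirroring the entries shown in the article.
PASSWD = "neelesh:x:500:500::/home/neelesh:/bin/bash\n"
SHADOW = "neelesh:$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1:15121:0:99999:7:::\n"
GROUP = "neelesh:x:500:\n"
GSHADOW = "neelesh:!::\n"

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
GROUP_FIELDS = ("name", "passwd", "gid", "members")
GSHADOW_FIELDS = ("name", "hash", "admins", "members")

# crypt(3) prefix -> (algorithm name, still acceptable on a modern system)
HASH_PREFIXES = {
    "$1$": ("md5crypt", False),      # fast to brute-force; seen on old CentOS
    "$2b$": ("bcrypt", True),
    "$5$": ("sha256crypt", True),
    "$6$": ("sha512crypt", True),
    "$y$": ("yescrypt", True),
}


def parse(text, fields):
    """Split colon-separated lines into dicts keyed by the first field."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError("bad field count in %r" % line)
        out[parts[0]] = dict(zip(fields, parts))
    return out


def days_to_date(value):
    """Shadow stores dates as days since 1970-01-01; an empty field is unset."""
    return None if value == "" else EPOCH + timedelta(days=int(value))


def hash_info(field):
    """Classify a shadow/gshadow password field as (kind, acceptable)."""
    if field == "":
        return ("empty", False)              # no password at all
    if field.startswith("!") or field == "*":
        return ("locked", True)              # password login impossible
    for prefix, info in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return info
    return ("des-or-unknown", False)         # legacy 13-char DES or garbage


def audit(passwd, shadow, group, gshadow):
    """Cross-check the parsed files and return a list of findings."""
    findings = []
    gids = {g["gid"] for g in group.values()}
    for name, pw in passwd.items():
        if pw["passwd"] != "x":
            findings.append(f"{name}: passwd field is {pw['passwd']!r}, "
                            "so /etc/shadow is not consulted")
        if name not in shadow:
            findings.append(f"{name}: no /etc/shadow entry")
        if pw["gid"] not in gids:
            findings.append(f"{name}: primary gid {pw['gid']} not in /etc/group")
    for name, sp in shadow.items():
        kind, ok = hash_info(sp["hash"])
        if kind == "empty":
            findings.append(f"{name}: empty password field; logs in without "
                            "a password if pam_unix has nullok")
        elif not ok:
            findings.append(f"{name}: password hash is {kind}; "
                            "rehash with sha512crypt or yescrypt")
        if sp["lastchg"] == "0":
            findings.append(f"{name}: password change forced at next login")
        expire = days_to_date(sp["expire"])
        if expire is not None and expire <= date.today():
            findings.append(f"{name}: account expired on {expire}")
    for gname in group:
        if gname not in gshadow:
            findings.append(f"group {gname}: no /etc/gshadow entry")
    return findings


def audit_text(passwd_text, shadow_text, group_text, gshadow_text):
    """Convenience wrapper taking the raw file contents."""
    return audit(parse(passwd_text, PASSWD_FIELDS),
                 parse(shadow_text, SHADOW_FIELDS),
                 parse(group_text, GROUP_FIELDS),
                 parse(gshadow_text, GSHADOW_FIELDS))


if __name__ == "__main__":
    sp = parse(SHADOW, SHADOW_FIELDS)["neelesh"]
    print("password last changed:", days_to_date(sp["lastchg"]))
    for finding in audit_text(PASSWD, SHADOW, GROUP, GSHADOW):
        print("finding:", finding)
```

On the sample data the only finding is the MD5-crypt hash; the same check run over a real /etc/shadow is a quick way to spot accounts that were never rehashed after the system moved to SHA-512.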

Step 2: Home Directory & mailbox creation:

When a user gets added, “useradd” creates the user’s home directory and copies the files from “/etc/skel” into it.

“useradd” reads its defaults from “/etc/default/useradd”, an ASCII text file. On the CentOS system used here it has the entries below:

 

GROUP=100

HOME=/home

INACTIVE=-1

EXPIRE=

SHELL=/bin/bash

SKEL=/etc/skel

CREATE_MAIL_SPOOL=yes

 

Description of directives in “/etc/default/useradd”:

GROUP                        GID of the primary group used when no user private group is created (USERGROUPS_ENAB no in /etc/login.defs, or useradd -N). It is not a count of groups; 100 is the “users” group on CentOS.

HOME                          Directory under which the user’s home directory will be created

INACTIVE                    Number of days after the password expires before the account is disabled (the 7th field of /etc/shadow)

Note: “-1” disables this feature, i.e. the account is never disabled for password inactivity

EXPIRE                        Date on which the account should expire, given in the form YYYY-MM-DD (the 8th field of /etc/shadow); empty means never

SHELL                         Default login shell for the user

SKEL                           Directory from which the default user profile files are copied to the user’s home directory

CREATE_MAIL_SPOOL   Whether useradd should create the user’s mail spool file

 

The “useradd” binary also reads “/etc/login.defs”, which is also an ASCII text file and contains, among others, the entries below:

 

MAIL_DIR                      /var/spool/mail

PASS_MAX_DAYS 99999

PASS_MIN_DAYS             0

PASS_MIN_LEN               5

PASS_WARN_AGE           7

UID_MIN                        500

UID_MAX                       60000

GID_MIN                        500

GID_MAX                       60000

CREATE_HOME              yes

 

Please note that there are many entries in “/etc/login.defs”. Here I have mentioned the important ones.

 

Description of directives in “/etc/login.defs”:

MAIL_DIR                     Directory where the user’s mail spool will be created

PASS_MAX_DAYS           Maximum number of days for which a password stays valid (5th field of /etc/shadow for new users)

PASS_MIN_DAYS            Minimum number of days before a password can be changed again (4th field)

PASS_MIN_LEN             Minimum required length of a password. On a PAM-based system such as CentOS this value is ignored by passwd; length and quality are enforced by pam_cracklib/pam_pwquality in /etc/pam.d/system-auth instead.

PASS_WARN_AGE        Number of days before expiry on which the user is warned (6th field)

UID_MIN                     Minimum value for automatic user id selection

UID_MAX                    Maximum value for automatic user id selection

GID_MIN                     Minimum value for automatic group id selection

GID_MAX                    Maximum value for automatic group id selection

CREATE_HOME            Whether useradd should create home directories for new users

 

From MAIL_DIR in login.defs, “useradd” gets the directory in which it creates the “mailbox” for that particular user, provided CREATE_MAIL_SPOOL=yes is set in /etc/default/useradd.
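The following Python script is an added example, not code from the article or from shadow-utils: it reads constructed copies of the two configuration files shown above and works out the passwd, shadow, group and gshadow lines that useradd would append for a new user, including the UID/GID selection inside UID_MIN..UID_MAX and GID_MIN..GID_MAX (useradd prefers a GID equal to the UID for the private group when that GID is free). The USERGROUPS_ENAB line, the existing-account lines and the fixed “today” day count are assumptions I added so the result is reproducible; the real useradd additionally locks the files, copies SKEL and sets ownership.

```python
"""Derive the entries useradd would write from /etc/default/useradd and
/etc/login.defs.  Added example, not the original article's code."""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed copy of the /etc/default/useradd shown above
DEFAULT_USERADD = """\
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
"""

# Constructed copy of the /etc/login.defs values shown above, plus
# USERGROUPS_ENAB (yes = create a private group named after the user)
LOGIN_DEFS = """\
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
GID_MIN         500
GID_MAX         60000
CREATE_HOME     yes
USERGROUPS_ENAB yes
"""

# Constructed existing accounts ("users" is GID 100 on Red Hat systems)
EXISTING_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                   "neelesh:x:500:500::/home/neelesh:/bin/bash\n")
EXISTING_GROUP = "root:x:0:\nusers:x:100:\nneelesh:x:500:\n"


def parse_defaults(text):
    """KEY=VALUE lines of /etc/default/useradd; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_login_defs(text):
    """KEY VALUE lines of /etc/login.defs; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf


def next_free_id(used, lo, hi, preferred=None):
    """First unused id in [lo, hi], taking 'preferred' if it is free."""
    if preferred is not None and lo <= preferred <= hi and preferred not in used:
        return preferred
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free id between %d and %d" % (lo, hi))


def plan_useradd(name, defaults_text, login_defs_text, passwd_text, group_text, today):
    """Return a dict of the lines and paths 'useradd NAME' would produce;
    'today' is the current day count since the epoch (3rd shadow field)."""
    d = parse_defaults(defaults_text)
    ld = parse_login_defs(login_defs_text)
    used_uids = {int(l.split(":")[2]) for l in passwd_text.splitlines() if l}
    used_gids = {int(l.split(":")[2]) for l in group_text.splitlines() if l}
    uid = next_free_id(used_uids, int(ld["UID_MIN"]), int(ld["UID_MAX"]))
    plan = {}
    if ld.get("USERGROUPS_ENAB", "no") == "yes":
        gid = next_free_id(used_gids, int(ld["GID_MIN"]), int(ld["GID_MAX"]), preferred=uid)
        plan["group"] = f"{name}:x:{gid}:"
        plan["gshadow"] = f"{name}:!::"
    else:
        gid = int(d["GROUP"])          # fallback primary group; must already exist
        if gid not in used_gids:
            raise RuntimeError("GROUP=%d from /etc/default/useradd does not exist" % gid)
    home = f"{d['HOME']}/{name}"
    plan["passwd"] = f"{name}:x:{uid}:{gid}::{home}:{d['SHELL']}"
    # shadow: '!!' locks the account until passwd(1) stores a hash; INACTIVE=-1
    # and an empty EXPIRE both become empty fields, as in the entry above
    inactive = "" if d["INACTIVE"] == "-1" else d["INACTIVE"]
    expire = str((date.fromisoformat(d["EXPIRE"]) - EPOCH).days) if d["EXPIRE"] else ""
    plan["shadow"] = (f"{name}:!!:{today}:{ld['PASS_MIN_DAYS']}:{ld['PASS_MAX_DAYS']}:"
                      f"{ld['PASS_WARN_AGE']}:{inactive}:{expire}:")
    plan["home"] = home if ld.get("CREATE_HOME") == "yes" else None
    plan["mail_spool"] = (f"{ld['MAIL_DIR']}/{name}"
                          if d.get("CREATE_MAIL_SPOOL") == "yes" else None)
    return plan


if __name__ == "__main__":
    result = plan_useradd("raj", DEFAULT_USERADD, LOGIN_DEFS,
                          EXISTING_PASSWD, EXISTING_GROUP, today=15121)
    for key, value in result.items():
        print(f"{key:11}{value}")
```

Switching USERGROUPS_ENAB to “no” makes the script fall back to GROUP=100 from /etc/default/useradd and skip the group/gshadow lines, which is the difference between the two meanings of GROUP that are easy to confuse.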

 

 

II.     Delete User:

To delete a user’s account from the system but keep the home directory and mailbox, we use the command below. Note that this is not a temporary suspension: the entries in /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow are gone, and the files left behind are still owned by the old UID, so a later user who is assigned that UID inherits them. To suspend a user temporarily, lock the password instead with “passwd -l USER_NAME” (and “passwd -u USER_NAME” to unlock).

Usage    :           userdel USER_NAME

For eg.  :           userdel neelesh

To delete a user’s account together with the home directory and mail spool, i.e. to permanently delete all the user’s details from the system, we use the command

Usage    :           userdel -r USER_NAME

For eg   :           userdel -r neelesh

====================================================================

Miscellaneous Stuff related to User Management

 

1.    Overriding
default settings while adding user

a.   
Specify home directory path while adding
user:

$ adduser -d /mnt/home/neelesh neelesh

 

b.   Specify login shell while adding user:

$ adduser -s /bin/csh neelesh

 

c.    Specify primary group while adding user (the group must already exist):

$ adduser -g users neelesh

 

 

2.    Modifying settings of an already added user with the “usermod” command

a.   
Changing home directory

$ usermod -d /mnt/home/neelesh neelesh

 

b.   
Changing login shell

$ usermod -s /bin/csh neelesh

 

c.    
Changing primary group

$ usermod -g users neelesh

 

3.    Playing around with users

a.   Forcing a password change (changing the password age)

$ chage -d 0 raj

The 3rd field of “/etc/shadow” is the number of days since Jan 1, 1970 that the password was last changed.

We make it 0, which tells PAM the password was last changed on Jan 1, 1970 and hence has expired, so raj will be forced to change it at the next login.

Note the “!!” in the entry below: it is there because raj was created with useradd and never given a password, so the account is still locked. chage does not touch the 2nd field.

 

$ grep raj /etc/shadow

raj:!!:0:0:99999:7:::

 

b.   
Test the password status:

$ passwd -S raj

Password locked.

 

User raj cannot login yet.

 

c.    Unlock the password, forcefully

$ passwd -uf raj

Unlocking password for user raj.

passwd: Success.

This changes the ‘!!’ to an empty field. Without “-f”, passwd refuses to unlock, because the result would be an account with no password at all; the login below only works because pam_unix is configured with “nullok”.

 

 

Now log in as user “raj”

You are required to change your password immediately
(root enforced)

 

New password:

 

Just what you wanted!

 

Note : When you log in, pam_unix first checks the account expiry date (8th field), then whether the 3rd field is 0, which forces the password change immediately, and only after that whether the password has aged past PASS_MAX_DAYS (5th field). That is why the 0 takes effect even though 99999 days have not passed.

 

====================================================================

Try some Hacks

 

/etc/passwd hacks

===================

  
Create a user amar with some password

01 Comment amar line in /etc/passwd

02 Change x to * in 2nd field of
/etc/passwd

03 Change the shell of amar in /etc/passwd

    # chsh -s /sbin/nologin amar

04 Blank the 2nd field of /etc/passwd for
amar

05 Create file /etc/nologin

06 Comment all tty in /etc/securetty

07 chmod o+w /etc/securetty

08 Delete file /etc/securetty

 

/etc/shadow
hacks

=================

09. Comment amar line in /etc/shadow

10. Put a 0 in 8th field of /etc/shadow for
amar [disabled]

11. Remove the entire passwd entry in 2nd
field of /etc/shadow for amar

12. Change to 0 the 3rd field of
/etc/shadow for amar

 

  
Create a user vijay and DO NOT give it a password (its 2nd field in /etc/shadow stays “!!”)

13. Change to 0 the 3rd field of /etc/shadow for vijay – Illogical!!

14. Blank the 2nd field of /etc/shadow for vijay

15. Blank the 2nd field of /etc/shadow for vijay AND make the 3rd field 0 [expire]

 

 

 

 

 

 

Answers

=======

1. amar cannot login

2. amar cannot login [disabled: “*” is not a valid hash, and /etc/shadow is no longer consulted]

3. amar cannot login [/sbin/nologin prints a refusal and exits]

4. amar can login w/o passwd [only because pam_unix has “nullok”; audit for empty 2nd fields]

5. No user can login – although root can [pam_nologin exempts uid 0]

6. root cannot login on the console [pam_securetty finds no permitted tty]

7. root cannot login [pam_securetty refuses to use a world-writable /etc/securetty]

8. root CAN login [with no /etc/securetty, every tty is treated as secure]

 

/etc/shadow hacks

=================

09. amar cannot login [passwd says “x”, but there is no shadow entry to check]

10. amar cannot login – disabled [an account expiry date of 0 is in the past]

11. amar can login w/o password [again only with “nullok”]

12. Asks for current pwd and then asks for a pwd change [last-change day 0 forces the change]

13. No point in doing this !! [vijay’s 2nd field is “!!”, so the account stays locked regardless of aging]

14. vijay can login w/o a pwd

15. vijay logs in w/o a pwd and is immediately asked to set a new one [the same state as the raj example above]
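To check the answers above without editing a live system, here is an added Python example (not code from the article) that re-implements, on constructed copies of amar’s entries, the order in which login(1), pam_nologin and pam_unix look at the fields. It assumes the CentOS PAM stack with pam_unix’s “nullok” option (the nullok flag below), which is what lets an empty password field log in; hacks 06 to 08 (/etc/securetty) are not modelled because they depend on the tty in use. The root shadow line is constructed, and the same function reproduces the raj example from section 3 (empty password plus last-change day 0).

```python
"""Re-play the /etc/passwd and /etc/shadow hacks on constructed entries.
Added example, not the original article's code."""

TODAY = 15121          # constructed day count matching the entries above
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "amar:x:501:501::/home/amar:/bin/bash\n")
SHADOW = ("root:$6$constructed$notarealhash:15121:0:99999:7:::\n"
          "amar:$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1:15121:0:99999:7:::\n")


def _entry(text, user):
    """Fields of USER's line, or None.  A line 'commented out' with '#'
    simply names a different (bogus) user, so it is not found."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None


def evaluate_login(user, passwd_text, shadow_text, today=TODAY,
                   nullok=True, nologin_exists=False):
    """Return a verdict string saying why USER can or cannot log in."""
    pw = _entry(passwd_text, user)
    if pw is None:
        return "cannot login: no passwd entry"
    # pam_nologin: /etc/nologin stops everyone except uid 0
    if nologin_exists and pw[2] != "0":
        return "cannot login: /etc/nologin present (root exempt)"
    # pam_unix auth: 'x' means consult /etc/shadow, anything else is the hash
    secret, sp = pw[1], None
    if secret == "x":
        sp = _entry(shadow_text, user)
        if sp is None:
            return "cannot login: no shadow entry"
        secret = sp[1]
    if secret == "":
        if not nullok:
            return "cannot login: empty password without nullok"
        verdict = "login without password"
    elif secret.startswith("!") or secret == "*":
        return "cannot login: password locked (%s)" % secret
    else:
        verdict = "login with password"
    # pam_unix account (shadow only): expiry date first, then lastchg == 0,
    # then the PASS_MAX_DAYS window
    if sp is not None:
        expire, lastchg, max_days = sp[7], int(sp[2]), sp[4]
        if expire != "" and today >= int(expire):
            return "cannot login: account expired"
        if lastchg == 0:
            verdict += ", then forced password change"
        elif max_days != "" and today - lastchg > int(max_days):
            verdict += ", then forced password change (max days exceeded)"
    # login(1) finally execs the shell; /sbin/nologin just prints a refusal
    if pw[6] in ("/sbin/nologin", "/bin/false"):
        return "cannot login: shell is %s" % pw[6]
    return verdict


def quiz():
    """Verdicts for hacks 01-05 and 09-15 applied to the sample entries."""
    empty_pw = PASSWD.replace("amar:x:", "amar::")
    blank_hash = SHADOW.replace("$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1", "")
    cases = {
        "01 comment passwd line": ("amar", PASSWD.replace("amar:", "#amar:"), SHADOW, {}),
        "02 x -> *": ("amar", PASSWD.replace("amar:x:", "amar:*:"), SHADOW, {}),
        "03 shell /sbin/nologin": ("amar", PASSWD.replace("/home/amar:/bin/bash",
                                   "/home/amar:/sbin/nologin"), SHADOW, {}),
        "04 blank passwd field": ("amar", empty_pw, SHADOW, {}),
        "05 /etc/nologin (amar)": ("amar", PASSWD, SHADOW, {"nologin_exists": True}),
        "05 /etc/nologin (root)": ("root", PASSWD, SHADOW, {"nologin_exists": True}),
        "09 comment shadow line": ("amar", PASSWD, SHADOW.replace("amar:", "#amar:"), {}),
        "10 expire field = 0": ("amar", PASSWD, SHADOW.replace("7:::", "7::0:"), {}),
        "11 blank shadow hash": ("amar", PASSWD, blank_hash, {}),
        "12 lastchg = 0": ("amar", PASSWD, SHADOW.replace(":15121:", ":0:"), {}),
        "15 blank hash + lastchg 0": ("amar", PASSWD, blank_hash.replace(":15121:", ":0:"), {}),
    }
    return {k: evaluate_login(u, p, s, **kw) for k, (u, p, s, kw) in cases.items()}


if __name__ == "__main__":
    for case, verdict in quiz().items():
        print(f"{case:28} {verdict}")
```

Running it with nullok=False turns cases 04, 11 and 15 into refusals, which is the single PAM change that closes the “blank the 2nd field” hole.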


By Neelesh Gurjar

Leave a Reply