DevOps / Sys Admin Q & A #24 : Linux User Account Management
Let's look at /etc/passwd:
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
syslog:x:104:108::/home/syslog:/bin/false
k:x:1000:1000:K Hong,,,:/home/k:/bin/bash
...
kafka:x:1002:1002::/home/kafka:
The /etc/passwd file is a colon-separated file that contains the following information:
- User name.
- Encrypted password.
- User ID number (UID).
- User's group ID number (GID).
- Full name of the user.
- User home directory.
- Login shell.
Note that the password is stored as a single "x" character (i.e. it is not actually stored in this file); the actual password data is stored in a file called /etc/shadow.
The /etc/shadow file contains the encrypted password as well as other information such as account or password expiration values. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.
# cat /etc/shadow
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
k:$6$Sguv0Sl...V5HkJo/:17059:0:99999:7:::
...
logstash:!:17212::::::
kibana:!:17215::::::
elasticsearch:*:17217:0:99999:7:::
kafka:!:17235:0:99999:7:::
Note that this /etc/shadow file, unlike the /etc/passwd, is not readable by unprivileged users.
If the password field contains some string that is not a valid result of crypt, for instance ! or *, the user will not be able to use a unix password to log in.
The /etc/group file stores group information: it defines the user groups and which users belong to each.
# head -5 /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,k
- Group_name: The name of the group.
- Password: Generally a group password is not used, so this field is empty; it can store an encrypted password.
- Group ID (GID): The numeric ID of the group. Each user must be assigned a group ID.
- Group List: A comma-separated list of users who are members of the group.
Users can be created using a useradd command:
# useradd -m -d /home/testuser -s /bin/bash testuser
Here we defined the user's home directory, the login shell, and the username.
# tail /etc/passwd
...
kafka:x:1002:1002::/home/kafka:
testuser:x:1003:1003::/home/testuser:/bin/bash
We can see the user and group ids have been auto incremented from the previous user.
# tail /etc/shadow
...
testuser:!:17254:0:99999:7:::
Note that we cannot login (see the '!' in password column).
So, we need to set a password:
# passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Then, let's look into the shadow file again:
# tail /etc/shadow
...
testuser:$6$SY5Idvn1$oM0D3MDRlDnSJ7oSekayG3Dj9jGtQnIAVzqFy1lGZqJVWTLp8m81acIiunfFqgnlTvc/eGTBUWIqGw4WoIe4L/:17255:0:99999:7:::
Now, we see that the password has been set.
But we can lock it using usermod -L:
# usermod -L testuser
# tail /etc/shadow
...
testuser:!$6$SY5Idvn1$oM0D3MDRlDnSJ7oSekayG3Dj9jGtQnIAVzqFy1lGZqJVWTLp8m81acIiunfFqgnlTvc/eGTBUWIqGw4WoIe4L/:17255:0:99999:7:::
We can unlock:
# usermod -U testuser
The lock/unlock can also be done with passwd:
# grep testuser /etc/shadow
testuser:$6$ynuBla7u$.34OeavRiWPS.7sF3/UZPlw7i21Rj94SCqfBa5ZbxitAJUGI0p12gnHUw/lNIWI1nUN0V9WWTalADI6MLBpu8/:18483:0:99999:7:::
Lock the account:
# passwd -l testuser
Locking password for user testuser.
passwd: Success
# grep testuser /etc/shadow
testuser:!!$6$ynuBla7u$.34OeavRiWPS.7sF3/UZPlw7i21Rj94SCqfBa5ZbxitAJUGI0p12gnHUw/lNIWI1nUN0V9WWTalADI6MLBpu8/:18483:0:99999:7:::
Unlock the account:
# passwd -u testuser
Unlocking password for user testuser.
passwd: Success
# grep testuser /etc/shadow
testuser:$6$ynuBla7u$.34OeavRiWPS.7sF3/UZPlw7i21Rj94SCqfBa5ZbxitAJUGI0p12gnHUw/lNIWI1nUN0V9WWTalADI6MLBpu8/:18483:0:99999:7:::
Let's check what's in the home directory:
# ls /home/testuser
examples.desktop
Note that the "examples.desktop" came from /etc/skel:
# ls /etc/skel
examples.desktop
We can also see that the ownership of the new home directory has been set to "testuser", and that a matching group was created:
# ls -l /home
drwxr-xr-x 86 k        k        4096 Mar 27 22:04 k
drwxr-xr-x  2 testuser testuser 4096 Mar 29 16:57 testuser
# grep testuser /etc/group
testuser:x:1003:
To delete a user, we can use userdel command:
# userdel testuser
At this point, the user has been removed from the three files: '/etc/passwd', '/etc/shadow', and '/etc/group'. However, we still need to delete the user's home directory:
# rm -rf /home/testuser
The chage command changes the number of days between password changes and the date of the last password change.
This information is used by the system to determine when a user must change his/her password.
# chage testuser
Changing the aging information for testuser
Enter the new value, or press ENTER for the default
	Minimum Password Age [0]: 7
	Maximum Password Age [99999]: 90
	Last Password Change (YYYY-MM-DD) [2020-08-09]:
	Password Expiration Warning [7]:
	Password Inactive [-1]:
	Account Expiration Date (YYYY-MM-DD) [-1]:
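The shadow-field rules above (the "!" and "*" markers, the "!" and "!!" prefixes that usermod -L and passwd -l write in front of a valid hash, and the aging fields that chage edits) can be checked programmatically. The following is an added example, not code from the original page: it parses constructed sample shadow lines (shortened placeholder hashes, not real crypt output), decodes the day counts into dates, and flags accounts with no hash or with a set password that never expires.

```python
import datetime

# Constructed sample /etc/shadow lines (not taken from a real system). Field
# layout follows the page: name:password:lastchg:min:max:warn:inactive:expire:
# and the hashes are shortened placeholders, not real crypt output.
SAMPLE_SHADOW = """\
root:$6$salt$PLACEHOLDERHASH:17059:0:99999:7:::
testuser:!$6$SY5Idvn1$PLACEHOLDERHASH:17255:0:99999:7:::
svc:!!$6$ynuBla7u$PLACEHOLDERHASH:18483:0:99999:7:::
kafka:!:17235:0:99999:7:::
elasticsearch:*:17217:0:99999:7:::
ops:$6$salt$PLACEHOLDERHASH:18483:7:90:7:::
nopass::18500:0:99999:7:::
"""
EPOCH = datetime.date(1970, 1, 1)   # lastchg is counted in days from here


def password_status(field):
    """Classify the password field the way the page describes login treating it."""
    if field == "":
        return "empty"        # no hash at all: flag for review
    if field.startswith("!") and field.lstrip("!").startswith("$"):
        return "locked"       # usermod -L / passwd -l prefixed a valid hash with ! or !!
    if field.startswith("$"):
        return "set"          # a crypt(3) hash: password login is possible
    return "no-password"      # "!" or "*": not a crypt result, so no unix password login


def parse_shadow(text):
    """Return {name: info} with the status and decoded aging dates for each line."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg, minage, maxage = line.split(":")[:5]
        info = {"status": password_status(pw), "last_change": None,
                "expires": None, "min_days": int(minage or 0)}
        if lastchg:
            last = EPOCH + datetime.timedelta(days=int(lastchg))
            info["last_change"] = last.isoformat()
            # 99999 is the useradd default and effectively means "never expires".
            if maxage and int(maxage) < 99999:
                info["expires"] = (last + datetime.timedelta(days=int(maxage))).isoformat()
        users[name] = info
    return users


def audit(text):
    """Accounts a reviewer should look at: no hash, or a set password that never expires."""
    return sorted(name for name, info in parse_shadow(text).items()
                  if info["status"] == "empty"
                  or (info["status"] == "set" and info["expires"] is None))
```

The day count 18483 decodes to 2020-08-09, the same date chage shows above for the last password change.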
The list of groups for "testuser":
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser)
Let's add "sales" group to "testuser":
# groupadd sales
# usermod -aG sales testuser
# id testuser
uid=1001(testuser) gid=1001(testuser) groups=1001(testuser),1002(sales)
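As an added example (not from the original page), the parser below reads constructed /etc/passwd and /etc/group samples modelled on the listings above, reproduces what id prints from the two files, and lists the accounts a reviewer would flag: any UID 0 account besides root, and accounts whose login shell permits logging in. The "extra" account and the NOLOGIN_SHELLS set are assumptions made for the example.

```python
# Constructed sample /etc/passwd and /etc/group content modelled on the page's
# listings (not a real system); "extra" is an invented second UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
k:x:1000:1000:K Hong,,,:/home/k:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash
extra:x:0:0::/tmp:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,k
k:x:1000:
testuser:x:1001:
sales:x:1002:testuser
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """name -> uid, gid, shell, following the seven colon-separated passwd fields."""
    users = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    """name -> gid and member list, following the four group fields."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups

def id_of(name, users, groups):
    """Reproduce the output of `id NAME` from the two parsed files."""
    u = users[name]
    by_gid = {g["gid"]: gname for gname, g in groups.items()}
    extra = sorted(g["gid"] for g in groups.values() if name in g["members"] and g["gid"] != u["gid"])
    show = lambda gid: f"{gid}({by_gid[gid]})" if gid in by_gid else str(gid)
    return (f"uid={u['uid']}({name}) gid={show(u['gid'])} "
            f"groups={','.join(show(g) for g in [u['gid']] + extra)}")

def superuser_accounts(users):
    """Every UID 0 account is root-equivalent, whatever it is called."""
    return sorted(n for n, u in users.items() if u["uid"] == 0 and n != "root")

def interactive_accounts(users):
    """Accounts whose login shell actually allows a login."""
    return sorted(n for n, u in users.items() if u["shell"] not in NOLOGIN_SHELLS)
```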