LPI Linux Essentials Objective 5.2 – Creating Users and Groups

By | 2020-11-11
0 Comment

Linux Essentials Objective 5.2 is about creating users and groups. How you go about this depends on your system, but this section is written with the assumption that you are using local files. Just be aware that some systems can use things like Hesiod or LDAP to store login information. This topic can get pretty deep. I am only scratching the surface here.

The /etc/passwd File

The /etc/passwd file stores information about users. Most systems ship with a man page that explains it. To view the man page, use this command:

$ man 5 passwd

/etc/passwd is broken up into seven fields delimited by :. These fields, in order are:

  1. Username
  2. Encrypted password. Although the vast majority of systems use shadow passwords and populate this field with x. In this case, passwords are actually stored in /etc/shadow.
  3. The numerical user ID (UID). This is how the user is represented internally. E.g. it is how filesystems refer to file owners, the kernel uses the UID when it stores process information.
  4. The group ID (GID). Every user has at least one group. Like users, groups have an associated numerical GID used by the system.
  5. A comment field. Usually this is a user’s real name or a system account’s purpose.
  6. The user’s home directory.
  7. The user’s shell. Sometimes system accounts have this set to /bin/false or similar to prevent anyone from being able to obtain an interactive session.

Here are a few lines from my /etc/passwd file:

ntp:x:116:125::/home/ntp:/bin/false
openldap:x:132:142:OpenLDAP Server Account:/var/lib/ldap:/bin/false
tyler:x:1000:1000::/home/tyler:/bin/bash

Linux systems have a UID and GID range that is reserved for system accounts. On most systems, this any UID, or GID less than 1000. It is possible to create accounts in this range, but I don’t recommend this. Some systems login processes are configured to handle system accounts differently.

The /etc/group File

/etc/group is similar to /etc/passwd. For the most part, it is self explanatory. Like /etc/passwd, it is : delimited. The most important thing to remember is the member list in the last field is , delimited.

For the sake of completeness, here are the fields, in order:

  1. The name of the group
  2. The encrypted group password. On most systems, this will always be an x, as the actual passwords will be stored in /etc/gshadow. Group passwords are rarely used in practice.
  3. The numeric GID.
  4. A list of group members. Just because this is empty, doesn’t mean there are no members. Make sure to check /etc/passwd for users that have it is their primary group. Remember this field is , delimited.

Here is a sample of my /etc/group:

scanner:x:105:saned,tyler
messagebus:x:106:
colord:x:107:

There is a man page available for this file on most systems:

$ man 5 group

The /etc/shadow File

Password hashes and aging information are stored in /etc/shadow. Like the other files covered so far, the /etc/shadow file has a man page:

$ man 5 shadow

As with other user account related files, it is : delimited. The fields, in order from left to right, are as follows:

  1. The username of the user the line applies to.
  2. The password hash or status
  3. When the password was last changed. It is stored as the number of days since 1970 January 1.
  4. How many days a user must wait after changing a password before they are allowed to change it again. If it is empty or 0, they can change it at any time.
  5. The password expiration in days since the last change. If the user has had the same password for this many days or more, they will be required to change their password the next time they login. If it is 0 or empty, the password will never expire.
  6. How many days before a password expires that a user should be warned. 0 or empty means no warnings will be given.
  7. How many days an account can remain inactive after the password expires before being locked out. E.g. if this is 5, a user will no longer be able to login if it has been 5 or may days since their password has expired. Like the other fields a 0 or no entry means an inactive account will never be locked.
  8. The number of days since 1970 January 1 that an account remains valid. Once this date is reached, a user won’t be allowed to login, regardless of password expiration status.
  9. Unused.

Memorizing all of these fields to use on the job isn’t so important as the aginig options will likely be set by defaults. At least know the expiration fields.

The /etc/gshadow File

The /etc/gshadow has a role similar to the /etc/shadow file. It allows administrators to set a password for accessing a group instead of requiring users to be explicitly added. I.e. a user can obtain access to the group if they can provide the password. As with other account related files, it is : delimited. Although group passwords are something I have never seen in practice, it is something you should be aware of. The file has the following fields:

  1. The name of the group. It must be in /etc/group.
  2. The encrypted password. Group passwords are rarely used, so this is usually !, *, or empty. Anything except a valid encrypted password means a password cannot be used to access the group.
  3. A , delimited list of administrators. Administrators can change the password, add members to the group, and remove members from the group.
  4. Users who can access the group without a password. This should be the same as those listed in /etc/group.

To view the man page:

$ man 5 gshadow

The /etc/skel Directory

Files in this directory can be, but aren’t always by default, automatically copied to a user’s home directory when their account is first created. Typically you will find default per user configuration files for things like shells and editors in here.

The useradd Command

The useradd command is used to create new accounts on a Linux system. It has many options, but it only requires the username of the user you wish to create. The default behavior can be modified by editing /etc/default/useradd and /etc/login.defs. Some common options and their usage are in the table below:

Option Description
-G A , separated list of supplementary groups to add a user to. Either group names or numeric group IDs can be used.
-d Allows you to specify the home directory of the new user.
-g Sets the user’s primary group. Either group names or numeric group IDs can be used.
-m Creates a user’s home directory and copies the contents of /etc/skel to it. The default is to not do this, but the default can be configured in /etc/login.defs.
-s Sets the user’s login shell. The default shell is configured in /etc/default/useradd. If no default is configured the password field in /etc/passwd is left blank. If a user logs in and the shell field is blank, the system defaults to /bin/sh.
-u This options sets the numeric ID of the user. By default, it increments the smaller value of the minimum configured value of UID_MIN from /etc/login.defs and the user with the biggest UID that is also less than UID_MAX from /etc/login.defs.

For more details and more options, consult the man page. 

$ man 5 useradd

Here is an example where all options from the table are used:

# useradd -g adm -G 5,24,27,105 -m -d /admins/tyler -s /bin/zsh -u 60004 tyler

In the example, I create a new user called tyler. It has a default group of 5 and supplementary groups of tty, cdrom, sudo, and scanner. While this is different from what appears in the command, I looked up the GIDs and names from the /etc/group file to show that the GIDs and names are interchangeable with groupadd. The home directory is set to /admins/tyler, which will be created and filled with the contents of /etc/skel. The shell is set to /bin/zsh. Finally, the UID was manually set to 60004.

Sometimes useradd automatically creates a group with the same name as the user. If automatic group creation is not enabled in /etc/login.defs and no default group is configured in /etc/default/useradd, then a GID of 100 is used.

The groupadd Command

The groupadd command is used to create new groups. As with useradd, the only requirement is the name of the group. It doesn’t have as many options or defaults as useradd. Use the -g option to specify a specific GID.

Here are a few examples:

# groupadd admin
groupadd -g 2000 developer

The groupadd man page

$ man groupadd

The passwd Command

The passwd command changes passwords, locks accounts, unlocks accounts, and modify aging rules. To change the password of the user you are logged in as, simply run passwd by itself. If you are the root user, you can set another user’s password by specifying the user on the command line. When you are root, passwd won’t prompt you for the current password.

$ passwd
Changing password for tyler.
Current password: 
New password: 
Retype new password: 
passwd: password updated successfully
# passwd tyler
New password: 
Retype new password: 
passwd: password updated successfully

For information about passwd options consult the man page:

$ man passwd

Preparation

To prepare for the exam, skim through the man pages and files referenced. Get on a Linux system and play around with the files and commands shown. Once you get comfortable enough with the material covered where you can perform the tasks below, you are probably ready for this exam objective.

  • Resetting a user’s password.
  • Creating a system account with a specific UID and GID for a server application.
  • Setting and troubleshooting password aging on a users account.
  • Adding users to supplementary groups.
  • Creating a new group with a specific GID.
  • Reading the /etc/passwd, /etc/group, and /etc/shadow files without looking at the man pages.

References