Linux user and group management: useradd, usermod, userdel, and removing a user from a group

UNIX-like operating systems are multi-user. Users and the groups they belong to are used to control access to system files, directories and peripherals. By default, Linux offers relatively simple access control mechanisms. These can be extended with LDAP and ACLs, but in this topic we look at the standard access controls.

Users and Groups in Linux

Users:


User - anyone who uses the computer. Each user is assigned a name, and the name must be unique on the system (Linux has reserved names such as "root", "hal" and "adm"). The name can consist of letters of the English alphabet, Arabic numerals, the underscore "_" and the dot ".".

Root (from the English word root; pronounced "root"), the superuser, is the account in UNIX-like operating systems with identifier (UID) 0; the owner of this account has the right to perform any operation. For security reasons, working as the superuser root day to day is not recommended.

In addition to the system name, the system can also record the full name of the real user. For example, the user newuser might correspond in real life to a man named John Smith. This information lets the system administrator better control and identify users, especially when there are hundreds or even thousands of users on the system.

For each user, a home directory is created. The user lands in this directory after logging in, and the user's personal files and folders are stored in it. All user directories are collected in one place, usually /home.

The user is also assigned a command shell (the command interpreter used on UNIX-family operating systems), for example /bin/bash, /bin/zsh or /bin/sh. On many Linux distributions users are given the bash shell by default.

Each user is assigned an identification number (User ID), abbreviated UID, which is a unique user identifier. The operating system tracks the user by UID, not by name.

Each user is also assigned a password to log into the system. The password is stored in encrypted form. To create and change a password, use the passwd command. The system administrator can assign a password or allow the user to set one at first login.

Each user belongs to at least one group.

Groups:

To differentiate rights in Linux there are, in addition to users, groups. Just like a user, a group has access rights to certain directories, files and peripherals (the system has reserved groups). For each file not only an owning user but also a group is defined. Groups bring users together so that they share the same permissions to do something.

Each group is assigned an identification number (group ID), abbreviated GID, which is a unique group identifier. A user's group membership is determined by the administrator.

View users

All the information above is stored in the /etc/passwd file. To view the list of users, enter the command:

# cat /etc/passwd

Each account occupies one line. The output could be as follows:

root:xD928Jhs7sH32:0:0:root:/root:/bin/bash
newuser:Xv8Q981g71oKK:1000:100:John Smith:/home/newuser:/bin/bash

This line has the following format:

Account:password:UID:GID:GECOS:directory:shell

  • Account - username
  • password - encrypted user password
  • UID - user identification number
  • GID - identification number of the user's primary group
  • GECOS - optional field for additional information about the user (for example, the full name)
  • directory - the user's home directory ($HOME)
  • shell - the user's shell (usually /bin/sh)

To view the list of users currently logged into the system, there is the who command.

The output could be as follows:

newuser pts/0 2013-11-13 14:19 (:0)

Creating, managing and deleting users

When a new user is created, a sequence of actions is performed. First, an entry is created in the /etc/passwd file, where the user is assigned a unique name, UID, GID and other information. The UID must be greater than 1000 and the GID greater than 100, because the system reserves the small values for its own needs. A home directory is also created, permissions are set, shell initialization files are placed in it and configuration files are modified.

To avoid entering this information manually, there is a useradd (or adduser) program. The settings for this program are stored in the file /etc/default/useradd.

# cat /etc/default/useradd

The output is as follows:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

You can change the default settings here, for example the directory for users from /home to /home/user, or the interpreter from /bin/bash to /bin/sh.

To create a new user, use the useradd command:

# useradd -m -g users -G audio,lp,optical,storage,video,wheel,games,power,scanner -s /bin/bash newuser

Explanation:

# useradd -m -g [main group] -G [list of additional groups] -s [shell] [username]

  • -m - creates a home directory, such as /home/[username].
  • -g - name or number of the user's primary group.
  • -G - list of additional groups the user belongs to.
  • -s - the user's command shell.

For more detailed information, use the manual:

# man useradd

With the chfn command you can enter or change user account information (full name, work phone number, office, etc.) for a given user (username - the user's name).

# chfn [-f full-name][-o office][-p work-phone][-h home-phone][-u][-v]

To set the password, use the passwd command:

If we want to force the user to change the password at first login, we use the chage command:

# chage -d 0 [username]

You can read more about the chage command in the manual:

# man chage

To delete a user, there is the userdel command:

# userdel -r [username]

The -r parameter deletes the home directory and mailbox together with the user.

Group management

To view all groups on the system and which users belong to them, enter:

# cat /etc/group

The /etc/group file defines the groups on the system. To see which groups a user is in, type:

# groups

The id command shows more detailed information:

# id

To create a new group:

# groupadd [groupname]

To add a user to a group:

# gpasswd -a [username] [groupname]

To remove a user from a group:

# gpasswd -d [username] [groupname]

And to delete a group, enter:

# groupdel [groupname]
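An added example (not from the original article) of what the groups and id commands compute from these files: a POSIX shell/awk function that resolves a user's primary group from a passwd file and supplementary groups from a group file, and a second function that lists a group's effective members. Both files are constructed samples; the second function matters when auditing privileged groups such as wheel, because the member list in /etc/group omits users whose primary GID is that group.

```shell
#!/bin/sh
# Added example: resolve group membership the way id/groups do. Sample files are constructed.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
newuser:x:1000:100:John Smith:/home/newuser:/bin/bash
test123:x:1001:1001:Test Test:/home/test123:/bin/sh
ops:x:1002:10:Ops Account:/home/ops:/bin/bash'

# name:password:GID:member-list; "ops" has wheel as primary group, so wheel lists only newuser
GROUP_SAMPLE='root:x:0:
wheel:x:10:newuser
users:x:100:
audio:x:29:newuser,test123
test123:x:1001:'

write_samples() {   # $1 = directory to write the constructed files into
  printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
  printf '%s\n' "$GROUP_SAMPLE" > "$1/group"
}

# id_line USER PASSWD GROUP -> "uid=<n>(<user>) gid=<n>(<grp>) groups=<n>(<grp>),..."
id_line() {
  awk -F: -v user="$1" '
    NR == FNR {                                  # first file: passwd
      if ($1 == user) { uid = $3; gid = $4 }
      next
    }
    {                                            # second file: group
      gname[$3] = $1
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == user) sgid[++k] = $3
    }
    END {
      if (uid == "") { print "no such user: " user; exit 1 }
      out = gid "(" gname[gid] ")"               # primary group always comes first
      for (i = 1; i <= k; i++) if (sgid[i] != gid) out = out "," sgid[i] "(" gname[sgid[i]] ")"
      print "uid=" uid "(" user ") gid=" gid "(" gname[gid] ") groups=" out
    }' "$2" "$3"
}

# members_of GROUP PASSWD GROUP_FILE -> sorted member names, one per line, including
# users whose primary GID is this group (they never appear in the last field of /etc/group)
members_of() {
  awk -F: -v g="$1" '
    NR == FNR {                                  # first file: group
      if ($1 == g) { gid = $3; n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
      next
    }
    gid != "" && $4 == gid { print $1 }          # second file: passwd, primary-group members
  ' "$3" "$2" | sort -u
}

# Demo on the constructed files; on a real host pass /etc/passwd and /etc/group instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
id_line newuser "$demo_dir/passwd" "$demo_dir/group"
members_of wheel "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```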

That is basically it; the most basic things have been outlined.

There are times when you need to find out which users are registered on a Linux system. This may be necessary to determine whether there are redundant users, whether a particular user is still needed, or which group a user belongs to when changing their personal data.

People who use this system constantly can do this in a number of ways, but for beginners it is quite a problem. The instructions below will therefore help an inexperienced user cope with the task. This can be done using the built-in terminal or one of several programs with a graphical interface.

Method 1: Programs

On Linux/Ubuntu, you can manage the users registered on the system through settings provided by a dedicated program.

Unfortunately, the programs for the Gnome and Unity desktop shells differ. Both, however, provide a set of options and tools for checking and editing user groups in Linux distributions.

Accounts in Gnome

First open the system settings and select the section called "Accounts". Note that system users are not displayed here. The list of registered users is in the panel on the left; on the right is a section for settings and for changing the data of each of them.

The Users and Groups program is installed by default in a distribution with the Gnome shell, but if you do not find it on the system you can download and install it by running the following command in "Terminal":

sudo apt-get install unity-control-center

KUser in KDE

For the KDE platform there is one utility that is even more convenient to use. It is called KUser.

The program interface displays all registered users; if necessary, you can also see the system users. The program can change user passwords, move users from one group to another, delete them if necessary, and so on.

As with Gnome, KDE comes with KUser installed by default, but it may have been uninstalled. To install the application, run the following command in "Terminal":

sudo apt-get install kuser

Method 2: Terminal

This method is universal for most distributions based on the Linux operating system. The point is that the system keeps a special file containing information about each user. This file is located at:

All entries in it have the following form:

  • the name of each user;
  • unique identification number;
  • password field;
  • group ID;
  • group name;
  • home directory;
  • login shell.

For security, each user's password is recorded in this file but is not displayed. On other variants of this operating system, passwords are even stored in separate files.

Full list of users

You can print the file with the saved user data from "Terminal" by entering the following command:

If a user ID has fewer than four digits, it belongs to a system account, which it is highly undesirable to change. These accounts are created by the OS itself during installation so that most services can operate as securely as possible.

Names in the user list

Note that this file may contain quite a lot of data you are not interested in. If you only need the names and basic information about users, you can filter the file by entering the following command:

sed "s/:.*//" /etc/passwd

View active users

On a Linux-based OS you can see not only the users who are registered but also those currently active in the OS, and at the same time which processes they are using. For this a special utility is used, called with the command:

This utility lists all commands currently being executed by users. If a user is running two or more commands at once, they are all shown in the output.

Browsing history

If necessary, user activity can be analysed to find out the date of each user's last login. This is based on the /var/wtmp log and is called by entering the following command on the command line:

Last activity date

In addition, on Linux you can find out when each registered user was last active; this is done by lastlog, run with the command of the same name:

This log also shows the users who have never logged in.

Conclusion

As you can see, "Terminal" provides more detailed information about each user. It lets you find out who logged into the system and when, determine whether unauthorized people were using it, and much more. For the average user, however, a program with a graphical interface is the better option, so as not to delve into the details of Linux commands.

The list of users is quite easy to view; the main thing is to understand how this function of the operating system works and what it is used for.

Earlier I touched on user membership in groups and on the fact that users and groups have their own UID and GID. The topic of . Today I would like to systematize what is known about the local user base on Linux: how to manage users and which files are responsible for user management.

Linux is a multi-user operating system. Every user in Linux belongs to one primary group and one or more additional groups. In Linux, as in most other operating systems, working with users consists of the following manipulations: adding a user/group, deleting a user/group, and modifying user/group settings. These are performed with the commands useradd, groupadd, userdel, groupdel, usermod, groupmod, and also passwd, gpasswd and id. There are also graphical user administration tools, usually found in the X shell under Administration - Users and Groups.

Features of user management in Linux

Example of adding a user using a shell:

user-add-server:~# groupadd test
user-add-server:~# useradd -c "Test Test" -g test -m test
user-add-server:~# passwd test
Enter new UNIX password:
Re-enter new UNIX password:
passwd: password updated successfully
user-add-server:~# id test
uid=1001(test) gid=1001(test) groups=1001(test)
user-add-server:~# ls -ld /home/test/
drwxr-xr-x 2 test test 4096 Dec 16 10:24 /home/test/
user-add-server:~#

In the example we add a group for the new user (groupadd), then create a new user with the full name Test Test, primary group test and login test, then set a password for the user test (passwd test) and check the parameters of the created user (id, and the created home directory /home/test/). The listing shows that the UID and GID are above 1000, which marks a regular user. Values below 1000 (and on some distributions below 500) indicate a system user.

By convention, system users usually have an id below 100, and the root user has id 0. Automatic numbering of regular users starts from the value UID_MIN set in the file /etc/login.defs, which is usually 500 or 1000.

Besides regular user accounts and the root account, a system usually has several special-purpose accounts for daemons such as FTP, SSH, mail, news and so on. Such accounts often own files but cannot be used for a normal login. Their login shell is therefore usually set to /sbin/nologin or /bin/false, so that attempts to log into the system fail.

On some systems the user-adding command(s) have extended functionality. For example, the useradd command in the Fedora and Red Hat distributions creates a new group by default, and to disable this you must use the -n option. To clarify such questions, refer to the distribution documentation.

When a user is deleted, his home directory is not deleted. As a result, an interesting situation can arise:

user-add-server:~# userdel test
user-add-server:~# groupdel test
user-add-server:~# ls -ld /home/test/
drwxr-xr-x 2 1001 1001 4096 Dec 16 10:24 /home/test/
user-add-server:~# groupadd test123
user-add-server:~# useradd -c "Test Test" -g test123 -m test123
user-add-server:~# ls -ldn /home/test*
drwxr-xr-x 2 1001 1001 4096 Dec 16 14:30 /home/test
drwxr-xr-x 2 1001 1001 4096 Dec 16 14:29 /home/test123
user-add-server:~# ls -ld /home/test*
drwxr-xr-x 2 test123 test123 4096 Dec 16 10:24 /home/test
drwxr-xr-x 2 test123 test123 4096 Dec 16 14:25 /home/test123
user-add-server:~# passwd test123
Enter new UNIX password:
Re-enter new UNIX password:
passwd: password updated successfully
user-add-server:~# su -l test123
test123@user-add-server:~$ pwd
/home/test123
test123@user-add-server:~$ ls /home/
mc-sim test test123
test123@user-add-server:~$ cd /home/mc-sim/
test123@user-add-server:/home/mc-sim$ ls -la
total 24
drwxr-xr-x 2 mc-sim mc-sim 4096 Nov 15 12:31 .
drwxr-xr-x 6 root root 4096 Dec 16 14:25 ..
-rw------- 1 mc-sim mc-sim 99 Nov 15 13:45 .bash_history
-rw-r--r-- 1 mc-sim mc-sim 220 Oct 1 17:42 .bash_logout
-rw-r--r-- 1 mc-sim mc-sim 3116 Oct 1 17:42 .bashrc
-rw-r--r-- 1 mc-sim mc-sim 675 Oct 1 17:42 .profile
test123@user-add-server:/home/mc-sim$ rm /home/mc-sim/.bash_logout
rm: remove write-protected regular file `/home/mc-sim/.bash_logout'? y
rm: cannot remove `/home/mc-sim/.bash_logout': Permission denied
test123@user-add-server:/home/mc-sim$ rm /home/test/.bashrc
test123@user-add-server:/home/mc-sim$

In the example above we delete the user and group test created earlier. The user's directory remains untouched: as the listing shows, the directory's ownership is still recorded as id 1001. Next we create a new user and group with a different name, test123. This user is assigned the UID and GID of the previously existing user test. Listing the directories matching /home/test* with the -n option and without it shows what happened: the directory of user test is now owned by user test123, as the owner fields test123 test123 tell us. We log in as user test123 and, to check the access rights, delete a file from /home/test, which succeeds; we also try to delete a file from the directory of a third user, mc-sim, which fails. This example illustrates well that in Linux everything is tied to identifiers.
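The UID-reuse situation shown above can be checked for before the next user is created. The POSIX shell/awk script below is an added example, not from the original article: given a passwd file and a listing of numeric owner UID and path (the format that `find /home -xdev -printf '%U %p\n'` produces; here constructed, with the user test already removed), it computes the UID a plain useradd would hand out next (the smallest free UID at or above UID_MIN) and lists paths whose owner UID no longer exists in passwd, marking the ones the new user would silently inherit.

```shell
#!/bin/sh
# Added example: find files left behind by a deleted user and the UID that would inherit them.
# Constructed passwd: user "test" (UID 1001) has already been removed with userdel (without -r).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mc-sim:x:1000:1000:MC Sim:/home/mc-sim:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin'

# Constructed "owner-uid path" listing, the shape produced on a real host by:
#   find /home /srv -xdev -printf '%U %p\n'
LISTING_SAMPLE='1000 /home/mc-sim
1000 /home/mc-sim/.bashrc
1001 /home/test
1001 /home/test/.bashrc
1005 /srv/old-export
0 /root'

write_samples() {   # $1 = directory to write the constructed files into
  printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
  printf '%s\n' "$LISTING_SAMPLE" > "$1/listing"
}

# reuse_report PASSWD LISTING UID_MIN, one line per finding:
#   NEXTUID:<n>                  the UID a plain "useradd" would assign next
#   ORPHAN_NEXTUID:<uid>:<path>  owner missing from passwd AND equal to that next UID
#   ORPHAN:<uid>:<path>          owner missing from passwd (what "find -nouser" reports)
reuse_report() {
  awk -F: -v min="$3" '
    NR == FNR { used[$3] = 1; next }            # first file: passwd, collect UIDs in use
    {                                           # second file: "uid path" per line
      n++; split($0, f, " ")
      owner[n] = f[1]; path[n] = substr($0, length(f[1]) + 2)
    }
    END {
      for (u = min + 0; (u "") in used; u++) { }  # smallest free UID >= UID_MIN
      print "NEXTUID:" u
      for (i = 1; i <= n; i++) {
        if ((owner[i] "") in used) continue     # owner still exists: nothing to report
        tag = (owner[i] + 0 == u) ? "ORPHAN_NEXTUID" : "ORPHAN"
        print tag ":" owner[i] ":" path[i]
      }
    }' "$1" "$2"
}

# Demo on the constructed files. On a real host the fix is to chown or remove the ORPHAN
# paths (or delete accounts with "userdel -r") before the UID is handed out again.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
reuse_report "$demo_dir/passwd" "$demo_dir/listing" 1000
rm -rf "$demo_dir"
```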

Managing user and group databases in Linux

The main files containing information about users and groups are four files in the /etc directory:

- /etc/passwd - password file containing basic information about users
- /etc/shadow - shadow password file containing the encrypted passwords
- /etc/group - groups file containing basic information about groups and the users belonging to them
- /etc/gshadow - shadow groups file containing the encrypted group passwords

It is strongly discouraged to edit these files with an ordinary text editor. They are updated when the commands above are executed, and while being changed they are locked and kept in sync.

If there is still an urgent need to edit these files, use the vipw command to safely edit /etc/passwd and the vigr command to safely edit /etc/group. These commands lock the necessary files while changes are being made. If you change /etc/passwd, vipw will ask whether /etc/shadow also needs to be updated; similarly, after updating /etc/group with vigr you will be prompted to update /etc/gshadow. If you need to remove group administrators you must use vigr, since gpasswd only allows you to add administrators.

Note that on modern systems the passwd and group files do not store passwords in clear text, for security reasons. The passwd and group files themselves must be readable by everyone, while the encrypted passwords must not be, so the encrypted passwords are kept in the shadow files, which are readable only by the root user. The access needed to change authentication data is provided by a setuid program that runs with root privileges but can be executed by any user.

File /etc/passwd

user-add-server:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
test123:x:1001:1001:Test Test:/home/test123:/bin/sh

The /etc/passwd file contains one line for each user on the system. Each line contains seven fields separated by colons (:). Description of the fields, using the root user as an example:

Field            Value   Description
Username         root    name used to log in (login)
Password         x       user password (x if the password is stored in encrypted form elsewhere)
User ID (UID)    0       user ID
Group ID (GID)   0       group ID

Creating a new group in the system
With this command you can create a new user group (hereinafter, group) named group on the system:

Adding a new user to the system
A new user named user can be added with the command:


He will automatically be placed in a group of his own, named after him.
To add the user user to an existing group group, write:

With this command you can add a user to several groups at once by listing the group names separated by commas.

To add a user to a new group with a name different from the username, do the following:

useradd -g groupname user

This group will be the main group for the user.

Setting a user password
The password of the user user is set with the command:


This command asks you to enter the password twice. Never leave a user without a password!
Sometimes it is necessary to prevent a user from logging in, for example when the account only needs access to a network share. (More about this.) To do this, change the passwd file with the following command:

In the password field I add an asterisk "*" in front of the password itself (this file is described in more detail at the end of the article). Save the changes and exit with Ctrl+X, confirming with Y. For greater safety this file can be edited with the vipw command. To exit that editor and save the changes, run :wq; to exit without saving, write :q, or :q! if any changes have been made.

User information files
The following information is provided for a better understanding of creating and fine-tuning system users. To edit users, in most cases it is easier to use the usermod command. You can learn more about this command by running

Usually the commands above are sufficient to add and edit a user.
All information about system users and groups is stored in the following files:
- /etc/passwd contains the entire list of users the system knows about. Each line of this file describes one user and contains seven fields of user information, separated by colons:
1. User registration name;
2. Encrypted user password (never leave this field blank);
3. User ID (UID);
4. Group ID (GID);
5. The GECOS field, in which you can specify the user's full name, work and home phone numbers, place of work, etc.;
6. Path to the home directory;
7. Login shell.

- /etc/shadow stores the passwords in encrypted form. This file is readable only by the superuser. Each line corresponds to one user and contains nine fields separated by colons:
1. User registration name;
2. Encrypted user password;
3. Date of the last password change;
4. Minimum number of days between password changes;
5. Maximum number of days between password changes;
6. Number of days before the warning about password expiry;
7. Number of days until the password expires;
8. Account validity period;
9. A reserved, unused empty field.
The date fields in this file hold the number of days elapsed since January 1, 1970. The first two fields must be filled in!

- /etc/group contains the list of groups and the names of the users included in them. As in the previous files, each line corresponds to one group and has four fields separated by colons:
1. Group name;
2. Encrypted password, or the character x indicating that the gshadow file is used (when joining a group with the newgrp utility you must enter this password);
3. Group ID (GID);
4. The list of members of this group, separated by commas.
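As an added example (not from the original article) covering the passwd record format described earlier and the shadow fields listed above, the following POSIX shell/awk script reads a passwd file and a shadow file and flags the states the text warns about: a second account with UID 0, an empty password field, a system account (UID below UID_MIN, read from a login.defs file) that still has an interactive shell, and a last-change date of 0 (the effect of chage -d 0, i.e. a forced change at next login). All three sample files are constructed; on a real host you would run it as root against /etc/passwd, /etc/shadow and /etc/login.defs.

```shell
#!/bin/sh
# Added example: audit passwd/shadow records. The sample data below is constructed.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
test123:x:1001:1001:Test Test:/home/test123:/bin/sh
toor:x:0:0:second uid 0:/root:/bin/bash
guest:x:1002:100:Guest:/home/guest:/bin/bash'

# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (hashes are placeholders; lastchg is days since 1970-01-01)
SHADOW_SAMPLE='root:$6$placeholder$hash:19700:0:99999:7:::
lp:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
test123:$6$placeholder$hash:0:0:99999:7:::
toor:$6$placeholder$hash:19700:0:99999:7:::
guest::19700:0:99999:7:::'

LOGIN_DEFS_SAMPLE='# constructed excerpt of /etc/login.defs
UID_MIN 1000
UID_MAX 60000'

write_samples() {   # $1 = directory to write the three constructed files into
  printf '%s\n' "$PASSWD_SAMPLE" > "$1/passwd"
  printf '%s\n' "$SHADOW_SAMPLE" > "$1/shadow"
  printf '%s\n' "$LOGIN_DEFS_SAMPLE" > "$1/login.defs"
}

uid_min() {   # $1 = login.defs file; prints UID_MIN (1000 if the key is absent)
  awk '$1 == "UID_MIN" { print $2; found = 1 } END { if (!found) print 1000 }' "$1"
}

# audit_accounts PASSWD SHADOW UID_MIN -> one finding per line, passwd findings first
audit_accounts() {
  awk -F: -v min="$3" '
    NR == FNR {                                  # first file: passwd
      if ($3 == 0 && $1 != "root") print "UID0:" $1
      if (seen[$3]++) print "DUPUID:" $3         # second account with the same UID
      if ($3 + 0 > 0 && $3 + 0 < min + 0 && $7 !~ /(nologin|false)$/)
        print "SYSSHELL:" $1                     # daemon account with a login shell
      next
    }
    {                                            # second file: shadow
      if ($2 == "") print "EMPTYPW:" $1          # no password at all: login without one
      if ($3 == "0") print "FORCECHG:" $1        # chage -d 0: must change at next login
    }' "$1" "$2"
}

# Demo on the constructed files; as root, point it at /etc/passwd, /etc/shadow, /etc/login.defs.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow" "$(uid_min "$demo_dir/login.defs")"
rm -rf "$demo_dir"
```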
