User management is a crucial part of a server administrator's job.
I have compiled this document to give Linux admins an overview of user management in Linux.
Please note that I have used CentOS or Red Hat Linux here. Each Linux flavor has its differences, but the basics are the same.
Important phases of user management:
1. Add users
2. Delete users
I. Add User
By default, when we add a user to a Linux machine, many steps happen inside the OS. The major steps are:
1. Entries get added to /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.
2. The home directory gets created, and common files get copied from /etc/skel to the user's home directory, e.g. .bashrc, .bash_profile, etc.
3. The mailbox gets created.
We will look at each of these in detail.
Step 1: Entries in /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow
a. To add a user we use the "adduser" or "useradd" command. "adduser" is nothing but a symlink to "useradd"; both are located under the "/usr/sbin/" directory, so both can be executed by the "root" user only.
Usage: adduser USER_NAME
For eg.: adduser neelesh
When we add a user in Linux, an entry for the user gets added to "/etc/passwd" as given below:
neelesh:x:500:500::/home/neelesh:/bin/bash
Please note that fields are separated by ':'.
Description of fields in "/etc/passwd":
First field: Login name of the user
Second field: Encrypted password (the hash, never the clear-text password)
Note: If shadowing is enabled it always holds an "x", which means the password is stored in the /etc/shadow file. If the "x" is deleted from the 2nd field of "/etc/passwd", the user can log in without a password.
Third field: User id, which is unique to every user
Fourth field: Group id, which is unique to every group
Fifth field: Comments, i.e. user-related info like full name, office address, office phone, home phone
Sixth field: Home directory
Seventh field: Login shell
It also adds one entry to /etc/shadow:
neelesh:!:15121:0:99999:7:::
Please note that fields are separated by ':'.
Description of fields in "/etc/shadow":
First field: Login name of the user
Second field: Encrypted password (the hash)
Third field: Number of days since January 1, 1970 when the password was last changed
Fourth field: Minimum number of days that must pass before the password can be changed again
Fifth field: Maximum number of days the password stays valid
Sixth field: Number of days before expiry on which the password-expiry warning is given
Seventh field: Number of days after the password expires before the account is disabled
Eighth field: Date (days since January 1, 1970) on which the account is disabled
Ninth field: Reserved field
b. Providing a password to the user:
After using "adduser / useradd", the user is still not active. We need to give the user a password with the "passwd" command, which is used as given below:
Usage: passwd USER_NAME
For eg.: passwd neelesh
Enter the password twice. Make sure the password is tough to crack.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
After providing the password, the entry in "/etc/shadow" for that user changes:
neelesh:$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1:15121:0:99999:7:::
Here the second field has changed. Now it holds the encrypted password (hash).
c. Group add:
At the same time, "useradd" adds entries to /etc/group and /etc/gshadow. It adds a primary group for the user with the same name as the user.
In /etc/group it adds the line below:
neelesh:x:15121:
Description of fields in "/etc/group":
First field: Group name
Second field: Encrypted group password (the hash)
Note: If shadowing is enabled it always holds an "x", which means the password is stored in the /etc/gshadow file.
Third field: Group id, which is unique to every group
Fourth field: Members of the group
In /etc/gshadow it adds the line below:
neelesh:!::
Description of fields in "/etc/gshadow":
First field: Group name
Second field: Encrypted group password (the hash)
Note: "!" means no password is set.
Third field: Comma-separated list of group administrators
Fourth field: Comma-separated list of group members
Step 2: Home directory and mailbox creation
When a user gets added, "useradd" creates the user's home directory and copies files from "/etc/skel" into it.
"useradd" reads "/etc/default/useradd". "/etc/default/useradd" is an ASCII text file. It has the entries below:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
Description of directives in "/etc/default/useradd":
GROUP – Maximum number of groups of which a user can be a member
HOME – Directory under which the user's home directory will be created
INACTIVE – Number of days the account should be inactive after creation
Note: "-1" means never inactive, i.e. always active
EXPIRE – Date on which the account should expire, given in the form YYYY-MM-DD
SHELL – Default login shell for the user
SKEL – Directory from which the default user profile files will be copied to the user's home directory
The "useradd" binary also reads "/etc/login.defs". "/etc/login.defs" is also an ASCII text file and contains the entries below:
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
Please note that there are many entries in "/etc/login.defs"; here I have mentioned the important ones.
Description of directives in "/etc/login.defs":
MAIL_DIR – Directory where the user's mail will be stored
PASS_MAX_DAYS – Maximum number of days a password stays valid
PASS_MIN_DAYS – Minimum number of days that must pass before a password can be changed again
PASS_MIN_LEN – Minimum required length of a password
PASS_WARN_AGE – Number of days before expiry on which the password-expiry warning is given
UID_MIN – Minimum value for automatic user id selection
UID_MAX – Maximum value for automatic user id selection
GID_MIN – Minimum value for automatic group id selection
GID_MAX – Maximum value for automatic group id selection
CREATE_HOME – Whether useradd should create home directories for users
From login.defs, "useradd" gets the location where it creates the "mailbox" for that particular user.
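As an added example (not part of the original document), here is a small POSIX shell audit that reads login.defs-style directives and reports the password-aging values that are weaker than a stricter policy. The sample file is a constructed copy of the values listed above, the hardened copy is derived from it with sed, and the thresholds (90 days maximum age, 1 day minimum age, length 14, 7 days warning) are assumed policy values chosen for the demonstration, not numbers from the page or from any distribution.

```shell
# Added example: audit login.defs-style directives against a stricter policy.
# Not from the original document; the thresholds below are assumed policy values.

DEFS=$(mktemp)
HARDENED=$(mktemp)

# Constructed copy of the directives listed in the document.
cat >"$DEFS" <<'EOF'
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
EOF

# The same file with the aging directives tightened to the assumed policy.
sed -e 's/^PASS_MAX_DAYS .*/PASS_MAX_DAYS 90/' \
    -e 's/^PASS_MIN_DAYS .*/PASS_MIN_DAYS 1/' \
    -e 's/^PASS_MIN_LEN .*/PASS_MIN_LEN 14/' "$DEFS" >"$HARDENED"

# Print the value of directive $2 in file $1; comment lines are skipped and,
# as with the real file, the last occurrence wins. Prints nothing if unset.
get_def() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# Print one line per weak directive, then the number of findings on a final line.
audit_login_defs() {
    f=$1
    n=0
    v=$(get_def "$f" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 90 ]; then
        echo "PASS_MAX_DAYS=${v:-unset}: passwords effectively never expire (policy: 90)"
        n=$((n + 1))
    fi
    v=$(get_def "$f" PASS_MIN_DAYS)
    if [ -z "$v" ] || [ "$v" -lt 1 ]; then
        echo "PASS_MIN_DAYS=${v:-unset}: a user can change the password back immediately (policy: 1)"
        n=$((n + 1))
    fi
    v=$(get_def "$f" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 14 ]; then
        # On PAM-based systems the minimum length is enforced by the PAM stack
        # (pam_cracklib / pam_pwquality), so the policy must be mirrored there too.
        echo "PASS_MIN_LEN=${v:-unset}: short passwords allowed (policy: 14)"
        n=$((n + 1))
    fi
    v=$(get_def "$f" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 7 ]; then
        echo "PASS_WARN_AGE=${v:-unset}: users get little or no expiry warning (policy: 7)"
        n=$((n + 1))
    fi
    if [ "$(get_def "$f" CREATE_HOME)" != "yes" ]; then
        echo "CREATE_HOME: useradd will not create home directories"
        n=$((n + 1))
    fi
    echo "$n"
}

# Only the finding count, for callers that just need a pass/fail signal.
count_weak_defs() {
    audit_login_defs "$1" | tail -n 1
}

echo "== values from the document =="
audit_login_defs "$DEFS"
echo "== hardened copy =="
audit_login_defs "$HARDENED"
```

Run against the real file with `audit_login_defs /etc/login.defs`; the page's own values produce three findings (maximum age, minimum age and minimum length), and the hardened copy produces none. The `get_def` helper mirrors how the shadow tools read the file: comments are ignored and a later duplicate directive overrides an earlier one.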
II. Delete User
To delete a user's account from the system (but not the mailbox and home directory), i.e. to suspend the user temporarily, we use the command below:
Usage: userdel USER_NAME
For eg.: userdel neelesh
To delete a user's account from the system completely, i.e. to permanently delete all the user's details including the home directory and mailbox, we use the command:
Usage: userdel -r USER_NAME
For eg.: userdel -r neelesh
====================================================================
Miscellaneous stuff related to user management
1. Overriding default settings while adding a user
a. Specify the home directory path while adding a user:
$ adduser -d /mnt/home/neelesh neelesh
b. Specify the login shell while adding a user:
$ adduser -s /bin/csh neelesh
c. Specify the primary group while adding a user:
$ adduser -g users neelesh
2. Modifying settings of an already added user with the "usermod" command
a. Changing the home directory:
$ usermod -d /mnt/home/neelesh neelesh
b. Changing the login shell:
$ usermod -s /bin/csh neelesh
c. Changing the primary group:
$ usermod -g users neelesh
3. Playing around with users
a. Changing the password age of a user:
$ chage -d 0 raj
The 3rd field of "/etc/shadow" is the number of days since Jan 1, 1970 that the password was last changed. We set it to 0, which means the password was last changed on Jan 1, 1970 and hence has expired, so it is promptly locked, shown by "!!":
$ grep raj /etc/shadow
raj:!!:0:0:99999:7:::
b. Test the password status:
$ passwd -S raj
Password locked.
User raj cannot login yet.
c. Unlock the password, forcefully:
$ passwd -uf raj
Unlocking password for user raj.
passwd: Success.
This changes the "!!" to a blank, which means the password is now unlocked.
Now log in as user "raj":
You are required to change your password immediately (root enforced)
New password:
Just what you wanted!
Note: When you log in, Linux first and foremost checks whether this 3rd field is valid and does not care about the password-expiration field. The password-expiration field is examined after this check has passed and the user logs in.
====================================================================
Try some hacks
/etc/passwd hacks
===================
Create a user amar with some password.
01. Comment out amar's line in /etc/passwd
02. Change x to * in the 2nd field of /etc/passwd
03. Change amar's shell in /etc/passwd
# chsh amar [/sbin/nologin]
04. Blank the 2nd field of /etc/passwd for amar
05. Create the file /etc/nologin
06. Comment out all ttys in /etc/securetty
07. chmod o+w /etc/securetty
08. Delete the file /etc/securetty
/etc/shadow hacks
=================
09. Comment out amar's line in /etc/shadow
10. Put a 0 in the 8th field of /etc/shadow for amar [disabled]
11. Remove the entire password entry in the 2nd field of /etc/shadow for amar
12. Change the 3rd field of /etc/shadow for amar to 0
Create a user vijay – DO NOT give it a password.
13. Change the 3rd field of /etc/shadow for amar to 0 – Illogical!!
14. Blank the 2nd field of /etc/shadow for amar
15. Blank the 2nd field of /etc/shadow for amar AND make the 3rd field 0 [expire]
Answers
=======
/etc/passwd hacks
=================
01. amar cannot login
02. amar cannot login [disabled]
03. amar cannot login
04. amar can login w/o passwd
05. No user can login – although root can
06. root cannot login
07. root cannot login
08. root CAN login
/etc/shadow hacks
=================
09. amar cannot login
10. amar cannot login – disabled
11. amar can login w/o password
12. Asks for current pwd and then asks for a pwd change
13. No point in doing this!!
14. amar can login w/o a pwd
15. Will ask user for pwd challenge
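To tie the /etc/passwd and /etc/shadow field layouts from Step 1 to the outcomes above, here is an added example (not part of the original document) in POSIX shell that classifies how a login attempt would be handled, reading constructed copies of the two files. The account names, hashes and expiry values are made up for the demonstration (only the neelesh hash is the one shown earlier on this page); the check order and the "passwordless" outcome for a blank second field follow the document's description, which on PAM systems relies on pam_unix's nullok option that CentOS/RHEL enable by default. The `hash_algo` helper additionally names the hash scheme from the `$id$` prefix, which is how an administrator spots legacy `$1$` (MD5-crypt) hashes that should be re-hashed with the modern `$6$` (SHA-512) default.

```shell
# Added example, not from the original document: predict login outcomes from
# constructed copies of /etc/passwd and /etc/shadow. Names and hashes are made up.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed /etc/passwd: one account per case from the exercises above.
cat >"$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
neelesh:x:500:500::/home/neelesh:/bin/bash
amar:x:501:501::/home/amar:/bin/bash
vijay:x:502:502::/home/vijay:/bin/bash
raj:x:503:503::/home/raj:/bin/bash
svc:x:504:504::/home/svc:/sbin/nologin
star:*:505:505::/home/star:/bin/bash
open::506:506::/home/open:/bin/bash
forced:x:507:507::/home/forced:/bin/bash
challenge:x:508:508::/home/challenge:/bin/bash
#gone:x:509:509::/home/gone:/bin/bash
EOF

# Constructed /etc/shadow (name:hash:lastchg:min:max:warn:inactive:expire:).
cat >"$SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhash:15121:0:99999:7:::
neelesh:$1$DXl6dFbJ$gHlxMdwiKRZfQ2oUiAqJ.1:15121:0:99999:7:::
amar:$1$constructed$hash:15121:0:99999:7::0:
vijay::15121:0:99999:7:::
raj:!!:0:0:99999:7:::
svc:*:15121:0:99999:7:::
forced:$1$constructed$hash:0:0:99999:7:::
challenge::0:0:99999:7:::
EOF

# Print field $3 of the line for user $2 in file $1 (empty if the user is absent).
field() {
    (grep "^$2:" "$1" || true) | cut -d: -f"$3"
}

# Classify a login attempt for user $1. Checks run in the order the login stack
# applies them: passwd entry, shell, passwd 2nd field, shadow entry, account
# expiry (8th field), locked hash, forced change (3rd field = 0), empty hash.
login_status() {
    u=$1
    today=$(( $(date +%s) / 86400 ))
    if ! grep -q "^$u:" "$PASSWD"; then echo "no-passwd-entry"; return 0; fi
    case "$(field "$PASSWD" "$u" 7)" in
        */nologin|*/false) echo "shell-denies-login"; return 0 ;;
    esac
    case "$(field "$PASSWD" "$u" 2)" in
        '')       echo "passwordless"; return 0 ;;    # blank: no password asked
        '*'|'!'*) echo "locked"; return 0 ;;          # unusable hash in passwd itself
        x)        ;;                                  # shadowed: consult /etc/shadow
        *)        echo "unshadowed-hash"; return 0 ;; # hash left in world-readable passwd
    esac
    if ! grep -q "^$u:" "$SHADOW"; then echo "no-shadow-entry"; return 0; fi
    pw=$(field "$SHADOW" "$u" 2)
    lastchg=$(field "$SHADOW" "$u" 3)
    expire=$(field "$SHADOW" "$u" 8)
    case "$expire" in
        ''|*[!0-9]*) ;;                               # empty or malformed: no expiry date
        *) if [ "$expire" -le "$today" ]; then echo "account-expired"; return 0; fi ;;
    esac
    case "$pw" in '*'|'!'*) echo "locked"; return 0 ;; esac
    if [ "$lastchg" = "0" ]; then
        if [ -z "$pw" ]; then echo "passwordless-must-change"; else echo "must-change-password"; fi
        return 0
    fi
    if [ -z "$pw" ]; then echo "passwordless"; return 0; fi
    echo "password-required"
}

# Name the hash scheme of user $1 from the $id$ prefix: $1$ is MD5-crypt (the
# legacy scheme shown in the document), $6$ is the modern SHA-512 default.
hash_algo() {
    case "$(field "$SHADOW" "$1" 2)" in
        '')       echo none ;;
        '*'|'!'*) echo locked ;;
        '$1$'*)   echo md5 ;;
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        *)        echo other ;;
    esac
}

for u in neelesh amar vijay raj svc star open forced challenge gone; do
    printf '%-10s %-24s hash=%s\n' "$u" "$(login_status "$u")" "$(hash_algo "$u")"
done
```

The constructed accounts map onto the exercises: `gone` is the commented-out line (01/09), `star` the `*` in the passwd second field (02), `svc` the nologin shell (03), `open` the blanked passwd field (04), `amar` the 0 in the shadow 8th field (10), `vijay` the blanked shadow hash (11/14), `forced` the 3rd field set to 0 (12), and `challenge` the blank hash plus 3rd field 0 (15); `raj` reproduces the chage section, where the `!!` lock wins over the expired-change date. To use the functions on the real files, point `PASSWD` and `SHADOW` at /etc/passwd and /etc/shadow and run as root, since /etc/shadow is not world-readable.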