Linux - User and Group Management

Users

UIDs

All local users are given an identification number that is stored along with the corresponding username in /etc/passwd.

Remote users: typically a range of UIDs is reserved for non-local users in order to prevent UID collisions with local users.

Note: When logging into the system, a user MUST use their username. Logging in via UID is not permitted, even if the UID exists.

UID       User            Description
0         superuser       always assigned to the superuser account, root.
1-200     system users    user ID range for the system users that run system processes. These are statically assigned by the
201-999   system users    user ID range given to system users for system processes that do not own files on the system. These are dynamically assigned when the packages that require them are installed. These user IDs have restricted access only to the resources they need for operating.
1000+     regular users   user ID range for regular user accounts.

Note: Special UIDs

  • UID 1: bin user (system binaries and non-login accounts)
  • UID 48: Apache user (if installed)
  • UID 99: nobody account (used for a variety of things, FTP anonymous access for example, may also map to a root account for certain NFS configurations (the root_squash option))

User Shells

A shell is a program that acts as an interface between the user and the operating system (OS) kernel. A shell is started each time a user logs in and is responsible for executing programs based on user input.

The shell also provides a user environment that can be customized by configuring the profile initialization files for each user. These files contain user settings for:

  • Paths where commands are located
  • Defining variables
  • Customizable values, such as terminal prompt

User shell set to /sbin/nologin: prints the message in /etc/nologin.txt if that file exists (otherwise the default: "the user account is currently not available") and exits.

User shell set to /bin/false: the user is immediately logged out. This file is just a binary that immediately exits, returning false.

Working with Home Directories

A user's home directory is the directory in which a user lands upon login. It is intended to store a user's files, directories and executables.

  • identified by ~
  • typically resides under /home on the / partition

The /etc/skel directory contains files and directories that are copied over to a new user's home directory when it is created with the useradd command.

Standard Users

  • provided a login shell, a home directory
  • limited permissions to view system configs
  • no permissions for modifying system configs

Standard accounts may be granted the ability to perform privileged actions with sudo (super-user do).

Root User

Root is the system administrator account and has full access to all permissions on the system. Linux administrators need to be careful with the use of sudo privileges; it is a security best practice not to log into a system directly as root, but to "become" root.

  1. su: You will provide the root password and will then become root (su = superuser)
  2. sudo su: You will provide your password and, as long as you have sudo privileges (sudo = superuser do), you will then become root

For example: Become the root user, but login shell scripts (.bash_login, .bashrc, etc.) will not execute, so you will not inherit the values set in them.

su root

For example: Become root and all login shell scripts will execute, so the full environment and settings will be available.

su - root
su -l root

This applies to regular users as well (as long as you know the associated password).

Note: Root can su to any user without knowing the user’s password.

Users that can execute commands with elevated root level privileges are listed in /etc/sudoers. The format of the file requires the user to be listed (or a group, if an entire group should have root privileges) along with what they can do.

For example: Provide the user account sudo rights for any command using elevated privileges.

user ALL=(ALL) ALL

For example: Limit the user to only be able to run systemctl with sudo privileges (so they can restart services).

user ALL=(ALL) /bin/systemctl

visudo is a special editing mode for vi that allows editing and syntax/error checking of the /etc/sudoers file, or the creation of config files in /etc/sudoers.d.

Note: The editor used can be changed by setting the EDITOR environment variable to any other available text editor.

/etc/sudoers

System User

Application Service Accounts - System users are generally deployed when applications are installed:

  • their home directories are set to application folders
  • their login shell is normally set to /usr/sbin/nologin, so they cannot log in interactively

The purpose of having discrete users is to separate the functional privileges of each application and service from the others.

User Management

Note: Although it is possible to create a user by directly editing the /etc/passwd and /etc/group files, this poses security risks AND can contain errors that will prevent user login or cause unintended consequences.

User Management Files: /etc/passwd, /etc/shadow, /etc/group

Getting relevant user information can be done a few different ways.

  • id command
  • getent command: Utility that allows you to search local sources (/etc/passwd and /etc/shadow) for account information, as well as network sources.
  • Manually looking at /etc/passwd, /etc/shadow files

User Management tools:

Tool               /etc/passwd   /etc/shadow
pwck               X             X
pwconv/pwunconv    X             X

/etc/passwd:

/etc/passwd is a text file that contains the attributes for all user accounts on the system. This includes name, password, UID, GID, gecos, home directory, and shell. The file contains 7 attribute fields for each local user.

  • username
  • password
  • user ID
  • group ID
  • GECOS
  • home directory
  • login shell

/etc/shadow:

/etc/shadow is a text file that stores the passwords for all user accounts in hashed (commonly called encrypted) form, as well as a few configurable password properties. Each line contains 8 fields.

  • username
  • password
  • lastchanged
  • minimum
  • maximum
  • warn
  • inactive
  • expire

cloud-user:$5$alskXffMarjd$f1YSNjXfiuhwa:18249:0:99999:7:::

Note: structure of hashed passwords

username:hashed-password-with-salt:last:min:max:warn:inactive:expire

$5$alskXffMarjd$f1YSNjXfiuhwa = $id$salt$hashed

  • $id [1-6]:
    • 1: MD5
    • 2a: Blowfish
    • 2y: Blowfish
    • 5: SHA-256
    • 6: SHA-512
  • $salt: A salt is a fixed-length, cryptographically strong random value that is mixed into the password hash, so that two users with the same password get different hashes and precomputed hash tables cannot be used against the file.
  • $hashed: Hashed password string
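As an added example (not from the original notes), the following Python parses constructed /etc/shadow records, decodes the $id$salt$hashed structure into the algorithm names listed above, recognises the ! prefix that a password lock inserts, and flags passwords whose max age has run out. The sample records and hash strings are constructed placeholders; only the cloud-user line is taken from the notes.

```python
"""Added example (not from the original notes): parse /etc/shadow records,
decode the $id$salt$hash password field and flag locked or expired accounts."""
from datetime import date

HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
            "5": "SHA-256", "6": "SHA-512"}   # $id values from the notes

# Constructed sample records (placeholder hashes, not real credentials).
SAMPLE_SHADOW = """\
cloud-user:$5$alskXffMarjd$f1YSNjXfiuhwa:18249:0:99999:7:::
svc-app:!$6$saltsalt$placeholderhash:18249:0:99999:7:::
nobody:*:18249:0:99999:7:::
legacy:$1$salt$placeholder:17000:0:90:7:10:18500:
"""

def parse_shadow_line(line):
    """Split a record into its 8 documented fields (a 9th reserved one may follow)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow record: %r" % line)
    name, pw = fields[0], fields[1]
    nums = [int(f) if f else None for f in fields[2:8]]   # empty field = not set
    keys = ["lastchanged", "min", "max", "warn", "inactive", "expire"]
    return dict(zip(keys, nums), user=name, password=pw)

def password_status(pw):
    """Classify the password field: empty, locked ('!' prefix as written by
    passwd -l / usermod -L), '*' (nothing can match) or the $id algorithm."""
    if pw == "":
        return "empty"
    if pw.startswith("!"):
        return "locked"
    if pw == "*":
        return "no-password"
    parts = pw.split("$")        # ['', id, salt, hash]
    if len(parts) >= 4 and parts[0] == "":
        return HASH_IDS.get(parts[1], "unknown-id-" + parts[1])
    return "legacy-crypt"        # old 13-character DES-style hash

def password_expired(rec, today):
    """True when lastchanged + max days is already past (max 99999 = never)."""
    if rec["lastchanged"] is None or rec["max"] is None or rec["max"] >= 99999:
        return False
    return rec["lastchanged"] + rec["max"] < (today - date(1970, 1, 1)).days

def audit(text, today):
    """Map each user to (password status, expired?) as of the given date."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_shadow_line(line)
            report[rec["user"]] = (password_status(rec["password"]),
                                   password_expired(rec, today))
    return report
```

Run audit(SAMPLE_SHADOW, date.today()) as root against the real file's contents to list accounts with empty password fields or expired passwords.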

/etc/nsswitch.conf:

The /etc/nsswitch.conf file determines the order that user account information is searched for on a system during login.

For example:

passwd: files nis
shadow: files nis

This searches the LOCAL files for account information first, and then the configured remote user database (NIS here) if the account is not found locally.

Creating Users

Command    Description
useradd    used to add or create users. Options are available for specifying UID, GID, home dir, and group membership

Option   Description
-c       text string that is entered into the comment field in /etc/passwd
-m       create the home directory
-d       set the home directory
-g       set the primary group id
-G       set supplemental groups
-k       set the skeleton directory
-p       set the user's password to this encrypted password (the value is written to /etc/shadow as-is, so it must already be a crypt(3) hash; it is also visible in shell history and process listings)
-r       create a system account
-s       set the user's login shell
-u       set the user id
-o       set a non-unique user id

For example:

useradd -c "<COMMENT>" -d <HOME_DIR> -m -g <GROUP> -p <PASSWORD> -s <USER_SHELL> <USERNAME>

Boilerplate files and folders for new accounts - The contents of /etc/skel are automatically copied when a new user’s home dir is created via useradd.

/etc/skel

/etc/default/useradd contains the default values for the useradd command when those parameters are not used.

Modifying User Settings

Command    Description
usermod    modify options and parameters set for a specific user

Option   Description
-c       modify the user's password file comment field
-d       change the user's home directory. Often used with the -m flag, which moves files from the current home dir to the new one
-G       change the user's supplemental groups. Often used with the -a flag, which appends to, rather than replaces, the supplemental groups
-L       lock the user account
-U       unlock the user account

For example:

usermod -c "COMMENT" -d HOME_DIR -m -g GROUP -p PASSWORD -s USER_SHELL USERNAME

Note: most of the options used with the usermod command are equal to those of useradd.

Removing Users

Command    Description
userdel    remove a user account (and, with -r, the home directory)

Option   Description
-r       also removes all user mail, owned print jobs, cron jobs and the home directory with all contents (all other files owned by the user will still exist, ownership reverting to the UID of the removed user, thus becoming orphaned)

For example:

userdel -r <USERNAME>

Note: You cannot delete a user that is in use or has a process associated with the account.

userdel is often used in combination with other commands like find.

For example: Search the server/directory for files created by the user and remove the files approved for removal.

find <directory to search> -user <USERNAME>

Suspending Users

The passwd -l username and usermod -L username commands lock a user's password, but not the full account. They insert a ! at the beginning of the hashed password in the /etc/shadow file so that no password can match it. Users can still log in by other means, such as SSH keys.

WARNING: Never edit the /etc/shadow file manually. If you must edit the file, make a backup copy first with cp /etc/shadow /etc/shadow.bak.date

Use chage -E 0 username for full account locking. To set a date for the account to expire, you can use:

usermod -e YYYY-MM-DD username

Managing User Passwords

See man page for passwd command

Command    Description
passwd     change a user's password (your own, or another user's with sufficient privileges)

Update a user’s password - The passwd utility may be used to update the current user’s password, or another user’s with sufficient privileges.

passwd <USERNAME>

Command    Description
chage      change password expiry information

Option        Description
-d [date]     set the number of days since the password was last changed. 0 will force a password reset at the next login
-m [# days]   how long a user must wait (in days) between password changes
-M [# days]   maximum number of days a password will be valid for. Once that number passes a user will be required to reset their password
-I [# days]   number of days of inactivity after expiration before locking the account
-E [date]     set the date when the user account will be locked out, requiring admin intervention. A value of -1 means the account never expires
-W [# days]   how many days before expiration a user will receive a warning that the password will expire
-l            display all values for the indicated user

For example:

chage -l <USERNAME>

Managing User Files and Processes

Search for files owned by a user:

find / -user <USERNAME>

Search for processes owned by a user and kill them:

ps U <USERNAME>
kill <PID>

Remove a user and their home directory from the system:

userdel -r <USERNAME>

Note: Users can change their own password, but not other users' passwords (without sudo); root can change any user's password.

Groups

Groups allow us to gather users together under a common set of permissions. Getting relevant group information can be done in different ways.

Like users, groups are given an identification number that is stored along with the corresponding groupname in /etc/group.

The groups command will allow a user to see which primary and secondary groups they are a member of.

Note: Special GIDs

  • GID 1: bin group (system binaries and non-login accounts)
  • GID 100: users group (put users in this group to give access to resources by assigning the group ownership to this group)

Group Management

Group Management Files: /etc/group, /etc/gshadow

Group Management tools:

Tool                /etc/group   /etc/gshadow
gpasswd             X            X
grpck               X            X
grpconv/grpunconv   X            X

/etc/group:

/etc/group is a text file that contains all of the groups configured on a system, and the users who belong to those groups. The file contains the following 4 fields.

  • group
  • password
  • group ID
  • group list

Note: view group membership with groups [USERNAME]

/etc/gshadow:

/etc/gshadow is a text file that contains all of the groups configured on a system and the hashed group password, if one is set. It also lists group administrators and group members.

Creating Groups

Command    Description
groupadd   used to add or create a group

Option   Description
-g       set the group id
-r       create a system group
-o       allow a non-unique group id

For example:

groupadd -g <GID> <GROUP_NAME>

For example: adding a user to a group and secondary group

useradd -g <GROUP> -G <SECONDARY_GROUP> username

/etc/default/groupadd contains the default values for the groupadd command when those parameters are not used.

Modifying Group Settings

Command    Description
groupmod   modify options and parameters set for a specific group

Option   Description
-g       set the group id
-n       set a new name for the group

For example:

groupmod -g <GID> <GROUP_NAME>

Note: most of the options used with the groupmod command are equal to those of groupadd.

Removing Groups

Command    Description
groupdel   removes the indicated group. Files/directories that are owned by the group will then show only the numeric GID; you can change ownership at that point

For example:

groupdel <GROUP_NAME>

Note: You cannot delete a group that is the primary group of an existing user.

groupdel is often used in combination with other commands like find.

For example: Search the server/directory for files owned by the group and remove the files approved for removal.

find <directory to search> -group groupname

Enabling User and Group Disk Quotas

Tools: quotacheck, edquota, quotaon and repquota

Configure a system disk with a new 2GB partition. Sync the system disks, and view the newly created partition.

lsblk
fdisk /dev/xvdb
partprobe /dev/xvdb
lsblk

Create the filesystem and the mount point.

mkfs -t ext4 /dev/xvdb1
mkdir /app

Get the UUID for the partition and use it to configure /etc/fstab with a group and user quota (add usrquota and grpquota to the entry's mount options). Then mount the filesystem and change permissions on the mount point.

blkid /dev/xvdb1
vim /etc/fstab
mount -a
chown test:test /app

Install the quota package, create the quota files, and assign the user and group quotas for the filesystem.

yum install -y quota
quotacheck -cug /app
edquota test
edquota -g test

Enable the user and group quotas on the /app filesystem and verify the quota configuration.

quotaon -vug /app
repquota /app

Configure Advanced PAM

What is PAM

The Pluggable Authentication Modules (PAM) system adds a layer of security to administrative tools and commands. PAM includes dynamically loadable libraries that control how different applications verify and authenticate users.

PAM is also used to standardize user authentication. For example, the /etc/pam.d/login file contains the following line:

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

This means that the root user can only log in from the secure terminals defined in /etc/securetty.

Typically, configuration files in /etc/pam.d/ are named according to the program that is using them to authenticate. However, some applications make no changes to default files and will be symlinked instead of having their own PAM configuration files.

You can change how PAM-aware applications like the console login program verify their users by changing the appropriate configuration file.

PAM Rule Types

There are four different PAM rule types:

  • Authentication Management (auth): Validates identity
  • Account Management (account): Allows or denies access based on account policies
  • Password Management (password): Manages password change policies
  • Session Management (session): Applies settings for application sessions

PAM Control Flags

There are five different PAM control flags:

  • required - If the module passes, PAM proceeds to the next rule of the same type. If it fails, PAM still proceeds, but the result returns a failure.
  • requisite - If this module fails, PAM does not check any more rules: it simply returns a failure.
  • sufficient - If this module passes, no other rules of this type get processed (unless an earlier required module has already failed, in which case the stack still ends in failure). If the module fails, PAM continues processing the rest of the rules of this type.
  • optional - Whether this module passes or fails, PAM ignores the result and proceeds to the next rule.
  • include - Includes all rules of the same type from the designated configuration file. For example, if the rule says password include system-auth, all password rule types from the PAM system-auth file will be included in this configuration file.
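As an added example (not from the original notes, and not PAM's own code), the following Python simulates how these control flags combine a stack's module results into one decision. The stacks, the module outcomes and the three login attempts are constructed; the pam_securetty rule is the one quoted above, written with the simple keyword syntax.

```python
"""Added example (not from the original notes): a small simulator showing how
the PAM control flags combine a stack's module results into one decision."""

# Constructed stacks. The first "login" rule is the pam_securetty rule from the
# notes, written with the simple keyword syntax; "include" pulls in system-auth.
STACKS = {
    "login": [("required", "pam_securetty.so"),
              ("include", "system-auth")],
    "system-auth": [("required", "pam_env.so"),
                    ("sufficient", "pam_unix.so"),
                    ("requisite", "pam_succeed_if.so"),
                    ("required", "pam_deny.so")],
}

def expand(stacks, name):
    """Inline 'include' rules so a stack becomes a flat list of (flag, module)."""
    flat = []
    for flag, module in stacks[name]:
        if flag == "include":
            flat.extend(expand(stacks, module))
        else:
            flat.append((flag, module))
    return flat

def evaluate(rules, results):
    """results maps module name -> True (pass) / False (fail).
    Returns (decision, modules actually consulted, in order)."""
    required_failed = required_passed = False
    consulted = []
    for flag, module in rules:
        ok = results.get(module, False)      # unknown module counts as failure
        consulted.append(module)
        if flag == "requisite":
            if not ok:
                return ("fail", consulted)   # stop at once
            required_passed = True
        elif flag == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True       # remembered, but keep going
        elif flag == "sufficient":
            if ok and not required_failed:
                return ("ok", consulted)     # no short-circuit after a required failure
        elif flag == "optional" and len(rules) == 1:
            return ("ok" if ok else "fail", consulted)  # only decisive when alone
    return ("fail" if required_failed or not required_passed else "ok", consulted)

# Three login attempts against the same stack (constructed module outcomes).
LOGIN = expand(STACKS, "login")
ROOT_SECURE_TTY = {"pam_securetty.so": True, "pam_env.so": True, "pam_unix.so": True,
                   "pam_succeed_if.so": True, "pam_deny.so": False}
ROOT_INSECURE_TTY = dict(ROOT_SECURE_TTY, **{"pam_securetty.so": False})
BAD_PASSWORD = dict(ROOT_SECURE_TTY, **{"pam_unix.so": False, "pam_succeed_if.so": False})
```

The second attempt shows why a failed required rule is not rescued by a later sufficient one: the whole stack is still walked, but the decision is already a failure.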

Using LDAP for Authentication

Lightweight Directory Access Protocol (LDAP) is a protocol that allows quick transfer of user information from a central point of authority to any number of clients.

This allows users to be configured in one place, rather than individually throughout the environment.

Microsoft’s Active Directory is a directory service, and you can use LDAP to talk to it.

OpenLDAP is another popular directory service, and as the name implies it can also use LDAP to distribute information.

LDAP with Linux

Using LDAP for user information is easier than it may sound. It requires installing a few packages and then setting up authconfig.

Packages:

  • nss-pam
  • pam_krb5
  • autofs
  • nfs-utils
  • openldap-clients

authconfig command:

authconfig --enableldap \
    --enableldapauth \
    --enablemkhomedir \
    --enableldaptls \
    --ldaploadcacert=<CERT_FILE> \
    --ldapserver=<LDAP_SERVER_HOSTNAME> \
    --ldapbasedn="dc=<DC>,dc=com" \
    --update