
Sysadmin Academy Pvt ltd
EMPOWERING SYSTEM ADMINISTRATORS

RHCSA
RHEL - 7

SESSION 2
User Management

Linux User Management

Part 1 User Management
Step 1 Files and Directories for user
Step 2 Password File Format
Step 3 User Management Commands

Part 2 Group Management
Step 4 Password Aging
Step 5 Group Administration
Step 6 Switching Accounts
Step 7 Sudo
Step 8 GUI Tool for user management

Step 1 Files and Directories for user

1. Basic files for user & groups
/etc/passwd : User account information
/etc/shadow : Secure user account information
/etc/gshadow : Contains the shadowed information for accounts
/etc/group : Defines the groups to which users belong
/etc/sudoers : List of who can run what by sudo

2. User Environment Files and Directory
/etc/skel : files and directories automatically copied over to a new user's home directory
/etc/default/useradd : useradd defaults file
/etc/login.defs : defines the site-specific configuration for the shadow password suite
/etc/profile : controls system-wide default variables such as export variables, file creation mask (umask), terminal types, mail messages
~/.bash_profile : executed to configure your shell before the initial command prompt
/etc/bashrc : read by an interactive non-login shell started at the command line using a shell program such as /bin/bash or /bin/sh. Executed by ~/.bashrc

Step 2 Password File Format

1. Password File Format ( /etc/passwd )
sami:x:501:501::/home/sami:/bin/bash
username:password:uid:gid:description:home directory:login shell

Password field: x = reference to /etc/shadow, empty = no password, * or ! = no login possible

2. Shadow File Format ( /etc/shadow )
sami:$6$i7.SAQK2$U9dSrT4E9tEoLEBfS:16729:0:99999:7:::
(field 1 = sami, 2 = $6$i7.SAQK2$U9dSrT4E9tEoLEBfS, 3 = 16729, 4 = 0, 5 = 99999, 6 = 7)

1. User name: your login name.
2. Password: the encrypted (hashed) password. The prefix identifies the algorithm: $1$ stands for MD5, $2a$ is Blowfish, $5$ is SHA-256 and $6$ is SHA-512.
3. Last password change: when the password was last changed.
4. Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password).
6. Warn: the number of days before the password expires that the user is warned that the password must be changed.
7. Inactive: the number of days after the password expires that the account is disabled.
8. Expire: when the account is disabled, i.e. an absolute specifying when the

Step 3 User Management Commands

1. Useradd - add new user
a. Adding new user
#useradd sami
b. List default settings
#useradd -D
#useradd -D -s /bin/sh //change default shell
c. Primary and supplementary groups
#useradd -g admin -G mail sami
d. Home directory
#useradd -d /home/sami-home sami
e. Change skel directory
#useradd -m -k /etc/skel2 sami
f. Specific shell
#useradd -s /bin/sh sami //valid shells are listed in /etc/shells
g. Specific uid
#useradd -u 550 sami
h. Account expire
#useradd -e 2015/10/30 sami

2. Usermod - modify user's data
a. Shell and directory change
#usermod -s /bin/csh -d /home/sami-home -m sami
b. Login name change
#usermod -l nathan sami //nathan = new name, sami = old name
c. Lock and unlock user
#usermod -L sami //lock
#usermod -U sami //unlock
d. New UID and GID
#usermod -u 510 -g 600 sami
e. Expire date
#usermod -e 2015/11/30 sami
#usermod -e "" sami //remove expire date
3. Userdel - delete user
a. Delete user and leave the home directory
#userdel sami
b. Delete user with home directory
#userdel -r sami

4. Pwconv & pwunconv : combine or separate /etc/passwd and /etc/shadow
#pwconv
#grep root /etc/shadow
#pwunconv
#grep root /etc/shadow ; grep root /etc/passwd
#ls -l /etc/passwd /etc/shadow
5. Creating password for user
a. Passwd
#passwd sami
#passwd -S sami //check the password status of the user account
6. Password lock and unlock for user
#passwd -l sami
#passwd -u sami
7. Chown - change ownership of a file or directory
a. #chown root /dir //change user ownership
b. #chown root:named /dir //change user and group ownership
8. Login without password - empty field
#grep sami /etc/shadow
sami::16729:0:99999:7:::

9. Blocking logins in an emergency
#cat /etc/nologin
Under system checking currently
Please login again after 20:00!!!
10. Listing user information
#finger -l sami
11. How to monitor users
a. Monitor files
/var/run/utmp : keeps track of the current login state of each user.
/var/log/wtmp : records all login and logout history.
/var/log/btmp : records failed login attempts.
b. Monitoring commands
#w //shows who is logged on and what they are doing
#lastlog //reports the most recent login of all users or of a given user from /var/log/lastlog
#lastb //shows all the bad or failed login attempts
#who //shows who is logged on

Step 4 Password Aging

1. By default, passwords do not expire
2. Forcing passwords to expire is part of a strong security policy
3. Modify the default expiration settings in /etc/login.defs
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
4. Chage - modify password aging
a. Syntax
chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user
b. List a user's current settings
#chage --list sami

c. Set the password expiry for a user with the chage -M option
#chage -M 10 sami
d. Password expiry warning message during login
#chage -W 5 sami
e. Set the account expire date for a user
#chage -E 2015-11-30 sami
f. Force the user account to be locked after X number of inactivity days
#chage -I 10 sami
g. How to disable password aging for a user account
#chage -m 0 -M 99999 -I -1 -E -1 sami
#chage --list sami
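The shadow fields from Step 2, the empty password field from Step 3 and the aging values above can be checked together in one pass. The script below is an added example, not part of the original slides; the function names, the finding labels and every sample record except the sami line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original slides): audit /etc/shadow-format
# records on stdin and print one "user:finding" line per issue.
# Optional $1 = today as days since 1970-01-01, the unit of shadow field 3.
audit_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    NF < 9 { next }                          # 8 documented fields + 1 reserved
    {
        user = $1; pw = $2; last = $3; max = $5
        if (pw == "")     { print user ":empty-password"; next }
        if (pw ~ /^[!*]/) { print user ":locked"; next }
        if (pw ~ /^\$1\$/)
            print user ":weak-hash-md5"
        else if (pw !~ /^\$(2a|5|6)\$/)
            print user ":unlisted-hash-prefix"
        if (max == "" || max + 0 >= 99999)
            print user ":no-max-age"         # the login.defs default, never expires
        else if (last != "" && last + max < today)
            print user ":password-expired"
    }'
}

# Constructed sample records; only the sami line is taken from the slides.
sample_shadow() {
    cat <<'EOF'
sami:$6$i7.SAQK2$U9dSrT4E9tEoLEBfS:16729:0:99999:7:::
raj::16729:0:99999:7:::
nathan:!$6$abc$def:16729:0:90:7:::
olduser:$1$abc$def:16729:0:60:7:::
EOF
}

sample_shadow | audit_shadow 17000
```

On a real system, run it as root with `audit_shadow < /etc/shadow`; without an argument it uses the current date.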

Step 5 Group administration

1. Group Administration
A user can be a member of more than one group at the same time.
A user who is a member of a group can change to that group without a password, but a user who is NOT a member can change to that group only if a group password exists and the user gives it.
One or more users can become group administrator for specific groups.
Group Administrator can:
1. Add/change/delete the password of the group
2. Add/delete users to the group
3. Restrict the group to members only.

2. Types of group
Primary group : every user must be a member of at least one group, which is identified by the numeric GID in /etc/passwd
Secondary group : a user may be listed as a member of additional groups in the relevant entries in /etc/group
User private group : created whenever a new user is added to the system and has the same name as the user for which it was created

Example:
[sami@server ~]$ id
uid=501(sami) gid=502(sami) groups=502(sami),506(admin)

3. Group management commands
a. groupadd - adding group
#groupadd admin
#groupadd -r admin //start group id 101 and increase up to GID 499
#groupadd -g 600 admin
b. groupmod - modifying group
#groupmod [-g newgid] [-n new name] group
#groupmod -g 600 -n royal rupp
c. groupdel - deleting group
#groupdel rupp
d. gpasswd - administer /etc/group and /etc/gshadow
#gpasswd rupp //making new password for rupp
#gpasswd -A sami rupp //administrator of rupp
#gpasswd -R rupp //restrict non-member login
#gpasswd -r rupp //delete group passwd
#gpasswd -a raj rupp //adding group member
#gpasswd -d raj rupp //deleting group member

Step 6 Switching Accounts

1. Su
a. Syntax
su [-] [user]
su [-] [user] -c command
b. Allows the user to temporarily become another user on the command line
c. Default user is root
d. The - option makes the new shell a login shell
e. Most systems log the use of su to change to the root account
2. Example
$su
$su -
$su sami
$su -l sami

Step 7 SUDO

1. Sudo
a. Purpose: to delegate root privileges to non-root users.
b. Users listed in /etc/sudoers execute commands with
An effective user id of 0
A group id of root's group
c. An administrator is contacted if a user not listed in /etc/sudoers attempts to use sudo

2. Example
a. Default syntax
user MACHINE=COMMANDS
b. Allow root to run any commands anywhere
root ALL=(ALL) ALL
c. Allows members of the sys group to run networking, service management apps
%sys ALL=NETWORKING, SERVICES, DELEGATING, PROCESSES
d. Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
e. Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
f. Allows members of the users group to mount and unmount the cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

3. How to use sudo
a. Set up the sudo environment in /etc/sudoers as a group member
%wheel ALL=(ALL) ALL
#usermod -G 10 sami
sami$ groups
b. Executing a command as super user
$sudo mount /dev/cdrom /media/cdrom
c. If you forgot to give sudo for a root command, run it again using !!
$head -n 4 /etc/sudoers
$sudo !!
d. Get root shell access using sudo
$sudo bash; id
e. Sudo logging
Defaults logfile=/var/log/sudolog
#touch /var/log/sudolog
$sudo ls /
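The sudoers rules in this step differ a lot in how much they delegate, so it helps to review a file for the broad ones: rules that grant every command, rules tagged NOPASSWD, and a missing logfile setting. The script below is an added example, not part of the original slides; the function names and finding labels are constructed, and the parsing is simplified (aliases, line continuations and included files are not handled).

```shell
#!/bin/sh
# Added example (not from the original slides): review sudoers-style rules on
# stdin and print one "who:finding" line per broad grant.
review_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    $1 ~ /^Defaults/ { if ($0 ~ /logfile=/) logged = 1; next }
    $1 ~ /_Alias$/   { next }                  # alias definitions are skipped
    {
        who = $1
        rest = substr($0, index($0, "=") + 1)  # text after MACHINE=
        sub(/^[ \t]*\([^)]*\)/, "", rest)      # drop the (run-as) part
        nopw = sub(/NOPASSWD:/, "", rest)      # 1 if the tag was present
        gsub(/^[ \t]+|[ \t]+$/, "", rest)      # trim what is left
        if (rest == "ALL" && who != "root") {
            tag = nopw ? ":all-commands-nopasswd" : ":all-commands"
            print who tag
        } else if (nopw)
            print who ":nopasswd"
    }
    END { if (!logged) print "sudo:no-logfile" }'
}

# Sample rules modelled on the examples in this step.
sample_sudoers() {
    cat <<'EOF'
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
Defaults logfile=/var/log/sudolog
EOF
}

sample_sudoers | review_sudoers
```

The %users rule produces no finding because it names two specific commands, and the Defaults line suppresses the no-logfile finding.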

Step 8 GUI Tool for User Management

1. Package checking
#rpm -qa | grep system-config-users

2. Package installation
#yum install system-config-users

3. Using GUI tool
#system-config-users &
- Making new user
- Making new group

THANK
YOU..!
