Windows-to-Linux roadmap: Part 4. User administration

Passwords, groups, and their shadows

IBM e-business architect Chris Walden is your guide through a nine-part developerWorks series on moving your operational skills from a Windows® to a Linux® environment. He covers everything from logging to networking, and from the command-line to help systems -- even compiling packages from available source code. In this part, you learn how to add and delete users and groups, both via the Webmin interface and at the command line. Shadow password and group files are also covered.


Chris Walden (dwinfo@us.ibm.com), e-business Architect, IBM, Software Group

Chris Walden is an e-business Architect for IBM Developer Relations Technical Consulting in Austin, Texas, providing education, enablement, and consulting to IBM Business Partners. He is the official Linux fanatic on his hallway and does his best to spread the good news to all who will hear it. In addition to his architect duties, he manages the area's all-Linux infrastructure servers, which include file, print, and other application services in a mixed-platform user environment. Chris has ten years of experience in the computer industry ranging from field support to Web application development and consulting.



11 November 2003

Also available in Russian Japanese

Administering users in Linux is both very similar to and very different from administering Windows users. Both systems are multi-user, and control access to resources is based on user identity. Both systems allow collecting users into groups so that access control can be done more easily without having to touch many users for each change. From there, the two systems begin to diverge.

The super user

In Linux, the Super User is called root. The root user can control every process, access every file, and perform any function on the system. Nothing can ever be hidden from root. Administratively speaking, root is the supreme being. It is, therefore, very important that the root account be protected by having a secure password. You should not use root for day-to-day tasks.

Other users can be given root privileges, but this should be done with care. Usually you will configure specific programs to be run as root by certain users, rather than granting broad root access.


Creating new users

New users can be created either from the command line or using a tool such as Webmin.

The command to add a user is useradd. For example, to create a new user from the console:

useradd -c "normal user" -d /home/userid -g users \
    -G webadm,helpdesk -s /bin/bash userid

This command creates a new user called "userid," the last parameter in the command. A comment is entered that says "normal user." Userid's home directory will be "/home/userid." Userid's primary group will be users, but userid will also be placed in the "webadm" and "helpdesk" groups. Userid will use the "/bin/bash" shell as the normal console environment.

Using Webmin, creating a new user is easy and visual. Log into Webmin with your favorite browser, and go to the System section. Select the "Users and Groups" tool, and then click Create a new user.

Figure 1. Webmin's Create User screen

Fill in the details for the user, and click Create. The user will be created.

Adding users with GUI system tools is also covered in "Basic tasks for new Linux developers."


Changing passwords

Changing a user's password can be done from the console by using the passwd command:

passwd userid

Only root can change the password for another user with the passwd command. When the command is entered, you will be prompted to enter, then confirm, the password you are setting. If they match, then the user tokens are updated and the password is changed. A user can also change his own password from the console by typing passwd; in this case, the user is prompted for his old password prior to entering the new one.

Most Linux distributions install with a password cracker module activated for password changes. This module will test a password to see if it follows good password practices. If not, a warning will be given that the user is using a bad password. Depending on your configuration, a user may be required to use a secure password before it will be accepted. Root may be warned when a password is set, but the action cannot be stopped.

In Webmin, a password is changed using the "Change Passwords" module from the System section. Select a user from the list and enter the new password into the blanks.


Deleting users

From the console, users are deleted using the userdel command.

userdel -r userid

The optional -r switch will delete the user's home directory and all its contents in addition to the user. If the directory is to be preserved, omit the -r switch. This switch will not automatically delete all the files on the system that belong to the user, just the home directory.


How users are organized

Linux configuration is text based, so all local users reside in a file called /etc/passwd. You can view the file one page at a time with the more command:

more /etc/passwd

the /etc directory

Remember that most configuration files for Linux live in the /etc directory.

The construction of this file is fairly straightforward. Each line contains a new user with parameters separated by a colon.

userid:x:75000:75000::/home/userid:/bin/bash

The first column contains the user name. The second column contains the user's password. The third column contains the user's numeric id. The fourth column contains the numeric id for the user's primary group. The fifth column contains the user's full name, or a comment. The sixth column contains the location of the user's home directory. Normally this directory lives in the /home directory and has the same name as the user id. The seventh column contains the user's default console shell.

Password file structure

Field  Contents         Example
1      Login ID         userid
2      Password         x
3      User ID          75000
4      Group ID         75000
5      Comment          (empty)
6      Home directory   /home/userid
7      Default shell    /bin/bash

Shadow passwords and user rights

One of the idiosyncrasies of Linux user management that is a legacy of the UNIX style is the password file. A user who logs in must be able to read the /etc/passwd file to see if his username exists. Having the passwords contained in the same file would enable potential crackers to discover passwords; they could download the /etc/passwd file and have the names and scrambled passwords to work on with a separate brute force tool. A shadow password file does not need to be world readable, so crackers would not have the passwords in any form to work with.

This approach is still not optimal, because it provides some user information to a potential cracker. A better option is to keep users in a separate repository such as LDAP.

Notice that the example above has an "x" in the Password column. This does not mean that the user has a password of "x." At one time passwords were normally stored in plain text within this file. This configuration is still possible, but it is rare because of the implications. The solution was to create something called a shadow password. An "x" is placed in the password portion of the /etc/passwd file, and an encrypted version of the password goes into the /etc/shadow file. This technique improved the security by separating the user information from the password data. The MD5 password encryption algorithm further improved security by allowing more robust passwords. An example of a shadow password entry is below:

userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::

All of the shadow password function is handled behind the scenes, and you will rarely need to do anything more with it than turn it on.
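The layout of the two files can be checked with a few lines of code. The following Python is an added example, not code from the article: it parses constructed copies of /etc/passwd and /etc/shadow (the "userid" lines are the article's own examples; everything else, including the hash on the root line, is made up), converts the day counts in a shadow entry into calendar dates, and flags the conditions an administrator wants to catch: a hash sitting in the world-readable passwd file, an account with no shadow entry, an empty shadow password, and a duplicated or zero id number.

```python
# Added example (not from the article): parse constructed /etc/passwd and
# /etc/shadow contents, decode the shadow ageing fields, and flag the entries
# a careful administrator would want to catch.
from datetime import date, timedelta

PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")
SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")
EPOCH = date(1970, 1, 1)   # shadow day counts are days since this date

# Constructed sample files. The 'userid' lines are the article's examples;
# the hash on the root and legacy lines is a made-up placeholder.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
userid:x:75000:75000:normal user:/home/userid:/bin/bash
backup:x:0:0:nightly backup:/var/backups:/bin/bash
legacy:$1$salt$PLACEHOLDERHASHxxxxxxxxxx:75001:100:old style:/home/legacy:/bin/sh
oldtwin:x:75000:75000:duplicate uid:/home/oldtwin:/bin/bash
"""
SHADOW = """\
root:$1$salt$PLACEHOLDERHASHxxxxxxxxxx:12138:0:99999:7:::
daemon:*:12138:0:99999:7:::
userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::
backup::12138:0:99999:7:::
oldtwin:!:12138:0:99999:7:::
"""


def parse_colon_file(text, fields):
    """Split each non-empty, non-comment line into a dict keyed by `fields`."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(parts)}")
        records.append(dict(zip(fields, parts)))
    return records


def password_dates(shadow_text, user):
    """Return (last_change, expires) as ISO date strings for `user`.
    expires is None when the max field is empty or 99999 (never expires)."""
    entry = {e["name"]: e for e in parse_colon_file(shadow_text, SHADOW_FIELDS)}[user]
    last = EPOCH + timedelta(days=int(entry["lastchg"]))
    max_days = entry["max"]
    if max_days == "" or int(max_days) >= 99999:
        return last.isoformat(), None
    return last.isoformat(), (last + timedelta(days=int(max_days))).isoformat()


def audit(passwd_text, shadow_text):
    """Return (user, problem) pairs in file order."""
    shadow = {e["name"]: e for e in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    findings, seen_uid = [], {}
    for u in parse_colon_file(passwd_text, PASSWD_FIELDS):
        name, uid = u["name"], int(u["uid"])
        if uid == 0 and name != "root":
            findings.append((name, "uid0"))            # a second root by another name
        elif uid in seen_uid:
            findings.append((name, "duplicate-uid"))   # shares identity with seen_uid[uid]
        seen_uid.setdefault(uid, name)
        if u["password"] != "x":
            findings.append((name, "hash-in-passwd"))  # hash readable by everyone
            continue                                   # no shadow entry expected
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no-shadow-entry"))
        elif s["password"] == "":
            findings.append((name, "empty-password"))  # login with no password at all
        # "!" or "*" in the shadow field marks a locked account, which is fine
    return findings


if __name__ == "__main__":
    for user, problem in audit(PASSWD, SHADOW):
        print(f"{user}: {problem}")
    print("userid password set / expires:", password_dates(SHADOW, "userid"))
```

The third shadow field (12138 in the article's entry) is a count of days since 1 January 1970, and the fifth (186) is the maximum password age in days, so the two together give the date the password was set and the date it expires; 99999 in the fifth field means the password never expires.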


Groups

Groups in Linux are much the same as in Windows. You create a group and add members into the group's list. Then resources can have rights assigned by group. Members of a group have access to a resource associated with that group.

Creating a group is simple, using the console command groupadd:

groupadd mygroup

This will create a group called "mygroup" with no members. Groups live in a file called /etc/group. Each group is listed on a separate line like the following:

mygroup:x:527:

Taking care in editing the passwd file

The real danger to editing the /etc/passwd and /etc/group file directly is accidental duplication of an id number. All resources use the id number rather than the name of the user or group. If you accidentally duplicate an id number, then you may grant access to things you did not intend. For example, if you change a user's id number to 0, which is root, when userid logs in, that userid will be root! Also if you delete a user or group line in the file, that user or group is deleted.

These are errors a human would make. The tools keep that straight. However, sometimes a quick edit to the /etc/group file is the quickest fix to a simple problem. Just bear in mind that you are dealing with some real power when you edit those files. Be careful.

The first column shows the name of the group. The second column is a password. Again, the "x" indicates that the real password is stored in a shadow file called /etc/gshadow. The third column is a numeric index for the group. Everything after the third column will be the group members' user ids separated by commas.

To add members to the group, use the gpasswd command with the -a switch and the user id you wish to add:

gpasswd -a userid mygroup

Remove users from a group with the same command, but a -d switch rather than -a:

gpasswd -d userid mygroup

It is also possible to make changes to groups by editing the /etc/group file directly.

Groups can be created, edited, and destroyed in Webmin with the same tool used above for working with users.


User and group associations

While this is not the place for a thorough discussion on access control, you will need some idea about how users and groups are applied to files. If you look at a long directory listing of a file, you'll see something like the following.

-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile

Ignoring the other columns for the moment, look at the third, fourth, and last columns. The third column contains the name of the owner of the file, userid. The fourth column contains the group associated with the file, mygroup. The last column is the file name. Each file can have only one owner and one group. It is possible to assign rights to Other, the users who don't fall into either category. Think of Other as the equivalent of the Windows group Everyone.

A single file owner is common in operating systems, but the single group ownership feels limiting to administrators new to the technique. It is not. Since users can be members of any number of groups, it is simple to create new groups to handle resource security. In Linux, group definitions tend to be based more on the resource access required than on business units. If resources are logically organized on the system, then create more groups to finely tune access to resources.
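To see how the group file and the owner/group/other columns work together, here is an added Python example (not code from the article) that reads constructed /etc/passwd and /etc/group contents, works out a user's full set of groups (the primary group from the passwd gid column plus every group whose member list names the user), and then applies the first-matching-class rule to a line of ls -l output. The "userid" and "mygroup" names follow the article; all other users, groups and listings are made up.

```python
# Added example (not from the article): resolve a user's groups from
# constructed /etc/passwd and /etc/group contents, then apply the
# owner/group/other rule to an ls -l style listing.

# Constructed sample data; 'userid' and 'mygroup' follow the article's examples.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
userid:x:75000:75000:normal user:/home/userid:/bin/bash
alice:x:75001:100:alice:/home/alice:/bin/bash
bob:x:75002:100:bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
userid:x:75000:
mygroup:x:527:alice
webadm:x:528:userid,alice
helpdesk:x:529:userid
"""
# Constructed ls -l lines (the first one is the article's example).
MYFILE = "-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile"
PRIVATE = "-rw-rw---- 1 userid mygroup 703 Jun 23 22:12 private"
ODD = "----rw---- 1 alice mygroup 10 Jun 23 22:12 odd"


def _lines(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def _passwd_entry(user, passwd_text):
    """(uid as int, gid as string) for `user`."""
    for name, _pw, uid, gid, _comment, _home, _shell in _lines(passwd_text):
        if name == user:
            return int(uid), gid
    raise KeyError(f"no such user: {user}")


def groups_of(user, passwd_text, group_text):
    """Primary group (passwd gid column) plus every group listing the user."""
    _uid, gid = _passwd_entry(user, passwd_text)
    groups, primary = set(), None
    for name, _pw, group_gid, member_list in _lines(group_text):
        if group_gid == gid:
            primary = name
        if user in member_list.split(","):
            groups.add(name)
    groups.add(primary if primary is not None else gid)  # fall back to the number
    return groups


def parse_mode(mode_str):
    """'-rw-r--r--' -> [owner, group, other] as sets drawn from {'r','w','x'}.
    A lowercase s or t (setuid/setgid/sticky) also implies the x bit."""
    classes = []
    for i in (1, 4, 7):
        bits = set(mode_str[i:i + 3]) - {"-"}
        if bits & {"s", "t"}:
            bits.add("x")
        classes.append(bits & {"r", "w", "x"})
    return classes


def can_access(user, perm, listing, passwd_text, group_text):
    """Apply the first matching class: owner, then group, then other.
    perm is 'r', 'w' or 'x'. uid 0 bypasses r/w checks but still needs an
    x bit somewhere for execute. Access-control lists are not modelled."""
    fields = listing.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    owner_bits, group_bits, other_bits = parse_mode(mode)
    uid, _gid = _passwd_entry(user, passwd_text)
    if uid == 0:
        return perm != "x" or "x" in (owner_bits | group_bits | other_bits)
    if user == owner:
        return perm in owner_bits      # owner class applies even if it denies
    if group in groups_of(user, passwd_text, group_text):
        return perm in group_bits
    return perm in other_bits


if __name__ == "__main__":
    for who in ("userid", "alice", "bob"):
        print(who, sorted(groups_of(who, PASSWD, GROUP)),
              "write myfile:", can_access(who, "w", MYFILE, PASSWD, GROUP))
```

Note that the ODD listing shows why the classes are tried in order rather than merged: its owner alice is also in mygroup, but because she is the owner only the owner bits count, so she cannot read a file her own group could.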

More detailed information about associating users and groups is in the Resources section at the end of this article. For details on how to change file permissions, see man chmod.


Summary

Users and groups work essentially the same way in Linux that they do in Windows, except that only one group can be associated with a system resource. To think about groups in Linux, consider groups to be cheap and don't be afraid to create a lot of them for a complex environment. Create your groups based on resource access rather than on business units.

User and group information are stored in the /etc/passwd and /etc/group files, respectively. Your system will also probably have an /etc/shadow and /etc/gshadow file, which contain the encrypted passwords for added security. It is possible to work with users and groups by editing these files directly, but this should be done with great care.

All user and group functions can be handled from the console, which makes them scriptable. Tools, such as Webmin, also provide graphical ways of working with users and groups.

Resources

Get products and technologies

  • Build your next development project on Linux with IBM trial software, available for download directly from developerWorks.
