Level: Introductory
Chris Walden (dwinfo@us.ibm.com), e-business Architect, IBM
11 Nov 2003 IBM e-business architect Chris Walden is your guide through a nine-part developerWorks series on moving your operational skills from a Windows® to a Linux® environment. He covers everything from logging to networking, and from the command line to help systems -- even compiling packages from available source code. In this part, you learn how to add and delete users and groups, both via the Webmin interface and at the command line. Shadow password and group files are also covered.
Administering users in Linux is both very similar to and very
different from administering Windows users. Both systems are multi-user, and control
access to resources is based on user identity. Both systems allow collecting
users into groups so that access control can be done more easily without
having to touch many users for each change. From there, the two systems
begin to diverge.
The super user
In Linux, the super user is called root. The root user can control every
process, access every file, and perform any function on the system; under
the standard (discretionary) permission model, nothing is hidden from root.
Administratively speaking, root is the supreme being. It is, therefore, very
important that the root account be protected by a strong password, and that
it not be used for day-to-day tasks.
Other users can be given root privileges, but this should be done with
care. Rather than granting broad root access, you will usually allow specific
users to run specific programs as root, which is what the sudo command is for.
Creating new users
New users can be created either at the command line or with a tool
such as Webmin.
The command to add a user is useradd. For example, to create a new user from the console (the trailing backslash continues the command onto the next line):
useradd -c "normal user" -d /home/userid -g users \
    -G webadm,helpdesk -s /bin/bash userid
This command creates a new user called "userid," the last parameter in
the command. A comment is entered that says "normal user." Userid's home
directory will be "/home/userid." Userid's primary group will be users,
but userid will also be placed in the "webadm" and "helpdesk" groups. Userid
will use the "/bin/bash" shell as the normal console environment.
Note that -d only records the home directory path in the account. Whether
useradd also creates the directory depends on the distribution (the
CREATE_HOME setting in /etc/login.defs); add the -m switch to have it
created, with the contents of /etc/skel copied in, regardless of that
default. The groups named with -g and -G must already exist, and the new
account has no usable password until one is set with passwd.
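Before running useradd on a real system it is worth checking the inputs the way the tool itself will, and a little beyond. The following shell script is an added example and not part of the article: check_new_user validates a login name, confirms it is not already taken and that the named groups exist, and refuses a home directory that already exists (useradd -m would silently adopt it, files and all); create_user then runs the useradd command from the text. The passwd and group files are parameters, so the checks run against copies or against the constructed samples below; only useradd itself needs root, and DRY_RUN=1 makes create_user print the command instead of running it.

```shell
#!/bin/sh
# Pre-flight checks for a new account, followed by the useradd call itself.
# Added example, not from the article. The passwd and group files are
# parameters so the checks run on copies (or on the constructed samples
# below) without root; only the final useradd needs root.

# check_new_user NAME PRIMARY_GROUP "SUP1,SUP2" HOME PASSWD_FILE GROUP_FILE
# Prints nothing and returns 0 if the account may be created; otherwise
# prints the first problem found and returns 1.
check_new_user() {
    name=$1 primary=$2 supplementary=$3 home=$4 pw=$5 gr=$6

    # Login names: lowercase letters, digits, underscore and dash, not
    # starting with a dash, at most 32 characters (the useradd limit on Linux).
    case $name in
        ''|-*|*[!a-z0-9_-]*) echo "invalid login name: '$name'"; return 1 ;;
    esac
    [ ${#name} -le 32 ] || { echo "login name too long: $name"; return 1; }

    # The name must not already be taken in the passwd file.
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$pw"; then
        echo "user already exists: $name"; return 1
    fi

    # Every group given with -g or -G must already exist; useradd refuses otherwise.
    for g in $primary $(printf '%s' "$supplementary" | tr ',' ' '); do
        awk -F: -v g="$g" '$1 == g { found = 1 } END { exit !found }' "$gr" ||
            { echo "no such group: $g"; return 1; }
    done

    # useradd -m only creates the home directory when it is absent. An existing
    # directory would be handed over, together with any files already in it.
    [ ! -e "$home" ] || { echo "home directory already exists: $home"; return 1; }
    return 0
}

# create_user NAME PRIMARY_GROUP "SUP1,SUP2" COMMENT   (run as root)
# Runs the checks against the live files, then useradd. With DRY_RUN set it
# only prints the command it would run.
create_user() {
    name=$1 primary=$2 supplementary=$3 comment=$4
    home=/home/$name
    check_new_user "$name" "$primary" "$supplementary" "$home" /etc/passwd /etc/group || return 1
    # -m creates the home directory and copies /etc/skel into it. With no -p,
    # shadow-utils leaves the new account locked until passwd is run for it.
    set -- useradd -m -c "$comment" -d "$home" -g "$primary" -s /bin/bash
    if [ -n "$supplementary" ]; then set -- "$@" -G "$supplementary"; fi
    set -- "$@" "$name"
    if [ -n "$DRY_RUN" ]; then
        echo "would run: $*"
    else
        "$@" && id "$name"
    fi
}

# Constructed sample files standing in for /etc/passwd and /etc/group.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
users:x:100:
webadm:x:527:alice
helpdesk:x:528:
EOF

try() {   # try NAME "SUP1,SUP2": run the checks on the sample files and report
    if msg=$(check_new_user "$1" users "$2" "$SAMPLE_DIR/home/$1" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"); then
        echo "$1: ok to create"
    else
        echo "$1: rejected ($msg)"
    fi
}
try userid webadm,helpdesk      # the account from the article: ok to create
try alice ""                    # user already exists
try "Bad Name" ""               # invalid login name
try newuser nosuch              # no such group
# On a real system, as root (DRY_RUN=1 prints the command instead):
# create_user userid users webadm,helpdesk "normal user"
```

The login-name rule is the conservative one; some distributions accept more, but a name that passes it will be accepted everywhere and cannot smuggle a separator into /etc/passwd.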
Using Webmin, creating a new user is easy and visual. Log into Webmin
with your favorite browser, and go to the System section. Select the
"Users and Groups" tool, and then click Create a
new user.
Figure 1. Webmin's Create User screen
Fill in the details for the user, and click Create. The user
will be created.
Adding users with GUI system tools is also covered in "Basic tasks for new Linux developers."
Changing passwords
Changing a user's password can be done from the console by using the
passwd command:
passwd userid
Only root can change the password for another user with the passwd command. When the command is entered, you will
be prompted to enter, then confirm, the password you are setting. If the two
entries match, the authentication tokens are updated and the password is changed. A
user can also change his own password from the console by typing passwd; in this case, the user is prompted for his old password
before entering the new one.
Most Linux distributions install with a password-strength checking module
(pam_cracklib, or pam_pwquality on newer systems) activated for password
changes. This module tests a new password against good password practices:
minimum length, not a dictionary word, not too similar to the old one. If the
password fails, a warning is given that the user is choosing a bad password.
Depending on your configuration, an ordinary user may be required to pick a
stronger password before it is accepted. Root is only warned: when root sets a
weak password for an account, the change goes through anyway.
In Webmin, a password is changed using the "Change Passwords"
module from the System section. Select a user from the list and enter the
new password into the blanks.
Deleting users
From the console, users are deleted using the userdel command.
userdel -r userid
The optional -r switch deletes the user's home directory and all its
contents, along with the mail spool, in addition to the account itself. If
the directory is to be preserved, omit the -r switch. Even with -r, files the
user owned elsewhere on the system are left in place. They remain owned by the
now-unassigned numeric ID, and a new account later created with the same
number would inherit them, so before reusing an ID, locate such files with the
find command's -user test, which accepts a numeric ID, and reassign or remove them.
How users are organized
Linux configuration is text based, so the local user accounts all reside in a
file called /etc/passwd. (Accounts can also come from a network directory such
as LDAP; the getent passwd command lists users from every configured source.)
You can view the file one page at a time with the more command:
more /etc/passwd
The /etc directory
Remember that most configuration files for Linux live in the /etc
directory.
The construction of this file is fairly straightforward. Each line
contains a new user with parameters separated by a colon.
userid:x:75000:75000::/home/userid:/bin/bash
The first column contains the user name. The second column contains the
user's password. The third column contains the user's numeric id. The
fourth column contains the numeric id for the user's primary group. The
fifth column contains the user's full name, or a comment. The sixth column
contains the location of the user's home directory. Normally this
directory lives in the /home directory and has the same name as the user
id. The seventh column contains the user's default console shell.
Password file structure
Login ID | Password | User ID | Group ID | Comment | Home directory | Default shell
userid   | x        | 75000   | 75000    |         | /home/userid   | /bin/bash
Notice that the example above has an "x" in the
Password column. This does not mean that the user has a password of
"x." At one time the (hashed) passwords were stored directly in this
file, which must be readable by everyone. That configuration is still
possible, but it is rare because of the implications. The solution was the
shadow password file: an "x" is placed in the password field of
/etc/passwd, and the password hash goes into /etc/shadow, which only root
can read. This improved security by separating the public user information
from the password data. Switching the hash from the traditional DES-based
crypt, which used only the first eight characters of a password, to the
MD5-based scheme (hashes beginning with $1$) further improved matters by
allowing longer, more robust passwords; current distributions default to
SHA-512 ($6$) or yescrypt ($y$), which are far more expensive to brute force. An
example of a shadow password entry follows the sidebar below.
Shadow passwords and user rights
One of the idiosyncrasies of Linux user management that is a legacy of the
UNIX style is the password file. /etc/passwd must be world readable, because
every process that maps a name to a numeric ID (ls showing a file's owner,
for instance) reads it, and login must be able to look up the user who is
logging in. Having the passwords in the same file would let anyone on the
system copy /etc/passwd and run a brute-force or dictionary attack against
the hashes at leisure on another machine. The shadow file does not need to be
world readable, so an attacker without root gets no hashes to work with.
This approach is still not optimal, because /etc/passwd still hands a
potential cracker the list of account names, shells and home directories. A
better option is to keep users in a separate repository such as LDAP.
userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::
The fields, separated by colons, are: the login name; the password hash
(here MD5-based, as the $1$ prefix shows, with the salt z2NXZR19 between the
second and third $); the date of the last password change, as days since
1 January 1970; the minimum and maximum number of days between changes (0 and
186 here); how many days before expiry the user is warned (7); the number of
days after expiry before the account is disabled; the date the account itself
expires; and a reserved field. A hash field of * or one beginning with ! means
password login is impossible (the account is locked), and an empty field
means login without any password unless PAM is configured to forbid it.
Shadow passwords are on by default in current distributions, and the pwconv
command turns them on where they are not; beyond that, the machinery is
handled behind the scenes and you will rarely need to touch it.
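The following script is an added example, not from the article, that reads a file in /etc/shadow format and reports on it: which hash scheme each entry uses (from the $-prefix), whether the account is locked or has no password, and whether the password has expired given the last-change and maximum-age fields. It also checks whether the file is world readable, which would defeat the point of shadowing. The sample file below is constructed; only the userid line is the article's example, and the other hash bodies are placeholders, not real hashes.

```shell
#!/bin/sh
# Inspect /etc/shadow-format entries: hash algorithm, lock state and password
# age. Added example, not from the article; the file is a parameter so it runs
# on a copy or on the constructed sample below, and "today" is passed in as
# days since 1970-01-01, which is the unit /etc/shadow itself uses.

# Name the crypt(3) scheme from the hash prefix, or the lock state.
hash_algorithm() {
    case $1 in
        '')        echo "empty (no password needed)" ;;
        '!'*|'*'*) echo "locked" ;;
        '$1$'*)    echo "md5" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)    echo "sha256" ;;
        '$6$'*)    echo "sha512" ;;
        '$y$'*)    echo "yescrypt" ;;
        *)         echo "des-or-unknown" ;;
    esac
}

# password_state USER TODAY FILE -> ok | expired | no-expiry | unknown
# Fields used: 3 = last change (days), 5 = max days until a change is required.
# An empty or 99999 max field means the password never expires.
password_state() {
    awk -F: -v user="$1" -v today="$2" '
        $1 == user {
            if ($5 == "" || $5 == 99999) print "no-expiry"
            else if ($3 + $5 < today) print "expired"
            else print "ok"
            found = 1; exit
        }
        END { if (!found) print "unknown" }' "$3"
}

# shadow_report FILE TODAY: one line per account with algorithm, age and max age.
shadow_report() {
    today=$2
    while IFS=: read -r name hash lastchg min max warn inactive expire reserved; do
        if [ -n "$lastchg" ]; then age=$((today - lastchg)); else age=unknown; fi
        printf '%-8s %-26s age=%s max=%s\n' "$name" "$(hash_algorithm "$hash")" "$age" "${max:-none}"
    done < "$1"
}

# True if the "other" read bit is set: every local user could then copy the
# hashes and attack them offline, which is exactly what shadowing prevents.
world_readable() {
    case $(ls -ld "$1" | cut -c8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample. The userid line is the article's example; the hash bodies
# of the other entries are placeholders, not real hashes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$NOTAREALHASHNOTAREALHASHNOTAREALHASHNOTAREALHASH:12138:0:99999:7:::
bin:*:12138:0:99999:7:::
userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::
svc:!$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::
guest::12138:0:186:7:::
EOF
chmod 600 "$SAMPLE"

shadow_report "$SAMPLE" 12300
echo "userid at day 12300: $(password_state userid 12300 "$SAMPLE")"
echo "userid at day 12400: $(password_state userid 12400 "$SAMPLE")"
if world_readable "$SAMPLE"; then echo "WARNING: $SAMPLE is world readable"; fi
```

On a live system run it as root against /etc/shadow with today's day number; any md5 or des-or-unknown entry is a candidate for a forced password change, since those hashes are cheap to attack if the file ever leaks.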
Groups
Groups in Linux are much the same as in Windows. You create a group and
add members into the group's list. Then resources can have rights assigned
by group. Members of a group have access to a resource associated with
that group.
Creating a group is simple, using the console command groupadd:
groupadd mygroup
This will create a group with no members called "mygroup."
Groups live in a file called /etc/group. Each group is listed on a
separate line like the following:
mygroup:x:527:
The first column shows the name of the group. The second column is a
password; again, the "x" indicates that the real password, if any, is stored
in a shadow file called /etc/gshadow. The third column is the group's numeric
ID (GID). The fourth column lists the members' login names, separated by
commas. Only supplementary memberships are listed here; a user whose primary
GID in /etc/passwd is 527 belongs to mygroup without appearing on this line.
To add members to the group, use the gpasswd
command with the -a switch and the user id you wish to add:
gpasswd -a userid mygroup
Remove users from a group with the same command, but a -d switch
rather than -a:
gpasswd -d userid mygroup
Membership changes take effect at the user's next login; sessions already
running keep the group list they started with. It is also possible to make
changes to groups by editing the /etc/group file directly.
Taking care in editing the passwd file
The real danger in editing the /etc/passwd and /etc/group files
directly is accidental duplication of an ID number. The kernel and the
filesystem use the ID number, never the name, so two names sharing a number
are the same user or group as far as access control is concerned. If you
accidentally duplicate an ID number, you may grant access to things you did
not intend. For example, if you change a user's ID number to 0, which is
root's, then that user will be root when logging in! Deleting a user or group
line from the file deletes that user or group, but not the files it owned.
These are mistakes a human makes; useradd and groupadd check for them.
Sometimes, though, a quick edit to /etc/group is the quickest fix for a
simple problem. If you do edit by hand, use vipw and vigr rather than a plain
editor: they lock the files so that a concurrent useradd cannot write half an
update. Bear in mind that you are dealing with real power when you edit
those files. Be careful.
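The checks the sidebar describes can be automated. The script below is an added example, not from the article: it audits a pair of files in /etc/passwd and /etc/group format for duplicate UIDs and GIDs, extra UID 0 accounts, empty password fields (the layout described under "How users are organized"), group members that do not exist, and primary GIDs with no group. The sample files are constructed and contain the mistakes on purpose; the file paths are parameters so the script runs on copies without root.

```shell
#!/bin/sh
# Consistency audit for /etc/passwd- and /etc/group-format files, catching the
# mistakes a hand edit can introduce: duplicate UIDs or GIDs, a second UID 0
# account, an empty password field, members that do not exist, and a primary
# GID with no group. Added example, not from the article; the file paths are
# parameters so it runs on copies or on the constructed samples below.

# audit_accounts PASSWD_FILE GROUP_FILE
# Prints one line per finding (nothing when the files are clean).
audit_accounts() {
    awk -F: '
        # First file: passwd. Remember names, UIDs and primary GIDs.
        FNR == NR {
            if (NF != 7) { printf "BAD-FORMAT %s line %d\n", FILENAME, FNR; next }
            users[$1] = 1
            uid_count[$3]++; uid_names[$3] = uid_names[$3] " " $1
            primary_gid[$1] = $4
            if ($3 == 0 && $1 != "root") printf "UID0 %s\n", $1
            if ($2 == "") printf "EMPTY-PASSWORD %s\n", $1
            next
        }
        # Second file: group. Check GIDs and member lists against the first.
        {
            if (NF != 4) { printf "BAD-FORMAT %s line %d\n", FILENAME, FNR; next }
            gids[$3] = 1
            gid_count[$3]++; gid_names[$3] = gid_names[$3] " " $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "" && !(members[i] in users))
                    printf "UNKNOWN-MEMBER %s:%s\n", $1, members[i]
        }
        END {
            for (u in uid_count) if (uid_count[u] > 1) printf "DUP-UID %s:%s\n", u, uid_names[u]
            for (g in gid_count) if (gid_count[g] > 1) printf "DUP-GID %s:%s\n", g, gid_names[g]
            for (name in primary_gid) if (!(primary_gid[name] in gids))
                printf "NO-SUCH-GID %s:%s\n", name, primary_gid[name]
        }' "$1" "$2"
}

# Returns 0 when the audit finds nothing, 1 otherwise.
accounts_clean() {
    [ -z "$(audit_accounts "$1" "$2")" ]
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed samples. "backdoor" shares UID 0 with root, "guest" has an empty
# password field, "orphan" has a primary GID that no group defines, and
# helpdesk lists a member that has no passwd entry.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
userid:x:75000:100:normal user:/home/userid:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
guest::75001:100::/home/guest:/bin/bash
orphan:x:75002:999::/home/orphan:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
daemon:x:1:
users:x:100:
webadm:x:527:userid
helpdesk:x:528:userid,nobody
EOF

# Clean versions: the first three accounts and the first four groups.
head -n 3 "$SAMPLE_DIR/passwd" > "$SAMPLE_DIR/passwd.clean"
head -n 4 "$SAMPLE_DIR/group"  > "$SAMPLE_DIR/group.clean"

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
if accounts_clean "$SAMPLE_DIR/passwd.clean" "$SAMPLE_DIR/group.clean"; then
    echo "clean copies: no findings"
fi
```

Run as root with /etc/passwd and /etc/group as the arguments; a second UID 0 entry or an empty password field on a production host is a finding to investigate immediately, not merely a formatting slip.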
Groups can be created, edited, and destroyed in Webmin with the same tool
used above for working with users.
User and group associations
While this is not the place for a thorough discussion on access control,
you will need some idea about how users and groups are applied to
files. If you look at a long directory listing of a file, you'll see
something like the following.
-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile
Ignoring the other columns for the moment, look at the third, fourth, and
last columns. The third column contains the name of the owner of the file,
userid. The fourth column contains the group associated with the file,
mygroup. The last column is the file name. Each file can have only one
owner and one group. It is possible to assign rights to Other, the users
who don't fall into either category. Think of Other as the equivalent of
the Windows group Everyone.
A single file owner is common in operating systems, but the single group
ownership feels limiting to administrators new to the technique. It is
not. Since users can be members of any number of groups, it is simple to
create new groups to handle resource security. In Linux, group definitions
tend to be based more on the resource access required than on business
units. If resources are logically organized on the system, then create more
groups to finely tune access to resources.
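The following script is an added example, not from the article, that makes the owner/group/other decision for a listing like the one above: it resolves a user's groups from passwd- and group-format files (the primary GID plus the membership lists described under "Groups"), picks the single permission class that applies, and answers whether a read, write or execute is allowed. The sample files and the second mode string are constructed to show the rule that only the first matching class counts.

```shell
#!/bin/sh
# Apply the owner/group/other rule to decide whether a user may read, write or
# execute a file, resolving the user's groups from passwd- and group-format
# files the way id(1) does. Added example, not from the article; the file paths
# are parameters so it runs on the constructed samples below without root.

# groups_of USER PASSWD_FILE GROUP_FILE: the primary group (GID field of passwd)
# plus every group whose member list names the user, one name per line.
groups_of() {
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) gid = $4; next }
        gid != "" && $3 == gid { print $1; next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) { print $1; break }
        }' "$2" "$3"
}

# can_access USER OP MODE OWNER GROUP PASSWD_FILE GROUP_FILE
# OP is r, w or x; MODE is the ten-character string from ls -l (e.g. -rw-r--r--).
# Returns 0 if allowed, 1 if denied, 2 if the user is unknown.
can_access() {
    user=$1 op=$2 mode=$3 owner=$4 group=$5 pw=$6 gr=$7
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$pw")
    [ -n "$uid" ] || return 2
    perms=$(printf '%s' "$mode" | cut -c2-10)   # drop the file-type character

    # root bypasses read and write checks entirely; execute still needs some x bit
    # (s and t in a listing mean setuid/setgid/sticky together with x).
    if [ "$uid" -eq 0 ]; then
        case $op in
            r|w) return 0 ;;
            x) case $perms in *[xst]*) return 0 ;; *) return 1 ;; esac ;;
        esac
    fi

    # Exactly one class applies, tested in this order, and only its bits count:
    # an owner whose own bits deny is not rescued by generous group or other bits.
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$perms" | cut -c1-3)
    elif groups_of "$user" "$pw" "$gr" | grep -qx -- "$group"; then
        bits=$(printf '%s' "$perms" | cut -c4-6)
    else
        bits=$(printf '%s' "$perms" | cut -c7-9)
    fi
    case $op in
        r) case $bits in r??) return 0 ;; esac ;;
        w) case $bits in ?w?) return 0 ;; esac ;;
        x) case $bits in ??[xst]) return 0 ;; esac ;;
    esac
    return 1
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Constructed samples: alice is in mygroup through the group file, bob is not.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
userid:x:75000:100:normal user:/home/userid:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:200:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
users:x:100:
staff:x:200:bob
mygroup:x:527:alice
EOF

# The listing from the article: -rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile
show() {   # show USER OP MODE, for a file owned by userid:mygroup
    if can_access "$1" "$2" "$3" userid mygroup "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"; then
        echo "$1 $2 on $3 (userid:mygroup): allowed"
    else
        echo "$1 $2 on $3 (userid:mygroup): denied"
    fi
}
show userid w -rw-r--r--    # owner bits rw-: allowed
show alice  w -rw-r--r--    # group bits r--: denied
show bob    r -rw-r--r--    # other bits r--: allowed
show root   x -rw-r--r--    # no x bit anywhere: denied even for root
show userid r ----rw----    # owner class applies and denies; group bits do not help
show alice  w ----rw----    # alice is in mygroup: allowed
```

The last two lines are the case that surprises people coming from Windows, where permissions accumulate across group memberships: in the Unix model the owner never falls through to the group or other bits, and a group member never falls through to other.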
More detailed information about associating users and groups is in
the Resources section at the end of this
article. For details on how to change file permissions, see man chmod.
Summary
Users and groups work essentially the same way in Linux that they do in
Windows, except that only one group can be associated with a system
resource. To think about groups in Linux, consider groups to be cheap and
don't be afraid to create a lot of them for a complex environment. Create
your groups based on resource access rather than on business units.
User and group information are stored in the /etc/passwd and /etc/group
files, respectively. Your system will also have /etc/shadow and /etc/gshadow
files, readable only by root, which hold the password hashes so that they are
not exposed to every user. It is possible to work with users and groups by
editing these files directly, but this should be done with great care.
All user and group functions can be handled from the console, which makes
them scriptable. Tools, such as Webmin, also provide graphical ways of
working with users and groups.
Resources
Learn
- Check out the other parts in the Windows-to-Linux roadmap series (developerWorks, November 2003).
- IBM Directory Server implements the Lightweight Directory Access Protocol (LDAP) for accessing directory services, especially those that are X.500 based. Read "Authenticating Linux users with IBM Directory Server" (developerWorks, February 2005) for details.
- File permissions and security are addressed in Chapter 3 of the Introduction to Linux guide at the Linux Documentation Project.
- The University of Maryland shares words of wisdom on the selection of secure passwords.
- The Red Hat Linux Manual documentation offers more detail on the use of the shadow password file.
- The Linux Shadow Password HOWTO gives background history and rationale on the shadowing system as well as step-by-step guidelines for implementation.
- System security is a vast and complex topic, but in an interconnected world, it affects everyone. Luckily, it is never too early nor too late to get started with it. The documents Adding Security to Common Linux Distributions and Strategies for Keeping a Secure Server will help you to do just that.
- "Addressing security issues in Linux" (developerWorks, June 2001) will help you get started with basic security.
- More information on transitioning to Linux awaits you on the developerWorks New to Linux page.
- Find more resources for Linux developers in the developerWorks Linux zone, including our newest how-to tutorials.
- Hone your skills in Linux basics and systems administration with our certification exam study guides. Whether you choose to take the exams or not, our Linux skill-building tutorial series will immerse you in Linux fundamentals as well as advanced topics.
- Learn how to acquire kernel source, configure and boot your new kernel, add a feature, fix a flaw, or just have fun tinkering with operating system source code in our Hacking the Linux kernel tutorial series. Hack and be free.
- IBM developerWorks technical events and Webcasts are a great way to learn more about Linux as well as IBM products that run on Linux.
- The Linux at IBM site offers software, links, end-to-end Linux solutions, and more.
- The Linux Documentation Project is a repository of Linux documentation including documents about individual software, HOWTO documents, FAQs, and more.
- Linux Online! offers non-partisan Linux news and information.
- The O'Reilly Network is an excellent resource for technical books on Linux.
Get products and technologies
- Order the SEK for Linux, a two-DVD set containing the latest IBM trial software for Linux from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.
- Build your next development project on Linux with IBM trial software, available for download directly from developerWorks.
About the author
Chris Walden is an e-business Architect for IBM Developer Relations Technical Consulting in Austin, Texas, providing education, enablement, and consulting to IBM Business Partners. He is the official Linux fanatic on his hallway and does his best to spread the good news to all who will hear it. In addition to his architect duties, he manages the area's all-Linux infrastructure servers, which include file, print, and other application services in a mixed-platform user environment. Chris has ten years of experience in the computer industry ranging from field support to Web application development and consulting.