Contents


Windows-to-Linux roadmap

Part 4. User administration

Passwords, groups, and their shadows

Comments

Content series:

This content is part # of # in the series: Windows-to-Linux roadmap

Stay tuned for additional content in this series.

This content is part of the series:Windows-to-Linux roadmap

Stay tuned for additional content in this series.

Administering users in Linux is both very similar to and very different from administering Windows users. Both systems are multi-user, and control access to resources is based on user identity. Both systems allow collecting users into groups so that access control can be done more easily without having to touch many users for each change. From there, the two systems begin to diverge.

The super user

In Linux, the Super User is called root. The root user can control every process, access every file, and perform any function on the system. Nothing can ever be hidden from root. Administratively speaking, root is the supreme being. It is, therefore, very important that the root account be protected by having a secure password. You should not use root for day-to-day tasks.

Other users can be given root privileges, but this should be done with care. Usually you will configure specific programs to be run as root by certain users, rather than granting broad root access.

Creating new users

New users can be created either from the console line, or using a tool such as Webmin.

The command to add a user is useradd. For example, to create a new user from the console:

useradd -c "normal user" -d /home/userid -g users\
-G webadm,helpdesk -s\ /bin/bash userid

This command creates a new user called "userid," the last parameter in the command. A comment is entered that says "normal user." Userid's home directory will be "/home/userid." Userid's primary group will be users, but userid will also be placed in the "webadm" and "helpdesk" groups. Userid will use the "/bin/bash" shell as the normal console environment.

Using Webmin, creating a new user is easy and visual. Log into Webmin with your favorite browser, and go to the System section. Select the "Users and Groups" tool, and then click Create a new user.

Figure 1. Webmin's Create User screen
Figure 1. Webmin's Create User screen
Figure 1. Webmin's Create User screen

Fill in the details for the user, and click Create. The user will be created.

Adding users with GUI system tools is also covered in "Basic tasks for new Linux developers."

Changing passwords

Changing a user's password can be done from the console by using the passwd command:

passwd userid

Only root can change the password for another user with the passwd command. When the command is entered, you will be prompted to enter, then confirm, the password you are setting. If they match, then the user tokens are updated and the password is changed. A user can also change his own password from the console by typing passwd; in this case, the user is prompted for his old password prior to entering the new one.

Most Linux distributions install with a password cracker module activated for password changes. This module will test a password to see if it follows good password practices. If not, a warning will be given that the user is using a bad password. Depending on your configuration, a user may be required to use a secure password before it will be accepted. Root may be warned when a password is set, but the action cannot be stopped.

In Webmin, a password is changed using the "Change Passwords" module from the System section. Select a user from the list and enter the new password into the blanks.

Deleting users

From the console, users are deleted using the userdel command.

userdel -r userid

The optional -r switch will delete the user's home directory and all its contents in addition to the user. If the directory is to be preserved, omit the -r switch. This switch will not automatically delete all the files on the system that belong to the user, just the home directory.

How users are organized

Linux configuration is text based. So all users in Linux reside in a file called /etc/passwd. You can view the file one page at a time with the more command:

more /etc/passwd

The construction of this file is fairly straightforward. Each line contains a new user with parameters separated by a colon.

userid:x:75000:75000::/home/userid:/bin/bash

The first column contains the user name. The second column contains the user's password. The third column contains the user's numeric id. The fourth column contains the numeric id for the user's primary group. The fifth column contains the user's full name, or a comment. The sixth column contains the location of the user's home directory. Normally this directory lives in the /home directory and has the same name as the user id. The seventh column contains the user's default console shell.

Password file structure
Login IDPasswordUser IDGroup IDCommentHome directoryDefault shell
useridx7500075000 /home/userid/bin/bash

Notice that the example above has an "x" in the Password column. This does not mean that the user has a password of "x." At one time passwords were normally stored in plain text within this file. This configuration is still possible, but it is rare because of the implications. The solution was to create something called a shadow password. An "x" is placed in the password portion of the /etc/passwd file, and an encrypted version of the password goes into the /etc/shadow file. This technique improved the security by separating the user information from the password data. The MD5 password encryption algorithm further improved security by allowing more robust passwords. An example of a shadow password entry is below:

userid:$1$z2NXZR19$PZpyL84DmPKBXMeURaXXM.:12138:0:186:7:::

All of the shadow password function is handled behind the scenes, and you will rarely need to do anything more with it than turn it on.

Groups

Groups in Linux are much the same as in Windows. You create a group and add members into the group's list. Then resources can have rights assigned by group. Members of a group have access to a resource associated with that group.

Creating a group is simple, using the console command groupadd:

groupadd mygroup

This will create a group with no members called "newgroup." Groups live in a file called /etc/group. Each group is listed on a separate line like the following:

mygroup:x:527:

The first column shows the name of the group. The second column is a password. Again, the "x" indicates that the real password is stored in a shadow file called /etc/gshadow. The third column is a numeric index for the group. Everything after the third column will be the group members' user ids separated by commas.

To add members to the group, use the gpasswd command with the -a switch and the user id you wish to add:

gpasswd -a userid mygroup

Remove users from a group with the same command, but a -d switch rather than -a:

gpasswd -d userid mygroup

It is also possible to make changes to groups by editing the /etc/group file directly.

Groups can be created, edited, and destroyed in Webmin with the same tool used above for working with users.

User and group associations

While this is not the place for a thorough discussion on access control, you will need some idea about how users and groups are applied to files. If you look at a long directory listing of a file, you'll see something like the following.

-rw-r--r-- 1 userid mygroup 703 Jun 23 22:12 myfile

Ignoring the other columns for the moment, look at the third, fourth, and last columns. The third column contains the name of the owner of the file, userid. The fourth column contains the group associated with the file, mygroup. The last column is the file name. Each file can have only one owner and one group. It is possible to assign rights to Other, the users who don't fall into either category. Think of Other as the equivalent of the Windows group Everyone.

A single file owner is common in operating systems, but the single group ownership feels limiting to administrators new to the technique. It is not. Since users can be members of any number of groups, it is simple to create new groups to handle resource security. In Linux, group definitions tend to be based more on the resource access required than on business units. If resources are logically organized on the system, then create more groups to finely tune access to resources.

More detailed information about associating users and groups is in the Related topics section at the end of this article. For details on how to change file permissions, see man chmod.

Summary

Users and groups work essentially the same way in Linux that they do in Windows, except that only one group can be associated with a system resource. To think about groups in Linux, consider groups to be cheap and don't be afraid to create a lot of them for a complex environment. Create your groups based on resource access rather than on business units.

User and group information are stored in the /etc/passwd and /etc/group files, respectively. Your system will also probably have an /etc/shadow and /etc/gshadow file, which contain the encrypted passwords for added security. It is possible to work with users and groups by editing these files directly, but this should be done with great care.

All user and group functions can be handled from the console, which makes them scriptable. Tools, such as Webmin, also provide graphical ways of working with users and groups.


Downloadable resources


Related topics

  • Check out the other parts in the Windows-to-Linux roadmap series (developerWorks, November 2003).
  • IBM Directory Server implements the Lightweight Directory Access Protocol (LDAP) for accessing directory services, especially those that are X.500 based. Read "Authenticating Linux users with IBM Directory Server" (developerWorks, February 2005) for details.
  • File permissions and security are addressed in Chapter 3 of the Introduction to Linux guide at the Linux Documentation Project.
  • The Linux Shadow Password HOWTO gives background history and rationale on the shadowing system as well as step-by-step guidelines for implementation.
  • System security is a vast and complex topic, but in an interconnected world, it affects everyone. Luckily, it is never too early nor too late to get started with it. Strategies for Keeping a Secure Server will help you to do just that.
  • Find more resources for Linux developers in the developerWorks Linux zone, including our newest how-to tutorials.
  • Build your next development project on Linux with IBM trial software, available for download directly from developerWorks.
  • Hone your skills in Linux basics and systems administration with our certification exam study guides. Whether you choose to take the exams or not, our Linux skill-building tutorial series will immerse you in Linux fundamentals as well as advanced topics.
  • Learn how to acquire kernel source, configure and boot your new kernel, add a feature, fix a flaw, or just have fun tinkering with operating system source code in our Hacking the Linux kernel tutorial series. Hack and be free.
  • The Linux at IBM site offers software, links, end-to-end Linux solutions, and more.
  • The Linux Documentation Project is a repository of Linux documentation including documents about individual software, HOWTO documents, FAQs, and more.
  • The O'Reilly Network is an excellent resource for technical books on Linux.

Comments

Sign in or register to add and subscribe to comments.

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Linux
ArticleID=11352
ArticleTitle=Windows-to-Linux roadmap: Part 4. User administration
publish-date=11112003