7/29/2019 02 Account Management
1/19
User Account Management
WeeSan Lee
Roadmap
Add An Account
Delete An Account
/etc/{passwd,shadow}
/etc/group
How To Disable An Account?
Root Account Q&A
Add An Account
To create an account for user foo:
Create /home/foo
$ cp -a /etc/skel/. /home/foo
$ chown -R foo:users /home/foo
$ chmod 711 /home/foo
(equivalently: $ chmod u=rwx,g=x,o=x /home/foo)
Add foo into /etc/passwd and /etc/shadow
$ vipw
$ passwd foo
Alternatively, use useradd
$ useradd foo
$ passwd foo
Delete An Account
To remove the account foo:
Revert what we did before
Or, use userdel
$ userdel foo
$ userdel -r foo
Delete /home/foo as well
To find files left behind (owned by a UID that no longer has a passwd entry)
$ find / -xdev -nouser
/etc/passwd
A file that contains a list of users recognized by the system
World readable. Why?
Each line represents one user, e.g.
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
7 fields separated by colons:
Login name or username
Encrypted passwd
UID
Default GID
GECOS information: full name, office, extension, phone #
Home directory
Login shell
/etc/passwd (cont)
Login name: up to 32 chars long (8 for NIS, Network Information Service)
Case sensitive, usually lower case; usually used as the email address
Encrypted passwd: see /etc/shadow
UID: 32-bit unsigned integer
Start from 500. See /etc/login.defs
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
/etc/passwd (cont)
Default GID: defined in /etc/group
GECOS field: for personal information
$ finger foo
Home directory: cd to it after login
Login shell: valid shells defined in /etc/shells
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
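The /etc/passwd checks above (exactly 7 fields, UID, the world-readable password field, the shell being listed in /etc/shells) as an added Python example, not part of the original slides; VALID_SHELLS and the sample file are constructed stand-ins for a real host.

```python
# Added example (not from the slides): parse /etc/passwd lines and flag
# entries an auditor would want to look at. The sample file is constructed.
from collections import Counter

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Stand-in for the contents of /etc/shells on the audited host.
VALID_SHELLS = {"/bin/bash", "/bin/sh", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """One dict per line; every line must have exactly 7 colon-separated fields."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        u = dict(zip(FIELDS, parts))
        u["uid"], u["gid"] = int(u["uid"]), int(u["gid"])
        users.append(u)
    return users

def audit_passwd(users):
    """Return (username, reason) findings."""
    findings = []
    uid_count = Counter(u["uid"] for u in users)
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "UID 0 but not root"))
        if uid_count[u["uid"]] > 1:
            findings.append((u["name"], f"UID {u['uid']} shared with another account"))
        if u["passwd"] == "":
            findings.append((u["name"], "empty password field (no password required)"))
        elif u["passwd"] not in ("x", "*"):
            findings.append((u["name"], "hash stored in world-readable /etc/passwd"))
        if u["shell"] not in VALID_SHELLS:
            findings.append((u["name"], f"shell {u['shell']} not in /etc/shells"))
    return findings

# Constructed sample; the "foo" line is the one shown on the slide.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
foo:x:500:500:Foo Bar:/home/foo:/bin/bash
bar:x:501:500:Bar Baz:/home/bar:/usr/local/bin/zsh
toor:x:0:0:second admin:/root:/bin/bash
svc::502:502:service account:/var/lib/svc:/sbin/nologin
"""
```

Run `audit_passwd(parse_passwd(open("/etc/passwd").read()))` to apply the same checks to a real file.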
/etc/shadow
A file that contains the encrypted passwds for the users
Only readable by root or processes with root privilege
Each line represents one user, e.g.
foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::
9 fields separated by colons:
Login name or username
Encrypted passwd
Date of last passwd change (days since 1970-01-01)
Min. # of days between password changes
Max # of days between password changes
# of days in advance to warn users about passwd expiration
# of days after passwd expiration that the account is disabled
Account expiration date
A reserved field
Usually login name and passwd are enough
/etc/shadow (cont)
Set the account expiration date with usermod
$ usermod -e 2007-06-26 foo
/etc/group
A file that contains the names of UNIX groups and a list of group members, e.g.
foo:x:500:
installer:x:200:foo,bar
Each line represents one group
4 fields separated by colons:
Group name (8 chars)
Encrypted passwd, or x for /etc/gshadow
GID (starts from 500. See /etc/login.defs)
List of members, separated by commas (no space)
How To Disable An Account?
Append a * to the username in /etc/passwd
$ usermod -L foo
Puts a ! in front of the encrypted passwd
To undo: $ usermod -U foo
$ usermod -e yyyy-mm-dd foo
Replace the login shell with
/bin/false
/sbin/nologin
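An added Python example, not from the slides, that applies the /etc/shadow fields and the disabling methods above: a locked hash (usermod -L), an expiration date (usermod -e), password aging, and a nologin shell. Sample entries are constructed, except the foo line taken from the /etc/shadow slide; the other hashes are placeholders.

```python
# Added example (not from the slides): decide from an /etc/shadow entry and the
# login shell whether an account is disabled, and why. Samples are constructed.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def days_since_epoch(d):
    # shadow stores dates as days since 1970-01-01: usermod -e 2007-06-26 stores 13690
    return (d - EPOCH).days

def parse_shadow(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    e = dict(zip(SHADOW_FIELDS, parts))
    for k in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        e[k] = int(e[k]) if e[k] else None      # empty field means "not set"
    return e

def disabled_reasons(entry, shell, today):
    # every reason the account cannot log in on `today`; an empty list means enabled
    now = days_since_epoch(today)
    reasons = []
    pw = entry["passwd"]
    if pw[:1] in ("!", "*"):    # usermod -L prepends '!'; '*' can never match a password
        reasons.append(f"password field starts with {pw[0]!r} (locked)")
    if entry["expire"] is not None and now >= entry["expire"]:
        reasons.append(f"account expired on {EPOCH + timedelta(days=entry['expire'])}")
    if entry["lastchg"] is not None and entry["max"] is not None:
        change_due = entry["lastchg"] + entry["max"]
        if now > change_due:
            reasons.append("password older than max days (change required)")
            if entry["inactive"] is not None and now > change_due + entry["inactive"]:
                reasons.append("inactive period after password expiry passed (account disabled)")
    if shell in NOLOGIN_SHELLS:
        reasons.append(f"login shell {shell} refuses logins")
    return reasons

SAMPLE = {  # constructed: (shadow line, login shell from the matching /etc/passwd entry)
    "foo": ("foo:$1$naYPGQnr$2Xyp.Q1KrWSf//VFR.yBL0:13690:0:99999:7:::", "/bin/bash"),
    "bar": ("bar:!$1$PLACEHOLDER$locked:13690:0:99999:7:::", "/bin/bash"),
    "baz": ("baz:$1$PLACEHOLDER$hash:13690:0:99999:7::13690:", "/bin/bash"),
    "qux": ("qux:$1$PLACEHOLDER$hash:13690:0:90:7:30::", "/bin/bash"),
    "svc": ("svc:*:13690:0:99999:7:::", "/sbin/nologin"),
}

def audit(today=date(2019, 7, 29)):
    return {n: disabled_reasons(parse_shadow(l), s, today) for n, (l, s) in SAMPLE.items()}
```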
Root Account
Special and powerful account
UID 0
Guard your root passwd with your life!!!
At least 8 chars. long. Don't write it down
Mix letters, numbers and punctuation
E.g. Bambo0!
Don't log in as root for normal use; use su when needed
Don't share your root passwd with others
Root Account (cont)
Use sudo instead
$ sudo /bin/bash
/etc/sudoers
All commands are logged
To edit /etc/sudoers
$ visudo
foo ALL=(root) ALL
User foo can run ALL commands on ALL machines as root
Host_Alias CS=eon,orpheus
Cmnd_Alias SNOOP=/usr/sbin/tcpdump,/usr/sbin/ethereal
bar CS=SNOOP
User bar can run the SNOOP commands on the CS hosts
References
LAH
Ch 3: Rootly Powers
Ch 6: Adding New Users