comp.org.uk

Networking | Programming | Security | Linux | Computer Science | About

Linux Account Maintenance

Account maintenance operations are potentially risky. You might accidentally delete or modify the wrong account. Even account creation poses risks, particularly when you use advanced options; you might accidentally give two accounts the same user ID (UID) codes, which would make them essentially interchangeable. Thus, you should be particularly cautious when using these commands. Because these commands require root access to work, the usual caveats concerning working as root also apply.

Linux and Unix systems have traditionally stored account information in the /etc/passwd file. This file consists of a series of lines, each of which represents a single account, as in:

dsmith:x:512:100:Dale Smith:/home2/dsmith:/bin/bash

This line consists of a series of colon-delimited fields that contain the account’s username, password, UID number, group ID (GID) number, a free-form comment, home directory, and default shell. Note that in this example the password field contains a single x. This is a code that means the password is encoded in another file, /etc/shadow. Most Linux systems today use this shadow password system as a way of increasing security; the /etc/passwd file must be world-readable to enable programs to access information such as the user’s default shell and the comment field. Even an encrypted password could be broken if it were readable, so the shadow password system locks this sensitive data, as well as additional account information, in /etc/shadow, which is readable only by root. The format of the /etc/shadow file is similar to that of /etc/passwd in that it consists of colon-delimited fields. The first two fields contain the username and encrypted password, while remaining fields contain account aging and other advanced information.

Account management involves creating, deleting, or modifying the information in /etc/ passwd and /etc/shadow. In principle, this can be done with a text editor, and in fact some extraordinarily street-savvy administrators work this way. Most administrators, though, use command-line or GUI tools to help manage the task. These tools obviate the need to remember what fields hold what data and minimize the risk of encountering problems from typos, such as accidentally deleting a colon.

The basic Linux account management tools are useradd, userdel, and usermod. These tools add, delete, and modify existing user accounts, respectively. Linux also provides groupadd, groupdel, and groupmod tools to perform similar tasks with groups, although some of the details of operation differ.

Adding User Accounts

To add an account, you use the useradd command. At its simplest, you can use this command followed by the username you want to use: #

useradd tbrown

This command creates an account called tbrown, using defaults for various account parameters. On most systems, the user’s home directory will be /home/tbrown, the shell will be /bin/bash, the comment field will be empty, and the UID and GID will be assigned based on the lowest available numbers for both. Most importantly, the account’s password will be disabled (more on that shortly).

You can create an account with different defaults by placing appropriate parameters between useradd and the account name. Alternatively, you can create an account with the defaults and then use usermod to change them. Some features you’re particularly likely to want to adjust include:

Comment The -c comment parameter passes the comment field for the user. Some admin- istrators store public information like a user’s office or telephone number in this field. Others store just the user’s real name or no information at all.

Home directory You specify the account’s home directory with the -d home-dir parameter. This defaults to /home/username on most systems.

Do or do not create a home directory The -M option forces the system to not automatically create a home directory, while -m forces the system to create one. Which behavior is the default varies from one system to another.

Default group You set the name or GID of the user’s default group with the -g default- group option. The default for this value varies from one distribution to another.

Default shell Set the name of the user’s default login shell with the -s shell option. On most systems, this defaults to /bin/bash.

Specify a UID The -u UID parameter creates an account with the specified user ID value (UID). This value must be a positive integer, and it is normally above 500 for user accounts. System accounts typically have numbers below 100. The -o option allows the number to be reused so that two usernames are associated with a single UID.

No user group In some distributions, such as Red Hat, the system creates a group with the same name as the specified username. The -n parameter disables this behavior.

This list of options isn’t complete; consult useradd’s man page for more options. As an example of some of these options in action, suppose you want to place Trevor Brown’s real name in the comment field and set his home directory to /home2/trevor. You could do so at account creation time by including appropriate parameters:

# useradd -c "Trevor Brown" -d /home2/trevor tbrown

After typing this command (or the simpler version shown earlier), be sure to check for the existence of the home directory. If it’s not present, you must create it yourself and change its ownership (including its group):

# mkdir /home2/trevor # chown tbrown.users /home2/trevor

Alternatively (and preferably), you could add the -m option to the useradd command. This option has the advantage that the system copies a starting set of files from /etc/skel. These files include things such as bash configuration files.

The useradd command won’t ordinarily set a starting password for the account. (There is a -p option to do this, but it requires a pre-encrypted password.) The best way to deal with this issue is to create new accounts in the presence of their users; you can then, as root, use passwd to begin the password-changing process and allow the users to type their own desired passwords:

# passwd tbrown 
New UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

You would type passwd tbrown, then let the user type a password (twice). The system doesn’t echo the password for security reasons. Alternatively, you can set the password yourself to some random value and find a way to com- municate this value to the user. The trouble with this approach is that the communication could be intercepted or copied, leading to an immediate security breach. Users might also leave their pass- words set at the value you give them, which is non-optimal but might be acceptable if you choose a unique and good password for each account.

Deleting User Accounts

You can delete an account with userdel, which works much like useradd:

# userdel sjones

This command deletes the sjones account. It does not, however, delete the user’s home directory or mail spool, much less other files that may be owned by the user elsewhere on the computer. You must manually delete or otherwise deal with these files.

You can pass the -r option to have userdel delete the user’s home directory and mail spool. This option won’t delete other files the user may own elsewhere on the computer, though. To locate those files, use find (described in Task 1.4) with its -uid n option to search for files owned by UID n. If you search for files before deleting the account, you can use find’s -user username option to search by username.

Modifying User Accounts

What if an account already exists and you want to change it in some way? You can modify the account with usermod, which takes most of the same options as useradd. Another important usermod option is -l name, which alters the username associated with the account. To change the home directory of Dale Smith’s (dsmith’s) account from /home2/dsmith to /home/ dsmith, you’d type the following command:

# usermod -d /home/dsmith

Changing the account’s home directory won’t move the files in the directory. To do that, you must use the cp command. In this case, the -a option to cp will copy the entire directory tree and preserve ownership, permissions, and other file characteristics. You’ll then delete the original directory:

# cp -a /home2/dsmith /home/dsmith 
# rm -r /home2/dsmith

To be 100 percent safe, though, you might want to check that the new directory contains all the files it should before deleting the old one. If possible, wait for the user to log in and use the account before deleting the old directory.


Published on Wed 08 April 2009 by Larry Epson in Linux with tag(s): linux accounts