Linux+ Certification Bible.pdf

Chapter 9 General Linux Administration 293

Every Linux system requires basic system administration, which includes the creation and management of users and groups of users. In order to allow your users and groups to access data, you must set up permissions to the required files and directories on the system. The administrator must manage these permissions in order to prevent unauthorized access to the file systems, and accidental damage to core system files.

Basic User and Group Administration

Basic user and group administration on a Linux system is an important skill. Among the expectations of this skill is the ability to add and remove users and groups of users. The current users and groups of users must be modified throughout the life of a Linux system.

What are users and groups?

A user account is an individual account that is created for the purpose of granting access based on an individual login. This login is used to determine access levels to the Linux system, including file access, directory access, program access, and access for any other user task. User accounts prevent each user that logs in from having administrative rights. Restricting administrative rights is an important security measure and prevents mischievous activity by allowing only the appropriate system rights for each user.

The administrator must also assign appropriate rights for groups of users. A group is a logical grouping of users who have the same needs, and group accounts are used to simplify administration of file and directory permissions. This is accomplished by creating a group account, assigning permission rights to this account, and then adding the appropriate individual users to the group. An example of this might be a payroll department for a company. By creating a Payroll group, you can assign the users who are responsible for payroll activities to a group with access permissions to payroll files. Furthermore, it’s probably not a good idea to allow others access to the payroll system. Because the payroll system is most likely comprised of many systems, you can cut down on the overhead of assigning permissions by using groups instead of enabling access to each system for each individual user.

Creating users

4.1 Create and delete users

294 Part IV Administration

Some users can be created during the installation of the Linux operating system; however, you will need to add more users as the system is used. You can add more users by employing the adduser command. To use the adduser command, you must have administrative rights. With the adduser command, you can choose from several different options to assign to created users — these options are shown in Table 9-1.

 

Table 9-1: Options for adduser

Option: Description

-c comment: The new user’s password file comment field.

-d <home directory>: The new user will be created using <home directory> as the value for the user’s login directory.

-e YYYY-MM-DD: The date the user account will be disabled, in the format year-month-date (2001-12-31).

-f #: Sets the number of days after a password expires until the account is permanently disabled. -1 disables the feature and 0 disables the user account when the password expires.

-g: The group name or number of the user’s initial login group.

-G: A list of groups of which the user is also a member.

-m: The user’s home directory will be created if it does not already exist. The -k option copies the files contained in skeleton_dir to the home directory; if this option is not used, then the files in /etc/skel will be used.

-M: The user’s home directory will not be created even if the default is to create the home directory.

-n: A group having the same name as the user will not be created. This is distribution-specific.

-r: Used to create a system account and requires the -m option to create a home directory.

-p <password>: The encrypted password as returned by the password generator.

-s <shell>: Assigns the <shell> as the user’s login shell.

-u <uid>: The numerical value of the user’s ID must be unique, unless the -o option is used. The default is to use the next available number greater than 99.

No Options: The useradd command displays the current default values.

--help: Provides program help.

 

 


With these switches and options, you can use the adduser command to create new users. The following files are used to support the addition of users:

/etc/passwd: Contains user account information

/etc/shadow: Contains secure user account information

/etc/group: Contains group information

/etc/default/useradd: Contains the default information for adding users

/etc/login.defs: Contains the system-wide default login settings

The most common command used to add a user is adduser <username>. In enterprise environments, however, the command often includes the -p option to assign an initial password and the -g option to assign a group. The adduser command is an important tool in the administration of users.

Change user information

4.2 Modify existing users (e.g., password, groups, personal information)

You can change user information by using several tools. The tools that are most often used are chfn, chsh, and usermod. Linux administrators use these commands to provide basic user management in the Linux environment.

The usermod command

The usermod command is the command most often used to administer user accounts. This command uses the -c, -d, -e, -f, -g, -p, -s, and -u options that were shown previously in Table 9-1 and the following options shown in Table 9-2.

 

Table 9-2: Options for usermod

Option: Description

-l <login name>: Changes only the user’s account name to <login name>. This does not change the home directory of the user.

-L: Locks the user’s password, effectively disabling the password.

-U: Unlocks the user’s password, reverses the -L option.

--help: Provides program help.

 

 


The usermod command provides access to not only the settings available when creating an account, but also to the settings for changing an account name and locking and unlocking an account. These settings make the usermod command an excellent tool for basic administration of the user account.
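The effect of -L and -e can be read back from /etc/shadow: according to the usermod manual page, -L puts a "!" in front of the encrypted password and locks only the password, so an account is fully disabled only when an expiry date is set as well. The classifier below is an added example, not taken from the book; the sample entries, placeholder hashes and function names are constructed.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-format entries by lock and expiry state.

# Constructed sample (placeholder hashes). Fields are
# name:password:lastchg:min:max:warn:inactive:expire:reserved
# where expire (set by -e) is stored as days since 1970-01-01.
sample_shadow() {
cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7:::
carol:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7::19500:
dave::19000:0:90:7:::
eve:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7::1:
EOF
}

# Usage: account_states TODAY_IN_DAYS < shadow-file
# Prints "name:state" for every entry:
#   no-password           empty password field
#   locked+expired        usermod -L plus a past expiry date (fully disabled)
#   password-locked-only  usermod -L only; other login methods are unaffected
#   expired               expiry date (-e) reached
#   active                none of the above
account_states() {
    awk -F: -v today="$1" '
    {
        locked  = (substr($2, 1, 1) == "!")
        expired = ($8 != "" && $8 + 0 > 0 && today + 0 >= $8 + 0)
        if ($2 == "")               state = "no-password"
        else if (locked && expired) state = "locked+expired"
        else if (locked)            state = "password-locked-only"
        else if (expired)           state = "expired"
        else                        state = "active"
        print $1 ":" state
    }'
}

main() {
    # Current date expressed the way /etc/shadow stores it.
    sample_shadow | account_states "$(( $(date +%s) / 86400 ))"
}
main
```

Entries reported as password-locked-only are the ones to review after an offboarding that relied on usermod -L alone.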

The chfn command

Another tool that is often used to provide basic user account administration is chfn. The chfn command is used to change the finger information provided by the /etc/passwd file. This file provides four fields that are displayed when the finger command is used to identify a user.

Use the finger command to gather information based on a user name. The command can accept user names and return real information about that user.

The Linux finger command displays four pieces of information: full name, location, work phone, and home phone. This information can be useful to identify users by using the finger command. The command employs options to assign this information, as shown in Table 9-3.

 

Table 9-3: Options for chfn

Option: Description

-f <full name>: Assigns the full name of the user.

-o <office>: Allows the assignment of the location or office room.

-p <phone number>: Assigns the office phone number.

-h <phone number>: Assigns the home phone number.

-v: Prints version information.

-u: Prints usage message.

--help: Provides program help.

 

 

The chfn command allows administrators to provide basic real world information about a user to the finger command.
