Wednesday, March 28, 2007

Linux user management

The primary user database on a Linux system is /etc/passwd. The file holds one line per user account, and each line contains 7 fields separated by colons. Let us look at a single line taken from the passwd file.

enterprisedb:x:517:523:Enterprise Database Server:/home/enterprisedb:/bin/bash

Field 1 - enterprisedb : Username/login name of the account


Field 2 - x : In older Linux versions this field held the password hash itself, but current systems keep the hash in a separate file, /etc/shadow, which only root can read. The 'x' character indicates that the password is stored there (this is referred to as password shadowing). /etc/passwd itself has to stay world-readable, because tools such as ls need it to map user ids to names, so the hash is moved out rather than the file locked down.

Field 3 - 517 : Numeric user id (UID). Every user and group account has a numeric identifier, the user id / group id; the kernel works with these numbers, not with names.

Field 4 - 523 : Numeric group id (GID) of the user's primary group.

Field 5 - Enterprise Database Server : Comment or additional information section; it can contain any information about the user (usually the real name, or the purpose of the account if it is a system/service account). Here the user enterprisedb was created when I installed the enterprise database on my server, hence the comment Enterprise Database Server.

Field 6 - /home/enterprisedb : Home directory of the user

Field 7 - /bin/bash : The login shell, the program started for the user at login. Service accounts that never need an interactive session should get /sbin/nologin (or /bin/false) here, so that a set or guessed password does not turn them into login accounts.
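The field layout above is easy to audit mechanically. The script below is an added example (it is not part of the original post) that parses passwd-format lines and reports the entries a security review looks for: a second UID 0 account, an empty password field, a hash left in passwd instead of shadow, a service account with a real shell, and malformed lines. The sample database is constructed for the demonstration; the hash on the "legacy" line is a placeholder. The UID threshold of 500 assumes a Red Hat system of this era (UID_MIN is 1000 on most current distributions; check /etc/login.defs).

```shell
#!/bin/sh
# Added example, not from the original post: parse passwd-format lines and
# report the entries a security review looks for. Run "audit_passwd /etc/passwd"
# on a real host; the sample database below is constructed for the demonstration.

audit_passwd() {
    # $1 = passwd-format file, $2 = first UID of ordinary users (default 500,
    # the Red Hat UID_MIN of this era; assumption, check /etc/login.defs)
    awk -F: -v uidmin="${2:-500}" '
    # Field layout: login:password:uid:gid:comment:home:shell
    NF != 7 { printf "MALFORMED line %d: %d fields\n", NR, NF; next }
    # Field 3: any UID 0 entry besides root is a second superuser.
    $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1 }
    # Field 2: "x" means the hash is in /etc/shadow. Empty means no password
    # is needed; anything else is a hash that every user can read and crack.
    $2 == ""              { printf "NOPASS %s\n", $1 }
    $2 != "" && $2 != "x" { printf "UNSHADOWED %s\n", $1 }
    # Field 7: a service account that keeps a real shell becomes a login
    # account as soon as someone sets or guesses its password.
    $3 > 0 && $3 < uidmin && $7 !~ /(nologin|false)$/ { printf "SYSSHELL %s %s\n", $1, $7 }
    ' "$1"
}

# Constructed sample database; the hash on the "legacy" line is a placeholder.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
enterprisedb:x:517:523:Enterprise Database Server:/home/enterprisedb:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$saltsalt$placeholderhash:1002:1002:Old box:/home/legacy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
broken:x:1003:1003:missing fields
EOF
}

f=$(mktemp)
sample_passwd >"$f"
audit_passwd "$f"
rm -f "$f"
```

Run against the sample it reports toor (UID 0), guest (no password), legacy (unshadowed hash), mysql (service account with a shell) and the malformed eighth line, and says nothing about root, bin or enterprisedb.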

We need to manipulate this database (and a few others) to add, modify and delete user accounts. Linux provides handy command line tools for this.

useradd

Used to add users to the system; all 7 fields of the passwd entry can be set with this command.

Syntax:
useradd [options] LOGIN
useradd -D [OPTIONS]


The first syntax adds an account to the system.

options :

-c comment : Add additional information or comment about the user (blank by default)

-b BASE_DIR: The base directory to which the username is appended to form the full path of the home directory when -d is not given. The default is "/home", so the user "safeer" gets the home directory /home/safeer by default.

-d HOME_DIR: complete path to the home directory

-e EXPIRE_DATE: the date (YYYY-MM-DD) on which the account is disabled.

-f INACTIVE: number of days after the password has expired until the account is disabled.

-g GID: group id or group name of the user's primary group (the group must already exist; assigned automatically by default)

-G group1[,group2,...] : List of additional (supplementary) groups the user is a member of

-p PASSWORD: the password hash, as produced by crypt. This option is not recommended: the hash ends up in the shell history and is visible in the process list while useradd runs. Use the passwd command instead.

-s SHELL : The login shell for the account. To find out which shells are available on your machine, check /etc/shells (it can be listed with the command chsh -l).

-u UID : User's numeric user id

There are many more options; see the man page for the complete list.

One special feature of useradd on Red Hat systems is the User Private Group (UPG) scheme, which creates a unique group for every user, with the user as its only member. This is what makes the default umask of 002 safe: a file the user creates group-writable is writable only by that user's private group, not by some shared group every account belongs to. To turn off this behaviour use the option -n.

The second syntax sets the default values for useradd (kept in /etc/default/useradd). When given without any options it displays the current defaults. Only a limited number of options apply here.

-b HOME_DIR: The home directory prefix

-e EXPIRE_DATE: the expiration date for the account.

-f INACTIVE: number of days after the password has expired until the account is disabled.

-g GID: primary group id

-s SHELL: login shell

Consider an example where the user baiju is added to the system with the following criteria:
He should be a member of the developers group and also a member of the staff group
His home directory should be /usr/dev/baiju
He should have csh as his login shell

[root@LinuxBox1 ~]#useradd -d /usr/dev/baiju -s /bin/csh -G developers,staff baiju

Both groups must already exist and /bin/csh must be installed, otherwise useradd refuses the request. Add -m if your /etc/login.defs does not set CREATE_HOME; without it the directory is recorded in passwd but never created.

Now, set a password for baiju:
[root@LinuxBox1 ~]#passwd baiju
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
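The useradd and passwd steps above are usually scripted. The script below is an added example, not code from the original post, that wraps the request in the checks worth making before calling useradd: the login name is portable, the shell is listed in /etc/shells, and every supplementary group exists. It prints the useradd command rather than executing it, so the request can be reviewed and then run as root, and it deliberately has no password argument (set the password with passwd afterwards, never -p). The group and shell lookups accept an optional file argument so the logic can be exercised against constructed stand-ins without root; the file contents below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: the useradd/passwd sequence
# wrapped in the checks worth making first. Group and shell lookups take an
# optional file argument so the logic runs without root; omit it to consult
# the real /etc/shells and /etc/group.

# Accept only portable login names: a lowercase letter or underscore followed
# by up to 31 characters from [a-z0-9_-].
valid_login() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# The login shell must be listed in /etc/shells (or the file given as $2);
# chsh enforces the same list.
shell_allowed() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# Every supplementary group in the comma-separated list $1 must already exist
# in /etc/group (or the file given as $2): useradd -G refuses unknown groups.
groups_exist() {
    for g in $(printf '%s\n' "$1" | tr ',' ' '); do
        cut -d: -f1 "${2:-/etc/group}" | grep -qxF -- "$g" || return 1
    done
}

# Print the useradd command for LOGIN HOME SHELL GROUPS instead of running it,
# so the request can be reviewed and then executed as root. The password is
# set afterwards with "passwd LOGIN"; -p would leave the hash in the shell
# history and in ps output.
build_useradd() {
    login=$1 home=$2 shell=$3 supp=$4 shells_file=$5 group_file=$6
    valid_login "$login" ||
        { echo "rejected: bad login name '$login'" >&2; return 1; }
    shell_allowed "$shell" "$shells_file" ||
        { echo "rejected: $shell is not an allowed login shell" >&2; return 1; }
    groups_exist "$supp" "$group_file" ||
        { echo "rejected: unknown group in '$supp'" >&2; return 1; }
    # -m creates the home directory; without it useradd records the path in
    # passwd but the directory only exists if CREATE_HOME is set in login.defs.
    printf 'useradd -m -d %s -s %s -G %s %s\n' "$home" "$shell" "$supp" "$login"
}

# Constructed stand-ins for /etc/shells and /etc/group (not the real files).
SHELLS_FILE=$(mktemp); printf '/bin/sh\n/bin/bash\n/bin/csh\n' >"$SHELLS_FILE"
GRP_FILE=$(mktemp);    printf 'developers:x:600:\nstaff:x:601:\n' >"$GRP_FILE"
build_useradd baiju /usr/dev/baiju /bin/csh developers,staff "$SHELLS_FILE" "$GRP_FILE"
build_useradd baiju /usr/dev/baiju /bin/zsh developers,staff "$SHELLS_FILE" "$GRP_FILE" || echo "(request refused)"
rm -f "$SHELLS_FILE" "$GRP_FILE"
```

The first call prints the useradd line for baiju as in the example above; the second is refused because /bin/zsh is not in the shells list.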


Instead of setting all the options when the user is first created, we can create the user with the defaults and modify the account later as the need arises. The usermod command is used for this.

usermod

Syntax:
usermod [OPTIONS] login

login : user login name

OPTIONS:

Many options of the useradd command apply here as well: -c, -d, -e, -f, -g, -G, -p, -s and -u. Other options are:

-l login_name : Change the user's login name. To change the login name 'baiju' to 'baijujohn' use
[root@LinuxBox1 ~]#usermod -l baijujohn baiju
Only the name changes; the home directory keeps its old path. To move it as well, add -d /new/home -m to the same command.

-L : lock the user's password by prefixing the hash in /etc/shadow with '!'. Only password authentication is blocked by this; a login that does not use the password (an SSH key already in the user's authorized_keys, for instance) still works. To disable the account for every login method also set an expiry date in the past, e.g. usermod -L -e 1970-01-02 baiju; the usermod man page itself notes that locking the account fully needs the expiry date as well.
-U : unlock a user locked with the -L option (the '!' prefix is removed; an expiry date set with -e has to be cleared separately)
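Whether an account is really disabled is therefore a question of two shadow fields, not one. The script below is an added example, not from the original post, that reads an account's /etc/shadow line and classifies it: EXPIRED if the expiry date in field 8 (days since 1970-01-01) has passed, otherwise LOCKED for a '!' prefix on the hash, NOHASH for a '*' entry, EMPTY for an empty password field, or ACTIVE. The shadow file and the hashes in it are constructed placeholders for the demonstration; point it at /etc/shadow (as root) on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: classify an account from its
# /etc/shadow line. "usermod -L" only prefixes the hash in field 2 with "!",
# which stops password authentication but not, for example, an SSH key already
# in ~/.ssh/authorized_keys. The expiry date in field 8 (days since 1970-01-01)
# closes the account for every login method, so the check looks at it first.
# The shadow lines below are constructed; the hashes are placeholders.

# Fields: login:hash:lastchg:min:max:warn:inactive:expire:reserved
# Prints EXPIRED, LOCKED, NOHASH, EMPTY or ACTIVE; prints UNKNOWN and
# returns 1 if the login is not in the file.
account_state() {
    login=$1 shadow=${2:-/etc/shadow}
    line=$(grep "^$login:" "$shadow") || { echo UNKNOWN; return 1; }
    hash=$(printf '%s' "$line" | cut -d: -f2)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))      # same unit as the shadow field
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo EXPIRED                       # closed for password, key and any other method
    else
        case $hash in
            '!'*) echo LOCKED ;;           # "!" or "!!" prefix: password auth blocked only
            '*')  echo NOHASH ;;           # no valid hash: no password login possible
            '')   echo EMPTY  ;;           # empty field: password login with no password, if PAM allows it
            *)    echo ACTIVE ;;
        esac
    fi
}

# Constructed sample shadow file (placeholder hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
root:$6$rootsalt$placeholder:13600:0:99999:7:::
bin:*:13600:0:99999:7:::
enterprisedb:$6$edbsalt$placeholder:13600:0:99999:7:::
baiju:!$6$bjsalt$placeholder:13600:0:99999:7:::
olduser:$6$oldsalt$placeholder:13600:0:99999:7::1:
guest::13600:0:99999:7:::
EOF
}

f=$(mktemp)
sample_shadow >"$f"
for u in enterprisedb baiju olduser bin guest; do
    printf '%-13s %s\n' "$u" "$(account_state "$u" "$f")"
done
rm -f "$f"
```

In the sample, baiju has been locked with usermod -L and is reported LOCKED (password only), while olduser has an expiry date of day 1 and is reported EXPIRED; guest, with an empty password field, is the entry to fix first.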


If you want to change a user's login shell later you can use "usermod -s /bin/ksh login_name". Linux provides another command for this, 'chsh', which only accepts shells listed in /etc/shells:
[root@LinuxBox1 ~]#chsh -s /bin/ksh baiju

To remove a user, use the userdel command.

userdel

Syntax:
userdel [-r] login

-r : if this option is used the user's home directory and mail spool are deleted as well. The user's files in other locations have to be removed manually; after the account is gone the name no longer resolves, so search by the old UID or for orphaned files, e.g. find / -uid 517 or find / -nouser. Do this before the UID is reused by a new account, which would otherwise inherit those files.

The files affected by the above commands are /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.

You can edit /etc/passwd manually with the command "vipw", and /etc/shadow with "vipw -s" (similarly "vigr" for /etc/group). These wrappers lock the file while you edit, so that useradd or passwd cannot write to it at the same time and leave it corrupt.

