Skip to main content

Managing Local Users

A number of command-line tools can be used to manage local user accounts.
useradd Creates Users
  • useradd username sets reasonable defaults for all fields in /etc/passwd when run without options. The useradd command does not set any valid password by default, and the user cannot log in until a password is set.
  • useradd --help will display the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.
  • Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs file. Values in this file are only used when creating new users. A change to this file will not have an effect on any existing users.
usermod Modifies Existing Users
  • usermod --help will display the basic options that can be used to modify an account. Some common options include:
    Option Description
    -c, --comment COMMENT Add a value, such as a full name, to the GECOS field.
    -g, --gid GROUP Specify the primary group for the user account.
    -G, --groups GROUPS Specify a list of supplementary groups for the user account.
    -a, --append Used with the -G option to append the user to the supplemental groups mentioned without removing the user from other groups.
    -d, --home HOME_DIR Specify a new home directory for the user account.
    -m, --move-home Move a user home directory to a new location. Must be used with the -d option.
    -s, --shell SHELL Specify a new login shell for the user account.
    -L, --lock Lock a user account.
    -U, --unlock Unlock a user account.
userdel Deletes Users
  • userdel username removes the user from /etc/passwd, but leaves the home directory intact by default.
  • userdel -r username removes the user and the user's home directory.

    Warning

    When a user is removed with userdel without the -r option specified, the system will have files that are owned by an unassigned user ID number. This can also happen when files created by a deleted user exist outside that user's home directory. This situation can lead to information leakage and other security issues.
    In Red Hat Enterprise Linux 7 the useradd command assigns new users the first free UID number available in the range starting from UID 1000 or above. (unless one is explicitly specified with the -u UID option). This is how information leakage can occur: If the first free UID number had been previously assigned to a user account which has since been removed from the system, the old user's UID number will get reassigned to the new user, giving the new user ownership of the old user's remaining files. The following scenario demonstrates this situation:
    [root@serverX ~]# useradd prince
[root@serverX ~]# ls -l /home
drwx------. 3 prince  prince    74 Feb  4 15:22 prince
[root@serverX ~]# userdel prince
[root@serverX ~]# ls -l /home
drwx------. 3    1000    1000   74 Feb  4 15:22 prince
[root@serverX ~]# useradd bob
[root@serverX ~]# ls -l /home
drwx------. 3 bob     bob       74 Feb  4 15:23 bob
drwx------. 3 bob     bob       74 Feb  4 15:22 prince
    Notice that bob now owns all files that prince once owned. Depending on the situation, one solution to this problem is to remove all "unowned" files from the system when the user that created them is deleted. Another solution is to manually assign the "unowned" files to a different user. The root user can find "unowned" files and directories by running: find / -nouser -o -nogroup 2> /dev/null.
id Displays User Information
  • id will display user information, including the user's UID number and group memberships.
  • id username will display user information for username, including the user's UID number and group memberships.
passwd Sets Passwords
  • passwd username can be used to either set the user's initial password or change that user's password.
  • The root user can set a password to any value. A message will be displayed if the password does not meet the minimum recommended criteria, but is followed by a prompt to retype the new password and all tokens are updated successfully. 
    [root@serverX ~]# passwd student
Changing password for user student.
New password: redhat123
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
Retype new password: redhat123
passwd: all authentication tokens updated successfully.
  • A regular user must choose a password which is at least 8 characters in length and is not based on a dictionary word, the username, or the previous password.

UID Ranges

Specific UID numbers and ranges of numbers are used for specific purposes by Red Hat Enterprise Linux.
  • UID 0 is always assigned to the superuser account, root.
  • UID 1-200 is a range of "system users" assigned statically to system processes by Red Hat.
  • UID 201-999 is a range of "system users" used by system processes that do not own files on the file system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these "unprivileged" system users in order to limit their access to just the resources they need to function.
  • UID 1000+ is the range available for assignment to regular users.

Note

Prior to Red Hat Enterprise Linux 7, the convention was that UID 1-499 was used for system users and UID 500+ for regular users. Default ranges used by useradd and groupadd can be changed in the /etc/login.defs file.

Guided Exercise: Creating Users Using Command-line Tools

In this exercise, you will create a number of users on your Linux system, setting and recording an initial password for each user.
Outcome
Be able to configure a Linux system with additional user accounts.
Before You Begin
Start your Amazon EC2 instance and use ssh to log in as the user ec2-user. It is assumed that ec2-user can use sudo to run commands as root.
Steps
  1. Become the root user at the shell prompt.
    [ec2-user@ip-192-0-2-1 ~]$ sudo su -
[root@ip-192-0-2-1 ~]#
  2. Add the user juliet. 
    [root@ip-192-0-2-1 ~]# useradd juliet
  3. Confirm that juliet has been added by examining the /etc/passwd file. 
    [root@ip-192-0-2-1 ~]# tail -2 /etc/passwd
ec2-user:x:1000:1000:Cloud User:/home/ec2-user:/bin/bash
juliet:x:1001:1001::/home/juliet:/bin/bash
  4. Use the passwd command to initialize juliet's password. For this and any other passwords you set in this section, the values are not important but should be "secure". Be careful, the root user can set arbitrarily weak passwords!
    The example below assumes you typed something (the same thing!) for the New password and Retype new password prompts.

    Warning

    It is assumed that the AMI used for your Amazon EC2 instance was pre-configured for security reasons to prohibit remote logins over ssh which have been authenticated by password, and that key-based authentication is required. Please read the Warning box at the end of this exercise for further discussion.
    [root@ip-192-0-2-1 ~]# passwd juliet
Changing password for user juliet.
New password:
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@ip-192-0-2-1 ~]#
  5. Continue adding the remaining users in the steps below and set initial passwords. These users will be used in the next exercise.
    • romeo
      [root@ip-192-0-2-1 ~]# useradd romeo
[root@ip-192-0-2-1 ~]# passwd romeo
Changing password for user romeo.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@ip-192-0-2-1 ~]#
    • hamlet
      [root@ip-192-0-2-1 ~]# useradd hamlet
[root@ip-192-0-2-1 ~]# passwd hamlet
    • reba
      [root@ip-192-0-2-1 ~]# useradd reba
[root@ip-192-0-2-1 ~]# passwd reba
    • dolly
      [root@ip-192-0-2-1 ~]# useradd dolly
[root@ip-192-0-2-1 ~]# passwd dolly
    • elvis
      [root@ip-192-0-2-1 ~]# useradd elvis
[root@ip-192-0-2-1 ~]# passwd elvis
  6. This concludes this exercise. Log out and stop your Amazon EC2 instance.

Warning

In this exercise, you set passwords for various accounts on a cloud instance that is accessible from the public Internet. This is not a recommended practice if users can connect to the instance using ssh and authenticate using their password.
Attackers have been known to scan public cloud providers for instances providing remote ssh access and configured with weak passwords. The recommended AMI used to develop this course was configured to prohibit password-based ssh authentication, and to provide only ssh as a public-facing service, so setting those passwords for this exercise should not matter in practice. However, this is not necessarily true of a default Red Hat Enterprise Linux installation.
Additional keys can be installed by users to allow key-based authentication, but the procedure is beyond the scope of this course.

Comments

Post a Comment

thank you for visiting :)

Popular posts from this blog

The Seven-Step Model of Migration

Irrespective of the migration approach adopted, the Seven-step Model of Cloud Migration creates a more rational point of view towards the migration process and offers the ability to imbibe several best practices throughout the journey Step 1: Assess Cloud migration assessments are conducted to understand the complexities in the migration process at the code, design and architectural levels. The investment and the recurring costs are also evaluated along with gauging the tools, test cases, functionalities and other features related to the configuration. Step 2: Isolate The applications to be migrated to the cloud from the internal data center are freed of dependencies pertaining to the environment and the existing system. This step cuts a clearer picture about the complexity of the migration process. Step 3: Map Most organisations hold a detailed mapping of their environment with all the systems and applications. This information can be used to distinguish between the ...
Post a Comment
Read more

Special Permissions in linux

The setuid permission on an executable file means that the command will run as the user owning the file, not as the user that ran the command. One example is the passwd command: [student@desktopX ~]$ ls -l /usr/bin/passwd -rw s r-xr-x. 1 root root 35504 Jul 16 2010 /usr/bin/passwd In a long listing, you can spot the setuid permissions by a lowercase s where you would normally expect the x (owner execute permissions) to be. If the owner does not have execute permissions, this will be replaced by an uppercase S . The special permission setgid on a directory means that files created in the directory will inherit their group ownership from the directory, rather than inheriting it from the creating user. This is commonly used on group collaborative directories to automatically change a file from the default private group to the shared group, or if files in a directory should be...
Post a Comment
Read more

RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version

import tweepy /usr/lib/python2.7/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.24.1) or chardet (3.0.4) doesn't match a supported version!   RequestsDependencyWarning) Traceback (most recent call last):   File "<stdin>", line 1, in <module>   File "/usr/local/lib/python2.7/dist-packages/tweepy/__init__.py", line 14, in <module>     from tweepy.api import API   File "/usr/local/lib/python2.7/dist-packages/tweepy/api.py", line 12, in <module>     from tweepy.binder import bind_api   File "/usr/local/lib/python2.7/dist-packages/tweepy/binder.py", line 11, in <module>     import requests   File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 97, in <module>     from . import utils   File "/usr/lib/python2.7/dist-packages/requests/utils.py", line 26, in <module>     from ._internal_utils import to...
Post a Comment
Read more

tag