

User Private Group (UPG)

A User Private Group is a group account created automatically for a new user account. The group name and username are the same, and the only member of this new group is the new user.

For distributions that do not create a UPG, new users are typically given the users group as their primary group.

Configuring Groups

Groups provide a way for users to share files.

The administrator can manually create group accounts that are private for the user, but it is more common for the administrator to create groups for multiple users that need to collaborate.

User accounts can be modified at any time to add or remove them from group account memberships, but users must belong to at least one group for use as their primary group.

Read this section for commands used to view group information.

Working with groups requires administrative privileges, either by logging in as the root user or by prefixing each command with sudo.

Creating a Group

The groupadd command adds user groups to the system.

  • Create a new group:

    sudo groupadd group_name

  • Create a new system group:

    sudo groupadd --system group_name

  • Create a new group with the specific GID:

    sudo groupadd --gid id group_name

    • If the --gid (-g) option is not used, the new group is automatically assigned a GID one higher than the last one added to the /etc/group file.

Group Naming Conventions

  1. The first character of the name should be either an underscore _ character or a lower-case alphabetic a-z character.
  2. Up to 32 characters are allowed on most Linux distributions, but using more than 16 can be problematic as some distributions may not accept more than 16.
  3. After the first character, the remaining characters can be alphanumeric, a dash - character, or an underscore _ character.
  4. The last character should not be a hyphen - character.
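As an added example that is not part of the original post, the POSIX shell function below checks a candidate name against the four rules above. The same check applies to usernames, which follow the same conventions later in this post. It only inspects the string and never touches the system; the names it is run on at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: validate a group or user name
# against the naming conventions (first character, length, allowed characters,
# no trailing hyphen). Returns 0 when the name conforms, 1 otherwise, and
# prints the reason on stderr. The names tested at the bottom are constructed.
LC_ALL=C
export LC_ALL   # keep the a-z range strictly lower-case regardless of locale

valid_account_name() {
    name=$1
    len=${#name}

    if [ "$len" -eq 0 ]; then
        echo "error: empty name" >&2
        return 1
    fi
    # Rule 2: hard limit of 32 characters (a warning above 16 follows below).
    if [ "$len" -gt 32 ]; then
        echo "error: '$name' is longer than 32 characters" >&2
        return 1
    fi
    # Rule 1: the first character is an underscore or a lower-case letter.
    case $name in
        [_a-z]*) ;;
        *) echo "error: '$name' must start with _ or a lower-case letter" >&2
           return 1 ;;
    esac
    # Rule 4: the last character must not be a hyphen.
    case $name in
        *-) echo "error: '$name' must not end with a hyphen" >&2
            return 1 ;;
    esac
    # Rule 3: every character is alphanumeric, a dash or an underscore.
    if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_-]*$'; then
        echo "error: '$name' contains characters other than letters, digits, - and _" >&2
        return 1
    fi
    # Portability note from rule 2: some distributions reject names over 16 chars.
    if [ "$len" -gt 16 ]; then
        echo "warning: '$name' is longer than 16 characters; some distributions reject it" >&2
    fi
    return 0
}

# Demo on constructed names: two conforming, three violating a rule each.
for candidate in developers _svc-backup Developers web-team- 'bad name'; do
    if valid_account_name "$candidate"; then
        echo "$candidate: ok"
    fi
done
```

Run it before groupadd or useradd in a provisioning script so a non-conforming name is rejected with a clear reason instead of failing inside the tool or behaving differently across distributions.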

Group Identifier (GID) Considerations

  • In some distributions, when a UID is created, a UPG is also created.
  • Avoid creating GIDs in the same range as UIDs created in the future.
  • GIDs under 1000 are reserved for system use. To bypass this and assign a GID < 1000, use the -r (--system) option.
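An added example, not from the original post, that turns the last two points into a check: it picks the lowest free ID from a chosen GID range while skipping every ID already present as a GID in the group file or as a UID in the passwd file, so a shared group never collides with an existing account or its UPG. The sample passwd and group files are constructed here; the function name next_group_id and the file-writing helper are this example's own, not part of any distribution's tooling.

```shell
#!/bin/sh
# Added example, not from the original post: choose the next free GID from a
# chosen range while skipping IDs already in use as a GID or as a UID.
# The passwd/group files are constructed samples; on a real system the
# inputs would be /etc/group and /etc/passwd.

# next_group_id GROUP_FILE PASSWD_FILE GID_MIN GID_MAX
# Prints the lowest unused ID in [GID_MIN, GID_MAX]; returns 1 if none is free.
next_group_id() {
    awk -F: -v lo="$3" -v hi="$4" '
        FILENAME == ARGV[1] { used[$3] = 1 }   # group file: field 3 is the GID
        FILENAME == ARGV[2] { used[$3] = 1 }   # passwd file: field 3 is the UID
        END {
            for (id = lo; id <= hi; id++)
                if (!(id in used)) { print id; exit 0 }
            exit 1
        }' "$1" "$2"
}

# Write constructed sample files into the directory given as $1:
# root, a system group, two users with UPGs, and one shared group.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:
developers:x:1002:alice,bob
EOF
}

dir=$(mktemp -d)
write_sample_files "$dir"
echo "next ordinary GID (1000-60000):    $(next_group_id "$dir/group" "$dir/passwd" 1000 60000)"
echo "next shared-group GID (5000-9999): $(next_group_id "$dir/group" "$dir/passwd" 5000 9999)"
echo "next system GID (100-999):         $(next_group_id "$dir/group" "$dir/passwd" 100 999)"
rm -rf "$dir"
```

Passing a dedicated range such as 5000-9999 for shared groups keeps them clear of the range where future UIDs (and their UPGs) will land, which is the point of the second bullet; the 100-999 call shows the reserved system range that groupadd --system draws from.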

Deleting a Group

The groupdel command deletes existing user groups (only supplementary groups) from the system.

Files owned by the deleted group become orphaned. To search for orphaned files, use the find command with the -nogroup option.

  • Delete an existing group:

    sudo groupdel group_name

Modifying a Group

The groupmod command modifies existing user groups in the system.

  • Change the group name:

    sudo groupmod --new-name new_group group_name

    • Changing the group name does not cause any problems with accessing files.
  • Change the group id:

    sudo groupmod --gid new_id group_name

    • Changing the GID causes files owned by the old GID to no longer be associated with the group; such files are called orphaned files.

Configuring Users

User Configuration Files

/etc/default/useradd File

The /etc/default/useradd file contains the default values used by the useradd command; they can be viewed or changed with the useradd -D command.

| Field | Description |
| --- | --- |
| Group | Default primary group for a new user. This setting affects the primary group ID field of the /etc/passwd file. |
| Home | The default base directory under which the user's new home directory will be created. This setting affects the home directory field of the /etc/passwd file. |
| Inactive | The number of days after the password expires that the account is disabled. This setting affects the inactive field of the /etc/passwd file. |
| Expired | By default, there is no value set for the expiration date. This setting affects the expire field of the /etc/passwd file. |
| Shell | The default shell for a user when they log in to the system. This setting affects the shell field of the /etc/passwd file. |
| Skeleton Directory | The contents of this directory are copied into the new user's home directory. |
| Create Mail Spool | File where the incoming email is placed. |

[Screenshot: output of useradd -D]

/etc/login.defs File

The /etc/login.defs file contains values that are applied by default to new users created with the useradd command; the administrator edits this file directly to alter its values.

This file contains many comments and blank lines, so to only view lines that are not comments or blank lines (the real configuration settings), execute the following grep command:

grep -Ev '^#|^$' /etc/login.defs

| Field | Description |
| --- | --- |
| Mail Directory | The directory in which the user's mail spool file will be created. |
| Password Max Days | The maximum number of days that a user can continue to use the same password. |
| Password Min Days | The shortest time that a user is required to keep a password. |
| Password Minimum Length | The minimum number of characters that a password must contain. |
| UID Minimum | Determines the first UID that will be assigned to an ordinary user. |
| UID Maximum | Although it can go up to four billion, for maximum compatibility it is recommended to leave it at its default value of 60000. |
| GID Minimum | Determines the first GID that will be assigned to an ordinary group. |
| GID Maximum | Determines the highest GID that will be assigned to an ordinary group. |
| Home Directory | Determines whether or not a new directory will be created for the user when their account is created. |
| Umask | Determines what the default permissions will be on the user home directory. |
| UPG | If UPG is used in the distribution, it will have a value of yes. If not, a value of no. |
| Encryption | The encryption method that is used to encrypt the users' passwords in the /etc/shadow file. |

[Screenshot: contents of /etc/login.defs]

Creating a New User

useradd Command

useradd is a lower-level user addition utility that is available on all Linux distributions. It requires additional parameters to set up the account entirely.

  • Create a new user (UID is one higher than the last user created):

    sudo useradd username

  • Create a new user with the specified UID:

    sudo useradd --uid id username

  • Create a new user with the specified shell:

    sudo useradd --shell path/to/shell username

    • It is common to specify the /sbin/nologin shell for system accounts.
  • Create a new user belonging to additional groups (mind the lack of whitespace):

    sudo useradd --groups group1,group2,... username

  • Create a new user with the default home directory:

    sudo useradd --create-home username

  • Create a new user with the home directory filled by template directory files:

    sudo useradd --skel path/to/template_directory --create-home username

  • Create a new system user without the home directory:

    sudo useradd --system username

  • Give a short description of the account, mostly used to hold the user's full name:

    sudo useradd --comment 'string' username

[Screenshot: useradd usage]

adduser Command

adduser is a higher-level user addition utility that is not available on all Linux distributions. The command adds a user to the system with standard settings.

  • Create a new user with a default home directory and prompt the user to set a password:

    sudo adduser username

  • Create a new user without a home directory:

    sudo adduser --no-create-home username

  • Create a new user with a home directory at the specified path:

    sudo adduser --home path/to/home username

  • Create a new user with the specified shell set as the login shell:

    sudo adduser --shell path/to/shell username

  • Create a new user belonging to the specified group:

    sudo adduser --ingroup group username

[Screenshot: adduser usage]

Username Conventions

Usernames follow the same conventions as group names.

Use the --badname option to allow names that do not conform to these conventions.

User Identifier (UID) Considerations

If attached to a network with other systems, ensure that this UID is the same on all systems to help provide consistent access.

UIDs typically can range anywhere from zero to over 4,000,000,000, but for greatest compatibility with older systems, the maximum recommended UID value is 60,000.

The root user has a UID of 0, which allows that account to have special privileges. Any account with a UID of 0 would effectively be able to act as the administrator.

System accounts used by services generally use UIDs that are in the reserved range (1-499 or 1-999 on some modern systems). One system account that is an exception to this rule is the user nfsnobody, which has a UID of 65534.

When setting up a new system, it is a good practice to start UIDs no lower than 1000 ensuring there are sufficient UIDs available for many system services and giving you the ability to create many GIDs in the reserved range.

Passwords

Factors to Consider

| Factor | Description |
| --- | --- |
| Length | Minimum length is specified in the /etc/login.defs file. |
| Composition | A combination of alphabetic, numeric and symbolic characters. |
| Lifetime | The maximum amount of time a password can be used should be limited to minimise security threats. |

Reasons to limit the password lifetime:

  • For highly-sensitive accounts, passwords should be changed frequently (every 30 days), while non-critical accounts only need to change their passwords every 90 days.
  • If an account is compromised and the time that the password is valid is limited, the intruder will ultimately lose access when the password becomes invalid.
  • If an account is not being used, then it can automatically be disabled when the password is no longer valid.
  • If attackers are attempting a "brute-force" attack by trying every possible password, then the password can be changed before the attack can succeed.

Setting a User Password

The passwd command changes a user’s password.

  • Change the password of the current user interactively:

    passwd

  • Change the password of a specific user:

    passwd username

  • Show the password status of a user (run with sudo to query another account):

    passwd -S username

  • Make the password of the named account blank (the account becomes passwordless):

    sudo passwd -d username

Managing Password Aging

The chage command changes the user account and password expiry information found in the /etc/shadow file.

  • List password information for the user:

    chage --list username

  • Enable password expiration in 10 days:

    sudo chage --maxdays 10 username

  • Disable password expiration:

    sudo chage --maxdays -1 username

  • Set account expiration date:

    sudo chage --expiredate YYYY-MM-DD username

  • Force user to change password on next log in:

    sudo chage --lastday 0 username

  • Set the number of days of warning before a password expires:

    sudo chage --warndays 3 username

  • Display the maximum number of days between password changes (shown here for the user kali):

    sudo grep kali /etc/shadow | cut -d: -f1,5
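As an added example that is not part of the original post, the POSIX shell function below classifies one /etc/shadow entry the way chage --list summarises it, with "today" given as days since 1970-01-01, the same integer form that chage and usermod --expiredate accept. It ties the fields to the commands above and to the password lifetime factors: an empty hash is what passwd -d leaves behind, a last-change day of 0 is what chage --lastday 0 writes, an absent or -1 maximum is what chage --maxdays -1 produces, and the warn and inactive fields come from --warndays and the Inactive default in /etc/default/useradd. The sample entries, the hash placeholders and the day number 19900 are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify one /etc/shadow entry
# the way `chage --list` summarises it. "Today" is passed as days since
# 1970-01-01, the same integer form chage and usermod --expiredate accept.
# Field layout (shadow(5)): name:hash:lastchg:min:max:warn:inactive:expire:flag
# All entries used below are constructed sample data, not real accounts.

# shadow_status ENTRY TODAY_DAYS  -> prints "name status"
shadow_status() {
    entry=$1
    today=$2
    # Split on ':'; empty fields stay empty because IFS is a single ':'.
    IFS=: read -r name hash lastchg min max warn inactive expire flag <<EOF
$entry
EOF
    status=ok
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        status=account-expired        # chage/usermod --expiredate has passed
    elif [ -z "$hash" ]; then
        status=passwordless           # passwd -d left the hash field empty
    else
        case $hash in
            '!'*|'*'*) status=locked ;; # locked prefix, or no usable password
        esac
    fi
    if [ "$status" = ok ]; then
        if [ "$lastchg" = 0 ]; then
            status=must-change        # chage --lastday 0
        elif [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
            status=no-expiry          # aging disabled / chage --maxdays -1
        else
            age=$((today - lastchg))
            if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$age" -gt $((max + inactive)) ]; then
                status=inactive       # past max + inactive days: account disabled
            elif [ "$age" -gt "$max" ]; then
                status=expired        # password no longer valid
            elif [ "$age" -gt $((max - ${warn:-0})) ]; then
                status=warn           # inside the chage --warndays window
            fi
        fi
    fi
    echo "$name $status"
}

# Constructed sample entries; the quoted heredoc keeps $6$salt$hash literal.
sample_shadow() {
    cat <<'EOF'
alice:$6$salt$hash:19880:0:90:7:::
bob:$6$salt$hash:19800:0:90:7:::
carol:$6$salt$hash:19815:0:90:7:::
dave:!$6$salt$hash:19880:0:90:7:::
erin::19880:0:90:7:::
frank:$6$salt$hash:0:0:90:7:::
grace:$6$salt$hash:19880:0:90:7::19890:
heidi:$6$salt$hash:19880:0:99999:7:::
ivan:$6$salt$hash:19780:0:90:7:10::
EOF
}

TODAY=19900   # constructed "today" (mid-2024) as days since 1970-01-01
sample_shadow | while IFS= read -r line; do
    shadow_status "$line" "$TODAY"
done
```

Running the same function over the real file (sudo cat /etc/shadow, today from $(( $(date +%s) / 86400 ))) gives a one-line-per-account view of which passwords are past their maximum age, which accounts have slipped into the inactive grace period, and which have no expiry at all, which is the audit the lifetime factors above call for.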

Deleting a User

The userdel command removes a user account or removes a user from a group.

  • Remove a user without deleting the user’s home directory:

    sudo userdel username

  • Remove a user whose account files are under a different root directory:

    sudo userdel --root path/to/other/root username

  • Remove a user along with the home directory and mail spool:

    sudo userdel --remove username

Modifying a User

The usermod command modifies a user account.

  • Change a username:

    sudo usermod --login new_username username

  • Change a user id:

    sudo usermod --uid id username

  • Change a user shell:

    sudo usermod --shell path/to/shell username

  • Add a user to supplementary groups (mind the lack of whitespace):

    sudo usermod --append --groups group1,group2,... username

  • Change a user home directory:

    sudo usermod --move-home --home path/to/new_home username

  • Set account expiration date:

    sudo usermod --expiredate YYYY-MM-DD username

    sudo usermod --expiredate INT username

    • Integers as input are interpreted as days after 1970-01-01.
    • An input of -1 or an empty string will blank the account expiration field and the account will remain available with no date limit.