User Private Group (UPG)
a group account created automatically for each new user account. The group name and the username are the same, and the only member of the new group is the new user.
For distributions that do not create a UPG, new users are typically given the users group as their primary group.
Configuring Groups
provide a way for users to share files.
The administrator can manually create group accounts that are private to a single user, but it is more common to create groups for multiple users who need to collaborate.
User accounts can be modified at any time to add or remove group memberships, but every user must belong to at least one group, which serves as the primary group.
This section covers the commands used to create, modify and delete groups.
Working with groups requires administrative privileges, either by logging in as the root user or by prefixing each command with sudo.
Creating a Group
The groupadd command adds groups to the system.
Create a new group:
sudo groupadd group_name
Create a new system group:
sudo groupadd --system group_name
Create a new group with the specific GID:
sudo groupadd --gid id group_name
- If the -g (--gid) option is not used, the new group is assigned the smallest GID that is at least GID_MIN (from /etc/login.defs) and greater than every existing group's GID in the GID_MIN to GID_MAX range. It is not simply the last line of /etc/group plus one: system groups outside the range are ignored.
Group Naming Conventions
- The first character of the name should be either an underscore _ character or a lower-case alphabetic a-z character.
- Up to 32 characters are allowed on most Linux distributions, but using more than 16 can be problematic as some distributions may not accept more than 16.
- After the first character, the remaining characters can be alphanumeric, a dash - character, or an underscore _ character.
- The last character should not be a hyphen - character.
Group Identifier (GID) Considerations
- In some distributions, creating a user also creates a UPG, normally with the same number as the new UID.
- Avoid creating GIDs in the range that future UIDs will occupy; if a later user's UPG cannot get the same number as its UID, the two ranges drift apart and become confusing to audit.
- GIDs below GID_MIN (1000 on most current distributions, 500 on older ones) are reserved for system groups. To assign a GID from that range, use the -r (--system) option, which allocates between SYS_GID_MIN and SYS_GID_MAX instead.
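The naming rules and the default GID allocation above, as an added example that is not part of the original page: a name checker implementing the four rules listed, and a function that computes the GID groupadd would pick when -g is not given. Both helpers take file paths so they can be run against copies of /etc/group and /etc/login.defs; the sample files in demo() are constructed for illustration, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the original page.
# Ranges such as [a-z] must be ASCII-only for the name check, so force the C locale.
LC_ALL=C
export LC_ALL

# valid_group_name NAME -> 0 if NAME follows the conventions, 1 otherwise
#   first character [a-z_], then [a-z0-9_-], no trailing '-', at most 32 chars
valid_group_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        [a-z_]*) ;;                 # acceptable first character
        *) return 1 ;;
    esac
    case $name in
        *-) return 1 ;;             # must not end in a hyphen
        *[!a-z0-9_-]*) return 1 ;;  # any other character is rejected
    esac
    return 0
}

# login_def KEY [FILE] -> value of KEY in login.defs (comments ignored); 1 if unset
login_def() {
    awk -v key="$1" '
        $1 == key { value = $2; found = 1 }
        END { if (!found) exit 1; print value }
    ' "${2:-/etc/login.defs}"
}

# next_free_gid [GROUPFILE] [LOGINDEFS]
#   The default rule from groupadd(8): the smallest GID that is >= GID_MIN and
#   greater than every existing group's GID within [GID_MIN, GID_MAX].
#   Returns 1 if the range is exhausted (groupadd would then hunt for a gap;
#   that fallback is not reproduced here).
next_free_gid() {
    groupfile=${1:-/etc/group}
    defs=${2:-/etc/login.defs}
    gid_min=$(login_def GID_MIN "$defs") || gid_min=1000
    gid_max=$(login_def GID_MAX "$defs") || gid_max=60000
    awk -F: -v min="$gid_min" -v max="$gid_max" '
        BEGIN { candidate = min + 0 }
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $3 + 0 <= max + 0 && $3 + 1 > candidate {
            candidate = $3 + 1
        }
        END {
            if (candidate > max + 0) exit 1
            print candidate
        }
    ' "$groupfile"
}

# Demonstration on constructed sample files (not a real system's data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
daemon:x:1:
users:x:100:
alice:x:1000:
devs:x:1001:alice,bob
nogroup:x:65534:
EOF
    cat > "$tmp/login.defs" <<'EOF'
# constructed sample of the two keys we need
GID_MIN    1000
GID_MAX    60000
EOF
    for candidate in devs _svc web-team Devs web-team- 1devs; do
        if valid_group_name "$candidate"; then
            echo "ok      $candidate"
        else
            echo "invalid $candidate"
        fi
    done
    echo "next GID: $(next_free_gid "$tmp/group" "$tmp/login.defs")"   # 1002 here
    rm -rf "$tmp"
}
demo
```

Note that nogroup (65534) is ignored because it lies above GID_MAX, which is exactly why the "one higher than the last line" mental model gives the wrong answer on real systems.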
Deleting a Group
The groupdel command deletes an existing group from the system. It refuses to delete a group that is the primary group of any existing user, so in practice only supplementary groups can be removed; change or delete the affected users first.
Files owned by the deleted group are not touched and become orphaned: ls shows the numeric GID in place of a name, and any group later created with that number silently inherits access to them. To search for orphaned files, use the find command with the -nogroup option.
Delete an existing group:
sudo groupdel group_name
Modifying a Group
The groupmod command modifies existing groups on the system.
Change the group name:
sudo groupmod --new-name new_group group_name
- Changing the group name does not affect access to files, because file ownership is stored as the numeric GID, not the name.
Change the group id:
sudo groupmod --gid new_id group_name
- Changing the GID does not update file ownership: files keep the old number, are no longer associated with the group, and become orphaned. Reassign them afterwards (find with the -gid option for the old number, then chgrp) and check any shared directories the group uses.
Configuring Users
User Configuration Files
/etc/default/useradd File
contains default values used by the useradd command; view them with useradd -D and change them with useradd -D together with the option to set.
Field (key) | Description |
---|---|
Group (GROUP) | Default primary group for a new user. This setting affects the primary group ID field of the /etc/passwd file. It is ignored when user private groups are enabled (USERGROUPS_ENAB yes in /etc/login.defs) unless useradd is given -N. |
Home (HOME) | The base directory under which the user's new home directory will be created. This setting affects the home directory field of the /etc/passwd file. |
Inactive (INACTIVE) | The number of days after a password expires before the account is disabled. This setting affects the inactive field of the /etc/shadow file. |
Expire (EXPIRE) | Account expiration date; empty by default, meaning the account never expires. This setting affects the expire field of the /etc/shadow file. |
Shell (SHELL) | The default login shell for a new user. This setting affects the shell field of the /etc/passwd file. |
Skeleton Directory (SKEL) | The contents of this directory (normally /etc/skel) are copied into the new user's home directory. It does not affect any field of /etc/passwd or /etc/shadow. |
Create Mail Spool (CREATE_MAIL_SPOOL) | Whether (yes or no) a mail spool file is created for the new user under the mail directory. |
/etc/login.defs File
contains site-wide defaults that useradd, groupadd, passwd and the other shadow-suite commands apply when creating and maintaining accounts; the administrator edits it directly to change its values.
The file contains many comments and blank lines. To view only the real configuration settings, execute the following grep command:
grep -Ev '^#|^$' /etc/login.defs
Field (key) | Description |
---|---|
Mail Directory (MAIL_DIR) | The directory in which the user's mail spool file will be created. |
Password Max Days (PASS_MAX_DAYS) | The maximum number of days a user can continue to use the same password. |
Password Min Days (PASS_MIN_DAYS) | The minimum number of days a user must keep a password before changing it again. |
Password Minimum Length (PASS_MIN_LEN) | The minimum number of characters a password must contain. On systems where PAM (pam_pwquality or pam_unix) enforces length, this value is ignored. |
UID Minimum (UID_MIN) | The first UID that will be assigned to an ordinary user. |
UID Maximum (UID_MAX) | Although a UID can go up to about four billion, for maximum compatibility it is recommended to leave this at its default value of 60000. |
GID Minimum (GID_MIN) | The first GID that will be assigned to an ordinary group. |
GID Maximum (GID_MAX) | The highest GID that will be assigned to an ordinary group; like UID_MAX, the default is 60000. |
Home Directory (CREATE_HOME) | Whether a home directory is created for the user when the account is created. |
Umask (UMASK) | The umask that determines the default permissions of a new home directory (newer versions use HOME_MODE for this instead). |
UPG (USERGROUPS_ENAB) | yes if the distribution uses user private groups, no otherwise. |
Encryption (ENCRYPT_METHOD) | The hashing method used for the password hashes stored in /etc/shadow (SHA512 or YESCRYPT on current systems). Passwords are hashed, not encrypted. |
Creating a New User
useradd Command
a lower-level user addition utility that is available on all Linux distributions. It requires additional options to set up the account entirely (home directory, password, supplementary groups).
Create a new user (the UID is the smallest value at or above UID_MIN from /etc/login.defs that is greater than every existing user's UID in the ordinary range):
sudo useradd username
Create a new user with the specified UID:
sudo useradd --uid id username
Create a new user with the specified shell:
sudo useradd --shell path/to/shell username
- It is common to specify the /sbin/nologin shell for system accounts.
Create a new user belonging to additional groups (mind the lack of whitespace):
sudo useradd --groups group1,group2,... username
Create a new user with the default home directory:
sudo useradd --create-home username
Create a new user with the home directory filled by template directory files:
sudo useradd --skel path/to/template_directory --create-home username
Create a new system user without the home directory:
sudo useradd --system username
Give a short description of the account, mostly used to hold the user’s full name.
sudo useradd --comment 'string' username
adduser Command
a higher-level user addition utility that is not available on all Linux distributions: on Debian-family systems it is a front end to useradd that applies the distribution's standard settings and prompts for what useradd leaves unset, while on Red Hat-based systems adduser is simply a symlink to useradd.
Create a new user with a default home directory and prompt for the new user's password and description:
sudo adduser username
Create a new user without a home directory:
sudo adduser --no-create-home username
Create a new user with a home directory at the specified path:
sudo adduser --home path/to/home username
Create a new user with the specified shell set as the login shell:
sudo adduser --shell path/to/shell username
Create a new user belonging to the specified group:
sudo adduser --ingroup group username
Username Conventions
Usernames follow the same rules as group names (see Group Naming Conventions above).
Use the --badname option of useradd to allow names that do not conform to these rules; the Debian adduser has the equivalent --allow-bad-names (formerly --force-badname) option.
User Identifier (UID) Considerations
If the system is attached to a network with other systems (NFS exports, shared storage), ensure that each user's UID is the same on all of them: the kernel and the filesystem identify owners by number, so a mismatch gives the wrong person access to files.
UIDs can range from zero to over 4,000,000,000, but for greatest compatibility with older systems the maximum recommended UID value is 60,000.
The root user has a UID of 0, and it is the number, not the name, that grants the privileges. Any account with a UID of 0 is root, so audit /etc/passwd for such entries: a second UID 0 account is a common backdoor.
System accounts used by services generally use UIDs in the reserved range (1-499, or 1-999 on modern systems). One exception is the nobody user (nfsnobody on older Red Hat systems), which has UID 65534.
When setting up a new system, start ordinary UIDs at 1000 or higher so that the reserved range leaves room for many system services, and keep GIDs out of the range that future UIDs will occupy.
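The UID checks above, as an added example that is not part of the original page: an audit of a passwd-format file for extra UID 0 accounts, shared UIDs and system accounts that still have a login shell, plus a comparison of two systems' files for the cross-host UID mismatch described at the start of this section. The file paths are arguments so the audit can run on copies; the data in demo() is constructed for illustration (toor and mallory are made-up problem accounts).

```shell
#!/bin/sh
# Added example, not from the original page.

# audit_passwd [FILE] [UID_MIN]
#   Reports: accounts other than root with UID 0; a UID used by more than one
#   account; accounts below UID_MIN (default 1000) that have a real login shell.
#   Returns 1 if anything was found, 0 if the file is clean.
audit_passwd() {
    awk -F: -v min="${2:-1000}" '
        # /etc/passwd lines have exactly 7 fields: name:pw:uid:gid:gecos:home:shell
        NF != 7 { printf "line %d: malformed entry (%d fields)\n", NR, NF; bad++; next }
        $3 == 0 && $1 != "root" { printf "%s: UID 0 (superuser) account\n", $1; bad++ }
        ($3 in seen) { printf "%s: shares UID %s with %s\n", $1, $3, seen[$3]; bad++ }
        { seen[$3] = $1 }
        $3 + 0 > 0 && $3 + 0 < min + 0 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
            printf "%s: system account (UID %s) with login shell %s\n", $1, $3, $7; bad++
        }
        END { exit bad > 0 }
    ' "${1:-/etc/passwd}"
}

# compare_uids FILE_A FILE_B
#   List users present in both passwd files whose UIDs differ, which is the
#   consistency problem on shared storage. Returns 1 if any mismatch was found.
compare_uids() {
    awk -F: '
        NR == FNR { uid_a[$1] = $3; next }          # first file: remember UIDs
        ($1 in uid_a) && uid_a[$1] != $3 {
            printf "%s: UID %s here, %s on the other system\n", $1, uid_a[$1], $3; bad++
        }
        END { exit bad > 0 }
    ' "$1" "$2"
}

# Demonstration on constructed sample files (not a real system's data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
mallory:x:1001:1002:Mallory:/home/mallory:/bin/bash
EOF
    cat > "$tmp/passwd.other" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
    echo "== audit"
    audit_passwd "$tmp/passwd" 1000 || echo "(problems found)"
    echo "== UID consistency"
    compare_uids "$tmp/passwd" "$tmp/passwd.other" || echo "(mismatches found)"
    rm -rf "$tmp"
}
demo
```

The shell check is a heuristic: /bin/sync, halt and shutdown are legitimate on old systems and are whitelisted, but a site that uses other special shells should extend the pattern rather than ignore the finding.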
Passwords
Factors to Consider
Factor | Description |
---|---|
Length | Minimum length specified in /etc/login.defs file |
Composition | A combination of alphabetic, numeric and symbolic characters |
Lifetime | Amount of time that a password can be used at maximum should be limited to minimise security threats |
- For highly sensitive accounts, passwords should be changed frequently (every 30 days), while non-critical accounts only need to change their passwords every 90 days. Note that current guidance (NIST SP 800-63B) discourages routine rotation without evidence of compromise, because it pushes users toward weak, predictable variations; aging is most useful as a way to retire unused accounts.
- If an account is compromised and the time the password is valid is limited, the intruder loses access when the password becomes invalid, unless they have already added another credential such as an SSH key.
- If an account is not being used, it can be disabled automatically when the password is no longer valid.
- If attackers are attempting a brute-force attack by trying every possible password, the password can be changed before the attack succeeds; rate limiting and lockout (pam_faillock, fail2ban) remain the primary defence.
Setting a User Password
The passwd command changes a user's password.
Change the password of the current user interactively:
passwd
Change the password of a specific user:
passwd username
Get the current status of a user's password (L = locked, NP = no password, P = usable password, followed by the aging fields):
passwd -S username
Remove the password from an account, making it passwordless:
passwd -d username
- A passwordless account can be logged into without any authentication wherever the service permits empty passwords. To disable logins instead, use the --lock (-l) option, which prefixes the hash in /etc/shadow with !, and --unlock (-u) to reverse it.
Managing Password Aging
The chage command changes the user account and password expiry information stored in the /etc/shadow file.
List password information for the user:
chage --list username
Set the maximum password age to 10 days (the password expires 10 days after it was last changed):
sudo chage --maxdays 10 username
Disable password expiration:
sudo chage --maxdays -1 username
Set account expiration date:
sudo chage --expiredate YYYY-MM-DD username
Force user to change password on next log in:
sudo chage --lastday 0 username
Set the number of days of warning before a password expires:
sudo chage --warndays 3 username
Display the maximum number of days between password changes (field 5 of /etc/shadow; kali is the user being inspected, and the anchored pattern avoids matching other lines that merely contain the name):
sudo grep '^kali:' /etc/shadow | cut -d: -f1,5
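The aging fields chage manipulates, and the password-lifetime reasoning under Factors to Consider, as an added example that is not part of the original page: an audit of a shadow-format file that reports empty passwords, maximum ages above policy, passwords past their maximum and expired accounts, using the same day-count encoding that makes chage --lastday 0 force a change and lets usermod --expiredate take an integer. The file is an argument so it can run on a copy; the entries in demo() are constructed with placeholder hashes and are not from a real system.

```shell
#!/bin/sh
# Added example, not from the original page.
#
# /etc/shadow fields (colon separated):
#   1 name  2 hash  3 last change  4 min days  5 max days  6 warn days
#   7 inactive days  8 account expiry  9 reserved
# Fields 3 and 8 are day counts since 1970-01-01.

# days_since_epoch: today's date as a day count, the unit used in /etc/shadow
days_since_epoch() {
    echo $(( $(date -u +%s) / 86400 ))
}

# day_to_date DAYS: convert a shadow day count back to YYYY-MM-DD
day_to_date() {
    secs=$(( $1 * 86400 ))
    date -u -d "@$secs" +%F 2>/dev/null || date -u -r "$secs" +%F   # GNU date, then BSD
}

# shadow_audit FILE MAX_DAYS [TODAY]
#   TODAY is a day count (defaults to now) so results are reproducible.
#   Prints one line per finding; returns 1 if any policy violation was found.
shadow_audit() {
    awk -F: -v max="$2" -v today="${3:-$(days_since_epoch)}" '
        NF < 8 { next }                           # not a shadow entry
        # An empty hash means no password is required at all.
        $2 == "" { printf "%s: empty password field\n", $1; bad++ }
        # Locked (!...) or disabled (*) hashes cannot be used to log in; skip aging.
        $2 ~ /^[!*]/ { next }
        # Max age missing, or above policy (99999 is the "never expires" default).
        $5 == "" || $5 + 0 > max + 0 {
            printf "%s: max age %s days exceeds policy of %s\n", $1, ($5 == "" ? "unset" : $5), max; bad++
        }
        # Last change 0 or empty: the user must set a new password at next login.
        $3 == "" || $3 + 0 == 0 { printf "%s: must change password at next login\n", $1; next }
        $5 != "" && today - $3 > $5 + 0 {
            printf "%s: password expired %d days ago\n", $1, today - $3 - $5; bad++
        }
        $8 != "" && $8 + 0 <= today + 0 { printf "%s: account expired\n", $1; bad++ }
        END { exit bad > 0 }
    ' "$1"
}

# Demonstration on a constructed sample (placeholder hashes, fixed "today").
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:$6$salt$hash:19750:0:90:7:::
svc:*:19000:0:99999:7:::
alice:$6$salt$hash:19600:0:90:7:::
bob:$6$salt$hash:19780:0:99999:7:::
guest::19780:0:90:7:::
carol:$6$salt$hash:0:0:90:7:::
old:$6$salt$hash:19780:0:90:7::19790:
EOF
    echo "auditing as of $(day_to_date 19800) with a 90-day policy:"
    shadow_audit "$tmp" 90 19800 || echo "(violations found)"
    rm -f "$tmp"
}
demo
```

Reading /etc/shadow itself requires root; the locked-hash rule is what keeps service accounts (svc above) out of the report, and it is also why passwd --lock is the right way to park an account rather than letting its password silently age out.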
Deleting a User
The userdel command removes a user account together with its entries in the group files. It does not remove a user from a single group; use gpasswd --delete or usermod for that.
Remove a user without deleting the user’s home directory:
sudo userdel username
Remove a user from a system mounted under another root directory (for example an image being prepared offline):
sudo userdel --root path/to/other/root username
Remove a user along with the home directory and mail spool:
sudo userdel --remove username
- Files the user owns outside the home directory are not removed and become orphaned (find with the -nouser option lists them); a new account that later receives the same UID inherits them, so reassign or delete them as part of offboarding. userdel also refuses to remove a user who has running processes unless --force is given.
Modifying a User
The usermod command modifies a user account.
Change a username (the home directory is not renamed; combine with --home and --move-home to do that):
sudo usermod --login new_username username
Change a user id (files in the home directory and the mail spool are re-owned automatically; files elsewhere keep the old numeric UID and must be fixed with find -uid and chown):
sudo usermod --uid id username
Change a user shell:
sudo usermod --shell path/to/shell username
Add a user to supplementary groups (mind the lack of whitespace):
sudo usermod --append --groups group1,group2,... username
- Without --append, --groups replaces the user's entire supplementary group list with the groups given, silently removing the user from every group not listed.
Change a user home directory:
sudo usermod --move-home --home path/to/new_home username
Set account expiration date:
sudo usermod --expiredate YYYY-MM-DD username
sudo usermod --expiredate INT username
- An integer is interpreted as the number of days since 1970-01-01, which is how the expire field is stored in /etc/shadow.
- An input of -1 or an empty string clears the account expiration field, and the account remains usable with no date limit.