Featured image

Table of Contents Link to heading

User Accounts and Groups Link to heading

User accounts designed to provide security since each person on the system must log in using a user account which either allows the person to access specific files and directories or disallows such access, accomplished using file permissions.

Each user belongs to at least one group (often many) to allow users to more easily share data that is stored in files with other users.

User and group account data is stored in database files. Knowing the content of these files allows you to better understand which users have access to files and directories on the system. These database files also contain vital security information that may affect the ability of a user to log in and access the system.

Several commands provide the ability to see user and group account information, as well as to switch from one user account to another (provided you have the appropriate authority to do so). These commands are valuable for investigating usage of the system, troubleshooting system problems, and monitoring unauthorised access to the system.

Administrative Accounts Link to heading

allows logging in to the system as the root user to execute a command that requires administrative or root privileges.

Risks with logging in as the root user:

  1. Everything about your session (background processes, executables) runs as the root user
  2. May forget you are logged in as root and run a command that could cause problems on the system
  3. May forget to log out to do their non-administrative work, allowing programs such as browsers and email clients to be run as the root user without restrictions on what they could do

Thus, it is not recommended to log in as the root user directly to perform administrative tasks. If the root account is disabled, as it is on the Ubuntu distribution, then administrative commands can be executed using the sudo command. If the root account is enabled, then a regular user can execute the su command to switch accounts to the root account.

Switching Users (su) Link to heading

The su command allows a user to switch shell to another user.

  • Using the login shell option results in fully configuring the new shell with settings of new user. If username is not specified su opens a new shell as root user.
  • After pressing Enter, user must provide password of root user.
  • Use the exit command to return to original shell (user account).

Commands:

  • Switch to superuser (requires the root password):

    su

  • Switch to a given user (requires the user’s password):

    su username

  • Switch to a given user and simulate a full login shell:

    su - username

  • Execute a command as another user:

    su - username --command "command"

Executing Privileged Commands Link to heading

The sudo command allows a user to execute a single command as the superuser or another user.

  • Can be used in distributions that do not allow root user login.
  • Prompts for the user’s own password instead that of the root user.
  • Results in an entry placed in a log file for accountability and reduces risk associated with using root.

Commands:

  • Run a command as the superuser:

    sudo less /var/log/syslog

  • Edit a file as the superuser with your default editor:

    sudo --edit /etc/fstab

  • Run a command as another user and/or group:

    sudo --user=user --group=group id -a

  • Repeat the last command prefixed with sudo (only in bash, zsh, etc.):

    sudo !!

  • Launch the default shell with superuser privileges and run login-specific files (.profile, .bash_profile, etc.):

    sudo --login

  • Launch the default shell with superuser privileges without changing the environment:

    sudo --shell

  • Launch the default shell as the specified user, loading the user’s environment and reading login-specific files (.profile, .bash_profile, etc.):

    sudo --login --user=user sudo --user=user --group=group id -a

  • List the allowed (and forbidden) commands for the invoking user:

    sudo --list

User Accounts: /etc Link to heading

contains files which contain account data of users and groups defined on the system.

The /etc/passwd file defines some account information for user accounts.

  • Each line contains information about a single user.
  • Name, password placeholder, user ID (UID), primary group ID, comment, home directory, and shell.
  • Fields are separated by a colon

An efficient way to check if a specific user has been defined on a system is to search the /etc/passwd file using the grep command. For example, to see the account information for the user named sysadmin, use the following command:

grep sysadmin /etc/passwd

Passwords: /etc/shadow Link to heading

This file contains account information related to the user’s password.

However, only the root user is allowed to view the the file’s contents for security reasons.

FieldDescription
UsernameUsername of the account (matches username in /etc/passwd)
PasswordEncrypted password for the account
Last ChangeLast time password was changed
MinMinimum number of days between password changes
MaxMax number of days password is valid
WarnNumber of days before password expiry in the system warns the user
InactiveGrace period in which user’s password can be changed
ExpireNumber of days when user accounts will expire (from January 1, 1970)
ReservedCurrently not used, this field is reserved for future use

In addition to the grep command, another technique for retrieving user information contained in the /etc/passwd and /etc/shadow files is to use the getent command, which retrieves account information that is defined locally, in files such as /etc/passwd and /etc/shadow, or on a network directory server.

The general syntax of a getent command is:

getent database record

For example, the following command would retrieve account information for the sysadmin user from the /etc/passwd file:

getent passwd sysadmin

Commands:

  • Get list of all groups:

    getent group

  • See the members of a group:

    getent group group_name

  • Get list of all services:

    getent services

  • Find a username by UID:

    getent passwd 1000

  • Perform a reverse DNS lookup:

    getent hosts host

getent

Types of Accounts Link to heading

User Account Link to heading

logs into the system using regular user accounts; UID 500 or > 1000 on some systems.

Root Account Link to heading

The root user has special access to the system and is provided to the account with a UID of 0.

System Account Link to heading

designed to provide accounts for services that are running on the system; 1 > UID > 499.

System accounts have some fields in the /etc/passwd and /etc/shadow that are different from other accounts:

  1. Rarely have home directories as they typically are not used to create or store files.
  2. Have a nologin program in the shell field
  3. Typically have an asterisk * character in place of the password field

Group Accounts Link to heading

Each user can be a member of one or more groups, which can also affect the level of access to the system.

Traditionally, UNIX systems limited users to belonging to no more than a total of 16 groups, but the recent Linux kernels support users with over 65,000 group memberships.

The /etc/passwd file defines the primary group membership for a user.

The /etc/group file is another colon-delimited file that defines supplemental (or secondary) group membership.

FieldDescription
Group NameField contains the group name. The system typically uses group IDs rather than group names.
Password PlaceholderWhile there are passwords for groups, they are rarely used in Linux. If the administrator makes a group password, it would be stored in the /etc/gshadow file. The x in this field is used to indicate that the password is not stored in this file.
GIDUnique group ID associated with a group.
User ListLists members in the group. Users who are assigned to additional groups would have their username placed in this field.

To view information about a specific group, either the grep or getent commands can be used. For example, the following commands display the mail group account information:

grep mail /etc/group
getent group mail

The groups command prints group memberships for a user.

  • Print group memberships for the current user:

    groups

  • Print group memberships for a list of users:

    groups username1 username2 ...

groups

Other commands to work with groups include: groupadd, groupdel, and groupmod.

Viewing User Information Link to heading

id Command Link to heading

displays current user and group identity.

Command:

  • Display current UID, GID, and groups to which they belong:

    id

  • Display the current UID as a number:

    id -u

  • Display the current GID as a number:

    id -g

  • Display all the GIDs:

    id -G

  • Display all the GIDs that have been resolved to group names:

    id -Gn

  • Display an arbitrary UID, GID, and groups to which they belong:

    id username

id

who command Link to heading

displays who is logged in and related data (processes, boot time).

Output:

  1. Username - indicates user who is logged in and has an open session.
  2. Terminal - indicates which terminal window the user is working in.
    • tty indicates a local login whereas pts indicates a pseudo terminal.
  3. Date - indicates when user logged in.
    • A hostname means user logged in remotely.
    • A colon and number means a graphical local login.
    • No location info means user logged in via local command line.

Command:

  • Display the username, line, and time of all currently logged-in sessions:

    who

  • Display information only for the current terminal session:

    who am i

  • Display all available information:

    who -a

  • Display all available information with table headers:

    who -a -H

who

Viewing Current Users Link to heading

The w command shows who is logged on and what they are doing; prints user login, TTY, remote host, login time, idle time, and current process.

  • Show logged-in users info:

    w

  • Show logged-in users info without a header:

    w -h

The users command displays a list of logged in users.

  • Print logged in usernames:

    users

  • Print logged in usernames according to a given file:

    users /var/log/wmtp

Viewing Login History Link to heading

The last command shows previous login sessions as well as current login information by examining the /var/log/wtmp file for all login records.

  • View last logins, their duration and other information as read from /var/log/wtmp:

    last

  • Specify how many of the last logins to show:

    last -n login_count

  • Print the full date and time for entries and then display the hostname column last to prevent truncation:

    last -F -a

  • View all logins by a specific user and show the IP address instead of the hostname:

    last username -i

  • View all recorded reboots (i.e. the last logins of the pseudo user “reboot”):

    last reboot

  • View all recorded shutdowns (i.e. the last logins of the pseudo user “shutdown”):

    last shutdown

last