Two of the most important responsibilities of any administrator are the administration and monitoring of users on a Linux network. Good foresight on the part of a system administrator will prevent unnecessary downtime and will uncover security holes before they become a problem. In this Daily Drill Down, I’ll discuss adding, modifying, or deleting user and group accounts with command line tools, and I’ll talk about creating root or privileged user accounts.
Managing users with command line tools
Creating a user
You can create a new user very easily. At the command line, type useradd followed by the username. To create a new user with the username guest, run:
useradd guest
If you see the message "command not found," type /usr/sbin/useradd guest instead. If you still get the same message, type which useradd to locate the useradd program and run it by its full path.
This command uses system defaults to create a new line in the /etc/passwd file. When I ran the command, /etc/passwd showed the following new line:
Look at the second field from the left. It contains only an x because it is the password field (the password itself is stored elsewhere, as explained below). To create a password for the user guest, run the following command:
passwd guest
On my system, I entered the word guest for both the username and its password. The passwd command will ask you to enter the password twice. After the password is accepted, it’s encrypted and added to the user's line in /etc/passwd.
The useradd command will create the User Identification (UID) and the Group Identification (GID) automatically. To illustrate what happens, let's examine my /etc/passwd file.
xfs:x:100:102:X Font Server:/etc/X11/fs:/bin/false
The fields with which we're concerned are the first line and the last two lines. The first line is for the root user (or superuser). A root user is mandatory for Linux. This user is created during the installation process, and the person who performs the install supplies the password. The root UID and GID are always 0, and the default group for root is always 0.
Now, look at the last two lines in the file. The user jim was created as soon as I finished installing Linux. The first field is the username; the second field is the password field. You’re probably wondering why there’s an x in the password field instead of a combination of letters and numbers. The x appears because I'm using a process called password shadowing. You should use this process, too. (We'll discuss how to shadow passwords later. For now, let's concentrate on /etc/passwd.) Exclamation points (!!) mean that no password exists for the user yet. A combination of letters, numbers, and characters (such as /-$) would denote an encrypted password without password shadowing. The fifth field is the user's full name—in this case, my name. The sixth field is the user's home directory; it is created under the top-level /home directory. The last field is the user's default login shell—in this case, the bash shell. It’s a typical default for Linux, and it’s selected from a system default.
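As an added example (not part of the article and not taken from the author's system), the following POSIX shell script parses a constructed /etc/passwd sample with awk and pulls out the fields discussed above. It also flags the two conditions an administrator reviewing this file cares about: any second account with UID 0, and any password field that is not the shadow marker x. The sample accounts and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
xfs:x:100:102:X Font Server:/etc/X11/fs:/bin/false
secondroot:x:0:0:Second UID 0 account:/root:/bin/bash
oldacct:$1$salt$hashhashhash:501:501:Unshadowed hash:/home/oldacct:/bin/bash
newacct:!!:503:503:No password yet:/home/newacct:/bin/bash
guest::502:502:Empty password field:/home/guest:/bin/bash
jim:x:500:500:Jim McIntyre:/home/jim:/bin/bash'

# Field 3 is the UID. Any account other than root with UID 0 is a second
# superuser; it must be accounted for or removed.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 is the password field. With shadowing it is exactly "x"; anything
# else is worth a look: an empty field means no password is needed at all,
# "!!" or "*" means the account is locked or has no password yet, and a
# hash means the password is stored in the world-readable /etc/passwd.
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" {
        if ($2 == "") kind = "EMPTY"
        else if ($2 ~ /^[!*]/) kind = "LOCKED"
        else kind = "HASH_IN_PASSWD"
        print $1 ":" kind }'
}

# Print the seven fields of one account with the names used in the article.
describe_account() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u {
        printf "user=%s uid=%s gid=%s name=\"%s\" home=%s shell=%s\n", $1, $3, $4, $5, $6, $7 }'
}

# Stand-alone run: audit the sample.
echo "UID 0 accounts besides root:"; uid0_accounts "$SAMPLE_PASSWD"
echo "Password fields that are not x:"; unshadowed_accounts "$SAMPLE_PASSWD"
describe_account "$SAMPLE_PASSWD" jim
```

To run the same checks against a live system, pass the contents of the real file, for example uid0_accounts "$(cat /etc/passwd)"; the functions only read, never modify.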
To override a default, you must specify a command line option. Let's say that you have a group of users from a financial department. They regularly use a spreadsheet application on your system (and not much else). You could create a new group called finance and make it the default group for spreadsheet users. To create the group, run groupadd:
groupadd finance
Now, if you need to create a spreadsheet user named jane, you could use this command:
/usr/sbin/useradd -g finance jane
This command creates a user named jane with a default group of finance. If existing users need to be placed in the finance group, you could run the following command:
usermod -g finance jim
This command makes the finance group jim's new default group. If you need to make a particular user a member of more than one group at a time, use the -G option with the useradd command:
/usr/sbin/useradd -G wheel,finance joe
This command creates the user joe with a default group of joe. At the same time, this user also becomes a member of the groups wheel and finance. To see which groups exist and who the members of any group are, run:
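The membership question above has two parts that no single file answers: a user's primary group lives in /etc/passwd (the GID field), while supplementary groups live in the member list of /etc/group. The following added example (not part of the article) resolves both directions with awk over constructed copies of the two files; the sample users, groups and function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group samples (not from any real system).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jim:x:500:500:Jim McIntyre:/home/jim:/bin/bash
jane:x:501:600:Jane:/home/jane:/bin/bash
joe:x:502:502:Joe:/home/joe:/bin/bash
EOF
cat > "$WORK/group" <<'EOF'
root:x:0:
wheel:x:10:jim,joe
jim:x:500:
joe:x:502:
finance:x:600:jim,joe
EOF

# Every group a user belongs to: the primary group is the name whose GID
# (group field 3) matches the user's GID (passwd field 4); supplementary
# groups list the user in the member field (group field 4).
user_groups() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }          # first file: passwd
        {
            if ($3 == gid) primary = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) sup = sup " " $1
        }
        END { print primary sup }
    ' "$WORK/passwd" "$WORK/group"
}

# Every member of a group: users named in the member field plus users
# whose primary GID is that group, which /etc/group alone does not show.
group_members() {
    awk -F: -v g="$1" '
        FNR == NR {                                          # first file: group
            if ($1 == g) { gid = $3; n = split($4, m, ","); for (i = 1; i <= n; i++) mem[m[i]] = 1 }
            next
        }
        $4 == gid { mem[$1] = 1 }                            # second file: passwd
        END { for (u in mem) print u }
    ' "$WORK/group" "$WORK/passwd" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run against the samples.
echo "jim belongs to: $(user_groups jim)"
echo "jane belongs to: $(user_groups jane)"
echo "finance members: $(group_members finance)"
```

Point the two awk invocations at /etc/passwd and /etc/group to use this on a real machine; note that jane shows up as a finance member only because of her primary GID, which is exactly the case that reading /etc/group by hand misses.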
Modifying existing user information
The passwd command can change a user's password, as in:
passwd joe
This command allows you to change joe's password. You’ll be prompted for a new password for this user; then, you’ll be prompted for the password again. As root, you can change any password on the system. As a user, you may only change your own password.
Changing the user's home directory
To change a user’s home directory, run the following command:
usermod -d <new homedir> <username>
To change jim’s home directory from /home/jim to /home/jim1, run:
usermod -d /home/jim1 jim
To move the information that’s contained in a user's home directory to the new location, run:
usermod -d /home/jim1 -m jim
This command moves all files in jim's current home directory to the new home directory.
Changing UIDs and GIDs
To change a user's UID, run the command:
usermod -u <UID> <username>
The following command changes jim's UID to 555:
usermod -u 555 jim
To change a user's GID, run the command:
usermod -g <GID> <username>
The following command changes jim's GID to 555:
usermod -g 555 jim
Changing an account expiration date
Changing an account expiration date is useful for situations where someone needs only temporary access to a system. The administrator can set the account expiration date so that the account is disabled on a set date. The command syntax is (where YYYY-MM-DD is the year, month, and day on which you want the account to expire):
usermod -e YYYY-MM-DD <username>
Let's say that I want an account for user guest to expire on March 1, 2000. The command syntax would be:
usermod -e 2000-03-01 guest
This command resets the account expiration date for the user guest to March 1, 2000.
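Under the hood, usermod -e stores that date in /etc/shadow (field 8) as a count of days since January 1, 1970, and login refuses the account once the current day reaches that number. The following added example (not part of the article) converts a YYYY-MM-DD date to that day number with plain awk arithmetic and uses it to list which accounts in a constructed /etc/shadow sample are expired as of a given date. The sample accounts and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Convert YYYY-MM-DD to days since 1970-01-01, the unit /etc/shadow stores
# in field 8 (account expiration). Pure awk arithmetic (the days_from_civil
# calendar algorithm), so it does not depend on the GNU date -d extension.
date_to_days() {
    printf '%s\n' "$1" | awk -F- '{
        y = $1 + 0; m = $2 + 0; d = $3 + 0
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# Constructed sample in /etc/shadow format (not from any real system).
# Field 8 is the expiration day number; empty means the account never expires.
SAMPLE_SHADOW='root:$6$hashhashhash:10950:0:99999:7:::
jim:$6$hashhashhash:10950:0:99999:7:::
guest:$6$hashhashhash:10950:0:99999:7::11017:
temp:$6$hashhashhash:10950:0:99999:7::10990:'

# Accounts whose expiration day is on or before the given date, i.e. the
# accounts that login refuses on that date.
expired_accounts() {
    asof=$(date_to_days "$1")
    printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: -v today="$asof" '$8 != "" && $8 + 0 <= today { print $1 ":" $8 }'
}

# Stand-alone run: March 1, 2000 is day 11017, so guest expires that day.
echo "2000-03-01 = day $(date_to_days 2000-03-01)"
echo "Expired as of 2000-03-01:"
expired_accounts 2000-03-01
```

On a real system, chage -l <username> prints the same field as a readable date, which is the quickest way to confirm that a usermod -e change took effect.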
Changing finger information
Using the finger command, we can gain information about users on a system. The syntax to finger a user is:
finger <username>
The user's full name, office location, and phone number are common pieces of information that are obtained from finger. The chfn command is used to change a user's finger information. To change finger information for jim, the syntax would be:
chfn jim
You’ll be prompted for new finger information for the user. Finger information is stored in /etc/passwd, but users can create a file called .plan in their home directory. The contents of that file are appended to the information shown by the finger command.
Deleting and disabling users
To delete a user from your system, use the userdel command. The syntax for this command is:
userdel <username>
To also delete the user's home directory and its contents, use the syntax:
userdel -r <username>
To delete the user guest from your system, run:
userdel guest
Often, you’ll want to disable an account temporarily to prevent logins. You can accomplish this task through any of the following methods:
- Use the usermod command to set the user's password to expire immediately.
- Create a file named /etc/nologin. Place a simple text message in the file that explains why users can’t log in. (As long as this file exists, no user other than root will be able to log in.)
- Edit /etc/shells and append a shell named /bin/false to it. Then, run the command usermod -s /bin/false <username>. (It prevents the user from logging in.)
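Each of these methods leaves a different trace, so an administrator auditing who can actually log in has to read more than one place. The following added example (not part of the article) reports, for constructed /etc/passwd and /etc/shadow samples, whether each account is active, has a locked password (the "!" prefix that passwd -l and usermod -L write in front of the hash), or has a non-interactive shell such as /bin/false, and it checks for the /etc/nologin file by path. The sample accounts, the status labels and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow samples (not from any real system).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jim:x:500:500:Jim:/home/jim:/bin/bash
joe:x:501:501:Joe:/home/joe:/bin/false
sue:x:502:502:Sue:/home/sue:/sbin/nologin
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$hashhashhash:10950:0:99999:7:::
jim:!$6$hashhashhash:10950:0:99999:7:::
joe:$6$hashhashhash:10950:0:99999:7:::
sue:$6$hashhashhash:10950:0:99999:7:::
EOF

# Report how each account stands: a shadow hash prefixed with "!" or "*"
# is a locked password (what passwd -l / usermod -L write), and a login
# shell of /bin/false or nologin ends the session right after authentication.
login_status() {
    awk -F: '
        FNR == NR { if ($2 ~ /^[!*]/) locked[$1] = 1; next }   # first file: shadow
        {
            status = "active"
            if ($1 in locked) status = "locked-password"
            else if ($7 == "/bin/false" || $7 ~ /nologin$/) status = "no-shell"
            print $1 ":" status
        }
    ' "$WORK/shadow" "$WORK/passwd"
}

# The /etc/nologin method blocks every non-root login while the file exists.
# The path is a parameter so the check can be run against a sample file.
nologin_active() {
    if [ -e "$1" ]; then echo yes; else echo no; fi
}

# Stand-alone run against the samples.
login_status
printf 'System maintenance, back at noon.\n' > "$WORK/nologin"
echo "nologin in effect: $(nologin_active "$WORK/nologin")"
```

Run with the real file paths (and as root, since /etc/shadow is not world-readable) to get the same report for a live system; an account showing "active" here can still be blocked by an expiration date, which is a separate field covered in the expiration section.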
Now, you should be able to add, modify, or delete user and group accounts with the commands that I’ve discussed, and you should be able to create root or privileged user accounts. In the long run, this knowledge will make your job of administering and monitoring users a lot easier. As I mentioned earlier, however, nothing is more important than good foresight on your part. If you can spot problems before they arise, then you can curtail a lot of frustration and unnecessary down time.
Jim McIntyre has been training users on IT-related subjects since 1988. He began his training career as a sonar operator in the Canadian Navy. After retiring early from the military in 1996, Jim completed the Novell CNE program, the Adult Education program at Saint Francis Xavier University, and the Webmaster Program at Dalhousie University. He also graduated from the Train the Computer Trainer program at Dalhousie, where he now serves as a contract instructor. Jim has extensive technical support experience, and he tries to see technical problems as training opportunities. If Jim had a motto, it would be: "Share what you know; learn what you don't." He didn't come up with that phrase, but he likes it.