dcsimg

User and Group Management 101

Whether you're new to managing users and groups or just need a quick refresher, this tutorial will sharpen your sys admin chops.

OK, class settle down, find your seats, fire up your Linux systems and follow along with me for this user and group administration tutorial. This article is your short course on user and group administration using some commands that you’ve perhaps never seen or used before. User management doesn’t have to induce hair pulling (yours or theirs) nor does it have to make you hate user’s existence. Following a single, simple rule will make your life as a system administrator easier: Give your users access to what they need, no more and no less.

Any salty system administrator (SA) will tell you that you’re supposed to manage users with group permissions, and that’s true, but you still have to create those users, place them into groups, remove users and manage user access. It is these basic user management activities that you’ll explore in this week’s post.

Group Commands

Let’s appease those rusty old system administrators by first learning about groups and how to manage them. Group definitions reside in the /etc/group file. A standard Linux /etc/group file contains the following information: groupname:x:groupid:user list.

The “x” in the group definition file is a deprecated placeholder for a group password.

To find out which groups you belong to, type groups at a command prompt.

$ groups
khess rdpusers

By default on most Linux systems, when an administrator creates a new user account, the system automatically creates a group account with the same name as the user account. An SA can specify a group when he creates the account but the group must already exist.

Here are two illustrative examples:

# useradd fred

# grep fred /etc/passwd
fred:x:504:506::/home/fred:/bin/bash

# grep fred /etc/group
fred:x:506:
# useradd -g 100 -c "Bob Alobdob" bob

# grep bob /etc/passwd
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash

# grep bob /etc/group
#

Why did the system return no response when you typed in grep bob /etc/group? It’s because the users group is Bob’s primary group. If users were a secondary group, Bob’s username would appear in the list. For example, create a new user with rpdusers (Group ID 504) as a secondary group.

# useradd -G 504 -c "Jon Shmon" john

# grep john /etc/passwd
john:x:506:507:Jon Shmon:/home/john:/bin/bash

# grep john /etc/group
rdpusers:x:504:khess,john
john:x:507:

A group must exist before you assign users to it. The groupadd command creates new groups with a specific Group ID (GID) and name.

# groupadd -g 1040 accounting

# grep 1040 /etc/group

accounting:x:1040:

You may also create a new group with just a group name and the system will assign a GID for you with the command, # groupadd groupname.

The groupmod command allows you to change the group name but the SA will have to change any files associated with the old group manually.

# groupmod -n accounting beancounters
# grep 1040 /etc/group
beancounters:x:1040:

Note: Don’t confuse chgrp (changes group permissions) with groupmod (changes the name of a group).

You can remove a group with the groupdel command.

# groupdel beancounters

If you prefer to edit configuration files directly, although you shouldn’t, the vigr command edits the /etc/group file in a safe manner by setting locks so that only one administrator at a time can edit the file.

Administrators rely heavily on the “group” commands for group administration, user administration and in scripting those functions for automated solutions.

User Commands

I call this collection of utilities the “user” commands because their functionality centers on user administration and not on action taken by the users themselves. Even if a user knows the location of these commands (/usr/sbin), they still can’t issue them without root privilege.

For example, a clever user on your system tries to issue useradd and vipw.

$ /usr/sbin/useradd steve
useradd: Only root may add a user or group to the system.

$ /usr/sbin/vipw
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged

The User commands have their Group analogs; you add a new user with useradd, modify a user account with usermod and delete a user account with userdel. And you edit the /etc/passwd file directly with vipw. You’ve already seen the useradd command in action in the Group Commands discussion.

The usermod allows SAs to alter any user account attribute including the user’s real name (comment field), home directory name, account expiration date, disabling functionality, group add and change, login name, account locking and unlocking, alter the user’s shell and more.

# grep khess /etc/passwd
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash

# usermod -c "Ken Hess" khess

# grep khess /etc/passwd
khess:x:500:500:Ken Hess:/home/khess:/bin/bash

The usermod command requires some restraint and careful typing when issuing commands that can make a user account unusable. Let’s say that Bob Alobdob, from an example in the Group discussion, wants his login name and home directory changed to robert.

# usermod -d "/home/robert" -m -l robert bob 

# grep robert /etc/passwd
robert:x:505:100:Bob Alobdob:/home/robert:/bin/bash

Notice how I explicitly entered “/home/robert” in the command? If you don’t specify the whole path, Robert won’t have a home directory nor will its contents exist anymore. The command, as shown, changes his current home directory from /home/bob to /home/robert, his login from bob to robert and the -m moves the contents of his “bob” home directory to his “robert” home directory. User permissions change to robert as well for all files in his home directory.

Note: You cannot change the login name of a currently logged in user.

The userdel command’s function might seem obvious to you but you might surprise yourself after issuing the command to find that the user’s home directory is still intact.

Why would any programmer allow that directory to remain as clutter on your home filesystem? This is actually a failsafe mechanism and you should thank the thoughtful programmer who maintains userdel.

What if two user names only differ by a single letter and you removed the wrong one? The incorrectly deleted user’s home directory and files were wiped from the system with a slip of your finger. With the failsafe mechanism in place, you have to manually remove the home directory and hopefully you would catch your error before doing so.

This introduction to user and group administration will point you in the right direction in your own duties as a new system administrator. Remember to think in terms of groups and add users to those groups as needed. Use the administrative tools and utilities provided to you and avoid directly editing any system file.

Have you ever wanted to see more information from your system than proc files or dmesg could give you? Well, your search is over. There are native tools that give you more than you imagined and we’ll have a look at them next week.

Comments on "User and Group Management 101"

bthoward

I find that this is all fine and dandy until you want to get just a tad more complicated.

For example I have a folder for the documents my wife and I keep on hand. I have a group called hoyt-trusted that my wife and I are members of. This group is intended to provide read/write access. However I have some users who visit that are trusted enough to have read access to that directory structure I put them in a group called hoyt. I want to use owners in this folder in the sense that I want my wife\’s files to be under her user account and I want my files to be under my user account. However we should be able to read and write to one another\’s files.

With the current structure this was not possible. After some digging I found ACL\’s. I really think that ACL\’s should become the standard way of doing things. Unless there is something better, but at the moment when I ran into this problem I found ACL\’s and I\’m loving the way they work! I also very much like the default control list which has solved other permissions issues that arise when you have many people creating files in a set folder. There are all sorts of ways that you can tweak things and you can usually find a way to get exactly the functionality that you want.

Now that I have all my groups and access control lists setup I only manage users by placing them into the groups to which they should belong. Their user then inherits all the permissions they should have and everyone gets along.

Reply
peterstoops

Very basic. I wouldn\’t allow any sysadmin on our servers who isn\’t familiar with these commands.

More interesting for me would be:
- I need to change the UID for a user.
- I need to change the GID for a group.
- I have usernames and groupnames with mixed cases, and want them all to be lowercase.

These are real cases we\’re facing, and after some thought, appear not too complex, until you\’re facing a big mixed environment with Linux, HP-UX, Solaris,… and you need all UIDs for a certain user to match, and GIDs for a group to match…

Ah, but we\’re nearly there, and then our nightmares will (hopefully) be over.

Good advise: Pay real close attention to this, you won\’t regret it! Good user and group management is a MUST!

Thanks for the article!

Reply
khess

@bthoward: You\’re right. ACL management is in a future post.

@peterstoops: You got it. I\’ll schedule those topics for a future post. In large, mixed environments, you would typically use some enterprise-level user management software. There are some good ones out there. I wouldn\’t want to manage an environment of any size without one. Imagine removing a user account from say, 500 systems, or even 50.

Reply
grabur

Small nitpick – you suggest bob changes his name to bobby, and then change it to robert!

Reply
khess

@grabur: fixed.

Reply

I am trying to find out what a primary and secondary group are in group management.

Thankyou, Chuck

Reply

Nice tutorial, than you…;)

Reply

Nice tutorial, thank you…;)

Reply

I loved your post.Really thank you! Really Cool.

Reply

Thanks again for the article.Really thank you! Awesome.

Reply

you’ve an ideal blog right here! would you like to make some invite posts on my blog?

Reply

I’ve read several just right stuff here. Certainly value bookmarking for revisiting. I surprise how so much effort you place to create any such fantastic informative site.

Reply

That is really fascinating, You are an overly skilled blogger. I’ve joined your feed and stay up for in the hunt for more of your excellent post. Also, I have shared your web site in my social networks!

Reply

I was just looking at your User and Group Management 101 | Linux Magazine site and see that your site has the potential to get a lot of visitors. I just want to tell you, In case you don’t already know… There is a website network which already has more than 16 million users, and the majority of the users are looking for websites like yours. By getting your site on this network you have a chance to get your site more visitors than you can imagine. It is free to sign up and you can read more about it here: http://yxbp.com/5kje – Now, let me ask you… Do you need your site to be successful to maintain your way of life? Do you need targeted traffic who are interested in the services and products you offer? Are looking for exposure, to increase sales, and to quickly develop awareness for your site? If your answer is YES, you can achieve these things only if you get your website on the network I am describing. This traffic service advertises you to thousands, while also giving you a chance to test the network before paying anything. All the popular sites are using this service to boost their traffic and ad revenue! Why aren’t you? And what is better than traffic? It’s recurring traffic! That’s how running a successful site works… Here’s to your success! Read more here: http://todochiapas.mx/C/3l0

Reply

Magnificent goods from you, man. I have understand your stuff previous to and you’re just too magnificent. I actually like what you’ve acquired here, certainly like what you’re stating and the way in which you say it. You make it enjoyable and you still take care of to keep it smart. I cant wait to read far more from you. This is actually a wonderful website.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>