
User and Group Management 101

Whether you're new to managing users and groups or just need a quick refresher, this tutorial will sharpen your sys admin chops.

OK, class, settle down, find your seats, fire up your Linux systems and follow along with me for this user and group administration tutorial. This article is your short course on user and group administration using some commands that you’ve perhaps never seen or used before. User management doesn’t have to induce hair pulling (yours or theirs), nor does it have to make you resent your users’ existence. Following a single, simple rule will make your life as a system administrator easier: Give your users access to what they need, no more and no less. That rule is the principle of least privilege, and every command below is a way of applying it.

Any salty system administrator (SA) will tell you that you’re supposed to manage users with group permissions, and that’s true, but you still have to create those users, place them into groups, remove users and manage user access. It is these basic user management activities that you’ll explore in this week’s post.

Group Commands

Let’s appease those rusty old system administrators by first learning about groups and how to manage them. Group definitions reside in the /etc/group file. Each line of a standard Linux /etc/group file has four colon-separated fields: groupname:x:groupid:user list.

The “x” in the password field is a placeholder: the group password, if one is set at all, lives in the root-only /etc/gshadow file rather than in the world-readable /etc/group. Group passwords (used with newgrp) are rarely set in practice. The user list holds only the accounts for which this is a secondary group; accounts whose primary group it is are not listed here, a point that matters in the examples below.

To find out which groups you belong to, type groups at a command prompt.

$ groups
khess rdpusers

By default on most Linux systems, when an administrator creates a new user account, useradd also creates a private group with the same name as the user account and makes it the user’s primary group. An SA can specify a different primary group with -g when creating the account, but that group must already exist. (Whether a private group is created is controlled by USERGROUPS_ENAB in /etc/login.defs; where it is disabled, new accounts land in the default group named in /etc/default/useradd, typically users, GID 100.)

Here are two illustrative examples:

# useradd fred

# grep fred /etc/passwd
fred:x:504:506::/home/fred:/bin/bash

# grep fred /etc/group
fred:x:506:
# useradd -g 100 -c "Bob Alobdob" bob

# grep bob /etc/passwd
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash

# grep bob /etc/group
#

Why did the system return no response when you typed grep bob /etc/group? Because users (GID 100) is Bob’s primary group, and a primary group is recorded only in the fourth field of the user’s /etc/passwd entry, never in /etc/group’s member list. If users were a secondary (supplementary) group, Bob’s username would appear in that list. For example, create a new user with rdpusers (GID 504) as a secondary group. The -G option accepts either a group name or a GID, and takes a comma-separated list when the user needs several.

# useradd -G 504 -c "Jon Shmon" john

# grep john /etc/passwd
john:x:506:507:Jon Shmon:/home/john:/bin/bash

# grep john /etc/group
rdpusers:x:504:khess,john
john:x:507:
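To see concretely why the grep for bob came back empty, here is an added example that is not part of the original article: a small POSIX shell script that resolves a user’s primary group from the passwd file (field 4) and secondary groups from the group file (member list), in the same order groups(1) prints them. The file paths are arguments, so it runs against constructed copies without root; the sample data below mirrors the accounts created above and is constructed, not taken from a live system. Pass /etc/passwd and /etc/group to use it for real.

```shell
#!/bin/sh
# Added example, not code from the original article: resolve a user's primary
# and secondary (supplementary) groups from files in /etc/passwd and /etc/group
# format. File paths are arguments so the script can be tried on constructed
# copies without root; pass /etc/passwd and /etc/group for live data.

# user_groups PASSWD_FILE GROUP_FILE USERNAME
# Prints "<primary group> <secondary groups...>" (the order groups(1) uses).
user_groups() {
    passwd_file=$1; group_file=$2; user=$3

    # Field 4 of the passwd entry is the primary GID. It is recorded only here,
    # which is why a grep for the user in /etc/group can come back empty.
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd_file")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }

    # Map the GID to a name via field 3 of the group file; a GID with no group
    # entry is shown as a bare number, just as ls -l would show it.
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group_file")
    [ -n "$primary" ] || primary=$gid

    # Secondary groups: every group line whose member list (field 4) names the user.
    secondary=$(awk -F: -v u="$user" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$group_file")

    printf '%s' "$primary"
    for g in $secondary; do printf ' %s' "$g"; done
    printf '\n'
}

# write_sample_files DIR: constructed passwd/group data mirroring the accounts
# created in the article (khess, fred, bob, john); not copied from a real system.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash
fred:x:504:506::/home/fred:/bin/bash
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash
john:x:506:507:Jon Shmon:/home/john:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
khess:x:500:
rdpusers:x:504:khess,john
fred:x:506:
john:x:507:
EOF
}

# Demo on the constructed data: bob resolves to "users" even though his name
# appears nowhere in the group file.
tmp=$(mktemp -d)
write_sample_files "$tmp"
for u in khess fred bob john; do
    printf '%s: ' "$u"
    user_groups "$tmp/passwd" "$tmp/group" "$u"
done
rm -rf "$tmp"
```

On the sample data the script prints khess: khess rdpusers, fred: fred, bob: users and john: john rdpusers, which is exactly what groups would report for each of those accounts.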

A group must exist before you assign users to it. The groupadd command creates new groups with a specific Group ID (GID) and name.

# groupadd -g 1040 accounting

# grep 1040 /etc/group
accounting:x:1040:

You may also create a new group with just a group name, and the system will assign the next free GID from the GID_MIN/GID_MAX range in /etc/login.defs: # groupadd groupname.

The groupmod command renames a group with -n newname oldname. The GID stays the same, and because file group ownership is stored as a number, existing files are unaffected; what the SA has to fix by hand is anything that refers to the group by name, such as sudoers rules or application configuration files.

# groupmod -n beancounters accounting
# grep 1040 /etc/group
beancounters:x:1040:

Changing a group’s number with groupmod -g is the risky direction: files keep the old GID and show it as a bare number in ls -l until you re-own them, for example with find / -xdev -gid 1040 -exec chgrp beancounters {} + (repeated per filesystem) after the group has been given its new GID.

Note: Don’t confuse chgrp (changes which group owns a file or directory) with groupmod (changes a group’s name or GID).

You can remove a group with the groupdel command. It refuses to remove a group that is still any user’s primary group, and it does not touch files: anything owned by the deleted GID keeps that number, shows up as a bare number in ls -l, and would belong to whatever group is later created with the same GID. Run find / -nogroup after deleting to find such files.

# groupdel beancounters

If you prefer to edit configuration files directly, although you shouldn’t, the vigr command edits /etc/group safely: it takes the same lock that useradd, groupadd and the other tools honour, so only one administrator (or tool) at a time changes the file, and it writes the result atomically. vigr -s edits /etc/gshadow in the same way. After any hand edit, run grpck (and pwck for /etc/passwd) to catch malformed lines, duplicate GIDs and members that don’t exist.
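The kind of damage a hand edit does is easy to miss by eye and easy to catch by script. Here is an added example, not code from the original article or from the shadow-utils project, that performs the checks grpck and pwck are for against passwd and group files passed as arguments, so a hand-edited copy can be vetted before it replaces the live file. The sample data is constructed and deliberately seeded with three mistakes.

```shell
#!/bin/sh
# Added example, not code from the original article: a consistency check in
# the spirit of pwck(8) and grpck(8), run against passwd/group files given as
# arguments so hand-edited copies can be vetted before they replace the live
# files. It reports duplicate group names, duplicate GIDs, group members that
# are not users, and users whose primary GID has no group entry.

# check_consistency PASSWD_FILE GROUP_FILE
# Prints one line per problem found. Returns 0 when clean, 1 otherwise.
check_consistency() {
    problems=$(awk -v pf="$1" -v gf="$2" '
        BEGIN {
            # Pass 1: learn the user names and primary GIDs from the passwd file.
            while ((getline line < pf) > 0) {
                split(line, f, ":")
                users[f[1]] = 1
                pgid[f[1]] = f[4]
            }
            close(pf)
            # Pass 2: walk the group file, checking each line against what we know.
            while ((getline line < gf) > 0) {
                split(line, f, ":")
                if (f[1] in byname)
                    printf "duplicate group name: %s\n", f[1]
                if (f[3] in bygid)
                    printf "duplicate GID %s: %s and %s\n", f[3], bygid[f[3]], f[1]
                byname[f[1]] = f[3]
                bygid[f[3]] = f[1]
                n = split(f[4], m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "" && !(m[i] in users))
                        printf "group %s lists unknown user %s\n", f[1], m[i]
            }
            close(gf)
            # Pass 3: every primary GID in passwd must exist in the group file.
            for (u in users)
                if (!(pgid[u] in bygid))
                    printf "user %s has primary GID %s with no group entry\n", u, pgid[u]
        }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample data (not from a real system) seeded with three mistakes
# of the kind a hand edit introduces: a GID used twice, a member that does not
# exist, and a user whose primary group was deleted.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash
orphan:x:510:999::/home/orphan:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
khess:x:500:
rdpusers:x:504:khess,ghost
accounting:x:100:bob
EOF
}

# Demo on the constructed data.
tmp=$(mktemp -d)
write_sample_files "$tmp"
check_consistency "$tmp/passwd" "$tmp/group" || echo "fix the above before the file goes live"
rm -rf "$tmp"
```

On the sample data the check reports the duplicate GID 100 shared by users and accounting, the non-existent member ghost in rdpusers, and user orphan whose primary GID 999 has no group entry, then returns 1. A duplicate GID is the one to take most seriously: two names for one number means members of either group get the same access to every file owned by that GID.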

Administrators rely on these group commands both interactively and in the scripts that automate user and group provisioning.

User Commands

I call this collection of utilities the “user” commands because their functionality centers on user administration and not on actions taken by the users themselves. Even if a user knows where these commands live (/usr/sbin), they can’t use them without root privilege: the commands refuse non-root callers, and the files they would write (/etc/passwd, /etc/shadow, /etc/group) are only writable by root in any case.

For example, a clever user on your system tries to issue useradd and vipw.

$ /usr/sbin/useradd steve
useradd: Only root may add a user or group to the system.

$ /usr/sbin/vipw
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged

The User commands have their Group analogs; you add a new user with useradd, modify a user account with usermod and delete a user account with userdel. And you edit the /etc/passwd file directly with vipw. You’ve already seen the useradd command in action in the Group Commands discussion.

The usermod command lets SAs alter any user account attribute: the user’s real name (comment field), home directory, account expiration date, primary and secondary groups, login name, shell and more, and it locks and unlocks accounts. One option deserves a warning before you meet it in a script: usermod -G replaces the user’s entire secondary group list, so to add a group use usermod -aG group user; without -a the user silently drops out of every other secondary group.

# grep khess /etc/passwd
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash

# usermod -c "Ken Hess" khess

# grep khess /etc/passwd
khess:x:500:500:Ken Hess:/home/khess:/bin/bash

The usermod command requires some restraint and careful typing when issuing commands that can make a user account unusable. Let’s say that Bob Alobdob, from an example in the Group discussion, wants his login name and home directory changed to robert.

# usermod -d "/home/robert" -m -l robert bob 

# grep robert /etc/passwd
robert:x:505:100:Bob Alobdob:/home/robert:/bin/bash

Notice the three options. -l robert changes only the login name; on its own it would leave Robert with the old /home/bob directory, which still works but looks stale. -d /home/robert sets the new home directory path in /etc/passwd, and -m moves the old directory’s contents there; with -d but no -m, /etc/passwd would point at a directory that doesn’t exist and Robert would log in without a usable home. Nothing needs re-owning: his UID is still 505, file ownership is stored by UID, and ls -l now simply displays that UID as robert.

Note: You cannot change the login name, UID or home directory of a currently logged-in user; usermod checks for active sessions and refuses. Have the user log out and check for leftover processes with ps -u bob first.

The userdel command’s function might seem obvious, but you might surprise yourself after issuing it to find that the user’s home directory is still intact. That is the default: plain userdel removes the account’s entries from /etc/passwd, /etc/shadow and the group files and nothing else; userdel -r also removes the home directory and mail spool.

Why would the maintainers leave that directory as clutter on your home filesystem? It is a failsafe, and you should thank the thoughtful programmer who maintains userdel. What if two user names differ by a single letter and you removed the wrong one? With -r, the wrong user’s home directory and files would be gone with a slip of your finger. Without it, you have to remove the directory deliberately, and with luck you catch the error before doing so.

Two things userdel never cleans up deserve a check of their own. First, files the user owns outside the home directory (cron jobs, uploads under /srv, anything in /tmp or /var) keep the numeric UID, and the next account you create may well be assigned that same UID and silently inherit them; find / -nouser lists such orphans. Second, the user’s running processes survive the deletion (userdel refuses to run while the user is logged in unless you pass -f), so kill them first with pkill -u bob and review crontab -u bob -l before you delete the account.
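Before running userdel it is worth knowing what the account owns beyond its home directory. Here is an added example, not code from the original article: a POSIX shell preflight that lists the regular files a user owns under a search root and separates those inside the home directory (which userdel -r would remove) from strays elsewhere that would be orphaned and inherited by the next account given the same UID. The passwd file and search root are arguments so it can be exercised on a scratch tree without root; the demo data is constructed, and the demo account borrows the current user’s UID so the files really are “bob’s”. On a live system pass /etc/passwd and /, one filesystem at a time because of -xdev.

```shell
#!/bin/sh
# Added example, not code from the original article: an inventory to run before
# userdel. Reports every regular file the account owns under a search root,
# separating files inside the home directory (userdel -r removes those) from
# strays elsewhere, which userdel never touches. Drop -type f below to include
# directories and symlinks as well. Home paths containing spaces are not handled.

# uid_and_home PASSWD_FILE USERNAME -> prints "UID HOME"; fails if the user is unknown
uid_and_home() {
    awk -F: -v u="$2" '$1 == u { print $3, $6; found = 1; exit } END { exit !found }' "$1"
}

# stray_files PASSWD_FILE USERNAME ROOT -> regular files owned by the user under
# ROOT that are NOT inside the home directory, one per line
stray_files() {
    info=$(uid_and_home "$1" "$2") || return 1
    uid=${info%% *}; home=${info#* }
    find "$3" -xdev -type f -uid "$uid" -print 2>/dev/null |
        awk -v h="$home" '$0 != h && index($0, h "/") != 1'
}

# userdel_preflight PASSWD_FILE USERNAME ROOT
# Prints a summary. Returns 0 when nothing is owned outside the home directory,
# 1 for an unknown user, 2 when strays exist (deal with them before userdel).
userdel_preflight() {
    info=$(uid_and_home "$1" "$2") || { echo "no such user: $2" >&2; return 1; }
    uid=${info%% *}; home=${info#* }
    total=$(find "$3" -xdev -type f -uid "$uid" -print 2>/dev/null | awk 'END { print NR }')
    strays=$(stray_files "$1" "$2" "$3" | awk 'END { print NR }')
    echo "$2 (uid $uid, home $home): $total file(s) under $3, $strays outside the home directory"
    [ "$strays" -eq 0 ] || return 2
}

# Demo on a constructed scratch tree (not a real system): bob owns a file in his
# home directory and one upload under srv that userdel -r would never touch. The
# demo passwd entry uses the current UID so that the files are genuinely his.
tmp=$(mktemp -d)
mkdir -p "$tmp/tree/home/bob" "$tmp/tree/srv/www"
echo notes > "$tmp/tree/home/bob/notes.txt"
echo upload > "$tmp/tree/srv/www/upload.txt"
printf 'bob:x:%s:100:Bob Alobdob:%s/tree/home/bob:/bin/sh\n' "$(id -u)" "$tmp" > "$tmp/passwd"
userdel_preflight "$tmp/passwd" bob "$tmp/tree" || echo "strays found; re-own or archive them first"
stray_files "$tmp/passwd" bob "$tmp/tree"
rm -rf "$tmp"
```

On the demo tree the preflight reports two files, one of them outside the home directory, returns 2, and the stray listing names only the upload under srv. The usual follow-ups for a stray are chown to the successor or to root, or archiving it, before the UID can be safely reused.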

This introduction to user and group administration will point you in the right direction in your own duties as a new system administrator. Remember to think in terms of groups and add users to those groups as needed. Use the administrative tools and utilities provided to you and avoid directly editing any system file.

Have you ever wanted to see more information from your system than proc files or dmesg could give you? Well, your search is over. There are native tools that give you more than you imagined and we’ll have a look at them next week.

Comments on "User and Group Management 101"

bthoward

I find that this is all fine and dandy until you want to get just a tad more complicated.

For example I have a folder for the documents my wife and I keep on hand. I have a group called hoyt-trusted that my wife and I are members of. This group is intended to provide read/write access. However I have some users who visit that are trusted enough to have read access to that directory structure I put them in a group called hoyt. I want to use owners in this folder in the sense that I want my wife’s files to be under her user account and I want my files to be under my user account. However we should be able to read and write to one another’s files.

With the current structure this was not possible. After some digging I found ACLs. I really think that ACLs should become the standard way of doing things. Unless there is something better, but at the moment when I ran into this problem I found ACLs and I’m loving the way they work! I also very much like the default control list which has solved other permissions issues that arise when you have many people creating files in a set folder. There are all sorts of ways that you can tweak things and you can usually find a way to get exactly the functionality that you want.

Now that I have all my groups and access control lists setup I only manage users by placing them into the groups to which they should belong. Their user then inherits all the permissions they should have and everyone gets along.

Reply
peterstoops

Very basic. I wouldn’t allow any sysadmin on our servers who isn’t familiar with these commands.

More interesting for me would be:
- I need to change the UID for a user.
- I need to change the GID for a group.
- I have usernames and groupnames with mixed cases, and want them all to be lowercase.

These are real cases we’re facing, and after some thought, appear not too complex, until you’re facing a big mixed environment with Linux, HP-UX, Solaris,… and you need all UIDs for a certain user to match, and GIDs for a group to match…

Ah, but we’re nearly there, and then our nightmares will (hopefully) be over.

Good advice: Pay real close attention to this, you won’t regret it! Good user and group management is a MUST!

Thanks for the article!

Reply
khess

@bthoward: You’re right. ACL management is in a future post.

@peterstoops: You got it. I’ll schedule those topics for a future post. In large, mixed environments, you would typically use some enterprise-level user management software. There are some good ones out there. I wouldn’t want to manage an environment of any size without one. Imagine removing a user account from say, 500 systems, or even 50.

Reply
grabur

Small nitpick – you suggest bob changes his name to bobby, and then change it to robert!

Reply
khess

@grabur: fixed.

Reply

I am trying to find out what a primary and secondary group are in group management.

Thank you, Chuck

Reply

Nice tutorial, thank you…;)

Reply

