Introduction to Linux User Account Management
This lab is a hands-on guide to user account management on Linux. You'll create, modify, and delete user accounts, then work with user privileges, permissions, and password policies. The tutorial uses fundamental commands such as useradd, passwd, and cat /etc/passwd, with practical examples you can apply as a system administrator on your own Linux machine.
Managing User Accounts on Linux
This section focuses on the essential aspects of user account management on a Linux system. We'll explore the processes of creating new user accounts, modifying existing ones, and securely deleting accounts, all while gaining a clear understanding of user privileges and permissions within the Linux operating system.
Let's begin by creating a new user account:
sudo useradd -m -s /bin/bash newuser
useradd prints nothing when it succeeds. The useradd command creates new user accounts; in this example it creates a user with the username newuser. The -m option creates a home directory for the user, and the -s option sets the login shell, in this case /bin/bash.
Now, let's set a strong password for the new user account:
sudo passwd newuser
Example output:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
To confirm that the new user account has been successfully created, you can list all user accounts present on the system using the following command:
sudo cat /etc/passwd
Example output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
labex:x:1000:1000:labex,,,:/home/labex:/bin/bash
newuser:x:1001:1001::/home/newuser:/bin/bash
By examining the contents of the /etc/passwd file, you can confirm that the new user, newuser, has been successfully added to the system.
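Beyond confirming that an entry exists, the seven colon-separated fields of each line can be checked for risky values. The script below is an added example, not part of the original lab; the sample data is constructed, and the svcadmin and legacy accounts are hypothetical entries included to trigger findings.

```shell
#!/bin/sh
# Added example. SAMPLE_PASSWD is constructed: five lines follow the listing
# above; svcadmin and legacy are hypothetical accounts added to trigger findings.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
labex:x:1000:1000:labex,,,:/home/labex:/bin/bash
newuser:x:1001:1001::/home/newuser:/bin/bash
svcadmin:x:0:1002::/home/svcadmin:/bin/bash
legacy::1003:1003::/home/legacy:/bin/sh'

# audit_passwd: read passwd(5) lines on stdin and print one finding per line.
# Fields: name:password:UID:GID:GECOS:home:shell
audit_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED " $0; next }
        # A second UID 0 account has full root privileges.
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # An empty field may allow login without a password; "x" points to /etc/shadow.
        $2 == "" { print "EMPTY_PASSWORD_FIELD " $1 }
        # Two names sharing a UID are the same user to the kernel.
        seen[$3]++ { print "DUPLICATE_UID " $1 " uid=" $3 }
        # Accounts whose shell is an interactive shell can log in.
        $7 ~ /\/(ba|z|k|da)?sh$/ { print "LOGIN_SHELL " $1 " " $7 }
    '
}

# Run against the constructed sample; on a real host: audit_passwd < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```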
To remove a user account, including their home directory and associated files, you can use the userdel command with the -r option:
sudo userdel -r newuser
The -r option deletes the user's home directory and mail spool along with the account. Files the user owns elsewhere on the file system are not removed and have to be found and cleaned up separately.
Understanding User Privileges and Permissions in Linux
This section explores the vital topic of user privileges and permissions within the Linux operating system. You will learn how to effectively view and manage user permissions, granting and revoking privileges as needed to maintain a secure and organized system.
To begin, let's create a new user and a new group:
sudo useradd -m -s /bin/bash newuser
sudo groupadd devgroup
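Now, we'll add the newly created newuser to the devgroup group. The -a (append) option matters here: without it, -G replaces the user's existing supplementary groups with the list given.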
sudo usermod -a -G devgroup newuser
To verify that the user has been added to the group, we can use the id command:
id newuser
Example output:
uid=1001(newuser) gid=1001(newuser) groups=1001(newuser),1002(devgroup)
The output shows that newuser is now a member of both their default group (newuser) and the devgroup group.
Next, let's create a new directory and set specific permissions on it to control access:
sudo mkdir /opt/myapp
sudo chown newuser:devgroup /opt/myapp
sudo chmod 770 /opt/myapp
The chown command changes the directory's owner to newuser and its group to devgroup. The chmod command sets the permissions to rwxrwx---, granting read, write, and execute permissions to the owner (newuser) and to members of devgroup, while denying all access to others.
To verify the directory's permissions, we can use the ls -l command:
ls -l /opt
Example output:
total 4
drwxrwx--- 2 newuser devgroup 4096 Apr 17 12:34 myapp
Now, let's attempt to access the directory as a different user who is not a member of devgroup:
sudo -u otheruser ls -l /opt/myapp
Example output:
ls: cannot open directory '/opt/myapp': Permission denied
As demonstrated, otheruser is denied access to the myapp directory because of the permissions set with the chmod command. This highlights the importance of proper permission management in Linux.
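The decision behind that "Permission denied" can be reproduced step by step: pick the permission class for the user, then read that class's bits from the mode. The script below is an added example, not part of the original lab; teammate is a hypothetical second member of devgroup, and root, which bypasses these checks, is not modelled.

```shell
#!/bin/sh
# Added example: owner, group and user names follow the walkthrough above;
# "teammate" is a hypothetical second member of devgroup.

# class_for USER OWNER GROUP "USER_GROUPS"
# Print the permission class checked for USER. Only the first matching
# class is used: owner, then group, then other.
class_for() {
    if [ "$1" = "$2" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" = "$3" ]; then echo group; return 0; fi
    done
    echo other
}

# rwx_for MODE CLASS: print the rwx triplet that a three-digit octal MODE
# grants to CLASS, e.g. "rwx_for 770 other" prints "---".
rwx_for() {
    case $2 in
        owner) digit=$(printf '%s' "$1" | cut -c1) ;;
        group) digit=$(printf '%s' "$1" | cut -c2) ;;
        *)     digit=$(printf '%s' "$1" | cut -c3) ;;
    esac
    r=-; w=-; x=-
    if [ $((digit & 4)) -ne 0 ]; then r=r; fi
    if [ $((digit & 2)) -ne 0 ]; then w=w; fi
    if [ $((digit & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# access MODE OWNER GROUP USER "USER_GROUPS": combine the two steps.
access() {
    rwx_for "$1" "$(class_for "$4" "$2" "$3" "$5")"
}

# /opt/myapp as configured above: mode 770, owner newuser, group devgroup.
echo "newuser:   $(access 770 newuser devgroup newuser   'newuser devgroup')"
echo "teammate:  $(access 770 newuser devgroup teammate  'teammate devgroup')"
echo "otheruser: $(access 770 newuser devgroup otheruser 'otheruser')"
# Edge case: with mode 070 the owner matches the owner class first and gets
# "---", even though newuser is also a member of devgroup.
echo "newuser at 070: $(access 070 newuser devgroup newuser 'newuser devgroup')"
```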
Implementing Password Policy and Effective User Management
In this final section, we'll explore how to implement a strong password policy and manage user accounts effectively to enhance the security and integrity of your Linux system.
First, let's configure a password policy using the pam_cracklib module. This module checks password strength, enforcing rules such as minimum length, character requirements, and password history to prevent weak passwords.
Open the /etc/pam.d/common-password file using a text editor with root privileges:
sudo nano /etc/pam.d/common-password
Add the following lines to the file:
password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
This configuration enforces a password policy requiring passwords to be at least 8 characters long and contain at least one digit, one uppercase letter, one lowercase letter, and one special character, significantly improving password security.
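The sign of each credit option decides whether it is a requirement or a discount on minlen, which is easy to get wrong when editing this line. The script below is an added example, not part of the original lab: it summarises the pam_cracklib line from above next to a constructed WEAK_LINE that uses positive credits; the function name and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example. STRICT_LINE is the pam_cracklib line from the text above;
# WEAK_LINE is a constructed contrast with positive credits.
STRICT_LINE='password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'
WEAK_LINE='password requisite pam_cracklib.so retry=3 minlen=8 dcredit=1 ucredit=1 lcredit=1 ocredit=1'

# audit_cracklib LINE
# Summarise the length and character-class rules one pam_cracklib line sets.
#   credit < 0 : at least that many characters of the class are required
#   credit > 0 : each such character (up to the credit) counts as one extra
#                character toward minlen, so shorter passwords can pass
# length_floor is a lower bound on the length the minlen check will accept;
# the module's dictionary and similarity checks run in addition to it.
audit_cracklib() {
    printf '%s\n' "$1" | awk '
        !/pam_cracklib\.so/ { print "not-a-pam_cracklib-line"; next }
        {
            minlen = "unset"; bonus = 0; required = 0
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") != 2) continue
                if (kv[1] == "minlen") minlen = kv[2] + 0
                else if (kv[1] ~ /^[dulo]credit$/) {
                    if (kv[2] + 0 < 0) required++
                    else bonus += kv[2]
                }
            }
            if (minlen == "unset") {
                print "minlen=unset required_classes=" required
                next
            }
            print "minlen=" minlen " length_floor=" (minlen - bonus) \
                  " required_classes=" required
        }'
}

echo "strict: $(audit_cracklib "$STRICT_LINE")"
echo "weak:   $(audit_cracklib "$WEAK_LINE")"
```

With the positive credits in WEAK_LINE, a four-character password that uses all four classes already satisfies minlen=8, and no class is mandatory.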
Next, let's create a new user and test the implemented password policy:
sudo useradd -m -s /bin/bash newuser2
sudo passwd newuser2
Example output:
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match.
Enter new UNIX password:
Retype new UNIX password:
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error
As you can see, the password policy is actively enforced, preventing the user from setting a weak password that could compromise the system's security.
Finally, let's examine some essential user management commands:
## Lock a user account
sudo usermod -L newuser2
## Unlock a user account
sudo usermod -U newuser2
## Expire a user's password
sudo passwd -e newuser2
## Set a user's password to never expire
sudo chage -M -1 newuser2
These commands let you lock accounts to prevent unauthorized access, force password changes for security reasons, and configure password expiration policies. Note that usermod -L only locks the password; to disable the account entirely, also set an expiry date, as the usermod manual advises.
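Each of these commands leaves a visible trace in the account's /etc/shadow entry, which makes the resulting state auditable. The script below is an added example, not part of the original lab; the shadow lines are constructed with placeholder hashes, and every account except newuser2 is hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_SHADOW is constructed in shadow(5) format; the hashes
# are placeholders and every account except newuser2 is hypothetical.
SAMPLE_SHADOW='newuser2:$6$constructed$placeholder:19800:0:90:7:::
locked:!$6$constructed$placeholder:19800:0:90:7:::
mustchange:$6$constructed$placeholder:0:0:90:7:::
noexpiry:$6$constructed$placeholder:19800:0::7:::
disabled:!$6$constructed$placeholder:19800:0:90:7::1:
svc:*:19800:0:99999:7:::'

# account_state [TODAY]: read shadow(5) lines on stdin and print "name: flags".
# TODAY is the current date in days since 1970-01-01 (defaults to the clock).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
account_state() {
    awk -F: -v today="${1:-$(( $(date +%s) / 86400 ))}" '
        NF != 9 { print $1 ": malformed"; next }
        {
            s = ""
            if ($2 ~ /^!/) s = s " password-locked"            # usermod -L
            else if ($2 == "*") s = s " no-password-login"
            else if ($2 == "") s = s " EMPTY-PASSWORD"
            if ($3 == "0") s = s " must-change-at-next-login"  # passwd -e
            if ($5 == "" || $5 == "-1") s = s " no-max-age"     # chage -M -1
            # An expiry date in the past disables the whole account.
            if ($8 != "" && $8 + 0 < today + 0) s = s " account-expired"
            if (s == "") s = " active"
            print $1 ":" s
        }'
}

# Run against the constructed sample; on a real host:
#   sudo cat /etc/shadow | account_state
printf '%s\n' "$SAMPLE_SHADOW" | account_state
```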
Conclusion
This lab provided a comprehensive understanding of user account management on Linux systems, covering the creation, modification, and deletion of user accounts, as well as user privileges and permissions. You successfully created a new user account, set a password, and verified the account's creation.
Furthermore, you learned how to implement password policies and manage user accounts effectively, ensuring the security and integrity of your Linux system. These are important skills for any system administrator.