User Accounts

Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a computer may have just one user account, but several system accounts help keep the computer running.

Accounts enable multiple users to share a single computer without causing each other too much trouble.


User Accounts

The Users in a Linux system are stored in the /etc/passwd file. If you are on your own VM - somewhere near the bottom you should see yourself and joe.

On a brand new install you will see many users listed. Of course, if you recall, we only added ourselves and joe. So what are all these other users for? These users exist because we don’t want to give sudo power to all of our programs. Each installed program gets its own user with its own limited permissions, so a misbehaving or compromised program can only touch what that user owns. This is a protection for our computer.


User Info /etc/passwd

Examine the /etc/passwd file using cat or less. Here is what we are seeing:


User Info /etc/passwd


Passwords

If passwords are not stored in the /etc/passwd file then where are they stored?

Passwords are actually stored in /etc/shadow. Try and view the contents of this file. Do you notice anything?

This file actually requires sudo power to view it. This is an obvious precaution. We don’t want just anyone being able to see our passwords.

However, when you actually get to see inside the file, the passwords are not stored in plain text but as one-way hashes. So not even the root user can see your password.


Passwords

Each line in the file is made up of the following:


Passwords

If you are wondering how 17224 (or something similar) could possibly be a date: it is the number of days since January 1, 1970. So 17224 is actually January 27, 2017.
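The two files described above, /etc/passwd (seven colon-separated fields) and /etc/shadow (nine fields, with the "last changed" field counted in days since January 1, 1970), parsed and checked the way an administrator would. This is an added example, not code from the original notes; the sample lines, the placeholder hash and the fixed "today" date are constructed, and UID 1000 as the first human UID is the Debian/Ubuntu default assumed here.

```python
"""Parse constructed /etc/passwd and /etc/shadow lines and report the things
worth knowing: accounts with an empty password, system accounts that have a
login shell, and passwords that have passed their maximum age."""
from datetime import date, timedelta

# Constructed /etc/passwd lines: name:password:UID:GID:GECOS:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
student:x:1000:1000:Student,,,:/home/student:/bin/bash
joe:x:1001:1001:Joe,,,:/home/joe:/bin/bash
"""

# Constructed /etc/shadow lines:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# The student "hash" is a placeholder string, not a real crypt(3) hash.
SHADOW = """\
root:*:17588:0:99999:7:::
daemon:*:17588:0:99999:7:::
www-data:*:17588:0:99999:7:::
backup:*:17588:0:99999:7:::
student:$6$PLACEHOLDER$PLACEHOLDERHASH:17588:0:99999:7:::
joe::17224:0:90:7:::
"""

EPOCH = date(1970, 1, 1)
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchange", "min", "max",
                 "warn", "inactive", "expire", "reserved")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {name: record} for every non-empty line of a passwd file."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        rec = dict(zip(PASSWD_FIELDS, fields))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        users[rec["name"]] = rec
    return users


def parse_shadow(text):
    """Return {name: record} for every non-empty line of a shadow file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(SHADOW_FIELDS):
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = dict(zip(SHADOW_FIELDS, fields))
    return entries


def days_to_date(days):
    """Shadow dates are a count of days since 1970-01-01, not seconds."""
    return EPOCH + timedelta(days=int(days))


def password_state(hash_field):
    """Empty hash: login with no password at all. '!' or '*' prefix: locked."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"
    return "set"


def audit(passwd_text, shadow_text, today, uid_min=1000):
    """Return a sorted list of (account, finding) pairs.

    uid_min=1000 is the assumed Debian/Ubuntu convention: human accounts
    start at UID 1000, lower UIDs belong to system (program) accounts."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, rec in users.items():
        if rec["password"] != "x":          # hash belongs in shadow, not here
            findings.append((name, "hash-in-passwd"))
        if rec["uid"] != 0 and rec["uid"] < uid_min \
                and rec["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, "system-account-with-login-shell"))
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no-shadow-entry"))
            continue
        if password_state(entry["hash"]) == "empty":
            findings.append((name, "empty-password"))
        if entry["max"] and entry["lastchange"]:
            expires = days_to_date(entry["lastchange"]) + timedelta(days=int(entry["max"]))
            if expires < today:
                findings.append((name, "password-expired"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(PASSWD, SHADOW, today=date(2018, 2, 26)):
        print(f"{account:10} {finding}")
```

Run against the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read(), date.today())`; reading /etc/shadow needs sudo, exactly as the notes say.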


LDAP

An LDAP (Lightweight Directory Access Protocol) Server is a Linux server that provides centralized user login and permission information. All the usernames and passwords are stored in one database. There are several reasons to have a centralized user database.

These are some of the advantages of an LDAP system


LDAP (advantages)


LDAP

The CIT department uses an LDAP Server to store the usernames, passwords and files of all the CIT students. DSU also uses a centralized user database. This is what allows us to log in to any computer with a single username and password. This is what allows us to see the same files on all computers once we’ve logged in.
Using an LDAP Server makes it easier to administer multiple users and computers on a network.


/etc/passwd with LDAP

Open a new terminal and log into scratch. Look at the /etc/passwd file. Look for your name. It’s not there. The /etc/passwd file is for local users added on that machine only.

To view all users that have access to the system use


/etc/passwd with LDAP

Try these additional commands on scratch


Groups

The list of groups is stored in /etc/group


Groups

The file consists of the following:

The groups command will show us what groups we are members of


Groups

In Ubuntu there is a special group called the sudo group. This is the sudoers list: it gives users of that group sudo power, a.k.a. admin privileges, root access, superuser privileges and anything else that might sound powerful.

In BSD and in distributions such as Red Hat the sudo group is called the wheel group. No matter the name, it has the same privileges.
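The /etc/group layout, the answer the groups command gives, and a check of who sits in the sudo or wheel group, worked through in Python. This is an added example, not code from the original notes; the group lines and the primary-GID table (the GID field of each user's passwd line) are constructed, and the delgroup refusal to remove a user's primary group is modelled on the real tool's behaviour.

```python
"""Read constructed /etc/group lines (name:password:GID:members), list a
user's groups the way the groups command does, and find every account that
holds root power through the sudo or wheel group."""

# Constructed /etc/group content.
GROUP = """\
root:x:0:
wheel:x:10:
sudo:x:27:student
student:x:1000:
joe:x:1001:
sally:x:1002:
scott:x:1003:
friends:x:1004:sally,scott
"""

# Constructed primary GIDs, i.e. the fourth field of each user's passwd line.
PRIMARY_GID = {"root": 0, "student": 1000, "joe": 1001,
               "sally": 1002, "scott": 1003}

# Ubuntu's "sudo" group and the BSD / Red Hat "wheel" group both grant root.
ADMIN_GROUPS = ("sudo", "wheel")


def parse_group(text):
    """Return {group name: {"gid": int, "members": [names]}}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(user, groups, primary_gid=PRIMARY_GID):
    """Like the groups command: the primary group first, then the
    supplementary groups that list the user, in /etc/group order."""
    by_gid = {g["gid"]: name for name, g in groups.items()}
    result = [by_gid[primary_gid[user]]]
    for name, g in groups.items():
        if user in g["members"] and name not in result:
            result.append(name)
    return result


def admin_members(groups, admin_groups=ADMIN_GROUPS):
    """Everyone who can become root through group membership."""
    return sorted({m for name in admin_groups if name in groups
                   for m in groups[name]["members"]})


def delete_group(groups, name, primary_gid=PRIMARY_GID):
    """Model delgroup: the group line disappears, so every user listed in it
    loses that membership with it. A group that is still some user's primary
    group is refused, as the real command refuses it. Returns a new dict."""
    if name not in groups:
        raise KeyError(f"no such group: {name}")
    if groups[name]["gid"] in primary_gid.values():
        raise ValueError(f"{name} is still somebody's primary group")
    return {n: g for n, g in groups.items() if n != name}


if __name__ == "__main__":
    groups = parse_group(GROUP)
    for user in PRIMARY_GID:
        print(f"{user:8} {' '.join(groups_of(user, groups))}")
    print("admins:", admin_members(groups))
    print("sally after delgroup friends:",
          groups_of("sally", delete_group(groups, "friends")))
```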


High Level vs Low Level Commands

High level programs/commands provide an interface to assist you in creating new users and groups and they do a lot of things automatically for you. High level commands are most commonly used by administrators for one time changes.

Some High Level Commands


High Level vs Low Level Commands

Low level commands require that you set each option manually in the command line. If you fail to set the options then things like home directories and passwords may not be created. Low level commands are particularly useful for automated scripts that run without human interaction.

Some Low Level Commands


Adding Users and Groups

When you add a new user with the high level command it automatically creates the user, creates the required group of the same name, adds all the required entries in /etc/passwd, /etc/shadow, and /etc/group, creates the home directory, copies the default starter files from /etc/skel, prompts you for the new password and asks for the extra info about the user.

Just like everything else in Linux - usernames are usually lowercase.


Adding Users and Groups

When using the high level command everything is properly set up for the new user.

What is frank’s UID and GID? Who owns frank’s home directory?


Adding Users and Groups

To add a group use the addgroup command


Adding Users and Groups

Add another new user


Adding Users To Groups

There are a few different ways to add users to a group. The easiest is using the addgroup command.


Adding Users To Groups

The id command shows us not only our UID but also the GIDs of all our groups.


Deleting Users and Groups

When you want to delete a user, by default Linux keeps the user’s home directory and all the files they created.

Frank’s home directory still exists - Who owns frank’s home directory now?

Nobody actually owns the frank directory now. It is still owned by frank’s old UID and GID, but no account called frank exists any more. This is why we have UIDs and GIDs: the account frank no longer exists, but somebody has to own his old files.


Deleting Users and Groups

So what happens when we add a new user


Deleting Users and Groups

If we wanted Scott to own Frank’s files this is a good side-effect. But normally we do not want the newest user owning the long time employee’s files.
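The situation described in this section, files left behind owned by a bare UID and a new user inheriting them because adduser hands out the lowest free UID, modelled in Python. This is an added example, not code from the original notes; the account table and the (path, uid, gid) listing are constructed, and UID 1000 as the first human UID is the Debian/Ubuntu default assumed here. The real command for the orphan check is `find / -nouser -o -nogroup`.

```python
"""Model what happens to file ownership when a user is deleted without
removing the home directory, and when the next user is added."""

UID_MIN = 1000  # Debian/Ubuntu default for human accounts (assumption)

# Constructed accounts: name -> (uid, gid), as read from /etc/passwd.
ACCOUNTS = {"root": (0, 0), "student": (1000, 1000), "frank": (1001, 1001)}

# Constructed listing of (path, owner uid, group gid), as stat would report.
FILES = [
    ("/home/student/notes.txt", 1000, 1000),
    ("/home/frank", 1001, 1001),
    ("/home/frank/report.doc", 1001, 1001),
    ("/srv/share/frank-backup.tar", 1001, 1000),
]


def owner_name(uid, accounts):
    """Resolve a UID to a name the way ls -l does; None when nobody owns it."""
    for name, (u, _g) in accounts.items():
        if u == uid:
            return name
    return None


def orphaned(files, accounts):
    """Paths whose owner UID matches no account (what find -nouser reports)."""
    known = {u for u, _g in accounts.values()}
    return [path for path, uid, _gid in files if uid not in known]


def delete_user(accounts, name):
    """deluser without --remove-home: the account goes, the files stay put."""
    if name not in accounts:
        raise KeyError(f"no such user: {name}")
    return {n: ids for n, ids in accounts.items() if n != name}


def next_free_uid(accounts, uid_min=UID_MIN):
    """adduser takes the lowest unused UID at or above UID_MIN, which is why
    the newest user can end up with a deleted user's number."""
    used = {u for u, _g in accounts.values()}
    uid = uid_min
    while uid in used:
        uid += 1
    return uid


def add_user(accounts, name):
    """adduser: a new account with the next free UID and a group of the same number."""
    uid = next_free_uid(accounts)
    return {**accounts, name: (uid, uid)}


def ownership_report(files, accounts):
    """(path, owner name or None) for every file in the listing."""
    return [(path, owner_name(uid, accounts)) for path, uid, _gid in files]


if __name__ == "__main__":
    after_delete = delete_user(ACCOUNTS, "frank")
    print("orphaned after deluser frank:", orphaned(FILES, after_delete))
    after_add = add_user(after_delete, "scott")
    for path, owner in ownership_report(FILES, after_add):
        print(f"{owner or '(uid only)':12} {path}")
```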

If it causes this much trouble - why not have Linux autodelete the files when you remove a user?

For that reason Linux doesn’t automatically delete any files.

So the deluser command offers some options that allow us to choose what to do with those files as we delete the user.


Deleting Users and Groups

To see those options - check out the man page -

This is a great starter man page. It is simple and easy to read.

The first thing to remember while learning man pages is to not worry about reading or understanding everything. Let’s hunt for just the things we want. The synopsis at the top shows us how to use the command:


Deleting Users and Groups

This tells us that the command comes first and the user comes last, with options in the middle. It also tells us that we can use all of the above options in conjunction with each other. To know what these options do, scroll down the page and read the descriptions. Which options will help us remove the home directory of a user and which ones will help us make a backup of the files first?

From this page we learn that the best way to delete a user and remove his home directory that we don’t care about is:


Deleting Users and Groups

Try it:


Deleting Users and Groups

To delete a group is simple. But first let’s add some users to the group we want to delete.

See that sally and scott are members of the friends group


Deleting Users and Groups

Now delete the friends group

You can see that the friends group is cleanly removed and all users that were part of the group are no longer part of the group.


Working as Other Users




Working as Root

Root user (different from / root directory) allows you to perform administrative tasks.

Normal user accounts are restricted to doing only what is considered safe for the system. As a normal user you won’t have the power to permanently break the computer. Most of your power is limited to breaking your own $HOME directory.


Working as Root

Before you ever use sudo ask yourself if you really need root access. Is this something that logically should require administrative rights?


Working as Root


More about passwords



Password privacy is absolutely important.


More about passwords

Nobody ever, EVER needs your password. A root user has All Power, All The Time, To Do All Damage. A root user already has access to everything necessary. Keep your password private.

If someone claims to need your password (your web developer, for example, because they don’t have root access), first make sure you know and trust this person. In most cases a separate user can be created, a public/private key pair can be generated to allow temporary access without a password, or you can temporarily change your password to a generic one that doesn’t match any other login.


More about passwords

To change your password or the password of another user is simple.


File Permissions


File and Directory Permissions

There are three general classes of users:


File and Directory Permissions

To see who is the owner, run the ls -l command

-rw-r--r-- 1 ralph admin 2558 Jan 8 07:41 filename


Ownership




File Permissions

File ownership is meaningless without some way to specify what particular users can do with their own or other users’ files. That is why we have permissions.


File Permissions

File Permissions Image


File Permissions (Symbolic Mode)


File Permissions (Octal Mode)


Special Permission Rules


More Special Permission Rules

Many of the permission rules don’t apply to root. The superuser can read or write any file on the computer—even files that grant access to nobody (that is, those that have 000 permissions). The superuser still needs an execute bit set to run a program file.


More examples

Without using octal mode, these are the rules:


What if?


One more tidbit

A user mask or umask sets the default permissions on a file when it is created. The umask is the value that is removed from 666: if the umask is 022, new files will all be 644. For directories the umask is removed from 777 instead, so 022 gives 755.

You can adjust the umask for the current shell with the umask command from the terminal. To make it persist, you would need to set it in .bashrc or a similar startup file.
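The symbolic and octal modes from the File Permissions slides, the rule that root reads and writes anything but still needs an execute bit, the "first matching class wins" rule behind the What if? slide, and the umask arithmetic in this tidbit, all worked through in one added Python example. This is not code from the original notes; the users, files and umask values are constructed.

```python
"""Convert between the ten-character mode ls -l prints and octal mode,
decide whether a user may read, write or execute a file, and compute the
default modes a umask produces."""

# Index i of the nine rwx characters: column i % 3 is r, w or x; the
# special bit that shares the x column is setuid, setgid or sticky.
SPECIAL_BITS = (0o4000, 0o2000, 0o1000)
TYPE_CHARS = "-dlcbps"


def symbolic_to_octal(sym):
    """'-rwsr-xr-x' -> 0o4755 ; 'drwxrwxrwt' -> 0o1777."""
    if len(sym) != 10 or sym[0] not in TYPE_CHARS:
        raise ValueError(f"not an ls -l mode field: {sym!r}")
    mode = 0
    for i, ch in enumerate(sym[1:]):
        bit, col, cls = 1 << (8 - i), i % 3, i // 3
        if ch == "-":
            continue
        if col < 2:                       # r or w column
            if ch != "rw"[col]:
                raise ValueError(f"bad character {ch!r} at position {i + 1}")
            mode |= bit
        elif ch == "x":
            mode |= bit
        elif (ch in "sS" and cls < 2) or (ch in "tT" and cls == 2):
            mode |= SPECIAL_BITS[cls]     # special bit set ...
            if ch.islower():
                mode |= bit               # ... and execute bit set as well
        else:
            raise ValueError(f"bad character {ch!r} at position {i + 1}")
    return mode


def octal_to_symbolic(mode, kind="-"):
    """0o4755 -> '-rwsr-xr-x'. Capital S/T means special bit without execute."""
    chars = [kind]
    for i in range(9):
        bit, col, cls = 1 << (8 - i), i % 3, i // 3
        on = bool(mode & bit)
        if col < 2:
            chars.append("rw"[col] if on else "-")
        elif mode & SPECIAL_BITS[cls]:
            letter = "t" if cls == 2 else "s"
            chars.append(letter if on else letter.upper())
        else:
            chars.append("x" if on else "-")
    return "".join(chars)


def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """want is 'r', 'w' or 'x'.

    Only the first matching class (owner, then group, then other) is
    consulted, so an owner whose own bits deny access is not rescued by more
    permissive group or other bits. Root reads and writes anything, even a
    000 file, but still needs some execute bit set to run a program."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return True if want in "rw" else bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def default_modes(umask):
    """(file mode, directory mode) for a umask: every bit in the mask is
    removed from 666 for files and from 777 for directories."""
    return 0o666 & ~umask, 0o777 & ~umask


if __name__ == "__main__":
    for sym in ("-rw-r--r--", "-rwsr-xr-x", "drwxrwxrwt", "-rw-r-Sr--"):
        print(f"{sym}  {symbolic_to_octal(sym):04o}")
    # Constructed file: owned by uid 1000 / gid 1000 with mode 044.
    print("owner may read own 044 file:",
          can_access(0o044, 1000, 1000, 1000, {1000}, "r"))
    print("root may read a 000 file:", can_access(0o000, 1000, 1000, 0, {0}, "r"))
    for umask in (0o022, 0o027, 0o077):
        f, d = default_modes(umask)
        print(f"umask {umask:03o}: files {f:03o} dirs {d:03o}")
```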


Textbook Time

This chapter is absolutely essential. Read and Complete the Exercises in the Book


Last Updated 02/26/2018