One of the things that makes the GNU/Linux operating system (in fact, any Unix-based system) secure is its requirement that everything has an owner and usage permissions. For it to be possible to restrict or allow access to, and use of, certain resources for one or more people, each of them needs a user account properly created in the operating system. But how do you create users in Linux? How do you change the characteristics of these users? How do you block or even delete a user from the system? This is what you will see in the following lines.
Why create the users on GNU/Linux?
Creating a user account for each person who uses the operating system serves not only to restrict or allow access to the features it offers, but also to respect the space that belongs to each person. With an account, a person can have their own directories, customize their desktop, keep shortcuts and settings for their favourite programs, and so on. Even if the computer on which GNU/Linux is installed is used by only one person, it is recommended to create a user of their own for that person. But why, if the system already has a native user, root? The root user is the “boss” of the system, because it has administrator powers, which means it has access to every resource of the operating system. Using it day to day is not recommended, because if your computer is taken over by someone else, or if you do something wrong, the operating system may be seriously compromised.
Based on this, the answer to the question in this topic's title is very simple: you must create users in GNU/Linux so that each person can use the system through an account of their own.
Understanding the control of users on GNU/Linux
To create, manage or delete user accounts in GNU/Linux, you must be logged in to the operating system as the root user (or as another user with administrator privileges). The reason is obvious: only authorized users may manipulate other accounts; otherwise system security would be seriously compromised, because any user could create, change or delete accounts. Note that, depending on your system's configuration, it may be necessary to prefix each command with sudo, as happens by default in the Ubuntu distribution.
Before you create and manage accounts in GNU/Linux, it is worth understanding how the operating system handles them. In general, each account created is stored in a file named passwd located in the /etc/ directory (that is, its full path is /etc/passwd). This file holds several pieces of information about each user:
– the login name (that is, the name that must be typed to enter the system);
– the password (in this case, the password information may be encrypted or kept in another file);
– the UID (User IDentification), the user's identification number;
– the GID (Group IDentification), that is, the identification number of the user's group;
– additional information about the user (full name, contact data, etc.);
– the “home” directory, that is, the main directory of each user;
– the user's shell, a program that interprets the commands the user types.
So that you can better understand each of these items, we will review them using as a basis the line below, extracted from an /etc/passwd file, which shows the position that each of the above pieces of information occupies:
tintin:x:1001:500:TinTin,Belgium,846-846:/home/tintin:/bin/bash
tintin: this is the position of the user's login name, in this case tintin. This name may not be the same as one already existing in the system and is usually limited to 32 characters. Depending on the configuration applied, the name may be “case sensitive”, that is, it distinguishes uppercase and lowercase letters, so that ‘Western’ would be different from ‘western’, for example;
x: this position indicates the user's password. The letter x tells you that the password is stored and protected in the file /etc/shadow. If there is an asterisk (*) in its place, the account is disabled. If there is nothing at all, the user has no password. In some cases, although this is not recommended, the (encrypted) password can be entered directly in this field;
1001: this field indicates the user's UID (User IDentification) number. As the name says, it is the number that identifies the user. In general, the system supports UIDs from 0 to 4,294,967,296, although some systems limit this to lower values. Typically GNU/Linux itself assigns UID 0 to the root user. The system may also automatically create users for running certain routines and assign them low UIDs, such as 1, 2, 3 and so on. Note that, in our example, the user's UID is 1001. For the system's “human” users it is good practice to use higher UIDs, for organizational purposes;
500: this field indicates the user's GID (Group IDentification), that is, the identification number of the group the user belongs to. As with the UID, 0 usually identifies the root group. Note, however, that one user can belong to more than one group (usually GNU/Linux allows a user to participate in up to 32 groups). But what is the advantage of having more than one group? Simple: suppose you want only the employees of your company's accounting department to access the files in the /accounting/ folder. To do that, you create a group and a setting that gives only the users of that group the right to access it. Then you simply add the group to each user of the accounting department, and only they will be able to access the directory. Generally, the operating system creates a group for each user account created;
TinTin,Belgium,846-846: this field is very interesting, because it allows additional information about the user to be included. Also called GECOS (General Electric Comprehensive Operating System), in allusion to a feature of a Unix system that had this name, this field is used to record, for example, the user's full name, address, telephone or extension, etc. Each piece of information is separated from the next by a comma, for example: Emerson Alecrim,Rua X,1234-4321. In practice, you can insert whatever information you think best, not only the data mentioned above;
/home/tintin: each user created in the system is entitled to a “home” folder, that is, a folder of their own, for their exclusive use. In this field you indicate where that folder will be. In general, these folders are inside the /home/ directory, but you can set whatever directory you want (or even indicate none);
/bin/bash: this field tells which shell (command interpreter) the user will use after logging in. GNU/Linux works with several, among them bash, sh and csh. If no shell is given, the system will use bash as the default.
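The following is an added example, not code from the article: a small parser for the seven-field /etc/passwd record just described, with an audit that flags the conditions the text calls risky (a second UID 0 account, an empty password field, a disabled account, a hash kept outside /etc/shadow). The sample records other than tintin are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List

FIELD_COUNT = 7   # login:password:UID:GID:GECOS:home:shell

@dataclass
class PasswdEntry:
    login: str
    password: str   # "x" = hash in /etc/shadow, "*" = disabled, "" = no password
    uid: int
    gid: int
    gecos: str      # comma-separated extra data (full name, address, phone ...)
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one /etc/passwd record into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}: {line!r}")
    login, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(login, password, int(uid), int(gid), gecos, home, shell)

def audit_passwd(text: str) -> List[str]:
    """Return one finding per risky record in a whole passwd file: duplicate
    login names, a non-root account with UID 0, an empty password field, a
    disabled account, or a hash kept in passwd instead of shadow."""
    findings, seen = [], set()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        e = parse_passwd_line(raw)
        if e.login in seen:
            findings.append(f"{e.login}: duplicate login name")
        seen.add(e.login)
        if e.uid == 0 and e.login != "root":
            findings.append(f"{e.login}: UID 0 on a non-root account (full administrator rights)")
        if e.password == "":
            findings.append(f"{e.login}: empty password field, login needs no password")
        elif e.password == "*":
            findings.append(f"{e.login}: account disabled")
        elif e.password != "x":
            findings.append(f"{e.login}: password hash stored in /etc/passwd, not /etc/shadow")
    return findings

# Constructed sample: the article's tintin record plus rows that trigger each check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tintin:x:1001:500:TinTin,Belgium,846-846:/home/tintin:/bin/bash
helper:x:0:0:Helper:/tmp:/bin/sh
guest::1005:1005:Guest:/home/guest:/bin/bash
olduser:*:1006:1006:Retired:/home/olduser:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```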
Creating users in GNU/Linux
Now that you have the essential information about user management in GNU/Linux, it is time to create the accounts. To do so, open a terminal and use the adduser command (depending on your system, the command may be only, or also, useradd), which is used as follows:
adduser options user
In options, you put specific parameters for configuring the account to be created. Several parameters are available (see the complete list by typing the adduser command in the terminal), among them:
adduser --disabled-login user: creates the account without prompting for a password (that is, the passwd command is not run). The account cannot be used until a password is set for it;
adduser --force-badname user: in general, GNU/Linux systems check whether the name of the account being created (or the password) contains something that could increase the risk to the system. With this option, the system is instructed not to perform that check;
adduser --group group: with this parameter, a group is created instead of a user account. The addgroup command can also be used for this task;
adduser --home directory user: with this option, you define which directory will be the user's “home”. If this parameter is not used, the system creates the “home” in the default directory (usually /home/username). If you prefer that no such directory be created, you can use the --no-create-home option (not recommended);
adduser --uid number user: when users are created, the system usually assigns them sequential UIDs, but you can specify the UID you want with the --uid parameter followed by a number, for example, --uid 31415. Note that in many GNU/Linux distributions you can use only the letter -u instead of --uid. Note also that the user's GID will be equal to the value you entered, unless you specify another one through the --gid option, seen below;
adduser --gid number user: similar to the parameter above, but specifies an existing group for the user instead of creating one. Note that in many GNU/Linux distributions you can use only the letter -g instead of --gid. The GID entered must be that of an existing group;
adduser --ingroup group user: adds the newly created user to a group that already exists, instead of creating a new group for it;
adduser --shell shell user: with this parameter you specify which shell will be the user's default. On some systems the letter -s can be used instead of the word --shell.
As an example, let's create a user named wester. This user must:
– have UID number 27182;
– be placed in the group AbbreviationFinder (which already exists).
Here is the command:
adduser --uid 27182 --ingroup AbbreviationFinder wester
As soon as this command is entered, the system asks you to enter a password for the user twice. Then it asks for the additional information, such as full name, telephone number, etc. Note that you can leave this information blank if you prefer. You will have noticed from the command above that it is possible to use more than one option at the same time in the adduser command.
Deleting users in GNU/Linux
If you need to delete a user, know that the procedure is easy. Just type the userdel command followed by the user's name. For example:
userdel voldemort
If, besides deleting the user from the system, you also want their “home” folder to be deleted (together with all its contents), type the userdel command followed by the -r parameter and the user's name:
userdel -r voldemort
When you do this, make sure the user has a copy of all the files to be deleted, where appropriate.
Changing and controlling the user's password
For safety, it is recommended that all users change their passwords periodically. To do this, use the passwd command. If a user wants to change their own password, they simply type passwd in a terminal. The system will then ask the user to enter the current password and, next, the new one, which must be typed twice for confirmation.
The root user (or another with administrator privileges) can change not only their own password but also those of all other users of the system. For this the passwd command is also used, and it can be extended with options:
passwd user options
Here are some of the available options (to see the others, type man passwd in a terminal):
-e: causes the user's password to expire, forcing them to provide a new one at the next login;
-k: allows the password to be changed only if it has expired;
-x days: makes the password valid only for the number of days given. After that, the password expires and the user must change it;
-n days: indicates the minimum number of days the user must wait before changing the password;
-w days: defines the number of days before expiry during which the user receives a warning that the password needs to be changed;
-i days: leaves the account inactive once the password has been expired for the given number of days;
-l: locks the user account;
-u: unlocks an account that is “locked”;
-S: displays the status of the account (note that the S must be uppercase).
Let's look at some examples so you can understand these options:
Suppose you want the password of user marvin to expire after 30 days. The command is:
passwd marvin -x 30
Now suppose you want the password of user bender to expire after 14 days, and a message to be shown three days before the due date saying that the password must be changed. The command is the following:
passwd bender -x 14 -w 3
Now let's assume you want to see the status of user bender, to confirm the changes. Here is the command:
passwd bender -S
The result displayed in this example is:
bender P 12/11/2007 0 14 3 -1
The letter P above informs that user bender has a password. If he had none, NP would appear instead of P, and if the account were locked, the letter L would appear. Next, the date (in month/day/year format) tells you when the last password change occurred. The four following values indicate, respectively, the minimum period of password use, the maximum period (remember that you set it to 14 days?), the warning period (the 3 days you set) and, finally, the inactivity period (when there is no inactivity period, the result is -1).
As mentioned before, GNU/Linux uses the file /etc/shadow to handle users' passwords. The information in this file follows the pattern below (using the data of user toad as an example; the encrypted password is shown as a placeholder):
toad:<encrypted password>:13849:0:99999:7:::
As in /etc/passwd, the information in /etc/shadow is separated by : (colon). In the line above appear the user's name (toad), the encrypted password (which is why that field is such a long string of apparently meaningless characters), the date of the last change (13849), the minimum number of days the user must wait before changing the password (0), the maximum number of days within which the password must be changed (99999) and the number of days before the expiration date at which the system starts showing password-change warnings (7). The remaining fields (which are blank) are meant for account-expiration information but are rarely used.
You may wonder why dates are represented by a single number, such as 13849 above. This format indicates the number of days that have passed since 1 January 1970.
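As an added example (not the article's own code), the parser below reads /etc/shadow records, converts the day count since 1 January 1970 into a calendar date, and derives what passwd -S reports: the P/NP/L state and the expiry and warning dates that -x and -w control. The sample records are constructed and the hash strings are placeholders, not real password hashes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)   # shadow stores dates as a count of days since this day

@dataclass
class ShadowEntry:
    login: str
    hash: str                   # "" = no password; leading "!" or "*" = locked
    last_change: Optional[int]  # days since EPOCH, None if the field is empty
    min_days: int               # passwd -n
    max_days: int               # passwd -x
    warn_days: int              # passwd -w
    inactive_days: Optional[int]
    expire_day: Optional[int]

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field != "" else None

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"shadow record needs at least 8 fields: {line!r}")
    login, pw_hash, last, mn, mx, warn, inact, expire = fields[:8]
    return ShadowEntry(login, pw_hash, _opt_int(last), int(mn or 0), int(mx or 99999),
                       int(warn or 0), _opt_int(inact), _opt_int(expire))

def day_to_date(days: int) -> date:
    """13849 -> 2007-12-02: the single number is a day count since the epoch."""
    return EPOCH + timedelta(days=days)

def password_status(entry: ShadowEntry, today: str) -> dict:
    """Mirror passwd -S: state letter (P/NP/L), last change, expiry and
    warning-start dates as ISO strings, and whether the expiry date has passed."""
    now = date.fromisoformat(today)
    if entry.hash == "":
        state = "NP"
    elif entry.hash.startswith(("!", "*")):
        state = "L"
    else:
        state = "P"
    info = {"state": state, "changed": None, "expires": None, "warn_from": None, "expired": False}
    if entry.last_change is not None:
        changed = day_to_date(entry.last_change)
        expires = changed + timedelta(days=entry.max_days)
        info.update(changed=changed.isoformat(), expires=expires.isoformat(),
                    warn_from=(expires - timedelta(days=entry.warn_days)).isoformat(),
                    expired=now > expires)
    return info

# Constructed sample: toad as in the article, bender after `passwd bender -x 14 -w 3`,
# lestat locked with `passwd -l`, guest with an empty password field.
SAMPLE_SHADOW = """\
toad:$6$SALTxx$CONSTRUCTEDHASH:13849:0:99999:7:::
bender:$6$SALTxx$CONSTRUCTEDHASH:13829:0:14:3:::
lestat:!$6$SALTxx$CONSTRUCTEDHASH:13849:0:99999:7:::
guest::13849:0:99999:7:::
"""
```

Running password_status over every line of SAMPLE_SHADOW for a given day is how you would list accounts with expired passwords or with none at all.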
Dealing with groups in GNU/Linux is very similar to working with users. Here are the main commands available:
addgroup group: equivalent to the adduser command (including some of the same options), but it obviously creates groups instead of users;
groupdel group: is used to delete groups from the system;
newgrp group: with this command it is possible to change the user's effective group, that is, to switch from the group the user belongs to to another group of which the user is also a member. This operation is only carried out if the group has a password;
groups user: shows the groups a user belongs to. If you want to know the groups of user gandalf, for example, just type in a terminal:
groups gandalf
Group information is stored in the file /etc/group. This file also indicates which users belong to the existing groups; each group has a line with this information. Let's analyze the following line from an /etc/group file to better understand how this works:
AbbreviationFinder:x:1002:wester,toad,marvin
As in /etc/passwd and /etc/shadow, the fields of the line are separated by : (colon). In the example above, the first field indicates the group name (AbbreviationFinder). The second field holds the password (yes, it is possible to set passwords for groups, although this is rarely done); here x indicates the absence of a password. The third field gives the group's GID (1002) and, finally, the fourth field tells which users belong to the group. Note that, in this example, the users wester, toad and marvin are part of the group AbbreviationFinder. The list of users is separated by commas, with no spaces between names.
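The following is an added example, not code from the article: it reproduces what the groups command answers from the /etc/passwd and /etc/group formats (primary group from the passwd GID, supplementary groups from the member lists), plus the reverse lookup that tells who actually gets a group's rights on a directory like /accounting/. The sample files are constructed around the article's wester, toad, marvin and lestat accounts.

```python
from typing import Dict, List, Tuple

def parse_group_line(line: str) -> Tuple[str, str, int, List[str]]:
    """name:password:GID:member,member,...  (the member list may be empty)."""
    name, password, gid, members = line.rstrip("\n").split(":")
    return name, password, int(gid), [m for m in members.split(",") if m]

def primary_gids(passwd_text: str) -> Dict[str, int]:
    """login -> GID taken from the fourth field of each passwd record."""
    result = {}
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            result[fields[0]] = int(fields[3])
    return result

def groups_of(login: str, passwd_text: str, group_text: str) -> List[str]:
    """Primary group first, then supplementary groups in file order, like `groups`."""
    gid = primary_gids(passwd_text).get(login)
    if gid is None:
        raise KeyError(f"no such user: {login}")
    primary, extra = str(gid), []
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, group_gid, members = parse_group_line(line)
        if group_gid == gid:
            primary = name          # named primary group; never listed twice
        elif login in members:
            extra.append(name)
    return [primary] + extra

def members_of(group: str, passwd_text: str, group_text: str) -> List[str]:
    """Everyone with the group's rights: explicit members plus users whose
    primary GID is this group's GID (they need not be listed in /etc/group)."""
    for line in group_text.splitlines():
        if line.strip() and line.split(":")[0] == group:
            _n, _pw, gid, members = parse_group_line(line)
            by_primary = [u for u, g in primary_gids(passwd_text).items() if g == gid]
            return sorted(set(members) | set(by_primary))
    raise KeyError(f"no such group: {group}")

# Constructed sample files built around the article's examples.
SAMPLE_PASSWD = """\
wester:x:27182:1002:Wester:/home/wester:/bin/bash
toad:x:1003:1003:Toad:/home/toad:/bin/bash
marvin:x:1004:1004:Marvin:/home/marvin:/bin/bash
lestat:x:1005:1005:Lestat:/home/lestat:/bin/bash
"""
SAMPLE_GROUP = """\
adm:x:4:lestat
cdrom:x:24:lestat
audio:x:29:lestat
AbbreviationFinder:x:1002:wester,toad,marvin
toad:x:1003:
marvin:x:1004:
lestat:x:1005:
"""
```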
On this subject, you may find groups on your system that you do not remember creating. Suppose, for example, that you typed the command groups lestat to find out which groups user lestat participates in, and the result was the following:
lestat : lestat adm cdrom floppy audio video scanner lpadmin powerdev
Note that user lestat participates in several groups, one of which is his primary group, which bears his name. But where did the others come from? GNU/Linux has some groups considered “standard”, that is, groups that exist to allow users to perform certain tasks. The number and purpose of these groups may vary according to the GNU/Linux distribution and its configuration. Here are some quite common groups:
cdrom: group for the use of CD/DVD drives;
audio: group for access to the audio features of the computer;
video: group for access to the video resources of the computer;
floppy: group for the use of the floppy drive;
adm: group for access to administrative features.
Changing user information
If you can create and delete user accounts, you can also change them. This is easily done with the usermod command, whose operation is similar to that of adduser:
usermod options user
Here are some of its options:
usermod -d directory user: changes the user's “home” directory. Add -m to move the contents of the previous folder to the new one. For example:
usermod -d /financial -m peterpan
usermod -e date user: defines the expiration date of the user's account. In general, the date is given in year-month-day form (yyyy-mm-dd). For example:
usermod -e 2008-10-28 galadriel
usermod -l newname user: changes the user's login name. In the example below, user peterparker has his name changed to spiderman:
usermod -l spiderman peterparker
usermod -g gid user: changes the GID of the user's primary group. For example:
usermod -g 42 galadriel
usermod -s shell user: changes the user's shell;
usermod -u number user: changes the UID of the user's account.
GNU/Linux also has several other commands that help you manage and obtain information on users and groups. Here are a few:
logname: shows your own user name;
users: shows the users logged in to the system at the moment;
id: shows the user's identification data. Some options:
id user: displays the groups (and their respective GIDs) to which the user belongs;
id -g user: shows the GID of the user's group;
id -G user: displays the GIDs of all the user's groups (the letter G in uppercase);
id -u user: indicates the UID of the user.
finger user: shows detailed information about the user. If the command is typed alone (just finger), the system displays all users currently logged in to the operating system;
chfn user: command to change the user's additional information (full name, telephone number, etc.).
last: the last command is quite interesting and useful; it shows the last users who logged in to the system, the terminals they used, the hostname (when the connection is remote), the dates and times of use, as well as how long they stayed in the system. This data is usually obtained from the log file /var/log/wtmp. last also has options. Here are a few:
last -n number: shows only the most recent lines of the log. To set the number of lines, replace number with the desired value; for example, last -n 10 shows the ten most recent entries;
last -x: shows system shutdown data, as well as run-level change information;
last -R: makes the command omit the hostnames (the letter R in uppercase);
last -a: causes the hostnames to be displayed in the last column.
Today it is also possible to create and administer users in GNU/Linux through graphical interfaces, such as the one shown in the image below, a user-administration window of the Ubuntu distribution, displayed in the GNOME desktop environment. However, it is important to know how to do this task with commands, for the cases where only text mode (that is, a command terminal) is available, a situation that occurs primarily on servers. In addition, this learning helps in understanding how GNU/Linux and other Unix-based systems control groups and users.