Updated: 2014-11-26 02:35 EST
/etc/passwd
/etc/passwd
/etc/shadow
useradd – create new user
userdel – delete user
usermod – modify user information
chsh – change shell
passwd – change password
su – substitute userid
sudo – do command as another user
whoami – who am I
/etc/group
id and chown
/etc/passwd and /etc/shadow
useradd – add a user account
userdel – remove a user account (but not its HOME directory, unless you use the -r option)
usermod – modify userid info, e.g. userid, comment, UID, GID, HOME, etc.
chfn – change the Full Name (the GECOS/comment/name field)
chsh – change shell
passwd – change password
su – start a subshell (usually as root): log in as a new userid
sudo – execute a single command, or start a shell, as another userid
whoami – display only the current userid
/etc/group and /etc/gshadow
groupadd – create a new group
groupdel – delete a group
groupmod – modify group name, GID, password
gpasswd – manage groups: set group administrator, add/delete members
groups – display all current groups
newgrp – start a subshell: log in to a new group with a password
id – display user UID and group GID and groups
chown – change owner and/or group of a file system object
/etc/passwd
The /etc directory is where “Host-Specific Configuration” files are stored. Modifying the files there requires root privileges (via su or sudo).
/etc/passwd
When a user is created on the system, the following information is stored in seven colon-separated fields in /etc/passwd:
username:x:UID:GID:comment:home_directory:login_shell
1 2 3 4 5 6 7
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
1. username – the login userid (available as $USER or $LOGNAME in the shell)
2. x – the real encrypted password is stored in /etc/shadow
3. UID – the numeric user id
4. GID – the numeric primary group id – but users can be in more groups, too
5. comment – the GECOS/comment/name field
6. home_directory – e.g. /home/$USER
7. login_shell – e.g. /bin/bash
/etc/passwd is readable by everyone, but root access is needed for modifications (writing); commands such as passwd and chsh update it on your behalf.
The encrypted passwords are kept in /etc/shadow, accessible only by root.
The comment field has the GECOS name because it was used on the original Unix systems to store GECOS mainframe account information for printing.
/etc/shadow
The password field in /etc/passwd is replaced by an x and the user’s real encrypted password is stored in the second field of /etc/shadow.
/etc/shadow is only readable by the root user, so even the encrypted password is hidden and can’t be used in a password-cracking program.
/etc/shadow contains the user’s login userid, their encrypted password, and several fields relating to password expiry (see man shadow):
! – in the password field means the password (and thus account) is locked
* – in the password field indicates the account has been disabled
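As an added example that is not part of these notes, the POSIX shell script below audits passwd-format and shadow-format files for the things described in the two sections above: every account with UID 0, duplicate UIDs, accounts whose second passwd field is not the x that points at /etc/shadow, and the ! and * markers in the shadow password field. The sample entries, the fake hashes and the function names are constructed for this example; on a real system you would run the functions as root against the real files.

```shell
#!/bin/sh
# Added example (not from the original notes). Audits passwd/shadow-format
# files. The sample data below is constructed; the hashes are fake placeholders.

# Write constructed sample files into directory $1.
make_samples() {
    dir=$1
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second UID 0 account:/root:/bin/bash
legacy::1001:1001:no x in field 2:/home/legacy:/bin/sh
EOF
    cat >"$dir/shadow" <<'EOF'
root:$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASH:16400:0:99999:7:::
idallen:!$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASH:16400:0:99999:7:::
backup:*:16400:0:99999:7:::
toor:$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASH:16400:0:99999:7:::
legacy::16400:0:99999:7:::
EOF
}

# Field 3 (UID) of 0 is full privilege; only root should have it.
# Prints the matching userids, comma-separated.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1" | paste -s -d , -
}

# Two accounts sharing a UID are the same user to the kernel (compare the
# redshirt/goldshirt example below). Prints "UID:user1,user2" per duplicate.
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = (who[$3] == "" ? $1 : who[$3] "," $1) }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort
}

# Field 2 of passwd should be "x"; anything else means the password is not
# shadowed, or the field is empty and the account may need no password at all.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1" | paste -s -d , -
}

# Classify shadow entries by the start of field 2: "!" locked, "*" disabled,
# empty means no password is set, anything else is an active hash.
shadow_status() {
    awk -F: '{
        p = $2
        if (p == "")                     s = "nopassword"
        else if (substr(p, 1, 1) == "!") s = "locked"
        else if (substr(p, 1, 1) == "*") s = "disabled"
        else                             s = "active"
        print $1 ":" s
    }' "$1" | paste -s -d , -
}

# Stand-alone run: audit the constructed samples in a temporary directory.
tmp=$(mktemp -d)
make_samples "$tmp"
echo "UID 0:      $(uid0_accounts "$tmp/passwd")"
echo "dup UIDs:   $(duplicate_uids "$tmp/passwd")"
echo "unshadowed: $(unshadowed_accounts "$tmp/passwd")"
echo "shadow:     $(shadow_status "$tmp/shadow")"
rm -rf "$tmp"
```

Each function takes a file path, so `uid0_accounts /etc/passwd` and `sudo sh -c '. ./audit.sh; shadow_status /etc/shadow'` work unchanged on a real system; the sample data exists only so the script runs offline.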
useradd – create new user
Some systems also provide adduser as another name for useradd, but sometimes adduser is a different program with different options (e.g. Ubuntu).
userdel – delete user
Remember the -r option! If you delete a user without -r, you will leave a home directory with no owner! Files owned by deleted users and groups show up with numeric owners and groups in the output of ls:
# useradd redshirt
# id redshirt
uid=508(redshirt) gid=509(redshirt) groups=509(redshirt)
# ls -la /home/redshirt # shows redshirt owner and group
drwx------ 2 redshirt redshirt 4096 Nov 20 02:38 .
drwxr-xr-x. 13 root root 4096 Nov 20 02:38 ..
-rw-r--r-- 1 redshirt redshirt 18 Feb 21 2013 .bash_logout
-rw-r--r-- 1 redshirt redshirt 176 Feb 21 2013 .bash_profile
-rw-r--r-- 1 redshirt redshirt 124 Feb 21 2013 .bashrc
# userdel redshirt # does *NOT* remove HOME directory
# id redshirt
id: redshirt: No such user
# ls -la /home/redshirt # now shows numeric owner and group
drwx------ 2 508 509 4096 Nov 20 02:38 .
drwxr-xr-x. 13 root root 4096 Nov 20 02:38 ..
-rw-r--r-- 1 508 509 18 Feb 21 2013 .bash_logout
-rw-r--r-- 1 508 509 176 Feb 21 2013 .bash_profile
-rw-r--r-- 1 508 509 124 Feb 21 2013 .bashrc
# useradd goldshirt # new account gets same uid/gid
# id goldshirt
uid=508(goldshirt) gid=509(goldshirt) groups=509(goldshirt)
# ls -la /home/redshirt # old files now owned by goldshirt
drwx------ 2 goldshirt goldshirt 4096 Nov 20 02:38 .
drwxr-xr-x. 14 root root 4096 Nov 20 02:47 ..
-rw-r--r-- 1 goldshirt goldshirt 18 Feb 21 2013 .bash_logout
-rw-r--r-- 1 goldshirt goldshirt 176 Feb 21 2013 .bash_profile
-rw-r--r-- 1 goldshirt goldshirt 124 Feb 21 2013 .bashrc
# find / -user 508 -ls
usermod – modify user information
Change any of the information about a user account. This command changes the stored information about the account, usually kept in the password and group files.
The command modifies each account attribute separately. For example: changing the name of an account only changes its name. It doesn’t change the groups for that user, nor does it change the home directory.
Modifying user account information does not always automatically move or modify all the files owned by the account in the file system. If you change some account information, you may still have to walk the entire file system to find files owned by the old account and change them to match the new values you have set.
Using usermod:
Using both the -d and -m options, the usermod command is able to both change and move a home directory and all the files under it, e.g. usermod -m -d /home/bar foo
You must become root (using su or sudo) before you can change that user’s accounting information.
The last argument on the usermod command line must always be the login name of the existing account you want modified. Never put a new account name or directory last. RTFM!
-l – change the login name (the userid), but not the HOME directory
-p – change the encrypted password (this is not like passwd, since you must supply the encrypted password here)
-u – change the numeric user UID and also all HOME directory files
-g – change the numeric group GID and also all HOME directory files
-c – change the GECOS/comment/name field (can also use chfn)
-s – change the login shell (can also use chsh)
-d – change the HOME directory, but do not move the old one
-m – move the existing HOME directory to the new one, if used with -d
-L – lock an account by inserting ! in front of the password field
-U – unlock an account by removing ! from the password field
Using -d changes only the field in /etc/passwd; it does not actually move the old HOME directory to the new location unless you also give -m.
The -d option must be followed by the new HOME directory name; do not put the -m option in between the -d and the HOME directory.
If you use -d without using -m, you can’t do the command a second time with -m – it will say “nothing changed”, since you have already changed the name of the HOME in the password file. To do the command properly, you first have to put things back the way they were by using -d (without -m) to undo the change you made, then use -d with -m to redo the change.
chsh – change shell
Changes the login shell field in /etc/passwd – does not affect the current shell.
root can change the shells of other accounts.
passwd – change password
Changes the password field in /etc/passwd (or /etc/shadow).
root can change the passwords of other accounts.
su – substitute userid
See su below.
sudo – do command as another user
Execute a single command with another userid’s (usually root) privileges. See sudo below.
whoami – who am I
Same as id -un.
/etc/group
/etc/group and /etc/gshadow
Group information is stored in the /etc/group file.
/etc/group
When a group is created on the system, the following information is stored in four colon-separated fields in /etc/group:
groupname:x:GID:userid1,userid2,userid3
1 2 3 4
root:x:0:
cdrom:x:500:idallen,alleni
1. groupname
2. x – the real encrypted group password is stored in /etc/gshadow
3. GID – the numeric group id
4. the comma-separated list of member userids
/etc/group can be modified by root or by the Group Administrator for a group.
The group passwords are kept in /etc/gshadow, accessible only by root.
/etc/gshadow
The password field in /etc/group is replaced by an x and the group’s real encrypted password is stored in /etc/gshadow.
/etc/gshadow is only readable by the root user, so even the encrypted password is hidden and can’t be used in a password-cracking program.
/etc/gshadow contains the group name, the group encrypted password, an optional list of Group Administrators, and an optional list of Group Members (which should be the same as in /etc/group) (see man gshadow):
! – in the password field means the group password is locked
* – in the password field indicates the group cannot be logged into by non-members
groupadd, groupdel, groupmod, gpasswd, groups, id, newgrp
groupadd – create a new group in /etc/group
groupdel – remove a group from /etc/group
groupmod – modify the name or GID of a group in /etc/group
gpasswd – administer the /etc/group and /etc/gshadow files
root or a Group Administrator can add and delete individual members using -a and -d, or set the entire member list at once using -M
root can set the entire list of Group Administrators for a group using -A
groups – list all the groups a user belongs to
id – more detailed version of “groups” showing userid and numeric values
newgrp – (rarely used) use the group password to start a new shell with additional group privileges
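As an added example that is not part of these notes, the script below resolves group membership from passwd-format and group-format files the way the groups and id commands described above do, and it generalises slightly beyond the field description: a user’s primary group is field 4 of the passwd entry and need not appear in any /etc/group member list, so a membership check that reads only /etc/group misses those users, which matters for privileged groups. The sample entries (including a constructed ops account whose primary GID is the wheel group) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes). Resolves group membership from
# constructed passwd/group-format files the way the groups and id commands do.
# Sample data and function names are constructed for this example.

# Write constructed sample files into directory $1.
make_group_samples() {
    dir=$1
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:Super User:/root:/bin/bash
idallen:x:500:500:Ian! D. Allen:/home/idallen:/bin/bash
alleni:x:501:501:Other Allen:/home/alleni:/bin/bash
ops:x:502:10:primary group is wheel:/home/ops:/bin/bash
EOF
    cat >"$dir/group" <<'EOF'
root:x:0:
idallen:x:500:
alleni:x:501:
cdrom:x:24:idallen,alleni
wheel:x:10:idallen
adm:x:4:alleni
EOF
}

# All groups of user $2 in the "gid(name),..." form that id prints: the primary
# group comes from passwd field 4, then every group whose member list (group
# field 4) names the user.
user_groups() {
    dir=$1; user=$2
    awk -F: -v u="$user" '
        FNR == NR { if ($1 == u) primary = $4; next }      # first file: passwd
        {
            name[$3] = $1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && $3 != primary) supp = supp "," $3 "(" $1 ")"
        }
        END { if (primary != "") print primary "(" name[primary] ")" supp }
    ' "$dir/passwd" "$dir/group"
}

# Everyone in group $2: the explicit member list plus every account whose
# primary GID is that group. Reading only the group file misses the second kind.
members_of() {
    dir=$1; group=$2
    awk -F: -v g="$group" '
        FNR == NR {                                         # first file: group
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }             # second file: passwd
        END { for (u in seen) print u }
    ' "$dir/group" "$dir/passwd" | sort | paste -s -d , -
}

# Stand-alone run on the constructed samples.
tmp=$(mktemp -d)
make_group_samples "$tmp"
echo "idallen: $(user_groups "$tmp" idallen)"
echo "ops:     $(user_groups "$tmp" ops)"
echo "wheel members: $(members_of "$tmp" wheel)"
rm -rf "$tmp"
```

Both functions take a directory containing passwd and group files, so `members_of /etc wheel` runs the same check against the real files; compare its output with the member list in /etc/group alone to find accounts that hold the group only through their primary GID.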
su – substitute user or set userid
Example: su --login abcd0001
With no userid argument, su assumes the root user.
The - or --login option (options must be surrounded by spaces) means use a full login shell that clears the environment, sets groups and goes to the specified user’s home directory as if the user had just logged in.
Without it, you keep your old PATH and an unchanged current directory (that may not grant the new user any permissions!).
Without the --login function, you get a new shell with new permissions but much of your existing shell environment and your current directory are unchanged. You may not have a $PATH that includes system administration commands.
When running a shell with root privileges, most shells change the $ in your prompt to be a # character, to remind you that you have full permissions to change anything, so be careful. See the example below:
$ whoami ; pwd ; echo "$PATH"
idallen
/home/idallen
/bin:/usr/bin
$ su # assumes root; does not do full login
Password:
# whoami ; pwd ; echo "$PATH" # note new prompt includes '#' character
root
/home/idallen # current directory is unchanged
/bin:/usr/bin # PATH does not include system directories
# exit # exit the subshell; return to previous shell
$
$ whoami ; pwd ; echo "$PATH"
idallen
/home/idallen
/bin:/usr/bin
$ su - # assumes root; does full login this time
password: XXX
# whoami ; pwd ; echo "$PATH"
root
/root # current directory is now root HOME
/bin:/usr/bin:/sbin:/usr/sbin # PATH includes system directories now
# exit # exit the subshell; return to previous shell
$
sudo – do as if su
Run a single command with another userid’s (usually root) privileges.
Use it for individual root tasks (avoids running a whole shell as root).
The password sudo asks for is your account password, not the root password.
You must be listed in the /etc/sudoers file to use sudo.
The root account can use the visudo command to update file /etc/sudoers with the list of who is allowed to use sudo and which commands they are allowed to run.
The -i option to sudo functions the same way as the --login option to the su command. (RTFM)
Example use of sudo: $ sudo userdel -r someuser
$ whoami ; pwd
idallen
/home/idallen
$ sudo whoami
[sudo] password for idallen: XXXXXXXXXX
root
$ whoami
idallen
$ sudo id
uid=0(root) gid=0(root) groups=0(root)
$ sudo pwd
/home/idallen
$ sudo -i pwd
/root
$ whoami
idallen
$ wc /etc/shadow
wc: /etc/shadow: Permission denied
$ sudo wc /etc/shadow
48 48 1831 /etc/shadow
sudo, not su
For most actions that involve root privilege, use the sudo command to make the privilege change just for that one command. Do not start a root subshell (e.g. using su) until you have more experience. Mistakes made in a root subshell can destroy your system!
If you do start a full subshell using the su or sudo -s commands, remember to exit your subshell to return to your previous account. Don’t keep layering multiple subshells inside each other.
sudo doesn’t affect shell redirection
Remember that redirection is done by the shell before it runs a command, so sudo doesn’t affect the permissions of a redirection done in the same command line:
$ sudo echo "mygroup:x:123:" >>/etc/group
bash: /etc/group: Permission denied
Above, the redirection is done by the unprivileged shell, before the sudo
command is run, and so the redirection fails. More examples:
$ sudo touch foo >bar # foo is touched by root; bar is not
$ sudo cp /etc/shadow foo # foo is written by root
$ sudo cat /etc/shadow >bar # bar is *not* written by root
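As an added example that is not part of these notes, the script below first proves the point above (the shell opens the redirection target before the command even runs, so the target is opened with the caller’s permissions) and then shows the two usual ways to have the privileged process open the file instead: piping into `sudo tee -a`, or letting a `sudo sh -c` shell do the redirection. The PRIV variable and the function names are constructed for this example; PRIV is empty so the demo runs unprivileged on a scratch file, and setting `PRIV=sudo` in the environment makes the two append functions work on a root-owned file.

```shell
#!/bin/sh
# Added example (not from the original notes). PRIV is the privilege wrapper
# put in front of the privileged process; it is empty for this unprivileged
# demo and would be "sudo" on a real system.
PRIV=${PRIV-}

# The command name here is deliberately nonexistent, yet the shell still creates
# $1 before it can report "command not found": redirection comes first. With sudo
# in front the same thing happens with the caller's permissions, which is why
# "sudo cmd >file" fails on a root-owned file. Prints "created" or "missing".
redirect_happens_first() {
    out=$1
    rm -f "$out"
    definitely_not_a_command_xyz >"$out" 2>/dev/null || true
    if [ -e "$out" ]; then echo created; else echo missing; fi
}

# Pattern 1: the privileged process (tee) opens the file for appending.
append_via_tee() {
    file=$1; line=$2
    printf '%s\n' "$line" | $PRIV tee -a "$file" >/dev/null
}

# Pattern 2: run a whole privileged shell so that shell does the redirection.
# The line and file are passed as positional parameters, never spliced into
# the script text, so their contents cannot change what the shell runs.
append_via_sh() {
    file=$1; line=$2
    $PRIV sh -c 'printf "%s\n" "$1" >>"$2"' sh "$line" "$file"
}

# Stand-alone demo on a scratch file without any privilege wrapper.
tmp=$(mktemp -d)
redirect_happens_first "$tmp/out"
append_via_tee "$tmp/out" "mygroup:x:123:"
append_via_sh "$tmp/out" "othergroup:x:124:"
cat "$tmp/out"
rm -rf "$tmp"
```

Editing /etc/group by hand is still the wrong tool (use groupadd, as these notes do); the append functions illustrate the redirection rule for any root-owned file.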
newgrp – log in to a new group
id and chown
These commands deal with both the user/owner and the groups/group.
The match between your logged-in user/groups and the file system owner/group determines the permissions you have on a file system object.
id – show user and UID, groups and GIDs
The id command tells you everything about your logged-in account.
$ id
uid=777(idallen) gid=777(idallen) groups=777(idallen),4(adm),6(disk)
On SELinux systems, you are also shown information about your security context.
chown – change owner and/or group of file system object
The command that changes the owner and/or group of a file system object (e.g. of a file, directory, etc.) is chown. Only the root user can change the owner of an object. The owner of an object can change the group of an object to any one of his/her list of groups.
You can change both the owner and the group by separating the two with a colon character, you can change just the owner by leaving off the colon and the group, and you can change just the group by leaving off the owner while keeping the leading colon character:
# chown idallen:staff mydir # change both user and group
# chown idallen mydir # change only the owner, not the group
# chown :staff mydir # change only the group; use a leading colon