One of the key components of any system is its users and groups. Linux is no different. Let’s get right into it.
The important files
So there are three important files when talking about users and groups. They are..
/etc/passwd
This file (despite its name) stores the locally defined user accounts. Each line of the file is for a single user. For instance…
[root@CentosBox etc]# more /etc/passwd | grep test
test_user:x:500:500::/home/test_user:/bin/bash
A line is broken into a couple of fields delimited by a colon. Here’s what each field is starting from the left..
Username
Place holder – Used to be the encrypted password
User ID (UID) – User defined users should have a UID that’s above 500. 0 is reserved for root and 1-499 are system defined (for daemons etc).
Group ID (GID) – Every user has a ‘primary group’ created for them. They are the only people that can be a member of this group. The GID field represents this group.
Comment Field – I guess it’s actually the ‘name’ field in the GUI
Home Directory – The user’s home directory
Login Shell – The user’s login shell
/etc/shadow
This file keeps track of the locally defined user passwords as well as account items related to things like password aging, password expiration, and so on. A line in the file would look like this…
[root@CentosBox etc]# more /etc/shadow | grep test_user
test_user:$1$/6caNEpK$C4Xo005ZQ3FckzMDwTmc31:15532:0:99999:7:::
The first field shows the user name. The second field is related to account status. For instance, if I create an account and don’t set the password it will show as $!!$. If I lock the account, it might show as $!$. Seems that if everything is in order it looks like $1$. The third field is the encrypted password. And the fourth field is really another set of colon delimited integers. These relate to the aforementioned account settings. These can be set/read with the ‘chage’ command…
[root@CentosBox etc]# chage -l test_user
Last password change : Jul 11, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
/etc/group
This file keeps track of the locally defined groups and their members. Again, it’s pretty straight forward. Here I created a group called ‘test’ and added two users to it (test_user and test_user2).
[root@CentosBox etc]# more /etc/group | grep test
test_user:x:500:
test:x:501:test_user2,test_user
test_user2:x:502:
Note that the grep returned the primary group numbers for each of the users as well. The group ‘test’ has a secondary group ID of 501 and has members test_user2 and test_user in it. The second field (shown as an ‘x’) is described as ‘password’. Not sure what the deal with that is though.
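Since all three files are just colon-delimited text, the checks an admin does by eye (is there a second UID 0 account? does every primary GID exist in /etc/group? does anyone have an empty password field?) are easy to script. The following is an added example, not code from the original post: it parses passwd, shadow and group contents in the layouts shown above and reports findings. The file contents are constructed (the post’s test_user lines plus a few extra accounts that trigger the checks), and the password_status codes mirror the NP/LK/PS codes that passwd -S prints.

```python
"""Audit passwd/shadow/group contents for the things an admin checks by hand.

Added example, not from the original post. Sample file contents below are
constructed: the post's test_user entries plus extra accounts (toor, orphan)
that exercise the checks.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample files (not copied from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test_user:x:500:500::/home/test_user:/bin/bash
test_user2:x:501:502::/home/test_user2:/bin/bash
toor:x:0:0::/root:/bin/bash
orphan:x:503:999::/home/orphan:/bin/bash
"""

SHADOW = """\
root:$1$XyZabc12$CONSTRUCTEDHASHVALUE0000:15532:0:99999:7:::
bin:*:15532:0:99999:7:::
test_user:$1$/6caNEpK$C4Xo005ZQ3FckzMDwTmc31:15532:0:99999:7:::
test_user2:!!:15532:0:99999:7:::
toor::15532:0:99999:7:::
orphan:!$6$saltsalt$CONSTRUCTEDHASHVALUE0001:15532:0:30:7:::
"""

GROUP = """\
root:x:0:
bin:x:1:
test_user:x:500:
test:x:501:test_user2,test_user
test_user2:x:502:
"""


@dataclass
class User:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, User]:
    """name -> User, from the seven colon-separated passwd fields."""
    users: Dict[str, User] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _comment, home, shell = line.split(":")
        users[name] = User(name, int(uid), int(gid), home, shell)
    return users


def parse_shadow(text: str) -> Dict[str, dict]:
    """name -> {'pw': hash field, 'lastchg', 'min', 'max', 'warn'} (None when empty)."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")  # nine fields; the trailing ones are usually empty
        ints = [int(x) if x else None for x in f[2:6]]
        entries[f[0]] = dict(pw=f[1], lastchg=ints[0], min=ints[1], max=ints[2], warn=ints[3])
    return entries


def parse_group(text: str) -> Dict[int, str]:
    """gid -> group name (enough to validate the primary GIDs in passwd)."""
    return {int(line.split(":")[2]): line.split(":")[0] for line in text.splitlines() if line}


def password_status(pw: str) -> str:
    """Same codes passwd -S prints: NP (no password), LK (locked), PS (password set)."""
    if pw == "":
        return "NP"
    if pw[0] in "!*":
        return "LK"
    return "PS"


def crypt_scheme(pw: str) -> Optional[str]:
    """Name the hash scheme from the $id$salt$hash prefix; None when there is no hash."""
    h = pw.lstrip("!")  # a locked account keeps its original hash behind the '!'
    if h in ("", "*"):
        return None  # '!!', '*', or empty: nothing to log in with
    if not h.startswith("$"):
        return "DES crypt (legacy)"
    ids = {"1": "MD5 crypt", "5": "SHA-256 crypt", "6": "SHA-512 crypt"}
    return ids.get(h.split("$")[1], "unknown crypt id")


def audit(passwd: str, shadow: str, group: str) -> List[str]:
    """Return one finding per problem, in passwd order."""
    users, groups, shadows = parse_passwd(passwd), parse_group(group), parse_shadow(shadow)
    findings: List[str] = []
    seen_uid: Dict[int, str] = {}
    for u in users.values():
        if u.uid == 0 and u.name != "root":
            findings.append(f"{u.name}: UID 0 but not root")
        if u.uid in seen_uid:
            findings.append(f"{u.name}: UID {u.uid} duplicates {seen_uid[u.uid]}")
        seen_uid.setdefault(u.uid, u.name)
        if u.gid not in groups:
            findings.append(f"{u.name}: primary GID {u.gid} missing from group file")
        sh = shadows.get(u.name)
        if sh is None:
            findings.append(f"{u.name}: no shadow entry")
            continue
        status = password_status(sh["pw"])
        if status == "NP" and not u.shell.endswith(("nologin", "false")):
            findings.append(f"{u.name}: empty password with login shell {u.shell}")
        # chage -l prints 'never' for the expiry date when max is unset or >= 10000 days
        if status == "PS" and (sh["max"] is None or sh["max"] >= 10000):
            findings.append(f"{u.name}: {crypt_scheme(sh['pw'])} password never expires (max={sh['max']})")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, GROUP):
        print(finding)
```

Run it against real files by reading /etc/passwd, /etc/shadow (root only) and /etc/group into the three strings; the parsers don’t touch anything on disk themselves.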
Other useful commands for users and groups
So let’s imagine that I just created the test_user user (which I did by the way). I would have done something like this…
[root@CentosBox etc]# useradd test_user
That’s it. The only other thing I have to do is to set the user’s password. This is done with the ‘passwd’ command.
[root@CentosBox etc]# passwd test_user
Changing password for user test_user.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Now the account is ready to use. What if we wanted to add the user to a group though? That’s done with the ‘usermod’ tool. We’d do something like this…
[root@CentosBox etc]# usermod -aG test test_user
Make SURE you include the -a flag in the usermod command. The ‘a’ stands for append, and without it, you are removing the user from any previously defined group they were in.
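To make the -a pitfall concrete, here is an added example (not from the original post) that models what usermod -G does to the member lists in a group file with and without -a, and a pre-check that tells you which groups a user would silently drop out of if -a were forgotten. The group file contents are constructed from the entries shown earlier plus a wheel group; the function names are my own, not usermod options.

```python
"""Model usermod -G (replace) versus usermod -aG (append) on a group file.

Added example, not from the original post. Only the member list (fourth
field) is modelled; usermod -G never touches the user's primary group.
"""
from typing import Dict, List

# Constructed group file: the post's entries plus a wheel group.
GROUP = """\
root:x:0:
wheel:x:10:
test_user:x:500:
test:x:501:test_user2,test_user
test_user2:x:502:
"""


def parse_group(text: str) -> Dict[str, List[str]]:
    """group name -> member list from the comma-separated fourth field."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line:
            name, _pw, _gid, members = line.split(":")
            groups[name] = [m for m in members.split(",") if m]
    return groups


def supplementary_groups(groups: Dict[str, List[str]], user: str) -> List[str]:
    """Groups that list the user as a member (not the primary group)."""
    return sorted(g for g, members in groups.items() if user in members)


def usermod_G(groups: Dict[str, List[str]], user: str,
              new_groups: List[str], append: bool) -> Dict[str, List[str]]:
    """Membership after `usermod -G` (append=False) or `usermod -aG` (append=True).

    Without -a the supplied list replaces the user's supplementary groups, so
    every existing membership is dropped first. Returns a new dict; the input
    is left untouched.
    """
    result = {g: list(m) for g, m in groups.items()}
    if not append:
        for members in result.values():
            if user in members:
                members.remove(user)
    for g in new_groups:
        if g not in result:
            raise KeyError(f"group {g} does not exist")
        if user not in result[g]:
            result[g].append(user)
    return result


def membership_lost(groups: Dict[str, List[str]], user: str,
                    new_groups: List[str]) -> List[str]:
    """Groups the user would be removed from by running usermod -G without -a."""
    before = set(supplementary_groups(groups, user))
    after = set(supplementary_groups(usermod_G(groups, user, new_groups, False), user))
    return sorted(before - after)


if __name__ == "__main__":
    g = parse_group(GROUP)
    print("before:", supplementary_groups(g, "test_user"))
    print("usermod -aG wheel:", supplementary_groups(usermod_G(g, "test_user", ["wheel"], True), "test_user"))
    print("usermod -G wheel:", supplementary_groups(usermod_G(g, "test_user", ["wheel"], False), "test_user"))
    print("lost without -a:", membership_lost(g, "test_user", ["wheel"]))
```

The same check can be done on a live box by comparing the output of id for the user before and after the usermod call.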
We can also use usermod to lock and unlock accounts with the ‘-L’ and ‘-U’ flags.
[root@CentosBox etc]# usermod -L test_user
[root@CentosBox etc]# passwd -S test_user
test_user LK 2012-07-10 0 99999 7 -1 (Password locked.)
[root@CentosBox etc]# usermod -U test_user
[root@CentosBox etc]# passwd -S test_user
test_user PS 2012-07-10 0 99999 7 -1 (Password set, MD5 crypt.)
Also, if you ever want a quick run down on a user, use the ‘id’ command.
[root@CentosBox etc]# id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),500(AwesomeRootGroup)
This tells us the user ID, the primary group ID, and which groups the user is in.
Now let’s say I want to clean all of this up. Easy, just use the ‘userdel’ and ‘groupdel’ commands.
[root@CentosBox etc]# groupdel test
[root@CentosBox etc]# userdel -r test_user
[root@CentosBox etc]# userdel -r test_user2
The -r flag tells the command to clean up the directories defined for that user as well. If you don’t, you’ll need to clean up those directories manually.