Intro to User Administration

The system depends on users. Indeed, many systems are created only to service the end user in order to accomplish some form of meaningful work. The following sections describe which files and commands can be used to manipulate users and their environment.

User Configuration Files

The following two tables list several system files that contain critical user configuration settings. The first table shows the files that create a user's environment. Invoke the `env` command to see the effects of these files in action.

Table 3.9. User Administration Environment Files

File Location Description
'/home/{user}' or '/root' Typical home directory locations.
'/etc/skel' Contents copied to home directory of each new user.
'~/.bashrc' User level config file with custom aliases and functions.
'~/.bash_profile' User level config file with custom paths, variables, and environment settings.
'/etc/bashrc' System-wide functions and aliases.
'/etc/profile' System-wide profile settings that are executed at each user login. Sets paths, variables, etc. Runs the scripts in '/etc/profile.d'.
'/etc/profile.d' System-wide profile scripts that extend '/etc/profile', usually added by applications.

The following table lists the user configuration files as seen and maintained by the operating system. These files are what actually create and maintain a user's existence on the system. They can be edited directly, or manipulated through the command-line utilities described further down.

Table 3.10. User Administration Config Files

Config File Description
'/etc/passwd' World-readable file of user information.
'/etc/shadow' Restricted-access file with password and expiry info.
'/etc/group' World-readable file of group information.
'/etc/gshadow' Restricted-access group password, admin, membership info.

[Tip] Editing User Files Directly

If you edit these files directly, use `vipw` (for '/etc/passwd') and `vigr` (for '/etc/group'); with `-s` they edit the corresponding shadow file instead. Both lock the file while it is open, so a concurrent `useradd` or `passwd` cannot corrupt it.

Below is a sample of the structure of '/etc/passwd'.

    Name:Password:UID:GID:Comments:Homedir:Shell

    $ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    ntp:x:38:38::/etc/ntp:/sbin/nologin
    gdm:x:42:42::/var/gdm:/sbin/nologin
    bob:x:500:500:Bob Carnaghi:/home/bob:/bin/bash
    

Consider the structure of '/etc/shadow'. The "x" in the password field of '/etc/passwd' indicates that the actual password hashes have been moved to '/etc/shadow' in order to implement the shadow password system.

    Name:Password:Lastchange:May:Must:Warn:Disable:Expire

    # cat /etc/shadow
    root:$1$IyApEyOS$dZ5SMuC7Yw9/PDMyWi1H11:14373:0:99999:7:::
    sshd:!!:14373:0:99999:7:::
    ntp:!!:14373:0:99999:7:::
    gdm:!!:14373:0:99999:7:::
    bob:$1${...}:14374:7:30:7:7:14457:
  

The values in field 3 and field 8 are dates, rendered as a count of days elapsed since the start of the "Unix Epoch" (1/1/1970). The "{...}" marks where the actual password hash is stored.

The structure of '/etc/group' is shown below.

    Name:Password:GID:Users
  
    # cat /etc/group
    root:x:0:root
    bob:x:500:
    mary:x:502:
    sales:x:503:bob,mary
    training:x:504:scott
  

The example below shows the structure of '/etc/gshadow'.

    Name:Password:Admins:Members

    # cat /etc/gshadow
    root:::root
    bob:!::
    mary:!::
    sales:!::bob,mary
    training:!::scott
  

Commands for User Administration

The following table lists several utilities that can be invoked for user administration from the command line.

Table 3.11. User Administration CLI Tools

Command Description
`useradd`, `usermod`, `userdel` Create, modify, and delete user accounts.
`groupadd`, `groupmod`, `groupdel` Create, modify, and delete group accounts.
`chage` Modify password aging and expiration.
`chown [-R] <owner>[:<group>] <file or directory>` Change ownership of files and directories [Recursively].
`passwd` Set and/or change user passwords.

The GUI tool for managing users and groups is the Red Hat User Manager. It can be launched from the menu at System | Administration | Users and Groups or from the CLI as `system-config-users`.

Figure 3.2. Red Hat User Manager GUI

[Tip] Getting Meaningful Info from User Config Files

You can use the command `sort -t: -k3 -n /etc/group` to list the existing GIDs in numeric order, which helps when you need to choose a unique, out-of-sequence GID for a new group.

The following command is useful for converting the day counts in '/etc/shadow' to calendar dates:[7]

    date -d "1 January 1970 + $(tail -n 1 /etc/shadow | cut -d: -f3) days"
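The structures of '/etc/passwd' and '/etc/shadow' shown earlier, together with the date conversion just given, are enough to write a small audit of the account files. The script below is an added example, not part of the course notes: it embeds constructed sample data (SAMPLE_PASSWD and SAMPLE_SHADOW, with placeholder hashes apart from the root line taken from the listing above), converts a user's last-change and expiry day counts to calendar dates with GNU `date`, and flags three conditions a reviewer of these files looks for: a second UID 0 account, a UID shared by several accounts, and an account whose shadow password field is empty. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): audit constructed passwd/shadow data.
# SAMPLE_PASSWD and SAMPLE_SHADOW are constructed here; the hashes are placeholders.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
bob:x:500:500:Bob Carnaghi:/home/bob:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
svc:x:501:501::/var/svc:/bin/bash'

SAMPLE_SHADOW='root:$1$IyApEyOS$dZ5SMuC7Yw9/PDMyWi1H11:14373:0:99999:7:::
sshd:!!:14373:0:99999:7:::
bob:$1$PLACEHOLDER$notarealhash:14374:7:30:7:7:14457:
toor:$1$PLACEHOLDER$notarealhash:14373:0:99999:7:::
svc::14373:0:99999:7:::'

# Convert a shadow day count (days since 1970-01-01) to YYYY-MM-DD.
# Uses GNU date's "@seconds" form; -u avoids a local-timezone shift.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Print one shadow field (by number) for a named user; return 1 if the user is absent.
shadow_field() {
    val=$(printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; found = 1 } END { exit !found }') || return 1
    printf '%s\n' "$val"
}

# Last password change date for one user (field 3), the per-user case of footnote [7].
last_change_date() {
    days=$(shadow_field "$1" 3) || return 1
    days_to_date "$days"
}

# Account expiry date for one user (field 8); "never" when the field is empty.
expiry_date() {
    days=$(shadow_field "$1" 8) || return 1
    if [ -z "$days" ]; then echo never; else days_to_date "$days"; fi
}

# Flag: UID 0 accounts other than root, UIDs shared by several accounts,
# and accounts whose shadow password field is empty (login with no password at all).
audit_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (uid in count) if (count[uid] > 1) print "DUPUID " uid " " names[uid] }'
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print "NOPASS " $1 }'
}

# Stand-alone run: bob's dates from the sample, then the findings.
main() {
    echo "bob last change: $(last_change_date bob)"
    echo "bob expires:     $(expiry_date bob)"
    echo "root expires:    $(expiry_date root)"
    audit_accounts
}

main
```

Against the sample, bob's last change (14374) converts to 2009-05-10 and his expiry (14457) to 2009-08-01, while root, whose field 8 is empty, never expires. To run the same checks on a real host, replace the two sample variables with the contents of the real files (reading '/etc/shadow' requires root).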

Let's take a look at the `env` command.

Access Control Lists

File Access Control Lists provide more granular control of permissions; in fact, one can create some exotic access restrictions using this mechanism. The filesystem must be mounted with the 'acl' option or be configured with that option by default. There are three ways to enable the 'acl' mount option:

  • Use `mount -o acl` to mount the partition (non-persistently) with ACLs enabled.
  • Add 'acl' in the options field of '/etc/fstab' to persistently enable ACLs.
  • Use the command `tune2fs -o user_xattr,acl /path/to/device` to configure those attributes as default mount options.

The table below lists the key commands that are used to manipulate Access Control Lists.

Table 3.12. Access Control List Commands

Command Description
`getfacl` Used to view file ACL settings.
`setfacl` Used to configure file ACL settings.

Below is a listing that shows what ACL entries look like at the command line. The trailing "+" in the permission string printed by `ls -l` marks a file or directory that carries an ACL:

    $ getfacl acldir
    # file: acldir
    # owner: frank
    # group: frank
    user::rwx
    user:bob:-wx
    user:mary:rw-
    group::rwx
    mask::rwx
    other::r-x
    ...
    $ ls -l acldir
    drwxrwxr-x+ 2 frank frank 4096 2009-05-27 14:15 acldir
  
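The `mask::` entry in a `getfacl` listing is the part most often misread: it caps the rights of every named user, every named group and the owning group, while the owner (`user::`) and `other::` entries are never masked. The script below is an added example, not part of the course notes: it computes the effective rights of each entry from a constructed getfacl-style listing (SAMPLE_ACL, modelled on the one above but with the mask lowered to `r-x` and a `group:sales` entry added so that the masking is visible) and lists the entries whose stated rights the mask silently reduces. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): effective ACL rights under the mask.
# SAMPLE_ACL is constructed; its mask is r-x (the listing above has rwx).

SAMPLE_ACL='# file: acldir
# owner: frank
# group: frank
user::rwx
user:bob:-wx
user:mary:rw-
group::rwx
group:sales:rwx
mask::r-x
other::r-x'

# Print "<entry> effective=<rights>" for every entry except the mask itself.
# getfacl comment lines and any "#effective:" annotations are stripped first;
# default (inheritable) entries are skipped here to keep the example short.
effective_acl() {
    printf '%s\n' "$SAMPLE_ACL" | awk '
        # Bitwise AND of two rwx strings, position by position.
        function and_perms(a, b,    i, ca, r) {
            r = ""
            for (i = 1; i <= 3; i++) {
                ca = substr(a, i, 1)
                r = r ((ca != "-" && ca == substr(b, i, 1)) ? ca : "-")
            }
            return r
        }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*#.*$/, "") }
        /^default:/ { next }
        /^mask::/ { split($0, m, ":"); mask = m[3]; next }
        { entries[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(entries[i], f, ":")
                # user:: (owner) and other:: bypass the mask; everything else is capped by it.
                if ((f[1] == "user" && f[2] == "") || f[1] == "other" || mask == "") eff = f[3]
                else eff = and_perms(f[3], mask)
                print entries[i] " effective=" eff
            }
        }'
}

# Only the entries whose stated rights exceed what the mask actually grants.
masked_entries() {
    effective_acl | awk '{ split($1, f, ":"); sub(/^effective=/, "", $2); if (f[3] != $2) print $1 }'
}

# Stand-alone run: full table, then the reduced entries.
main() {
    effective_acl
    echo "--- entries reduced by the mask ---"
    masked_entries
}

main
```

With the `r-x` mask, `user:mary:rw-` is effectively `r--` and `user:bob:-wx` is effectively `--x`; the owning group and `group:sales` lose write as well, while `user::rwx` keeps full rights. Real `getfacl` output shows the same reduction as a `#effective:` comment on the affected lines, which the script strips before parsing.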

Reference Material for this Chapter

For this chapter's supporting material, please reference Chapters 7 & 8 in the RHCSA/RHCE Linux Certification Study Guide textbook.



[7] Note that this command deals only with the last line of the '/etc/shadow' file. The exercise is left to the reader to obtain the last changed date of a specific user.