# Management of users and groups.

## Preliminary notes on using this notebook.

The notebooks in this course have been designed to run inside one of the virtual machines provided by Cloudevel<sup>®</sup>.

These virtual machines are configured with a user with administration permissions.

* User: ```oi```.
* Password: ```0p3n5t4ck```.

If you run the following cells on a different system, they most likely won't work.

**WARNING:** Privilege escalation on a system can have serious consequences if used recklessly. It is strongly recommended that you use the commands in this notebook in a test environment.

## Access control through users and groups.

Directories, files and processes on *UNIX* and *GNU/Linux* systems are linked from their creation to a user and to a group of users.

Similarly, each of these items is assigned a set of permissions for the owning user, the owning group, and all other users.

Users do not necessarily have to be people who access the system. It is also possible to create special users who are assigned certain applications or specific services.

**Example:**

The virtual machine provided by Cloudevel<sup>®</sup> has the *Apache* web server up and running.

The Apache server is configured to display the contents of the ```/var/www/html``` directory at http://localhost:8980.

* The next cell will display the extended listing of ```/var/www/html```.

In [None]:
ls -al /var/www/html

The result is something similar to the following:

```
total 500
drwxr-xr-x 2 root root   4096 May 10 05:05 .
drwxr-xr-x 3 root root   4096 May 10 05:01 ..
-rw-rw-r-- 1 oi   oi   489252 Jan 31 10:28 adminer.php
-rw-r--r-- 1 root root  10918 May 10 05:02 index.html
```

* The third column indicates the name of the user who owns the file.
* The fourth column indicates the name of the group that owns the file.

## The ```root``` user.

The ```root``` user is the system administrator or superuser and has access to all system resources.

The home directory of ```root``` is ```/root/```.

**Warning:** Never log in to a system as ```root``` unless absolutely necessary. It is recommended to create a user other than ```root``` for everyday activities.

Some *GNU/Linux* distros do not assign a password to ```root``` upon installation, so it is necessary to define a user capable of escalating their privileges.

## User privilege escalation.

It is possible to grant superuser privileges to a user to execute a particular command, as long as they are authorized.

### The ```sudo``` command.

This command allows authorized users to run a command with ```root``` privileges.

Usually the user running the ```sudo``` command is required to enter their password.

```
sudo <options> <command>
```

* If you run ```sudo``` with no options, the command will be executed as if you were ```root```.


**WARNING:** The virtual machines provided by Cloudevel<sup>®</sup> allow the user ```oi``` to use the ```sudo``` command without the need to enter a password. This is not a good practice, so these virtual machines should not be used for purposes other than educational ones.

**Example:**

* The next cell will try to list the contents of the ```/root``` directory.
* Because the user ```oi``` does not have the access permissions, an error will be generated.

In [None]:
ls /root

* The next cell will execute the previous command with privileges escalated by ```sudo```.

In [None]:
sudo ls -al /root

#### Some options.

* ```-u``` or ```--user``` defines the user the command will be executed as. The default user is ```root```.
* ```-g``` or ```--group``` defines the primary group the command will be executed with. If it is not given, the primary group of the target user is used.
* ```-H``` or ```--set-home``` sets the ```HOME``` environment variable to the *home* directory of the target user.

#### The *man page* for ```sudo```.

In [None]:
man sudo

### The ```/etc/sudoers```.

The ```/etc/sudoers``` file contains the configuration of the users enabled to run the ```sudo``` command.

**Example:**

* The next cell will display the contents of the system ```/etc/sudoers``` file.

In [None]:
sudo cat /etc/sudoers

### The ```visudo``` command.

The ```/etc/sudoers``` file is protected and should not be edited directly.

The ```visudo``` command allows you to edit that file safely if you have the privileges: it locks the file while it is being edited and checks its syntax before saving it.

#### The *man page* for ```visudo```.

In [None]:
man visudo
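As an added example (not part of the Cloudevel notebook), the following shell functions scan sudoers-style text for rules that grant commands without a password, which is the configuration the warning above describes for the user ```oi```. They assume a Debian-style layout, read the rules from standard input, and the sample file is constructed here.

```shell
# Constructed sample in the layout of a Debian-style /etc/sudoers (not a real file).
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin and sudo groups may gain root privileges
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

# Passwordless rules, acceptable only in a lab
oi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync

# Disabled rule: comment lines are ignored by sudo
# olduser ALL=(ALL) NOPASSWD: ALL
'

# Read sudoers text from stdin and print "<who> <commands>" for every active
# rule that contains the NOPASSWD tag. Blank lines and comments are skipped;
# group rules keep their leading %.
find_nopasswd() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *NOPASSWD:*)
                who=$(printf '%s\n' "$line" | awk '{ print $1 }')   # user or %group
                cmds=${line#*NOPASSWD:}                              # text after the tag
                cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//')
                printf '%s %s\n' "$who" "$cmds"
                ;;
        esac
    done
}

# Count the rules that grant NOPASSWD for every command (ALL), the riskiest form.
count_nopasswd_all() {
    find_nopasswd | awk '$2 == "ALL" { n++ } END { print n + 0 }'
}

# Check a candidate sudoers file for syntax errors before installing it.
# "visudo -c -f FILE" checks only the named file; skipped where visudo is absent.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed, syntax check skipped" >&2
    fi
}

# Usage on the constructed sample:
printf '%s' "$SAMPLE_SUDOERS" | find_nopasswd
```

Run the same functions on the output of ```sudo cat /etc/sudoers``` to audit the virtual machine itself.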

## The ```/etc/passwd``` file.

This file contains the list of system users, one per line, in the following format:

```
<user>:<password>:<uid>:<gid>:<name>:<homedir>:<shell>
```

Where:

* ```<user>``` is the name of the user.
* ```<password>``` is the user's password, which is usually defined in ```/etc/shadow``` and replaced by ```x```.
* ```<uid>``` is the user id number.
* ```<gid>``` is the identifier number of the user's primary group.
* ```<name>``` is the real name of the user.
* ```<homedir>``` is the path to the user's *home*.
* ```<shell>``` is the shell that will be executed when the user accesses a terminal.

* The next cell will display the contents of the system ```/etc/passwd``` file.

In [None]:
cat /etc/passwd

## The ```/etc/group``` file.

This file stores a list of groups and the users that belong to them.

```
<group>:<password>:<gid>:<user 1>,<user 2>,...,<user n>
```

Where:

* ```<group>``` is the name of the group.
* ```<password>``` is the group password, which is commonly stored in ```/etc/shadow```, with an ```x``` placed in this file instead.
* ```<gid>``` is the group identifier number.
* Each ```<user n>``` is the name of one of the users belonging to the group.

* The next cell will display the contents of the system ```/etc/group``` file.

In [None]:
cat /etc/group
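As an added example that is not part of the notebook, the following shell functions resolve a user's groups from the two formats just described, reproducing what ```groups <user>``` reports, and flag accounts other than ```root``` that carry UID ```0```. The ```/etc/passwd``` and ```/etc/group``` contents are constructed samples embedded in the script; pass the real files' contents to run it against a system.

```shell
# Constructed /etc/passwd sample (the "backdoor" line is a planted finding).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oi:x:1000:1000:oi:/home/oi:/bin/bash
cloudevel:x:1001:1001::/home/cloudevel:/bin/bash
backdoor:x:0:0::/root:/bin/bash
'

# Constructed /etc/group sample.
GROUP_SAMPLE='root:x:0:
adm:x:4:oi
sudo:x:27:oi
www-data:x:33:
oi:x:1000:
cloudevel:x:1001:
estudiantes:x:1002:cloudevel,oi
'

# Primary GID of a user: fourth field of the passwd line whose first field matches.
primary_gid() {
    printf '%s' "$2" | awk -F: -v u="$1" '$1 == u { print $4 }'
}

# Group name for a GID: first field of the group line whose third field matches.
group_name() {
    printf '%s' "$2" | awk -F: -v g="$1" '$3 == g { print $1 }'
}

# Supplementary groups: every group whose member list (fourth field) names the user.
supplementary_groups() {
    printf '%s' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }'
}

# Same shape as the output of `groups`: primary group first, then the others.
# Arguments: user, passwd text, group text. Fails if the user does not exist.
user_groups() {
    gid=$(primary_gid "$1" "$2")
    [ -n "$gid" ] || return 1
    printf '%s' "$(group_name "$gid" "$3")"
    for g in $(supplementary_groups "$1" "$3"); do printf ' %s' "$g"; done
    printf '\n'
}

# Defender check: only root should have UID 0. Prints any other UID 0 account.
extra_uid0_accounts() {
    printf '%s' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

user_groups oi "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
extra_uid0_accounts "$PASSWD_SAMPLE"
```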

### The *man page* of ```/etc/group```.

In [None]:
man group

## The ```/etc/shadow``` file.

This file stores the encrypted (hashed) passwords of the users, one per line, in the following format:

```
<name>:<passwd>:<date>:<min age>:<max age>:<warning>:<inactivity>:<expiration>
```

Where:

* ```<name>``` is the name of the user or group.
* ```<passwd>``` is the encrypted password of the user or group.
* ```<date>``` is the timestamp of the last password change.
* ```<min age>``` is the minimum number of days the password must exist before it can be changed. Normally it is ```0```.
* ```<max age>``` is the maximum number of days the password may exist before it must be changed. Normally it is ```99999```.
* ```<warning>``` is the number of days of warning before the password expires.
* ```<inactivity>``` is the number of days after expiration during which a suspended account can still be reinstated.
* ```<expiration>``` is the timestamp of the date the password will expire.

* The next cell will display the contents of the system file ```/etc/shadow```.

In [None]:
sudo cat /etc/shadow
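As an added example (not from the notebook), the following shell functions parse shadow-format lines and flag what a defender looks for: an empty password field, a second field that is not a hash (which is what the ```-p``` option of ```useradd``` leaves behind when given a plain-text value, as in the ```useradd``` example later in this notebook), and passwords that have passed ```<date>``` plus ```<max age>```. The sample is constructed and its hash values are placeholders; the ```<date>``` field counts days since 1970-01-01.

```shell
# Constructed shadow sample; "$6$..." and "$y$..." values are placeholders, not real hashes.
SHADOW_SAMPLE='root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19500:0:99999:7:::
oi:$y$PLACEHOLDERSALT$PLACEHOLDERHASH:19500:0:99999:7:::
www-data:*:19000:0:99999:7:::
cloudevel:123qwe:19600:0:99999:7:::
guest::19600:0:99999:7:::
olduser:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:90:7:::
'

# Classify the password field. Real hashes start with "$" ($6$ SHA-512,
# $y$ yescrypt, ...); "*" and "!..." mean the account is locked; an empty
# field means the account has no password at all.
classify_passwd_field() {
    case "$1" in
        '')       echo empty ;;
        '$'*)     echo hashed ;;
        '*'|'!'*) echo locked ;;
        *)        echo plaintext ;;
    esac
}

# Print "<user> <finding>" for every line that needs attention.
# Arguments: shadow text, and "today" as days since 1970-01-01 (the unit of <date>).
audit_shadow() {
    today=$2
    printf '%s' "$1" | while IFS=: read -r name pw last min max warn inact expire; do
        kind=$(classify_passwd_field "$pw")
        case "$kind" in
            empty)     echo "$name no-password" ;;
            plaintext) echo "$name unhashed-password" ;;
        esac
        # Expired when the last change plus the maximum age lies before today.
        if [ "$kind" = hashed ] && [ -n "$max" ] && [ $((last + max)) -lt "$today" ]; then
            echo "$name password-expired"
        fi
    done
}

# Usage on the constructed sample with a fixed "today" (day 19700):
audit_shadow "$SHADOW_SAMPLE" 19700
```

On a real system feed it ```sudo cat /etc/shadow``` and ```$(( $(date +%s) / 86400 ))``` as the second argument.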

### The *man page* of ```/etc/shadow```.

In [None]:
man shadow

## User Management.


The default commands used in *UNIX* and *GNU/Linux* for user management are:

* ```useradd```
* ```userdel```

In some *GNU/Linux* distributions the following commands are available, which are scripts that facilitate the use of the previously listed commands:

* ```adduser```
* ```deluser```

### Creating users with ```useradd```.

```
useradd <opciones> <nombre>
```

Where:

* ```<options>``` are user configuration options.
* ```<name>``` is the name of the user.

#### Main options of ```useradd```.

* ```-b``` or ```--base-dir``` defines the directory in which the *shell* will be located when a user logs into a terminal. By default this is the user's *home* directory.
* ```-c``` or ```--comment``` defines the text that will be added to the user's real name field.
* ```-d``` or ```--home-dir``` defines the path of the user's *home* directory.
* ```-g``` or ```--gid``` defines the ```GID``` of the user's primary group.
* ```-G``` or ```--groups``` defines a comma-separated list of additional groups to which the user belongs.
* ```-m``` or ```--create-home``` tells the system to create the user's *home* directory.
* ```-p``` or ```--password``` defines the user's password. This is not recommended, since the value given is stored as-is and will not be encrypted in the ```/etc/shadow``` file.
* ```-r``` or ```--system``` indicates that the account is a system user.
* ```-s``` or ```--shell``` defines the *shell* of the user.
* ```-u``` or ```--uid``` defines the ```UID``` of the user.
* ```-U``` or ```--user-group``` defines the name of the user's primary group.

**Example:**

* The following cell will create the user ```cloudevel``` along with their *home* directory with the following data:
  * *Home* directory: ```/home/cloudevel```
  * Shell: ```/bin/bash```
  * Password: ```123qwe```

The rest of the data will be defined by the system.

In [None]:
sudo useradd cloudevel -d /home/cloudevel -m -s /bin/bash -p 123qwe 

* The next cell will detail the contents of the ```/home/cloudevel``` directory.

In [None]:
sudo ls /home/cloudevel -al

* The next cell will show the line from the ```/etc/passwd``` file of the user ```cloudevel```.

In [None]:
grep cloudevel /etc/passwd

* The next cell will display the line from the ```/etc/group``` file containing the string ```cloudevel```.

In [None]:
grep cloudevel /etc/group

* The next cell will show the line from the ```/etc/shadow``` file of the user ```cloudevel```.

In [None]:
sudo grep cloudevel /etc/shadow

#### The manpage for ```useradd```.

In [None]:
man useradd

### Deleting users with ```userdel```.

```
userdel <opciones> <nombre>
```

Where:

* ```<options>``` are user configuration options.
* ```<name>``` is the name of the user.

#### Main options of ```userdel```.

* ```-r``` or ```--remove``` will remove the user's *home* directory with all its contents.
* ```-f``` or ```--force``` will remove the user even if they are logged into the system.

**Example:**

* The next cell will remove the user ```cloudevel``` and their *home* directory.

In [None]:
sudo userdel cloudevel -r

* The next cell will detail the contents of the ```/home/cloudevel``` directory.

In [None]:
sudo ls /home/cloudevel -al

* The next cell will display lines from the ```/etc/passwd``` file that include the string ```cloudevel```.

In [None]:
grep cloudevel /etc/passwd

* The next cell will display lines from the ```/etc/group``` file that include the string ```cloudevel```.

In [None]:
grep cloudevel /etc/group

* The next cell will display lines from the ```/etc/shadow``` file that include the string ```cloudevel```.

In [None]:
sudo grep cloudevel /etc/shadow

#### The ```userdel``` *man page*.

In [None]:
man userdel

### Modifying an existing user.

The ```usermod``` command allows you to change the settings of an existing user.


```
usermod <opciones> <usuario>
```

Where:

* ```<options>``` are the possible options of the command.
* ```<user>``` is the name of the user to modify.

#### Main options of ```usermod```.

* ```-c``` or ```--comment``` defines the new text that will be added to the user's real name field.
* ```-d``` or ```--home``` defines the path of the user's new *home* directory.
* ```-g``` or ```--gid``` defines the ```GID``` of the user's home group.
* ```-G``` or ```--groups``` defines a sequence of groups to which the user belongs.
* ```-l``` or ```--login``` defines the new username.
* ```-m``` or ```--move-home``` tells the system to change the user's *home* directory to the specified path.
* ```-p``` or ```--password``` defines the user's password. This is not recommended, since the value given is stored as-is and will not be encrypted in the ```/etc/shadow``` file.
* ```-r``` or ```--system``` indicates that the account is a system user.
* ```-s``` or ```--shell``` defines the *shell* of the user.
* ```-u``` or ```--uid``` defines the ```UID``` of the user.
* ```-U``` or ```--user-group``` defines the name of the user's home group.

* The following cell will create the user ```cloudevel``` along with their *home* directory with the following data:
  * *Home* directory: ```/home/cloudevel```
  * Shell: ```/bin/bash```
  * Password: ```123qwe```

The rest of the data will be defined by the system.

In [None]:
sudo useradd cloudevel -d /home/cloudevel -m -s /bin/bash -p 123qwe 

* The following cell will change the data of the user ```cloudevel``` to:
  * Password: ```123456qwerty```
  * Name: ```cd```
  * *Home* directory: ```/home/cd```

In [None]:
sudo usermod cloudevel -l cd -d /home/cd -p 123456qwerty

* The next cell will try to list the ```/home/cd``` directory, which does not exist because the previous command did not move the *home* directory (no ```-m``` option).

In [None]:
ls -al /home/cd

* The next cell will display lines from the ```/etc/passwd``` file that include the string ```cd```.

In [None]:
grep cd /etc/passwd

* The next cell will display lines from the ```/etc/group``` file that include the string ```cd```.

In [None]:
grep cd /etc/group 

* The next cell will display lines from the ```/etc/shadow``` file that include the string ```cd```.

In [None]:
sudo grep cd /etc/shadow

#### The ```usermod``` *man page*.

In [None]:
man usermod

## Group management.

The default commands used in *UNIX* and *GNU/Linux* for group management are:

* ```groupadd```
* ```groupdel```

In some *GNU/Linux* distributions the following commands are available, which are scripts that facilitate the use of the previously listed commands:

* ```addgroup```
* ```delgroup```

### Creating groups with ```groupadd```.

```
groupadd <opciones> <nombre>
```

Where:

* ```<options>``` are group configuration options.
* ```<name>``` is the name of the group.

#### Main options of ```groupadd```.

* ```-g``` or ```--gid``` defines the ```GID``` of the group.
* ```-p``` or ```--password``` defines the group password.
* ```-r``` or ```--system``` creates a system group.

**Example:**

* The following cell will create the group ```estudiantes```.

In [None]:
sudo groupadd estudiantes

* The next cell will display the lines in ```/etc/group``` that contain the string ```estudiantes```.

In [None]:
grep estudiantes /etc/group

#### The *man page* for ```groupadd```.

In [None]:
man groupadd

### Deleting groups with ```groupdel```.

```
groupdel <opciones> <nombre>
```

Where:

* ```<options>``` are the options of the command.
* ```<name>``` is the name of the group.

**Example:**

* The next cell will remove the group ```estudiantes```.

In [None]:
sudo groupdel estudiantes

* The next cell will display the lines in ```/etc/group``` that contain the string ```estudiantes```.

In [None]:
grep estudiantes /etc/group

#### The *man page* for ```groupdel```.

In [None]:
man groupdel

### Modifying an existing group.

The ```groupmod``` command allows you to change the settings of an existing group.


```
groupmod <opciones> <grupo>
```

Where:

* ```<options>``` are the possible options of the command.
* ```<group>``` is the name of the group to modify.

#### Main options of ```groupmod```.

* ```-g``` or ```--gid``` defines the new ```GID``` of the group.
* ```-n``` or ```--new-name``` defines the new name of the group.

**Example:**

* The next cell will create the ```demo``` group.

In [None]:
sudo groupadd demo

* The next cell will display the lines in ```/etc/group``` containing the string ```demo```.

In [None]:
grep demo /etc/group

* The next cell will modify the ```demo``` group and rename it ```info```.

In [None]:
sudo groupmod demo -n info

* The next cell will display the lines in ```/etc/group``` containing the string ```info```.

In [None]:
grep info /etc/group

#### The *man page* for ```groupmod```.

In [None]:
man groupmod

### Query a user's groups with ```groups```.

The ```groups``` command displays the groups to which a user belongs.

```
groups <usuario>
```

Where:

* ```<user>``` is the name of a user.

**Example:**

* The next cell will display the groups to which the user ```oi``` belongs.

In [None]:
groups oi

### The *man page* for ```groups```.

In [None]:
man groups

## Query the identifiers of a user.


The ```id``` command allows you to find out the ```uid``` of a user as well as the ```gid``` of the groups to which they belong.


```
id <opciones> <usuario>
```

Where:

* ```<options>``` are the data display options.
* ```<user>``` is the name of a user. If not defined, the command will be applied to the current user.

**Examples:**

* The next cell will display the user and group ids of the current user.

In [None]:
id

* The next cell will display the user and group ids of the ```root``` user.

In [None]:
id root

* The next cell will display the user ids and groups of the ```www-data``` user.

In [None]:
id www-data

* The next cell will display the user and group ids of the ```mysql``` user.

In [None]:
id mysql

### The *man page* for ```id```.

In [None]:
man id

## Change password with ```passwd```.

The ```passwd``` command allows you to change a user's password.

```
passwd <usuario>
```

Where:

* ```<user>``` is the user whose password will be changed. In case of not entering the name, the command will be applied to the current user.

### The *man page* for ```passwd```.

In [None]:
man passwd

## Switch users with ```su```.

The ```su``` command allows you to change the terminal user. Unless you have ```root``` privileges, you need to log in with the new user's password.

To exit the session, type ```exit``` and the terminal will return to the shell of the original user.


```
su <options> - <user>
```

Where:

* ```<options>``` are several options to the command.
* ```-``` indicates that a login shell is started, so the shell starts in the *home* directory of the new user.
* ```<user>``` is the user you want to log in with.

### The *man page* for ```su```.

In [None]:
man su


## Utility.

### The ```whoami``` command.

This command displays the name of the current user.

In [None]:
whoami

### ```who```.

This command displays the names of the users currently logged into the system and the terminals they are using.

In [None]:
who


### ```w```.

This command displays the names of the users currently logged in, together with details of their sessions and what they are running.

In [None]:
w

### ```users```.

This command displays the names of the users currently logged into the system.

In [None]:
users

<p style="text-align: center"><a rel="license" href="http://creativecommons.org/licenses/by/4.0/"><img alt="Creative Commons License" style=" border-width:0" src="https://i.creativecommons.org/l/by/4.0/80x15.png" /></a><br />This work is licensed under a <a rel="license " href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>.</p>
<p style="text-align: center">Content created by: José Luis Chiquete Valdivieso. 2019.</p><p style="text-align: center">Content modified by: Cristian Cardoso Arellano. 2023.</p>