Skip to content

Changes to the file 06-users.md, For a long time #893

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Oct 24, 2022
Merged

Changes to the file 06-users.md, For a long time #893

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
4bbfc66
A supplement to the newgrp command
jimcat8 Oct 7, 2022
68c8705
update01
jimcat8 Oct 7, 2022
1af6cf7
update02
jimcat8 Oct 8, 2022
c4f7641
Update docs/books/admin_guide/06-users.md
sspencerwire Oct 12, 2022
b2b905c
Update docs/books/admin_guide/06-users.md
sspencerwire Oct 12, 2022
6f127fc
update03
jimcat8 Oct 24, 2022
5011569
change back missed
sspencerwire Oct 24, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
241 changes: 164 additions & 77 deletions docs/books/admin_guide/06-users.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,8 @@ $ sudo groupdel GroupC
Each group has a unique `GID`. A group can be used by multiple users as a supplementary group. By convention, The GID of super administrator is 0. The GIDS reserved for some services or processes are 201~999, which are called system groups or pseudo user groups. The GID for users is usually greater than or equal to 1000. These are related to <font color=red>/etc/login.defs</font>, which we will talk about later.

```bash
shell > egrep -v "^#|^$" /etc/login.defs
# Comment line ignored
shell > cat /etc/login.defs
MAIL_DIR /var/spool/mail
UMASK 022
HOME_MODE 0700
Expand Down Expand Up @@ -652,7 +653,7 @@ uid=1000(alain) gid=1000(GroupA) groupes=1000(GroupA),1016(GroupP)

### `newgrp` command

The `newgrp` command allows you to temporarily use a secondary group for file creation.
The `newgrp` command can select a group from the user's supplementary groups as the user's new **temporary** primary group. The `newgrp` command every time you switch a user's primary group, there will be a new **child shell**(child process). Be careful! **child shell** and **sub shell** are different.

```
newgrp [secondarygroups]
Expand All @@ -661,44 +662,71 @@ newgrp [secondarygroups]
Example:

```
[alain]$ newgrp GroupB
Shell > useradd test1
Shell > passwd test1
Shell > groupadd groupA ; groupadd groupB
Shell > usermod -G groupA,groupB test1
Shell > id test1
uid=1000(test1) gid=1000(test1) groups=1000(test1),1001(groupA),1002(groupB)
Shell > echo $SHLVL ; echo $BASH_SUBSHELL
1
0

Shell > su - test1
Shell > touch a.txt
Shell > ll
-rw-rw-r-- 1 test1 test1 0 10月 7 14:02 a.txt
Shell > echo $SHLVL ; echo $BASH_SUBSHELL
1
0

# Generate a new child shell
Shell > newgrp groupA
Shell > touch b.txt
Shell > ll
-rw-rw-r-- 1 test1 test1 0 10月 7 14:02 a.txt
-rw-r--r-- 1 test1 groupA 0 10月 7 14:02 b.txt
Shell > echo $SHLVL ; echo $BASH_SUBSHELL
2
0

# You can exit the child shell using the `exit` command
Shell > exit
Shell > logout
Shell > whoami
root
```

!!! Note

After using this command, the files will be created with the `GID` of its subgroup.

The command `newgrp` without parameters reassigns the primary group.

## Securing

### `passwd` command

The `passwd` command is used to manage a password.

```
passwd [-d] [-l] [-S] [-u] [login]
```

Examples:

```
$ sudo passwd -l albert
$ sudo passwd -n 60 -x 90 -w 80 -i 10 patrick
Shell > passwd -l albert
Shell > passwd -n 60 -x 90 -w 80 -i 10 patrick
```

| Option | Description |
| ------ | ------------------------------------------------------ |
| `-d` | Removes the password. |
| `-l` | Locks the account. |
| `-S` | Displays the account status. |
| `-u` | Unlocks the account. |
| `-e` | Expires the password. |
| `-n days` | Minimum password lifetime. |
| `-x days` | Maximum password lifetime. |
| `-w days` | Warning time before expiration. |
| `-i days` | Delay before deactivation when the password expires.|

With the `passwd` command, locking an account is accomplished by adding `!!` before the password in the `/etc/shadow` file.

Using the command `usermod -U` command only removes one of the `!`. So, the account remains locked.
| `-d` | Permanently removes the password. For root (uid=0) use only. |
| `-l` | Permanently lock user account. For root (uid=0) use only. |
| `-S` | Displays the account status. For root (uid=0) use only. |
| `-u` | Permanently unlocks user account. For root (uid=0) use only. |
| `-e` | Permanently expires the password. For root (uid=0) use only. |
| `-n DAYS` | Minimum password lifetime. Permanent change. For root (uid=0) use only. |
| `-x DAYS` | Maximum password lifetime. Permanent change. For root (uid=0) use only. |
| `-w DAYS` | Warning time before expiration. Permanent change. For root (uid=0) use only. |
| `-i DAYS` | Delay before deactivation when the password expires. Permanent change. For root (uid=0) use only.|

Copy link
Contributor

@sspencerwire sspencerwire Oct 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since all of these commands are "For root (uid=0) only." Why not specify that ahead of the table and limit the number of words in the table itself? If you are trying to add clarity to the document, (which appears to be your goal) then this would help.

Use `password -l`, that is, add "!!" at the beginning of the password field of the user corresponding to `/etc/shadow`.

Example:

Expand Down Expand Up @@ -736,7 +764,7 @@ $ sudo echo "azerty,1" | passwd --stdin philippe

### `chage` command

The `chage` command is used to manage the account strategy.
The `chage` command is change user password expiry information.

```
chage [-d date] [-E date] [-I days] [-l] [-m days] [-M days] [-W days] [login]
Expand All @@ -750,34 +778,30 @@ $ sudo chage -m 60 -M 90 -W 80 -I 10 alain

| Option | Description |
| ------ | ---------------------------------------------- |
| `-I days` | Delay before deactivation, password expired.|
| `-I DAYS` | Delay before deactivation, password expired. Permanent change.|
| `-l` | Displays the policy details. |
| `-m days` | Minimum lifetime of the password. |
| `-M days` | Maximum lifetime of the password. |
| `-d AAAA-MM-JJ` | Last password change. |
| `-E AAAA-MM-JJ` | Account expiration date. |
| `-W days` | Warning time before expiration. |

The `chage` command also offers an interactive mode.

The `-d` option forces the password to be changed at login.
| `-m DAYS` | Minimum lifetime of the password. Permanent change. |
| `-M DAYS` | Maximum lifetime of the password. Permanent change. |
| `-d LAST_DAY` | Last password change. You can use the days' timestamp style or the YYYY-MM-DD style. Permanent change. |
| `-E EXPIRE_DATE` | Account expiration date. You can use the days' timestamp style or the YYYY-MM-DD style. Permanent change. |
| `-W WARN_DAYS` | Warning time before expiration. Permanent change. |

Examples:

```
# The `chage` command also offers an interactive mode.
$ sudo chage philippe

# The `-d` option forces the password to be changed at login.
$ sudo chage -d 0 philippe
```

!!! Note

If no user is specified, the order will concern the user who enters it.

![User account management with chage](images/chage-timeline.png)

## Advanced management

Configuration files:

* `/etc/default/useradd`
* `/etc/login.defs`
* `/etc/skel`
Expand All @@ -798,42 +822,83 @@ This file contains the default data settings.

This file is modified by the command `useradd -D` (`useradd -D` entered without any other option displays the contents of the `/etc/default/useradd` file).

| Value | Comment |
```
Shell > grep -v ^# /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
```

| Parameters | Comment |
| ---------- | ------------------------------------------------------------------------ |
| `GROUP` | Default group. |
| `HOME` | Path where the login directory for the user's name will be created. |
| `INACTIVE` | Number of days after the password expires before the account is disabled.|
| `EXPIRE` | Account expiration date. |
| `GROUP` | Default primary group GID. |
| `HOME` | Define the directory path of the upper level of the common user's home directory. |
| `INACTIVE` | Number of days of grace after password expiration. Corresponds to the 7th field of the `/etc/shadow` file. `-1` value means that the grace period feature is turned off.|
| `EXPIRE` | Account expiration date. Corresponds to the 8th field of the `/etc/shadow` file. |
| `SHELL` | Command interpreter. |
| `SKEL` | Skeleton directory of the login directory. |
| `CREATE_MAIL_SPOOL` | Mailbox creation in `/var/spool/mail`. |
| `CREATE_MAIL_SPOOL` | Mailbox creation in `/var/spool/mail/`. |

!!! Warning
If you do not need a primary group with the same name when creating users, you can do this:

Without the `-g` option, the `useradd` command creates a group of the user's name name and places it there.
```
Shell > useradd -N test2
Shell > id test2
uid=1001(test2) gid=100(users) groups=100(users)
```

In order for the `useradd` command to retrieve the value of the `GROUP` field from the `/etc/default/useradd` file, you must specify the `-N` option.
### `/etc/login.defs` file

Example:
```bash
# Comment line ignored
shell > cat /etc/login.defs
MAIL_DIR /var/spool/mail
UMASK 022
HOME_MODE 0700
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
CREATE_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
```

`UMASK 022`: This means that the permission to create a file is 755 (rwxr-xr-x). However, for the sake of security, GNU/Linux does not have **x** permission for newly created files, this restriction applies to root(uid=0) and ordinary users(uid>=1000). For example:

```
$ sudo useradd -u 501 -N GroupeA
Shell > touch a.txt
Shell > ll
-rw-r--r-- 1 root root 0 Oct 8 13:00 a.txt
```

### `/etc/login.defs` file
`HOME_MODE 0700`: The permissions of an ordinary user's home directory. Does not work for root's home directory.

This file contains many default parameters useful for creating or modifying users. This information is grouped by paragraph according to their use:
```
Shell > ll -d /root
dr-xr-x---. 10 root root 4096 Oct 8 13:12 /root

* Mailboxes;
* Passwords;
* UID and GID;
* Umask;
* Connections;
* Terminals.
Shell > ls -ld /home/test1/
drwx------ 2 test1 test1 4096 Oct 8 13:10 /home/test1/
```

`USERGROUPS_ENAB yes`: "When you delete a user using the `userdel -r` command, the corresponding primary group is also deleted." Why? That's the reason.

### `/etc/skel` directory

When a user is created, their home directory and environment files are created.
When a user is created, their home directory and environment files are created. You can think of the files in the `/etc/skel/` directory as the file templates you need to create users.

These files are automatically copied from the `/etc/skel` directory.

Expand All @@ -857,7 +922,7 @@ Examples:

```
$ sudo su - alain
[albert]$ su -c "passwd alain"
[albert]$ su - root -c "passwd alain"
```

| Option | Description |
Expand All @@ -871,33 +936,55 @@ Standard users will have to type the password for the new identity.

!!! Tip

There are successive 'layers' created (a stack of `bash` environments). To switch from one user to another, you must first type the `exit` command to take back your identity and then the `su` command to take another identity.
You can use the `exit`/`logout` command to exit users who have been switched. It should be noted that after switching users, there is no new `child shell` or `sub shell`, for example:

#### Profile loading
```
Shell > whoami
root
Shell > echo $SHLVL ; echo $BASH_SUBSHELL
1
0

Shell > su - test1
Shell > echo $SHLVL ; echo $BASH_SUBSHELL
1
0
```

`root` endorses the identity of the user `alain` with `su`:
Attention please! `su` and `su -` are different, as shown in the following example:

```
Shell > whoami
test1
Shell > su root
Shell > pwd
/home/test1

Shell > env
...
/home/GroupA/alain/.bashrc
/etc/bashrc
USER=test1
PWD=/home/test1
HOME=/root
MAIL=/var/spool/mail/test1
LOGNAME=test1
...
```

`root` assumes the identity of the user `alain` with `su -`:

```
Shell > whoami
test1
Shell > su - root
Shell > pwd
/root

Shell > env
...
/home/GroupA/alain/.bash_profile
/home/GroupA/alain/.bashrc
/etc/bashrc
USER=root
PWD=/root
HOME=/root
MAIL=/var/spool/mail/root
LOGNAME=root
...
```

A user can temporarily (for another command or an entire session) assume the identity of another account.

If no user is specified, the command will be for `root` (`su -`).

It is necessary to know the password of the user whose identity is being endorsed unless it is `root` that is executing the command.

An administrator can thus work on a standard user account and use the rights of the `root` account only occasionally.
So, when you want to switch users, remember not to lose the `-`. Because the necessary environment variable files are not loaded, there may be problems running some programs.