Daily user management tasks made easy for every Linux administrator

In a previous article, we covered the /etc/passwd and /etc/shadow files used in user and group management in Linux. (And knowing the information that was in that article and this article will also help you when you take the Linux Foundation Certified System Administrator (LFCS) certification exam.) In this article, we will be going over some tasks that a Linux administrator may need to perform daily related to user management. Before starting to check the commands that we need to add to our toolbox, we need to learn to use the --help or -h switches to explore the options available. Using any of those switches, the administrator can see examples and a brief description of the command that we are looking to get more information. The first command that we will check out is useradd -h or useradd --help. We can use the same logic can be applied to any of the commands that we will explore later on in this article.

Not sure if you have tested this, but in Red Hat OS-based systems you can try useradd or adduser and both work. (The real command is useradd.) However, there is a link on the file system for the adduser. In case you want to check out on your Linux, just run find / -name <file> and that will trigger a recursive search for that file. Both files are on the same location (/usr/sbin), We have listed them using ls /usr/sbin/*add* -l. One of them has an l in the first, which means a symbolic link (it is created using ln command).

The useradd command creates users and automatically creates an entry in the /etc/passwd file. However, it does not manage the password for the users, which is managed separately with another command that we are going to explore in a little bit.

To create a new user, we can run the commands listed below. The result of each command will be a new entry in the /etc/passwd file.

useradd anderson
useradd walter

When a user is created a UID (user ID), and GID (group id) is automatically created, and they are associated with the new user. This new group that is labeled with the new user name and it contains only the new user is called primary or private group. We can check the UID and GID in the /etc/passwd file (as depicted in the image below).

Using the id command, we can retrieve that information from any given user. The result will be the UID, GID and any group that the user belongs to, and we can use the following syntax in conjunction with the image below to see in action the id command.

id <username>

To reset the password of any given user logged on as root, the following command can be used to reset/initiate the password for both users created in the previous step. The password itself will be stored in the /etc/shadow file.

passwd Anderson
passwd walter

Important: A security best practice in Linux (well, in any operating system) is to avoid running commands as root/administrator. In Linux, we can take advantage of sudo to delegate some privileged tasks to be executed by a regular user. In this tutorial, we are going to focus on the command required to manage users as root, however, in a production/more professional environment, make sure to use a regular account with proper sudo permissions.

Some daily activities with user management

In this section, we will cover several tasks that an administrator will perform several times when managing users in a Linux system.

A common task for any administrator is to lock and unlock accounts. We can use the first command lock any given account (the result will be an exclamation mark (!) in the /etc/shadow file). Using the second command, we can unlock the account.

usermod -L <username>
usermod -U <username>

Another task is to change the primary group of a user. A primary group is a key concept because all files created by such user will have its primary group associated with the initial permissions. The following sequence of commands helps to understand the process.

id anderson
usermod anderson -g srv-admin
id anderson

In some circumstances, we need to define an expiry date for a user, and that can be accomplished with usermod command as well. We are using chage command, which also can be used to configure all features displayed by the chage -l <username> command.

Note: The chage command requires the use of /etc/shadow file. If you are using just /etc/passwd, then it wouldn’t work.

chage -l aurelio
usermod aurelio -e YYYY-MM-DD
chage -l aurelio

Switching between /etc/password and /etc/shadow

It is straightforward to switch back and forth between password and shadow files. If you are using a Red Hat-based OS, and you are using shadow, to go back to /etc/password, just run this following command. The result will be the removal of /etc/shadow file, and all passwords that were once in this file will be transitioned to /etc/passwd.

pwunconv

If you want to revert what we have just done or configured shadow in a system that has only /etc/passwd, then, you should be using this command.

pwconv

Managing templates and default values

By default, any new user will receive the configuration defined in the definition file. Some of the default configurations are related to where the home directory of that given user will be created, shell to be used, and so forth.

We can manage that initial configuration for any new users by editing the file /etc/default/useradd.

After changing the file, we can create new users (in our case users Anderson and Aurelio)

Another important file is the /etc/login.defs, which is available when using /etc/shadow file. In that file, we can configure the limits that will be applied to all new accounts on the system.

Checking your shadow and password files

We can take advantage of pwck command to validate the integrity of the users and authentication for either /etc/passwd and /etc/shadow files. I recommend using the -r switch, which is read-only and only displays errors and warnings found on the specified files.

pwck -r /etc/passwd
pwck -r /etc/shadow

Featured image: Shutterstock / Wikipedia

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at Techgenix.com, MSExchange.org, ITPROCentral.com and Anderson Patricio.org (Portuguese).

Share
Published by
Anderson Patricio

Recent Posts

Privacy-by-design principles: Getting it right from the start

Embedding privacy-by-design principles in the building and design of a business, website, application, product, or tool is a good thing…

13 hours ago

Check mailbox auditing status in Exchange Online with PowerShell

Office 365 Exchange Online admins must ensure all mailboxes created in Office 365 have auditing enabled. Here’s how to check…

18 hours ago

T-Suite Podcast: Creative destruction — Proper IT asset liquidation

If you plan to liquidate your IT assets, it is critical you have a chain of custody for every device…

21 hours ago

Top 7 open source intelligence tools lighting it up in 2019

As open source becomes the norm, open source intelligence tools are in demand. Here are a few that are already…

2 days ago

Land of the dinosaurs: Is CapEx IT about to go extinct?

As businesses head to the cloud, will CapEx IT be a thing of the past? Or will there always be…

2 days ago

Exchange DAG: Set it up before a disaster takes you down

Don’t be this IT admin: Disaster hits and all you can say is, “I should have set up a database…

2 days ago