Linux administrators do three basic things with user accounts. They add new users. They delete users. They manage the access parameters of existing users. While a Red Hat Linux graphical tool is available for this purpose (see redhat-config-users in Chapter 19), most administrators perform these functions from the command-line interface.
Linux administrators generally prefer tools at the command-line interface. While this may appear archaic to a Microsoft Windows administrator, there are good reasons to use command-line tools:
Command-line tools are more versatile. Generally, more options are available when you use a command-line tool than when you use a GUI.
Command-line tools are faster. You don't have to wait for Linux to process the GUI or to place another GUI tool on your screen.
GUI tools are just front ends. In other words, Linux GUI tools take the entries you make and run the corresponding command in the shell.
GUI tools are another layer of software, which is another way things can go wrong.
GUI tools don't show all errors. While command-line interface tools give you error messages that you can see at the console, GUI tools may not show these errors on a graphical desktop.
There are three basic ways to add users in Red Hat Linux:
Edit the /etc/passwd file directly, and add the desired files to the new users' home directories.
Work with some of the commands designed for this purpose, such as useradd .
Open the graphical front end, redhat-config-users , which is covered in Chapter 19 .
Alternatively, the newusers command lets you add a whole group of users based on a batch file configured to the same format as /etc/passwd .
It's instructive to go through the steps required to create a new user. It can help you appreciate all of the parameters associated with existing users. For this example, assume you're creating an account for James K. Polk (U.S. president 1845-1849), and plan to assign him user ID and group ID 600. (If 600 is already taken, substitute a different unused number between 500 and 60000.) Follow these steps to set up the user account:
Open /etc/passwd in a text editor.
Start a new line. The easiest way to do this is by copying the applicable information from a current user.
Change the username, user ID, group ID, and home directory. Insert jkp as the username in the first column, 600 in the third column for the user ID, 600 in the fourth column for the group ID, James K Polk in the fifth column, and /home/jkp as the user's home directory in the sixth column. Make sure that the information you enter (except for the shell) is unique relative to other entries in your /etc/passwd file. Save your changes to this file.
Open /etc/shadow in a text editor. Create a new line by copying the applicable information from a current user. Insert jkp for the new user in the first column. Save your changes to this file. This is a read-only file; in vi , the wq! command overrides read-only settings.
Open /etc/group in a text editor. Create a new line by copying the applicable information from a current group. For this user, insert jkp as the group name in the first column and 600 as the group ID in the third column.
Set up your new user's home directory. For user jkp, the appropriate command is
mkdir -p /home/jkp
Give your new user access to his home directory. In this case, assign ownership with these commands:
chown jkp /home/jkp
chgrp jkp /home/jkp
Assign a new password with the passwd jkp command. Give the new password to your new user. Tell him to assign a new password to himself with the passwd command.
Copy the basic initialization files, which are normally stored in the /etc/skel directory. (We covered these files, such as .bashrc and .bash_profile , in Chapter 08 .) Change your identity to the new user with the
su - jkp
command. Then copy these files with the following command:
cp /etc/skel/.* /home/jkp
Copy any subdirectories in /etc/skel to /home/jkp . For example, you can copy the /etc/skel/.kde directory with the command
cp -r /etc/skel/.kde /home/jkp
Change the user and group ownership of the files that you copied from /etc/skel .
Log out from the jkp user account and tell your new user about his new username and password.
Assuming you re using the default Shadow Password Suite, run the pwconv and grpconv commands. These commands are discussed later in this chapter.
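The manual procedure above, scripted as an added example (this is not code from the book): it runs against a sandbox root rather than the live system, so the assumed layout is ROOT/etc/passwd, ROOT/etc/shadow, ROOT/etc/group, ROOT/etc/skel and ROOT/home, seeded with constructed sample accounts. The make_sandbox, field_taken and create_user function names are this example's own. It enforces the uniqueness requirement from the /etc/passwd step before appending anything, copies dot-directories from skel with cp -r, and changes ownership only when run as root.

```shell
#!/bin/sh
# Added example (not from the book): the manual user-creation steps scripted
# against a sandbox root so they can be exercised without touching the live system.
# Assumed layout: ROOT/etc/passwd, ROOT/etc/shadow, ROOT/etc/group, ROOT/etc/skel, ROOT/home.

# make_sandbox ROOT: seed the sandbox with constructed sample accounts and skel files
make_sandbox() {
    mkdir -p "$1/etc/skel/.kde" "$1/home"
    printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:500:500:Alice:/home/alice:/bin/bash\n' > "$1/etc/passwd"
    printf 'root:*:19900:0:99999:7:::\nalice:*:19900:0:99999:7:::\n' > "$1/etc/shadow"
    printf 'root:x:0:\nalice:x:500:\n' > "$1/etc/group"
    printf '# constructed sample .bashrc\n' > "$1/etc/skel/.bashrc"
    printf '# constructed sample .bash_profile\n' > "$1/etc/skel/.bash_profile"
    printf '# constructed sample KDE setting\n' > "$1/etc/skel/.kde/kderc"
}

# field_taken FILE COL VALUE: succeed if some line of FILE already has VALUE in column COL
field_taken() {
    awk -F: -v col="$2" -v val="$3" 'BEGIN { found = 0 } $col == val { found = 1 } END { exit !found }' "$1"
}

# create_user ROOT NAME UID GID GECOS: the file edits, home directory and skel copy
create_user() {
    root=$1 name=$2 uid=$3 gid=$4 gecos=$5
    home=/home/$name
    # The /etc/passwd step insists the new entry be unique: refuse duplicates
    # rather than corrupt the files
    if field_taken "$root/etc/passwd" 1 "$name" || field_taken "$root/etc/passwd" 3 "$uid"; then
        echo "create_user: username $name or uid $uid already in /etc/passwd" >&2; return 1
    fi
    if field_taken "$root/etc/group" 1 "$name" || field_taken "$root/etc/group" 3 "$gid"; then
        echo "create_user: group $name or gid $gid already in /etc/group" >&2; return 1
    fi
    # One new line in each of passwd, shadow and group; '!' in the shadow password
    # field means "no usable password yet", which the later passwd command replaces
    printf '%s:x:%s:%s:%s:%s:/bin/bash\n' "$name" "$uid" "$gid" "$gecos" "$home" >> "$root/etc/passwd"
    printf '%s:!:%s:0:99999:7:::\n' "$name" "$(( $(date +%s) / 86400 ))" >> "$root/etc/shadow"
    printf '%s:x:%s:\n' "$name" "$gid" >> "$root/etc/group"
    # Home directory plus the dotfiles and dot-directories from skel (cp -r covers .kde)
    mkdir -p "$root$home" && chmod 700 "$root$home"
    for f in "$root"/etc/skel/.[!.]*; do
        [ -e "$f" ] && cp -r "$f" "$root$home/"
    done
    # Ownership can only be changed by root; numeric ids avoid a lookup of the
    # new name in the real /etc/passwd
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$root$home"
    fi
}

# Demo on a throwaway sandbox
T=$(mktemp -d) && make_sandbox "$T"
create_user "$T" jkp 600 600 "James K Polk" && tail -n 1 "$T/etc/passwd" "$T/etc/shadow" "$T/etc/group"
rm -rf "$T"
```

Run it as root to see the chown take effect; as an ordinary user everything except ownership is exercised. The password itself is still assigned afterwards with passwd, exactly as in the procedure.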
It's a lot easier to use the useradd command to create a new user. For example, to set up a new account for jkp, all you need to do is type in the following command:
# useradd jkp
This command sets up user jkp with the defaults as described earlier in the /etc/login.defs configuration file. It also copies the files from /etc/skel and modifies the ownership of these files. You still need to assign a new password for jkp, as described in step 8 of the previous section.
Inspect your /etc/passwd , /etc/shadow , and /etc/group configuration files to verify that the useradd command added entries for jkp to these files.
The newusers command is designed to handle a large number of users from a batch file of usernames and passwords, in the same format as the /etc/passwd file. The only difference is that the password column requires an encrypted password, which you can copy from the /etc/passwd or /etc/shadow entry for a known user. If you create a list of new users in a file named new-batch , you can then set up these users with the following command:
# newusers new-batch
The new-batch file must be in the same format as /etc/passwd; the passwords must be entered in clear text. Therefore, if you save this batch file, make sure it's secure. You might want to hide it, encrypt it, or delete it. A list of usernames and clear text passwords is a very tempting tool for anyone who wants to crack your system.
It's easy to copy text like an encrypted password. Try it yourself. Open /etc/shadow in the text editor of your choice. Highlight the password. Exit from the editor. Right-click your mouse. You should see an exact copy of what you just highlighted. Open up the file of your choice. In insert mode, when you right-click your mouse again, you should see another copy of the encrypted password.
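Because the batch file carries passwords, it is worth checking it before handing it to newusers. The following is an added example, not code from the book: a POSIX shell check that the file is not readable by group or others, that every line has the seven colon-separated fields of /etc/passwd, and that no username or UID collides with an existing passwd file (passed as a second argument, so a sandbox copy can be used instead of the real /etc/passwd). The check_batch_file function name and all sample data are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): sanity-check a newusers batch file.
# The file follows the /etc/passwd layout and holds passwords, so it must be
# private and well-formed before newusers reads it.

# check_batch_file BATCH EXISTING_PASSWD: return 0 only if BATCH is private and valid
check_batch_file() {
    batch=$1 passwd=$2 ok=0
    # 1. Nobody but the owner may read a file that holds passwords (chmod 600)
    if [ -n "$(find "$batch" \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]; then
        echo "$batch: readable by group or others; chmod 600 it first" >&2
        ok=1
    fi
    # 2. Structural checks in one awk pass; problems are reported line by line
    awk -F: -v passwd="$passwd" '
        BEGIN {
            bad = 0
            # names and uids already present in the passwd file we were given
            while ((getline line < passwd) > 0) {
                split(line, p, ":"); names[p[1]] = 1; uids[p[3]] = 1
            }
        }
        NF != 7 { printf("line %d: expected 7 fields, got %d\n", NR, NF); bad = 1; next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf("line %d: bad username %s\n", NR, $1); bad = 1 }
        $2 == "" { printf("line %d: empty password field\n", NR); bad = 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf("line %d: uid and gid must be numeric\n", NR); bad = 1 }
        ($1 in names) { printf("line %d: user %s already exists\n", NR, $1); bad = 1 }
        ($3 in uids) { printf("line %d: uid %s already in use\n", NR, $3); bad = 1 }
        ($1 in seen) { printf("line %d: duplicate username %s\n", NR, $1); bad = 1 }
        { seen[$1] = 1 }
        END { exit bad }
    ' "$batch" >&2 || ok=1
    return $ok
}

# Usage: sh check-batch.sh new-batch /etc/passwd
if [ $# -ge 2 ]; then
    check_batch_file "$1" "$2" && echo "$1: ok"
fi
```

The permission test uses find's symbolic -perm form so it works on both GNU and BSD userlands; the awk pass reads the existing passwd file once into two lookup tables, which keeps the check linear even for a large batch.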
You can delete users directly, or you can use the userdel command. You can even deactivate a user temporarily, while retaining the files in that user's home directory.
It's easy to deactivate a user. Just substitute an asterisk ( * ) for the target user's password in /etc/passwd . That user won't be able to log into her account with any password. This works even if you're using the default Red Hat Linux Shadow Password Suite.
Deleting users is easier than adding them. You just need to ensure that the user's entries are deleted from the respective configuration files, and then delete that user's home directory. The basic steps are as follows:
Delete the user's entry from /etc/passwd .
Delete the user's entry from /etc/group .
Delete the user's entry from /etc/shadow .
Delete the user's entry from /etc/gshadow .
Delete the user's home directory after saving the files you need.
When working with commands, two steps are required to delete a user. The userdel command is straightforward. If you have a user named James K. Polk who just left your company, you'll want to deactivate his account. Retrieve and save any files you need from his home directory, and then run the following command:
# userdel -r jkp
This command deletes jkp's information from the /etc/passwd file. The -r switch deletes the /home/jkp directory, including any files and directories that it may contain.
But you also need to delete that user's group with the groupdel command, as shown here. Otherwise, the next user that you add will have a user ID and a group ID that differ from each other, which can cause problems when you manage new users in the future.
# groupdel jkp
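Deactivation and deletion both leave room for leftovers, so here is an added example (not code from the book) that applies the asterisk trick to a password field and then audits all four files plus the home directory for traces of an account. It works on a sandbox root (ROOT/etc/passwd, shadow, group, gshadow and ROOT/home, an assumed layout seeded with constructed sample data) so it can run without privileges; the seed_sandbox, user_traces, deactivate_user and drop_entry names are this example's own. It goes one step further than the list above and also checks the membership lists in /etc/group and /etc/gshadow, since userdel -r and groupdel remove the user's own lines but a name can still sit in another group's member field.

```shell
#!/bin/sh
# Added example (not from the book): deactivate an account with an asterisk and
# audit for leftovers after deletion, on a sandbox root with constructed data.

# seed_sandbox ROOT: constructed sample entries; jkp is also a member of wheel
seed_sandbox() {
    mkdir -p "$1/etc" "$1/home/jkp"
    printf 'root:x:0:0:root:/root:/bin/bash\njkp:x:600:600:James K Polk:/home/jkp:/bin/bash\n' > "$1/etc/passwd"
    printf 'root:*:19900:0:99999:7:::\njkp:$1$constructed$hash:19900:0:99999:7:::\n' > "$1/etc/shadow"
    printf 'root:x:0:\nwheel:x:10:jkp\njkp:x:600:\n' > "$1/etc/group"
    printf 'root:::\nwheel:::jkp\njkp:::\n' > "$1/etc/gshadow"
}

# user_traces ROOT NAME: print every place NAME still appears; return 1 if anything is found
user_traces() {
    root=$1 name=$2 found=0
    # Own entries: first field of each of the four files
    for f in passwd shadow group gshadow; do
        if awk -F: -v n="$name" 'BEGIN { hit = 0 } $1 == n { hit = 1 } END { exit !hit }' "$root/etc/$f"; then
            echo "$name: entry still present in /etc/$f"; found=1
        fi
    done
    # Membership lists: comma-separated fourth field of group and gshadow
    for f in group gshadow; do
        if awk -F: -v n="$name" 'BEGIN { hit = 0 }
            { c = split($4, m, ","); for (i = 1; i <= c; i++) if (m[i] == n) hit = 1 }
            END { exit !hit }' "$root/etc/$f"; then
            echo "$name: still listed as a member of a group in /etc/$f"; found=1
        fi
    done
    if [ -d "$root/home/$name" ]; then
        echo "$name: home directory $root/home/$name still exists"; found=1
    fi
    return $found
}

# deactivate_user FILE NAME: replace NAME's password field (second column) with '*'
deactivate_user() {
    awk -F: -v OFS=: -v n="$2" '$1 == n { $2 = "*" } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# drop_entry FILE NAME: remove NAME's own line, as userdel/groupdel do for their files
drop_entry() {
    grep -v "^$2:" "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
}

# Demo on a throwaway sandbox
T=$(mktemp -d) && seed_sandbox "$T"
deactivate_user "$T/etc/shadow" jkp
grep '^jkp:' "$T/etc/shadow"
drop_entry "$T/etc/passwd" jkp; drop_entry "$T/etc/shadow" jkp; rm -rf "$T/home/jkp"
user_traces "$T" jkp || echo "-> userdel -r alone is not enough: run groupdel and clean up memberships"
rm -rf "$T"
```

Point user_traces at / (with a real /etc) after a userdel -r and groupdel to confirm that nothing of the account remains; the function only reads, so it is safe to run on the live files.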
You can manage user passwords with the chage command. It can help you specify the information described in the earlier discussion on /etc/shadow , based on regulating the lifetime of a password. In fact, chage changes the settings in this file. You can review the switches associated with chage in Table 9.5.
Table 9.5: chage command switches

chage -m days user    Sets the minimum life of a password to days days.
chage -M days user    Sets the maximum life of a password to days days.
chage -I days user    Sets the number of days that an account can be inactive before it's locked.
chage -E date user    Sets the date after which an account is inaccessible.
chage -W days user    Sets an advance warning, in days, of an upcoming required password change.
chage -l user         Lists the current user's password and account information. Can be run by regular users on their own accounts.
The date can be in YYYY-MM-DD format, or in the number of days after January 1, 1970.
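The switches in Table 9.5 map onto the aging fields of an /etc/shadow line (last change, minimum, maximum, warning, inactive and expiry, in that order after the password). To make those fields concrete, here is an added example, not code from the book, that reads shadow-format lines and reports each account's state for a given "today" expressed, like the -E argument, in days since January 1, 1970. The aging_status and report_shadow functions and the sample lines are this example's own, and the rules they apply are this example's approximation of the Shadow Suite's checks: an expiry date in the past closes the account, a last-change value of 0 forces a password change, a password older than its maximum is expired, and one that has also sat past the inactive period is locked. The days_to_date helper renders a day count as YYYY-MM-DD but relies on GNU date's -d option.

```shell
#!/bin/sh
# Added example (not from the book): evaluate the aging fields that chage edits.
# Shadow line layout: name:password:lastchg:min:max:warn:inactive:expire:flag
# All day counts are days since 1970-01-01, the same unit chage -E accepts.

# aging_status TODAY LINE: print one of account-expired, must-change, locked,
# password-expired, warn or ok for a single shadow-format line
aging_status() {
    printf '%s\n' "$2" | awk -F: -v today="$1" '
    {
        lastchg = $3; max = $5; warn = $6; inact = $7; expire = $8
        # Account expiry date in the past: nothing else matters
        if (expire != "" && today > expire + 0) { print "account-expired"; exit }
        # Last change of 0 means the password must be changed at next login
        if (lastchg != "" && lastchg + 0 == 0) { print "must-change"; exit }
        # No maximum age (empty field): the password never expires
        if (max == "" || lastchg == "") { print "ok"; exit }
        due = lastchg + max
        # Past the maximum plus the inactive period: account is locked
        if (inact != "" && today > due + inact) { print "locked"; exit }
        if (today > due) { print "password-expired"; exit }
        # Inside the warning window before the change is due
        if (warn != "" && today >= due - warn) { print "warn"; exit }
        print "ok"
    }'
}

# report_shadow FILE TODAY: one status line per account in FILE
report_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] && printf '%-8s %s\n' "${line%%:*}" "$(aging_status "$2" "$line")"
    done < "$1"
}

# days_to_date DAYS: render a day count as YYYY-MM-DD (GNU date only)
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# Demo on constructed sample lines, evaluated at a fixed day 20000 for reproducibility
T=$(mktemp)
cat > "$T" <<'EOF'
alice:$1$constructed$a:19900:0:90:7::
bob:$1$constructed$b:19950:0:90:7:14:
carol:$1$constructed$c:19980:0:30:14:7:
dave:$1$constructed$d:19800:0:90:7:30:
eve:$1$constructed$e:19990:0:90:7::19995
frank:$1$constructed$f:19990::::::
grace:$1$constructed$g:0:0:90:7::
EOF
report_shadow "$T" 20000
rm -f "$T"
```

For the live system, pass $(( $(date +%s) / 86400 )) as TODAY and /etc/shadow as FILE (reading it requires root). The output for the constructed file is what chage -l would lead you to expect: alice is past her 90-day maximum, dave is past it and the 30-day inactive period as well, carol is inside her 14-day warning window, eve's account expired at day 19995, and grace must change her password at next login.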