You've also seen how to manage user accounts and groups via the User Manager, and you've seen how Fedora Core stores this user information in the configuration files /etc/passwd, /etc/shadow, and /etc/group.
It's evident that these configuration files are just plain text files, and perhaps you're tempted to put aside the User Manager and edit those files manually, using a text editor such as gedit. It is quite possible to manage your user information this way, but it is safer to use the User Manager or the CLI commands instead. First, the files are of critical importance to the successful execution of your Fedora Core installation, and their integrity must be ensured at all times. The tools are designed to ensure the integrity of these files, but if you edit them manually you are on your own. Second, the tools carry out proper file locking. This is a mechanism that prevents overwriting problems in a situation where several administrators try to manage users at the same time. It is definitely convenient to be able to examine these configuration files, but when you need to make adjustments to them, it's safest to use the designated tools: the graphical User Manager interface that you've already seen, and the command line tools that are examined next.
If you plan to use the command line tools to manage your users and groups, you'll need to do so in the context of the root account. Having fired up a terminal window, there are a few clues to remind you which account you're logged in as: remember that the typical root shell prompt is denoted with the # character, while the prompt for an ordinary user account is denoted with $ or >.
You can also use the id command to check your identity:
$ id
uid=500(eziodm) gid=500(eziodm) groups=500(eziodm),503(authors)
This output shows that the user is logged in as the eziodm account. (Note that it also confirms information about the account's group membership: in particular, that its primary group is also called eziodm and that the user is a member of two groups, eziodm and authors.)
To run in the context of the root account in a terminal window, simply execute the switch user (su) command at the command line:
$ su -
Password:
You'll be prompted to type the root password, as shown. The effect of the su command is to execute a new shell under a different user account. Note that the new shell isn't a substitute for the existing shell. Instead, the new shell runs on top of the existing shell. To demonstrate this point, take a look at Figure 7-13, which shows a user switching from eziodm to root, using the root shell, and then leaving it.
As you can see, the new (root) shell terminates (via the exit command), and the terminal window remains open and reverts to the context of the original account.
The default behavior of Fedora Core is to clear the screen after a user types the exit command; therefore the /root/.bash_logout file has been temporarily renamed to avoid executing the clear command at the end of the su session.
Note that the su command here is accompanied by a dash (-) symbol. This ensures that the new shell is treated just like any other login shell. In particular, it means that the login scripts associated with the user account (root, in this case) will be executed just as if root were logging in from a terminal. These scripts have a number of effects. For example, in this case, they do the following:
They set the current working directory to be that of root's home directory.
They set the $PATH environment variable (the search path for executable programs) to the value associated with the root user by adding the directories /sbin and /usr/sbin. These two directories contain administrative programs that are used only by administrative accounts.
The user s login and logout scripts are executed.
If the dash character (-) is omitted, the su command will execute a shell but will not execute the login scripts.
If you use su to switch to the root account, and then find that various administrative commands are missing, it could be that you omitted the - switch; that is, you typed just su instead of su -.
Note also that you can use su to execute a shell with an account other than root, as in the following example:
$ su kapils
We're now ready to add new users to the system using the command line.
Adding users can be a straightforward task on a standalone PC, but when you're a professional system administrator with a lot of settings to get through, the graphical User Manager tool can make the task a time-consuming one.
Hence, it sometimes makes more sense to make use of command line tools instead. Once you've got the hang of the command line tools, it's easy to include them in automated scripts and perform complex or lengthy operations more quickly. As you'd expect, the command line tools also have lots of options and are rather more flexible than their GUI counterparts.
In its simplest form, here's the sequence of commands that replicates the behavior of the graphical tool, using default values when possible.
At a root shell prompt, type the following command to add a new user without having to worry about details such as choosing UID and GID:
# useradd -c 'Mark Mamone' -s /bin/bash markm
Before proceeding, use the gedit text editor to examine the configuration files. First, in /etc/passwd, you should find the following new entry, for the account you've just created:
...
eziodm:x:500:500:Pancrazio 'Ezio' de Mauro:/home/eziodm:/bin/bash
kapils:x:501:501:Kapil Sharma:/home/kapils:/bin/bash
deepakt:x:502:502:Deepak Thomas:/home/deepakt:/bin/bash
markm:x:503:504:Mark Mamone:/home/markm:/bin/bash
The UID is 503 and the primary, private GID is 504. Next, from /etc/group, you read the following:
...
eziodm:x:500:
kapils:x:501:
deepakt:x:502:
authors:x:503:eziodm,kapils,deepakt
markm:x:504:
From this, you can deduce that the group with GID 504 is called markm. Finally, there's a new line in /etc/shadow:
...
eziodm:$W/RgbXrI$OP9t9IyVmQyvPfxNLUFwQ1:12100:0:99999:7:::
kapils:!!Q7Ci4g$CqbN8rdCBw4GmxDlouQ2q/:12100:0:99999:7:::
deepakt:$sUejrHGF$I3cSo2TRmKIbN55wfLgfB1:12100:0:99999:7:::
markm:!!:12100:0:99999:7:::
The !! in the second field means that the account is disabled. In fact, this is the default behavior of useradd: it creates disabled accounts.
To enable the newly created account, you must assign a password. Still using the root account, use the passwd command to assign a password for markm :
# passwd markm
Changing password for user markm.
New password: (password not shown)
Retype new password: (password not shown)
passwd: all authentication tokens updated successfully.
Now refresh your view of /etc/shadow, to see what has changed:
...
eziodm:$W/RgbXrI$OP9t9IyVmQyvPfxNLUFwQ1:12100:0:99999:7:::
kapils:!!Q7Ci4g$CqbN8rdCBw4GmxDlouQ2q/:12100:0:99999:7:::
deepakt:$sUejrHGF$I3cSo2TRmKIbN55wfLgfB1:12100:0:99999:7:::
markm:afRsVjz$mg9zGakhspD.fcpDwx4wv0:12100:0:99999:7:::
Now the markm account has a password, and is fully operative.
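The three files you have just inspected are easy to cross-check mechanically. The following added example (not from the book or from Fedora's own tools) parses constructed /etc/passwd, /etc/group and /etc/shadow records modelled on the walkthrough above, resolves each account's primary and supplementary groups as id does, and flags the conditions an administrator cares about: a second shadow field of !! (disabled), an empty second field (no password at all), a primary GID with no group entry, and the 99999 max-days value that means the password never expires.

```python
# Constructed samples modelled on the chapter's walkthrough; the hashes are placeholders.
PASSWD = """\
eziodm:x:500:500:Pancrazio 'Ezio' de Mauro:/home/eziodm:/bin/bash
kapils:x:501:501:Kapil Sharma:/home/kapils:/bin/bash
markm:x:503:504:Mark Mamone:/home/markm:/bin/bash
stray:x:505:999:Primary group missing:/home/stray:/bin/bash
"""
GROUP = """\
eziodm:x:500:
kapils:x:501:
authors:x:503:eziodm,kapils,deepakt
markm:x:504:
"""
SHADOW = """\
eziodm:$HASH_PLACEHOLDER:12100:0:99999:7:::
kapils:!!$HASH_PLACEHOLDER:12100:0:99999:7:::
markm:!!:12100:0:99999:7:::
stray::12100:0:99999:7:::
"""

def parse_colon_file(text):
    """Split a passwd/group/shadow-style file into lists of fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]

def password_state(field):
    """Classify the second field of an /etc/shadow record."""
    if field == "":
        return "EMPTY"    # no password at all: login requires no secret
    if field[0] in "!*":
        return "LOCKED"   # "!!" as written by useradd; "!" + hash after passwd -l
    return "SET"

def audit(passwd_text, group_text, shadow_text):
    # Cross-check the three files and return per-account facts and findings.
    groups = {g[2]: g for g in parse_colon_file(group_text)}   # keyed by GID
    shadow = {s[0]: s for s in parse_colon_file(shadow_text)}  # keyed by login name
    report = {}
    for name, _, uid, gid, _gecos, _home, _shell in parse_colon_file(passwd_text):
        findings = []
        entry = shadow.get(name)
        if entry is None:
            findings.append("no /etc/shadow entry")
        else:
            state = password_state(entry[1])
            if state != "SET":
                findings.append("password " + state)
            if entry[4] in ("", "99999"):   # max-days field; 99999 is the login.defs default
                findings.append("password never expires")
        if gid not in groups:
            findings.append("primary GID %s has no /etc/group entry" % gid)
        # supplementary groups: every group whose member list names this login
        supplementary = [g[0] for g in groups.values() if name in g[3].split(",")]
        report[name] = {"uid": int(uid), "primary_group": groups.get(gid, [None])[0],
                        "groups": supplementary, "findings": findings}
    return report
```

On a real system, read the live files instead of the constructed strings (root is needed for /etc/shadow) and review every account whose findings list is not empty.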
To test out the markm account, open a new terminal window as a normal user. Then use the su command to verify that the account works:
$ su - markm
Password: (password not shown)
$ id
uid=503(markm) gid=504(markm) groups=504(markm)
As you can see, the new user identity is now markm. The new current directory is /home/markm because you used the su - form:
$ pwd
/home/markm
$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc  .emacs  .gtkrc
How it works
The useradd command creates a new user called markm. The description, Mark Mamone, is delimited by single quotation marks to instruct the shell to keep it as a single parameter. The shell is /bin/bash:
# useradd -c 'Mark Mamone' -s /bin/bash markm
The passwd command assigns a password to the account. The password is read from the terminal but not echoed back to the screen:
# passwd markm
Other aspects of the account are determined automatically from the system defaults and from the arguments specified. By default, the home directory will be /home/markm; the UID and GID will be the first available (in this case, 503 and 504, respectively); and the account and password expiration data are taken from /etc/login.defs and /etc/default/useradd.
You might be surprised to find that the newly created home directory is not empty. Its content is copied from the /etc/skel directory, which contains the files and directories that should be added to a new home directory whenever a new user account is created. This is a particularly handy feature for the system administrator: if every user needs a similar setup, it is sufficient to put the desired files in /etc/skel .
Other defaults, such as password-aging values, are taken from /etc/login.defs .
The useradd command has several options that you can use when the defaults are not appropriate. More details are available by typing man useradd in a terminal. The following table provides a list of the most commonly used options.
Allows you to specify the user's home directory.
Allows you to specify the expiration date of the account in the format DD-MM-YYYY.
If the password expires, the operating system will wait a number of days before permanently disabling the account. This option allows you to specify the number of days between these two events.
Allows you to specify the GID of this account.
Allows you to specify a comma-separated list of other groups to which the user belongs.
Allows you to omit the creation of a home directory.
Allows you to specify the UID of this account.
You can use the passwd command whenever a password needs to be changed or initialized. Of course, normal (non-root) users are allowed to change only their own passwords, which they can do via the passwd command. Root can change anyone's password, by specifying the passwd command followed by the account name (as you saw in Step 3 of the Adding Users with the Command Line Interface example).
Once a user account has been created, its owner has a certain degree of control over it. Not surprisingly, Fedora Core has graphical and command line tools, and account owners can change things such as the password, account description, and shell.
As you'll see in the following two examples, the basic steps for changing your password are identical whether you use the GUI or the command line procedure.
To change your password via the graphical interface, select Main Menu>Preferences>Password or type userpasswd in a terminal window. The dialog box shown in Figure 7-14 appears. For security reasons, you'll have to type your old password first.
Then you ll be prompted twice for the new password (see Figure 7-15).
If you type the same password twice, and it is not too short or based on a dictionary word, the new password will be accepted. Remember, it is a good idea to change your password regularly, especially if your computer is shared with somebody else, even if the system does not enforce password expiration.
To change your password via the command line, you can use the passwd command. You'll first be challenged to enter your current password: again, this is to ensure you have the right to change it:
$ passwd
Changing password for user eziodm.
Changing password for eziodm
(current) UNIX password: (password not shown)
Then you're asked to enter the new password. You can take this opportunity to find out the sort of passwords that are acceptable. Try typing ape5 as your new password:
New password: (password not shown)
BAD PASSWORD: it is too short
Because ape5 is too short, try elephant6 instead:
New password: (password not shown)
BAD PASSWORD: it is based on a dictionary word
The passwd command won't accept dictionary-based passwords either: it has a built-in mechanism that prevents you from choosing passwords that can be easily guessed. Try something a little more complex, such as e!eph4nt:
New password: (password not shown)
Retype new password: (password not shown)
passwd: all authentication tokens updated successfully.
As you can see, the steps in the command line procedure are identical to those of the GUI-based procedure.
Finally, remember that if a normal user, such as eziodm, forgets his or her password, root can run the following command to reset it to a known value:
# passwd eziodm
Red Hat Linux also provides GUI and CLI utilities that allow users to control other aspects of their account. You can launch the GUI utility by selecting Main Menu>Preferences>About Myself, or by typing userinfo at the command line. This brings up the User Information dialog box shown in Figure 7-16.
With this dialog box, you can edit the system's record of your name and add contact information, if you wish. All this information is then stored (in comma-separated format) in the description field of the record in /etc/passwd, like this:
eziodm:x:500:500:Pancrazio 'Ezio' de Mauro,,212 555-4343,:/home/eziodm:/bin/bash
You can also use this dialog box to change your login shell. Note that it is not possible to choose a shell that is not in the list. When you're finished, just click Apply to confirm (if you want to discard your changes, click Close instead). If you modify and confirm anything, the tool asks for your password to verify your identity.
From the command line, you can use chfn to change your personal information and chsh to change your shell. Here's an example in which user eziodm uses chfn to change personal information:
$ chfn
Changing finger information for eziodm.
Password: (password not shown)
Name [Pancrazio 'Ezio' de Mauro]: Pancrazio de Mauro
Office []:
Office Phone [212 555-4343]: +44 20 1234 5678
Home Phone []: +39 02 1234 5678
Finger information changed.
The result achieved by this is very similar to that achieved by using the User Information dialog box you saw in the preceding section. You can see that this user was first required to enter a password (to identify themselves), and then changed the account's Name and Office and Home phone numbers.
To change the login shell, you can use the chsh command, which works in a very similar way:
$ chsh
Changing shell for eziodm.
Password: (password not shown)
New shell [/bin/bash]: /bin/tcsh
Shell changed.
If you want to return to your previous shell, just run chsh again and specify the original one:
$ chsh
Changing shell for eziodm.
Password: (password not shown)
New shell [/bin/tcsh]: /bin/bash
Shell changed.
You can find out more about chfn and chsh by consulting their manuals from a terminal with man chfn and man chsh.
When you need to adopt the root account and apply changes to another account, the best tool to use is dependent on the changes you need to make. Some of the more common operations (such as account or password expiry) are easy to perform using the User Manager (you select the account and then press the Properties button).
However, if you need to make more major changes to an account (such as changing the UID), the User Manager is not enough. In fact, you can't even use the CLI-based commands such as the passwd, chfn, and chsh utilities to change the UID of an account.
If you absolutely must change an account's home directory, UID, GID, or even login name, here's how to do it using usermod on the command line. Remember, you have to be logged in as root to do this. Suppose you have the following user in /etc/passwd:
eziodm:x:500:500:Pancrazio 'Ezio' de Mauro:/home/eziodm:/bin/bash
If you want to rename the account from eziodm to eziod, you can run usermod , like this:
# usermod -l eziod eziodm
We've used the -l option to indicate that we want to change the login name, and we specify the new login name before the existing one. As a result, the record for this user in /etc/passwd changes to the following:
eziod:x:500:500:Pancrazio 'Ezio' de Mauro:/home/eziodm:/bin/bash
As you can see, the account has preserved its UID, description, home directory, and so on. If you want to change the location of the user's home directory, you can run this command after the previous one:
# usermod -d /home/eziod -m eziod
Here's how to read this command:
The -d /home/eziod option specifies the new home directory.
The -m option instructs usermod to move the contents of the old directory to the new one. After the move, the old home directory will not be visible anymore.
The username (eziod) specified at the end of the command is the account on which usermod must operate.
You can change an account's UID and GID via usermod, using the -u and -g options, respectively. However, this operation can create undesirable side effects if the user has files outside his or her home directory. In particular, the command does not update the ownership of those files accordingly; they have to be changed manually (perhaps with the help of other utilities, such as find). The manual page of usermod (man usermod in a terminal) warns about this and other critical points.
To get a list of files whose owner or group does not exist in /etc/passwd or /etc/group, you can use the following command as root:
# find / -nouser -o -nogroup
The find command is a very powerful and useful command. You can check other options with man find in a terminal. There's more about it in Chapters 2 and 6.
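The same check can be scripted when you want to audit a tree against a snapshot of valid IDs rather than the live account database, for example after a UID change with usermod -u. The following added example (not from the book, and not a wrapper around find) walks a directory without following symbolic links, as find does, and reports every entry whose owner or group is unknown; the demo_on_tempdir helper is a constructed self-check that runs on a throwaway directory.

```python
import os
import pwd
import grp
import tempfile

def _known(lookup, ident, snapshot):
    """True if ident is in the snapshot set, or (with no snapshot) in the live database."""
    if snapshot is not None:
        return ident in snapshot
    try:
        lookup(ident)
        return True
    except KeyError:
        return False

def orphaned_files(root, known_uids=None, known_gids=None):
    """Walk root without following symlinks, like find -nouser -o -nogroup, and
    return (path, uid, gid) for every entry whose owner or group is unknown.
    Pass explicit ID sets to audit against a snapshot instead of the live
    database, e.g. the UIDs that remain valid after usermod -u has been run."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath] if dirpath == root else []      # the top directory itself
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in paths:
            try:
                st = os.lstat(path)      # lstat: judge the link itself, not its target
            except OSError:
                continue                 # vanished or unreadable entry: skip it
            if (not _known(pwd.getpwuid, st.st_uid, known_uids)
                    or not _known(grp.getgrgid, st.st_gid, known_gids)):
                found.append((path, st.st_uid, st.st_gid))
    return found

def demo_on_tempdir():
    """Constructed self-check: one file in a fresh temporary directory, audited
    against the caller's own IDs (nothing orphaned) and against an empty
    snapshot (everything orphaned)."""
    root = tempfile.mkdtemp(prefix="orphan-demo-")
    path = os.path.join(root, "owned-by-me")
    open(path, "w").close()
    my_uids = {os.getuid(), os.geteuid()}
    my_gids = set(os.getgroups()) | {os.getgid(), os.getegid()}
    return {
        "paths": sorted([root, path]),
        "against_self": orphaned_files(root, my_uids, my_gids),
        "against_live_db": orphaned_files(root),
        "against_empty": sorted(p for p, _, _ in orphaned_files(root, set(), set())),
    }

if __name__ == "__main__":
    print(demo_on_tempdir())
```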
Deleting user accounts is all too easy. In the User Manager graphical interface, you can delete a user simply by selecting the user in the Users tab, and then clicking the Delete button.
Be very careful when deleting accounts via the User Manager: there will be no confirmation! However, the user's home directory will not be destroyed. So, in cases of accidental deletion, it is possible to recover the files and create an account with the same properties as the one just deleted.
From the root command line, you can run userdel. Using the command like this will erase the named account (markm, here) from /etc/passwd, but the associated home directory will not be deleted:
# userdel markm
If you also specify the -r option, the account information, home directory, and mailbox will also be destroyed:
# userdel -r markm