Users & Groups
A user account provides security boundaries between different people and programs that can run commands.
Users have user names to identify them to human users. Internally, the system distinguishes user accounts by the unique identification number assigned to them, the user ID or UID. If humans use a user account, it's generally assigned a secret password that the user uses to prove that they are the actual authorized user when logging in.
User accounts are fundamental to system security. Every process (running program) on the system runs as a particular user. Every file has a particular user as its owner. File ownership helps the system enforce access control for users of the files. The user associated with a running process determines the files and directories accessible to that process.
There are three main types of user account: the superuser, system users, and regular users.
- The superuser account is for the administration of the system. The name of the superuser is root, and the account has UID 0. The superuser has full access to the system.
- The system has system user accounts which are used by processes that provide supporting services. These processes, or daemons, usually do not need to run as the superuser. They are assigned non-privileged accounts that allow them to secure their files and other resources from each other and regular users on the system. Users do not interactively log in using a system user account.
- Most users have regular user accounts which they use for their day-to-day work. Like system users, regular users have limited access to the system.
Local user accounts can be found in /etc/passwd. The actual passwords are stored encrypted in /etc/shadow.
A group is a collection of users that need to share access to files and other system resources. Use groups to grant access to files to a set of users instead of just a single user.
Like users, groups have group names to make them easier to use. Internally, the system distinguishes groups by the unique identification number assigned to them, the group ID or GID.
By default, systems use the /etc/group file to store information about local groups.
Most operating systems have some form of superuser, a user that has all power over the system. In RHEL this is the root user. This user has the power to override standard privileges on the file system and is used to manage and administer the system. To perform tasks such as installing software or managing system files and directories, users must escalate their privileges to the root user.
The su command allows users to switch to a different user account. If you run su from a regular user account, you'll be prompted for the password of the account to which you want to switch.
In some cases, the root user's account may not have a valid password at all for security reasons. In this case, users cannot log in to the system as root directly with a password, and su cannot be used to get an interactive shell. One tool that can be used to get root access in this case is sudo.
Unlike su, sudo typically requires users to enter their own password for authentication, not the password of the user account they are trying to access. Users who use sudo to run commands as root do not need to know the root password. Instead, they use their own passwords to authenticate.
Additionally, sudo can be configured to allow specific users to run any command as some other user, or only some commands as that user.
One additional benefit to using sudo is that all commands executed are logged by default to /var/log/secure.
The sudo su - command and sudo -i do not behave the same. The sudo su - command sets up the root environment precisely like a standard login because the su - command ignores the settings made by sudo and sets up the environment from scratch.
The default configuration of the sudo -i command sets up some details of the root user's environment differently than a standard login. For example, it sets the PATH environment variable slightly differently, which affects where the shell looks to find commands.
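As an added example (not part of the original notes, and not Red Hat's own configuration), here is a constructed sudoers drop-in of the shape just described: a group with full rights, a user limited to two commands as root, and a user allowed to run anything but only as another account. The user and group names, the service name and the `allowed_commands` reader are all made up for this example; real policy is kept in /etc/sudoers.d/ and syntax-checked with `visudo -cf FILE` before it is installed.

```shell
#!/bin/sh
# Added example, not from the original notes. Names (wheel, alice, bob, dbadmin,
# httpd) are constructed. Each sudoers rule reads: WHO HOSTS=(RUNAS) COMMANDS.
SUDOERS_SAMPLE='# Full rights for members of the wheel group
%wheel   ALL=(ALL)      ALL
# alice may only restart or inspect the web service, and only as root
alice    ALL=(root)     /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
# bob may run anything, but only as the dbadmin account, never as root
bob      ALL=(dbadmin)  ALL'

# allowed_commands WHO: prints "(runas) command list" for the rule whose first
# field is WHO (a user name, or %group for a group rule); prints nothing when
# no rule names WHO. Comment and blank lines are skipped.
allowed_commands() {
    printf '%s\n' "$SUDOERS_SAMPLE" | awk -v u="$1" '
        /^#/ || NF == 0 { next }
        $1 == u {
            split($2, hr, "=")          # hr[1] = host list, hr[2] = "(runas)"
            cmds = ""
            for (i = 3; i <= NF; i++) cmds = cmds (i > 3 ? " " : "") $i
            print hr[2] " " cmds
        }'
}

# Stand-alone run: show what each principal may do (carol has no rule).
for who in %wheel alice bob carol; do
    printf '%-7s %s\n' "$who" "$(allowed_commands "$who")"
done
```

The alice rule is the least-privilege form the notes refer to: she authenticates with her own password, never learns the root password, and every invocation still lands in /var/log/secure.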
To add a user.
To add a group.
To add a user to a supplementary group.
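As an added example (not part of the original notes), the three tasks above as root would type them, followed by a small POSIX shell checker that shows what those commands change in /etc/passwd and /etc/group. The user and group names (alice, bob, developers, wheel) and the two file excerpts are constructed for the example, so the checker runs as any user without touching the real files.

```shell
#!/bin/sh
# Added example, not from the original notes. The provisioning steps need root
# and modify the real files; the checker below works on constructed copies of
# the records those steps produce.

# The three tasks as root would type them (names are made up for the example).
#   -m creates the home directory, -s sets the login shell,
#   -aG APPENDS a supplementary group; plain -G would replace the existing list.
provision_example() {
    groupadd developers
    useradd -m -s /bin/bash alice
    usermod -aG developers alice
}

# Constructed /etc/passwd records: name:x:UID:GID:comment:home:shell
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/sbin/nologin'

# Constructed /etc/group records: name:x:GID:member,member
GROUP_SAMPLE='root:x:0:
alice:x:1001:
bob:x:1002:
developers:x:1003:alice
wheel:x:10:alice,bob'

# user_exists NAME: succeeds when passwd has a record whose first field is NAME.
user_exists() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# primary_group NAME: the GID in passwd field 4, resolved to a name via group field 3.
primary_group() {
    gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# supplementary_groups NAME: every group whose member list (field 4) contains
# NAME, sorted and space separated, i.e. what `id -Gn` adds beyond the primary group.
supplementary_groups() {
    printf '%s\n' "$GROUP_SAMPLE" |
        awk -F: -v u="$1" '{ n = split($4, m, ",")
                             for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: report alice the way `id` would.
printf 'alice: primary=%s supplementary=%s\n' "$(primary_group alice)" "$(supplementary_groups alice)"
```

The `-aG` detail matters in practice: running `usermod -G developers alice` without `-a` would silently drop alice from wheel.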
When a user tries to log in, the system looks up the entry for the user in /etc/shadow, combines the salt for the user with the password that was typed and hashes them using the algorithm specified in the entry. If the result matches the stored hash, the user typed in the right password. If the result does not match the stored hash, the user typed in the wrong password, and the login attempt fails. This method allows the system to determine whether the user typed the correct password without storing that password in a form usable for logging in.
You can use the chage command to set account expiration dates. When that date is reached, the user cannot log in to the system interactively. The usermod command can lock an account with the -L option.
If a user leaves the company, the administrator may lock and expire an account with a single usermod command. The date must be given as the number of days since 1970-01-01, or in the YYYY-MM-DD format.
How to set a user's password to never expire.
Disable the login shell for a user account.
Set password expiry to 90 days.
Force a password change at next login.
Set a password to expire in 180 days.
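As an added example (not part of the original notes), the commands behind the tasks above, together with a small audit that reads /etc/shadow records and reports the state each setting leaves an account in: locked, must change at next login, never expiring, password expired, or account expired. The shadow records are constructed, the hash part is a placeholder, and the `hash_parts` and `account_state` helpers are made up for this example; only the chage and usermod options are real.

```shell
#!/bin/sh
# Added example, not from the original notes. Records are constructed and the
# hash is a placeholder; only the field layout and the command options are real.

# Field layout of a shadow record, colon separated:
#  1 name  2 hash  3 last change (days since 1970-01-01)  4 min  5 max
#  6 warn  7 inactive  8 account expiry (days since 1970-01-01)  9 reserved
SHADOW_SAMPLE='alice:$6$saltsalt$HASHPLACEHOLDER:19700:0:90:7::20000:
bob:!$6$saltsalt$HASHPLACEHOLDER:19650:0:99999:7:::
carol:$6$saltsalt$HASHPLACEHOLDER:0:0:99999:7:::
dave:$6$saltsalt$HASHPLACEHOLDER:19500:0:180:7::19600:
svc:*:19000:0:99999:7:::'

# The commands behind the tasks above, as root would type them (all need root).
set_password_never_expires() { chage -M -1 "$1"; }
disable_login_shell()        { usermod -s /sbin/nologin "$1"; }
set_password_max_90()        { chage -M 90 "$1"; }
force_change_next_login()    { chage -d 0 "$1"; }
set_password_max_180()       { chage -M 180 "$1"; }
lock_and_expire()            { usermod -L -e "$2" "$1"; }   # $2 as YYYY-MM-DD

# hash_parts NAME: the "$id$salt$hash" field split into id and salt, or "none"
# when the field holds no hash (an account locked with "*" or "!!").
hash_parts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '
        $1 == u { n = split($2, p, "[$]")
                  if (n >= 4) print p[2], p[3]; else print "none" }'
}

# account_state NAME TODAY: TODAY in days since 1970-01-01, the same unit the
# shadow fields use; the current value is $(( $(date +%s) / 86400 )).
account_state() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" -v today="$2" '
        $1 == u {
            out = ""
            if ($2 ~ /^[!*]/)               out = out "locked "           # usermod -L
            if ($3 == "0")                  out = out "must-change "      # chage -d 0
            if ($5 == "" || $5 == "99999")  out = out "never-expires "    # chage -M -1
            else if ($3 + $5 < today)       out = out "password-expired "
            if ($8 != "" && $8 < today)     out = out "account-expired "  # usermod -e / chage -E
            if (out == "") out = "ok "
            sub(/ $/, "", out); print out
        }'
}

# Stand-alone run: audit every constructed record against the real current date.
today=$(( $(date +%s) / 86400 ))
for name in alice bob carol dave svc; do
    printf '%-6s %s\n' "$name" "$(account_state "$name" "$today")"
done
```

Locking with usermod -L only prefixes the hash with "!", so the original hash survives and the salt is still visible to hash_parts; expiring the account (field 8) is what stops the user even if they have an SSH key and never use the password at all.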
Summary
There are three main types of user account: the superuser, system users, and regular users.
A user must have a primary group and may be a member of one or more supplementary groups.
The three critical files containing user and group information are /etc/passwd, /etc/group and /etc/shadow.
Use the su and sudo commands to run commands as the superuser.
Use the useradd, usermod and userdel commands to manage users.
Use the groupadd, groupmod and groupdel commands to manage groups.
Use the chage command to configure and view password expiration settings for users.
Command References: su, sudo, useradd, usermod, userdel, groupadd, groupmod, groupdel and chage.