User Management

Even if only one person works on the computer, you should understand some aspects of user management in the Linux system. It is important to create at least one user name (apart from the root user) for routine work.

Every individual user should have his or her own user name. It is very rarely useful for several people to share the same user name. Apart from security, user management and accountability also depend on each user being identified in the system by his or her own name.

Users in Linux

The system stores the following information about any user:

User Name

This name must be unique within the system. Only Latin letters, digits, the underscore (_) and the period (.) can be used in user names.

User ID

This ID, abbreviated to UID, is the user's unique identifier in the system. In fact, the system uses UIDs to identify users, rather than their names.

Group ID

This ID (abbreviated to GID) identifies a group to which the user belongs by default. Groups help regulate access of multiple users to various resources. Every user belongs to one or more groups. Users are added to groups by the system administrator.

Password

The user's encrypted password. To create or change a password, use the passwd command.

Full name

Apart from the user's system name, the system stores the name (first name, last name, etc.) of the “real” user. For example, user schmoj may in real life be named Joe Schmo.

Home Directory

This is the directory the user is placed in after logging in, and where his or her private files are stored. Every user has such a directory, and all such directories are gathered in one directory, usually named /home.

Login Shell

This is the command shell launched when the user logs in, for example, /bin/bash or /bin/zsh.

All this information is stored in the file /etc/passwd. Every line of this file has the following format:

user name:encrypted password:UID:GID:full name:home directory:login shell

Examples:

kiwi:Xv8Q981g71oKK:102:100:Laura Poole:/home/kiwi:/bin/bash

In this example, the first field is the user name, kiwi. The next field stores an encrypted password: Xv8Q981g71oKK. Passwords are stored in the system in an encrypted (unreadable) form, with the password itself used as the key. In other words, in order to decrypt a password, you must already know it. This encryption type is secure enough.

Some systems use “shadow passwords”, with information about the password stored in the file /etc/shadow. This system is a bit safer, since the file /etc/passwd can be read by anyone, while the access rights for the file /etc/shadow are much more strictly limited. Shadow passwords have some additional functions, for example, they have a password expiration option.

The third field, 102, is the UID. This number must be unique. The fourth field, 100, is the GID, i.e. the user belongs to the group with number 100. Information about groups is stored in the file /etc/group.

The fifth field is the real name of the user, in our case Laura Poole. The last two fields are the user's home directory (/home/kiwi) and login shell (/bin/bash). The user name and the name of the home directory do not have to coincide, but such an organization helps determine who owns a directory.

New User Creation

To create a new user, you should follow a number of steps. First, create a record for the user in /etc/passwd. In this file, each user must have a unique name and UID. UIDs of ordinary users must be greater than 100, since smaller UIDs are reserved for system purposes. Besides this, the GID (group ID), the user's real name and some other information should be provided. After that, a home directory is created for the user, and its access rights are set up so that the user becomes the owner of this directory. Login shell initialization files are placed in this directory. Finally, system-wide configuration files are updated (for instance, the spool for the user's incoming mail).

Manual creation of users is not difficult, but on a system with a large number of users it is easy to forget some detail. The easiest way to create new users in this case is to use an interactive program that automatically updates the contents of all the required system files. This program is called useradd or adduser, depending on which software is installed on the computer.

The file /etc/default/useradd contains the standard initial configuration for all new users. In this file, you can assign values to the variables used by the useradd program. This file also specifies the location of the directory containing default configuration files; this location is given by the SKEL variable. Files placed in this directory (such as .profile, which sets the default mode for the entire system, and .zshrc or .bashrc) are automatically copied to the home directory of each user created by the useradd command.

User Deletion

To delete a user from the system, use the userdel or deluser command.

If you need to temporarily prevent a user from logging in to the system, but you do not want to delete this user's home directory and other personal settings, you may simply place an asterisk (*) in front of his or her password in the /etc/passwd file. For example, the line for user kiwi modified in this way looks as follows:

kiwi:*Xv8Q981g71oKK:102:100:Laura Poole:/home/kiwi:/bin/bash

By doing this, you have made it impossible for the user kiwi to log into the system.
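As an added example (not code from the original text), the following Python code applies the /etc/passwd rules described in this and the preceding sections: it parses lines of the seven-field format, builds the record for a new ordinary user with a valid, unique name and a UID greater than 100, and locks or unlocks a user by placing an asterisk in front of the password. The sample file contents are constructed, and leaving a new user's password field as a bare asterisk until passwd sets a real one is an assumption of this example.

```python
import re

# Constructed sample /etc/passwd contents in the format the text describes
# (user name:encrypted password:UID:GID:full name:home directory:login shell).
SAMPLE_PASSWD = """\
root:Xk3j9s0pQ1aBc:0:0:root:/root:/bin/bash
kiwi:Xv8Q981g71oKK:102:100:Laura Poole:/home/kiwi:/bin/bash
mdw:Ab1c2D3e4F5g6:103:100:M. Welsh:/home/mdw:/bin/zsh
"""
VALID_NAME = re.compile(r"^[A-Za-z0-9_.]+$")  # characters the text allows in user names
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split each line into the seven colon-separated fields the text lists."""
    entries = []
    for line in filter(None, text.splitlines()):
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

def new_user_line(text, name, gecos, gid=100, shell="/bin/bash"):
    """Build the /etc/passwd record for a new ordinary user following the rules in
    the text: a valid, unique name and a UID above 100 (one higher than the highest
    UID in use, so a recently freed UID is not handed to the newcomer). The password
    field is left as an asterisk (no login) until passwd sets a real one (assumption)."""
    entries = parse_passwd(text)
    if not VALID_NAME.match(name):
        raise ValueError(f"invalid user name: {name!r}")
    if any(e["name"] == name for e in entries):
        raise ValueError(f"user name already exists: {name!r}")
    uid = max([100] + [e["uid"] for e in entries]) + 1
    return f"{name}:*:{uid}:{gid}:{gecos}:/home/{name}:{shell}"

def is_locked(entry):
    """A leading asterisk in the password field disables login, as the text shows."""
    return entry["password"].startswith("*")

def lock_line(line):
    """Return the passwd line with an asterisk placed in front of the password."""
    parts = line.split(":")
    parts[1] = "*" + parts[1].lstrip("*")
    return ":".join(parts)

def unlock_line(line):
    """Undo lock_line by removing the leading asterisk again."""
    parts = line.split(":")
    parts[1] = parts[1].lstrip("*")
    return ":".join(parts)
```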

Setting User Attributes

After you have created a name for the new user, you may need to change some of the attributes assigned to this user, for example, his or her home directory or password. The simplest way to do this is to edit the data in the /etc/passwd file directly. To create a password, use the passwd command. The command

 passwd larry

changes user larry's password. Only the root user may change another user's password; ordinary users change their own password by running the passwd command without any parameters.

User Groups

As stated above, every user belongs to one or several groups. The only essential characteristic of any group is access rights. Every file has not only an individual owner but also a group owner, together with a set of access rights that determine how members of that group may access the file. When a new user is created, a group with the same name as the user is also created. It contains only the new user himself or herself.

There are several groups defined by the system, for instance, bin, mail, sys. These groups are created to manage access rights to system files, and users should not belong to these groups. For users, special groups are created, for example, users. You may create several groups for users, for example, student, staff, and faculty.

Information about groups is contained in the /etc/group file. The format of every line in this file is as follows:

group name:password:GID:other group members

Examples of groups:

root:*:0:
users:*:100:mdw,larry
guest:*:200:
other:*:250:kiwi

The first group, root, is a special group for the root user. The second group, users, contains regular users. The GID of this group is 100, and it contains the users mdw and larry. Recall that in the /etc/passwd file each user has a default group. Nevertheless, users may belong to more than one group, and this is done by listing their names in the /etc/group file. The command groups displays the list of groups a given user belongs to.

The third group is called guest and is intended for visitors. For all other users, the group other is used. This group contains the user kiwi.

Sometimes the password field in the /etc/group file is filled in to set a password for group access. This is rarely needed. To prevent users from entering privileged groups (with the newgrp command), enter an asterisk (*) in this field.

To create a new user group, the addgroup or groupadd command may be used. Usually, it is easiest to enter a new line into the /etc/group file manually, since no other configuration is required. To delete a group, delete the corresponding line from the /etc/group file.
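As an added example (not code from the original text), this Python code parses /etc/group lines in the format shown above and approximates what the groups command reports: the user's default group taken from the GID field of /etc/passwd, followed by every group whose member list names the user. It also checks whether a group's password field is the asterisk the text recommends for keeping users out of privileged groups via newgrp. Both sample files are constructed.

```python
# Constructed sample /etc/group and /etc/passwd contents (not a real system's files).
SAMPLE_GROUP = """\
root:*:0:
users:*:100:mdw,larry
guest:*:200:
other:*:250:kiwi
staff:secretpw:300:larry,kiwi
"""
SAMPLE_PASSWD = """\
kiwi:Xv8Q981g71oKK:102:100:Laura Poole:/home/kiwi:/bin/bash
larry:Qz7l2mN0pRsTu:103:250:Larry Jones:/home/larry:/bin/bash
mdw:Ab1c2D3e4F5g6:104:100:M. Welsh:/home/mdw:/bin/zsh
"""

def parse_group(text):
    """Map group name -> (password, GID, members) from lines of the form
    group name:password:GID:other group members."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, password, gid, members = line.split(":")
        groups[name] = (password, int(gid), [m for m in members.split(",") if m])
    return groups

def default_gids(passwd_text):
    """Map user name -> default GID, the fourth field of each /etc/passwd line."""
    rows = (line.split(":") for line in filter(None, passwd_text.splitlines()))
    return {row[0]: int(row[3]) for row in rows}

def groups_of(user, passwd_text, group_text):
    """Approximate the groups command: the default group from /etc/passwd first,
    then every group in /etc/group that lists the user as a member."""
    groups = parse_group(group_text)
    name_by_gid = {gid: name for name, (_, gid, _) in groups.items()}
    result = []
    gid = default_gids(passwd_text).get(user)
    if gid in name_by_gid:
        result.append(name_by_gid[gid])
    for name, (_, _, members) in groups.items():
        if user in members and name not in result:
            result.append(name)
    return result

def newgrp_closed(group_name, group_text):
    """True when the password field is an asterisk, so nobody can enter the group
    with newgrp, as the text recommends for privileged groups."""
    return parse_group(group_text)[group_name][0] == "*"
```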