
Linux users

identify yourself

whoami

The whoami command tells you your username.

datasoft @ datasoft-linux /$ whoami
datasoft
datasoft @ datasoft-linux /$ su - datasoft
Password: 
datasoft @ datasoft-linux ~$ whoami
datasoft
datasoft @ datasoft-linux ~$

who

The who command will give you information about who is logged on the system.

datasoft @ datasoft-linux ~$ who
datasoft :0           2014-08-18 15:14 (:0)
datasoft pts/11       2014-08-18 15:15 (:0)

who am i

With who am i the who command will display only the line pointing to your current session.

datasoft @ datasoft-linux ~$ who am i
datasoft pts/11       2014-08-18 15:15 (:0)

w

The w command shows you who is logged on and what they are doing.

ritwik@ritwik-pc:~$ w
 17:18:34 up 7 min,  2 users,  load average: 1.16, 1.61, 0.91
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ritwik   tty7     :0               17:11    7:26  10.43s  0.28s gnome-session -
ritwik   pts/1    :0               17:17    0.00s  0.11s  0.00s w
ritwik@ritwik-pc:~$ 

id

The id command will give you your user id, primary group id and a list of the groups that you belong to.

datasoft @ datasoft-linux ~$ id
uid=1000(datasoft) gid=1000(datasoft) groups=1000(datasoft),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
datasoft @ datasoft-linux ~$ su - brel
No passwd entry for user 'brel'
datasoft @ datasoft-linux ~$ id
uid=1000(datasoft) gid=1000(datasoft) groups=1000(datasoft),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)

users

user management

User management on any Unix can be done in three complementary ways. You can use the graphical tools provided by your distribution. These tools have a look and feel that depends on the distribution. If you are a novice Linux user on your home system, then use the graphical tool that is provided by your distribution. This will make sure that you do not run into problems.

Another option is to use command line tools like useradd, usermod, gpasswd, passwd and others. Server administrators are likely to use these tools, since they are familiar and very similar across many different distributions. This chapter will focus on these command line tools.

A third and rather extremist way is to edit the local configuration files directly using vi (or vipw/vigr). Do not attempt this as a novice on production systems!

/etc/passwd

The local user database on Linux (and on most Unixes) is /etc/passwd.

datasoft @ datasoft-linux ~$ tail /etc/passwd
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
...

As you can see, this file contains seven columns separated by a colon. The columns contain the username, an x (the password itself is kept in /etc/shadow), the user id, the primary group id, a description, the name of the home directory and the login shell.

root

The root user also called the superuser is the most powerful account on your Linux system. This user can do almost anything, including the creation of other users. The root user always has userid 0 (regardless of the name of the account).


datasoft @ datasoft-linux ~$ head -1 /etc/passwd
root:x:0:0:root:/root:/bin/bash
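As an added example (not part of the page), here is a small POSIX shell script that reads text in the /etc/passwd format just described and applies two checks worth running on any local user database: that root is the only account with userid 0 (the text above says root always has userid 0, regardless of the account name, so a second uid-0 entry under another name deserves an explanation), and which accounts end up with an interactive login shell. The sample lines are constructed for this example; the accounts toor and daemon are invented.

```shell
#!/bin/sh
# Added example: parse /etc/passwd-format text the way the seven-column
# description lays it out, then run two review checks over it.
# The sample below is constructed for this example, not taken from a system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
datasoft:x:1000:1000:datasoft,,,:/home/datasoft:/bin/bash
psr:x:1001:1001:psr:/home/psr:
toor:x:0:0:second uid-0 account:/root:/bin/sh'

# Print the seven fields of one passwd line by name. An empty seventh
# field means the system default shell (/bin/sh), so it is shown as
# "(default)" instead of being left blank.
passwd_fields() {
    printf '%s\n' "$1" | awk -F: '{
        printf "user=%s pass=%s uid=%s gid=%s gecos=%s home=%s shell=%s\n",
               $1, $2, $3, $4, $5, $6, ($7 == "" ? "(default)" : $7)
    }'
}

# Space-separated names of every account with uid 0, read from stdin.
# Only root should appear here.
uid0_accounts() {
    awk -F: '$3 == 0 { out = out (out == "" ? "" : " ") $1 } END { print out }'
}

# Space-separated names of accounts that get an interactive shell: the
# shell field is empty (default /bin/sh) or is anything other than
# /bin/false or a nologin binary. Service accounts should not appear.
interactive_accounts() {
    awk -F: '{
        shell = $7
        if (shell == "" || (shell != "/bin/false" && shell !~ /nologin$/))
            out = out (out == "" ? "" : " ") $1
    } END { print out }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do passwd_fields "$line"; done
echo "uid 0 accounts: $(printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts)"
echo "interactive accounts: $(printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts)"
```

To run the same checks on a real system, feed the file instead of the sample: `uid0_accounts < /etc/passwd`. The file is world-readable, so no root rights are needed for this part.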

useradd

You can add users with the useradd command. The example below shows how to add a user named yanina (last parameter) and at the same time forcing the creation of the home directory (-m), setting the name of the home directory (-d), and setting a description (-c).

datasoft @ datasoft-linux /$ sudo useradd -m -d /home/psr -c "psr" psr
datasoft @ datasoft-linux /$ tail -1 /etc/passwd
psr:x:1001:1001:psr:/home/psr:

The user named yanina received userid 529 and primary group id 529.

/etc/default/useradd

Both Red Hat Enterprise Linux and Debian/Ubuntu have a file called /etc/default/useradd that contains some default user options. Besides using cat to display this file, you can also use useradd -D.

datasoft @ datasoft-linux /$ sudo useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

userdel

You can delete the user yanina with userdel. The -r option of userdel will also remove the home directory.

usermod

You can modify the properties of a user with the usermod command. This example uses usermod to change the description of the user psr.

datasoft @ datasoft-linux /$ tail -1 /etc/passwd
psr:x:1001:1001:psr:/home/psr:
datasoft @ datasoft-linux /$ sudo usermod -c "wizard" psr
datasoft @ datasoft-linux /$ tail -1 /etc/passwd
psr:x:1001:1001:wizard:/home/psr:
datasoft @ datasoft-linux /$

passwords

passwd

Passwords of users can be set with the passwd command. Users will have to provide their old password before twice entering the new one.

datasoft @ datasoft-linux /$ passwd
Changing password for datasoft.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
You must choose a longer password
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
datasoft @ datasoft-linux /$

As you can see, the passwd tool will do some basic verification to prevent users from using too simple passwords. The root user does not have to follow these rules (there will be a warning though). The root user also does not have to provide the old password before entering the new password twice.

/etc/shadow

User passwords are encrypted and kept in /etc/shadow. The /etc/shadow file is read only and can only be read by root. We will see in the file permissions section how it is possible for users to change their password. For now, you will have to know that users can change their password with the /usr/bin/passwd command.


datasoft @ datasoft-linux /$ tail /etc/shadow
saned:*:16177:0:99999:7:::
whoopsie:*:16177:0:99999:7:::
speech-dispatcher:!:16177:0:99999:7:::
avahi:*:16177:0:99999:7:::
lightdm:*:16177:0:99999:7:::
colord:*:16177:0:99999:7:::
hplip:*:16177:0:99999:7:::
pulse:*:16177:0:99999:7:::
datasoft:$6$jH/aE9bK$8Kc6vqN8/1cYbbysQb2m7QZBus.19EdHJM3hTaOipaI.ioqmlW59TD4eZAITsuRBkhoNNqNrH1whrafr2.Rvg/:16300:0:99999:7:::
psr:!:16300:0:99999:7:::

The /etc/shadow file contains nine colon separated columns. The nine fields contain (from left to right) the user name, the encrypted password (note that only inge and laura have an encrypted password), the day the password was last changed (day 1 is January 1, 1970), number of days the password must be left unchanged, password expiry day, warning number of days before password expiry, number of days after expiry before disabling the account, and the day the account was disabled (again, since 1970). The last field has no meaning yet.

password encryption

encryption with passwd

Passwords are stored in an encrypted format. This encryption is done by the crypt function. The easiest (and recommended) way to add a user with a password to the system is to add the user with the useradd -m user command and then set the user's password with passwd.

datasoft @ datasoft-linux /$ sudo useradd -m saha
datasoft @ datasoft-linux /$ sudo passwd saha
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
datasoft @ datasoft-linux /$

encryption with openssl

Another way to create users with a password is to use the -p option of useradd, but that option requires an encrypted password. You can generate this encrypted password with the openssl passwd command.


datasoft @ datasoft-linux /$ sudo openssl passwd stargate
[sudo] password for datasoft: 
poTPZHPnIoGyg
datasoft @ datasoft-linux /$ sudo useradd -m -p poTPZHPnIoGyg mohamed

encryption with crypt

A third option is to create your own C program using the crypt function and compile this into a command.


datasoft @ datasoft-linux /$ cat MyCrypt.c
#define _XOPEN_SOURCE 700   /* ask <unistd.h> for the crypt() declaration */
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>          /* current glibc declares crypt() here; link with -lcrypt */

int main(int argc, char **argv)
{
    if (argc == 3)
    {
        /* argv[1] is the cleartext password, argv[2] the salt
           (two characters for DES, "$1$..." for MD5) */
        char *hash = crypt(argv[1], argv[2]);
        if (hash == NULL)
        {
            perror("crypt");    /* e.g. a salt format this libc does not support */
            return 1;
        }
        printf("%s\n", hash);
    }
    else
    {
        printf("Usage: MyCrypt $password $salt\n");
    }
    return 0;
}

This little program can be compiled with gcc like this.


datasoft @ datasoft-linux ~$ gcc MyCrypt.c -o MyCrypt -lcrypt

To use it, we need to give two parameters to MyCrypt. The first is the unencrypted password, the second is the salt. The salt is used to perturb the encryption algorithm in one of 4096 different ways. This variation prevents two users with the same password from having the same entry in /etc/shadow.


datasoft @ datasoft-linux ~$ ./MyCrypt stargate 12
12L4FoTS3/k9U
datasoft @ datasoft-linux ~$ ./MyCrypt stargate 01
01Y.yPnlQ6R.Y
datasoft @ datasoft-linux ~$ ./MyCrypt stargate 33
330asFUbzgVeg
datasoft @ datasoft-linux ~$ ./MyCrypt stargate 42
42XFxoT4R75gk

Did you notice that the first two characters of the password are the salt?

With a plain two-character salt, the crypt function uses the traditional DES-based algorithm, which is old and can be cracked in minutes. A better method is to use md5 passwords, which can be recognized by a salt starting with $1$. Current distributions go further and use SHA-512, recognizable by the $6$ prefix seen in the /etc/shadow output earlier on this page.


datasoft @ datasoft-linux ~$ ./MyCrypt stargate '$1$12'
$1$12$xUIQ4116Us.Q5Osc2Khbm1
datasoft @ datasoft-linux ~$ ./MyCrypt stargate '$1$01'
$1$01$yNs8brjp4b4TEw.v9/IlJ/
datasoft @ datasoft-linux ~$ ./MyCrypt stargate '$1$33'
$1$33$tLh/Ldy2wskdKAJR.Ph4M0
datasoft @ datasoft-linux ~$ ./MyCrypt stargate '$1$42'
$1$42$Hb3nvP0KwHSQ7fQmIlY7R.

The md5 salt can be up to eight characters long. The salt is displayed in /etc/shadow between the second and third $, so never use the password as the salt!


datasoft @ datasoft-linux ~$ ./MyCrypt stargate '$1$stargate'
$1$stargate$qqxoLqiSVNvGr5ybMxEVM1

password defaults

/etc/login.defs

The /etc/login.defs file contains some default settings for user passwords like password aging and length settings. (You will also find the numerical limits of user ids and group ids and whether or not a home directory should be created by default).


datasoft @ datasoft-linux ~$ grep -i pass /etc/login.defs
# Password aging controls:
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
...

chage

The chage command can be used to set an expiration date for a user account (-E), set a minimum (-m) and maximum (-M) password age, a password expiration date, and the number of warning days before the password expiration date (-W). Much of this functionality is also available from the passwd command. The -l option of chage will list these settings for a user.

disabling a password

Passwords in /etc/shadow cannot begin with an exclamation mark. When the second field in /etc/shadow starts with an exclamation mark, then the password can not be used.

Using this feature is often called locking, disabling, or suspending a user account. Besides vi (or vipw) you can also accomplish this with usermod.

The first line in the next screenshot disables the password of user subho, making it impossible for harry to authenticate using this password.

The root user (and users who may run su through sudo) will still be able to su to harry, because no password is needed there. Also note that harry will still be able to log in if he has set up passwordless (key-based) ssh!


datasoft @ datasoft-linux /$ sudo usermod -L psr
datasoft @ datasoft-linux /$ sudo su psr
psr@datasoft-linux:/$

You can unlock the account again with usermod -U.

Watch out for tiny differences in the command line options of passwd, usermod, and useradd on different distributions! Verify the local files when using features like "disabling, suspending, or locking" users and passwords.
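The following script is an added example, not code from the page. It parses lines in the nine-column /etc/shadow format and reports the conditions the sections above describe: an empty password field (what passwd -d leaves behind), a leading ! (what usermod -L adds), a DES or MD5 hash instead of the stronger SHA-512 ($6$) format from the crypt section, and a password older than the account's maximum age in the fifth field (the per-user counterpart of PASS_MAX_DAYS in /etc/login.defs and chage -M). The sample lines are constructed: the $6$ hashes are placeholders, the $1$ and 13-character hashes are the stargate examples from the crypt section, and the account names stale and legacy as well as the "today" value 16330 are made up for the run.

```shell
#!/bin/sh
# Added example: audit /etc/shadow-style lines for the conditions described
# on this page. Sample is constructed; PLACEHOLDERHASH is not a real hash.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:16300:0:99999:7:::
datasoft:$1$12$xUIQ4116Us.Q5Osc2Khbm1:16000:0:99999:7:::
psr:!:16300:0:99999:7:::
venus:!$6$saltsalt$PLACEHOLDERHASH:16300:0:99999:7:::
serena::16300:0:99999:7:::
stale:$6$saltsalt$PLACEHOLDERHASH:16000:0:90:7:::
legacy:poTPZHPnIoGyg:16300:0:99999:7:::'

# Classify the second (password) field of a shadow line.
hash_kind() {
    case "$1" in
        "")         echo empty ;;     # no password at all (passwd -d)
        "!"*|"*"*)  echo locked ;;    # usermod -L / passwd -l, or never set
        '$1$'*)     echo md5 ;;
        '$5$'*)     echo sha256 ;;
        '$6$'*)     echo sha512 ;;
        '$y$'*)     echo yescrypt ;;
        *)  if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Read shadow lines from stdin. $1 is "today" as days since 1 January 1970
# (passed in so a run is reproducible). Prints one line per account:
#   user kind age-in-days flag
shadow_audit() {
    today=$1
    while IFS=: read -r user hash lastchg minage maxage warn inact expire reserved; do
        kind=$(hash_kind "$hash")
        age=$((today - ${lastchg:-$today}))
        flag=ok
        case "$kind" in
            empty)    flag=NO_PASSWORD ;;   # anyone can log in as this user
            des|md5)  flag=WEAK_HASH ;;     # crackable formats, see crypt section
        esac
        # Field 5 is the maximum age; 99999 effectively means "never expires".
        if [ "$flag" = ok ] && [ "$kind" != locked ] && [ "$age" -gt "${maxage:-99999}" ]; then
            flag=EXPIRED
        fi
        printf '%s %s %s %s\n' "$user" "$kind" "$age" "$flag"
    done
}

# Number of audit lines that need attention (anything not flagged "ok").
findings() {
    awk '$4 != "ok"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 16330
```

Against a real system the file is readable only by root, so the input comes from `sudo cat /etc/shadow`, and today's day number is `$(( $(date +%s) / 86400 ))`, the same unit the third field uses.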

editing local files

If you still want to manually edit the /etc/passwd or /etc/shadow, after knowing these commands for password management, then use vipw instead of vi(m) directly. The vipw tool will do proper locking of the file.


ritwik@ritwik-pc:~$ sudo vipw

home directories

creating home directories

The easiest way to create a home directory is to supply the -m option with useradd (it is likely set as a default option on Linux).

A less easy way is to create a home directory manually with mkdir which also requires setting the owner and the permissions on the directory with chmod and chown (both commands are discussed in detail in another chapter).


datasoft @ datasoft-linux /home$ sudo mkdir /home/subho
datasoft @ datasoft-linux /home$ sudo chown subho:subho /home/subho
datasoft @ datasoft-linux /home$ sudo chmod 700 /home/subho
datasoft @ datasoft-linux /home$ ls -ld /home/subho/
drwx------ 2 subho subho 4096 Aug 19 17:04 /home/subho/

/etc/skel/

When using useradd with the -m option, the /etc/skel/ directory is copied to the newly created home directory. The /etc/skel/ directory contains some (usually hidden) files that contain profile settings and default values for applications. In this way /etc/skel/ serves as a default home directory and as a default user profile.


datasoft @ datasoft-linux /home$ ls -la /etc/skel/
total 40
drwxr-xr-x   2 root root  4096 Apr 17 06:56 .
drwxr-xr-x 132 root root 12288 Aug 19 17:06 ..
-rw-r--r--   1 root root   220 Apr  9 06:33 .bash_logout
-rw-r--r--   1 root root  3637 Apr  9 06:33 .bashrc
-rw-r--r--   1 root root  8980 Oct  4  2013 examples.desktop
-rw-r--r--   1 root root   675 Apr  9 06:33 .profile

deleting home directories

The -r option of userdel will make sure that the home directory is deleted together with the user account.

user shell

login shell

The /etc/passwd file specifies the login shell for the user. In the screenshot below you can see that user annelies will log in with the /bin/bash shell and user subho with the /bin/ksh shell.


datasoft @ datasoft-linux /home$ tail -2 /etc/passwd
mohamed:x:1003:1003::/home/mohamed:
subho:x:1004:1004::/home/subho:

You can use the usermod command to change the shell for a user.


datasoft @ datasoft-linux /home$ sudo usermod -s /bin/bash subho
datasoft @ datasoft-linux /home$ tail /etc/passwd
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
datasoft:x:1000:1000:datasoft,,,:/home/datasoft:/bin/bash
psr:x:1001:1001:wizard:/home/psr:
saha:x:1002:1002::/home/saha:
mohamed:x:1003:1003::/home/mohamed:
subho:x:1004:1004::/home/subho:/bin/bash

chsh

Users can change their login shell with the chsh command. First, user subho obtains a list of available shells (he could also have done a cat /etc/shells) and then changes his login shell to the Korn shell (/bin/ksh). At the next login, subho will default into ksh instead of bash.

switch users with su

su to another user

The su command allows a user to run a shell as another user.


datasoft @ datasoft-linux /home$ su subho
Password:
datasoft @ datasoft-linux /home$

su to root

Yes you can also su to become root, when you know the root password.


datasoft @ datasoft-linux /home$ su root
Password:
datasoft @ datasoft-linux /home$

su as root

Unless you are logged in as root, running a shell as another user requires that you know the password of that user. The root user can become any user without knowing the user's password.

su - $username

By default, the su command maintains the same shell environment. To become another user and also get the target user's environment, issue the su - command followed by the target username.

su -

When no username is provided to su or su -, the command will assume root is the target.

run a program as another user

about sudo

The sudo program allows a user to start a program with the credentials of another user. Before this works, the system administrator has to set up the /etc/sudoers file. This can be useful to delegate administrative tasks to another user (without giving the root password).

The screenshot below shows the usage of sudo. User paul received the right to run useradd with the credentials of root. This allows paul to create new users on the system without becoming root and without knowing the root password.

setuid on sudo

The sudo binary has the setuid bit set, so any user can run it with the effective userid of root.

visudo

Check the man page of visudo before playing with the /etc/sudoers file.
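As an added example (not from the page and not from the sudo project), here is how the delegation described above, user paul allowed to run useradd with the credentials of root, is written as a sudoers fragment and checked with visudo -c before it is installed. The drop-in directory /etc/sudoers.d, the file name paul-useradd and the path /usr/sbin/useradd are assumptions about the target system.

```shell
#!/bin/sh
# Added example, not from the page: express "paul may run useradd as root"
# as a sudoers fragment, validate it with "visudo -c -f" before it is
# installed, and only then install it. Assumptions: the distribution reads
# /etc/sudoers.d and useradd lives at /usr/sbin/useradd.

# Write "user ALL=(root) /path/to/command" into file $3 and print the file
# name. Only that one command is delegated and there is no NOPASSWD, so
# the user still types his own password and gets no root shell from it.
write_delegation() {
    user=$1; cmd=$2; file=$3
    case "$cmd" in
        /*) ;;   # absolute path: sudo matches this binary, not whatever is on PATH
        *)  echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    printf '%s ALL=(root) %s\n' "$user" "$cmd" > "$file" || return 1
    chmod 0440 "$file"    # the mode sudo expects for sudoers files
    printf '%s\n' "$file"
}

# Syntax-check a fragment in place without touching /etc/sudoers.
# Returns visudo's status, or 0 with a notice when visudo is not installed.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    else
        echo "visudo not available here; syntax not checked" >&2
    fi
}

# Stand-alone run: build the fragment in a temporary file and check it.
tmp=$(mktemp)
frag=$(write_delegation paul /usr/sbin/useradd "$tmp")
cat "$frag"
if check_fragment "$frag"; then
    echo "fragment OK; install it as root with:"
    echo "  install -o root -g root -m 0440 $frag /etc/sudoers.d/paul-useradd"
else
    echo "fragment rejected by visudo; do not install it" >&2
fi
rm -f "$tmp"
```

Once the file is installed, root can confirm the effective rights with `sudo -l -U paul`. Delegating useradd is still a powerful right, since the delegate can create accounts with any settings, so review such a rule as carefully as a full root grant.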

sudo su

On some Linux systems like Ubuntu and Kubuntu, the root user does not have a password set. This means that it is not possible to login as root (extra security). To perform tasks as root, the first user is given all sudo rights via the /etc/sudoers. In fact all users that are members of the admin group can use sudo to run all commands as root.

The end result of this is that the user can type sudo su - and become root without having to enter the root password. The sudo command does require you to enter your own password. Thus the password prompt in the screenshot below is for sudo, not for su.

Exercise, Practice and Solution:

1. Create the users Serena Williams, Venus Williams and Justine Henin, all of them with password set to stargate, with username (lower case!) as their first name and their full name in the comment. Verify that the users and their home directory are properly created.

Code:

useradd -m -c "Serena Williams" serena ; passwd serena
useradd -m -c "Venus Williams" venus ; passwd venus
useradd -m -c "Justine Henin" justine ; passwd justine
tail /etc/passwd ; tail /etc/shadow ; ls /home
Keep user logon names in lowercase!

2. Create a user called kornuser, give him the Korn shell (/bin/ksh) as his default shell. Log on with this user (on a command line or in a tty).

Code:

useradd -s /bin/ksh kornuser ; passwd kornuser

3. Create a user named einstime without home directory, give him /bin/date as his default logon shell. What happens when you log on with this user ? Can you think of a useful real world example for changing a user's login shell to an application ?

Code:

useradd -s /bin/date einstime ; passwd einstime

4. Try the commands who, whoami, who am i, w, id, echo $USER $UID .

Code:

who ; whoami ; who am i ; w ; id ; echo $USER $UID 

5. Lock the venus user account with usermod.

Code:

usermod -L venus

6. Use passwd -d to disable the serena password. Verify the serena line in /etc/shadow before and after disabling.

Code:

grep serena /etc/shadow; passwd -d serena ; grep serena /etc/shadow

7. What is the difference between locking a user account and disabling a user account's password ?

Code:

Locking will prevent the user from logging on to the system with his password (by putting
a ! in front of the password in /etc/shadow). Disabling with passwd will erase the password
from /etc/shadow.

8. As root change the password of einstime to stargate.

Code:

Log on as root and type: passwd einstime

9. Now try changing the password of serena to serena as serena.

Code:

log on as serena, then execute: passwd serena... it should fail!

10. Make sure every new user needs to change his password every 10 days.

Code:

For an existing user: chage -M 10 serena
For all new users: vi /etc/login.defs (and change PASS_MAX_DAYS to 10)

11. Set the warning number of days to four for the kornuser.

Code:

chage -W 4 kornuser

12. Set the password of two separate users to stargate. Look at the encrypted stargate's in /etc/shadow and explain.

Code:

If you used passwd, then the salt will be different for the two encrypted passwords.

13. Take a backup as root of /etc/shadow. Use vi to copy an encrypted stargate to another user. Can this other user now log on with stargate as a password ?

Code:

Yes.

14. Put a file in the skeleton directory and check whether it is copied to user's home directory. When is the skeleton directory copied ?

Code:

When you create a user account with a new home directory.

15. Why use vipw instead of vi ? What could be the problem when using vi or vim ?

Code:

vipw will give a warning when someone else is already using
that file.

16. Use chsh to list all shells and compare to cat /etc/shells. Change your login shell to the Korn shell, log out and back in. Now change back to bash.

Code:

On Red Hat Enterprise Linux: chsh -l
On Debian/Ubuntu: cat /etc/shells

17. Which useradd option allows you to name a home directory ?.

Code:

-d

18. How can you see whether the password of user harry is locked or unlocked ? Give a solution with grep and a solution with passwd.

Code:

grep harry /etc/shadow
passwd -S harry
