
User Accounts: Part 2


Groups

A group consists of users. Groups are common in computer systems in general, and also in frameworks, software and databases. The notion of groups lets us set permissions on the group as a whole: when a new user is created we assign the user to a group and the permissions follow automatically; otherwise we would have to assign permissions to each user individually. On the hills server we can see how many users there are.

[amittal@hills ~]$ cat /etc/passwd  | wc -l
10721
[amittal@hills ~]$
 


It's true that many of these users might be old accounts that have expired, but there are still quite a few users. The file that contains groups is "/etc/group". My entry in the group file is as follows:

[amittal@hills ~]$ groups
csdept
[amittal@hills ~]$ cat /etc/group | grep "csdept"
csdept:x:1258:
[amittal@hills ~]$


From the above entry, the "x" tells us that the password is not being used, and the last field (the member list) is empty. Since no members are listed, all the users that belong to this group have "csdept" as their default group. We can use the "groupadd" command to add a group. We do not have permissions to do this on the hills server.


groupadd [ -r ] [ -g gid ] groupname

The "-r" option creates a system group instead of a user group. A system group is a special-purpose group that can perform certain operations such as backups, granting access to hardware, maintenance, etc. The "-g" option sets the group id. If we do not give a group id then for a user group the command will pick the highest user group id plus one, and for a system group it will pick the highest system group id plus one. We cannot create a group with a name or id that already exists.

root@ajkumar08-PC:/home/ajay# groupadd computerscience
groupadd: group 'computerscience' already exists
root@ajkumar08-PC:/home/ajay# cat /etc/group | grep computerscience
computerscience:x:1003:
root@ajkumar08-PC:/home/ajay# groupadd -g 1003 group1
groupadd: GID '1003' already exists
root@ajkumar08-PC:/home/ajay#


System group ids have lower values than user group ids.


root@ajkumar08-PC:/home/ajay# cat /etc/group

...
pulse-access:x:120:
scanner:x:121:saned,ajay
saned:x:122:
colord:x:123:
geoclue:x:124:
Debian-gdm:x:125:
ajay:x:1000:
systemd-coredump:x:999:
ajay1:x:1001:
student:x:1002:
computerscience:x:1003:
...



From the above, ids such as 1000 and above are user groups, and ids like 120 and 123 are system group ids. What is the cutoff id at which user group ids start?

root@ajkumar08-PC:/home/ajay# cat /etc/login.defs | grep GID_MIN
GID_MIN                  1000
#SYS_GID_MIN              100
root@ajkumar08-PC:/home/ajay#


The cutoff is set by the variable GID_MIN in "/etc/login.defs". The same cutoff applies to user ids also. The command "groupmod" can be used to modify the group information.

groupmod [ -n newgname | -g newgid ] [ -p encryptedpass ] gname



ajay1:x:1001:
student:x:1002:
computerscience:x:1003:

root@ajkumar08-PC:/home/ajay# groupmod -n cs computerscience
root@ajkumar08-PC:/home/ajay# cat /etc/group
...
ajay1:x:1001:
student:x:1002:
cs:x:1003:


The command "groupdel" can be used to delete a group.

groupdel group

This will delete the group. If a user has this group as the default group then the group will not be deleted; in that case we need to delete the user first. Recall from part 1 that we can set a default group when using the command "useradd".

root@ajkumar08-PC:/home/ajay# useradd -g cs user1
root@ajkumar08-PC:/home/ajay# groupdel cs
groupdel: cannot remove the primary group of user 'user1'
root@ajkumar08-PC:/home/ajay# userdel user1
root@ajkumar08-PC:/home/ajay# groupdel cs


Recall that a file has an owner and a group. We need to be careful about the files that a user may have created before deleting the user. The file will still exist and refer to the user id and group id (not the names). If a new user or group is later created with that id, the file's owner or group effectively becomes the new user or group.


root@ajkumar08-PC:/home/ajay# groupadd cs
root@ajkumar08-PC:/home/ajay# cat /etc/group | grep "cs"
cs:x:1003:
root@ajkumar08-PC:/home/ajay# useradd -g cs user2
root@ajkumar08-PC:/home/ajay# cat /etc/passwd | grep "user2"
user2:x:1004:1003::/home/user2:/bin/sh

We have created a "user2" with an id of 1004 who belongs to a group "cs" with an id of 1003.

We create a home directory for our new user.

root@ajkumar08-PC:/home# ls -l
total 16
drwxr-xr-x 20 ajay ajay 4096 Feb 21 04:38 ajay
drwxr-xr-x  2 root root 4096 Feb 25 07:45 ajay1
drwxr-xr-x  2 root root 4096 Feb 25 21:29 student
drwxr-xr-x  2 root root 4096 Mar  3 19:51 user2

Notice that the user and group of the user2 directory are "root" and "root", so we change them with the commands "chown" and "chgrp".

root@ajkumar08-PC:/home# chown user2 user2
root@ajkumar08-PC:/home# chgrp cs user2
root@ajkumar08-PC:/home# ls -l
total 16
drwxr-xr-x 20 ajay  ajay 4096 Feb 21 04:38 ajay
drwxr-xr-x  2 root  root 4096 Feb 25 07:45 ajay1
drwxr-xr-x  2 root  root 4096 Feb 25 21:29 student
drwxr-xr-x  2 user2 cs   4096 Mar  3 19:51 user2

We log in as "user2" and create a file "1.txt". As expected we see the owner as "user2" and the group as "cs".

root@ajkumar08-PC:/home/user2# ls -l
total 0
-rw-r--r-- 1 user2 cs 0 Mar  3 19:52 1.txt

We delete the user.

root@ajkumar08-PC:/home/user2# userdel user2
root@ajkumar08-PC:/home/user2# ls -l
total 0
-rw-r--r-- 1 1004 cs 0 Mar  3 19:52 1.txt

We delete the group.

root@ajkumar08-PC:/home/user2# groupdel cs
root@ajkumar08-PC:/home/user2# ls -l
total 0
-rw-r--r-- 1 1004 1003 0 Mar  3 19:52 1.txt

The owner has an id of 1004 and the group id is 1003. No current user or group has these ids.
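The orphaned ownership shown above is the thing to audit for before ids are handed out again. The following is an added example, not code from the page: it reads constructed /etc/passwd and /etc/group text plus a constructed file listing (the uid/gid numbers "ls -ln" would print) and reports files with no matching account or group, and which of them an account created later with a given uid would silently own.

```python
"""Find files whose owner or group no longer exists, and what a reused id would
inherit (added example, not the page's code; all inputs are constructed)."""

def id_to_name(text):
    """Numeric id -> name from /etc/passwd or /etc/group formatted text."""
    names = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) > 2:
            names[int(f[2])] = f[0]
    return names

# Constructed snapshot after the page's "userdel user2" and "groupdel cs".
PASSWD = """root:x:0:0:root:/root:/bin/bash
ajay:x:1000:1000::/home/ajay:/bin/bash"""
GROUP = """root:x:0:
ajay:x:1000:"""
# (path, uid, gid) as "ls -ln" would print them; constructed.
FILES = [("/home/user2/1.txt", 1004, 1003), ("/home/ajay/notes.txt", 1000, 1000)]

def orphaned(files, passwd_text, group_text):
    """Files whose uid or gid no longer maps to an account or group."""
    users, groups = id_to_name(passwd_text), id_to_name(group_text)
    return [(p, u, g) for p, u, g in files if u not in users or g not in groups]

def inherited_by(new_uid, files, passwd_text):
    """Files that an account created later with new_uid would own outright."""
    users = id_to_name(passwd_text)
    return [p for p, u, _ in files if u == new_uid and u not in users]

if __name__ == "__main__":
    for path, uid, gid in orphaned(FILES, PASSWD, GROUP):
        print(f"orphaned: {path} uid={uid} gid={gid}")
    # A later useradd without -u can hand out 1004 again (the deleted user2's
    # id); reassign or remove orphaned files before that happens.
    print("a new uid 1004 account would own", inherited_by(1004, FILES, PASSWD))
```

On a live system, `find / -xdev -nouser -o -nogroup` produces the same list directly from the file system.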



Group Administration

Linux has a feature that lets a normal user act as a group administrator. The group administrator can add or remove users.

The group is created as usual with the "groupadd" command.

root@ajkumar08-PC:/home# groupadd project1
root@ajkumar08-PC:/home# cat /etc/group | grep project1
project1:x:1003:

We now create 3 users; the "project1Admin" user will manage the addition and removal of users in the group project1.

root@ajkumar08-PC:/home# useradd -g 1003 project1Admin
root@ajkumar08-PC:/home# useradd -g 1003 user1
root@ajkumar08-PC:/home# useradd -g 1003 user2
root@ajkumar08-PC:/home# mkdir project1
root@ajkumar08-PC:/home# ls -l
total 20
drwxr-xr-x 20 ajay  ajay     4096 Feb 21 04:38 ajay
drwxr-xr-x  2 root  root     4096 Feb 25 07:45 ajay1
drwxr-xr-x  2 root  root     4096 Mar  3 20:54 project1
drwxr-xr-x  2 root  root     4096 Feb 25 21:29 student
drwxr-xr-x  2 user1 project1 4096 Mar  3 19:52 user2
drwxr-xr-x  2 user1 project1 4096 Mar  3 19:52 user1
root@ajkumar08-PC:/home#


root@ajkumar08-PC:/home# chgrp project1 project1
root@ajkumar08-PC:/home# ls -l
total 20
drwxr-xr-x 20 ajay  ajay     4096 Feb 21 04:38 ajay
drwxr-xr-x  2 root  root     4096 Feb 25 07:45 ajay1
drwxr-xr-x  2 root  project1 4096 Mar  3 20:54 project1
drwxr-xr-x  2 root  root     4096 Feb 25 21:29 student
drwxr-xr-x  2 user1 project1 4096 Mar  3 19:52 user2

root@ajkumar08-PC:/home# su project1Admin
$ gpasswd -a user1 project1Admin
gpasswd: group 'project1Admin' does not exist in /etc/group
$ gpasswd -a user1 project1
Adding user user1 to group project1
$ gpasswd -a user2 project2
gpasswd: group 'project2' does not exist in /etc/group
$ gpasswd -a user2 project1
Adding user user2 to group project1
$

The users user1 and user2 have been added to the group project1.

$ cat /etc/group | grep project1
project1:x:1003:user1,user2

root@ajkumar08-PC:/home# chmod 770 project1
root@ajkumar08-PC:/home# ls -l
total 20
drwxr-xr-x 20 ajay  ajay     4096 Feb 21 04:38 ajay
drwxr-xr-x  2 root  root     4096 Feb 25 07:45 ajay1
drwxrwx---  2 root  project1 4096 Mar  3 20:54 project1
drwxr-xr-x  2 root  root     4096 Feb 25 21:29 student
drwxr-xr-x  2 user1 project1 4096 Mar  3 19:52 user2

Now log in as "user1" and we can access the project1 folder.

root@ajkumar08-PC:/home# su user1
$ pwd
/home
$ cd project1
$ date > 1.txt
$ ls -l
total 4
-rw-r--r-- 1 user1 project1 32 Mar  4 07:19 1.txt


su

We have been using the "su" command in the sections above. "su" stands for switch user and lets us log in as a different user. This is useful if we want to execute commands for which we do not have permissions.

Without any options su assumes we want to switch to the root user.

ajay@ajkumar08-PC:~$ su
Password:
root@ajkumar08-PC:/home/ajay#

Confirm that with the "whoami" command.

root@ajkumar08-PC:/home/ajay# whoami
root

The "-" option changes the user, but the new shell is similar to what we would have if we had actually logged in as that user; for example, the environment variables of the old user are cleared.

ajay@ajkumar08-PC:~$ su - root
Password:
root@ajkumar08-PC:~#

When using "su" as root we do not have to provide a password.

root@ajkumar08-PC:~# su ajay1
$
$

We can use the "-c" option to run a single command as the new user without changing shells.

ajay@ajkumar08-PC:~$ su -c ps
Password:
  PID TTY          TIME CMD
10191 pts/1    00:00:00 su
10192 pts/1    00:00:00 ps
ajay@ajkumar08-PC:~$




sudo

The problem with su is that we need to give the root password to users. The root user can do anything, so a user can easily bring down the whole system.

An alternative is to use the sudo command. We can add trusted users to the sudo group (we need to be root in order to do this). Then the user can run a command by prefixing it with the word "sudo" and will be asked for his/her own password. The command is then executed.


The user "ajay" does not have permissions to run the fdisk command.

ajay@ajkumar08-PC:~$ fdisk /dev/sdb1

Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

fdisk: cannot open /dev/sdb1: Permission denied

We su into root and add ajay to the sudo group.

root@ajkumar08-PC:/home/ajay# usermod -aG sudo ajay

Verify that the group has been added.

root@ajkumar08-PC:/home/ajay# groups ajay
ajay : ajay cdrom floppy sudo audio dip video plugdev netdev
bluetooth lpadmin scanner
root@ajkumar08-PC:/home/ajay#


root@ajkumar08-PC:/home/ajay# exit
exit

Run "fdisk" again with sudo in front of it.

ajay@ajkumar08-PC:~$ sudo fdisk /dev/sdb1

Welcome to fdisk (util-linux 2.36.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.



This is one way of granting a user sudo access. Another way involves the "/etc/sudoers" file. Before trying it we remove ajay from the sudo group again.



root@ajkumar08-PC:/home/ajay#  gpasswd --delete ajay sudo
Removing user ajay from group sudo
root@ajkumar08-PC:/home/ajay#

We can



We can modify the file "/etc/sudoers" using a special editor called "visudo", which checks the file for syntax errors before saving it. Let's see the contents of this file:


root@ajkumar08-PC:/etc# cat sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d



The line
Defaults env_reset

resets the environment variables
ajay ALL=(ALL:ALL) ALL
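Two checks a defender wants after the Group Administration section and the sudoers file above: who effectively belongs to a group (the page's "useradd -g" users are members through their primary gid and never appear in /etc/group's member list, so grep alone misses them), who may administer it, and therefore which accounts the "%sudo ALL=(ALL:ALL) ALL" rule lets become root. This is an added example, not code from the page; it parses constructed passwd, group, gshadow and sudoers text, and assumes the page's administrator was delegated with "gpasswd -A project1Admin project1" (a step the page does not show), which fills the third field of /etc/gshadow.

```python
"""Effective group membership, group admins and sudo exposure (added example,
not the page's code). Input is constructed text in the /etc/passwd, /etc/group,
/etc/gshadow and sudoers formats shown above; the gshadow admin field assumes
the page's admin was delegated with "gpasswd -A project1Admin project1"."""
import re

PASSWD = """root:x:0:0:root:/root:/bin/bash
ajay:x:1000:1000::/home/ajay:/bin/bash
project1Admin:x:1004:1003::/home/project1Admin:/bin/sh
user1:x:1005:1003::/home/user1:/bin/sh"""
GROUP = """root:x:0:
sudo:x:27:ajay
project1:x:1003:user1"""
GSHADOW = "project1:!:project1Admin:user1\n"
SUDOERS = """Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL"""
# Only the plain "who ALL=(ALL:ALL) ALL" rule form used on the page; no aliases.
ROOT_RULE = re.compile(r"^(%?[\w.-]+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+ALL$")

def table(text):
    """Colon-separated lines keyed by their first field (name)."""
    return {l.split(":")[0]: l.split(":") for l in text.splitlines() if l}

def effective_members(group, group_text, passwd_text):
    """Listed members plus users whose primary gid is the group's (useradd -g)."""
    g = table(group_text).get(group)
    if g is None:
        return []
    names = {n for n in g[3].split(",") if n}
    names |= {p[0] for p in table(passwd_text).values() if p[3] == g[2]}
    return sorted(names)

def group_admins(group, gshadow_text):
    """Users allowed to run gpasswd -a/-d on the group (gshadow field 3)."""
    g = table(gshadow_text).get(group)
    return [n for n in g[2].split(",") if n] if g else []

def sudo_root_users(sudoers_text, group_text, passwd_text):
    """Accounts able to run any command as root via the rule form above."""
    users = set()
    for line in sudoers_text.splitlines():
        m = ROOT_RULE.match(line.strip())
        if m and m.group(1).startswith("%"):
            users.update(effective_members(m.group(1)[1:], group_text, passwd_text))
        elif m:
            users.add(m.group(1))
    return sorted(users)
```

Running the same functions over the real files (as root, since /etc/gshadow is not world-readable) gives the list to compare against who is supposed to hold each right.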