Managing users and groups is a fundamental aspect of system administration in Linux, ensuring that access control and permissions are properly maintained. This article will cover the essential concepts of users and groups, gaining superuser access, managing local user accounts, managing local group accounts, and managing user passwords. We will also touch upon password hashing concepts, login policy configurations, tools like chage, and managing password restrictions with pwquality.
Users and Groups Concepts
Users
In Linux, a user is an entity that can perform actions on the system. Each user has a unique user ID (UID) and is associated with a home directory, shell, and other configurations stored in /etc/passwd.
Groups
A group is a collection of users, defined to manage permissions collectively. Each group has a unique group ID (GID) and is listed in /etc/group. Users can belong to multiple groups.
Gaining Superuser Access with sudo
To perform administrative tasks, you need superuser (root) privileges. Instead of logging in as the root user, it’s recommended to use the sudo command to temporarily elevate your privileges.
# To gain root access
sudo -i
# To execute a single command with root privileges
sudo command
Manage Local User Accounts
- Adding a User: To add a new user, use the useradd command followed by passwd to set the password.
# Add a new user named 'exampleuser'
sudo useradd exampleuser
# Set the password for 'exampleuser'
sudo passwd exampleuser
Changing password for user exampleuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
- Modifying a User: The usermod command is used to modify existing user accounts.
# Change the home directory of 'exampleuser' (add -m to move the existing contents)
sudo usermod -d /home/new_home exampleuser
# Add 'exampleuser' to an additional group
sudo usermod -aG groupname exampleuser
- Deleting a User: To delete a user and their home directory, use the userdel command with the -r option.
# Delete 'exampleuser' and their home directory
sudo userdel -r exampleuser
Manage Local Group Accounts
- Adding a Group: To add a new group, use the groupadd command.
# Add a new group named 'examplegroup'
sudo groupadd examplegroup
- Modifying a Group: The groupmod command is used to modify existing groups.
# Change the name of 'examplegroup' to 'newgroupname'
sudo groupmod -n newgroupname examplegroup
- Deleting a Group: To delete a group, use the groupdel command.
# Delete 'examplegroup'
sudo groupdel examplegroup
Manage User Passwords
Password Hashing
Passwords in Linux are hashed and stored in /etc/shadow. Common hashing algorithms include MD5, SHA-256, and SHA-512.
# Generate a SHA-512 hashed password
openssl passwd -6
Password Policies
Password policies are crucial for enforcing security standards and ensuring that users create strong passwords. These policies can be configured in /etc/login.defs and managed with tools like pwquality.
- Configuring Password Policies in /etc/login.defs: The /etc/login.defs file defines the configuration for various aspects of user account creation, including password policies.
# Example of /etc/login.defs settings
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 7
- Using chage for Password Aging: The chage command manages user password expiry and aging. It can be used to set password expiry dates, minimum and maximum age, and more.
# Display password expiry information for 'exampleuser'
sudo chage -l exampleuser
# Set the maximum password age to 30 days for 'exampleuser' (the password must then be changed)
sudo chage -M 30 exampleuser
# Set minimum number of days between password changes to 7 for 'exampleuser'
sudo chage -m 7 exampleuser
# Set number of days warning before password expiry to 10 for 'exampleuser'
sudo chage -W 10 exampleuser
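The hashing and aging material above can be checked in one pass. The following audit script is an added example, not code from the original article: it reads a shadow-format file, classifies each account's hash by its crypt(3) prefix, and flags accounts whose maximum password age (field 5, the value chage -M sets) exceeds the PASS_MAX_DAYS policy. The sample shadow lines and hash values are constructed placeholders.

```shell
# Audit a shadow-format file for weak or empty hashes and for per-account
# maximum ages above PASS_MAX_DAYS. On a real system: audit_shadow /etc/shadow 90
audit_shadow() {
    file=$1
    policy_max=${2:-90}            # PASS_MAX_DAYS from /etc/login.defs
    awk -F: -v policy="$policy_max" '
        NF < 9 { next }                      # skip malformed lines
        {
            user = $1; hash = $2; maxage = $5
            pfx = substr(hash, 1, 3)         # crypt(3) scheme identifier
            if      (hash == "")          kind = "EMPTY"
            else if (hash ~ /^[!*]/)      kind = "locked"
            else if (pfx == "$1$")        kind = "MD5 (weak)"
            else if (pfx == "$5$")        kind = "SHA-256"
            else if (pfx == "$6$")        kind = "SHA-512"
            else if (pfx == "$y$")        kind = "yescrypt"
            else if (substr(hash,1,1) == "$") kind = "unknown scheme"
            else                          kind = "legacy DES (weak)"
            printf "%s: hash=%s", user, kind
            # aging only matters for accounts that can log in with a password
            if (hash != "" && hash !~ /^[!*]/) {
                if (maxage == "" || maxage + 0 > policy + 0)
                    printf " aging=NON-COMPLIANT (max=%s, policy=%s)", (maxage == "" ? "unset" : maxage), policy
                else
                    printf " aging=ok (max=%s)", maxage
            }
            printf "\n"
        }' "$file"
}

# Constructed sample in /etc/shadow layout; hash bodies are placeholders
write_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$6$saltsalt$placeholderhash:19700:7:90:14:::
bob:$1$salt$placeholder:19000:0:99999:7:::
carol:!!:19700:0:99999:7:::
dave::19700:0:99999:7:::
erin:$y$j9T$salt$placeholder:19700:1:60:7:::
EOF
}

# Demo run against the constructed sample
sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow "$sample" 90
rm -f "$sample"
```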
Enforcing Password Quality with pwquality
The pwquality module enforces password quality requirements, ensuring users create strong passwords that adhere to your security policies. The configuration file for pwquality is /etc/security/pwquality.conf.
- Installing libpwquality: First, ensure that the libpwquality package is installed:
sudo dnf install libpwquality
- Configuring pwquality: Edit the /etc/security/pwquality.conf file to set your password quality requirements:
# /etc/security/pwquality.conf
minlen = 12 # Minimum password length
dcredit = -1 # Require at least one digit
ucredit = -1 # Require at least one uppercase letter
lcredit = -1 # Require at least one lowercase letter
ocredit = -1 # Require at least one special character
maxrepeat = 3 # Maximum number of times the same character may appear consecutively
maxclassrepeat = 3 # Maximum number of consecutive characters of the same class
With the above configuration, users must create passwords that are at least 12 characters long and include at least one digit, one uppercase letter, one lowercase letter, and one special character. Additionally, the same character cannot appear more than three times in a row, and no character class can repeat more than three times consecutively.
Examples and Best Practices
Adding a New User with Default Settings
sudo useradd -m -s /bin/bash newuser
sudo passwd newuser
Adding a User to Multiple Groups
sudo usermod -aG group1,group2 newuser
Setting Password Expiration Policy
sudo chage -M 60 -m 7 -W 10 newuser
Configuring Strong Password Policies
Edit /etc/login.defs:
PASS_MAX_DAYS 60
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
Edit /etc/security/pwquality.conf:
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxclassrepeat = 3
Proper management of users and groups is critical for system security and efficiency in Linux. By understanding and implementing the concepts discussed, you can ensure that your system is secure and that users have appropriate access. Regularly reviewing and updating password policies, managing user accounts, configuring group permissions, and enforcing strong password quality will help maintain a well-organized and secure system.