Configuring user and group accounts

SM1: Open-source Operating Systems

ASIX/DAW/DAM-1

Task A5: Managing users and grups accounts on Linux

20-11-23

Task A5: Managing users and groups accounts on Linux

1- Deadline: 3-12-2023
2- Send your report as a PDF file attached to an e-mail with the following specifications:
    a) E-mail address: cf(at)collados.org or jordi.binefa(at)fje.edu depending who is your teacher
    b) File Name:
        b.1) ASIX1:
            asix1_surname_name_sm1act05.odt
            asix1_surname_name_sm1act05.pdf
        b2.) DAW1:
            daw1_surname_name_sm1act05.odt
            daw1_surname_name_sm1act05.pdf
     c) Subject:
         c.1) ASIX1: asix1_surname_name_sm1act05
       c.2) DAW1: daw1_surname_name_sm1act05
3- Make this report individually.
4- Left, right, top and bottom margins: 2cm.
5- Character format: a) Font:Arial, b) Size: 10, c) Questions typeface: Bold, d) Answers typeface: Regular.

DOCUMENTATION

1- Introduction

On Linux:
* A user is a real person or program which can access to some resources of a computer such as folders, files, programs, hardware and so on.
* A group is a collection of users. Groups are used as a basis for determining file access permissions. It depends on your groups membership that you will be able to access or not to certain folders, files, hardware, databases and so on.

In order to define properly a new user, you must provide to the system some basic information. A system user will need:
a) A username
b) Usually, an encrypted password
c) Most times (but it is not mandatory), a personal home directory where the user can store his/her/its personal data and personal configuration files and enviroment variables.
d) A numerical value called User IDentifier or UID associated with the username. The user will be identified by the system thanks to its UID rather than its username.
e) A default group. A user must be member of one or more groups. If a user is member of just one group, that group will be its default group. The group name must exist. Instead of a group name, you can write the unique number that identifies the group.
f) A default shell, usually /bin/bash.
g) Another additional characteristics like comments, expiry date, additional groups memberships and so on.
h) User environment variables. This variables are a tool to customize how the user interacts with the system. The value of an environment variable can for example be the location of all executable files in the file system, the default editor or browser that should be used, default language, colors used in the terminal, location of some personal configuration files and folders,.....
i) An entry in files /etc/passwd and /etc/shadow where the vast majority of this information about the user is stored.

In order to define properly a new group, you must provide to the system some basic information. A system group will need:
a) A group name.
b) A numerical value called Group IDentifier or GID associated with the group name. The group will be identified by the system thanks to its GID rather than its group name.
c) Users which are member of that group.
h) An entry in files /etc/group and /etc/gshadow where all this information about the group is stored.

In order to configure and manage system users and groups, the Linux operating provides you with a set of command-line utilities: a) useradd adds a new user account to the system, b) userdel deletes a user's account, c) usermod modifies a user's account, d) groupadd adds a new group to the system, e) groupdel removes a group and f) groupmod modifies a group.

The purpose of this exercise is:
     a) Firstly, to learn how to manage (add, delete and modify) user and group account on Linux.
     b) Secondly, we will study the main chararacterisitics of system user and groups, and how to modify these characteristics.
     c) Finally, we will study the contents of /etc/passwd, /etc/group and /etc/shadow.

2- mkpasswd

a) Descrition: The command-line utility mkpasswd encrypts a given password. This command is part of a package called whois. You have to install whois in order to install mkpasswd on your system.

b) Synopis: mkpasswd PASSWORD

c) As a result, a encrypted version of PASSWORD will be displayed on screen

d) Example:
linux:~ # mkpasswd FjeClot@20
Ab1VoXikXZ6E2

3- useradd

a) Descrption: The useradd command adds a new user to the system. This command adds a new entry to /etc/passwd and /etc/shadow.

b) Synopsis: useradd   username <options>

c) Important options:
        -u --> The User IDentifier or UID. By default, will be the first free ID after the greatest used one.
        -g --> The group name or number of the user's default group (or primary group). The group name or number must refer to an already existing group. If not specified, the default from /etc/default/useradd is used.
        -d --> This option specifies the user personal directory. If not specified, the default from /etc/default/useradd is used.
      -m --> If it does not exist, the home directory for the new user account will be created.
        -s --> Specify user's login shell. The default for normal user accounts is taken from /etc/default/useradd.
        -k --> The skeleton directory, by default /etc/skel, that contains files and directories to be copied in the user's home directory when the home directory is created by useradd. This option is only valid if the -m option is specified.
        -G --> A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma.
        -p --> Encrypted password as returned by mkpasswd.

d) Example:
If you want to add to the system a new user called tux, with the following characteristics: uid=1001, default group=users, personal directory=/home/tux, default shell=/bin/bash, skeleton directory=/etc/skel, additional groups=adm,sys and password = Clot8Fje@9 , you should run the following single command:

useradd tux -u 1001 -g users -d /home/tux -m -s /bin/bash -k /etc/skel -G adm,sys -p $(mkpasswd Clot8Fje@9)

4- userdel

a) Description: The useradel command deletes an user account.

b) Synopsis 1: userdel username ==> The user will be deleted but not its home folder. Entries in /etc/passwd, /etc/shadow and /etc/group will be deleted. Folder /home/username will not be deleted.

c) Synopsis 2: userdel -r username ==> The user will be deleted and its home folder as well. Entries in /etc/passwd, /etc/shadow and /etc/group will be deleted. Folder /home/username will be deleted.

d) Example: If you want to completely remove the user tux, you should run the following command: userdel -r tux

5- usermod

a) Description: The usermod command modifies an user account.

b) Synopsis: usermod   <options> username

c) Important options:
        -d --> This option specifies the new home directory of the user.
        -g --> The group name or number of the user's new default group.
        -p --> An Encrypted new password.
    -s --> Specifies an user's new login shell.
        -u --> Changes the User IDentifier or UID.
        -a -G --> Adds a user to one or more groups

d) Example 1: The following command changes the UID. The new UID will be 590:
        usermod -u 590 tux

e) Example 2: The following command changes the password. The new password will be ClotFJE@91:
        usermod -p $(mkpasswd ClotFJE@91) tux

f) Example 3: The following command changes the UID and password. The new password will be ClotFJE@91 and the new UID will be 620:
        usermod -p $(master2013) -u 620 tux

g) Example 4: The following command adds a user to a group. A user called tux will be added to a group called teachers if you run:
        usermod -a -G teachers tux

6- groupadd

a) Description: The groupadd command adds a new group. This command adds a new entry to /etc/groups.

b) Synopsis:    groupadd <options> group_name

c) Important options:
        -g --> The Group IDentifier or GID. By default, will be the first free ID after the greatest used one.
        Remember: Last string is the group name.

d) Example: The following command adds a new group called students. The value assigned to GID will be 120.
        groupadd   -g   120 students

7- groupdel

a) Description: The groupdel command deletes a group.

b) Synopsis: groupdel group_name

c) Example: groupdel students

d) Important: A user's default group (also called primary group) is not removeable. Delete the user or modify its primary group if you want to delete that group.

8- groupmod

a) Description: The groupmod command modifies a group using the values specified on the command line.This command modifies an entry in /etc/groups.

b) Synopsis: groupmod   <options> group_name

c) Important options:
        -g --> Changes the Group IDentifier or GID
        -n --> Changes the group name

d) Example 1: The following command changes the GID. The new GID will be 190:
        groupmod -g 190 students

e) Example 2: The following command changes the group_name. The old group name is students.The new group name will be teachers:
        groupmod -n teachers students

9- gpasswd: Removing a user from a group. Adding a user to a group

a) If you are working with Debian or Ubuntu, you can remove a user from a group using the next command: gpasswd -d username group_name

b) If you are working with Debian or Ubuntu, you can add a user to a group using the next command: gpasswd -a username group_name

c) Example 1: The following command adds a user to a group. A new user called teacher02 will be added to a group called teachers if you run:
        gpasswd -a teacher02 teachers

d) Example 2: The following command deletes a user called teacher02 from a group called teachers:
        gpasswd -d teacher02 teachers

NOTE: Read the manual page of gpasswd (run man gpasswd) for any further information about this command.

10- members

a) Description: The members command outputs members of a group.

b) Important: The members command is not installed by default. Run as a root user aptitude install members in order to install members on your system.

b) Synopsis: members -a group_name

c) Example:
        dacomo@debian8:~> members -a sudo
        dacomo
        dacomo@debian8:~>
        The only user member of sudo is dacomo

11- id

a) Description: The id command shows the groups names and identifiers a user is in.

b) Synopsis: id user_name

c) Example:
        dacomo@debian8:~> id dacomo
        uid=1000(dacomo) gid=1000(dacomo) groups=1000(dacomo),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),112(bluetooth),114(lpadmin),117(scanner),994(vboxsf)
        dacomo@debian8:~>

12- User files, groups and user passwords

a) The /etc/passwd file contains information about all system users. Here we find the username, password, UID, home directory, etc.. A typical line in /etc/passwd looks like :

dacomo:x:1000:100::/home/dai1:/bin/bash

Where the system stores a username, a password in plain text or a x if it is encrypted and saved in /etc/shadow special file, the user uid, the gid of the user primary default group, the user home directory and the shell that runs when user connects.

b) The /etc/group file contains information about all system groups. Here we find the group name, group password, GID, and a list of group members. A typical line in /etc/group looks like :

vboxusers:x:122:dacomo,asix,daw

Where the system stores a group name, a password in plain text or a x if it is encrypted and saved in /etc/gshadow special file, the group gid, and a list of group members.

c) For each line of /etc/shadow, there is a username and the encrypted version of its password (and other items that do not concern us now). If the password field contains ! or *, the user will not be able to use a password to log in (but the user may log in the system by other means).

d) For each line of /etc/gshadow, there is a group name and the encrypted version of the group password. Additionally, a list of group members is stored for each group. If the password field contains ! or *, users will not be able to use a password to access the group (but group members do not need the password).

13- How to disable and lock users. How to enable and unlock users

a) You need to use the usermod command to lock and disable a user account.
Exemple: usermod -L -e 1 fje (After running this command, check the state of the entry fje in /etc/shadow)

b) You need to use the usermod command to unlock and enable a user account.
Exemple: usermod -U -e 99999 fje (After running this command, check the state of the entry fje in /etc/shadow)

PRACTICAL EXERCISE

PART I - Working with commands
1- Install a package called whois on your system. This package contains mkpasswd, a command that provides encrypted versions of any given password.

2- Create a group called clot with GID = 2000. Look at changes at /etc/group. Check and show clearly that a new group called clot has been added to your system.

3- Add to the skeleton the following directories: Desktop, Documents, Downloads, Public and Temporal.

4- Create a new user called clot, with the following characteristics:
a) User identifier will be 2000
b) By default is member of the clot group
c) Home directory will be /home/clot
d) The default shell will be the bash program
e) The password (the version with no encryption for the user) will be p47KL#a$
f) Additionally, the new user will be member of vboxsf and cdrom groups
g) /etc/skel will be the skeleton directory for the new user

5- Create a new user called fje, with the following characteristics:
a) User identifier will be 2001
b) By default is member of the users group
c) The Home directory will be /home/fje
d) The default shell will be the bash program,
e) The password (the version with no encryption for the user) will be At5R@JmK
f) Additionally, the new user will be member of the vboxsf and audio groups.
g) /etc/skel will be the skeleton directory for the new user.

6- Do the following tasks:
    a) Look at changes at /etc/passwd and /etc/shadow. Check and show clearly that a new user called clot has been added to your system.
    b) Check that a new directory called /home/clot has been created on your system.
    c) Check the contents of /home/clot.

7- Working on terminal: Become clot. Check now:
a) Show clearly your personal home folder now that you have become the clot user. Has it changed?. Why?
b) Show the groups user clot is in. Is clot member of sudo?. Can run clot commands as a user with root privileges with the help of sudo?. Why?
c) Can create clot a new user?. Why?.

8- Create a new group called students with GID = 200. Look at changes at /etc/group. Check and show clearly that a new group called students has been added to your system.

9- Modify clot UID and change it to 3000. Look at changes at /etc/passwd. Check and show clearly that user clot has been modified.

10- Add clot and fje users to the students group. Look at changes at /etc/group. Check and show clearly that users clot and fje have been added to the grup students.

11- Change clot default group to adm group. Look at changes at /etc/passwd. Check and show clearly that user clot has been modified.

12- Modify students GID and change it to 300. Look at changes at /etc/group. Check and show clearly that group students has been modified.

13- Show members of group students.

14- Modify clot's password. The new password will be tJEpcRom47@

15- Remove clot and fje from students group. Look at changes at /etc/group. Check and show clearly that users clot and fje have been removed from students.

16- Remove clot and his/her home directory. Check and show clearly that:
a) User clot has been removed from /etc/passwd and /etc/shadow.
b) Directory /home/clot has been removed from your system.

17- Remove students and clot. Look at changes at /etc/group. Check and show clearly that students has been removed from your system.

18- Disable and lock the fje user account. Try to gain access to the fje account. What happens?.

19- Enable and unlock the fje user account again. Try to gain access to the fje account. What happens?.

PART II - Checking the effects of being member of a group or not

a) Mount your 10GiB (11GB Volume) hard drive. We learned how to mount a hard drive in sm1act04.
b) Run the following commands with root privileges:

sudo chmod -R 770 /media

sudo chgrp -R users /media

c) Check that your user is member of a group called users with the help of the command id.
d) Gain access to the 11GB Volume and create a new file called test. Have you experienced any problem. Why?
e) Remove your user from the group users wit the help of gpasswd. Afterwards logout and login again on the system. Check that your user is no member of users any longer.
f) Can you gain access to the 11GB Volume. Why?
g) Add your user to the group users wit the help of gpasswd. Afterwards logout and login on the system. Check that your user is member of users again.
h) Gain access to the volume and create a new file called test01. Have you experienced any problem?.Why?
i) What is the effect of adding users to/deleting user from a group?