User Management

User Account#

/etc/passwd#

Linux uses the /etc/passwd file to store user account information. Because many service processes need to read user account information, you can see that the file’s permissions are all readable.

-rw-r--r-- 1 root root 2010 Aug 24 15:12 /etc/passwd

View the account information of a user.

grep kuga /etc/passwd

kuga:x:1000:1000:,,,:/home/kuga:/bin/bash

The system will reserve a certain range of UID, and the new user ID added to Ubuntu starts from 1000. The following command will sort by the third field UID in reverse order, then output the first 10 lines, and only display 136 fields (username, UID, directory location).

sort -t ':' -k 3 -nr /etc/passwd | cut -d ':' -f1,3,6 | head -n 10

nobody:65534:/nonexistent
soda:1001:/home/soda
kuga:1000:/home/kuga
lxd:999:/var/snap/lxd/common/lxd
ecs-instance-connect:998:/home/ecs-instance-connect
fwupd-refresh:115:/run/systemd
_chrony:114:/var/lib/chrony
usbmux:112:/var/lib/usbmux
landscape:111:/var/lib/landscape
tss:110:/var/lib/tpm

/etc/shadow#

For historical reasons, the early user passwords were stored in /etc/passwd, so the file name is passwd. Later, because passwords are easy to crack, the current passwords have been moved to the new file /etc/shadow. This file is only readable by root and shadow group.

-rw-r----- 1 root shadow 1255 Aug 24 15:08 /etc/shadow

You can roughly look at the contents of this file.

root:*:19955:0:99999:7:::
daemon:*:19103:0:99999:7:::
bin:*:19103:0:99999:7:::
sys:*:19103:0:99999:7:::
sync:*:19103:0:99999:7:::

These fields are generally related to password management (such as how many days must be changed), which is not expanded here.

Useradd#

HOME Directory#

By default, the user directory is not created.

useradd foo

Use the -m parameter to create the user directory.

useradd -m foo

Use the -M parameter to not create the user directory.

useradd -M foo

Default Configuration#

Use the -D option to view the default configuration used when adding a user.

useradd -D

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

• GROUP: User default group ID.
• HOME: User directory location.
• INACTIVE: Number of days to disable the account after the password expires.
• EXPIRE: Account expiration date.
• SHELL: Default login Shell used.
• SKEL: Skeletal, the contents of this directory will be copied to the user’s home directory.
• CREATE_MAIL_SPOOL: Whether to create a mail storage file.

/etc/default/useradd#

The default configuration file for the useradd command.

-rw-r--r-- 1 root root 1118 Aug 28 10:58 /etc/default/useradd

cat /etc/default/useradd | head -n 20

# Default values for useradd(8)
#
# The SHELL variable specifies the default login shell on your
# system.
# Similar to DSHELL in adduser. However, we use "sh" here because
# useradd is a low level utility and should be as general
# as possible
SHELL=/bin/sh
#
# The default group for users
# 100=users on Debian systems
# Same as USERS_GID in adduser
# This argument is used when the -n flag is specified.
# The default behavior (when -n and -g are not specified) is to create a
# primary user group with the same name as the user being added to the
# system.
# GROUP=100
#
# The default home directory. Same as DHOME for adduser
# HOME=/home

If you change the SHELL to /bin/bash, then useradd -D will be automatically updated.

/etc/login.defs#

The core configuration file for user account and login management. Functions include: password policy, UID/GID range, HOME directory management, user and group management, login settings, etc. Settings in the file will affect the behavior of commands such as useradd, usermod, passwd, etc., it is recommended to back up before making changes.

-rw-r--r-- 1 root root 10734 Nov 11  2021 /etc/login.defs

Take a look at the USERGROUPS_ENAB parameter separately.

grep -B 4 -E "USERGROUPS_ENAB (yes|no)" /etc/login.defs

# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
USERGROUPS_ENAB yes

If the value of USERGROUPS_ENAB is yes:

• userdel: When deleting a user, it will also delete the empty user group.
• useradd: When creating a user, it will also create a group with the same name as the user.

This is why the default parameter GROUP=100 was not used when creating a user.

Modify Conf By Cmd#

Modify the default login Shell.

sudo useradd -D -s /bin/bash

Modify the default group ID.

sudo useradd -D -g 100

Modify the default HOME directory.

sudo useradd -D -b path

After executing the command, you will find that the file permissions have changed from 644 to 600.

-rw------- 1 root root 1195 Aug 28 11:22 /etc/default/useradd

The corrected permissions are as follows.

sudo chmod 644 /etc/default/useradd

Look at the source code, the execution process in the set_defaults(void) method is roughly as follows:

/*
 * set_defaults - write new defaults file
 *
 * set_defaults() re-writes the defaults file using the values that
 * are currently set. Duplicated lines are pruned, missing lines are
 * added, and unrecognized lines are copied as is.
 */
static int
set_defaults(void)
{
...
}

• Use the mkstemp function to create a temporary file A.
• Process the /etc/default/useradd file and copy it to A.
• Backup the original useradd file, rename it to useradd-.
• Overwrite the A file with the original useradd file.
• The file created by the mkstemp function has permissions of 0600.

Check the useradd and its backup useradd- files.

ls -li /etc/default/useradd*

655124 -rw------- 1 root root 1197 Aug 28 16:28 /etc/default/useradd
655237 -rw------- 1 root root 1197 Aug 28 16:07 /etc/default/useradd-

If you use the command to modify the default login Shell.

sudo useradd -D -s /bin/sh

Check the inode of the two files again.

655454 -rw------- 1 root root 1195 Aug 28 17:27 /etc/default/useradd
655124 -rw------- 1 root root 1197 Aug 28 16:28 /etc/default/useradd-

It is not difficult to find that the inode of useradd- is the same as the inode of useradd before the modification. The issue of permissions being modified is obviously unreasonable, the command should not modify the file permissions. You can check this pull request on GitHub.

Usermod#

Modify User Login Name#

sudo usermod -l newuser olduser

Add User to a Group#

The -a means to append to the group, not to replace the current group list.

sudo usermod -aG group user

Modify User Default Shell#

usermod does not check the legality of the Shell, you can use chsh instead.

sudo chsh -s /bin/bash user

Modify User ID#

sudo usermod -u newuid user

Passwd#

Modify Current User PWD#

Without parameters, it is to change the password of the current user.

passwd

Modify User PWD#

sudo passwd soda

Login Management#

Disable PWD Login#

The following two methods are the same, and will not disable SSH public key authentication.

sudo usermod -L user

sudo passwd -l user

After execution, the password field in the /etc/shadow file will be prefixed with !.

sudo grep user /etc/shadow

user:!$y...:19959:0:99999:7:::

Enable PWD Login#

The following two methods are the same, and can be used together.

sudo usermod -U user

sudo passwd -u user

After execution, the password field in the /etc/shadow file will delete the ! prefix.

Disable SSH Auth#

Without a login Shell, naturally the password cannot be used for login.

sudo usermod -s /usr/sbin/nologin user

Enable SSH Auth#

sudo usermod -s /bin/bash user

Userdel#

Delete User Only#

This method only deletes the user and keeps the main directory.

sudo userdel user

With Home and Mail#

Not only delete the user, but also delete the main directory and mail.

sudo userdel -r user

If a file or directory does not exist, a prompt will appear in the terminal.

Adduser Package#

This package provides two useful commands, adduser and deluser, which are high-level encapsulated tools.