(LFCS) 3. User and Group Management - 10%

Linux Foundation Certified System Administrator (LFCS)

1. Essential Commands - 25% 2. Operation of Running Systems - 20% 3. User and Group Management - 10%

3.1 Create, delete, and modify local user accounts
3.2 Create, delete, and modify local groups and group memberships
3.3 Manage system-wide environment profiles
3.4 Manage template user environment
3.5 Configure user resource limits
3.6 Manage user privileges
3.7 Configure PAM
4. Networking - 12% 5. Service Configuration - 20% 6. Storage Management - 13%

3.1 Create, delete, and modify local user accounts

useradd

Add users
useradd -D print the default configuration used by useradd command

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

GROUP=100 -> default group

HOME=/home -> base for home directory

INACTIVE=-1 -> user password won't expire

EXPIRE= -> user account won't expire

SHELL=/bin/bash -> default shell

SKEL=/etc/skel -> skeleton directory. It's content will be copied in new user home directory

CREATE_MAIL_SPOOL=yes -> User will have a mail spool to receive email

This configuration is saved in /etc/default/useradd
Also /etc/login.defs parameter are evaluated during user add
Some parameter of /etc/login.defs will overwrite /etc/default/useradd parameters
/etc/login.defs contains:

Location of mail spool
Settings about password
CREATE_HOME yes -> create home directory
USERGROUPS_ENAB yes -> means that a group with same name of user must be created. This group will become default user group. This means that value of GROUP in /etc/default/useradd is overwritten

useradd parameters:

-c Any text string. It is generally a short description of the login, and is currently used as the field for the user's full name.
-e date after which the/ user will be disabled
-g primary group. NOTE: if not specified it will be created a new group with same name of user that will be become user's primary group
-G secondary groups
-m create home directory. Useless because CREATE_HOME is yes
-p configure password. NOTE: value must be provided encrypted

Normally password is not provided during user add

-s shell to use

When a user is created two file will be changed:

/etc/passwd It contains users information, no passwords

Syntax:

user name
x: means that password isn't stored here
userid: user id (UID)
groupid: primary group id (GID)
User Info: The comment field
home: home directory
shell: shell

To edit file: vipw

/etc/shadow It contains passwords plus passwords properties

To edit file: vipw -s

usermod

used to modify a user
usermod parameters:

-Llock user password
-U unlock user password

usermod -e 1 user disable user
usermod -e "" user enable user

userdel

remove user
userdel -r user

-r remove home and email spool. NOTE: if it won't be used, if it will be tried to insert same user, there will be a conflict
-f force. Delete user though he is logged

passwd

Change password of current user
passwd user

Used by root
Change password of user

passwd -l user

Used by root
Lock password of user

echo newpass | passwd --stdin brenda

It will change password of brenda
Can be used in a script
NOTE: Dangerous, password is in clear text

chage

Change user password expiry information
If used without parameters will prompt for information
It will permit to change date when the password was last changed
chage -E 2014-09-11 user

Set a date after which user will be locked

3.2 Create, delete, and modify local groups and group memberships

groupadd

add group
When a group is created /etc/group file will be changed

Syntax:

group_name: It is the name of group. If you run ls -l command, you will see this name printed in the group field.
Password: Generally password is not used, hence it is empty/blank. It can store encrypted password. This is useful to implement privileged groups.
Group ID (GID): group id

For each user must be assigned a group ID. You can see this number in your /etc/passwd file.

Group List: It is a list of user names of users who are members of the group. The user names, must be separated by commas.

NOTE: The groups without group list are used as primary group for some users

groupdel

delete group

groupmod

modify group
usermod -aG group user

Add group to user
-G list of secondary groups
-a append. NOTE: If not specified new group list will override current value

3.3 Manage system-wide environment profiles

The variable for all users are stored in /etc/environment
The variable for a user are stored in his home directory in file .bash_profile

NOTE: It is an hidden file, it is visible only running ls -la

3.4 Manage template user environment

/etc/skel skeleton directory. It's content will be copied in new user home directory

3.5 Configure user resource limits

ulimit

It limits the use of system-wide resources
Limits can be configured changing file /etc/security/limits.conf
Typical configuration1. @student hard nproc 20 2. @faculty soft nproc 20 3. ftp hard nproc 0 4. @student - maxlogins 4

Members of student group can run only 20 processes
Members of faculty group will receive and info after that more than 20 processes were run (soft limit)
ftp user cannot run any process
Members of student can have maximum 4 logged user. - means both hard and soft

man limits.conf for manual
Limits will be enforced in next opened session
Also ulimit command can be used to change limits

3.6 Manage user privileges

Refer to sudo configuration

3.7 Configure PAM

PAM = plugable authentication modules
A command/program can be PAM aware
PAM can be used to configure e.g. login to use Active Directory or LDAP
Use ldd to see if command use PAM libraries

ldd /usr/bin/passwd | grep pam

Each command that will use PAM will have an entry in /etc/pam.d with its PAM configuration
A good example of PAM configuration is showed in pam_tally2 module man page

pam_tally2: The login counter (tallying) module
At the end of man page there is an example to configure login to lock the account after 4 failed logins
man pam_tally2