Detailed Explanation of Linux Account and Permission Management – Part 1

Managing User Accounts
1. Overview of User Accounts
2. Group Accounts
3. UID and GID
  • UID: User Identifier
  • GID: Group Identifier
The UID and GID numbers for the root user account are fixed values of 0.
The UID and GID numbers for system user accounts default to 1-499.
The UID and GID numbers for regular users default to 500-60000.
4. User Account Files
In Linux, user account, password, and related information are stored in configuration files. You can manage user accounts either by editing these files directly or by using the user management commands.
The two main configuration files related to user accounts are /etc/passwd and /etc/shadow. The former stores basic information such as user names, home directories, and login shells, while the latter stores user passwords and account expiration information. In both files, each line corresponds to one user account, and the individual fields are separated by colons (":").
4.1 User Account File /etc/passwd
  • Saves basic information such as user names, home directories, and login shells.
  • File location: /etc/passwd.
  • Each line corresponds to a user’s account record.
Because system operation and management depend on it, all users can read the contents of the /etc/passwd file, but only the root user can modify it.
In early UNIX systems, user password information was stored in the passwd file itself, so unauthorized users could easily obtain the password strings and run brute-force attacks against them, which posed a real security risk. Later improvements moved the passwords into a dedicated shadow file, leaving only the password placeholder "x" in the passwd file.
Each line corresponds to a user’s account record:
root:x:0:0:root:/root:/bin/bash
  • Field 1: User account name (root)
  • Field 2: Password placeholder "x" (x)
  • Field 3: User account UID number (0)
  • Field 4: GID number of the associated primary group account (0)
  • Field 5: Full name of the user (root)
  • Field 6: Home directory (/root)
  • Field 7: Login shell (/bin/bash allows login; /sbin/nologin and /bin/false prohibit login)
Note: In Field 7, /bin/nologin denies login and prints a refusal message; /bin/false denies login without any message.
4.2 User Account File /etc/shadow
Saves user passwords, account expiration information, etc.
By default, only the root user can read the contents of the /etc/shadow file, and direct editing of this file’s contents is not allowed.
Each line corresponds to a user’s password record
9 fields (separated by colons)
root:$6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT:18445:0:99999:7:::
  • Field 1: User account name (root)
  • Field 2: MD5 encrypted password string. When it is "*" or "!!", the user cannot log into the system. If this field is empty, the user can log in without a password ($6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT)
  • Field 3: Date of the last password change, expressed as the number of days since January 1, 1970 (18445)
  • Field 4: Minimum password age: the user must wait this many days after changing the password before changing it again. Default is 0, meaning no restriction (0)
  • Field 5: Maximum password age: after this many days the user must change the password again. Default is 99999, meaning no restriction (99999)
  • Field 6: Number of days before expiration on which the user is warned (default is 7) (7)
  • Field 7: Number of days after password expiration before the account is disabled (empty)
  • Field 8: Account expiration date, in days since January 1, 1970. Default is empty, meaning the account never expires (empty)
  • Field 9: Reserved field, not used (empty)
Note: Fields 7, 8, and 9 are rarely used and are generally left at their defaults.
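The field descriptions above translate directly into checks an administrator can run: a UID of 0 in field 3 of /etc/passwd makes an account a superuser whether or not it is named root, an empty field 2 in /etc/shadow allows login without a password, and fields 3 and 5 together determine when a password has expired. The following script is an added example, not code from the original article; it audits constructed copies of the two files (the sample records below are made up for this example and are not from a real host) so that it runs without root. To audit a real system, point PASSWD_FILE and SHADOW_FILE at /etc/passwd and /etc/shadow and run it as root.

```shell
#!/bin/sh
# Added example: interpret the /etc/passwd and /etc/shadow fields described in the article.
# Sample records are constructed for this example; "toor" is a made-up second UID 0 account
# and its hash is a placeholder, not a real password hash.
PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
zhangsan:x:1000:1000:Zhang San:/home/zhangsan:/bin/bash
lisi:x:2000:2000::/home/lisi:/bin/false
toor:x:0:0:constructed second uid 0:/tmp:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$VyOUGqOC$v5HlLM1wagZC/FwGfnrtJFnlT:18445:0:99999:7:::
bin:*:18445:0:99999:7:::
zhangsan::18445:0:99999:7:::
lisi:!!:18445:0:90:7:::
toor:$6$constructed$placeholderhash:18400:0:90:7:::
EOF

# passwd field 3: every account with UID 0 is a superuser, not only the one named "root".
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD_FILE"
}

# shadow field 2 empty = login without a password. Join with passwd field 7 so that
# accounts whose shell already refuses login (nologin, false) are not reported.
passwordless_logins() {
  awk -F: 'NR == FNR { shell[$1] = $7; next }
           ($1 in shell) && $2 == "" && shell[$1] !~ /(nologin|false)$/ { print $1 }' \
      "$PASSWD_FILE" "$SHADOW_FILE"
}

# shadow_status USER TODAY
# TODAY is days since 1970-01-01, the same unit as field 3, e.g. $(( $(date +%s) / 86400 )).
# Applies fields 2, 3 and 5 as the article describes them (99999 in field 5 = no limit).
shadow_status() {
  awk -F: -v u="$1" -v today="$2" '
    $1 == u {
      if ($2 == "")                                  { print "nopassword"; exit }
      if ($2 ~ /^[!*]/)                              { print "locked";     exit }
      if ($5 != "" && $5 < 99999 && today > $3 + $5) { print "expired";    exit }
      print "active"; exit
    }' "$SHADOW_FILE"
}

echo "accounts with UID 0 besides root: $(extra_uid0)"
echo "interactive accounts with an empty password field: $(passwordless_logins)"
for u in root zhangsan lisi toor; do
  echo "$u: $(shadow_status "$u" 18500)"
done
```

With the sample data, the report names toor as an extra UID 0 account, zhangsan as a passwordless interactive account, and toor's password as expired on day 18500 (last change 18400 plus a 90-day maximum age).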
5. User Account Management
5.1 Adding User Accounts with useradd or adduser
Add the user account record to the end of the /etc/passwd and /etc/shadow files.
If the user’s home directory is not explicitly specified, a home directory with the same name as the user account will be automatically created under the /home directory, and various initial configuration files for the user will be established in that directory.
If no primary group is specified for the user, a primary group account with the same name as the user account will be automatically created, and the group account’s record information will be saved in the /etc/group and /etc/gshadow files.
A user account created with useradd or adduser cannot be used until it is activated, and it is activated only once a password has been configured for it.
Format: useradd [options] username
Common options:
  • -u: Specify the user's UID number; it must not already be in use by another user.
  • -d: Specify the user's home directory location (has no effect when combined with -M).
  • -e: Specify the account expiration date, in YYYY-MM-DD format.
  • -g: Specify the user's primary group by name (or GID number); the group must already exist.
  • -G: Specify the user's additional group by name (or GID number); the group must already exist.
  • -M: Do not create a home directory.
  • -s: Specify the user's login shell (e.g., /bin/bash allows login; /sbin/nologin and /bin/false prohibit login).
For example:
useradd -d /admin -g wheel -G root admin1
useradd -e 2020-12-31 -s /sbin/nologin admin2
When the user account zhangsan is added, the user's home directory is created at the same time.
Create a user named lisi with UID 2000, specify zhangsan as the user's additional group, do not create a home directory, and set the account expiration date to 2021-12-31.
5.2 Setting Passwords for User Accounts with passwd
The root user can pass a username as an argument to manage that account's password.
Regular users can only run passwd without any arguments, to change their own password.
Command format: passwd [options] username
Common options:
  • -d: Clear the specified user's password, so that login requires only the username.
  • -l: Lock the user account; a locked account can no longer log into the system.
  • -S: Show the status of the user account (for example, whether it is locked).
  • -u: Unlock the user account (if the account has no password, passwd -u refuses with a warning; add -f to force the unlock).
Set password
After clearing the password, you can log in directly
5.3 Modifying User Account Attributes with usermod
Command format: usermod [options] username
Common options:
  • -u: Modify the user's UID number.
  • -d: Modify the user's home directory location.
  • -e: Modify the account expiration date, in YYYY-MM-DD format.
  • -g: Modify the user's primary group by name (or GID number).
  • -G: Modify the user's additional group by name (or GID number).
  • -s: Specify the user's login shell.
  • -l: Change the user's login name.
  • -L: Lock the user account.
  • -U: Unlock the user account.
Change the login name of user zhengsan to wangwu
5.4 Deleting User Accounts with userdel
Command format: userdel [-r] username
Adding the "-r" option deletes the user's home directory as well.
Create the chenliu account and delete it with -r, and you will find that its home directory has been removed.
If the home directory to be deleted is also used by other accounts, it will not be deleted.
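Sections 5.1 to 5.4 describe the account lifecycle and state constraints that useradd enforces (the UID must be unused, the -g and -G groups must already exist, -e takes a YYYY-MM-DD date, and the account must be given a password before it can be used). The script below is an added example, not code from the original article. It pre-checks those constraints against constructed copies of /etc/passwd and /etc/group (the sample records are made up for this example), so the checks run without root, and it keeps the actual useradd, passwd, usermod and userdel sequence in a function that only runs when invoked as root with RUN_DEMO=1, because those commands change the system. The function names check_useradd, uid_in_use, group_exists, user_exists and valid_date are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the useradd rules described in section 5.1,
# plus the 5.1-5.4 lifecycle as a root-only demo. Sample files are constructed.
PASSWD_COPY=$(mktemp); GROUP_COPY=$(mktemp)
trap 'rm -f "$PASSWD_COPY" "$GROUP_COPY"' EXIT
cat > "$PASSWD_COPY" <<'EOF'
root:x:0:0:root:/root:/bin/bash
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
EOF
cat > "$GROUP_COPY" <<'EOF'
root:x:0:
wheel:x:10:
zhangsan:x:1000:
EOF

# user_exists FILE NAME   -> exit 0 if an account with that name is already defined
user_exists()  { awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"; }
# uid_in_use FILE UID     -> exit 0 if some account already has that UID (useradd -u rule)
uid_in_use()   { awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"; }
# group_exists FILE NAME  -> exit 0 if the group is defined (useradd -g / -G rule)
group_exists() { awk -F: -v g="$2" '$1 == g { found = 1 } END { exit !found }' "$1"; }
# valid_date YYYY-MM-DD   -> exit 0 if the string has the format useradd -e accepts
valid_date()   { printf '%s' "$1" | grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$'; }

# check_useradd NAME UID PRIMARY_GROUP EXTRA_GROUP EXPIRY
# Empty arguments mean "option not given". Prints the first violated rule and
# returns 1, or prints "ok" and returns 0.
check_useradd() {
  name=$1 uid=$2 pgroup=$3 extra=$4 expiry=$5
  if user_exists "$PASSWD_COPY" "$name"; then
    echo "user $name already exists"; return 1; fi
  if [ -n "$uid" ] && uid_in_use "$PASSWD_COPY" "$uid"; then
    echo "uid $uid already in use"; return 1; fi
  if [ -n "$pgroup" ] && ! group_exists "$GROUP_COPY" "$pgroup"; then
    echo "primary group $pgroup does not exist"; return 1; fi
  if [ -n "$extra" ] && ! group_exists "$GROUP_COPY" "$extra"; then
    echo "additional group $extra does not exist"; return 1; fi
  if [ -n "$expiry" ] && ! valid_date "$expiry"; then
    echo "expiry $expiry is not YYYY-MM-DD"; return 1; fi
  echo ok
}

# The 5.1-5.4 sequence on a real system. Only runs as root and when RUN_DEMO=1,
# since it creates and removes an account; chpasswd sets the password non-interactively.
lifecycle_demo() {
  if [ "${RUN_DEMO:-0}" != 1 ] || [ "$(id -u)" -ne 0 ]; then
    echo "lifecycle demo skipped (needs root and RUN_DEMO=1)"; return 0; fi
  useradd chenliu                           # 5.1: record added, /home/chenliu created
  passwd -S chenliu                         # 5.2: no usable password yet, account inactive
  echo 'chenliu:Example_Pass_1' | chpasswd  # set a password so the account is activated
  usermod -L chenliu && passwd -S chenliu   # 5.3: lock, then confirm the locked status
  usermod -l chenliu2 chenliu               # 5.3: rename the login
  userdel -r chenliu2                       # 5.4: remove the account and its home directory
}

# Pre-check the lisi account from section 5.1 against the sample files.
check_useradd lisi 2000 "" zhangsan 2021-12-31 || true
check_useradd lisi 1000 "" zhangsan 2021-12-31 || true
lifecycle_demo
```

Against the sample files, the first check passes ("ok") while the second reports that UID 1000 is already taken by zhangsan, which is the situation in which useradd itself would refuse the -u value.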
