What is a user account? –
A user account is a collection of information that tells Windows what files and folders you can access, what changes you can make to the computer, and your personal preferences, such as your desktop background or color theme. User accounts make it so that you can share a computer with several people, but still have your own files and settings. Each person accesses their user account with a user name and password.
There are three different kinds of accounts:
1- Standard
2- Administrator
3- Guest
Each account type gives the user a different level of control over the computer. The standard account is the account to use for everyday computing. The administrator account provides the most control over the computer, and should only be used when necessary. The guest account is primarily for people who need temporary access to the computer.
A user account allows one to authenticate to system services. It also generally provides one with the opportunity to be authorized to access them. However, authentication does not automatically imply authorization. Once the user has logged on, the operating system will often use an identifier such as an integer to refer to them, rather than their username. On UNIX systems this is called the user identifier or user id.
Computer systems are divided into two groups based on what kind of users they have:
- single-user systems do not have a concept of several user accounts
- Multi-user systems have such a concept, and require users to identify themselves before using the system.
What is a group? –
In personal or business computing, a user group is a set of people who have similar interests, goals, or concerns. The members have regular meetings where they can share their ideas.
Ideally, the members of a user group live in the same geographic area, so they can get together in person. However, some user groups have members distributed throughout the world, and they meet using Internet chat rooms, message boards, or mailing lists. Members may also correspond by telephone and e-mail on a one-to-one basis. User groups often have Web sites that each member can visit on a regular basis to stay informed.
A user group may be devoted to a particular technology, application, or corporation. For example, a digital-photography user group might discuss the assets and limitations of various digital cameras and image-processing programs. A user group devoted to wireless Internet would share their experiences with the various providers of that technology. Some user groups are involved only with the products of a particular corporation. When devoted to a narrow range of products or ideas, the user group is sometimes called a special interest group.
Benefits of Linux User Management –
Linux User Management and Directory work together to simplify administration and provide users with access to network resources.
Administrator Benefits –
Using LUM and Directory to manage user login information eliminates the need to create local users in the /etc/passwd and /etc/shadow files on each Linux computer. It simplifies user account management by consolidating user accounts into a central point of administration. Administrators can use Directory tools and technologies to manage access to Linux resources on the network. After authenticating, users have the rights and privileges as specified in Directory. These are the same rights and privileges that would typically need to be stored in a local account or redirected to other authentication methods, such as NIS. The user account information stored in Directory lets users’ access file and printer resources on the network.
User Benefits –
Users can log in to Linux computers using access methods such as login, ftp, ssh, su, rsh, rlogin, xdm (KDE*), and gdm (GNOME). They need only enter their familiar directory username and password. There's no need to remember a full context—Linux User Management searches out the correct user in directory. Users can log in once, using a single username and password, and have seamless access to all their network resources regardless of platform.
Understanding Linux User Accounts –
Setting up and using directory to manage Linux access requires you to understand how the Linux operating system manages user logins. Users who want to log in to a Linux computer must have an existing user account, which consists of properties that allow a user to access files and folders stored on the computer. This account information can be created and stored on the computer itself or on another computer on the network. Accounts stored on the computer are called local user accounts. Accounts stored in directory are called directory user accounts, regardless of whether they are stored on the same or another computer. A typical account used to log in to a Linux computer consists of the following information:
1- Username and user ID (UID)
2- Password
3- Primary group name and group ID (GID)
4- Secondary group names and group IDs
5- Location of home directory
6- Preferred shell
When a local user account is created, Linux records the user-login information and stores the values in the etc/passwd file on the computer itself. The passwd file can be viewed and edited with any text editor. Each user account has an entry recorded in the following format:
Username:password:UID:GID:name:home directory:shell
Username and User ID –
The username and user ID (UID) identify the user on the system. When created, a user account is given a name and assigned a UID from a predetermined range of numbers. The UID must be a positive number and is normally above 500 for user accounts. System accounts typically have numbers below 100.
Password –
Each user account has its own password which is encrypted and stored on the computer itself or on another computer on the network. Local passwords are stored in the /etc/passwd file or /etc/ shadow file. When the user logs in by entering a username and password, Linux takes the entered password, encrypts it, and then compares the encrypted value to the value of the password stored in the user account. If the entered value is the same as the value stored in the password field on the computer, the user is granted access. Administrators often use the /etc/passwd file to hold user account information but store the encrypted password in the /etc/shadow file; if using this method, the passwd file entry has an x in the password field.
Primary Group Name and Group ID –
Groups are used to administer and organize user accounts. When rights and permissions are assigned to a group, all user accounts that are part of the group receive the same rights and permissions. The group has a unique name and identification number (GID). The primary GID and group name are stored as entries in the /etc/passwd file on the computer itself or in directory. Each user has a designated primary (or default) group and can also belong to additional groups called secondary groups. When users create files or launch programs, those files and programs are associated with one group as the owner. A user can access files and programs if he is a member of the group with permissions to allow access. The group can be his primary or any of his secondary groups.
Secondary Group Names and Group IDs –
Although not strictly part of the user account, secondary groups are also a part of the user login experience. Groups and GIDs are used to manage rights and permissions to other files and folders. Secondary groups for each user are listed as entries in /etc/group on the computer itself.
Home Directory –
The home directory is a folder used to store a user’s personal documents. In addition, it offers a place to store configuration files unique to the user. Therefore, a user can log in and find his environment with the same settings as he had before, even if another user has used the computer. Typically, most computers have all home directories at /home, and then individual directories listed by login name (for example, /home/jsmith). The root user’s home directory is an exception. It is traditionally located at / or /root. Placing home directories under /home is not required—but it does make organizational sense. Some administrators divide the /home directory by function or department and then subdivide the /home directory with users in that department (for example, /home/engineering/jsmith).
User Accounts in directory –
User accounts residing on the Linux computer are said to be local user accounts and are stored as entries in the /etc/passwd file. User accounts in directory are represented by User objects stored in the directory tree. A directory User object has a rich set of properties and fields to hold user-login properties. When a directory User object is extended to hold Linux user-login properties, it is said to be LUM enabled or enabled for Linux. When enabled for Linux, a user can simply access the Linux computer (using Telnet, SSH, or other supported method) and enter his username and password. The access request is redirected to find the appropriate username and login information stored in directory. When extended for Linux, the directory User object holds Linux-related properties, such as user ID, primary group ID, primary group name, location of home directory, and preferred shell.
Group Objects in directory –
When a group is enabled for Linux, the group ID is stored as a property of a Linux/UNIX Workstation object. When the user attempts to log in to a Linux computer, he only needs to enter his username and password—no context is required. The Linux computer checks its corresponding Linux/UNIX Workstation object in directory for the list of groups approved to log in. Each approved group is searched for the username of the user requesting access. When the first matching username is found, the login is allowed using the UID, GID, password, and other login information stored in directory. If the username is not found in any of the groups, the login is not allowed.
User in Linux –
Internally Linux users manage with their Identity. The use root has the UID 0 and other system users have (bin, IP etc) home use ids from 1 to 499 and the other users have ID about the 500 or more.
Following commands are use to manage a user account –
#useradd or adduser –
System administration command. Create new user accounts or update default account information. Unless invoked with the -D option, user must be given. useradd will create new entries in system files. Home directories and initial files may also be created as needed.
-c (comment) –
Comment field.
-d (dir) –
Home directory. The default is to use user as the directory name under the home directory specified with the
-e (date) –
---------- Account expiration date. Use the format MM/DD/YYYY. Two-digit year fields are also accepted. The value is stored as the number of days since January 1, 1970. This option requires the use of shadow passwords.
-f (days) –
Permanently disable account this many days after the password has expired. A value of -1 disables this feature. This option requires the use of shadow passwords.
-g (group) –
Initial group name or ID number. If a different default group has not been specified using the -D option, the default group is 1.
-G (groups) –
Supplementary groups given by name or number in a comma-separated list with no whitespace.
-k (dir) –
Copy default files to the user's home directory. Meaningful only when used with the -m option. Default files are copied from /etc/skel/ unless an alternate dir is specified.
-m -
Make user's home directory if it does not exist. The default is not to make the home directory.
-M –
Do not create a home directory for the user, even if the system default in /etc/login.defs is to create one.
-n –
Red Hat-specific option. Turn off the Red Hat default that creates a group with the same name as the username and puts the user in that group.
-o –
Override. Accept a non unique UID with the -u option. (Probably a bad idea.)
-p passwd –
The encrypted password, as returned by crypt.
-r –
Red Hat-specific option. Create a system account with a non-expiring password and a UID lower than the minimum defined in /etc/login.defs. Do not create a home directory for the account unless -m is also specified.
-s shell -
Login shell.
-u uid –
Numerical user ID. The value must be unique unless the -o option is used. The default value is the smallest ID value greater than 99 and greater than every other uid.
-D [options] –
Set or display defaults. If options are specified, set them. If no options are specified, display current defaults. The options are:
-b dir –
Home directory prefix to be used in creating home directories. If the -d option is not used when creating an account; the user name will be appended to dir.
-e date –
Expire date. Requires the use of shadow passwords.
-f days –
Number of days after a password expires to disable an account. Requires the use of shadow passwords.
-g group –
Initial group name or ID number.
-s shell –
Default login shell.
Some use full commands –
1- #adduser or #useradd –
This command is used for creating a new user account in linux.
2- #usermod –
This command is used to change the permission of any user.
3- #Userdel –
This is used for delete the user account.
There is a number of ways to creating a user and managing the user account in RHEL -5 or other version of linux.
1- Click Applications then select System Settings and click Users and Groups. This will launch the User Manager window.
2- In the User Manager window, click Add User. This will show the Create New User window.
3- In the Create New User window, fill in the User Name, Full Name, Password and Confirm Password. Click Ok when you’re done.
4- That’s it; you have just created a new user. To remove a user, select the user you want to remove and click Delete.
You can also do this from the command line, below are the equivalent commands. You need to have root level access to use the commands below.
1- usr/sbin/useradd [options] login_name
---creates a new user
2- usr/sbin/usermod [options] login_name
---modifies a user’s attributes
3- usr/sbin/userdel [options] login_name
---deletes the specified user. Use the -r option to automatically remove the user’s home directory and mail spool.
4- usr/bin/passwd login_name
---sets the password for the specified user
5- usr/sbin/groupadd [options] group_name
---creates a new group
6- usr/sbin/groupmod [options] group_name
---modifies a group’s attributes
7- usr/sbin/groupdel group_name
---deletes the specified group
How to Setup User Password Expiration in RHEL
Ideally, passwords should be changed regularly. This article describes how to setup password expiration using the User Manager application in Red Hat Enterprise Linux 5.
1- Click Applications then select System Settings and click Users and Groups. This will launch the User Manager window.
2- Select the user you wish to configure and click Properties.
3- in the User Properties windows, click the Password Info tab.
4- Check the Enable Password Expiration checkbox to enable password expiration. The list below describes the available settings.
- Days before change allowed –
Number of days from the last password change to allow another password change.
- Days before change required –
Number of days from the last password change to require another password change.
- Days warning before change –
Number of days before the expiry of the password to notify the user.
- Days before account inactive
Number of inactive days after the expiry of the password to deactivate the account. 0 means do not deactivate.
You can also do this from the command line, below are the equivalent commands.
chage login_name
modifies the password expiry information of the specified login name. You need root access to use this command.
chage -l login_name
shows the password expiry information of the specified login name
chage displays the help information
You can notify the users with expiring password via email using the checkpwexpire script. Copy the script into the /etc/cron.daily and give it execute permission so it will automatically run every day.
Create a user by file editing –
#vi /etc/passwd
This file keeps the information of user name
#vi /etc/group
This file keeps the information of every user
#vi /etc/shadow
This file keeps the information of user password
#vi /etc/gshadow
This file keeps the information of group password to access resources.
Create user through the files. It will start from root-
#vi /etc/passwd
ajay:x:516:1002::/home/ajay:/bin/bash
| Ajay : username X : represent user password 516 : user identity number (UID) 1002 : group identity number (GID) :: : extra information /home/ajay : home directory of this user :/bin/bash : shell |
-- This user will also use graphic home. We will have to copy some file in ajay.
#cp /etc/skel/ .kde /home/ajay
#cp /etc/skel/ * /home/ajay
-- We want to give some right as root to a user.
#vi /etc/passwd
Ajay:x:516:1002::/home/ajay:/bin/bash
Ajay:x:0:0::/home/ajay:/bin/bash
