Linux User Configuration in BASH
From bib. source
Like most Linux settings, user accounts are stored in text files. However, administrators do not simply edit these files directly to manage user accounts. Instead, specific applications are used to create, modify and remove user accounts on the Linux system.
That is to say, there are a set of official commands for managing users on Linux, and these commands, among other things, manipulate the data in specific configuration files as part of this process (Garn 2022, 32). Primarily, there are (Ibid):
From bib. source
> Two files that store user account data, `/etc/passwd` and `/etc/shadow`. […] both of them are stored in the `/etc` directory, where most Linux configuration files reside. The `/etc/passwd` file stores the actual user account and maintains various settings related to the account. The `/etc/shadow` file stores password information for the accounts.
Hence (Ibid):
- The filepath `/etc/passwd` stores user accounts and their various settings.
- The filepath `/etc/shadow` stores password information for user accounts.
The reason that user accounts are handled by two files is that there was interest in making some user account information readable by all users on the Linux system (this is called world-readability), but not other account information, namely the information related to passwords and to user account or password expiration (Garn 2022, 33). Consequently, while /etc/passwd remains world-readable, /etc/shadow is only accessible to root user accounts (i.e., administrative accounts) (Ibid).
The /etc/passwd file stores user accounts and their settings in a colon-separated format. The position of a datum in the colon-separated list on a single line of the file determines its meaning; that is, this way of writing a line constitutes the syntax of the file. These meaningful positions can be understood as fields, and the data at a given position as field values.
The position of a datum and its corresponding meaning in a line in /etc/passwd is as follows (Garn 2022, 32):
| position / field | meaning |
|---|---|
| 0 | The username, i.e. the name the user logs into the system with |
| 1 | The password, whose value is typically an “x” to represent that the actual password is stored elsewhere (namely in /etc/shadow) |
| 2 | The user ID, or UID, a number–usually unique–representing the user to the system |
| 3 | The group ID, or GID, a number–usually unique–representing the user’s primary group to the system |
| 4 | A comment–this can be anything, but many Linux distributions / distros use it for the user’s full name. |
| 5 | The absolute path of the home directory of the user |
| 6 | The absolute path to the user’s default shell program, e.g. BASH whose path is typically /bin/bash–this is the shell that immediately launches on user login |
The /etc/shadow file uses similar per-line syntax as /etc/passwd, but with different semantics (Garn 2022, 33):
| position / field | meaning |
|---|---|
| 0 | The username, i.e. the name the user logs into the system with |
| 1 | The hashed value of the user’s password |
| 2 | The date of the last password change, expressed as the number of days counted from 01/01/1970 |
| 3 | Minimum period within which the password may be changed |
| 4 | Maximum number of days from last password change for it to be required to change the password again–value of “99999” implies it never needs to be changed |
| 5 | Days prior to the required password change for a warning about that password change requirement to be issued |
| 6 | The number of days after password expiration that it will take to disable the user account |
| 7 | The number of days until the user account itself expires and can no longer be used |
| 8 | Reserved field for future use |
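As an added example (not code from Garn's guide), the following bash script parses lines in the two formats just tabulated, using the same field positions, and reports what an administrator auditing a system would want to see first: every account whose UID field is 0 (and therefore has root's privileges, not only the account named root), the state of each account's hash field in the shadow format (empty, locked, or a regular hash), and every account whose maximum password age is 99999. The sample lines and the hash values are constructed placeholders; calling the functions with no argument reads the real /etc/passwd and /etc/shadow instead (the latter requires root, for the reason given above).

```bash
#!/usr/bin/env bash
# Added example: audit /etc/passwd- and /etc/shadow-formatted data using the
# field positions from the tables above. Sample data below is constructed;
# the hash values are placeholders, not real password hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kgarcia:x:1001:1001:Kai Garcia:/home/kgarcia:/bin/ksh
svc:x:0:34:service account:/var/lib/svc:/usr/sbin/nologin'

SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:19700:0:99999:7:::
kgarcia:!$6$PLACEHOLDERHASH:19750:0:90:7:14::
svc:*:19000:0:99999:7:::
legacy::19000:0:99999:7:::'

# uid0_accounts [PASSWD_DATA]
# Print every username whose UID (position 2) is 0. More than one such
# account means another login carries root's privileges.
# With no argument the real /etc/passwd is read.
uid0_accounts() {
    data=${1:-$(cat /etc/passwd)}
    printf '%s\n' "$data" | while IFS=: read -r name _pw uid _gid _cmt _home _sh; do
        if [ "$uid" = 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# shadow_status [SHADOW_DATA]
# Classify each entry by its hash field (position 1):
#   empty  - no hash at all, so no password is set for the account
#   locked - hash begins with "!" (passwd -l) or "*" (no password login)
#   set    - a regular hash is present
# With no argument the real /etc/shadow is read (requires root).
shadow_status() {
    data=${1:-$(cat /etc/shadow)}
    printf '%s\n' "$data" | while IFS=: read -r name hash _last _min _max _warn _inact _exp _res; do
        case $hash in
            '')        printf '%s empty\n' "$name" ;;
            '!'*|'*'*) printf '%s locked\n' "$name" ;;
            *)         printf '%s set\n' "$name" ;;
        esac
    done
}

# never_expiring_passwords [SHADOW_DATA]
# Print usernames whose maximum password age (position 4) is 99999,
# i.e. whose password is never required to be changed.
never_expiring_passwords() {
    data=${1:-$(cat /etc/shadow)}
    printf '%s\n' "$data" | while IFS=: read -r name _hash _last _min max _warn _inact _exp _res; do
        if [ "$max" = 99999 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Demonstration on the constructed sample data.
echo "UID 0 accounts:";  uid0_accounts "$SAMPLE_PASSWD"
echo "Shadow status:";   shadow_status "$SAMPLE_SHADOW"
echo "Never-expiring:";  never_expiring_passwords "$SAMPLE_SHADOW"
```

The parsing relies on `IFS=:` with `read -r`: because a colon is not whitespace, consecutive colons yield empty fields rather than collapsing, so the trailing empty positions of a shadow line land in the right variables.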
Other sources of configuration relevant to users are those that affect the user’s environment and shell behavior and appearance (Garn 2022, 34):
- The `/etc/profile` file, within which are stored environment variables and startup programs that apply system-wide, and thereby affect all users
- The `/etc/bashrc` file, within which are stored BASH functions and command aliases that apply system-wide, and thereby affect all users
- The `.bash_profile` file at the path of the home directory, within which is stored the same type of data as is stored in `/etc/profile`, but applying only to that home directory's user
- The `.bashrc` file at the path of the home directory, within which is stored the same type of data as is stored in `/etc/bashrc`, but applying only to that home directory's user
The order of processing these files is the inverse of the order of precedence they have in their application: the files that apply system-wide get processed before the files applying only to specific users; yet, it is the files that apply to specific users that have precedence over the files with system-wide effects, such that they can override anything set in the latter (Ibid).
Linux User Management Commands
The three essential primary commands for managing user accounts in Linux are (Ibid):
- The `useradd` primary command, used to create new user accounts with unique UIDs or names (hence the user account to be created cannot have its UID or username be the same as, and thereby conflict with, that of an existing one)
- The `userdel` primary command, used to remove user accounts that already exist on the system
- The `usermod` primary command, used to modify existing user accounts
These user management commands typically have some default configuration or settings for user accounts, especially (Ibid):
- Home directory location
- Preferred shell
- User account expiration values
- Acceptable UID and GID range
- The mailbox location
- The default umask values
- The password hash encryption algorithm
- Password expiration values
These defaults are defined in the file /etc/login.defs and have special relevance to the useradd command (Ibid).
The useradd command can override the defaults for new user accounts in /etc/login.defs through its command options (Garn 2022, 35):
| short-form useradd command option | purpose |
|---|---|
| `-c` | Set the comment value for the user account |
| `-e` | Set an expiration date for the user account, format “YYYY-MM-DD” |
| `-m` | Create a standard home directory |
| `-s` | Set a default shell for the user account |
| `-u` | Set a specific UID for the user account |
| `-D` | Display the default settings for new user accounts |
The argument for the useradd command line is then the name of the user, i.e. the username.
For example (Ibid):

```bash
useradd -c "Kai Garcia" -e "2025-12-31" -s /bin/ksh kgarcia
```

After a user account is created, it cannot yet be used, as useradd does not set a password for the user account. Instead, the primary command passwd then needs to be used to set the password for the given user account (Garn 2022, 35-36):

```bash
passwd kgarcia
```

This same command line can be run again to merely change the password (Garn 2022, 40).
Alternative to useradd

`adduser` is an alternative to `useradd` that initiates an interactive prompt for configuring and creating a new user account (Garn 2022, 36). The benefit of `adduser` is that it includes setting the password as part of user account creation, thereby not needing a separate step (Ibid).
The passwd primary command has some options of its own (Ibid):
| short-form passwd command option | purpose |
|---|---|
| `-d` | Delete the user account password, disabling the user account |
| `-e` | Immediately expire a password for a user account so that user is required to change their password |
| `-l` (as in “Lancaster”) | Lock the user account, so while the password for that user account may exist, login for that user account is not possible |
| `-u` | Unlock a user account that was previously locked |
Requirements for user account passwords like an expiration time can be changed or reset via the chage primary command, which has the following command options (Ibid):
| short-form chage command option | purpose |
|---|---|
| `-l` (as in “Luke”) | Displays the current values for the user account |
| `-M` | Specifies the maximum number of days in between password changes |
| `-m` | Specifies the minimum number of days in between password changes |
| `-W` | Specifies the number of warning days prior to password expiration |
| `-E` | Specifies a date after which a user account is to be locked |
The primary command chage also takes a username as argument as passwd does.
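The three steps described above (useradd with explicit overrides, passwd, then chage) as one reviewable procedure, written here as an added example rather than code from the guide. Because useradd refuses a username or UID that already exists, the script checks both against the account database before anything is created. The sample passwd data, the PASSWD_DATA and DRY_RUN variables, the helper names and the aging values handed to chage (1, 90 and 14 days) are assumptions of this example, not part of the tools themselves.

```bash
#!/usr/bin/env bash
# Added example: create an account with useradd, set its password with passwd
# and apply an aging policy with chage, after checking that the requested
# username and UID are free. PASSWD_DATA, DRY_RUN and the sample data below
# are assumptions of this example, not features of the tools.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kgarcia:x:1001:1001:Kai Garcia:/home/kgarcia:/bin/ksh'

# passwd_source [PASSWD_DATA]
# Print the passwd-formatted data to check against: the explicit argument,
# else $PASSWD_DATA, else the live account database via getent passwd.
passwd_source() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$PASSWD_DATA" ]; then printf '%s\n' "$PASSWD_DATA"
    else getent passwd
    fi
}

# name_in_use NAME [PASSWD_DATA]  -> exit status 0 when the username exists
name_in_use() {
    passwd_source "$2" | awk -F: -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# uid_in_use UID [PASSWD_DATA]  -> exit status 0 when the UID is already taken
uid_in_use() {
    passwd_source "$2" | awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }'
}

# run COMMAND...  Execute, or with DRY_RUN=1 only print, so the steps can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run:'; printf " '%s'" "$@"; printf '\n'
    else
        "$@"
    fi
}

# create_account NAME UID COMMENT EXPIRES SHELL
# Refuses to proceed when the username or UID is already present, then runs
# the three-step procedure. Executing for real requires root.
create_account() {
    name=$1; uid=$2; comment=$3; expires=$4; shell=$5
    if name_in_use "$name"; then
        echo "refusing: username '$name' already exists" >&2
        return 1
    fi
    if uid_in_use "$uid"; then
        echo "refusing: UID $uid already in use" >&2
        return 1
    fi
    # -m creates the home directory; -c, -e, -s and -u override the
    # /etc/login.defs defaults for this account only.
    run useradd -m -c "$comment" -e "$expires" -s "$shell" -u "$uid" "$name"
    # useradd leaves the account without a password; passwd sets one.
    run passwd "$name"
    # Aging policy (assumed values): at least 1 day between changes, a new
    # password every 90 days at most, warning 14 days before expiration.
    run chage -m 1 -M 90 -W 14 "$name"
}

# Review the steps against the constructed sample data without changing anything.
DRY_RUN=1 PASSWD_DATA="$SAMPLE_PASSWD" create_account jdoe 1002 "Jane Doe" 2025-12-31 /bin/bash
```

With DRY_RUN unset and no PASSWD_DATA, the same call checks the live account database through getent and executes the three commands, so the dry run is the place to confirm the chosen UID and expiration date before touching the system.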
Additional forms of authentication
Since something more complex than password authentication is sometimes needed, many Linux distros / distributions implement an authentication system called “Pluggable Authentication Modules” (Garn 2022, 41). The collection of such modules is called PAM. Two PAM modules for limiting and tracking login attempts on Linux, for example, are pam_tally2 and pam_faillock (the former deprecated) (Ibid). Login attempts tracked by either of these once set can be viewed using the faillock primary command (Ibid).
usermod and userdel
The usermod primary command sports similar short-form command options as useradd, and takes a username as argument just as it does (Garn 2022, 37).
Finally, userdel takes a username as argument and does not involve many possible options; however, one behavior of userdel is of note (Garn 2022, 38): by default, the home directory of the user account that is removed is not deleted or removed along with that user account. To remove the home directory of a user account along with that user account, userdel must take the `-r` option flag (Ibid). For example:

```bash
userdel -r kgarcia
```

Alternative to userdel

An alternative to the `userdel` primary command is the primary command `deluser`.
User account must own no ongoing processes

Both `usermod` and `userdel` will refuse to act on a user account that has ownership over an ongoing or active process.
Getting information about users
The primary commands useful for getting information on users are as follows (Garn 2022, 39):
- `w` / `who`, which display all active logins or user shell sessions, including those that are remote terminal connections
- `id`, which displays user account information; absent a username as argument, it assumes the current user ($USER) as its argument
Another useful primary command is `getent`, which, given `passwd` as its first argument (the database to query) and a username as its second, displays the entry in /etc/passwd for the user whose username matches that argument.
bibliography
- Garn, Damon. The Official CompTIA Linux+ Student Guide (Exam XK0-005). 1.0. Downers Grove, IL: CompTIA, 2022.