Linux Part 11
User accounts
Understanding user accounts
Like most modern OSs, Linux is a multi-user OS: it supports many users, and each user has their own account.
Admin accounts
The root account (UID 0) is reserved for administrative tasks that need full privileges. Everyday work should be done from an ordinary account, using sudo for the individual commands that need root.
User accounts
User accounts let the system track who is doing what and who is using which resources, and they let you give each person only the access they need.
Account Location
Most accounts are defined in /etc/passwd. Each line of the file is one account record, and each record is made of seven colon-delimited fields. In a user account record you will find the following information:
Username
Most Linux usernames are lowercase letters, sometimes with digits. Underscores and dashes are valid characters, and a dollar sign is allowed as the last character. Spaces are not allowed.
Passwords
User accounts are usually protected by a password, which is required to log in as that user. The password field in /etc/passwd normally contains an x, which means the real password is not stored here: it is stored, as a hash, in a separate file known as the shadow file, /etc/shadow.
UID
UID stands for user identifier and is a number. UID 0 is root, the administrative account. Regular user accounts normally start at 1000; lower numbers are reserved for system accounts (the boundary is set by UID_MIN in /etc/login.defs).
GID
GID is the group identifier. Accounts can be tied to groups, for example a group of students, a group of teachers and a group of school administrators. A group is simply a collection of accounts; its purpose is to give a set of users access to certain resources, such as files and directories, while keeping everybody else out.
Comment Field
The comment (GECOS) field usually holds the user's full name, but you can put any information you want in it. adduser stores the full name, room number, work phone, home phone and any other text here, separated by commas.
Home Directory
This shows where the user's home directory is located. Every user account, and many system accounts, has a home directory; this is where the user's folders, pictures and documents live. Normally the home directory is readable and writable only by that specific user account.
Default shell
Every account has a default shell, and the path to it is stored in this last field. On most distributions it is /bin/bash (the Bourne Again Shell), but the individual user can change it (with chsh) if they want to. System accounts that should never log in interactively are given a shell such as /usr/sbin/nologin instead.
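As an added example (not part of the original notes), here is a small Python script that parses records in the /etc/passwd format described above and runs the checks an administrator would make on the file: extra UID 0 accounts, an empty password field, a hash left in the world-readable file, shared UIDs, and system accounts with an interactive shell. The sample records are constructed for this example; UID_MIN = 1000 is the Debian/Ubuntu default and is an assumption.

```python
# Added example (not from the original notes): parse /etc/passwd records and
# run the checks an administrator or analyst would make on them.
# SAMPLE_PASSWD is constructed for this example; it is not a real system's file.
from collections import Counter

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
UID_MIN = 1000                       # first regular-user UID on Debian/Ubuntu (assumed)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
robertwelks:x:1001:1001:Robert Michael Welks,Office 1,555-555-5555,555-555-5555,Robert is the CEO:/home/robertwelks:/bin/bash
robert:x:1002:1002::/home/robert:/bin/bash
svc-build:x:999:999:build service:/var/lib/build:/bin/bash
toolsvc:x:0:0:planted admin account:/tmp:/bin/sh
legacy:$6$Zq3x$abcdef:1003:1003::/home/legacy:/bin/bash
guest::1004:1004::/home/guest:/bin/bash
"""


def parse_passwd(text):
    """Split each colon-delimited record into a dict; UID and GID become ints."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd record: {line!r}")
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        # adduser packs full name, room, work phone, home phone and "other"
        # into the comment field, separated by commas
        rec["gecos_fields"] = rec["gecos"].split(",")
        records.append(rec)
    return records


def audit_passwd(records):
    """Return (account, finding) pairs for the conditions described in the notes."""
    findings = []
    uid_counts = Counter(r["uid"] for r in records)
    for r in records:
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "UID 0 account other than root"))
        if uid_counts[r["uid"]] > 1:
            findings.append((r["name"], f"UID {r['uid']} shared with another account"))
        if r["password"] == "":
            findings.append((r["name"], "empty password field: login needs no password"))
        elif r["password"] not in ("x", "*", "!"):
            findings.append((r["name"], "password hash kept in world-readable /etc/passwd"))
        if 0 < r["uid"] < UID_MIN and r["shell"] not in NOLOGIN_SHELLS:
            findings.append((r["name"], "system account with an interactive shell"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name}: {finding}")
```

Run it against a real file with parse_passwd(open("/etc/passwd").read()); a second UID 0 account or a non-x password field is something to investigate immediately.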
Account Security
A user account is protected with a password. In the past /etc/passwd itself held the password hashes, and since that file must be readable by every user, storing them there was risky: anyone could copy the hashes and try to crack them. To protect users, the hashes were moved into /etc/shadow, which regular users cannot read. Passwords are stored there as salted hashes: a one-way mathematical function, fed with the password plus a random salt, produces a string that looks like gibberish to humans and cannot be reversed to recover the password. When a user types a password at login, it is hashed with the same salt, and if the result matches what is in the shadow file the user is let in.
A typical /etc/shadow file contains colon-delimited fields, just like the passwd file. Let's take a look at these fields:
Username
The username starts each line. Note that you will not see the UID here, the way you did in the passwd file; the username is the only link between the two files.
Password
The password is stored as a salted hash, which bears no resemblance to the actual password. For example, the hash of the password "puppy!23!" looks nothing like "puppy!23!".
An asterisk (*) or an exclamation mark (!) in the password field means no password can be used to log in to the account. A ! in front of an otherwise valid hash means the account has been locked by an administrator (passwd -l or usermod -L); a lone * is what system accounts get. Repeated failed logins do not change this field by themselves; that kind of lockout is handled by a PAM module such as pam_faillock, if the system has one configured.
Last Password Change
This is the date of the last password change, expressed as a whole number of days since 1 January 1970. For example, 3295 means 3295 days after 1 January 1970. A value of 0 means the user must change the password at the next login.
Days until a change is allowed
Some password policies require you to keep a new password for a minimum number of days before you can change it again. This stops a user from changing an expired password and then immediately changing it back to the old one.
Days before a change is required
This is the maximum password age: after this many days the user is required to change the password. Most organizations use 45, 60 or 90 days to force regular password changes for security reasons.
Password expiration warning
This is the number of days before the password expires that the user starts getting a warning at login that a change is due, commonly 7 or 14 days.
Days between expiration and deactivation
Linux allows a gap between a password expiring and the account being deactivated. An expired password can still be used to log in, but the user is forced to change it immediately. For instance, if you had 60 days to change the password, did not, and it is now day 61, the system lets you log in one more time but makes you set a new password right then. If this inactivity period has also passed, you can no longer log in at all and have to contact the system administrator to unlock the account. Whatever the case, the old hash is still sitting in the shadow file; it just can no longer be used.
Once an account has been deactivated this way, it cannot be used again until the system administrator resets the password or adjusts the aging settings (with passwd or chage).
Expiration date
This shows the date the account itself expires, independent of the password. Just like the last password change date, it is expressed as a whole number of days since 1 January 1970. An empty field means the account never expires.
Special flag
This field is reserved for future use; it is normally empty.
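As an added example (not part of the original notes), the following Python code decodes shadow records with the fields just described and classifies each account the way the login process would on a given day. The sample records are constructed; $6$salt$hash stands in for real SHA-512 hashes, and the day numbers are chosen so that 18160 is 21 September 2019.

```python
# Added example (not from the original notes): decode the aging fields of
# /etc/shadow records and classify each account the way the login process does.
# SAMPLE_SHADOW is constructed; "$6$salt$hash" stands in for real SHA-512 hashes.
from datetime import date, timedelta

SHADOW_FIELDS = ("name", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire", "reserved")
EPOCH = date(1970, 1, 1)
NO_MAX = 99999          # the default maximum age, effectively "never expires"

SAMPLE_SHADOW = """\
root:$6$salt$hash:18000:0:99999:7:::
robertwelks:$6$salt$hash:18160:0:99999:7:::
robert:$6$salt$hash:18160:0:60:14:7::
dormant:$6$salt$hash:18000:0:60:14:7::
locked:!$6$salt$hash:18160:0:99999:7:::
sync:*:17000:0:99999:7:::
guest::18160:0:99999:7:::
contractor:$6$salt$hash:18160:0:99999:7::18190:
newhire:$6$salt$hash:0:0:99999:7:::
"""


def days_to_date(days):
    """Date fields hold whole days since 1 January 1970."""
    return EPOCH + timedelta(days=days)


def parse_shadow(text):
    records = []
    for line in text.splitlines():
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != len(SHADOW_FIELDS):
            raise ValueError(f"malformed shadow record: {line!r}")
        rec = dict(zip(SHADOW_FIELDS, parts))
        for field in SHADOW_FIELDS[2:8]:
            rec[field] = int(rec[field]) if rec[field] else None  # empty = not set
        records.append(rec)
    return records


def account_status(rec, today):
    """today is a day count like the file's own fields; returns the first rule that applies."""
    pw = rec["password"]
    if pw.startswith(("!", "*")):
        return "locked"           # '!' + hash: passwd -l / usermod -L; lone '*': no password login
    if pw == "":
        return "no-password"      # anyone can log in as this user without a password
    if rec["expire"] is not None and today >= rec["expire"]:
        return "account-expired"  # the account itself has expired, whatever the password
    last = rec["last_change"]
    if last == 0:
        return "must-change"      # chage -d 0: forced password change at next login
    if last is None or rec["max_days"] is None or rec["max_days"] >= NO_MAX:
        return "ok"
    expires_on = last + rec["max_days"]
    if today > expires_on:
        inactive = rec["inactive_days"]
        if inactive is not None and today > expires_on + inactive:
            return "inactive"     # grace period over: login refused until an admin resets it
        return "expired"          # login still allowed, but the password must be changed now
    if rec["warn_days"] is not None and today >= expires_on - rec["warn_days"]:
        return "warn"             # login prints the "password will expire" warning
    return "ok"


def report(text, today):
    return {r["name"]: account_status(r, today) for r in parse_shadow(text)}


def over_max_age(text, policy_max_days):
    """Accounts with a usable password whose maximum age exceeds the policy."""
    return [r["name"] for r in parse_shadow(text)
            if r["password"] and not r["password"].startswith(("!", "*"))
            and (r["max_days"] is None or r["max_days"] > policy_max_days)]


if __name__ == "__main__":
    today = 18210                                   # 10 November 2019
    for name, status in report(SAMPLE_SHADOW, today).items():
        print(f"{name:12} {status}")
    print("over 60-day policy:", over_max_age(SAMPLE_SHADOW, 60))
```

On a real system the "today" value is the current date converted the same way (the number of days since the epoch), and the input is /etc/shadow read as root.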
The Shadow File
The shadow file is stored with restrictive permissions and is owned by root (on Debian and Ubuntu it is root:shadow with mode 640, so only root and members of the shadow group can read it). This matters: it keeps regular users from reading the file and obtaining the list of hashes, because even in salted, hashed form those hashes can be fed to cracking tools that try candidate passwords until one matches. By contrast, /etc/passwd must be readable by all users, including ordinary ones, so it has less restrictive permissions (644). It is important to understand that an account is not a single entity like a program binary.
Account information is spread across several configuration files on your system, including
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow (group passwords and group administrators)
and other configuration files depending on your distribution.
Understanding groups
Groups are collections of accounts and are defined in the /etc/group file. Just like /etc/passwd, /etc/group contains colon-delimited records, one per line, and each one defines a single group.
Fields in a group file
Name of the group – This is the first field; it is what you use with most of the commands that manipulate group data.
Password – Groups can also have passwords. A value of x means the password is defined elsewhere (in /etc/gshadow); the password can also be disabled.
An empty password field means the group has no password.
GID – Group identifier. Linux uses GID values internally, just as it uses UID values; translating to and from group names is done for the benefit of humans, users and administrators.
User list – The last field of each /etc/group record is a comma-delimited list of the users who belong to the group. Users can be made members of a group in two different ways.
The first way is the GID in the user's /etc/passwd entry. There is only room for one GID there, so only one group can be defined this way: the user's primary (default) group. Additional groups are assigned the second way, by listing the username in the member field of the group's /etc/group record. A single user can appear in many /etc/group records, and a single group can list many users. A group the user belongs to this way, but not via the passwd entry, is called a secondary (supplementary) group. Note that a user whose primary GID is a group does not appear in that group's member list in /etc/group, so grepping /etc/group alone does not show you everyone who is in a group.
When you create new files, they are associated with your current group. When a user logs in, the current group is set to their primary group. To create files that belong to another group the user is a member of, they use the newgrp command:
newgrp [groupname]
Any new files created after the group has been changed belong to the new group.
Group ownership of files is really important in file security.
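As an added example (not part of the original notes), here is Python code that resolves a user's primary and supplementary groups from /etc/passwd and /etc/group the way id reports them, and lists the real membership of a group, including users whose primary GID is that group and who therefore never appear in /etc/group. Both sample files are constructed; the ops account, whose primary GID is 27 (sudo), is there to show that case.

```python
# Added example (not from the original notes): resolve group membership from
# /etc/passwd and /etc/group the way id(1) does, and list a group's real members.
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed for this example.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
robertwelks:x:1001:1001:Robert Michael Welks:/home/robertwelks:/bin/bash
robert:x:1002:1002::/home/robert:/bin/bash
ops:x:1003:27::/home/ops:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:robertwelks
robertwelks:x:1001:robert
robert:x:1002:
students:x:1003:robert,robertwelks
"""


def load_passwd(text):
    """name -> (uid, primary gid)"""
    users = {}
    for line in text.splitlines():
        if line:
            name, _, uid, gid, *_ = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def load_group(text):
    """Ordered list of (name, gid, members); file order is kept because id keeps it."""
    groups = []
    for line in text.splitlines():
        if line:
            name, _, gid, members = line.split(":")
            groups.append((name, int(gid), [m for m in members.split(",") if m]))
    return groups


def id_line(user, passwd_text, group_text):
    """Build the same line `id <user>` prints: uid, gid, then all groups."""
    users = load_passwd(passwd_text)
    if user not in users:
        raise KeyError(f"id: '{user}': no such user")
    uid, gid = users[user]
    groups = load_group(group_text)
    names = {g: n for n, g, _ in groups}
    primary = names.get(gid, str(gid))
    # primary group first (from passwd), then every group whose member list names the user
    member_of = [(gid, primary)]
    for name, g, members in groups:
        if user in members and g != gid:
            member_of.append((g, name))
    return (f"uid={uid}({user}) gid={gid}({primary}) "
            "groups=" + ",".join(f"{g}({n})" for g, n in member_of))


def members_of(group, passwd_text, group_text):
    """Real membership: the /etc/group member list plus anyone whose primary GID is this group."""
    users = load_passwd(passwd_text)
    for name, gid, members in load_group(group_text):
        if name == group:
            primary = [u for u, (_, g) in users.items() if g == gid]
            return sorted(set(members) | set(primary))
    raise KeyError(f"no such group: {group}")


if __name__ == "__main__":
    print(id_line("robert", SAMPLE_PASSWD, SAMPLE_GROUP))
    print("sudo members:", members_of("sudo", SAMPLE_PASSWD, SAMPLE_GROUP))
```

The point of members_of is the second source of membership: grep sudo /etc/group shows only robertwelks, but ops is in the sudo group through its passwd entry and has the same rights.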
Using Accounting Tools
Let's take a look at some commands that tell you about the users and groups on a Linux system. Most notably, we have the whoami and id utilities, which tell a user about their own identity, and the who and w utilities, which show who is currently using the computer.
If a user has multiple accounts and cannot remember which one they are logged in as, that is when you use the whoami command. Just type whoami and press Enter, and it displays the username of the current user.
If you need more information, that is where the id utility comes in.
Typing id shows the current UID, the current GID and all of the group memberships for that user.
The id command displays both the numeric UID and GID values and their associated names, so you see what the computer thinks alongside what we read as humans. The group shown as gid is the current group, the one that is active either by default (the primary group) or because the user ran newgrp last.
Linux lets multiple users access a computer simultaneously because it is a multi-user OS. Most often this is done through remote access, using something like Secure Shell (SSH). However, users can also use virtual terminals (VTs) to log in multiple times from a single keyboard and monitor.
Sometimes it is good to know who is using the computer before shutting it down, so you avoid inconveniencing other users who may still have work to do. To figure out who is online we use the who command. The default output of who has several columns:
First is the username, in the first column of who's output; this tells us who is logged in.
Second is the terminal identifier. This column shows the terminal the session is attached to. An identifier like :0 means a local login using the graphical user interface.
You will also see pts or tty followed by a number. tty1, for example, is a text session on virtual terminal one, while pts/0 is a pseudo-terminal.
A pseudo-terminal session can be a terminal window launched inside the GUI or a remote login over SSH or another protocol; a tty is a text-mode console login.
After that comes the login date and time, when the person actually logged in. So you know whether they have been logged in for 5 minutes, 5 hours or 5 weeks.
The final column is the remote host, the source of the login. Console logins, whether text mode or graphical, have no source, or show the X display such as (:0) on some systems.
A hostname or IP address tells you the session is a remote login, for example over SSH, from whoever is at that address.
An alternative to who is the program w. w is similar to who but produces more verbose output, including the terminal identifiers and login times in a different format plus extra columns.
In addition to what who shows, w reports each session's idle time: how long the session has been open without the user interacting with it. If I logged on two weeks ago but have not typed anything since, you will see that, and you might be more comfortable shutting down the computer.
Next is a column called JCPU. This is the total CPU time used by all processes attached to that terminal.
So you can tell whether that user is actually using the computer and doing things with it.
Another column, PCPU, is the CPU time used by the current process, the one shown in the WHAT column.
So you see the total for the session and the amount for the current process. Then the WHAT column tells you what command the session is actually running.
As you can see, who and w let you figure out who is logged in to a system at any given time and what they are doing. w gives more information than who, but both are really useful.
Creating accounts from the Shell
To create a new user you have to use sudo, because only root can create accounts on the system.
So we use sudo with adduser, the command we want, followed by the username of the person we want to add.
Say I want to add Robert Welks as a new account on the system:
sudo adduser robertwelks
Press Enter and it asks for a new UNIX password. What password should Robert Welks log in with? Type it in, then type it again to confirm. You can choose whatever password you want, and hopefully it is something long and strong.
Having set the password, adduser asks for the other information it stores in the comment field of the passwd record:
Full Name []: Robert Michael Welks
Room Number []: Office 1
Work Phone []: 555-555-5555
Home Phone []: 555-555-5555
Other []: Robert is the CEO
Is the information correct? [Y/n] Y
That's it. adduser reports what it did: it added a new group called robertwelks, added the user robertwelks with that group as its primary group, created the home directory /home/robertwelks, copied the files from /etc/skel (the skeleton of what a normal user's home directory looks like) into it, set the password and stored the information we typed.
That is how you create a basic user this way. To verify that it actually worked, look at the passwd file, /etc/passwd. If we display it with cat, we can see whether robertwelks is listed as one of the users:
cat /etc/passwd
The output lists every account on the system, and the last record is robertwelks. You will see robertwelks, then x where the password would be (it is stored in /etc/shadow instead), his UID and GID, then his name, office, work phone, home phone and the comment we entered in the GECOS field, his home directory and his default shell, in this case /bin/bash.
A few lines higher you will see the account I am logged in with right now, laid out the same way, with its own home directory and /bin/bash. So the new account was created correctly. Now, on a system with thousands of users, as a Linux server might have, there has to be a better way than searching through the file with your eyes.
Well, there is! Remember grep: we can search for a line that begins with robertwelks, because that is the user we are looking for.
grep '^robertwelks' /etc/passwd
That finds the one matching line in the passwd file. If we also want to know which line it is on, add -n:
grep -n '^robertwelks' /etc/passwd
That tells me robertwelks is on line xx of the passwd file, with his information. That is one way to create a user, with adduser. To learn more about it, type man adduser and read through the pages of the manual.
There are other ways to add users as well. One is the low-level utility useradd. With it you spell everything out on the command line: -s gives the shell you want to assign (if you did not want /bin/bash you could use something else; I still like /bin/bash), -d gives the home directory, /home/robert in our case, -m tells it to actually create that directory and copy /etc/skel into it, -G gives a supplementary group to put the user in, and finally the username, robert:
sudo useradd -s /bin/bash -d /home/robert -m -G robert robert
useradd: group 'robert' does not exist
It says group robert does not exist. Of course it does not, because we have not created it yet. So we either create it first, or put him into the other group that was just added, robertwelks:
sudo useradd -s /bin/bash -d /home/robert -m -G robertwelks robert
There we go. On Ubuntu, useradd also creates a private primary group named after the user, so robert ends up with robert as his primary group and robertwelks as a secondary one. Now there are three users on the system: my own account, robertwelks and robert. But I have not set a password for this new user yet, so he cannot log in. How do I do that?
Well, I use
sudo passwd robert
and give him a new password, twice. Now, to verify that the new account robert has been created, how would we do that?
Let's use the grep command from before, but search for robert instead of robertwelks. I should get back two lines: the robertwelks account and the robert account we just created.
grep -n '^robert' /etc/passwd
There we go. Line xx is the one we created with adduser at the beginning, and line 44 is the one we just made with useradd. As you can see, in Linux there are lots of different ways to do the same thing.
Personally, I like adduser better. It is more interactive, asks you questions along the way and lets you put in the additional information you may need, such as phone numbers and office number. But both work, and both create a new user for you; it just depends which one you like better.
Modifying and deleting accounts
In the last lesson I created two new accounts, robertwelks and robert. Now, what if robert or robertwelks forgets their password? How can we reset it?
Well, if we are the system administrator we can do that for them.
We use sudo to run the command as root, then the passwd command, and if we give it a username as an argument we change the password for that person.
For example, to change the password for robert I type
sudo passwd robert
Enter new UNIX password:
I can set it to whatever I want, say 12345, and confirm it. Press Enter.
His password has now been reset to 12345 (a terrible password, used here only to show the mechanism). Notice the power here: as root I did not need to know his old password. I can override it with a new one whenever I want. This is something very powerful that you need to remember as a system administrator: anyone who can run passwd as root can take over any account. The passwd command has a lot of other features too.
For example, we can get information about a user's account. With passwd -S we get the status of robert's account in terms of its password security. One line comes up:
sudo passwd -S robert
robert P 09/21/2019 0 99999 7 -1
Here robert is the user, then P. That letter tells you whether the account has a usable password (P), no password (NP) or a locked password (L). P means he has a valid, usable password.
NP means no password is assigned. L means the password is locked, which an administrator does with passwd -l (it puts a ! in front of the hash in /etc/shadow); it is not a record of failed login attempts. Next you see the date of the last password change.
In this case it was last changed on 9/21/2019. After that comes the minimum password age. Here it is 0, which means this person can change the password as many times and as frequently as they want.
Next is 99999, the maximum age of this password, in days. So robert can keep the password I just set for 99,999 days, pretty much forever. After that is the password expiry warning, 7 days: a week before it expires, in this case 99,992 days from now, login will say "hey Robert, your password is about to expire, you might want to change it". The last value, -1, is the inactivity period: -1 means none is set, so the account is never deactivated after the password expires.
To get the same information in an easier-to-read format, use the chage command with -l, which lists the aging information for robert:
sudo chage -l robert
Last password change : Sep 21, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Same information as on that single line, but a lot easier to read: the maximum is 99999 days and the warning period is seven days. Now I recommend running
man chage
and reading about the options, in particular -d and -E. For instance, chage -d changes the date of the user's last password change. As you can see, we have a lot of ability to change the different pieces of the user's password aging information.
This is really important from a security standpoint, because the defaults, being able to change the password as often as you want and keep the same one essentially forever, are not good for security. Instead, as a system administrator, when you create somebody's account you should set when that password will expire.
Generally we expire it about 60 days from creation and warn the user one to two weeks before that date that they need to change it. Using man chage you can see the options that set this up:
-d, the date of the last password change (chage -d 0 forces a change at the next login),
-E, the date the account expires,
-I, the number of inactive days after the password expires before the account is locked,
-m, the minimum number of days between changes,
-M, the maximum number of days before a change is required,
-W, the number of days of warning before expiry.
So that is how you modify a user's password aging information.
How do we change or rename a username if we need to? For instance, maybe I typed Robert's name wrong; maybe his name is actually Roberta, or Roberto.
We want to change this person's username. Can we do that? Certainly: just like in Windows, you can rename a user.
To do this we use two commands, id and usermod. The first is id. If I run id robert, I see his UID, his GID and the groups he is a member of:
id robert
uid=1002(robert) gid=1002(robert) groups=1002(robert),1001(robertwelks)
So robert's UID is 1002 and his primary GID is 1002, the group also named robert. He is in two groups: robert and robertwelks. These are the things we are going to change. First we use
usermod -l
followed by the new name and then the old name. For instance, we want roberto instead of robert:
usermod -l roberto robert
Permission denied. Why? Because we are not root: to change any user on the system you have to be root, so we need sudo.
sudo usermod -l roberto robert
There we go. Now if I run id robert, what happens? I should get an error, because there is no user robert anymore; instead there is a user named roberto. If I check roberto's information, it looks a lot like robert's old information: he is still UID 1002, but his name has changed to roberto. His primary group is still called robert. Why? Because I only changed the user entry; I did not change the group entry.
The other thing we can do is look at his home directory:
ls -ld /home/robert
This was his original home directory. The directory name has not changed, but the owner shown is now roberto.
That is because ownership is stored as the numeric UID 1002, and ls now maps 1002 to the name roberto; all I did was rename robert to roberto.
So how can I change that group, GID 1002, to be called roberto as well?
There is a command for that. First confirm the state:
id robert
id: 'robert': no such user
There is no such user, but if we do
id roberto
we see there is a user. To rename the group we use
sudo groupmod -n roberto robert
which says: rename the group robert to roberto. Press Enter. To verify it worked:
id roberto
uid=1002(roberto) gid=1002(roberto) groups=1002(roberto),1001(robertwelks)
You can see the group name has changed from robert to roberto.
So what did we learn here?
We can change usernames and group names:
usernames with usermod,
group names with groupmod.
And again, like everything else I have told you, open the man page for usermod and groupmod and read about them. You will see that you can change a lot more than the name: add the user to different groups (-G, with -a to append rather than replace the existing supplementary groups),
change the comment field (-c), change the home directory (-d), lock the account (-L) so the user cannot log in, set an expiry date (-e), and more. There are lots of things you can do with this program, so I recommend you play with it and get comfortable with it.
As a system administrator,
*usermod
*groupmod
are commands you are going to use a lot.
Now let's say we are done modifying this user. We have changed his name, changed his group, maybe even used the -d option (with -m to move the contents) to change his home directory, but now that person does not work for us anymore. Roberto just got fired and is going home. We want to turn off his account and delete it, because we do not need it on the server anymore.
We can do that with a command called
deluser
Again we run it with sudo, use deluser, give it --remove-home, which removes the home directory as well, and then the username, in this case roberto:
sudo deluser --remove-home roberto
Looking for files to backup/remove ...
Removing files ...
Removing user `roberto' ...
Warning: group `roberto' has no more members.
Done.
Press Enter and it looks for any files to back up or remove, removes them, removes the user and then warns that group roberto has no more members. Note that --remove-home only takes the home directory and mail spool; files the user owned elsewhere on the system need --remove-all-files, and --backup keeps an archive first. If I press the up arrow, I can bring back that grep command we used.
grep -n '^ro' /etc/passwd
I am just looking for "ro" at the beginning of a line, to see whether I find robert or roberto. What do I find? Only robertwelks. Line 44, with roberto, is no longer there, because it was deleted with sudo deluser. We have deleted that user.
There is a second way to delete a user, and I will use it to delete robertwelks to show you. Clear the screen, then use the userdel command:
sudo userdel -r robertwelks
So sudo, userdel -r and then the name of the person to remove, in this case robertwelks. Press Enter and we get a message saying the mail spool for robertwelks did not exist. That is okay, because we never set up mail for that user. If we do our grep again, we find nothing for robert. If we run id roberto, he is gone.
If we run id robertwelks, he is gone as well. We have deleted both users and verified it. Now, the nice thing about Ubuntu is that it also keeps a log of every account that is created or deleted. If you want to check that log and see who has been deleted recently, look at /var/log/auth.log, the authentication log. We can use grep,
or we can use cat, whichever we want. The problem is that with cat we see the entire file, and it can be really long, especially on a big server. But if we just deleted somebody recently, they should be right at the end of that file, and tail shows us the last few things that happened. So let's tail the last 15 lines of this log:
tail -n 15 /var/log/auth.log
On the screen we see the last 15 lines. Looking at the last things that happened, at 16:41:07 we deleted the user robertwelks.
A little higher, at 16:39:35, you see that we deleted the user roberto, removed roberto from the group robertwelks, and removed the group roberto that was owned by roberto.
So you can see that these accounts have been deleted. This is really useful, especially as a cyber security analyst, because you can find out whether somebody has been messing with the accounts on your system; the log also records the sudo invocation, so it shows which account ran the command.
Another way to do this is with grep. If I grep the log for the word userdel, to see whether anybody has run the user delete command, I can do that against this log as well:
grep userdel /var/log/auth.log
And there you go.
You see everything that has been deleted by userdel within the log file, not just the last 15 lines like tail showed us, but the entire log. And because we only deleted two users, we only see those two deletions on the screen.
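As an added example (not part of the original notes), the following Python code pulls account-management events out of auth.log and attributes each one to the person who ran sudo, which a plain grep for userdel does not give you. The log lines are constructed for this example and modelled on what useradd, usermod, userdel and sudo write on Ubuntu; the exact wording can differ between versions, so treat the patterns as assumptions to check against your own log.

```python
# Added example (not from the original notes): detect account creation, rename
# and deletion in auth.log and attribute each event to the sudo user behind it.
# SAMPLE_AUTH_LOG is constructed; message formats follow shadow-utils and sudo on
# Ubuntu as an assumption and should be checked against a real log.
import re
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Sep 21 16:39:01 server sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/useradd -s /bin/bash -d /home/robert -m -G robertwelks robert
Sep 21 16:39:01 server useradd[2201]: new group: name=robert, GID=1002
Sep 21 16:39:01 server useradd[2201]: new user: name=robert, UID=1002, GID=1002, home=/home/robert, shell=/bin/bash
Sep 21 16:39:01 server useradd[2201]: add 'robert' to group 'robertwelks'
Sep 21 16:40:12 server sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/usermod -l roberto robert
Sep 21 16:40:12 server usermod[2240]: change user name 'robert' to 'roberto'
Sep 21 16:41:07 server sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/userdel -r robertwelks
Sep 21 16:41:07 server userdel[2310]: delete user 'robertwelks'
Sep 21 16:41:07 server userdel[2310]: removed group 'robertwelks' owned by 'robertwelks'
Sep 21 16:41:07 server sshd[2350]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Sep 22 03:12:44 server userdel[2900]: delete user 'auditor'
"""

# syslog line: "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*COMMAND=(?P<cmd>.*)$")
EVENT_RES = {
    ("useradd", "create"): re.compile(r"new user: name=(?P<user>[^,]+)"),
    ("userdel", "delete"): re.compile(r"delete user '(?P<user>[^']+)'"),
    ("usermod", "rename"): re.compile(r"change user name '(?P<user>[^']+)' to '(?P<new>[^']+)'"),
}


def account_events(log_text, window_seconds=5):
    """Return account events; actor is the sudo user seen within window_seconds before."""
    events, last_sudo = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; good enough for ordering within one file
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if m["prog"] == "sudo":
            s = SUDO_RE.match(m["msg"])
            if s:
                last_sudo = (ts, s["actor"], s["cmd"])
            continue
        for (tool, action), rx in EVENT_RES.items():
            if m["prog"] != tool:
                continue
            e = rx.search(m["msg"])
            if not e:
                continue
            actor = "unattributed"   # no sudo record nearby: root shell, cron, or another host's tool
            if last_sudo and abs((ts - last_sudo[0]).total_seconds()) <= window_seconds:
                actor = last_sudo[1]
            events.append({"time": m["ts"], "action": action, "user": e["user"],
                           "new_name": e.groupdict().get("new"), "actor": actor})
    return events


def unattributed_deletions(events):
    """Deletions with no sudo record to explain them: the ones an analyst should chase."""
    return [e for e in events if e["action"] == "delete" and e["actor"] == "unattributed"]


if __name__ == "__main__":
    evs = account_events(SAMPLE_AUTH_LOG)
    for e in evs:
        print(f"{e['time']} {e['action']:7} {e['user']:12} by {e['actor']}")
    print("unexplained deletions:", [e["user"] for e in unattributed_deletions(evs)])
```

The 03:12:44 deletion of auditor has no sudo line beside it, so it was run from a root shell or by something other than an administrator typing sudo; that is the event worth following up.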
usermod, groupmod and deluser are commands you will use a lot as a system administrator.
Explore the following commands:
usermod
groupmod
chage
deluser