A Linux User Reference

ADMINISTRATION

Users & groups

  • User profile template files
    /etc/skel

    A directory containing templates of user profile files. Used to populate a default user account.

    Possible contents

    .bash_logout
    .bash_profile
    .bashrc
    
  • User and group IDs
    /etc/login.defs
    • Some newer systems start user IDs at 1000 rather than 500.
    • Values of 1000 (or 500) and greater normally signify ordinary users.
    • Values below 1000 (or 500) are reserved for system users.

    Maximum and minimum UIDs, GIDs are defined in /etc/login.defs

    .....
    UID_MIN        1000
    UID_MAX        60000
    .....
    GID_MIN        1000
    GID_MAX        60000
    .....
    

    This file is the configuration file for the login program and also for the Shadow Suite as a whole. It also contains:

    • settings that control what the prompts will look like
    • flags that control the amount of logging that takes place
    • pointers to other configuration files
    • default assignments for things like password aging, expiration ...
  • Create, update a user account
    /usr/sbin/useradd

    Add a user with default settings using '/etc/skel'

    # useradd jbloggs
    

    Add user, create home dir, GECOS field and 'tcsh' as login shell

    # useradd -mc "John Doe" -s /bin/tcsh jdoe
    

    Display current account-creation defaults

    $ useradd -D                                  
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/sh
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=no
    
  • More user and group account commands

    Delete a user account - /usr/sbin/userdel

    userdel [options] user
    

    Modify a user account - /usr/sbin/usermod

    usermod [options] user
    

    Create a group account - /usr/sbin/groupadd

    groupadd [options] group 
    

    Delete a group account - /usr/sbin/groupdel

    groupdel group
    

    Modify a group account - /usr/sbin/groupmod

    groupmod [options] group
    

    Change a group ID - /usr/bin/newgrp

    newgrp [-] group
    

    Changes the current group ID during a login session. If the '-' option is used, the user's environment is reinitialised as though the user had just logged in.

  • Modify a user account password
    /usr/bin/passwd

    Display status of user mark's password

    # passwd -S mark
    Mark P 2007-11-09 0 99999 7 -1
    

    Change own passwd

    $ passwd
    

    You are prompted for the current password, then the new one, then confirmation of the new one.

    Change another user's password

    # passwd mark                       (as root)
    or
    $ sudo passwd mark  
    
  • Change user password expiration details
    /usr/bin/chage

    The date may also be expressed in the format YYYY-MM-DD

    List user's account aging information

    # chage -l mark
    Last password change                       : Nov 09, 2007
    Password expires                           : never
    .....
    
  • User account password file
    /etc/passwd

    Plain text, readable by all; contains no passwords if shadow passwords are compiled in. A password field of 'x', '!', '*' or 'blank/null' is a space filler. This prevents someone from being able to determine if a password has been set or not.

    Sample entries - /etc/passwd

    # Format:
    # username:password:UID:GID:comments:home dir:default shell
    
    mark:x:1000:1000:mark,,,:/home/mark:/bin/bash
    debian-tor:x:113:124::/var/lib/tor:/bin/bash
    .....
    

    An 'x' in the 2nd field indicates that the shadow password file ('/etc/shadow') is being used.

  • User account shadow password file
    /etc/shadow

    Plain text, readable by root, contains encrypted passwords omitted from /etc/passwd. A password field that is not a valid 'crypt' string, or that has not been set, can be '!', 'x' or '*'.

    Sample entries - /etc/shadow

    # Format: 
    # username:encrypted password:"info :on:password:ageing":::
    
    mark:$1hfasdtyutdjm3wwSng1:13826:0:99999:7:::
    debian-tor:*:14183:0:99999:7:::
    .....
    
  • Group account password file
    /etc/group

    Plain text, readable by all. The password field can be 'blank/null', '!' or 'x' and, depending on the implementation, may indicate whether a password is set or not. Commonly it is set to 'x', and one should not be able to determine if a password is set by looking into this file.

    Sample entries - /etc/group

    # Format:
    # grp name:grp password:grp ID:members list
    
    adm:x::root,adm,daemon
    sambashare:x:126:mark,mary
    fuse:x:107:mark,mary
    ..... 
    
  • Group account shadow password file
    /etc/gshadow

    Plain text, readable by root, contains encrypted group passwords omitted from /etc/group. If the password field is '!', 'x' or a non-valid 'crypt' string, it means that the group password is not set.

    Sample entries - /etc/gshadow

    # Format:
    # grp name:encrypted password:administrators list:members list
    
    adm:*::mark
    sambashare:NBHlVgBRKqBek:mark:mark,mary
    fuse:!::mark,mary
    .... 
    
  • The Shadow Suite

    Shadow configuration involves the installation of the 'shadow suite of programs' (pretty much the default these days). They provide an extra layer of security to the original /etc/passwd and /etc/group files. Passwords are removed from these files and are encrypted and stored in shadow files.

    Account management programs (as above i.e. useradd, userdel ...) are written to operate on both sets of files.

    On Debian systems, front-ends to these commands such as adduser, deluser ... also exist. Their default behaviour is controlled by configuration files such as /etc/adduser.conf, /etc/deluser.conf ...

  • Manage group account file
    /usr/bin/gpasswd

    Allows for the administration of the /etc/group file (and /etc/gshadow file).

    Every group can have administrators, members and a password. When called by a group administrator with group name only 'gpasswd' prompts for the group password.

    If a password is set, group members can still 'newgrp' without a password, non-members must supply the password.

    Command usage

    gpasswd [options] group
    

    Assign user mark as an administrator for the 'sambashare' group

    $ sudo gpasswd -A mark sambashare
    

    Change a group password

    $ gpasswd sambashare
    Changing the password for group sambashare
    New Password: 
    Re-enter new password:
    
  • Convert files to, from shadow system
    /usr/sbin/pwconv, pwunconv, grpconv, grpunconv

    The commands have no options. Their behaviour is configured via variables in /etc/login.defs.

    Variable that alters the behaviour of 'grpconv' and 'grpunconv'

    MAX_MEMBERS_PER_GROUP
    

    Variables that alter the behaviour of 'pwconv'

    PASS_MAX_DAYS
    PASS_MIN_DAYS
    PASS_WARN_AGE
    
  • Verify integrity of password files
    /usr/sbin/pwck

    Verifies the integrity of the system authentication information. All entries in /etc/passwd and /etc/shadow are checked to see that each entry has the proper format and valid data in each field.

    Report errors only – no warnings reported

    pwck [-q] [passwd [ shadow ]]
    

    Execute command in read only mode

    pwck [-q] [-r] [passwd shadow]
    

    All questions are defaulted to 'no'. User receives no prompts to make changes.

    '-s' sort entries by UID

  • Verify integrity of group files
    /usr/sbin/grpck

    Verifies the integrity of the system authentication information. All entries in /etc/group and /etc/gshadow are checked to see that each entry has the proper format and valid data in each field.

    Command usage

    grpck [-r] [group [ shadow ]]
    grpck [-s] [group [ shadow ]]
    

    Options same as for 'pwck'.
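
The /etc/passwd and /etc/shadow field layouts and the UID ranges described above are enough to script a read-only account check to run alongside 'pwck'. This is an added example, not part of the original reference: the function names, finding labels and sample accounts are constructed, and UID_MIN is assumed to be 1000 unless a third argument is given.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW [UID_MIN]
# Prints one "user:finding" line per problem found in passwd/shadow-format files.
audit_accounts() {
    awk -F: -v uid_min="${3:-1000}" '
        /^#/ || NF == 0 { next }
        # Pass 1 (shadow file): remember each password field by username.
        pass == 1 { shadow[$1] = $2; next }
        # Pass 2 (passwd file): username:password:UID:GID:comments:home:shell
        NF != 7 { print $1 ":bad-field-count"; next }
        $3 == 0 && $1 != "root" { print $1 ":uid0-not-root" }
        $3 > 0 && $3 < uid_min && $7 !~ /(nologin|false)$/ {
            print $1 ":system-uid-with-login-shell"
        }
        $2 == "" { print $1 ":empty-passwd-field"; next }
        $2 != "x" { next }                # entry does not point at the shadow file
        !($1 in shadow) { print $1 ":no-shadow-entry"; next }
        shadow[$1] == "" { print $1 ":empty-shadow-password" }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample data (not real accounts or hashes), written to a temp dir.
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mark:x:1000:1000:mark,,,:/home/mark:/bin/bash
debian-tor:x:113:124::/var/lib/tor:/bin/bash
backup2:x:0:0::/root:/bin/bash
mary:x:1001:1001::/home/mary:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
broken:x:1003:/home/broken:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:13826:0:99999:7:::
mark:$6$CONSTRUCTED$notARealHash:13826:0:99999:7:::
debian-tor:*:14183:0:99999:7:::
mary::13826:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo_audit
```

On a live system the same function can be pointed at /etc/passwd and /etc/shadow as root; it only reads the files and changes nothing.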