useradd -s /bin/bash -m NEWUSERNAME
adds a user (the default primary group is the username), with bash as the login shell, and automatically creates the home directory
usermod -a -G admin NEWUSERNAME
appends the user to the "admin" group without removing existing group memberships (better than visudo)
passwd username
prompts to enter a password for that user
adduser username admin
adds them to the "admin" group, which is good for the /etc/sudoers file! Note we haven't given them a home directory
cat /etc/passwd
lists all the users on the system including their UID and GID, their home directory and their login shell
users
if you have permission, shows all of the users currently logged in to the system
id
shows your UID and the GIDs of the groups you belong to (when you are not root, this is your own account's ids)
groups
shows the groups the current user is a member of
groups user1 user2
shows the groups that the specified user(s) is a member of
cat /etc/group
lists the groups on the system with their GID and members (GID = group id, the group counterpart of the UID = user id)
groupadd
create a new group
groupdel
delete a group
groupmod
modify a group
useradd -G group1,group2 username
creates the user and adds them to the listed supplementary groups
usermod -aG groupname username
appends membership to a group
useradd --help //Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR       base directory for the new user account home directory
-c, --comment COMMENT         set the GECOS field for the new user account
-d, --home-dir HOME_DIR       home directory for the new user account
-D, --defaults                print or save modified default useradd configuration
-e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
-g, --gid GROUP               force use GROUP for the new user account
-G, --groups GROUPS           list of supplementary groups for the new user account
-h, --help                    display this help message and exit
-k, --skel SKEL_DIR           specify an alternative skel directory
-K, --key KEY=VALUE           overrides /etc/login.defs defaults
-m, --create-home             create home directory for the new user account
-o, --non-unique              allow create user with duplicate (non-unique) UID
-p, --password PASSWORD       use encrypted password for the new user account
-r, --system                  create a system account
-s, --shell SHELL             the login shell for the new user account
-u, --uid UID                 force use the UID for the new user account
To use the -p or --password option you must supply an already-encrypted password, e.g. generated with a perl statement:
perl -e 'print crypt("string", "salt"),"\n"'
returns sa3tHJ3/KuYvI, that is, "string" encrypted using the salt "salt" (a salt comprises random bits that are used as one of the inputs to a key derivation function)
So we use a variable:
password="example-password"
pass=$(perl -e 'print crypt($ARGV[0], "password")' $password) //to match linux we're using
echo $pass
usermod
userdel
http://linux.die.net/man/8/usermod
chage
change user password expiration
ac
not always installed by default, shows users' connect time
SEE the Permissions page on how to change ownership and permissions of files for users/groups (chown, chgrp)
newgrp groupname //start a new shell with groupname as your default group
Typical Default Group Numbers
Group    GID
root     0
bin      1
daemon   2
sys      3
adm      4
tty      5
disk     6
lp       7
mem      8
kmem     9
wheel    10
mail     12
man      15
floppy   19
named    25
rpm      37
xfs      43
apache   48
ftp      50
lock     54
sshd     74
nobody   99
users    100
http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
Securing what users can do with /bin/nologin or /bin/false
For security we can run the command
usermod -s /usr/sbin/nologin USERNAME
sets the user's login shell to nologin so the account cannot get an interactive shell (previously /bin/false was used for this)
usermod -d /pathtohomedir/orftp USERNAME
changes the user's home directory, e.g. to an FTP directory
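An added example (not part of the original notes) of the check a defender would run before the nologin change above: it finds system accounts that still have an interactive login shell. It reads passwd-format lines, here a constructed sample rather than the real /etc/passwd, and only prints the usermod commands for review.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd lines (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:50:50:ftp user:/srv/ftp:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svcapp:x:999:999:app service:/opt/app:/bin/bash'

# Print "user:uid:shell" for every account whose login shell is interactive,
# i.e. neither a nologin binary nor /bin/false. Reads passwd lines on stdin.
interactive_accounts() {
    awk -F: '$7 !~ /nologin$/ && $7 != "/bin/false" { print $1 ":" $3 ":" $7 }'
}

# System accounts (UID below 1000, root excluded) that still have an
# interactive shell: the candidates for  usermod -s /usr/sbin/nologin USERNAME
system_accounts_with_shell() {
    interactive_accounts | awk -F: '$2 < 1000 && $1 != "root" { print $1 }'
}

# Emit the usermod command that would lock each flagged account's shell.
# Nothing is executed here; the output is meant to be reviewed first.
suggest_nologin() {
    system_accounts_with_shell | while read -r user; do
        echo "usermod -s /usr/sbin/nologin $user"
    done
}

printf '%s\n' "$SAMPLE_PASSWD" | suggest_nologin
```

On a live host replace the sample with `cat /etc/passwd | suggest_nologin` and check each flagged account really has no interactive use before applying the change.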
Security through Ownership
Although access permissions are a larger subject not covered here, it is important to point out that user or group ownership is the primary way to secure the permissions of files and directories:
chgrp UsernameOrGroupname /path/to/directory/or/file
changes the group ownership of a particular object to the specified group (chown changes the owning user, see the Permissions page); used in conjunction with setting permissions, e.g.
chmod 400 filename.txt
prevents anyone except the owner from reading the file