Linux System Administration

Advanced User Management & Security

1. Profiles

User profiles in Linux refer to the environment settings and configurations that are loaded when a user logs in. These settings determine how the shell behaves, what commands are available, and where user-specific files are located. They are typically defined in various dotfiles (hidden files) in the user’s home directory.

Key Profile Files:

  • .profile: Sourced by login shells (e.g., when you log in directly to a text console or via SSH). It’s generally used for environment variables that affect all programs, such as PATH, EDITOR, etc.
  • .bashrc: Sourced by interactive non-login Bash shells (e.g., when you open a new terminal window). It’s typically used for Bash-specific configurations like aliases, functions, and shell options.
  • .bash_profile: If present, Bash login shells will read .bash_profile instead of .profile. Often, .bash_profile will source .bashrc to ensure consistency.
  • .bash_logout: Executed when a Bash login shell exits. Useful for cleanup tasks.
  • /etc/profile: A system-wide profile file sourced by all login shells. Administrators use this to set global environment variables and execute commands for all users.
  • /etc/bash.bashrc: A system-wide Bash configuration file sourced by all interactive Bash shells.

Example:

Contents of a typical .bashrc file:

# .bashrc

# Source global definitions
if [ -f "/etc/bash.bashrc" ]; then
    . "/etc/bash.bashrc"
fi

# User specific aliases and functions
alias ll='ls -alF'
alias grep='grep --color=auto'

# Set custom prompt
PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '

When a user opens a new terminal, these aliases and the custom prompt will be active.

2. Locking Accounts

Locking a user account prevents the user from logging in without actually deleting their account or data. This is useful for temporary suspensions, accounts that are not currently in use, or for security investigations.

Methods to Lock an Account:

  • Using usermod: The most common method.
  • Modifying /etc/shadow: Manually prefixing the password hash with an exclamation mark.

Example:

To lock the account for user ‘john’:

$ sudo usermod -L john

This command adds an exclamation mark (!) at the beginning of the password hash in /etc/shadow, rendering the password invalid.

You can verify the lock by checking /etc/shadow (as root):

$ sudo grep ^john /etc/shadow
john:!$6$rounds=...

To unlock the account:

$ sudo usermod -U john

This removes the exclamation mark, restoring the password’s validity.

3. Setting Passwords

Setting or changing a user’s password is a fundamental aspect of user management. The passwd command is used for this purpose.

Using the passwd command:

  • For your own password: Simply run passwd.
  • For another user’s password: Requires root privileges (sudo).

Example:

To change your own password:

$ passwd
Changing password for user.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

To set a password for a new user ‘student’ (as root/sudo):

$ sudo passwd student
New password: 
Retype new password: 
passwd: password updated successfully

You can also force a user to change their password on next login:

$ sudo chage -d 0 student

This sets the last password change date to January 1, 1970, effectively forcing a password change.
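The two states described in sections 2 and 3 are both visible in the /etc/shadow fields that usermod -L and chage -d 0 rewrite. The script below is an added example, not part of the lesson: it parses shadow-style lines from a constructed sample (the hashes are fake) and reports, per account, whether the password is locked (a "!" prefix on the hash) and whether the next login must set a new password (last-change field of 0). One caveat worth knowing, taken from the usermod manual: the "!" prefix only blocks password authentication, so a login that never checks the password, such as SSH with a public key, still succeeds unless the account is also expired (usermod -e 1 or chage -E 0).

```shell
#!/bin/sh
# Added example (not the lesson's own code): audit /etc/shadow-style entries for
# locked passwords (usermod -L) and forced password changes (chage -d 0).
# The lines below are constructed; the hashes are placeholders, not real ones.
SAMPLE_SHADOW='root:$6$saltsalt$FAKEHASHFAKEHASH:19700:0:99999:7:::
john:!$6$saltsalt$FAKEHASHFAKEHASH:19700:0:99999:7:::
student:$6$saltsalt$FAKEHASHFAKEHASH:0:0:99999:7:::
svc:*:19700:0:99999:7:::
guest::19700:0:99999:7:::'

# Print colon-separated field number $2 of shadow line $1.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Classify the password field (field 2):
#   locked  - hash prefixed with "!" (what usermod -L / passwd -l write)
#   nopass  - "*": no password was ever set, password login impossible
#   empty   - empty field: login without a password may be possible, worth flagging
#   active  - a usable hash
password_state() {
    pw=$(shadow_field "$1" 2)
    case "$pw" in
        '')   echo empty ;;
        '*')  echo nopass ;;
        '!'*) echo locked ;;
        *)    echo active ;;
    esac
}

# "yes" when the last-change field (field 3) is 0, which is what chage -d 0
# sets and what makes the next login demand a new password.
must_change_password() {
    case "$(shadow_field "$1" 3)" in
        0) echo yes ;;
        *) echo no ;;
    esac
}

# Walk every line of a shadow listing ($1) and print one status line per account.
audit_shadow() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-8s password=%-7s must_change=%s\n' \
            "$(shadow_field "$line" 1)" "$(password_state "$line")" \
            "$(must_change_password "$line")"
    done
}

# On a real host the same functions run over the live file:
#   audit_shadow "$(sudo cat /etc/shadow)"
audit_shadow "$SAMPLE_SHADOW"
```

In the sample, john shows as locked, student as must_change=yes, svc as nopass (a typical service account) and guest as empty, the one state an administrator should always follow up on.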

4. Switching Users (`su`)

The su (substitute user) command allows you to switch to another user account from your current terminal session. This is often used to temporarily gain root privileges or to perform tasks as another user without logging out and back in.

Syntax:

su [options] [username]

Key Options:

  • - or -l (login shell): This option makes su behave as if the target user had logged in directly. It changes the environment to that of the target user, including their home directory and environment variables. This is generally recommended when switching to root.
  • No option: If no option is given, su switches to the target user but keeps the current user’s environment.

Example:

To switch to the root user (and load root’s environment):

$ su -
Password: 
# whoami
root
# pwd
/root

To switch to user ‘jane’ (and load jane’s environment):

$ su - jane
Password: 
$ whoami
jane
$ pwd
/home/jane

To switch to user ‘john’ but keep your current environment (less common):

$ su john
Password: 
$ whoami
john
$ pwd
/home/your_original_user

To exit the switched user session, type exit.

5. Switching Groups (`newgrp`)

The newgrp command allows a user to temporarily change their primary group to one of the groups they are a member of. This is useful when you need to create files with a specific group ownership for collaboration or access control.

Syntax:

newgrp [groupname]

Important Notes:

  • The user must already be a member of the target group.
  • newgrp creates a new shell with the new primary group.
  • If no groupname is specified, it attempts to change to the user’s default group.

Example:

Suppose user ‘john’ is a member of ‘developers’ and ‘designers’ groups, and his primary group is ‘john’.

Check current groups:

$ id -gn
john

Switch primary group to ‘developers’:

$ newgrp developers

Now, check the primary group again:

$ id -gn
developers

Any new files created in this shell will have ‘developers’ as their group owner. To revert, simply type exit to return to your previous shell session.
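The first note above, that the user must already belong to the target group, is decided from /etc/passwd (primary GID) and /etc/group (supplementary member lists). The script below is an added example, not the lesson's own: it parses constructed copies of both files and answers, for a user and a group, whether newgrp would be allowed without a group password, and lists every group the user could switch into, in the same order id -Gn prints them.

```shell
#!/bin/sh
# Added example (not the lesson's own code): check newgrp eligibility from
# passwd/group data. Both listings below are constructed samples.
SAMPLE_PASSWD='john:x:1001:1001:John:/home/john:/bin/bash
jane:x:1002:1002:Jane:/home/jane:/bin/bash'
SAMPLE_GROUP='john:x:1001:
jane:x:1002:
developers:x:2001:john,jane
designers:x:2002:john
ops:x:2003:'

# Name of the primary group of user $1: the GID from passwd, resolved via group.
primary_group() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $3 }')
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# "yes" if user $1 appears in the comma-separated member list (field 4) of group $2.
is_supplementary_member() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { print (found ? "yes" : "no") }'
}

# The membership rule from the lesson: newgrp succeeds without a group password
# only for the primary group or a group that already lists the user.
can_newgrp() {
    if [ "$(primary_group "$1")" = "$2" ] || [ "$(is_supplementary_member "$1" "$2")" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Every group user $1 could switch into, space separated, primary group first (like id -Gn).
eligible_groups() {
    printf '%s' "$(primary_group "$1")"
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) printf " %s", $1 }'
    printf '\n'
}

# Worked check for the scenario in the lesson.
echo "john -> developers: $(can_newgrp john developers)"
echo "jane -> designers:  $(can_newgrp jane designers)"
echo "john may switch to: $(eligible_groups john)"
```

To run the same logic against a real host, replace the two sample variables with the contents of /etc/passwd and /etc/group; the awk filters are unchanged.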

6. Removing Users (`userdel`)

Removing a user account involves deleting their entry from system files and optionally their home directory and mail spool. The userdel command is used for this purpose.

Syntax:

userdel [options] username

Key Options:

  • -r (remove home directory): This is the most common and recommended option. It removes the user’s home directory and mail spool along with the user account.

Important Considerations:

  • Always ensure the user is not logged in when you attempt to delete their account.
  • Back up any important data from the user’s home directory before deletion, especially if not using -r.
  • Check for any processes running under the user’s ID before deletion.

Example:

To remove a user ‘tempuser’ and their home directory:

$ sudo userdel -r tempuser

This command will:

  1. Remove the ‘tempuser’ entry from /etc/passwd.
  2. Remove the ‘tempuser’ entry from /etc/shadow.
  3. Remove the ‘tempuser’ from any groups listed in /etc/group.
  4. Delete the /home/tempuser directory and its contents.
  5. Delete the user’s mail spool.

To remove a user but keep their home directory (less common, usually for data preservation):

$ sudo userdel olduser_without_home

In this case, you would manually need to handle the home directory later if it’s no longer needed.
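The three considerations listed before the example (no active session, a backup of the home directory, no running processes) can be turned into a pre-flight check that refuses to run userdel -r while the account is still in use. The script below is an added example, not the lesson's own: the check functions take who and ps output as text so they can be exercised on the constructed samples at the bottom, and safe_userdel wires them to the live commands. The backup location /var/backups is an assumed default; adjust it for your system.

```shell
#!/bin/sh
# Added example (not the lesson's own code): pre-flight checks before `userdel -r`,
# covering active sessions, running processes and a backup of the home directory.

# Count rows of $2 whose first column equals $1. Works on the output of `who`
# and of `ps -eo user:32=,pid=,comm=` (the width keeps long user names intact).
rows_owned_by() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# "ok" when user $1 has no sessions in $2 and no processes in $3, else the blockers.
preflight_verdict() {
    user=$1; who_out=$2; ps_out=$3
    sessions=$(rows_owned_by "$user" "$who_out")
    procs=$(rows_owned_by "$user" "$ps_out")
    if [ "$sessions" -eq 0 ] && [ "$procs" -eq 0 ]; then
        echo ok
    else
        echo "blocked: sessions=$sessions processes=$procs"
    fi
}

# Archive /home/$1 into directory $2 before deletion (skipped when no home exists).
backup_home() {
    [ -d "/home/$1" ] || { echo "no home directory for $1"; return 0; }
    tar -C /home -czf "$2/$1-home-$(date +%Y%m%d).tgz" "$1" && echo "backup written to $2"
}

# Live wrapper: refuse to delete while the account is in use, back up, then delete.
safe_userdel() {
    verdict=$(preflight_verdict "$1" "$(who)" "$(ps -eo user:32=,pid=,comm=)")
    if [ "$verdict" != ok ]; then
        echo "$verdict - not deleting $1" >&2
        return 1
    fi
    backup_home "$1" "${2:-/var/backups}" || return 1
    sudo userdel -r "$1"
}

# Constructed samples in the shape `who` and `ps -eo user:32=,pid=,comm=` print.
SAMPLE_WHO='tempuser pts/1        2024-05-01 09:12 (10.0.0.5)
alice    pts/2        2024-05-01 09:30 (10.0.0.7)'
SAMPLE_PS='root         1 systemd
tempuser  2410 bash
tempuser  2475 vim
alice     2600 bash'

echo "tempuser: $(preflight_verdict tempuser "$SAMPLE_WHO" "$SAMPLE_PS")"
echo "olduser:  $(preflight_verdict olduser "$SAMPLE_WHO" "$SAMPLE_PS")"
```

In the sample, tempuser is reported as blocked (one session, two processes) while olduser, who appears nowhere, is ok to delete; in practice the blockers are resolved by asking the user to log out or by stopping their processes, and only then is safe_userdel run.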