SysAdmin - Users and groups management
Linux Foundation Certified SysAdmin (LFCS): Users and groups management
User accounts
- Create user
```bash
# old method
# create user
# specify the home directory and the user name
useradd -d /home/testuser1 testuser1
# give the user a password, it will prompt for the value
passwd testuser1
# you should also copy the bash startup files, etc. (useradd -m does this from /etc/skel)
# new method, all the previous in 1 line
adduser testuser2
```
- Change directory owner
```bash
# create a folder and pass the ownership to testuser1
mkdir testuser1Dir
chown testuser1:testuser1 testuser1Dir
# switch user, to act as testuser1
su - testuser1
```
- Remove user
```bash
# manual
cd /home
userdel testuser2
# its data is still there (owned by the old UID), so we change the ownership
chown -R user1:user1 testuser2
# or delete all of it
rm -r testuser2
# alternative: delete the user and all related to testuser2 in one step
userdel -r testuser2
```
Local groups and group memberships
- Add group
```bash
# see groups
cat /etc/group
# groupName:x:groupId:userName
addgroup testGroup1
groupadd test2
```
- Add a user to group
```bash
sudo nano /etc/group
# write down on the file
# groupName:x:groupId:userName
# test1:x:1002:user1
# after that you can check the groups you are in with
groups
# other option: add user1 to docker group
sudo usermod -aG docker user1
```
- Change password for group
```bash
sudo gpasswd test1
# type the new password
# then switch to that group
newgrp test1
# type password
```
System-wide environment profiles
- Session variables (usually in `.bashrc`, `.profile` or `.bash_profile`). The contents of `.bash_profile` are executed every time the user logs in to the system.
```bash
# check environment variables
env
# define env var for the session
export PAPAS_VAR="papasconchoco"
# check env var value
echo "$PAPAS_VAR"
# remove env var
unset PAPAS_VAR
```
- Remote session variables location
```bash
# system-wide variables for every session
cat /etc/environment
# system-wide profile for login shells
cat /etc/profile
```
- Unset
```bash
# start a shell with the inherited environment variables cleared
env -i bash
# set a null (empty) value; the variable still exists until you unset it
export PAPAS_VAR=''
```
Template user environment
- Skeleton directory
```bash
# the templates for new users are here
cd /etc/skel
# add environment variables
sudo nano .bashrc
# type the values, valid for users created from now on
```
Configure user resource limits
Configuration on limits.conf
```bash
sudo nano /etc/security/limits.conf
```
- columns on the file: `[domain] [type] [item] [value]`
  - domain (user, group, wildcards (`*`, `%`)) -> wildcard limits do not apply to root
  - type: soft and hard limits (the hard limit can only be increased by root); `ulimit` raises the soft limit for more resources, until reaching the hard limit value
  - item (core, data, cpu, memlock, nproc, as (address space limit), maxlogins, maxsyslogins)
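A way to check a limits file against the four-column layout and the soft/hard rule described above, as an added example that is not part of the original page. The function names and the sample lines are constructed for illustration; the `@group` domain form and the `-` type (soft and hard together) come from limits.conf(5), not from this page.

```shell
#!/bin/sh
# Added example: lint limits.conf-style lines ([domain] [type] [item] [value]).

# Constructed sample input (not from a real system).
sample_limits() {
cat <<'EOF'
# <domain>   <type>  <item>     <value>
testuser1    soft    nproc      100
testuser1    hard    nproc      50
@testGroup1  hard    maxlogins  3
*            soft    core       0
testuser2    medium  cpu        10
testuser2    hard    nproc
EOF
}

# Reads limits.conf lines on stdin, prints one finding per problem,
# and returns non-zero when anything was found.
lint_limits() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    NF != 4 {
      printf "line %d: expected 4 columns, got %d\n", NR, NF; bad++; next
    }
    $2 != "soft" && $2 != "hard" && $2 != "-" {
      printf "line %d: unknown type %s\n", NR, $2; bad++; next
    }
    $2 != "hard" { soft[$1, $3] = $4 }         # "-" sets soft and hard together
    $2 != "soft" { hard[$1, $3] = $4 }
    END {
      # a soft limit above its hard limit contradicts the soft/hard model
      for (k in soft) {
        if (!(k in hard)) continue
        s = soft[k]; h = hard[k]
        if (s ~ /^[0-9]+$/ && h ~ /^[0-9]+$/ && s + 0 > h + 0) {
          split(k, p, SUBSEP)
          printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], s, h; bad++
        }
      }
      exit (bad > 0)
    }'
}

if ! sample_limits | lint_limits; then
  echo "fix the findings above before installing the file"
fi
```

To lint the real file, run `lint_limits < /etc/security/limits.conf`.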
Manage user privileges
Configuration on access.conf, applied at login for privileges
```bash
sudo nano /etc/security/access.conf
```
- Can the user log in? -> for example, 'root' should not be able to log in remotely
- Not everyone should be able to `sudo`
```bash
# change the command "mycommand" to only be used for certain groups
sudo chgrp adm mycommand
# eliminate the execute bit for "other users"
sudo chmod 754 mycommand
```
Configure PAM
- Pluggable Authentication Modules -> separate the authentication from the privilege-granting software
- Privilege-granting software attaches to the PAM API
- `/etc/pam.conf` (mostly ignored, backup) and `/etc/pam.d` (takes precedence)
```bash
# check auth for common services
less /etc/pam.d/common-account
```
- select the authentication scheme you prefer (permit, paranoid)
```
@include common-account
@include common-session
@include common-password
```
- types of management
  - authentication
  - account
  - session
  - password
- modules
  - pam-access (grant access)
  - cracklib (password against dictionary)
  - debug (login)
  - deny (prevent access)
  - echo (write messages)