Accounts & Permissions


ACCOUNTS
whoami / echo $USER prints the user name corresponding to the effective UID
who am i / who -m prints the original login name of the user, terminal name and login time
logname prints the original login name of the user
users prints currently logged in users, one entry per open session (data from /var/run/utmp)
who prints currently logged in users, their terminal names and login times (data from /var/run/utmp), -u including their executed processes, -q prints user names and their number only, -m the same as the command "who am i"
w prints currently logged in users, their number, terminals, processes, login times, idle time, current time, how long the system has been running and its load average (data from /var/run/utmp and /proc)
last / last <user> prints time information about all users / a particular user logged into the system during the last period (since /var/log/wtmp was created) including the terminal names, -n <n> last n logins only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins, -x prints the system shutdown entries and run level changes
lastb / lastb <user> prints time information about unsuccessful login attempts of all users / a particular user during the last period (since /var/log/btmp was created), -n <n> last n attempts only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins
lastlog prints a list of all users in the system and their last login times including the terminal names (data from /var/log/lastlog), -u <user> information about the particular user only, -t <n> information about users logged in during last n days
faillog prints information about login failures of all users (data from /var/log/faillog), -a all data, -u <user> information about the particular user only, -m <n> sets the maximum number of unsuccessful login attempts, -r resets the unsuccessful login attempts counter
# faillog -u kuba -r
id / id <user> prints UID, GID and groups of the logged in / particular user, -u effective UID only, -g effective GID only, -n prints a name instead of a number with option "-u" or "-g"
finger <user> prints information about a particular user - the home directory, login shell, last login time, terminal and, if set, a real name or phone number
chfn / chfn <user> changes GECOS field in /etc/passwd of the logged in / particular user, -f <name> a real name, -p <number> office phone number, -h <number> private phone number; if no option is specified, an interactive mode starts (none = empty field)
chsh / chsh <user> (-s <shell>) changes a login shell of the logged in / particular user, -l prints a list of available shells from /etc/shells
useradd <user> creates a user account including its home directory /home/<user> (copies the contents of /etc/skel directory inside), e-mail spool /var/spool/mail/<user> and primary group of the same name; when creating a new account, data from /etc/default/useradd and /etc/login.defs are taken into consideration, -m creates a home directory, -d <directory> specifies a particular home directory, -g <group / GID> assigns an existing group as a primary group, -G <group> assigns a user into other, comma separated, supplementary groups, -u <UID> assigns a particular UID (otherwise the first available one is used), -o assigns a duplicate UID (available with "-u" option only), -r creates a system account (with a lower UID, nonexpiring password and without a home directory), -s <shell> assigns a login shell, -e <YYYY-MM-DD> sets an account expiration date, -f <DD> sets the number of days after a password expires until the account is permanently disabled, -c <comment> provides any information about a user (GECOS field in /etc/passwd)
# useradd -c "Jan Novak" -g users -s /bin/tcsh jan
usermod <user> modifies a user account with the same options as the "useradd" command, plus -a, which together with "-G" adds the user to the given comma separated supplementary groups without having to list all the previously assigned groups (on its own, "-G" always defines the complete set of supplementary groups and so overwrites the former settings), -l <new_user> renames a user account, -L locks a user's password (puts a "!" in front of the encrypted password), -U unlocks a user's password (removes the "!" in front of the encrypted password)
# usermod -l jack -d /home/jack john
# usermod -c "" kuba
userdel <user> removes a user account, -r including a home directory and e-mail spool, -f including a home directory and e-mail spool, even if the user is logged on
groupadd <group> creates a group account, -g <GID> assigns a particular GID (otherwise the first available one is used), -o assigns a duplicate GID (available with "-g" option only), -r creates a system group (with GID in range of 101 - 499)
groupmod <group> modifies a group account with the same options as the "groupadd" command, plus -n <new_group> renames a group account
groupdel <group> removes a group account (it is not possible to remove an existing user's primary group; the user has to be removed first)
groups / groups <user> prints the groups to which the logged on / particular user belongs
newgrp <group> logs a user into one of the groups available in /etc/group, if no group is specified, the primary GID is assigned (used especially when creating new files)
passwd / passwd <user> sets or changes a logged on / particular user's password, --stdin reads the password from STDIN (pipe), -d sets no password for an account, -n <DD> sets the minimum password lifetime in days, -x <DD> sets the maximum password lifetime in days, -w <DD> sets the number of days in advance the user is warned of the password expiration, -l locks a user's password (puts "!!" in front of the encrypted password), -u unlocks a user's password, -S <user> prints information about the settings of the user's password (password status: "PS" = password assigned, "NP" = no password, "LK" = account locked, the date of the last password's change, minimum and maximum lifetime in days, a warning period before the password's expiration and a period between the password's expiration and the account being locked in days); the default password expiration settings can be found in /etc/login.defs
# for user in $(awk -F : '{print $1}' /etc/passwd); do passwd -S $user | grep LK; done
(prints users with locked accounts)
mkpasswd creates a random password, -l <n> sets the password's length (9 characters by default), -C <n> sets the minimum number of capital letters (2 by default), -c <n> sets the minimum number of small letters (2 by default), -d <n> sets the minimum number of digits (2 by default), -s <n> sets the minimum number of special characters (1 by default)
chpasswd <user>:<password> modifies a particular user's password and encrypts it by the algorithm defined in /etc/login.defs, -c <NONE|DES|MD5|SHA256|SHA512> specifies a different encryption algorithm, -e indicates that the newly submitted passwords are already in encrypted form (by default they are specified in clear-text)
# for user in $(awk -F ":" '{if (length($2) > 2 && $2 !~ /^(!!)?(\$[1256]\$)/) print $1":"$2 }' /etc/shadow); do echo "$user" | chpasswd -c SHA512; done
(converts the clear-text passwords of all users in /etc/shadow into SHA512 hashes; the awk filter skips empty or locked fields and fields that already start with a "$1$", "$2$", "$5$" or "$6$" hash prefix)
chage <user> changes a user's account and password lifetime settings, -d <DD> sets the number of days since January 1st, 1970 when the password was last changed, -E <YYYY-MM-DD> sets an account expiration date ("-1" = unlimited account expiration), -I <DD> sets the number of days of inactivity after a password has expired before the account is locked, -l prints information about the account and password expiration settings, -m <DD> sets the minimum number of days between password changes ("0" = the user may change the password at any time), -M <DD> sets the maximum number of days during which a password is valid ("-1" = unlimited password expiration), -W <DD> sets the number of days of warning before a password change is required; if no option is specified, an interactive mode starts; the default password expiration settings can be found in /etc/login.defs
# chage -d 0 james
(expires the user's password, forcing the user to change it on first login)
cat /etc/passwd prints existing users, their encrypted password (character "*" means that an account is locked) or an "x" character (the password is in /etc/shadow), UID, primary GID, comment field (GECOS), home directory and login shell
$ grep 501 /etc/passwd
(prints all users in the group whose GID is "501"; note that grep matches the string anywhere on the line, so a UID, phone number or path containing 501 is printed as well)
cat /etc/shadow prints existing users, their encrypted password (if the field is empty the account is without a password; the character "*", "!" or "!!" before the password means that the account is locked; by default, the "useradd" command creates a locked user account, i.e. only "!!" characters are present instead of a password), the last password change in days since 1.1.1970, the minimum number of days between password changes ("0" = the user may change the password at any time), the maximum number of days during which a password is valid ("-1" = unlimited password expiration), the number of days of warning before a password change is required, the number of days of inactivity after a password has expired before the account is locked and the account expiration date in days since 1.1.1970
cat /etc/group prints existing groups, their encrypted password (character "*" means that the group is locked) or an "x" character (the password is in /etc/gshadow), GID and a list of comma separated secondary members
$ grep admin /etc/group
(prints the GID of the "admin" group)
cat /etc/gshadow prints existing groups, their encrypted password (character "*" means that the group is locked) or a "!" character (a passwordless group), a list of comma separated administrators and a list of comma separated secondary members
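As an added example (not part of the original page), the following script applies the /etc/shadow field rules above and the "passwd -S" status codes (LK, NP, PS) to a few constructed records; it reads only the embedded sample, never the live file, and the hash strings are placeholders:

```shell
#!/bin/sh
# Added example, not from the original page: classify constructed /etc/shadow
# records the way "passwd -S" reports them (LK = locked, NP = no password,
# PS = password set) and flag passwords older than their maximum lifetime.
# The hash strings below are placeholders, not real hashes.

SAMPLE_SHADOW='root:$6$placeholderhash:17700:0:99999:7:::
alice:$6$placeholderhash:17600:0:90:7:::
bob:!!:17700:0:99999:7:::
carol::17700:0:99999:7:::
dave:!$6$placeholderhash:17700:0:99999:7:::'

# shadow_status LINE -> prints LK, NP or PS for the password field of LINE
shadow_status() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')        echo NP ;;   # empty field: login without a password
        '*'*|'!'*) echo LK ;;   # "*", "!" or "!!" prefix: account locked
        *)         echo PS ;;   # anything else: a usable password hash
    esac
}

# password_expired LINE TODAY -> true if TODAY (days since 1.1.1970) is past
# last change + maximum lifetime; a maximum of -1 or 99999 never expires
password_expired() {
    last=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    [ -n "$last" ] && [ -n "$max" ] || return 1
    [ "$max" -ge 0 ] && [ "$max" -lt 99999 ] || return 1
    [ "$2" -gt $((last + max)) ]
}

# report TODAY -> one line per account: name, status and EXPIRED where due
report() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        name=${line%%:*}
        if password_expired "$line" "$1"; then
            printf '%s %s EXPIRED\n' "$name" "$(shadow_status "$line")"
        else
            printf '%s %s\n' "$name" "$(shadow_status "$line")"
        fi
    done
}

report 17800   # prints: root PS / alice PS EXPIRED / bob LK / carol NP / dave LK
```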
vipw edits the /etc/passwd file (the same as "vi /etc/passwd")
vigr edits the /etc/group file (the same as "vi /etc/group")
pwconv creates /etc/shadow file based on data from /etc/passwd and /etc/login.defs, which ensures a safe storage of users' passwords
pwunconv removes /etc/shadow (opposite of "pwconv" command)
grpconv creates /etc/gshadow based on data from /etc/group and /etc/login.defs, which ensures a safe storage of groups' passwords
grpunconv removes /etc/gshadow file (opposite of "grpconv" command)
pwck verifies the integrity of /etc/passwd and /etc/shadow, the user is prompted to correct any errors found, -r prints errors only, -s sorts the output by UID
grpck verifies the integrity of /etc/group and /etc/gshadow, the user is prompted to correct any errors found, -r prints errors only, -s sorts the output by GID


PERMISSIONS
chown <owner> <file / directory> changes the user and/or group ownership of a file / directory, -R recursively, -c prints the files whose ownership is being changed; if the user name or UID is followed by a colon or dot and a group name or GID, the group ownership of the files is changed as well; if no group follows the colon or dot (chown user: /tmp /var/tmp), the user's primary group is used; if a colon or dot and group are given but the user is omitted (chown :group /tmp /var/tmp), only the group ownership of the files is changed (the same as the "chgrp" command)
# chown user:group /tmp /var/tmp
chgrp <group> <file / directory> changes the group ownership of a file / directory; the group is specified by its name or GID, -R recursively, -c prints the files whose ownership is being changed
chmod <permissions> <file / directory> changes a file / directory access permissions
1) in a symbolic expression
in the following order - users definition (u = user (owner), g = group, o = others, a = all), operator setting (+ to add permissions, - to remove permissions and = to set permissions) and permission specification (r = read, w = write, x = execute a file / access a directory, s = SUID or SGID bit, t = sticky bit)
# chmod (a)+x script.sh
# chmod ug=rw,o-w text.txt
2) in a numeric (octal) expression
in the following order - (special attribute) - user (owner) - group - others (4 = read permission, 2 = write permission, 1 = file execute permission / access to a directory); the values are summed
$ chmod 660 text.txt
# chmod 700 /usr/bin/top
with both expressions it is possible to use option -R for recursive mode and -c to see the files whose permissions are being changed; a directory must always have the access (x) permission set, otherwise it cannot be entered
# chmod -R 755 /home/user/xxx
special attributes concern mostly executable files (programs and scripts) or directories and have these values: 4 = SUID bit (an executed process runs with the permissions of the owner of the file, not with the permissions of the user who executed it), 2 = SGID bit (an executed process runs with the permissions of the group of the file, not with the permissions of the user who executed it; if the SGID bit is set on a directory, its newly created contents are owned by the directory's group), 1 = sticky bit (used on directories to ensure that only the owner of a file or directory inside them can rename or delete their own entries, not any user with write and access permissions for the directory)
# chmod 4755 /usr/bin/passwd
# chmod 2770 /web
# chmod +t /usr/local/tmp
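As an added example (not from the original page), this script converts the mode string printed by "ls -l" into the four-digit octal form described above, including the SUID, SGID and sticky values, and also computes the mode a new file or directory receives under a given umask (the rule stated in the "umask" entry at the end of this page); it goes slightly beyond the text by handling the upper-case S and T that "ls -l" shows when a special bit is set without the execute bit:

```shell
#!/bin/sh
# Added example, not from the original page: convert the mode string printed
# by "ls -l" into the four-digit octal form used by chmod, and work out the
# mode a new file or directory receives under a given umask.

# mode_to_octal MODESTRING -> e.g. 4755 for -rwsr-xr-x, 1777 for drwxrwxrwt;
# a leading file-type character (-, d, l ...) is ignored when present
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] && m=${m#?}
    special=0; perms=""
    for who in 1 2 3; do                # 1 = owner, 2 = group, 3 = others
        r=$(printf '%s' "$m" | cut -c$((who*3-2)))
        w=$(printf '%s' "$m" | cut -c$((who*3-1)))
        x=$(printf '%s' "$m" | cut -c$((who*3)))
        n=0
        [ "$r" = r ] && n=$((n+4))
        [ "$w" = w ] && n=$((n+2))
        case "$x" in
            x|s|t) n=$((n+1)) ;;        # lower case: execute bit is set too
        esac
        case "$who$x" in                # upper case S/T: special bit without x
            1s|1S) special=$((special+4)) ;;   # SUID lives in the owner triplet
            2s|2S) special=$((special+2)) ;;   # SGID lives in the group triplet
            3t|3T) special=$((special+1)) ;;   # sticky bit in the others triplet
        esac
        perms="$perms$n"
    done
    printf '%s%s\n' "$special" "$perms"
}

# umask_mode UMASK files|dirs -> mode left after the umask bits are removed
# from the system default 666 (files) or 777 (directories)
umask_mode() {
    base=666
    [ "$2" = dirs ] && base=777
    printf '%03o\n' $(( 0$base & ~0$1 ))
}

mode_to_octal -rwsr-xr-x     # 4755, the mode of /usr/bin/passwd above
mode_to_octal drwxrws---     # 2770, the mode of /web above
umask_mode 027 files         # 640
umask_mode 027 dirs          # 750
```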
setfacl <option> (:<permissions>) <file / directory> -m sets ACL permissions to a file / directory according to the given options (u:(<user>) for a particular single user, if it is not specified, the settings are valid for all users, g:(<group>) for a particular group, if it is not specified, the settings are valid for all groups, o for others, d: ensures inheriting of the ACL permissions from a directory to its newly created contents, m: changes the mask), -x removes ACL permissions from a file / directory according to the given options (u:(<user>) for a particular single user, if it is not specified, the settings are valid for all users, g:(<group>) for a particular group, if it is not specified, the settings are valid for all groups), -b removes all ACL permissions from a file / directory, -R recursively
# setfacl -m u:kuba:rw /home/dookie/soubor.txt
# setfacl -x g:users /home/dookie/soubor.txt
# setfacl -m d:u:david:rwx /home/dookie
# setfacl -m o:000 /web
# setfacl -m m::rwx /web/logs
# setfacl -bR /home/dookie
getfacl <file / directory> prints ACL permissions to a file / directory for particular single users or groups (provided they are set up), -n prints UID and GID instead of an account name, -R recursively, -s skips files with basic permission entries
chattr <operator><attribute> <file / directory> changes attributes of a particular file / directory on an ext2, ext3 or ext4 file system; operator + adds, - removes and = sets an attribute; attribute a prevents a file from being removed or modified (even by root) and permits only appending new data to it, d excludes the file from backup by the "dump" program, i prevents a file from being removed or modified in any way (even by root); -R recursively
# chattr +i /etc/inittab
lsattr / lsattr <file / directory> prints the attributes of the contents of the working directory / of a particular file or the contents of a particular directory on an ext2, ext3 or ext4 file system, -a prints hidden files as well, -d the directory itself, without its contents, -R recursively
su <user> / su - <user> changes the effective UID and GID to that of the given user / including the user's environment
su (root) / su - (root) changes the effective UID and GID to root / including root's environment
sudo (<parameter>) (<command>) allows a permitted user to execute a command as root or another user (without knowing that user's password) as specified in /etc/sudoers in the following order: <user> <host> = (<original_user>) (<verification>:) <command> (in absolute form); at the beginning of the file it is possible to define aliases (written in capital letters) representing the permitted users, original users, hosts and commands; the "ALL" expression represents any value in the mentioned items:
dookie ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /mnt/cdrom
(dookie is allowed to mount the cdrom and to unmount it without a password requirement)
tim localhost = /bin/su [!-]*, !/bin/su *root*
(tim is allowed to switch to any user except root on the particular host without loading the user's environment)
%admin ALL = SERVICES, PROCESSES, STORAGE
(the members of "admin" group are allowed to execute all the commands represented by the particular aliases on all hosts)
-b runs the given command in the background, -l prints whether the logged in user is allowed to use "sudo" and which commands they may execute on the current host, -u <user> runs the specified command as a user other than root; only root is allowed to edit /etc/sudoers, using the "visudo" command; the usage of "sudo" is logged to /var/log/secure
$ sudo /sbin/shutdown -h now
$ sudo -u tom ls ~tom
$ sudo sh -c "cd /home ; du -s * | sort -rn > usage"
$ sudo su - root -c /bin/bash
visudo edits /etc/sudoers, -c verifies the integrity of the file, -f <file> specifies an alternative sudoers file instead of /etc/sudoers
umask / umask <permissions> prints / sets the default permissions for newly created files and directories in the following order: user (owner) - group - others in a numeric (octal) expression; the digits denote the permission bits that are removed from the system default value 666 for files and 777 for directories, -S symbolic expression; (permanent setup in ~/.bashrc or ~/.bash_profile, the default global value is 002 for ordinary users and 022 for root in /etc/bashrc)
$ umask 0027 / umask 27
(the owner has all permissions, the group has read permissions and access to directories and others have no permissions)
Last modified: 2018/07/10 08:15 by Miroslav Bernát