Accounts & Permissions


ACCOUNTS
whoami / echo $USER prints the user name corresponding to the effective UID
who am i / who -m prints the login name of the user, terminal name and login time
logname prints the login name of the user
users prints currently logged-in user names; the count corresponds to the number of open sessions (data from /var/run/utmp)
who prints currently logged-in user names, their terminal names and login times (data from /var/run/utmp), -u including PID of their current process, -q only user names and their number, -m identical to "who am i" command
w (<user>) prints the currently logged-in or specified user names, their terminal, connection method, login time, idle time, processor usage and current process name; in addition it displays the system time, the time since the computer was last started, number of currently logged-in users and the system load averages for the past 1, 5 and 15 minutes (identical to "uptime" command)
last (<user>) prints the logins of all or the specified users since /var/log/wtmp was created, including the terminal name and connection method, -n <n> last n logins only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins, -x prints the system shutdown entries and run level changes
lastb (<user>) prints the unsuccessful login attempts of all or the specified users since /var/log/btmp was created, including the terminal name and connection method, -n <n> last n attempts only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins
lastlog prints a list of all users in the system and their last login times including the terminal names (data from /var/log/lastlog), -u <user> information about the specified user only, -t <n> information about users logged in during last n days
faillog prints information about login failures of all users (data from /var/log/faillog), -a all data, -u <user> information about the specified user only, -m <n> sets the maximum number of unsuccessful login attempts, -r resets the unsuccessful login attempts counter; uses pam_tally module
# faillog -u kuba -r
pam_tally2 -u <user> prints information about login failures of a specified user (data from /var/log/faillog), --reset resets the unsuccessful login attempts counter
# pam_tally2 --reset -u jan
id (<user>) prints the UID and GID of the logged-in or specified user, including all his groups, -u only the effective UID, -g only the effective GID, -G GID of all user groups, -n with the "-u", "-g" or "-G" option prints the user or group name instead of the numeric designation
finger (<user>) prints the login and real name of the user, his home directory, login shell, last login time and inbox information; without an argument the login and real names of the logged-in users are displayed, including their terminal, idle time, login time and connection method
useradd <user> creates a user account including its home directory /home/<user> (copies the contents of /etc/skel directory inside), e-mail spool /var/spool/mail/<user> and primary group of the same name; when creating a new account, data from /etc/default/useradd and /etc/login.defs are taken into consideration, -m creates a home directory, -d <directory> specifies a different home directory, -g <group/GID> assigns an existing group as a primary group, -G <group> assigns a user into other, comma separated, supplementary groups, -u <UID> assigns a specified UID (otherwise the first available one is used), -o assigns a duplicate UID (available with "-u" option only), -r creates a system account (with UID in range of 201–999, never expiring password and without a home directory), -s <shell> assigns a login shell, -e <YYYY-MM-DD> sets an account expiration date, -f <DD> sets the number of days after a password expires until the account is permanently disabled, -c <comment> provides any information about a user (GECOS field in /etc/passwd)
# useradd -c "Jan Novak" -g users -G admins jan
userdel <user> removes a user account, -r including its home directory and e-mail spool, -f forces the removal (including the home directory and e-mail spool) even if the user is still logged in
usermod <user> modifies a user account using the same options as the "useradd" command; in addition -a together with "-G" adds the user to the listed, comma separated, supplementary groups without having to repeat all the previously assigned groups (on its own, "-G" always redefines the complete list of supplementary groups and overwrites the former setting), -l <new_user> renames a user account, -L locks a user's password (puts a "!" in front of the encrypted password), -U unlocks a user's password (removes the "!" in front of the encrypted password)
# usermod -l jack -d /home/jack john
# usermod -c "" kuba
chfn (<user>) changes GECOS field in /etc/passwd of the logged-in or specified user, -f <name> a real name, -p <number> office phone number, -h <number> private phone number; if no option is specified, it works interactively (none = empty field)
chsh (<user>) (-s <shell>) changes a login shell of the logged-in or specified user, -l prints a list of available shells from /etc/shells; if no option is specified, it works interactively
chage <user> changes a user's account and password lifetime settings, -d <DD> sets the number of days since January 1st, 1970 when the password was last changed, -E <YYYY-MM-DD> sets an account expiration date ("-1" = unlimited account expiration), -I <DD> sets the number of days of inactivity after a password has expired before the account is locked, -l prints information about an account and password expiration settings, -m <DD> sets the minimum number of days between password changes ("0" = the user may change the password at any time), -M <DD> sets the maximum number of days during which a password is valid ("-1" = unlimited password expiration), -W <DD> sets the number of days of warning before a password change is required; if no option is specified, it works interactively; the default password expiration settings can be found in /etc/login.defs
# chage -d 0 james
(changes the user's password expiration date and prompts him to change it at the first login)
passwd (<user>) sets or changes the password of the logged-in or specified user, --stdin reads the password from STDIN (pipe), -d sets no password for an account, -n <DD> sets the minimum password lifetime in days, -x <DD> sets the maximum password lifetime in days, -w <DD> sets the number of days in advance the user is warned of the password expiration, -l locks a user's password (puts "!!" in front of the encrypted password), -u unlocks a user's password, -S <user> prints information about the settings of the user's password (password status: "PS" = password assigned, "NP" = no password, "LK" = account locked, the date of the last password's change, minimum and maximum lifetime in days, a warning period before the password's expiration and a period between the password's expiration and the account being locked in days); the default password expiration settings can be found in /etc/login.defs
# for user in $(awk -F : '{print $1}' /etc/passwd); do passwd -S $user | grep LK; done
(prints users with locked accounts)
mkpasswd creates a random password, -l <n> sets the password's length (9 characters by default), -C <n> sets the minimum number of capital letters (2 by default), -c <n> sets the minimum number of small letters (2 by default), -d <n> sets the minimum number of digits (2 by default), -s <n> sets the minimum number of special characters (1 by default)
chpasswd <user>:<password> modifies a specified user's password and encrypts it by algorithm defined in /etc/login.defs, -c <NONE|DES|MD5|SHA256|SHA512> specifies a different encryption algorithm, -e indicates the newly submitted passwords are in encrypted form (by default they are specified in clear-text)
# for user in $(awk -F ":" '{if (length($2) > 2 && $2 !~ /^(!!)?(\$[1256]\$)/) print $1":"$2 }' /etc/shadow); do echo "$user" | chpasswd -c SHA512; done
(encrypts clear passwords of all users)
cat /etc/passwd prints existing local users, their encrypted password (character "*" means that an account is locked) or an "x" character (the password is in /etc/shadow), UID, primary GID, comment field (GECOS), home directory and login shell
$ grep 501 /etc/passwd
(prints all users in the group whose GID is "501"; a bare pattern also matches lines containing 501 in any other field, e.g. a UID or a phone number in the GECOS field, so check the fourth field of each printed line)
cat /etc/shadow prints existing local users, their encrypted password (if the field is empty the account is without a password; character "*", "!" or "!!" before the password means that the account is locked; by default, the "useradd" command creates a locked user account, i.e. only "!!" characters are present instead of a password), last password change in days since January 1st, 1970, the minimum number of days between password changes ("0" = the user may change the password at any time), the maximum number of days during which a password is valid ("-1" = unlimited password expiration), the number of days of warning before a password change is required, the number of days of inactivity after a password has expired before the account is locked and the number of days since January 1st, 1970 the account has been locked
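The field layout of /etc/shadow above, the "passwd -S" status codes (PS, NP, LK) and the effect of "chage -d 0" can be checked together with a small script. The following is an added example, not part of the original page: it writes a constructed shadow-format sample (placeholder hashes, hypothetical user names) to a temporary file and classifies each entry from the hash and date fields alone, so it runs without root and without touching the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a shadow-format file
# for locked, passwordless, must-change and expired password entries.
# Field layout: name:hash:lastchg:min:max:warn:inact:expire:reserved

# Writes a constructed sample in /etc/shadow format to a temp file and prints its path.
# The hashes are placeholders, not real password hashes.
write_sample_shadow() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'root:$6$saltsalt$placeholderhash:18000:0:99999:7:::' \
        'jan:!!:18000:0:99999:7:::' \
        'kuba:!$6$saltsalt$placeholderhash:18000:0:90:7:::' \
        'guest::18000:0:99999:7:::' \
        'james:$6$saltsalt$placeholderhash:0:0:99999:7:::' \
        'old:$6$saltsalt$placeholderhash:17900:0:90:7:::' > "$f"
    printf '%s\n' "$f"
}

# shadow_audit <file> <today>  where <today> is days since 1970-01-01,
# e.g. $(( $(date +%s) / 86400 )). Prints "<user> <status>" per line.
shadow_audit() {
    awk -F: -v today="$2" '
    {
        name = $1; hash = $2; last = $3; max = $5
        if (hash == "")                         st = "NOPASSWD"     # passwd -S reports NP
        else if (hash ~ /^[!*]/)                st = "LOCKED"       # passwd -S reports LK
        else if (last == "0")                   st = "MUST-CHANGE"  # result of chage -d 0
        else if (max != "" && max != "-1" && today - last > max)
                                                st = "EXPIRED"      # older than the max lifetime
        else                                    st = "OK"           # passwd -S reports PS
        print name, st
    }' "$1"
}

# Stand-alone run against the constructed sample (day 18100 is the assumed "today").
f=$(write_sample_shadow)
shadow_audit "$f" 18100
rm -f "$f"
```

Against a real system the same function is called as shadow_audit /etc/shadow $(( $(date +%s) / 86400 )) by root; the EXPIRED check uses the third and fifth fields exactly as "chage -l" does, and a "-1" or empty maximum is treated as unlimited.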
groupadd <group> creates a group account, -g <GID> assigns a specified GID (otherwise the first available one is used), -o assigns a duplicate GID (available with "-g" option only), -r creates a system group (with GID in range of 201–999)
groupdel <group> removes a group account (it is not possible to remove the primary group of an existing user; the user has to be removed first)
groupmod <group> modifies a group account using the same options as the "groupadd" command; in addition -n <new_group> renames a group account
groups (<user>) prints the groups to which the logged-in or specified user is assigned (identical to "id -nG" command)
newgrp <group> logs a user into one of the groups available in /etc/group; without an argument the primary GID is assigned (used especially when creating new files)
cat /etc/group prints existing local groups, their encrypted password (character "*" means that an account is locked) or an "x" character (the password is in /etc/gshadow), GID and a list of comma separated secondary members
$ grep admin /etc/group
(prints GID of "admin" group)
cat /etc/gshadow prints existing local groups, their encrypted password (character "*" means that an account is locked) or "!" character (a passwordless account), a list of comma separated administrators and a list of comma separated secondary members
vipw edits /etc/passwd file (the same as "vi /etc/passwd")
vigr edits /etc/group file (the same as "vi /etc/group")
pwconv creates /etc/shadow file based on data from /etc/passwd and /etc/login.defs, which ensures a safe storage of users' passwords
pwunconv removes /etc/shadow (opposite of "pwconv" command)
grpconv creates /etc/gshadow based on data from /etc/group and /etc/login.defs, which ensures a safe storage of groups' passwords
grpunconv removes /etc/gshadow file (opposite of "grpconv" command)
pwck verifies the integrity of /etc/passwd and /etc/shadow, the user is prompted to correct possible errors, -r prints errors only, -s sorts the output by UID
grpck verifies the integrity of /etc/group and /etc/gshadow, the user is prompted to correct possible errors, -r prints errors only, -s sorts the output by GID


PERMISSIONS
chown <owner> <file/directory> changes the user and/or group ownership of a file/directory, -R recursively, -c prints the files whose ownership is being changed; if the user name or UID is followed by a colon or dot and a group name or GID, the group ownership of the files is changed as well; if no group follows a colon or dot (chown user: /tmp /var/tmp), the user's primary group is considered; if a colon or dot and group are specified, but the user is omitted (chown :group /tmp /var/tmp), only the group ownership of the files is changed (the same as "chgrp" command)
# chown user:group /tmp /var/tmp
chgrp <group> <file/directory> changes the group ownership of a file/directory; the group is specified by its name or GID, -R recursively, -c prints the files whose ownership is being changed
chmod <permissions> <file/directory> changes a file/directory access permissions
1) in a symbolic expression
in the following order – user definition (u = user (owner), g = group, o = others, a = all), operator (+ adds permissions, - removes permissions and = sets permissions) and permission specification (r = read a file / list contents of a directory (file or directory names only), w = write to a file / write to a directory (creating, deleting and renaming any files or directories), x = execute a file / access a directory and make its contents available for reading and writing, s = SUID or SGID bit, t = sticky bit)
# chmod +x script.sh
(applies to all, i.e. user, group and others, by default)
# chmod ug=rw,o-w text.txt
2) in a numeric (octal) expression
in the following order – (special attribute) - user (owner) - group - others (4 = read a file / list contents of a directory (file or directory names only), 2 = write to a file / write to a directory (creating, deleting and renaming any files or directories), 1 = execute a file / access a directory and make its contents available for reading and writing); the values are summed
$ chmod 660 text.txt
# chmod 700 /usr/bin/top
with both expressions it is possible to use option -R for recursive mode and -c to see the files whose permissions are being changed; a directory must always have the execute (access) permission set, otherwise its contents cannot be reached
# chmod -R 755 /home/user/xxx
special attributes concern mostly executable files (programs and scripts) or directories and have these values: 4 = SUID bit (an executed process runs with the permissions of the owner of the file, not with the permissions of the user who executed it), 2 = SGID bit (an executed process runs with the permissions of the group of the file, not with the permissions of the user who executed it; if the SGID bit is set for a directory, it ensures that its new contents will be owned by the same group of owners who own the directory), 1 = sticky bit (used for directories whose content can be deleted or renamed only by the owner of the file or directory, not by any user with write and access permissions for the directory)
# chmod 4755 /usr/bin/passwd
# chmod 2770 /web
# chmod +t /usr/local/tmp
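The three special attributes above are the ones an administrator periodically audits, because an unexpected SUID or SGID executable is a privilege boundary. The following is an added example, not part of the original page: it builds a constructed directory tree with one file or directory per special bit, then lists them with the standard "find -perm -mode" test, the same query used against a real file system. The directory names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original page): build a constructed directory
# tree with SUID, SGID and sticky entries, then list them with find -perm,
# the same check used when auditing a system for unexpected special bits.

# Creates the sample tree under a temp directory and prints its path.
make_special_bits_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/suid_tool";  chmod 4755 "$d/suid_tool"   # runs as the file's owner
    : > "$d/sgid_tool";  chmod 2755 "$d/sgid_tool"   # runs as the file's group
    : > "$d/plain_tool"; chmod 755  "$d/plain_tool"  # no special bits
    mkdir "$d/shared";   chmod 2770 "$d/shared"      # new files inherit the group
    mkdir "$d/tmp";      chmod 1777 "$d/tmp"         # only owners may delete/rename
    printf '%s\n' "$d"
}

# list_special_bits <dir>: prints "SUID|SGID|STICKY <path>" for each match.
# "-perm -mode" means "all of these bits are set", which is portable find syntax.
list_special_bits() {
    find "$1" -type f -perm -4000 | sed 's|^|SUID |'
    find "$1" -perm -2000 | sed 's|^|SGID |'          # files and directories
    find "$1" -type d -perm -1000 | sed 's|^|STICKY |'
}

# Stand-alone run; on a real system the equivalent SUID/SGID sweep is
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
d=$(make_special_bits_tree)
list_special_bits "$d"
rm -rf "$d"
```

Setting the bits on files you own needs no root, so the sample tree exercises exactly the permissions the "chmod 4755", "chmod 2770" and "chmod +t" lines above set; only the SGID file and the SGID directory match the second query, the plain 755 file never appears.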
setfacl <option> ((<user>)(:<permissions>)) <file/directory> -m sets ACL permissions to a file/directory depending on the specified options (u:(<user/UID>) for a specified user, if it is not specified, the settings are valid for the owner of the file/directory, g:(<group/GID>) for a specified group, if it is not specified, the settings are valid for the group owner of the file/directory, o for others, d: ensures inheriting of the ACL permissions from a directory to its newly created contents, m: sets the mask – specifies maximum permissions possible for all named users and groups), -x removes ACL permissions from a file/directory depending on the specified options (u:<user/UID> for a specified user, g:<group/GID> for a specified group), -b removes all ACL permissions from a file/directory, -R recursively, --set-file <file/directory> sets ACL permissions based on the specified file/directory
# setfacl -m u:kuba:rw /home/dookie/file.txt
# setfacl -x g:users /home/dookie/file.txt
# setfacl -m d:u:david:rwx /home/dookie
# setfacl -m o:000 /web
# setfacl -m u::rwx,g::rx,o::rx /bin/chmod
# setfacl -m m:rwx /web/logs
# setfacl -bR /home/dookie
# getfacl file1 | setfacl --set-file - file2
(sets file "file2" the same ACL permissions as "file1")
getfacl <file/directory> prints ACL permissions to a file/directory for specified single users or groups (provided they are set up), -n prints UID and GID instead of an account name, -R recursively, -s skips files with basic permission entries
chattr <operator><attribute> <file/directory> changes attributes of a specified file/directory on an ext2, ext3 or ext4 file system; operator + adds, - removes and = sets an attribute; attribute a prevents the file from being removed or modified (even by root) and permits only appending new data to it, d excludes the file from backup by the "dump" program, i prevents the file from being removed or modified in any way (even by root); -R recursively
# chattr +i /etc/inittab
lsattr (<file/directory>) prints attributes of the contents of the working directory, of a specified file or of the contents of a specified directory on an ext2, ext3 or ext4 file system, -a prints hidden files as well, -d prints the directory itself, without its contents, -R recursively
su (<user>) switches to root (system administrator) or a specified user account (changes the effective UID and GID), - or -l including the user's environment (initializes HOME, SHELL, USER, LOGNAME and PATH variables), -c <command> only executes the command under another user
sudo (<parameter>) (<command>) allows a permitted user to execute a command as root or another user (without knowing the password) as specified in /etc/sudoers in the following order: <user> <host> = (<original_user>) (<verification>:) <command> (in absolute form); at the beginning of the file it is possible to define by capital letters aliases representing the permitted users, original users, hosts and commands, considering that "ALL" expression represents any value in the mentioned items:
dookie ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /mnt/cdrom
(dookie is allowed to mount cdrom and unmount it without a password requirement)
tim localhost = /bin/su [!-]*, !/bin/su *root*
(tim is allowed to switch to any user except root on the particular host without loading the user's environment)
%admin ALL = SERVICES, PROCESSES, STORAGE
(the members of "admin" group are allowed to execute all the commands represented by the particular aliases on all hosts)
-b runs a specified command in the background, -l prints information whether the logged-in user is allowed to use "sudo" and lists possible commands that can be executed, -i switches to root account, -u <user> runs the specified command as a user other than root; only root is allowed to edit /etc/sudoers by "visudo" command; the usage of "sudo" is logged to /var/log/secure
$ sudo /sbin/shutdown -h now
$ sudo -u tom ls ~tom
$ sudo sh -c "cd /home ; du -s * | sort -rn > usage"
$ sudo su - root -c /bin/bash
visudo edits /etc/sudoers, -c verifies the integrity of the file, -f <file> specifies an alternative sudoers file instead of /etc/sudoers
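When reviewing a sudoers file, the two kinds of rules worth finding first are those tagged NOPASSWD and those granting ALL commands, since both widen what a compromised account can do. The following is an added example, not part of the original page: it writes a constructed sudoers fragment (built from the example rules above plus a hypothetical "backup" user) to a temporary file and classifies each user rule with awk. It only reads the file; syntax checking is still "visudo -cf <file>".

```shell
#!/bin/sh
# Added example (not part of the original page): a small awk audit of a sudoers
# file that reports rules granting NOPASSWD and rules granting ALL commands.
# It classifies only; validate real files with "visudo -cf <file>".

# Constructed sample fragment (illustration only; user names are hypothetical).
write_sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults    env_reset
Cmnd_Alias  SERVICES = /sbin/service, /usr/bin/systemctl
dookie  ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /mnt/cdrom
tim     localhost = /bin/su [!-]*, !/bin/su *root*
%admin  ALL = SERVICES
backup  ALL = (ALL) NOPASSWD: ALL
EOF
    printf '%s\n' "$f"
}

# sudoers_audit <file>: prints "NOPASSWD <user>" and "ALL-COMMANDS <user>" lines.
sudoers_audit() {
    awk '
    /^[ \t]*#/ { next }                              # comments
    NF == 0 { next }                                 # blank lines
    /^[ \t]*Defaults/ { next }                       # option lines
    /^[ \t]*[A-Za-z_]+_Alias/ { next }               # alias definitions
    {
        user = $1
        eq = index($0, "=")
        if (eq == 0) next
        rhs = substr($0, eq + 1)                     # everything after "user host ="
        if (rhs ~ /NOPASSWD:/) print "NOPASSWD", user
        n = split(rhs, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]*\([^)]*\)/, "", c)           # drop the (runas) part
            gsub(/[A-Z]+:/, "", c)                   # drop tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", c)           # trim
            if (c == "ALL") print "ALL-COMMANDS", user
        }
    }' "$1"
}

# Stand-alone run on the constructed sample; on a real system: sudoers_audit /etc/sudoers
f=$(write_sample_sudoers)
sudoers_audit "$f"
rm -f "$f"
```

The sample yields NOPASSWD for dookie (only the umount rule) and both NOPASSWD and ALL-COMMANDS for backup; tim and the admin alias users are not reported. Rules pulled in through Cmnd_Alias names or #include directives are not expanded here, so on a real host the audit should also be run over each included file.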
umask (<permissions>) prints or sets default permissions for newly created files and directories in the following order: user (owner) - group - others in a numeric (octal) expression, where the digits stand for the permissions that are removed from the system value 666 for files and 777 for directories, -S symbolic expression; (permanent setup in ~/.bashrc and ~/.bash_profile, the default global value is 002 for ordinary users and 022 for root in /etc/profile and /etc/bashrc)
$ umask 0027 / umask 27
(the owner has all permissions, the group has read permissions and access to directories and others have no permissions)
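The umask arithmetic above (666 or 777 with the umask bits cleared) is easy to get wrong by subtracting decimal digits instead of clearing bits. The following is an added example, not part of the original page: it computes the resulting mode for a file and a directory under a given umask, then confirms the result by actually creating both in a temporary directory under that umask. It assumes GNU stat (-c %a) with the BSD form as a fallback.

```shell
#!/bin/sh
# Added example (not part of the original page): compute the mode a new file or
# directory receives under a given umask (666 or 777 with the umask bits removed)
# and confirm it by creating both under that umask in a temporary directory.

# umask_result <umask> file|dir : prints the resulting octal mode, e.g. 027 file -> 640
umask_result() {
    case "$2" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    return 1 ;;
    esac
    # the leading 0 makes the shell read both values as octal; ~ clears the umask bits
    printf '%03o\n' $(( base & ~0$1 ))
}

# actual_mode <path>: octal mode via GNU stat, with the BSD/macOS form as fallback
actual_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# umask_demo <umask>: creates a file and a directory under the umask, prints "<file> <dir>"
umask_demo() {
    d=$(mktemp -d) || return 1
    ( umask "$1"; : > "$d/f"; mkdir "$d/d" )   # subshell so the caller's umask is untouched
    printf '%s %s\n' "$(actual_mode "$d/f")" "$(actual_mode "$d/d")"
    rm -rf "$d"
}

# Stand-alone run for the 027 case from the text
umask_result 027 file
umask_result 027 dir
umask_demo 027
```

For umask 027 both paths give 640 for the file and 750 for the directory, matching the description above (owner everything, group read plus directory access, others nothing); note that 022 yields 644 rather than 666 minus 022 computed digit by digit would suggest for values such as 027 on a 666 base, which is why the bitwise form is used.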
Last modified: 2019/08/09 22:14 by Miroslav Bernát