Accounts & Permissions


ACCOUNTS
whoami / echo $USER prints the user name corresponding to the effective UID
who am i / who -m prints the login name of the user, terminal name and login time
logname prints the login name of the user
users prints currently logged-in user names, their number corresponds with the current open sessions (data from /var/run/utmp)
who prints currently logged-in user names, their terminal names and login times (data from /var/run/utmp), -u including PID of their current process, -q only user names and their number, -m identical to "who am i" command
w (<user>) prints the currently logged-in user name, his terminal, connection method, login time, idle time, processor usage and current process name; without the parameter the information about all currently logged-in users is printed; besides the system time, time since the computer was last started, number of currently logged-in users and the system load averages for the past 1, 5 and 15 minutes are displayed (identical to "uptime" command)
last / last <user> prints time information about all users / particular user logged into the system during the last period (since /var/log/wtmp was created) including the terminal name and connection method, -n <n> last n logins only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins, -x prints the system shutdown entries and run level changes
lastb / lastb <user> prints time information about unsuccessful login attempts of all users / particular user into the system during the last period (since /var/log/btmp was created) including the terminal name and connection method, -n <n> last n logins only, -d prints hostnames for remote logins, -i prints IP addresses for remote logins
lastlog prints a list of all users in the system and their last login times including the terminal names (data from /var/log/lastlog), -u <user> information about the particular user only, -t <n> information about users logged in during last n days
faillog prints information about login failures of all users (data from /var/log/faillog), -a all data, -u <user> information about the particular user only, -m <n> sets the maximum number of unsuccessful login attempts, -r resets the unsuccessful login attempts counter; uses the pam_tally module
# faillog -u kuba -r
pam_tally2 -u <user> prints information about login failures of a particular user (data from /var/log/faillog), --reset resets the unsuccessful login attempts counter
# pam_tally2 --reset -u jan
id / id <user> prints the UID and GID of the logged-in / particular user, including all his groups, -u only the effective UID, -g only the effective GID, -G GID of all user groups, -n with the "-u", "-g" or "-G" option prints the user or group name instead of the numeric designation
finger (<user>) prints the login and real name of the user, his home directory, login shell, last login time and inbox information; without the parameter the login and real names of the logged-in users are displayed, including their terminal, idle time, login time and connection method
chfn / chfn <user> changes GECOS field in /etc/passwd of the logged-in / particular user, -f <name> a real name, -p <number> office phone number, -h <number> private phone number; if no option is specified, an interactive mode starts (none = empty field)
chsh / chsh <user> (-s <shell>) changes a login shell of the logged-in / particular user, -l prints a list of available shells from /etc/shells
useradd <user> creates a user account including its home directory /home/<user> (copies the contents of /etc/skel directory inside), e-mail spool /var/spool/mail/<user> and primary group of the same name; when creating a new account, data from /etc/default/useradd and /etc/login.defs are taken into consideration, -m creates a home directory, -d <directory> specifies a particular home directory, -g <group/GID> assigns an existing group as a primary group, -G <group> assigns a user into other, comma separated, supplementary groups, -u <UID> assigns a particular UID (otherwise the first available one is used), -o assigns a duplicate UID (available with "-u" option only), -r creates a system account (with a lower UID, nonexpiring password and without a home directory), -s <shell> assigns a login shell, -e <YYYY-MM-DD> sets an account expiration date, -f <DD> sets the number of days after a password expires until the account is permanently disabled, -c <comment> provides any information about a user (GECOS field in /etc/passwd)
# useradd -c "Jan Novak" -g users -G admins jan
usermod <user> modifies a user account, the same options as for "useradd" command are used, besides -a together with "-G" assigns a user into other, comma separated, supplementary groups without having to name also all the previously defined groups (because "-G" option itself always defines all valid supplementary groups from the beginning, which overwrites the former settings), -l <new_user> renames a user account, -L locks a user's password (puts a "!" in front of the encrypted password), -U unlocks a user's password (removes a "!" in front of the encrypted password)
# usermod -l jack -d /home/jack john
# usermod -c "" kuba
userdel <user> removes a user account, -r including a home directory and e-mail spool, -f including a home directory and e-mail spool, even if the user is logged in
groupadd <group> creates a group account, -g <GID> assigns a particular GID (otherwise the first available one is used), -o assigns a duplicate GID (available with "-g" option only), -r creates a system group (with GID in range of 101–499)
groupmod <group> modifies a group account, the same options as for "groupadd" command, besides these exist: -n <new_group> renames a group account
groupdel <group> removes a group account (it is not possible to remove an existing user's primary group, the user has to be removed as first)
groups / groups <user> prints groups to which the logged-in / particular user belong (identical to "id -nG" command)
newgrp <group> logs a user into one of the groups available in /etc/group, if no group is specified, the primary GID is assigned (used especially when creating new files)
passwd / passwd <user> sets or changes a logged-in / particular user's password, --stdin reads the password from STDIN (pipe), -d sets no password for an account, -n <DD> sets the minimum password lifetime in days, -x <DD> sets the maximum password lifetime in days, -w <DD> sets the number of days in advance the user is warned of the password expiration, -l locks a user's password (puts "!!" in front of the encrypted password), -u unlocks a user's password, -S <user> prints information about the settings of the user's password (password status: "PS" = password assigned, "NP" = no password, "LK" = account locked, the date of the last password's change, minimum and maximum lifetime in days, a warning period before the password's expiration and a period between the password's expiration and the account being locked in days); the default password expiration settings can be found in /etc/login.defs
# for user in $(awk -F : '{print $1}' /etc/passwd); do passwd -S $user | grep LK; done
(prints users with locked accounts)
mkpasswd creates a random password, -l <n> sets the password's length (9 characters by default), -C <n> sets the minimum number of capital letters (2 by default), -c <n> sets the minimum number of small letters (2 by default), -d <n> sets the minimum number of digits (2 by default), -s <n> sets the minimum number of special characters (1 by default)
chpasswd reads <user>:<password> lines from STDIN, modifies the given users' passwords and encrypts them by the algorithm defined in /etc/login.defs, -c <NONE|DES|MD5|SHA256|SHA512> specifies a different encryption algorithm, -e indicates the newly submitted passwords are in encrypted form (by default they are specified in clear-text)
# for user in $(awk -F ":" '{if (length($2) > 2 && $2 !~ /^(!!)?(\$[1256]\$)/) print $1":"$2 }' /etc/shadow); do echo "$user" | chpasswd -c SHA512; done
(encrypts clear passwords of all users)
chage <user> changes a user's account and password lifetime settings, -d <DD> sets the number of days since January 1st, 1970 when the password was last changed, -E <YYYY-MM-DD> sets an account expiration date ("-1" = unlimited account expiration), -I <DD> sets the number of days of inactivity after a password has expired before the account is locked, -l prints information about an account and password expiration settings, -m <DD> sets the minimum number of days between password changes ("0" = the user may change the password at any time), -M <DD> sets the maximum number of days during which a password is valid ("-1" = unlimited password expiration), -W <DD> sets the number of days of warning before a password change is required; if no option is specified, an interactive mode starts; the default password expiration settings can be found in /etc/login.defs
# chage -d 0 james
(changes the user's password expiration date, forcing him to change it on first log in)
cat /etc/passwd prints existing users, their encrypted password (character "*" means that an account is locked) or an "x" character (the password is in /etc/shadow), UID, primary GID, comment field (GECOS), home directory and login shell
$ grep 501 /etc/passwd
(prints all users in the group whose GID is "501")
cat /etc/shadow prints existing users, their encrypted password (if the field is empty the account is without a password; character "*", "!" or "!!" before the password means that the account is locked; by default, the "useradd" command creates a locked user account, i.e. only "!!" characters are present instead of a password), last password change in days since January 1st, 1970, the minimum number of days between password changes ("0" = the user may change the password at any time), the maximum number of days during which a password is valid ("-1" = unlimited password expiration), the number of days of warning before a password change is required, the number of days of inactivity after a password has expired before the account is locked and the number of days since January 1st, 1970 the account has been locked
cat /etc/group prints existing groups, their encrypted password (character "*" means that an account is locked) or an "x" character (the password is in /etc/gshadow), GID and a list of comma separated secondary members
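As an added example (not part of the original page), the shell function below classifies each entry of a file in /etc/shadow format according to the field meanings listed above, so that locked, password-less, weakly hashed and never-expiring accounts can be picked out in one pass. The sample shadow lines are constructed and the hash strings in them are placeholders.

```shell
# Added example, not from the original page: audit entries in /etc/shadow format.
# A constructed sample is written to a temp file so the script runs offline.

SAMPLE_SHADOW="$(mktemp)"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:!!:17900:0:99999:7:::
jan:$6$saltsalt$placeholderhash:17900:0:90:7:14::
kuba:$1$abcdefgh$placeholdermd5:17900:0:99999:7:::
guest::17900:0:99999:7:::
legacy:plaintextpw:17900:0:99999:7:::
svc:*:17900:0:99999:7:::
EOF

# audit_shadow <shadow-file>
# prints one line per account: <user> <password-state> <aging-state>
audit_shadow() {
    awk -F: '
    NF < 2 { next }                                # skip blank or malformed lines
    {
        pw = $2
        if (pw == "")             st = "empty"            # no password at all
        else if (pw ~ /^[*!]/)    st = "locked"           # "*", "!" or "!!" prefix
        else if (pw ~ /^\$6\$/)   st = "sha512"
        else if (pw ~ /^\$5\$/)   st = "sha256"
        else if (pw ~ /^\$1\$/)   st = "md5"
        else if (pw ~ /^\$2/)     st = "blowfish"
        else                      st = "unhashed-or-des"  # clear text or 13-char DES
        # field 5 is the maximum password lifetime in days
        if ($5 == "" || $5 == "99999" || $5 == "-1") ag = "never-expires"
        else                                          ag = "expires"
        print $1, st, ag
    }' "$1"
}

# weak_entries <shadow-file>: the accounts that need action (no password,
# clear-text/DES or MD5 hash); locked accounts are left out on purpose
weak_entries() {
    audit_shadow "$1" | awk '$2 == "empty" || $2 == "md5" || $2 == "unhashed-or-des"'
}

audit_shadow "$SAMPLE_SHADOW"
```

Run it against the real file with `audit_shadow /etc/shadow` as root; `weak_entries` gives the candidate list for the chpasswd loop shown above.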
$ grep admin /etc/group
(prints GID of "admin" group)
cat /etc/gshadow prints existing groups, their encrypted password (character "*" means that an account is locked) or "!" character (a passwordless account), a list of comma separated administrators and a list of comma separated secondary members
vipw edits /etc/passwd file (the same as "vi /etc/passwd")
vigr edits /etc/group file (the same as "vi /etc/group")
pwconv creates /etc/shadow file based on data from /etc/passwd and /etc/login.defs, which ensures a safe storage of users' passwords
pwunconv removes /etc/shadow (opposite of "pwconv" command)
grpconv creates /etc/gshadow based on data from /etc/group and /etc/login.defs, which ensures a safe storage of groups' passwords
grpunconv removes /etc/gshadow file (opposite of "grpconv" command)
pwck verifies the integrity of /etc/passwd and /etc/shadow, the user is prompted to correct any errors found, -r prints errors only, -s sorts the output by UID
grpck verifies the integrity of /etc/group and /etc/gshadow, the user is prompted to correct any errors found, -r prints errors only, -s sorts the output by GID


PERMISSIONS
chown <owner> <file/directory> changes the user and/or group ownership of a file/directory, -R recursively, -c prints the files whose ownership is being changed; if the user name or UID is followed by a colon or dot and a group name or GID, the group ownership of the files is changed as well; if no group follows a colon or dot (chown user: /tmp /var/tmp), the user's primary group is considered; if a colon or dot and group are given, but the user is omitted (chown :group /tmp /var/tmp), only the group ownership of the files is changed (the same as "chgrp" command)
# chown user:group /tmp /var/tmp
chgrp <group> <file/directory> changes the group ownership of a file/directory; the group is specified by its name or GID, -R recursively, -c prints the files whose ownership is being changed
chmod <permissions> <file/directory> changes a file/directory access permissions
1) in a symbolic expression
in the following order – user definition (u = user (owner), g = group, o = others, a = all), operator (+ adds permissions, - removes permissions and = sets permissions) and permission specification (r = read, w = write, x = execute a file / access a directory, s = SUID or SGID bit, t = sticky bit)
# chmod +x script.sh
(for all by default)
# chmod ug=rw,o-w text.txt
2) in a numeric (octal) expression
in the following order – (special attribute) - user (owner) - group - others (4 = read permission, 2 = write permission, 1 = file execute permission / access to a directory); the values are summed
$ chmod 660 text.txt
# chmod 700 /usr/bin/top
with both the expressions it is possible to use option -R for recursive mode and -c to see the files whose permissions are being changed; a directory must always have an access permission set
# chmod -R 755 /home/user/xxx
special attributes concern mostly executable files (programs and scripts) or directories and have these values: 4 = SUID bit (an executed process runs with the permissions of the owner of the file, not with the permissions of the user who executed it), 2 = SGID bit (an executed process runs with the permissions of the group of the file, not with the permissions of the user who executed it; if the SGID bit is set for a directory, it ensures that its new contents will be owned by the same group of owners who own the directory), 1 = sticky bit (used for directories to ensure that only the owner of a file or directory inside them can rename or delete his items, not any user with write and access permissions for the directory)
# chmod 4755 /usr/bin/passwd
# chmod 2770 /web
# chmod +t /usr/local/tmp
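Added example, not from the original page: the script below builds a throwaway directory tree with the modes from the chmod examples above, then uses find to list the entries a permissions audit looks for: SUID/SGID files and directories, world-writable directories without the sticky bit, and world-writable files. Everything is created under a temporary directory; no system path is touched.

```shell
# Added example, not from the original page: reproduce the special-bit and
# world-writable cases above in a temp tree and locate them with find.

SANDBOX="$(mktemp -d)"
mkdir -p "$SANDBOX/web" "$SANDBOX/tmp" "$SANDBOX/shared"
touch "$SANDBOX/web/app" "$SANDBOX/notes.txt" "$SANDBOX/shared/report"
chmod 4755 "$SANDBOX/web/app"     # SUID executable, as for /usr/bin/passwd
chmod 2770 "$SANDBOX/web"         # SGID directory: new files inherit its group
chmod 1777 "$SANDBOX/tmp"         # world-writable WITH sticky bit, like /tmp
chmod 777  "$SANDBOX/shared"      # world-writable WITHOUT sticky bit
chmod 666  "$SANDBOX/notes.txt"   # world-writable regular file
chmod 644  "$SANDBOX/shared/report"

# rel <root>: turn find's absolute paths into paths relative to <root>, sorted
rel() { sed "s|^$1/||" | sort; }

# SUID (4000) or SGID (2000) files and directories; "-perm -MODE" matches
# when all the given bits are set, whatever the other bits are
list_suid_sgid() {
    find "$1" \( -type f -o -type d \) \( -perm -4000 -o -perm -2000 \) | rel "$1"
}

# directories anyone can write to that lack the sticky bit (1000): there any
# user with write and access permission can rename or delete other users' files
list_world_writable_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | rel "$1"
}

# regular files anyone can modify
list_world_writable_files() {
    find "$1" -type f -perm -0002 | rel "$1"
}

echo "SUID/SGID:";              list_suid_sgid "$SANDBOX"
echo "world-writable, no +t:";  list_world_writable_nosticky "$SANDBOX"
echo "world-writable files:";   list_world_writable_files "$SANDBOX"
```

The same three functions work on a real root (for example `list_suid_sgid /usr`), where the output is the baseline to compare against after package updates.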
setfacl <option> (:<permissions>) <file/directory> -m sets ACL permissions to a file/directory according to the given options (u:(<user>) for a particular single user, if it is not specified, the settings are valid for all users, g:(<group>) for a particular group, if it is not specified, the settings are valid for all groups, o for others, d: ensures inheriting of the ACL permissions from a directory to its newly created contents, m: changes the mask), -x removes ACL permissions from a file / directory according to the given options (u:(<user>) for a particular single user, if it is not specified, the settings are valid for all users, g:(<group>) for a particular group, if it is not specified, the settings are valid for all groups), -b removes all ACL permissions from a file / directory, -R recursively
# setfacl -m u:kuba:rw /home/dookie/soubor.txt
# setfacl -x g:users /home/dookie/soubor.txt
# setfacl -m d:u:david:rwx /home/dookie
# setfacl -m o:000 /web
# setfacl -m u::rwx,g::rx,o::rx /bin/chmod
# setfacl -m m::rwx /web/logs
# setfacl -bR /home/dookie
getfacl <file/directory> prints ACL permissions to a file/directory for particular single users or groups (provided they are set up), -n prints UID and GID instead of an account name, -R recursively, -s skips files with basic permission entries
chattr <operator><attribute> <file/directory> changes attributes of a particular file/directory on ext2, ext3 or ext4 file system; operator + adds, - removes and = sets an attribute; attribute a prevents from removing and modifying a file (applicable even for root), permits appending new data to the file only, d prevents from backup by "dump" program, i prevents from removing and any kind of modifying a file (applicable even for root); -R recursively
# chattr +i /etc/inittab
lsattr / lsattr <file/directory> prints attributes of the contents of the working directory / a particular file or the contents a particular directory on ext2, ext3 or ext4 file system, -a prints hidden files as well, -d directory itself, without its contents, -R recursively
su <user> / su - <user> changes the effective UID and GID to that of the given user / including the user's environment
su (root) / su - (root) changes the effective UID and GID to root / including root's environment
sudo (<parameter>) (<command>) allows a permitted user to execute a command as root or another user (without knowing the password) as specified in /etc/sudoers in the following order: <user> <host> = (<original_user>) (<verification>:) <command> (in absolute form); at the beginning of the file it is possible to define by capital letters aliases representing the permitted users, original users, hosts and commands, considering that "ALL" expression represents any value in the mentioned items:
dookie ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /mnt/cdrom
(dookie is allowed to mount cdrom and unmount it without a password requirement)
tim localhost = /bin/su [!-]*, !/bin/su *root*
(tim is allowed to switch to any user except root on the particular host without loading the user's environment)
%admin ALL = SERVICES, PROCESSES, STORAGE
(the members of "admin" group are allowed to execute all the commands represented by the particular aliases on all hosts)
-b runs the given command in the background, -l prints information whether the logged-in user is allowed to use "sudo" and which commands he may execute on the current host, -u <user> runs the specified command as a user other than root; only root is allowed to edit /etc/sudoers by "visudo" command; the usage of "sudo" is logged to /var/log/secure
$ sudo /sbin/shutdown -h now
$ sudo -u tom ls ~tom
$ sudo sh -c "cd /home ; du -s * | sort -rn > usage"
$ sudo su - root -c /bin/bash
visudo edits /etc/sudoers, -c verifies the integrity of the file, -f <file> specifies an alternative sudoers file instead of /etc/sudoers
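Added example (not the page's or sudo's own code): a small awk-based check over a file in the sudoers format described above, reporting rules that carry a NOPASSWD: tag or grant ALL commands, which are the rules a review of /etc/sudoers reads first. The sample sudoers content is constructed from the page's own examples; the parser is deliberately simple and does not expand aliases or join backslash line continuations.

```shell
# Added example, not from the original page or from sudo itself: flag the
# sudoers rules an audit wants to see first. Constructed sample input.

SAMPLE_SUDOERS="$(mktemp)"
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample sudoers
Defaults    env_reset
Cmnd_Alias  SERVICES = /sbin/service, /usr/bin/systemctl
root    ALL = (ALL) ALL
dookie  ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /mnt/cdrom
tim     localhost = /bin/su [!-]*, !/bin/su *root*
%admin  ALL = SERVICES
backup  ALL = (ALL) NOPASSWD: ALL
EOF

# audit_sudoers <sudoers-file>
# prints "<user-or-%group> nopasswd" for every rule with a NOPASSWD: tag and
# "<user-or-%group> all-commands" for every rule whose command list contains ALL.
# Simplifications: aliases are not expanded, continuations are not joined, and
# a tag is only recognised on the list item it is written on.
audit_sudoers() {
    awk '
    /^[ \t]*#/ { next }                                      # comments
    NF == 0    { next }                                      # blank lines
    /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next                                    # not a user spec
        who = $1                                             # user, %group or alias
        rhs = substr($0, eq + 1)
        gsub(/\([^)]*\)/, "", rhs)                           # drop the "(runas)" part
        n = split(rhs, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c ~ /NOPASSWD:/) print who, "nopasswd"
            sub(/^([A-Z_]+:[ \t]*)+/, "", c)                 # strip PASSWD:/NOPASSWD: tags
            if (c == "ALL") print who, "all-commands"
        }
    }' "$1"
}

audit_sudoers "$SAMPLE_SUDOERS"
```

Run `visudo -c -f <file>` first: the check above assumes a syntactically valid sudoers file.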
umask / umask <permissions> prints/sets default permissions for newly created files and directories in the following order: user (owner) - group - others in a numeric (octal) expression, however the digits stand for the permissions that are to be taken from the given system value 666 for files and 777 for directories, -S symbolic expression; (permanent setup in ~/.bashrc or ~/.bash_profile, the default global value is 002 for ordinary users and 022 for root in /etc/bashrc)
$ umask 0027 / umask 27
(the owner has all permissions, the group has read permissions and access to directories and others have no permissions)
Last modified: 2019/02/23 16:21 by Miroslav Bernát