
Understanding users and groups
Linux is a multi-user system. Its security model depends on defining users (individual accounts) and groups (collections of users) to control who can access and modify files, run programs, and use system resources.
Understanding how users and groups are managed is fundamental to system administration and security.
/etc/passwd
The /etc/passwd file is a plain text file that lists all user accounts recognized by the system. It traditionally held user passwords in encrypted form, but for better security, this is no longer the case.
Each entry in /etc/passwd occupies one line and consists of seven colon-separated fields:
Username (Login Name): The user’s login name, which must be unique. Login names cannot contain colons or newlines.
Password Placeholder: This field now typically contains an x on Linux, indicating that the actual encrypted password is stored in the /etc/shadow file. Leaving this field empty creates a major security hole, because no password would be required to log in to the account.
User ID (UID): The unique numeric identifier for the user.
Group ID (GID): The default GID for the user’s primary group.
Comment (GECOS) Field: Can contain any user information, such as the user’s full name, office number, and phone numbers. The chfn command allows users to change their own GECOS information.
Home Directory: The absolute path to the user’s home directory, where they are placed upon login and store their personal files.
Login Shell: The program that runs when the user logs in, typically /bin/bash for the BASH shell, or /bin/tcsh for the TCSH shell. Linux systems support the chsh command to change a user’s shell, limiting choices to those listed in /etc/shells.
Directly editing the /etc/passwd file is not recommended; user management tools like useradd, usermod, and userdel, or GUI tools like GNOME’s users-admin or KDE’s KUser, should be used instead. If manual editing is necessary, vipw should be used, as it locks the file to prevent conflicting edits.
/etc/group
The /etc/group file defines UNIX groups and lists their members. It helps manage permissions for multiple users collectively.
Each entry in /etc/group occupies one line and consists of four colon-separated fields:
Group Name: The unique name of the group.
Password Placeholder: This field often contains an x when shadow security is implemented, indicating that the actual group password is stored in /etc/gshadow. Group passwords are rarely used, though Linux has real support for them.
Group ID (GID): The unique numeric identifier for the group.
Members List: A comma-separated list of user login names that belong to this group.
/etc/shadow
The /etc/shadow file stores encrypted passwords and advanced password aging information. Access to this file is strictly restricted to the root user, significantly enhancing security by preventing unauthorized access to hashed passwords.
Each line in /etc/shadow represents a user and contains nine colon-separated fields:
Login Name: The user’s login name, linking the shadow entry to the /etc/passwd entry.
Encrypted Password: The hashed password. Different hashing algorithms are supported, such as traditional crypt (DES-based), MD5, Blowfish, and SHA256. MD5 passwords start with $1$ or $md5$, Blowfish with $2a$, and SHA256 with $5$. Accounts can be disabled by prefixing the password with ! or *.
Date of Last Password Change: The number of days since January 1, 1970, that the password was last changed.
Minimum Days Between Password Changes: The minimum number of days a user must wait before being able to change their password again. Setting this to 0 is common to allow immediate changes if needed.
Maximum Days Between Password Changes: The maximum number of days a user can go without changing their password, used to enforce password aging.
Warning Period: The number of days before password expiration that the user will receive a warning message.
Inactivity Period: On Linux, this specifies how many days after the maximum password age the account remains active before being disabled.
Account Expiration Date: The date on which the account will expire. If blank, the account never expires.
Reserved Field: Currently empty on Linux and HP-UX, but Solaris uses it to count failed login attempts.
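As an added example (not part of the original notes), the functions below read text in the /etc/passwd, /etc/group and /etc/shadow layouts described above and flag the risky states the notes call out: an empty password field in passwd, a second UID-0 account, an empty or MD5 hash in shadow, and a maximum age of 99999, which effectively switches password aging off. The three samples are constructed for illustration and the hash strings are placeholders, not real hashes; $6$ (SHA-512) is not in the notes above but is the common default today. The function names are chosen here.

```shell
#!/bin/sh
# Added example: audit constructed passwd/group/shadow text for risky entries.
# Samples are invented; hash strings are placeholders, not real password hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1501:1501:Alice Smith:/home/alice:/bin/bash
backup::1502:1502:Nightly backup:/home/backup:/bin/bash
toor:x:0:0:spare root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,backup
developers:x:1000:alice
www-data:x:33:'

SAMPLE_SHADOW='root:$6$PLACEHOLDER$HASH:19700:0:99999:7:::
alice:$5$PLACEHOLDER$HASH:19700:0:90:7:14::
backup::19700:0:99999:7:::
toor:!$6$PLACEHOLDER$HASH:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::'

# passwd_findings CONTENT: one "<user> <finding>" line per problem in passwd-format
# text. An empty second field means no password is required at all; a second
# UID-0 account is a second root.
passwd_findings() {
  printf '%s\n' "$1" | awk -F: '
    NF != 7                 { print $1 " malformed-entry"; next }
    $2 == ""                { print $1 " empty-password-field" }
    $3 == 0 && $1 != "root" { print $1 " uid0-not-root" }
  '
}

# group_members CONTENT GROUP: the comma-separated members list (fourth field) of GROUP.
# Useful for answering "who can become root through the sudo group?"
group_members() {
  printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# hash_kind HASHFIELD: classify a shadow password field by its prefix.
hash_kind() {
  case "$1" in
    "")                      echo none ;;
    '!'*|'*'*)               echo locked ;;
    '$1$'*|'$md5$'*)         echo md5 ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
    '$5$'*)                  echo sha256 ;;
    '$6$'*)                  echo sha512 ;;
    *)                       echo other ;;
  esac
}

# shadow_findings CONTENT: one "<user> <finding>" line per problem in shadow-format text.
shadow_findings() {
  printf '%s\n' "$1" |
  while IFS=: read -r user hash last min max warn inact expire reserved; do
    kind=$(hash_kind "$hash")
    case "$kind" in
      none) echo "$user no-password" ;;
      md5)  echo "$user weak-hash-md5" ;;
    esac
    # 99999 in the maximum-age field means the password never has to change
    if [ "$max" = 99999 ] && [ "$kind" != locked ]; then
      echo "$user no-password-aging"
    fi
  done
}

# Usage on the constructed samples (point it at the real files only as root, read-only):
passwd_findings "$SAMPLE_PASSWD"
echo "sudo group members: $(group_members "$SAMPLE_GROUP" sudo)"
shadow_findings "$SAMPLE_SHADOW"
```

On a real host the same functions take the file contents, for example shadow_findings "$(sudo cat /etc/shadow)". Field splitting uses IFS=: with read -r, which preserves empty fields, so a blank password field is seen as blank rather than skipped.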
User Management Commands
Now that you understand the configuration files (/etc/passwd, /etc/group, /etc/shadow), it’s time to learn the commands used to modify them. These commands are the tools for creating users, changing permissions, and performing administrative tasks.
A Word of Caution: These commands can significantly change your system’s security and functionality. Always use them carefully.
1. sudo (SuperUser DO)
The sudo command provides a controlled way for ordinary users to execute commands with root-level administrative access for specific tasks.
Purpose and Usage
◦ It allows users to perform specified superuser operations without needing full root-level control.
◦ To use sudo, a user precedes the command with sudo (e.g., sudo date).
◦ Unlike su, sudo typically prompts for the user’s own password (not the superuser’s) for authentication.
# Basic syntax
sudo [command]
# Update the package list (requires root privileges)
sudo apt update
# Edit a system configuration file (e.g., the hosts file)
sudo nano /etc/hosts
# View the protected /etc/shadow file (root can read every account's entry)
sudo less /etc/shadow
# Run a command as another user (e.g., 'www-data')
sudo -u www-data whoami
2. su (Substitute User)
The su command allows a user to temporarily switch to another user’s identity within the same login session, most commonly used to become the root user.
Purpose and Usage
◦ When invoked without arguments (e.g., su), it prompts for the root password and starts a root shell.
◦ The user retains root privileges until they exit the new shell, typically by typing exit or CTRL-D.
◦ Once logged in as root, su can be used to switch to any other user account without requiring that user’s password.
◦ The -l option (or simply -) is crucial as it makes the resulting shell a login shell, loading the target user’s environment variables and changing the working directory to their home directory.
# Switch to the root user (you will be prompted for root's password)
su -
# Switch to another user (e.g., 'alice')
su - alice
3. useradd (Create User Account)
The useradd command is a command-line utility used to create new user accounts on a Linux system.
Purpose and Usage
◦ It creates a new login name and, by default, a home directory for the new user, populating it with skeleton initialization files.
◦ useradd takes various options to specify user properties, overriding the default values.
# Basic syntax (requires sudo)
sudo useradd [options] <username>
# Create a new user with a home directory and default settings
sudo useradd -m -s /bin/bash alice
# Create a user with a specific UID and a comment (GECOS)
sudo useradd -m -u 1501 -c "Alice Smith" -s /bin/bash alice
• -m (--create-home): Crucial! Creates the user’s home directory (e.g., /home/alice).
• -s (--shell): Sets the user’s login shell (e.g., /bin/bash).
• -c (--comment): Adds a description, usually the full name.
• -u (--uid): Manually specifies a UID.
4. usermod (User Modifier)
The usermod command is used to modify the properties of an existing user account.
# Basic syntax
sudo usermod [options] <username>
# Add a user to a supplementary group (e.g., the 'sudo' group)
sudo usermod -aG sudo alice
# Change a user's primary group
sudo usermod -g developers alice
# Change a user's home directory (use -m to move contents)
sudo usermod -d /new/home/alice -m alice
# Change a user's login shell
sudo usermod -s /bin/zsh alice
# Lock a user account (disables password login)
sudo usermod -L alice
# Unlock a user account
sudo usermod -U alice
• -aG (--append --groups): Extremely important. The -a flag ensures the user is added to the new groups without being removed from their current ones. Forgetting -a will remove the user from every supplementary group not named in the -G list!
5. passwd (Change Password)
The passwd command is a utility used to set or change a user’s password.
◦ An ordinary user can use passwd to change their own password.
◦ The root user can use passwd to change the password for any user on the system.
◦ When changing a password, the command typically prompts for the old password (if applicable) and then for the new password twice for confirmation.
Viewing and managing processes
A process is a running instance of a program with its own allocation of system resources like memory and CPU time. A service (or daemon) is a special type of process that runs in the background, usually starting at boot and providing functionality to other programs (e.g., a web server, scheduler, or database).
Understanding how to view and control these is essential for system administration, troubleshooting, and optimization.
Viewing Processes
1. ps (Process Status)
The ps command provides a snapshot of current processes at the moment the command is executed.
◦ By default, ps shows processes associated only with the current terminal session.
◦ Adding the x option displays all processes owned by the user, regardless of whether they are controlled by a terminal.
◦ The aux option (BSD-style behavior) provides more comprehensive information for processes belonging to every user.
Output can be very long, so it’s often piped to less for easier viewing, allowing you to scroll through the results. The most useful columns are:
◦ PID: The unique Process ID assigned by the kernel.
◦ PPID: Parent Process ID, which is the PID of the process that created it.
◦ TTY: The terminal identifier (teletype) controlling the process. A ? indicates no controlling terminal.
◦ TIME: The amount of CPU time consumed by the process.
◦ CMD (COMMAND): The name of the command or process being executed. Kernel threads are often displayed in brackets, like [kacpid].
◦ USER: The username of the process’s owner.
◦ %CPU: CPU usage in percent.
◦ %MEM: Memory usage in percent.
◦ VSZ: Virtual memory size.
◦ RSS: Resident Set Size, the amount of physical memory (RAM) the process is using in kilobytes.
◦ STAT: The current status of the process. Common states include:
▪ R: Running or ready to run.
▪ S: Sleeping, waiting for an event.
▪ D: Uninterruptible sleep, waiting for I/O.
▪ T: Stopped, instructed to pause.
▪ Z: Defunct or “zombie” process, a terminated child not cleaned up by its parent.
▪ <: High-priority process (less “nice”).
▪ N: Low-priority process (nice).
# Show processes for the current user and terminal (basic)
ps
# Show all processes for the current user
ps -u $USER
# The most common usage: Show all processes on the system
ps aux
# Show processes in a forest view (shows parent/child relationships)
ps auxf
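As an added example (not part of the original notes), the functions below pull the PID, TTY, %CPU and STAT columns described above out of ps aux output: which processes are zombies, which have no controlling terminal, which are hot on CPU, and how many sit in each state. The sample text is constructed to look like ps aux output; on a live system pass "$(ps aux)" instead. The function names are chosen here.

```shell
#!/bin/sh
# Added example: read the ps aux columns listed above with awk.
# SAMPLE_PS is constructed; the processes and numbers are invented.

SAMPLE_PS='USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 167000 11000 ?        Ss   09:00   0:02 /sbin/init
root          42  0.0  0.0      0     0 ?        S    09:00   0:00 [kacpid]
www-data    1234 85.3  2.0 400000 80000 ?        R    09:05   3:41 /usr/sbin/apache2 -k start
alice       2345  0.0  0.0      0     0 pts/0    Z    09:10   0:00 [sleep] <defunct>
alice       2346  0.0  0.0   8000  3000 pts/0    T    09:10   0:00 vim notes.txt'

# Column positions in ps aux output when split on whitespace:
#   $1 USER  $2 PID  $3 %CPU  $4 %MEM  $5 VSZ  $6 RSS  $7 TTY  $8 STAT
#   $9 START  $10 TIME  $11.. COMMAND (may contain spaces)
# NR > 1 skips the header line.

# zombie_pids CONTENT: PIDs whose STAT starts with Z (exited children the parent
# has not reaped). Killing a zombie does nothing; the parent is what needs attention.
zombie_pids() {
  printf '%s\n' "$1" | awk 'NR > 1 && $8 ~ /^Z/ { print $2 }'
}

# no_tty_pids CONTENT: PIDs with no controlling terminal (TTY shows "?"), the
# usual shape of a daemon.
no_tty_pids() {
  printf '%s\n' "$1" | awk 'NR > 1 && $7 == "?" { print $2 }'
}

# hot_pids CONTENT LIMIT: "PID %CPU COMMAND" for processes above LIMIT percent CPU.
hot_pids() {
  printf '%s\n' "$1" | awk -v limit="$2" '
    NR > 1 && $3 + 0 > limit {
      cmd = $11
      for (i = 12; i <= NF; i++) cmd = cmd " " $i
      print $2, $3, cmd
    }'
}

# state_counts CONTENT: number of processes per primary state letter (first
# character of STAT; the trailing s, <, N and similar flags are ignored).
state_counts() {
  printf '%s\n' "$1" |
    awk 'NR > 1 { n[substr($8, 1, 1)]++ } END { for (s in n) print s, n[s] }' | sort
}

# Usage on the sample:
echo "zombies: $(zombie_pids "$SAMPLE_PS")"
echo "no controlling terminal: $(no_tty_pids "$SAMPLE_PS" | tr '\n' ' ')"
echo "over 50% CPU: $(hot_pids "$SAMPLE_PS" 50)"
state_counts "$SAMPLE_PS"
```

The COMMAND column is joined back together from field 11 onward because it is the only column that can contain spaces; every column before it is a single token, which is what makes the fixed field numbers safe.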
2. top (Display Tasks Dynamically)
The top command provides a continuously updating display of system processes, typically refreshing every three seconds by default.
It shows a system summary at the top, followed by a table of processes sorted by CPU activity.
# Start top
top
3. htop (Interactive Process Viewer)
A modern, more user-friendly replacement for top.
It is not always installed by default but is highly recommended (sudo apt install htop).
Advantages over top:
- Full-color output.
- Scroll vertically and horizontally.
- Easily kill processes with function keys (F9).
- Mouse support.
- Tree view by default.
# Start htop
htop
Managing Processes (Controlling Processes)
1. kill (Terminate Processes)
The kill command sends a signal to a process; by itself it does not “kill” anything. The default signal is SIGTERM, which asks the process to terminate gracefully (the process can catch it, clean up, and exit). The nuclear option is SIGKILL, which the kernel enforces immediately and the process cannot catch or ignore.
# Basic syntax for kill (uses Process ID - PID)
kill [signal] <PID>
# Gracefully ask process ID 1234 to shut down
kill 1234 # or explicitly: kill -TERM 1234
# Forcefully kill process ID 1234 (use as last resort)
kill -9 1234 # or: kill -KILL 1234
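As an added example (not part of the original notes), the function below applies the order the notes recommend: SIGTERM first, a bounded wait for the process to exit on its own, and SIGKILL only if it is still there. It also handles the zombie case from the STAT list above, where a child has exited but its parent has not yet reaped it, so that a defunct process is not mistaken for a live one. The names graceful_stop and process_gone are chosen here; the demo process at the end is a throwaway sleep started for illustration.

```shell
#!/bin/sh
# Added example: SIGTERM, wait, then SIGKILL as a last resort.

# process_gone PID: true once PID no longer exists, or is a zombie (a child that
# has exited but has not yet been reaped by its parent). Linux exposes the state
# letter as the third field of /proc/PID/stat; elsewhere fall back to kill -0.
process_gone() {
  if [ -r "/proc/$1/stat" ]; then
    state=$(sed 's/.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null)
    [ "$state" = Z ]
  else
    ! kill -0 "$1" 2>/dev/null
  fi
}

# graceful_stop PID [GRACE_SECONDS]: send SIGTERM, poll once a second for up to
# GRACE_SECONDS (default 5), then send SIGKILL if the process is still running.
# Exit status: 0 ended on SIGTERM, 1 needed SIGKILL, 2 no such process.
graceful_stop() {
  pid=$1
  grace=${2:-5}
  process_gone "$pid" && return 2
  kill -TERM "$pid" 2>/dev/null || return 2
  waited=0
  while [ "$waited" -lt "$grace" ]; do
    sleep 1
    process_gone "$pid" && return 0
    waited=$((waited + 1))
  done
  kill -KILL "$pid" 2>/dev/null
  return 1
}

# Demo on a throwaway background process (constructed for illustration):
sleep 30 &
demo_pid=$!
graceful_stop "$demo_pid" 5
echo "graceful_stop exit status: $? (0 means the process ended on SIGTERM)"
wait "$demo_pid" 2>/dev/null || true
```

The exit status tells you which path was taken, which is worth logging: a service that regularly needs SIGKILL is one that is not handling SIGTERM, and that is a bug in the service rather than a reason to reach for kill -9 first.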
2. systemctl (Controlling System Services)
This is the primary tool for managing services (daemons) on modern Linux distributions using systemd.
It controls what starts at boot and allows you to manage long-running background processes.