LPI 010-160 – User Accounts and Groups part 1

1. Understanding User Accounts

Let’s talk about user accounts. Like most other modern operating systems, Linux is a multiuser operating system. This means that a single Linux computer can support many users. Each of these can have their own unique account. Now, in previous videos I’ve referred to accounts in passing but we really haven’t covered them in detail yet. In this video we’re going to describe the important account principles and some commands that can be used to work with these accounts. As we move further along in the course we’re also going to talk about groups which are collections of accounts that can be given special permissions within the Linux system.

Another special account, known as Root has special permissions that perform most system administration tasks and we’re going to discuss that in a later video too. Now, user accounts are going to enable multiple users to share a single physical computer without causing each other any kind of trouble. Now it allows system administrators to track who is doing what on the system and what resources they’re using. This way you can know what people are doing and whether it’s allowed or whether doing bad things. Now, most account features are defined in the etc pawed file known commonly as the etc password file. This contains a list of comma delimited lines and each of those comma delimited lines has a record defining a single user account.

Now each of those lines has a lot of different fields that contain information about that user. Let’s take a look at the information. First, we have a username. An account’s username is the most relevant feature here. Most Linux account usernames consist of lowercase letters and occasionally some numbers. So for instance, my username might be Jason Dion. Underscores and dashes are also considered valid characters in some Linux distributions as our dollar signs at the end. But you cannot use spaces, so I can use Json dion, but not Jason space Dion. Next, we have a password. User accounts are typically protected by a password which is required to log into the computer as that user.

The password field in the etsy password file though usually contains an x, which is a code meaning that the password is actually stored in a different file known as the shadow file. This is stored in the etc shadowFile. After that we have the UID, which in reality is just a user identification. Now the username is just a label that the computer displays to make it human readable. But again, computers like numbers, not names. So the computer uses a user identification number, a UID, to track the accounts. This UID begins with Zero. In most distributions your user accounts are going to start at 10 or above with lower numbers reserved for system accounts. After that we have a Gid. Gid is a group ID.

Accounts can be tied to one or more groups and the way we do this is by gathering up different accounts that are acting in similar ways for instance, I might have a group of students and a group of teachers and a group of administrators. The difference is that a group is a collection of accounts. One of the primary purposes of groups is to enable users to give certain users access to their files while preventing other people from doing that. And by best practice, you want to do this through groups and not through the direct user identification number. After that, we have a comment field. The comment field normally holds the user’s full name, although you can really hold any information you want inside this field. After that, we have the home directory.

This says where the user account’s home directory is. Each user account and some of the system accounts will have a home directory. A home directory is an account or homebase where all your files, folders, documents and pictures will be. Normally, the ownership of the account’s home directory is reserved to the account that it belongs to. After that, we have the default shell. As we talked about before, you can choose which shell you want to use on a Linux system and this is going to be stored inside this line. A default shell is going to be associated with every single account by default. This is normally the slash bash, so you have the bash shell, but the individual user can change this if they want to.

2. Account Security

So we’ve talked about the fact that the user account is protected with a password. In the past, the etsy password file actually held the password information. And since it must be readable by all users, storing your password here was really risky, because if I had the Json dion and then password right next to it, you could just go in and read my password. So to correct this, we have moved the passwords out of that password file and into the shadow file. Ordinary users can’t read the shadow file because this file associates passwords stored using what’s known as a salted hash. Now, assaulted hash uses a one way mathematical process with additional random input to produce what looks like nonsense or gibberish to us humans. When the user types a password, it’s actually salted and hashed.

And if that salted hash matches what’s in the shadow file, you get access to the system. Now, a typical etsy shadow file is going to contain comma delimited fields, just like the password file did. Let’s take a look at these fields. First, we have the username. The username is going to be on each line, and it’s going to start that line. Note that you’re not going to see the UID here inside the shadow file, like you did with the password file. Second, we have the password. The password is going to be stored as a salted hash, like I just said. So it bears no obvious resemblance to the actual password. So, for instance, here the password might really be the word puppy or cupcake, but this doesn’t look anything like that.

Now, an asterisk or an exclamation mark is going to denote that an account has been locked. And this might be because the person entered the password in too many times incorrectly. If you see an exclamation or an asterisk on that password, that’s what this means. After that, we have the last password change. This is the date stored as a number of days since January 1, 1970. So if you have the number 3205, you could figure out what date that was last changed from. Next, we have the days until a change is allowed. Some password policies will have a number of days that you have to keep a password before changing it. This prevents your passwords from changing their passwords when it expires and then immediately changing it back to the old password.

Now, the next thing we have is our days before a change is required. Like I just said, users are going to have to change their passwords after a certain number of days. Most organizations, this is 45, 60, or 90 days. After that time, the password is considered expired and must be changed for security reasons. Next, we have days of warning before password expiration. When should the system tell you, hey, you have seven days until your password is going to expire? You get to make that setting. In our organization, we use ten days that gives most people at least two weeks to be able to go forward and change their password before it expires but not allow them to change it too early. Next we have the days between expiration and deactivation.

Linux is going to allow for a gap in time between the expiration of an account and its complete deactivation. Now you can have an expired account that can’t be used and it may require the user to change their password immediately after they log in because the account is expired. This means, for instance, we had 60 days to change your password you didn’t change it and now it stays 61. It will let you log in one more time but it will force you to change that password now or if your system is set up where you can’t log in anymore, you might have to contact the system administrator to unlock your account. In either case, your password remains intact sitting here in the shadow file.

Now, a deactivated account, on the other hand the password will actually be erased and that account cannot be used until the system administrator reactivates it again. That’s the difference between an expired account and a deactivated account. After that, we have the expiration date. This shows the date on when the account will actually expire. Just like the last password change date. This date is expressed as a whole number in the number of days since January 1. One, 1970. After that, we have our last field, the special flag. This field is reserved for future use. And really, it isn’t used by most people or it has some meaningless value. That’s it. That’s all the fields we have inside the shadow file. Now, the shadow file is usually stored with very restrictive permissions which has the ownership of it by the root user.

This is important because that means the shadow password system utility keeps non root users, all your regular users from reading the file and obtaining the password list even though it’s in that salted and hashed form because there are tools that can take that salted and hashed form and try to crack the passwords. Now, by contrast, the password file, the etc password, must be readable by all users including the ordinary users and therefore it has less restrictive permissions. It’s also important to realize that an account isn’t a single entity like a program binary file account information is really spread across several configuration files across your system. This includes the files like the etsy password, etsy shadow and slash etsy group and even some other configuration files depending on your distribution.

3. Understanding Groups

Let’s talk about groups. Groups are collections of accounts. They’re defined inside the Etsy group file. Just like the password file, the group file contains colondelimited records or lines, and each one defines a single group. Now, as we look through the group file, let’s take a look at some of these fields. First, we have a group name. The first field is the name of the group use with most commands that associate or manipulate group data. Second, we have a password. Groups, just like users, can have passwords. A value of x here means the password is defined elsewhere, but it also can be disabled. An empty password field means the group has no password. After that, we have the Gid, which is the group identification.

Linux uses Gid values just like it uses user. ID values and it uses them internally. Translation to and from the group names is done for the benefit of us as humans, users and administrators. After that we have a user list. This will specify the users who belong to the group in this comma delimited list at the beginning of your Etsy group record. Now, it’s important to recognize that users can be identified as members of a group in a couple of different ways. The first way is by specifying the group’s gid in the user’s individual Etsy password file. Now, if you look through the Etsy password file and look at their entry, there is room for only one group ID value.

So only one group can be defined in this way. This is the user’s primary or default group. But if you want to have additional groups assigned, you can do it a different way. And that’s by specifying usernames in the user list inside of the group file. So a single user can appear multiple times in the Etsy group file, and a single group can have lots of users associated with it in this way. So if a user is associated with a group in this way, but not via the user’s password entry, this group association is considered secondary. Now, when you’re creating new files, those files will be associated with the user’s current group.

When a user logs into the system, the user’s current group is set to their primary group. To create files that are associated with another group the user belongs with, they have to use the command new groupgrp, then they’ll give it the group name. So for instance, if I use new group group two, that makes group II the current group. So the files created from this point forward will be associated with that group. Group ownership of files is really important in file security, and we’re going to talk about that more in a different video.

4. Using Account Tools

Let’s take a look at some commands that can be used to learn about the users and groups on a Linux system. Most notably we have the who am I and the ID utilities which can tell a user about their own identity and the who and the W utilities which can give information about who is currently using the computer. If the user has multiple accounts and they can’t remember which one they’re logged in as well, that’s when you use the who am I command. To do this, just type in who am I and hit Enter at the command line and it will display the current user ID. Typing who am I in the prompt will display a currently logged in username and therefore you’ll know who you are if you need more information.

That’s where the ID utility can be used. Typing ID will usually show the current UID for the username. It will also give you the current gid and all of the group’s memberships for that user. The ID command displays both the numeric UID and the gid values as well as their associated names. This way you know what the computer thinks and the way we read it. As humans, the current group is the one that’s always going to be active, either by default or because they use the new group command last. Now, Linux is going to let multiple users access a computer simultaneously because it’s a multiuser OS. Most often this is done through remote access by using something like Secure Shell or Ssh.

However, users can also use the VT, which is Linux’s virtual terminal feature, to log in multiple times with a single keyboard and monitor. In some instances it’s good to know when you’re using the computer before shutting it down and that way you can avoid the inconvenience to other users who may still have other work to do. So to do this you want to figure out who’s online and we do this using a command known as who. Information provided in the default output for the who command has a couple of pieces of information. First we’re going to get the username, which will be the first column of the who’s output command. This tells us who is logged in. Second we have the terminal Identifier.

This second column of the who’s output will show a code associated with the terminal. If you see zero as the Identifier, it means you’re logged in locally using the graphical user interface. There’s also a thing showing as Pts or Tty with a number.So if you have something like Tty one that indicates a text session in Terminal One. Now a tech session can be a terminal launched inside of a Gui. It can be a text mode console login, or it could be an Ssh or other protocol using a remote login. After that we have the login date and time. This will tell you when the person actually logged into the system. So if they’ve been logged in for five minutes or 5 hours or five weeks.

You can know that information. After that we have the remote host and this final column will tell you what the login source was. Again, you can have a console login using both text mode or graphical logins. And these won’t have a source, but if you have a source like a number number or a number listed, this will indicate the terminal open that the person is using. You might see a host name or an IP address telling you that there’s a remote access to this computer from somebody at IP address, whatever that IP address is. Another alternative to who is a program called W. Now W is similar to who, but it produces more verbose output, including terminal Identifiers, login times and other things in different formats.

So in addition to the stuff we just talked about with who, w can also tell you the session’s idle time. This tells you how long somebody’s been on, but they haven’t interacted with the session. So if I logged on two weeks ago, but I haven’t done anything since, you’ll know that, and then you might be more comfortable with shutting down the computer. Next we see a column called Jcpu. This column identifies the total amount of CPU time that was associated with that particular session. So you can know if that user is actually using the computer and doing things with it.

We also have another column called Pcpu and this will tell you the amount of CPU time with the current processes running inside that session. So again, you’re going to see the total amount with that user and the total amount for from the current process. And then we have the what column and this tells you what the session is actually running and doing. As you can see, you can use the who and the W command to figure out who is actually logged into a system at any given time and what they’re really doing. W gives you more information than who, but both are really useful.