LPI 010-160 – User Accounts and Groups part 3

7. Managing Groups

In this lesson, I want to show you how to manage groups. This includes creating a group, adding people to those groups and renaming a group. So before we can get started here, we need to create a user. And I’m going to do that by using pseudo. I’m going to put the user adm, which says create me a matching home directory for this username and whatever that username is going to be. In my case I’m going to use Tim. Then I’m going to go ahead and give Tim a password by using dash p and going ahead and using whatever password I want to assign him. In this case, I’m going to create a username tim, a home directory for him named Tim and give him a password of password.

Go ahead and hit enter. And there we go. If I do ID Tim, you’ll see that Tim has been created as user 1001. He has group ID of Tim with 1001 and he is a member of the Tim group by default. In Ubuntu, whenever you create a user, you’re going to get an imaging user group as well for that person. But let’s say you’re going to create different groups because you’re running a server for a company. Maybe I hired you on to be my Linux administrator and I need to have three groups created. I need one for students, one for teachers, and one for administration. Can we do that? Well, certainly we can do a pseudo group ad command and then we’re going to use students.

We can then do sudo group ad and we can use teachers, and then we can do pseudo group ad. And now we have admin. So now that we have our students, our teachers and our admin groups, we have three groups here that we can start putting people in. If I look at the users I currently have in the system, I still only have my Deon training account, the account I’m logged into right now, and this new account I created named Tim. So I may be able to put Tim inside my admin group, but I might put Deon training inside the teachers group. Now to do this, we need to add our user to the group, and to do that, we’re going to use pseudo usermod A.

G for group A says add this feature. G says add this group and then we’re going to say what group we want. So I’m going to put Tim inside the admin group. So I’ll put the group of admin and the name of Tim. There we go. Now if I do pseudo usermod A g teachers Dion training. Deon Training is now placed into the teachers group. So you can see how this starts working as we put people around. Now how would you know who is in which group? Well, there’s a file inside the Etsy folder called group, and we can actually grab that file for the group name. So if I wanted to say, hey, who’s in the Admin group? I can just do it this way by doing grepmintsegroup.

And here you can see that there are two groups that have Admin in it. There’s one called LP Admin, which is for something else, and then there is Admin, and LP Admin is the printer Admin group. So Tim is a member of the Admin group. And so now if I want to see who’s in the teachers group, I can do the same thing by looking in here. And there you go. If you want to see the entire group of everything on this system, you can do that. But it may be a long file. And so we’re going to go ahead and do Cat etsy group. And if you do a pipe more, it’ll show you one page at a time.

So here we go. We have all of these different groups on the system. If I hit space, you’ll see even more groups. Keep hitting space, I get even more groups. And now as I go down, we see the end of the groups. And you’ll see the newest four groups are the group for Tim, the student Tim, the group called Students with no members, the group called Teachers with one member dion Training, and the group called Admin with one member, which is Tim. And so you can see who is in which of these groups. Now the next thing we want to do is we want to be able to rename a group. Maybe I don’t like the fact that it’s called Admin for the group that Tim is in, because maybe that doesn’t really say what that group really does.

In fact, it really doesn’t, because when I hear Admin, I think about system administration. In this case, Tim works in my office and so he’s one of my staff members. So maybe we want to call this staff instead. Well, we can go ahead and change that group by renaming them. Now, if I want to change the name from the Admin group to the staff group, I can do that using a command known as groupmod. Now I’m going to show you how I would look this up myself here if I didn’t know the exact syntax. So here you can see that we have a synopsis group mod, the options and the group name. So whatever I want to do to that group, it’s going to be in the middle and whatever the last thing is, that’s going to be assumed to be the group name.

So I know now this command is going to say group, mod some amount of stuff, and then the word admin. Now how do I figure out how to change the name of this group? Well, let’s go ahead and hit spacebar and we see. Here, N says that we’re going to take the name of the group and change it from group to new group. And so the way I’m going to format this command. If I hit Q is I’m going to clear my screen here. So to do this, we’re going to use pseudo. We’re going to use group mod N, the name of the new group. And in my case, I’m going to call this staff with a capital S, and then Admin, which was the former name of the group. So I’m going to go from Admin to staff if I hit enter. Now, if I want to verify that worked, I can go ahead and cat out the file of etsy group.

And now you can see those last four groups, tim, students, teachers and staff. Where before it was admin with the user Tim, it’s now staff with the user Tim. Notice Tim didn’t get kicked out of the group, the group name just changed. So again, just like everything else, we’ve done hands on. I would love for you to get into your Ubuntu machine, create some groups, create some users, move those groups around, move those users around, put them into different groups, rename the groups and get comfortable with these commands. Again, if you get lost, you can always type man and the command to get information about it, or info and the command to get information about that. Good luck and I’ll see you in the next lesson.

8. Working as root

Linux can have thousands of users operating on a single computer or server. Now, because of that, we need to have one user with a super amount of power to manage the whole computer. Now, this user, known as root, is also called our super user or our administrator. Most people use computers to do ordinary day to day computer tasks, and these user tasks are usually just something that don’t require special permissions. Our root account, on the other hand, exists to be able to enable performing these administrative tasks, things like installing new software, preparing a new disk for use in the computer, and managing ordinary user accounts by resetting passwords and doing things like that.

These tasks require access to system files that an ordinary user just doesn’t need to modify. So whenever you’re performing a command line task that requires a root privilege, you need to actually change into the root user. You can do this in three different ways. First, you can log in directly as the root user within a text mode shell or by using a remote tool such as Ssh. Some distributions don’t actually let you log in as root because they want you to log in as a regular user and then use one of the other two methods we’re about to talk about. This is considered a best practice within the security world, and so some distributions may or may not allow you to log in directly as root.

The second thing you can do is use the sue command. The sue command enables changing your user identity within the shell. So if I’m logged in as Jason and I want to switch to being Tom or to being the root, I can use the switch user or su command. So by doing this, I type in su and the username I want to go to. If you just type in su and hit enter, it by default assumes you want to become root. Now, you will have to enter the password for that user for that command to work. So if you don’t know the root password, you can’t get root access. Now, once you type su enter and you’ve gotten those root privileges by doing it, any commands you type from this point forward will operate as the root user.

When you’re done doing all the commands you want, type in the word exit and hit enter to revert to your old status as your old user and get out of root. The third thing you can do is use the pseudo command. And sudo works a lot like su, the switch user command, but it only works for one command at a time. So if I want to execute just one command, like removing a file or a directory, I can type in pseudo and then the command and hit enter. It will ask for the root password and then execute that one command as the root user. This way, you can still stay within your ordinary account privileges for everything else and only elevate your privileges for that one thing.

Some distros rely very heavily on the pseudo command and they don’t allow direct route logins by default, like I talked about earlier. So as you can see, route can be very, very powerful, but it can also be very dangerous. Users could accidentally wipe out critical application files and cause lots and lots of downtime and issues if they are not careful. On the other hand, if you have an intruder or an attacker who can get into your system and get root access, they can really do whatever they want on your system. Because this root user is the super user. They can make whatever changes they want and whatever damages they want.

They can change ownership of files, they can install other programs, all sorts of stuff. So you really want to protect that root user account. To be able to protect it, there’s a couple of things you need to do. First, you should always ask yourself if you really need root access to do what you’re doing. For example, if you’re going to log in to go browse the Internet, you should do that as a regular user, not as the root user. Sometimes there’s different ways to achieve your goal than having to use the root account. But if you need the root account, it is there for you. Second, before you press the Enter key when you’re typing a command as root, you should always stop, take your hands off the keyboard, look over the command again and make sure it’s perfect.

In every respect, a simple error can really turn catastrophic. For example, if you’re trying to delete a file in your directory and you type rmspace star star, and you meant to do star bat now instead of deleting all the bat files, you’re going to be deleting all the files. One simple mistake can really cause a lot of damage. Another thing to consider is to never run a suspicious program as root. If you download a program from some random internet site, it could be dangerous and it could have malware or have incorrect security configurations. If you run it as root, you can give it permission to run as root again and it can do lots of damage to your system. So be careful when downloading programs and installing them as root.

Also, you want to make sure you’re using root privileges for a very short period of time. Least is best here. Better yet, I like to use the pseudo command instead of using the sue command whenever I need to be root. Because again, if you forget you’re enroute and you go to delete a file, you could delete your entire hard drive. Also, you never want to leave a root shell sitting there that might be accessible to others. What I mean by this is let’s say I switched users to root, I ran a command and then I got to get some coffee, then somebody can jump on the keyboard and they have root access. We don’t want that to happen, so always log out of root before you move away from your computer.

Whenever you’re performing root maintenance and you get called away, type exit, hit enter, and that way you get out of that root shell before you leave the computer. Also, when it comes to passwords, don’t share your passwords with other people, especially the root password. You should always be cautious if you’re typing in your root password, if you’re seeing in a public area or where somebody else might be looking over your shoulder, remember, anyone with that root password has Godlike privileges on this machine. They can do whatever they want, including accessing the password, file the databases, and getting all sorts of other information from your system and be able to use it for malicious purposes.