October 5, 2016

So You Think You Know Linux User Management

herd-of-cats.jpg

Linux user management
Carla Schroder offers some useful tips and tricks for managing Linux users and groups.

Sure, managing users and groups on a Linux system is Linux 101. Not even that, it's Linux pre-school. But maybe this roundup of tips and tricks will show you something useful you didn't already know.

View UID, GID, Group

The id command shows a user's UID, GID, and group assignments:


$ id carla
uid=1000(carla) gid=1000(carla) groups=1000(carla),
4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),
113(lpadmin),128(sambashare),999(docker)

Use the -u flag to show only the UID, -g for GID only, and -gn to display the user's primary group name.

Find All User Files

Use the find command to list all files belonging to a user. This example searches only /home, and records the results in a text file. You might want to search the entire filesystem, especially when you're listing the files of a user that you are planning to remove from the system:


# find /home -uid 1001 | tee 1001-files.txt

You may search by -gid as well, to find files per group ownership.

Transfer File Ownership

You can transfer ownership of all the files belonging to one user to another user, perhaps a system user that you created especially for this purpose. This example changes ownership of all the files in a user's home directory:


# chown -R newuser:newuser /home/username

The sure way to find and change ownership on all of a user's files is to use find again, and search your entire filesystem. This may take a long time:


# find / -uid 1003 -exec chown -v 1010:1010 {} \;

You may use the user and group name if you prefer: chown -v newuser:newuser.

You may perform this same operation by -gid as well.

Adding and Removing Users

There is a lot of cruft in the Linux user management commands, and so we have useradd, userdel, usermod, groupadd, groupdel, groupmod, adduser, and addgroup.

adduser and addgroup exist on Debian and Debian derivatives such as Ubuntu. adduser and addgroup are Perl wrappers for useradd and groupadd. adduser walks you through a wizard for creating a new user. adduser and addgroup get their default settings from /etc/adduser.conf.

adduser is on Red Hat/CentOS/Fedora, but it is only a symlink to useradd, so it behaves like useradd.

useradd, userdel, usermod, groupadd, groupdel, and groupmod are present on all Linux distributions. Defaults for useradd are in /etc/default/useradd, or view them with useradd -D.

There is a funny quirk with useradd. Back in the olden days, it defaulted to putting all users into the same group, users (100), which meant that all users' files were visible to all users. Then Red Hat created the "User Private Group" modification, which put every user into their own personal group, and nobody else could access their files without permission. There were raging flamewars over which way was the right way. Ah, the good old days, when the smallest change guaranteed months of fighting.

I'm sure you know all this, but let's review adding and removing users anyway. adduser walks you through all the steps:


# adduser newbie
Adding user `newbie' ...
Adding new group `newbie' (1009) ...
Adding new user `newbie' (1007) with group `newbie' ...
Creating home directory `/home/newbie' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for newbie
Enter the new value, or press ENTER for the default
        Full Name []: newbie user
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n]

/etc/skel is a nice little convenience; just put any files you want copied into all new users' home directories in it.

useradd makes you do more:


# useradd -m -s /bin/bash -c User_Six,,,, user6

That creates the user's home directory, assigns a login shell, and uses the comment field for the full name. This is how it looks in /etc/passwd:


user6:x:1010:1012:User_Six,,,,:/home/user6:/bin/bash

The commas are optional, and distros differ: Ubuntu uses four commas, and CentOS 7 doesn't use any. The commas separate the GECOS fields. GECOS is a holdover from the very olden days and stands for "General Electric Comprehensive Operating System." You can see what each field is for in the adduser output, though you can use them for anything you want.

deluser has several useful options for removing users. You can delete the user without deleting their files:


# deluser user7

Or remove all files on the system that belong to them:


# deluser user7 --remove-all-files

Backup the files in their home directory to /$user.tar.bz2:


# deluser user7 --backup

Or use --backup-to to select your backup directory.

userdel has an additional useful option, and that is --selinux-user to remove the user's SELinux mappings.

Find and Slay User Processes

When you remove a user from your system, you should look for any stray processes they may have left behind:


$ ps U 1010

Or search by username:


$ ps U username

Then kill their leftover processes in the usual way, # kill [process number]. Or try the slay command, which finds and kills all processes belonging to a user, saving you the trouble of hunting down all of them. Use the -clean option to make clean shutdowns:


# slay -clean username
slay: Whoa, I have the power supreme.

slay has four modes, which you set in /etc/slay_mode: nice, normal, mean, and butthead.

Please refer to the fine man pages for these commands to learn about all of their options; yes, the man pages, because consulting the authoritative reference is a lot faster than testing bad answers from a Web search.

Advance your career in Linux System Administration. Check out the Essentials of System Administration course from The Linux Foundation.

Click Here!