Linux User Management
From KevinWiki
Latest revision as of 06:38, 13 March 2022
Add a new user on Linux
Use THIS!!!
Details: https://www.linode.com/docs/security/securing-your-server
$ adduser yourusername
$ usermod -a -G sudo yourusername
Now, use the new username to log in.
Essential
One way to add a new user on Linux is to use the useradd command.
$ useradd <username>
# You probably need to use the sudo command.
$ sudo useradd <username>
With Home Directory
However, a user added this way has neither a password nor a home directory. To specify the home directory, use the -d option. To also create the home directory and set it for the user when adding the new user, use the -m option together with -d.
$ useradd -d <home directory path> -m <username>
$ useradd -d /home/newuser -m newuser
With Specifying Login Shell
After using useradd as above, you may realise that the new user's login shell is not the one you want him or her to have. To specify the login shell, use the -s option.
$ useradd -d <home directory path> -m <username> -s <shell>
$ useradd -d /home/newuser -m newuser -s /bin/bash
Set User Password
$ passwd USERNAME
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

To get the list of valid login shells, check the /etc/shells file.

$ cat /etc/shells
# /etc/shells: valid login shells
/bin/csh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/usr/bin/screen
/bin/sh
/bin/dash
/bin/false
/bin/bash
/bin/rbash
useradd
Help Result
$ useradd --help
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR       base directory for the new user account home directory
  -c, --comment COMMENT         set the GECOS field for the new user account
  -d, --home-dir HOME_DIR       home directory for the new user account
  -D, --defaults                print or save modified default useradd configuration
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP for the new user account
  -G, --groups GROUPS           list of supplementary groups for the new user account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           specify an alternative skel directory
  -K, --key KEY=VALUE           overrides /etc/login.defs defaults
  -m, --create-home             create home directory for the new user account
  -o, --non-unique              allow create user with duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new user account
  -r, --system                  create a system account
  -s, --shell SHELL             the login shell for the new user account
  -u, --uid UID                 force use the UID for the new user account
Modify User
Change Home Directory
$ sudo usermod -d /userhome/path/ <username>
usermod
Help Result
$ usermod --help
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS mentioned by the -G option without removing him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
Remove User
Essential
A simple way to remove an existing Linux user is to use the userdel command.
$ userdel <username>
# You probably need to use the sudo command.
$ sudo userdel <username>
Also Remove Home Directory
$ userdel -r <username>
$ userdel -r newuser
userdel
Help Result
$ userdel --help
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force removal of files, even if not owned by user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
Sudoer
Add User to sudo List
-To add a user to the sudo list, run the command below
$ visudo
-Add the username after root
# User privilege specification
root,username ALL=(ALL) ALL
i -> edit -> ESC -> : -> wq
If sudo -s in new Ubuntu doesn't add user's HOME to the environment, add the following line to /etc/sudoers.
Defaults env_keep += "HOME"
WARNING: This can be dangerous so please read https://askubuntu.com/a/1187000 first.
Disable root User ID
- Do not forget to have at least one sudoer user before running this.
$ passwd -l root
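A pre-flight check for the step above, as an added example that is not part of the original wiki page: it lists the accounts that could still reach root through sudo once root is locked. It assumes sudo rights come from the `sudo` group or from a direct rule like the one shown earlier, reads a single sudoers file (no `/etc/sudoers.d`), and treats an empty shadow password field or one starting with `!` or `*` as unusable; the function names and sample accounts are constructed.

```shell
# Added example: print accounts other than root that keep a path to root via sudo.
sudo_capable_users() {
    group_file=${1:-/etc/group}
    shadow_file=${2:-/etc/shadow}
    sudoers_file=${3:-/etc/sudoers}
    {
        # Members of the "sudo" group (field 4 of the group file).
        awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # Users named directly in a rule such as: root,username ALL=(ALL) ALL
        awk '$1 !~ /^(#|%|Defaults)/ && $2 ~ /^ALL=/ { n = split($1, u, ","); for (i = 1; i <= n; i++) print u[i] }' "$sudoers_file"
    } | sort -u | while read -r name; do
        [ -n "$name" ] && [ "$name" != root ] || continue
        # Shadow field 2: empty, "*" or a leading "!" means no usable password.
        awk -F: -v u="$name" '$1 == u && $2 != "" && $2 !~ /^[!*]/ { print u }' "$shadow_file"
    done
}

# Succeeds only when at least one such account exists.
safe_to_lock_root() {
    [ -n "$(sudo_capable_users "$@")" ]
}

# Constructed sample files (not real accounts or hashes).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'sudo:x:27:alice,bob\n' > "$demo/group"
cat > "$demo/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
alice:!$6$salt$hash:19000:0:99999:7:::
bob:$6$salt$hash:19000:0:99999:7:::
carol:$6$salt$hash:19000:0:99999:7:::
EOF
cat > "$demo/sudoers" <<'EOF'
# User privilege specification
root,carol ALL=(ALL) ALL
Defaults env_keep += "HOME"
EOF

sudo_capable_users "$demo/group" "$demo/shadow" "$demo/sudoers"
if safe_to_lock_root "$demo/group" "$demo/shadow" "$demo/sudoers"; then
    echo "ok to run: passwd -l root"
else
    echo "refusing: no other account can reach root through sudo" >&2
fi
```

Called without arguments as root, the functions read /etc/group, /etc/shadow and /etc/sudoers.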
passwd
Help Result
$ passwd --help
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --lock                    lock the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximim number of days before password change to MAX_DAYS
Root Login
If you need a persistent root login, use
$ sudo -i
References
[RootSudo]
Kick Out User Logged in
How to
-Check the processes of the user whom you want to kick out, then kill the user's login shell (e.g. bash)
-To display all the processes belonging to the user.
$ ps aux | grep ${USER}
-To display only PIDs and processes belonging to the user
$ ps aux | grep ${USER} | awk '{print $2 " " $11}' | sort -gr
-To kill the process
$ sudo kill -s 9 <PID number>
Example
# username is 'user'
$ ps aux | grep ${USER}
root     19087  0.0  0.7  67964  2904 ?        Ss   13:32   0:00 sshd: user [priv]
user     19089  0.0  0.4  67964  1724 ?        S    13:32   0:00 sshd: user@pts/0
user     19090  0.0  0.6  19336  2248 pts/0    Ss   13:32   0:00 -bash
user     19100  0.0  0.2  15056  1088 pts/0    R+   13:32   0:00 ps aux
user     19101  0.0  0.2   5160   828 pts/0    S+   13:32   0:00 grep user

$ ps aux | grep ${USER} | awk '{print $2 " " $11}' | sort -gr
19105 sort
19104 awk
19103 grep
19102 ps
19090 -bash
19089 sshd:
19087 sshd:

-awk option.
# print the 2nd and the 11th columns
print $2 " " $11
(sort options
  -g, --general-numeric-sort    compare according to general numerical value
  -r, --reverse                 reverse the result of comparisons)
-Kill the bash
$ sudo kill -s 9 19090
To Kick out Another Login of Yours
$ who
user     pts/0        2008-08-24 13:25
user     pts/1        2008-08-24 12:50   <= to kick this out.

$ ps a
  PID TTY      STAT   TIME COMMAND
 2552 tty1     Ss+    0:00 /sbin/getty 38400 tty1
18988 pts/1    Ss+    0:00 -bash
19044 pts/0    Ss     0:00 -bash
19078 pts/0    R+     0:00 ps a

$ kill -s 9 18988

$ who
user     pts/0        2008-08-24 13:25

$ ps a
  PID TTY      STAT   TIME COMMAND
 2552 tty1     Ss+    0:00 /sbin/getty 38400 tty1
19044 pts/0    Ss     0:00 -bash
19080 pts/0    R+     0:00 ps a
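The two procedures above pick the login shell out of `ps` output by eye, and `grep` matches the user name anywhere on the line (the `root`-owned sshd row, the `grep` process itself, any longer user name containing it). The following added example, not part of the original wiki page, selects only login shells owned by exactly the named user, optionally on one TTY; the function names are hypothetical and the sample rows extend the page's output with two constructed lines.

```shell
# Added example: print PIDs of login shells (COMMAND starts with "-", e.g. -bash)
# owned by exactly USER, optionally restricted to TTY. Reads `ps aux` on stdin.
login_shell_pids() {
    awk -v user="$1" -v tty="${2:-}" '
        $2 == "PID"             { next }   # skip the header row if present
        $1 != user              { next }   # exact owner match, not a substring
        tty != "" && $7 != tty  { next }   # column 7 of ps aux is TTY
        $11 ~ /^-/              { print $2 }   # column 11 is COMMAND
    '
}

# Sample input: rows from the example above plus two constructed rows
# (user2 on pts/1, and a second session of user on pts/2).
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19087  0.0  0.7  67964  2904 ?        Ss   13:32   0:00 sshd: user [priv]
user     19089  0.0  0.4  67964  1724 ?        S    13:32   0:00 sshd: user@pts/0
user     19090  0.0  0.6  19336  2248 pts/0    Ss   13:32   0:00 -bash
user     19101  0.0  0.2   5160   828 pts/0    S+   13:32   0:00 grep user
user2    19200  0.0  0.6  19336  2248 pts/1    Ss   13:40   0:00 -bash
user     19300  0.0  0.6  19336  2248 pts/2    Ss   13:45   0:00 -bash
EOF
}

sample_ps | login_shell_pids user          # every login shell of "user"
sample_ps | login_shell_pids user pts/0    # only the session on pts/0

# On a live system, feed it real output and review the PIDs before killing:
#   ps aux | login_shell_pids user pts/1
```

Sending the default signal or SIGHUP first gives the shell a chance to exit cleanly; `kill -s 9` as used on this page is the fallback when the session does not go away.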