Linux User Management

From KevinWiki

(Difference between revisions)
Jump to: navigation, search
(Add User to sudo List)
Line 184: Line 184:
<code>i -> edit -> ESC -> : -> wq</code>
<code>i -> edit -> ESC -> : -> wq</code>
 +
 +
***
 +
If <code>sudo -s</code> in new Ubuntu doesn't add user's <code>HOME</code> to the environment, add the following line to <code>/etc/sudoers</code>.
 +
<pre>
 +
Defaults  env_keep += "HOME"
 +
</pre>
 +
<b>WARNING</b>: This can be dangerous so please read https://askubuntu.com/a/1187000 first.
=== Disable root User ID ===
=== Disable root User ID ===

Revision as of 06:37, 13 March 2022

Contents

Add a new user on Linux

Use THIS!!!

Details: https://www.linode.com/docs/security/securing-your-server

$ adduser yourusername 
$ usermod -a -G sudo yourusername 

Now, use the new username to log in.


Essential

One way to add a new user on Linux is using useradd command.

 $ useradd <username> 
# You probably need to use Sudo command.
$ sudo useradd <username> 


With Home Directory

However, the user added will have neither the password nor the home directory. If you want to specify the home directory, you can use -d option. If you also want to create home directory and set it for the user when adding a new user, you can use -m option with -d.

$ useradd -d <home directory path> -m <username> 

$ useradd -d /home/newuser -m newuser 

With Specifying Login Shell

After using useradd above, you may realise that the new user's login shell is not the one you want him or her to have. So in order to specify the login shell, you can -s option.

$ useradd -d <home directory path> -m <username> -s <shell> 

$ useradd -d /home/newuser -m newuser -s /bin/bash 

Set User Password

$ passwd USERNAME 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

To get valid login shell list, check out /etc/shells file.

$ cat /etc/shells 
# /etc/shells: valid login shells
/bin/csh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/usr/bin/screen
/bin/sh
/bin/dash
/bin/false
/bin/bash
/bin/rbash


useradd Help Result

$ useradd --help 
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR	base directory for the new user account
				home directory
  -c, --comment COMMENT		set the GECOS field for the new user account
  -d, --home-dir HOME_DIR	home directory for the new user account
  -D, --defaults		print or save modified default useradd
				configuration
  -e, --expiredate EXPIRE_DATE	set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE	set password inactive after expiration
				to INACTIVE
  -g, --gid GROUP		force use GROUP for the new user account
  -G, --groups GROUPS		list of supplementary groups for the new
				user account
  -h, --help			display this help message and exit
  -k, --skel SKEL_DIR		specify an alternative skel directory
  -K, --key KEY=VALUE		overrides /etc/login.defs defaults
  -m, --create-home		create home directory for the new user
				account
  -o, --non-unique		allow create user with duplicate
				(non-unique) UID
  -p, --password PASSWORD	use encrypted password for the new user
				account
  -r, --system			create a system account
  -s, --shell SHELL		the login shell for the new user account
  -u, --uid UID			force use the UID for the new user account


Modify User

Change Home Directory

$ sudo usermod -d /userhome/path/ <username> 

usermod Help Result

$ usermod --help 
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account


Remove User

Essential

A simple way to remove the existing Linux user is using userdel command.

 $ userdel <username> 
# You probably need to use Sudo command.
$ sudo userdel <username> 

Also Remove Home Directory

$ userdel -r <username> 
$ userdel -r newuser 

userdel Help Result

$ userdel --help 
Usage: userdel [options] LOGIN

Options:
  -f, --force			force removal of files, even if not owned by user
  -h, --help			display this help message and exit
  -r, --remove			remove home directory and mail spool


Sudoer

Add User to sudo List

-To add a uer to sudo list, run the command below

$visudo 


-Add the username after root

# User privilege specification
root,username      ALL=(ALL) ALL

i -> edit -> ESC -> : -> wq


If sudo -s in new Ubuntu doesn't add user's HOME to the environment, add the following line to /etc/sudoers.

Defaults  env_keep += "HOME"

WARNING: This can be dangerous so please read https://askubuntu.com/a/1187000 first.

Disable root User ID

  • Do not forget to have at least one sudoer user before running this.
$ passwd -l root 

passwd Help Result

$ passwd --help 
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS


Root Login

If you need a persistent root login, use

$ sudo -i 

References

[RootSudo]


Kick Out User Logged in

How to

-Check the processes of the user whom you want to kick out, then kill the user's login shell (e.g. bash)

-To display all the processes belong to the user.

$ ps aux | grep ${USER} 

-To display only PIDs and processes belong to the user

$ ps aux | grep ${USER} | awk '{print $2 " " $11}' | sort -gr 

-To kill the process

$ sudo kill -s 9 <PID number> 


Example

# username is 'user'

$ ps aux | grep ${USER} 
root     19087  0.0  0.7  67964  2904 ?        Ss   13:32   0:00 sshd: user  [priv]
user     19089  0.0  0.4  67964  1724 ?        S    13:32   0:00 sshd: user@pts/0
user     19090  0.0  0.6  19336  2248 pts/0    Ss   13:32   0:00 -bash
user     19100  0.0  0.2  15056  1088 pts/0    R+   13:32   0:00 ps aux
user     19101  0.0  0.2   5160   828 pts/0    S+   13:32   0:00 grep user
$ ps aux | grep ${USER} | awk '{print $2 " " $11}' | sort -gr 
19105 sort
19104 awk
19103 grep
19102 ps
19090 -bash
19089 sshd:
19087 sshd:

-awk option.

#print the 2nd and the 11th columns
print $2 " " $11

(sort options
-g, --general-numeric-sort  compare according to general numerical value
-r, --reverse               reverse the result of comparisons)

-Kill the bash

$ sudo kill -s 9 19090 


To Kick out Another Login of Yours

$ who 
user    pts/0        2008-08-24 13:25 
user    pts/1        2008-08-24 12:50  <= to kick this out.
$ ps a 
  PID TTY      STAT   TIME COMMAND
 2552 tty1     Ss+    0:00 /sbin/getty 38400 tty1
18988 pts/1    Ss+    0:00 -bash
19044 pts/0    Ss     0:00 -bash
19078 pts/0    R+     0:00 ps a
$ kill -s 9 18988 
$ who 
user    pts/0        2008-08-24 13:25 
$ ps a 
  PID TTY      STAT   TIME COMMAND
 2552 tty1     Ss+    0:00 /sbin/getty 38400 tty1
19044 pts/0    Ss     0:00 -bash
19080 pts/0    R+     0:00 ps a
Personal tools