
Which groups a user is in on Linux. How to add a user to a group (a secondary group) in Linux. Linux Group Management

Original: Linux Fundamentals
Author: Paul Cobbaut
Published date: October 16, 2014
Translation: A. Panin
Translation date: December 23, 2014

Chapter 29. User Groups

System user accounts can be combined within groups. The concept of user groups allows you to set access rights at the user group level instead of setting the same access rights for each individual user.

Every Unix or Linux distribution has a GUI tool for managing user groups, and users without much experience are advised to use it. More experienced users can manage groups with the command-line tools, but be careful: some distributions do not cope with the GUI and the command-line tools being used side by side (YaST on Novell's SUSE is one example). Experienced system administrators can also edit the corresponding files directly with the vi text editor or, preferably, with the vigr utility, which locks the file while it is being edited.

groupadd utility

User groups can be created using the groupadd utility. The example below shows how to create five groups (without adding any users to them).

    root@laika:~# groupadd tennis
    root@laika:~# groupadd football
    root@laika:~# groupadd snooker
    root@laika:~# groupadd formula1
    root@laika:~# groupadd salsa

group file

Users can belong to several groups. Group membership is defined in the /etc/group file.

    root@laika:~# tail -5 /etc/group
    tennis:x:1006:
    football:x:1007:
    snooker:x:1008:
    formula1:x:1009:
    salsa:x:1010:
    root@laika:~#

The first field of a group line is the group name. The second field holds the (hashed) group password; on current systems it is x, meaning the hash, if there is one, lives in /etc/gshadow, and an empty field means no password is required to join the group with newgrp. The third field is the group identifier (GID). The fourth field is the comma-separated list of members, empty here because nobody has been added yet. Note that this list only records supplementary membership: a user's primary group is given by the GID field of their /etc/passwd line and does not appear in /etc/group at all, so reading /etc/group alone under-reports who is in a group.

groups command

A user can run the groups command to list the groups they belong to.

    $ groups
    harry sports
    $

usermod utility

Supplementary groups can be given to a new account with useradd -G, and changed later with the usermod utility:

    root@laika:~# usermod -a -G tennis inge
    root@laika:~# usermod -a -G tennis katrien
    root@laika:~# usermod -a -G salsa katrien
    root@laika:~# usermod -a -G snooker sandra
    root@laika:~# usermod -a -G formula1 annelies
    root@laika:~# tail -5 /etc/group
    tennis:x:1006:inge,katrien
    football:x:1007:
    snooker:x:1008:sandra
    formula1:x:1009:annelies
    salsa:x:1010:katrien
    root@laika:~#

Use caution when adding users to groups with usermod. Without -a, the -G option replaces the user's whole list of supplementary groups: the user is silently removed from every group not named on the command line, including groups such as sudo or wheel that grant administrative rights. Always combine -G with -a (append) when the intent is to add a group.
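An added example (not part of Cobbaut's chapter): a small shell script that answers the same question as groups and id, but from explicit copies of the passwd and group files, so it can run against a mounted disk image or a backup as well as the live system, and that previews which groups a usermod -G without -a would silently remove. The user and group names and the file contents are constructed sample data, and primary_group, supplementary_groups and groups_dropped_by_usermod_G are names chosen here, not standard tools.

```sh
#!/bin/sh
# Added example: query group membership from passwd/group files and preview
# the effect of `usermod -G` (without -a). The two files are constructed
# sample data; omit the file arguments to read /etc/passwd and /etc/group.

PASSWD_SAMPLE=$(mktemp) ; GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
inge:x:1001:1001::/home/inge:/bin/bash
katrien:x:1002:1002::/home/katrien:/bin/bash
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:katrien
inge:x:1001:
katrien:x:1002:
tennis:x:1006:inge,katrien
football:x:1007:
salsa:x:1010:katrien
EOF

# primary_group USER [PASSWD] [GROUP]: the group named by USER's GID field
# in passwd. This membership is NOT listed in /etc/group.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "${2:-/etc/passwd}")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; exit }' "${3:-/etc/group}"
}

# supplementary_groups USER [GROUP]: every group whose member list (field 4)
# names USER, one per line, in file order.
supplementary_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "${2:-/etc/group}"
}

# groups_dropped_by_usermod_G USER NEWLIST [GROUP]: the supplementary groups
# that `usermod -G NEWLIST USER` (no -a) would remove USER from, because the
# option replaces the whole list instead of appending to it.
groups_dropped_by_usermod_G() {
    supplementary_groups "$1" "${3:-/etc/group}" | while read -r g; do
        case ",$2," in *",$g,"*) ;; *) echo "$g" ;; esac
    done
}

# Stand-alone demo on the sample files.
echo "katrien primary group:        $(primary_group katrien "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
echo "katrien supplementary groups: $(supplementary_groups katrien "$GROUP_SAMPLE" | xargs)"
echo "usermod -G tennis katrien would drop: $(groups_dropped_by_usermod_G katrien tennis "$GROUP_SAMPLE" | xargs)"
```

On the sample data the last line reports sudo and salsa: exactly the memberships a `usermod -G tennis katrien` typed without `-a` would take away.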

groupmod utility

You can rename a group with the groupmod utility; the GID and the member list are kept.

    root@laika:~# groupmod -n darts snooker
    root@laika:~# tail -5 /etc/group
    tennis:x:1006:inge,katrien
    football:x:1007:
    formula1:x:1009:annelies
    salsa:x:1010:katrien
    darts:x:1008:sandra

groupdel utility

You can permanently delete a group with the groupdel utility. It refuses to delete a group that is the primary group of an existing user; files owned by the deleted group keep its numeric GID.

    root@laika:~# groupdel tennis
    root@laika:~#

gpasswd utility

You can also delegate control over the membership of a particular group to another user with the gpasswd utility. In the example below we delegate the right to add and remove members of the sports group to serena. We then use su to become serena and add harry to the sports group on her behalf.

    # gpasswd -A serena sports
    # su - serena
    $ id harry
    uid=516(harry) gid=520(harry) groups=520(harry)
    $ gpasswd -a harry sports
    Adding user harry to group sports
    $ id harry
    uid=516(harry) gid=520(harry) groups=520(harry),522(sports)
    $ tail -1 /etc/group
    sports:x:522:serena,venus,harry
    $

Group administrators do not need to be members of the groups they administer. They can remove their own account from such a group without losing the ability to add or remove other users.

    $ gpasswd -d serena sports
    Removing user serena from group sports
    $ exit

Information about group administrators is stored in the /etc/gshadow file (fields: group name, password, administrators, members).

    # tail -1 /etc/gshadow
    sports:!:serena:venus,harry
    #

To remove all administrators from a group, call gpasswd with an empty administrator list:

    # gpasswd -A "" sports
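An added example, not from the original chapter: a script that reads the administrator and member fields gpasswd maintains in /etc/gshadow and flags two things worth reviewing on any host, groups that still have a usable password (anyone who knows it can join with newgrp, bypassing the administrator and member lists) and delegated administrators of groups that confer root-equivalent rights. The gshadow lines are constructed sample data with a placeholder hash; gshadow_admins, gshadow_members and gshadow_audit are names chosen here.

```sh
#!/bin/sh
# Added example: review the delegation data in /etc/gshadow.
# Field layout: group:password:administrators:members. Sample data below is
# constructed; omit the file argument to read /etc/gshadow (root only).

GSHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$GSHADOW_SAMPLE"' EXIT
cat >"$GSHADOW_SAMPLE" <<'EOF'
root:*::
sudo:*::katrien
disk:!:serena:
sports:!:serena:venus,harry
tennis:!:serena,venus:inge
staff:$6$saltsalt$notarealhashvalue::venus
EOF

# gshadow_admins GROUP [GSHADOW]: the administrators (field 3) of GROUP,
# space separated; empty output means nobody has been delegated.
gshadow_admins() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $3); print $3; exit }' "${2:-/etc/gshadow}"
}

# gshadow_members GROUP [GSHADOW]: field 4, the same list /etc/group carries.
gshadow_members() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4; exit }' "${2:-/etc/gshadow}"
}

# gshadow_audit [GSHADOW]: one finding per line.
#   password-set GROUP           field 2 holds something other than "", "!"
#                                or "*", i.e. a hash newgrp accepts from
#                                non-members
#   delegated-admin GROUP USERS  a gpasswd -A delegation on a group that
#                                grants root-equivalent power
gshadow_audit() {
    awk -F: '
        $2 != "" && $2 !~ /^[!*]/ { print "password-set " $1 }
        $3 != "" && $1 ~ /^(root|sudo|wheel|adm|disk|shadow)$/ {
            print "delegated-admin " $1 " " $3
        }
    ' "${1:-/etc/gshadow}"
}

echo "admins of sports: $(gshadow_admins sports "$GSHADOW_SAMPLE")"
echo "members of sports: $(gshadow_members sports "$GSHADOW_SAMPLE")"
echo "findings:"
gshadow_audit "$GSHADOW_SAMPLE"
```

The two findings on the sample data are the ones to act on: clear the staff password with gpasswd -r staff, and take the disk delegation away with gpasswd -A "" disk, since an administrator of disk can add anyone to a group that is as good as root.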

newgrp utility

You can start a child shell with a different, temporary primary group using the newgrp command; files created in that shell get the new group. A non-member is asked for the group password, if one is set.

    root@rhel65:~# mkdir prigroup
    root@rhel65:~# cd prigroup/
    root@rhel65:~/prigroup# touch standard.txt
    root@rhel65:~/prigroup# ls -l
    total 0
    -rw-r--r--. 1 root root 0 Apr 13 17:49 standard.txt
    root@rhel65:~/prigroup# echo $SHLVL
    1
    root@rhel65:~/prigroup# newgrp tennis
    root@rhel65:~/prigroup# echo $SHLVL
    2
    root@rhel65:~/prigroup# touch newgrp.txt
    root@rhel65:~/prigroup# ls -l
    total 0
    -rw-r--r--. 1 root tennis 0 Apr 13 17:49 newgrp.txt
    -rw-r--r--. 1 root root 0 Apr 13 17:49 standard.txt
    root@rhel65:~/prigroup# exit
    exit
    root@rhel65:~/prigroup#

vigr utility

By analogy with vipw, the vigr utility can be used to edit /etc/group by hand: it locks the file for the duration of the edit so that a concurrent groupadd or usermod cannot corrupt it, and it offers to edit /etc/gshadow afterwards. Editing these files with a plain text editor should be left to experienced administrators.

Practical task: user groups

Correct procedure for completing the practical task: user groups

1. Create the groups tennis, football and sports.

groupadd tennis; groupadd football; groupadd sports

2. Using one command, make the user venus a member of the tennis and sports groups.

usermod -a -G tennis,sports venus

3. Rename the group football to foot.

groupmod -n foot football

4. Use the vi text editor (via vigr) to add the user serena to the tennis group.

5. Use the id command to check that serena is a member of the tennis group.

id (serena must log out and back in before the new membership shows up in her sessions)

6. Make one of the users responsible for managing membership of the foot and sports groups. Check that the mechanism works.

gpasswd -A user foot (delegate administration of foot; repeat for sports), then, as that user, gpasswd -a member foot (add a member) and verify with id

Creating a new group on the system
A new group (referred to below simply as group) is created with the following command:

Adding a new user to the system
A new user, user, is added with the command:


The user is automatically placed in a private group with the same name as the user.
To add user to an existing group group, we write:

This command can add the user to several groups at once: list the group names separated by commas.

To create the user with a primary group whose name differs from the username, run:

useradd -g groupname user

This group becomes the user's primary group; it must already exist.

Setting a user password
The password of user is set with the command:


This command asks for the password twice. Never leave a user without a password: an empty password field means no password is asked at login.
Sometimes a user must be prevented from logging in, for example when the account only needs access to a network share. The proper way is passwd -l user (or usermod -L user), which locks the password by prefixing the hash with "!". The same effect is obtained by editing the file passwd with the following command:

In the password field, add an asterisk "*" in front of the hash itself (the file is described in more detail at the end of the article; on modern systems the hash is in /etc/shadow, so the asterisk goes there, via vipw -s). A value that is not a valid crypt(3) result can never match, so password logins fail while the account and its files stay intact. Save the changes and exit (in nano: Ctrl+X, then Y to confirm). For greater safety this file can be edited with the vipw command, which locks it and opens it in vi: to exit saving the changes run :wq, to exit without saving run :q, or :q! if changes were made.

User information files
The following information is provided for a better understanding of how users are created and fine-tuned. In most cases it is easier to edit users with the usermod command. You can learn more about this command by running

Usually, the above commands are sufficient to add and edit a user.
All information about system users and groups is stored in the following files:
- /etc/passwd contains the full list of users the system knows about. Each line describes one user and has seven fields separated by colons:
1. User login name;
2. Password field: on current systems the single character x, meaning the hash is kept in /etc/shadow (never leave this field blank, an empty field means no password is required);
3. User ID (UID);
4. Primary group ID (GID);
5. The GECOS field, where the user's full name, office and home phone numbers, place of work and so on can be recorded;
6. Path to the home directory;
7. Login shell.

- /etc/shadow holds the password hashes. It is readable only by the superuser (and, on some distributions, the shadow group). Each line corresponds to one user and contains nine colon-separated fields:
1. User login name;
2. Hashed user password (a "!" or "*", or a hash prefixed with "!", means the password is locked);
3. Date the password was last changed;
4. Minimum number of days between password changes;
5. Maximum number of days a password stays valid;
6. Number of days before expiry on which the user is warned;
7. Number of days after password expiry before the account is disabled (inactivity period);
8. Account expiration date;
9. A reserved field that is not used.
The date fields hold the number of days elapsed since January 1, 1970. The first two fields must be filled in!

- /etc/group contains the list of groups and the names of the users in each. As in the previous files, each line corresponds to one group and has four colon-separated fields:
1. Group name;
2. Hashed group password, or the character x indicating that /etc/gshadow is used (the password is what a non-member must enter to join the group with newgrp; "!" or "*" means no password is accepted);
3. Group ID (GID);
4. Comma-separated list of the group's supplementary members (users whose primary group this is are not listed here).
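As an added example (not from the original article), here is an audit over /etc/passwd and /etc/shadow that uses the field layout just described. It reports the conditions a reviewer checks first: a second account with UID 0, an empty password field (no password is asked at login), a passwd entry with x but no shadow line, an empty hash in shadow, duplicate UIDs, and accounts whose expiry date (shadow field 8, in days since January 1, 1970) has passed. Both files are constructed sample data with placeholder hashes; passwd_audit and days_since_epoch are names chosen here.

```sh
#!/bin/sh
# Added example: audit passwd/shadow for the classic account-level problems.
# Sample data below is constructed (the hashes are placeholders); omit the
# file arguments to audit the live files, which requires root for shadow.

PASSWD_SAMPLE=$(mktemp) ; SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/bash
guest::1500:1500::/home/guest:/bin/sh
test:x:1001:1001:Test Test:/home/test:/bin/sh
test123:x:1001:1001:Test Test:/home/test123:/bin/sh
old:x:1002:1002::/home/old:/bin/sh
ghost:x:1003:1003::/home/ghost:/bin/sh
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::
toor:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
test:!:19000:0:99999:7:::
test123:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::
old:$6$saltsalt$notarealhashvalue:18000:0:99999:7::18500:
EOF

# days_since_epoch: today in the unit the shadow date fields use.
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# passwd_audit [PASSWD] [SHADOW] [TODAY]: one finding per line, "kind name".
# TODAY defaults to the current day count; pass it explicitly for
# reproducible runs against saved copies.
passwd_audit() {
    awk -F: -v today="${3:-$(days_since_epoch)}" '
        FILENAME == ARGV[1] {            # first file: shadow
            hash[$1] = $2; expire[$1] = $8; next
        }
        {                                # second file: passwd
            if ($3 == 0 && $1 != "root")            print "uid0-account " $1
            if ($2 == "")                           print "empty-passwd-field " $1
            if ($2 == "x" && !($1 in hash))         print "no-shadow-entry " $1
            if (($1 in hash) && hash[$1] == "")     print "empty-shadow-hash " $1
            # shadow-utils treats an expiry of 0 or empty as "never expires"
            if (expire[$1] + 0 > 0 && expire[$1] + 0 <= today)
                                                    print "expired " $1
            if ($3 in seen) print "duplicate-uid " $3 " " seen[$3] "," $1
            else seen[$3] = $1
        }
    ' "${2:-/etc/shadow}" "${1:-/etc/passwd}"
}

echo "findings (as of day $(days_since_epoch)):"
passwd_audit "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

Locked accounts (hash "!" or "*") are deliberately not reported: that is the normal state of service accounts. An empty hash, by contrast, is accepted by PAM as "no password" unless nullok is disabled, which is why it is flagged together with an empty passwd field.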

There are times when it becomes necessary to find out which users are registered in the Linux operating system. This may be necessary to determine whether there are redundant users, or whether any specific user or a whole group of them needs to change their personal data.

People who regularly use this system can do this using a number of methods, but for beginners this is very problematic. Therefore, the instructions that will be described below will help an inexperienced user cope with the task. This can be done using the built-in terminal or a number of programs with a graphical interface.

Method 1: Programs

In Linux/Ubuntu, the users registered on the system can be managed through the settings provided by a dedicated program.

Unfortunately, the programs for the graphical desktop shell Gnome and Unity are different. However, they are both capable of providing a set of options and tools for checking and editing user groups in Linux distributions.

Accounts in Gnome

First open the system settings and select the section called "Accounts". Note that system accounts are not shown here. The list of registered users is in the panel on the left; on the right is the section for viewing and changing each user's settings.

The Users and Groups program in a distribution with the Gnome graphical shell is always installed by default, but if you do not find it on the system, you can automatically download and install it by running the command in "Terminal":

sudo apt-get install unity-control-center

KUser in KDE

For the KDE platform there is a utility which is somewhat more convenient to use. It is called KUser.

The program interface displays all registered users; if necessary, you can also see system users. This program can change user passwords, move them from one group to another, delete them if necessary, and the like.

As with Gnome, KDE comes with KUser installed by default, but can be uninstalled. To install the application, run the command in "Terminal":

sudo apt-get install kuser

Method 2: Terminal

This method works on most Linux-based distributions, because the system keeps a file in which every user is recorded. This file is located at:

Every entry in it has the following form:

  • the user's login name;
  • the password field (x, meaning the hash is stored elsewhere);
  • the user's unique identification number (UID);
  • the primary group ID (GID);
  • the GECOS comment field (full name and similar data);
  • the home directory;
  • the login shell.

For security reasons the password itself is not stored in this file on modern systems: the field holds only the placeholder x, and the hashes live in /etc/shadow, which only root can read.

Full list of users

You can print the file with the saved user data in the terminal by entering the following command:

Accounts whose UID is below UID_MIN from /etc/login.defs (1000 on most current distributions, 500 on older Red Hat releases) are system accounts, which should not be altered: they are created by the OS itself and by installed services so that each service can run under its own restricted identity.

Names in the user list

It is worth noting that this file may contain quite a lot of data that is not interesting to you. If you only need to know the names and basic information about users, you can filter the data in the document by entering the following command:

sed "s/:.*//" /etc/passwd
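An added example (not from the original article): a script that lists the accounts in a passwd file and separates system accounts from regular ones using UID_MIN from /etc/login.defs, the boundary useradd itself uses, rather than counting digits, and that marks system accounts still carrying an interactive login shell. The passwd lines and the login.defs excerpt are constructed sample data; uid_min, list_accounts and regular_users are names chosen here.

```sh
#!/bin/sh
# Added example: classify passwd entries as system/regular by UID_MIN and
# flag system accounts that can still log in interactively. Both files
# below are constructed; omit the arguments to read the live files.

PASSWD_SAMPLE=$(mktemp) ; LOGIN_DEFS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$LOGIN_DEFS_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
sergiy:x:1000:1000:Sergiy:/home/sergiy:/bin/bash
test123:x:1001:1001:Test Test:/home/test123:/bin/sh
EOF
cat >"$LOGIN_DEFS_SAMPLE" <<'EOF'
# constructed excerpt of /etc/login.defs
UID_MIN          1000
UID_MAX         60000
EOF

# uid_min [LOGIN_DEFS]: the lowest UID useradd gives to ordinary accounts;
# falls back to 1000 when the file is missing or has no UID_MIN line.
uid_min() {
    v=$(awk '$1 == "UID_MIN" { print $2; exit }' "${1:-/etc/login.defs}" 2>/dev/null) || v=
    echo "${v:-1000}"
}

# list_accounts [PASSWD] [LOGIN_DEFS]: "kind name uid shell" per line, with
# INTERACTIVE-SHELL appended to system accounts (other than root) whose
# shell is not nologin/false. An empty shell field means /bin/sh to login,
# so it counts as interactive. nobody (65534) is a system account despite
# its large UID.
list_accounts() {
    awk -F: -v min="$(uid_min "${2:-/etc/login.defs}")" '{
        kind = ($3 + 0 >= min + 0 && $3 + 0 != 65534) ? "regular" : "system"
        flag = ""
        if (kind == "system" && $1 != "root" && $7 !~ /(nologin|false)$/)
            flag = " INTERACTIVE-SHELL"
        print kind, $1, $3, ($7 == "" ? "/bin/sh" : $7) flag
    }' "${1:-/etc/passwd}"
}

# regular_users [PASSWD] [LOGIN_DEFS]: just the names, the short answer to
# "which users are registered on this system".
regular_users() { list_accounts "$@" | awk '$1 == "regular" { print $2 }'; }

list_accounts "$PASSWD_SAMPLE" "$LOGIN_DEFS_SAMPLE"
```

On the sample data only backup is flagged: a system account with /bin/sh is a foothold if its password is ever set or its key file is writable, and the fix is usermod -s /usr/sbin/nologin backup.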

View active users

In a Linux-based OS you can see not only the registered users but also those currently logged in, together with the process each is running. This is done by a utility invoked with the command:

It prints, for every logged-in session, the command the user is currently running; a user with two or more sessions appears once per session.

Browsing history

If necessary, you can analyse user activity and find out the dates of their recent logins. This uses the /var/log/wtmp log and is invoked by entering the following command:

Last activity date

In addition, you can find out when each registered user last logged in; this is done by the lastlog command, which reads /var/log/lastlog:

This output also lists the users who have never logged in.

Conclusion

As you can see, the terminal provides more detailed information about each user: it lets you find out who logged in and when, determine whether unauthorized people have used the system, and much more. For the average user a GUI program may be more comfortable, as it avoids having to learn the Linux commands.

It’s quite easy to view the list of users; the main thing is to understand on what basis this operating system function works and for what purposes it is used.

The basis for the distribution of access rights in the Linux operating system lies on the concept of user. The user who owns the file is given certain permissions to work with it, namely to read, write and execute. Read, write, and execute permissions are also set separately for all other users. Since everything in Linux is a file, such a system allows you to regulate access to any action in this operating system by setting file access rights. But even when creating Linux, the developers realized that this was clearly not enough.

That's why user groups were invented. Users can unite into groups in order to grant the groups the necessary permissions to access certain files, and, accordingly, actions. In this article we will look at user groups in Linux, look at why they are needed, how to add a user to a group and manage groups.

As mentioned, groups appeared at the very beginning of the development of this operating system, to extend what permissions can express. Consider a small example: an organization with a single computer, administrators and ordinary users, each with their own account. Administrators may configure the system, but ordinary users should not be given free rein, so that nothing gets broken. So the administrators are collected in an admin group which is given access to the hardware, in effect to the device files in /dev, and the users are collected in a users group which is allowed to read and write files in a shared directory through which they exchange their work. We could assign rights to each user separately, allowing them access to this or that file, but that is far too inconvenient, which is why groups were invented. You might object that a handful of people is still manageable by hand. Now imagine that the users are processes. This is where groups really shine: they are used not so much to grant access to people as to control the rights of programs, especially their access to hardware. Separate groups are created for services and for the account under which each runs; a service can be a member of several groups, which gives it access to specific resources.

Now let's look at how to view Linux groups.

Groups in Linux

All groups created on the system are located in the /etc/group file. By looking at the contents of this file, you can find out the list of Linux groups that are already on your system. And you will be surprised.

In addition to the standard root and users, there are a couple of dozen more groups here. These are groups created by programs to control those programs' access to shared resources. Each group allows reading or writing a specific file or directory on the system, thereby regulating the permissions of the user, and therefore the process running as that user. Here we can consider that a user is the same as a process, because the process has all the rights of the user from which it is launched.

Let's take a closer look at each of the groups to better understand why they are needed:

  • daemon - services that need to write files to disk run under this group and the daemon user
  • sys - gives access to the kernel sources and include files stored on the system
  • sync - allows running the /bin/sync command
  • games - allows games to write their settings and high-score files to a specific directory
  • man - allows adding pages to the /var/cache/man directory
  • lp - allows use of the printer devices (/dev/lp*, historically the parallel port)
  • mail - allows writing to the mailboxes in /var/mail/
  • proxy - used by proxy servers; no right to write files to disk
  • www-data - the web server runs under this group; it gives write access to /var/www, where the web documents are located
  • list - allows viewing the messages in /var/mail
  • nogroup - used for processes that must not create files, only read them; usually paired with the nobody user
  • adm - allows reading the logs in /var/log
  • tty - gives users in this group read and write access to the terminal devices (/dev/tty*, /dev/vcs*)
  • disk - opens raw access to the disks /dev/sd* and /dev/hd*; this is effectively root access, since a member can read or rewrite any file system, including /etc/shadow
  • dialout - full access to the serial ports
  • cdrom - access to the CD-ROM
  • wheel - allows running sudo (or su) to escalate privileges on Red Hat-style systems; Debian and Ubuntu use the sudo group for this
  • audio - access to the sound devices
  • src - full access to the sources in the /usr/src/ directory
  • shadow - allows reading the /etc/shadow file, and with it offline password cracking
  • utmp - allows writing to /var/run/utmp and /var/log/wtmp
  • video - access to the video and capture devices
  • plugdev - allows mounting removable USB, CD and similar devices through the desktop
  • staff - allows writing to /usr/local

Now that you know why you use groups in Linux and what they are by default, let's look at managing LInux groups.

Linux Group Management

You can also manage groups using the graphical interface. KDE has a program called Kuser specifically designed for this, and in Gnome it is done using the system settings. In addition, popular distributions have separate tools, such as YaST in OpenSUSE or Ubuntu Settings. But I think you'll figure it out with the graphical interface. And we will look at managing Linux groups through the terminal. First, let's deal with the files, and only then with the users.

When a file is created, it receives the primary group of the user who created it (the one exception is a directory with the setgid bit set, whose group is inherited by new files in it). It looks like this:

Here you can see that the owner of all the folders is sergiy and the group is also sergiy. That is correct, since they were created by that user. Let's go further:

Here we see that the disk devices sd* belong to the disk group, which means that a user in that group can access them directly. Or another example:

Everything is as discussed in the previous paragraph. These groups are not only set by the system; you can change a file's group yourself with the chgrp command (as the file's owner you may only assign a group you belong to; root may assign any):

chgrp group_name file_name

For example, let's create a file test:

And change its group:

If you want to create a Linux group, use the groupadd command (newgrp, covered below, only switches to a group that already exists):

sudo groupadd test

The situation with users is a little more complicated. A user has a primary group, set at creation, and zero or more supplementary groups. The primary group is the one new files created by the user receive, and it is recorded in /etc/passwd rather than in /etc/group. Changing it with usermod -g also re-assigns to the new group those files in the user's home directory that belonged to the old primary group. Supplementary groups are what lets us grant a user access to different resources by adding the user to the corresponding groups.
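An added example, not from the original article, that can be run as any user: it shows the group a new file receives in an ordinary directory (the creator's primary group) and in a directory with the setgid bit (the directory's group), which is the usual way to make a shared project directory hand out a common group regardless of who creates the files. file_group, a_group_of_mine, new_file_group, plain_dir_demo and setgid_dir_demo are names chosen here; the script picks one of the current user's own groups with id -Gn, since chgrp only accepts a group you belong to unless you are root.

```sh
#!/bin/sh
# Added example: which group a newly created file gets, and the setgid
# directory exception. Works in temporary directories without root.

# file_group PATH: the group shown in the `ls -l` group column.
file_group() { ls -ld "$1" | awk '{ print $4 }'; }

# a_group_of_mine: the last group `id -Gn` lists for the current user (on a
# single-group account this is simply the primary group).
a_group_of_mine() { id -Gn | awk '{ print $NF }'; }

# new_file_group DIR: create a file in DIR, report its group, remove it.
new_file_group() {
    f=$(mktemp "$1/probe.XXXXXX") || return 1
    file_group "$f"
    rm -f "$f"
}

# plain_dir_demo: in an ordinary directory the file gets the primary group.
plain_dir_demo() {
    d=$(mktemp -d) || return 1
    new_file_group "$d"
    rm -rf "$d"
}

# setgid_dir_demo: chgrp the directory to one of our groups and set g+s;
# files created inside now carry that group regardless of the creator's
# primary group, as in a shared project directory (chmod 2775 project/).
setgid_dir_demo() {
    d=$(mktemp -d) || return 1
    chgrp "$(a_group_of_mine)" "$d" && chmod g+s "$d" || { rm -rf "$d"; return 1; }
    new_file_group "$d"
    rm -rf "$d"
}

echo "primary group:                 $(id -gn)"
echo "file in a plain directory:     $(plain_dir_demo)"
echo "file in a setgid directory:    $(setgid_dir_demo) (directory group: $(a_group_of_mine))"
```

When the account has only one group, both lines print the same name, which is still the correct result; add the user to a second group and rerun to see the two differ.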

Group management for a user is done with the usermod command. Its syntax and the relevant options:

usermod [options] username

  • -G - the list of supplementary groups the user should be in (comma separated)
  • -a - append: used together with -G so that the listed groups are added to the existing ones instead of replacing them
  • -g - change the user's primary group

There is no usermod option for removing a user from a single group (-R is unrelated: it applies the change inside a chroot directory). To remove a membership, use gpasswd -d username group_name, or deluser username group_name on Debian-based systems, or pass the complete remaining list with -G.

You can add a user to a group with the usermod command:

sudo usermod -aG group_name username

You can join a group temporarily with the newgrp command, which opens a new shell in which that group is the primary group; when the shell is closed everything returns to how it was. No sudo is needed: the user must already be a member, or must know the group password if one is set:

newgrp group_name

As an example, the article adds its user to the disk group, intending to access the hard drives directly without sudo:

sudo usermod -aG disk sergiy

Two caveats before copying this. First, disk membership does not allow mounting without sudo: mount needs root (or an /etc/fstab entry with the user option) regardless of the device permissions, so the following still fails as an unprivileged user:

mount /dev/sda1 /mnt

Second, what disk membership does grant is raw read and write access to /dev/sd*, with which a member can read every file on the system (including /etc/shadow) or alter it; it is equivalent to giving the user root. Use it only where that is acceptable.

You can list the groups a user belongs to with the command:

You can also use the id command. In the first case we simply see the list of groups; in the second the group and user IDs are shown as well. To change a user's primary group, use usermod -g.

Earlier I touched on user membership in groups and on the fact that users and groups have their own UID and GID. Today I would like to systematize what I know about the local user database on Linux, how users are managed and which files are responsible for user management.

Linux is a multi-user operating system. Every user in Linux belongs to one primary group and zero or more supplementary groups. In Linux, as in most other operating systems, working with users consists of the following operations: adding a user or group, deleting a user or group, and modifying user or group settings. These are performed with the commands useradd, groupadd, userdel, groupdel, usermod and groupmod, plus passwd, gpasswd and id. There are also graphical user administration tools, usually found in the desktop environment under Administration - Users and Groups.

Features of user management in Linux

Example of adding a user using a shell:

    user-add-server:~# groupadd test
    user-add-server:~# useradd -c "Test Test" -g test -m test
    user-add-server:~# passwd test
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    user-add-server:~# id test
    uid=1001(test) gid=1001(test) groups=1001(test)
    user-add-server:~# ls -ld /home/test/
    drwxr-xr-x 2 test test 4096 Dec 16 10:24 /home/test/
    user-add-server:~#

In the example we add a group for the new user (groupadd), then create the user with full name Test Test, primary group test and login test, then set a password for the user (passwd test) and check the parameters of the created user (id, and the home directory /home/test/). The listing shows that the UID and GID are at or above 1000, which marks a regular user. Values below 1000 (below 500 on some older distributions) indicate a system user.

By convention, statically allocated system accounts have IDs below 100, and the root user has ID 0. Automatic numbering of regular users starts at UID_MIN, set in /etc/login.defs, usually 500 or 1000.

Besides regular user accounts and user account root, there are usually several in the system special purpose accounts for daemons such as FTP, SSH, mail, news, etc. These accounts often manage files, but cannot be accessed through regular login. Therefore they usually have login shell, defined as /sbin/nologin or /bin/false so that attempts to register with the system will fail.

On some systems the user-creation command has extended behaviour. For example, useradd on Fedora and Red Hat creates a new private group for each new user by default; to disable this, use the -N option (-n on older releases). Consult the distribution's documentation for such details.

When a user is deleted with plain userdel, the home directory is not removed (userdel -r removes it together with the mail spool). This can lead to an interesting situation:

    user-add-server:~# userdel test
    user-add-server:~# groupdel test
    user-add-server:~# ls -ld /home/test/
    drwxr-xr-x 2 1001 1001 4096 Dec 16 10:24 /home/test/
    user-add-server:~# groupadd test123
    user-add-server:~# useradd -c "Test Test" -g test123 -m test123
    user-add-server:~# ls -ldn /home/test*
    drwxr-xr-x 2 1001 1001 4096 Dec 16 14:30 /home/test
    drwxr-xr-x 2 1001 1001 4096 Dec 16 14:29 /home/test123
    user-add-server:~# ls -ld /home/test*
    drwxr-xr-x 2 test123 test123 4096 Dec 16 10:24 /home/test
    drwxr-xr-x 2 test123 test123 4096 Dec 16 14:25 /home/test123
    user-add-server:~# passwd test123
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    user-add-server:~# su -l test123
    test123@user-add-server:~$ pwd
    /home/test123
    test123@user-add-server:~$ ls /home/
    mc-sim  test  test123
    test123@user-add-server:~$ cd /home/mc-sim/
    test123@user-add-server:/home/mc-sim$ ls -la
    total 24
    drwxr-xr-x 2 mc-sim mc-sim 4096 Nov 15 12:31 .
    drwxr-xr-x 6 root   root   4096 Dec 16 14:25 ..
    -rw------- 1 mc-sim mc-sim   99 Nov 15 13:45 .bash_history
    -rw-r--r-- 1 mc-sim mc-sim  220 Oct  1 17:42 .bash_logout
    -rw-r--r-- 1 mc-sim mc-sim 3116 Oct  1 17:42 .bashrc
    -rw-r--r-- 1 mc-sim mc-sim  675 Oct  1 17:42 .profile
    test123@user-add-server:/home/mc-sim$ rm /home/mc-sim/.bash_logout
    rm: remove write-protected regular file `/home/mc-sim/.bash_logout'? y
    rm: cannot remove `/home/mc-sim/.bash_logout': Permission denied
    test123@user-add-server:/home/mc-sim$ rm /home/test/.bashrc
    test123@user-add-server:/home/mc-sim$

In the example above we delete the user and group test created earlier. The user's directory is left untouched, and as the listing shows its permissions now refer to the bare numeric ID 1001. Next we create a new user and group with a different name, test123, and it receives the UID and GID of the previously existing user test. Listing the directories /home/test* with -n and without it shows what happened: the directory of the old user test is now owned by test123, as the entries drwxr-xr-x test123 test123 tell us. Logging in as test123, we check the rights in /home/test by deleting a file there (which succeeds), and also try to delete a file in the directory of a third user, mc-sim (which is refused). This illustrates that in Linux everything is tied to the numeric identifiers, not the names: a reused UID inherits every file the old account left behind.
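An added example (not from the original article) for catching the situation above before a new account inherits an old one's files. orphaned_files lists paths whose owner UID no longer has a passwd entry (what GNU find's -nouser reports, but runnable against a saved listing from a backup or image), and uid_owns_files checks whether a UID you are about to hand to a new account, with useradd -u or by letting useradd recycle it, already owns anything. The listing format is what find /home -printf '%U %p\n' prints on GNU find; the passwd lines and the listing are constructed sample data, and the function names are chosen here.

```sh
#!/bin/sh
# Added example: find files left behind by deleted accounts, and check a UID
# for existing owners before assigning it. The passwd lines and the listing
# below are constructed; on a live system produce the listing with
#   find /home -xdev -printf '%U %p\n' > listing

PASSWD_SAMPLE=$(mktemp) ; LISTING_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$LISTING_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mc-sim:x:1000:1000::/home/mc-sim:/bin/bash
EOF
cat >"$LISTING_SAMPLE" <<'EOF'
0 /home
1000 /home/mc-sim
1000 /home/mc-sim/.bash_logout
1001 /home/test
1001 /home/test/.bashrc
1001 /home/test/My Documents
EOF

# orphaned_files PASSWD LISTING: "uid path" for every path whose UID has no
# passwd entry. Paths may contain spaces; only the first space separates.
orphaned_files() {
    awk -F: '
        FILENAME == ARGV[1] { known[$3] = $1; next }
        {
            i = index($0, " ")
            uid = substr($0, 1, i - 1); path = substr($0, i + 1)
            if (!(uid in known)) print uid, path
        }
    ' "$1" "$2"
}

# uid_owns_files UID LISTING: succeed (exit 0) if any path is owned by UID.
uid_owns_files() {
    awk -v u="$1" 'index($0, u " ") == 1 { found = 1; exit } END { exit !found }' "$2"
}

echo "orphaned paths:"
orphaned_files "$PASSWD_SAMPLE" "$LISTING_SAMPLE"
for uid in 1001 1002; do
    if uid_owns_files "$uid" "$LISTING_SAMPLE"; then
        echo "UID $uid already owns files: a new account with this UID would inherit them"
    else
        echo "UID $uid owns nothing in the listing"
    fi
done
```

The remediation is a chown to the intended owner, or removal, of the orphaned paths before the next useradd, so that the recycled UID starts clean.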

Managing user and group databases in Linux

The main files containing information about users and groups are four files in the directory /etc.

/etc/passwd

password file containing basic information about users

/etc/shadow

shadow encrypted password file containing encrypted passwords

/etc/group

groups file containing basic information about groups and users belonging to these groups

/etc/gshadow

shadow groups file containing encrypted group passwords

It is strongly recommended not to edit these files with a regular text editor. They are updated when the commands above run, which lock them during the change and keep them consistent with each other.

If you nevertheless need to edit them, the vipw command lets you safely edit /etc/passwd and the vigr command /etc/group (vipw -s and vigr -s open /etc/shadow and /etc/gshadow). These commands lock the necessary files while changes are made. If you change /etc/passwd, vipw will ask whether /etc/shadow needs updating too; similarly, after editing /etc/group with vigr you will be prompted to update /etc/gshadow. To remove the administrators of a group, gpasswd -A with an empty list (gpasswd -A "" group) suffices, so vigr is not needed for that.

Note that on modern systems the passwd and group files do not store passwords, and that is for security reasons: the passwd and group files themselves must be readable by everyone, whereas the password hashes should be readable by nobody. The hashes are therefore stored in the shadow files, which only the root user can read. The access needed for changing one's own password is provided by the set-uid root passwd program, which any user can run but which operates with root privileges.

File /etc/passwd

    user-add-server:~# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
    test123:x:1001:1001:Test Test:/home/test123:/bin/sh

The /etc/passwd file contains one line per user on the system. Each line has seven fields separated by colons (:); the fields, using the root user's line as an example:

    field              value   description
    username           root    the name used to log in
    password           x       password field (x: the hash is kept in /etc/shadow)
    user id (UID)      0       user identifier
    group id (GID)     0       primary group identifier