Linux Cookbook by Carla Schroder

Chapter 8. Managing Users and Groups

Introduction

On a Linux system, both human users and system processes have user accounts. Some system processes need user accounts to control privileges and access rights, just like human users.

Remember the most fundamental Linux security principles:

  1. Use the minimum necessary privileges to get the job done.

  2. Strong passwords work.

Following these two principles will prevent all sorts of aggravation and mishaps.

Linux has a collection of utilities for managing users and groups: useradd, groupadd, userdel, groupdel, usermod, groupmod, passwd, chfn, and chsh. These are part of the “Shadow Suite.”

The Shadow Suite was created by Julianne Frances Haugh to improve password security and to make user account management easier. In the olden days, all the relevant files had to be edited individually, and encrypted passwords were stored in /etc/passwd. But because /etc/passwd must remain world-readable, storing passwords in it, even if they’re encrypted, is asking for trouble. Anyone who copies it can then crack the passwords at their leisure. Relocating the encrypted passwords to /etc/shadow, which is accessible only by root, adds a useful layer of protection.

useradd behaves differently on different systems. Traditionally, it lumped all new users into the same login group, users (100). This meant that all home directories were wide open by default, because users all belonged to the same group. Red Hat changed this with their “User Private Group” scheme. Red ...
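As an added example (not code from the book), the shell functions below audit a passwd-format file for the two conditions described above: password hashes left in the world-readable file instead of /etc/shadow, and human accounts sharing one login group. The function names, the default minimum UID of 1000 for human accounts, and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the book. Findings, one per line:
#   EMPTY_PASSWORD <user>        no password needed to log in
#   HASH_IN_PASSWD <user>        hash sits in the world-readable file
#   SHARED_GID <gid> <users>     human accounts sharing one login group
# audit_passwd FILE [MIN_UID]; MIN_UID (default 1000) is an assumed cut-off
# between system and human accounts and varies by distribution.
audit_passwd() {
    awk -F: -v min_uid="${2:-1000}" '
        /^[ \t]*(#|$)/ || /^[+-]/ { next }   # comments, blanks, NIS compat lines
        NF != 7 { print "MALFORMED line " NR; next }
        {
            # "x" means the hash lives in /etc/shadow; "*" or "!" lock the account
            if ($2 == "")                         print "EMPTY_PASSWORD " $1
            else if ($2 != "x" && $2 !~ /^[*!]/)  print "HASH_IN_PASSWD " $1
            if ($3 + 0 >= min_uid) {
                if (!($4 in members)) order[++n] = $4
                members[$4] = (members[$4] == "" ? $1 : members[$4] "," $1)
                count[$4]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print "SHARED_GID " order[i] " " members[order[i]]
        }' "$1"
}

# Succeeds if FILE has the world-read bit set (it must not, for /etc/shadow).
shadow_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample in passwd(5) format; the hash is a dummy string.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$SAMPLE$ConstructedDummyHash00:1001:100:Legacy:/home/legacy:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
guest::1004:1004:Guest:/home/guest:/bin/bash
EOF
}

tmp=$(mktemp) && sample_passwd > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
if shadow_world_readable /etc/shadow; then echo "WORLD_READABLE /etc/shadow"; fi
```

To audit a live system, call `audit_passwd /etc/passwd`, passing a different second argument if the distribution starts human UIDs somewhere other than 1000.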
