Linux-Notes

Published: Tue 03 March 2020


Linux notes

This note will be updated from time to time, as I am currently self-studying for the RHEL RHCSA certification. The notes should be clear to understand; if you do not understand something, contact me.

Users & Groups

/etc/passwd

The password file (passwd for short) holds one line of account information for every user on the system. Following is the output of /etc/passwd.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
vgnshlvnz:x:1000:1000:vigneshwaran ravichandran,,,:/home/vgnshlvnz:/bin/bash
nvidia-persistenced:x:122:128:NVIDIA Persistence Daemon,,,:/nonexistent:/sbin/nologin

The entries are delimited by colons. The first field is the username, root for example. The following x indicates that the password hash is stored in /etc/shadow rather than here. Next is the user ID, which is 0 for root, the superuser of any Linux or Unix operating system. The following field is also 0 for root and is the primary group ID; it is followed by the real name (GECOS field) of the user. The next column is the home directory, /root, and the last is the login shell that will be available to the user. Service accounts in the listing are given /usr/sbin/nologin or /bin/false as their shell so that they cannot log in interactively.

/etc/shadow

The shadow file contains the password hashes of the users listed in /etc/passwd, together with password-aging information for each account. Unlike /etc/passwd it is readable only by root. Following is an output of /etc/shadow.

root:!:18206:0:99999:7:::
daemon:*:18113:0:99999:7:::
bin:*:18113:0:99999:7:::
sys:*:18113:0:99999:7:::
sync:*:18113:0:99999:7:::
games:*:18113:0:99999:7:::
man:*:18113:0:99999:7:::
lp:*:18113:0:99999:7:::
mail:*:18113:0:99999:7:::
news:*:18113:0:99999:7:::
uucp:*:18113:0:99999:7:::
proxy:*:18113:0:99999:7:::
www-data:*:18113:0:99999:7:::
backup:*:18113:0:99999:7:::
list:*:18113:0:99999:7:::
irc:*:18113:0:99999:7:::
gnats:*:18113:0:99999:7:::
nobody:*:18113:0:99999:7:::
systemd-network:*:18113:0:99999:7:::
systemd-resolve:*:18113:0:99999:7:::
syslog:*:18113:0:99999:7:::
messagebus:*:18113:0:99999:7:::
_apt:*:18113:0:99999:7:::
uuidd:*:18113:0:99999:7:::
avahi-autoipd:*:18113:0:99999:7:::
usbmux:*:18113:0:99999:7:::
dnsmasq:*:18113:0:99999:7:::
rtkit:*:18113:0:99999:7:::
cups-pk-helper:*:18113:0:99999:7:::
speech-dispatcher:!:18113:0:99999:7:::
whoopsie:*:18113:0:99999:7:::
kernoops:*:18113:0:99999:7:::
saned:*:18113:0:99999:7:::
pulse:*:18113:0:99999:7:::
avahi:*:18113:0:99999:7:::
colord:*:18113:0:99999:7:::
hplip:*:18113:0:99999:7:::
geoclue:*:18113:0:99999:7:::
gnome-initial-setup:*:18113:0:99999:7:::
gdm:*:18113:0:99999:7:::
vgnshlvnz:$6$Ix4rSZSn$AowKU3/ItWXnRuJBgmRmugTrOZVzB5rjXiF1wJuENRWDpvmJw7SROtXED0:18206:0:99999:7:::
nvidia-persistenced:*:18246:0:99999:7:::

For example, user vgnshlvnz has a cryptographic hash of the password (the $6$ prefix denotes the SHA-512 crypt scheme), followed by the aging fields: the day of the last password change (counted in days since 1 January 1970), the minimum and maximum number of days between changes, and the number of days of warning before expiry. A ! or * in the hash field means the account has no usable password and cannot log in with one.

/etc/group

The group file contains information about groups present in the system. Following is an output of /etc/group.

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,vgnshlvnz
tty:x:5:
voice:x:22:
cdrom:x:24:vgnshlvnz
floppy:x:25:
tape:x:26:
sudo:x:27:vgnshlvnz
audio:x:29:pulse
dip:x:30:vgnshlvnz
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:vgnshlvnz
staff:x:50:
games:x:60:
vgnshlvnz:x:1000:
sambashare:x:126:vgnshlvnz
vboxusers:x:127:
nvidia-persistenced:x:128:

Take the root and sambashare groups. The x indicates there is no password in /etc/shadow for this group. The next field is the group ID, 126 for sambashare. The last column lists the members of the group; these are supplementary members only, so a user whose primary group this is (vgnshlvnz in group 1000, for instance) does not appear there.
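The three files above are the first thing to review when auditing who can log in to a host. The following script is an added example (not from the original notes): it parses the passwd, shadow and group formats described above and reports the findings a review should flag, such as a second UID 0 account, an empty password hash, or membership of sudo/adm. The SAMPLE_* strings are constructed to mirror the layouts shown above, and the hash values are placeholders; on a real host read /etc/passwd, /etc/shadow (as root) and /etc/group instead.

```python
"""Audit passwd/shadow/group entries for settings a security review should flag.

Added example, not part of the original notes.  The SAMPLE_* strings are
constructed to mirror the file layouts shown above; on a real host read
/etc/passwd, /etc/shadow (root only) and /etc/group with open() instead.
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
ShadowEntry = namedtuple("ShadowEntry", "name hash lastchg minage maxage warn")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# Groups whose membership grants administrative rights (sudo/wheel) or log access (adm).
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm"}

# Constructed sample data; "admin2" and "svc" are deliberately bad entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vgnshlvnz:x:1000:1000:vigneshwaran ravichandran,,,:/home/vgnshlvnz:/bin/bash
admin2:x:0:0:second uid 0 account:/home/admin2:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:18206:0:99999:7:::
daemon:*:18113:0:99999:7:::
vgnshlvnz:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18206:0:99999:7:::
admin2:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18206:0:99999:7:::
svc::18206:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,vgnshlvnz
sudo:x:27:vgnshlvnz,svc
vgnshlvnz:x:1000:
"""


def _fields(text, count, label):
    """Split colon-delimited lines, skipping blanks and comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != count:
            raise ValueError(f"malformed {label} line: {line!r}")
        yield f


def parse_passwd(text):
    return [PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _fields(text, 7, "passwd")]


def parse_shadow(text):
    # Fields 7-9 (inactive, expire, reserved) are usually empty and are ignored here.
    return [ShadowEntry(f[0], f[1], int(f[2] or 0), int(f[3] or 0), int(f[4] or 0), int(f[5] or 0))
            for f in _fields(text, 9, "shadow")]


def parse_group(text):
    return [GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m])
            for f in _fields(text, 4, "group")]


def hash_is_usable(h):
    """True when the shadow hash field can authenticate a password login."""
    return h != "" and not h.startswith(("!", "*"))


def audit(passwd, shadow, groups):
    """Return sorted (finding, subject, detail) tuples."""
    findings = set()
    shadow_by_name = {s.name: s for s in shadow}
    for p in passwd:
        if p.uid == 0 and p.name != "root":
            findings.add(("extra-uid0", p.name, p.shell))
        if p.passwd != "x":
            findings.add(("hash-not-in-shadow", p.name, p.passwd))
        s = shadow_by_name.get(p.name)
        if s is None:
            findings.add(("missing-shadow-entry", p.name, ""))
            continue
        if s.hash == "":
            # With pam_unix "nullok" (seen in the PAM excerpt later in these notes)
            # such an account can log in without any password.
            findings.add(("empty-password", p.name, p.shell))
        if s.maxage >= 99999 and hash_is_usable(s.hash):
            findings.add(("password-never-expires", p.name, str(s.maxage)))
    for g in groups:
        if g.name in PRIVILEGED_GROUPS:
            for m in g.members:
                findings.add(("privileged-group-member", m, g.name))
    return sorted(findings)


def login_capable(passwd, shadow):
    """Accounts that have both an interactive shell and a usable password hash."""
    usable = {s.name for s in shadow if hash_is_usable(s.hash)}
    return sorted(p.name for p in passwd if p.shell not in NOLOGIN_SHELLS and p.name in usable)


FINDINGS = audit(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW), parse_group(SAMPLE_GROUP))
LOGIN_CAPABLE = login_capable(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW))

if __name__ == "__main__":
    for finding in FINDINGS:
        print(*finding)
    print("login-capable:", ", ".join(LOGIN_CAPABLE))
```

On the sample data the script flags admin2 as a second UID 0 account, svc as having an empty password and sitting in the sudo group, and lists admin2 and vgnshlvnz as the accounts that can actually log in with a password. The "password-never-expires" finding ties back to the PASS_MAX_DAYS value discussed under Password Policy.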

Creating & Modifying Users

Create User

In a GNU/Linux operating system, you can add users with the useradd command. The following command is an example of user account creation, with an explanation.

  • useradd -s /bin/bash -d /home/<username> -m <username>

The first parameter, -s or --shell, assigns a login shell to the user you want to create. The next parameter, -d or --home-dir, specifies the location of the user's home directory, in this case under /home. The last parameter, -m or --create-home, actually creates that home directory for the specified user. For more information, just type useradd or man useradd; you will find many other parameters you can pass to the binary/program/tool.

Modify User

Assuming a user account has been created, we need to assign a password to it. Typing passwd <username> prompts for the new password and a confirmation. Since the account was created without a real name, you can use the usermod command to modify its values: for example, usermod -c "<comment>" <username> sets a new GECOS (comment) value for the user you specify. Likewise, if you have created an account and need to add the user to another group, usermod -a -G <group_name> <username> will achieve that. The -a parameter tells usermod to append the group given with -G to the user's existing supplementary groups rather than replacing them.

Deleting Users

To delete a user from the Linux system, use the userdel command. The syntax is userdel <username>. Take note that this only removes the user and the relevant entries in /etc/passwd, /etc/shadow and /etc/group; the home directory is left in place. To remove the home directory as well, pass the -r parameter, so the command becomes userdel -r <username>.

Password Policy

There are two files that define the password policy of a Linux system: /etc/login.defs and /etc/pam.d/system-auth.

/etc/login.defs

In this file you can define password-aging policies, such as the number of days a password remains valid before it must be changed, and the minimum password length. Following is an excerpt of /etc/login.defs.

# Password aging controls:
#
#  PASS_MAX_DAYS   Maximum number of days a password may be used.
#  PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#  PASS_MIN_LEN    Minimum acceptable password length.
#  PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

In the excerpt above, PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN and PASS_WARN_AGE are each set to a value, which you can change accordingly. For instance, if you would like a policy where a password may be used for at most 180 days and must be kept for at least 14 days before it can be changed again, change the first two values.
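One caveat a practitioner will want: the aging values in login.defs are copied into /etc/shadow by useradd at account-creation time, so tightening them does not change accounts that already exist. The following added example (not from the original notes) parses the PASS_* settings out of a login.defs excerpt and compares them with the aging fields each existing account carries in /etc/shadow, producing the chage commands that would bring them in line. The sample text is constructed and the policy values are the 180/14 example above; PASS_MIN_LEN is parsed but not enforced here, because on PAM-based systems the length requirement is applied by pam_pwquality, as described in the next section.

```python
"""Compare login.defs password-aging settings with existing /etc/shadow entries.

Added example, not from the original notes.  login.defs only affects accounts
created after it is edited; existing accounts keep the min/max days recorded
in /etc/shadow, which must be updated separately with chage.
"""
import re

# Constructed excerpt using the 180/14 policy discussed above.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls:
PASS_MAX_DAYS   180
PASS_MIN_DAYS   14
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed shadow lines (hash values are placeholders).  "newhire" was
# created after the policy change, "vgnshlvnz" before it.
SAMPLE_SHADOW = """\
root:!:18206:0:99999:7:::
vgnshlvnz:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18206:0:99999:7:::
newhire:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18400:14:180:7:::
svc:*:18113:0:99999:7:::
"""

_KEY_RE = re.compile(r"^(PASS_(?:MAX_DAYS|MIN_DAYS|MIN_LEN|WARN_AGE))\s+(\d+)\s*$")


def parse_login_defs(text):
    """Return the PASS_* aging settings as a dict of ints; comments are skipped."""
    policy = {}
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if m:
            policy[m.group(1)] = int(m.group(2))
    return policy


def aging_mismatches(shadow_text, policy):
    """Accounts with a usable password whose shadow aging is looser than policy.

    Returns a sorted list of (user, field, actual, expected) tuples.
    """
    out = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        user, pw_hash = f[0], f[1]
        minage, maxage = int(f[3] or 0), int(f[4] or 99999)
        if pw_hash.startswith(("!", "*")):
            continue  # locked accounts cannot log in with a password at all
        if maxage > policy["PASS_MAX_DAYS"]:
            out.append((user, "max", maxage, policy["PASS_MAX_DAYS"]))
        if minage < policy["PASS_MIN_DAYS"]:
            out.append((user, "min", minage, policy["PASS_MIN_DAYS"]))
    return sorted(out)


def chage_commands(mismatches):
    """The chage invocations that would fix each mismatch (returned, not executed)."""
    flag = {"max": "-M", "min": "-m"}
    return [f"chage {flag[field]} {expected} {user}"
            for user, field, _actual, expected in mismatches]


POLICY = parse_login_defs(SAMPLE_LOGIN_DEFS)
MISMATCHES = aging_mismatches(SAMPLE_SHADOW, POLICY)

if __name__ == "__main__":
    for user, field, actual, expected in MISMATCHES:
        print(f"{user}: {field} days is {actual}, policy says {expected}")
    for cmd in chage_commands(MISMATCHES):
        print(cmd)
```

Run against the sample, only vgnshlvnz is reported (99999 maximum days and 0 minimum days against the 180/14 policy), while newhire, created after the policy change, already matches it.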

/etc/pam.d/system-auth

In this file you can define requirements such as the character classes a new password must contain (special characters, lowercase and uppercase letters, and so on). Following is an excerpt of the /etc/pam.d/system-auth file.

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

You need to change this line,

password requisite pam_pwquality.so try_first_pass local_users_only

to enforce things like the number of retries, the minimum password length, and required uppercase, lowercase, numeric and other characters, as defined below.

password requisite pam_pwquality.so try_first_pass retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4

The number of retries is set to 3, the minimum length to 12 characters, and the -1 values for lowercase, uppercase, digits and other characters mean that at least one character of each class is required; difok=4 governs how much the new password must differ from the previous one [1].
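To see what those options actually accept and reject, here is an added example (not pam_pwquality's own code and not from the original notes) that parses the option string from the line above and re-implements the checks in simplified form. It models the negative-credit meaning only (lcredit=-1 means "at least one lowercase character is required"; positive credits, which shorten the required length, are not modelled). difok follows its documented meaning, the number of characters in the new password that are not present in the old one, together with pam_pwquality's rule that a new password at least twice as long as the old one passes that check. retry=3 only controls how many times the user is prompted, so it has no effect on whether a particular password is accepted.

```python
"""Simplified re-implementation of the pam_pwquality options used above.

Added example, not pam_pwquality's own code.  Only negative credit values
(minimum counts per character class), minlen and difok are modelled.
"""

# Option name -> (human label, predicate for a single character)
CLASSES = {
    "lcredit": ("lowercase", str.islower),
    "ucredit": ("uppercase", str.isupper),
    "dcredit": ("digit", str.isdigit),
    "ocredit": ("other", lambda c: not c.isalnum()),
}


def parse_pwquality_options(argline):
    """Turn 'retry=3 minlen=12 lcredit=-1 ...' into a dict.

    Flags without '=' (try_first_pass, local_users_only) are stored as True.
    """
    opts = {}
    for token in argline.split():
        key, _, value = token.partition("=")
        opts[key] = int(value) if value.lstrip("-").isdigit() else (value or True)
    return opts


def check_password(new, old, policy):
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    minlen = policy.get("minlen", 8)
    if len(new) < minlen:
        problems.append(f"shorter than minlen={minlen}")
    for opt, (label, predicate) in CLASSES.items():
        required = -policy.get(opt, 0)  # lcredit=-1 -> at least 1 lowercase
        if required > 0:
            count = sum(1 for c in new if predicate(c))
            if count < required:
                problems.append(f"needs at least {required} {label} character(s), has {count}")
    difok = policy.get("difok", 1)
    # pam_pwquality skips the similarity check when the new password is at
    # least twice as long as the old one.
    if old and len(new) < 2 * len(old):
        different = sum(1 for c in new if c not in old)
        if different < difok:
            problems.append(f"only {different} character(s) not in the old password (difok={difok})")
    return problems


# The option string from the pam_pwquality line shown above.
POLICY = parse_pwquality_options(
    "try_first_pass retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4"
)

if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate, previous in [("password", ""), ("Tr0ub4dor&3xx", ""), ("Tr0ub4dor&3xx", "Tr0ub4dor&3yy")]:
        result = check_password(candidate, previous, POLICY) or ["accepted"]
        print(candidate, "->", "; ".join(result))
```

The constructed candidates show the three outcomes: "password" fails length and three of the four class requirements, "Tr0ub4dor&3xx" passes when there is no previous password, and the same value fails difok when the previous password shares all but two of its characters.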

To be updated.


  1. How to enforce password complexity on Linux