Introduction
In this lab, you will learn how to manage user accounts on your Linux system, including creating, modifying, and deleting user accounts, as well as understanding user privileges and permissions. You will also implement password policy and user management practices. The lab covers the basics of the useradd, passwd, and cat /etc/passwd commands, providing practical examples to help you effectively manage users on your Linux machine.
Manage User Accounts
In this step, you will learn how to manage user accounts on your Linux system. We will cover creating, modifying, and deleting user accounts, as well as understanding user privileges and permissions.
First, let's create a new user account:
sudo useradd -m -s /bin/bash newuser
The command prints nothing on success. It creates a new user account with the username newuser. The -m option creates a home directory for the new user, and the -s option sets the default shell to /bin/bash.
Next, let's set a password for the new user:
sudo passwd newuser
Example output:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
To verify the new user account, you can list all users on the system (/etc/passwd is world-readable, so sudo is not strictly required here):
sudo cat /etc/passwd
Example output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
labex:x:1000:1000:labex,,,:/home/labex:/bin/bash
newuser:x:1001:1001::/home/newuser:/bin/bash
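You can see the new user newuser has been added to the /etc/passwd file. Each line has seven colon-separated fields: username, password placeholder, UID, GID, comment, home directory, and login shell. The x in the second field means the password hash is stored in /etc/shadow rather than in this file.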
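As an added example (not part of the original lab), the script below audits a passwd-format file for the entries a reviewer usually checks after adding accounts: extra UID 0 accounts, empty password fields, and accounts with a usable login shell. The sample data, including the svcadmin and legacy entries, is constructed for illustration, and audit_passwd is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: review a passwd-format file after creating accounts.

# Constructed sample in /etc/passwd format (not taken from a real host).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
labex:x:1000:1000:labex,,,:/home/labex:/bin/bash
newuser:x:1001:1001::/home/newuser:/bin/bash
svcadmin:x:0:0::/home/svcadmin:/bin/bash
legacy::1002:1002::/home/legacy:/bin/sh
EOF
}

# audit_passwd [FILE]   (FILE defaults to /etc/passwd, "-" reads stdin)
# Prints one finding per line in the form "TYPE name detail".
audit_passwd() {
  awk -F: '
    # A valid entry has exactly seven fields.
    NF != 7                    { print "MALFORMED line " NR; next }
    # Any account with UID 0 has full root privileges.
    $3 == 0 && $1 != "root"    { print "UID0 " $1 " shares uid 0 with root" }
    # An empty second field means no password is required.
    $2 == ""                   { print "NOPASSWD " $1 " has an empty password field" }
    # Accounts whose shell is not nologin/false can start a session.
    $7 !~ /\/(nologin|false)$/ { print "SHELL " $1 " " $7 }
  ' "${1:-/etc/passwd}"
}

# Demo on the constructed sample.
sample_passwd | audit_passwd -
```

To review the live system instead of the sample, call audit_passwd with no argument.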
To delete the user account, you can use the userdel command:
sudo userdel -r newuser
The -r option removes the user's home directory and mail spool.
Understand User Privileges and Permissions
In this step, you will learn about user privileges and permissions in Linux. We will cover how to view and manage user permissions, as well as how to grant and revoke privileges.
First, let's create a new user and a new group:
sudo useradd -m -s /bin/bash newuser
sudo groupadd devgroup
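Next, let's add newuser to the devgroup group. The -a option appends the group; without it, -G would replace the user's existing supplementary groups: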
sudo usermod -a -G devgroup newuser
To verify the user and group memberships, we can use the id command:
id newuser
Example output:
uid=1001(newuser) gid=1001(newuser) groups=1001(newuser),1002(devgroup)
We can see that newuser is now a member of the devgroup group.
Now, let's create a new directory and set permissions on it:
sudo mkdir /opt/myapp
sudo chown newuser:devgroup /opt/myapp
sudo chmod 770 /opt/myapp
The chown command sets the owner and group of the directory to newuser and devgroup, respectively. The chmod command sets the permissions to rwxrwx---, which means the owner and group members can read, write, and execute, but others have no access. On a directory, execute permission controls whether a user can enter it and reach the files inside.
To verify the permissions, we can use the ls -l command:
ls -l /opt
Example output:
total 4
drwxrwx--- 2 newuser devgroup 4096 Apr 17 12:34 myapp
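Now, let's try to access the directory as a different user. This assumes an account named otheruser already exists on the system and is not a member of devgroup: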
sudo -u otheruser ls -l /opt/myapp
Example output:
ls: cannot open directory '/opt/myapp': Permission denied
As you can see, otheruser cannot access the myapp directory because it is neither the owner nor a member of the devgroup group.
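The owner/group/other decision behind the result above, as an added example that is not part of the original lab: perms_for (a hypothetical helper) picks the single permission class that applies to a user and prints its bits. It does not model root, ACLs or the special mode bits, and the user alice is constructed.

```bash
#!/usr/bin/env bash
# Added example: which permission class applies to a user, and what it grants.

# perms_for MODE OWNER GROUP USER "USER_GROUPS"
# MODE is three octal digits (e.g. 770); USER_GROUPS is a space-separated list.
# Prints "<class> <bits>", e.g. "group rwx".
perms_for() (
  mode=$1 owner=$2 group=$3 user=$4 user_groups=$5

  # Exactly one class is used: owner first, then group, then other.
  # A match on an earlier class is final, even if a later class grants more.
  if [ "$user" = "$owner" ]; then
    class=owner pos=6
  else
    case " $user_groups " in
      *" $group "*) class=group pos=3 ;;
      *)            class=other pos=0 ;;
    esac
  fi

  # Leading 0 makes the shell read MODE as octal; keep the 3 bits of the class.
  bits=$(( (0$mode >> pos) & 7 ))

  r=-; w=-; x=-
  if [ $((bits & 4)) -ne 0 ]; then r=r; fi
  if [ $((bits & 2)) -ne 0 ]; then w=w; fi
  if [ $((bits & 1)) -ne 0 ]; then x=x; fi
  printf '%s %s%s%s\n' "$class" "$r" "$w" "$x"
)

# The lab's directory: /opt/myapp, mode 770, owner newuser, group devgroup.
perms_for 770 newuser devgroup newuser   "newuser devgroup"   # owner rwx
perms_for 770 newuser devgroup alice     "alice devgroup"     # group rwx
perms_for 770 newuser devgroup otheruser "otheruser"          # other ---
# Edge case: with mode 070 the owner is denied although the group is allowed.
perms_for 070 newuser devgroup newuser   "newuser devgroup"   # owner ---
```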
Implement Password Policy and User Management
In this final step, you will learn how to implement password policy and manage user accounts more effectively.
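First, let's configure password policy using the pam_cracklib module. This module provides password strength checking and can enforce rules like minimum length, character requirements, and password history. pam_cracklib has been removed from recent Linux-PAM releases; on systems that no longer ship it, pam_pwquality takes the same options used below.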
Open the /etc/pam.d/common-password file with a text editor:
sudo nano /etc/pam.d/common-password
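And add the following lines, keeping the pam_cracklib.so line above the pam_unix.so line so that the strength check runs before the password is stored: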
password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
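This configuration requires passwords to be at least 8 characters long, and contain at least one digit, one uppercase, one lowercase, and one special character. The negative credit values (-1) are what make each character class mandatory; a positive value would only count that class toward minlen without requiring it.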
Next, let's create a new user and test the password policy:
sudo useradd -m -s /bin/bash newuser2
sudo passwd newuser2
Example output:
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match.
Enter new UNIX password:
Retype new UNIX password:
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error
As you can see, the password policy is enforced, and the user is not allowed to set a weak password.
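An added example, not part of the original lab: check_pw_policy (a hypothetical helper) reads a pam_cracklib or pam_pwquality line and reports options that do not actually require a character class, which happens when a credit is positive or unset. WEAK_LINE is constructed for comparison with the line used above.

```bash
#!/usr/bin/env bash
# Added example: check that a PAM password-quality line enforces what it seems to.

# The line from this lab, and a constructed weak variant for comparison.
GOOD_LINE='password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1'
WEAK_LINE='password requisite pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=-1 lcredit=-1'

# check_pw_policy "PAM LINE" [MIN_LENGTH]
# Prints one finding per line, or "OK" when nothing is flagged.
check_pw_policy() (
  line=$1 want_len=${2:-8} bad=0

  # get NAME: value of the last NAME=value token on the line, or empty.
  get() {
    printf '%s\n' "$line" | tr -s ' \t' '\n\n' | sed -n "s/^$1=//p" | tail -n 1
  }

  len=$(get minlen)
  if [ -z "$len" ] || [ "$len" -lt "$want_len" ]; then
    echo "minlen=${len:-unset}: shorter than $want_len"; bad=1
  fi

  for opt in dcredit ucredit lcredit ocredit; do
    v=$(get "$opt")
    case "$v" in
      -[1-9]*) ;;   # negative: at least that many characters of the class
      '') echo "$opt unset: class not required"; bad=1 ;;
      *)  echo "$opt=$v: length credit, class not required"; bad=1 ;;
    esac
  done

  if [ "$bad" -eq 0 ]; then echo "OK"; fi
)

echo "lab line:  $(check_pw_policy "$GOOD_LINE")"
echo "weak line:"
check_pw_policy "$WEAK_LINE"
```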
Finally, let's explore some user management commands:
## Lock a user account
sudo usermod -L newuser2
## Unlock a user account
sudo usermod -U newuser2
## Expire a user's password
sudo passwd -e newuser2
## Set a user's password to never expire
sudo chage -M -1 newuser2
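These commands allow you to manage user accounts more effectively, such as locking accounts, forcing password changes, and setting password expiration policies. Note that usermod -L locks only the password: it does not block logins that use another method, such as an SSH key, so an account that must be fully disabled should also be given an expiry date.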
Summary
In this lab, you learned how to manage user accounts on your Linux system, including creating, modifying, and deleting user accounts, as well as understanding user privileges and permissions. You created a new user account, set a password for the new user, and verified the new user account by listing all users on the system.
The lab also covered implementing password policy and user management. You learned how to enforce password requirements and manage user accounts effectively to maintain the security and integrity of your Linux system.



