Chapter 15. User management

Table of Contents
15.1. Introduction
15.2. Adding and removing users
15.3. Avoiding root usage with su
15.4. Disk quota

15.1. Introduction

GNU/Linux is a multi-user operating system. This means that multiple users can use the system, and they can use it simultaneously. The GNU/Linux concepts for user management are quite simple. First of all, there are several user accounts on each system. Even on a single-user system there are multiple user accounts, because GNU/Linux uses dedicated accounts for some tasks. Users can be members of groups. Groups are used for more fine-grained permissions; for example, you could make a file readable by a certain group. There are a few reserved users and groups on each system. The most important of these is the root account. The root user is the system administrator. It is a good idea to avoid logging in as root, because this greatly increases security risks. You can log in as a normal user instead, and perform system administration tasks using the su and sudo commands.

The available user accounts are specified in the /etc/passwd file. You can have a look at this file to get an idea of which user accounts are mandatory. As you will probably notice, there are no passwords in this file. Passwords are kept in the separate /etc/shadow file, as an encrypted string. Information about groups is stored in /etc/group. Generally speaking, it is not a good idea to edit these files directly. There are some excellent tools that can help you with user and group administration. This chapter describes some of these tools.

15.2. Adding and removing users

15.2.1. useradd

The useradd command is used to add user accounts to the system. Running useradd with a user name as parameter will create the user on the system. For example:


# useradd bob
      

Creates the user account bob. Please be aware that this does not create a home directory for the user. Add the -m parameter to create a home directory. For example:


# useradd -m bob
      

This would add the user bob to the system, and create the /home/bob home directory for this user. Normally the user is made a member of the users group. Suppose that we would like to make crew the primary group for the user bob. This can be done using the -g parameter. For example:


# useradd -g crew -m bob
      

It is also possible to add this user to secondary groups during the creation of the account with the -G parameter. Group names are separated with commas. The following command would create the user bob, who is a member of the crew primary group, and of the www-admins and ftp-admins secondary groups:


# useradd -g crew -G www-admins,ftp-admins -m bob
      

By default useradd only creates the account; it does not set a password for the added user. Passwords can be set using the passwd command.
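The relationship between /etc/passwd, /etc/shadow and /etc/group described in the introduction, and the primary and secondary group membership that the -g and -G parameters of useradd set up, can be checked without touching the live files. The script below is an added example, not part of the original chapter; it works on constructed copies of the three files in a temporary directory, and the function names (user_groups, passwd_field_problems, shadow_empty_passwords) are chosen here for illustration. It reports an account's primary group (looked up through the gid field of passwd) and its secondary groups (the member list in group), and flags two things an administrator would want to know about: a password field in passwd that is not the "x" placeholder, and an empty password field in shadow, which allows login without a password.

```shell
#!/bin/sh
# Added example (not from the original chapter): inspect copies of the
# account files without touching the live system. The three files below
# are constructed for illustration; the hashes are not real hashes.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
john:x:1002:100:John Doe:/home/john:/bin/bash
legacy:OLDHASHLEFTINPASSWD:1003:100:Legacy:/home/legacy:/bin/bash
EOF

cat > "$TMP/shadow" <<'EOF'
root:!:19000:0:99999:7:::
bob:$6$constructed$notarealhash:19000:0:99999:7:::
john::19000:0:99999:7:::
legacy:*:19000:0:99999:7:::
EOF

cat > "$TMP/group" <<'EOF'
root:x:0:
users:x:100:
crew:x:1010:
www-admins:x:1011:bob
ftp-admins:x:1012:bob,john
wheel:x:10:bob
EOF

# Print the primary group of NAME (resolved from the gid field of the passwd
# copy) followed by every group in the group copy that lists NAME as a member.
user_groups() {  # user_groups NAME PASSWD_FILE GROUP_FILE
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$3")
    secondary=$(awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$3")
    printf '%s' "$primary"
    for g in $secondary; do printf ' %s' "$g"; done
    printf '\n'
}

# Accounts whose password field in passwd is anything other than "x":
# either a hash left in the world-readable file, or an empty field.
passwd_field_problems() {  # passwd_field_problems PASSWD_FILE
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Accounts whose shadow entry has an empty password field (no password
# required to log in). Locked accounts show "!" or "*" instead and are fine.
shadow_empty_passwords() {  # shadow_empty_passwords SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

echo "Groups of bob: $(user_groups bob "$TMP/passwd" "$TMP/group")"
echo "Non-x password fields in passwd: $(passwd_field_problems "$TMP/passwd")"
echo "Empty password fields in shadow: $(shadow_empty_passwords "$TMP/shadow")"
```

To run the same checks against a real system, point the functions at /etc/passwd, /etc/group and (as root) /etc/shadow instead of the constructed copies.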

15.2.2. passwd

As you probably guessed, the passwd command is used to set a password for a user. Running this command as a user without a parameter will change the password of that user. The passwd command will ask for the old password once, and for the new password twice:


$ passwd
Changing password for bob
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
      

The root user can set passwords for users by specifying the user name as a parameter. The passwd command will only ask for the new password. For example:


# passwd bob
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
      

15.2.3. adduser

The adduser command combines useradd and passwd in an interactive script. It will ask you to fill in information about the account to be created. After that it will create an account based on the information you provided. The screen listing below shows a sample session.


# adduser

Login name for new user []: john

User ID ('UID') [ defaults to next available ]: <Enter>

Initial group [ users ]: <Enter>

Additional groups (comma separated) []: staff

Home directory [ /home/john ] <Enter>

Shell [ /bin/bash ] <Enter>

Expiry date (YYYY-MM-DD) []: <Enter>

New account will be created as follows:

---------------------------------------
Login name.......:  john
UID..............:  [ Next available ]
Initial group....:  users
Additional groups:  [ None ]
Home directory...:  /home/john
Shell............:  /bin/bash
Expiry date......:  [ Never ]

This is it... if you want to bail out, hit Control-C.  Otherwise, press
ENTER to go ahead and make the account.
<Enter>

Creating new account...


Changing the user information for john
Enter the new value, or press ENTER for the default
        Full Name []: John Doe
        Room Number []: <Enter>
        Work Phone []: <Enter>
        Home Phone []: <Enter>
        Other []: <Enter>
Changing password for john
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password: password
Re-enter new password: password


Account setup complete.
      

You can use the default values, or leave some fields empty, by tapping the <Enter> key.

15.2.4. userdel

Sometimes it is necessary to remove a user account from the system. GNU/Linux offers the userdel tool to do this. Just specify the username as a parameter to remove that user from the system. For example, the following command will remove the user account bob from the system:


# userdel bob
      

This will only remove the user account, not the user's home directory and mail spool. Just add the -r parameter to delete the user's home directory and mail spool too. For example:


# userdel -r bob
      

15.3. Avoiding root usage with su

It is a good idea to avoid logging in as root. There are many reasons for not doing this. Accidentally typing a wrong command could cause bad things to happen, and malicious programs can do a lot of damage when you are logged in as root. Still, there are many situations in which you need to have root access, for example to do system administration or to install new software. Fortunately su can give you temporary root privileges.

Using su is very simple. Just executing su will ask you for the root password, and will start a shell with root privileges after the password is correctly entered:


$ whoami
bob
$ su
Password: 
# whoami
root
# exit
exit
$ whoami
bob
    

In this example the user bob is logged on, as the whoami output reflects. The user executes su and enters the root password. su launches a shell with root privileges, which is confirmed by the whoami output. After exiting the root shell, control is returned to the original shell, which runs with the privileges of the user bob.

It is also possible to execute just one command as the root user with the -c parameter. The following example will run lilo:


$ su -c lilo
    

If you want to give parameters to the command you would like to run, use quotes (e.g. su -c "ls -l /"). Without quotes su cannot determine whether the parameters should be used by the specified command, or by su itself.

15.3.1. Restricting su access

You can refine access to su with suauth(5). It is a good security practice to only allow members of a special group to su to root. For instance, you can restrict root su-ing in a BSD fashion to members of the wheel group by adding the following line to /etc/suauth:


root:ALL EXCEPT GROUP wheel:DENY
      

15.4. Disk quota

15.4.1. Introduction

Disk quota is a mechanism that allows the system administrator to restrict the number of disk blocks and inodes that a particular user or group can use. Not all filesystems supported by Linux support quota; widely used filesystems that do are ext2, ext3 and XFS. Quotas are turned on and managed on a per-filesystem basis.

15.4.2. Enabling quota

Quota can be enabled per filesystem in /etc/fstab, by using the usrquota and grpquota filesystem options. For example, suppose that we have the following entry for the /home partition in /etc/fstab:


/dev/hda8        /home            xfs         defaults         1   2
      

We can now enable user quota by adding the usrquota filesystem option:


/dev/hda8        /home            xfs         defaults,usrquota 1   2
      

At this point the machine can be rebooted, to let the Slackware Linux initialization scripts enable quota. You can also enable quota without rebooting the machine, by remounting the partition, and running the quotaon command:


# mount -o remount /home
# quotaon -avug
      

15.4.3. Editing quota

User and group quotas can be edited with the "edquota" utility. This program allows you to edit quotas interactively with the vi editor. The most basic syntax of this command is edquota username. For example:


# edquota joe
      

This will launch the vi editor with the quota information for the user joe. It will look like this:


Disk quotas for user joe (uid 1143):
  Filesystem                   blocks       soft       hard     inodes     soft    hard
  /dev/hda5                      2136          0          0         64        0       0
      

In this example quotas are only turned on for one file system, namely the filesystem on /dev/hda5. As you can see there are multiple columns. The blocks column shows how many blocks the user uses on the file system, and the inodes column the number of inodes the user occupies. Besides that there are soft and hard columns after both blocks and inodes. These columns specify the soft and hard limits on blocks and inodes. A user can exceed the soft limit for a grace period, but the user can never exceed the hard limit. If the value of a limit is 0, there is no limit.

Note

The term "blocks" might be a bit confusing in this context. In the quota settings a block is 1KB, not the block size of the file system.

Let's look at a simple example. Suppose that we would like to set the soft limit for the user joe to 250000, and the hard limit to 300000. We could change the quotas listed above to:


Disk quotas for user joe (uid 1143):
  Filesystem                   blocks       soft       hard     inodes     soft    hard
  /dev/hda5                      2136     250000     300000         64        0       0
      

The new quota settings for this user will be active after saving the file, and quitting vi.

15.4.4. Getting information about quota

It is often useful to get statistics about the current quota usage. The repquota command can be used to get information about what quotas are set for every user, and how much of each quota is used. You can see the quota settings for a specific partition by giving the name of the partition as a parameter. The -a parameter will show quota information for all partitions with quota enabled. Suppose that you would like to see quota information for /dev/hda5, you can use the following command:


repquota /dev/hda5
*** Report for user quotas on device /dev/hda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --       0       0       0              3     0     0       
[..]
joe       --    2136  250000  300000             64     0     0       
[..]
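The repquota output above is easy to scan by eye for a handful of users, but on a system with many accounts it helps to let a script pick out who is over a soft limit and how much room each user has left before the hard limit. The script below is an added example, not part of the original chapter or of the quota tools; it parses a constructed report in the repquota format shown above (the extra users alice and bob are made up), and the function names quota_over_soft and quota_block_headroom are chosen here for illustration. It relies on the flag column repquota prints after the user name: a "+" as the first character means the block soft limit is exceeded, a "+" as the second character means the inode soft limit is exceeded. Reading the flags rather than counting fields matters because the grace columns are only filled in for users who are over a limit, so the number of fields per line varies. The headroom function also applies the rule from section 15.4.3 that a hard limit of 0 means no limit.

```shell
#!/bin/sh
# Added example (not from the original chapter): parse a repquota(8) report
# to find users over a soft limit and compute remaining block headroom.
# The report below is constructed for illustration.

TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT
cat > "$TMP" <<'EOF'
*** Report for user quotas on device /dev/hda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --       0       0       0              3     0     0
joe       --    2136  250000  300000             64     0     0
alice     +-  260000  250000  300000  6days      120     0     0
bob       -+    4000  100000  150000             900   500  1000  3days
EOF

# Print "user blocks" or "user inodes" for every account over a soft limit.
# Data lines start after the dashed separator; the flags are in field 2.
quota_over_soft() {  # quota_over_soft REPORT_FILE
    awk 'BEGIN { body = 0 }
         /^-+$/ { body = 1; next }
         body && NF >= 8 {
             if (substr($2, 1, 1) == "+") print $1, "blocks"
             if (substr($2, 2, 1) == "+") print $1, "inodes"
         }' "$1"
}

# Print how many 1 KB blocks USER may still write before reaching the hard
# block limit, or "unlimited" when the hard limit is 0 (no limit set).
quota_block_headroom() {  # quota_block_headroom USER REPORT_FILE
    awk -v u="$1" 'BEGIN { body = 0 }
         /^-+$/ { body = 1; next }
         body && $1 == u {
             if ($5 == 0) print "unlimited"; else print $5 - $3
             exit
         }' "$2"
}

echo "Users over a soft limit:"
quota_over_soft "$TMP"
for u in root joe alice; do
    printf '%s headroom: %s blocks\n' "$u" "$(quota_block_headroom "$u" "$TMP")"
done
```

To use it on a live system, replace the constructed file with the output of repquota for the partition in question, for example repquota /dev/hda5 > /tmp/report.txt and then quota_over_soft /tmp/report.txt.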