Linux users - Hello, Humans !


What's the difference between expired password / locked account / disabled account ?

expired password
  • the password has reached its maximum age
  • there is a grace time
    • during which the user is forced to change their password before being allowed to log in
    • after which the account is locked if the password is not changed
    • that can be set with :

expired account
  • expired account == disabled account
  • an expired account does not always imply an expired password
  • but expired password + passed inactive days == expired account
  • will not accept logins, whatever the authentication mechanism (SSH keys, smart card, RSA SecurID, ...)
  • changing the user's shell to any flavor of nologin has a similar but not totally equivalent effect :
    • it forbids command-line login for any authentication method, as expected
    • but if the system has other services like email or FTP that use the system passwords for authentication, changing the shell may not disable access to them

disabled password
  • N/A

disabled account
  • see "expired account" above (expired account == disabled account)

locked
  • this is done by invalidating the corresponding /etc/shadow entry
  • when an account is locked :
    • its owner
      • won't be able to perform a password-based login
      • must contact the system administrator to be able to log in again
    • but logins using alternate authentication tokens (such as SSH keys) still work
  • to forbid any kind of login, consider changing the user's shell to any flavor of nologin
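The three states above map onto distinct fields of /etc/shadow (the "!" prefix on the hash for a lock, the last-change + max-age fields for password expiry, the inactive field for the grace period, the expire field for the account itself). The script below is an added example, not code from the original page : it classifies a shadow line the way login would, following the field semantics of shadow(5). The entries it runs on are constructed, and "today" is passed in as a day count so the result is reproducible.

```sh
#!/bin/sh
# Classify one /etc/shadow line the way login would judge it, using the field
# semantics of shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Dates are days since 1970-01-01, the unit the shadow file itself uses, so
# "today" is passed in explicitly. The sample entries at the bottom are
# constructed, not taken from a real system.

classify_shadow_entry() {
    # $1: one shadow line, $2: today as days since the epoch
    printf '%s\n' "$1" | {
        IFS=: read -r name hash lastchg minage maxage warn inactive expire reserved
        today=$2
        # 1. account expiration date reached: the account itself is expired/disabled,
        #    no login at all, whatever the authentication method
        if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
            echo "account expired"
        # 2. password older than its maximum age ...
        elif [ -n "$lastchg" ] && [ "$lastchg" -gt 0 ] && [ -n "$maxage" ] \
             && [ "$today" -ge $((lastchg + maxage)) ]; then
            #    ... and the inactive (grace) days have also passed: account disabled
            if [ -n "$inactive" ] && [ "$today" -ge $((lastchg + maxage + inactive)) ]; then
                echo "account disabled"
            else
                echo "password expired"       # still within the grace time: change required at login
            fi
        # 3. lastchg == 0 means "must change the password at next login"
        elif [ "$lastchg" = "0" ]; then
            echo "password change required"
        # 4. the "!" prefix that usermod -L / passwd -l add: password login refused,
        #    other tokens such as SSH keys still work
        elif [ "${hash#!}" != "$hash" ]; then
            echo "locked"
        else
            echo "ok"
        fi
    }
}

# Demo on constructed entries, with "today" = 19500 days since the epoch
sample_shadow='kevin:$6$salt$hash:19000:0:99999:7:::
alice:!$6$salt$hash:19000:0:99999:7:::
stuart:$6$salt$hash:19000:0:90:7:::
bob:$6$salt$hash:19000:0:90:7:30::
carol:$6$salt$hash:19000:0:99999:7::19400:'
printf '%s\n' "$sample_shadow" | while IFS= read -r line; do
    printf '%-8s %s\n' "${line%%:*}" "$(classify_shadow_entry "$line" 19500)"
done
```

Note the ordering : an expired account wins over everything else (no login at all), then the password age, and only then the lock flag, which by itself blocks password logins only.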

system vs regular user accounts

Technically, there is little difference between system and regular user accounts : they are kept apart mostly for administrative and auditing reasons.
The same goes for regular vs system groups, so "accounts or groups" won't be repeated hereafter.
As for the differences :

Creation of system accounts

Can be achieved :

Read current ranges :

UID

awk '
# \y (word boundary) is a GNU awk extension ; with mawk or BSD awk, test $1 == "UID_MIN" instead
/\yUID_MIN\y/		{ uidMin=$2 }
/\yUID_MAX\y/		{ uidMax=$2 }
/\ySYS_UID_MIN\y/	{ sysUidMin=$2 }
/\ySYS_UID_MAX\y/	{ sysUidMax=$2 }
END { print "Range of UIDs :\n\tsystem accounts : \t"sysUidMin"-"sysUidMax"\n\tregular accounts :\t"uidMin"-"uidMax }
' /etc/login.defs
Range of UIDs :
	system accounts :	100-999
	regular accounts :	1000-60000

GID

awk '
/\yGID_MIN\y/		{ gidMin=$2 }
/\yGID_MAX\y/		{ gidMax=$2 }
/\ySYS_GID_MIN\y/	{ sysGidMin=$2 }
/\ySYS_GID_MAX\y/	{ sysGidMax=$2 }
END { print "Range of GIDs :\n\tsystem groups : \t"sysGidMin"-"sysGidMax"\n\tregular groups :\t"gidMin"-"gidMax }
' /etc/login.defs
Range of GIDs :
	system groups :		100-999
	regular groups :	1000-60000
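Once the ranges are known, the next thing an auditor wants is the list of accounts that do not fit them. The script below is an added example, not code from the original page : it reads the UID boundaries from a login.defs-style file (matching on the first field, which also works with mawk and BSD awk) and tags every passwd entry as root, static, system, regular or out of range. Both input files are constructed samples ; the "static" class for UIDs below SYS_UID_MIN reflects the usual distribution practice of allocating those by hand.

```sh
#!/bin/sh
# Audit helper: read the UID ranges from a login.defs-style file, then say for
# each passwd entry whether its UID is in the system range, the regular range,
# or outside both. An account outside both ranges is not necessarily wrong, but
# it was not created by useradd/adduser with the current settings and deserves
# a look. Both input files below are constructed samples, not copied from a system.

classify_uids() {
    # $1: login.defs-style file, $2: passwd-style file
    # prints "<name> <uid> <class>" per passwd entry
    awk -v defs="$1" '
        BEGIN {
            # pass 1: range boundaries from login.defs (key, whitespace, value)
            while ((getline line < defs) > 0) {
                sub(/^[ \t]+/, "", line)
                split(line, f, /[ \t]+/)
                if (f[1] == "UID_MIN")     uidMin = f[2] + 0
                if (f[1] == "UID_MAX")     uidMax = f[2] + 0
                if (f[1] == "SYS_UID_MIN") sysUidMin = f[2] + 0
                if (f[1] == "SYS_UID_MAX") sysUidMax = f[2] + 0
            }
            close(defs)
            FS = ":"
        }
        # pass 2: passwd entries, UID is the third field
        {
            uid = $3 + 0
            if (uid == 0)                                  cls = "root"
            else if (uid < sysUidMin)                      cls = "static (below SYS_UID_MIN, usually allocated by hand by the distribution)"
            else if (uid >= sysUidMin && uid <= sysUidMax) cls = "system"
            else if (uid >= uidMin && uid <= uidMax)       cls = "regular"
            else                                           cls = "OUT-OF-RANGE"
            print $1, uid, cls
        }
    ' "$2"
}

# Constructed samples (hypothetical accounts), written to a temporary directory
sample_dir=$(mktemp -d)
cat > "$sample_dir/login.defs" <<'EOF'
# constructed login.defs excerpt
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               100
SYS_UID_MAX               999
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
kevin:x:1000:1000:Kevin:/home/kevin:/bin/bash
backupsvc:x:65000:65000::/srv/backup:/usr/sbin/nologin
EOF

classify_uids "$sample_dir/login.defs" "$sample_dir/passwd"
```

On a real host, point it at /etc/login.defs and /etc/passwd ; the OUT-OF-RANGE lines are the ones to explain.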

How to manage users and groups

On a Linux system, users belong to 2 group types :

Action : Linux / FreeBSD

add a user account
  • adduser, then follow the on-screen instructions
delete a user account
  • Linux : userdel -r kevin (-r : delete the user's home directory too)
  • FreeBSD : rmuser kevin
lock a user account
  • Linux : usermod -L kevin
  • FreeBSD : see "About the FreeBSD LOCKED accounts" below
unlock a user account
  • Linux : usermod -U kevin (this removes the ! in front of the encrypted password in /etc/shadow)
get the date of the latest user login
  • lastlog | grep kevin
create a new group
  • Linux : groupadd newGroupName
  • FreeBSD : pw group add groupName
delete a group
  • FreeBSD : pw group del groupName
list all groups
  • Linux : less /etc/group (also shows group members)
  • FreeBSD : pw group show -a
add a user into an existing group
  • FreeBSD, primary group : pw usermod kevin -g groupName
  • FreeBSD, group list : pw usermod kevin -G current,groups,groupName
remove a user from a group
  • Linux : gpasswd -d kevin groupName
  • Linux : deluser kevin groupName
  • or edit /etc/group
list the members of a group
  • Linux : grep 'groupName' /etc/group
  • FreeBSD : pw group show groupName
list the last n logins of a user
  • last -n <n> stuart | less
list the groups a user belongs to
know which Unix users are currently connected
  • who
read details about a user account on a local / distant host
  • finger
  • finger kevin@host
  • finger @host
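The two group types matter when reading the files by hand : a user's primary group is only visible in the GID field of /etc/passwd, so grep 'groupName' /etc/group lists explicit members only and misses the users for whom groupName is the primary group. The script below is an added example, not code from the original page : it resolves both directions (groups of a user, members of a group) from passwd/group-style files. The two files are constructed, with hypothetical users.

```sh
#!/bin/sh
# Resolve group membership from passwd/group files. A user's primary group is
# the GID field of their passwd entry; supplementary groups are the member lists
# in the group file. "grep groupName /etc/group" therefore misses users whose
# primary group is groupName: members_of below counts both. The two sample
# files are constructed (hypothetical users and groups), not copied from a system.

groups_of() {
    # $1: user name, $2: passwd-style file, $3: group-style file
    # prints one group name per line, the primary group first
    awk -F: -v user="$1" '
        FNR == NR { if ($1 == user) primaryGid = $4; next }          # passwd: remember the primary GID
        primaryGid != "" && $3 == primaryGid { primary = $1; next }   # the group carrying that GID
        {
            n = split($4, m, ",")                                     # explicit member list
            for (i = 1; i <= n; i++) if (m[i] == user) { supp[++s] = $1; break }
        }
        END {
            if (primary != "") print primary
            for (i = 1; i <= s; i++) print supp[i]
        }
    ' "$2" "$3"
}

members_of() {
    # $1: group name, $2: passwd-style file, $3: group-style file
    # prints the members sorted, one per line: explicit members plus primary-group members
    awk -F: -v grp="$1" '
        FNR == NR {                                                   # group file is read first
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }                       # passwd: primary GID matches
        END { for (u in seen) print u }
    ' "$3" "$2" | sort
}

# Constructed samples written to a temporary directory
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
kevin:x:1000:1000:Kevin:/home/kevin:/bin/sh
stuart:x:1001:1001:Stuart:/home/stuart:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
EOF
cat > "$sample_dir/group" <<'EOF'
root:x:0:
users:x:100:kevin
sudo:x:27:kevin,stuart
kevin:x:1000:
stuart:x:1001:
EOF

printf 'groups of kevin  : %s\n' "$(groups_of kevin "$sample_dir/passwd" "$sample_dir/group" | tr '\n' ' ')"
printf 'members of users : %s\n' "$(members_of users "$sample_dir/passwd" "$sample_dir/group" | tr '\n' ' ')"
```

In the sample, bob never appears on the users line of the group file, yet he is a member through his primary GID ; id -Gn bob on a real system would show it, a grep on /etc/group would not.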

About the FreeBSD LOCKED accounts (source) :

  • Check whether an account is LOCKED :
    • vipw (to edit the password file with vi)
    • or : less /etc/master.passwd

    This displays the list of users and their encrypted passwords, with *LOCKED* in front of the password when the account is locked.

  • How to lock a user account :

    pw lock kevin

  • Now, this user can no longer log in via telnet, FTP, SSH or rlogin. But he still has access to Samba.

How to limit users' resource usage ?

With /etc/security/limits.conf and PAM (details) :

  1. Make sure PAM limits are enabled (source) : in /etc/pam.d/login, you should have :
    session	required	pam_limits.so
  2. To limit the maximum number of processes for a given user, add into /etc/security/limits.conf a line such as (source, configuration details) :
    stuart hard nproc maximumNumberOfProcesses
  3. At this step, the settings will be applied at stuart's next login. To reload them now : sudo -i -u stuart (source)
  4. Then, as stuart, check that the limits have been reloaded : ulimit -a
  5. A potentially unsafe quick-and-dirty solution would be to restart the init process : kill -HUP 1 (source)
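Step 2 uses a hard limit on purpose : a soft limit can be raised by the user himself (ulimit -u) up to whatever hard limit he inherits from an @group or * entry, so a soft-only line does not cap anything. The script below is an added example, not code from the original page or from pam_limits : it resolves the soft and hard values of one item for one user from a limits.conf-style file, applying the pam_limits precedence (user entry over @group entry over * wildcard, last entry of the same kind wins). The two configs and the user's group list are constructed.

```sh
#!/bin/sh
# Work out which limits pam_limits would apply to a user from a limits.conf-style
# file, so a setting can be checked before it is relied upon. Precedence follows
# pam_limits: a user entry beats an @group entry, which beats the * wildcard;
# between entries of the same kind, the last one wins. The configs and the
# user's group list below are constructed examples.

resolve_limit() {
    # $1: user, $2: comma-separated groups of that user, $3: item (nproc, nofile, ...),
    # $4: limits.conf-style file. Prints "soft=<v> hard=<v>", "unset" where nothing matched.
    awk -v user="$1" -v groups="$2" -v item="$3" '
        BEGIN {
            n = split(groups, g, ",")
            for (i = 1; i <= n; i++) ingroup[g[i]] = 1
            soft = "unset"; hard = "unset"
            ps = 9; ph = 9                      # priority of the entry currently in force (lower wins)
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF != 4 { print "malformed line " NR ": " $0 > "/dev/stderr"; next }
        $3 != item { next }
        {
            if ($1 == user) pri = 1
            else if (substr($1, 1, 1) == "@" && (substr($1, 2) in ingroup)) pri = 2
            else if ($1 == "*") pri = 3
            else next
            # "-" sets both the soft and the hard limit at once
            if (($2 == "soft" || $2 == "-") && pri <= ps) { soft = $4; ps = pri }
            if (($2 == "hard" || $2 == "-") && pri <= ph) { hard = $4; ph = pri }
        }
        END { print "soft=" soft " hard=" hard }
    ' "$4"
}

sample_dir=$(mktemp -d)
# Weak version: stuart only gets a soft nproc limit, which he can raise himself
# (ulimit -u) up to the hard limit inherited from his group.
cat > "$sample_dir/weak.conf" <<'EOF'
# constructed limits.conf excerpt
*        soft    nproc   4096
*        hard    nproc   8192
@staff   hard    nproc   2048
stuart   soft    nproc   100
EOF
# Fixed version: an explicit hard limit for stuart, the shape of the line recommended in step 2.
{ cat "$sample_dir/weak.conf"; echo "stuart   hard    nproc   200"; } > "$sample_dir/fixed.conf"

for f in weak fixed; do
    printf '%s.conf: stuart (in staff) -> %s\n' "$f" "$(resolve_limit stuart staff nproc "$sample_dir/$f.conf")"
done
```

With weak.conf, stuart's effective cap is the 2048 coming from @staff, not the 100 the line seems to set ; with fixed.conf the hard limit is 200 and the soft value is just his starting point. Remember that pam_limits only applies these at login (step 3), so a resolution like this one is how to check the file without waiting for a session.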

With ulimit

Just read the linked article

With /etc/limits and shadow :

This method is now obsolete : it has been superseded by the PAM method described above.