Dealing with user passwords
Since it’s always a bad idea to know someone else’s password, admins will generally use a temporary password when they set up an account and then run a command that will force the user to change his password on his first login. Here’s an example:
$ sudo chage -d 0 jdoe
When the user logs in, he will see something like this:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for jdoe.
(current) UNIX password:
Adding users to secondary groups
To add a user to a secondary group, you might use the usermod command as shown below, first adding the user to the group and then verifying that the change was made.
$ sudo usermod -a -G sudo jdoe
$ sudo grep sudo /etc/group
sudo:x:27:shs,jdoe
Keep in mind that some groups -- like the sudo or wheel group -- imply certain privileges. More on this in a moment.
Removing accounts, adding groups, etc.
Linux systems also provide commands to remove accounts, add new groups, remove groups, etc. The deluser command, for example, will remove the user login entries from the /etc/passwd and /etc/shadow files but leave her home directory intact unless you add the --remove-home or --remove-all-files option. The addgroup command adds a group, but will give it the next group id in the sequence (i.e., likely in the user group range) unless you use the --gid option.
$ sudo addgroup testgroup --gid=131
Adding group `testgroup' (GID 131) ...
Done.
Managing privileged accounts
Some Linux systems have a wheel group that gives members the ability to run commands as root. In this case, the /etc/sudoers file references this group. On Debian systems, this group is called sudo, but it works the same way and you’ll see a reference like this in the /etc/sudoers file:
%sudo ALL=(ALL:ALL) ALL
This setting basically means that anyone in the wheel or sudo group can run all commands with the power of root once they preface them with the sudo command.
You can also add more limited privileges to the sudoers file -- maybe to give particular users the ability to run one or two commands as root. If you do, you should also periodically review the /etc/sudoers file to gauge how much privilege users have and verify that the privileges provided are still required.
In the command shown below, we’re looking at the active lines in the /etc/sudoers file. The most interesting lines in this file include the path set for commands that can be run using the sudo command and the two groups that are allowed to run commands via sudo. As was just mentioned, individuals can be given permissions by being directly included in the sudoers file, but it is generally better practice to define privileges through group memberships.
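One way to script the periodic review described above. This is an added example, not the article's own command; it runs against constructed sample files rather than the real /etc/sudoers and /etc/group, and the function names and the jdoe rule are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: constructed sample files stand in for /etc/sudoers and /etc/group.

# Active lines: drop blanks and comments, but keep "#include"/"#includedir",
# which sudoers treats as directives rather than comments.
active_lines() {
    awk '/^[ \t]*$/ { next }
         /^[ \t]*#/ && !/^#include/ { next }
         { print }' "$1"
}

# Classify each grant as a %group rule or a per-user rule and flag NOPASSWD.
# Defaults, alias definitions and include directives are not grants; skip them.
classify_rules() {
    active_lines "$1" | awk '
        /^(Defaults|[A-Za-z]+_Alias|#include|@include)/ { next }
        {
            kind = ($1 ~ /^%/) ? "group" : "user"
            flag = ($0 ~ /NOPASSWD/) ? " NOPASSWD" : ""
            print kind ":" $1 flag
        }'
}

# Resolve every %group rule to its current members using a group file.
privileged_members() {   # $1 = sudoers file, $2 = group file
    classify_rules "$1" | awk -F'[: ]' '$1 == "group" { print substr($2, 2) }' |
    while read -r grp; do
        awk -F: -v g="$grp" '$1 == g { print g ":" $4 }' "$2"
    done
}

# Constructed sample input (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/sudoers" <<'EOF'
# constructed sample
Defaults  env_reset
Defaults  secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jdoe    ALL=(root) NOPASSWD: /usr/sbin/service
EOF
printf '%s\n' 'sudo:x:27:shs,jdoe' 'admin:x:110:' 'testgroup:x:131:' > "$tmp/group"

classify_rules "$tmp/sudoers"
privileged_members "$tmp/sudoers" "$tmp/group"
```

The member list comes only from the fourth field of the group file, so a user whose primary group is a privileged group will not appear in it. Rules pulled in through include directives are not followed either and need the same pass.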