10 Users, groups. Passwd, shadow, group files.

In this lecture we will talk about users (accounts) and user groups. As I have repeatedly said, the Linux operating system is a multi-user system in which there can simultaneously exist a sufficiently large number of users that can be combined into groups.
All users on the local system are listed in the / etc / passwd file . Let's look at the contents of this file with the command less / etc / passwd . Each line in the / etc / passwd file describes one account. Despite the fact that you may have only two users on the system (root and yourself), there are much more lines in the / etc / passwd file . The fact is that for most of the services of the Linux operating system there is its own account with the rights necessary for the normal functioning of this service. This approach allows to increase the security of the system. Each line consists of seven fields separated by a colon. Let's look at these fields. For example, take the following line: igor: x: 1000: 1000: igor ,,,: / home / igor: / bin / bash .

1. igor - mnemonic account view. Although the system works only with numeric user names, it is easier for us to remember names in this form.

2. х - earlier there was a password in this field. Now he is in a different place, but the field remains and now there is just a symbol x .

3. 1000 - digital account designation. His UID .

4. 1000 is the numeric designation of the user's primary group ( GID ). Each user can belong to several groups, but only one of the groups is for the user - the main one. The one that is listed in the fourth field of the / etc / passwd file . Also, the user must necessarily belong to at least one group. As a rule, when creating a new user, a group of the same name is created for this user, which is the main one.

5. igor ,,, - This field may contain a description of the user, which allows the administrator to more fully describe a particular user or service. This field has a standard format that we will talk about later when we consider the program for creating a new user in the system.

6. / home / igor - path to the user's home directory.

7. / bin / bash - user command interpreter. If you look at the seventh field of other accounts, you will notice that / bin / bash is the default interpreter for regular users, / bin / sh is the interpreter for various services. If the service does not need a command interpreter for its work, then you can find the / bin / false or / bin / nologin entry . Both of these lines do not allow to register in the system, with the only difference that the latter writes in the log entry attempts.

Now consider the file in which user passwords are stored. This file is called / etc / shadow . In it, by analogy with the / etc / passwd file, each line describes one user and has 9 fields separated by a colon. You need administrator rights to view this file. Let's consider the fields of this file on the example of the line: root:!: 14438: 0: 99999: 7 :::

1. root - the mnemonic name of the user to which this string belongs.

2.! - This field stores the password, or rather its hash (password hash). What is a password hash? A password hash is a certain sequence of characters that is obtained after certain irreversible transformations over a user password. Irreversible because the reverse procedure: obtaining the original type of password from the password hash is a complex mathematical task impossible in a certain predetermined period of time (usually decades or more). When you log in to the system every time, an operation (let's call it hash) is performed with your password every time you calculate the password hash and compare it with the password hash from the / etc / shadow file. If the password hashes match, the user is authenticated.

By default, most distributions use the md5 hash algorithm . But nothing prevents you from replacing this algorithm with even more stable versions (for example, md6 ). True, in the framework of the lecture, we will not consider this issue. Let's go back to the second field of the / etc / shadow file. In the example you see a symbol there! (exclamation mark). This is not a password hash in this example. The password hash looks like this: $ 1 $ 4vN1osMk $ EWywQfrBWxCtK45.4ARgc . The first three characters are the same for a particular hashing algorithm and allow it (algorithm to identify). In the example, $ 1 $ is the identifier of the md5 algorithm. If you put a symbol in front of any password hash in the / etc / shadow file ! or * , such a password will be invalidated and the account will be blocked.

An example of when instead of password hash is worth ! characteristic of the Ubuntu distribution where the root user really cannot register with the system by default. Thus, if you want to block a user account, it is enough to set a character before the password hash ! , and to unlock the account you need to remove this symbol.

Fields 3-7 contain temporary password parameters. See more in
man shadow .

Field 8 is the date until which the account will be considered valid. Upon reaching the specified time, the recording will be blocked. If the field is empty, then the time is unlimited.

Field 9 is a reserved field.

Groups Information about groups is stored in the / etc / group file. The principle is the same: the line describes one group, there are several fields. Fields only 4th. Consider an example string: shara: x: 1002: igor, test .

1. shara is the mnemonic name of the group.

2. x - password for the group.

3. 1002 - digital code of the group.

4. igor, test - users who belong to the group. Listed through a comma.

The easiest file of the reviewed. More will not stop. All the above files can be edited with any text editor, but for most operations there are appropriate commands. In the next lecture, we will look at how to add a user to Linux , how to create a group for a user, add a user to a group, delete a user, and also how to change user credentials.