Managing linux user and group accounts
The system administrator has many responsibilities including configuring user and group accounts, scheduling tasks using the system log daemon and solving problems. In this quick memorandum we will see the basic linux commands to manage user accounts and groups. We will use the low level utilities useradd and groupadd.
Add a group
Let’s say we are sharing our computer with a few friends, add a new group called mates
userk@dopamine ~$ sudo groupadd -g 1024 mates
This command adds a new entry to /etc/group. Unless you use the -g option to assign a group ID, the system will pick up the next available number > 1000.
If you mistyped the name of the group you can rename it with groupmod the option -n
userk@dopamine ~$ sudo groupmod -n newName oldName
To delete use groupdel nameGroup.
Add a user
Now, let’s add a new user account to the system with the useradd utility. The following command adds new entries to /etc/passwd and /etc/shadow files, creates the user’s home directory, adds gabry to the mates group and assigns the next highest unused Id to the new account. Then set the new password.
userk@dopamine ~$ sudo useradd -G mates -d /home/gabry/ -m gabry userk@dopamine ~$ sudo passwd gabry
You will be asked for a new password and few general details. Now login with the newly created account and try to update.
userk@dopamine ~$ su gabry Password:
Ok you are now logged in.
gabry@dopamine ~$ sudo apt-get update We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.
I love this message! Before executing commands with sudo you need to add Gabry in the sudoers file. So exit the session and run the following command.
gabry@dopamine ~$ exit userk@dopamine ~$ sudo usermod -a -G sudo gabry userk@dopamine ~$ su gabry Password: gabry@dopamine ~$ sudo apt-get update
Fast way to encrypt a string for linux like OS
Let’s say we want to encrypt a string like ‘Esprit Open Source’. We can use the gpg command, which is an encryption and signing tool for Linux/UNIX like operating system. Let’s encrypt the message using AES256 insead of the default option. (check this useful question )
userk@dopamine ~$ echo 'Esprit Open Source' | gpg -c --cipher-algo AES256 --no-use-agent | base64 Enter passphrase: userk jA0ECQMCpRRMo9+LOHNg0kgBajtQ//qqjeljfEbiqwVbTmbZt3iJ2Npeyj57anazz8tlRovlIbON dcqbXviIyS/1iDGxxsBikxocmmw8SsOXZyeLxgZoXQ8=
Ok the encrypted string is ‘jA0ECQMCpRRMo9+LOHNg0kgBajtQ//qqjeljfEbiqwVbTmbZt3iJ2Npeyj57anazz8tlRovlIbON
Now let us try to decrypt it using the passphrase ‘userk’.
userk@dopamine ~$ echo -n 'jA0ECQMCpRRMo9+LOHNg0kgBajtQ//qqjeljfEbiqwVbTmbZt3iJ2Npeyj57anazz8tlRovlIbONdcqbXviIyS/1iDGxxsBikxocmmw8SsOXZyeLxgZoXQ8=' | base64 --decode | gpg -d --cipher-algo AES256 --no-use-agent gpg: AES256 encrypted data gpg: encrypted with 1 passphrase Esprit Open Source
Change the hostname
If you want to change the name of your computer or device you have to change the name saved in the following file
userk@dopamine ~$ cat /etc/hostname dopamine
Change it to whatever you want and reboot. If you get an error like ‘sudo: unable to resolve host’ try to reboot in recovery mode and change the hostname associated with localhost as described in this question.
Custom ssh banner
In order to modify the banner showed during the authentication process using ssh, we need to modify the configuration file as follows:
userk@dopamine ~$ sudo vim /etc/ssh/sshd_config
Remove the ‘#’ before Banner /etc/issue.net
userk@dopamine ~$ sudo vim /etc/issue.net
and insert the welcome message you want to show. If you now try to login with ssh you will see your message and the password request but at the end there will be a message like the following
The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
We don’t want these lines to be shown in the welcome message. So, as reported by Olivier Lalonde in this answer, all we need to do is:
userk@dopamine ~$ touch ~/.hushlogin
Network Setting basics
If you want to set a static ip in order to obtain the same address, first check yout actual ip address netmask and gateway:
userk@dopamine ~$ ifconfig [...] wlp3s0 Link encap:Ethernet HWaddr a4:db:30:a2:19:58 inet addr:192.168.0.10 Bcast:192.168.0.255 Mask:255.255.255.0 inet6 addr: fe80::51d4:151b:1970:12d6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
So in my case, the ip address is 192.168.0.10 and the netmask 255.255.255.0. Check your gateway ip with:
userk@dopamine ~$ ip route show default via 192.168.43.1 dev wlp3s0 proto static metric 600
Ok we have all the ingredients. Now let’s say we want to set the static ip to 192.168.0.8, modify the /etc/network/interfaces file.
userk@dopamine ~$ sudo vim /etc/network/interfaces # interfaces(5) file used by ifup(8) and ifdown(8) auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.1.8 gateway 192.168.1.1 netmask 255.255.255.0 #allow-hotplug wlan0 #iface wlan0 inet manual #wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Then restart network-manager
userk@dopamine ~$ sudo service network-manager restart
If you get a the following error:
RTNETLINK answers: File exists
Failed to bring up eth0
You might have to flush the eth0 device before ifup and ifdown.
userk@dopamine ~$ sudo ip addr flush dev eth0
Ping : Operation not permitted
If you are getting an error like the following while executing ping
Check to ensure that the ping binary is setuid root:
userk@dopamine ~$ ls -l `which ping` -rwxr-xr-x 1 root root 38844 Feb 12 2014 /bin/ping
The next command will do the trick:
userk@dopamine ~$ sudo chmod u+s `which ping`
Then you will be allowed to ping as anyone. Hope this helps