Manage Local Users and Groups

# Manage Local Users and Groups
 ## Dennis Kibbe
 ### Mesa Community College
 Note: This slide presentation was created using [Reveal.js](https://revealjs.com/). You can access a transcript of this presentation by pressing S for speaker notes. You can access navigation help by pressing the question mark key. Audio for this presentation is artificially generated.
 ---
 
 # Module Outline
 1. Introduction
 1. Describe User and Group Concepts
 1. Gain Superuser Access
 1. Manage Local User Accounts
 1. Manage Local Group Accounts
 1. Manage User Passwords
 1. Key Takeaways
 1. Resources
 1. Graded Lab
 Note: 
 ---
 
 # Learning Objectives
 *After completing the work in this module you will be able to:*
 1. Describe the purpose of users and groups on a Linux system.
 1. Use `su` and `sudo` to gain root privileges.
 1. Create, modify, and delete local user accounts.
 1. Create, modify, and delete local group accounts.
 1. Set a password management policy for users
 1. Manually lock and unlock user accounts.
 Note:
 ---
 
 # Describe User and Group Concepts
	 ![People holding hands around the globe](../images/users_around_globe.png)
 Note: Every file on a Linux system has an owner and belongs to a group. Every user on the system with the exception of the superuser has a limited set of permissions. The proper configuration of these permissions helps to secure the Linux operating system.
 ---
 
 # What is a user?
 ![clipart of girl using a computer](../images/girl_at_computer.png)
 Note: A user account provides security boundaries between different people and programs that can run commands. User accounts are fundamental to system security. Every process on the system runs as a particular user. Every file has a particular user as its owner and belongs to a group.
 ---
 
 # Three Classes of User Accounts
 - Root (UID 0)
 - System accounts (UID 1-999)
 - Regular user accounts (UID 1000 and up)
 Note: A user belongs to one of these categories.
 ---
 
 # Four Configuration Files
 - `/etc/passwd`
 - `/etc/group`
 - `/etc/shadow`
 - `/etc/login.defs`
 Note: There are four files in the `etc` directory used to configure accounts on a Linux system.
 ---
 
 # The `/etc/passwd` File
 ```
 [student@workstation ~]$ grep student /etc/passwd
 student:x:1000:1000:Jay Student:/home/student:/bin/bash
 ```
 Note: The `/etc/passwd` file contains details about each account on the system. Each line is a separate account and each account contains seven fields. Here the `grep` command is used to filter on the term `student` to show only the information for that account.
 >>>
 
 # Account ID
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: Each account entry in the `/etc/passwd` file is separated into fields separated by a colon. The first field is the name of the account.
 >>>
 
 # Deprecated Password Field
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: At one time this field held a user's encrypted password. Passwords are now kept in the `/etc/shadow` file which has restricted access.
 >>>
 
 # UID
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: This is the user ID field. The UID for unprivileged users starts at 1000.
 >>>
 
 # GID
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: This is the primary group a user belongs to. Most Linux distributions create a unique group for each unprivileged user.
 >>>
 
 # Comment (GECOS)
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: This field contains information such as the full name of the user, phone number, etc.
 >>>
 
 # User's Home Directory
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</pre>
 Note: This is the directory where a user's personal files can be found.
 >>>
 
 # User's Default Shell
 <pre>student:x:1000:1000:Jay Student:/home/student:/bin/bash</strong</pre>
 Note: This is the default shell for the user. System accounts will have a `nologin` or `false` shell.
 ---
 
 # Primary and Secondary Groups
 ```
 student@workstation:~$ id
 uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
 ```
 Note: The `id` command shows the groups a user belongs to. Here user, `student` belongs to the primary group `student` and to the supplementary group `wheel`.
 ---
 
 # The `/etc/group` File
 ```
 student:x:1000:student
 ```
 Note: 
 >>> 
 
 # Account ID
 <pre>student:x:1000:student</pre>
 Note: Like the `/etc/passwd` file each account entry in the `/etc/group` file is separated into fields separated by a colon. The first field is the name of the account.
 >>>
 
 # Group Password
 <pre>student:x:1000:student</pre>
 Note: An optional group password can be assigned.
 >>>
 
 # GID
 <pre>student:x:1000:student</pre>
 Note: This is the Group ID field.
 >>>
 
 # Group Members
 <pre>student:x:1000:student</pre>
 Note: This fields includes the members of the group. Here is the primary group of user, student.
 --- 
 
 # Graded Quiz
 ## Describe User and Group Concepts
 ![clipart](../images/clipboard-check.png)
 Note:
 ---
 
 # Gain Root Access
 ![Man sitting in front of multiple computer monitors.](../images/superuser.png)
 Note: When .mp3ed in as root, the entire desktop environment unnecessarily runs with administrative privileges. A security vulnerability that might normally compromise only a normal user account could potentially compromise the entire system. An ordinary, unprivileged user has limited permissions on the system and as such can not accidentally edit or delete system files.
 ---
 
 # The `su` Command
 ```
 [student@workstation ~]$ su -l megan
 Password:
 megan@workstation ~]$ pwd
 /home/megan
 ```
 Note: Here student uses the `su` command to become user, megan. Student must first know Megan's password. The l option assures that the shell environment changes to that of Megan's. If no user name is given then the `root` account is assumed and the root password must be given.
 ---
 
 # The `sudoers` File
 ```
 [student@workstation ~]$ sudo grep wheel /etc/sudoers
 ## Allows people in group wheel to run all commands
 %wheel ALL=(ALL) ALL
 # %wheel ALL=(ALL) ALL=(ALL) NOPASSWD: ALL
 ```
 Note: Users in the `sudoers` file have elevated privileges and can run some or all commands as root. On a Red Hat system users in the `wheel` group have full superuser privileges. Lines starting with a hash tag are commented out.
 ---
 
 # The `sudo` Command
 ```
 [megan@workstation ~]$ sudo cd /etc/ssh/
 [sudo] password for megan:
 megan is not in the sudoers file. This incident will be reported
 [megan@workstation ~]$
 ```
 Note: Users in the `sudoers` file can use `sudo` to run commands with elevated privileges. Here Megan's attempt to use `sudo` fails because she is not in the `sudoers` file. 
 ---
 
 # The Incident
 ![Cartoon showing a Sudo violation being reported to Santa Claus.](https://imgs.xkcd.com/comics/incident.png)
 Note: Sudo violations are .mp3ed.
 ---
 
 # The Advantages of Sudo
 - The root password isn’t shared.
 - The root account can be locked.
 - Fine-grained permissions can be assigned.
 - Permissions are easy to revoke.
 - An audit trail is created.
 Note:
 ---
	 
	 # Guided Exercise
	 ## Gain Superuser Access
 ![clipboard](../images/clipboard-check.png)
	 Note: In this exercise, you practice switching to the root account and running commands as root. 
	 ---
	 
	 # Manage Local User Accounts
 Note:
 ---
 
 # Add User Accounts
 ```
 [root@workstation ~]# useradd megan 
 [root@workstation ~]# passwd megan
 ```
 Note: Adding a user in Red Hat Enterprise Linux takes two steps. First the account must be created then a password assigned to the account. Until a password is assigned the account is locked.
 ---
 
 # Modify User Accounts
 ```
 [root@workstation ~]# usermod -G wheel megan 
 ```
 Note: In this example, user, megan is added to the wheel group which gives her sudo privileges.
 ---
 
 # Delete User Accounts
 ```
 [root@workstation ~]# userdel -r megan
 ```
 Note: The `userdel` command removes a user from the system. The optional -r removes that user's home directory and mail spool.
 ---
 
 # Getting Go
 ![Cartoon of a couple breaking up](https://imgs.xkcd.com/comics/letting_go.png)
 Note: This XKCD cartoon shows the user megan account being removed from the system.
 ---
 
 # Guided Exercise
 ## Manage Local User Accounts
 Note: In this exercise, you create several users on your system and set passwords for those users.
 ---
 
 # Manage Local Group Accounts
 Note:
 ---
 
 # Add Group Accounts
 ```
 [root@workstation ~]# groupadd consultants
 ```
 Note: The groupadd command adds a new group to the system.
 ---
 
 # Modify Group Accounts
 ```
 [root@workstation ~]# groupmod -n consoltants consultants
 ```
 Note: Here the `groupmod` command is used to correct a misspelling.
 ---
 
 # Delete Group Accounts
 ```
 [root@workstation ~]# groupdel consultants
 ```
 Note: Before deleting a group use the `find` command to locate all files owned by the group. You can not remove the primary group of a user.
 ---
 
 # Guided Exercise
 ## Manage Local Group Accounts
 Note: In this exercise, you create groups, use them as supplementary groups for some users without changing those users' primary groups, and configure one of the groups with sudo access to run commands as root.
 ---
 
 # Manage User Passwords
 Note:
 ---
 
 # The `/etc/shadow` File
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Access to the `/etc/shadow` is restricted. The file contains encrypted passwords and expiry information. Similar to the `passwd` file each row represents a single account and fields are separated by a colon.
 >>>
 
 # Account ID
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Like the `passwd` file the first field is the name of the account
 >>>
 
 # Encrypted Password
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: The next field contains the encrypted password which has be truncated here to get the entire line on the screen.
 >>>
 
 # Date Last Changed
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: This field shows the number of days since January 1, 1970 that the password was last changed.
 >>>
 
 # Days Until Next Password Change
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Minimum number of days before password can be changed.
 >>>
 
 # Days Before Password Must Be Changed
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Maximum number of days before password must be changed. Five 9s means that the password doesn't need to be changed.
 >>>
 
 # Days Warning Before Password Must Be Changed
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Days warning before password must be changed.
 >>>
 
 # Date Account Expires
 
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: Date the account expires if password is not changed. There is no entry in this example.
 >>>
  
 # Reserved
 <pre>student:$6$CcEalNBfkHMG283...c8FA8DA1:19420:0:99999:7:::</pre>
 Note: The last field is not used currently.
 ---
 
 # Display Password Information
 ![screenshot of the output of the chage command](../images/chage.png)
 Note: The `chage` command displays password information for the listed user. The root user can list password information for any user.
 ---
 
 # Set Password Policy
 ![screenshot of the /etc/login.defs file](../images/login_defs.png)
 Note: The `/etc/login.defs` is used to set a password expiration policy.
 ---
 
 # Guided Exercise
 ## Manage User Passwords
 Note: In this exercise, you set password policies for several users.
 ---
 
 # Key Takeaways
 1. The user account types in Linux are: the superuser, system users, and regular users.
 1. A user has a single primary group and might be a member of one or more secondary groups.
 1. The `/etc/passwd`, `/etc/group`, and `/etc/shadow` are critical files which contain user and group information.
 1. You can run commands as the superuser with the `su` and `sudo` commands.
 1. The `useradd`, `usermod`, and `userdel` commands are used to manage users.
 1. The `groupadd`, `groupmod`, and `groupdel` commands are used to manage groups.
 1. The `passwd` command is used to manage passwords for accounts.
 1. The `chage` command displays and configures password expiration settings for accounts.
 Note:
 ---
 
 # Resources
 - [su(1)](https://www.man7.org/linux/man-pages/man1/su.1.html)
 - [sudo(8)](https://www.man7.org/linux/man-pages/man8/sudo.8.html)
 - [useradd(8)](https://www.man7.org/linux/man-pages/man8/useradd.8.html)
 - [usermod(8)](https://www.man7.org/linux/man-pages/man8/usermod.8.html)
 - [userdel(8)](https://www.man7.org/linux/man-pages/man8/userdel.8.html)
 - [groupadd(8)](https://www.man7.org/linux/man-pages/man8/groupadd.8.html)
 - [groupmod(8)](https://www.man7.org/linux/man-pages/man8/groupmod.8.html)
 - [groupdel(8)](https://www.man7.org/linux/man-pages/man8/groupdel.8.html)
 - [chage(1)](https://www.man7.org/linux/man-pages/man1/chage.1.html)
 - [passwd(5)](https://www.man7.org/linux/man-pages/man5/passwd.5.html)
 - [group(5)](https://www.man7.org/linux/man-pages/man5/group.5.html)
 - [shadow(5)](https://www.man7.org/linux/man-pages/man5/shadow.5.html)
 - [login.defs(5)](https://www.man7.org/linux/man-pages/man5/login.defs.5.html)
 - [Epoch (computing)](https://en.wikipedia.org/wiki/Epoch_(computing))
 Note:
 ---
 
 # Graded Lab
 ## Manage Local Users and Groups
 ![Screenshot of a sample grading script](../images/lab_techs.png)
 Note: In this lab, you set a default local password policy, create a supplementary group for three users, allow that group to use `sudo` to run commands as root, and modify the password policy for one user. When you complete the lab submit a screenshot of the output of the `lab grade users-review` command. The screenshot shown here is for reference only.
 ---
 
 
 ![Mesa Community College logo](../images/mcc_logo.png "Mesa Community College")