Advance User Management

This document discusses various topics related to advanced user management in Linux including password aging, locking and unlocking user accounts, managing Linux groups, switching users, and modifying file ownership. Specific commands like chage, passwd, usermod, groupadd and chown are demonstrated with examples.

Uploaded by

Akash Nawin
ADVANCED USER MANAGEMENT IN LINUX
By Gauri Yadav

LIST OF TOPICS

01 WHAT IS PASSWORD AGING?
02 TYPES OF COMMANDS TO SET AND CONFIRM PASSWORD?
03 HOW TO SET AND CONFIRM PASSWORD AGING WITH CHAGE?
04 HOW TO SET AND CONFIRM PASSWORD AGING WITH PASSWD?
05 HOW TO LOCK AND UNLOCK A USER ACCOUNT?
06 WHAT ARE LINUX GROUPS?
07 HOW TO MANAGE LINUX GROUPS
08 TYPES OF COMMANDS FOR GROUP MANAGEMENT?
09 HOW TO CREATE A GROUP AND ADD MEMBERS?
10 HOW TO MODIFY AND DELETE A GROUP ACCOUNT?
11 TOOLS TO MANAGE PRIVILEGES OF A USER?
12 HOW TO SUBSTITUTE (OR SWITCH) USERS?
13 HOW TO WORK AS SUPERUSER?
14 WHAT IS OWNING USER AND OWNING GROUP?
15 HOW TO MODIFY FILE OWNER AND OWNING GROUP OF A FILE?

What is Password Aging?

Password aging in Linux is a security and administrative feature
that forces users to change their passwords regularly.
This practice helps in minimizing potential breaches by
reducing the window of opportunity for password-related
attacks, such as brute force attacks or using stolen credentials.
It encourages a cycle of changing passwords periodically,
ensuring that even if a password is compromised, it will be valid
for only a limited time.

Types of Commands to Set and Confirm Password?

How to Set and Confirm Password Aging with chage?

Let's understand this with a real-time example.

Scenario:
We will configure password aging for user600 using the chage
command. We will set mindays to 10, maxdays to 29, and
warndays to 4, and verify the new settings. We will then rerun
the command and set account expiry to April 30, 2024.

Step 1 : Set password aging parameters for user600 to mindays (-m) 10, maxdays (-M) 29, and warndays (-W) 4:
chage -m 10 -M 29 -W 4 user600

Step 2 : Confirm the new settings:
chage -l user600

Step 3 : Set the account expiry to April 30, 2024:
chage -E 2024-04-30 user600

Step 4 : Verify:
chage -l user600

How to Set and Confirm Password Aging with passwd?

Let's understand this with a real-time example.

Scenario:
We will configure password aging for user700 using the passwd
command. We will set mindays to 10, maxdays to 90, and
warndays to 14, and verify the new settings.

Step 1 : Set password aging parameters for user700 to mindays (-n) 10, maxdays (-x) 90, and warndays (-w) 14:
passwd -n 10 -x 90 -w 14 user700

Step 2 : Confirm the new settings:
chage -l user700

How to Lock and Unlock a User Account?

Let's understand this with a real-time example.

Step 1 : Obtain the current password information for user700 from the shadow file:
grep user700 /etc/shadow

An unlocked user account never has its password field begin with an
exclamation mark (!).

Step 2 : Unlock the account with either of the following:
usermod -U user700
OR
passwd -u user700

Step 3 : Verify:
grep user700 /etc/shadow

Step 4 : Lock the account with either of the following:
usermod -L user700
OR
passwd -l user700

Step 5 : Verify:
grep user700 /etc/shadow
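
The aging values set with chage and passwd and the lock marker shown above all live in the colon-separated fields of /etc/shadow, so they can be audited in one pass. The script below is an added example, not part of the original slides; the sample entries, the 90-day limit and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit password aging and lock state from shadow-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are counted in days since 1970-01-01).

# Constructed sample entries, not taken from a real system.
# 19843 is 2024-04-30 expressed in days since the epoch.
SAMPLE_SHADOW='user600:$6$constructed$hashA:19800:10:29:4::19843:
user700:!$6$constructed$hashB:19800:10:90:14:::
user800:$6$constructed$hashC:19800:0:99999:7:::'

# audit_shadow MAXDAYS_LIMIT   (reads shadow-format lines on stdin)
# Prints one line per account: name, lock state, aging values, findings.
audit_shadow() {
    awk -F: -v limit="$1" '
    {
        # A password field that begins with "!" marks a locked account.
        state = (substr($2, 1, 1) == "!") ? "locked" : "unlocked"
        note = ""
        if ($5 == "" || $5 + 0 > limit + 0) note = note " maxdays>" limit
        if ($4 == "" || $4 + 0 == 0)        note = note " no-mindays"
        if (note == "") note = " ok"
        printf "%s %s min=%s max=%s warn=%s expire=%s:%s\n",
               $1, state, $4, $5, $6, ($8 == "" ? "never" : $8), note
    }'
}

# Run the audit over the constructed sample with a 90-day maximum.
# On a real host, as root:  audit_shadow 90 < /etc/shadow
audit_report() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 90
}

audit_report
```
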
What are Linux Groups?
Linux groups are collections of one or more users with
identical permission requirements on files and directories.
They allow group members to collaborate on files of common
interest.
Group information is stored in the /etc/group file and the
default policies in the /etc/login.defs configuration file.
Furthermore, the /etc/gshadow file stores group administrator
information and group-level passwords.
How to Manage Linux Groups?

This section covers the group management tools (groupadd,
groupmod, and groupdel) and looks at how to use them to create,
alter, and remove groups. Additional group administration
operations, such as adding and deleting group administrators, and
setting and revoking group-level passwords, are beyond the scope.
This set of management commands is used to add, modify,
and delete a group from the system.
The groupadd command adds entries to the group and
gshadow files for each group added to the system.
The groupadd command picks up the default values from the
login.defs file.
You can modify the attributes of a group with the groupmod
command. The syntax of this command is very similar to the
groupadd with most options identical.
The only flag that is additional with this command is -n, which
can change the name of an existing group.
The groupdel command is straightforward. It removes entries
for the specified group from both group and gshadow files.

Types of Group Commands?

How to Create a Group and Add Members?

Let's understand this with a real-time example.

Scenario:
You will create a group called linuxadm with GID 5000 and
another group called dba sharing the GID 5000. You will add
user1 as a secondary member to group linuxadm.

Step 1 : Create the group linuxadm with GID 5000:
groupadd -g 5000 linuxadm

Step 2 : Create a group called dba with the same GID as that of group linuxadm:
groupadd -o -g 5000 dba

Step 3 : Confirm the creation of both groups:
grep linuxadm /etc/group
OR
grep dba /etc/group

Step 4 : Add user1 as a secondary member of group dba using the usermod command. The existing membership for the user must remain intact:
usermod -aG dba user1

Step 5 : Verify the updated group membership information for user1 by extracting the relevant entry from the group file, and running the id and groups commands for user1:
grep dba /etc/group
id user1
groups user1
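
Because groupadd -o lets two group names share one GID, a file that is group-owned by GID 5000 is reachable by the members of both names. The script below is an added example, not part of the original slides, that lists every shared GID in group-format input; the sample entries and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find GIDs that more than one group name maps to.
# /etc/group format: name:password:GID:members

# Constructed sample mirroring the exercise above (not a real system file).
SAMPLE_GROUP='root:x:0:
user1:x:1000:
linuxadm:x:5000:
dba:x:5000:user1'

# shared_gids: read group-format lines on stdin and print, for each GID
# used by several names, "GID name1,name2 members=<combined member list>".
shared_gids() {
    awk -F: '
    {
        names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
        if ($4 != "")
            members[$3] = (members[$3] == "" ? $4 : members[$3] "," $4)
        count[$3]++
    }
    END {
        for (g in count)
            if (count[g] > 1)
                print g, names[g], "members=" (members[g] == "" ? "-" : members[g])
    }' | sort -n
}

# Run over the constructed sample.
# On a real host:  shared_gids < /etc/group
shared_report() {
    printf '%s\n' "$SAMPLE_GROUP" | shared_gids
}

shared_report
```
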

How to Modify and Delete a Group Account?

Let's understand this with a real-time example.

Scenario:
You will change the linuxadm group name to sysadm and the
GID to 6000. You will modify the primary group for user200 to
sysadm. Finally, you will remove the sysadm group and verify
the actions.

Step 1 : Alter the name of linuxadm to sysadm:
groupmod -n sysadm linuxadm

Step 2 : Change the GID of sysadm to 6000:
groupmod -g 6000 sysadm

Step 3 : Confirm the above actions:
grep sysadm /etc/group

Step 4 : Delete the sysadm group and confirm:
groupdel sysadm

Tools to Manage Privileges of a User?

How to Substitute (or Switch) Users?

Even though you can log in to the system directly as root, it is
not a recommended practice. Instead, log in with a normal
user account and then switch to the root account if necessary.
This is safer and ensures system security and protection.
In addition to becoming root, you can switch into another
user account. In either case, you'll need to know the password
for the target user in order to switch successfully.

Let's understand this with a real-time example.

Scenario:
RHEL offers two tools, whoami (who am i) and logname (login
name), that show a user's current identity (after su'ing into the
target user) and the identity of the user who originally logged in.
Let's see what they report after switching into user100:

Step 1 :
su - user100
whoami
logname

The whoami command returns the effective (current) username (user100), and
the logname command reports the user's real (original) username (root).

How to Work as Superuser?

RHEL provides normal users the ability to run a set of
privileged commands or to access non-owning files without
the knowledge of the root password. This allows the flexibility
of assigning a specific command or a set of commands to an
individual user or a group of users based on their needs.
These users can then precede one of those commands with a
utility called sudo (superuser do, a.k.a. substitute user do) at
the time of executing that command. The users are prompted
to enter their own password, and if correct, the command is
executed successfully for them.
The sudo utility is designed to provide protected access to
administrative functions as defined in the /etc/sudoers file or
files in the drop-in directory /etc/sudoers.d.
It can also be used to allow a user or a group of users to run
scripts and applications owned by a different

Let's understand this with a real-time example.

Scenario:
When user1 or a dba group member attempts to access a
privileged function, they will be required to enter their own
password. For instance:

Step 1 : sudo head /etc/sudoers

The following /etc/sudoers entries give user1 and members of the dba group full access; the NOPASSWD tag tells sudo not to prompt for a password:
user1 ALL=(ALL) NOPASSWD:ALL
%dba ALL=(ALL) NOPASSWD:ALL

Rather than allowing them full access to the system, you can restrict their access to the
functions that they need access to.
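
To find the rules that still grant full access before narrowing them, the sudoers text can be scanned for entries whose command list is ALL. The script below is an added example, not part of the original slides; the sample rules (including the %ops entry and its command), the function names and the simplified one-rule-per-line parsing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant ALL commands.
# Simplified parsing: one "who hosts=(runas) [TAG:] commands" rule per line;
# aliases, Defaults and include directives are skipped, not resolved.

# Constructed sample rules, not taken from a real system.
SAMPLE_SUDOERS='# constructed sample
root    ALL=(ALL)   ALL
user1   ALL=(ALL)   NOPASSWD:ALL
%dba    ALL=(ALL)   NOPASSWD: ALL
%ops    ALL=(root)  /usr/bin/systemctl restart httpd'

# broad_sudo_grants: read sudoers-format lines on stdin and print
# "who all-commands nopasswd|password" for each rule granting ALL commands.
broad_sudo_grants() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next } # settings and aliases
    {
        who = $1
        spec = $0
        sub(/^[^=]*=/, "", spec)                 # drop "who hosts="
        sub(/^[ \t]*\([^)]*\)/, "", spec)        # drop "(runas)"
        nopass = (spec ~ /NOPASSWD:/) ? "nopasswd" : "password"
        gsub(/[A-Z]+:/, "", spec)                # drop tags such as NOPASSWD:
        gsub(/[ \t]/, "", spec)
        if (spec == "ALL") print who, "all-commands", nopass
    }'
}

# Run over the constructed sample.
# On a real host, as root:  broad_sudo_grants < /etc/sudoers
sudo_report() {
    printf '%s\n' "$SAMPLE_SUDOERS" | broad_sudo_grants
}

sudo_report
```

The restricted %ops rule produces no output, which is the form the page recommends moving the user1 and %dba rules toward.
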

What is Owning User and Owning Group?

In Linux, every file and directory has an owner. By default, the
creator assumes the ownership, but this may be altered and
allocated to a different user if required. Similarly, every user is
a member of one or more groups. A group is a collection of
users with common permission requirements. By default, the
owner's group is assigned to a file or directory.

Step 1 : Let's create a file file1 as user1 in their home directory and exhibit the file's long listing:
touch file1 && ls -l file1

How to Modify File Owner and Owning Group of a File?

Let's understand this with a real-time example.

Scenario:
You will first create a file file10 and a directory dir10 as user1
under /tmp, and then change the ownership for file10 to user100
and the owning group to dba in two separate transactions. Then
you'll apply ownership on file10 to user200 and owning group to
user100 at the same time. Finally, you will change the two
attributes on the directory to user200:dba recursively. Make
sure to use sudo where necessary.

Step 1 : Change into the /tmp directory and create file10 and dir10:
cd /tmp && touch file10 && mkdir dir10

Step 2 : Check and validate that both attributes are set to user1:
ls -l file10 && ls -ld dir10

Step 3 : Set the ownership to user100 and confirm:
sudo chown user100 file10

Step 4 : Alter the owning group to dba and verify:
sudo chgrp dba file10

Step 5 : Change the ownership to user200 and owning group to user100 and confirm:
sudo chown user200:user100 file10

THANK YOU