When i used useradd command in linux, the user_id and group_id for the account is automatically chosen as 500. Now if i delete the account and create it again, then also the user_id and group_id is 500. From where is this default value chosen ?
I used this command :
$ useradd ping
password:
and then looked into the following file
$ cat /etc/group /etc/passwd
root::0:root
tty::5:
disk:x:100:
floppy:x:101:
uucp:x:102:
utmp:x:103:
lp:x:104:
kmem:x:105:
vcsa:x:106:
sshd:x:74:
ping:x:500:
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:106:106:vcsa privsep:/var/empty:/sbin/false
sshd:x:74:74:sshd privsep:/var/empty:/sbin/false
ping:x:500:500::/home/ping:/bin/bash
The defaults are dependent upon the linux distribution you're running.
My debian box has UID_MIN 1000 set in the /etc/login.defs file.
If your goal is to use a different UID, then you need to use the -u | --uid option for useradd.
Related
How can I check if the current user has all privileges to use useradd and groupadd for creation of users and groups?
I don't want to request root privileges (e.g. requireing to be root or calling sudo) for my bash script unnecessarily. Instead I just want to ensure that the privileges are there to just use those commands.
The commands:
$ ls -l $(which useradd) $(which groupadd)
-rwxr-xr-x 1 root root 93136 Mai 28 2020 /usr/sbin/groupadd
-rwxr-xr-x 1 root root 147160 Mai 28 2020 /usr/sbin/useradd
As useradd and groupadd commands need some extra priviledges to run, you can setup access to sudo for specific commands like useradd and groupadd like below :-
Please go through it once, it will make most of the things clear to you
Controlling Access To sudo
The /etc/sudoers file configures the programs that users can access using sudo, along with whether or not a password will be needed.
The system administrator adds users to this file using the /usr/sbin/visudo command. Each non-comment line in the file has two parts:
A username ("<USER_NAME>"), or a group name ("%<GROUP_NAME>").
A list of machine names where a program may be run, or the keyword ALL. Following an equal sign (=), a list of user identities the command may be run as, enclosed in round brackets (parenthesis); the wildcard ALL may also appear. Finally, a list of applications that may be run as the named users; the keyword ALL is a wildcard.
The following examples should help make this clear:
<USER_NAME> ALL=(ALL) ALL
# User <USER_NAME> can execute any command as any user, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) shutdown
# User <USER_NAME> can execute only command shutdown, but must know the password to the <USER_NAME> account.
<USER_NAME> ALL=(root) NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
<USER_NAME> ALL=() NOPASSWD: /usr/bin/id
# User <USER_NAME> can execute only the application /usr/bin/id; no password will be needed.
Once the system administrator has entered the necessary setup into the /etc/sudoers file, users can safely access privileged system resources and activities like this:
$ sudo useradd username
No awkward quoting on the command line, just prefix the command you want with the word sudo. If you want to run the command as a user other than root, just add the -u username switch:
$ sudo -u <USER_NAME> useradd username
There will be a log entry written to the /var/log/secure file to show who did the deed.
Of course, the sysadmin can configure sudo not to request a password. In this case, the command is immediately executed although the audit trail entry will still be written.
Reference :- Sudo Tutorial
Please reach in the comments section for any help
Will be glad to help !!!
Assuming that you need root or sudo to add new users (same for group), you can check if the user has sudo rights, by checking if he is in the corresponding groups.
getent group sudo // shows all users in groupd sudo
Dont know what system/distro you are on - but on arch for example sudoers are in group wheel...
On Linux debian-linux 5.10.0-6-amd64 #1 SMP Debian 5.10.28-1 (2021-04-09) x86_64 GNU/Linux,
you can try this way in your script.
groupadd 2>/dev/null ; if test $? -eq 2 ; then echo ok ; else echo bad ; fi
If you can access groupadd or useradd, the return value is 2 because there is missings arguments.
If you can't acess groupadd or useradd, the return value is 127.
I am using Bash on Lubuntu 16.04. LTS, but I'm not sure if this matters much for this question.
I noticed, that when I create a file as standard user, the file has 664 permissions. But when I am root and execute the same command for the same user via the -u argument, it has 644 permissions, so the write permissions for the group are missing.
I suppose this to be a flaw, since the sudo manpages clearly state:
-u user, --user=user
Run the command as a user other than the default target user (usually root). The user may be either a user name or a
numeric user ID (UID) prefixed with the ‘#’ character (e.g. #0 for UID 0). When running commands as a UID, many
shells require that the ‘#’ be escaped with a backslash (‘\’). Some security policies may restrict UIDs to those
listed in the password database. The sudoers policy allows UIDs that are not in the password database as long as the
targetpw option is not set. Other security policies may not support this.
Now that I know that the -u argument's behavior differs from the behavior that has to be expected, my question is:
How can I make sure, that a command that is started in a root shell gets executed exactly as it would be executed from another user's shell?
Remark: I know that I could fix this one problem by tinkering with the umask, but this won't guarantee me that the behavior doesn't differ in an arbitrary amount of other cases.
It looks like the umask depends on whether the shell is interactive:
$ umask
0002
$ sudo -u $USER bash -c umask
0022
$ sudo -u $USER bash -ic umask
0002
This appears to be from from /etc/bashrc, which applies umask 002 only if
it's not a login shell,
the UID is greater than or equal to 200, and
the username is equal to the group name,
or from /etc/profile, which applies umask 002 if the last two criteria are met. I'm not sure if something else is overriding this, because shopt login_shell prints the same whether the shell is interactive or not, and the UID is also the same.
You can get the user's default shell thusly:
$ getent passwd $USER | cut --delimiter=: --fields=7
/bin/bash
Combining them:
$ sudo -u $USER $(getent passwd $USER | cut --delimiter=: --fields=7) -ic umask
0002
A nice and clean solution that shows the expected behavior is this:
sudo su <username> -c '<any commands>'
One of our user is on leave for few days
and I want to stop him accessing the systems for these days ..
should I
Add * to his encrypted password
or delete the user from etc /password file
or Remove the user encrypted password
or rename username to root
or set his userID to -1
Which option should i go for out of the above
It's for an access to a Linux system (Ubuntu). Not sure where you found those listed options, but in general try to use the system's tools to manage the system.
Simply lock the account:
sudo passwd -l [user_name]
Alternatively you can put an expire date on the account:
sudo passwd -e YYYY-MM-DD [user_name]
To unlock a locked account:
sudo passwd -u [username]
I'm creating user with group in my busybox Linux machine
addgroup group1
adduser user1 -G group1
after creating 20 users I'm getting error like "adduser: unknown group group1",
cat /etc/group
group1:x:1002:user1,user2,user3,user4,user5,user6,user7,user8,user9,user10,user11,user12,user13,user14,user15,user16,user17,user18,user19,user20
So is there any limit of adding member list in /etc/group?
Which Linux distribution do you actually use ? adduser has a different syntax at least in Ubuntu/Debian by the way I've just made group with 200 user without problem
for i in `seq 1 100`; do echo adduser -G group1 "user$i"|| break ; done
So it seems to me problem is in another place.
R creates a group called staff and I want to be able to update packages without starting R as sudo. So I added myself to staff using:
sudo usermod -G adm,dialout,cdrom,plugdev,lpadmin,admin,sambashare,staff matt
(side question is there a way to add yourself to a group without listing every other group you're a member of?)
If i check /etc/groups i see
staff:x:50:matt
and the same for /etc/shadow
staff:*::matt
however if i run groups or id i'm not a member of staff. Also, I can't make changes to anything in /usr/local/lib/R.
Did you log the "matt" account out and back in after running the sudo usermod command? Changes to the groups a user is in under unix only take affect at login time.
https://superuser.com/questions/272061/reload-a-linux-users-group-assignments-without-logging-out
check that out ~
both
newgrp groupname
OR
su - username
will do the trick well ~
In answer to your side question, yes you can add a user to a group without listing them all. If you run a Debian based system, you can do it with
sudo adduser matt staff
The adduser utility is just a friendly wrapper around useradd/usermod etc.
If you don't have the adduser utility, you can still do it with usermod:
sudo usermod -a -G staff matt
The -a flag means append (as opposed to overwrite).
I know the original question is for Linux but OSX users can do the same with this command:
sudo dseditgroup -o edit -a newusertoadd -t user grouptobeaddedto
Explanation: The operation succeeded - that's why your name appears in the right linux files on /etc/passwd & /etc/group but as soon as you open a new terminal process the bash will be updated with this setting and you can perform id matt as well.
Clarification: You added yourself to additional group so you should have used append option -a (and not editing the all bunch of groups names to your user).
sudo usermod -aG staff matt