11. The /etc/login.defs File
Now there may be some defaults that you want to use for every single user, like the location of their mail, the length of their password, the password expiration, and the range of user and group IDs. Maybe you already know where the home directory should be going, and so you don’t want to type that in with each of those particular user accounts.
And so there is a file that you can use. It’s under the /etc directory and is called login.defs, the login definitions file, and there you can put these default definitions so that every user that logs in will already have these settings set up for them. So you don’t have to go through the hassle of putting it all together again. Another nice thing about the /etc directory, as we said, with the computer configuration files, is that it makes life as an administrator a whole lot easier, especially in dealing with user accounts.
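As an added example (not part of the course material), this shell sketch reads the password-ageing and UID settings from a login.defs-style file and reports weak defaults. The sample file is constructed, and the thresholds of 365 days and 8 characters are assumptions chosen for illustration.

```shell
# Added example: audit password-ageing defaults in a login.defs-style file.
# Thresholds (365 days, 8 characters) are illustrative assumptions.

# Constructed sample; values are not copied from any real system.
sample_login_defs() {
cat <<'EOF'
# Password aging controls (constructed sample)
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500
UID_MAX         60000
#PASS_MAX_DAYS  30
EOF
}

# get_def KEY: read login.defs text on stdin, print the last active value of KEY.
# Commented-out lines never match because their first field starts with '#'.
get_def() {
    awk -v key="$1" '$1 == key { val = $2 } END { print val }'
}

# audit_login_defs FILE: print one finding per line.
audit_login_defs() {
    file=$1
    max=$(get_def PASS_MAX_DAYS < "$file")
    len=$(get_def PASS_MIN_LEN < "$file")
    warn=$(get_def PASS_WARN_AGE < "$file")
    uidmin=$(get_def UID_MIN < "$file")
    if [ -z "$max" ] || [ "$max" -gt 365 ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: passwords effectively never expire"
    fi
    if [ -n "$len" ] && [ "$len" -lt 8 ]; then
        echo "PASS_MIN_LEN=$len: minimum length below 8"
    fi
    if [ -n "$max" ] && [ -n "$warn" ] && [ "$warn" -ge "$max" ]; then
        echo "PASS_WARN_AGE=$warn: warning period not shorter than maximum age"
    fi
    echo "UID_MIN=${uidmin:-unset}: first UID handed to regular users"
}

tmp=$(mktemp)
sample_login_defs > "$tmp"
audit_login_defs "$tmp"
rm -f "$tmp"
```

On a real host the function can be pointed at /etc/login.defs; these values only apply to accounts created after the file is changed.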
12. The /etc/default/useradd File
Now, there’s also a default useradd file that you’ll find under the same /etc directory. The path is /etc/default/useradd, and this file holds a default primary group, default home directory location, default grace period, default expiration date, a default shell, and the skeleton directory location. This stuff is again preconfigured and predefined for every user account.
So as you add a user with a command like useradd, that information, unless you override it, is automatically provided, making administration and the adding of users very easy. It’s almost like what we call “cloning a user” in Windows, meaning I like how this user is set up, so let’s clone them and use those settings. Or we might even call it a template type of user account, whatever term you want to use. It makes the creation of users much simpler, and it guarantees a consistency that can be very important in managing your users later on.
13. The /etc/skel Directory
And then also in the /etc directory is this directory called skel, short for skeleton. These are the files that we use for the user’s home directory, the skeleton location. The skeleton directory is usually a series of startup files and directories that are going to be copied to the user’s home directory. Those might include things like information about the shell, the type of shell, and your profile information. Files like .bash_logout, .bashrc, or the profile file have names preceded with a dot, which means that the file is hidden so that it’s not seen. When users run ls, they have to go out of their way, as with any hidden file, in order to view it. So this gives me the location of the skeleton directory for these users. And again, that’s kind of the start-up material. This stuff is common to every user, so it is put in their home directory and they have it when they log in.
14. The adduser Command
Now, as I said, the adduser command can also do the same thing as the useradd command, but it might just be a shortcut link to the actual useradd command. Or, as in some operating systems, it could be a Perl script that asks you questions, which you answer as you go through the command. The nice thing about having a script is that it becomes wizard-like, and it helps add consistency and make sure you don’t miss any of the settings that might be important as you’re adding these users. So it can be very useful to have adduser as an option when creating user accounts, especially through the command line.
15. The /etc/adduser.conf File
Now, if you already have some of the default settings that you need for adduser, under the /etc directory you’ll have a pre-created set of answers or defaults in a file called adduser.conf. Often considered a config file, it can contain information like the default shell, home directory location, and an acceptable range of user and group IDs. It can also hold, if you get into disk quotas and disk usage, the defaults for those, the defaults for the home directory, and possibly extra groups that the user might be a member of other than the main user group, but we’ll talk about that when we get into permissions. So anyway, you can again build those defaults so that as you’re going through adduser, these defaults show up and you can say, “Yeah, that’s what I want, hit enter,” or override them with some other setting.
16. Demo – Creating User Accounts at the Command Line
Okay, now we’re actually going to create some user accounts, and I’m back in my terminal. I’ve ensured that I’m back as my live user account rather than root. And we’re going to take a look at some of these files that hold the definitions or configurations that we use for our user accounts. So here is login.defs, and I’m going to pipe it to the more command so we can see it one screen at a time. And this tells me all of the different locations. Remember, these little pound signs are the REMs, or remarks.
And this first directory entry is telling me where I would go to look for the mailboxes. The password ageing controls come next. And you can see that this is set up to never expire. You may change your password at any time. It has to be five characters long, and there is a warning setting for how long before it expires we tell you about it. I think you’ll expire before this one does. So anyway, these are just some of the ageing controls that we see. I’ll hit the space bar again for the user IDs.
Now you probably noticed, though I don’t think I pointed it out, that in the passwd file the first created user, which was Live User, started out at 500. We just put in the range, and supposedly we’ll let this Linux operating system just magically pick a number within that range. Same with group IDs, and on it goes. It’s our way of being able to set up information about where or what should happen with the user accounts, especially as we make them and as they log in. So that was one of the first configuration files, and remember, you can edit these files as long as you have permissions. I just used the cat command so you could see the contents. And now let’s take a look at what the defaults are for the useradd configuration.
And I’m going to run that one through more, and it says I can’t look at this one. So now we say, “Okay, if I can’t get to a specific file, then it’s probably because I’m not using the root account.” So I’m going to su to get over to the root account, and let’s see if I can do that same command again. Oh, that was the shadow command. Let’s get out of that one. Let’s try again: pipe /etc/default/useradd to more. And there we go. Now I have the ability to examine things: in this case, the group information, the default group if I add a user, the home location, and that the account will not become inactive. So all of these things, including the location of the shell, are the default configurations when we add these users. All right, now that I am root, I don’t need to su or do a sudo, however you’d like to pronounce it, to run these commands, because I’m going to stay this way, and we’re going to use the useradd command. We’re going to create Jane Doe. So I’m going to click on that, and, you know, before I do it, real quick, hold on a second.
Let’s look at /etc/passwd. Just to be clear, I did not pipe it into the more command, but there at the end is Live User. That was the last one we created. So let me clear this screen. Let’s do the useradd for Jane Doe. And now we’ll take that same look at the passwd file, and at the very end of the list you can see there’s Jane Doe. There are her user and group IDs, 501. So it doesn’t look very random there at all. It created the home directory in the path of /home, just as we expect, and it used the information about where the shells are. Okay, so let’s do a little bit more. Let’s actually look at that shadow file and see if we can get it to show up. Here we go. Let’s take a look at the shadow file, and you can see that Jane Doe and Live User have the same password information. It’s because we don’t have any password information. So let’s run the passwd command for Jane Doe. It wants us to type the password in, so I’m going to type it in there. Hopefully I’ll do it the same way both times.
And it says it was updated successfully. So let’s take a look at the shadow file. And now, when we look at it, look what we see here. We actually see a password for that particular user, whereas before it was all empty and didn’t have anything. Okay, so now we have a password. It is hashed. If you wanted to crack it, it actually wouldn’t be very difficult to go to a rainbow table online and, not make changes, but copy the hash and crack it. But that was the idea: to be able to make these changes knowing that, as root, I should be the only one who sees the password, and everything looks good. All right, we’re going to try another command. That was useradd; now we’re going to try adduser, and we’ll create John Doe, the husband of Jane Doe, I suppose. Okay, so I’ve typed adduser for John Doe. What I’m hoping for here is that, in a split second, it will ask me some questions that need to be answered.
Because adduser is either, as we said before, a soft link to the useradd command, or it can actually run a Perl script. In this case, adduser just took “John Doe.” So we’re going to see whether this is just a soft link, or symbolic link, to the actual useradd program by checking the passwd file. And there’s John Doe. Okay, so in this case, we discovered that we had a soft link, so using either adduser or useradd does the same thing. Remember that it’s something that changes with each different distribution. And if you use the adduser command and get no questions, you can be pretty sure you actually ran useradd. I know it’s a technical detail of how they put things together. Some distributions, though, might open up a little wizard to help you answer the questions. But that’s our easy way of creating these user accounts. Now remember, these are local. That means these user accounts only work on this particular installation of Linux. If you have other Linux machines and servers out there, this account doesn’t work for them. If you made any remote connections, you would still need to authenticate to those machines.
17. GUI Admin Tools
And finally, for those of you who just don’t like the command line, there are often tools that we would call GUI (graphical user interface) admin tools that will take you through adding a new user account. The good thing about the tool, the graphical tool, is that you won’t miss anything. And the graphical tool can even help you when you do things wrong and prompt you for options.
In all fairness, it’s a great tool for being able to add a user, do it consistently, do it correctly, and not miss anything, including adding groups and everything else. That’s very important. Now when it comes to adding, say, a few thousand accounts from another system, this tool is going to become your project for half a year. That’s where I’d point you at the command line, the script, and the file list, and then, bang, move those things over. There are faster ways than GUIs, but to not make it sound bad, for the one or two different things that you might do with a user account every so often, a GUI tool is a great way to get it done, get it done consistently, and get it done correctly.
18. Demo – Creating User Accounts via the GUI
Okay, we’re going to create a new user, but we’re going to use, look at this, a GUI. So, under System and Administration, Users and Groups, we’ll open up a list of users. You’ll notice right away that all of these users have been created by us. Basically, the user IDs range from 500 on up through whatever our maximum was. The same is true with the groups, and our groups happen to have the same names as us. Now, having said that, the passwd file shows you many other types of system accounts that we’re not seeing here. These are strictly user accounts. I’m going to click on “Add User,” and we’re going to create a new user called Kevin. Put his full name in the box, and we’ll create a password. Now, let’s leave the password off.
Let’s just leave it as is, click OK, and notice that this is saying no, you’ve got to have a password for the users because we demanded that in our configuration file. Now, oddly enough, when I did the useradd at my command line, I didn’t have to do that until I actually executed the passwd command. Then I was forced to do all that stuff the right way. And just like that, we now have new users in there. So, once again, that’s a nice, simple way to create users. You might have noticed that when I created the users, I could have specified an ID and a group if I wanted to, but I had to hit cancel. So there are a lot of things that you could do to create user accounts, as far as some options go. And once you have them created, don’t forget that you probably want to look at their properties and go and put anything else that’s important in that particular account. All right? That was creating user accounts with our graphical user interface.
19. Modifying Users
All right. Now, when it comes time to make changes to the user accounts, you could go right into that passwd file and change them literally, line by line, if you wanted to. The best recommendation is to actually use the command, the usermod command, to make the changes. So again, consistency, and not worrying about doing something wrong, such as having an extra comma or a new delimiter, and causing other problems with your operating system.
So usermod can set a new home directory, change your primary group, set a new login, or set new shell information. So that’s an easier and recommended way to change the user accounts. But I don’t want to discount the fact that you have access to the passwd file if you’re root. You also have access to the shadow file, and you can make those changes there. In fact, remember that with a shadow file, if you change the user’s login name, you’ve got to make sure you match it up exactly the same in the shadow file. That is why, once again, using usermod may be a safer and more preferred method of making changes.
20. The chfn Command
Now there’s also a command that allows you to change the full name of a user. We call that chfn. It almost looks like it says the Chin command or the Cahwa command, whatever. It’s a change full name command, so that allows you, again, to change and add a new full name or other parts of that GECOS-type information that we talked about: room number, work phone, home phone. It’s just an easy way of looking at it. Now there are other things you can do as well. When you make a change or modification, you might consider locking out an account rather than deleting an account. Let’s talk about why that is. If you have a user who quits or is fired and you say, “Okay, well, they’re gone; I’m never going to see them again,” you delete the account. Well, once an account is deleted, it’s gone. It’s not available for you.
They may have had access to files that you require that user account to handle, or there may be other reasons why it is important: mailboxes and the rest of it. But the issue is that I don’t want that former employee to come in and cause me problems. So we can use the usermod command with a capital L to lock the account, or if we have to, we could go and use the passwd command with a capital L and again lock the account. So that’s often the best practise for changes to your hierarchy or to your actual employees: instead of deleting them, just lock them out so that those accounts are still legally available for you to use to access their files, or whatever else you require.
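The shadow-file states seen in the demo and the effect of locking can be checked with a small classifier; this is an added example, not part of the course material. It assumes the common shadow-utils conventions (usermod -L prefixes the stored hash with '!', and the lock option of passwd is spelled with a lowercase -l); the usernames, salts and hash bodies are constructed placeholders.

```shell
# Added example: classify /etc/shadow-style entries by password-field state.
# Sample lines are constructed; the hash bodies are placeholders, not real hashes.
sample_shadow() {
cat <<'EOF'
liveuser::15000:0:99999:7:::
janedoe:$6$CONSTRUCTEDSALT$PLACEHOLDERHASH:15000:0:99999:7:::
johndoe:!!:15000:0:99999:7:::
kevin:!$6$CONSTRUCTEDSALT$PLACEHOLDERHASH:15000:0:99999:7:::
olduser:$1$CONSTRUCTEDSALT$PLACEHOLDERHASH:15000:0:99999:7:::
EOF
}

# scheme HASH: name the crypt(3) scheme from the $id$ prefix.
scheme() {
    case $1 in
        '$1$'*) echo md5crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$6$'*) echo sha512crypt ;;
        '$y$'*) echo yescrypt ;;
        '$2'*)  echo bcrypt ;;
        *)      echo des-or-unknown ;;
    esac
}

# classify_field FIELD: empty, unset, locked:<scheme> or active:<scheme>.
# A lock keeps the hash and only prefixes it with one or more '!'.
classify_field() {
    h=$1
    while [ "${h#\!}" != "$h" ]; do h=${h#\!}; done
    case $1 in
        '')           echo empty ;;
        '!'|'!!'|'*') echo unset ;;
        '!'*)         echo "locked:$(scheme "$h")" ;;
        *)            echo "active:$(scheme "$h")" ;;
    esac
}

# shadow_report: read shadow lines on stdin, print "user state" per entry.
shadow_report() {
    while IFS=: read -r user field _rest; do
        if [ -n "$user" ]; then echo "$user $(classify_field "$field")"; fi
    done
}

# risky_accounts: users with an empty password or an outdated hash scheme.
risky_accounts() {
    shadow_report | awk '$2 == "empty" || $2 ~ /md5crypt|des-or-unknown/ { print $1 }'
}

sample_shadow | shadow_report
```

On a live system, run it as root with `shadow_report < /etc/shadow`; a locked entry still carries its hash, which is why the account can be unlocked later.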