21. The finger Command
Now, if you want to get information about a particular user, so you know what they currently have as their data, that may help you make a better choice about whether to make a change, or even whether a change is necessary. There is a very old command that has been around forever, called the finger command. The finger command lets you retrieve information about a user just by typing finger and the name of the user; it gives you all the information you would see in the password file.
22. Demo – Modifying a User Account
So earlier we created a couple of users, John Doe and Jane Doe. Now we're going to see if we can make a couple of changes from the command line with the usermod command. I'm already logged in as root, or I should say I've switched to the root user in this particular shell. I'm going to type in the command usermod. In fact, let's do what I've done for a couple of these: show you the help by typing usermod --help, and we see that we have a couple of options here. What I'm going to change is the login name of that user.
Now, that's basically just changing their name. So instead of it being John Doe, we're going to make it Juan Doe, and that means the -l option. There are numerous other options available to you for a specific user: locking an account, which means they can't get in until you unlock it; forcing a new group ID; and lots of others. Even something as simple as adding a comment to the GECOS field would be beneficial. All right, so let's clear this off our screen and get started with usermod -l.
We're going to put in juandoe as the new login for the account that was johndoe. Then we'll take a look at the password file, /etc/passwd. Down at the bottom, you now see juandoe instead of johndoe. Now you might notice that these IDs are out of order. That's because John was made before Kevin, but because we did a rename, it basically deleted it from one line and added it to the next one, so now these are out of order. I doubt that's going to drive very many of you crazy, but I just wanted to point out that it is a simple text file. If it really bothers you, you can just move things around and reorder them. Okay, so let's clear the screen and try using the finger command: finger juandoe. And there it says that it couldn't find that particular command. So how about we try whereis finger? It says it isn't there. Let's see: whatis finger?
And there is no finger command on the system. Now, finger is an old, old command that has literally been around for decades, and not every system has it. So we can't finger the account, but that's okay. We were able to get all of the information because I showed it to you in probably the best way to view it, which is by printing out the contents of the password file. All right, so that gave us the information we needed. Now we're going to see if we can change some other types of information about this account. We'll return to the usermod help screen and pipe it to more in case we need the room. We're going to move the home directory. It says here that -m moves the contents of the home directory to a new location, and that it can only be used with -d. So basically, -m means I'm going to move it, and then I have to use -d to specify the new home directory.
I'm not going to put -md; I'll just say -m -d, and then I have to add the new directory. So let's give that a shot and see. Now you'll notice that in this help, they don't show you examples of how a particular command should actually be run; in other words, a context for all of the steps. So you might sometimes find yourself fighting with some of these commands, not knowing the right order in which to put the parameters. Now we know that -m -d is what we need, but we don't really know what goes after this part. I could hope that if I hit Enter it would give it to me, but it didn't: when I hit Enter, it actually replayed my help output. But that's still not going to be as helpful as looking at the manual pages. That's where I was going: we want to make sure you always choose to look at the manuals, the online help. Now I'm going to change to Juan's home directory, and we also want to move any existing files he has to that directory.
I don't know if Juan has any existing files; we didn't look. But let's see what happens if I do this. And yes, it says that directory does not exist, because we haven't actually logged in as juandoe. Let's try it one more time, adding juandoe on the end so we're telling it to create that directory. Let's do an ls and see what's out there. If I go to /home, there's juandoe, and if I do the same for juandoe's directory, let's see if there are any files in there. There is nothing in there yet, and I didn't think there would be. Now that command, by putting in not only the path but also who that user is, gave me the opportunity to make that new directory and move anything he had there. Okay, so again, we have that information, and if we wanted to, we could also change the user's full name.
Now we'll look at that information again in /etc/passwd, and we'll just leave it at that. I really don't see anything in here that indicates an actual full name, right between these two colons. It's empty, where normally if you had a full name, that information would show up. So we don't have anything there. That's our goal: to use the chfn command. Again, I'll bring up its help and pipe it to more so we can see the few options. What we're going to do is use -f to set the new full name for this user. Remember that the full name will have a space in it, so when we add -f for the full name, if it has a space, you have to put quotes around it; we're going to use the full name "Juan Doe" with that space. And of course, we have to include the user account this applies to, which is juandoe.
And now that we've changed that information, we'll look at that password file again. Now you can see at the very end that juandoe has a new full name. All right, so that's only really important when we're trying to do searches or send emails or some other types of things. But again, these are just ways you can manipulate user accounts using nothing but the command line. Now let's take a look at it with the GUI. I'm just going to minimise this, and we're going to go to System, Administration, Users and Groups, and from here we can look at some of the folks like Jane Doe. If I click on Jane Doe, I can click on Properties, and there's an opportunity right there for me to put in a new full name. That was something we did with the chfn option. And just like that, we have a new full name for that user. So it's pretty straightforward, I think, looking at the options that you have.
If I click there again, I'll select Properties. Obviously, we were able to deal with passwords. If we want to change the default passwords, we have that available to us. If you want to lock out the account, or expire it, I should say, you can do that as well. So a lot of these are the same options that you had through the command line, and it's just showing you how easy and straightforward it is to make those types of changes for each of these users. Okay, so that's how we use these GUI tools, which I believe are very simple. That was under System, Administration, so you can work with it there. Okay, I'm going to close that GUI down and leave it at that. You've now seen working with and manipulating user accounts with the GUI. Very straightforward. And I think the command line is straightforward as well, but it's a little more flexible in some ways.
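Since finger was not installed in the demo and the course falls back to reading /etc/passwd, here is an added example (not from the course) that pulls the same fields finger would show straight out of a passwd entry. The passwd excerpt is constructed to match the demo after usermod -l, usermod -m -d and chfn -f; the function names are my own.

```shell
# Added example (not from the course): read the fields finger would show
# straight from /etc/passwd, since finger is not installed on every system.
# PASSWD_SAMPLE is a constructed passwd excerpt: the Jane Doe entry (empty
# GECOS, as in the demo before chfn) and the renamed Juan Doe entry after
# "usermod -l", "usermod -m -d" and "chfn -f".
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
janedoe:x:502:502::/home/janedoe:/bin/bash
juandoe:x:501:501:Juan Doe:/home/juandoe:/bin/bash'

# passwd_field CONTENT LOGIN N -> prints field N of LOGIN's line, exit 1 if
# no such login (1 login, 2 password marker, 3 UID, 4 GID, 5 GECOS, 6 home,
# 7 shell). Compares the whole login, so "jan" does not match "janedoe".
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '
        $1 == u { print $n; found = 1 }
        END { exit found ? 0 : 1 }'
}

# full_name CONTENT LOGIN -> the full name, i.e. the first comma-separated
# subfield of GECOS (later subfields hold room, phone numbers and so on).
# Prints nothing when GECOS is empty.
full_name() {
    passwd_field "$1" "$2" 5 | cut -d, -f1
}

# finger_like CONTENT LOGIN -> a finger-style summary, or a message on
# stderr and exit 1 when the login does not exist (for instance the old
# name "johndoe" after the rename).
finger_like() {
    if ! passwd_field "$1" "$2" 1 >/dev/null; then
        echo "finger_like: no such user: $2" >&2
        return 1
    fi
    printf 'Login: %s\nName: %s\nDirectory: %s\nShell: %s\n' \
        "$2" "$(full_name "$1" "$2")" \
        "$(passwd_field "$1" "$2" 6)" "$(passwd_field "$1" "$2" 7)"
}

finger_like "$PASSWD_SAMPLE" juandoe
finger_like "$PASSWD_SAMPLE" johndoe || echo "(johndoe was renamed to juandoe)"
```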
23. Creating Groups
Now, we talked about creating groups. Groups are a way of giving mass permissions to groups of people without having to add them one at a time.
Now, a group is just a logical construction for permissions that simply consists of a group ID, optionally a password for the group, or a system group flag. These are just some of the options. Generally, you're going to create a group and just say which users are in that group, without going through the password or system group options. It's pretty straightforward. Now, the purpose again is that I might find it easier to give permissions on a file to a group rather than go out and give them individually to every single user I'm trying to manage, especially if you're dealing with hundreds of users. Groups make more sense.
24. Adding Users to Groups
Now, the usermod command with a capital G lets you add a user to an existing group: usermod -G, then the group name, and then the username that goes into the group. Unfortunately, there's no command for removing a user from a group.
That means you would have to actually go into the /etc/group file and manually remove the user from the comma-delimited list that follows the name of each group. That way, you can manually remove them. You can also alter your groups in ways other than deleting a user: make changes to a group with the groupmod command. So you can create groups, and you can use groupmod or usermod to make changes to the membership. But remember, we can't remove anybody unless you go and edit that out of the file.
25. Demo – Creating Groups and Adding Members
All right, now it's time to work with some group accounts. So again, as always, we're going to start with the command line. I'm logged in as root just to make my life a little easier, so I don't have to add the su command. We'll do something as straightforward as groupadd accounting. All right, let's take a look and see what happened. Wow. Okay. I like it when it's that hard. Now the next thing we want to do is add people to the group, with groupadd.
Well, let's take a look at the groupadd help, not the manual page, but just plain old --help. It looks like it says that if I wanted to work with some of these options, I could use the command to change the group ID, change some other key values, and change the password for the group. All right, so we don't see here, which is kind of odd, the option for actually adding a new user to this group. But let's give this a shot anyway. User... "Oh, I'm sorry," I usually say, because I was still in groupadd.
We need the usermod help. And there's what I'm looking for: the capital G for adding the user to a particular group. Now I need to double-check that I created a group called accounting. All right, just so I don't forget what I'm doing. Now what we're going to do, as you probably noticed, is that earlier it was useradd and now it's usermod. So I'm actually modifying an existing user with -G, the group I'm putting them into is accounting, and I'm going to put Jane Doe in it. And just like that, they're a member of that group. Okay, how do you know? Well, that's the /etc/group file, and there is the list of groups. As you can see, there is a group called accounting. The group ID is 504, it has no password, and janedoe is a member. So what would happen if I ran that same command with juandoe? So let's change it to juandoe and run the same cat command. This is where I love the up arrow. I can just hit that. And there we go.
Accounting now has janedoe,juandoe. All right, so it's a comma-delimited list for each group you put them in. The tail command is another option for inspecting files. With the tail command, we say that we want to see the last line of /etc/group. And the last line is that one line; that was accounting. In fact, if you didn't see it, let's clear this up. If I just typed tail /etc/group, remember, tail shows me the last ten lines of a file by default. By adding -1 to tail, it looks like it says minus one, but with -1 I'm saying: really, just show me the last line. That's a nice, quick way to look at the last entry you made. Okay, so that was the command line, adding people to groups. Now, remember, taking them out means opening up the file, editing it, and removing those people manually; we don't really have a command to take them out of those groups. Now we're going to go to our System menu and look at the GUI for users and groups.
And I did add a password. I was kind of embarrassed by having an insecure version of this particular programme or installation, so I actually added a password to root, which is probably a good idea. So now when I opened up this tool, it asked me to open it as root. In some prior examples, it didn't ask at all; it just let me in because root didn't have a password. All right, I am now here, and I'm going to work on the groups. I'm going to click right down here under Groups. I see my accounting group, and I see my members. From here, I'm going to look at the properties of that group, at the group users. And now here's a nice thing: I'm going to take juandoe out.
And that was pretty straightforward. Again, a GUI, of course, has a lot more code behind it that can help me with those things I just couldn't do so easily from my command line. All right, now that I've done that and shown you how easy it was to manage that group (I just clicked on it and clicked on Properties), it's also just as easy to add a group here. I could make a group called HR and change the group ID if that's what you want to do. Just like that, you have new groups, and it's not so hard. You probably noticed that when I click on it, go to the properties of the group, then to the group users, I can come down here and add whoever I want to be a member of HR. So just like that, much simpler, I have to admit, than my command line, I'm able to create those groups.
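The /etc/group format the demo inspects with cat and tail, as an added example that is not part of the course: shell functions that list a group's members, test membership, and produce the hand edit the course describes (taking a name out of the comma-delimited list) on a constructed excerpt rather than the real file. It assumes only awk, and the function names are my own; two caveats a practitioner wants here are that usermod -G replaces the user's supplementary group list unless -a is also given, and that a real edit to /etc/group should go through vigr (or gpasswd -d), which locks the file while you edit it.

```shell
# Added example (not from the course): inspect and edit the comma-delimited
# member list in /etc/group without touching the real file.
# GROUP_SAMPLE is a constructed excerpt matching the demo: accounting (GID 504)
# after "usermod -G accounting" was run for janedoe and then juandoe.
GROUP_SAMPLE='root:x:0:
users:x:100:janedoe
accounting:x:504:janedoe,juandoe
hr:x:505:'

# group_members CONTENT GROUP -> the member list of GROUP (4th field),
# empty when the group has no supplementary members.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# in_group CONTENT GROUP USER -> exit 0 if USER is listed in GROUP.
# Splits on commas so that "jan" is not mistaken for "janedoe".
in_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# remove_member CONTENT GROUP USER -> prints the whole file with USER taken
# out of GROUP's member list; every other line passes through unchanged.
# This is the edit the course does by hand in an editor. Removing the last
# member leaves the field empty rather than a dangling comma.
remove_member() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ","); out = ""
            for (i = 1; i <= n; i++) if (m[i] != u && m[i] != "")
                out = (out == "" ? m[i] : out "," m[i])
            $4 = out
        }
        { print }'
}

# groups_of CONTENT USER -> every group that lists USER as a member
# (the supplementary groups; the primary group lives in /etc/passwd).
groups_of() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

echo "accounting members: $(group_members "$GROUP_SAMPLE" accounting)"
AFTER=$(remove_member "$GROUP_SAMPLE" accounting juandoe)
echo "after removal:      $(group_members "$AFTER" accounting)"
```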
26. Deleting Accounts
And then finally, when it comes time to actually delete an account, again, consider whether it is better to lock the account or actually delete it. The userdel command is the one you would use to get rid of a user account: userdel and the name of the user, and they're gone. Now you can choose whether or not you want to reuse their user ID.
But consider that user IDs are what we actually use in determining permissions, not the user name. So if you reuse a user ID for a new user, you might inadvertently be giving somebody permission to access files or directories that you didn't intend them to have. So be careful when recycling those, to make sure you don't violate any of your existing permission structures. Those types of things often lead to what we call "permission creep", which is people getting permission to do things they're not supposed to. Now, if you want to delete a group, again, it's easy enough to delete the group; it was the user in the group that was tough. The groupdel command, for group delete, will easily get rid of any groups you have.
27. Demo – Deleting Users and Groups
Okay. Now we are going to work on deleting users. You'll see us use the userdel command. So I'll show you its help, and you can see how hard that one is. -r stands for remove, and -f forces the removal. Okay, or --help. But I cheated and already showed it to you. All right, so that's great.
Now, one of the things we said, though, is that before you actually go out and delete a user, you ought to lock the user's account in case it's a temporary thing. And so, just like that, I locked juandoe rather than actually deleting him. Let's take a look and see what that looks like. So I'm going to cat /etc/shadow, not the password file, sorry. There we go. And down at the bottom, we've just locked the Juan Doe account. Oh, let's look at it. I'm sorry, I started typing shadow before I had finished. There we go. That's what I was looking for: this account is now locked out. I've got a nice little set of exclamation points where his password is supposed to be, and that tells me he is now locked out. So technically, "I have locked the password" is the more precise definition. They won't be able to log in because you've locked that password. So in a way, I've locked out their account.
Okay, let's go back and clear our screen, and then we'll actually delete them with userdel -r juandoe, while we patiently wait for juandoe to leave. This is one of those things where the process runs in the foreground; I didn't run it in the background, so you often don't get your command line back until that command finishes. Now we'll look at /etc/passwd, and juandoe is not there at the bottom of the list where he was before. We'll look at /etc/shadow as well, and juandoe is not down at the end of that either. Don't forget that you could have done the same thing with tail on /etc/shadow. And there it goes. It didn't really give me a whole lot of information for the very last line.
Okay, so again, the choice is yours, however you want to look at these files. But the reason I'm going to the end is that the end is where all of these new changes are going to appear. All right, now we're going to look at the groups. Let's check out /etc/group. I have an accounting group and an HR group, and we're going to use groupdel. By the way, if you didn't see them in the list, those are the last two I made. So we're going to use the groupdel command to get rid of accounting, as long as I can spell it right, and just like that, it should be gone. So now if I run the same command on the file again, there we go: HR is there, but no accounting. So just like that, we're able to work with and manipulate all of these files without any problems. It's designed, again, to be straightforward. Now, you might wonder what would happen if I tried userdel -r for somebody who doesn't exist. That's an interesting thought. Because we did this nice and easy, I was able to make my own mistakes all on my own.
But let's try it with user JohnDoe, and it says, "Oh, it doesn't exist." So you're going to get used to seeing those types of things, especially when you have user names that might alternate between uppercase and lowercase. So if you're not sure how an account is spelled, use the password file: open it up and see how that account is spelled so you can make sure you get it right. It is very sensitive; obviously, Linux is case-sensitive when it comes to names and spelling. Okay, now go to System, Administration, and then Users and Groups. And again, I have to provide my new password for the root account. I have a list of groups; in fact, HR is the only one I have left. Now, be careful: it takes a lot of work to delete this group. You move the mouse a few inches up the screen, click Delete, verify that you actually meant to do that, and you're done. I wish I could have made this a little easier for you, or a little harder, or more exciting, but that's all it takes to delete those with the GUI. So I'll close that down, and hopefully you got the idea: userdel, groupdel, and usermod -L to lock out a user rather than delete them.
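Added example, not from the course, for the lock-versus-delete decision and the UID-recycling warning above: it reads the lock marker from a constructed /etc/shadow excerpt and, before a UID is handed to a new account, checks that no entry in a constructed /etc/passwd excerpt and no file under a given directory still carries that UID. It assumes only awk and find; the hashes in the sample are placeholders and the function names are my own.

```shell
# Added example (not from the course): two checks to run before deciding
# between "usermod -L", "userdel -r" and recycling a UID.
# SHADOW_SAMPLE and PASSWD_SAMPLE are constructed excerpts; the hash strings
# are placeholders, not real password hashes. juandoe is locked as in the demo.
SHADOW_SAMPLE='janedoe:$6$PLACEHOLDERHASH:19000:0:99999:7:::
juandoe:!$6$PLACEHOLDERHASH:19000:0:99999:7:::
svc:*:19000:0:99999:7:::'
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
janedoe:x:502:502::/home/janedoe:/bin/bash
juandoe:x:501:501:Juan Doe:/home/juandoe:/bin/bash'

# lock_state CONTENT LOGIN -> "locked" when usermod -L put "!" in front of
# the hash (the exclamation marks seen in the demo), "nologin" for "*",
# "empty" when there is no password at all (anyone can log in as that user),
# "active" otherwise; exit 1 if the login is not present.
lock_state() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { found = 1
            if ($2 ~ /^!/)      print "locked"
            else if ($2 == "*") print "nologin"
            else if ($2 == "")  print "empty"
            else                print "active" }
        END { exit found ? 0 : 1 }'
}

# uid_in_use CONTENT UID -> exit 0 if some account in the passwd excerpt
# still holds UID.
uid_in_use() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '$3 == id { hit = 1 } END { exit hit ? 0 : 1 }'
}

# files_owned_by DIR UID -> number of files under DIR owned by UID. After
# "userdel -r" only the home directory and mail spool are removed; anything
# the user owned elsewhere keeps the numeric UID, and a new account given the
# same UID silently inherits it: the "permission creep" the text warns about.
files_owned_by() {
    find "$1" -xdev -uid "$2" 2>/dev/null | wc -l | tr -d ' '
}

# safe_to_reuse CONTENT UID DIR -> prints "yes" and exits 0 only when no
# account and no file under DIR still refers to UID; otherwise says why.
safe_to_reuse() {
    if uid_in_use "$1" "$2"; then echo "no: UID $2 still assigned"; return 1; fi
    n=$(files_owned_by "$3" "$2")
    if [ "$n" -gt 0 ]; then echo "no: $n file(s) under $3 still owned by UID $2"; return 1; fi
    echo "yes"
}

# Demo on a scratch directory: the files there are owned by the current
# user, so that UID is not safe to recycle until they are dealt with.
SCRATCH=$(mktemp -d)
: > "$SCRATCH/report.txt"
echo "juandoe: $(lock_state "$SHADOW_SAMPLE" juandoe)"
safe_to_reuse "$PASSWD_SAMPLE" "$(id -u)" "$SCRATCH" || true
safe_to_reuse "$PASSWD_SAMPLE" 9999 "$SCRATCH"
rm -r "$SCRATCH"
```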
28. Topic B: File and Directory Permissions
All right. Now we're going to move beyond the authentication of users and groups and talk about authorization, or the permissions we can give to files and directories. You're actually, I think, going to find that the permission system is very straightforward, not at all as complex as you might find in a Windows environment.
Now, being a good politician, I can make an argument on both sides as to why one is better than the other, because again they have different features and fulfil different needs in your business solutions. So always keep in mind that one way is not the best way; by having choices, you have the flexibility to meet your business needs. In Linux, you're going to find that it's very simplistic to deal with file and directory permissions, maybe too simplistic for some complex security solutions. So we'll take a look at them anyway: file and directory permissions.
29. File Ownership
Now when you take a look at the ownership of a file, one of the things you're going to see in the inode that holds the information about the permissions is a listing of who the user owner is and who the group owner is. When it comes to overall security, I believe this is extremely important. It's part of a discretionary access control model. Now there are many different types of access control models, for example in military systems.
We talk about things like mandatory access control, which doesn't care who made the file; it only matters whether it is classified and under what category. In other words, top-secret weapons programs, top-secret naval deployments, those types of things; if I open up a file within a certain top-secret category, then that's how the file is classified. I have no choice over who can read it. Anyone with that clearance could see it. In a discretionary access control system like this one in Linux, or like in Windows, the person who creates the file is almost always going to be the owner of the file, and as the owner, they have some choices about the permissions they can give to that file. Obviously, a root user, or someone with administrative privileges, can change any of those permissions at any time. They may or may not have to take ownership of the file to be able to change those permissions, depending on the operating system; in Windows, for instance, you actually have to take ownership of it as the administrator to change the file. But you get the picture anyway: whoever creates it is the owner, and whatever their primary group is, that becomes the group owner as well.
30. Managing File Ownership
Now, that's where we see some differences. And I am trying to contrast this with Windows because most of you out there are from a Windows background; it's just a prevalent operating system. So I want to try to make some sense out of it. In a Windows operating system, you could keep adding new groups to the access control list. Each entry is called an ACE, an access control entry. And so you could say that this group has received permission, this group has full control, this group has read and modify, whatever your choices are.
You can go through that, and when a user logs in, if they're a member of any of the groups that have any of those permissions, or all of the groups in that list, they get the accumulated permission. Now, here's the simplistic part of it. When you create a file, you are the owner, and the primary group attached to your account becomes the group owner. So as long as any other person is a member of that group, as a primary group member, they would have the same permissions you give to that group. All right, so that's listed inside the information about each file. What you won't see is multiple groups, multiple users, or those types of setups. That's a different creature. Okay? Now, that's the file owner. That's the simplistic part of this process. If you're the owner, you can set the permissions or change the permissions.