Open in app

Sign in

Write

Sign in

The Debian Series: users and groups management

David E Lares S
Nerd For Tech
Published in
7 min readNov 4, 2019

I wanted to create this quick blog post to explain in a simple way, how users and OS groups are managed along with their permissions in the correct way. Take the fact that this is not code intended but certain snippets will be placed along with each explanation. Code is necessary, always.

You might be thinking, why Debian? There are a lot of Linux distributions out there. A lot of people use Ubuntu (highly popular), and Linux Mint, other people like to use OS based on RedHat flavors like CentOS or Fedora and even other users prefer dedicated OS, for example, infosec practitioners, and professionals typically use Slax, Parrot, or the most famous Kali Linux.

Debian is one of the biggest Linux distros available today and is widely used for SysAdmins (related) and coders around the world.

To make things shorter, there’s a lot of history and background information related to Linux, the GNU foundation, the Kernel, and more. If you google it, in a bunch of clicks you will have better and complete information about it, so I will skip that.

All the exercises were done in an old Debian 7 OS with a Gnome 2 graphical environment. Debian 7 is a not-so-old OS all the following examples work very well with more recent Debian versions.

I will talk about the most elemental thing before anything else, the users and the groups. Before going further, we need to make clear that on a fresh install, we set up a su user, which stands for super-user, also known as root.

Key files

In Debian instances, we have two files that are important for user management, those files are responsible for listing and specifying users' directories, passwords, and permissions according to your interests.

The first one is the /etc/passwd which has a record of all system user information, for obvious reasons, in a fresh install the root user is the first one you will see listed on that, but more information is shown there. Here’s a quick example of how it looks.

After you log in with su on the terminal, you can run: cat /etc/passwd

You will see something like:

root:x:0:0:root:/root:/bin/bash
david:x:1000:1000:david,,,:/home/david:/bin/bash
mongodb:x:122:65534::/home/mongodb:/usr/sbin/nologin

Each line represents a user on the system, there’s a lot of parameters that represent something for each user, I will list them next using my user david as an example, we have the following information:

:x (shadow file, password storage)
:1000 (created ID user, starting from 1000)
:1000 (created group user, starting from 1000)
:david (description name)
:/home/david (user directory folder)
:/bin/bash (user console type)

The other key file is the /etc/shadow which handles password encryption and rules for handling user-related security access and more. This file has a similar structure to the /etc/passwd but have a bunch of different parameters that complete the user identity in Debian OS.

Here’s an example using the same david user before.

:david (name of the user - login)
:password (encrypted password)
:16016 (UNIX EPOCH date of the changed password since 1970) 
:0 (remaining days of current password before change)
:99999 (remaining days of password usage)
:7 (warning days to change password)

Simply, both previous files record data into the system to handle user login and terminal access, passing through the password configuration and expiry dates of each user on the system.

With all that said, let’s move to the basic commands for user creation.

Basic commands

Before going into each command, let me give a pro tip: you should always check the manual, you refer to it as man [command]

Let’s move on.

The useradd command

As it sounds, it creates a user on the OS, but it is inaccessible (for the moment), you will know in a bit what I’m talking about.

useradd david

This will create an OS user, but you won’t be able to log in because there’s no password associated, and you either have a personal directory. by using the -d command flag you can provide a directory pathname to it.

With that said, when you type the useradd -d /home/david david a directory will be created for the david user on the/home/david directory. The user will be added to the /etc/passwd list.

During that type, if you see what’s going on in the terminal, you will notice that some files are copied from a /etc/skel directory, this last one contains files for configuring environment variables and other related stuff for the user bash session. Those files are copied to the /home/[user] and managed for each session.

If you execute the useradd david command, you will need to manually create the files by copying them from the /etc/skel the directory itself, and then change the permissions with the chown command.

Here’s an example:

chown esanquiz:esanquiz /home/esanquiz
chown [name]:[group] [directory]

By the moment you log in the first time with that created user, the files will be generated with the following archives.

There’s an easy alternative for this complex scenario and that is the adduser command.

The adduser command

This is a PERL script that creates everything, through a wizard. It is very similar to the useradd but handles everything quickly. Also handles the password creation and the /etc/skel file replication to the user folder

The /etc/skel directory contains the .bash_logout, .bashrc and .profile files that a user can configure to specific actions in the bash session.

The passwd command

Simply, you can change the password for a specific user.

By doing passwd inside the user session or providing the name of the user you want to change.

Like this: passwd david you will be following a prompt and that’s it. A lot of changes also occur on the /etc/passwd file as well.

The usermod command

This command helps you to specify changes in a specific user. You can see it as a way to edit specs on a user, Here’s an example:

usermod -s /bin/bash david

You will find more info about the user flags and available configurations on this link.

The whoami command

This command will prompt you to the current user logged on to the OS through the CLI.

The userdel command

Let’s delete a user from the OS by using the userdel command, this also deletes its relations on the OS. The -r flag is key to fully deleting the user documents located in its /home directory. If you do not use the -r flag it will only be deleted on the /etc/passwd and /etc/shadow files.

You can also generate and manage users for the OS from the GUI, If you have the possibility of access to Debian through a GUI and you are not familiar with the previous command explained before, don’t worry about it. You can go to the System Tools -> System -> User Accounts and work from there. (A root password may be required).

To this point, users are pretty much covered from a high-level and simple overview, users are important, but groups are a high priority as well. Let’s talk about it first before going into file permissions.

We ain’t forgetting about groups

Let’s go back to the /etc/passwd for a bit, on the third parameter on each user, you will see the group ID, when you create a user, the user ID and the Group ID are the same. It’s your responsibility to group each user correctly for any particular reason.

Let’s add a group to the system.

We just, groupadd admins where the admins is the name of the group.

On the /usr/sbin/directory you will see a bunch of other commands that represent the other functionalities that groups can do. Many actions are described by the name itself, it keeps the same analogy as the user's functionalities. Things like groupdel or groupmod

We can list all groups using the cat /etc/group other commands are applicable like less, tail, head and nano.

The structure of each group listed there references the following information:

[group]:[file references]:[id]:[members]

Before adding users to groups, there is a simple but useful command, the groups command. If you type just groups you will be prompted to the groups that the logged user belongs to.

Now, you can add users to a group like this.

usermod -g [group] [user]

If you use the -g flag, you will be referencing only one group, if you use -G you will be adding multiple groups to a single user.

Of course, you can handle group management through GUI using the gnome-system-tools package, feel free to download it through the apt or aptitude package managers.

And finally, let’s talk about permissions

When we list something using the ls -l command. It will show something like this:

drwxr-xr — x 2

This string represents and determines the access type to certain files or directories with 10 lineal bits, where the first bit represents the type of file and the other 9 are related to users and group permissions.

If a file does not have any permissions at all, a - will be replacing it.

Of the 9 characters below, the first 3 bits are the permissions to the current user, the second 3 bits represent the permissions for the group where it belongs and the final 3 bits are the permissions to any other user on the system.

Simply, you can represent and assign permissions in both ways, numbers and letters, check the following self-explanatory relation representation.

r (read): 4 bits
w (write): 2 bits
x (execute): 1 bits

To change permissions you will be using the chmod command where you can use both notations. You can use something like chmod 755 [file] or do something like chmod +rw [file]

The first byte previously mentioned represents the data type of the listing. If you see a - (dash) is a file, but instead if you see a d letter, it references a directory.

There’s more to talk about, a huge missing concept here is the chown command, that changes file owners and groups. Permissions are also applicable to groups as well.

Happy coding.

Debian
Unix
Os
Sysadmin

--

--

David E Lares S
Nerd For Tech

Written by David E Lares S

82 Followers
Writer for

Backend Developer, MalDev and InfoSec Student

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams