User Management on Linux

Hi people!

Currently, I’m working at a software vendor. Most of the engineers log in to the server with the same account, and access to some directories is not restricted. To prevent something bad from happening, intentionally or accidentally, the need to manage user accounts has emerged. I was ordered to create a small manual for configuring user access and file permissions. So here, I share with you my case and my solution.

Case :

  1. Create users in a group.
  2. Users must change the password after the first login.
  3. Users are given access to certain directories and are able to run the applications inside them without going through an authentication phase.
  4. Users are not able to alter anything in those directories.

Steps :

  1. Create a user in a group.
    useradd -G [group name] [username]
  2. Create a user in a group and set the user's home directory at the same time.
    useradd -G [group name] [username] --home [home path]
  3. Change the user's home directory, or create it if the user doesn't have one.
    usermod -m -d [home path] [username]
  4. (Optional) List the users of a group.
    getent group [group name]
  5. (Optional) Create or change a user's password.
    passwd [username]
  6. Allow the user to run the application directly, without authenticating first.

    a. Open the sudoers file:

        sudo visudo

    b. Insert the line below in the “# User privilege specification” section:

        [username] ALL=([group name]) NOPASSWD: [application location]

    c. Press Ctrl + X to exit, then press Y to save the changes or N to discard them.

  7. Change the permissions of folders and the permissions of files separately.
    find ./[files path] [mode] -exec chmod [type of access] {} \;

    For [mode], type -type f for files or -type d for directories. The command is recursive; if the change should apply to certain layers only, type -maxdepth [layer depth] between mode and -exec.

  8. Force the user to change the password at the first login.
    chage -d 0 [username]
  9. Schedule the user to change the password periodically.
    sudo chage -E [mm/dd/yyyy] -m [number of days] -M [number of days] -I [number of days] -W [number of days] [username]

    E.g.:

        sudo chage -E 11/10/2016 -m 6 -M 90 -I 5 -W 15 first.user

    Explanation:

    -E : Explicit expiration date.

    The user must renew the password on this date, and it is the starting point from which the system counts the age of the password and runs the schedule.

    -m : Password minimum age.

    This is the minimum gap between two password renewals. The system will reject a password update if it is submitted before the password minimum age has passed.

    -M : Password maximum age.

    This is the due date for the user to update his password.

    -I : Inactive period.

    If the user has not updated his password after the due date, his account will be inactive for this period.

    -W : Warning time period.

    The user will be notified at this time about the expiration of the password.

  10. (Optional) See the user account status.
    sudo chage -l [username]
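
The find/chmod step and requirement 4 of the case (users cannot alter anything in the directories) can be checked together. The script below is an added example, not part of the original manual: `harden_tree`, `count_writable` and `demo` are hypothetical helper names, and the modes 755/644 and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: set directory and file modes separately, then audit the result.
# Helper names, modes and the sample tree are assumptions for illustration.

# harden_tree DIR DIR_MODE FILE_MODE
# Same idea as the find/chmod step: one pass for directories, one for files.
harden_tree() {
    find "$1" -type d -exec chmod "$2" {} + &&
    find "$1" -type f -exec chmod "$3" {} +
}

# count_writable DIR
# Prints the number of files and directories still writable by group or others.
# A non-zero result means requirement 4 is not met for some account.
count_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
        wc -l | tr -d ' '
}

# demo: build a constructed tree with loose permissions, harden it, and
# print the audit count before and after. Runs in a subshell, no root needed.
demo() (
    umask 022
    tree=$(mktemp -d) || exit 1
    mkdir -p "$tree/app/bin" "$tree/app/conf"
    printf '#!/bin/sh\necho ok\n' > "$tree/app/bin/run.sh"
    echo 'key=value' > "$tree/app/conf/app.conf"
    chmod 777 "$tree/app/bin" "$tree/app/bin/run.sh"   # constructed weak modes
    chmod 666 "$tree/app/conf/app.conf"

    before=$(count_writable "$tree")
    harden_tree "$tree" 755 644
    chmod 755 "$tree/app/bin/run.sh"   # the application itself stays executable
    after=$(count_writable "$tree")

    rm -rf "$tree"
    echo "$before $after"
)

demo   # prints "3 0"
```

Running `count_writable` on the directory that holds an application named in a NOPASSWD sudoers entry is a useful recurring check, since that entry is only as safe as the write permissions on the file it points to.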
