5.2. Managing Unix Users and Unix Groups
The database of Unix users and groups consists of the textual files
/etc/passwd (list of users),
/etc/shadow(encrypted passwords of users),
/etc/group (list of groups), and
/etc/gshadow (encrypted passwords of groups). Their formats are documented in passwd(5), shadow(5), group(5), and gshadow(5) respectively. While these files can be manually edited with tools like
vigr, there are higher level tools to perform the most common operations.
Although Kali is most often run while authenticated as the root user, you may often need to create non-privileged user accounts for various reasons, particularly if you are using Kali as a primary operating system. The most typical way to add a user is with the
adduser command, which takes a required argument: the username for the new user that you would like to create.
adduser command asks a few questions before creating the account but its usage is fairly straightforward. Its configuration file,
/etc/adduser.conf, includes many interesting settings. You can, for example, define the range of user identifiers (UIDs) that can be used, dictate whether or not users share a common group or not, define default shells, and more.
The creation of an account triggers the population of the user’s home directory with the contents of the
/etc/skel/ template. This provides the user with a set of standard directories and configuration files.
In some cases, it will be useful to add a user to a group (other than their default main group) in order to grant additional permissions. For example, a user who is included in the sudo group has full administrative privileges through the
sudo command. This can be achieved with a command such as
adduser user group.
The following commands allow modification of the information stored in specific fields of the user databases:
passwd—permits a regular user to change their password, which in turn, updates the
chfn—(CHange Full Name), reserved for the super-user (root), modifies the
GECOS, or “general information” field.
chsh—(CHange SHell) changes the user’s login shell. However, available choices will be limited to those listed in
/etc/shells; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program chosen.
chage—(CHange AGE) allows the administrator to change the password expiration settings by passing the user name as an argument or list current settings using the
-l useroption. Alternatively, you can also force the expiration of a password using the
passwd -e usercommand, which forces the user to change their password the next time they log in.
You may find yourself needing to disable an account (lock out a user) as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command
passwd -l user(lock). Re-enabling the account is done in similar fashion, with the
-u option (unlock).
delgroup commands add or delete a group, respectively. The
groupmod command modifies a group’s information (its
gid or identifier). The command
gpasswd group changes the password for the group, while the
gpasswd -r group command deletes it.