In previous demos, we've seen how permissions work in a Linux operating system. In this demo, we're going to look at how users are created on a multi-user Linux operating system: how we create users, delete users, and where the information about the users is stored. I'm currently logged in as the instructor user, which has administrator access on this computer. It has sudo privileges, which means it can execute any command if I precede it with sudo. In previous demos, we've seen there is a set of users, and their home directories are under the /home directory: the users sgordon, nuppart, mrsmith, and so on. How were those users created, and how can we create a new user on the command line? We'll see how that works. First, where is the information about these users stored? In the /etc directory there are several files that store information about the username, their login details, home directory, and password. The first file we'll take a look at is in the /etc directory and is called passwd, short for password. If I run cat to look at the contents, we see each line has a user and some details about that user. Many of these users, the first set here, were automatically created by the operating system when it was installed. But towards the bottom we can see some of the users that we recognise from before: sgordon is one user, there's the username, and the other users that have been created on this example system. To hide some of the details, I'll just clear the screen and look at just one of those users. So grep, searching for sgordon, shows just one line of this file, the one that contains sgordon. Let's look at the basic structure of this line. There are fields separated by colons, where the first field is the username: sgordon.
The second field contains an x. That indicates that the password for that user is not stored in this file but in a different file, the shadow file, which is the next file we'll look at. The next two fields are numbers indicating the user number, the user ID, and the group number for that user. Then there's some information about the user, including their full name, and some information that you can set about the user, such as their office number, their work and home telephone numbers, and some other details. Those are the four values here; when I created the user sgordon on this demo system I just gave them dummy values, for example one, two, three, four. We'll see shortly how we set those values when we create a user. The next field is the home directory of the user, /home/sgordon. By default, when we create a user, the home directory will be their username under the /home directory. The final field is the shell that's used by the user when they log in. In this case the bash shell is used. This is the program that interprets all your commands on the command line, so it provides the syntax for all the different things I can do on the command line. There are different shells; bash is the default shell in the Ubuntu Linux operating system. So that's the user sgordon. When I log in, I supply my username and I also supply the password, and the operating system checks whether my username and password match what's stored here. We can see the username is stored here, but where is the password? It's stored in a different file for security reasons. The file is called shadow, also in the /etc directory. But a normal user doesn't have permission to access it, because it stores information about the passwords for all users. As I'm a sudo user, I can view that file; I need to supply my password to view it.
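To make the seven-field layout concrete, here is an added example (not part of the original demo) that pulls individual fields out of passwd-style lines and runs the one check an administrator would want on this file: which accounts do not have the x marker. The sample lines are constructed; every uid/gid number, the GECOS text and the "legacy" account are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original demo: pick apart /etc/passwd-style
# lines. The sample below is constructed; all uid/gid numbers, GECOS values
# and the "legacy" account are assumptions made for the example.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
sgordon:x:1000:1000:S Gordon,1,2,3,4:/home/sgordon:/bin/bash
nuppart:x:1002:1002:Nuppart,,,:/home/nuppart:/bin/bash
legacy::1003:1003:Old account,,,:/home/legacy:/bin/sh'

# passwd_line USER -> the line for USER. Matching on the whole first field is
# safer than "grep sgordon", which would also match e.g. "sgordon2" or a
# GECOS field containing that text.
passwd_line() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u'
}

# passwd_field LINE N -> field N of a passwd line:
# 1 name, 2 password marker, 3 uid, 4 gid, 5 GECOS, 6 home, 7 shell
passwd_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '{ print $n }'
}

# gecos_fullname USER -> the first comma-separated item of the GECOS field;
# the others are the room number and phone numbers adduser asks for.
gecos_fullname() {
    passwd_field "$(passwd_line "$1")" 5 | cut -d, -f1
}

# login_shell USER -> field 7, the program that interprets the user's commands.
login_shell() {
    passwd_field "$(passwd_line "$1")" 7
}

# Defender's check: an account whose second field is not "x" either has no
# password at all (empty field) or keeps its hash in this world-readable
# file instead of in /etc/shadow. Either way it deserves a look.
accounts_not_using_shadow() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$2 != "x" { print $1 }'
}

passwd_line sgordon
printf 'full name: %s\nshell: %s\n' "$(gecos_fullname sgordon)" "$(login_shell sgordon)"
printf 'accounts not using shadow: %s\n' "$(accounts_not_using_shadow)"
```

To run the same functions against a live system, replace the PASSWD_SAMPLE variable with the output of cat /etc/passwd; the file is world-readable, so no sudo is needed for that part.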
It's a file which contains an entry for each of the users that we saw in the passwd file, with information about their passwords. Again, we can see the instructor user, sgordon and some of our other users, as well as some of those users which were created by the operating system. Those don't have passwords, that is, they don't have a password to log on, and that's why we see a star here. Let's again clear the screen and look at just one of those entries: sudo grep for sgordon, and look at the structure of that entry. Again, the fields are separated by colons. The first field is the username, which must match the one in the passwd file. The next field, this long random-looking set of characters that goes up to here, is information about the password. It's separated into three sub-fields, and we see them separated by dollar signs. The first value here, the number six, indicates the algorithm used to store the password. Rather than storing the actual password in the file, we normally apply a hash function to the password and store just the hash value. Then when someone tries to log in, they supply their password, it is hashed, and the result is compared against the hash value stored in this shadow file; if they match, then the assumption is that the passwords match. And that's typically true if you have good hash algorithms. The number six here indicates which hash algorithm is used, and six represents SHA, the Secure Hash Algorithm. Other algorithms can be used, but the SHA algorithms are considered secure and are used by default in a Linux operating system. The next value here related to the password is what's called a salt. It's a random set of characters, a random value that is added to the password for some extra security.
One reason is that if two users with the same password have their data stored in the shadow file, and we don't use a salt, then the hash values of that same password will be the same. So if sgordon and Tanarak had the same password just by luck, then without a salt value the hash value would be the same in both entries, and if sgordon could see the shadow file, he would also see that Dr. Tanarak has the same password as him. Another reason for using the salt, and it's quite useful, is to stop people who have access to the shadow file from looking up and finding the password based on the hash value by using large tables of pre-computed hash values, rainbow tables for example. The next field is the hash value itself. So the first sub-field was the hash algorithm used, then the salt, and then this long random string is the hash value from taking the password of the user sgordon, concatenating it with the salt value, and taking the hash of that. The hash value is stored here. The remaining fields have to do with the duration for which the password and the login account can be used, things like expiring the password after so many days. That's the last set of fields here. Rather than explaining them now, to find out more about what those exact fields are you can look in the man page for the shadow file; man shadow will explain those fields: the login name, the encrypted password, which refers us to the program crypt that does the hashing, and those other fields about the password age and so on. If we run man crypt and look at the man page, it talks about the format of the hash value that's stored. If we scroll down, we see the format that we saw: the id of the algorithm used, where the id is 1, 2a, 5, or 6, so 6 means SHA-512 was used as the hash algorithm, then the salt value, and then the encrypted, or hashed, password combined with the salt value. That provides an explanation of how that works and how the algorithms are selected.
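The $id$salt$hash layout from man crypt, and the reason the salt is there, are easier to see on concrete lines. The following is an added example, not code from the original demo: it splits shadow-style entries into the id, salt and hash parts, maps the id to the algorithm name the man page lists, flags the accounts that cannot log in with a password, and shows that one password under two different salts hashes to two different values. The entries are constructed: the salts and hashes are placeholder strings rather than real crypt(3) output, the account names other than sgordon are assumed, and sha512sum stands in for the iterated sha512crypt scheme the real file uses.

```shell
#!/bin/sh
# Added example, not part of the original demo: split the password field of
# /etc/shadow entries, "$id$salt$hash", and show what the salt buys us. The
# entries are constructed: the salts and hashes are placeholder strings, not
# real crypt(3) output, and the account names other than sgordon are assumed.
SHADOW_SAMPLE='sgordon:$6$Q7pR3zLm$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:18000:0:99999:7:::
tanarak:$6$Kx9vWe2c$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
oldstaff:!$6$Q7pR3zLm$cccccccccccccccccccccccccccccc:18000:0:99999:7:::'

# shadow_pw USER -> the second field (the password entry) of USER's line
shadow_pw() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# crypt_part ENTRY N -> part N of "$id$salt$hash" (1 id, 2 salt, 3 hash).
# The entry starts with "$", so awk's first "$"-separated field is empty.
crypt_part() {
    printf '%s\n' "$1" | awk -F'[$]' -v n="$2" '{ print $(n + 1) }'
}

# Algorithm id to name, the list given in man crypt.
algo_name() {
    case "$1" in
        1)  echo MD5 ;;
        2a) echo Blowfish ;;
        5)  echo SHA-256 ;;
        6)  echo SHA-512 ;;
        *)  echo unknown ;;
    esac
}

# Accounts that cannot log in with a password: "*" means none was ever set
# (the system accounts in the demo), a leading "!" means the account is locked.
unusable_password_accounts() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "*" || $2 ~ /^!/ { print $1 }'
}

# The salt in action: hash salt+password. sha512sum is a stand-in for the
# iterated sha512crypt the real file uses; the property being shown, that one
# password with two different salts gives two different hashes, holds either way.
salted_digest() {   # salted_digest SALT PASSWORD
    printf '%s%s' "$1" "$2" | sha512sum | cut -d' ' -f1
}

entry=$(shadow_pw sgordon)
printf 'algorithm: %s  salt: %s\n' "$(algo_name "$(crypt_part "$entry" 1)")" "$(crypt_part "$entry" 2)"
printf 'same password, different salts:\n  %s\n  %s\n' \
    "$(salted_digest "$(crypt_part "$entry" 2)" secret)" \
    "$(salted_digest "$(crypt_part "$(shadow_pw tanarak)" 2)" secret)"
printf 'no usable password: %s\n' "$(unusable_password_accounts | tr '\n' ' ')"
```

The two digests at the end differ even though both users chose the word secret, which is exactly what stops one user from spotting another's matching password in the shadow file, and what makes a precomputed table useless unless it was built for that particular salt.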
The passwd file stores the user details. The shadow file stores the password information, or at least a hash of the password. Another file is the list of groups, /etc/group. As we know, we have groups and users can be part of groups. We see down the bottom that we have the CSS322 group with the group ID 1001. There is no password for that group; the x refers to the group shadow file. We could potentially have a password for a group, and then a set of users that are in that group. So how do we add and manage users on a Linux operating system? We could manually edit those files, but it's much more convenient to use the programs that are provided to do it for us. There's adduser and deluser. Let's have a look and see how they work. To add and delete users we need administrator access, so we precede the commands with sudo. Let's add a user, and the program we'll use is simply called adduser, and give it a username. Let's add the user La leader; that's the username of the new user. It creates the user, putting the group for the user by default the same as the username, creates the home directory, and then prompts for the password for this user. I can supply and select the password. We need to type it in twice to make sure we don't make a mistake. Then we are prompted to provide some information about that user, like their full name and room number, phone number, for which I'm just using some example values, and other details. Check if this is correct: yes. Then after we press enter, this user has been created. The home directory has been created, and the entries inside those three files should have been created. Let's check that the home directory is there. La leader is the directory that's been created for our new user. And let's check for the username in the /etc/passwd file.
We see there's now a new entry for La leader: the user ID, the group ID, the information about the name and those phone numbers, the home directory, and by default the bash shell is used. Similarly for the password, in the shadow file we see that using the SHA-512 hash algorithm, id 6, a salt has been created, and the password that I entered combined with that salt has been hashed and the hash value is stored here. Finally, let's just check the groups in the /etc/group file. We see there's a new group called La leader. How do we know that La leader is part of it, when this group file shows no users listed in the group La leader? Because the group ID 1006 in the passwd file indicates that La leader's home group is the group La leader. Another thing we can do is add a group using the addgroup command; let's add a group IDS332. A new group is added; let's just check in the /etc/group file that the IDS332 group is added. There are no users in that group yet. Now let's add another user, but add them to the group IDS332 as their home group. So we use the adduser command again, and there are many options available. One of them is the --ingroup option: instead of adding this user to their own group based on their username, I'll add them directly into the group IDS332, the one we just created. Let's create the user Chanakan. So we add the user called Chanakan, where their home or primary group will be IDS332, and set a password, name and other details. Let's just look in the home directories and see what we can see. We see the home directories for our two new users: La leader, owned by the user La leader and the group La leader, and our second new user Chanakan, owned by the user Chanakan and the group IDS332 that was set using the --ingroup option when we ran adduser. Another thing we can do is add users to a particular group, using the adduser command as well.
We simply give the username and the group that we want to add them to. So in this case, add the user La leader to the group IDS332, and if we check in the group file we see now that the user La leader is a member of the IDS332 group, and is also still a member of the primary group, which is La leader. There are many different options available with adduser; the man page gives a detailed description of all the options and how adduser and addgroup can be used to add users, to modify user details and to add groups. Final thing: let's remove some users. We delete users using the deluser command. Simply supply the username I want to delete; I'll remove the user La leader, the one we've just created. Removing the user gives a warning that the group La leader no longer has any members, and that group has been removed as well. Note that without any options the home directory of that user is not deleted, so the directory /home/La leader still exists. We can delete a user using the --remove-home option and then the username, Chanakan in this case, which will also delete the home directory. So the directory Chanakan, which existed before, has been deleted because we used the --remove-home option when we deleted the user Chanakan. Let's just check in the passwd file: although we've shown all of it, we do not see at the bottom the two new users that we created, La leader and Chanakan, because we've deleted them, so those users no longer exist on the system.
Let's clear the screen and have another look at the group file. One final thing we can do is remove users from a particular group rather than removing the users from the system. We see in the group CSS322 there are three members: S Gordon, Booneck and Nappat. Let's delete one of those users from the group, the user Nappat from the group CSS322. So we didn't remove the user, we removed the user from the group, and in the CSS322 group we only have two users now. Nappat still has an account; we have not removed that user. Let's just check, and he still exists on the system. So in summary, we can view information about the users in the /etc directory in the passwd, group and shadow files, and we can add and delete users as well as groups using the commands adduser, addgroup, deluser and their many different options.
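The point the demo makes twice, that a user's primary group comes from the gid in passwd and never shows up in the member list in /etc/group while adduser USER GROUP and deluser USER GROUP edit only that member list, is worth checking in code. This added example (not from the original demo) resolves primary and supplementary membership from passwd and group content as it stands after adduser --ingroup IDS332 for Chanakan and adduser La leader IDS332, and shows what deluser Nappat CSS322 leaves behind. Both files are constructed sample data: the usernames are lower-cased forms of the demo's names, and the gid of IDS332 and the extra accounts are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original demo: resolve group membership from
# /etc/passwd and /etc/group content as it stands after the demo's
# "adduser --ingroup IDS332 chanakan" and "adduser laleader IDS332". Both
# files are constructed sample data; the usernames are lower-cased forms of
# the demo's names, and the gid for IDS332 and the extra accounts are assumed.
PASSWD_SAMPLE='sgordon:x:1000:1000:S Gordon,1,2,3,4:/home/sgordon:/bin/bash
nuppart:x:1002:1002:Nuppart,,,:/home/nuppart:/bin/bash
booneck:x:1003:1003:Booneck,,,:/home/booneck:/bin/bash
laleader:x:1006:1006:La Leader,,,:/home/laleader:/bin/bash
chanakan:x:1007:1008:Chanakan,,,:/home/chanakan:/bin/bash'

GROUP_SAMPLE='sgordon:x:1000:
CSS322:x:1001:sgordon,booneck,nuppart
nuppart:x:1002:
booneck:x:1003:
laleader:x:1006:
IDS332:x:1008:laleader'

# primary_group USER -> the group named by the gid in USER's passwd entry.
# This membership is never listed in /etc/group, which is why the demo's
# freshly created group "laleader" shows no members there.
primary_group() {
    _gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$_gid" '$3 == g { print $1 }'
}

# supplementary_groups USER -> groups whose member list (field 4) names USER
supplementary_groups() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# members_of GROUP -> everyone in GROUP: the explicit member list plus every
# user whose primary gid is this group, sorted and de-duplicated.
members_of() {
    _gid=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { print $3 }')
    {
        printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" \
            '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
        printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v g="$_gid" '$4 == g { print $1 }'
    } | sort -u
}

# without_member USER GROUP -> the group file as "deluser USER GROUP" would
# leave it: USER dropped from GROUP's member list, every other line untouched.
# The user's account and primary group are not affected, as in the demo.
without_member() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" -v g="$2" 'BEGIN { OFS = ":" }
        $1 == g { n = split($4, m, ","); out = ""
                  for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != u) out = (out == "") ? m[i] : (out "," m[i])
                  $4 = out }
        { print }'
}

printf 'chanakan primary: %s\n' "$(primary_group chanakan)"
printf 'laleader groups: %s %s\n' "$(primary_group laleader)" "$(supplementary_groups laleader)"
printf 'members of IDS332: %s\n' "$(members_of IDS332 | tr '\n' ' ')"
printf 'CSS322 after deluser nuppart CSS322: '
without_member nuppart CSS322 | grep '^CSS322'
```

members_of is the function to reach for when auditing who can really act as a group: reading the member list in /etc/group alone would report the group laleader as empty, yet its owner belongs to it through the gid in passwd.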