Group Members

NightShade03 Member Posts: 1,383
On Ubuntu (and I'm sure other distros too) there is a package called members. When you run it you do "members [groupname]" and it lists all the members of a group. My question is: how is this accomplished? I realize that it is probably just a little script parsing something else on the system and returning a list, but what exactly is it looking through?

Comments

  • UnixGeek Member Posts: 151
    It probably parses the /etc/group file, for example:

    cat /etc/group | grep wheel
  • NightShade03 Member Posts: 1,383
    Just so I understand what you are saying...

    So if I have a group "admin" and I run the members command I get:

    user1 user2

    Which is just the same as running:

    cat /etc/group | grep -w admin | cut -d ":" -f4

    Which outputs:

    user1,user2
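
Added example, not part of the original thread: a shell function that lists a group's members from the two files directly. It goes beyond the cut pipeline above by matching the group name on field 1 only and by including users whose primary GID in /etc/passwd is the group's GID, which field 4 of /etc/group does not list. The function names, the optional file arguments and the sample entries are constructed for illustration.

```shell
# group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints every member of GROUP, one per line, sorted and de-duplicated.
group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Match field 1 exactly. "grep -w admin" also hits "sudo:x:27:admin",
    # where admin is a member name, not the group name.
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1   # no such group

    {
        # Supplementary members: field 4 of the group line, comma separated.
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary members: passwd entries whose GID (field 4) is this group.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from a real system).
make_samples() {
    cat > "$1/group" <<'EOF'
sudo:x:27:admin
admin:x:115:user1,user2
lpadmin:x:116:user1
EOF
    cat > "$1/passwd" <<'EOF'
admin:x:1000:1000::/home/admin:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
svc:x:998:115:service:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo: the service account svc shows up only through its primary GID.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
group_members admin "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On hosts that resolve groups through NSS (LDAP, SSSD), the local files are only part of the picture; getent group and getent passwd return the merged view.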
  • UnixGuy Mod Posts: 4,570
    Yes, the answer above is very accurate. The file "/etc/group" is responsible for groups and members.

    Read up on how to interpret the contents of this file. It contains group id, members of groups, and other important stuff.


    If you do a lot of user administration, you will not use any package and you might not use commands such as "grpadd"; you will end up editing the file /etc/group/ directly :) Make sure you back it up before you do that.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE


  • NightShade03 Member Posts: 1,383
    I don't do a lot of system admin on Linux...yet. We are mostly a Windows shop but I run a few Ubuntu servers for particular applications.

    I understand the contents of /etc/group; I just want to make sure I understand the differences between using tools such as members, adduser, deluser, etc. vs. scripting and editing things on my own. I'm already starting to see the power and flexibility that a little bash or Python scripting will offer me.
  • Forsaken_GA Member Posts: 4,024
    I understand the contents of /etc/group; I just want to make sure I understand the differences between using tools such as members, adduser, deluser, etc. vs. scripting and editing things on my own.

    Here's a dirty little secret -

    There's no difference.

    If you open up adduser and deluser and such, you'll see they're nothing more than Perl scripts (on Debian and its derivatives anyway).
  • NightShade03 Member Posts: 1,383
    Funny you should mention that because I'm just reading through an article that talks about that. I also believe that adduser is just a pointer to useradd on non-Debian systems.
  • UnixGeek Member Posts: 151
    It helps to know what files your distro's miscellaneous utilities are working with. This can help with troubleshooting, but beyond that, it helps to make your skills more portable. Many of these files are consistent from distro to distro, and are even the same, or very similar when you branch out to Unix variants. That's not as true of the utilities that use these files.
  • NightShade03 Member Posts: 1,383
    Follow up question:

    Looking through the shadow file I see all the user accounts.

    Most service accounts have a * which means they are locked. Does this mean that those accounts can still function but no one can log in as them?

    Also if an account has a ! for the password this I think means "no password"? Can it be that there is no password & the account is locked?
  • darkerosxx Banned Posts: 1,343
    That's correct.

    Extra info you didn't ask for: "usermod -L username" edits the user's info in the shadow file to begin with a "!". Encrypted passwords can't start with a "!", so it effectively locks the account since no password will work when logging in. You can manually do this, yourself, by editing the shadow file and it's a nice way to lock a user's account without actually getting rid of their password. When you want to unlock the account, just remove the "!" or run "usermod -U username".
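
Added example, not part of the original thread: a shell audit of the password field (field 2) in a shadow-format file, using the states shadow(5) describes. An empty field means no password is required, "!" in front of a hash is a password locked by usermod -L, and "*" or a bare "!" is a string no password can match. The function names and the sample entries are constructed, and the sketch assumes modern hashes that start with "$".

```shell
# shadow_state FIELD: classify field 2 of a shadow entry.
shadow_state() {
    case $1 in
        '')        echo empty ;;       # no password required to authenticate
        '!$'*)     echo locked ;;      # "!" + preserved hash (usermod -L)
        '!'*|'*'*) echo nopassword ;;  # "!", "!!", "*": no password can match
        *)         echo password ;;    # a hash is set
    esac
}

# audit_shadow FILE: print "user state" for every entry in FILE.
audit_shadow() {
    while IFS=: read -r user pw rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_state "$pw")"
    done < "$1"
}

# Constructed sample entries; salts and hashes are placeholders.
make_shadow_sample() {
    cat > "$1" <<'EOF'
root:$6$SALT$HASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:!:18000:0:99999:7:::
james:!$6$SALT$HASH:18000:0:99999:7:::
kiosk::18000:0:99999:7:::
EOF
}

# Demo: james is locked with his hash preserved; kiosk needs no password.
demo_file=$(mktemp)
make_shadow_sample "$demo_file"
audit_shadow "$demo_file"
rm -f "$demo_file"
```

A locked password field only stops password authentication; the usermod man page notes that locking the whole account also means setting its expiry date.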
  • NightShade03 Member Posts: 1,383
    Although I'm probably beating a dead horse....last question.

    I did the following:

    useradd james
    passwd james (gave him a password)
    su james (logged in fine)
    exit (back to my primary user)
    sudo usermod -L james
    sudo cat shadow (saw james's password now has ! in front)
    su james

    Doing the last su james does lock the account but it still provides a password prompt and just gives back an "Authentication Failure" for any password entered. Is there a way to specifically tell the user that their account is locked as opposed to the generic error message?
  • MentholMoose Member Posts: 1,525
    Is there a way to specifically tell the user that their account is locked as opposed to the generic error message?
    I couldn't find anything with a quick Google search, so I don't know if there is an "official" way to accomplish this. One possibility would be to write a script that echoes "account is locked" and exits, then set the user's shell to that (e.g. "usermod -s /path/to/script.sh"), though I'm not sure if this is a good idea.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • darkerosxx Banned Posts: 1,343
    Not providing any kind of message saying account is locked or otherwise is, in my view, a security measure more than anything else. You never want anyone to know a valid user login on your server, regardless of what security measures you have in place or if the account is locked.