$ chsh
Changing the login shell for emma
Enter the new value, or press ENTER for the default
  Login Shell [/bin/bash]: /usr/bin/zsh

$ chsh -s /usr/bin/zsh

$ id
uid=1024(emma) gid=1024(emma)
groups=10240(netusers),20480(netadmin)

$ last
emma pts/3 ::1 Fri Jun 14 04:28 still logged in

$ who
emma pts/3 2019-06-14 04:28 (::1)
$ w
 05:43:41 up 1:40, 1 user, load average: 0.25, 0.53, 0.51
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
emma pts/3 04:28 1:14m 0.04s 0.04s -bash

emma ~$ su -
Password:
root ~#

$ cat /sys/devices/virtual/dmi/id/board_serial
cat: /sys/devices/virtual/dmi/id/board_serial: Permission denied
$ sudo cat /sys/devices/virtual/dmi/id/board_serial
[sudo] password for emma:
/6789ABC/

USERNAME:PASSWORD:UID:GID:GECOS:HOMEDIR:SHELL

emma:x:1000:1000:Emma Smith,42 Douglas St,555.555.5555:/home/emma:/bin/bash

$ chfn
    Changing the user information for emma
    Enter the new value, or press ENTER for the default
    Full Name: Emma Smith
    Room Number []: 42
    Work Phone []: 555.555.5555
    Home Phone []: 555.555.6666
    

Introduction
This lesson will focus on the basic terminology of the accounts, access controls and security of local
Linux systems, the command line interface (CLI) tools in a Linux system for basic security access
controls and the basic files to support user and group accounts, including those used for elementary
privilege escalation.
Basic security in Linux systems is modeled after Unix access controls that, despite being nearly fifty
years-old, are quite effective in comparison to some popular consumer operating systems of much
newer lineage. Even some other, popular, Unix-based operating systems tend to “take liberties” that
are focused on “ease-of-access,” while Linux does not.
Modern Linux desktop environments and interfaces simplify the creation and management of users
and often automate the assignment of access controls when a user logs in—e.g., to the display, audio
and other services—requiring virtually no manual system administrator intervention. However, it is
important to understand the basic concepts of an underlying Linux operating system.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
348 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Accounts
Security involves many concepts, one of the most common being the general concept of access
controls. Before one can tackle file access controls such as ownership and permissions, one must
understand the basic concepts of Linux user accounts, which are broken out into several types.
Every user on a Linux system has an associated account which besides login information (like
username and password) also defines how, and where, the user can interact with the system.
Privileges and access controls define the “boundaries” within which each user can operate.
Identifiers (UIDs/GIDs)
The User and Group Identifiers (UIDs/GIDs) are the basic, enumerated references to accounts. Early
implementations were limited 16-bit (values 0 to 65535) integers, but 21st century systems support
64-bit UIDs and GIDs. Users and groups are enumerated independently, so the same ID can stand for
both a user and group.
Every user has not only an UID, but also a primary GID. The primary GID for a user can be unique to
that user alone, and may end up not being used by any other users. However, this group could also
be a group shared by numerous users. In addition to these primary groups, each user can be member
of other groups, too.
By default on Linux systems, every user is assigned to a group with the same name as their
username, and same GID as his UID. E.g., create a new user named newuser and, by default, its
default group is newuser as well.
The Superuser Account
On Linux the superuser account is root, which always has UID 0. The superuser is sometimes called
the system administrator, and has unlimited access and control over the system, including other
users.
The default group for the superuser has the GID 0 and is also named root. The home directory for
the superuser is a dedicated, top level directory, /root, only accessible by the root user himself.
Standard User Accounts
All accounts other than root are technically regular user accounts, but on a Linux system the
colloquial term user account often means a “regular” (unprivileged) user account. They typically have
the following properties, with select exceptions:
• UIDs starting at 1000 (4 digits), although some legacy systems may start at 500.
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 349
• A defined home directory, usually a subdirectory of /home, depending on the site-local
configuration.
• A defined login shell. In Linux the default shell is usually the Bourne Again Shell (/bin/bash),
though others may be available.
If a user account does not have a valid shell in their attributes, the user will not be able to open an
interactive shell. Usually /sbin/nologin is used as an invalid shell. This may be purposeful, if the
user will only be authenticated for services other than console or SSH access, e.g., Secure FTP (sftp)
access only.
NOTE
To avoid confusion, the term user account will only apply to standard or regular
user accounts going forward. E.g., system account will be used to explain a Linux
user account that is of the system user account type.
System Accounts
System accounts are typically pre-created at system installation time. These are for facilities,
programs and services that will not run as the superuser. In an ideal world, these would all be
operating system facilities.
The system accounts vary, but their attributes include:
• UIDs are usually under 100 (2-digit) or 500-1000 (3-digit).
• Either no dedicated home directory or a directory that is usually not under /home.
• No valid login shell (typically /sbin/nologin), with rare exceptions.
Most system accounts on Linux will never login, and do not need a defined shell in their attributes.
Many processes owned and executed by system accounts are forked into their own environment by
the system management, running with the specified, system account. These accounts usually have
limited or, more often than not, no privileges.
NOTE From the standpoint of the LPI Linux Essentials, system accounts are UIDs <1000,
with 2 or 3 digit UIDs (and GIDs).
In general, the system accounts should not have a valid login shell. The opposite would be a security
issue in most cases.

Service Accounts Service accounts are typically created when services are installed and configured. Similar to system accounts, these are for facilities, programs and services that will not run as the superuser. In much documentation, system and service accounts are similar, and interchanged often. This includes the location of home directories typically being outside of /home, if defined at all (service accounts are often more likely to have one, compared to system accounts), and no valid login shell. Although there is no strict definition, the primary difference between system and service accounts breaks down to UID/GID. System account UID/GID <100 (2-digit) or <500-1000 (3-digit) Service account UID/GID >1000 (4+ digit), but not a “standard” or “regular” user account, an account for services, with an UID/GID >1000 (4+ digits) Some Linux distributions still have pre-reserved service accounts under UID <100, and those could be considered a system account as well, even though they are not created at system installation. E.g., on Fedora-based (including Red Hat) Linux distributions, the user for the Apache Web server has UID (and GID) 48, clearly a system account, despite having a home directory (usually at /usr/share/httpd or /var/www/html/). NOTE From the standpoint of the LPI Linux Essentials, system accounts are UIDs <1000, and regular user accounts are UIDs >1000. Since the regular user accounts are >1000, these UIDs can also include service accounts. Login Shells and Home Directories Some accounts have a login shell, while others do not for security purposes as they do not require interactive access. The default login shell on most Linux distributions is the Bourne Again Shell, or bash, but other shells may be available, like the C Shell (csh), Korn shell (ksh) or Z shell (zsh), to name a few. A user can change his login shell using the chsh command. By default the command runs in interactive mode, and displays a prompt asking which shell should be used. The answer should be the full path to the shell binary, like below: Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types Version: 2022-04-29     |     Licensed for Cyber School.     |     learning.lpi.org         |     351 $ chsh Changing the login shell for emma Enter the new value, or press ENTER for the default   Login Shell [/bin/bash]: /usr/bin/zsh You can also run the command in non-interactive mode, with the -s parameter followed by the path to the binary, like so: $ chsh -s /usr/bin/zsh Most accounts have a defined home directory. On Linux, this is usually the only location where that user account has guaranteed write access, with some exceptions (e.g., temporary file system areas). However, some accounts are purposely setup to not have any write access to even their own home directory, for security purposes. Getting Information About Your Users Listing basic user information is a common, everyday practice on a Linux system. In some cases, users will need to switch users and raise privilege to complete privileged tasks. Even users have the ability to list attributes and access from the command line, using the commands below. Basic information under limited context is not a privileged operation. Listing the current information of a user at the command line is as simple as a two letter command, id. The output will vary based on your login ID: $ id uid=1024(emma) gid=1024(emma) 1024(emma),20(games),groups=10240(netusers),20480(netadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 In the preceding listing, the user (emma) has identifiers which breakdown as follows: • 1024 = User ID (UID), followed by the username (common name aka login name) in parenthesis. • 1024 = the primary Group ID (GID), followed by the groupname (common name) in parenthesis. • A list of additional GIDs (groupnames) the user also belongs to. Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions 352     |         learning.lpi.org     |     Licensed for Cyber School.     |     Version: 2022-04-29 Listing the last time users have logged into the system is done with the command last: $ last emma pts/3 ::1 Fri Jun 14 04:28 still logged in reboot system boot 5.0.17-300.fc30. Fri Jun 14 04:03 still running reboot system boot 5.0.17-300.fc30. Wed Jun 5 14:32 – 15:19 (00:46) reboot system boot 5.0.17-300.fc30. Sat May 25 18:27 – 19:11 (00:43) reboot system boot 5.0.16-100.fc28. Sat May 25 16:44 – 17:06 (00:21) reboot system boot 5.0.9-100.fc28.x Sun May 12 14:32 – 14:46 (00:14) root tty2 Fri May 10 21:55 – 21:55 (00:00)   … The information listed in columns may vary, but some notable entries in the preceding listing are: • A user (emma) logged in via the network (pseudo TTY pts/3) and is still logged in. • The time of current boot is listed, along with the kernel. In the example above, about 25 minutes before the user logged in. • The superuser (root) logged in via a virtual console (TTY tty2), briefly, in mid-May. A variant of the last command is the lastb command, which lists all the last bad login attempts. The commands who and w list only the active logins on the system: $ who emma pts/3 2019-06-14 04:28 (::1) $ w  05:43:41 up 1:40, 1 user, load average: 0.25, 0.53, 0.51 USER TTY LOGIN@ IDLE JCPU PCPU WHAT emma pts/3 04:28 1:14m 0.04s 0.04s -bash Both commands list some of the same information. For example, one user (emma) is logged in with a pseudo TTY device (pts/3) and the time of login is 04:28. The w command lists more information, including the following: • The current time and how long the system has been up • How many users are connected • The load averages for the past 1, 5 and 15 minutes Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types Version: 2022-04-29     |     Licensed for Cyber School.     |     learning.lpi.org         |     353 And the additional information for each active user session. • Select, total CPU utilization times (IDLE, JCPU and PCPU) • The current process (-bash). The total CPU utilization time of that process is the last item (PCPU). Both commands have further options to list various, additional information.

Switching Users and Escalating Privilege
In an ideal world, users would never need to escalate privilege to complete their tasks. The system
would always “just work” and everything would be configured for various access.
Luckily for us, Linux—out-of-the-box—works like this for most users who are not system
administrators, despite always following the least privilege security model.
However, there are commands that allow for privilege escalation when needed. Two of the most
important ones are su and sudo.
On most Linux systems today, the su command is only used for escalating privileges to root, which
is the default user if a username is not specified after the command name. While it can be used to
switch to another user, it is not good practice: users should login from another system, over the
network, or physical console or terminal on the system.
emma ~$ su –
Password:
root ~#
After entering the superuser (root) password, the user has a superuser shell (notice the # at the end
of the command prompt) and is, for all intents and purposes, the superuser (root).
Sharing passwords is a very bad security practice, so there should be very few, if any, need for the su
command in a modern Linux system.
The dollar symbol ($) should terminate the command line prompt for a non-privileged user shell,
while the pound symbol (#) should terminate the command line prompt for the superuser (root)
shell prompt. It is highly recommend that final character of any prompt never be changed from this
“universally understood” standard, since this nomenclature is used in learning materials, including
these.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
354 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
WARNING
Never switch to the superuser (root) without passing the login shell (-)
parameter. Unless explicitly instructed otherwise by the OS or software
vendor when su is required, always execute su – with extremely limited
exceptions. User environments may cause undesirable configuration changes
and issues when used in full privilege mode as superuser.
What is the biggest issue with using su to switch to the superuser (root)? If a regular user’s session
has been compromised, the superuser (root) password could be captured. That’s where “Switch User
Do” (or “Superuser Do”) comes in:
$ cat /sys/devices/virtual/dmi/id/board_serial
cat: /sys/devices/virtual/dmi/id/board_serial: Permission denied
$ sudo cat /sys/devices/virtual/dmi/id/board_serial
[sudo] password for emma:
/6789ABC/
In the preceding listing, the user is attempting to look up the serial number of their system board.
However, the permission is denied, as that information is marked privileged.
However, using sudo, the user enters his own password to authenticate who he is. If he has been
authorized in the sudoers configuration to run that command with privilege, with the options
allowed, it will work.
TIP
By default, the first authorized sudo command will authenticate subsequent sudo
commands for a (very short) period of time. This is configurable by the system
administrator.
Access Control Files
Nearly all operating systems have a set of places used to store access controls. In Linux these are
typically text files located under the /etc directory, which is where system configuration files should
be stored. By default, this directory is readable by every user on the system, but writable only by
root.
The main files related to user accounts, attributes and access control are:
/etc/passwd
This file stores basic information about the users on the system, including UID and GID, home
directory, shell, etc. Despite the name, no passwords are stored here.
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 355
/etc/group
This file stores basic information about all user groups on the system, like group name and GID
and members.
/etc/shadow
This is where user passwords are stored. They are hashed, for security.
/etc/gshadow
This file stores more detailed information about groups, including a hashed password which lets
users temporarily become a member of the group, a list of users who can become a member of
the group at and time and a list of group administrators.
WARNING
These files are not designed to and should never be edited directly. This
lesson only covers the information stored in these files, and not editing these
files.
By default, every user can enter /etc and read the files /etc/passwd and /etc/group. And also by
default no user, except root, may read the files /etc/shadow or /etc/gshadow.
There are also files involved with basic privilege escalation on Linux systems, like on the commands
su and sudo. By default, these are only accessible by the root user.
/etc/sudoers
This file controls who can use the sudo command, and how.
/etc/sudoers.d
This directory may contain files that supplement the settings on the sudoers file.
From the standpoint of the LPI Linux Essentials exam, just know the path and filename of the default
sudo configuration file, /etc/sudoers. Its configuration is beyond the scope of these materials.
WARNING
Even though /etc/sudoers is a text file, it should never be edited directly. If
any changes to its contents are needed, they should be made using the visudo
utility.
/etc/passwd
The file /etc/passwd is commonly referred to as the “password file”. Each line contains multiple
fields always delimited by a colon (:). Despite the name, the actual one-way password hash is
nowadays not stored in this file.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
356 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
The typical syntax for a line on this file is:
USERNAME:PASSWORD:UID:GID:GECOS:HOMEDIR:SHELL
Where:
USERNAME
The username aka login (name), like root, nobody, emma.
PASSWORD
Legacy location of the password hash. Almost always x, indicating that the password is stored in
the file /etc/shadow.
UID
User ID (UID), like 0, 99, 1024.
GID
Default Group ID (GID), like 0, 99, 1024.
GECOS
A CSV list of user information including name, location, phone number. For example: Emma
Smith,42 Douglas St,555.555.5555
HOMEDIR
Path to the user’s home directory, like /root, /home/emma, etc.
SHELL
The default shell for this user, like /bin/bash, /sbin/nologin, /bin/ksh, etc.
For example, the following line describes the user emma:
emma:x:1000:1000:Emma Smith,42 Douglas St,555.555.5555:/home/emma:/bin/bash

Understanding the GECOS Field
The GECOS field contains three (3) or more fields, delimited by a comma (,), aka a list of Comma
Separated Values (CSV). Although there is no enforced standard, the fields are usually in the
following order:
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 357
NAME,LOCATION,CONTACT
Where:
NAME
is the user’s “Full Name”, or the “Software Name” in the case of a service account.
LOCATION
is usually the user’s physical location within a building, room number or the contact department
or person in the case of a service account.
CONTACT
lists contact information such as home or work telephone number.
Additional fields may include additional contact information, such as a home number or e-mail
address. To change the information on the GECOS field, use the chfn command and answer the
questions, like below. If no username is provided after the command name, you will change
information for the current user:
$ chfn
Changing the user information for emma
Enter the new value, or press ENTER for the default
Full Name: Emma Smith
Room Number []: 42
Work Phone []: 555.555.5555
Home Phone []: 555.555.6666
/etc/group
The /etc/group file contains fields always delimited by a colon (:), storing basic information about
the groups on the system. It is sometimes called the “group file”. The syntax for each line is:
NAME:PASSWORD:GID:MEMBERS
Where:
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
358 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
NAME
is the group name, like root, users, emma, etc.
PASSWORD
legacy location of an optional group password hash. Almost always x, indicating that the
password (if defined) is stored in the file /etc/gshadow.
GID
Group ID (GID), like 0, 99, 1024.
MEMBERS
a comma-separated list of usernames which are members of the group, like jsmith,emma.
The example below shows a line containing information about the students group:
students:x:1023:jsmith,emma
The user does not need to be listed in the members field when the group is the primary group for a
user. If a user is listed, then it is redundant—i.e., there is no change in functionality, listed or not.
NOTE
Use of passwords for groups are beyond the scope of this section, however if
defined the password hash is stored in the file /etc/gshadow. This is also beyond
the scope of this section.
/etc/shadow
The following table lists the attributes stored in the file /etc/shadow, commonly referred to as the
“shadow file”. The file contains fields always delimited by a colon (:). Although the file has many
fields, most are beyond the scope of this lesson, other than the first two.
The basic syntax for a line on this file is:
USERNAME:PASSWORD:LASTCHANGE:MINAGE:MAXAGE:WARN:INACTIVE:EXPDATE
Where:
USERNAME
The username (same as /etc/passwd), like root, nobody, emma.
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 359
PASSWORD
A one-way hash of the password, including preceding salt. For example: !!, !$1$01234567$ABC…,
$6$012345789ABCDEF$012….
LASTCHANGE
Date of the last password change in days since the “epoch”, such as 17909.
MINAGE
Minimum password age in days.
MAXAGE
Maximum password age in days.
WARN
Warning period before password expiration, in days.
INACTIVE
Maximum password age past expiration, in days.
EXPDATE
Date of password expiration, in days since the “epoch”.
In the example below you can see a sample entry from the /etc/shadow file. Note that some values,
like INACTIVE and EXPDATE are undefined.
emma:$6$nP532JDDogQYZF8I$bjFNh9eT1xpb9/n6pmjlIwgu7hGjH/eytSdttbmVv0MlyTMFgBIXESFNUm
To9EGxxH1OT1HGQzR0so4n1npbE0:18064:0:99999:7:::
The “epoch” of a POSIX system is midnight (0000), Universal Coordinate Time (UTC), on Thursday,
January 1st, 1970. Most POSIX dates and times are in either seconds since “epoch”, or in the case of
the file /etc/shadow, days since “epoch”.
NOTE
The shadow file is designed to be only readable by the superuser, and select, core
system authentication services that check the one-way password hash at login or
other authentication-time.
Although different authentication solutions exist, the elementary method of password storage is the
one-way hash function. This is done so the password is never stored in clear-text on a system, as the
hashing function is not reversible. You can turn a password into a hash, but (ideally) it is not
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
360 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
possible to turn a hash back into a password.
At most, a brute force method is required to hash all combinations of a password, until one matches.
To mitigate the issue of a password hash being cracked on one system, Linux systems use a random
“salt” on each password hash for a user. So the hash for a user password on one Linux system will
usually not be the same as on another Linux system, even if the password is the same.
In the file /etc/shadow, the password may take several forms. These forms typically include the
following:
!!
This means a “disabled” account (no authentication possible), with no password hash stored.
!$1$01234567$ABC…
A “disabled” account (due to the initial exclamation mark), with a prior hash function, hash salt
and hash string stored.
$1$0123456789ABC$012…
An “enabled” account, with a hash function, hash salt and hash string stored.
The hash function, hash salt and hash string are preceded and delimited by a dollar symbol ($). The
hash salt length must be between eight and sixteen (8-16) characters. Examples of the three most
common are as follows:
$1$01234567$ABC…
A hash function of MD5 (1), with an example hash length of eight.
$5$01234567ABCD$012…
A hash function of SHA256 (5), with an example hash length of twelve.
$6$01234567ABCD$012…
A hash function of SHA512 (6), with an example hash length of twelve.
NOTE
The MD5 hash function is considered cryptographically insecure with today’s
(2010s and later) level of ASIC and even general computing SIMD performance.
E.g., the US Federal Information Processing Standards (FIPS) does not allow MD5
to be used for any cryptographic functions, only very limited aspects of validation,
but not the integrity of digital signatures or similar purposes.
From the standpoint of the LPI Linux Essentials objectives and exam, just understand the password
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 361
hash for a local user is only stored in the file /etc/shadow which only select, authentication services
can read, or the superuser can modify via other commands.

Guided Exercises
1. Consider the following output of the id command:
$ id emma
uid=1000(emma) gid=1000(emma)
groups=1000(emma),4(adm),5(tty),10(uucp),20(dialout),27(sudo),46(plugdev)
In which files are the following attributes stored?
UID and GID
Groups
◦ Additionally, in which file is the user password stored?
2. Which of the following types of cryptography is used by default to store passwords locally on a
Linux system?
◦ Asymmetric
◦ One-way Hash
◦ Symmetric
◦ ROT13
3. If an account has a User ID (UID) enumerated under 1000, what type of account is this?
4. How can you get a list of the active logins in your system, and a count of them as well?
5. Using the grep command, we got the result below with information about the user emma.
$ grep emma /etc/passwd
emma:x:1000:1000:Emma Smith,42 Douglas St,555.555.5555,:/home/emma:/bin/ksh
Fill in the blanks of the chart with the appropriate information using the output of the previous
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 363
command.
Username
Password
UID
Primary GID
GECOS
Home Directory
Shell
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
364 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Explorational Exercises
1. Compare the results of last to w and who. What details are missing from each of the commands
compared to one another?
2. Try issuing the commands who and w -his.
◦ What information has been removed from the output of the w command with the “no
header” (-h) and “short” (-s) options?
◦ What information has been added in the output the w command with the “ip address” (-i)
option?
3. Which file is the file that stores a user account’s one-way password hash?
4. Which file contains the list of groups a user account is a member of? What logic could be used to
compile a list of a groups a user account is a member of?
5. One or more (1+) of the following files are not readable by regular, unprivileged users, by
default. Which ones?
◦ /etc/group
◦ /etc/passwd
◦ /etc/shadow
◦ /etc/sudoers
6. How would you change the current user’s login shell to the Korn Shell (/usr/bin/ksh) in noninteractive mode?
7. Why is the home directory of the root user not placed within /home directory?
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 365
Summary
In this lesson we have discovered the Linux user and group databases. We have learned the most
important properties of users and groups, including their names and their numeric IDs. We have also
investigated how password hashing works on Linux and how users are assigned to groups.
All of this information is stored in the following four files, which provide the most basic, local
security access controls on a Linux system:
/etc/passwd
All system-local user account POSIX attributes, other than password hash, readable by all.
/etc/group
All system-local group account POSIX attributes, readable by all.
/etc/shadow
All system-local user password hashes (and expiration information), unreadable by any (only
select processes).
/etc/sudoers
All system-local privilege escalation information/allowance by the sudo command.
The following commands were discussed in this lesson:
id
List real (or effective) user and group IDs.
last
List users who logged in last.
who
List users who are currently logged in.
w
Similar to who but with additional context.
su
Switch to another user with a login shell, or run commands as that user, by passing that user’s
password.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
366 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
sudo
Switch User (or Superuser) Do, if entitled, the current user enters their own password (if
required) to raise privilege.
chsh
Change a user’s shell.
chfn
Change the user’s information on the GECOS field.

Answers to Guided Exercises
1. Consider the following output of the id command:
$ id emma
uid=1000(emma) gid=1000(emma)
groups=1000(emma),4(adm),5(tty),10(uucp),20(dialout),27(sudo),46(plugdev)
In which files are the following attributes stored?
UID and GID /etc/passwd
Groups /etc/group
◦ Additionally, in which file is the user password stored?
The hashed user password is stored in /etc/shadow.
2. Which of the following types of cryptography is used by default to store passwords locally on a
Linux system?
By default, a one-way hash is used to store passwords.
3. If an account has a User ID (UID) enumerated under 1000, what type of account is this?
Accounts with a UID lower than 1000 generally are system accounts.
4. How can you get a list of the active logins in your system, and a count of them as well?
Use the w command. Besides a list of all active logins, it will also show information like how
many users are logged in, along the system load and uptime.
5. Using the grep command, we got the result below with information about the user emma.
$ grep emma /etc/passwd
emma:x:1000:1000:Emma Smith,42 Douglas St,555.555.5555,:/home/emma:/bin/ksh
Fill in the blanks of the chart with the appropriate information using the output of the previous
command.
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
368 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
Username emma
Password x – should always be x for a valid, active user
login
UID 1000
Primary GID 1000
GECOS Emma Smith,42 Douglas St,555.555.5555
Home Directory /home/emma
Shell /bin/ksh
Linux Essentials (Version 1.6) | 5.1 Basic Security and Identifying User Types
Version: 2022-04-29 | Licensed for Cyber School. | learning.lpi.org | 369
Answers to Explorational Exercises
1. Compare the results of last to w and who. What details are missing from each of the commands
compared to one another?
The w and who tools only list current users logged into the system, whereas last also lists users
that have disconnected. The w command lists system utilization, while who does not.
2. Try issuing the commands who and w -his.
◦ What information has been removed from the output of the w command with the “no
header” (-h) and “short” (-s) options?
The header is not printed, which is useful for parsing, and the login time and select CPU
information is not listed, respectively.
◦ What information has been added in the output the w command with the “ip address” (-i)
option?
This prints the IP address, instead of attempting DNS resolution, printing the hostname.
This option to w better matches the default output of the last command.
3. Which file is the file that stores a user account’s one-way password hash?
The file /etc/shadow stores a user account’s one-way password hash, since it is not readable by
a regular, unprivileged user account, unlike file /etc/passwd.
4. Which file contains the list of groups a user account is a member of? What logic could be used to
compile a list of a groups a user account is a member of?
The file /etc/group has a CSV list of usernames in the last field, “members”, of any line for a
group.
Any line in the file /etc/group where the user is listed in the final field, “members”, would mean
the user is a member of that group—assuming it is correctly formatted (CSV delimited).
Additionally, the user’s primary group membership in the /etc/passwd file will also have a
matching entry in the /etc/group file for both the group name and GID.
5. One or more (1+) of the following files are not readable by regular, unprivileged users, by
default. Which ones?
◦ /etc/group
◦ /etc/passwd
Linux Essentials (Version 1.6) | Topic 5: Security and File Permissions
370 | learning.lpi.org | Licensed for Cyber School. | Version: 2022-04-29
◦ /etc/shadow
◦ /etc/sudoers
The files /etc/shadow and /etc/sudoers are not readable by default, except by select
services or the superuser. These answers will be customized, based on the systems and
usernames used in the laboratory.
6. How would you change the current user’s login shell to the Korn Shell (/usr/bin/ksh) in noninteractive mode?
$ chsh -s /usr/bin/ksh
7. Why is the home directory of the root user not placed within /home directory?
Because the root account is required to troubleshoot and fix errors, which might include file
system issues related to the /home directory. In such cases, root should be fully functional even
when the /home file system is not available yet.