User and Group Management
In Linux, user and group management is the foundation of security and access control. It matters to system administrators, developers and anyone else who works on a Linux system.
Linux User System Basics
User Types
# The UID ranges below are the defaults from /etc/login.defs (UID_MIN, SYS_UID_MAX); check them on your distribution
# 1. Root user (UID 0)
# - The superuser; permission checks do not apply to it
# - Can do anything on the system
# 2. System users (UID 1-999)
# - For services and daemons
# - Cannot log in (locked password, nologin/false shell); exist only to own processes and files
# - Examples: www-data, mysql, docker, nginx
# 3. Regular users (UID 1000+)
# - Ordinary human accounts
# - Can log in, limited permissions
# - Have a home directory
User Information Files
# /etc/passwd - user account information (world-readable)
cat /etc/passwd
# Format: username:x:UID:GID:comment:home:shell
# The "x" means the password hash is kept in /etc/shadow
# /etc/shadow - password hashes and aging information (root access required)
sudo cat /etc/shadow
# Format: username:encrypted_password:last_change:min:max:warn:inactive:expire
# Date fields are days since 1970-01-01; a password field of "!" or "*" (or a hash prefixed with "!") means the account cannot log in with a password
# /etc/group - group information
cat /etc/group
# Format: groupname:x:GID:members
# /etc/gshadow - group passwords and group administrators (rarely used)
sudo cat /etc/gshadow
User Management Commands
User Account Creation
# useradd - create a new user (low-level tool; creates no home directory and leaves the password locked until passwd is run)
sudo useradd username # Basic user, no home directory
sudo useradd -m username # With home directory (populated from /etc/skel)
sudo useradd -m -s /bin/bash username # With a specific shell
sudo useradd -m -G sudo username # With supplementary group membership
# Advanced useradd options
sudo useradd -m -d /home/custom_home -s /bin/zsh -G sudo,docker -c "Full Name" username
sudo useradd -r system_user # System user (UID from the system range, no home directory)
sudo useradd -u 1500 username # With a specific UID
# adduser - interactive, policy-driven front end (Ubuntu/Debian)
sudo adduser username # Interactive mode (asks for password and full name)
sudo adduser --system system_user # System user
sudo adduser --no-create-home service_user # Without a home directory
User Account Modification
# usermod - modify an existing account (rename, UID and home-directory changes fail while the user has running processes)
sudo usermod -l newname oldname # Rename the account (the home directory keeps its old name)
sudo usermod -d /new/home -m username # Change the home directory (-m moves the contents)
sudo usermod -s /bin/zsh username # Change the login shell
sudo usermod -G sudo,docker username # Replace the supplementary group list (without -a, groups not listed are removed!)
sudo usermod -a -G newgroup username # Add a group (append; keeps existing groups)
sudo usermod -L username # Lock the password (prepends "!" to the hash); per usermod(8), also set -e 1 to block non-password logins such as SSH keys
sudo usermod -U username # Unlock the password
# Change the comment (GECOS) field
sudo usermod -c "New Full Name" username
sudo usermod -e 2024-12-31 username # Set an account expiry date (YYYY-MM-DD)
Password Management
# passwd - set or change a password
passwd # Your own password
sudo passwd username # Another user's password
sudo passwd -l username # Lock the password (prepends "!"; same effect as usermod -L)
sudo passwd -u username # Unlock the password
sudo passwd -d username # Delete the password (login with no password at all; do not use on network-reachable hosts)
sudo passwd -e username # Expire the password: force a change at the next login
# Password aging via passwd
sudo passwd -x 90 username # Maximum password age (90 days)
sudo passwd -n 7 username # Minimum password age (7 days)
sudo passwd -w 7 username # Warning period before expiry (days)
# chage - password aging (edits the same /etc/shadow fields, with more options)
sudo chage -l username # Show aging information
sudo chage -E 2024-12-31 username # Account expiry date
sudo chage -M 90 username # Maximum password age
sudo chage -m 7 username # Minimum password age
sudo chage -W 7 username # Warning period
# Defaults for new accounts come from PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs
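As an added example (not part of the original tutorial), the script below decodes constructed /etc/passwd and /etc/shadow records using the field layouts from the User Information Files section and the aging fields that passwd -x and chage -M set. It classifies each account by UID, interprets the password field (empty, locked, hash type) and computes the days until the password expires. The account names, hashes and the fixed "today" value are made up for the example; it reads only its own temporary files and needs no root.

```bash
#!/usr/bin/env bash
# Added example: decode constructed /etc/passwd and /etc/shadow records.
# All names, hashes and dates below are invented for the demonstration.

# Classify an account by UID using the default ranges from the text
# (UID_MIN=1000 / SYS_UID_MAX=999 are the usual /etc/login.defs defaults).
classify_uid() {
    local uid=$1
    if [ "$uid" -eq 0 ]; then echo root
    elif [ "$uid" -lt 1000 ]; then echo system
    else echo regular
    fi
}

# Interpret field 2 of a shadow record.
shadow_state() {
    local hash=$1
    case "$hash" in
        '')       echo 'EMPTY (login without password)' ;;
        '!'|'*')  echo 'locked, no password set' ;;
        '!'*)     echo 'locked (passwd -l / usermod -L)' ;;
        '$6$'*)   echo 'sha512crypt hash' ;;
        '$y$'*)   echo 'yescrypt hash' ;;
        '$5$'*)   echo 'sha256crypt hash' ;;
        '$1$'*)   echo 'md5crypt hash (weak)' ;;
        *)        echo 'other/unknown' ;;
    esac
}

# Days until the password must be changed, from shadow field 3 (last_change)
# and field 5 (max). "today" is passed in as days since 1970-01-01 so the
# result is reproducible; negative means already expired, "never" when max
# is empty or 99999.
days_until_password_expiry() {
    local last_change=$1 max=$2 today=$3
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return; fi
    echo $(( last_change + max - today ))
}

# Walk a shadow file ($1) with its passwd file ($2) and print one line per account.
report_shadow() {
    local shadow=$1 passwd=$2 today=$3
    local name hash last min max warn inactive expire uid
    while IFS=: read -r name hash last min max warn inactive expire _; do
        uid=$(awk -F: -v n="$name" '$1 == n {print $3}' "$passwd")
        printf '%-10s %-8s %-36s expiry: %s\n' "$name" "$(classify_uid "$uid")" \
            "$(shadow_state "$hash")" "$(days_until_password_expiry "$last" "$max" "$today")"
    done < "$shadow"
}

# Constructed sample data (not copied from any real system).
demo() {
    local tmp; tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$tmp/shadow" <<'EOF'
root:!:19700::::::
www-data:*:19700::::::
alice:$6$saltsalt$FAKEHASHFORDEMO:19800:7:90:7:::
bob::19700:0:99999:7:::
EOF
    report_shadow "$tmp/shadow" "$tmp/passwd" 19900   # "today" = day 19900
    rm -rf "$tmp"
}
demo
```

In the sample, alice's password (last changed on day 19800, max age 90) shows as expired 10 days ago, while bob's empty password field is the finding the audit script later in this page looks for.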
User Account Deletion
# userdel - delete a user
sudo userdel username # Delete the user, keep the home directory
sudo userdel -r username # Delete the user together with the home directory and mail spool
sudo userdel -f username # Force deletion even while the user is logged in (running processes survive)
# Files the account owns outside its home keep the orphaned numeric UID; a later account given the same UID inherits them
# deluser - alternative (Ubuntu/Debian)
sudo deluser username # Delete the user
sudo deluser --remove-home username # With home directory
sudo deluser --remove-all-files username # With every file the user owns on the system
Group Management
Group Information
# Listing groups
groups # Your own groups
groups username # A user's groups
id username # Detailed UID/GID information
getent group # All groups (also from LDAP/SSSD sources, unlike reading /etc/group directly)
getent group groupname # A specific group
# Checking group membership (the trailing colon avoids matching groupname2 as well)
grep "^groupname:" /etc/group
members groupname # Group members (Debian "members" package, if installed)
Group Creation and Management
# groupadd - create a new group
sudo groupadd groupname # Basic group
sudo groupadd -g 2000 groupname # With a specific GID
sudo groupadd -r system_group # System group (GID from the system range)
# groupmod - modify a group
sudo groupmod -n newname oldname # Rename a group
sudo groupmod -g 3000 groupname # Change the GID (files keep the old numeric GID; chgrp them afterwards)
# groupdel - delete a group
sudo groupdel groupname # Delete the group (refused while it is any user's primary group)
Group Membership Management
# Adding a user to a group
sudo usermod -a -G groupname username # Append mode (recommended)
sudo usermod -G group1,group2 username # Set the exact list (every other supplementary group is removed)
# Removing a user from a group
sudo gpasswd -d username groupname # Remove from group
sudo deluser username groupname # Alternative (Ubuntu/Debian)
# Changing the primary group
sudo usermod -g groupname username # Change the primary group
# Membership changes apply to new login sessions only; for the current shell:
newgrp groupname # Start a subshell with groupname as the primary group
Advanced User Management
User Templates and Defaults
# /etc/skel - template for new home directories (copied by useradd -m)
ls -la /etc/skel/ # Default files for new users
sudo cp .bashrc /etc/skel/ # Add a file to the template (copies .bashrc from the current directory)
# /etc/default/useradd - useradd defaults
cat /etc/default/useradd
sudo useradd -D # Show the current defaults
sudo useradd -D -s /bin/zsh # Change the default shell
sudo useradd -D -e 2024-12-31 # Default account expiry date
User Environment
# Per-user environment files (user-writable, so never source them from privileged scripts)
~/.bashrc # Bash configuration for interactive shells
~/.profile # Shell-independent login profile
~/.bash_profile # Bash login profile (if present, bash skips ~/.profile)
~/.bash_logout # Run on logout
# Global environment
/etc/profile # System-wide login profile
/etc/bash.bashrc # System-wide bashrc (Debian/Ubuntu)
/etc/environment # Environment variables (read by pam_env; not a shell script)
/etc/profile.d/ # Additional profile scripts
Security and Permissions
# User permissions
ls -la /home/username/ # Home directory permissions
sudo ls -la /home/username/ # View as root
# umask - bits removed from the default mode of new files (666) and directories (777)
umask # Current umask
umask 022 # Set umask (directories 755, files 644)
umask 077 # Restrictive umask (700/600)
# File ownership
sudo chown username:groupname file # Change owner and group
sudo chown username file # Owner only
sudo chown :groupname file # Group only
sudo chown -R username:group directory/ # Recursive
# sudo access
sudo visudo # Edit /etc/sudoers with syntax checking (never edit the file directly)
sudo usermod -a -G sudo username # Add to the sudo group (Ubuntu/Debian)
sudo usermod -a -G wheel username # Add to the wheel group (CentOS/RHEL)
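Added example, not from the original page: the two umask claims above (022 gives 644/755, 077 gives 600/700) and the SGID inheritance that the shared-directory scenarios below rely on can be verified in a throwaway directory without root. The functions create a file and a directory under a chosen umask, and a subdirectory inside a 2770 parent, and report the resulting octal modes. GNU stat (the -c %a format) is assumed.

```bash
#!/usr/bin/env bash
# Added example: observe what umask and the SGID bit actually do, in a
# temporary directory. Nothing here touches real home directories.

# Octal mode of a new file ($2 = file) or directory ($2 = dir) created under
# umask $1. The umask is changed inside a subshell, so the caller's is untouched.
mode_with_umask() {
    local tmp; tmp=$(mktemp -d)
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$tmp/d"; stat -c %a "$tmp/d"
      else : > "$tmp/f"; stat -c %a "$tmp/f"; fi )
    rm -rf "$tmp"
}

# Mode of a subdirectory created inside an SGID (2770) parent under umask $1.
# Linux copies the parent's group and the setgid bit onto new subdirectories,
# which is what "chmod g+s" on a shared project directory relies on.
child_mode_under_sgid_parent() {
    local tmp; tmp=$(mktemp -d)
    chmod 2770 "$tmp"
    ( umask "$1"; mkdir "$tmp/child" )
    stat -c %a "$tmp/child"
    rm -rf "$tmp"
}

# Print the table the text states, plus the SGID inheritance case.
for u in 022 027 077; do
    printf 'umask %s: file %s  dir %s\n' "$u" \
        "$(mode_with_umask "$u" file)" "$(mode_with_umask "$u" dir)"
done
printf 'subdirectory of a 2770 directory, umask 022: %s\n' "$(child_mode_under_sgid_parent 022)"
```

The last line prints 2755: the 755 comes from 777 minus the umask, the leading 2 is the inherited setgid bit. Files created in such a directory inherit the group but not the setgid bit, so "chmod -R g+w" on a shared tree still has to be repeated for files that arrive with a restrictive umask.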
Practical Scenarios
1. Web Server User Setup
#!/bin/bash
# Web server user setup
# Create the web server account: system user, no login shell, no home directory created
sudo useradd -r -s /bin/false -d /var/www -M www-user
# Create the web directory. root owns it and the server only reads it: a server that can
# write its own document root turns any upload or RCE bug into a persistent web shell
sudo mkdir -p /var/www/html
sudo chown root:root /var/www/html
sudo chmod 755 /var/www/html
# Group for the developers who deploy content (the web server user is deliberately not a member)
sudo groupadd webdev
# Add developer users to the group
sudo usermod -a -G webdev developer1
sudo usermod -a -G webdev developer2
# Group permissions on the web directory: developers write, www-user reads through the "other" bits
sudo chgrp -R webdev /var/www/html
sudo chmod -R g+w /var/www/html
sudo find /var/www/html -type d -exec chmod g+s {} + # SGID on every directory so new files inherit the group
2. Database Service User
#!/bin/bash
# Database service user setup
# Create the MySQL account (distribution packages normally do this; shown for a manual install)
sudo useradd -r -s /bin/false -d /var/lib/mysql -M mysql
# Data directory: only the service account may enter it
sudo mkdir -p /var/lib/mysql
sudo chown mysql:mysql /var/lib/mysql
sudo chmod 700 /var/lib/mysql
# Log directory
sudo mkdir -p /var/log/mysql
sudo chown mysql:mysql /var/log/mysql
sudo chmod 750 /var/log/mysql
# Configuration file: root owns it, the service can only read it (it may hold credentials)
sudo chown root:mysql /etc/mysql/my.cnf
sudo chmod 640 /etc/mysql/my.cnf
3. Application Service User
#!/bin/bash
# Application service user setup
APP_NAME="myapp"
APP_USER="$APP_NAME"
APP_GROUP="$APP_NAME"
APP_HOME="/opt/$APP_NAME"
# Create the group and the service account (no interactive shell: a service never logs in)
sudo groupadd -r "$APP_GROUP"
sudo useradd -r -g "$APP_GROUP" -d "$APP_HOME" -s /usr/sbin/nologin "$APP_USER"
# Application directory layout
sudo mkdir -p "$APP_HOME"/{bin,config,logs,data,tmp}
sudo chown -R "$APP_USER:$APP_GROUP" "$APP_HOME"
# Permissions
sudo chmod 755 "$APP_HOME"
sudo chmod 750 "$APP_HOME"/{config,logs,data}
sudo chmod 755 "$APP_HOME"/bin # Ideally root-owned as well, so a compromised app cannot replace its own binaries
sudo chmod 1770 "$APP_HOME"/tmp # Sticky bit; group-writable only, there is no reason for world write
# Log rotation (unquoted EOF so the variables expand when the file is written)
sudo mkdir -p /etc/logrotate.d/
cat << EOF | sudo tee /etc/logrotate.d/$APP_NAME
$APP_HOME/logs/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 $APP_USER $APP_GROUP
    postrotate
        systemctl reload $APP_NAME 2>/dev/null || true
    endscript
}
EOF
4. Development Team Setup
#!/bin/bash
# Development team user management
PROJECT="webapp"
DEVELOPERS=("alice" "bob" "charlie" "diana")
# Create the project group
sudo groupadd "dev-$PROJECT"
# Project directory
sudo mkdir -p "/opt/projects/$PROJECT"
sudo chgrp "dev-$PROJECT" "/opt/projects/$PROJECT"
sudo chmod 2775 "/opt/projects/$PROJECT" # SGID: new files and subdirectories inherit the group
# Create and set up the developer accounts
for dev in "${DEVELOPERS[@]}"; do
    echo "Setting up user: $dev"
    # Create the user if it does not exist yet
    if ! id "$dev" &>/dev/null; then
        sudo useradd -m -s /bin/bash -G "dev-$PROJECT" "$dev"
        echo "User $dev created"
    else
        sudo usermod -a -G "dev-$PROJECT" "$dev"
        echo "Added $dev to dev-$PROJECT group"
    fi
    # SSH directory (with StrictModes, sshd ignores authorized_keys if these modes are looser)
    sudo mkdir -p "/home/$dev/.ssh"
    sudo chmod 700 "/home/$dev/.ssh"
    sudo chown "$dev:$dev" "/home/$dev/.ssh"
    # bashrc customization (guarded so re-running the script does not append duplicates)
    if ! sudo grep -q "PROJECT_ROOT=/opt/projects/$PROJECT" "/home/$dev/.bashrc"; then
        echo "export PROJECT_ROOT=/opt/projects/$PROJECT" | sudo tee -a "/home/$dev/.bashrc" >/dev/null
        echo "alias cdproject='cd \$PROJECT_ROOT'" | sudo tee -a "/home/$dev/.bashrc" >/dev/null
    fi
done
# Shared resources (subdirectories created inside the SGID directory inherit its group and setgid bit)
sudo mkdir -p "/opt/projects/$PROJECT"/{src,docs,scripts,config}
sudo chown -R "root:dev-$PROJECT" "/opt/projects/$PROJECT"
sudo chmod -R g+w "/opt/projects/$PROJECT"
5. System Maintenance User
#!/bin/bash
# System maintenance user setup
MAINT_USER="maintenance"
MAINT_GROUP="maintenance"
# Create the maintenance user
sudo groupadd "$MAINT_GROUP"
sudo useradd -m -g "$MAINT_GROUP" -s /bin/bash "$MAINT_USER"
# Limited sudo privileges. Two rules when writing these:
# - use the binary paths that "command -v systemctl" etc. report on this host
# - be careful with wildcards in arguments: sudoers(5) matches the arguments as one concatenated
#   string, so "*" also matches spaces and "/usr/bin/tail -f /var/log/*" would permit
#   "sudo tail -f /var/log/syslog /etc/shadow". A wildcard in a find(1) rule likewise lets the
#   caller smuggle in "-exec /bin/sh". Fixed arguments, or a root-owned wrapper script, avoid this.
cat << 'EOF' | sudo tee "/etc/sudoers.d/$MAINT_USER"
# Maintenance user privileges
# The trailing * permits restarting/reloading any unit (and extra systemctl options); narrow it to the units this role manages
maintenance ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart *, /usr/bin/systemctl reload *
maintenance ALL=(ALL) NOPASSWD: /usr/bin/tail -n 100 /var/log/syslog, /usr/bin/tail -n 100 /var/log/auth.log
maintenance ALL=(ALL) NOPASSWD: /usr/bin/df -h, /usr/bin/du -sh /var/log, /usr/bin/free -h
maintenance ALL=(ALL) NOPASSWD: /usr/local/sbin/purge-old-logs
EOF
sudo chmod 440 "/etc/sudoers.d/$MAINT_USER" # tee leaves 0644; sudo rejects files that are not 0440
sudo visudo -cf "/etc/sudoers.d/$MAINT_USER" # Syntax check; a broken drop-in breaks sudo for everyone
# The log-cleanup logic lives in a root-owned script, so the find arguments cannot be altered by the caller
cat << 'EOF' | sudo tee /usr/local/sbin/purge-old-logs
#!/bin/bash
find /var/log -name "*.log" -mtime +7 -delete
EOF
sudo chmod 755 /usr/local/sbin/purge-old-logs
# Maintenance scripts directory
sudo mkdir -p "/home/$MAINT_USER/scripts"
sudo chown "$MAINT_USER:$MAINT_GROUP" "/home/$MAINT_USER/scripts"
# Log monitoring script (uses only the commands granted above; tail -f would never return)
cat << 'EOF' | sudo tee "/home/$MAINT_USER/scripts/monitor-logs.sh"
#!/bin/bash
# Log monitoring script
echo "=== System Log Summary - $(date) ==="
echo "Recent errors:"
sudo tail -n 100 /var/log/syslog | grep -i error | tail -n 5
echo -e "\nDisk usage:"
df -h | grep -vE '^Filesystem|tmpfs|udev'
echo -e "\nMemory usage:"
free -h
echo -e "\nTop processes by CPU:"
ps aux --sort=-pcpu | head -n 6
EOF
sudo chmod +x "/home/$MAINT_USER/scripts/monitor-logs.sh"
sudo chown "$MAINT_USER:$MAINT_GROUP" "/home/$MAINT_USER/scripts/monitor-logs.sh"
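Added example (not part of the original scenario): the wildcard pitfall noted in the comments above, emulated with a shell glob. sudoers(5) states that command-line arguments are matched as a single concatenated string, so a `*` matches across word boundaries; the function joins an argv the way sudo does and tests it against a rule's argument pattern. It never calls sudo and assumes nothing about the host; the two rule patterns are the ones from the scenario.

```bash
#!/usr/bin/env bash
# Added example: why wildcards in sudoers command arguments over-grant.
# Emulates the documented matching rule (arguments joined by single spaces,
# then glob-matched as one string). No sudo is invoked.

# Return 0 if the argument list (everything after the pattern) would satisfy
# the sudoers argument pattern in $1.
sudoers_args_match() {
    local pattern=$1; shift
    local joined="$*"          # sudo flattens argv with single spaces
    # shellcheck disable=SC2254  # the unquoted expansion is meant to be a glob
    case "$joined" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Human-readable wrapper for the demonstration below.
check() {
    local pattern=$1; shift
    if sudoers_args_match "$pattern" "$@"; then
        printf 'ALLOWED  tail %s\n' "$*"
    else
        printf 'denied   tail %s\n' "$*"
    fi
}

echo '--- rule: /usr/bin/tail -f /var/log/* ---'
check '-f /var/log/*' -f /var/log/syslog                 # the intended use
check '-f /var/log/*' -f /var/log/syslog /etc/shadow     # extra file slips through: "*" matched "syslog /etc/shadow"

echo '--- rule: /usr/bin/tail -n 100 /var/log/syslog ---'
check '-n 100 /var/log/syslog' -n 100 /var/log/syslog
check '-n 100 /var/log/syslog' -n 100 /var/log/syslog /etc/shadow
check '-n 100 /var/log/syslog' -n 1000 /var/log/syslog
```

The same mechanism is why the original `find /var/log -name "*.log" ...` rule is unsafe: the `*` inside the name pattern can absorb `a -exec /bin/sh ; -o -name b`, and find happily runs the shell as root. Moving the find into a root-owned script with no caller-supplied arguments, as the scenario above does, removes the problem.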
User Monitoring and Auditing
Active User Monitoring
# Who is online
who # Currently logged-in users
w # Detailed user activity
users # Plain list of logged-in users
last # Login history (from /var/log/wtmp)
last username # Login history for one user
lastlog # Last login of every account
# Failed login attempts
sudo lastb # Bad login attempts (/var/log/btmp)
sudo grep "Failed password" /var/log/auth.log | tail -n 10 # Debian/Ubuntu; RHEL logs to /var/log/secure, or use journalctl _COMM=sshd
# User processes
ps aux | grep "^username" # A user's processes (ps aux truncates names longer than 8 characters; ps -u username is exact)
pgrep -u username # Process IDs by user
pkill -u username # Kill all of a user's processes (be careful!)
User Resource Usage
# Disk usage by user
sudo du -sh /home/* # Home directory sizes
sudo find / -xdev -user username -type f -printf '%s\n' | awk '{sum += $1} END {print sum/1024/1024 " MB"}' # Everything the user owns, without spawning ls per file
# CPU and memory totals per user (NR > 1 skips the header line)
ps aux | awk 'NR > 1 {user[$1] += $3; mem[$1] += $4} END {for (u in user) printf "%-10s CPU: %6.2f%% MEM: %6.2f%%\n", u, user[u], mem[u]}'
# Login frequency (drop reboot records and the trailing "wtmp begins" line)
last | awk 'NF && $1 != "reboot" && $1 != "wtmp" {print $1}' | sort | uniq -c | sort -nr | head -n 10
User Security Audit
#!/bin/bash
# User security audit script
echo "=== User Security Audit - $(date) ==="
echo "=== Users with empty passwords ==="
sudo awk -F: '$2 == "" {print $1}' /etc/shadow
echo "=== Duplicate UIDs (two account names sharing one UID) ==="
awk -F: '{print $3}' /etc/passwd | sort -n | uniq -d | while read -r dup; do
    awk -F: -v u="$dup" '$3 == u {printf "%s ", $1} END {print "share UID " u}' /etc/passwd
done
echo "=== Users with UID 0 (root privileges) ==="
awk -F: '$3 == 0 {print $1}' /etc/passwd
echo "=== Users with non-standard shells ==="
awk -F: '$7 !~ /\/(bash|sh|zsh|csh|tcsh|nologin|false)$/ {print $1, $7}' /etc/passwd
echo "=== Home directories with wrong ownership ==="
while IFS=: read -r username _ uid gid _ homedir shell; do
    if [[ $uid -ge 1000 && $uid -ne 65534 && -d "$homedir" ]]; then
        owner=$(stat -c "%U" "$homedir" 2>/dev/null)
        if [[ "$owner" != "$username" && "$owner" != "root" ]]; then
            echo "$homedir owned by $owner, should be $username"
        fi
    fi
done < /etc/passwd
echo "=== World-writable home directories ==="
find /home -mindepth 1 -maxdepth 1 -type d -perm -002 2>/dev/null
echo "=== Users without home directories (nobody, UID 65534, is skipped) ==="
while IFS=: read -r username _ uid _ _ homedir _; do
    if [[ $uid -ge 1000 && $uid -ne 65534 && ! -d "$homedir" ]]; then
        echo "$username: $homedir does not exist"
    fi
done < /etc/passwd
echo "=== Users with sudo access via group (also review /etc/sudoers and /etc/sudoers.d for per-user rules) ==="
getent group sudo wheel 2>/dev/null | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
echo "=== Recent failed login attempts (user and source) ==="
sudo grep "Failed password" /var/log/auth.log 2>/dev/null | tail -n 10 | grep -oE 'for (invalid user )?[^ ]+ from [^ ]+'
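Added example, not from the original audit script: counting failed logins by fixed awk field positions breaks because "Failed password for root from ..." and "Failed password for invalid user admin from ..." put the user name and address in different columns. The functions below locate the keywords instead, aggregate failures per source IP and per (IP, user), and flag sources above a threshold. The log lines are constructed for the example in Debian auth.log format; on a real host pipe `sudo cat /var/log/auth.log` into the same functions.

```bash
#!/usr/bin/env bash
# Added example: per-source aggregation of sshd "Failed password" events.
# The log lines further down are constructed; the two message shapes
# (existing user, "invalid user") are the ones OpenSSH writes.

# Read auth.log-style lines on stdin; print "count ip", highest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i+1)]++
         }
         END { for (a in ip) print ip[a], a }' | sort -rn
}

# Same, keyed by (ip, user); "invalid user NAME" is marked so that probing of
# non-existent accounts is distinguishable from password guessing on real ones.
failed_logins_by_ip_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            u = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  u = ($(i+1) == "invalid") ? $(i+3) " (invalid)" : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            c[src " " u]++
         }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Source addresses with at least $1 failures (candidate brute-force sources).
brute_force_sources() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24).
SAMPLE_LOG='Jun 10 10:01:02 host sshd[1200]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jun 10 10:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Jun 10 10:01:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Jun 10 10:02:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:abc
Jun 10 10:05:00 host sshd[1220]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jun 10 10:05:30 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

echo '--- failures per source and user ---'
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip_user
echo '--- sources with 3 or more failures ---'
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
```

On the sample, 203.0.113.5 is reported with three failures (one against root, two against the non-existent admin account) and is the only source over the threshold; the accepted key login and the sudo line are ignored because they do not match the sshd failure pattern.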
Best Practices
1. User Creation Standards
# Script: create-user.sh
#!/bin/bash
create_standard_user() {
    local username=$1
    local fullname=$2
    local groups=$3
    # Validation: lower-case letters, digits, underscore and hyphen, not starting with a digit or hyphen
    if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
        echo "Error: invalid or missing username"
        return 1
    fi
    # Check whether the user already exists
    if id "$username" &>/dev/null; then
        echo "Error: User $username already exists"
        return 1
    fi
    # Create the user; -m copies /etc/skel (including .bashrc) into the new home directory
    sudo useradd -m -s /bin/bash -c "$fullname" "$username"
    # Add to supplementary groups (append, so nothing already granted is lost)
    if [[ -n "$groups" ]]; then
        sudo usermod -a -G "$groups" "$username"
    fi
    # A freshly created account has a locked password and cannot log in: set an initial
    # password interactively, then expire it so it must be changed at first login
    sudo passwd "$username"
    sudo passwd -e "$username"
    echo "User $username created successfully"
    echo "Groups: $(groups "$username")"
    echo "Home: /home/$username"
}
# Usage
create_standard_user "johndoe" "John Doe" "users,developers"
2. Automated User Cleanup
#!/bin/bash
# cleanup-inactive-users.sh
# Locks (never deletes) regular accounts with no login in the last $INACTIVE_DAYS days.
# Deletion is left to a human: deleting every account that "never logged in" would also
# remove accounts created yesterday, and files owned by a deleted UID become orphans.
INACTIVE_DAYS=90
DRY_RUN=true # Set to false to actually lock accounts
echo "=== Inactive User Cleanup - $(date) ==="
echo "Looking for users inactive for more than $INACTIVE_DAYS days"
today=$(( $(date +%s) / 86400 ))
# lastlog -b N lists accounts whose last login is older than N days, including those that never logged in
lastlog -b "$INACTIVE_DAYS" | tail -n +2 | awk '{print $1}' | while read -r username; do
    uid=$(id -u "$username" 2>/dev/null) || continue
    # Skip system accounts and nobody
    [[ $uid -lt 1000 || $uid -eq 65534 ]] && continue
    # Skip accounts that are already locked (passwd -S prints L in the second column)
    if sudo passwd -S "$username" | awk '{exit $2 != "L"}'; then
        continue
    fi
    # Skip accounts younger than the threshold: shadow field 3 (password last changed, days
    # since the epoch) is set by useradd at creation time
    last_change=$(sudo awk -F: -v u="$username" '$1 == u {print $3}' /etc/shadow)
    if [[ -n "$last_change" && $(( today - last_change )) -lt $INACTIVE_DAYS ]]; then
        continue
    fi
    last_login=$(lastlog -u "$username" | tail -n 1 | sed 's/^[^ ]*  *//')
    echo "Inactive: $username (lastlog: $last_login)"
    if [[ "$DRY_RUN" == "false" ]]; then
        sudo usermod -L -e 1 "$username" # Lock the password and expire the account, which also blocks SSH-key logins
        echo " -> Locked"
    else
        echo " -> Would lock (dry run)"
    fi
done
3. Group Access Management
#!/bin/bash
# manage-group-access.sh
# Access is granted through the project group; the per-user ACLs are an extra for users whose
# group membership cannot take effect (they require the acl package and a filesystem mounted
# with ACL support, the default on ext4 and xfs).
PROJECT_GROUP="project-alpha"
PROJECT_DIR="/opt/projects/alpha"
# Add a user to the project
add_to_project() {
    local username=$1
    if ! id "$username" &>/dev/null; then
        echo "Error: User $username does not exist"
        return 1
    fi
    # Add to the group (takes effect at the user's next login)
    sudo usermod -a -G "$PROJECT_GROUP" "$username"
    # Named-user ACL on the directory, plus a default ACL so new entries inherit it
    if [[ -d "$PROJECT_DIR" ]]; then
        sudo setfacl -m u:"$username":rwx "$PROJECT_DIR"
        sudo setfacl -d -m u:"$username":rwx "$PROJECT_DIR"
    fi
    echo "Added $username to $PROJECT_GROUP project"
}
# Remove a user from the project
remove_from_project() {
    local username=$1
    # Remove from the group (open sessions keep the group until the user logs out)
    sudo gpasswd -d "$username" "$PROJECT_GROUP"
    # Remove the ACL entries everywhere: files and subdirectories created after add_to_project
    # inherited the user's entry, so removing it from the top directory alone would leave access in place
    if [[ -d "$PROJECT_DIR" ]]; then
        sudo setfacl -R -x u:"$username" "$PROJECT_DIR"
        sudo find "$PROJECT_DIR" -type d -exec setfacl -d -x u:"$username" {} +
    fi
    echo "Removed $username from $PROJECT_GROUP project"
}
# Usage examples
# add_to_project "newdev"
# remove_from_project "olddev"
This tutorial covers the essential and advanced material on user and group management that Linux system administration requires. It applies to any Linux environment: servers, workstations and development machines.