Linux+
Exam XK0-005
Copyright © 2022 CompTIA, Inc. All Rights Reserved. | CompTIA.org
CompTIA Linux+ XK0-005
Lesson 2
Administering Users and Groups
Objectives
• Manage user accounts.
• Manage group accounts.
• Configure privilege escalation.
• Troubleshoot user and group issues.
Lesson 2
Topic 2A
Manage User Accounts
User Configuration Files (slide 1)
/etc/passwd file
User Configuration Files (slide 2)
/etc/shadow file
Account Management Commands
• useradd – create user accounts in the /etc/passwd and /etc/shadow files
• usermod – modify existing user accounts
• userdel – delete existing user accounts
The useradd Command
• Options:
• -c comment (often used for full name)
• -e expire
• -D display default settings
The passwd Command
Key Demonstration: Create User and Set Password (slide 1)
Sign in to at least one system (either RH or Debian-based) and then
walk through the process of creating a user and setting a password.
Create a few more users with different options.
1. Display the contents of /etc/login.defs.
2. Create a user with useradd.
3. Create a user with useradd and define a non-default home directory.
4. Create a user with useradd and define a non-Bash shell.
(continued on next slide)
Key Demonstration: Create User and Set Password (slide 2)
(continued from previous slide)
5. Set a password for each new user by using the passwd command.
6. Create a user with adduser, pointing out the options available during the process and showing how a password is set.
7. Display the contents of the /etc/passwd file to show the new users.
8. Display the contents of the /etc/shadow file to show the hashed passwords.
Modify and Delete User Accounts
• usermod
• userdel
The chage Command
Options
• -l List the current password aging settings for an account
• -M Maximum days between password changes
• -m Minimum days between password changes
• -W Warning time for password expiration
• -E Set an account expiration date (the account is locked after that date)
Key Demonstration: Account Configuration Commands
Sign in to at least one system (either RH or Debian-based), then
display output of any of the following:
1. whoami
2. w
3. who
4. id
5. /etc/login.defs file
6. Password configurations with chage
Review Activity: User Account Management
1. Why are user passwords stored in the /etc/shadow file and not the /etc/passwd file?
2. What is the purpose of the /etc/skel directory?
3. Why might an administrator change a user's default shell?
Lab Activity
• Assisted Lab: Manage User Accounts
Lesson 2
Topic 2B
Manage Group Accounts
Group Configuration Files
/etc/group
Group Management Commands
• groupadd – create a group in the /etc/group file
• groupmod – modify an existing group
• groupdel – delete an existing group
Key Demonstration: Group Management (slide 1)
Sign in to at least one system (either RH or Debian-based), then
create several groups and display the /etc/group file contents.
The focus of this demo is group management. Adding users to the
group is in a later demonstration.
1. Sign in
2. Create a new group named sales - groupadd sales
3. Create a new group named marketing - groupadd marketing
4. Display the contents of /etc/group to show the two new groups - tail /etc/group
(continued on next slide)
Key Demonstration: Group Management (slide 2)
(continued from previous slide)
5. Modify the marketing group by changing its name to publicity - groupmod -n publicity marketing
6. Display the contents of /etc/group to show the renamed group - tail /etc/group
7. Delete the sales group - groupdel sales
8. Display the contents of /etc/group to show the sales group no longer exists
Add Users to a Group
• usermod -aG sales USERNAME
Key Demonstration: Add Members to Groups (slide 1)
Sign in to at least one system (either RH or Debian-based), then
create a group and add members to it. The focus of this demo is
adding users to groups; creating a group was covered in a previous
demonstration.
1. Sign in
2. Create a group named Labs - groupadd Labs
3. Display the contents of /etc/group to show there are no members listed for the Labs group
(continued on next slide)
Key Demonstration: Add Members to Groups (slide 2)
(continued from previous slide)
4. Add USER to the Labs group - usermod -aG Labs USER
5. Display the contents of /etc/group to show that USER is a member of Labs
6. Display information about the USER account to show group membership - id USER
Review Activity: Group Account Management
1. Suggest at least two ways to display group membership information.
2. What command adds a user to a group?
3. What is the result if an administrator forgets to add the -a option when adding a user to a group?
4. Why might a user be a member of multiple groups?
Lab Activity
• Assisted Lab: Manage Group Accounts
Lesson 2
Topic 2C
Configure Privilege Escalation
Root Users
• Do not log on as the root user
• Many distributions disable the root account
• Use su or sudo to elevate privileges, or “get root”
• Delegate tasks by configuring the /etc/sudoers file
Elevate Privileges with su Command
• su root – switches to the root user in the original user’s context.
• su – root – switches to the root user in the root user’s context.
• You must know the password for the account you’re switching to
(unless you are root).
Elevate Privileges with sudo Command
To create a user account using sudo:
• sudo useradd {username}
Configuration Examples for /etc/sudoers
Example 1
To grant full administrative privileges to a user, type
username ALL=(ALL:ALL) ALL
• The user will be prompted for their password. Be very careful with this level of delegation!
Example 2
To delegate the ability to execute shutdown commands without entering a password, type
SOMEUSER ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
• Assumes that SHUTDOWN_CMDS is aliased to all related options for the shutdown command
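An added example, not from the slides: a small Python audit of sudoers-style user specifications. It resolves Cmnd_Alias names the way Example 2 assumes (SHUTDOWN_CMDS must be defined as an alias) and flags NOPASSWD grants, full-root grants, and aliases the file never defines, which is the kind of mistake visudo's syntax check reports as "referenced but not defined". The sudoers text, user names and command paths are constructed.

```python
import re

# Constructed sample, not a real /etc/sudoers. Mirrors the two slide examples
# plus one entry that references an alias the file never defines.
SUDOERS = """\
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/poweroff
alice ALL=(ALL:ALL) ALL
bob   ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
carol ALL=(ALL) NOPASSWD: BACKUP_CMDS
"""

# user  host=(runas) [NOPASSWD:] command list
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?\s*(.+)$")


def audit(text):
    """Return one finding dict per user specification, in file order."""
    aliases, findings = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC.match(line)
        if not m:
            continue  # not a user specification in the subset this audit understands
        user, host, runas, nopasswd, cmds = m.groups()
        resolved, unresolved = [], []
        for c in (c.strip() for c in cmds.split(",")):
            if c == "ALL" or c.startswith("/"):
                resolved.append(c)           # literal command or the ALL keyword
            elif c in aliases:
                resolved.extend(aliases[c])  # expand the Cmnd_Alias
            else:
                unresolved.append(c)         # alias never defined: grants nothing
        findings.append({
            "user": user, "host": host, "runas": runas,
            "nopasswd": nopasswd is not None,
            "commands": resolved, "unresolved": unresolved,
            "full_root": "ALL" in resolved,  # Example 1 level of delegation
        })
    return findings


if __name__ == "__main__":
    for f in audit(SUDOERS):
        print(f)
```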
Key Demonstration: Elevate Privileges with sudo (slide 1)
Instructor - sign in to at least one system (either RH or Debian-based), then demonstrate the process of adding a user to the sudoers file and delegating the ability to issue the shutdown command to the system.
1. Log in
2. Get root privileges su - root
3. Select a user to delegate authority to, or create a new user with useradd
(continued on next slide)
Key Demonstration: Elevate Privileges with sudo (slide 2)
(continued from previous slide)
4. Open the /etc/sudoers file for editing with visudo
5. At the bottom of the file, add the following line:
SOMEUSER ALL=(ALL) NOPASSWD: SHUTDOWN_CMDS
6. Save changes and exit
7. (Optional) Switch to the delegated user and issue the shutdown -h now command
PolicyKit Configuration
Alternative delegation method to sudo
• More granular control via defined rules and actions
Examples of delegated tasks:
• Software management
• System shutdown or hibernation
• Configuration of network devices
• Device access
• Mounting and unmounting filesystems on removable media
Polkit Commands
• pkexec - allows an authorized user to execute an action
• pkaction - display details about an action
• pkcheck - display whether a process is authorized
• pkttyagent - provides a text-based authentication agent
Troubleshoot Privilege Escalation Issues
• User has switched user identities, but variables and other profile settings are not present.
• User fails to switch identities when using the su command.
• Sudo does not function as expected.
• Cannot exercise administrative privileges.
• User cannot run a command, even when the command is preceded by sudo.
Review Activity: Privilege Escalation
1. A developer at your organization needs the ability to reboot a test server, but their account's standard privileges do not permit this. The developer requests the system's root user password in order to use su to reboot the server. Is there a more secure option that aligns with the principle of least privilege?
2. How are the su root and su - root commands different?
3. You must delegate the shutdown -h privilege to SOMEUSER. What tool is used to modify the /etc/sudoers file, and what line must be added to that file?
4. Whose password must be entered with sudo? Whose password must be entered with su?
Lab Activity
• Assisted Lab: Configure and Troubleshoot Privilege Escalation
Lesson 2
Topic 2D
Troubleshoot User and Group Issues
Troubleshooting User Management Issues
• Only authorized users can manage groups
• root
• Users delegated the privileges with sudo
• Does the group exist?
• Check the /etc/passwd or /etc/group files to confirm
• Halt active user processes with sudo killall -u {username}
User Login Attempt Failures
1. Confirm the user has an account on the system by displaying the contents of /etc/passwd. If necessary, create an account for the user by using the useradd command.
2. If the account exists, confirm that a password is set. Display the contents of /etc/shadow and verify a hashed password exists. Use the passwd command to set a password if one did not exist.
3. If the account exists and a password is set, the user may have forgotten the correct password. Reset the password with the passwd command.
4. If the account exists and a password is set, the password may be expired. Reset the password by using the passwd command.
5. If the account exists and a password is set, the account may be locked. Unlock the account by using the chage command.
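The five steps above, applied as an added example (not from the slides) to constructed /etc/passwd and /etc/shadow lines: diagnose returns the first finding in the order the steps check things, reading the shadow aging fields that chage manages. User names, hashes and the fixed "today" day count are constructed; the example goes one step past the slide by also recognising a lock set with passwd -l or usermod -L, which appears as a ! in front of the hash.

```python
# Constructed sample data, not a real system's files.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash
"""
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (dates are days since 1970-01-01; hashes are placeholders)
SHADOW = """\
root:!:19000:0:99999:7:::
alice:$6$fakesalt$fakehash:19300:0:99999:7:::
bob::19300:0:99999:7:::
carol:$6$fakesalt$fakehash:19000:0:90:7:::
dave:$6$fakesalt$fakehash:19300:0:99999:7::19100:
"""
TODAY = 19400  # constructed day count so the checks are deterministic


def diagnose(user, passwd=PASSWD, shadow=SHADOW, today=TODAY):
    """Return the first finding, in the order of the troubleshooting steps."""
    # Step 1: does the account exist in /etc/passwd?
    if not any(line.split(":")[0] == user for line in passwd.splitlines()):
        return "no account: create it with useradd"
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] != user:
            continue
        hash_, last, _min, max_, _warn, _inact, expire = fields[1:8]
        # Step 2: an empty hash field means no password was ever set
        if hash_ == "":
            return "no password set: set one with passwd"
        # Lock from passwd -l / usermod -L: "!" (or "*") in front of the hash
        if hash_[0] in "!*":
            return "account locked: unlock with passwd -u or usermod -U"
        # Step 5: an expiry date in the past locks the account (managed with chage -E)
        if expire and int(expire) <= today:
            return "account expired: extend the date with chage -E"
        # Step 4: last change plus max days (chage -M) already passed
        if last and max_ and int(last) + int(max_) < today:
            return "password expired: reset with passwd"
        # Step 3: nothing wrong on disk, so the user probably forgot the password
        return "credentials valid: user may have forgotten the password, reset with passwd"
    return "no shadow entry for account"
```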
Reviewing the Login Process
1. The operating system boots and the kernel is loaded. Assume the system boots to the CLI. An authentication prompt is displayed.
2. The user enters a name and password combination. These are checked against the /etc/passwd and /etc/shadow files. Settings such as expired passwords and locked accounts are checked for at this point.
3. System and user profile files are processed, and the user is presented with an authenticated and customized environment.
Using User Login Commands
• lastlog – displays recent login information
• last – pulls login history information from /var/log/wtmp
• w – displays current logins to the system, including idle time
• who – displays current logins to the system
Key Demonstration: User Login Commands
Sign in to at least one system (either RH or Debian-based), then run
the following commands and discuss the output. Note that the
output can vary from system to system.
1. Run the last command.
2. Run the lastlog command.
3. Run the w command.
4. Run the who command and compare the results to the output from the w command.
Review Activity: User and Group Troubleshooting
1. List at least three scenarios where you might need records of who logged in to a Linux system.
2. Another administrator asks you to explain the value of editing the /etc/sudoers file with visudo rather than a traditional text editor. What is your response?
3. List at least three reasons a user account might be locked.
4. During a security audit it is discovered that a user does not have a password set. When you check the /etc/passwd file, the password field is properly populated with the x character. What file would actually display whether a password has been set for the user?
5. A user places sudo before a command, but the command still fails to run. What might be the cause?
6. An administrator asks you how to delegate Linux administrative privileges to a specific user. What group is used for such delegation?
CompTIA Linux+ XK0-005
Lesson 2
Summary