Webmin Control Panel (eApps) - Managing Users and Groups

24/09/2010 10:48 AM

Applicable Plans - eApps Cloud Hosting Plans (eApps templates only)

User Guide - Managing Users and Groups in the Control Panel

Overview

The operating system Template that is used to create the Virtual Machine is already populated with the required system users, and also includes the webadmin user that can be used to manage any web sites. You can also add additional users if you have multiple people managing multiple web sites, and you want to keep those users and their content separate from each other.

The Control Panel is used to add new users to the system. It allows you to create the users, assign them to multiple groups, and also control their passwords and login ability.

To add and manage users in the Control Panel, you will first need to log in to the Control Panel. See the User Guide - Using the Control Panel http://support.eapps.com/control_panel_eapps/control_panel for more information.

Adding and Editing Users in the Control Panel
Adding a user
Editing (modifying) existing users

Editing the webadmin user

Adding and editing groups in the Control Panel
Adding a group
Editing existing groups in the Control Panel

Links to other information


Adding and Editing Users in the Control Panel

To add a new user or group, or to modify an existing user or group, click on the Users and Groups icon from the main System screen.

NOTE - advanced users can add, modify and delete users and groups from the command line. See the useradd and groupadd commands for more information.

WARNING - Unless you are absolutely, positively, 1000% sure that it is safe to remove a user, then DO NOT, under any circumstances, remove that user. The majority of the users shown on the Users and Groups screen are what are known as system users, and are needed by the operating system to perform system functions. Removing one of these users can cause your system to no longer work correctly, or crash completely to the point where the only way to recover is to completely rebuild the server. Any user with a User ID of less than 500 should never be removed.

You have been warned - any assistance requested to help recover a system that has crashed due to system users or groups being removed will be billable at $90 an hour.

Generally, the only users it is moderately safe to remove are ones that you have added yourself, and even then you need to make sure that the user is not being used by any site or script before removing them.

Adding a user

When you click on the Users and Groups icon, you are taken to the main Users and Groups page, which defaults to showing the Local Users.

To add a new user, click on Create a new user.

This brings you to the Create User screen, with the following options - User Details, Password Options, Group Membership and Upon Creation.

User Details

The User Details section is where the username, shell and password are configured.

  • Username - the username is in lowercase, with alphanumeric characters (letters and numbers), and anywhere from 6 to 10 characters in length. Most modern Linux distros allow you to use up to 128 characters in a username, however 8 characters is the general standard for a username.

  • User ID - the users created through the Control Panel will be non-system users, and their User IDs will be greater than 500. Unless you know exactly what you are doing and why, there is no need to change the User ID from the default of Automatic.

  • Real name - the real name of the user. This can be left blank.

  • Home directory - using the default of Automatic will create the directory of /home/username, which is fine for most users. If you need to specify the home directory for the user, you can choose Directory and either enter the absolute path to the home directory or browse to the home directory (which must already exist).

  • Shell - if the user is going to be able to log in to the system from either the command line via SSH or from SFTP, then choose from /bin/sh, /bin/csh, /bin/bash, /bin/tcsh or /bin/ksh, depending on which shell the user is the most familiar with. If you installed your own shell, such as the Z-shell, then choose Other and specify the absolute path to the shell binary. The bash shell (/bin/bash) is the standard shell on most Linux distros, and the one that is probably the most familiar to your users.

    If the user is only going to have FTP access, and does not need to be able to log in to the system from the command line via SSH or use SFTP, then choose /sbin/nologin as their shell.

  • Password - if the user is going to be able to log in to the system through SSH, SFTP or FTP, they will need a password.

    No password required - Under no circumstances create a user with no password required. If you do this, your system will be hacked, and you will be responsible for any overage or data charges, as well as the time it takes for eApps to fix the issue, at a rate of $90 an hour.

    No login allowed - this means the user can never log in to the system, for any reason (FTP, e-mail, etc).

    Normal Password - enter a password for the user. Your Virtual Machine uses a program called cracklib, which will require a password with a minimum of six (6) characters, and at least one special character (!@#$%^&*()). This feature is mandatory, and will not be disabled. If possible, use a password generator, such as Strong Password Generator - http://strongpasswordgenerator.com (there are many other password generators online).

    Pre-encrypted password - this allows you to paste in the encrypted password from /etc/shadow if you are bringing this user over from another system.

    Login temporarily disabled - this allows you to disable the login for a user without having to change any other settings for them, such as shell or password.

Password Options

The Password Options section is where you can set the length of time a user's password is valid. For example, if you had a policy that passwords had to be changed every 30 days, the Password Options section is where that would be configured.

  • Password changed - this shows the date the password was last changed, or Never if the password has never been changed.

  • Expiry Date - this is the date the password expires, meaning the user cannot log in after this date. The format is Day/Month/Year.

  • Minimum days - this is the number of days since the user was created or the password was last changed that the user has to wait before changing the password again. Leave this blank to allow the user to change passwords as often as they want to.

  • Maximum days - this is the number of days after the user was created or the password was last changed when the password expires, and has to be changed. If you wanted this user to have to change their password every 30 days, you would enter 30 here.

  • Warning days - this is the number of days prior to their password expiring (the value in Maximum days) that the user will be warned at login to change their password. If this is blank, there will be no warning and the user will not know their password has expired until they are forced to change it on their next login.

  • Inactive days - this is the number of days after the user's password expires before the entire account is disabled, if the user has not changed their password. Leave this blank to keep the account from ever expiring.

  • Force change at next login - this is useful if you are just setting a generic password for this user, and allowing them to choose their own password. If you check this box to Yes, the user will be asked to set a password the next time they log in.

Group Membership

Group Membership allows you to set a Primary and Secondary group for the user. For example, if the user being created is going to be the administrative user of a web site, then you would set their secondary group membership to the apache group so that the web server would have access to the files in that user’s directory.

  • Primary group - the Primary group is the main group the user belongs to.

    New group with same name as user - this allows you to create what is known as a User Private Group for this user, which is a standard feature on Red Hat based systems such as CentOS and Fedora. This means that the user webadmin is also in the webadmin group, instead of being in the same group with all the other non-system users. This is the default choice.

    New group - if you want this user to be in a new group, enter the group name here (lowercase letters only).

    Existing group - if this user needs to be part of an existing group, enter the group name here, or browse for it to select.

  • Secondary groups - Secondary groups are used if a user needs to belong to another group outside of their primary group. For example, a user being created as the administrative user for a site would have a secondary group of apache.

To select a secondary group, scroll down in the All groups column to find the group to add as the secondary group, and then click the right pointing arrow to add that group to the In groups list.

NOTE - be aware of any potential system vulnerabilities you may be creating by adding a user to a secondary group such as root (or any group with root as a member). If the user is compromised, then the hacker will have access to any files that the secondary group has permissions to.

Upon Creation..

Upon Creation.. is where the actions to be taken when the user is created are configured.

  • Create home directory? - if the user you are creating does not already have a home directory, then leave this at the default of Yes.

  • Copy template files to home directory? - this copies the files from the /etc/skel directory to the newly created user directory. The default is Yes, only change this if you know exactly what you are doing and why.

  • Create user in other modules? - leave at the default of Yes to create this user in other modules that may be configured to see a new user on creation.

Create the user

Once you have set up the new user, click Create to write your changes to the system, and to create the new home directory (if selected).

You will be returned to the Users and Groups page, where you can see your new user.
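
The command-line route mentioned in the NOTE earlier, as an added example (not eApps' or Webmin's own code): a shell script that maps the Create User form fields onto useradd and chage flags. The names add_site_user, valid_username, run and DRY_RUN, the user siteadmin, and the 7 warning / 14 inactive day values are assumptions chosen for illustration; it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: command-line equivalent of the Create User form (hypothetical helper names).

# Print each command instead of running it unless DRY_RUN=0 (real runs need root).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Username rule from this guide: lowercase letters and digits, 6 to 10 characters.
valid_username() {
    case $1 in ''|*[!a-z0-9]*) return 1 ;; esac
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 10 ]
}

add_site_user() {   # args: username [secondary-group] [max-days]
    user=$1 group=${2:-apache} max=${3:-30}
    valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    # The guide's NOTE: do not give users the root group as a secondary group.
    [ "$group" != root ] || { echo "refusing secondary group root" >&2; return 1; }
    # User Details + Group Membership + Upon Creation:
    #   -m  create the home directory and copy /etc/skel into it
    #   -s  login shell (use /sbin/nologin for FTP-only users)
    #   -G  secondary group; the primary group is the user private group,
    #       which Red Hat based systems create by default
    run useradd -m -s /bin/bash -G "$group" "$user"
    # Password Options: -m minimum, -M maximum, -W warning, -I inactive days
    # (7 and 14 are sample values).
    run chage -m 0 -M "$max" -W 7 -I 14 "$user"
    # Force change at next login: mark the password as last changed on day 0.
    run chage -d 0 "$user"
    # Set the initial password interactively afterwards: passwd "$user"
}

add_site_user siteadmin apache 30
```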

Editing (modifying) existing users

If you need to change the parameters for any existing user (including one you just created), click on the user name to be taken to an Edit User module. In the Edit User module you have access to several of the same options as in Create User (User Details, Password Options, Group Membership), but instead of Upon Creation.. there is an Upon Save.. option.

Be very careful about editing any user with a User ID of less than 500. Those are system users, and have functions defined by the operating system. Only edit a system user if you know exactly what you are doing, and why.

At the bottom of the Edit User screen are Save, Show Logins, Read Email and Delete. Click Save to save any changes you have made to this user, Show Logins to see when this user has logged in to the system, Read Email to read any e-mail in the user’s inbox, and Delete to delete the user.

Edit User Options


Editing the webadmin user

The Apache User Guide mentions that to use the webadmin user as the administrative user for a site, the user must be modified to allow it to log in, as well as setting a password.

User Details

The User Details screen will be populated with the existing user data for webadmin.

Edit User - User Details

  • Username - leave as webadmin

  • User ID - leave at 500

  • Real Name - add a real name for the user if you wish, otherwise leave blank

  • Home directory - Automatic means that the directory is /home/webadmin. Only change this if you have a very specific reason to do so.

  • Shell - set to /bin/bash by default. Only change this if you have a preference for another shell.

  • Password - a password will need to be set for webadmin to allow a login, whether for FTP or SSH/SFTP.

    No password required - remember the previous warnings about using No password required. If you use this option, your system will be hacked, and you will be responsible for all charges related to that.

    No login allowed - only check this if you do not want the webadmin user to be able to log in using any method.

    Normal password - check this box, and enter a password for the webadmin user, which should be a minimum of 6 characters, and contain at least one special character (!@#$%^&*()).

    Pre-encrypted password - when you check the box for Normal password, this box will be unchecked, which is correct.

    Login temporarily disabled - uncheck this box to allow the webadmin user to be able to log in.

Password Options

The Password Options screen shows the current settings for the webadmin user. Review the Password Options section in Creating Users if needed, but there shouldn’t be any reason to change any of these settings.

Edit User - Password Options

Group Membership

The Group Membership screen shows the current primary group for the webadmin user. This is where you configure the webadmin user to have a secondary group of apache, so that the web server process can read the files in the /home/webadmin directory.

Edit User - Group Membership

  • Primary group - leave as webadmin

  • Secondary group - to configure a secondary group of apache, scroll down the list in All groups until you reach apache. Click on it once to highlight it, and then click the right pointing arrow to add apache to the In groups column.

Upon Save..

Upon Save.. allows you to make some extra configuration changes that will take place when you click the Save button. Generally, there is no need to modify any of these settings.

Edit User - Upon Save..

Save the changes and other options

Once you have made the required modifications to the webadmin user, click on Save.

Edit User - Save Changes

You can also Show Logins to see when the webadmin user has logged in, Read Email to read the e-mail in the inbox for webadmin on the system, and Delete the user.

Viewing User Logins

At the bottom of the Users and Groups screen are options to view logins for all users, or for a specific user. You can also view who is currently logged in. The same functions are available on the Local Groups screen.

User Logins


Adding and editing groups in the Control Panel

WARNING - Unless you are absolutely, positively, 1000% sure that it is safe to remove a group, then DO NOT, under any circumstances, remove that group. The majority of the groups shown on the Users and Groups screen and the Local Groups screen are needed by the operating system to perform system functions. Removing one of these groups can cause your system to no longer work correctly, or crash completely to the point where the only way to recover is to completely rebuild the system. Any group with a Group ID of less than 500 should never be removed.

You have been warned - any assistance requested to help recover a system that has crashed due to system users or groups being removed will be billable at $90 an hour.

Generally, the only users or groups it is moderately safe to remove are ones that you have added yourself, and even then you need to make sure that the group is not being used by any site or script before removing them.

There are very few reasons why you would want to add a group, or to modify an existing group. Make sure you know exactly what you are doing and why you are doing it before proceeding. Making changes to your system without a clear understanding of what you are doing and why can lead to many problems.

Adding a group

When you click on the Users and Groups icon, you are taken to the main Users and Groups page, which defaults to showing the Local Users.

To add a new group, click on Local Groups.

This screen shows all the existing groups, with their group ID and members.

To create a new group, click on Create a new group.

This takes you to the Create Group screen, which has two options - Group Details, and Upon Creation.. .

Group Details

Group Details is where the Group name and Members are configured.

  • Group name - enter the name for the group, in lowercase letters only

  • Group ID - any group created should be a non-system group, with a Group ID of greater than 500. Unless you know exactly what you are doing and why you are doing it, there should be no need to change this from the default of Automatic.

  • Password - leave at the default of No password required unless you have a very specific reason to change it.

  • Members - to add members to the new group, select those members from the All users column on the left, and use the right pointing arrow to move them to the Users in group column.

    NOTE - be very careful as to which users you add to the group. There should NEVER be a reason to add the root user to the group. Adding the root user can open up system vulnerabilities and expose your system to hackers.

Upon Creation..

Leave this at the default setting unless you have a very specific reason to change it.

Create the group

Click on Create to create the new group. You will be returned to the Local Groups page and will be able to see the new group.

Editing existing groups in the Control Panel

To edit an existing group, click on the group name in the Local Groups screen. There are only two sections in Edit Group, Group Details and Upon Save.. .

Again, take heed of this warning: There are very few reasons why you would want to add a group, or to modify an existing group. Make sure you know exactly what you are doing and why you are doing it before proceeding. Making changes to your system without a clear understanding of what you are doing and why can lead to many problems.

Generally, you would only want to edit a non-system group, meaning a group with a Group ID of 500 or greater.

Group Details

The Group Details screen shows the name and ID of the group and the members.

Edit Group - Group Details

  • Group name - this is the name of the group, which cannot be changed once created.

  • Group ID - the ID of the group - you can change this, but there generally should be no reason to ever do so.

  • Password - leave at the default of Pre-encrypted password

  • Members - this is where to add or remove users from a group. NOTE - be very careful as to which users you add to the group. There should NEVER be a reason to add the root user to the group. Adding the root user can open up system vulnerabilities and expose your system to hackers.

  • Primary group members - this is the primary member of the group, akin to the group “owner”.

Upon Save..

Leave this at the default settings unless you have a very specific reason to change it.

Edit Group - Upon Save..

Save the changes

Click on Save to save any changes that you have made to this group. This will take you back to the Local Groups page.
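
A way to check the account files for the conditions this guide warns about (empty passwords, membership of the root group, and which non-system users can actually log in), as an added example that is not part of the original guide or of Webmin. The function names and the sample files are constructed for illustration; on a real system pass /etc/passwd, /etc/shadow and /etc/group and run it as root.

```shell
#!/bin/sh
# Added example: audit passwd/shadow/group files for the risks this guide warns about.
UID_MIN=${UID_MIN:-500}   # system/non-system boundary stated in this guide

# Accounts with an empty shadow password field ("No password required").
empty_password_users() {   # arg: shadow-file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Users other than root in the GID 0 group, via primary GID or member list.
root_group_members() {   # args: passwd-file group-file
    {
        awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
        awk -F: '$3 == 0 { n = split($4, m, ",")
                           for (i = 1; i <= n; i++) if (m[i] != "root") print m[i] }' "$2"
    } | sort -u
}

# Non-system users with a login shell and a password field that is not locked
# (a leading "!" or "*" can never match a typed password).
login_capable_users() {   # args: passwd-file shadow-file
    awk -F: -v min="$UID_MIN" '
        NR == FNR { pw[$1] = $2; next }   # first file read is shadow
        $3 >= min && $7 !~ /(nologin|false)$/ && ($1 in pw) && pw[$1] !~ /^[!*]/ { print $1 }
    ' "$2" "$1"
}

# Constructed sample files (not from a real system); hashes are placeholders.
make_sample() {   # arg: directory to write into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
ftponly:x:501:501::/home/ftponly:/sbin/nologin
tester:x:502:502::/home/tester:/bin/bash
oldsite:x:503:503::/home/oldsite:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER$hash:14876:0:99999:7:::
apache:!!:14876::::::
webadmin:$6$PLACEHOLDER$hash:14876:0:30:7:::
ftponly:$6$PLACEHOLDER$hash:14876:0:30:7:::
tester::14876:0:99999:7:::
oldsite:!$6$PLACEHOLDER$hash:14876:0:30:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root,tester
apache:x:48:webadmin
webadmin:x:500:
EOF
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
echo "empty password: $(empty_password_users "$demo_dir/shadow")"
echo "in root group:  $(root_group_members "$demo_dir/passwd" "$demo_dir/group")"
echo "can log in:     $(login_capable_users "$demo_dir/passwd" "$demo_dir/shadow" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

In the sample, tester is flagged twice (empty password and root group membership), and oldsite is not login-capable because its password field carries the "!" lock prefix.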


