Domain 2 — Users, Groups & Access Control | Round 2

Mar 13, 2026

Question Bank — Full Coverage


/etc/passwd, /etc/shadow, /etc/group — Deep Structure

  1. List all 7 fields of /etc/passwd and explain what each one means. What does an x in the password field indicate?
  2. What are the 9 fields in /etc/shadow? For each field, state what it controls and what unit it uses.
  3. A user’s /etc/shadow entry shows ! before the password hash. What does this mean, and how did it get there?
  4. What is the difference between UID 0, UIDs 1–999, and UIDs 1000+? Why does this distinction matter?
  5. A /etc/passwd line shows /sbin/nologin as the shell. What happens if someone tries to SSH in as that user? What about switching to them with su?
  6. What is /etc/gshadow? What does it store that /etc/group does not?
  7. How do you safely edit /etc/passwd and /etc/sudoers? Why should you never edit them directly with a regular text editor?

Password Aging & Account Expiry

  1. What does chage -l username show you? Name every field it outputs.
  2. A user’s password must be changed every 90 days, with a 7-day warning and a 5-day grace period after expiry. Write the exact chage command to configure this.
  3. What is the difference between password expiry and account expiry? Which field in /etc/shadow controls each?
  4. A sysadmin wants to force a user to change their password on their very next login. What is the command? What does it actually write into /etc/shadow?
  5. You want to disable an account permanently on December 31, 2025. Write the exact chage command. What field does this modify in /etc/shadow?
  6. What is the minimum password age (chage -m) used for? Give a real-world reason an admin would set it to a non-zero value.
  7. What do fields 4, 5, 6, 7, and 8 in /etc/shadow mean respectively, in human-readable terms?

Account Locking & Unlocking

  1. What is the difference between passwd -l username and usermod -L username? Do they achieve the same thing?
  2. How do you unlock a locked account? Give both the passwd and usermod ways.
  3. After locking an account with passwd -l, what exactly changes in /etc/shadow? Show before and after.
  4. A locked regular account — can root still su into it? Can the user still use SSH key authentication to log in? Explain why.
  5. What is /etc/nologin? What happens when this file exists on the system? Which users are affected and which are not?

sudo — Deep Configuration

  1. What is visudo and why must you always use it instead of editing /etc/sudoers directly?
  2. Explain this sudoers line completely: deploy ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
  3. What are the four parts of a sudoers privilege specification (who where=(as_whom) commands)? What does ALL mean in each position?
  4. What is the purpose of /etc/sudoers.d/? How do you add a new sudo rule cleanly without touching /etc/sudoers?
  5. How do you give an entire group sudo access? Write the sudoers line for group devops.
  6. A user runs sudo -i vs sudo -s vs sudo su -. What is different about each in terms of environment and shell behavior?
  7. What does sudo -l do? What does sudo -ll add?
  8. A sudoers entry uses %wheel ALL=(ALL:ALL) ALL. What does the ALL:ALL part mean? What does the % prefix mean?
  9. What is a Cmnd_Alias in sudoers? Write an example that groups systemctl, journalctl, and service together, then grant it to a user.
  10. What happens if /etc/sudoers has a syntax error and you can’t use sudo anymore? How do you recover?

su — Substituting Users

  1. What is the difference between su username and su - username? What specifically changes with the dash?
  2. Can a regular user su to root without knowing root’s password? Under what condition?
  3. What file controls which users are allowed to use su? What PAM module enforces this?
  4. What does su -c "command" username do? Give a practical use case.

Groups — Deep Management

  1. What is the difference between a user’s primary group and supplementary groups? Where is each stored?
  2. You add a user to a new group with usermod -aG. Why is the -a flag critical? What happens without it?
  3. After adding yourself to a new group with usermod -aG, you run groups and the new group is not listed. Why? How do you fix it without logging out?
  4. What does newgrp groupname do? What is its limitation?
  5. What is gpasswd used for? How do you use it to add and remove members from a group?
  6. How do you create a group with a specific GID? Why might you need a specific GID in environments with shared NFS storage?
  7. A file is owned by group developers but a user in that group cannot read it. What are the possible reasons?

Default User Environment — /etc/skel, Profiles

  1. What is /etc/skel? When is it used and when is it NOT used?
  2. Explain the difference between /etc/profile, /etc/bashrc, ~/.bash_profile, and ~/.bashrc. Which ones run for login shells vs interactive non-login shells?
  3. A sysadmin wants every new user to have a custom .bashrc with company aliases pre-configured. What is the correct approach?
  4. What is the difference between a login shell and an interactive non-login shell? Give one example of each.
  5. Where should system-wide environment variables be defined? What is the purpose of /etc/environment vs /etc/profile.d/?

Special & Service Accounts

  1. What is a system account? How does useradd -r differ from useradd without -r?
  2. Why do service accounts (nginx, mysql, www-data) typically have /usr/sbin/nologin or /bin/false as their shell? What is the difference between those two options?
  3. How do you run a command as a service account (e.g., www-data) for debugging purposes if it has no login shell?
  4. What is the purpose of the nobody user? Is it safe to run services as nobody? Explain.

getent — Querying System Databases

  1. What does getent do and why is it more reliable than directly cat-ing /etc/passwd?
  2. What are the four most common databases you’d query with getent? Write the command for each.
  3. You run getent passwd username and get no output. The user exists in /etc/passwd. What could explain this?
  4. What is nsswitch.conf? What does the line passwd: files systemd mean in terms of lookup order?

Login Restrictions & Security Controls

  1. What is /etc/security/limits.conf used for? Give two practical examples of limits you might set for a production server.
  2. What does the ulimit command do? What is the difference between a hard limit and a soft limit?
  3. How do you restrict SSH access to specific users or groups at the sshd level? Name the four relevant sshd_config directives.
  4. What is /etc/securetty? What happens if you remove tty1 from it?
  5. How do you allow a user to have a shell account but prevent them from using cron or at jobs? What files control this?

PAM — Pluggable Authentication Modules (Foundations)

  1. What is PAM and why does it exist? What problem does it solve compared to each application managing its own authentication?
  2. Where are PAM configuration files stored? What is the naming convention for per-service configs?
  3. A PAM configuration file has four management groups. Name them and briefly describe what each handles.
  4. What do the four PAM control flags mean: required, requisite, sufficient, optional? Explain how they differ when a module fails.
  5. What does pam_tally2 or pam_faillock do? What is the practical security purpose?
  6. A user is locked out due to failed login attempts enforced by PAM. How do you unlock them? Write the command.

Practical Scenario Questions

  1. You need to create a deployment user with these requirements: no login shell, member of www-data and deploy groups, home directory at /var/deploy, locked password. Write all the commands.
  2. A junior developer needs to run systemctl restart myapp and journalctl -u myapp with sudo but nothing else. Write the complete sudoers configuration.
  3. You suspect a user account has been compromised. List the steps you’d take immediately — checking account status, active sessions, and locking the account — with exact commands.
  4. A new policy requires all user passwords to expire every 60 days with a 7-day warning. You need to apply this to all existing human users (UID ≥ 1000) at once. How do you approach this?
  5. After running id username, you see the user’s primary group is username (their own private group) but they should be using engineers as their primary group. Fix this with one command.
  6. You create a new file as user alice (primary group alice). A colleague in group engineers cannot read it even though alice is also in engineers. Explain this and show how to fix it without changing permissions on the file.

Total: 70 questions. Anyone who can answer all of these clearly — without looking things up — has a solid, practical Round 2 foundation in Domain 2.
