Linux Users and Groups

The control of users and groups is a core element of Red Hat Enterprise Linux system administration.

Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use.

Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.

Each user and group has a unique numerical identification number called a userid (UID) and a groupid (GID), respectively.

A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and file owner.

The following command line tools can also be used to manage users and groups:

  • useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
  • groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
  • gpasswd — Industry-standard method of administering the /etc/group file
  • pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
  • pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords.

01. Managing users:

Users are stored in the /etc/passwd file, and their passwords are stored in /etc/shadow.

Adding Users: read useradd command help and manpage to know about all options.

useradd --help
man useradd
useradd ahmed
useradd mohammed
useradd testuser

Modifying users: read usermod command help and manpage to know more about all options.

usermod --help
man usermod
# add user ahmed to a group called sales (append this group to the existing groups)
usermod -aG sales ahmed
# make the sales group the primary group for this user
usermod -g sales ahmed
# lock user mohammed (disable the account without deleting it)
usermod -L mohammed
# unlock a locked user
usermod -U mohammed
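
What usermod -L changes is visible in /etc/shadow: it puts a "!" in front of the stored password hash. The following is an added example, not part of the original post, that classifies accounts by that field; the sample lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE_SHADOW is constructed data in /etc/shadow format
# (name:password:lastchange:min:max:warn:inactive:expire:reserved).
SAMPLE_SHADOW='root:$6$salt$examplehash:19000:0:99999:7:::
ahmed:$6$salt$examplehash:19000:0:99999:7:::
mohammed:!$6$salt$examplehash:19000:0:99999:7:::
testuser::19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
newuser:!!:19000:0:99999:7:::'

# Classify the password field (second field) of one shadow entry.
password_state() {
    case "$1" in
        '')            echo empty ;;    # no password required: always a finding
        '!'|'!!'|'*')  echo unset ;;    # no usable password was ever set
        '!'*)          echo locked ;;   # hash kept, disabled by a leading "!"
        *)             echo active ;;
    esac
}

# Read shadow-format lines on stdin, print "user state" per account.
# On a real system, run as root: audit_shadow < /etc/shadow
audit_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(password_state "$pw")"
    done
}

# List the users in a given state, e.g. "locked" or "empty".
users_in_state() {
    audit_shadow | awk -v s="$1" '$2 == s { print $1 }'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

A locked password only blocks password authentication, so key-based SSH logins may still work; the usermod manpage advises also setting the account expiry date to 1 (usermod -e 1) to disable the account entirely.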

Deleting users: read userdel command help and read manpage to know more options.

userdel --help
man userdel
# deleting a user without deleting home directory (unless the default was changed)
userdel ahmed
# delete a user and remove its home directory and mail spool
userdel -r ahmed

02. Managing Groups:

Group management is similar to user management but simpler. Group info is stored in /etc/gshadow

Adding group: read groupadd command help and manpage to know more about all options.

groupadd --help
man groupadd
# adding sales and accounts groups
groupadd sales
groupadd accounts

Modifying groups: read groupmod command help and manpage to know more about all options.

groupmod --help
man groupmod
# change group name from sales TO Newsales
groupmod -n Newsales sales

Deleting groups: read groupdel command help and manpage to know more about all options.

groupdel --help
man groupdel
# delete group sales
groupdel sales

03. Default User policy and configuration:

When you create a new user with the useradd command without any parameters, it uses the default options, which are stored in /etc/default/useradd

vim /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

You may change the default shell, the home path, the expiration, or the group ID (to start above 200 rather than 100).

What if you want to copy some default data to all users?
You can achieve that with the SKEL path defined in /etc/default/useradd, which defaults to /etc/skel/

It is usually used for specific configuration files, but you may put any files there.

[root@localhost ~]# ls -la /etc/skel/
total 24
drwxr-xr-x.  2 root root   59 Apr 24 09:35 .
drwxr-xr-x. 76 root root 8192 Apr 24 10:08 ..
-rw-r--r--.  1 root root   18 Jun 10  2014 .bash_logout
-rw-r--r--.  1 root root  193 Jun 10  2014 .bash_profile
-rw-r--r--.  1 root root  231 Jun 10  2014 .bashrc
[root@localhost ~]#

Add any test file in that path and create a new user; you should find all the files in the user's home directory.

To set a password for a user, use the command passwd USER
Only root can set a password for other users; every user can change their own password.
But how does the system decide how many characters and which character types a password must contain, the minimum and maximum password age, and how many days before expiration to warn the user?

All of that is configured in /etc/login.defs

vim /etc/login.defs
MAIL_DIR        /var/spool/mail
# Password aging controls:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME     yes
UMASK           077

These are some, not all, of the settings in that file, and they are easy to understand. The most important are the password settings; change them to match your own policies:

  • PASS_MAX_DAYS (maximum password age before it expires)
  • PASS_MIN_DAYS (minimum number of days a password must be used before it can be changed)
  • PASS_MIN_LEN (minimum number of characters in a valid password)
  • PASS_WARN_AGE (how many days before expiration the user is warned)
  • CREATE_HOME yes (create home directories by default for new users)
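
One way to check these settings against a policy, as an added example that is not part of the original post: the script reads login.defs-format text and reports every password-aging key that misses a baseline. The baseline limits (90 days, 1 day, 12 characters, 7 days) and the function names are assumptions chosen for illustration; the sample input reuses the values shown above.

```sh
#!/bin/sh
# Added example. SAMPLE_DEFS is constructed from the values shown on this page.
SAMPLE_DEFS='MAIL_DIR        /var/spool/mail
# Password aging controls:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           077'

# Assumed baseline (not from the page): "KEY OP LIMIT", one rule per line,
# where OP is a numeric test(1) operator without the dash (le, ge).
BASELINE='PASS_MAX_DAYS le 90
PASS_MIN_DAYS ge 1
PASS_MIN_LEN ge 12
PASS_WARN_AGE ge 7'

# defs_get KEY: read login.defs-format text on stdin, print the value of KEY.
# Commented-out lines never match; if KEY repeats, this example takes the last.
defs_get() {
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# audit_defs TEXT: print one line per key that is unset or misses the baseline.
audit_defs() {
    defs=$1
    printf '%s\n' "$BASELINE" | while read -r key op limit; do
        val=$(printf '%s\n' "$defs" | defs_get "$key")
        if [ -z "$val" ]; then
            echo "$key unset (want $op $limit)"
        elif ! [ "$val" "-$op" "$limit" ]; then
            echo "$key=$val (want $op $limit)"
        fi
    done
}

# On a real system: audit_defs "$(cat /etc/login.defs)"
audit_defs "$SAMPLE_DEFS"
```

The aging values in /etc/login.defs are applied when an account is created, so existing accounts keep their old limits until they are changed per user with chage.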

That is it. I hope it was simple to create and modify users and groups. Thanks.
Enjoy!
