"Journey towards new learning"

Redhat User and Group Management

Users and Groups Management in Linux


Linux uses a different user scheme than Windows. Each user is associated with a unique identification number (UID) and each group with a group ID (GID). There is a superuser who can change the ownership of files and make a user a member of any group.
Red Hat Linux supports access control lists to grant permission on files and directories to predefined user IDs and group IDs.
The login.defs file is one of the important files when we talk about the range of GIDs and UIDs. The root user can modify the minimum and maximum range of the UID and GID. The file location is “/etc/login.defs”.
RHEL 7 keeps all reserved user and group IDs below 1000. You can view all the system user information at the location below
~]$  cat /usr/share/doc/setup*/uidgid
Note - It is recommended to assign UIDs and GIDs above 1000 to avoid conflicts with systems that retain the 1000 limit.

You may see three types of users in Linux.
1. Root user/Superuser - Has full permission to add, modify and delete any setting
2. System users - Used by system software
3. Normal users - Created by the root user; by default they have limited permission to add, modify and delete settings

Linux has two types of groups
1. Private/Primary Group - Created automatically with user
2. Secondary Group - Administrator creates manually

1. Private Groups/Primary Groups
RHEL 7 uses the user private group scheme. A user private group is created automatically when you create a new user. This group gets the same name as the username, and only the newly created user is a member of it.

2. Secondary Group
The administrator creates this group for a special purpose and assigns users to it as per their criteria.

The default permissions on the files and directories a user creates come from the umask setting in “/etc/bashrc”. With user private groups this umask allows only the user who created the directory to make changes to it.
Shadow Passwords file
Shadow passwords enhance the security of system authentication. They are provided by the shadow-utils package. The shadow file is readable only by the root user.
Advantages of using shadow passwords
- It moves the password hashes from the world-readable /etc/passwd file to the /etc/shadow file
- It stores password aging information
- Shadow passwords allow enforcing some of the security policies set in the /etc/login.defs file

Managing user in command line

UID in Redhat 7:
UID starts from 0
Root - 0
Normal users - Starts from 1000 to 60000

All this information can be seen in "/etc/login.defs"; the login.defs file has a lot of information about users

There are four main files
1. /etc/passwd:- User information
2. /etc/shadow:- User password information
3. /etc/group:- Group information
4. /etc/gshadow:- Secure group password information

Adding/deleting/modifying User accounts and Group accounts in Linux
Common utilities
~]$ id - It is used to check the UID of an account
~]$ useradd - To add a user account
~]$ usermod - To modify a user account
~]$ userdel - To delete a user account
~]$ groupadd - To add a group account
~]$ groupmod - To modify a group account
~]$ groupdel - To delete a group account
~]$ gpasswd - It is used to modify the group password in the /etc/gshadow file, which is used by the newgrp command.

To add a new user, log in as the root user and follow the steps below
Syntax - ~]$ useradd [options] username
A user account can be customized by using the options parameter.
By default the useradd command creates a locked user account; once you assign a password to the account it becomes unlocked. To unlock the user account we can use the "passwd" command
~]$ useradd netinfo
or
~]$ adduser netinfo
Once the user is created, the /etc/passwd and /etc/shadow files are updated, but the user is locked until we assign a password. To verify the user status, use the command below
~]$ passwd -S netinfo
Output 
netinfo LK 2018-01-22 0 99999 7 -1 (Password locked.)

Now we can assign the password with the passwd command (enter the new password, for example p@$$w0rd, when prompted) and recheck the user status
~]$ passwd netinfo
~]$ passwd -S netinfo
output 
netinfo PS 2018-01-22 0 99999 7 -1 (Password set, SHA512 crypt.)
Here we go, now it's unlocked with a "Password set" status.

Verify the home directory and default shell of the user
~]$ cat /etc/passwd | grep netinfo
Output
netinfo:x:5005:5007::/home/netinfo:/bin/bash
# This was the simple process to create a user. Many options can be used along with the useradd command; some of them are below

-c
This option is used to specify the comment for the user
-d
This can be used to modify the default home directory
-e
Change the account expiry date
-f
Number of days after the password expires until the account is disabled. If the value is 0 then the user account will be disabled immediately after the password expires. If the value is -1 then account will not be disabled after the password expires
-g
Sets the user's primary group; the group must exist before it is specified here
-G
Adds the user to secondary groups; the groups must exist prior to being specified here
-m
Creates the home directory if it doesn't exist
-M
Do not create the home directory
-N
Do not create a private/primary group for the user
-p
The encrypted password, as returned by crypt (not a plain-text password)
-r
Creates a system account with a UID less than 1000 and without a home directory
-s
Assigns the user's login shell; the default is /bin/bash
-u
Defines the user ID for the user, which must be greater than 999

========================================================================
Once the user is created, the files below are modified
1. /etc/passwd
2. /etc/shadow
3. /etc/group
4. /etc/gshadow
========================================================================
Let's take some of the examples and create the user using some options

1. Create a user with custom home directory
Assign a home directory to the user
~]$  useradd -d /networkinginfo netinfo
Note - If you create a user without -d, the user's home directory is created with the same name as the username.

Verify the user home directory
~]$ cat /etc/passwd | grep netinfo
output
netinfo:x:1001:1001::/networkinginfo:/bin/bash
========================================================================
2. Add user to multiple groups
Before assigning a user to groups, those groups must already exist
To verify the existing groups use below command
~]$ cat /etc/group
output
smb:x:1002:
ssh:x:1003:
nfs:x:1004:

You may see different output; I'm going to create a new user and add it to the above groups
~]$  useradd -G smb,ftp,ssh,nfs user1
Note - Capital "G" is used to assign the user to secondary groups
Verify which groups the user is associated with
~]$ groups user1
output
user1 : user1 ftp smb ssh nfs
or 
~]$ cat /etc/group | grep user1
smb:x:1002:user1
ssh:x:1003:user1
nfs:x:1004:user1
========================================================================
3. Create a user without home directory
Once we create a user account the system automatically creates a home directory under /home/xxx, but sometimes we want to create the home directory later. Below is the process.
~]$  useradd -M user2
Let's verify whether the directory was created or not
~]$ ls -l /home/
output
drwx------. 14 dinesh dinesh 4096 Jan 21 07:51 dinesh
drwx------.  3 user1  user1    78 Jan 22 05:01 user1
We don't see a home directory for user2 because it wasn't created with the user.
========================================================================
4. Creating a new user with an account expiry date / creating a temporary account
~]$  useradd -e 2018-01-23 user3
If you want to modify an existing user then use the command below
~]$  usermod -e 2018-12-31 netinfo

Verify the account expiry date
~]$ chage -l user3
output of user3
Last password change                                    : Jan 22, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Jan 23, 2018
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
~]$ chage -l netinfo
output of netinfo
Last password change                                    : Jan 22, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2018
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

========================================================================
5. Creating a user account with a password expiry (inactive) period
We can set the number of days after the password expires before the account is disabled (the -f option, stored as the inactive field in /etc/shadow) using the commands below
~]$  useradd -f 2 user4
To modify this value for an existing user, follow the command below
~]$  usermod -f 2 netinfo

Verifying the user's password expiry (inactive) value
~]$  cat /etc/shadow | grep user4
~]$  passwd -S user4
output of user4
user4:!!:17553:0:99999:7:2::
user4 LK 2018-01-21 0 99999 7 2 (Password locked.)
output of netinfo
netinfo:!!:17553:0:99999:7:120:17896:
netinfo LK 2018-01-21 0 99999 7 120 (Password locked.)

By default this value is set to -1, which means the account is never disabled after the password expires
========================================================================
6. Creating a user with a comment or modifying the comment of an existing user.
Giving a comment to a user account can give you an idea of the purpose the account was created for.
~]$  useradd -c "Used for Test Environment" user5
To modify the comment of an existing user
~]$  usermod -c "Used for Practical" netinfo

To verify the comment assigned to the user.
~]$  cat /etc/passwd
output
netinfo:x:1003:1006:Used for Practical:/home/netinfo:/bin/bash
user5:x:1007:1010:Used for Test Environment:/home/user5:/bin/bash
========================================================================

7. Changing the account default shell
~]$  useradd -s /sbin/nologin user6
~]$  usermod -s /sbin/tash netinfo
To verify the shell information. 
~]$  cat /etc/passwd | grep user6
output
user6:x:1008:1011::/home/user6:/sbin/nologin
netinfo:x:1003:1006:Used for Practical:/home/netinfo:/sbin/tash
========================================================================
8. useradd advanced use cases
~]$ useradd -d /home/user7testuser -c "Test user7" -U user7

Password change for user
~]$ passwd user7
Run this way, the command can be executed only by the root user, since only the root user can specify a username.
A normal user can't put a username in front of the passwd command.
========================================================================
9. Displaying the password information in Linux
~]$ passwd -S user2

This command shows a result like the one below
user2 PS 2018-01-19 0 99999 7 -1 (Password set, SHA512 crypt.)

# user2 - the username
# PS - Password status (you may also see LK = Password locked, NP = No password)
# 2018-01-19 - Last password change date
# 0 - Minimum age of the password (days)
# 99999 - Maximum age of the password (days)
# 7 - Warning period before the password expires (days)
# -1 - Inactive period: days after the password expires until the account is disabled (-1 = never)
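The field layout just described can be checked on a saved copy of /etc/shadow without root. As an added example (not code from the original post), the POSIX shell script below rebuilds the passwd -S summary from a raw shadow line and audits a constructed sample file for empty password fields and unlocked accounts whose password never expires; the sample lines and their placeholder hashes are constructed here, not taken from a real system.

```shell
#!/bin/sh
# Added example: reconstruct `passwd -S` output from /etc/shadow lines and
# flag risky entries. Field order in /etc/shadow, as in the user4 line above:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01 (17553 = 2018-01-22).

# Convert a non-negative days-since-epoch count to YYYY-MM-DD
# (civil-from-days algorithm, proleptic Gregorian calendar).
days_to_date() {
  z=$(( $1 + 719468 ))
  era=$(( z / 146097 ))
  doe=$(( z - era * 146097 ))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  y=$(( yoe + era * 400 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
  if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
  printf '%04d-%02d-%02d' "$y" "$m" "$d"
}

# Print "name STATUS lastchange min max warn inactive" for one shadow line.
# STATUS is LK when the hash starts with '!' (locked), NP when the field is
# empty (no password at all) and PS when a usable hash is present.
shadow_status() {
  IFS=: read -r name pw lastchg min max warn inactive expire rest <<EOF
$1
EOF
  case "$pw" in
    '')   status=NP ;;
    '!'*) status=LK ;;
    *)    status=PS ;;
  esac
  printf '%s %s %s %s %s %s %s\n' "$name" "$status" \
    "$(days_to_date "${lastchg:-0}")" "${min:-0}" "${max:-99999}" \
    "${warn:-7}" "${inactive:--1}"
}

# Read shadow-format lines on stdin and report the entries an administrator
# checks first: no password set, or an unlocked account with max age 99999.
shadow_audit() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $(shadow_status "$line")        # $1 name, $2 status, $5 max age
    if [ "$2" = NP ]; then
      printf '%s: no password set\n' "$1"
    elif [ "$2" = PS ] && [ "$5" -ge 99999 ]; then
      printf '%s: password never expires\n' "$1"
    fi
  done
}

# Constructed sample file; the hashes are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$constructed$placeholderhash:17551:0:99999:7:::
netinfo:!!:17553:0:99999:7:120:17896:
user4:!!:17553:0:99999:7:2::
svc:::0:99999:7:::
dinesh:$6$constructed$placeholderhash:17551:5:90:7:10::'

shadow_status 'user4:!!:17553:0:99999:7:2::'   # user4 LK 2018-01-22 0 99999 7 2
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit
```

On a real system run it as root with `shadow_audit < /etc/shadow`, or against a copy exported from the host being reviewed.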
========================================================================
10. Expire the password immediately
~]$  passwd -e dinesh
This command expires the password immediately, so the user must set a new one at the next login
Verify the information
~]$  chage -l dinesh
output
Last password change                                : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                          : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Password expires shows that the user's password has expired and must be reset.
========================================================================
11. Locking/Unlocking the user password
~]$  passwd -l dinesh

Verify the user information
~]$ cat /etc/shadow | grep dinesh
output
This command locks the user password and updates the shadow file. It inserts !! in front of the password hash value
Below is an example
dinesh:!!$6$0m4zVG$TmUk4MUJst2Q6lLZYR6nQTiX1ldbc.yZhrBAbyY2cm8kyLRyxpfSVlZeim58zdK2mRgIeqNGKGRyKTEZMUzhf0:17551:0:99999:7:::

another command to verify
~]$  passwd -S dinesh
output
dinesh LK 2018-01-19 0 99999 7 -1 (Password locked.)

Unlocking user password
~]$ passwd -u dinesh

To verify 
~]$ passwd -S dinesh
Result
dinesh PS 2018-01-19 0 99999 7 -1 (Password set, SHA512 crypt.)

Note - The password status should be PS
========================================================================
12. Setting the password inactive (ageing) time
~]$ passwd -i 10 dinesh

To verify 
~]$ passwd -S dinesh
Result
dinesh PS 2018-01-19 0 99999 7 10 (Password set, SHA512 crypt.)

13. Minimum password age setting
~]$ passwd -n 2 dinesh

To verify 
~]$ passwd -S dinesh
Result
dinesh PS 2018-01-19 2 99999 7 10 (Password set, SHA512 crypt.)
========================================================================
Function of the usermod command
This command is mostly used to modify user account settings. When we execute the usermod command the files below can be changed
1. /etc/passwd
2. /etc/shadow
3. /etc/group
4. /etc/gshadow
5. /etc/login.defs (read for the default values)

1. Changing the home directory for user

- Verify the current home directory
~]$ cat /etc/passwd | grep dinesh
output
dinesh:x:1000:1000::/home/dinesh:/bin/bash
The above output shows that /home/dinesh is the current home directory

- Create a new directory and change the home dir for the user
~]$  mkdir /home/dineshtest
~]$ usermod -d /home/dineshtest dinesh

- Verify again 
~]$ cat /etc/passwd | grep dinesh
output
dinesh:x:1000:1000::/home/dineshtest/:/bin/bash
========================================================================
2. Assigning user account to secondary group
- Verify the current user and find the user is associated with which group
~]$ id user5
output
uid=1014(user5) gid=1014(user5) groups=1014(user5)

Once the user is created the primary group is automatically created along with the user, and the group gets the same name as the user
Note - Before assigning a user to a new group, the secondary group must be present in the system.
- Create a new group 
~]$ groupadd MGMT

- Assign user to group
~]$ usermod -G MGMT user5

- Verify again
~]$ id user5
uid=1014(user5) gid=1014(user5) groups=1014(user5),1064(MGMT)

note - if you want to add a user to additional groups while keeping the existing ones, the administrator has to use the "-a" option to append the group (without -a, the -G list replaces the user's current secondary groups)
example
~]$ usermod -a -G GRP1 user5
========================================================================
3. Changing the user login name
- Verify the current username
~]$ cat /etc/passwd | grep user1

- Change the user login name
~]$ usermod -l dinesh user1

- Verify again
~]$ cat /etc/passwd | grep user1
========================================================================
4. Locking the user account
- Verify the current status
~]$ cat /etc/passwd | grep dinesh

Use the command to lock the user
~]$ usermod -L dinesh

- Verify the shadow file, where you can see a ! mark in front of the password
~]$ cat /etc/shadow
========================================================================
5. Moving the users home directory
- Verify the current home directory for user
~]$ cat /etc/passwd | grep dinesh

- Move to new location
~]$ usermod -d /home/newdinesh -m dinesh

- Verify the home directory for user
~]$ cat /etc/passwd | grep dinesh
~]$  ls -l /home/newdinesh
========================================================================
6. Unencrypted user Password setting
- Verify the current password format
~]$ cat /etc/shadow | grep dinesh
Result
dinesh:$6$0m4zVGTo$TmUk4MUJst2Q6lLZYR6nQTiX1ldbc.yZhrBAbyY2cm8kyLRyxpfSVlZeim58zdK2mRgIeqNGKGRyKTEZMUzhf0:17551:5:99999:7:10::

- Change the user password to unencrypted mode
~]$ usermod -p password dinesh

- Verify the information in shadow
~]$ cat /etc/shadow | grep dinesh
Result
dinesh:password:17551:5:99999:7:10::

Note - we don't recommend the unencrypted password setting. usermod -p expects an already hashed password and writes whatever string it is given straight into the password field of /etc/shadow, so the plain text is readable by anyone who can read that file.
========================================================================
7. Changing the UID of user

- Verify the current UID of the user
~]$ cat /etc/passwd | grep dinesh
Result
dinesh:x:1000:1000::/home/dineshtest/:/bin/bash

- Set new UID 
~]$ usermod -u 1050 dinesh

- Verify the UID of user
~]$ cat /etc/passwd | grep dinesh
Result
dinesh:x:1050:1000::/home/dineshtest/:/bin/zsh
========================================================================
GROUP Management
========================================================================
1. Create a group account
~]$ groupadd testgroup

Setting group ID
~]$ groupadd -g 1100 testgroup

verify the group
~]$ cat /etc/group
========================================================================
2. Creating system group
# In RHEL7 System groups have GID below 1000
~]$ groupadd -r systemtestgroup

verify the system group
~]$ cat /etc/group | grep systemtestgroup
========================================================================
3. Creating group with duplicate GID
- Verify the current GID
~]$ cat /etc/group
Result 
testgroup:x:1100:

- Assign 1100 id to testgroup1
~]$ groupadd -o -g 1100 testgroup1

- Verify again 
~]$ cat /etc/group 
Result
testgroup:x:1100:
systemtestgroup:x:995:
testgroup1:x:1100:

Here we can see testgroup and testgroup1 have got the same GID
========================================================================
Modify the existing groups
========================================================================
The exit values below help the admin understand the result of the groupmod command
0 = Success
2 = Invalid syntax
3 = Invalid argument
4 = Specified group doesn't exist
6 = Specified group doesn't exist
9 = Group name already in use
10 = Can't update group file
--------------------------------------------------------------------------------------------------------------------------
1. Modify the group name

- Verify the existing group which we want to update
~]$ cat /etc/group | grep testgroup1
Result 
testgroup1:x:1100:

- Change the old name to new name
~]$ groupmod -n newtestgroup1 testgroup1

- Verify again 
~]$ cat /etc/group
Result
newtestgroup1:x:1100:

We can see testgroup1 has been renamed to newtestgroup1
========================================================================
2. Modifying group ID
- Verify the group whose GID should be modified
~]$ cat /etc/group | grep newtestgroup1
Result
newtestgroup1:x:1100:

- Modify the GID
~]$ groupmod -g 1101 newtestgroup1

- Verify again
~]$ cat /etc/group | grep newtestgroup1
Result
newtestgroup1:x:1101:

here we can see the new GID is updated
========================================================================
Managing group using Gpasswd command
=======================================================================
gpasswd is used to administer the /etc/group and /etc/gshadow file

1. Add multiple users to a group
- Verify the existing group
~]$  cat /etc/group | grep newtestgroup1
Result
newtestgroup1:x:1101:

- Create three users
~]$ useradd test1
~]$ useradd test2
~]$ useradd test3

- Add users in group
~]$ gpasswd -M test1,test2,test3 newtestgroup1

- Verify again
~]$  cat /etc/group | grep newtestgroup1
Result
newtestgroup1:x:1101:test1,test2,test3
========================================================================
2. Removing user from group
- Verify how many users are members of the group
~]$  cat /etc/group | grep newtestgroup1
Result
newtestgroup1:x:1101:test1,test2,test3

- Remove test1 and test2 from newtestgroup1
~]$  gpasswd -d test1 newtestgroup1
~]$  gpasswd -d test2 newtestgroup1

- Verify again to see the result
Result
newtestgroup1:x:1101:test3
========================================================================
3. Making a user an administrator of a group
- Verify the user and see which group the user is a member of
~]$ cat /etc/passwd | grep test2
Result
test2:x:1006:1007::/test2:/bin/bash

- Make the user an administrator of the group (gpasswd -A)
~]$ gpasswd -A test2 newtestgroup1

- Verify again
========================================================================
4. Setting the group password
- Verify whether the current group password is set or not
~]$ cat /etc/gshadow
Result
newtestgroup1:!:test2:test3
note - the ! mark shows that the password is not active or not set yet

- Set the group password
~]$ gpasswd newtestgroup1

- Verify again to see 
~]$ cat /etc/gshadow | grep newtestgroup1
Result
newtestgroup1:$6$OZL2o/pUv0$rqxmIJRS7w/ql9XklZk64qBZIameI5UxVlgHI2jRgkse8JgG1vocq3xyYL5qNu3t0gtV8V3CJ3mf.VCCeN1wB1:test2:test3

The password can be removed with the -r option
~]$ gpasswd -r newtestgroup1
========================================================================
newgrp command

It is used to change the current GID during the login session, i.e. to switch to a new group
========================================================================
Deleting user account
========================================================================
1. Make sure the user you want to delete is locked and not in use
2. Kill all the processes owned by that user
3. Take a backup of the user account
4. Use the userdel or deluser command to delete it

1. Verify the user which we want to delete
~]$ cat /etc/passwd
Result
test1:x:1051:1051::/home/test1:/bin/bash

2. Lock the user account
~]$  usermod -L test1

3. Verify the current processes owned by the user
~]$ pgrep -u test1
Result
2083
2084
2103

4. Kill the used processes
~]$ kill 2083
~]$ kill 2084
~]$ kill 2103
or
~]$ pkill -9 -u test1

5. Take a backup of the user's home directory
/home/test1 ----> /test1bkp/test1_home.tar.gz
~]$ mkdir /test1bkp
~]$ tar -zcvf /test1bkp/test1_home.tar.gz /home/test1

6. Remove user with home directory
~]$ userdel -r test1

7. Verify the user and its home directory
~]$ ls -l /home
~]$ cat /etc/passwd

Now you will find the user is deleted along with the /home/test1 home directory
========================================================================
This was just a start, I’ll come up with more options and features of user and group accounts in our future articles. Till then, stay connected with me for more exciting and interesting tutorials in future. Do leave your comments and suggestions below in the comment box
==============================================================

I hope this has been informative for you. If it seems helpful then like, share and don’t forget to subscribe and follow me for the upcoming posts
https://www.youtube.com/channel/UC0-p23p1xWsZsTXHUQ7CiJg
https://www.facebook.com/networkinginfo/
https://twitter.com/Dj1Pali
https://www.instagram.com/a_bhartiya_rider/
https://www.linkedin.com/in/dinesh-jangid-515b6a23/



