Redhat User and Group Management

Linux has some different users scheme than windows, Each user is associated with unique identification UID number Each group is associated with group ID (GID). There is a superuser who can give ownership to access the file and make a user member of any group.

Redhat Linux supports access control list to give permission to access the files and directories predefined User ID and Group ID

Login.defs file is one of the important files if we talk about the range of GID and UID. The root user can modify the minimum and maximum range of the UID and GID. File location is “/etc/login.defs”

RHEL 7 has all reserved user’s and group’s ID below 1000. User can view all the system user information at below location

~]$  cat /usr/share/doc/setup*/uidgid

Note – it is recommended to assign UID and GID above1000 to avoid conflict with systems that retain the 1000 limit.

You may see three types of users in Linux.

  1. Root user/Superuser– User has all their permission to add, modify, delete setting
  2. System users– Used by system software
  3. Normal users– Users created by root user and have limitation by default to add, modify and delete the setting

Linux has two types of groups

  1. Private/Primary Group– Created automatically with user
  2. Secondary Group– Administrator creates manually
  1. Private Groups/Primary Groups

RHEL 7 has user private group scheme. User Private group is automatically created when you create a new user. This group gets the same name as username. Only the user which is created is a member of this group.

  1. Secondary Group

Administrator creates this group for special purpose and assign users as per their criteria,

Permission and setting to access the file and directory for user comes from “/etc/bashrc” User and group get permission which is called umask setting. This umask allows the only user who created the directory to make changes.

Shadow Passwords file

Shadow Passwords enhances the security of system authentication. Shadow passwords is provided by the shadow-utils package. Shadow file is readable only by root user.

Advantage of using shadow Passwords

– It moves encrypted password hashes from the readable file /etc/passwd file to /etc/shadow file

– It stores the password aging

– Shadow password allows enforcing some of the security policies set in the /etc/login.defs file

Managing user in command line

UID in Redhat 7:

UID starts from 0

Root – 0

Normal users – Starts from 1000 to 60000

This all information can be seen in “/etc/login.defs”, login.defs file has lot of information about users

There are four main files

  1. /etc/passwd:- user information
  2. /etc/shadow:- User password information
  3. /etc/group:- Group information
  4. /etc/shadow:- Secure information about group

Adding/deleting/modifying User accounts and Group accounts in Linux

Common utilities

~]$ id – It is used to check the UID of account

~]$ useradd – To add the user account

~]$ usermod – To modify the user account

~]$ userdel – To delete the user account

~]$ groupadd – To add group account

~]$ groupmod – To modify the group account

~]$ groupdel – To delete the group account

~]$ gpasswd – It is used for modification of group password in the /etc/gshadow file which is used by then ewgrp command.

To add a new user, log in to the root user and follow the below steps

Syntax – ~]$ useradd [options] username

A user account can be customized by using options parameter.

By default useradd command creates locked user account and once you assign the password to user account it becomes unlock, To unlock the user account we can use “passwd” command

~]$ useradd netinfo

or

~]$ adduser netinfo

Once the user is created /etc/passwd and /etc/shadow file is updated but user is locked until we assign the password, To verify the user status, Use below command

~]$ passwd -S netinfo

Output

netinfo LK 2018-01-22 0 99999 7 -1 (Password locked.)

Now we can assign password using command and can recheck the user status

~]$ passwd p@$$w0rd

~]$ passwd -S netinfo

output

netinfo PS 2018-01-22 0 99999 7 -1 (Password set, SHA512 crypt.)

here we go now it’s unlocked with password set value.

verify the user home directory and default shell of the user

~]$ cat /etc/passwd | grep netinfo

Output

netinfo:x:5005:5007::/home/netinfo:/bin/bash

# This was the simple process to create a user, There are many options can be used along with the useradd command. Some of them are below

-c This option is used to specify the comment for the user
-d This can be used to modify the default home directory
-e Change the account expiry date
-f Number of days after the password expires until the account is disabled. If the value is 0 then the user account will be disabled immediately after the password expires. If the value is -1 then account will not be disabled after the password expires
-g To add a user to the primary group but before adding primary group must exist
-G To add user to secondary group, Group must exist prior to being specified here
-m This option creates home directory if the directory doesn’t exist
-M Do not create the home directory
-N Do not create private/primary group for the user
-p Password would be encrypted with crypt
-r Creates system account with UID which is less than 1000 and without a home directory
-s To assign the user shell, the default is /bin/bash
-u To define the user id for the user and that must be greater than 999

========================================================================
Once the user is created below files are modified

  1. /etc/passwd
  2. /etc/shadow
  3. /etc/group
  4. /etc/gshadow

========================================================================
Let’s take some of the examples and create the user using some options

1. Create a user with custom home directory
Assing home directory to user

~]$  useradd -d /networkinginfo netinfo

Note – If you create a user without -d then user home directory would be created as same as username.

Verify the user home directory

~]$ cat /etc/passwd | grep netinfo

output

netinfo:x:1001:1001::/networkinginfo:/bin/bash

========================================================================

  1. Add user to multiple groups

Before assing a user to groups we must have existing groups

To verify the existing groups use below command

~]$ cat /etc/group

output

smb:x:1002:

ssh:x:1003:

nfs:x:1004:

You may see the different output, I’m going to create a new user and add to above groups

~]$  useradd -G smb,ftp,ssh,nfs user1

Note – Capital “G” is used to assign user to secondary group

Verify the user which is associated with a group

~]$ groups user1
output
user1 : user1 ftp smb ssh nfs

or

~]$ cat /etc/group | grep user1
smb:x:1002:user1
ssh:x:1003:user1

nfs:x:1004:user1

========================================================================

  1. Create a user without home directory
    Once we create user account system automatically creates home directory in /home/xxx, But sometimes we want to create home directory later. Below is the process to create it.
    ~]$  usereadd -M user2
    Let’s verify that directory is created or not
    ~]$ ls -l /home/
    output

drwx——. 14 dinesh dinesh 4096 Jan 21 07:51 dinesh
drwx——.  3 user1  user1    78 Jan 22 05:01 user1
We don’t see the home directory for user2 because it wasn’t created with user.
========================================================================

  1. Creating a new user with account expiry date/ Creating temporary account

~]$  useradd -e 2018-01-23 user3
If you want to modify the existing user then use below command

~]$  usermod -e 2018-12-31 netinfo

verify the account expiry date

~]$ chage -l user3
output of user3
Last password change                                    : Jan 22, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Jan 23, 2018
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

output of netinfo

~]$ chage -l netinfo
Last password change                                    : Jan 22, 2018
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2018
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999

Number of days of warning before password expires       : 7

========================================================================

  1. Creating user account with password expiry date
    We can set password expiry date for user using below commands

~]$  useradd -f 2 user4

To modify the password expiry for existing user then follow the below command
~]$  usermod -f 2 netinfo

Verifying user password expiry date

~]$  cat /etc/shadow | grep user4

~]$  passwd -S user4
output of user4
user4:!!:17553:0:99999:7:2::
user4 LK 2018-01-21 0 99999 7 2 (Password locked.)
output of netinfo

netinfo:!!:17553:0:99999:7:120:17896:

netinfo LK 2018-01-21 0 99999 7 120 (Password locked.)

By default password expiry value is set to -1, It means the password will never get expired
========================================================================
6. Creating a user with comment or modifying the comment of current user.
Giving comment to a user account can give you idea the purpose the account was created for.

~]$  useradd -c “Used for Test Enviornment” user5
To modify the current user comment

~]$  usermod -c “Used for Practical” netinfo

To verify the assign comment to the user.

~]$  cat /etc/passwd

output
netinfo:x:1003:1006:Used for Practical:/home/netinfo:/bin/bash
user5:x:1007:1010:Used for Test Environment:/home/user5:/bin/bash
========================================================================

  1. Changing the account default shell

~]$  useradd -s /sbin/nologin user6

~]$  usermod -s /sbin/tash netinfo

To verify the shell information.

~]$  cat /etc/passwd | grep user6
output

user6:x:1008:1011::/home/user6:/sbin/nologin

netinfo:x:1003:1006:Used for Practical:/home/netinfo:/sbin/tash

========================================================================

  1. useradd advance use cases

~]$ useradd -d /home/user7testuser -c “Test user7” -U user7

Password change for user

~]$ passwd user7

This command can be run only by root user. the only root user can specify a username

A normal user can’t specify the username name in front of passwd command.

========================================================================

  1. Displaying the password information in Linux

~]$ passwd -S user2

This command can show result

~]$  user2 PS 2018-01-19 0 99999 7 -1 (Password set, SHA512 crypt.)

# user2 – is username

# PS – Password status (You may see LK-Password Locked, NP=No Password)

# 2018-01-19 – Last password change date

# 0  – Minimum age of password

# 99999 – Maximum age of password

# 7 – Waring period before expiring the password

# -1 – Password expiry information

========================================================================

  1. Expire password immidiately

~]$  passwd -e dinesh

This command expires password
Verify the information
~]$  chage -l dinesh
output
Last password change                                : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                          : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Password expires show that user password has expired and need to reassign.

========================================================================

  1. Locking/Unloacking the user password

~]$  passwd -l dinesh

Verify the user information
~]$ cat /etc/shadow | grep dinesh
output
This command locks the user password and updates shadow file. It inserts!! in front of the password hash value

below is an example

dinesh:!!$6$0m4zVG$TmUk4MUJst2Q6lLZYR6nQTiX1ldbc.yZhrBAbyY2cm8kyLRyxpfSVlZeim58zdK2mRgIeqNGKGRyKTEZMUzhf0:17551:0:99999:7:::

another command to verify

~]$  passwd -S dinesh

output

dinesh LK 2018-01-19 0 99999 7 -1 (Password locked.)

Unlocking user password

~]$ passwd -u dinesh

To verify

~]$ passwd -S dinesh

Result

dinesh PS 2018-01-19 0 99999 7 -1 (Password set, SHA512 crypt.)

Note – The password status should be PS

========================================================================

  1. Setting the password ageing time

~]$ passwd -i 10 dinesh

To verify

~]$ passwd -S dinesh

Result

dinesh PS 2018-01-19 0 99999 7 10 (Password set, SHA512 crypt.)

  1. Minimum password age setting

~]$ passwd -n 2 dinesh

To verify

~]$ Passwd -S dinesh

Result

dinesh PS 2018-01-19 2 99999 7 10 (Password set, SHA512 crypt.)

========================================================================

Function of usermod command

This command is mostly used to modify the user account setting, Once we execute the usermod command below files can be changes

  1. /etc/passwd
  2. /etc/shadow
  3. /etc/group
  4. /etc/gshadow
  5. /etc/login.defs
  1. Changing the home directory for user

– Verify the current home directory

~]$ cat /etc/passwd | grep dinesh

output
dinesh:x:1000:1000::/home/dinesh:/bin/bash

above output shows that /home/dinesh is current home directory

– Create new directory and change home dir for user

~]$  mkdir /home/dineshtest

~]$ usermode -d /home/dineshtest dinesh

– Verify again

~]$ cat /etc/passwd | gre dinesh

output
dinesh:x:1000:1000::/home/dineshtest/:/bin/bash

========================================================================

  1. Assigning user account to secondary group

– Verify the current user and find the user is associated with which group

~]$ id user5
output

uid=1014(user5) gid=1014(user5) groups=1014(user5)

Once the user is created the primary group is automatically created along with the user, Group gets the same name as user gets

Note – Before assigning a user to a new group, the Secondary group should present in the system.

– Create a new group

~]$ groupadd MGMT

– Assign user to group

~]$ usermod -G MGMT user5

– Verify again

~]$ id user5

uid=1014(user5) gid=1014(user5) groups=1014(user5),1064(MGMT)

note – if you want to add a user to multiple groups then the administrator has to use “a” option to append the group

example

~]$ usermod -a -G GRP1 user5

========================================================================

  1. Changing the user login name

– verify the current username

~]$ cat /etc/passwd | grep user1

– Change the user login name

~]$ usermod -l dinesh user1

– Verify again

~]$ cat /etc/passwd | grep user1

========================================================================

  1. Locking the user account

– Verify the current status

~]$ cat /etc/passwd | grep dinesh

use the command to lock the user
~]$ usermod -L dinesh

-Verify the shadow file where you can see ! mark in front of password

~]$ cat /etc/shadow

========================================================================

  1. Moving the users home directory

– Verify the current home directory for user

~]$ cat /etc/passwd | grep dinesh

– Move to new location

~]$ usermod -d /home/newdinesh -m dinesh

– Verify the home directory for user

~]$ cat /etc/passwd | grep dinesh

~]$  ls -l /home/newdinesh

========================================================================

  1. Unencrypted user Password setting

-Verify the current password format

~]$ cat /etc/shadow | grep dinesh

Result

dinesh:$6$0m4zVGTo$TmUk4MUJst2Q6lLZYR6nQTiX1ldbc.yZhrBAbyY2cm8kyLRyxpfSVlZeim58zdK2mRgIeqNGKGRyKTEZMUzhf0:17551:5:99999:7:10::

-Change user password to unencrypted mode

~]$ usermode -p password dinesh

-Verify the information in shadow

~]$ cat /etc/shadow | grep dinesh

Result

dinesh:password:17551:5:99999:7:10::

Note – we don’t recommend unencrypted password setting

========================================================================

  1. Changing the UID of user

-Verify the current UID of user

~]$ cat /etc/passwd | grep dinesh

Result

dinesh:x:1000:1000::/home/dineshtest/:/bin/bash

– Set new UID

~]$ usermod -u 1050 dinesh

– Verify the UID of user

~]$ cat /etc/passwd | grep dinesh

Result

dinesh:x:1050:1000::/home/dineshtest/:/bin/zsh

========================================================================

GROUP Management

========================================================================
1. Create a group account

~]$ groupadd testgroup

Setting group ID

~]$ groupadd -g 1100 testgroup

verify the group

~]$ cat /etc/group

========================================================================

  1. Creating system group

# In RHEL7 System groups have GID below 1000

~]$ groupadd -r systemtestgroup

verify the system group

~]$ cat /etc/group | grep systemtestgroup

========================================================================

  1. Creating group with duplicate GID

-Verify the current GID

~]$ cat /etc/group

Result

testgroup:x:1100:

– Assign 1100 id to testgroup1

~]$ groupadd -o -g 1100 testgroup1

– Verify again

~]$ cat /etc/group

Result

testgroup:x:1100:

systemtestgroup:x:995:

testgroup1:x:1100:

here we can see test group and testgroup1 have got the same GID

========================================================================

Modify the existing groups

========================================================================

Some values can make admin understand the effect of groupmod command

0 = Success

2 = Invalid syntax

3 = Invalid argument

4 = Specified group doesn’t exist

6 = Specified group doesn’t exist

9 = Group name already in use

10 = Can’t update group file

————————————————————————————————————————–

  1. Modify the group name

– Verify the existing group which we want to update

~]$ cat /etc/group | grep testgroup1

Result

testgroup1:x:1100:

– Change the old name to new name

~]$ groupmod -n newtestgroup1 testgroup1

– Verify again

~]$ cat /etc/group

Result

newtestgroup1:x:1100:

we can see testgroup1 has been updated with newtestgroup1 name

========================================================================

  1. Modifying group ID

-. Verify the group whose GID shoud

~]$ cat /etc/group | grep newtestgroup1

Result

newtestgroup1:x:1100:

-. Modify the GID

~]$ groupmod -g 1101 newtestgroup1

-. Verify again

~]$ cat /etc/group | grep newtestgroup1

Result

newtestgroup1:x:1101:

here we can see the new GID is updated

========================================================================

Managing group using Gpasswd command

=======================================================================

gpasswd is used to administer the /etc/group and /etc/gshadow file

  1. Add multiple users to a group

– Verify the existing group

~]$  cat /etc/group | grep newtestgroup1

Result

newtestgroup1:x:1101:

– Create three users

~]$ useradd test1

~]$ useradd test2

~]$ useradd test3

– Add users in group

~]$ gpasswd -M test1,test2,test newtestgroup1

– Verify again

~]$  cat /etc/group | grep newtestgroup1

Result

newtestgroup1:x:1101:test1,test2,test3

========================================================================

  1. Removing user from group

– Verify the how many users are member of a group

~]$  cat /etc/group | grep newtestgroup1

Result

newtestgroup1:x:1101:test1,test2,test3

– Remove test1 and test2 from newtestgroup1

~]$  gpasswd -d test1 newtestgroup1

~]$  gpasswd -d test2 newtestgroup1

– Verify again to see the result

Result

newtestgroup1:x:1101:test3

========================================================================

  1. Making user a member of administrator group

– Verify the user and see the user is member of which group

~]$ cat /etc/passwd | grep test2

Result

test2:x:1006:1007::/test2:/bin/bash

– Make user a member of admin group

~]$ gpasswd -A test2 newtestgroup1

– Verify again

========================================================================

  1. Setting group passwd

– Verify the current group password whether it is set or not

~]$ cat /etc/gshadow

Result

newtestgroup1:!:test2:test3

note – ! mark shows that password is not active or not set yet

– Set the group passwod

~]$ gpasswd newtestgroup1

– Verify again to see

~]$ cat /etc/gshadow | grep newtestgroup1

Result

newtestgroup1:$6$OZL2o/pUv0$rqxmIJRS7w/ql9XklZk64qBZIameI5UxVlgHI2jRgkse8JgG1vocq3xyYL5qNu3t0gtV8V3CJ3mf.VCCeN1wB1:test2:test3

Password can be removed putting -r keyword

~]$ gpasswd -r newtestgroup1
========================================================================
newgrp command

It is used to change the current GID during the login session to login to new group

User and Group Management in Rhel 7 ( Newgrp command )
========================================================================

Deleting user account

========================================================================

  1. The user which you would like to delete make sure the user is locked and not in use
  2. Kill all the process used by that user
  3. Take the backup of the useraccount
  4. userdel or deluser command to delete
  1. Verify the user which we want to delete

~]$ cat /etc/passwd

Result

test1:x:1051:1051::/home/test1:/bin/bash

  1. lock the user account

~]$  usermod -L test1

  1. verify the current processes used by user

~]$ pgrep -u test1

Result

2083

2084

2103

  1. Kill the used processes

~]$ kill 2083

~]$ kill 2084

~]$ kill 2103

or

~]$ kill -9 -u test1

  1. Take the backup of user’s  home directory

/home/test1 —->> /test1bkp/test1.home.tar.gz

~]$ mkdir /test1bkp

~]$ tar -zcvf /test1bkp/test1_home.tar.gz /home/test1

  1. Remove user with home directory

~]$ userdel -r test1

  1. Verify the user and it’s homedirectory

~]$ ls -l /home

~]$ cat /etc/passwd

Now you will find the user is deleted with /home/test1 home directory

========================================================================
This was just a start, I’ll come up with more option and features of user and group account in our future articles. Till then, Stay connected with me for more exciting and interesting tutorials in future. Do leave your comments and suggestions below in the comment box
==============================================================

GROUP MANAGEMENT HOW TO CREATES USER AND GROUPS IN LINUX? LINUX USER MANAGEMENT USER AND GROUP MANAGEMENT IN LINUX USER MANAGEMENT

Location: TOKYO, JAPAN

Write a Message