The control of users and groups is a core element of Red Hat Enterprise Linux system administration.
Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use.
Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
Each user and group has a unique numerical identification number called a userid (UID) and a groupid (GID), respectively.
A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and file owner.
The following command line tools can also be used to manage users and groups:
- useradd, usermod, and userdel — Industry-standard methods of adding, deleting and modifying user accounts
- groupadd, groupmod, and groupdel — Industry-standard methods of adding, deleting, and modifying user groups
- gpasswd — Industry-standard method of administering the /etc/group file
- pwck, grpck — Tools used for the verification of the password, group, and associated shadow files
- pwconv, pwunconv — Tools used for the conversion of passwords to shadow passwords and back to standard passwords.
01. Managing users:
Users are stored in the /etc/passwd file, and their passwords are stored in /etc/shadow.
Adding users: read the useradd help output and man page to learn about all the options.

    useradd --help
    man useradd
    useradd ahmed
    useradd mohammed
    useradd testuser
Modifying users: read the usermod help output and man page to learn about all the options.

    usermod --help
    man usermod
    # add user ahmed to a group called sales (append this group to the existing groups)
    usermod -aG sales ahmed
    # make sales the primary group for this user
    usermod -g sales ahmed
    # lock user mohammed (disable the account without needing to delete it)
    usermod -L mohammed
    # unlock a locked user
    usermod -U mohammed
Deleting users: read the userdel help output and man page to learn about all the options.

    userdel --help
    man userdel
    # delete a user without deleting the home directory (unless the default was changed)
    userdel ahmed
    # delete a user and remove the home and mail directories
    userdel -r ahmed
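The state these commands leave in /etc/passwd and /etc/shadow can be checked read-only. The following is an added example, not part of the original post: it parses constructed sample data in passwd and shadow format, lists UID 0 accounts other than root, and classifies each password field as set, empty, or locked (`usermod -L` prefixes the hash with `!`). The `backup` account, the hashes and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/shadow format (no real accounts or hashes).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ahmed:x:1000:1000::/home/ahmed:/bin/bash
mohammed:x:1001:1001::/home/mohammed:/bin/bash
testuser:x:1002:1002::/home/testuser:/bin/bash
backup:x:0:0::/home/backup:/bin/bash'

SAMPLE_SHADOW='root:$6$constructed$hash:16549:0:99999:7:::
ahmed:$6$constructed$hash:16549:0:99999:7:::
mohammed:!$6$constructed$hash:16549:0:99999:7:::
testuser::16549:0:99999:7:::
backup:!!:16549:0:99999:7:::'

# uid0_accounts: read passwd-format lines on stdin, print every name
# that has UID 0 but is not root (each one is a second superuser).
uid0_accounts() {
    while IFS=: read -r name pw uid rest; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then echo "$name"; fi
    done
}

# password_states: read shadow-format lines on stdin, print "name state".
#   empty  = no password required to log in
#   locked = field starts with '!' or '*', password login disabled
#   set    = a password hash is present
password_states() {
    while IFS=: read -r name hash rest; do
        case $hash in
            '')        state=empty ;;
            '!'*|'*'*) state=locked ;;
            *)         state=set ;;
        esac
        echo "$name $state"
    done
}

# Report on the constructed samples.
echo "UID 0 besides root: $(printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts)"
printf '%s\n' "$SAMPLE_SHADOW" | password_states
```

On a real system, feed the functions from /etc/passwd and, as root, /etc/shadow. `usermod -L` only disables the password; usermod(8) notes that the expiry date should also be set to 1 to lock the account as a whole.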
02. Managing Groups:
Group management is very similar to user management but simpler. Group information is stored in /etc/gshadow.
Adding groups: read the groupadd help output and man page to learn about all the options.

    groupadd --help
    man groupadd
    # add the sales and accounts groups
    groupadd sales
    groupadd accounts
Modifying groups: read the groupmod help output and man page to learn about all the options.

    groupmod --help
    man groupmod
    # change the group name from sales to Newsales
    groupmod -n Newsales sales

Deleting groups: read the groupdel help output and man page to learn about all the options.

    groupdel --help
    man groupdel
    # delete group sales
    groupdel sales
03. Default User policy and configuration:
When you create a new user with the useradd command without any parameters, it uses the default options, which are stored in /etc/default/useradd.

    vim /etc/default/useradd

    # useradd defaults file
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes

You may change the default shell, the home path, or the expiration, or change the group ID to start above 200 rather than 100.
What if you want to copy some default data to all users?
You can achieve that with the SKEL path defined in /etc/default/useradd, which defaults to /etc/skel/.
It is usually used for specific configuration files, but you may put any files there.

    # ls -la /etc/skel/
    total 24
    drwxr-xr-x.  2 root root   59 Apr 24 09:35 .
    drwxr-xr-x. 76 root root 8192 Apr 24 10:08 ..
    -rw-r--r--.  1 root root   18 Jun 10  2014 .bash_logout
    -rw-r--r--.  1 root root  193 Jun 10  2014 .bash_profile
    -rw-r--r--.  1 root root  231 Jun 10  2014 .bashrc

Add any test file to that path and create a new user; you should find all the files in the user's home directory.
To set a password for a user, use the command passwd USER.
Only root can set a password for other users; every user can change their own password.
But how does the system decide how many characters and which character types a password must contain, what the minimum and maximum password age is, and how many days before expiration to warn the user?
All of that is configured in /etc/login.defs.

    vim /etc/login.defs

    MAIL_DIR        /var/spool/mail

    # Password aging controls:
    PASS_MAX_DAYS   99999
    PASS_MIN_DAYS   0
    PASS_MIN_LEN    5
    PASS_WARN_AGE   7

    # Min/max values for automatic uid selection in useradd
    UID_MIN         1000
    UID_MAX         60000
    # System accounts
    SYS_UID_MIN     201
    SYS_UID_MAX     999

    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN         1000
    GID_MAX         60000
    # System accounts
    SYS_GID_MIN     201
    SYS_GID_MAX     999

    CREATE_HOME     yes
    UMASK           077
Those are some, not all, of the settings in that file, and they are easy to understand. The most important are the password settings; change them to match your own policies: PASS_MAX_DAYS (maximum password age before it expires), PASS_MIN_DAYS (minimum number of days a password must be used before it can be changed), PASS_MIN_LEN (minimum number of characters in a valid password), PASS_WARN_AGE (how many days before expiration the user is warned), and CREATE_HOME yes (create home directories by default for new users).
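To compare these password settings against a written policy, the file can be parsed and each value tested. The following is an added example, not part of the original post: it reads login.defs-format text and prints every password setting that is weaker than a baseline. The sample input is constructed from the values listed above; the thresholds and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample in /etc/login.defs format, using the values from the listing above.
SAMPLE_DEFS='# Password aging controls:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           077'

# Baseline thresholds: assumptions for illustration, replace with your own policy.
MAX_DAYS_LIMIT=90   # a password must expire within this many days
MIN_DAYS_FLOOR=1    # at least this many days between password changes
MIN_LEN_FLOOR=12    # minimum password length
WARN_AGE_FLOOR=7    # warn at least this many days before expiry

# audit_login_defs: read login.defs-format text on stdin and print one
# "KEY=value reason" line for every setting weaker than the baseline.
audit_login_defs() {
    while read -r key val rest; do
        case $key in
            PASS_MAX_DAYS) op=-le limit=$MAX_DAYS_LIMIT why="above $MAX_DAYS_LIMIT" ;;
            PASS_MIN_DAYS) op=-ge limit=$MIN_DAYS_FLOOR why="below $MIN_DAYS_FLOOR" ;;
            PASS_MIN_LEN)  op=-ge limit=$MIN_LEN_FLOOR  why="below $MIN_LEN_FLOOR" ;;
            PASS_WARN_AGE) op=-ge limit=$WARN_AGE_FLOOR why="below $WARN_AGE_FLOOR" ;;
            *) continue ;;   # comments, blank lines and unrelated keys
        esac
        case $val in
            ''|*[!0-9]*) echo "$key=$val not a non-negative number" ;;
            *) if ! [ "$val" "$op" "$limit" ]; then echo "$key=$val $why"; fi ;;
        esac
    done
}

# Report on the constructed sample.
printf '%s\n' "$SAMPLE_DEFS" | audit_login_defs
```

Run it against the real file with `audit_login_defs < /etc/login.defs`. The aging values in login.defs apply to accounts created afterwards; existing accounts keep the values already stored in /etc/shadow, which are changed per user with chage.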
That is it. I hope it was simple to create and modify users and groups. Thanks.
Enjoy!