2. Users and Groups
• Three different types of user accounts:
• Root
• Normal user
• System (or what some people like to call “pseudo-user”) accounts
3. Users (Root)
• The root account is the equivalent of the Administrator or Enterprise Admin account in the Windows world.
• It is the most powerful account on the system and has access to everything.
• You should already realize that because of the power this account has, you should never use it. Ever!
4. Users (Normal User)
• Normal user accounts have no write access to anything on the system except their home directory (they can read and explore much of the system, however), which is created when the user account is added.
• As an administrator, you can assign access rights to different files and directories, allowing your users to gain access to different areas of the system (outside their home directory).
5. Users (System User)
• A system account is similar to a normal user account.
• The main difference is that system users normally don’t have a home directory and can’t log in the way normal users do.
• Many system users are created for, or associated with, applications or services to help run them more securely.
6. Users
• When dealing with users, you need to
• create their accounts
• give them passwords
• manage password settings
• modify their account settings
• delete their accounts when they are no longer needed.
7. Users
To manage user accounts, you can use the following commands:
• useradd Creates user or system accounts
• usermod Modifies user accounts
• userdel Removes a user or system account
8. useradd command
• Syntax: useradd [options] LOGIN
• Options
• -b Sets the base directory for the new user account home directory
• -c COMMENT Creates a description/label for the user account
• -e EXPIRE_DATE Sets the date when the account will expire
• -m Creates a home directory for the new user account
9. useradd command (Options)
• -r Creates a system account
• -s SHELL Defines what shell the user will log in to
• -u UID Forces the use of the UID for the new user account
• To make the first user account, you can use the following:
• # useradd -c "Avg Joe" -m -s /bin/bash user02
10. UIDs
• In Red Hat, UIDs start at 500 for normal users and can extend into the thousands.
• For system users, the UID starts at 1 and goes to 499.
• Red Hat also uses a policy called User Private Groups that gives each user a private group whose name is the same as the username.
• Although the GID doesn’t have to match the UID, it frequently does.
• This ensures that all users maintain security over their own files.
11. User
• You can check to see the new user’s home directory by using the following:
• # ls /home
• user01 user02
• Now create another user named user03 with a home directory:
• # useradd -m user03
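Before running useradd on a real system, an administrator usually wants a quick pre-flight check: is the login name one useradd will accept, does it already exist, and which UID will it receive. The script below is an added example and not from the slides; it works on a constructed /etc/passwd excerpt (PASSWD_SAMPLE) rather than the live file, the function names (uid_class, check_login, next_uid) are this example's own, and the UID ranges are the Red Hat ones the slides give (1-499 system, 500 and up normal).

```shell
#!/bin/sh
# Pre-flight checks before useradd (added example; not part of the slides).
# Constructed excerpt of /etc/passwd standing in for the real file.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user01:x:500:500:First User:/home/user01:/bin/bash
user02:x:501:501:Avg Joe:/home/user02:/bin/bash'

# Classify a UID with the Red Hat ranges from the slides:
# 0 = root, 1-499 = system account, 500 and up = normal user.
uid_class() {
    if [ "$1" -eq 0 ]; then
        echo root
    elif [ "$1" -lt 500 ]; then
        echo system
    else
        echo normal
    fi
}

# Accept a login name only if it is a portable user name (useradd's default
# check rejects spaces, capitals and a leading digit) and not already in passwd.
# Prints the verdict; exit status 0 means the name can be used.
check_login() {
    name=$1
    passwd_text=${2:-$PASSWD_SAMPLE}
    if ! printf '%s\n' "$name" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
        echo "invalid name: $name"
        return 1
    fi
    if printf '%s\n' "$passwd_text" | awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }'; then
        echo "name already exists: $name"
        return 1
    fi
    echo "ok: $name"
    return 0
}

# Next free UID in the normal-user range (what useradd picks when no -u is
# given): one above the highest UID in use, never below 500, ignoring the
# reserved high UIDs such as nobody's 65534.
next_uid() {
    passwd_text=${1:-$PASSWD_SAMPLE}
    printf '%s\n' "$passwd_text" | awk -F: 'BEGIN { max = 499 }
        $3 + 0 <= 60000 && $3 + 0 > max { max = $3 + 0 }
        END { print max + 1 }'
}

# Walk through the checks for the account the slides create next.
for candidate in user03 user02 'Avg Joe'; do
    check_login "$candidate" || true   # keep going so every verdict is shown
done
echo "next normal UID: $(next_uid) ($(uid_class "$(next_uid)"))"
```

The name check mirrors what useradd does by default; the uniqueness check is the one worth keeping, since a second passwd entry with an existing name or UID is exactly the kind of inconsistency pwck later complains about.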
12. usermod
• Syntax: usermod [options] LOGIN
• Options:
• -c COMMENT Specifies the new value of the GECOS field
• -d HOME_DIR Identifies the new home directory for the user account
• -g GROUP Uses GROUP as the new primary group
• -G GROUPS Specifies a new list of supplementary GROUPS
• -l NEW_LOGIN Provides a new value for the login name
• -L Locks the user account
• -s SHELL Sets a new login shell for the user account
• -u UID Specifies a new UID for the user account
• -U Unlocks the user account
13. userdel
• Syntax: userdel [options] LOGIN
• Options:
• -f Forces deletion of the user even if he’s still logged in
• -r Removes the user’s home directory and mail spool
14. Passwords
• No password was specified for any of the users created so far.
• Does this mean that each user’s password is blank and anyone can log in with a user’s account?
• Actually, no.
• By default, an account is locked until a password is assigned to it.
15. Passwords
• For password management, you can use the following commands:
• passwd Sets a password or resets a password for a user account
• chage Enables you to modify the parameters surrounding passwords (complexity, age, expiration)
• pwck Verifies the consistency of passwords across database files
16. passwd command
• Syntax: passwd [options] LOGIN
• Options:
• -l Locks a user’s account
• -u Unlocks a user’s account
• -S Shows the status of the password on the account
18. The Password File
• When making users, including system users, you can always check this file (/etc/passwd) to ensure they have been created properly.
• You can see that all the options specified during user creation are present here.
• The password field is actually just a placeholder (with an x).
• The reason is that the passwords are actually stored in a different file, /etc/shadow.
19. The Shadow File
• Syntax of /etc/shadow:
• <username>:<encrypted password>:<last passwd change>:<min>:<max>:<warn>:<inactive>:<expires>:<not used>
• With the exception of the username and password fields, all values are in days.
• To view the information about the user you just created, use the following:
• # cat /etc/shadow | grep user02
• user02:$1$cMT6t6Ld$OXCCg5Pm2v2/YXxEjmz9O1:14767:0:99999:7:::
20. The Shadow File
• You can see here the username and encrypted password.
• The next field, 14767, is the date the password was last changed, expressed as a number of days.
• Well, you just made this user account, so where did that large number come from?
• This number is actually the number of days since the Unix epoch (January 1, 1970), the standard reference point for keeping track of how much time has elapsed since an event.
• Also, notice that the next two fields show the minimum number of days before you can change your password (0) and the number of days your password is valid (the 99999 is basically forever, so the password won’t expire).
• The difference between the max days field and expires field is that max days requires you to change your password, whereas the expires field disables, or
21. chage command
• You can edit and manage the password expiration details with the chage command.
• Syntax: chage [options] USER
• Options:
• -d LAST_DAY Indicates the day the password was last changed
• -E EXPIRE_DATE Sets the account expiration date
• -I INACTIVE Sets the number of days after a password expires before the account becomes inactive
• -l Shows account aging information
• -m MIN_DAYS Sets the minimum number of days between password changes
• -M MAX_DAYS Sets the maximum number of days a password is valid
• -W WARN_DAYS Sets the number of days to warn before the password expires
22. chage command
• # chage -l user03
• Set user03’s account to expire in one week (say today’s date is 15-11-2022):
• # chage -E 2022-01-22 user03
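The aging fields on slides 19 to 22 are easier to reason about with a decoder in hand. The script below is an added example, not from the slides: it converts the day count in field 3 (or field 8) to a calendar date using integer arithmetic only, so it does not depend on GNU date, and classifies an entry as ok, warn, password-expired, account-expired, locked or NO-PASSWORD as of a given "today", also given in days since the epoch (19311 is 15-11-2022, the date slide 22 uses). The sample lines are constructed except user02's, which is the one on slide 19; the hashes marked CONSTRUCTED are placeholders and the function names are this example's own.

```shell
#!/bin/sh
# Decode /etc/shadow aging fields (added example; not part of the slides).
# Constructed sample; user02's line is the one shown on the slides.
SHADOW_SAMPLE='user02:$1$cMT6t6Ld$OXCCg5Pm2v2/YXxEjmz9O1:14767:0:99999:7:::
user03:!!:14767:0:99999:7:::
svc_backup:*:14767:0:99999:7:::
contractor:$6$CONSTRUCTED$placeholderhash:19300:0:90:7::19318:
intern:$6$CONSTRUCTED$placeholderhash:19200:0:90:7:::
legacy::14767:0:99999:7:::'

# Field 3 (last change) and field 8 (expires) are days since 1970-01-01.
# Convert such a count to YYYY-MM-DD with integer arithmetic only.
days_to_date() {
    awk -v z="$1" 'BEGIN {
        z += 719468                      # shift so day 0 is 0000-03-01
        era = int(z / 146097)            # 400-year cycles
        doe = z - era * 146097           # day within the cycle
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)    # month, counting from March
        d = doy - int((153 * mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        printf "%04d-%02d-%02d\n", y, m, d
    }'
}

# Classify one shadow line as of TODAY (a day count). Prints "user state".
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        user = $1; pw = $2; last = $3 + 0; max = $5 + 0; warn = $6 + 0; expday = $8
        if (pw == "") state = "NO-PASSWORD"                                          # empty field: login with no password at all
        else if (pw ~ /^[!*]/) state = "locked"                                      # "!!" (never set) or "*" (disabled) match nothing
        else if (expday != "" && today >= expday + 0) state = "account-expired"      # chage -E / useradd -e date reached
        else if (max < 99999 && today > last + max) state = "password-expired"       # past last change + MAX_DAYS
        else if (max < 99999 && today >= last + max - warn) state = "warn"           # inside the WARN_DAYS window
        else state = "ok"
        print user, state
    }'
}

# Report every sample entry as "user state last-change-date".
shadow_report() {
    today=$1
    printf '%s\n' "$SHADOW_SAMPLE" | while IFS= read -r line; do
        lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
        echo "$(shadow_status "$line" "$today") $(days_to_date "$lastchg")"
    done
}

shadow_report 19311   # 19311 days after the epoch is 15-11-2022, the date used on the slides
```

An empty second field is the case slide 14 asks about: unlike `!!` or `*`, it does not lock the account but admits anyone without a password, which is why the report flags it in capitals. Note also which fields are which: min, max, warn and inactive are durations, while last change and expires are dates in the same day-count units, so password expiry falls on last change plus max.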
23. pwck command
• When you create or delete users, sometimes things don’t always work out properly. This can cause the password files to become inconsistent. You can use the pwck command to verify the consistency between the /etc/passwd file and the /etc/shadow file:
• # pwck
• user adm: directory /var/adm does not exist
• user news: directory /etc/news does not exist
• user uucp: directory /var/spool/uucp does not exist
• pwck: no changes
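Because pwck only reports what it finds, it helps to know which inconsistencies matter. The script below is an added example (not pwck itself and not from the slides) that applies pwck-style checks to constructed passwd and shadow excerpts: a passwd entry whose password field is not x (a hash sitting in the world-readable file), two logins sharing a UID, an empty shadow password field, and entries present in one file but not the other. The function and sample names are this example's own; user02's hash is the one on slide 19 and the other hash is a labelled placeholder.

```shell
#!/bin/sh
# pwck-style consistency check over passwd/shadow text (added example; not the
# real pwck, which also validates field counts and home directories).
# Constructed samples; user02's hash is the one shown on the slides.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
user02:x:501:501:Avg Joe:/home/user02:/bin/bash
user03:x:502:502::/home/user03:/bin/bash
legacy:$1$CONSTRUCTED$notarealhash0000000000:503:503::/home/legacy:/bin/bash
dupe:x:501:510::/home/dupe:/bin/bash'
SHADOW_SAMPLE='root:!!:14767:0:99999:7:::
adm:*:14767:0:99999:7:::
user02:$1$cMT6t6Ld$OXCCg5Pm2v2/YXxEjmz9O1:14767:0:99999:7:::
user03:!!:14767:0:99999:7:::
ghost::14767:0:99999:7:::'

# Print one finding per line; nothing printed means the two files agree.
pw_findings() {
    passwd_text=${1:-$PASSWD_SAMPLE}
    shadow_text=${2:-$SHADOW_SAMPLE}
    {
        printf '%s\n' "$passwd_text" | sed 's/^/P:/'   # tag lines by source file
        printf '%s\n' "$shadow_text" | sed 's/^/S:/'
    } | awk -F: '
        $1 == "P" {
            user = $2; pw = $3; uid = $4
            inpasswd[user] = 1
            # Anything but "x" here means a hash is stored in the world-readable file
            if (pw != "x") print "user " user ": password field in passwd is not x"
            # Two names sharing a UID are the same identity as far as the kernel is concerned
            if (uid in owner) print "user " user ": duplicate UID " uid " (also " owner[uid] ")"
            else owner[uid] = user
        }
        $1 == "S" {
            user = $2; pw = $3
            inshadow[user] = 1
            # An empty field is not "locked": it lets the account in with no password
            if (pw == "") print "user " user ": empty password field in shadow"
        }
        END {
            for (u in inpasswd) if (!(u in inshadow)) print "user " u ": no matching shadow entry"
            for (u in inshadow) if (!(u in inpasswd)) print "user " u ": shadow entry without passwd entry"
        }'
}

# Number of findings, for scripting (0 = consistent).
pw_finding_count() {
    pw_findings "$@" | awk 'END { print NR }'
}

# The check behind pwck's "directory ... does not exist" lines.
missing_home_dirs() {
    passwd_text=${1:-$PASSWD_SAMPLE}
    printf '%s\n' "$passwd_text" | awk -F: '{ print $1, $6 }' | while read -r user home; do
        [ -d "$home" ] || echo "user $user: directory $home does not exist"
    done
}

pw_findings
echo "findings: $(pw_finding_count)"
```

The sample deliberately contains one of each problem, so the run reports six findings; on a healthy system the count is 0. Order of the END-block lines varies between awk implementations, so scripts should test the count or grep for a specific message rather than compare whole output.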
24. Groups
• Creating a group is similar to creating a user.
• Here are the commands for group creation and management:
• id Shows UID/GID for the group of a given user
• groupadd Creates a group
• groupmod Modifies the properties of a group
• groupdel Deletes a group
25. groupadd
• Syntax: groupadd [options] GROUP
• Options
• -r Creates a system group
• -g GID Uses the GID specified for the group
• # groupadd Sales
26. The Group File
• Syntax of /etc/group:
• <group name>:<password placeholder>:<GID>:<members>
• You can verify that your group was added successfully by checking this file for the new group’s existence.
• # cat /etc/group | grep Sales
• Sales:x:503:
• Notice that there is an x placeholder as in the user’s file, but this field is not typically used with groups.
27. The Group File
• Now that you have the Sales group, add some of the users to that group:
• # usermod -G Sales user02
• This adds user02 to the Sales group. Verify with
• # cat /etc/group | grep Sales
• Sales:x:503:user02
• Here, you can see the group named Sales and the last field, which shows a list of members for the group.
28. The Group File
• Next, add another user to the Sales group.
• # usermod -G Sales user03
• Now if you verify, you should see two user accounts in the last field:
• # cat /etc/group | grep Sales
• Sales:x:503:user02,user03
29. id command
• Another way you can verify what groups a user belongs to is to use the id command:
• Syntax: id [options] [username]
• Options
• -G Shows the GIDs of all groups the user belongs to
• -n Shows the name instead of the ID
• -u Shows the UID
30. id command
• Let’s check out the groups to which user02 belongs:
• # id -Gn user02
• user02 Sales
• If the id command is called without any options, you can also see what UID and GID the user has:
• # id user02
• uid=501(user02) gid=501(user02) groups=500(user02) context=user_u:system_r:unconfined_t
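To see what id -Gn actually resolves, the script below rebuilds its answer from the two files on the previous slides: the primary group comes from the GID in /etc/passwd field 4 looked up in /etc/group field 3, and the supplementary groups from the member list in /etc/group field 4. It is an added example, not from the slides, running on constructed excerpts (PASSWD_SAMPLE, GROUP_SAMPLE) with its own function names; a Finance group and a wheel membership are added to the sample so the lookup has more than one answer.

```shell
#!/bin/sh
# Resolve a user's groups from passwd/group text the way id -Gn does
# (added example; constructed sample files, not the slides' own code).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
user02:x:501:501:Avg Joe:/home/user02:/bin/bash
user03:x:502:502::/home/user03:/bin/bash'
GROUP_SAMPLE='root:x:0:
user02:x:501:
user03:x:502:
Sales:x:503:user02,user03
Finance:x:504:user02
wheel:x:10:user03'

# Primary group: passwd field 4 is a GID; find the group carrying that GID (field 3).
primary_group() {
    gid=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Supplementary groups: every group whose member list (field 4) names the user.
supplementary_groups() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v u="$1" '{
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] == u) print $1
    }'
}

# Same output as "id -Gn USER": primary group first, then the rest, space separated.
user_groups() {
    { primary_group "$1"; supplementary_groups "$1"; } | tr '\n' ' ' | sed 's/ $//'
}

# Reverse lookup: the member list of one group, as stored in field 4.
# This is the check to run on administrative groups such as wheel.
members_of() {
    printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

echo "user02: $(user_groups user02)"   # user02 Sales Finance
echo "user03: $(user_groups user03)"   # user03 Sales wheel
echo "wheel:  $(members_of wheel)"     # user03
```

One caveat the slides' commands do not hit: `usermod -G` replaces the whole supplementary list. It works on the slides because user02 and user03 had no other groups yet, but on an account already in Finance, `usermod -G Sales USER` would silently drop Finance; append with `usermod -aG Sales USER` instead, and check the result with `id -Gn` as the slide shows.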
31. Switching Accounts
• With all these user accounts floating around, someone is bound to run into a problem sooner or later.
• Being able to switch accounts is most useful when you’re troubleshooting some specific problem a user has or if you want to show a user how to do something.
• su Enables you to run a command as another user or switch user accounts
• sudo Enables you to run a command as the root user
32. Switching Accounts
• Suppose you are logged in as user02, but user03 is having trouble executing a command.
• You can switch over to user03’s account to check that the command is able to be run and that the problem is not just a user error.
• To switch accounts, use this command:
• # su user03
• Password:
• To create a new user with a normal user account, you can use the following command:
• # sudo useradd user09
33. Group Collaboration
• setuid This flag makes an executable run with the permissions of the file’s owner, which is how it allows multiuser access to a privileged program.
• setgid This flag makes an executable run with the permissions of the file’s group; on a directory it makes new files inherit the directory’s group, which allows multigroup access.
• sticky bit On a shared directory, this flag prevents accidental deletion of files by users or groups who don’t own them.
• chmod Changes permissions on files and directories
• chown Changes ownership of files and directories
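A common use of the setgid and sticky flags together is a directory shared by a group such as Sales: files created inside inherit the group, so every member can read and write them, while the sticky bit stops members from deleting each other's files. The script below is an added example, not from the slides; so that it runs without root it uses a temporary directory and the caller's own primary group in place of Sales, and it verifies the result from the ls -ld output (function names are this example's own).

```shell
#!/bin/sh
# Shared group directory with setgid + sticky bit (added example; not from the slides).

# Create DIR owned by GROUP with mode 2770 plus the sticky bit.
make_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    # 2770: owner and group get rwx, others nothing; the leading 2 is setgid,
    # so files created inside inherit the directory's group, not the creator's.
    chmod 2770 "$dir"
    # Sticky bit: only a file's owner (or root) may delete or rename it,
    # even though every group member can write in the directory.
    chmod +t "$dir"
}

# Permission string as ls prints it, e.g. drwxrws--T (s = setgid, T = sticky).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group owner of a path, from the fourth column of ls -ld.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Build the directory in a temp location, create a file inside, and report
# "<dir mode> <dir group> <file group>"; the two groups match when setgid works.
demo_shared_dir() {
    tmp=$(mktemp -d)
    make_shared_dir "$tmp/project" "$(id -g)"   # own primary GID stands in for Sales
    : > "$tmp/project/report.txt"
    result="$(mode_of "$tmp/project") $(group_of "$tmp/project") $(group_of "$tmp/project/report.txt")"
    rm -rf "$tmp"
    echo "$result"
}

demo_shared_dir
```

On a real system the call would be `make_shared_dir /srv/sales Sales` as root after the group exists. Without setgid, a file written by user02 would belong to user02's private group (the User Private Groups policy from slide 10) and user03 could not edit it; without the sticky bit, any member could remove another member's files because the directory itself is group-writable.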