Chapter 3. Managing Users and Groups
3.1. What Users and Groups Are
The control of users and groups is a core element of Red Hat Enterprise Linux system administration. A user of the system is either a human being or an account used by a specific application; each user is identified by a unique numerical identifier called a user ID (UID). Users within a group can have read permission, write permission, execute permission, or any combination of read/write/execute permissions for files owned by that group.
Red Hat Enterprise Linux supports access control lists (ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about this feature, see the Access Control Lists chapter of the Red Hat Enterprise Linux 6 Storage Administration Guide.
A group is an organizational unit tying users together for a common purpose, which can be read permission, write permission, or execute permission for files owned by that group. Similar to the UID, each group is associated with a group ID (GID).
Note
Red Hat Enterprise Linux reserves user and group IDs below 500 for system users and groups. By default, the User Manager does not display the system users. Reserved user and group IDs are documented in the setup package. To view the documentation, use this command:
cat /usr/share/doc/setup-2.8.14/uidgid
The recommended practice is to assign non-reserved IDs starting at 5,000, as the reserved range can increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN and GID_MIN directives in the /etc/login.defs file:
[file contents truncated]
UID_MIN                  5000
[file contents truncated]
GID_MIN                  5000
[file contents truncated]
Even with new user and group IDs beginning at 5,000, it is recommended not to raise the IDs reserved by the system above 500, to avoid conflicts with systems that retain the 500 limit.
Each user is a member of exactly one primary group and zero or more supplementary groups. By default, when a file is created, the file's owner is its creator and the file's group is the creator's primary group. A user can temporarily change what group is their primary group with the newgrp command, after which all newly created files are owned by the new group. A supplementary group serves to grant a certain set of users, its members, access to a certain set of files, those owned by this group.
The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and the file owner.
By default, a file or directory can be modified only by its creator. The setting that determines what permissions are applied to a newly created file or directory is called a umask and can be configured in the /etc/bashrc file for all users, or in ~/.bashrc for each user individually. The configuration in ~/.bashrc overrides the configuration in /etc/bashrc. Additionally, the umask command overrides the default permissions for the duration of the shell session.
To authenticate, a user enters their password. A hash sum is generated from the entered string and compared to the hash sum of the user's password. If the hash sums match, the user authenticates successfully.
Hash sums of user passwords are stored in the /etc/shadow file, which is only readable by the root user. The file also stores information about password aging and policies for specific accounts. The default values for a newly created account are stored in the /etc/login.defs and /etc/default/useradd files. The Red Hat Enterprise Linux 6 Security Guide provides more security-related information about users and groups.
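The three policy points this chapter makes (UID_MIN/GID_MIN at 5,000 in /etc/login.defs, /etc/shadow readable only by root, and the umask deciding the mode of new files) can be checked with a short script. The following is an added example, not code from the Red Hat guide; file paths are parameters and the inputs are constructed samples, so it runs without touching the real /etc.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: check a host against the
# user/group policy described in this chapter. Paths are parameters so the
# checks run here against constructed sample files instead of the real /etc.

# Value of a directive such as UID_MIN in a login.defs-style file
# (comment lines skipped; empty output if the directive is absent).
logindefs_value() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# Succeed only if UID_MIN and GID_MIN are both present and at least 5000.
check_id_min() {
    uid_min=$(logindefs_value "$1" UID_MIN)
    gid_min=$(logindefs_value "$1" GID_MIN)
    [ -n "$uid_min" ] && [ -n "$gid_min" ] &&
        [ "$uid_min" -ge 5000 ] && [ "$gid_min" -ge 5000 ]
}

# Succeed only if group and others hold no permission at all on the file,
# as required of /etc/shadow (characters 5-10 of the ls mode column).
check_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Default mode a umask yields for new files ($1=666) or directories ($1=777):
# the base mode with the umask bits cleared, printed as four octal digits.
umask_mode() {
    printf '%04o' $(( 0$1 & ~0$2 ))
}

# Stand-alone demonstration on constructed sample files in a scratch directory.
tmp=$(mktemp -d)
printf 'UID_MIN\t5000\nGID_MIN\t5000\n' > "$tmp/login.defs"   # constructed sample
touch "$tmp/shadow" && chmod 600 "$tmp/shadow"                # constructed sample
check_id_min "$tmp/login.defs" && echo "login.defs: UID_MIN and GID_MIN >= 5000"
check_owner_only "$tmp/shadow" && echo "shadow: owner-only permissions"
echo "umask 022 -> file $(umask_mode 666 022), dir $(umask_mode 777 022)"
echo "umask 077 -> file $(umask_mode 666 077), dir $(umask_mode 777 077)"
rm -rf "$tmp"
```

To audit a live system, call the functions with /etc/login.defs and /etc/shadow and with the umask value set in /etc/bashrc.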