Chapter 4. Managing Users and Groups
The control of users and groups is a core element of Red Hat Enterprise Linux system administration. This chapter explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as creating group directories.
4.1. Introduction to Users and Groups
While users can be either people (meaning accounts tied to physical users) or accounts that exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group share the same permissions to read, write, or execute files owned by that group.
Each user is associated with a unique numerical identification number called a user ID (UID). Likewise, each group is associated with a group ID (GID). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root
, and access permissions can be changed by both the root
user and file owner.
Additionally, Red Hat Enterprise Linux supports access control lists (ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about this feature, see Chapter 5, Access Control Lists.
Reserved User and Group IDs
Red Hat Enterprise Linux reserves user and group IDs below 1000 for system users and groups. By default, the User Manager does not display the system users. Reserved user and group IDs are documented in the setup package. To view the documentation, use this command:
cat /usr/share/doc/setup*/uidgid
The recommended practice is to assign IDs starting at 5,000 that were not already reserved, as the reserved range can increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN
and GID_MIN
directives in the /etc/login.defs
file:
[file contents truncated] UID_MIN 5000 [file contents truncated] GID_MIN 5000 [file contents truncated]
For users created before you changed UID_MIN
and GID_MIN
directives, UIDs will still start at the default 1000.
Even with new user and group IDs beginning with 5,000, it is recommended not to raise IDs reserved by the system above 1000 to avoid conflict with systems that retain the 1000 limit.
4.1.1. User Private Groups
Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group.
User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory.
The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc
file. Traditionally on UNIX-based systems, the umask
is set to 022
, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator’s group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group. See Section 4.3.5, “Setting Default Permissions for New Files Using umask
” for more information.
A list of all groups is stored in the /etc/group
configuration file.
4.1.2. Shadow Passwords
In environments with multiple users, it is very important to use shadow passwords provided by the shadow-utils package to enhance the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
The following is a list of the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
-
Shadow passwords improve system security by moving encrypted password hashes from the world-readable
/etc/passwd
file to/etc/shadow
, which is readable only by theroot
user. - Shadow passwords store information about password aging.
-
Shadow passwords allow to enforce some of the security policies set in the
/etc/login.defs
file.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow
file, some utilities and commands do not work without first enabling shadow passwords:
-
The
chage
utility for setting password aging parameters. For details, see the Password Security section in the Red Hat Enterprise Linux 7 Security Guide. -
The
gpasswd
utility for administrating the/etc/group
file. -
The
usermod
command with the-e, --expiredate
or-f, --inactive
option. -
The
useradd
command with the-e, --expiredate
or-f, --inactive
option.
4.2. Managing Users in a Graphical Environment
The Users utility allows you to view, modify, add, and delete local users in the graphical user interface.
4.2.1. Using the Users Settings Tool
Press the Super key to enter the Activities Overview, type Users
and then press Enter. The Users settings tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Space bar. Alternatively, you can open the Users utility from the Settings menu after clicking your user name in the top right corner of the screen.
To make changes to the user accounts, first select the root
. To add and remove users, select the and button respectively. To add a user to the administrative group wheel
, change the Account Type from Standard
to Administrator
. To edit a user’s language setting, select the language and a drop-down menu appears.
Figure 4.1. The Users Settings Tool
When a new user is created, the account is disabled until a password is set. The Password drop-down menu, shown in Figure 4.2, “The Password Menu”, contains the options to set a password by the administrator immediately, choose a password by the user at the first login, or create a guest account with no password required to log in. You can also disable or enable an account from this menu.
Figure 4.2. The Password Menu
4.3. Using Command-Line Tools
Apart from the Users settings tool described in Section 4.2, “Managing Users in a Graphical Environment”, which is designed for basic managing of users, you can use command line tools for managing users and groups that are listed in Table 4.1, “Command line utilities for managing users and groups”.
Utilities | Description |
---|---|
| Displays user and group IDs. |
| Standard utilities for adding, modifying, and deleting user accounts. |
| Standard utilities for adding, modifying, and deleting groups. |
|
Utility primarily used for modification of group password in the |
| Utilities that can be used for verification of the password, group, and associated shadow files. |
| Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords. |
| Similar to the previous, these utilities can be used for conversion of shadowed information for group accounts. |
4.3.1. Adding a New User
To add a new user to the system, type the following at a shell prompt as root
:
useradd
options username
…where options are command-line options as described in Table 4.2, “Common useradd command-line options”.
By default, the useradd
command creates a locked user account. To unlock the account, run the following command as root
to assign a password:
passwd
username
Optionally, you can set a password aging policy. See the Password Security section in the Red Hat Enterprise Linux 7 Security Guide.
Option | |
---|---|
| comment can be replaced with any string. This option is generally used to specify the full name of a user. |
|
Home directory to be used instead of default |
| Date for the account to be disabled in the format YYYY-MM-DD. |
|
Number of days after the password expires until the account is disabled. If |
| Group name or group number for the user’s default (primary) group. The group must exist prior to being specified here. |
| List of additional (supplementary, other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
| Create the home directory if it does not exist. |
| Do not create the home directory. |
| Do not create a user private group for the user. |
|
The password encrypted with |
| Create a system account with a UID less than 1000 and without a home directory. |
|
User’s login shell, which defaults to |
| User ID for the user, which must be unique and greater than 999. |
The default range of IDs for system and normal users has been changed in Red Hat Enterprise Linux 7 from earlier releases. Previously, UID 1-499 was used for system users and values above for normal users. The default range for system users is now 1-999. This change might cause problems when migrating to Red Hat Enterprise Linux 7 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID can be changed in the /etc/login.defs
file.
Explaining the Process
The following steps illustrate what happens if the command useradd juan
is issued on a system that has shadow passwords enabled:
A new line for
juan
is created in/etc/passwd
:juan:x:1001:1001::/home/juan:/bin/bash
The line has the following characteristics:
-
It begins with the user name
juan
. -
There is an
x
for the password field indicating that the system is using shadow passwords. - A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for system use and should not be assigned to users.
- A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000 are reserved for system use and should not be assigned to users.
- The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.
-
The home directory for
juan
is set to/home/juan/
. -
The default shell is set to
/bin/bash
.
-
It begins with the user name
A new line for
juan
is created in/etc/shadow
:juan:!!:14798:0:99999:7:::
The line has the following characteristics:
-
It begins with the user name
juan
. Two exclamation marks (
!!
) appear in the password field of the/etc/shadow
file, which locks the account.NoteIf an encrypted password is passed using the
-p
flag, it is placed in the/etc/shadow
file on the new line for the user.- The password is set to never expire.
-
It begins with the user name
A new line for a group named
juan
is created in/etc/group
:juan:x:1001:
A group with the same name as a user is called a user private group. For more information on user private groups, see Section 4.1.1, “User Private Groups”.
The line created in
/etc/group
has the following characteristics:-
It begins with the group name
juan
. -
An
x
appears in the password field indicating that the system is using shadow group passwords. -
The GID matches the one listed for
juan
's primary group in/etc/passwd
.
-
It begins with the group name
A new line for a group named
juan
is created in/etc/gshadow
:juan:!::
The line has the following characteristics:
-
It begins with the group name
juan
. -
An exclamation mark (
!
) appears in the password field of the/etc/gshadow
file, which locks the group. - All other fields are blank.
-
It begins with the group name
A directory for user
juan
is created in the/home
directory:~]# ls -ld /home/juan drwx------. 4 juan juan 4096 Mar 3 18:23 /home/juan
This directory is owned by user
juan
and groupjuan
. It has read, write, and execute privileges only for the userjuan
. All other permissions are denied.The files within the
/etc/skel/
directory (which contain default user settings) are copied into the new/home/juan/
directory:~]# ls -la /home/juan total 28 drwx------. 4 juan juan 4096 Mar 3 18:23 . drwxr-xr-x. 5 root root 4096 Mar 3 18:23 .. -rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout -rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile -rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
At this point, a locked account called juan
exists on the system. To activate it, the administrator must next assign a password to the account using the passwd
command and, optionally, set password aging guidelines (see the Password Security section in the Red Hat Enterprise Linux 7 Security Guide for details).
4.3.2. Adding a New Group
To add a new group to the system, type the following at a shell prompt as root
:
groupadd options group_name
…where options are command-line options as described in Table 4.3, “Common groupadd command-line options”.
Option | Description |
---|---|
|
When used with |
| Group ID for the group, which must be unique and greater than 999. |
|
Override |
| Allows creating groups with duplicate GID. |
| Use this encrypted password for the new group. |
| Create a system group with a GID less than 1000. |
4.3.3. Adding an Existing User to an Existing Group
Use the usermod
utility to add an already existing user to an already existing group.
Various options of usermod
have different impact on user’s primary group and on his or her supplementary groups.
To override user’s primary group, run the following command as root
:
~]# usermod -g group_name user_name
To override user’s supplementary groups, run the following command as root
:
~]# usermod -G group_name1,group_name2,... user_name
Note that in this case all previous supplementary groups of the user are replaced by the new group or several new groups.
To add one or more groups to user’s supplementary groups, run one of the following commands as root
:
~]# usermod -aG group_name1,group_name2,... user_name
~]# usermod --append -G group_name1,group_name2,... user_name
Note that in this case the new group is added to user’s current supplementary groups.
4.3.4. Creating Group Directories
System administrators usually like to create a group for each major project and assign people to the group when they need to access that project’s files. With this traditional scheme, file management is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group that owns the directory.
For example, a group of people need to work on files in the /opt/myproject/
directory. Some people are trusted to modify the contents of this directory, but not everyone.
As
root
, create the/opt/myproject/
directory by typing the following at a shell prompt:mkdir /opt/myproject
Add the
myproject
group to the system:groupadd myproject
Associate the contents of the
/opt/myproject/
directory with themyproject
group:chown root:myproject /opt/myproject
Allow users in the group to create files within the directory and set the setgid bit:
chmod 2775 /opt/myproject
At this point, all members of the
myproject
group can create and edit files in the/opt/myproject/
directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:~]# ls -ld /opt/myproject drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 /opt/myproject
Add users to the
myproject
group:usermod -aG myproject username
4.3.5. Setting Default Permissions for New Files Using umask
When a process creates a file, the file has certain default permissions, for example, -rw-rw-r--
. These initial permissions are partially defined by the file mode creation mask, also called file permission mask or umask. Every process has its own umask, for example, bash has umask 0022
by default. Process umask can be changed.
What umask consists of
A umask consists of bits corresponding to standard file permissions. For example, for umask 0137
, the digits mean that:
-
0
= no meaning, it is always0
(umask does not affect special bits) -
1
= for owner permissions, the execute bit is set -
3
= for group permissions, the execute and write bits are set -
7
= for others permissions, the execute, write, and read bits are set
Umasks can be represented in binary, octal, or symbolic notation. For example, the octal representation 0137
equals symbolic representation u=rw-,g=r--,o=---
. Symbolic notation specification is the reverse of the octal notation specification: it shows the allowed permissions, not the prohibited permissions.
How umask works
Umask prohibits permissions from being set for a file:
- When a bit is set in umask, it is unset in the file.
- When a bit is not set in umask, it can be set in the file, depending on other factors.
The following figure shows how umask 0137
affects creating a new file.
Figure 4.3. Applying umask when creating a file
For security reasons, a regular file cannot have execute permissions by default. Therefore, even if umask is 0000
, which does not prohibit any permissions, a new regular file still does not have execute permissions. However, directories can be created with execute permissions:
[john@server tmp]$ umask 0000 [john@server tmp]$ touch file [john@server tmp]$ mkdir directory [john@server tmp]$ ls -lh . total 0 drwxrwxrwx. 2 john john 40 Nov 2 13:17 directory -rw-rw-rw-. 1 john john 0 Nov 2 13:17 file
4.3.5.1. Managing umask in Shells
For popular shells, such as bash
, ksh
, zsh
and tcsh
, umask is managed using the umask
shell builtin
. Processes started from shell inherit its umask.
Displaying the current mask
To show the current umask in octal notation:
~]$ umask
0022
To show the current umask in symbolic notation:
~]$ umask -S
u=rwx,g=rx,o=rx
Setting mask in shell using umask
To set umask for the current shell session using octal notation run:
~]$ umask octal_mask
Substitute octal_mask with four or less digits from 0
to 7
. When three or less digits are provided, permissions are set as if the command contained leading zeros. For example, umask 7
translates to 0007
.
Example 4.1. Setting umask Using Octal Notation
To prohibit new files from having write and execute permissions for owner and group, and from having any permissions for others:
~]$ umask 0337
Or simply:
~]$ umask 337
To set umask for the current shell session using symbolic notation:
~]$ umask -S symbolic_mask
Example 4.2. Setting umask Using Symbolic Notation
To set umask 0337
using symbolic notation:
~]$ umask -S u=r,g=r,o=
Working with the default shell umask
Shells usually have a configuration file where their default umask is set. For bash
, it is /etc/bashrc
. To show the default bash
umask:
~]$ grep -i -B 1 umask /etc/bashrc
The output shows if umask is set, either using the umask
command or the UMASK
variable. In the following example, umask is set to 022
using the umask
command:
~]$ grep -i -B 1 umask /etc/bashrc # By default, we want umask to get set. This sets it for non-login shell. -- if [ $UID -gt 199 ] && [ “id -gn” = “id -un” ]; then umask 002 else umask 022
To change the default umask for bash
, change the umask
command call or the UMASK
variable assignment in /etc/bashrc
. This example changes the default umask to 0227
:
if [ $UID -gt 199 ] && [ “id -gn” = “id -un” ]; then
umask 002
else
umask 227
Working with the default shell umask of a specific user
By default, bash
umask of a new user defaults to the one defined in /etc/bashrc
.
To change bash
umaskfor a particular user, add a call to the umask
command in $HOME/.bashrc
file of that user. For example, to change bash
umask of user john
to 0227
:
john@server ~]$ echo 'umask 227' >> /home/john/.bashrc
Setting default permissions for newly created home directories
To change permissions with which user home directories are created, change the UMASK
variable in the /etc/login.defs
file:
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
4.4. Additional Resources
For more information on how to manage users and groups on Red Hat Enterprise Linux, see the resources listed below.
Installed Documentation
For information about various utilities for managing users and groups, see the following manual pages:
-
useradd
(8) — The manual page for theuseradd
command documents how to use it to create new users. -
userdel
(8) — The manual page for theuserdel
command documents how to use it to delete users. -
usermod
(8) — The manual page for theusermod
command documents how to use it to modify users. -
groupadd
(8) — The manual page for thegroupadd
command documents how to use it to create new groups. -
groupdel
(8) — The manual page for thegroupdel
command documents how to use it to delete groups. -
groupmod
(8) — The manual page for thegroupmod
command documents how to use it to modify group membership. -
gpasswd
(1) — The manual page for thegpasswd
command documents how to manage the/etc/group
file. -
grpck
(8) — The manual page for thegrpck
command documents how to use it to verify the integrity of the/etc/group
file. -
pwck
(8) — The manual page for thepwck
command documents how to use it to verify the integrity of the/etc/passwd
and/etc/shadow
files. -
pwconv
(8) — The manual page for thepwconv
,pwunconv
,grpconv
, andgrpunconv
commands documents how to convert shadowed information for passwords and groups. -
id
(1) — The manual page for theid
command documents how to display user and group IDs. -
umask
(2) — The manual page for theumask
command documents how to work with the file mode creation mask.
For information about related configuration files, see:
-
group
(5) — The manual page for the/etc/group
file documents how to use this file to define system groups. -
passwd
(5) — The manual page for the/etc/passwd
file documents how to use this file to define user information. -
shadow
(5) — The manual page for the/etc/shadow
file documents how to use this file to set passwords and account expiration information for the system.
Online Documentation
- Red Hat Enterprise Linux 7 Security Guide — The Security Guide for Red Hat Enterprise Linux 7 provides additional information how to ensure password security and secure the workstation by enabling password aging and user account locking.
See Also
-
Chapter 6, Gaining Privileges documents how to gain administrative privileges by using the
su
andsudo
commands.