Chapter 11. Managing users and groups
Preventing unauthorized access to files and processes requires an accurate user and group management. If you do not manage accounts centrally or you require a user account or group only on a specific system, you can create them locally on this host.
11.1. Introduction to managing user and group accounts
The control of users and groups is a core element of Red Hat Enterprise Linux (RHEL) system administration. Each RHEL user has distinct login credentials and can be assigned to various groups to customize their system privileges.
11.1.1. Introduction to users and groups
A user who creates a file is the owner of that file and the group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and those outside that group. The file owner can be changed only by the root
user. Access permissions to the file can be changed by both the root
user and the file owner. A regular user can change group ownership of a file they own to a group of which they are a member of.
Each user is associated with a unique numerical identification number called user ID (UID). Each group is associated with a group ID (GID). Users within a group share the same permissions to read, write, and execute files owned by that group.
11.1.2. Configuring reserved user and group IDs
RHEL reserves user and group IDs below 1000 for system users and groups. You can find the reserved user and group IDs in the setup
package. To view reserved user and group IDs, use:
cat /usr/share/doc/setup*/uidgid
It is recommended to assign IDs to the new users and groups starting at 5000, as the reserved range can increase in the future.
To make the IDs assigned to new users start at 5000 by default, modify the UID_MIN
and GID_MIN
parameters in the /etc/login.defs
file.
Procedure
To modify and make the IDs assigned to new users start at 5000 by default:
-
Open the
/etc/login.defs
file in an editor of your choice. Find the lines that define the minimum value for automatic UID selection.
# Min/max values for automatic uid selection in useradd # UID_MIN 1000
Modify the
UID_MIN
value to start at 5000.# Min/max values for automatic uid selection in useradd # UID_MIN 5000
Find the lines that define the minimum value for automatic GID selection.
# Min/max values for automatic gid selection in groupadd # GID_MIN 1000
Modify the
GID_MIN
value to start at 5000.# Min/max values for automatic gid selection in groupadd # GID_MIN 5000
The dynamically assigned UIDs and GIDs for the regular users now start at 5000.
NoteThe UID’s and GID’s of users and groups created before you changed the UID_MIN and GID_MIN values do not change.
This will allow new user’s group to have same 5000+ ID as UID and GID.
WarningDo not raise IDs reserved by the system above 1000 by changing
SYS_UID_MAX
to avoid conflict with systems that retain the 1000 limit.
11.1.3. User private groups
RHEL uses the user private group (UPG) system configuration, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. The user private group has the same name as the user for which it was created and that user is the only member of the user private group.
UPGs simplify the collaboration on a project between multiple users. In addition, UPG system configuration makes it safe to set default permissions for a newly created file or directory, as it allows both the user, and the group this user is a part of, to make modifications to the file or directory.
A list of all groups is stored in the /etc/group
configuration file.
11.2. Getting started with managing user accounts
Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine. Every user operates under its own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.
The following are the different types of user accounts:
Normal user accounts:
Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.
System user accounts:
System user accounts represent a particular applications identifier on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.
WarningSystem accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.
For system accounts, user IDs below 1000 are reserved. For normal accounts, you can use IDs starting at 1000. However, the recommended practice is to assign IDs starting at 5000. For assigning IDs, see the
/etc/login.defs
file.Group:
A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.
11.2.1. Managing accounts and groups using command line tools
Use the following basic command-line tools to manage user accounts and groups.
To display user and group IDs:
$ id uid=1000(example.user) gid=1000(example.user) groups=1000(example.user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To create a new user account:
# useradd example.user
To assign a new password to a user account belonging to example.user:
# passwd example.user
To add a user to a group:
# usermod -a -G example.group example.user
Additional resources
-
man useradd(8)
,man passwd(1)
, andman usermod(8)
11.3. Managing users from the command line
You can manage users and groups using the command-line interface (CLI). This enables you to add, remove, and modify users and user groups in Red Hat Enterprise Linux environment.
11.3.1. Adding a new user from the command line
You can use the useradd
utility to add a new user.
Prerequisites
-
Root
access
Procedure
To add a new user, use:
# useradd options username
Replace options with the command-line options for the
useradd
command, and replace username with the name of the user.Example 11.1. Adding a new user
To add the user
sarah
with user ID5000
, use:# useradd -u 5000 sarah
Verification
To verify the new user is added, use the
id
utility.# id sarah
The output returns:
uid=5000(sarah) gid=5000(sarah) groups=5000(sarah)
Additional resources
-
useradd
man page on your system
11.3.2. Adding a new group from the command line
You can use the groupadd
utility to add a new group.
Prerequisites
-
Root
access
Procedure
To add a new group, use:
# groupadd options group-name
Replace options with the command-line options for the
groupadd
command, and replace group-name with the name of the group.Example 11.2. Adding a new group
To add the group
sysadmins
with group ID5000
, use:# groupadd -g 5000 sysadmins
Verification
To verify the new group is added, use the
tail
utility.# tail /etc/group
The output returns:
sysadmins:x:5000:
Additional resources
-
groupadd
man page on your system
11.3.3. Adding a user to a supplementary group from the command line
You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.
Prerequisites
-
root
access
Procedure
To add a group to the supplementary groups of the user, use:
# usermod --append -G group-name username
Replace group-name with the name of the group, and replace username with the name of the user.
Example 11.3. Adding a user to a supplementary group
To add the user
sysadmin
to the groupsystem-administrators
, use:# usermod --append -G system-administrators sysadmin
Verification
To verify the new groups is added to the supplementary groups of the user
sysadmin
, use:# groups sysadmin
The output displays:
sysadmin : sysadmin system-administrators
11.3.4. Creating a group directory
Under the UPG system configuration, you can apply the set-group identification permission (setgid bit) to a directory. The setgid
bit makes managing group projects that share a directory simpler. When you apply the setgid
bit to a directory, files created within that directory are automatically assigned to a group that owns the directory. Any user that has the permission to write and execute within this group can now create, modify, and delete files in the directory.
The following section describes how to create group directories.
Prerequisites
-
Root
access
Procedure
Create a directory:
# mkdir directory-name
Replace directory-name with the name of the directory.
Create a group:
# groupadd group-name
Replace group-name with the name of the group.
Add users to the group:
# usermod --append -G group-name username
Replace group-name with the name of the group, and replace username with the name of the user.
Associate the user and group ownership of the directory with the group-name group:
# chgrp group-name directory-name
Replace group-name with the name of the group, and replace directory-name with the name of the directory.
Set the write permissions to allow the users to create and modify files and directories and set the
setgid
bit to make this permission be applied within the directory-name directory:# chmod g+rwxs directory-name
Replace directory-name with the name of the directory.
Now all members of the
group-name
group can create and edit files in thedirectory-name
directory. Newly created files retain the group ownership ofgroup-name
group.
Verification
To verify the correctness of set permissions, use:
# ls -ld directory-name
Replace directory-name with the name of the directory.
The output returns:
drwxrwsr-x. 2 root group-name 6 Nov 25 08:45 directory-name
11.3.5. Removing a user on the command line
You can remove a user account using the command line. In addition to removing the user account, you can optionally remove the user data and metadata, such as their home directory and configuration files.
Prerequisites
-
You have
root
access. - The user currently exists.
Ensure that the user is logged out:
# loginctl terminate-user user-name
Procedure
To only remove the user account, and not the user data:
# userdel user-name
To remove the user, the data, and the metadata:
Remove the user, their home directory, their mail spool, and their SELinux user mapping:
# userdel --remove --selinux-user user-name
Remove additional user metadata:
# rm -rf /var/lib/AccountsService/users/user-name
This directory stores information that the system needs about the user before the home directory is available. Depending on the system configuration, the home directory might not be available until the user authenticates at the login screen.
ImportantIf you do not remove this directory and you later recreate the same user, the recreated user will still use certain settings inherited from the removed user.
Additional resources
-
The
userdel(8)
man page on your system.
11.4. Managing user accounts in the web console
The RHEL web console provides a graphical interface for adding, editing, and removing system user accounts.
You can also set password expiration and terminate user sessions in the web console.
11.4.1. Adding new accounts by using the web console
You can add user accounts to the system and set administration rights to the accounts through the RHEL web console.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
- Click .
- Click .
In the Full Name field, enter the full name of the user.
The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.
In the Password/Confirm fields, enter the password and retype it for verification that your password is correct.
The color bar below the fields shows you the security level of the entered password, which does not allow you to create a user with a weak password.
- Click to save the settings and close the dialog box.
- Select the newly created account.
In the Groups drop-down menu, select the groups that you want to add to the new account.
Now you can see the new account in the Accounts settings and you can use its credentials to connect to the system.
11.4.2. Enforcing password expiration in the web console
By default, user accounts have set passwords to never expire. You can set system passwords to expire after a defined number of days. When the password expires, the next login attempt will prompt for a password change.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
- Log in to the RHEL 8 web console.
- Click .
- Select the user account for which you want to enforce password expiration.
Click Password line.
on the- In the Password expiration dialog box, select Require password change every … days and enter a positive whole number representing the number of days after which the password expires.
Click
.The web console immediately shows the date of the future password change request on the Password line.
11.5. Editing user groups using the command line
A user belongs to a certain set of groups that allow a logical collection of users with a similar access to files and folders. You can edit the primary and supplementary user groups from the command line to change the user’s permissions.
11.5.1. Primary and supplementary user groups
A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.
On Linux, user groups can act as primary or supplementary. Primary and supplementary groups have the following properties:
- Primary group
- Every user has just one primary group at all times.
- You can change the user’s primary group.
- Supplementary groups
- You can add an existing user to an existing supplementary group to manage users with the same security and access privileges within the group.
- Users can be members of zero or multiple supplementary groups.
11.5.2. Listing the primary and supplementary groups of a user
You can list the groups of users to see which primary and supplementary groups they belong to.
Procedure
Display the names of the primary and any supplementary group of a user:
$ groups user-name
Replace user-name with the name of the user. If you do not provide a user name, the command displays the group membership for the current user. The first group is the primary group followed by the optional supplementary groups.
Example 11.4. Listing of groups for user sarah:
$ groups sarah
The output displays:
sarah : sarah wheel developer
User
sarah
has a primary groupsarah
and is a member of supplementary groupswheel
anddeveloper
.Example 11.5. Listing of groups for user marc:
$ groups marc
The output displays:
marc : marc
User
marc
has only a primary groupmarc
and no supplementary groups.
11.5.3. Changing the primary group of a user
You can change the primary group of an existing user to a new group.
Prerequisites:
-
root
access - The new group must exist
Procedure
Change the primary group of a user:
# usermod -g group-name user-name
Replace group-name with the name of the new primary group, and replace user-name with the name of the user.
NoteWhen you change a user’s primary group, the command also automatically changes the group ownership of all files in the user’s home directory to the new primary group. You must fix the group ownership of files outside of the user’s home directory manually.
Example 11.6. Example of changing the primary group of a user:
If the user
sarah
belongs to the primary groupsarah1
, and you want to change the primary group of the user tosarah2
, use:# usermod -g sarah2 sarah
Verification
Verify that you changed the primary group of the user:
$ groups sarah
The output displays:
sarah : sarah2
11.5.4. Adding a user to a supplementary group from the command line
You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.
Prerequisites
-
root
access
Procedure
To add a group to the supplementary groups of the user, use:
# usermod --append -G group-name username
Replace group-name with the name of the group, and replace username with the name of the user.
Example 11.7. Adding a user to a supplementary group
To add the user
sysadmin
to the groupsystem-administrators
, use:# usermod --append -G system-administrators sysadmin
Verification
To verify the new groups is added to the supplementary groups of the user
sysadmin
, use:# groups sysadmin
The output displays:
sysadmin : sysadmin system-administrators
11.5.5. Removing a user from a supplementary group
You can remove an existing user from a supplementary group to limit their permissions or access to files and devices.
Prerequisites
-
root
access
Procedure
Remove a user from a supplementary group:
# gpasswd -d user-name group-name
Replace user-name with the name of the user, and replace group-name with the name of the supplementary group.
Example 11.8. Removing user from a supplementary group
If the user sarah has a primary group
sarah2
, and belongs to the secondary groupswheel
anddevelopers
, and you want to remove that user from the groupdevelopers
, use:# gpasswd -d sarah developers
Verification
Verify that you removed the user sarah from the secondary group developers:
$ groups sarah
The output displays:
sarah : sarah2 wheel
11.5.6. Changing all of the supplementary groups of a user
You can overwrite the list of supplementary groups that you want the user to remain a member of.
Prerequisites
-
root
access - The supplementary groups must exist
Procedure
Overwrite a list of user’s supplementary groups:
# usermod -G group-names username
Replace group-names with the name of one or more supplementary groups. To add the user to several supplementary groups at once, separate the group names using commas and no intervening spaces. For example:
wheel,developer
.Replace user-name with the name of the user.
ImportantIf the user is currently a member of a group that you do not specify, the command removes the user from the group.
Example 11.9. Changing the list of supplementary groups of a user
If the user
sarah
has a primary groupsarah2
, and belongs to the supplementary groupwheel
, and you want the user to belong to three more supplementary groupsdeveloper
,sysadmin
, andsecurity
, use:# usermod -G wheel,developer,sysadmin,security sarah
Verification
Verify that you set the list of the supplementary groups correct:
# groups sarah
The output displays:
sarah : sarah2 wheel developer sysadmin security
11.6. Changing and resetting the root password
If the existing root password is no longer satisfactory or is forgotten, you can change or reset it both as the root
user and a non-root user.
11.6.1. Changing the root password as the root user
You can use the passwd
command to change the root
password as the root
user.
Prerequisites
-
Root
access
Procedure
To change the
root
password, use:# passwd
You are prompted to enter your current password before you can change it.
11.6.2. Changing or resetting the forgotten root password as a non-root user
You can use the passwd
command to change or reset the forgotten root
password as a non-root user.
Prerequisites
- You are able to log in as a non-root user.
-
You are a member of the administrative
wheel
group.
Procedure
To change or reset the
root
password as a non-root user that belongs to thewheel
group, use:$ sudo passwd root
You are prompted to enter your current non-root password before you can change the
root
password.
11.6.3. Resetting the root password on boot
If you are unable to log in as a non-root user or do not belong to the administrative wheel
group, you can reset the root password on boot by switching into a specialized chroot jail
environment.
Procedure
Reboot the system and, on the GRUB 2 boot screen, press the
key to interrupt the boot process.The kernel boot parameters appear.
load_video set gfx_payload=keep insmod gzio linux ($root)/vmlinuz-4.18.0-80.e18.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet initrd ($root)/initramfs-4.18.0-80.e18.x86_64.img $tuned_initrd
Go to the end of the line that starts with linux.
linux ($root)/vmlinuz-4.18.0-80.e18.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet
Press
to jump to the end of the line.Add
rd.break
to the end of the line that starts withlinux
.linux ($root)/vmlinuz-4.18.0-80.e18.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet rd.break
Press
to start the system with the changed parameters.The
switch_root
prompt appears.Remount the file system as writable:
mount -o remount,rw /sysroot
The file system is mounted as read-only in the
/sysroot
directory. Remounting the file system as writable allows you to change the password.Enter the
chroot
environment:chroot /sysroot
The
sh-4.4#
prompt appears.Reset the
root
password:passwd
Follow the instructions displayed by the command line to finalize the change of the
root
password.Enable the SELinux relabeling process on the next system boot:
touch /.autorelabel
Exit the
chroot
environment:exit
Exit the
switch_root
prompt:exit
- Wait until the SELinux relabeling process is finished. Note that relabeling a large disk might take a long time. The system reboots automatically when the process is complete.
Verification
-
To verify that the
root
password is successfully changed, log in as a normal user and open the Terminal. Run the interactive shell as root:
$ su
-
Enter your new
root
password. Print the user name associated with the current effective user ID:
# whoami
The output returns:
root