Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 7. Managing users and groups

Preventing unauthorized access to files and processes requires accurate user and group management. If you do not manage accounts centrally or you require a user account or group only on a specific system, you can create them locally on a host.

The control of users and groups is a core element of Red Hat Enterprise Linux (RHEL) system administration. Each RHEL user has distinct login credentials and can be assigned to various groups to customize their system privileges.

7.1.1. Introduction to users and groups
Copy link

A user who creates a file is the owner of that file and the group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and those outside that group. The file owner can be changed only by the root user. Access permissions to the file can be changed by both the root user and the file owner. A regular user can change group ownership of a file they own to a group of which they are a member of.

Each user is associated with a unique numerical identification number called user ID (UID). Each group is associated with a group ID (GID). Users within a group share the same permissions to read, write, and execute files owned by that group.

7.1.2. Configuring reserved user and group IDs
Copy link

By default, RHEL reserves user and group IDs below 1000 for system users and groups. You can find the reserved user and group IDs in the setup package. The UID’s and GID’s of users and groups created before you changed the UID_MIN and GID_MIN values do not change. The reserved user and group IDs are documented in the: 

/usr/share/doc/setup/uidgid

To assign IDs to the new users and groups starting at 5000, as the reserved range can increase in the future.

Modify the UID_MIN and GID_MIN parameters in the /etc/login.defs file to define a start ID other than the defaults (1000).

Warning

Do not raise IDs reserved by the system above 1000 by changing SYS_UID_MAX to avoid conflict with systems that retain the 1000 limit.

Procedure

  1. Open the /etc/login.defs file in an editor.

  2. Set the UID_MIN variable, for example: 

    # Min/max values for automatic uid selection in useradd
#
UID_MIN                  5000

  3. Set the GID_MIN variable, for example: 

    # Min/max values for automatic gid selection in groupadd
#
GID_MIN                  5000

    The dynamically assigned UIDs and GIDs for the regular users now start at 5000.

7.1.3. User private groups
Copy link

RHEL uses the user private group (UPG) system configuration, which makes Linux groups easier to manage. A user private group is created whenever a new user is added to the system. The user private group has the same name as the user for which it was created and that user is the only member of the user private group.

UPGs simplify the collaboration on a project between multiple users. In addition, UPG system configuration makes it safe to set default permissions for a newly created file or directory, as it allows both the user, and the group this user is a part of, to make modifications to the file or directory.

A list of all local groups is stored in the /etc/group configuration file.

7.2. Getting started with managing user accounts
Copy link

Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine. Every user operates under its own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.

The following are the different types of user accounts:

  • Normal user accounts:

    Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.

  • System user accounts:

    System user accounts represent a particular applications identifier on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.

    Warning

    System accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.

    For system accounts, user IDs below 1000 are reserved. For normal accounts, you can use IDs starting at 1000. To define the min/max IDs for users and groups, system users and system groups, see the /etc/login.defs file.

  • Group:

    A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

Use the following basic command-line tools to manage user accounts and groups.

Procedure

  • Create a new user account: 

    # useradd example.user

  • Assign a new password to a user account belonging to example.user: 

    # passwd example.user

  • Add a user to a group: 

    # usermod -a -G example.group example.user

7.3. Managing users from the command line
Copy link

You can manage users and groups using the command-line interface (CLI). This enables you to add, remove, and modify users and user groups in Red Hat Enterprise Linux environment.

7.3.1. Adding a new user from the command line
Copy link

You can use the useradd utility to add a new user.

Prerequisites

  • You have Root access

Procedure

  • Add a new user, use: 

    # useradd <options> <username>

    Replace options with the command-line options for the useradd command, and replace username with the name of the user.

    Example 7.1. Adding a new user

    To add the user sarah with user ID 5000, use: 

    # useradd -u 5000 sarah

Verification

  • To verify the new user is added, use the id utility. 

    # id sarah

    The command returns: 

    uid=5000(sarah) gid=5000(sarah) groups=5000(sarah)

7.3.2. Adding a new group from the command line
Copy link

You can use the groupadd utility to add a new group.

Prerequisites

  • You have Root access

Procedure

  • To add a new group, use: 

    # groupadd options group-name

    Replace options with the command-line options for the groupadd command, and replace group-name with the name of the group.

    Example 7.2. Adding a new group

    To add the group sysadmins with group ID 5000, use: 

    # groupadd -g 5000 sysadmins

Verification

  • To verify the new group is added, use the tail utility. 

    # getent group sysadmin

    The command returns: 

    sysadmins:x:5000:

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

  • You have root access

Procedure

  • To add a group to the supplementary groups of the user, use: 

    # usermod --append -G <group_name> <username>

Verification

  • To verify the new groups is added to the supplementary groups of the user sysadmin, use: 

    # groups <username>

7.3.4. Creating a group directory
Copy link

Under the UPG system configuration, you can apply the set-group identification permission (setgid bit) to a directory. The setgid bit makes managing group projects that share a directory simpler. When you apply the setgid bit to a directory, files created within that directory are automatically assigned to a group that owns the directory. Any user that has the permission to write and execute within this group can now create, modify, and delete files in the directory.

Prerequisites

  • You have Root access

Procedure

  1. Create a directory: 

    # mkdir <directory-name>

  2. Create a group: 

    # groupadd <group-name>

  3. Add users to the group: 

    # usermod --append -G <group_name> <username>

  4. Associate the user and group ownership of the directory with the group-name group: 

    # chgrp <group_name> <directory>

  5. Set the write permissions to allow the users to create and modify files and directories and set the setgid bit to make this permission be applied within the directory: 

    # chmod g+rwxs <directory>

Verification

  • To verify the correctness of set permissions, use: 

    # ls -ld <directory>

    The command returns: 

    *drwx__rws__r-x.* 2 root _group-name_ 6 Nov 25 08:45 _directory-name_

7.3.5. Removing a user on the command line
Copy link

You can remove a user account by using the command line. In addition, below mentioned are the commands to remove the user account, and optionally remove the user data and metadata, such as their home directory and configuration files.

  • You have root access.
  • The user currently exists.

  • Ensure that the user is logged out: 

    # loginctl terminate-user user-name

  • To only remove the user account, and not the user data: 

    # userdel user-name

  • To remove the user, the data, and the metadata:

    1. Remove the user, their home directory, their mail spool, and their SELinux user mapping: 

      # userdel --remove --selinux-user user-name

    2. Remove additional user metadata: 

      # rm -rf /var/lib/AccountsService/users/user-name

      This directory stores information that the system needs about the user before the home directory is available. Depending on the system configuration, the home directory might not be available until the user authenticates at the login screen.

      Important

      If you do not remove this directory and you later recreate the same user, the recreated user will still use certain settings inherited from the removed user.

7.4. Managing user accounts in the web console
Copy link

The RHEL web console provides a graphical interface for adding, editing, and removing system user accounts.

You can also set password expiration and terminate user sessions in the web console.

You can add user accounts to the system and set administration rights to the accounts through the RHEL web console.

Prerequisites

  • You have installed the RHEL 9 web console.
  • You have enabled the cockpit service.

  • Your user account is allowed to log in to the web console.

    For instructions, see Installing and enabling the web console.

Procedure

  1. Log in to the RHEL 9 web console.

    For details, see Logging in to the web console.

  2. Click Accounts.
  3. Click Create New Account.

  4. In the Full Name field, enter the full name of the user.

    The web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention, which consists of the first letter of the first name and the entire surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it for verification that your password is correct.

    The color bar below the fields indicates the security level of the entered password, which prevents you from creating a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. In the Groups drop-down menu, select the groups that you want to add to the new account.

Verification

  • You can view the new account in the Accounts settings and use its credentials to connect to the system.

By default, user accounts have set passwords to never expire. You can set system passwords to expire after a defined number of days. When the password expires, the user must change its password at the next login attempt before the user can access the system.

Prerequisites

  • You have installed the RHEL 9 web console.
  • You have enabled the cockpit service.

  • Your user account is allowed to log in to the web console.

    For instructions, see Installing and enabling the web console.

Procedure

  1. Log in to the RHEL 9 web console.
  2. Click Accounts.
  3. Select the user account for which you want to enforce password expiration.

  4. Click edit on the Password line.

    cockpit edit password change
  5. In the Password expiration dialog box, select Require password change every …​ days and enter a positive whole number representing the number of days after which the password expires.

  6. Click Change.

    The web console immediately shows the date of the future password change request on the Password line.

7.5. Editing user groups using the command line
Copy link

A user belongs to a certain set of groups that allow a logical collection of users with a similar access to files and folders. You can edit the primary and supplementary user groups from the command line to change the user’s permissions.

7.5.1. Primary and supplementary user groups
Copy link

A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

On RHEL, user groups can act as primary or supplementary. Primary and supplementary groups have the following properties:

Primary group
  • Every user has just one primary group at all times.
  • You can change the user’s primary group.
Supplementary groups
  • You can add an existing user to an existing supplementary group to manage users with the same security and access privileges within the group.
  • Users can be members of zero, one, or multiple supplementary groups.

You can list the groups of users to see which primary and supplementary groups they belong to.

Procedure

  • Display the names of the primary and any supplementary group of a user: 

    $ groups user-name

    If you do not provide a user name, the command displays the group membership for the current user. The first group is the primary group followed by the optional supplementary groups.

    Example 7.3. Listing of groups for user sarah:

    $ groups sarah

    The output displays: 

    sarah : sarah wheel developer

    User sarah has a primary group sarah and is a member of supplementary groups wheel and developer.

7.5.3. Changing the primary group of a user
Copy link

You can change the primary group of an existing user to a new group.

Prerequisites

  1. root access
  2. The new group must exist

Procedure

  • Change the primary group of a user: 

    # usermod -g <group-name> <user-name>
    Note

    When you change a user’s primary group, the command also automatically changes the group ownership of all files in the user’s home directory to the new primary group. You must fix the group ownership of files outside of the user’s home directory manually.

  • Verify that you changed the primary group of the user: 

    $ groups <username>

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

  • You have root access

Procedure

  • To add a group to the supplementary groups of the user, use: 

    # usermod --append -G <group_name> <username>

Verification

  • To verify the new groups is added to the supplementary groups of the user sysadmin, use: 

    # groups <username>

7.5.5. Removing a user from a supplementary group
Copy link

You can remove an existing user from a supplementary group to limit their permissions or access to files and devices.

Prerequisites

  • You have root access

Procedure

  • Remove a user from a supplementary group: 

    # gpasswd -d <user-name> <group-name>

Verification

  • Verify that you removed the user sarah from the secondary group developers: 

    $ groups <username>

You can overwrite the list of supplementary groups that you want the user to remain a member of.

Prerequisites

  • You have root access.
  • The supplementary groups must exist.

Procedure

  • Overwrite a list of user’s supplementary groups: 

    # usermod -G <group-names> <username>

    To add the user to several supplementary groups at once, separate the group names using commas and no intervening spaces. For example: wheel,developer.

    Important

    If the user is currently a member of a group that you do not specify, the command removes the user from the group.

Verification

  • Verify that you set the list of the supplementary groups correct: 

    # groups <username>

7.6. Changing and resetting the root password
Copy link

If the existing root password is no longer satisfactory, you can change it both as the root user and a non-root user.

7.6.1. Changing the root password as the root user
Copy link

You can use the passwd command to change the root password as the root user.

Prerequisites

  • You have Root access

Procedure

  • To change the root password, use: 

    # passwd

    You are prompted to enter your current password before you can change it.

You can use the passwd command to change or reset the forgotten root password as a non-root user.

Prerequisites

  • You are able to log in as a non-root user.
  • You have permissions to execute commands as root by using sudo.

Procedure

  • To change or reset the root password as a non-root user that belongs to the wheel group, use: 

    $ sudo passwd root

    You are prompted to enter your current non-root password before you can change the root password.

7.6.3. Resetting the root password
Copy link

If you are unable to log in as root user and have no non-root user with sudo permissions, you can reset the root password or do not belong to the administrative wheel group, you can reset the root password by booting the system into the special mode. In this mode, the boot process stops before the system hands over the control from the initramfs to the actual system.

Procedure

  1. Reboot the system and, on the GRUB boot screen, press the e key to interrupt the boot process.

    The kernel boot parameters appear. 

    load_video
set gfx_payload=keep
insmod gzio
linux ($root)/vmlinuz-5.14.0-70.22.1.e19_0.x86_64 root=/dev/mapper/rhel-root ro crash\
kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet
initrd ($root)/initramfs-5.14.0-70.22.1.e19_0.x86_64.img $tuned_initrd
  2. Set the cursor to the end of the line that starts with linux.
  3. Append rd.break to the end of the line that starts with linux.

  4. Press Ctrl+x to start the system with the changed parameters.

    The switch_root prompt appears.

  5. Remount the file system as writable: 

    # mount -o remount,rw /sysroot

    By default, the file system is mounted as read-only in the /sysroot directory. Remounting the file system as writable allows you to change the password.

  6. Enter the chroot environment: 

    # chroot /sysroot

  7. Reset the root password: 

    # passwd

    Follow the instructions displayed by the command line to finalize the change of the root password.

  8. Enable the SELinux relabeling process on the next system boot: 

    # touch /.autorelabel

  9. Exit the chroot environment: 

    # exit

  10. Exit the switch_root prompt, to reboot the system: 

    exit
  11. Wait until the SELinux relabeling process is finished. Note that relabeling a large disk can take a long time. The system reboots automatically when the process is complete.

Verification

  1. Log in as the root user by using the new root password.

  2. Optional: Display the user name associated with the current effective user ID: 

    # whoami
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top