Managing Users and Groups

• GOAL
• Create, manage, and delete local users and groups and administer local password
policies.
• OBJECTIVES
• Describe the purpose of users and groups on a Linux system.
• Switch to the superuser account to manage a Linux system, and grant other users
superuser access using the sudo command.
• Create, modify, and delete locally defined user accounts.
• Create, modify, and delete locally defined group accounts.
• Set a password management policy for users, and manually lock and unlock user
accounts.
• SECTIONS
• Describing Users and Groups Concepts (and Quiz)
• Gaining Superuser Access (and Guided Exercise)
• Managing Local User Accounts (and Guided Exercise)
• Managing Local Group Accounts (and Guided Exercise)
• Managing User Passwords (and Guided Exercise)
• LAB
user
• Users have user names to identify them to human users and make them easier to
work with.
• Internally, the system distinguishes user accounts by the unique identification
number assigned to
• them, the user ID or UID. If a user account is used by humans, it will generally be
assigned a secret password that the user will use to prove that they are the actual
authorized user when logging in.
• User accounts are fundamental to system security. Every process (running program)
on the system runs as a particular user. Every file has a particular user as its owner.
• File ownership helps the system enforce access control for users of the files. The
user associated with a running process determines the files and directories
accessible to that process.
User types
• There are three main types of user account: the superuser, system
users, and regular users.
• The superuser account is for administration of the system. The name of the
superuser is root and the account has UID 0. The superuser has full access to
the system.
• The system has system user accounts which are used by processes that provide
supporting services. These processes, or daemons, usually do not need to run
as the superuser. They are assiged non-privileged accounts that allow them to
secure their files and other resources from each other and from regular users
on the system. Users do not interactively log in using a system user account.
• Most users have regular user accounts which they use for their day-to-day
work. Like system users, regular users have limited access to the system.
User id
• You can use the id command to show information about the currently
logged-in user.

• To view basic information about another user, pass the username to

the id command as an argument.
Files owned by user
• To view the owner of a file use the ls -l command. To view the owner
of a directory use the ls -ld command. In the following output, the
third column shows the username.
Processes owned by users
• To view process information, use the ps command. The default is to
show only processes in the current shell. Add the a option to view all
processes with a terminal. To view the user associated with a process,
include the u option. In the following output, the first column shows
the username.
User info
• By default, systems use the /etc/passwd file to store information
about local users. Each line in the /etc/passwd file contains
information about one user. It is divided up into seven colon-
separated fields. Here is an example of a line from /etc/passwd:
WHAT IS A GROUP?
• A group is a collection of users that need to share access to files and
other system resources.
• Groups can be used to grant access to files to a set of users instead of
just a single user.
• Like users, groups have group names to make them easier to work
with. Internally, the system distinguishes groups by the unique
identification number assigned to them, the group ID or GID.
• The mapping of group names to GIDs is defined in databases of group
account information. By default, systems use the /etc/group file to
store information about local groups.
Group info
• Each line in the /etc/group file contains information about one group.
Each group entry is divided into four colon-separated fields. Here is an
example of a line from /etc/group:
• Every user has exactly one primary group. For local users, this is the
group listed by GID number in the /etc/passwd file. By default, this is
the group that will own new files created by the user.
• Normally, when you create a new regular user, a new group with the
same name as that user is created. That group is used as the primary
group for the new user
• Users may also have supplementary groups. Membership in
supplementary groups is determined by the /etc/group file. Users are
granted access to files based on whether any of their groups have
access.
• Users may also have supplementary groups. Membership in
supplementary groups is determined by the /etc/group file. Users are
granted access to files based on whether any of their groups have access.

• In the preceding example, user03 has the group user03 as their primary
group (gid). The groups item lists all groups for this user, and other than
the primary group user03, the user has groups wheel and group01 as
supplementary groups.
QUIZ
1. Which item represents a number that identifies the user at the most fundamental level?
a. primary user
b. UID
c. GID
d. username
2. Which item represents the program that provides the user's command-line prompt?
a. primary shell
b. home directory
c. login shell
d. command name
3. Which item or file represents the location of the local group information?
a. home directory
b. /etc/passwd
c. /etc/GID
d. /etc/group
QUIZ
4. Which item or file represents the location of the user's personal files?
a. home directory
b. login shell
c. /etc/passwd
d. /etc/group
5. Which item represents a number that identifies the group at the most fundamental level?
a. primary group
b. UID
c. GID
d. groupid
6. Which item or file represents the location of the local user account information?
a. home directory
b. /etc/passwd
c. /etc/UID
d. /etc/group
QUIZ
7. What is the fourth field of the /etc/passwd file?
a. home directory
b. UID
c. login shell
d. primary group
QUIZ
1. Which item represents a number that identifies the user at the most fundamental level?
a. primary user
b. UID
c. GID
d. username
2. Which item represents the program that provides the user's command-line prompt?
a. primary shell
b. home directory
c. login shell
d. command name
3. Which item or file represents the location of the local group information?
a. home directory
b. /etc/passwd
c. /etc/GID
d. /etc/group
QUIZ
4. Which item or file represents the location of the user's personal files?
a. home directory
b. login shell
c. /etc/passwd
d. /etc/group
5. Which item represents a number that identifies the group at the most fundamental level?
a. primary group
b. UID
c. GID
d. groupid
6. Which item or file represents the location of the local user account information?
a. home directory
b. /etc/passwd
c. /etc/UID
d. /etc/group
QUIZ
7. What is the fourth field of the /etc/passwd file?
a. home directory
b. UID
c. login shell
d. primary group
THE SUPERUSER
• In Red Hat Enterprise Linux this is the root user. This user has the power to
override normal privileges on the file system, and is used to manage and
administer the system. To perform tasks
• such as installing or removing software and to manage system files and
directories, users must escalate their privileges to the root user.
• This unlimited privilege, however, comes with responsibility. The root user has
unlimited power to damage the system: remove files and directories, remove
user accounts, add back doors, and so on. If the root user's account is
compromised, someone else would have administrative control of the system.
• Administrators are encouraged to log in as a normal user and escalate privileges
to root only when needed. (su, sudo, or PolicyKit, for example) to temporarily
gain superuser privileges.
SWITCHING USERS
• The su command allows users to switch to a different user account. If
you run su from a regular user account, you will be prompted for the
password of the account to which you want to switch.
• When root runs su, you do not need to enter the user's password.

• If you omit the user name, the su or su - command attempts to switch

to root by default.
sudo
• Unlike su, users who use sudo to run commands as root do not need
to know the root password. Instead, they use their own passwords to
authenticate access.
• Additionally, sudo can be configured to allow specific users to run any
command as some other user, or only some commands as that user.
• For example, when sudo is configured to allow the user01 user to run
the command usermod as root, user01 could run the following
command to lock or unlock a user account:
• One additional benefit to using sudo is that all commands executed are
logged by default to /var/log/secure.

• In Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8, all
members of the wheel group can use sudo to run commands as any
user, including root. The user is prompted for their ownpassword.
Configuring Sudo
• The main configuration file for sudo is /etc/sudoers. To avoid problems if
multiple administrators try to edit it at the same time, it should only be
edited with the special visudo command.
• For example, the following line from the /etc/sudoers file enables sudo
access for members of group wheel.

• In this line, %wheel is the user or group to whom the rule applies. A %
specifies that this is a group, group wheel. The ALL=(ALL) specifies that on
any host that might have this file, wheel can run any command. The final ALL
specifies that wheel can run those commands as any user on the system.
Sudo config
• By default, /etc/sudoers also includes the contents of any files in the /etc/sudoers.d
directory as part of the configuration file. This allows an administrator to add sudo access for
a user simply by putting an appropriate file in that directory.
• To enable full sudo access for the user user01, you could create /etc/sudoers.d/user01 with
the following content:

To enable full sudo access for the group group01, you could create /etc/sudoers.d/group01
with the following content:

• It is also possible to set up sudo to allow a user to run commands as another user without
enteringtheir password:
excercise
MANAGING LOCAL USERS
• The useradd username command creates a new user named
username.
• The useradd --help command displays the basic options that can be
used to override the defaults
Deleting Users
• • The userdel username command removes the details of username
from /etc/passwd, but leaves the user's home directory intact.
• • The userdel -r username command removes the details of
username from /etc/passwd and also deletes the user's home
directory.
Create new user
• In Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8, the
useradd command assigns new users the first free UID greater than or
equal to 1000, unless you explicitly specify one using the -u option.
Setting Passwords
• The passwd username command sets the initial password or changes
the existing password of username.
• The root user can set a password to any value. A message is displayed
if the password does not meet the minimum recommended criteria,
but is followed by a prompt to retype the new password and all
tokens are updated successfully.
excercise
MANAGING LOCAL GROUPS
• Creating Groups from the Command Line
• The groupadd command creates groups. Without options the groupadd
command uses the next available GID from the range specified in the
/etc/login.defs file while creating the groups.
• The -g option specifies a particular GID for the group to use
• The -r option creates a system group using a GID from the range of
valid system GIDs listed in the /etc/login.defs file. The SYS_GID_MIN
and SYS_GID_MAX configuration items in /etc/login.defs define the
range of system GIDs.
Modify group
• The groupmod command changes the properties of an existing group.
The -n option specifies a new name for the group.

• Notice that the group name is updated to group0022 from group02.

• The -g option specifies a new GID.
Deleting Groups
• The groupdel command removes groups.

• Changing Group Membership from the Command Line

• • The membership of a group is controlled with user management.
Use the usermod –g command to change a user's primary group.
Add user to group
• Use the usermod -aG command to add a user to a supplementary
group.

• IMPORTANT
• The use of the -a option makes usermod function in append mode. Without -
a, the user will be removed from any of their current supplementary groups
that are notincluded in the -G option's list.
excercise
MANAGING USER PASSWORDS
• Like /etc/passwd, each user has a line in the /etc/shadow file. A
sample line from /etc/shadow with its nine colon-separated fields is
shown below.
Password Verification

• When a user tries to log in, the system looks up the entry for the user
in /etc/shadow,
Password policy
• chage command to implement a password aging policy

• The preceding chage command uses the -m, -M, -W, and -I options to set the
minimum age, maximum age, warning period, and inactivity period of the
user's password, respectively.
• The chage -d 0 user03 command forces the user03 user to update its
password on the next login.
• The chage -l user03 command displays the password aging details of user03.
• The chage -E 2019-08-05 user03 command causes the user03 user's account
to expire on 2019-08-05 (in YYYY-MM-DD format).
Password policy
• Edit the password aging configuration items in the /etc/login.defs file
to set the default password aging policies. The PASS_MAX_DAYS sets
the default maximum age of the password.
• The PASS_MIN_DAYS sets the default minimum age of the password.
The PASS_WARN_AGE sets the default warning period of the
password. Any change in the default password aging policies will be
effective for new users only. The existing users will continue to use the
old password aging settings rather than the new ones.
RESTRICTING ACCESS
• The usermod command can lock an account with the -L option.

• The preceding usermod command uses the -e option to set the account expiry date
for the given user account. The -L option locks the user's password.
• the account can later be unlocked with usermod -U. If the account was also
expired, be sure to also change the expiration date.
RESTRICTING ACCESS
• set the user's login shell to /sbin/nologin. If the user attempts to log in to the
system directly, the nologin shell closes the connection.

• The nologin shell acts as a replacement shell for the user accounts not
intended to interactively log into the system. It is wise from the security
standpoint to disable the user account from logging into the system when
the user acount serves a responsibility that does not require the user to log
into the system.
excercise