Overview
By the end of this article you should be able to answer the following questions:
$ useradd donald
$ useradd -D
$ id donald
$ passwd donald
/etc/passwd
/etc/shadow
$ usermod -c "sitting duck" donald
$ usermod -L donald
$ userdel -r donald
Create a new user
Creating a new user account is done by using the useradd command. Here's the help info for this command:
$ useradd --help
Usage: useradd [options] LOGIN
useradd -D
useradd -D [options]
Options:
-b, --base-dir BASE_DIR base directory for the home directory of the
new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new
account
-G, --groups GROUPS list of supplementary groups of the new
account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and
faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as
the user
-o, --non-unique allow to create users with duplicate
(non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
Based on the above info, if you want to take a look at useradd's default settings do:
$ useradd -D GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel CREATE_MAIL_SPOOL=yes
If you want to adjust these default values, then you can do so by editing the /etc/login.defs file and the /etc/default/useradd file.
These default values means that we don't need to write a really long command to explicitly define these when creating a new user. Therefore to create a new user called Donald, we can simply do:
$ useradd donald
It's also recommended to use the (c)omment flag (for setting a user's name) when creating a user, e.g.
$ useradd -c “donald duck” donald
Note, for security we can't pass in the password at this stage of creating a user. We'll cover setting password later on. But let's first check that the user now exist by checking the /etc/passwd file:
$ cat /etc/passwd | grep donald donald:x:1005:1005:donald duck:/home/donald:/bin/bash
In Linux, the /etc/passwd file acts as an official register for all the machine's user accounts. In other words, it's the main place that stores all the information for each user that exists on the machine.
Another handy way to check whether a user exists is with the id command:
$ id donald uid=1005(donald) gid=1005(donald) groups=1005(donald)
As you can see here, when you create a new user account, then a group (of the same) is also automatically created and the new user is automatically assigned to that group. This group is referred to as the primary group. Therefore in this example, when we created case a user called "donald" (using the useradd command), a group of the name "donald" was created automatically, and the new user account "donald" was automatically assigned to the "donald" group.
User and Group IDs
Each user account is automatically assigned with a unique id, which is referred to as user id (aka uid). Similarly, each group is assigned with it's own unique id, which is referred to as group id (aka gid).
By default the root user's uid and gid values are both 0 as indicated below:
$ cat /etc/passwd | grep "^root" root:x:0:0:root:/root:/bin/bash $ id uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Note, the "context" refers to SELinux Security Context, which we'll cover later.
The uid and gids for internal RedHat "system" user accounts ranges between 1-200. Files/Folders can be owned by these accounts. Also process can be run under these accounts.
The 201-999 range is reserved for system user accounts that can run processes but don't own any files or folders.
Primary and Supplementary Groups
Any file or folder must be owned by both a user and a group. This is why a user's primary group is so important, when a user create's a new file (or folder) then that user's primary group automatically assumes group ownership of that item. That's why a user must belong to exactly one primary group.
However users can also be added to other groups as well, and these additional groups are referred to as supplementary groups.
Set a password
If we look at the /etc/shadow file for our new user:
$ cat /etc/shadow | grep donald donald:!!:16716:0:99999:7:::
You'll see "!!". This indicates that a password has not been set yet for this user. So now we set the password for our new account, using the passwd command:
$ passwd {username}
You need to run the passwd as the root user. If you are logged in as a normal user, and just want to change your current user's password, then simply run passwd commands on it's own:
$ passwd
Therefore, going back to our donald user, let's set the password:
[root@localhost ~]# passwd donald Changing password for user donald. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. [root@localhost ~]#
We may get "BAD PASSWORD" warnings, but since we are logged in as root, we can ignore these error messages.
If we check the shadow file again, we'll see that the "!!" is no longer there:
[root@localhost ~]# cat /etc/shadow | grep "donald" donald:$6$MJmDFGEe$GR/DkhS.ARMxS9LFHwB8yK28X5B7et6d9lQiqSyEE41pgQ3t4yUZSu8lMgR0NFmzU5aOGNC5nrpsIU4NiF1hh/:16531:0:99999:7::: [root@localhost ~]#
It is now replaced by an encrypted hash.
Note this file also stores password policy configurations, such as password expiry dates. We'll cover this later.
Modifying a user account
To modifying an existing user account, you can simply use the usermod command:
$ usermod --help
Usage: usermod [options] LOGIN
Options:
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
-G, --groups GROUPS new list of supplementary GROUPS
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
him/her from other groups
-h, --help display this help message and exit
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-R, --root CHROOT_DIR directory to chroot into
-s, --shell SHELL new login shell for the user account
-u, --uid UID new UID for the user account
-U, --unlock unlock the user account
-Z, --selinux-user SEUSER new SELinux user mapping for the user account
Based on this, to add/change a user account's comment field, we do:
$ usermod -c “donald duck” donald
Or to lock the user, we do:
$ usermod -L donald
This command ends up simply prefixing an "!" at the beginning of the hash in the /etc/shadow file:
$ cat /etc/shadow | grep donald donald:!$6$LtEzIHPi$RTfF8d0R1lYyQVHDClyb/PFtUKdCaEXU4uCEomLql05IEVYF9.uPT1b1z6iWllXPq/q.L2Qw85lNIBFGkNvM/.:16716:0:99999:7:::
Deleting user accounts
We can delete users using the userdel. However this command doesn't delete a user’s:
- home directory
- mailbox
This is a precautionary measure in case there is something valuable in the user’s home directory or mailbox. However if you want to remove them as well, then do:
$ userdel -r donald