RHCSA – Adding, modifying, and deleting users

Overview

By the end of this article you should be able to answer the following questions:


01. What is the command to create a user called 'donald'?

$ useradd donald

02. What is the command to view what default settings are applied when creating a new user?

$ useradd -D

03. What is the command to view the donald user's uid+gid values along with correspoding primary+supplementary group names?

$ id donald

04. What is the command to set a password for the user 'donald'?

$ passwd donald

05. Which file stores each user's details?

/etc/passwd

06. Which file stores each user's password in hash form?

/etc/shadow

07. What is the command to edit the donald user account's comment section to 'sitting duck'?

$ usermod -c “sitting duck” donald

08. What is the command to lock donald's user account?

$ usermod -L donald

09. What is the command to delete the 'donald' user account along with their home directory and mailbox?

$ userdel -r donald


Create a new user

Creating a new user account is done by using the useradd command. Here’s the help info for this command:


$ useradd --help
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

Based on the above info, if you want to take a look at useradd’s default settings do:

$ useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

If you want to adjust these default values, then you can do so by editing the /etc/login.defs file and the /etc/default/useradd file.

These default values means that we don’t need to write a really long command to explicitly define these when creating a new user. Therefore to create a new user called Donald, we can simply do:

$ useradd donald

It’s also recommended to use the (c)omment flag (for setting a user’s name) when creating a user, e.g.

$ useradd -c “donald duck” donald

Note, for security we can’t pass in the password at this stage of creating a user. We’ll cover setting password later on. But let’s first check that the user now exist by checking the /etc/passwd file:

$ cat /etc/passwd | grep donald
donald:x:1005:1005:donald duck:/home/donald:/bin/bash

In Linux, the /etc/passwd file acts as an official register for all the machine’s user accounts. In other words, it’s the main place that stores all the information for each user that exists on the machine.

Another handy way to check whether a user exists is with the id command:

$ id donald
uid=1005(donald) gid=1005(donald) groups=1005(donald)

As you can see here, when you create a new user account, then a group (of the same) is also automatically created and the new user is automatically assigned to that group. This group is referred to as the primary group. Therefore in this example, when we created case a user called “donald” (using the useradd command), a group of the name “donald” was created automatically, and the new user account “donald” was automatically assigned to the “donald” group.

User and Group IDs

Each user account is automatically assigned with a unique id, which is referred to as user id (aka uid). Similarly, each group is assigned with it’s own unique id, which is referred to as group id (aka gid).

By default the root user’s uid and gid values are both 0 as indicated below:

$ cat /etc/passwd | grep "^root"
root:x:0:0:root:/root:/bin/bash
$ id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note, the “context” refers to SELinux Security Context, which we’ll cover later.

The uid and gids for internal RedHat “system” user accounts ranges between 1-200. Files/Folders can be owned by these accounts. Also process can be run under these accounts.

The 201-999 range is reserved for system user accounts that can run processes but don’t own any files or folders.

Primary and Supplementary Groups

Any file or folder must be owned by both a user and a group. This is why a user’s primary group is so important, when a user create’s a new file (or folder) then that user’s primary group automatically assumes group ownership of that item. That’s why a user must belong to exactly one primary group.

However users can also be added to other groups as well, and these additional groups are referred to as supplementary groups.

Set a password

If we look at the /etc/shadow file for our new user:

$ cat /etc/shadow | grep donald
donald:!!:16716:0:99999:7:::

You’ll see “!!”. This indicates that a password has not been set yet for this user. So now we set the password for our new account, using the passwd command:

$ passwd {username}

You need to run the passwd as the root user. If you are logged in as a normal user, and just want to change your current user’s password, then simply run passwd commands on it’s own:

$ passwd 

Therefore, going back to our donald user, let’s set the password:

[root@localhost ~]# passwd donald
Changing password for user donald.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#


We may get “BAD PASSWORD” warnings, but since we are logged in as root, we can ignore these error messages.

If we check the shadow file again, we’ll see that the “!!” is no longer there:

[root@localhost ~]# cat /etc/shadow | grep "donald"
donald:$6$MJmDFGEe$GR/DkhS.ARMxS9LFHwB8yK28X5B7et6d9lQiqSyEE41pgQ3t4yUZSu8lMgR0NFmzU5aOGNC5nrpsIU4NiF1hh/:16531:0:99999:7:::
[root@localhost ~]#

It is now replaced by an encrypted hash.

Note this file also stores password policy configurations, such as password expiry dates. We’ll cover this later.

Modifying a user account

To modifying an existing user account, you can simply use the usermod command:

$ usermod --help
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account

Based on this, to add/change a user account’s comment field, we do:

$ usermod -c “donald duck” donald 

Or to lock the user, we do:

$ usermod -L donald

This command ends up simply prefixing an “!” at the beginning of the hash in the /etc/shadow file:

$ cat /etc/shadow | grep donald
donald:!$6$LtEzIHPi$RTfF8d0R1lYyQVHDClyb/PFtUKdCaEXU4uCEomLql05IEVYF9.uPT1b1z6iWllXPq/q.L2Qw85lNIBFGkNvM/.:16716:0:99999:7:::

Deleting user accounts

We can delete users using the userdel. However this command doesn’t delete a user’s:

  • home directory
  • mailbox

This is a precautionary measure in case there is something valuable in the user’s home directory or mailbox. However if you want to remove them as well, then do:

$ userdel -r donald