
Administering Users and Groups

Fedora Core and RHEL systems give us features to add, modify, and delete user accounts and to use Sudo to give normal users root capabilities on a limited and monitored basis.

Fedora Core and RHEL systems also let you implement user and group file system quotas to control and monitor disk space usage.

Administering User Accounts
Administering user and group accounts is a fundamental Linux system administration activity. Ordinarily, most people understand user accounts as accounts tied to a particular physical user.
Fedora Core or RHEL systems also have logical user accounts, user accounts that exist for particular applications, such as MySQL, or system functions, such as the mail and bin user accounts.
Both actual and logical user accounts have user identification numbers (UIDs), numeric values that the kernel and many applications use instead of the account name.
Ordinarily, each user account has a unique UID (on a given system), but this is not strictly required.
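Because the kernel identifies accounts by UID rather than by name, two accounts that share a UID are interchangeable to it, and any account with UID 0 is root whatever it is called. The following added example (not from the book) audits a passwd-format file for both conditions. It reads a constructed sample file so that it runs stand-alone; on a live system you would point the functions at /etc/passwd.

```shell
# Added example, not from the book: audit a passwd-format file for UIDs that
# more than one account shares and for UID 0 accounts other than root.
# Both matter because the kernel identifies users by UID, not by name.

# Print "uid name1,name2,..." for every UID used by more than one account.
# Reads the file(s) named as arguments, or standard input when none is given.
duplicate_uids() {
    awk -F: '
        NF >= 3 {
            names[$3] = (names[$3] == "") ? $1 : names[$3] "," $1
            count[$3]++
        }
        END { for (uid in count) if (count[uid] > 1) print uid, names[uid] }
    ' "$@" | sort -n
}

# Print every account whose UID is 0 but whose name is not root.
extra_uid0_accounts() {
    awk -F: 'NF >= 3 && $3 == 0 && $1 != "root" { print $1 }' "$@"
}

# Constructed sample in /etc/passwd format (not a real system file).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:Second root:/root:/bin/bash
bubba:x:901:901:Bubba User:/home/bubba:/bin/bash
joebob:x:902:902:Joe Bob:/home/joebob:/bin/bash
marysue:x:901:903:Mary Sue:/home/marysue:/bin/bash
EOF

echo "UIDs shared by more than one account:"
duplicate_uids "$SAMPLE_PASSWD"
echo "UID 0 accounts other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"
# On a live system: duplicate_uids /etc/passwd; extra_uid0_accounts /etc/passwd
```

Both functions accept a file name or read standard input, so they can also be fed the output of getent passwd on a system that resolves accounts from a directory service as well as from the local file.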
Working with User Accounts
One of the most common administrative tasks is working with user and group accounts. Some administrators find the traditional command line tools for managing users and groups tedious or inconvenient to use. Table 29-1 lists the commands for adding, modifying, and deleting user accounts.
You use the following commands most often:
■■ useradd — Create user login accounts
■■ userdel — Delete user login accounts
■■ usermod — Modify user login accounts
■■ passwd — Set or change account passwords
■■ chsh — Set or change a user’s default shell
■■ chage — Modify password expiration information
The useradd command creates new user accounts and, when invoked with the -D option, modifies the default values applied to new accounts. As a result, it can be invoked in two ways. The syntax of the first form is:
useradd [-c comment] [-d dir] [-e date]
[-f time] [-g initial] [-G group[,...]]
[-m [-k dir] | -M]
[-p passwd] [-s shell] [-u uid [-o]]
[-n] [-r] username

The first form creates a new user account named username. Optional values not specified using options are assigned default values drawn from /etc/login.defs and /etc/default/useradd. Table 29-2 lists the options useradd accepts.
Modifying Multiple Accounts Simultaneously
In busy or large IT environments, system administrators often find themselves faced with the necessity of creating multiple user accounts.
Using useradd to add one or two accounts is relatively simple, but it quickly becomes tedious if 10 or 20 accounts need to be created.
Fortunately, the shadow password suite includes the newusers utility, which can be used to create and update multiple user accounts.
One of the advantages of command line tools is that they can be used to perform bulk or mass changes.
Two commands, chpasswd and newusers, make multiple changes to the user password database in a single operation.
The syntax is:
newusers userfile
userfile is the name of a text file consisting of lines in the same format as the standard password file, subject to the following exceptions:
■■ The password field appears as clear text — newusers encrypts it before adding the account.
■■ The pw_age field is ignored for shadow passwords if the user already exists.
■■ The GID can be the name of an existing group or a nonexistent GID. If the GID is the name of an existing group, the named user is added to that group, but if it is a nonexistent numeric value, a new group with the specified GID is created.
■■ If the specified home directory refers to a nonexistent directory, newusers creates it. If the directory already exists, ownership of the directory is set to that of the named user.
The following code shows the contents of newusers.txt, which is passed to newusers to create three new user accounts, bubba, joebob, and marysue:
bubba:mypass:901:901:Bubba User:/home/bubba:/bin/bash
joebob:yourpass:902:902:Joe Bob:/home/joebob:/bin/bash
marysue:somepass:903:903:Mary Sue:/home/marysue:/bin/bash

After executing the command newusers newusers.txt, you will see the entries in /etc/passwd, /etc/group, and /etc/shadow, as shown in Listing 29-1.
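newusers processes the whole file in a single operation, so a malformed line is easiest to catch before the run rather than after half the accounts exist. The following added example (not from the book) checks a newusers input file against the rules listed above: seven passwd-style fields, a non-empty clear-text password, a GID that is either numeric or the name of an existing group, and an absolute home directory. The function name check_newusers_file and its group-file argument are this example's own; the sample files are constructed here so the check runs offline.

```shell
# Added example, not from the book: check a newusers input file before
# running "newusers userfile". The group file is passed in so the check
# runs offline; on a live system it would be /etc/group.
# Usage: check_newusers_file userfile groupfile
# Prints one "line N: reason" message per problem and nothing for a clean file.
check_newusers_file() {
    [ -n "$2" ] || { echo "usage: check_newusers_file userfile groupfile" >&2; return 2; }
    awk -F: -v groupfile="$2" '
        BEGIN {
            # Collect existing group names so a GID given by name can be verified.
            while ((getline line < groupfile) > 0) {
                split(line, g, ":")
                groups[g[1]] = 1
            }
            close(groupfile)
        }
        {
            if (NF != 7) { print "line " NR ": expected 7 fields, found " NF; next }
            # Conservative name rule: lower-case letter or _ first, then [a-z0-9_-].
            if ($1 !~ /^[a-z_][a-z0-9_-]*[$]?$/) print "line " NR ": bad user name " $1
            # newusers expects a clear-text password here and encrypts it itself.
            if ($2 == "") print "line " NR ": empty password"
            if ($3 !~ /^[0-9]+$/) print "line " NR ": UID must be numeric"
            # The GID may be a number (a new group is created if unused) or an existing group name.
            if ($4 !~ /^[0-9]+$/ && !($4 in groups))
                print "line " NR ": GID " $4 " is neither numeric nor an existing group"
            if ($6 !~ /^\//) print "line " NR ": home directory must be an absolute path"
            if ($7 == "") print "line " NR ": empty login shell"
        }
    ' "$1"
}

# Constructed sample group file and newusers files (not real system files).
SAMPLE_GROUP=$(mktemp)
printf 'users:x:100:\nadmins:x:507:marysue\n' > "$SAMPLE_GROUP"

GOOD_USERS=$(mktemp)
cat > "$GOOD_USERS" <<'EOF'
bubba:mypass:901:901:Bubba User:/home/bubba:/bin/bash
joebob:yourpass:902:admins:Joe Bob:/home/joebob:/bin/bash
EOF

BAD_USERS=$(mktemp)
cat > "$BAD_USERS" <<'EOF'
marysue::903:903:Mary Sue:/home/marysue:/bin/bash
Bad User:pw:904:nosuchgroup:Bad:home/bad:/bin/bash
short:pw:905
EOF

echo "Checking $GOOD_USERS (expected clean):"
check_newusers_file "$GOOD_USERS" "$SAMPLE_GROUP"
echo "Checking $BAD_USERS:"
check_newusers_file "$BAD_USERS" "$SAMPLE_GROUP"
```

Because the file holds clear-text passwords, keep it readable by root only and remove it once newusers has run. The same checks, minus the UID, GID and home fields, apply to the username:password file that chpasswd reads.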

The chpasswd command updates existing user passwords en masse. It reads a file consisting of colon-separated username:password pairs. Password must be plain text, which will be encrypted at runtime, unless chpasswd is invoked with the -e option, in which case password must already be encrypted using a crypt(3)-compatible encryption algorithm.
Viewing Login and Process Information
To view current and past login information and to determine what processes users are running, you can use one of the following commands:
■■ last — Displays historical login information
■■ who — Displays information about currently logged-in users
■■ w — Displays a user’s currently running processes
For all user logins, starting with the most recent, last prints the user name, TTY, date, time, elapsed time, and, if applicable, the host name or IP address of the remote host from which the login originated.
Its syntax is:

last [-R | [-ai]] [-num | -n num] [username] [tty]
The who command displays information about currently logged-in users. Its default output includes the user name, login TTY, and the date and time each user logged in.
who’s syntax is:
who [-Hil] | [-q]

The w command is very similar to who, except that it also displays the command line of each user’s currently running process and a summary of each user’s CPU usage.
w’s syntax is:
w [-husf] [username]
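last is the first thing to consult when reviewing who has been logging in from where. The following added example (not from the book) summarizes last output per user, counting logins and collecting the distinct origins; local logins, which last prints without a host column, are labelled local. The function names and the sample records are this example's own, constructed in the layout last prints; on a live system you would pipe the real command in.

```shell
# Added example, not from the book: summarize last(1) output per user.
# Reads the file(s) named as arguments, or standard input when none is given,
# so on a live system you can run: last | summarize_logins
summarize_logins() {
    awk '
        # Skip blank lines, the "wtmp begins" footer and reboot records.
        NF == 0 || $1 == "wtmp" || $1 == "reboot" { next }
        {
            # Local logins have no host column, so the third field is a weekday.
            host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            count[$1]++
            if (!(($1, host) in seen)) {
                seen[$1, host] = 1
                hosts[$1] = hosts[$1] " " host
            }
        }
        # One line per user: name, number of logins, then each distinct origin.
        END { for (u in count) print u, count[u] hosts[u] }
    ' "$@" | sort
}

# Users whose logins came from more than one origin (worth a second look).
multi_origin_users() {
    summarize_logins "$@" | awk 'NF > 3 { print $1 }'
}

# Constructed sample in the layout last prints (not real login records).
SAMPLE_LAST=$(mktemp)
cat > "$SAMPLE_LAST" <<'EOF'
bubba    pts/0        192.168.1.5      Mon Jan  5 10:23   still logged in
joebob   pts/1        10.0.0.7         Mon Jan  5 09:58 - 10:15  (00:17)
marysue  tty1                          Sun Jan  4 22:01 - 23:40  (01:39)
bubba    pts/2        192.168.1.5      Sun Jan  4 18:12 - 18:30  (00:18)
reboot   system boot  2.6.x            Sun Jan  4 08:00          (2+03:21)
joebob   pts/0        10.0.0.9         Sat Jan  3 14:02 - 14:20  (00:18)

wtmp begins Thu Jan  1 00:00:00 2004
EOF

summarize_logins "$SAMPLE_LAST"
echo "Logged in from more than one origin:"
multi_origin_users "$SAMPLE_LAST"
```

The weekday test is what makes the summary robust: without it, a local login shifts every later column one place to the left and the date would be counted as a host. Running last with -a moves the host to the last column instead, but the layout above is the default one.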
Working with Group Accounts
Unlike user accounts, group accounts always represent some sort of logical organization of users. Like user accounts, groups have group identification numbers, or GIDs, and it is common for users to be members of several groups.
Groups are used to tie one or more users together to simplify administrative tasks. For example, an administrator can assign a group permission to execute a certain application, and then add and delete users from that group, rather than granting permission to individual users.
Handling access control at the group level is a simpler, less labor-intensive approach. Similarly, file access can be controlled at the group level because files are assigned user and group owners when files are created and because files carry separate read, write, and execute permissions for the owner, the group assigned to the file, and any other users.
Table 29-5 lists the commands used to add, modify, and delete group accounts. They are discussed in greater detail in the following subsections.
It helps to understand the format of the group file, /etc/group. It has one entry per line, and each line has the format:
groupname:password:gid:userlist
■■ groupname is the name of the group
■■ password is an optional field containing the encrypted group password
■■ gid is the numeric group ID number
■■ userlist is a comma-separated list of the user account names that compose the group
If x appears in the password field, nonmembers of the group cannot join it using the newgrp command.
A typical entry in the group file might resemble the following:
admins:x:507:joebob,marysue,bubba
groupname is admins; password is empty, meaning no group password has been set; gid is 507; and userlist is joebob,marysue,bubba.
Creating Groups
To create a new group, use the groupadd command. Its syntax is:
groupadd [-g gid [-o]] [-r] [-f] groupname
groupname is the only required argument and must be the name of a nonexistent group.
When invoked with only the name of the new group, groupadd creates the group and assigns it the first GID that is greater than 500 and not already in use.
Specify -f to force groupadd to accept an existing groupname.
Use the -g gid option if you want to specify the new group’s GID, replacing gid with a unique GID (use the -o option to force groupadd to accept a nonunique GID).
To create a system group, one that has special privileges, use the -r option.
The following command creates a new group named admins:
# groupadd admins

Here is the resulting entry created in /etc/group:

admins:x:507:

At this point, admins has no members and the password field has an x in it, meaning that no one (which is everyone at this point) except root can join the group using newgrp.
Modifying and Deleting Groups
To add a user to a group, a group administrator uses gpasswd’s -a username option. The -d username option removes a user from a group. The next example shows how to add and remove bubba using gpasswd’s -a and -d options:
# gpasswd -a bubba admins
Adding user bubba to group admins
# grep admins /etc/group
admins:!:507:marysue,joebob,bubba
# gpasswd -d bubba admins
Removing user bubba from group admins
# grep admins /etc/group
admins:!:507:marysue,joebob
Using a Shadowed Group File
Much of the behavior described in the previous subsection does not apply if the shadow group file, /etc/gshadow, is present. In particular, if the shadow group file is in use:
■■ Adding a group creates an entry for that group in the shadow group file that resembles the following:
admins:x:507:
admins:!::
■■ Adding a user to a group adds that user to both the standard group file and the shadow group file:
# gpasswd -M marysue admins
# grep admins /etc/group /etc/gshadow
group:admins:x:507:marysue
gshadow:admins:!::marysue
■■ The third field in the shadow group file holds the name of the group administrator, not the GID, if an administrator is added using gpasswd’s -A username option:
# gpasswd -A marysue admins
# grep admins /etc/gshadow
admins:!:marysue:marysue

■■ A group administrator cannot join the group unless the administrator’s account is also a member of the group. Similarly, a group administrator can add and delete her user account from the group without affecting her administrative function.
■■ Only group members can use newgrp to join the group. To put it another way, nonmembers of a group cannot use newgrp to join groups of which they are not members, even if they know the group password. In fact, passwords are irrelevant because they do not work for nonmembers and members do not need to use them.
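When the shadow group file is in use, the member list is kept in both /etc/group and /etc/gshadow and the administrators only in the latter, so the two files should agree, and an entry in /etc/group that still carries an encrypted group password rather than x or ! is worth knowing about. The following added example (not from the book) covers the group file format described earlier in this section and the gshadow rules just listed: it lists a group's members, flags group entries with a real password set, and reports members present in one file but not the other. The function names, the sample files and the placeholder hash are this example's own; on a live system the arguments would be /etc/group and /etc/gshadow, which only root can read in full.

```shell
# Added example, not from the book: cross-check a group file against its
# shadow group file. With /etc/gshadow in use, the member list is kept in
# both files and the third gshadow field names the administrators, so the
# two should agree. Paths are arguments so constructed samples run here;
# on a live system they would be /etc/group and /etc/gshadow (root only).

# Print the comma-separated member list of one group.
# Usage: group_members groupname groupfile
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Groups whose password field holds something other than the "x" (shadowed)
# or "!" (locked) markers, i.e. an encrypted group password is still present.
groups_with_password() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "!" { print $1 }' "$@"
}

# For every group whose member lists differ between the two files, print
# "group: admins=... missing_in_gshadow=... missing_in_group=..." ("-" = none).
# Usage: gshadow_mismatches groupfile gshadowfile
gshadow_mismatches() {
    awk -F: '
        NR == FNR { members[$1] = $4; next }            # first file: group
        {                                                # second file: gshadow
            split("", in_group); split("", in_shadow)
            n = split(members[$1], a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") in_group[a[i]] = 1
            m = split($4, b, ",")
            for (i = 1; i <= m; i++) if (b[i] != "") in_shadow[b[i]] = 1
            miss_shadow = ""; miss_group = ""
            for (u in in_group) if (!(u in in_shadow)) { sep = (miss_shadow == "" ? "" : ","); miss_shadow = miss_shadow sep u }
            for (u in in_shadow) if (!(u in in_group)) { sep = (miss_group == "" ? "" : ","); miss_group = miss_group sep u }
            if (miss_shadow != "" || miss_group != "") {
                out = $1 ": admins=" ($3 == "" ? "-" : $3)
                out = out " missing_in_gshadow=" (miss_shadow == "" ? "-" : miss_shadow)
                out = out " missing_in_group=" (miss_group == "" ? "-" : miss_group)
                print out
            }
        }
    ' "$1" "$2"
}

# Constructed sample files with a placeholder hash (not real system files).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:root
admins:x:507:marysue,joebob,bubba
staff:$1$placeholder$notarealhash:508:joebob
lonely:x:509:
EOF
SAMPLE_GSHADOW=$(mktemp)
cat > "$SAMPLE_GSHADOW" <<'EOF'
root:::root
admins:!:marysue:marysue,joebob
staff:!::joebob
lonely:!::bubba
EOF

echo "Members of admins: $(group_members admins "$SAMPLE_GROUP")"
echo "Groups with an encrypted password still in the group file:"
groups_with_password "$SAMPLE_GROUP"
echo "Group/gshadow mismatches:"
gshadow_mismatches "$SAMPLE_GROUP" "$SAMPLE_GSHADOW"
```

A mismatch usually means one file was edited by hand; gpasswd and grpconv keep the two in step, and grpck reports the same inconsistencies on a live system.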
Deleting a group is quite simple. Use the groupdel command, which takes no options except the name of the group to delete.
For example, the following command deletes the admins group:
# groupdel admins
Administering Users and Groups with User Manager
User Manager is a graphical tool for administering user and group accounts.
To use it, you must be logged in as root or otherwise have root access.
To start User Manager, click Main Menu ➪ System Settings ➪ Users and Groups. You can also start it from a command line by running system-config-users in a terminal window.
The initial screen resembles Figure 29-1. From this screen you can view, modify, and delete existing user and group accounts or create new ones.
To reduce the list of displayed accounts or to search for a specific account, type the first few letters of an account name in the Filter by text box and click the Apply filter button.
You can update most windows by clicking the Refresh button on the toolbar.
To get context-sensitive help, click the toolbar’s Help button or, to view the entire User Manager manual, select Help ➪ Manual from the toolbar.
Figure 29-1 The main Red Hat User Manager dialog box.
Creating User Accounts
To add a new user:
1. Click the Add User button. The Create New User dialog box, shown in Figure 29-2, appears.
2. Type the new account name in the User Name text box.
3. Type the user’s full name in the Full Name text box.
4. Type the user’s password in the Password and Confirm Password fields. The password must be at least six characters.
5. Select a login shell. If you choose not to accept the default shell, select an alternative shell from the Login Shell drop-down box.
6. As noted earlier in this chapter, the default home directory is /home/username. You can change the home directory by editing the Home Directory text box or not create a home directory at all by clearing the Create home directory check box.
Figure 29-2 Adding a new user.
7. To prevent creation of a user private group, remove the check from the Create new group for the user check box. A completed Create New User dialog box might resemble Figure 29-3.
8. Click OK to create the user.
Figure 29-3 A newly created user account in User Manager.
Modifying and Deleting User Accounts
After you have created a user account, you can configure additional properties by clicking User Manager’s Users tab, selecting the user, and clicking the Properties button to open the User Properties dialog box.
To add the user to additional groups, click the Groups tab (see Figure 29-4). Click the check box next to the groups of which the user should be a member, then click the Apply button.
Other account data you can modify from the User Properties window includes the basic user information you supplied when you created the user (the User Data tab), account information (the Account Info tab), and password expiration information (the Password Info tab).
On the Password Info tab, click the Enable account expiration check box to set the user account’s expiration date if you want the account to expire on a certain date.
To prevent this user account from logging in, place a check mark in the User account is locked check box.
Figure 29-4 Adding a user to additional groups.
Click the Password Info tab to view and change the account password expiration information. (See Figure 29-5.) The date that the user last changed her password appears across the top of the tab.
Click Enable password expiration to force a password change after a certain number of days, and then enter the number of days between required password changes in the Days before change required text box.
You can also set the number of days before the user can change her password, the number of days before the user is warned to change her password, and the number of days before the account becomes inactive.
When you have finished modifying the user account properties, click OK to apply the changes and close the User Properties dialog box.
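The aging values that User Manager shows on the Password Info tab (and that chage sets from the command line) are stored per account in /etc/shadow, whose fields, per shadow(5), are the account name, the password hash, the day of the last password change, the minimum and maximum days between changes, the warning period, the inactive period, the account expiry day and a reserved field, with days counted from 1970-01-01. The following added example (not from the book) reads a shadow-format file and reports passwords past their maximum age, accounts past their expiry date, and locked accounts. The function names and the optional today argument are this example's own, and the sample data is constructed with placeholder hashes; on a live system root would run the functions against /etc/shadow.

```shell
# Added example, not from the book: audit password and account aging in a
# shadow-format file. Field layout per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# with lastchg and expire counted in days since 1970-01-01.
# Every function takes the file and an optional "today" (in days) so the
# results are reproducible; the default is the current day.

days_today() { echo $(( $(date +%s) / 86400 )); }

# Accounts whose password age has passed the maximum: "name days_overdue".
# An empty maximum means the password never expires and is skipped.
expired_passwords() {
    awk -F: -v today="${2:-$(days_today)}" '
        $3 != "" && $5 != "" && ($3 + $5) < today { print $1, today - ($3 + $5) }
    ' "$1"
}

# Accounts whose absolute expiry day (field 8) has passed.
expired_accounts() {
    awk -F: -v today="${2:-$(days_today)}" '$8 != "" && $8 < today { print $1 }' "$1"
}

# Accounts whose hash is prefixed with "!", as usermod -L leaves it; such
# accounts cannot log in with a password.
locked_accounts() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Constructed sample with placeholder hashes (not a real /etc/shadow);
# day 12800 is used as "today" below so the output is fixed.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$placeholder$notarealhash:12700:0:99999:7:::
bubba:$1$placeholder$notarealhash:12700:0:90:7:::
joebob:$1$placeholder$notarealhash:12750:0:90:7:::
marysue:$1$placeholder$notarealhash:12000:0::7:::
guest:$1$placeholder$notarealhash:12400:0:90:7:30:12500:
contractor:!$1$placeholder$notarealhash:12790:0:90:7:::
EOF

TODAY=12800
echo "Expired passwords (name, days overdue):"
expired_passwords "$SAMPLE_SHADOW" "$TODAY"
echo "Expired accounts:"
expired_accounts "$SAMPLE_SHADOW" "$TODAY"
echo "Locked accounts:"
locked_accounts "$SAMPLE_SHADOW"
# On a live system (as root): expired_passwords /etc/shadow
```

An expired password still lets the user log in and is then forced to change it, until the inactive period (field 7) has also elapsed; an expired account (field 8) refuses the login outright, which is why the two checks are reported separately.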
Finally, to delete a user account, click the account to delete on User Manager’s Users tab, and then click the Delete button.
Figure 29-5 Modifying user account password expiration information.
Creating Group Accounts
To add a new user group, click the Add Group button. In the Create New Group dialog box, shown in Figure 29-6, type the name of the new group, and then click OK to create the group.
Figure 29-6 Adding a new group.
Modifying and Deleting Group Accounts
To view or modify the properties of an existing group, select the group to modify from the group list on the Groups tab and click the Properties button.
The Group Properties dialog box, shown in Figure 29-7, appears.
The Group Users tab, shown in Figure 29-8, displays the users that are members of the group.
To add other users to the group, place a check mark next to the user account names in the list, and deselect account names to remove them from the group.
Click OK to apply the changes and close the Group Properties box.
After you have finished adding or modifying user and group accounts, click File ➪ Quit or press Ctrl+Q to save your changes and close User Manager.
Figure 29-7 Modifying group properties.
Figure 29-8 Modifying group properties.
