Chapter 9. Managing users and groups

Preventing unauthorized access to files and processes requires accurate user and group management. If you do not manage accounts centrally, or you need a user account or group only on a specific system, you can create them locally on that host.

9.1. Introduction to managing user and group accounts

The control of users and groups is a core element of Red Hat Enterprise Linux (RHEL) system administration. Each RHEL user has distinct login credentials and can be assigned to various groups to customize their system privileges.

9.1.1. Introduction to users and groups

A user who creates a file is the owner of that file; the group of the file is the effective group of the creating process, which is normally the user's primary group (under the default user private group configuration, a group with the same name as the user). The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. Only the root user can change the owner of a file. Both the root user and the file owner can change the access permissions of the file. A regular user can change the group ownership of a file they own only to a group of which they are a member.

Each user is associated with a unique numerical identification number called user ID (UID). Each group is associated with a group ID (GID). Users within a group share the same permissions to read, write, and execute files owned by that group.

9.1.2. Configuring reserved user and group IDs

RHEL reserves user and group IDs below 1000 for system users and groups. You can find the reserved user and group IDs in the setup package. To view reserved user and group IDs, use:

cat /usr/share/doc/setup*/uidgid

It is recommended to assign IDs to the new users and groups starting at 5000, as the reserved range can increase in the future.

To make the IDs assigned to new users start at 5000 by default, modify the UID_MIN and GID_MIN parameters in the /etc/login.defs file.

Procedure

To modify and make the IDs assigned to new users start at 5000 by default:

  1. Open the /etc/login.defs file in an editor of your choice.
  2. Find the lines that define the minimum value for automatic UID selection.

    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                  1000
  3. Modify the UID_MIN value to start at 5000.

    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                  5000
  4. Find the lines that define the minimum value for automatic GID selection.

    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                  1000
  5. Modify the GID_MIN value to start at 5000.

    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                  5000

    The dynamically assigned UIDs and GIDs for regular users now start at 5000.

    Note

    The UIDs and GIDs of users and groups created before you changed the UID_MIN and GID_MIN values do not change.

    Because useradd creates a user private group together with each new user, both the UID and the GID of a new user are now allocated from the range starting at 5000.

    Warning

    Do not raise the upper bound of the IDs reserved for the system above 1000 by changing SYS_UID_MAX, to avoid conflicts with systems that retain the 1000 limit.
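
The following shell script is an added example, not part of the RHEL documentation. It applies the UID_MIN/GID_MIN change to a constructed copy of /etc/login.defs with sed, reads the values back the way the shadow-utils tools do (comments ignored, last definition wins), and lists the accounts in a constructed /etc/passwd that sit in the 1000 to 4999 gap between the reserved range and the new minimum, which are the accounts that would collide if the reserved range grows. The file contents and account names are constructed; point LOGIN_DEFS and PASSWD at the real files to audit a live host.

```shell
# Added example (not part of the RHEL documentation). Runs unprivileged on
# constructed copies of /etc/login.defs and /etc/passwd; point LOGIN_DEFS
# and PASSWD at the real files to audit a live host.
set -eu
WORK=$(mktemp -d)
LOGIN_DEFS="$WORK/login.defs"
PASSWD="$WORK/passwd"

# Constructed login.defs carrying the shipped 1000 minimum.
cat > "$LOGIN_DEFS" <<'EOF'
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
EOF

# Constructed passwd: system accounts, two users created under the old
# minimum, and one created after the change.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/usr/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
sarah:x:5000:5000::/home/sarah:/bin/bash
EOF

# login_def KEY FILE: value of KEY with comment lines ignored; the last
# definition wins, which is how the shadow-utils tools read the file.
login_def() {
    awk -v key="$1" '$1 == key { v = $2 } END { print v }' "$2"
}

# set_login_def KEY VALUE FILE: replace the active KEY line in place,
# the same edit the procedure above makes in an editor.
set_login_def() {
    sed -i "s/^\($1\)[[:space:]][[:space:]]*[0-9][0-9]*/\1 $2/" "$3"
}

# users_between LOW HIGH FILE: account names whose UID lies in [LOW, HIGH].
users_between() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi { print $1 }' "$3"
}

set_login_def UID_MIN 5000 "$LOGIN_DEFS"
set_login_def GID_MIN 5000 "$LOGIN_DEFS"
echo "UID_MIN=$(login_def UID_MIN "$LOGIN_DEFS") GID_MIN=$(login_def GID_MIN "$LOGIN_DEFS")"
echo "Accounts in the 1000-4999 gap that a growing reserved range could collide with:"
users_between 1000 4999 "$PASSWD"
```

On a live host the same users_between call against /etc/passwd with the range 1000 to 4999 gives the list of accounts to renumber (with usermod -u and a chown pass over their files) if you want every regular account above the 5000 line, not only the ones created after the change.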

9.1.3. User private groups

RHEL uses the user private group (UPG) system configuration, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created, and that user is its only member.

UPGs simplify collaboration between multiple users on a project. In addition, the UPG configuration makes it safe to use a default umask that leaves new files and directories group-writable (002 rather than 022): the group of a newly created file is the user's private group, of which only that user is a member, so group-write permission does not expose the file to anyone else. Combined with a setgid project directory, the same umask lets every member of the project group modify shared files without making them writable by everyone.

A list of all groups is stored in the /etc/group configuration file.

9.2. Getting started with managing user accounts

Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine. Every user operates under their own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.

The following are the different types of user accounts:

  • Normal user accounts:

    Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.

  • System user accounts:

    System user accounts represent a particular application's identity on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.

    Warning

    System accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.

    For system accounts, user IDs below 1000 are reserved. For normal accounts, you can use IDs starting at 1000. However, the recommended practice is to assign IDs starting at 5000. For assigning IDs, see the /etc/login.defs file.

  • Group:

    A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

9.2.1. Managing accounts and groups using command line tools

Use the following basic command-line tools to manage user accounts and groups.

  • To display user and group IDs:

    $ id
    uid=1000(example.user) gid=1000(example.user) groups=1000(example.user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  • To create a new user account:

    # useradd example.user
  • To assign a new password to a user account belonging to example.user:

    # passwd example.user
  • To add a user to a group:

    # usermod -a -G example.group example.user

Additional resources

  • man useradd(8), man passwd(1), and man usermod(8)

9.2.2. System user accounts managed in the web console

With user accounts displayed in the RHEL web console you can:

  • Authenticate users when accessing the system.
  • Set the access rights to the system.

The RHEL web console displays all user accounts located in the system. Therefore, you can see at least one user account just after the first login to the web console.

After logging into the RHEL web console, you can perform the following operations:

  • Create new user accounts.
  • Change their parameters.
  • Lock accounts.
  • Terminate user sessions.

9.2.3. Adding new accounts using the web console

Use the following steps for adding user accounts to the system and setting administration rights to the accounts through the RHEL web console.

Procedure

  1. Log in to the RHEL web console.
  2. Click Accounts.
  3. Click Create New Account.
  4. In the Full Name field, enter the full name of the user.

    The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it for verification that your password is correct.

    The color bar below the fields indicates the strength of the entered password. The web console does not allow you to create a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. In the Groups drop-down menu, select the groups that you want to add to the new account.

    Now you can see the new account in the Accounts settings and you can use its credentials to connect to the system.

9.3. Managing users from the command line

You can manage users and groups using the command-line interface (CLI). This enables you to add, remove, and modify users and user groups in a Red Hat Enterprise Linux environment.

9.3.1. Adding a new user from the command line

You can use the useradd utility to add a new user.

Prerequisites

  • Root access

Procedure

  • To add a new user, use:

    # useradd options username

    Replace options with the command-line options for the useradd command, and replace username with the name of the user.

    Example 9.1. Adding a new user

    To add the user sarah with user ID 5000, use:

    # useradd -u 5000 sarah

Verification steps

  • To verify the new user is added, use the id utility.

    # id sarah

    The output returns:

    uid=5000(sarah) gid=5000(sarah) groups=5000(sarah)

Additional resources

  • useradd man page

9.3.2. Adding a new group from the command line

You can use the groupadd utility to add a new group.

Prerequisites

  • Root access

Procedure

  • To add a new group, use:

    # groupadd options group-name

    Replace options with the command-line options for the groupadd command, and replace group-name with the name of the group.

    Example 9.2. Adding a new group

    To add the group sysadmins with group ID 5000, use:

    # groupadd -g 5000 sysadmins

Verification steps

  • To verify the new group is added, use the getent utility, which queries the group database rather than only the last lines of /etc/group:

    # getent group sysadmins

    The output returns:

    sysadmins:x:5000:

Additional resources

  • groupadd man page

9.3.3. Adding a user to a supplementary group from the command line

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

  • root access

Procedure

  • To add a group to the supplementary groups of the user, use:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

    Example 9.3. Adding a user to a supplementary group

    To add the user sysadmin to the group system-administrators, use:

    # usermod --append -G system-administrators sysadmin

Verification steps

  • To verify the group is added to the supplementary groups of the user sysadmin, use:

    # groups sysadmin

    The output displays:

    sysadmin : sysadmin system-administrators

9.3.4. Creating a group directory

Under the UPG system configuration, you can apply the set-group identification permission (setgid bit) to a directory. The setgid bit makes managing group projects that share a directory simpler. When you apply the setgid bit to a directory, files created within that directory are automatically assigned to the group that owns the directory, rather than to the creating user's primary group. Any member of that group who has write and execute permission on the directory can then create, modify, and delete files in it.

The following section describes how to create group directories.

Prerequisites

  • Root access

Procedure

  1. Create a directory:

    # mkdir directory-name

    Replace directory-name with the name of the directory.

  2. Create a group:

    # groupadd group-name

    Replace group-name with the name of the group.

  3. Add users to the group:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

  4. Set the group ownership of the directory to the group-name group:

    # chgrp group-name directory-name

    Replace group-name with the name of the group, and replace directory-name with the name of the directory.

  5. Set the write permission so that group members can create and modify files and directories, and set the setgid bit so that new files inherit the group of the directory-name directory:

    # chmod g+rwxs directory-name

    Replace directory-name with the name of the directory.

    Now all members of the group-name group can create and edit files in the directory-name directory. Newly created files retain the group ownership of group-name group.

Verification steps

  • To verify the correctness of set permissions, use:

    # ls -ld directory-name

    Replace directory-name with the name of the directory.

    The output returns:

    drwxrwsr-x. 2 root group-name 6 Nov 25 08:45 directory-name
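
The following script is an added example, not from the RHEL documentation. It performs steps 1, 4 and 5 of the procedure in a temporary directory as an unprivileged user and then shows the two effects this section and the user private group section rely on: files created in the setgid directory take the directory's group, and with the UPG umask of 002 they come out group-writable, while a stricter umask still produces owner-only files in the same directory. Because no project group is created, the script uses the invoking user's own primary GID in place of group-name; the directory path and file names are assumptions.

```shell
# Added example (not from the RHEL documentation). Runs unprivileged in a
# temporary directory; the invoking user's primary GID stands in for the
# project group, and the paths are assumptions.
set -eu
umask 022                   # fixed so the directory mode below is predictable
WORK=$(mktemp -d)
GROUP=$(id -g)              # numeric GID standing in for group-name
SHARED="$WORK/shared"       # standing in for directory-name

# setup_group_dir DIR GID: steps 1, 4 and 5 of the procedure.
setup_group_dir() {
    mkdir "$1"
    chgrp "$2" "$1"
    chmod g+rwxs "$1"
}

# mode_of PATH: octal mode including the setgid digit, e.g. 2775.
mode_of() { stat -c %a "$1"; }

# group_of PATH: numeric owning GID of a file.
group_of() { stat -c %g "$1"; }

# create_in DIR NAME UMASK: create an empty file under DIR with the given
# umask, in a subshell so the caller's umask is untouched.
create_in() { ( umask "$3"; : > "$1/$2" ); }

setup_group_dir "$SHARED" "$GROUP"

# UPG umask 002: group-writable is safe because "group" is either the
# owner's private group or, under a setgid directory, the project group.
create_in "$SHARED" notes.txt 002
# A conservative umask still yields an owner-only file in the same directory.
create_in "$SHARED" private.txt 077

printf '%-12s %s gid=%s\n' shared/ "$(mode_of "$SHARED")" "$(group_of "$SHARED")"
printf '%-12s %s gid=%s\n' notes.txt "$(mode_of "$SHARED/notes.txt")" "$(group_of "$SHARED/notes.txt")"
printf '%-12s %s gid=%s\n' private.txt "$(mode_of "$SHARED/private.txt")" "$(group_of "$SHARED/private.txt")"
```

The leading 2 in the directory mode is the setgid bit shown as the s in drwxrwsr-x above. Without it, a file created by a member of the project group would carry that member's primary group instead, and the other members could not edit it even with g+rwx on the directory.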

9.3.5. Removing a user on the command line

You can remove a user account using the command line. In addition to removing the user account, you can optionally remove the user data and metadata, such as their home directory and configuration files. Files the user owns outside their home directory are not removed and keep the numeric UID of the deleted account.

Prerequisites

  • You have root access.
  • The user currently exists.
  • Ensure that the user is logged out:

    # loginctl terminate-user user-name

Procedure

  • To only remove the user account, and not the user data:

    # userdel user-name
  • To remove the user, the data, and the metadata:

    1. Remove the user, their home directory, their mail spool, and their SELinux user mapping:

      # userdel --remove --selinux-user user-name
    2. Remove additional user metadata:

      # rm -rf /var/lib/AccountsService/users/user-name

      This directory stores information that the system needs about the user before the home directory is available. Depending on the system configuration, the home directory might not be available until the user authenticates at the login screen.

      Important

      If you do not remove this directory and you later recreate the same user, the recreated user will still use certain settings inherited from the removed user.

Additional resources

  • The userdel(8) man page.
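
The following script is an added example, not from the RHEL documentation. It shows the two checks worth running around userdel: before removal, list the files the user owns outside the home directory (userdel --remove deletes only the home directory and mail spool), and after removal, find files left with an owner UID that no longer exists in the user database. It runs unprivileged against a constructed temporary tree and the invoking user's own UID; on a real host, run files_owned_by against / with the departing user's UID and orphaned_files against / once the account is gone.

```shell
# Added example (not from the RHEL documentation). Runs unprivileged against
# a constructed temporary tree and the invoking user's UID; on a real host use
# / as ROOT and the departing user's UID (id -u user-name, before userdel).
set -eu
WORK=$(mktemp -d)
ME=$(id -u)

# Constructed tree: a home directory plus two files the user left elsewhere,
# the kind that userdel --remove does not touch.
mkdir -p "$WORK/home/user" "$WORK/srv/app" "$WORK/tmp"
: > "$WORK/home/user/.bashrc"
: > "$WORK/srv/app/config.yml"
: > "$WORK/tmp/scratch.log"

# files_owned_by ROOT UID [EXCLUDE]: regular files under ROOT owned by UID,
# skipping the EXCLUDE subtree (the home directory that userdel --remove
# handles) and never crossing file system boundaries, so network mounts
# are not walked by accident.
files_owned_by() {
    if [ -n "${3:-}" ]; then
        find "$1" -xdev -path "$3" -prune -o -type f -uid "$2" -print
    else
        find "$1" -xdev -type f -uid "$2" -print
    fi | sort
}

# orphaned_files ROOT: files whose owner UID has no entry in the user
# database, which is what a removed account leaves behind. A later useradd
# that reuses the UID silently hands these files to the new user.
orphaned_files() {
    find "$1" -xdev -nouser -print | sort
}

echo "Reassign (chown) or delete these before removing the account:"
files_owned_by "$WORK" "$ME" "$WORK/home/user"
echo "Orphaned files after removal (expected empty here):"
orphaned_files "$WORK"
```

Run the pre-removal listing while the account still exists so that the UID can be resolved from the user name; after userdel only the numeric UID and the -nouser test remain.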

9.4. Managing user accounts in the web console

The RHEL web console offers a graphical interface that enables you to execute a wide range of administrative tasks without accessing your terminal directly. For example, you can add, edit or remove system user accounts.

After reading this section, you will know:

  • Where the existing accounts come from.
  • How to add new accounts.
  • How to set password expiration.
  • How and when to terminate user sessions.

9.4.1. System user accounts managed in the web console

With user accounts displayed in the RHEL web console you can:

  • Authenticate users when accessing the system.
  • Set the access rights to the system.

The RHEL web console displays all user accounts located in the system. Therefore, you can see at least one user account just after the first login to the web console.

After logging into the RHEL web console, you can perform the following operations:

  • Create new user accounts.
  • Change their parameters.
  • Lock accounts.
  • Terminate user sessions.

9.4.2. Adding new accounts using the web console

Use the following steps for adding user accounts to the system and setting administration rights to the accounts through the RHEL web console.

Procedure

  1. Log in to the RHEL web console.
  2. Click Accounts.
  3. Click Create New Account.
  4. In the Full Name field, enter the full name of the user.

    The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it for verification that your password is correct.

    The color bar below the fields indicates the strength of the entered password. The web console does not allow you to create a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. In the Groups drop-down menu, select the groups that you want to add to the new account.

    Now you can see the new account in the Accounts settings and you can use its credentials to connect to the system.

9.4.3. Enforcing password expiration in the web console

By default, passwords for user accounts never expire. You can set passwords to expire after a defined number of days. When the password expires, the next login attempt prompts for a password change.

Procedure

  1. Log in to the RHEL 9 web console.
  2. Click Accounts.
  3. Select the user account for which you want to enforce password expiration.
  4. Click edit on the Password line.

  5. In the Password expiration dialog box, select Require password change every …​ days and enter a positive whole number representing the number of days after which the password expires.
  6. Click Change.

    The web console immediately shows the date of the future password change request on the Password line.

9.4.4. Terminating user sessions in the web console

A user creates user sessions when logging in to the system. Terminating user sessions means logging the user out of the system. This can be helpful if you need to perform administrative tasks that are sensitive to configuration changes, for example, system upgrades.

In each user account in the RHEL 9 web console, you can terminate all sessions for the account except for the web console session you are currently using. This prevents you from losing access to your system.

Procedure

  1. Log in to the RHEL 9 web console.
  2. Click Accounts.
  3. Click the user account for which you want to terminate the session.
  4. Click Terminate Session.

    If the Terminate Session button is inactive, the user is not logged in to the system.

    The RHEL web console terminates the sessions.

9.5. Editing user groups using the command line

A user belongs to a set of groups, each of which collects users who need the same access to files and directories. You can edit the primary and supplementary groups of a user from the command line to change the user's permissions.

9.5.1. Primary and supplementary user groups

A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

On Linux, user groups can act as primary or supplementary. Primary and supplementary groups have the following properties:

Primary group
  • Every user has just one primary group at all times.
  • You can change the user’s primary group.
Supplementary groups
  • You can add an existing user to an existing supplementary group to manage users with the same security and access privileges within the group.
  • Users can be members of zero or multiple supplementary groups.

9.5.2. Listing the primary and supplementary groups of a user

You can list the groups of users to see which primary and supplementary groups they belong to.

Procedure

  • Display the names of the primary and any supplementary group of a user:

    $ groups user-name

    Replace user-name with the name of the user. If you do not provide a user name, the command displays the group membership for the current user. The first group is the primary group followed by the optional supplementary groups.

    Example 9.4. Listing of groups for user sarah:

    $ groups sarah

    The output displays:

    sarah : sarah wheel developer

    User sarah has a primary group sarah and is a member of supplementary groups wheel and developer.

    Example 9.5. Listing of groups for user marc:

    $ groups marc

    The output displays:

    marc : marc

    User marc has only a primary group marc and no supplementary groups.
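
The following script is an added example, not from the RHEL documentation. It reconstructs what the groups utility prints from constructed copies of /etc/passwd and /etc/group (the primary group is resolved through the GID field of passwd; the supplementary groups are the entries whose member list contains the user), and adds a members_of check for auditing a privileged group such as wheel. The constructed data includes a user, eve, whose primary GID is wheel's: she has wheel's access but never appears in wheel's member field, so an audit that only reads /etc/group misses her. All names and IDs are constructed; point PASSWD and GROUP_FILE at the real files, or at getent output, to audit a live host.

```shell
# Added example (not from the RHEL documentation). Constructed copies of
# /etc/passwd and /etc/group; point PASSWD and GROUP_FILE at the real files
# (or at "getent passwd" / "getent group" output) to audit a live host.
set -eu
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
GROUP_FILE="$WORK/group"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sarah:x:5000:5000::/home/sarah:/bin/bash
marc:x:5001:5001::/home/marc:/bin/bash
eve:x:5002:10::/home/eve:/bin/bash
EOF

# eve's primary GID is 10 (wheel), yet she is absent from wheel's member list.
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:sarah
sarah:x:5000:
marc:x:5001:
developer:x:5003:sarah
EOF

# primary_group USER: name of the group whose GID is USER's primary GID.
primary_group() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$PASSWD")
    awk -F: -v g="$gid" '$3 == g { print $1 }' "$GROUP_FILE"
}

# supplementary_groups USER: groups whose member field lists USER,
# in file order, which is the order "groups" prints them.
supplementary_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$GROUP_FILE"
}

# groups_of USER: same shape as "groups USER", i.e. "user : primary supp...".
groups_of() {
    printf '%s : %s\n' "$1" \
        "$( { primary_group "$1"; supplementary_groups "$1"; } | paste -s -d ' ')"
}

# members_of GROUP: everyone who gets GROUP's access, including users whose
# primary GID is GROUP. Reading only the member field of /etc/group misses them.
members_of() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    {
        awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD"
    } | sort -u
}

groups_of sarah
groups_of marc
groups_of eve
echo "wheel members, including by primary GID:"
members_of wheel
```

The same gap applies in the other direction: gpasswd -d removes a name from the member field only, so it cannot take away access that a user holds through their primary GID; for that, change the primary group with usermod -g as described in the next section.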

9.5.3. Changing the primary group of a user

You can change the primary group of an existing user to a new group.

Prerequisites

  • root access
  • The new group must exist

Procedure

  • Change the primary group of a user:

    # usermod -g group-name user-name

    Replace group-name with the name of the new primary group, and replace user-name with the name of the user.

    Note

    When you change a user’s primary group, the command also automatically changes the group ownership of all files in the user’s home directory to the new primary group. You must fix the group ownership of files outside of the user’s home directory manually.

    Example 9.6. Example of changing the primary group of a user:

    If the user sarah belongs to the primary group sarah1, and you want to change the primary group of the user to sarah2, use:

    # usermod -g sarah2 sarah

Verification steps

  • Verify that you changed the primary group of the user:

    $ groups sarah

    The output displays:

    sarah : sarah2

9.5.4. Adding a user to a supplementary group from the command line

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

  • root access

Procedure

  • To add a group to the supplementary groups of the user, use:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

    Example 9.7. Adding a user to a supplementary group

    To add the user sysadmin to the group system-administrators, use:

    # usermod --append -G system-administrators sysadmin

Verification steps

  • To verify the group is added to the supplementary groups of the user sysadmin, use:

    # groups sysadmin

    The output displays:

    sysadmin : sysadmin system-administrators

9.5.5. Removing a user from a supplementary group

You can remove an existing user from a supplementary group to limit their permissions or access to files and devices.

Prerequisites

  • root access

Procedure

  • Remove a user from a supplementary group:

    # gpasswd -d user-name group-name

    Replace user-name with the name of the user, and replace group-name with the name of the supplementary group.

    Example 9.8. Removing user from a supplementary group

    If the user sarah has a primary group sarah2, and belongs to the supplementary groups wheel and developers, and you want to remove that user from the group developers, use:

    # gpasswd -d sarah developers

Verification steps

  • Verify that you removed the user sarah from the supplementary group developers:

    $ groups sarah

    The output displays:

    sarah : sarah2 wheel

9.5.6. Changing all of the supplementary groups of a user

You can overwrite the list of supplementary groups that you want the user to remain a member of.

Prerequisites

  • root access
  • The supplementary groups must exist

Procedure

  • Overwrite a list of user’s supplementary groups:

    # usermod -G group-names user-name

    Replace group-names with the name of one or more supplementary groups. To add the user to several supplementary groups at once, separate the group names using commas and no intervening spaces. For example: wheel,developer.

    Replace user-name with the name of the user.

    Important

    If the user is currently a member of a group that you do not specify, the command removes the user from the group.

    Example 9.9. Changing the list of supplementary groups of a user

    If the user sarah has a primary group sarah2, and belongs to the supplementary group wheel, and you want the user to belong to three more supplementary groups developer, sysadmin, and security, use:

    # usermod -G wheel,developer,sysadmin,security sarah

Verification steps

  • Verify that you set the list of supplementary groups correctly:

    # groups sarah

    The output displays:

    sarah : sarah2 wheel developer sysadmin security

9.6. Changing and resetting the root password

If the existing root password is no longer satisfactory or is forgotten, you can change or reset it both as the root user and a non-root user.

9.6.1. Changing the root password as the root user

You can use the passwd command to change the root password as the root user.

Prerequisites

  • Root access

Procedure

  • To change the root password, use:

    # passwd

    Because you are root, you are not asked for the current root password; you are prompted to enter the new password twice.

9.6.2. Changing or resetting the forgotten root password as a non-root user

You can use the passwd command to change or reset the forgotten root password as a non-root user.

Prerequisites

  • You are able to log in as a non-root user.
  • You are a member of the administrative wheel group.

Procedure

  • To change or reset the root password as a non-root user that belongs to the wheel group, use:

    $ sudo passwd root

    You are prompted to enter your current non-root password before you can change the root password.

9.6.3. Resetting the root password on boot

If you are unable to log in as a non-root user or do not belong to the administrative wheel group, you can reset the root password on boot by switching into a specialized chroot jail environment. This procedure is available to anyone who can reach the console and edit the boot entry; on systems where that is a concern, protect the GRUB menu with a password and encrypt the root file system.

Procedure

  1. Reboot the system and, on the GRUB 2 boot screen, press the e key to interrupt the boot process.

    The kernel boot parameters appear.

    load_video
    set gfx_payload=keep
    insmod gzio
    linux ($root)/vmlinuz-5.14.0-70.22.1.el9_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet
    initrd ($root)/initramfs-5.14.0-70.22.1.el9_0.x86_64.img $tuned_initrd
  2. Go to the end of the line that starts with linux.

    linux ($root)/vmlinuz-5.14.0-70.22.1.el9_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet

    Press Ctrl+e to jump to the end of the line.

  3. Add rd.break to the end of the line that starts with linux.

    linux ($root)/vmlinuz-5.14.0-70.22.1.el9_0.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet rd.break
  4. Press Ctrl+x to start the system with the changed parameters.

    The switch_root prompt appears.

  5. Remount the file system as writable:

    mount -o remount,rw /sysroot

    The file system is mounted as read-only in the /sysroot directory. Remounting the file system as writable allows you to change the password.

  6. Enter the chroot environment:

    chroot /sysroot

    The sh-5.1# prompt appears.

  7. Reset the root password:

    passwd

    Follow the instructions displayed by the command line to finalize the change of the root password.

  8. Enable the SELinux relabeling process on the next system boot:

    touch /.autorelabel
  9. Exit the chroot environment:

    exit
  10. Exit the switch_root prompt:

    exit
  11. Wait until the SELinux relabeling process is finished. Note that relabeling a large disk might take a long time. The system reboots automatically when the process is complete.

Verification steps

  1. To verify that the root password is successfully changed, log in as a normal user and open the Terminal.
  2. Run the interactive shell as root:

    $ su
  3. Enter your new root password.
  4. Print the user name associated with the current effective user ID:

    # whoami

    The output returns:

    root