4.3. Using Command-Line Tools
Table 4.1. Command line utilities for managing users and groups
Utilities | Description |
---|---|
id | Displays user and group IDs. |
useradd , usermod , userdel | Standard utilities for adding, modifying, and deleting user accounts. |
groupadd , groupmod , groupdel | Standard utilities for adding, modifying, and deleting groups. |
gpasswd | Utility primarily used for modification of group password in the /etc/gshadow file which is used by the newgrp command. |
pwck , grpck | Utilities that can be used for verification of the password, group, and associated shadow files. |
pwconv , pwunconv | Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords. |
grpconv , grpunconv | Similar to the previous, these utilities can be used for conversion of shadowed information for group accounts. |
4.3.1. Adding a New User
root
:
useradd
[options] username
useradd
command creates a locked user account. To unlock the account, run the following command as root
to assign a password:
passwd
username
Table 4.2. Common useradd command-line options
Option | |
---|---|
-c 'comment' | comment can be replaced with any string. This option is generally used to specify the full name of a user. |
-d home_directory | Home directory to be used instead of default /home/username/ . |
-e date | Date for the account to be disabled in the format YYYY-MM-DD. |
-f days | Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires. |
-g group_name | Group name or group number for the user's default (primary) group. The group must exist prior to being specified here. |
-G group_list | List of additional (supplementary, other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here. |
-m | Create the home directory if it does not exist. |
-M | Do not create the home directory. |
-N | Do not create a user private group for the user. |
-p password | The password encrypted with crypt . |
-r | Create a system account with a UID less than 1000 and without a home directory. |
-s | User's login shell, which defaults to /bin/bash . |
-u uid | User ID for the user, which must be unique and greater than 999. |
Important
/etc/login.defs
file.
Explaining the Process
useradd juan
is issued on a system that has shadow passwords enabled:
- A new line for
juan
is created in/etc/passwd
:juan:x:1001:1001::/home/juan:/bin/bash
The line has the following characteristics:- It begins with the user name
juan
. - There is an
x
for the password field indicating that the system is using shadow passwords. - A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for system use and should not be assigned to users.
- A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000 are reserved for system use and should not be assigned to users.
- The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.
- The home directory for
juan
is set to/home/juan/
. - The default shell is set to
/bin/bash
.
- A new line for
juan
is created in/etc/shadow
:juan:!!:14798:0:99999:7:::
The line has the following characteristics:- It begins with the user name
juan
. - Two exclamation marks (
!!
) appear in the password field of the/etc/shadow
file, which locks the account.Note
If an encrypted password is passed using the-p
flag, it is placed in the/etc/shadow
file on the new line for the user. - The password is set to never expire.
- A new line for a group named
juan
is created in/etc/group
:juan:x:1001:
A group with the same name as a user is called a user private group. For more information on user private groups, see Section 4.1.1, “User Private Groups”.The line created in/etc/group
has the following characteristics:- It begins with the group name
juan
. - An
x
appears in the password field indicating that the system is using shadow group passwords. - The GID matches the one listed for
juan
's primary group in/etc/passwd
.
- A new line for a group named
juan
is created in/etc/gshadow
:juan:!::
The line has the following characteristics:- It begins with the group name
juan
. - An exclamation mark (
!
) appears in the password field of the/etc/gshadow
file, which locks the group. - All other fields are blank.
- A directory for user
juan
is created in the/home
directory:~]#
ls -ld /home/juan
drwx------. 4 juan juan 4096 Mar 3 18:23 /home/juanThis directory is owned by userjuan
and groupjuan
. It has read, write, and execute privileges only for the userjuan
. All other permissions are denied. - The files within the
/etc/skel/
directory (which contain default user settings) are copied into the new/home/juan/
directory:~]#
ls -la /home/juan
total 28 drwx------. 4 juan juan 4096 Mar 3 18:23 . drwxr-xr-x. 5 root root 4096 Mar 3 18:23 .. -rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout -rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile -rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
juan
exists on the system. To activate it, the administrator must next assign a password to the account using the passwd
command and, optionally, set password aging guidelines (see the Password Security section in the Red Hat Enterprise Linux 7 Security Guide for details).
4.3.2. Adding a New Group
root
:
groupadd
[options] group_name
Table 4.3. Common groupadd command-line options
Option | Description |
---|---|
-f , --force | When used with -g gid and gid already exists, groupadd will choose another unique gid for the group. |
-g gid | Group ID for the group, which must be unique and greater than 999. |
-K , --key key=value | Override /etc/login.defs defaults. |
-o , --non-unique | Allows creating groups with duplicate GID. |
-p , --password password | Use this encrypted password for the new group. |
-r | Create a system group with a GID less than 1000. |
4.3.3. Adding an Existing User to an Existing Group
usermod
utility to add an already existing user to an already existing group.
usermod
have different impact on user's primary group and on his or her supplementary groups.
root
:
~]# usermod -g
group_name user_name
root
:
~]# usermod -G
group_name1,group_name2,... user_name
root
:
~]# usermod -aG
group_name1,group_name2,... user_name
~]# usermod --append -G
group_name1,group_name2,... user_name
4.3.4. Creating Group Directories
/opt/myproject/
directory. Some people are trusted to modify the contents of this directory, but not everyone.
- As
root
, create the/opt/myproject/
directory by typing the following at a shell prompt:mkdir /opt/myproject
- Add the
myproject
group to the system:groupadd myproject
- Associate the contents of the
/opt/myproject/
directory with themyproject
group:chown root:myproject /opt/myproject
- Allow users in the group to create files within the directory and set the setgid bit:
chmod 2775 /opt/myproject
At this point, all members of themyproject
group can create and edit files in the/opt/myproject/
directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:~]#
ls -ld /opt/myproject
drwxrwsr-x. 3 root myproject 4096 Mar 3 18:31 /opt/myproject - Add users to the
myproject
group:usermod -aG myproject username
4.3.5. Setting Default Permissions for New Files Using umask
-rw-rw-r--
. These initial permissions are partially defined by the file mode creation mask, also called file permission mask or umask. Every process has its own umask, for example, bash has umask 0022
by default. Process umask can be changed.
What umask consists of
0137
, the digits mean that:
0
= no meaning, it is always0
(umask does not affect special bits)1
= for owner permissions, the execute bit is set3
= for group permissions, the execute and write bits are set7
= for others permissions, the execute, write, and read bits are set
0137
equals symbolic representation u=rw-,g=r--,o=---
. Symbolic notation specification is the reverse of the octal notation specification: it shows the allowed permissions, not the prohibited permissions.
How umask works
- When a bit is set in umask, it is unset in the file.
- When a bit is not set in umask, it can be set in the file, depending on other factors.
0137
affects creating a new file.

Figure 4.3. Applying umask when creating a file
Important
0000
, which does not prohibit any permissions, a new regular file still does not have execute permissions. However, directories can be created with execute permissions:
[john@server tmp]$ umask 0000 [john@server tmp]$ touch file [john@server tmp]$ mkdir directory [john@server tmp]$ ls -lh . total 0 drwxrwxrwx. 2 john john 40 Nov 2 13:17 directory -rw-rw-rw-. 1 john john 0 Nov 2 13:17 file
4.3.5.1. Managing umask in Shells
bash
, ksh
, zsh
and tcsh
, umask is managed using the umask
shell builtin
. Processes started from shell inherit its umask.
Displaying the current mask
~]$ umask
0022
~]$ umask -S
u=rwx,g=rx,o=rx
Setting mask in shell using umask
~]$ umask octal_mask
0
to 7
. When three or less digits are provided, permissions are set as if the command contained leading zeros. For example, umask 7
translates to 0007
.
Example 4.1. Setting umask Using Octal Notation
~]$ umask 0337
~]$ umask 337
~]$ umask -S symbolic_mask
Example 4.2. Setting umask Using Symbolic Notation
0337
using symbolic notation:
~]$ umask -S u=r,g=r,o=
Working with the default shell umask
bash
, it is /etc/bashrc
. To show the default bash
umask:
~]$ grep -i -B 1 umask /etc/bashrc
umask
command or the UMASK
variable. In the following example, umask is set to 022
using the umask
command:
~]$ grep -i -B 1 umask /etc/bashrc
# By default, we want umask to get set. This sets it for non-login shell.
--
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 022
bash
, change the umask
command call or the UMASK
variable assignment in /etc/bashrc
. This example changes the default umask to 0227
:
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
umask 002
else
umask 227
Working with the default shell umask
of a specific user
bash
umask of a new user defaults to the one defined in /etc/bashrc
.
bash
umaskfor a particular user, add a call to the umask
command in $HOME/.bashrc
file of that user. For example, to change bash
umask of user john
to 0227
:
john@server ~]$ echo 'umask 227' >> /home/john/.bashrc
Setting default permissions for newly created home directories
UMASK
variable in the /etc/login.defs
file:
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.