4.3. Using Command-Line Tools

Apart from the Users settings tool described in Section 4.2, “Managing Users in a Graphical Environment”, which is designed for basic managing of users, you can use command line tools for managing users and groups that are listed in Table 4.1, “Command line utilities for managing users and groups”.

Table 4.1. Command line utilities for managing users and groups

Utilities Description
id Displays user and group IDs.
useradd, usermod, userdel Standard utilities for adding, modifying, and deleting user accounts.
groupadd, groupmod, groupdel Standard utilities for adding, modifying, and deleting groups.
gpasswd Utility primarily used for modification of group password in the /etc/gshadow file which is used by the newgrp command.
pwck, grpck Utilities that can be used for verification of the password, group, and associated shadow files.
pwconv, pwunconv Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords.
grpconv, grpunconv Similar to the previous, these utilities can be used for conversion of shadowed information for group accounts.

4.3.1. Adding a New User

To add a new user to the system, type the following at a shell prompt as root: 
useradd [options] username
…where options are command-line options as described in Table 4.2, “Common useradd command-line options”.
By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password: 
passwd username
Optionally, you can set a password aging policy. See the Password Security section in the Red Hat Enterprise Linux 7 Security Guide.

Table 4.2. Common useradd command-line options

Option
-c 'comment' comment can be replaced with any string. This option is generally used to specify the full name of a user.
-d home_directory Home directory to be used instead of default /home/username/.
-e date Date for the account to be disabled in the format YYYY-MM-DD.
-f days Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.
-g group_name Group name or group number for the user's default (primary) group. The group must exist prior to being specified here.
-G group_list List of additional (supplementary, other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
-m Create the home directory if it does not exist.
-M Do not create the home directory.
-N Do not create a user private group for the user.
-p password The password encrypted with crypt.
-r Create a system account with a UID less than 1000 and without a home directory.
-s User's login shell, which defaults to /bin/bash.
-u uid User ID for the user, which must be unique and greater than 999.

Important

The default range of IDs for system and normal users has been changed in Red Hat Enterprise Linux 7 from earlier releases. Previously, UID 1-499 was used for system users and values above for normal users. The default range for system users is now 1-999. This change might cause problems when migrating to Red Hat Enterprise Linux 7 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID can be changed in the /etc/login.defs file.

Explaining the Process

The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
  1. A new line for juan is created in /etc/passwd: 
    juan:x:1001:1001::/home/juan:/bin/bash
    The line has the following characteristics:
    • It begins with the user name juan.
    • There is an x for the password field indicating that the system is using shadow passwords.
    • A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000 are reserved for system use and should not be assigned to users.
    • A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000 are reserved for system use and should not be assigned to users.
    • The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.
    • The home directory for juan is set to /home/juan/.
    • The default shell is set to /bin/bash.
  2. A new line for juan is created in /etc/shadow: 
    juan:!!:14798:0:99999:7:::
    The line has the following characteristics:
    • It begins with the user name juan.
    • Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account.

      Note

      If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.
    • The password is set to never expire.
  3. A new line for a group named juan is created in /etc/group: 
    juan:x:1001:
    A group with the same name as a user is called a user private group. For more information on user private groups, see Section 4.1.1, “User Private Groups”.
    The line created in /etc/group has the following characteristics:
    • It begins with the group name juan.
    • An x appears in the password field indicating that the system is using shadow group passwords.
    • The GID matches the one listed for juan's primary group in /etc/passwd.
  4. A new line for a group named juan is created in /etc/gshadow: 
    juan:!::
    The line has the following characteristics:
    • It begins with the group name juan.
    • An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group.
    • All other fields are blank.
  5. A directory for user juan is created in the /home directory: 
    ~]# ls -ld /home/juan
drwx------. 4 juan juan 4096 Mar  3 18:23 /home/juan
    This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied.
  6. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory: 
    ~]# ls -la /home/juan
total 28
drwx------. 4 juan juan 4096 Mar  3 18:23 .
drwxr-xr-x. 5 root root 4096 Mar  3 18:23 ..
-rw-r--r--. 1 juan juan   18 Jun 22  2010 .bash_logout
-rw-r--r--. 1 juan juan  176 Jun 22  2010 .bash_profile
-rw-r--r--. 1 juan juan  124 Jun 22  2010 .bashrc
drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines (see the Password Security section in the Red Hat Enterprise Linux 7 Security Guide for details).

4.3.2. Adding a New Group

To add a new group to the system, type the following at a shell prompt as root: 
groupadd [options] group_name
…where options are command-line options as described in Table 4.3, “Common groupadd command-line options”.

Table 4.3. Common groupadd command-line options

Option Description
-f, --force When used with -g gid and gid already exists, groupadd will choose another unique gid for the group.
-g gid Group ID for the group, which must be unique and greater than 999.
-K, --key key=value Override /etc/login.defs defaults.
-o, --non-unique Allows creating groups with duplicate GID.
-p, --password password Use this encrypted password for the new group.
-r Create a system group with a GID less than 1000.

4.3.3. Adding an Existing User to an Existing Group

Use the usermod utility to add an already existing user to an already existing group.
Various options of usermod have different impact on user's primary group and on his or her supplementary groups.
To override user's primary group, run the following command as root: 
~]# usermod -g group_name user_name
To override user's supplementary groups, run the following command as root: 
~]# usermod -G group_name1,group_name2,... user_name
Note that in this case all previous supplementary groups of the user are replaced by the new group or several new groups.
To add one or more groups to user's supplementary groups, run one of the following commands as root: 
~]# usermod -aG group_name1,group_name2,... user_name
~]# usermod --append -G group_name1,group_name2,... user_name
Note that in this case the new group is added to user's current supplementary groups.

4.3.4. Creating Group Directories

System administrators usually like to create a group for each major project and assign people to the group when they need to access that project's files. With this traditional scheme, file management is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group. However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group that owns the directory.
For example, a group of people need to work on files in the /opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone.
  1. As root, create the /opt/myproject/ directory by typing the following at a shell prompt: 
    mkdir /opt/myproject
  2. Add the myproject group to the system: 
    groupadd myproject
  3. Associate the contents of the /opt/myproject/ directory with the myproject group: 
    chown root:myproject /opt/myproject
  4. Allow users in the group to create files within the directory and set the setgid bit: 
    chmod 2775 /opt/myproject
    At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command: 
    ~]# ls -ld /opt/myproject
drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 /opt/myproject
  5. Add users to the myproject group: 
    usermod -aG myproject username

4.3.5. Setting Default Permissions for New Files Using umask

When a process creates a file, the file has certain default permissions, for example, -rw-rw-r--. These initial permissions are partially defined by the file mode creation mask, also called file permission mask or umask. Every process has its own umask, for example, bash has umask 0022 by default. Process umask can be changed.

What umask consists of

A umask consists of bits corresponding to standard file permissions. For example, for umask 0137, the digits mean that:
  • 0 = no meaning, it is always 0 (umask does not affect special bits)
  • 1 = for owner permissions, the execute bit is set
  • 3 = for group permissions, the execute and write bits are set
  • 7 = for others permissions, the execute, write, and read bits are set
Umasks can be represented in binary, octal, or symbolic notation. For example, the octal representation 0137 equals symbolic representation u=rw-,g=r--,o=---. Symbolic notation specification is the reverse of the octal notation specification: it shows the allowed permissions, not the prohibited permissions.

How umask works

Umask prohibits permissions from being set for a file:
  • When a bit is set in umask, it is unset in the file.
  • When a bit is not set in umask, it can be set in the file, depending on other factors.
The following figure shows how umask 0137 affects creating a new file.
Applying umask when creating a file

Figure 4.3. Applying umask when creating a file

Important

For security reasons, a regular file cannot have execute permissions by default. Therefore, even if umask is 0000, which does not prohibit any permissions, a new regular file still does not have execute permissions. However, directories can be created with execute permissions: 
[john@server tmp]$ umask 0000
[john@server tmp]$ touch file
[john@server tmp]$ mkdir directory
[john@server tmp]$ ls -lh .
total 0
drwxrwxrwx. 2 john john 40 Nov  2 13:17 directory
-rw-rw-rw-. 1 john john  0 Nov  2 13:17 file

4.3.5.1. Managing umask in Shells

For popular shells, such as bash, ksh, zsh and tcsh, umask is managed using the umask shell builtin. Processes started from shell inherit its umask.

Displaying the current mask

To show the current umask in octal notation: 
~]$ umask
0022
To show the current umask in symbolic notation: 
~]$ umask -S
u=rwx,g=rx,o=rx

Setting mask in shell using umask

To set umask for the current shell session using octal notation run: 
~]$ umask octal_mask
Substitute octal_mask with four or less digits from 0 to 7. When three or less digits are provided, permissions are set as if the command contained leading zeros. For example, umask 7 translates to 0007.

Example 4.1. Setting umask Using Octal Notation

To prohibit new files from having write and execute permissions for owner and group, and from having any permissions for others: 
~]$ umask 0337
Or simply: 
~]$ umask 337
To set umask for the current shell session using symbolic notation: 
~]$ umask -S symbolic_mask

Example 4.2. Setting umask Using Symbolic Notation

To set umask 0337 using symbolic notation: 
~]$ umask -S u=r,g=r,o=

Working with the default shell umask

Shells usually have a configuration file where their default umask is set. For bash, it is /etc/bashrc. To show the default bash umask: 
~]$ grep -i -B 1 umask /etc/bashrc
The output shows if umask is set, either using the umask command or the UMASK variable. In the following example, umask is set to 022 using the umask command: 
~]$ grep -i -B 1 umask /etc/bashrc
    # By default, we want umask to get set. This sets it for non-login shell.
--
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
    else
       umask 022
To change the default umask for bash, change the umask command call or the UMASK variable assignment in /etc/bashrc. This example changes the default umask to 0227: 
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
    else
       umask 227

Working with the default shell umask of a specific user

By default, bash umask of a new user defaults to the one defined in /etc/bashrc.
To change bash umaskfor a particular user, add a call to the umask command in $HOME/.bashrc file of that user. For example, to change bash umask of user john to 0227: 
john@server ~]$ echo 'umask 227' >> /home/john/.bashrc

Setting default permissions for newly created home directories

To change permissions with which user home directories are created, change the UMASK variable in the /etc/login.defs file: 
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077