Chapter 4. Managing user and group accounts

The control of users and groups is a core element of Red Hat Enterprise Linux (RHEL) system administration. The following sections describe how to:

4.1. Introduction to users and groups

Each RHEL user has distinct login credentials and can be assigned to various groups to customize their system privileges.

A user who creates a file is the owner of that file, and the file's group owner is the user's current primary group. The file is assigned separate read, write, and execute permissions for the owner, the group, and those outside that group. The file owner can be changed only by the root user. Access permissions to the file can be changed by both the root user and the file owner. A regular user can change group ownership of a file they own only to a group of which they are a member.

Each user is associated with a unique numerical identification number called user ID (UID). Each group is associated with a group ID (GID). Users within a group share the same permissions to read, write, and execute files owned by that group.

4.2. Configuring reserved user and group IDs

RHEL reserves user and group IDs below 1000 for system users and groups. You can find the reserved user and group IDs in the setup package. To view reserved user and group IDs, use:

cat /usr/share/doc/setup*/uidgid

It is recommended to assign IDs to the new users and groups starting at 5000, as the reserved range can increase in the future.

To make the IDs assigned to new users start at 5000 by default, modify the UID_MIN and GID_MIN parameters in the /etc/login.defs file.

Procedure

To make the IDs assigned to new users and groups start at 5000 by default, use:

  1. Open the /etc/login.defs file in an editor of your choice.
  2. Find the lines that define the minimum value for automatic UID selection.

    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                  1000
  3. Modify the UID_MIN value to start at 5000.

    # Min/max values for automatic uid selection in useradd
    #
    UID_MIN                  5000
  4. Find the lines that define the minimum value for automatic GID selection.

    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                  1000
  5. Modify the GID_MIN value to start at 5000.

    # Min/max values for automatic gid selection in groupadd
    #
    GID_MIN                  5000

Note that for users and groups created before you changed the UID_MIN and GID_MIN values, UIDs and GIDs still start at the default 1000.

Warning

Do not raise IDs reserved by the system above 1000 by changing SYS_UID_MAX to avoid conflict with systems that retain the 1000 limit.
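The following is an added example and not part of the Red Hat documentation. It shows how to check a host's existing accounts against the UID policy described above. It parses constructed excerpts of /etc/login.defs and /etc/passwd (the sample content and the helper names login_defs_value and audit_uids are this example's own assumptions) and reports three things an auditor looks for: any account other than root with UID 0, two accounts sharing one UID, and regular accounts created in the 1000-4999 range before UID_MIN was raised.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Audits passwd content
# against the UID_MIN value from login.defs. Both inputs are constructed.

SAMPLE_LOGIN_DEFS='# Min/max values for automatic uid selection in useradd
#
UID_MIN                  5000
UID_MAX                 60000
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  5000
GID_MAX                 60000'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
cockpit-ws:x:982:982:User for cockpit web service:/nonexisting:/sbin/nologin
legacy:x:1001:1001:created before UID_MIN was raised:/home/legacy:/bin/bash
backup:x:0:0:misconfigured second UID 0 account:/home/backup:/bin/bash
sarah:x:5000:5000::/home/sarah:/bin/bash'

# login_defs_value CONTENT KEY DEFAULT
# Prints the last uncommented value of KEY in login.defs content, or DEFAULT
# when the key is not set (useradd itself falls back to 1000 for UID_MIN).
login_defs_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        $1 == key { v = $2 }
        END { print (v == "" ? def : v) }'
}

# audit_uids PASSWD_CONTENT UID_MIN
# One finding per line:
#   UID0 <name>             a second account with UID 0 is root under another name
#   DUP <uid> <name>        two accounts share one UID and therefore one identity
#   BELOW_MIN <uid> <name>  a regular account that predates the raised UID_MIN
audit_uids() {
    printf '%s\n' "$1" | awk -F: -v uid_min="$2" '
        $3 == 0 && $1 != "root"    { print "UID0", $1 }
        seen[$3]++                 { print "DUP", $3, $1 }
        $3 >= 1000 && $3 < uid_min { print "BELOW_MIN", $3, $1 }'
}

# Run against the constructed sample. On a real host replace the two samples
# with "$(cat /etc/login.defs)" and "$(cat /etc/passwd)".
uid_min="$(login_defs_value "$SAMPLE_LOGIN_DEFS" UID_MIN 1000)"
audit_uids "$SAMPLE_PASSWD" "$uid_min"
```

On the sample input the script reports the second UID 0 account, the duplicate UID, and the pre-existing account at UID 1001; the last category is exactly what the note above about accounts created before the change refers to, and those accounts keep their old UIDs until you renumber them deliberately.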

4.3. User private groups

RHEL uses the user private group (UPG) system configuration, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. The user private group has the same name as the user for which it was created and that user is the only member of the user private group.

UPGs simplify collaboration on a project between multiple users. In addition, the UPG system configuration makes it safe to use a group-writable default umask of 002 for newly created files and directories (RHEL's /etc/profile selects 002 for regular users whose user name matches their primary group name, and 022 otherwise), because the only member of the group that receives write access is the user. Sharing with a project group is then done through a dedicated group directory rather than through a permissive umask.

A list of all groups is stored in the /etc/group configuration file.

4.4. Managing user accounts with the web console

The RHEL web console enables you to execute a wide range of administrative tasks without accessing your terminal directly. The RHEL 8 web console offers a graphical interface for adding, editing, and removing system user accounts. The following section describes how to:

  • Get started with the RHEL web console.
  • Manage user accounts in the web console.

4.4.1. Getting started using the RHEL web console

The following sections aim to help you install the web console in Red Hat Enterprise Linux 8 and open the web console in your browser. You will also learn how to add remote hosts and monitor them in the RHEL 8 web console.

4.4.1.1. What is the RHEL web console

The RHEL web console is a Red Hat Enterprise Linux 8 web-based interface designed for managing and monitoring your local system, as well as Linux servers located in your network environment.

The RHEL web console enables you to perform a wide range of administration tasks, including:

  • Managing services
  • Managing user accounts
  • Managing and monitoring system services
  • Configuring network interfaces and firewall
  • Reviewing system logs
  • Managing virtual machines
  • Creating diagnostic reports
  • Setting kernel dump configuration
  • Configuring SELinux
  • Updating software
  • Managing system subscriptions

The RHEL web console uses the same system APIs as you would in a terminal, and actions performed in a terminal are immediately reflected in the RHEL web console.

You can monitor the logs of systems in the network environment, as well as their performance, displayed as graphs. In addition, you can change the settings directly in the web console or through the terminal.

4.4.1.2. Installing the web console

Red Hat Enterprise Linux 8 includes the RHEL 8 web console installed by default in many installation variants.

If this is not the case on your system, install the cockpit package and set up the cockpit.socket service to enable the RHEL 8 web console.

Procedure

  1. Install the cockpit package:

    # yum install cockpit
  2. Enable and start the cockpit.socket service, which runs a web server:

    # systemctl enable --now cockpit.socket
  3. If you are using a custom firewall profile, add the cockpit service to firewalld to open port 9090 in the firewall:

    # firewall-cmd --add-service=cockpit --permanent
    # firewall-cmd --reload

Verification steps

  1. To verify the installation and configuration, open the web console in a browser as described in the next section.

4.4.1.3. Logging in to the web console

Use the steps in this procedure for the first login to the RHEL web console using a system user name and password.

Prerequisites

  • Use one of the following browsers for opening the web console:

    • Mozilla Firefox 52 and later
    • Google Chrome 57 and later
    • Microsoft Edge 16 and later
  • System user account credentials

    The RHEL web console uses a specific PAM stack located at /etc/pam.d/cockpit. Authentication with PAM allows you to log in with the user name and password of any local account on the system.

Procedure

  1. Open the web console in your web browser:

    • Locally: https://localhost:9090
    • Remotely with the server’s hostname: https://example.com:9090
    • Remotely with the server’s IP address: https://192.0.2.2:9090

      If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

      The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

  2. In the login screen, enter your system user name and password.

  3. Optionally, click the Reuse my password for privileged tasks option.

    If the user account you are using to log in has sudo privileges, this makes it possible to perform privileged tasks in the web console, such as installing software or configuring SELinux.

  4. Click Log In.

After successful authentication, the RHEL web console interface opens.

4.4.1.4. Connecting to the web console from a remote machine

It is possible to connect to your web console interface from any client operating system and also from mobile phones or tablets. The following procedure shows how to do it.

Prerequisites

  • Device with a supported internet browser, such as:

    • Mozilla Firefox 52 and later
    • Google Chrome 57 and later
    • Microsoft Edge 16 and later
  • RHEL 8 server you want to access with an installed and accessible web console. For more information about the installation of the web console see Installing the web console.

Procedure

  1. Open your web browser.
  2. Type the remote server’s address in one of the following formats:

    1. With the server’s host name: server.hostname.example.com:port_number
    2. With the server’s IP address: server.IP_address:port_number
  3. After the login interface opens, log in with your RHEL machine credentials.

4.4.1.5. Logging in to the web console using a one-time password

Complete this procedure to login into the RHEL web console using a one-time password (OTP).

Important

It is possible to log in using a one-time password only if your system is part of an Identity Management (IdM) domain with enabled OTP configuration. For more information about OTP in IdM, see One-time password in Identity Management.

Prerequisites

  • The RHEL web console has been installed.

    For details, see Installing the web console.

  • An Identity Management server with enabled OTP configuration.
  • A configured hardware or software device generating OTP tokens.

Procedure

  1. Open the RHEL web console in your browser:

    • Locally: https://localhost:PORT_NUMBER
    • Remotely with the server hostname: https://example.com:PORT_NUMBER
    • Remotely with the server IP address: https://EXAMPLE.SERVER.IP.ADDR:PORT_NUMBER

      If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

      The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

  2. The Login window opens. In the Login window, enter your system user name and password.
  3. Generate a one-time password on your device.
  4. Enter the one-time password into a new field that appears in the web console interface after you confirm your password.
  5. Click Log in.
  6. Successful login takes you to the Overview page of the web console interface.

4.4.2. Managing user accounts in the web console

The RHEL web console offers an interface for adding, editing, and removing system user accounts. After reading this section, you will know:

  • Where the existing accounts come from.
  • How to add new accounts.
  • How to set password expiration.
  • How and when to terminate user sessions.

4.4.2.1. System user accounts managed in the web console

With user accounts displayed in the RHEL web console you can:

  • Authenticate users when accessing the system.
  • Set their access rights to the system.

The RHEL web console displays all user accounts located in the system. Therefore, you can see at least one user account just after the first login to the web console.

After logging into the RHEL web console, you can perform the following operations:

  • Create new users accounts.
  • Change their parameters.
  • Lock accounts.
  • Terminate user sessions.

4.4.2.2. Adding new accounts using the web console

Use the following steps for adding user accounts to the system and setting administration rights to the accounts through the RHEL web console.

Procedure

  1. Log in to the RHEL web console.
  2. Click Accounts.
  3. Click Create New Account.

  4. In the Full Name field, enter the full name of the user.

    The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

  5. In the Password/Confirm fields, enter the password and retype it to confirm it. The color bar below the fields shows the strength of the entered password; the web console does not allow you to create a user with a weak password.

  6. Click Create to save the settings and close the dialog box.
  7. Select the newly created account.
  8. Select Server Administrator in the Roles item.

Now you can see the new account in the Accounts settings and you can use the credentials to connect to the system.

4.4.2.3. Enforcing password expiration in the web console

By default, passwords of user accounts never expire. To enforce password expiration, as administrator, set system passwords to expire after a defined number of days.

When the password expires, the next login attempt prompts for a password change.

Procedure

  1. Log in to the RHEL 8 web console interface.
  2. Click Accounts.
  3. Select the user account for which to enforce password expiration.
  4. In the user account settings, click Never expire password.
  5. In the Password Expiration dialog box, select Require password change every …​ days and enter a positive whole number representing the number of days when the password expires.

  6. Click Change.

To verify the settings, open the account settings. The RHEL 8 web console displays a link with the date of expiration.

4.4.2.4. Terminating user sessions in the web console

A user session is created each time the user logs in to the system. Terminating user sessions means logging the user out of the system.

It can be helpful if you need to perform administrative tasks sensitive to configuration changes, for example, system upgrades.

In each user account in the RHEL 8 web console, you can terminate all sessions for the account except for the web console session you are currently using. This prevents you from cutting yourself off the system.

Procedure

  1. Log in to the RHEL 8 web console.
  2. Click Accounts.
  3. Click the user account for which you want to terminate the session.
  4. Click the Terminate Session button.

    If the Terminate Session button is inactive, the user is not logged in to the system.

The RHEL web console terminates the sessions.

4.5. Managing users from the command line

You can manage users and groups using the command-line interface (CLI).

The following sections describe how to use the CLI to:

Prerequisites

  • Root access.

4.5.1. Adding a new user from the command line

This section describes how to use the useradd command to add a new user.

Procedure

  • To add a new user, use:

    # useradd options username

    Replace options with the command-line options for the useradd command, and replace username with the name of the user.

Example

  • To add the user sarah with user ID 5000, use:

    # useradd -u 5000 sarah

Verification steps

  • To verify the new user is added, use the id utility.

    # id sarah

    The output returns:

    uid=5000(sarah) gid=5000(sarah) groups=5000(sarah)

Additional resources

  • For more information about useradd, see the useradd man page.

4.5.2. Adding a new group from the command line

This section describes how to use the groupadd command to add a new group.

Procedure

  • To add a new group, use:

    # groupadd options group-name

    Replace options with the command-line options for the groupadd command, and replace group-name with the name of the group.

Example

  • To add the group sysadmins with group ID 5000, use:

    # groupadd -g 5000 sysadmins

Verification steps

  • To verify the new group is added, use the tail utility.

    # tail /etc/group

    The output returns:

    sysadmins:x:5000:

Additional resources

  • For more information about groupadd, see the groupadd man page.

4.5.3. Adding a user to a group from the command line

This section describes how to use the usermod command to add a group to the supplementary groups of the user.

Procedure

  • To add a group to the supplementary groups of the user, use:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

Example

  • To add the user sysadmin to the group system-administrators, use:

    # usermod --append -G system-administrators sysadmin

Verification steps

  • To verify the new group is added to the supplementary groups of the user sysadmin, use:

    # groups sysadmin

    The output returns:

    sysadmin : sysadmin system-administrators

4.5.4. Removing a user from a group from the command line

You can remove a user from a primary or supplementary group by overriding the groups the user belongs to with a new set of groups that does not contain the group you want to remove the user from. Note that usermod -G replaces the entire list of supplementary groups: check the user's current groups with id first and pass every group that should remain, because any group you omit is removed as well. To remove a single supplementary group without touching the others, you can alternatively use gpasswd -d username group-name. The following section describes how to:

  • Override the primary group of the user.
  • Override the supplementary groups of the user.

4.5.4.1. Overriding the primary group of the user

This section describes how to use the usermod command to override the primary group of the user.

Procedure

  • To override the primary group of the user, use:

    # usermod -g group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

Example

  • If the user sarah belongs to the primary group sarah1 and you want to change the primary group of the user to sarah2, use:

    # usermod -g sarah2 sarah

Verification steps

  • To verify that the primary group of the user is overridden, use:

    # groups sarah

    The output returns:

    sarah : sarah2

4.5.4.2. Overriding the supplementary groups of the user

This section describes how to use the usermod command to override the supplementary groups of the user.

Procedure

  • To override the supplementary groups of the user, use:

    # usermod -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

Example

  • If the user sarah belongs to the system-administrator group and to the developer group and you want to remove the user sarah from the system-administrator group, you can do that by replacing the old list of groups with a new one. To do that, use:

    # usermod -G developer sarah

Verification steps

  • To verify that the supplementary groups of the user are overridden, use:

    # groups sarah

    The output returns:

    sarah : sarah developer
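Because usermod -G replaces the whole supplementary group list, the step most often done wrong in the procedures in 4.5.3 and 4.5.4 is dropping one group while forgetting the others. The following is an added example, not part of the Red Hat documentation, that derives the new -G argument from the user's current groups. It takes the output of id -nG as a parameter so it can be exercised on constructed input; the helper names and the sample group list are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Builds the argument for
# `usermod -G` from the user's current groups so that removing one
# supplementary group never silently removes the others. On a real host pass
# "$(id -nG sarah)" as the first argument.

# new_supplementary_list ID_NG_OUTPUT GROUP_TO_DROP
# `id -nG` prints the primary group first, then the supplementary groups.
# Prints the supplementary groups minus GROUP_TO_DROP, comma separated, which
# is exactly what `usermod -G` expects. An empty result is still valid:
# `usermod -G "" user` removes all supplementary groups.
new_supplementary_list() {
    drop="$2"
    set -- $1            # deliberately unquoted: split the group list into words
    primary="$1"
    shift
    list=""
    for g in "$@"; do
        [ "$g" = "$drop" ] && continue
        [ "$g" = "$primary" ] && continue    # -G lists supplementary groups only
        list="${list:+$list,}$g"
    done
    printf '%s\n' "$list"
}

# usermod_drop_group_cmd ID_NG_OUTPUT USER GROUP_TO_DROP
# Prints the usermod command to run as root instead of running it, so the
# resulting group list can be reviewed before it is applied.
usermod_drop_group_cmd() {
    printf 'usermod -G "%s" %s\n' "$(new_supplementary_list "$1" "$3")" "$2"
}

# Constructed `id -nG sarah` output: primary group sarah, then the
# supplementary groups (the primary group may be repeated by id).
SAMPLE_ID_NG='sarah sarah system-administrator developer wheel'
usermod_drop_group_cmd "$SAMPLE_ID_NG" sarah system-administrator
```

For the sample input the printed command is usermod -G "developer,wheel" sarah; note that wheel survives, which a hand-typed usermod -G developer sarah would have dropped, silently revoking sudo access for that user.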

4.5.5. Creating a group directory

Under the UPG system configuration, you can apply the set-group identification permission (setgid bit) to a directory. The setgid bit makes managing group projects that share a directory simpler. When you apply the setgid bit to a directory, files created within that directory are automatically assigned to the group that owns the directory instead of the creator's primary group. Any member of that group who has write and execute permission on the directory can then create, modify, and delete files in it.

The following section describes how to create group directories.

Procedure

  1. Create a directory:

    # mkdir directory-name

    Replace directory-name with the name of the directory.

  2. Create a group:

    # groupadd group-name

    Replace group-name with the name of the group.

  3. Add users to the group:

    # usermod --append -G group-name username

    Replace group-name with the name of the group, and replace username with the name of the user.

  4. Set the group ownership of the directory to the group-name group:

    # chown :group-name directory-name

    Replace group-name with the name of the group, and replace directory-name with the name of the directory.

  5. Set the write permissions to allow the users to create and modify files and directories and set the setgid bit to make this permission be applied within the directory-name directory:

    # chmod g+rwxs directory-name

    Replace directory-name with the name of the directory.

    Now all members of the group-name group can create and edit files in the directory-name directory. Newly created files retain the group ownership of group-name group.

Verification steps

  • To verify the correctness of set permissions, use:

    # ls -ld directory-name

    Replace directory-name with the name of the directory.

    The output returns:

    drwxrwsr-x. 2 root group-name 6 Nov 25 08:45 directory-name
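The following is an added example, not part of the Red Hat documentation, that turns the verification step above into a repeatable check: it reads the mode string from ls -ld, reports whether the group can write and whether the setgid bit is set, and confirms that a file created inside inherits the directory's group. It runs on a throwaway directory owned by the current user, so no root access or extra group is needed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Verifies the permissions
# a shared group directory must carry and that new files inherit its group.

# group_dir_status DIR
# Reads the first 10 characters of `ls -ld` output (so a trailing SELinux "."
# or ACL "+" marker is ignored) and prints one of:
#   ok                  group has rwx and the setgid bit is set
#   missing-setgid      group can write, but new files get the creator's group
#   group-not-writable  members of the group cannot create files at all
group_dir_status() {
    mode="$(ls -ld "$1" | cut -c1-10)"
    case "$mode" in
        d*) ;;
        *) printf 'not-a-directory\n'; return 1 ;;
    esac
    gwrite="$(printf '%s' "$mode" | cut -c6)"
    gexec="$(printf '%s' "$mode" | cut -c7)"    # "s" means execute plus setgid
    if [ "$gwrite" != "w" ]; then
        printf 'group-not-writable\n'
    elif [ "$gexec" != "s" ]; then
        printf 'missing-setgid\n'
    else
        printf 'ok\n'
    fi
}

# owning_group PATH
# Prints the group name shown by `ls -ld` for PATH.
owning_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Demonstration on a temporary directory. Its group is the current user's
# primary group, so the inheritance check is trivially true here; on a real
# host run `chown :group-name directory-name` first as in the procedure.
demo_dir="$(mktemp -d)"
chmod g+rwxs "$demo_dir"
group_dir_status "$demo_dir"          # prints: ok
touch "$demo_dir/newfile"
[ "$(owning_group "$demo_dir/newfile")" = "$(owning_group "$demo_dir")" ] && echo "group inherited"
rm -rf "$demo_dir"
```

The example output in the procedure, drwxrwsr-x, also grants read and execute to everyone else; if the project data is not meant to be world-readable, follow the chmod g+rwxs with chmod o-rwx directory-name.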

4.6. Managing sudo access

System administrators can grant sudo access to allow non-root users to execute administrative commands. The sudo command provides users with administrative access without using the password of the root user.

When users need to perform an administrative command, they can precede that command with sudo. The command is then executed as if they were the root user.

Be aware of the following limitations:

  • Only users that the /etc/sudoers configuration file (or a file under /etc/sudoers.d) allows, either by name or through a group such as wheel, can use the sudo command.
  • sudo runs the given command with elevated privileges and then returns to the user's own shell; it does not open an interactive root shell unless you explicitly request one with sudo -i or sudo -s.

The following section describes how to grant sudo access to a user.

4.6.1. Granting sudo access to a user

A non-root user requires sudo access to perform administrative commands. The following section describes how to grant sudo access to a user.

Prerequisites

  • Root access.

Procedure

  1. Open the /etc/sudoers file.

    # visudo

    The /etc/sudoers file defines the policies applied by the sudo command.

  2. In the /etc/sudoers file find the lines that grant sudo access to users in the administrative wheel group.

    ## Allows people in group wheel to run all commands
    %wheel        ALL=(ALL)       ALL
  3. Make sure the line that starts with %wheel does not have # comment character before it.
  4. Save any changes, and exit the editor.
  5. Add the users you want to grant sudo access to into the administrative wheel group.

     # usermod --append -G wheel username

    Replace username with the name of the user.

Example

  • To add the user sarah to the administrative wheel group, use:

     # usermod --append -G wheel sarah

Verification steps

  • To verify the user is added to the administrative wheel group, use the id utility.

    # id sarah

    The output returns:

    uid=5000(sarah) gid=5000(sarah) groups=5000(sarah),10(wheel)
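Before adding a user to wheel it is worth confirming what that membership actually grants, because the commented-out NOPASSWD line in the default file is one character away from making wheel membership equivalent to an unlocked root account. The following is an added example, not part of the Red Hat documentation: it reads sudoers content and classifies the active wheel rule. The three excerpts are constructed, and the function name is this example's own; on a real host feed it "$(cat /etc/sudoers)" after a syntax check with visudo -c.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation). Reports what membership
# of the wheel group grants according to sudoers content.

SAMPLE_SUDOERS_DEFAULT='## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

SAMPLE_SUDOERS_NOPASSWD='# %wheel        ALL=(ALL)       ALL
   %wheel        ALL=(ALL)       NOPASSWD: ALL'

SAMPLE_SUDOERS_DISABLED='# %wheel        ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
sarah   ALL=(ALL)       ALL'

# wheel_policy SUDOERS_CONTENT
# Prints one of:
#   disabled  no active %wheel rule; adding a user to wheel grants nothing
#   password  wheel members run any command after entering their own password
#   nopasswd  wheel members run any command with no password at all, so wheel
#             membership is equivalent to an unlocked root account
# Lines starting with "#" are treated as comments; the "#include" and
# "#includedir" directives of sudoers are not followed by this simple check,
# so rules in /etc/sudoers.d must be checked separately.
wheel_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "%wheel" {
            found = 1
            if ($0 ~ /NOPASSWD:/) nopw = 1
        }
        END {
            if (!found)    print "disabled"
            else if (nopw) print "nopasswd"
            else           print "password"
        }'
}

wheel_policy "$SAMPLE_SUDOERS_DEFAULT"    # prints: password
```

The authoritative answer for one specific user comes from sudo itself: sudo -l -U sarah, run as root, lists every rule that applies to sarah including rules from /etc/sudoers.d, and is the right final check after the usermod above.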

4.7. Changing and resetting the root password

If the existing root password is no longer satisfactory or is forgotten, you can change or reset it both as the root user and a non-root user.

This following sections describe how to:

  • Change the root password as the root user.
  • Change or reset the forgotten root password as a non-root user.
  • Reset the forgotten root password on boot.

4.7.1. Changing the root password as the root user

This section describes how to use the passwd command to change the root password as the root user.

Prerequisites

  • Root access.

Procedure

  • To change the root password, use:

    # passwd

    You are prompted to enter your current password before you can change it.

4.7.2. Changing or resetting the forgotten root password as a non-root user

This section describes how to use the passwd command to change or reset the forgotten root password as a non-root user.

Prerequisites

  • You are able to log in as a non-root user.
  • You are a member of the administrative wheel group.

Procedure

  • To change or reset the root password as a non-root user that belongs to the wheel group, use:

    $ sudo passwd root

    sudo prompts you for your own (non-root) password before you can change the root password.

4.7.3. Resetting the forgotten root password on boot

If you are unable to log in as a non-root user or do not belong to the administrative wheel group, you can reset the root password on boot by switching into a specialized chroot jail environment. Keep in mind that anyone with console access to the machine can follow the same procedure, so where physical or virtual console access cannot be controlled, protect the boot loader with a GRUB 2 password and use disk encryption.

Procedure

  1. Reboot the system and, on the GRUB 2 boot screen, press the e key to interrupt the boot process.

    The kernel boot parameters appear.

    load_video
    set gfx_payload=keep
    insmod gzio
    linux ($root)/vmlinuz-4.18.0-80.el8.x86_64 root=/dev/mapper/rhel-root ro crash\
    kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet
    initrd ($root)/initramfs-4.18.0-80.el8.x86_64.img $tuned_initrd
  2. Go to the end of the line that starts with linux.

    linux ($root)/vmlinuz-4.18.0-80.el8.x86_64 root=/dev/mapper/rhel-root ro crash\
    kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet

    Press Ctrl+e to jump to the end of the line.

  3. Add rd.break to the end of the line that starts with linux.

    linux ($root)/vmlinuz-4.18.0-80.el8.x86_64 root=/dev/mapper/rhel-root ro crash\
    kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/swap rhgb quiet rd.break
  4. Press Ctrl+x to start the system with the changed parameters.

    The switch_root prompt appears.

  5. Remount the file system as writable:

    mount -o remount,rw /sysroot

    The file system is mounted as read-only in the /sysroot directory. Remounting the file system as writable allows you to change the password.

  6. Enter the chroot environment:

    chroot /sysroot

    The sh-4.4# prompt appears.

  7. Reset the root password:

    passwd

    Follow the instructions displayed by the command line to finalize the change of the root password.

  8. Enable the SELinux relabeling process on the next system boot:

    touch /.autorelabel

    The passwd command rewrote /etc/shadow while no SELinux policy was loaded, so the file lacks a correct security context. Relabeling on the next boot restores it; without this step the system may refuse logins once SELinux is enforcing again.
  9. Exit the chroot environment:

    exit
  10. Exit the switch_root prompt:

    exit
  11. Wait until the SELinux relabeling process is finished. Note that relabeling a large disk might take a long time. The system reboots automatically when the process is complete.