Chapter 4. Managing user and group accounts

The control of users and groups is a core element of Red Hat Enterprise Linux system administration. This section explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as creating group directories.

4.1. Introduction to Users and Groups

While users can be either people (meaning accounts tied to physical users) or accounts that exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group share the same permissions to read, write, or execute files owned by that group.

Each user is associated with a unique numerical identification number called a user ID (UID). Likewise, each group is associated with a group ID (GID). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and file owner.

4.2. Reserved user and group IDs

Red Hat Enterprise Linux reserves user and group IDs below 1000 for system users and groups. By default, the User Manager does not display the system users. Reserved user and group IDs are documented in the setup package. To view the documentation, use this command:

cat /usr/share/doc/setup*/uidgid

The recommended practice is to assign IDs starting at 5,000 that were not already reserved, as the reserved range can increase in the future. To make the IDs assigned to new users by default start at 5,000, change the UID_MIN and GID_MIN directives in the /etc/login.defs file:

[file contents truncated]
UID_MIN                  5000
[file contents truncated]
GID_MIN                  5000
[file contents truncated]
Note

For users created before you changed UID_MIN and GID_MIN directives, UIDs will still start at the default 1000.

Even with new user and group IDs beginning with 5,000, it is recommended not to raise IDs reserved by the system above 1000 to avoid conflict with systems that retain the 1000 limit.

4.3. User private groups

Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group.

User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory.

The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX-based systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator’s group, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.

A list of all groups is stored in the /etc/group configuration file.

4.4. Managing users in a graphical environment

The Users utility allows you to view, modify, add, and delete local users in the graphical user interface.

4.4.1. Opening the Users settings tool

To open the Users settings tool, use this procedure.

Procedure

  1. Enter the Activities Overview by pressing the Press the Super key.

    The Super key appears in a variety of options, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Space bar.

  2. Type Users, and press Enter.

Alternatively, you can open the Users utility from the Settings menu after clicking your user name in the top right corner of the screen.

Figure 4.1. The Users Settings Tool

managing users

4.4.2. Modifying user accounts in Users settings tool

This section explain how to make changes to the user accounts using the Users settings tools.

Prerequisites

  • To be able to make changes to the user accounts, first select the Unlock button, and authenticate yourself as indicated by the dialog box that appears.

    Note that unless you have superuser privileges, the application will prompt you to authenticate as root.

4.4.2.1. Adding a user with the Users settings tool

Prerequisites

Procedure

  • To add a user, select the + button.

4.4.2.2. Removing a user with Users settings tool

Prerequisites

Procedure

  • To remove a user, select the - button.

4.4.2.3. Adding a user to the wheel group with the Users settings tool

Prerequisites

Procedure

  • To add a user to the administrative group wheel, change the Account Type from Standard to Administrator.

4.4.2.4. Editing a user’s language with the Users settings tools

Prerequisites

Procedure

  • To edit a user’s language setting, select the language and a drop-down menu appears.

4.4.2.5. Managing passwords with the Users settings tool

When a new user is created, the account is disabled until a password is set.

The Password drop-down menu, shown in Figure 4.2, “The Password Menu”, contains the options to:

  • Set a password by the administrator immediately
  • Choose a password by the user at the first login
  • Create a guest account with no password required to log in
  • Disable or enable an account from this menu

Figure 4.2. The Password Menu

managing users password

4.5. Managing users using command-line tools

Apart from the Users settings tool, which is designed for basic managing of users, you can use command-line tools for managing users and groups.

4.5.1. Command-line utilities for managing users and groups

The following command-line tools for managing users and groups are available in Red Hat Enterprise Linux 8.

Utilities

Description

id

Displays user and group IDs.

useradd, usermod, userdel

Standard utilities for adding, modifying, and deleting user accounts.

groupadd, groupmod, groupdel

Standard utilities for adding, modifying, and deleting groups.

gpasswd

Utility primarily used for modification of group password in the /etc/gshadow file which is used by the newgrp command.

pwck, grpck

Utilities that can be used for verification of the password, group, and associated shadow files.

pwconv, pwunconv

Utilities that can be used for the conversion of passwords to shadow passwords, or back from shadow passwords to standard passwords.

grpconv, grpunconv

Similar to the previous, these utilities can be used for conversion of shadowed information for group accounts.

4.5.2. Adding a new user

This section describes how to use the useradd command to add a new user.

4.5.2.1. Applying the useradd command to add a new user

To add a new user to the system, use the following procedure.

Procedure

  • Run the following command:

    # useradd options username

    Here options are command-line options for the useradd command. For more details, see the useradd man page.

Warning

With RHEL 8, you cannot use all-numeric user names. The reason for not allowing such names is that this can confuse tools that work with user names and user ids, which are numbers.

4.5.2.2. Unlocking an user account

By default, the useradd command creates a locked user account.

To unlock the account, use this procedure.

Procedure

  • Run the following command to assign a password:

    # passwd username

4.5.2.3. Common command-line options for the useradd command

This section provides the command-line options for useradd that cover the most common use cases.

Table 4.1. Frequently used command-line options for useradd

OptionDescription

-d home_directory

Home directory to be used instead of default /home/username/.

-e date

Date for the account to be disabled in the format YYYY-MM-DD.

-f days

Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.

-g group_name

Group name or group number for the user’s default (primary) group. The group must exist prior to being specified here.

-G group_list

List of additional (supplementary, other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.

-s

User’s login shell, which defaults to /bin/bash.

4.5.2.4. Range of IDs for system and normal users

The default range of IDs for system and normal users has been changed in Red Hat Enterprise Linux 7 from earlier releases. Before Red Hat Enterprise Linux 7, UID 1-499 was used for system users and values above for normal users. The default range for system users is now 1-999.

This change might cause problems when migrating to Red Hat Enterprise Linux 8 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID can be changed in the /etc/login.defs file.

4.5.2.5. Additional resources

For more information, see the useradd man page.

4.5.3. Adding a new group

This section describes how to add a new goup using the groupadd command.

4.5.3.1. Applying the groupadd command to add a new group

To add a new group of users to the system, use the following procedure.

Procedure

  • Run the following command:

    # groupadd options group_name

Here options are command-line options for the groupadd command. For more details, see the groupadd man page.

Warning

With RHEL 8, you cannot use all-numeric group names. The reason for not allowing such names is that this can confuse tools that work with group names and group ids, which are numbers.

4.5.3.2. Additional resources

For more information, see the groupadd man page.

4.5.4. Adding an existing user to an existing group

This section describes how to use the usermod utility to add an already existing user to an already existing group.

Various options of usermod have different impact on user’s primary group and on their supplementary groups.

4.5.4.1. Overriding user’s primary group

To override user’s primary group, use this proedure.

Procedure

  • Run the following command :
# usermod -g group_name user_name

4.5.4.2. Overriding user’s supplementary groups

To override user’s supplementary groups, use this proedure.

Procedure

  • Run the following command :
# usermod -G group_name1,group_name2,…​ user_name

Note that all previous supplementary groups of the user are replaced by the new group or several new groups.

4.5.4.3. Adding a group to user’s supplementary groups

To add one or more groups to user’s supplementary groups, use this procedure:

Procedure

  • Run either of these two commands:

    # usermod -aG group_name1,group_name2,…​ user_name
    # usermod --append -G group_name1,group_name2,…​ user_name

4.5.5. Creating group directories

System administrators usually create a group for each major project and assign people to the group when they need to access that project’s files.

With this traditional scheme, file management is difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it becomes difficult to associate the right files with the right group.

However, with the UPG scheme, groups are automatically assigned to files created within a directory with the setgid bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group that owns the directory.

This section provides an example use case where creation of a group directory is needed.

4.5.5.1. Creating a group directory - an example use case

In this example use case, a group of people need to work on files in the /opt/myproject/ directory. Some people are trusted to modify the contents of this directory, but not everyone.

To create the group directory for this case, use this procedure.

Procedure

  1. Create the /opt/myproject/ directory:

    # mkdir /opt/myproject
  2. Add the myproject group to the system:

    # groupadd myproject
  3. Associate the contents of the /opt/myproject/ directory with the myproject group:

    # chown root:myproject /opt/myproject
  4. Allow users in the group to create files within the directory and set the setgid bit:

    # chmod 2775 /opt/myproject

    At this point, all members of the myproject group can create and edit files in the /opt/myproject/ directory without the administrator having to change file permissions every time users write new files. To verify that the permissions have been set correctly, run the following command:

    # ls -ld /opt/myproject
    drwxrwsr-x. 3 root myproject 4096 Mar  3 18:31 /opt/myproject
  5. Add users to the myproject group:

    # usermod -aG myproject username

4.6. Managing sudo access

System administrators can grant sudo access to allow non-root users to execute administrative commands that are normally reserved for the root user. As a result, non-root users can execute such commands without logging in to the root user account.

4.6.1. Definition of sudo access

The sudo command is a method for providing users with administrative access without using the password of the root user. When users need to perform an administrative command normally reserved for the root user, they can precede that command with sudo. After entering their password, the command is executed as if they were the root user.

Be aware of the following limitations:

  • Only users listed in the /etc/sudoers configuration file are allowed to use the sudo command.
  • The command is executed in the user’s shell, not a root shell.

You can also administer sudo access with such services as Identity Management and LDAP.

4.6.2. Granting sudo access to a user

Follow this procedure to grant sudo access to a user account.

  1. Log in to the system as the root user.
  2. Enter the visudo command to edit the /etc/sudoers file. This file defines the policies applied by the sudo command.

    # visudo
  3. Find the lines that grant sudo access to users in the group wheel.

    ## Allows people in group wheel to run all commands
    %wheel        ALL=(ALL)       ALL
  4. Make sure the second line does not start with the comment character (#).
  5. Save any changes, and exit the editor.
  6. Add the user to whom you want to grant sudo access to the wheel group:

    # usermod -aG wheel _USERNAME_

Verification steps

Test that the updated configuration allows the user to enter commands using sudo.

  1. Switch to the user account:

    # su _USERNAME_ -
  2. Verify the user is in the wheel group:

    $ groups
    _USERNAME_ wheel
  3. Use the sudo command to enter the whoami command. The first time you enter a command using sudo from a user account, the terminal displays the following banner message. You also have to enter the password for the user account.

    $ sudo whoami
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for _USERNAME_:
    root
  4. The last line of the output is the user name returned by the whoami command. If sudo is configured correctly, this value is root.

Additional resources

See the following man pages for more information about sudo access:

  • The sudo(8) man page provides an overview of various options for the sudo command.
  • The visudo(8) man page describes editing of the sudoers file.

4.6.3. Additional resources

  • Run the man -k sudo command and select the appropriate topic to display the man pages with additional information.

4.7. Changing and resetting the root password

Setting up the root password is a mandatory part of the Red Hat Enterprise Linux 8 installation. For more details, see Performing a standard RHEL installation.

This section describes two major use cases:

  • Changing the root password after the installation
  • Resetting forgotten root password

To change the root password after the installation, use the passwd command. With this command, you can change the root password as the root user and also as a non-root user. For more information, see Changing the root password as the root user or Changing or resetting forgotten root password as a non-root user.

To reset forgotten root password, you can also use the passwd command. However, this is only possible if you are able to log in as a non-root user who belongs to the wheel group. For more information, see Changing or resetting forgotten root password as a non-root user.

If you are not able to log in as a non-root user belonging to the wheel group, you can reset forgotten root password during the boot process by switching into the chroot jail environment. For more information, see Resetting forgotten root password in chroot jail with SELinux in permissive mode or Resetting forgotten root password in chroot jail with SELinux in enforcing mode.

4.7.1. Changing the root password as the root user

Prerequisites

You are able to log in as the root user.

To change the root password as the root user, use the following procedure.

Procedure
  • Run:
# passwd

4.7.2. Changing or resetting forgotten root password as a non-root user

Using the passwd command, you can change or reset forgotten root password as a non-root user that belongs to the wheel group.

Prerequisites

You are able to log in as a non-root user that belongs to the wheel group.

To change the root password as a non-root user who is a member of the wheel group, use the following procedure.

Procedure
  • Run:
$ sudo passwd root

4.7.3. Resetting forgotten root password on boot

If you forget the root password, and you are not able to log in as a non-root user belonging to the wheel group, you can reset the root password on boot by switching into the chroot jail environment. A chroot jail is an environment that enables to isolate a process and its children processes from the rest of the system.

Updating the password file in chroot jail results in a file with the incorrect SELinux security context. Therefore, you must relabel all files on the next system boot. However, especially for a large disk, the relabeling process might be time-consuming. To avoid the relabeling process, you can work with SELinux switched to permissive mode. For more information, see Resetting forgotten root password in chroot jail with SELinux in permissive mode.

If you want to work with SELIinux in enforcing mode, use the procedure described in Resetting forgotten root password in the chroot jail with SELinux in enforcing mode.

4.7.3.1. Resetting forgotten root password in chroot jail with SELinux in permissive mode

Procedure
  1. Start the system and, on the GRUB 2 boot screen, press the e key to edit the selected menu item.
  2. Enable system messages by removing the rhgb and quiet parameters.

    You can find these parameters at the end or near the end of the line starting with linux.

    Note

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End also work.

  3. Set SELinux to permissive mode by adding the following at the end of the line starting with linux:

    rd.break enforcing=0

    Adding the enforcing=0 option enables omitting the time-consuming SELinux relabeling process. As a result, the initramfs stops before passing control to the Linux kernel, enabling you to work with the root file system. Note that the initramfs prompt appears on the last console specified on the respective line.

  4. Press Ctrl+x to boot the system with the changed parameters.

    Note

    With an encrypted file system, a password is required at this point. However, the password prompt might not appear as it is overlaid by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

    The initramfs switch_root prompt appears.

  5. The file system is mounted as read-only on /sysroot/. You cannot change the password if the file system is not writable. To remount the file system as writable:

    switch_root:/# mount -o remount,rw /sysroot
  6. Enter the chroot environment:

    switch_root:/# chroot /sysroot

    The prompt changes to sh-4.4#.

  7. Change the root password:

    sh-4.4# passwd

    After entering this command, follow the instructions displayed on the command line to finalize the change of the root password.

  8. Optionally, relabel SELinux security contexts for all files on the next system boot by entering the following command:

    sh-4.4# touch /.autorelabel

    Note that relabeling a large disk might take long time.

  9. Remount the file system as read-only:

    sh-4.4# mount -o remount,ro /
  10. Exit the chroot environment:

    sh-4.4# exit
  11. Resume the initialization and finish the system boot:

    switch_root:/# exit

    With an encrypted file system, a password or phrase is required at this point. However, the password prompt might not appear as it is overlaid by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

  12. According to whether you relabed SELinux security contexts by using the touch /.autorelabel as described in the step 8, do the following:

    • If you relabeled SELinux contexts, wait until the SELinux relabeling process is finished. Note that the process can take a long time. A system reboots automatically when the process is complete.
    • If you omitted the step 8, and you did not relabel SELinux security contexts, follow these steps:

      • Restore the /etc/shadow file’s SELinux security context:

        # restorecon /etc/shadow
      • Turn the SELinux policy enforcement back on:

        # setenforce 1
      • Verify that the SELinux policy enforcement is on:

        # getenforce
        Enforcing

4.7.3.2. Resetting forgotten root password in chroot jail with SElinux in enforcing mode

Procedure
  1. Start the system and, on the GRUB 2 boot screen, press the e key to edit the selected menu item.
  2. Enable system messages by removing the rhgb and quiet parameters.

    You can find these parameters at the end or near the end of the line starting with linux.

    Note

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End also work.

  3. Press Ctrl+x to boot the system with the changed parameters.

    Note

    With an encrypted file system, a password is required at this point. However, the password prompt might not appear as it is overlaid by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

    The initramfs switch_root prompt appears.

  4. The file system is mounted as read-only on /sysroot/. You cannot change the password if the file system is not writable. To remount the file system as writable:

    switch_root:/# mount -o remount,rw /sysroot
  5. Enter the chroot environment:

    switch_root:/# chroot /sysroot

    The prompt changes to sh-4.4#.

  6. Change the root password:

    sh-4.4# passwd

    Follow the instructions displayed on the command line to finalize the change of the root password.

  7. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on the next system boot, enter the following command:

    sh-4.4# touch /.autorelabel
  8. Remount the file system as read-only:

    sh-4.4# mount -o remount,ro /
  9. Exit the chroot environment:

    sh-4.4# exit
  10. Resume the initialization and finish the system boot:

    switch_root:/# exit

    With an encrypted file system, a password or phrase is required at this point. However, the password prompt might not appear as it is overlaid by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

  11. Wait until the SELinux relabeling process is finished.

    Note that the process can take a long time. A system reboots automatically when the process is complete.

4.8. Additional Resources

For more information on how to manage users and groups on Red Hat Enterprise Linux, see the resources listed below.

4.8.1. Installed Documentation

For information about various utilities for managing users and groups, see the following manual pages:

  • useradd(8) — The manual page for the useradd command documents how to use it to create new users.
  • userdel(8) — The manual page for the userdel command documents how to use it to delete users.
  • usermod(8) — The manual page for the usermod command documents how to use it to modify users.
  • groupadd(8) — The manual page for the groupadd command documents how to use it to create new groups.
  • groupdel(8) — The manual page for the groupdel command documents how to use it to delete groups.
  • groupmod(8) — The manual page for the groupmod command documents how to use it to modify group membership.
  • gpasswd(1) — The manual page for the gpasswd command documents how to manage the /etc/group file.
  • grpck(8) — The manual page for the grpck command documents how to use it to verify the integrity of the /etc/group file.
  • pwck(8) — The manual page for the pwck command documents how to use it to verify the integrity of the /etc/passwd and /etc/shadow files.
  • pwconv(8) — The manual page for the pwconv, pwunconv, grpconv, and grpunconv commands documents how to convert shadowed information for passwords and groups.
  • id(1) — The manual page for the id command documents how to display user and group IDs.

For information about related configuration files, see:

  • group(5) — The manual page for the /etc/group file documents how to use this file to define system groups.
  • passwd(5) — The manual page for the /etc/passwd file documents how to use this file to define user information.
  • shadow(5) — The manual page for the /etc/shadow file documents how to use this file to set passwords and account expiration information for the system.