Revision as of 17:22, 2 June 2008
User Accounts
TABLE OF CONTENTS
- Introduction
- What Happens in the Background
- Manage Accounts Using CLI
- Manage Accounts Using GUI
- Single-page View (Suitable for Printing)
SUMMARY OF SECTIONS
Overview
- Ways to Create and Modify User and Group Accounts
- Programs and Files Related to Account Management
Account Creation Process
- Changes on the System During Account Creation / Modification
Account Management - Command Line Interface
- Adding User Account
- Editing User Account
- Adding Group Account
- Modifying Group Account
- Changing Password Expiry Information
Account Management - Graphical Interface
- Adding User Account
- Editing User Account
- Adding Group Account
- Modifying Group Account
Introduction
Creation and management of users and user groups is one of the fundamental pieces of system administration on multi-user systems such as Linux. The user accounts system provides a secure storage area for users' files and gives users the ability to customize their working environment according to their needs.
Fedora includes two types of accounts - system and non-system accounts. System accounts include the root user and others such as the apache user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves the first 499 UIDs for system accounts (UID 0 is always reserved for root). This is why they are sometimes referred to as low ID accounts.
Non-system accounts start from uid 500. These accounts are used for regular users to perform day-to-day tasks. Usually, the first "normal" user account is created during the first boot following the system's installation. After that, user and group accounts can be created with standard procedures, explained later in this guide.
Ways to Create and Modify User and Group Accounts
As with most other tasks, the system administrator can choose between two ways of creating and subsequently modifying user accounts:
- Command line interface
- Graphical interface
The account creation process is explained on the next page.
Process of Account Creation
This section explains what happens when new user is added to Fedora system.
When system administrator executes
/usr/sbin/useradd dan
from the command line, the following steps occur:
1 . New line is appended to /etc/passwd file and it looks similar to:
dan:x:502:502::/home/dan:/bin/bash
It consists of seven colon delimited fields, with the following meaning:
- dan - this is username
- x - this is the password field; x signifies an empty field and that the encrypted (shadow) password will be placed in the /etc/shadow file instead
- first 502 - this is the uid
- second 502 - this is gid of the user's primary group
- blank field - this is "comment" field; user's full name usually goes here, if specified
- /home/dan - this is location of the user's home directory in the file system
- /bin/bash - this is user's default shell
2 . New line is appended to /etc/shadow file and it looks similar to:
dan:!!:13490:0:99999:7:::
It consists of eight colon delimited fields, with the following meaning:
- dan - this is username
- !! - two exclamation marks indicate that the password has not been set yet and account is locked
- 13490 - represents the number of days (since January 1, 1970) since the password was last changed
- 0 - represents the number of days before password may be changed (0 indicates it may be changed at any time)
- 99999 - represents the number of days after which the password must be changed (99999 indicates the user can keep his or her password unchanged for 274 years)
- 7 - represents the number of days to warn user of an expiring password (7 means a full week)
- first blank field - represents the number of days after password expires that account is disabled
- second blank field - represents the number of days since January 1, 1970 that an account has been disabled
- third blank field - reserved field for possible future use
3 . New line is appended to /etc/group file. It looks similar to:
dan:x:502:
New line consists of three colon delimited fields, with the following meaning:
- dan - this is group name
- x - this is group password field; x indicates that the system is using shadow passwords
- 502 - this is the gid and it matches the value of the uid of the user with the same name; this is the Fedora concept of User Private Groups (UPG): a group of the same name is created with every new account and the user is its only member
4 . New line is appended to /etc/gshadow file. It looks similar to:
dan:!::
Colon delimited fields in this line are:
- dan - this is group name
- ! - this is group password field in which ! indicates that the group account is locked
5 . Home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.
6 . Files from /etc/skel directory are copied to user's home directory. For example, .bashrc and .bash_profile files which control user's default shell environment.
7 . The system administrator can now run /usr/bin/passwd dan to set the user's password, unlocking the user's account, which gives the user the ability to log on and use the system. Note that useradd itself never creates a password: it only initializes the password fields with x and !! in /etc/passwd and /etc/shadow respectively, and passwd replaces !! with the encrypted representation of the password, so the password is never stored in plain text.
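The seven steps above describe the records useradd writes. The following shell script is an added example, not part of the Fedora guide: it parses passwd- and shadow-format lines of the kind shown above to classify an account as system or non-system by its UID (Fedora's 0-499 boundary) and to tell from the shadow password field whether the account is still locked. The sample file contents are constructed; the hash value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Fedora guide). Sample records below are
# constructed to match the /etc/passwd and /etc/shadow formats shown above.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
dan:x:502:502::/home/dan:/bin/bash'

SAMPLE_SHADOW='root:$1$placeholderhash:13490:0:99999:7:::
apache:!!:13490:0:99999:7:::
dan:!!:13490:0:99999:7:::'

# account_type NAME PASSWD_CONTENT -> prints "system" or "normal"
# Fedora reserves UIDs 0-499 for system accounts; regular users start at 500.
account_type() {
    name=$1
    uid=$(printf '%s\n' "$2" | awk -F: -v u="$name" '$1 == u { print $3; exit }')
    [ -n "$uid" ] || { echo unknown; return 1; }
    if [ "$uid" -lt 500 ]; then
        echo system
    else
        echo normal
    fi
}

# password_state NAME SHADOW_CONTENT -> prints "locked", "set" or "unknown"
# "!!" means useradd created the entry but passwd has not been run yet;
# a leading "!" marks an account locked with "passwd -l"; "*" means no
# password login is possible. Anything else is an encrypted password.
password_state() {
    name=$1
    pw=$(printf '%s\n' "$2" | awk -F: -v u="$name" '$1 == u { print $2; exit }')
    [ -n "$pw" ] || { echo unknown; return 1; }
    case "$pw" in
        '!!'|'*'|'!'*) echo locked ;;
        *)             echo set ;;
    esac
}

# Stand-alone run: report every account in the constructed sample.
for u in root apache dan; do
    printf '%s: %s account, password %s\n' "$u" \
        "$(account_type "$u" "$SAMPLE_PASSWD")" \
        "$(password_state "$u" "$SAMPLE_SHADOW")"
done
```

On a real system the same functions can be fed `"$(cat /etc/passwd)"` and, as root, `"$(cat /etc/shadow)"`; the UID threshold is the Fedora default from the text and can be read from UID_MIN in /etc/login.defs on other configurations.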
Account Management - Command Line Interface
This section explains how to add new accounts and subsequently change account parameters using command line utilities.
Adding Account
To add new user account, from command line run:
su -c "/usr/sbin/useradd luke"
Enter root password when prompted.
The command above will create a new user account with the user name luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash. These are the Fedora defaults for user accounts.
Upon creation, user account is locked. To unlock the account, run:
su -c "passwd luke"
to set user's password. Enter root password in the first password prompt. You will then be presented with the following:
Changing password for user luke. New UNIX password:
Type in user's password and press [Enter] . Prompt changes to:
Retype new UNIX password:
Type the same password again and press [Enter] . Prompt will return:
passwd: all authentication tokens updated successfully.
User luke is now able to log in and use the system.
User account defaults are controlled through the /etc/login.defs configuration file. The administrator can manually change values in this file and create a different set of account defaults. Settings from the /etc/login.defs file may be bypassed by supplying options to the useradd command. For example:
su -c "useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"
creates a new user account for user luke2 with the following characteristics:
- user's full name is Luke McAlister
- user's primary group is primary
- user luke2 is also a member of the additional and another groups
- /home/second is created as the home directory for luke2
- TCShell (/bin/tcsh) is set as the shell environment for luke2
Adding Group Account
To add new group account, from command line run:
su -c "groupadd black"
and enter root password when prompted.
Command above will create new group account with the group name black.
Modifying Account Parameters
To edit user account parameters, use the usermod command. Depending on what account parameters need modification, the usermod command must be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:
su -c "usermod -c 'Luke McAlister' luke"
and enter root password in the password prompt.
This will alter account information in /etc/passwd
file, placing user's full name in the fifth field. The line will change from:
luke:x:503:503::/home/luke:/bin/bash
to
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
Another common example is modification of user's group membership. To alter user's group membership, run:
su -c "usermod -G black luke"
and enter the root password when prompted. The command from the preceding example will add user luke to the black group. Be careful with the -G option: it replaces the user's whole list of supplementary groups, so if the user is a member of multiple groups, all of them must be listed in comma-separated form (-G group1,group2,...,groupn). A group omitted from the list is one the user is removed from.
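Because -G replaces the supplementary group list, an administrator needs the user's current memberships before adding one. The script below is an added example, not from the Fedora guide: it reads /etc/group-format content, collects every group whose member list names the user, and builds the full comma-separated argument for usermod -G with the new group appended. The /etc/group content is constructed.

```shell
#!/bin/sh
# Added example (not part of the Fedora guide). The group file content is
# constructed; on a real system pass "$(cat /etc/group)" instead.

SAMPLE_GROUP='root:x:0:root
wheel:x:10:root,luke
black:x:600:
audio:x:63:luke,dan
luke:x:503:'

# member_groups NAME GROUP_CONTENT
# Prints, comma separated, every group whose member list (fourth field of
# /etc/group) names the user. The user's private/primary group is not
# listed there; it comes from /etc/passwd and is changed with -g, not -G.
member_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) {
                    out = (out == "" ? $1 : (out "," $1))
                    break
                }
        }
        END { print out }'
}

# groups_with NAME NEWGROUP GROUP_CONTENT
# Builds the argument for "usermod -G": existing memberships plus NEWGROUP,
# so no current membership is dropped by the replacement semantics of -G.
groups_with() {
    cur=$(member_groups "$1" "$3")
    case ",$cur," in
        *",$2,"*)
            printf '%s\n' "$cur" ;;                       # already a member
        *)
            if [ -n "$cur" ]; then
                printf '%s,%s\n' "$cur" "$2"
            else
                printf '%s\n' "$2"
            fi ;;
    esac
}

# Stand-alone run: show the -G argument that adds luke to black.
printf 'usermod -G %s luke\n' "$(groups_with luke black "$SAMPLE_GROUP")"
```

The usage as root would be `usermod -G "$(groups_with luke black "$(cat /etc/group)")" luke`. Current shadow-utils also accepts `usermod -a -G black luke`, where -a appends to the existing list; the function above makes the same intent explicit and lets you review the resulting list before applying it.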
Modifying Group Account
To modify group account parameters, use the groupmod command. This command can change two group account parameters. To change the group ID of the group black, run:
su -c "groupmod -g 600 black"
Enter the root password at the prompt. This command would change the GID of the group black to 600. If you do not use the -o option, the GID numerical value supplied to the command must be unique. Note that groupmod does not change the group ownership of existing files: files owned by the group's previous GID must be re-owned manually.
To assign new name to the group account, run:
su -c "groupmod -n blue black"
Enter root password at the prompt. This will change group's name from black to blue.
Changing Password Expiry Information
To change a user's password expiry information, use the chage command. This command changes the number of days between password changes and the date of the last password change, and is used by the system to determine when the user will be forced to change the password. For example, to set the maximum number of days for which the password of user dan will be valid to 90 (three months), run:
su -c "chage -M 90 dan"
and enter root password at the prompt. The above option is usually used in conjunction with -W option, which is used to set the number of days prior to password expiry during which user is warned about the pending password expiry:
su -c "chage -W 10 -M 90 dan"
Enter root password when prompted. The command above will force user dan to change the password after 90 days. User dan will be warned about this every day, starting from 10 days before the password expiry.
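The -M and -W values end up in the fifth and sixth fields of the user's /etc/shadow line, next to the "days since 1 January 1970" of the last change in the third field. The script below is an added example, not from the Fedora guide: it reproduces the arithmetic the system applies to those fields to decide how many days remain, whether the user should be warned, and whether the password has expired. The shadow line is constructed, with a placeholder in the hash field, and "today" is passed in as a day count so the functions can be checked offline.

```shell
#!/bin/sh
# Added example (not from the Fedora guide). The shadow line is constructed
# and corresponds to the state after "chage -W 10 -M 90 dan" for a password
# last changed on day 13490.

SAMPLE_SHADOW_LINE='dan:$6$placeholderhash:13490:0:90:10:::'

# days_to_expiry SHADOW_LINE TODAY
# TODAY is a day count since 1970-01-01, the same unit as field 3.
# Prints the days left before the password must be changed (negative once it
# has expired), or "never" when the maximum field is empty or 99999.
days_to_expiry() {
    last=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
        return 0
    fi
    echo $(( last + max - $2 ))
}

# password_status SHADOW_LINE TODAY -> prints "ok", "warn" or "expired"
# "warn" means the remaining days are within the warning window (field 6),
# which is when the user starts seeing the daily warning at login.
password_status() {
    left=$(days_to_expiry "$1" "$2")
    warn=$(printf '%s\n' "$1" | cut -d: -f6)
    if [ "$left" = never ]; then
        echo ok
    elif [ "$left" -lt 0 ]; then
        echo expired
    elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# Stand-alone run: walk through a few days of dan's 90-day window.
for today in 13490 13571 13580 13581; do
    printf 'day %s: %s days left, status %s\n' "$today" \
        "$(days_to_expiry "$SAMPLE_SHADOW_LINE" "$today")" \
        "$(password_status "$SAMPLE_SHADOW_LINE" "$today")"
done
```

To check a real account the same way, read the line with `grep '^dan:' /etc/shadow` as root and pass `$(( $(date +%s) / 86400 ))` as TODAY; `chage -l dan` shows the same information in calendar form.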
Next section explains how to manage accounts using Graphical Interface.
Account Management - Graphical User Interface
This section explains how to manage user and group accounts using Graphical User Interface. User Manager is the application used to create and manage user and group accounts.
To start User Manager, select System > Administration > Users and groups from the main panel menu, or from the command line run system-config-users and enter the root password at the prompt.
File:Docs Drafts AdministrationGuide UserAccounts Print usermanager.png
By default, User Manager does not display system accounts. To enable listing of system accounts, from the main menu select Edit > Preferences
File:Docs Drafts AdministrationGuide UserAccounts Print usermanagerprefs.png
and uncheck the box next to Hide system users and groups. You can use Preferences window to modify default behaviour of automatically assigning next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This functionality is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.
To search for the user enter first few letters of the user name in the search filter field and click Apply filter button.
You can sort the users list by clicking on the column name. Textual fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.
Adding New User
To add new account click Add User button on the main toolbar.
File:Docs Drafts AdministrationGuide UserAccounts Print newuser.png
Type the user name, the user's full name and the password in the appropriate fields. Pre-selected fields represent the defaults for Fedora: /bin/bash is the default shell, /home/<username> is created as the user's home directory, a private group with the same name will be created for the user and the next available UID will be used. If you choose to, you can change any of these options. Once you have supplied all the information, click the [OK] button to create the account.
Adding New Group
To list existing groups, in User Manager window click on Groups tab. The same rules apply for sorting available columns and searching for particular group as on the Users tab.
File:Docs Drafts AdministrationGuide UserAccounts Print groupstab.png
To create new group, click Add Group button on the main toolbar of the User Manager.
File:Docs Drafts AdministrationGuide UserAccounts Print addgroup.png
Type the group name in the Group Name field and click [OK] . By default, new group will be added with the next available GID. You can manually change this behaviour by checking the box Specify group ID manually and selecting different, unused number from the list.
Modifying User Accounts
File:Docs Drafts AdministrationGuide UserAccounts Print usermanagerselect.png
To display properties of the user account, select the wanted account from the list and click Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:
File:Docs Drafts AdministrationGuide UserAccounts Print userpropertiesdata.png
You can change account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.
Click the Account info tab.
File:Docs Drafts AdministrationGuide UserAccounts Print userpropertiesaccinfo.png
Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock user account.
Click the Password info tab.
File:Docs Drafts AdministrationGuide UserAccounts Print userpropertiespwd.png
Time of the last password change is displayed. Check Enable password expiration box. This will allow you to disable password change for user, force user to change password and warn user about that change in advance and when will account become inactive. Each of the four fields accepts integer, representing number of days.
Click the Groups tab.
File:Docs Drafts AdministrationGuide UserAccounts Print userpropertiesgrp.png
Change the user's group membership by checking or unchecking the box next to group name. If user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.
Modifying Group Accounts
To modify a group account, select the group from the Groups tab of the User Manager.
File:Docs Drafts AdministrationGuide UserAccounts Print usermanagergrpselect.png
To view the group's properties, click the Properties button on the main toolbar. The Group Properties window opens
File:Docs Drafts AdministrationGuide UserAccounts Print grouppropertiesdata.png
with the Group Data tab in focus. To change the group name, edit the text in the Group Name field.
Click the Group Users tab.
File:Docs Drafts AdministrationGuide UserAccounts Print grouppropertiesusers.png
To add users to this group, check the box next to appropriate user names on the list.