Administration Guide Draft/UserAccounts: Difference between revisions

Section is ready for editing

User Accounts

Introduction

Creation and management of users and user groups is a fundamental practice of system administration on multi-user systems such as Linux. Each user is given an account in the system. This provides a method to distinguish different accounts in the system with associated set of privileges. Each account is further assigned a separate and secure storage area for files and preferences. With this model, each user can specify custom working environment and account specific activities.

Fedora includes two types of accounts: system and non-system accounts. System accounts include the root user and others such as the apache user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves UIDs 0-499 for system accounts. This is why they are sometimes referred to as low ID accounts.

UID is the abbreviation of the term User Identifier
It represents unique numerical equivalent of the username, which computer uses as a reference to username. Similarly, GID is numerical value that represents Group Identifier. UID 0 (zero) is always reserved for root user.

Non-system accounts start from uid 500. These accounts are used by non-system users for performing their regular tasks. Usually, the first non-system user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide.

Process of Account Creation

This section explains what happens when a new user is added to a Fedora system.

When the system administrator executes

/usr/sbin/useradd dan

from the command line, the following steps occur:

1 . A new line is appended to the /etc/passwd file and it looks similar to:

dan:x:502:502::/home/dan:/bin/bash

It consists of seven colon delimited fields associated with the following meaning:

• dan - this is the username
• x - this is the password field; x signifies an empty field and that an encrypted (shadow) password will be placed in /etc/shadow file
• first 502 - this is the uid (username identifier)
• second 502 - this is the gid (group identifier) of the user's primary group
• blank field - this is the "comment" field; the user's full name usually goes here
• /home/dan - this is the location of the user's home directory in the file system
• /bin/bash - this is the user's default shell

Entries above show Fedora defaults for new user accounts
Shadow passwords are used by default, UID and GID are the next available numbers, the comment field is empty, all user directories are created as subdirectories of /home and the default shell is bash (Bourne Again Shell). These defaults may be altered by specifying options to the useradd command (more about this on the next page).

A GID of the same numerical value as UID represents the Fedora concept of User Private Groups (UPG)
A User Private Group is created every time a new account is added to the system. It has the same name as the new user and the user is the only member of that group. The main advantage of this concept is easier management of user groups on UNIX-like systems. Traditionally, newly created files can not be modified by other users, including members of the file creator's primary group. This is controlled through the umask setting, which is configured in the /etc/bashrc file. Since UPG has only one member and each user has their own private group, this group protection becomes redundant.

2 . A new line is appended to the /etc/shadow file and it looks similar to:

dan:!!:13490:0:99999:7:::

It consists of eight colon delimited fields associated with the following meaning:

• dan - this is the username
• !! - two exclamation marks indicate that the password has not been set yet and the account is locked
• 13490 - represents the number of days (since January 1, 1970) since the password was last changed
• 0 - represents the number of days before the password may be changed (0 indicates it may be changed at any time)
• 99999 - represents the number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for 274 years
• 7 - represents the number of days remaining before the users password expires (7 means a full week)
• first blank field - represents the number of days after the password expires that the account will be disabled
• second blank field - represents the number of days since January 1, 1970 that an account has been disabled
• third blank field - reserved field for possible future use

The useradd command does not create a password.
At the time of command execution, the password field is initialized and populated with x and !! in the /etc/passwd and /etc/shadow files, respectively. A password is created by using the /usr/bin/passwd command, which replaces !! field with encrypted representation of the user's password. This is security related and prevents the user's password from being displayed as plain text at any time.

3 . A new line is appended to the /etc/group file. It looks similar to:

dan:x:502:

The new line consists of three colon delimited fields associated with the following meaning:

• dan - this is the group name
• x - this is the group password field; x indicates that the system is using shadow passwords
• 502 - this is the gid and it matches the value of uid of the user with the same name

4 . A new line is appended to the /etc/gshadow file. It looks similar to:

dan:!::

The colon delimited fields in this line indicate:

• dan - this is group name
• ! - this is group password field in which ! indicates that the group account is locked

5 . The home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.

6 . Files from the /etc/skel directory are copied to the user's home directory (for example the .bashrc and .bash_profile files which control user's default shell environment).

7 . The system administrator can now run the /usr/bin/passwd dan command to set the user's password, this unlocks the user's account giving the user the ability to login and use the system.

Account Management - Command Line Interface

This section explains how to add new accounts and change account parameters using command line utilities.

Adding Accounts

To add a new user account from the command line run:

su -c "/usr/sbin/useradd luke"

Enter the root password when prompted.

The above command creates a new user account with the username luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash. (These are Fedora defaults for user accounts.)

Upon creation, the user account is locked. To unlock the account, run:

su -c "passwd luke"

To set user's password, enter the root password at the first password prompt. You are then be presented with the following:

Changing password for user luke.
New UNIX password:

Type in what you want the user's password to be (remember passwords are case sensitive) and press [Enter] . Prompt changes to:

Retype new UNIX password:

Type the same password again and press [Enter] . Prompt returns:

passwd: all authentication tokens updated successfully.

User luke is now able to logon and use the system.

Choose passwords wisely!
Passwords are an essential element of system security. Avoid using dictionary words and use a combination of lower and upper case letters, numbers and special characters.

User account defaults are controlled through the /etc/login.defs configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from /etc/login.defs file can be overridden by supplying options to the useradd command. For example:

su -c "/usr/sbin/useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"

creates a new user account for the user luke2 with the following characteristics:

• user's full name is Luke McAlister
• user's primary group is primary
• user luke2 is also a member of additional and another groups
• /home/second is created as the home directory for luke2
• TCShell is set as the shell environment for luke2

For the full list of available command options, refer to useradd(8) manual page.

Adding Group Accounts

To add a new group account, from the command line run:

su -c "/usr/sbin/groupadd black"

and enter the root password when prompted.

The above command creates a new group account with the group name black.

Modifying Account Parameters

To edit user account parameters, use the usermod command. Depending on what account parameters need modification, usermod command may need to be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:

su -c "/usr/sbin/usermod -c 'Luke McAlister' luke"

Enter the root password at the password prompt.

This alters the account information in /etc/passwd file, placing the user's full name in the fifth field. The line changes from:

luke:x:503:503::/home/luke:/bin/bash

to

luke:x:503:503:Luke McAlister:/home/luke:/bin/bash

You can also edit user's group membership using the usermod command. When a user is created, a new group with the same name as the username is created. This group is the user's Primary Group. Files or directories created by said user inherit said users Primary Group. Use the id command to view Primary and Secondary Group memberships:

id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t

The above example shows that the Primary Group for the user user1, is gid 500 (user1). The user1 user is also a member of the wheel Secondary Group. Primary Groups are defined in /etc/passwd:

user1:x:500:500:UserOne:/home/user1:/bin/bash

The fourth field shows the Primary Group ID (500) for the user. The /etc/passwd file uses the following syntax: account:password:UID:GID:GECOS:directory:shell

The Primary Group can be temporarily changed using the newgrp command. However, the user must already be a member of the group specified:

newgrp testing

The results can be seen using the id and touch commands:

id
uid=500(user1) gid=502(testing) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t

Note, the Primary Group is now gid 502 (testing).

touch file1
ls -l file1
-rw-r--r-- 1 user1 testing 0 2007-10-13 20:31 file1

The file1 file belongs to the testing group instead of the user1 group. Type exit to return to your original Primary Group; the output of the exit command is exit:

exit
exit
id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t

The Primary Group is now back to user1. Also note the id command has not displayed the testing group. Changes to group membership require you to log out and then log in, before the changes are displayed using the id and groups commands. Users can also be members of Secondary Groups. Secondary groups are defined in /etc/group. Use the groups and id commands to view group membership:

groups
user1 wheel testing

id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t

To add a user to a Secondary Group, use the following command:

su -c "/usr/sbin/usermod -a -G <group> <username>"

Enter the root password when prompted.

This adds the user specified with <username> to the Secondary Group specified in <group>. To add a user to multiple Secondary Groups list the group names in comma-separated form:

su -c "/usr/sbin/usermod -a -G <group1>,<group2>,<group3> <username>"

Enter the root password when prompted.

Removing a user from a group is a little different. Use the usermod command without the -a append switch to specify the group memberships you want to keep. For example, if the mentioned user is a member of group1, group2, group3, and group4, but you want to remove the user from group4, then run the following command:

su -c "/usr/sbin/usermod -G group1,group2,group3 <username>"

This command keeps the user's group memberships of group1, group2, and group3, while removing membership from the group4.

For the full list of available command options, refer to the usermod(8) manual page.

Be careful with the -G command option!
If the user is a member of multiple groups, all the groups must be listed as parameters in a comma-separated form: -G <group1,group2,group3,group4>. When you omit a group name you remove the user from that group.

Modifying Group Accounts

To modify group account parameters, use the groupmod command. This command can change two group account parameters, the group ID (GID) and group name. To change the group ID (GID) of the group black, run:

su -c "/usr/sbin/groupmod -g 600 black"

Enter root password at the prompt. This command would change the GID of the group black to 600. If you do not use -o option, the GID numerical value supplied to the command must be unique.

The groupmod command does not change group ownership of files.
You must manually change group ID (GID) ownership of all the files owned by the group's previous group ID.

To assign a new name to the group account, run:

su -c "/usr/sbin/groupmod -n blue black"

Enter the root password at the prompt. This changes the group's name from black to blue.

Changing Password Expiration Information

To change the user's password expiration information use the chage command. This command changes the number of days between password changes and the date of the last password change and is used by the system to determine when the user is forced to change the password. For example, to set the number of days the password of the user dan to be valid for 90 days (three months), run:

su -c "chage -M 90 dan"

Enter the root password at the prompt. The above option is usually used in conjunction with -W option, which sets the number of days before expiration the user is warned about the pending expiration:

su -c "chage -W 10 -M 90 dan"

Enter the root password when prompted. The above command forces the user dan to change the password after 90 days. User dan is warned about this every day, starting 10 days before the password expiration.

For the full list of available command options, refer to the chage(1) manual page.

Account Management - Using A Graphical User Interface

This section explains how to manage user and group accounts using a graphical user interface (GUI). User Manager is the application used to create and manage user and group accounts.

To run User Manager, you must have the X Window system installed,configured and the system-config-users package installed.

To start User Manager select System > Administration > Users and groups from the main panel menu or from the command line run system-config-users and enter the root password at the prompt.

File:Docs Drafts AdministrationGuide UserAccounts usermanager.png

By default, User Manager does not display system accounts. To enable the listing of system accounts, from the main menu select Edit > Preferences

File:Docs Drafts AdministrationGuide UserAccounts usermanagerprefs.png

and uncheck the box next to Hide system users and groups. You can use the Preferences window to modify the default behavior of automatically assigning the next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.

To search for the user, enter first few letters of the username in the search filter field and click the Apply filter button.

You can sort the users list by clicking on the column name. Text fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.

Adding A New User

To add a new account click the Add User button on the main toolbar.

File:Docs Drafts AdministrationGuide UserAccounts newuser.png

Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora - /bin/bash is default shell, /home/<username> is created as user's home directory, private group with the same name will be created for user and next available UID will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account.

Adding A New Group

To list the existing groups in the User Manager window click on the Groups tab. The same rules apply for sorting available columns and searching for a particular group as applied to the Users tab.

File:Docs Drafts AdministrationGuide UserAccounts groupstab.png

To create a new group, click the Add Group button on the main toolbar of the User Manager.

File:Docs Drafts AdministrationGuide UserAccounts addgroup.png

Type the group name in the Group Name field and click [OK] . By default, the new group will be added with the next available GID. You can manually change this behavior by checking the box Specify group ID manually and selecting a different, unused number from the list.

Modifying User Accounts

File:Docs Drafts AdministrationGuide UserAccounts usermanagerselect.png

To display the properties of a user account, select the account from the list and click the Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:

File:Docs Drafts AdministrationGuide UserAccounts userpropertiesdata.png

You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.

Click the Account info tab.

File:Docs Drafts AdministrationGuide UserAccounts userpropertiesaccinfo.png

Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock the user account.

Click the Password info tab.

File:Docs Drafts AdministrationGuide UserAccounts userpropertiespwd.png

Time of the last password change is displayed. Check Enable password expiration box. This will allow you to disable password change for user, force the user to change their password and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days.

Click the Groups tab.

File:Docs Drafts AdministrationGuide UserAccounts userpropertiesgrp.png

Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.

Modifying Group Accounts

To modify group accounts select the group from the Groups tab of the User Manager

File:Docs Drafts AdministrationGuide UserAccounts usermanagergrpselect.png

To view group properties, click the Properties button on the main toolbar. The Group Properties window opens

File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesdata.png

with the Group Data tab in focus. To change the group name, edit text in the Group Name field.

Click the Group Users tab.

File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesusers.png

To add users to this group, check the box next to appropriate user names on the list.

Additional Information

For additional help and more information on managing user accounts look at:

Websites

username and password guidelines

username and group file(s) information

Manual Pages

• passwd(1) ---Learn more about the file format information for the /etc/passwd file.
• group(5) ---Learn more about the file format information for the /etc/group file.
• shadow(5) ---Learn more about the file format information for the /etc/shadow file.
• useradd(8) ---Learn how to create or update user accounts.
• userdel(8) ---Learn how to delete user accounts.
• usermod(8) ---Learn how to modify user accounts.
• chpasswd(8) ---Learn how to batch update user passwords.
• chage(1) ---Learn how to change user password aging information.
• chfn(1) ---Learn how to change a user's GECOS (finger) information.
• chsh(1) ---Learn how to change a user's login shell.
• groupadd(8) ---Learn how to create a new group.
• groupdel(8) ---Learn how to delete a group.
• groupmod(8) ---Learn how to modify a group.
• gpasswd(1) ---Learn how to administer the /etc/group and /etc/gshadow files.
• grpck(1) ---Learn how to verify the integrity of the /etc/group and /etc/gshadow files.
• chgrp(1) ---Learn how to change group-level ownership.
• chmod(1) ---Learn how to change file access permissions.
• chown(1) ---Learn how to change file owner and group.