User Accounts
TABLE OF CONTENTS
- Introduction
- What Happens in the Background
- Manage Accounts Using CLI
- Manage Accounts Using GUI
SUMMARY OF SECTIONS
Overview
- Ways to Create and Modify User and Group Accounts
- Programs and Files Related to Account Management
Account Creation Process
- Changes on the System During Account Creation / Modification
Account Management - Command Line Interface
- Adding User Account
- Editing User Account
- Adding Group Account
- Modifying Group Account
- Changing Password Expiry Information
Account Management - Graphical Interface
- Adding User Account
- Editing User Account
- Adding Group Account
- Modifying Group Account
Introduction
Creation and management of users and user groups is one of the fundamental pieces of system administration on multi-user systems such as Linux. The user accounts system provides a secure storage area for users' files and gives users the ability to customize their working environment according to their needs.
Fedora includes two types of accounts - system and non-system accounts. System accounts include the root user and others such as the apache user. System accounts are created during the installation process and are used by various system daemons and utilities to perform system-wide tasks. Fedora reserves the first 499 UIDs for system accounts. This is why they are sometimes referred to as low ID accounts.
Non-system accounts start from uid 500. These accounts are used for regular users to perform day-to-day tasks. Usually, the first "normal" user account is created during the first boot following the system's installation. After that, user and group accounts can be created with standard procedures, explained later in this guide.
Ways to Create and Modify User and Group Accounts
As with most other tasks, a system administrator can choose between two ways of creating and subsequently modifying user accounts:
- Command line interface
- Graphical interface
The account creation process is explained on the next page.
Process of Account Creation
This section explains what happens when a new user is added to a Fedora system.
When the system administrator executes
/usr/sbin/useradd dan
from the command line, the following steps occur:
1. A new line is appended to the /etc/passwd file and it looks similar to:
dan:x:502:502::/home/dan:/bin/bash
It consists of seven colon delimited fields, with the following meaning:
- dan - this is username
- x - this is password field; x signifies empty field and that encrypted (shadow) password will be placed in /etc/shadow file instead
- first 502 - this is uid
- second 502 - this is gid of the user's primary group
- blank field - this is "comment" field; user's full name usually goes here, if specified
- /home/dan - this is location of the user's home directory in the file system
- /bin/bash - this is user's default shell
2. A new line is appended to the /etc/shadow file and it looks similar to:
dan:!!:13490:0:99999:7:::
It consists of eight colon delimited fields, with the following meaning:
- dan - this is username
- !! - two exclamation marks indicate that the password has not been set yet and account is locked
- 13490 - represents the number of days (since January 1, 1970) since the password was last changed
- 0 - represents the number of days before password may be changed (0 indicates it may be changed at any time)
- 99999 - represents the number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for 274 years)
- 7 - represents the number of days to warn user of an expiring password (7 means a full week)
- first blank field - represents the number of days after password expires that account is disabled
- second blank field - represents the number of days since January 1, 1970 that an account has been disabled
- third blank field - reserved field for possible future use
3. A new line is appended to the /etc/group file. It looks similar to:
dan:x:502:
New line consists of three colon delimited fields, with the following meaning:
- dan - this is group name
- x - this is group password field; x indicates that the system is using shadow passwords
- 502 - this is gid and it matches the value of uid of the user with the same name
4. A new line is appended to the /etc/gshadow file. It looks similar to:
dan:!::
Colon delimited fields in this line are:
- dan - this is group name
- ! - this is group password field in which ! indicates that the group account is locked
5. The home directory for user dan is created as /home/dan. It is owned by user dan and group dan, but only user dan has read, write and execute permissions on the directory. All the other permissions are denied.
6. Files from the /etc/skel directory are copied to the user's home directory. For example, the .bashrc and .bash_profile files, which control the user's default shell environment.
7. The system administrator can now run the /usr/bin/passwd dan command to set the user's password, unlocking the user's account, which gives the user the ability to log on and use the system.
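As an added example (not part of the original guide), the shell function below joins passwd- and shadow-format records by user name and reports each account's UID class and password state, using the UID 500 boundary and the locked-password markers described above. The sample records (including the toor and guest accounts), the function name and the output labels are constructed for illustration.

```shell
# Added example: audit account state from passwd- and shadow-format records.
# All records below are constructed; on a live system the inputs would be
# /etc/passwd and /etc/shadow (reading the latter requires root).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
dan:x:502:502::/home/dan:/bin/bash
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
toor:x:0:0::/root:/bin/bash
guest:x:504:504::/home/guest:/bin/bash'

SAMPLE_SHADOW='root:$1$constructed$placeholder:13490:0:99999:7:::
apache:!!:13490::::::
dan:!!:13490:0:99999:7:::
luke:$1$constructed$placeholder:13491:0:99999:7:::
toor:$1$constructed$placeholder:13490:0:99999:7:::
guest::13490:0:99999:7:::'

# audit_accounts PASSWD_TEXT SHADOW_TEXT
# Prints one line per passwd entry: name, uid, class, password state, flags.
audit_accounts() {
    # Shadow records are fed first so the password field is known by the
    # time the matching passwd record is read; "---" separates the two.
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: '
        $0 == "---" { in_passwd = 1; next }
        !in_passwd  { pw[$1] = $2; seen[$1] = 1; next }
        {
            # UIDs below 500 are system accounts in this guide.
            class = ($3 < 500) ? "system" : "regular"
            if (!($1 in seen))          state = "no-shadow-entry"
            else if (pw[$1] == "")      state = "EMPTY-PASSWORD"
            else if (pw[$1] ~ /^[!*]/)  state = "locked"
            else                        state = "password-set"
            # Any account other than root with UID 0 has full root rights.
            flag = ($3 == 0 && $1 != "root") ? " EXTRA-UID0" : ""
            printf "%s uid=%s %s %s%s\n", $1, $3, class, state, flag
        }'
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

An empty second field in a shadow record means the account has no password at all, which is different from the locked state that useradd leaves behind.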
Account Management - Command Line Interface
This section explains how to add new accounts and subsequently change account parameters using command line utilities.
Adding Account
To add new user account, from command line run:
su -c "/usr/sbin/useradd luke"
Enter root password when prompted.
The command above will create a new user account with the user name luke, whose primary group is luke. Directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash. These are Fedora defaults for user accounts.
Upon creation, user account is locked. To unlock the account, run:
su -c "passwd luke"
to set the user's password. Enter root password in the first password prompt. You will then be presented with the following:
Changing password for user luke.
New UNIX password:
Type in the user's password and press [Enter]. Prompt changes to:
Retype new UNIX password:
Type the same password again and press [Enter]. Prompt will return:
passwd: all authentication tokens updated successfully.
User luke is now able to login and use the system.
User account defaults are controlled through the /etc/login.defs configuration file. The administrator can manually change values in this file and create a different set of account defaults. Settings from the /etc/login.defs file may be overridden by supplying options to the useradd command. For example:
su -c "useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"
creates a new user account for user luke2 with the following characteristics:
- user's full name is Luke McAlister
- user's primary group is primary
- user luke2 is also a member of additional and another groups
- /home/second is created as home directory for luke2
- TCShell is set as a shell environment for luke2
Adding Group Account
To add new group account, from command line run:
su -c "groupadd black"
and enter root password when prompted.
Command above will create new group account with the group name black.
Modifying Account Parameters
To edit user account parameters, use the usermod command. Depending on which account parameters need modification, the usermod command must be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:
su -c "usermod -c 'Luke McAlister' luke"
and enter root password in the password prompt.
This will alter account information in the /etc/passwd file, placing the user's full name in the fifth field. The line will change from:
luke:x:503:503::/home/luke:/bin/bash
to
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
Another common example is modification of user's group membership. To alter user's group membership, run:
su -c "usermod -G black luke"
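and enter root password when prompted. The command from the preceding example will add user luke to the black group. Note that -G sets the user's complete list of supplementary groups, so luke is removed from any supplementary group not named in the command unless the -a (append) option is also given.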
Modifying Group Account
To modify group account parameters, use the groupmod command. This command can change two group account parameters. To change the group ID of the group black, run:
su -c "groupmod -g 600 black"
Enter root password at the prompt. This command would change the GID of the group black to 600. If you do not use the -o option, the GID numerical value supplied to the command must be unique.
To assign new name to the group account, run:
su -c "groupmod -n blue black"
Enter root password at the prompt. This will change group's name from black to blue.
Changing Password Expiry Information
To change a user's password expiry information, use the chage command. This command changes the number of days between password changes and the date of the last password change, and is used by the system to determine when the user will be forced to change the password. For example, to set the maximum number of days for which the password of user dan will be valid to 90 (three months), run:
su -c "chage -M 90 dan"
and enter root password at the prompt. The above option is usually used in conjunction with -W option, which is used to set the number of days prior to password expiry during which user is warned about the pending password expiry:
su -c "chage -W 10 -M 90 dan"
Enter root password when prompted. The command above will force user dan to change the password after 90 days. User dan will be warned about this every day, starting from 10 days before the password expiry.
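The arithmetic behind these two options, as an added example that is not part of the original guide: the function reads the last-change, maximum and warning fields of a shadow-format record and reports whether a given day falls before, inside or after the warning window. The record, the function names and the boundary comparison are assumptions made for illustration, and day_to_date relies on GNU date.

```shell
# Added example: interpret the aging fields of a shadow-format record.
# Field order (shadow(5)): name:password:lastchg:min:max:warn:inactive:expire:reserved
# Constructed record: the entry for dan once a password was set on day 13490
# and "chage -W 10 -M 90 dan" was applied (max=90, warn=10).
SAMPLE_AGED='dan:$1$constructed$placeholder:13490:0:90:10:::'

# day_to_date DAYS: days since 1970-01-01 -> YYYY-MM-DD (uses GNU date -d @N)
day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# pw_aging RECORD TODAY: TODAY is given as days since 1970-01-01.
# Prints: name state expires_day=N warn_from_day=N
pw_aging() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        # No last-change day or no maximum age: nothing to compute.
        if ($3 == "" || $5 == "") { print $1, "never-expires"; next }
        expires = $3 + $5                  # lastchg + max
        warn = expires - ($6 == "" ? 0 : $6)
        # Assumption: strict comparison on the boundary days themselves.
        if (today > expires)    state = "expired"
        else if (today > warn)  state = "warning"
        else                    state = "ok"
        print $1, state, "expires_day=" expires, "warn_from_day=" warn
    }'
}

for day in 13500 13575 13600; do
    pw_aging "$SAMPLE_AGED" "$day"
done
echo "password expires on $(day_to_date 13580)"
```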
Next section explains how to manage accounts using Graphical Interface.
Account Management - Graphical User Interface
This section explains how to manage user and group accounts using Graphical User Interface. User Manager is the application used to create and manage user and group accounts.
To start User Manager, select System > Administration > Users and groups from the main panel menu, or from the command line run system-config-users and enter root password at the prompt.
By default, User Manager does not display system accounts. To enable listing of system accounts, from the main menu select Edit > Preferences and uncheck the box next to Hide system users and groups. You can use the Preferences window to modify the default behaviour of automatically assigning the next available UID or GID to user and group accounts, or of creating the GID of the user's private group with the identical value as the user's UID. This functionality is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.
To search for the user enter first few letters of the user name in the search filter field and click Apply filter button.
You can sort the users list by clicking on the column name. Textual fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.
Adding New User
To add new account click Add User button on the main toolbar.
Type the user name, user's full name and password in the appropriate fields. Pre-selected fields represent the defaults for Fedora - /bin/bash is the default shell, /home/<username> is created as the user's home directory, a private group with the same name will be created for the user and the next available UID will be used. If you choose so, you can change any of these options. Once you supply all the information, click the [OK] button to create the account.
Adding New Group
To list existing groups, in User Manager window click on Groups tab. The same rules apply for sorting available columns and searching for particular group as on the Users tab.
To create new group, click Add Group button on the main toolbar of the User Manager.
Type the group name in the Group Name field and click [OK]. By default, the new group will be added with the next available GID. You can manually change this behaviour by checking the box Specify group ID manually and selecting a different, unused number from the list.
Modifying User Accounts
To display properties of the user account, select the wanted account from the list and click the Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with the User Data tab focused.
You can change account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.
Click the Account info tab.
Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock user account.
Click the Password info tab.
Time of the last password change is displayed. Check the Enable password expiration box. This will allow you to disable password change for the user, force the user to change the password, warn the user about that change in advance, and set when the account will become inactive. Each of the four fields accepts an integer, representing a number of days.
Click the Groups tab.
Change the user's group membership by checking or unchecking the box next to group name. If user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.
Modifying Group Accounts
To modify a group account, select the group from the Groups tab of the User Manager.
To view the group's properties, click the Properties button on the main toolbar. The Group Properties window opens with the Group Data tab in focus. To change the group name, edit the text in the Group Name field.
Click the Group Users tab.
To add users to this group, check the box next to appropriate user names on the list.