Edited by ZacharyHamed on 4.23.2008
User Accounts
Introduction
Creation and management of users and user groups is a fundamental practice of system administration on multi-user systems such as Linux. Each user is given an account in the system. This feature provides a method to distinguish different users in the system with an associated set of privileges. Additionally, each account is assigned a separate and secure storage area for files and preferences. With this model, each user can specify custom working environment and account specific activities.
Fedora includes two types of accounts: system and non-system accounts. System accounts include the root and apache users. System accounts are created during the installation process and are used by various system daemons and utilities to perform system-wide tasks. Fedora reserves UIDs 0-499 for system accounts. For this reason, system accounts are sometimes referred to as low ID accounts.
Non-system accounts start from UID 500. These accounts are used by non-system users for performing their regular tasks. Usually, the first non-system user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide.
Process of Account Creation
This section explains what happens when a new user is added to a Fedora system.
When the system administrator executes
/usr/sbin/useradd dan
from the command line, the following steps occur:
1 . A new line is appended to the /etc/passwd
file and it looks similar to:
dan:x:502:502::/home/dan:/bin/bash
It consists of seven colon delimited fields associated with the following meaning:
- dan - this is the username
- x - this is the password field; x signifies an empty field and that an encrypted (shadow) password will be placed in
/etc/shadow
file - first 502 - this is the uid (username identifier)
- second 502 - this is the gid (group identifier) of the user's primary group
- blank field - this is the "comment" field; the user's full name usually goes here
- /home/dan - this is the location of the user's home directory in the file system
/bin/bash
- this is the user's default shell
2 . A new line is appended to the /etc/shadow
file and it looks similar to:
dan:!!:13490:0:99999:7:::
It consists of eight colon delimited fields associated with the following meaning:
- dan - This is the username
- !! - Two exclamation marks indicate that the password has not been set yet and the account is locked
- 13490 - Represents the number of days (since January 1, 1970) since the password was last changed
- 0 - Represents the number of days before the password may be changed (0 indicates it may be changed at any time)
- 99999 - Represents the number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for 274 years
- 7 - Represents the number of days remaining before the user's password expires (7 means a full week)
- First blank field - Represents the number of days after the password expires that the account will be disabled
- Second blank field - Represents the number of days since January 1, 1970 that an account has been disabled
- Third blank field - Reserved field for possible future use
3 . A new line is appended to the /etc/group
file. It looks similar to:
dan:x:502:
The new line consists of three colon delimited fields associated with the following meaning:
- dan - this is the group name
- x - this is the group password field; x indicates that the system is using shadow passwords
- 502 - this is the gid and it matches the value of uid of the user with the same name
4 . A new line is appended to the /etc/gshadow
file. It looks similar to:
dan:!::
The colon delimited fields in this line indicate:
- dan - this is group name
- ! - this is group password field in which ! indicates that the group account is locked
5 . The home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.
6 . Files from the /etc/skel
directory are copied to the user's home directory (for example, the .bashrc
and .bash_profile
files that control user's default shell environment).
7 . The system administrator can now run the /usr/bin/passwd dan
command to set the user's password. This action unlocks the user's account, giving the user the ability to login and use the system.
Account Management - Command Line Interface
This section explains how to add new accounts and change account parameters using command line utilities.
Adding Accounts
To add a new user account from the command line run:
su -c "/usr/sbin/useradd luke"
Enter the root password when prompted.
The above command creates a new user account with the username luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash
. (These are Fedora defaults for user accounts.)
Upon creation, the user account is locked. To unlock the account, run:
su -c "passwd luke"
To set user's password, enter the root password at the first password prompt. You are then be presented with the following:
Changing password for user luke. New UNIX password:
Type in what you want the user's password to be (remember passwords are case sensitive) and press [Enter] . Prompt changes to:
Retype new UNIX password:
Type the same password again and press [Enter] . Prompt returns:
passwd: all authentication tokens updated successfully.
User luke is now able to login and use the system.
User account defaults are controlled through the /etc/login.defs
configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from /etc/login.defs
file can be overridden by supplying options to the useradd
command. For example:
su -c "/usr/sbin/useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"
creates a new user account for the user luke2
with the following characteristics:
- User's full name is Luke McAlister
- User's primary group is primary
- User luke2 is also a member of additional and another groups
- /home/second is created as the home directory for luke2
TCShell
is set as the shell environment for luke2
Adding Group Accounts
To add a new group account, from the command line run:
su -c "/usr/sbin/groupadd black"
and enter the root password when prompted.
The above command creates a new group account with the group name black.
Modifying Account Parameters
To edit user account parameters, use the usermod
command. Depending on what account parameters need modification, usermod
command may need to be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:
su -c "/usr/sbin/usermod -c 'Luke McAlister' luke"
Enter the root password at the password prompt.
This alters the account information in /etc/passwd
file, placing the user's full name in the fifth field. The line changes from:
luke:x:503:503::/home/luke:/bin/bash
to
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
You can also edit user's group membership using the usermod
command. When a user is created, a new group with the same name as the username is created. This group is the user's Primary Group. Files or directories created by said user inherit said users Primary Group. Use the id
command to view Primary and Secondary Group memberships:
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The above example shows that the Primary Group for the user user1, is gid 500 (user1). The user1 user is also a member of the wheel Secondary Group. Primary Groups are defined in /etc/passwd
:
user1:x:500:500:UserOne:/home/user1:/bin/bash
The fourth field shows the Primary Group ID (500) for the user. The /etc/passwd
file uses the following syntax: account:password:UID:GID:GECOS:directory:shell
The Primary Group can be temporarily changed using the newgrp
command. However, the user must already be a member of the group specified:
newgrp testing
The results can be seen using the id
and touch
commands:
id uid=500(user1) gid=502(testing) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
Note, the Primary Group is now gid 502 (testing).
touch file1 ls -l file1 -rw-r--r-- 1 user1 testing 0 2007-10-13 20:31 file1
The file1
file belongs to the testing group instead of the user1 group. Type exit
to return to your original Primary Group; the output of the exit
command is exit
:
exit exit id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The Primary Group is now back to user1. Also note the id
command has not displayed the testing group. Changes to group membership require you to log out and then log in, before the changes are displayed using the id
and groups
commands. Users can also be members of Secondary Groups. Secondary groups are defined in /etc/group
. Use the groups
and id
commands to view group membership:
groups user1 wheel testing
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
To add a user to a Secondary Group, use the following command:
su -c "/usr/sbin/usermod -a -G <group> <username>"
Enter the root password when prompted.
This adds the user specified with <username> to the Secondary Group specified in <group>. To add a user to multiple Secondary Groups list the group names in comma-separated form:
su -c "/usr/sbin/usermod -a -G <group1>,<group2>,<group3> <username>"
Enter the root password when prompted.
Removing a user from a group is a bit different. Use the usermod
command without the -a
append switch to specify the group memberships you want to keep. For example, if the mentioned user is a member of group1, group2, group3, and group4, but wants to be removed from group4, the user should run the following command:
su -c "/usr/sbin/usermod -G group1,group2,group3 <username>"
This command keeps the user's group memberships of group1, group2, and group3, while removing membership from the group4.
For a full list of available command options, refer to the usermod(8)
manual page.
Modifying Group Accounts
To modify group account parameters, use the groupmod
command. This command can change two group account parameters, the group ID (GID) and group name. To change the group ID (GID) of the group black, run:
su -c "/usr/sbin/groupmod -g 600 black"
Once prompted, enter the root password. This command changes the GID of the group black
to 600. If you do not use -o
option, the GID numerical value supplied to the command must be unique.
To assign a new name to the group account, run:
su -c "/usr/sbin/groupmod -n blue black"
Enter the root password at the prompt. This changes the group's name from black to blue.
Changing Password Expiration Information
To change the user's password expiration information, use the chage
command. This command changes the number of days between password changes and the date of the last password change and is used by the system to determine when the user is forced to change the password. For example, to set the number of days the password of the user dan to be valid for 90 days (three months), run:
su -c "chage -M 90 dan"
Enter the root password at the prompt. The above option is usually used in conjunction with -W
option, which sets the number of days before expiration the user is warned about the pending expiration:
su -c "chage -W 10 -M 90 dan"
Enter the root password when prompted. The above command forces the user dan to change the password after 90 days. User dan is warned about this every day, starting 10 days before the password expiration.
Account Management - Using A Graphical User Interface
This section explains how to manage user and group accounts using a graphical user interface (GUI). User Manager is the application used to create and manage user and group accounts.
To start User Manager, select System > Administration > Users and groups from the main panel menu or from the command line, run system-config-users
and enter the root password at the prompt.
File:Docs Drafts AdministrationGuide UserAccounts usermanager.png
By default, User Manager does not display system accounts. To enable the listing of system accounts, from the main menu select Edit > Preferences
File:Docs Drafts AdministrationGuide UserAccounts usermanagerprefs.png
and uncheck the box next to Hide system users and groups. You can use the Preferences window to modify the default behavior of automatically assigning the next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.
To search for the user, enter first few letters of the username in the search filter field and click the Apply filter button.
You can sort the users list by clicking on the column name. Text fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.
Adding A New User
To add a new account click the Add User button on the main toolbar.
File:Docs Drafts AdministrationGuide UserAccounts newuser.png
Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora - /bin/bash
is default shell, /home/<username>
is created as user's home directory, private group with the same name will be created for user and next available UID will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account.
Adding A New Group
To list the existing groups in the User Manager window click on the Groups tab. The same rules apply for sorting available columns and searching for a particular group as applied to the Users tab.
File:Docs Drafts AdministrationGuide UserAccounts groupstab.png
To create a new group, click the Add Group button on the main toolbar of the User Manager.
File:Docs Drafts AdministrationGuide UserAccounts addgroup.png
Type the group name in the Group Name field and click [OK] . By default, the new group will be added with the next available GID. You can manually change this behavior by checking the box Specify group ID manually and selecting a different, unused number from the list.
Modifying User Accounts
File:Docs Drafts AdministrationGuide UserAccounts usermanagerselect.png
To display the properties of a user account, select the account from the list and click the Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesdata.png
You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.
Click the Account info tab:
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesaccinfo.png
Check the Enable account expiration box and enter the date on which you want the user account to expire. Check the Local password is locked box to lock the user account.
Click the Password info tab.
File:Docs Drafts AdministrationGuide UserAccounts userpropertiespwd.png
The time of the last password change is now displayed. Check the Enable password expiration box, allowing you to disable any user-initiated password changes, force the user to change their password, and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days.
Click the Groups tab.
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesgrp.png
Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.
Modifying Group Accounts
To modify group accounts select the group from the Groups tab of the User Manager
File:Docs Drafts AdministrationGuide UserAccounts usermanagergrpselect.png
To view group properties, click the Properties button on the main toolbar. The Group Properties window opens
File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesdata.png
with the Group Data tab in focus. To change the group name, edit text in the Group Name field.
Click the Group Users tab.
File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesusers.png
To add users to this group, check the box next to appropriate user names on the list.
Additional Information
For additional help and more information on managing user accounts look at:
Websites
username and password guidelines
username and group file(s) information
Manual Pages
- passwd(1) ---Learn more about the file format information for the
/etc/passwd
file. - group(5) ---Learn more about the file format information for the
/etc/group
file. - shadow(5) ---Learn more about the file format information for the
/etc/shadow
file. - useradd(8) ---Learn how to create or update user accounts.
- userdel(8) ---Learn how to delete user accounts.
- usermod(8) ---Learn how to modify user accounts.
- chpasswd(8) ---Learn how to batch update user passwords.
- chage(1) ---Learn how to change user password aging information.
- chfn(1) ---Learn how to change a user's GECOS (finger) information.
- chsh(1) ---Learn how to change a user's login shell.
- groupadd(8) ---Learn how to create a new group.
- groupdel(8) ---Learn how to delete a group.
- groupmod(8) ---Learn how to modify a group.
- gpasswd(1) ---Learn how to administer the
/etc/group
and/etc/gshadow
files. - grpck(1) ---Learn how to verify the integrity of the
/etc/group
and/etc/gshadow
files. - chgrp(1) ---Learn how to change group-level ownership.
- chmod(1) ---Learn how to change file access permissions.
- chown(1) ---Learn how to change file owner and group.