Chapter 9. Managing users and groups

Preventing unauthorized access to files and processes requires an accurate user and group management. If you do not manage accounts centrally or you require a user account or group only on a specific system, you can create them locally on this host.

9.1. Introduction to managing user and group accounts

The control of users and groups is a core element of Red Hat Enterprise Linux (RHEL) system administration. Each RHEL user has distinct login credentials and can be assigned to various groups to customize their system privileges.

9.1.1. Introduction to users and groups

A user who creates a file is the owner of that file and the group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and those outside that group. The file owner can be changed only by the root user. Access permissions to the file can be changed by both the root user and the file owner. A regular user can change group ownership of a file they own to a group of which they are a member of.

Each user is associated with a unique numerical identification number called user ID ( UID ). Each group is associated with a group ID ( GID ). Users within a group share the same permissions to read, write, and execute files owned by that group.

9.1.2. Configuring reserved user and group IDs

RHEL reserves user and group IDs below 1000 for system users and groups. You can find the reserved user and group IDs in the setup package. To view reserved user and group IDs, use:

cat /usr/share/doc/setup*/uidgid

It is recommended to assign IDs to the new users and groups starting at 5000, as the reserved range can increase in the future.

To make the IDs assigned to new users start at 5000 by default, modify the UID_MIN and GID_MIN parameters in the /etc/login.defs file.

Procedure

To modify and make the IDs assigned to new users start at 5000 by default:

1. Open the /etc/login.defs file in an editor of your choice.
2. Find the lines that define the minimum value for automatic UID selection.

# Min/max values for automatic uid selection in useradd # UID_MIN 1000

# Min/max values for automatic uid selection in useradd # UID_MIN 5000

# Min/max values for automatic gid selection in groupadd # GID_MIN 1000

# Min/max values for automatic gid selection in groupadd # GID_MIN 5000

The UID’s and GID’s of users and groups created before you changed the UID_MIN and GID_MIN values do not change.

Do not raise IDs reserved by the system above 1000 by changing SYS_UID_MAX to avoid conflict with systems that retain the 1000 limit.

9.1.3. User private groups

RHEL uses the user private group ( UPG ) system configuration, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. The user private group has the same name as the user for which it was created and that user is the only member of the user private group.

UPGs simplify the collaboration on a project between multiple users. In addition, UPG system configuration makes it safe to set default permissions for a newly created file or directory, as it allows both the user, and the group this user is a part of, to make modifications to the file or directory.

A list of all groups is stored in the /etc/group configuration file.

9.2. Getting started with managing user accounts

Red Hat Enterprise Linux is a multi-user operating system, which enables multiple users on different computers to access a single system installed on one machine. Every user operates under its own account, and managing user accounts thus represents a core element of Red Hat Enterprise Linux system administration.

The following are the different types of user accounts:

• Normal user accounts: Normal accounts are created for users of a particular system. Such accounts can be added, removed, and modified during normal system administration.
• System user accounts: System user accounts represent a particular applications identifier on a system. Such accounts are generally added or manipulated only at software installation time, and they are not modified later.

System accounts are presumed to be available locally on a system. If these accounts are configured and provided remotely, such as in the instance of an LDAP configuration, system breakage and service start failures can occur.

9.2.1. Managing accounts and groups using command line tools

Use the following basic command-line tools to manage user accounts and groups.

• To display user and group IDs:

$ id uid=1000(example.user) gid=1000(example.user) groups=1000(example.user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

# useradd example.user

# passwd example.user

# usermod -a -G example.group example.user

Additional resources

• man useradd(8) , man passwd(1) , and man usermod(8)

9.3. Managing users from the command line

You can manage users and groups using the command-line interface ( CLI ). This enables you to add, remove, and modify users and user groups in Red Hat Enterprise Linux environment.

9.3.1. Adding a new user from the command line

You can use the useradd utility to add a new user.

Prerequisites

Procedure

To add a new user, use:

# useradd options username

Replace options with the command-line options for the useradd command, and replace username with the name of the user.

# useradd -u 5000 sarah

Verification

To verify the new user is added, use the id utility.

# id sarah

uid=5000(sarah) gid=5000(sarah) groups=5000(sarah)

Additional resources

9.3.2. Adding a new group from the command line

You can use the groupadd utility to add a new group.

Prerequisites

Procedure

To add a new group, use:

# groupadd options group-name

Replace options with the command-line options for the groupadd command, and replace group-name with the name of the group.

# groupadd -g 5000 sysadmins

Verification

To verify the new group is added, use the tail utility.

# tail /etc/group

sysadmins:x:5000:

Additional resources

• groupadd man page

9.3.3. Adding a user to a supplementary group from the command line

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

Procedure

To add a group to the supplementary groups of the user, use:

# usermod --append -G group-name username

# usermod --append -G system-administrators sysadmin

Verification

To verify the new groups is added to the supplementary groups of the user sysadmin , use:

# groups sysadmin

sysadmin : sysadmin system-administrators

9.3.4. Creating a group directory

Under the UPG system configuration, you can apply the set-group identification permission ( setgid bit) to a directory. The setgid bit makes managing group projects that share a directory simpler. When you apply the setgid bit to a directory, files created within that directory are automatically assigned to a group that owns the directory. Any user that has the permission to write and execute within this group can now create, modify, and delete files in the directory.

The following section describes how to create group directories.

Prerequisites

Procedure

Create a directory:

# mkdir directory-name

# groupadd group-name

# usermod --append -G group-name username

# chgrp group-name directory-name

# chmod g+rwxs directory-name

Verification

To verify the correctness of set permissions, use:

# ls -ld directory-name

drwxrwsr-x. 2 root group-name 6 Nov 25 08:45 directory-name

9.3.5. Removing a user on the command line

You can remove a user account using the command line. In addition to removing the user account, you can optionally remove the user data and metadata, such as their home directory and configuration files.

Prerequisites

• You have root access.
• The user currently exists.
• Ensure that the user is logged out:

# loginctl terminate-user user-name

Procedure

To only remove the user account, and not the user data:

# userdel user-name

1. Remove the user, their home directory, their mail spool, and their SELinux user mapping:

# userdel --remove --selinux-user user-name

# rm -rf /var/lib/AccountsService/users/user-name

This directory stores information that the system needs about the user before the home directory is available. Depending on the system configuration, the home directory might not be available until the user authenticates at the login screen.

If you do not remove this directory and you later recreate the same user, the recreated user will still use certain settings inherited from the removed user.

Additional resources

• The userdel(8) man page.

9.4. Managing user accounts in the web console

The RHEL web console provides a graphical interface for adding, editing, and removing system user accounts.

You can also set password expiration and terminate user sessions in the web console.

9.4.1. Adding new accounts by using the web console

You can add user accounts to the system and set administration rights to the accounts through the RHEL web console.

Prerequisites

• You have installed the RHEL 9 web console. For instructions, see Installing and enabling the web console.

Procedure

1. Log in to the RHEL 9 web console. For details, see Logging in to the web console.
2. Click Accounts .
3. Click Create New Account .
4. In the Full Name field, enter the full name of the user. The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.
5. In the Password/Confirm fields, enter the password and retype it for verification that your password is correct. The color bar below the fields shows you the security level of the entered password, which does not allow you to create a user with a weak password.
6. Click Create to save the settings and close the dialog box.
7. Select the newly created account.
8. In the Groups drop-down menu, select the groups that you want to add to the new account. Now you can see the new account in the Accounts settings and you can use its credentials to connect to the system.

9.4.2. Enforcing password expiration in the web console

By default, user accounts have set passwords to never expire. You can set system passwords to expire after a defined number of days. When the password expires, the next login attempt will prompt for a password change.

Prerequisites

• You have installed the RHEL 9 web console. For instructions, see Installing and enabling the web console.

Procedure

1. Log in to the RHEL 9 web console.
2. Click Accounts .
3. Select the user account for which you want to enforce password expiration.
4. Click edit on the Password line.
5. In the Password expiration dialog box, select Require password change every …​ days and enter a positive whole number representing the number of days after which the password expires.
6. Click Change . The web console immediately shows the date of the future password change request on the Password line.

9.5. Editing user groups using the command line

A user belongs to a certain set of groups that allow a logical collection of users with a similar access to files and folders. You can edit the primary and supplementary user groups from the command line to change the user’s permissions.

9.5.1. Primary and supplementary user groups

A group is an entity which ties together multiple user accounts for a common purpose, such as granting access to particular files.

On Linux, user groups can act as primary or supplementary. Primary and supplementary groups have the following properties:

• Every user has just one primary group at all times.
• You can change the user’s primary group.

• You can add an existing user to an existing supplementary group to manage users with the same security and access privileges within the group.
• Users can be members of zero or multiple supplementary groups.

9.5.2. Listing the primary and supplementary groups of a user

You can list the groups of users to see which primary and supplementary groups they belong to.

Procedure

Display the names of the primary and any supplementary group of a user:

$ groups user-name

Replace user-name with the name of the user. If you do not provide a user name, the command displays the group membership for the current user. The first group is the primary group followed by the optional supplementary groups.

$ groups sarah

sarah : sarah wheel developer

$ groups marc

marc : marc

9.5.3. Changing the primary group of a user

You can change the primary group of an existing user to a new group.

Prerequisites:

1. root access
2. The new group must exist

Procedure

Change the primary group of a user:

# usermod -g group-name user-name

Replace group-name with the name of the new primary group, and replace user-name with the name of the user.

When you change a user’s primary group, the command also automatically changes the group ownership of all files in the user’s home directory to the new primary group. You must fix the group ownership of files outside of the user’s home directory manually.

If the user sarah belongs to the primary group sarah1 , and you want to change the primary group of the user to sarah2 , use:

# usermod -g sarah2 sarah

Verification

Verify that you changed the primary group of the user:

$ groups sarah

sarah : sarah2

9.5.4. Adding a user to a supplementary group from the command line

You can add a user to a supplementary group to manage permissions or enable access to certain files or devices.

Prerequisites

Procedure

To add a group to the supplementary groups of the user, use:

# usermod --append -G group-name username

# usermod --append -G system-administrators sysadmin

Verification

To verify the new groups is added to the supplementary groups of the user sysadmin , use:

# groups sysadmin

sysadmin : sysadmin system-administrators

9.5.5. Removing a user from a supplementary group

You can remove an existing user from a supplementary group to limit their permissions or access to files and devices.

Prerequisites

Procedure

Remove a user from a supplementary group:

# gpasswd -d user-name group-name

Replace user-name with the name of the user, and replace group-name with the name of the supplementary group.

If the user sarah has a primary group sarah2 , and belongs to the secondary groups wheel and developers , and you want to remove that user from the group developers , use:

# gpasswd -d sarah developers

Verification

Verify that you removed the user sarah from the secondary group developers:

$ groups sarah

sarah : sarah2 wheel

9.5.6. Changing all of the supplementary groups of a user

You can overwrite the list of supplementary groups that you want the user to remain a member of.

Prerequisites

• root access
• The supplementary groups must exist

Procedure

Overwrite a list of user’s supplementary groups:

# usermod -G group-names username

Replace group-names with the name of one or more supplementary groups. To add the user to several supplementary groups at once, separate the group names using commas and no intervening spaces. For example: wheel,developer . Replace user-name with the name of the user.

If the user is currently a member of a group that you do not specify, the command removes the user from the group.

If the user sarah has a primary group sarah2 , and belongs to the supplementary group wheel , and you want the user to belong to three more supplementary groups developer , sysadmin , and security , use:

# usermod -G wheel,developer,sysadmin,security sarah

Verification

Verify that you set the list of the supplementary groups correct:

# groups sarah

sarah : sarah2 wheel developer sysadmin security

9.6. Changing and resetting the root password

If the existing root password is no longer satisfactory or is forgotten, you can change or reset it both as the root user and a non-root user.

9.6.1. Changing the root password as the root user

You can use the passwd command to change the root password as the root user.

Prerequisites

Procedure

To change the root password, use:

# passwd

9.6.2. Changing or resetting the forgotten root password as a non-root user

You can use the passwd command to change or reset the forgotten root password as a non-root user.

Prerequisites

• You are able to log in as a non-root user.
• You are a member of the administrative wheel group.

Procedure

To change or reset the root password as a non-root user that belongs to the wheel group, use:

$ sudo passwd root

9.6.3. Resetting the root password on boot

If you are unable to log in as a non-root user or do not belong to the administrative wheel group, you can reset the root password on boot by switching into a specialized chroot jail environment.

Procedure

Reboot the system and, on the GRUB 2 boot screen, press the e key to interrupt the boot process. The kernel boot parameters appear.

load_video set gfx_payload=keep insmod gzio linux ($root)/vmlinuz-5.14.0-70.22.1.e19_0.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet initrd ($root)/initramfs-5.14.0-70.22.1.e19_0.x86_64.img $tuned_initrd

linux ($root)/vmlinuz-5.14.0-70.22.1.e19_0.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet

linux ($root)/vmlinuz-5.14.0-70.22.1.e19_0.x86_64 root=/dev/mapper/rhel-root ro crash\ kernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv/swap rhgb quiet rd.break

mount -o remount,rw /sysroot

chroot /sysroot

passwd

touch /.autorelabel

exit

exit

Verification

1. To verify that the root password is successfully changed, log in as a normal user and open the Terminal.
2. Run the interactive shell as root:

$ su

# whoami