Groups and Users
This article explains how to create, modify and remove local groups and users on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
Groups
Groups allow multiple users with similar security and access levels to be linked, making management of those users easier. A local group is created with the groupadd command.
# groupadd dba
The group information is visible in the “/etc/group” file. Each group has a GID. If this is not assigned explicitly, the next largest number is used. We can see the group we just defined has been assigned the GID of 500.
# cat /etc/group | grep dba
dba:x:500:
#
If you have the same groups across multiple servers it makes sense to set the GID explicitly to make sure it is the same across all servers.
# groupadd -g 1000 dba
Existing groups are modified using the groupmod command.
# groupmod -g 2000 dba
# groupmod -n new_dba dba
Groups are deleted using the groupdel command.
# groupdel new_dba
Users
The useradd command creates new local users.
# useradd oracle
The user details are visible in the “/etc/passwd” file. If no UID is specified, the next largest UID is assigned. A new group with a group name matching the user name is also created. By default, the user’s home directory is created under the “/home” directory and the shell is “/bin/bash”.
# cat /etc/passwd | grep oracle
oracle:x:500:500::/home/oracle:/bin/bash
# cat /etc/group | grep oracle
oracle:x:500:
#
As with groups, if you have the same user across several servers it makes sense to explicitly define a UID so it matches on all servers. If the users should be assigned to an existing group, this can be done while creating the user also.
# groupadd -g 1000 dba
# useradd -G dba -u 2000 tim_hall
# cat /etc/passwd | grep tim_hall
tim_hall:x:2000:2000::/home/tim_hall:/bin/bash
# cat /etc/group | grep tim_hall
dba:x:1000:tim_hall
tim_hall:x:2000:
#
There are flags to alter the default shell (-s) and default home directory (-d), but for the most part these should be unnecessary.
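The reason for setting UIDs and GIDs explicitly is that an id allocated with the “next largest number” rule can differ from host to host, and on shared storage a file owned by “oracle” on one server then shows up as owned by somebody else on the next. The script below is an added example, not from the original article: it reads constructed /etc/passwd and /etc/group excerpts standing in for two hosts, reports accounts whose ids differ, shows the id useradd/groupadd would pick without -u/-g, and prints (does not run) the usermod/groupmod commands that would bring the second host into line. The host names, ids and the “backup” account are made up for the example.

```shell
#!/bin/sh
# Added example: audit UID/GID consistency between two hosts' passwd/group files.
# Constructed excerpts standing in for /etc/passwd and /etc/group on two servers.
HOST1_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:500:500::/home/oracle:/bin/bash
tim_hall:x:2000:2000::/home/tim_hall:/bin/bash'
HOST2_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:501:501::/home/oracle:/bin/bash
tim_hall:x:2000:2000::/home/tim_hall:/bin/bash
backup:x:502:502::/home/backup:/bin/bash'
HOST1_GROUP='root:x:0:
dba:x:1000:tim_hall
oracle:x:500:
tim_hall:x:2000:'
HOST2_GROUP='root:x:0:
dba:x:1001:tim_hall
oracle:x:501:
tim_hall:x:2000:'

# id_of NAME TEXT -> third colon-separated field of NAME (UID in passwd, GID in group)
id_of() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# next_free_id TEXT MIN -> what useradd/groupadd picks without -u/-g: one more than
# the largest id at or above MIN (the "next largest number"), or MIN if none exists.
next_free_id() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '
        $3+0 >= min && $3+0 > max { max = $3+0 }
        END { print (max >= min ? max + 1 : min) }'
}

# mismatched_ids TEXT_A TEXT_B -> "name id_a id_b" for each name in both whose ids differ
mismatched_ids() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r name; do
        a=$(id_of "$name" "$1")
        b=$(id_of "$name" "$2")
        if [ -n "$b" ] && [ "$a" != "$b" ]; then
            printf '%s %s %s\n' "$name" "$a" "$b"
        fi
    done
}

# reconcile_commands -> groupmod/usermod lines that would make HOST2 match HOST1.
# They are printed for review, not executed: changing an id does not re-own files
# already on disk, so a find/chown pass is still needed afterwards.
reconcile_commands() {
    mismatched_ids "$HOST1_GROUP"  "$HOST2_GROUP"  | awk '{ printf "groupmod -g %s %s\n", $2, $1 }'
    mismatched_ids "$HOST1_PASSWD" "$HOST2_PASSWD" | awk '{ printf "usermod -u %s %s\n", $2, $1 }'
}

echo "Accounts with differing UIDs:";  mismatched_ids "$HOST1_PASSWD" "$HOST2_PASSWD"
echo "Groups with differing GIDs:";    mismatched_ids "$HOST1_GROUP"  "$HOST2_GROUP"
echo "Next UID useradd would pick on host1: $(next_free_id "$HOST1_PASSWD" 500)"
echo "Commands to reconcile host2:";   reconcile_commands
```

On a real pair of servers the two texts would come from “getent passwd” and “getent group” on each host rather than from inline strings; the comparison logic is unchanged.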
Most of the user details can be modified using the usermod command.
# usermod -s /bin/ksh tim_hall
# usermod -a -G oinstall tim_hall
The passwd command is used to set the password for a specified user, or the current user if no user name is specified.
# passwd tim_hall
Changing password for user tim_hall.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
#
The userdel command removes a user. The “-f” option deletes the user even if the user is currently logged in. The “-r” flag removes the user’s home directory.
# userdel -r tim_hall
When logged in as the “root” user, the command prompt will display a “#” symbol. For ordinary users, the “$” symbol is displayed.
Password expiry
Password expiry (ageing) is controlled using the chage command. To check the current password expiry information use the “-l” option.
# useradd tim_hall
# chage -l tim_hall
Last password change : Mar 01, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
#
There are a number of options available, but the most commonly used ones are shown below.
# # Set the days before change required (-M) and the number of days warning (-W)
# chage -M 30 -W 5 tim_hall
# # Immediately expire a password.
# chage -d 0 tim_hall
Changes are visible using the “-l” list option again.
# chage -l tim_hall
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 30
Number of days of warning before password expires : 5
#
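The values chage displays are read from /etc/shadow: field 3 is the day of the last password change (days since 1970-01-01, with 0 meaning “password must be changed”, which is what “chage -d 0” writes), field 5 is the maximum age set by -M, and field 6 is the warning period set by -W. The script below is an added example, not from the original article: it classifies constructed shadow records the way “chage -l” would and lists every account that is locked, expired, about to expire or never expires. The account names and the placeholder hashes are made up; the date 15400 is chosen because it is 2012-03-01, the “Last password change” date shown above.

```shell
#!/bin/sh
# Added example: classify password-ageing state from /etc/shadow-format records.
# Constructed records; the hashes are placeholders, not real password hashes.
# Day 15400 = 2012-03-01. svc_backup has "!!" as its hash: no password has ever been set.
SHADOW='root:$6$placeholder:15400:0:99999:7:::
tim_hall:$6$placeholder:0:0:30:5:::
oracle:$6$placeholder:15380:0:30:5:::
alice:$6$placeholder:15360:0:30:5:::
carol:$6$placeholder:15373:0:30:5:::
svc_backup:!!:15400:0:99999:7:::'
TODAY=15400

# password_status NAME SHADOW_TEXT TODAY_DAYS -> one of
#   locked | must-change | never-expires | expired | expiring:N | ok
password_status() {
    printf '%s\n' "$2" | awk -F: -v u="$1" -v today="$3" '
        $1 != u { next }
        {
            hash = $2; last = $3; max = $5; warn = $6 + 0
            if (hash ~ /^[!*]/)  { print "locked"; exit }        # "!!" from useradd, or passwd -l
            if (last == "0")     { print "must-change"; exit }   # chage -d 0
            if (last == "" || max == "" || max + 0 >= 99999) {
                print "never-expires"; exit                      # ageing effectively off
            }
            left = last + max - today                            # days until a change is forced
            if (left < 0)        { print "expired"; exit }
            if (left <= warn)    { print "expiring:" left; exit } # inside the -W window
            print "ok"; exit
        }'
}

# shadow_audit SHADOW_TEXT TODAY_DAYS -> "name status" for every account that is not "ok"
shadow_audit() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r name; do
        s=$(password_status "$name" "$1" "$2")
        if [ "$s" != ok ]; then
            printf '%s %s\n' "$name" "$s"
        fi
    done
}

shadow_audit "$SHADOW" "$TODAY"
```

On a live system the same functions can be fed “cat /etc/shadow” (as root) and today’s day number from “expr $(date +%s) / 86400”; “never-expires” entries for interactive accounts are the ones worth a “chage -M” follow-up.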
User Manager
The “User Manager” dialog is a GUI tool to manage users and groups. It can be started from the menu (System > Administration > Users and Groups) or by running the system-config-users command.
Highlighting a specific user and clicking the “Properties” button allows you to amend the user information, account expiration, password expiration and group selection.
Switching Users
The su command allows you to switch users. Including the “-” option makes the shell a login shell, so you also get the new user’s profile information set.
# su oracle
# su - oracle
If no user is specified, it is assumed you are trying to switch to the “root” user.
$ su -
Password:
#
Use the logout or exit command to return to the original shell.
The “-c” option allows you to pass a single command to the shell to be executed. This command could also be a saved script, or a script defined inline.
# su - oracle -c "touch /tmp/test_file1.txt"
# ls -al /tmp/test_file1.txt
-rw-rw-r--. 1 oracle oracle 0 Mar 2 16:17 /tmp/test_file1.txt
#
# su - oracle -c "echo 'touch /tmp/test_file2.txt' >> /tmp/myscript.sh; chmod u+x /tmp/myscript.sh"
# ls -al /tmp/myscript.sh
-rwxrw-r--. 1 oracle oracle 26 Mar 2 16:41 /tmp/myscript.sh
#
# su - oracle -c /tmp/myscript.sh
# ls -al /tmp/test_file2.txt
-rw-rw-r--. 1 oracle oracle 0 Mar 2 16:42 /tmp/test_file2.txt
#
Important Files
The “/etc/profile” file contains system wide environment settings and runs all the scripts in the “/etc/profile.d” directory. If you want to make global changes, it is better to define a new “/etc/profile.d/custom.sh” file containing the changes, rather than editing the “/etc/profile” file directly.
When you create a new user with the useradd command, the files in the “/etc/skel” directory are copied into the user’s home directory.
# ls -al /etc/skel
total 36
drwxr-xr-x. 4 root root 4096 Feb 25 14:11 .
drwxr-xr-x. 113 root root 12288 Mar 1 14:38 ..
-rw-r--r--. 1 root root 18 Mar 29 2011 .bash_logout
-rw-r--r--. 1 root root 176 Mar 29 2011 .bash_profile
-rw-r--r--. 1 root root 124 Mar 29 2011 .bashrc
drwxr-xr-x. 2 root root 4096 Nov 20 2010 .gnome2
drwxr-xr-x. 4 root root 4096 Feb 25 14:06 .mozilla
#
Of these files, probably the most commonly used is the “.bash_profile” file, typically for setting environment variables.
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME
ORACLE_SID=ORCL; export ORACLE_SID
PATH=$ORACLE_HOME/bin:$PATH; export PATH
The “.bash_profile” file sources the “.bashrc” file, which is typically used for functions and aliases, although they can be placed in the “.bash_profile” file if you wish.
alias rm='rm -i'
The first thing the “.bashrc” does is source the “/etc/bashrc” file, which contains system-wide functions and aliases.
It’s worth spending a little time looking through the contents of these files to look at the inter-dependencies, but much of the time I only edit the “.bash_profile” files in the individual user home directories.
LDAP
Companies often hold group information and user credentials in a centralized LDAP server. Linux can use LDAP, rather than local user and group information. Make sure the necessary packages are installed.
# yum install openldap-clients authconfig-gtk
The “Authentication Configuration” dialog is available from the menu (System > Administration > Authentication) or by running the system-config-authentication command from the command line.
Change the “User Account Database” setting to “LDAP”. The screen will alter to allow the entry of LDAP server information.
Passwordless Login
On the client, issue the following command and accept all the defaults.
ssh-keygen -t rsa
Push the public key in the “~/.ssh/id_rsa.pub” file on the client to the “~/.ssh/authorized_keys” file on the server.
cat ~/.ssh/id_rsa.pub | ssh my_user@my-server "cat >> .ssh/authorized_keys"
Make sure the permissions are correct on the server.
ssh my_user@my-server "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
You will now be able to SSH from the client to the server without a password.
ssh my_user@my-server
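The permission step matters because sshd runs with StrictModes enabled by default and silently ignores an authorized_keys file, or a “.ssh” directory, that is writable by the group or by others; the usual symptom is that the login still prompts for a password. The script below is an added example, not from the original article: it checks a home directory for the permissions the commands above set and verifies that every entry in authorized_keys is a well-formed public key line. It builds two constructed home directories in a temporary location (one correct, one deliberately too open) to run the check against; the key blob in them is made-up text, not a real key, and the check does not handle entries that carry a leading options field such as “command=”.

```shell
#!/bin/sh
# Added example: verify the server-side permissions and key format that make
# key-based SSH login work under sshd's default StrictModes setting.

# mode_bits PATH -> the nine permission characters from ls -ld, e.g. rwx------
mode_bits() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_perms HOME_DIR -> 0 if .ssh and authorized_keys are acceptable, 1 otherwise,
# printing one line per problem found.
check_ssh_perms() {
    dir="$1/.ssh"; keys="$dir/authorized_keys"; rc=0
    if [ ! -d "$dir" ]; then echo "missing $dir"; return 1; fi
    case "$(mode_bits "$dir")" in
        ???------) ;;                                   # 700: only the owner may enter
        *) echo "$dir is group/world accessible: $(mode_bits "$dir")"; rc=1 ;;
    esac
    if [ ! -f "$keys" ]; then echo "missing $keys"; return 1; fi
    case "$(mode_bits "$keys")" in
        ????-??-?) ;;                                   # no group or world write bit (640 passes)
        *) echo "$keys is group/world writable: $(mode_bits "$keys")"; rc=1 ;;
    esac
    # Every non-blank, non-comment line must look like "<keytype> <base64 blob> [comment]".
    bad=$(grep -v '^#' "$keys" | grep -v '^[[:space:]]*$' \
          | grep -Evc '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' || true)
    if [ "$bad" -ne 0 ]; then echo "$keys: $bad malformed key line(s)"; rc=1; fi
    return $rc
}

# Constructed fixtures: two throw-away home directories, removed when the script exits.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
GOOD_HOME="$DEMO/good"; BAD_HOME="$DEMO/bad"
KEY_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlob0000000000000000 my_user@client'
for h in "$GOOD_HOME" "$BAD_HOME"; do
    mkdir -p "$h/.ssh"
    printf '%s\n' "$KEY_LINE" > "$h/.ssh/authorized_keys"
done
chmod 700 "$GOOD_HOME/.ssh"; chmod 640 "$GOOD_HOME/.ssh/authorized_keys"   # as in the article
chmod 755 "$BAD_HOME/.ssh";  chmod 664 "$BAD_HOME/.ssh/authorized_keys"    # too open
printf 'this is not a key\n' >> "$BAD_HOME/.ssh/authorized_keys"            # malformed entry

check_ssh_perms "$GOOD_HOME" && echo "good: accepted"
check_ssh_perms "$BAD_HOME"  || echo "bad: rejected"
```

To check a real account, call check_ssh_perms with that account’s home directory (for example, check_ssh_perms /home/my_user) on the server; the home directory itself must also not be group- or world-writable, which the function above does not test.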
For more information see: