Account Management - Command Line Interface

This section explains how to add new accounts and change account parameters using command line utilities.

Adding Accounts

To add a new user account from the command line run:

su -c "/usr/sbin/useradd luke"

Enter the root password when prompted.

The above command creates a new user account with the username luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash. (These are Fedora defaults for user accounts.)

Command from the example above can be run as su -c "useradd luke". For this to work, edit your ~/.bash_profile, to include /usr/sbin in the PATH statement. The following sections assume that you have made the above modification, so the shorter form of the command is shown from this point forward.

Upon creation, the user account is locked. To unlock the account, run:

su -c "passwd luke"

To set user's password, enter the root password at the first password prompt. You are then be presented with the following:

Changing password for user luke.
New UNIX password:

Type in what you want the user's password to be (remember passwords are case sensitive) and press [Enter] . Prompt changes to:

Retype new UNIX password:

Type the same password again and press [Enter] . Prompt returns:

passwd: all authentication tokens updated successfully.

User luke is now able to logon and use the system.

Choose passwords wisely!
Passwords are an essential element of system security. Avoid using dictionary words and use a combination of lower and upper case letters, numbers and special characters.

User account defaults are controlled through the /etc/login.defs configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from /etc/login.defs file can be overridden by supplying options to the useradd command. For example:

su -c "useradd -c "Luke McAlister" -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"

creates a new user account for the user luke2 with the following characteristics:

• user's full name is Luke McAlister
• user's primary group is primary
• user luke2 is also a member of additional and another groups
• /home/second is created as the home directory for luke2
• TCShell is set as the shell environment for luke2

For the full list of available command options, refer to useradd(8) manual page.

Adding Group Accounts

To add a new group account, from the command line run:

su -c "groupadd black"

and enter the root password when prompted.

The above command creates a new group account with the group name black.

Modifying Account Parameters

To edit user account parameters, use the usermod command. Depending on what account parameters need modification, usermod command may need to be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:

su -c "usermod -c "Luke McAlister" luke"

Enter the root password at the password prompt.

This alters the account information in /etc/passwd file, placing the user's full name in the fifth field. The line changes from:

luke:x:503:503::/home/luke:/bin/bash

to

luke:x:503:503:Luke McAlister:/home/luke:/bin/bash

You can also edit a user's group membership using the usermod command. When a user is created, a new group with the same name as the username is created. This group is the user's Primary Group. Files or directories created by said user inherit said users Primary Group. Use the id command to view Primary and Secondary Group memberships:

id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t

The above example shows that the Primary Group for the user user1, is gid 500 (user1). The user1 user is also a member of the wheel Secondary Group. Primary Groups are defined in /etc/passwd:

user1:x:500:500:UserOne:/home/user1:/bin/bash

The fourth field shows the Primary Group ID (500) for the user. The /etc/passwd file uses the following syntax: account:password:UID:GID:GECOS:directory:shell

The Primary Group can be temporarily changed using the newgrp command. However, the user must already be a member of the group specified:

newgrp testing

The results can be seen using the id and touch commands:

id
uid=500(user1) gid=502(testing) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t

Note, the Primary Group is now gid 502 (testing).

touch file1
ls -l file1
-rw-r--r-- 1 user1 testing 0 2007-10-13 20:31 file1

The file1 file belongs to the testing group instead of the user1 group. Type exit to return to your original Primary Group; the output of the exit command is exit:

exit
exit
id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t

The Primary Group is now back to user1. Also note the id command has not displayed the testing group. Changes to group membership require you to log out and then log in, before the changes are displayed using the id and groups commands. Users can also be members of Secondary Groups. Secondary groups are defined in /etc/group. Use the groups and id commands to view group membership:

groups
user1 wheel testing

id
uid=500(user1) gid=500(user1) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t

To add a user to a Secondary Group, use the following command:

su -c "/usr/sbin/usermod -a -G <group> <username>"

Enter the root password when prompted.

This adds the user specified with <username> to the Secondary Group specified in <group>. To add a user to multiple Secondary Groups list the group names in comma-separated form:

su -c "/usr/sbin/usermod -a -G <group1>,<group2>,<group3> <username>"

Enter the root password when prompted.

Removing a user from a group is a little different. Use the usermod command without the -a append switch to specify the group memberships you want to keep. For example, if said user is a member of group1, group2, group3, and group4, but you want to remove the user from group4, run the following command:

su -c "/usr/sbin/usermod -G group1,group2,group3 <username>"

This command keeps the user's group memberships of group1, group2, and group3, while removing them from the group4 group.

For the full list of available command options, refer to the usermod(8) manual page.

Be careful with the -G command option!
If the user is a member of multiple groups, all the groups must be listed as parameters in a comma-separated form: -G <group1,group2,group3,group4>. When you omit a group name you remove the user from that group.

Modifying Group Accounts

To modify group account parameters, use the groupmod command. This command can change two group account parameters, the group ID (GID) and group name. To change the group ID (GID) of the group black, run:

su -c "groupmod -g 600 black"

Enter root password at the prompt. This command would change the GID of the group black to 600. If you do not use -o option, the GID numerical value supplied to the command must be unique.

The groupmod command does not change group ownership of files.
You must manually change group ID (GID) ownership of all the files owned by the group's previous group ID.

To assign a new name to the group account, run:

su -c "groupmod -n blue black"

Enter the root password at the prompt. This changes the group's name from black to blue.

Changing Password Expiration Information

To change the user's password expiration information use the chage command. This command changes the number of days between password changes and the date of the last password change and is used by the system to determine when the user is forced to change the password. For example, to set the number of days the password of the user dan to be valid for 90 days (three months), run:

su -c "chage -M 90 dan"

Enter the root password at the prompt. The above option is usually used in conjunction with -W option, which sets the number of days before expiration the user is warned about the pending expiration:

su -c "chage -W 10 -M 90 dan"

Enter the root password when prompted. The above command forces the user dan to change the password after 90 days. User dan is warned about this every day, starting 10 days before the password expiration.

For the full list of available command options, refer to the chage(1) manual page.

The next section explains how to manage accounts using a graphical interface.