Administration Guide Draft/UserAccounts
Creation and management of users and user groups is a fundamental practice of system administration on multi-user systems such as Linux. Each user is given an account in the system. This provides a method to distinguish different accounts in the system with associated set of privileges. Each account is further assigned a separate and secure storage area for files and preferences. With this model, each user can specify custom working environment and account specific activities.
Fedora includes two types of accounts: system and non-system accounts. System accounts include the root user and others such as the apache user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves UIDs 0-499 for system accounts. This is why they are sometimes referred to as low ID accounts.
Non-system accounts start from uid 500. These accounts are used by non-system users for performing their regular tasks. Usually, the first non-system user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide.
Process of Account Creation
This section explains what happens when a new user is added to a Fedora system.
When the system administrator executes
from the command line, the following steps occur:
1 . A new line is appended to the
/etc/passwd file and it looks similar to:
It consists of seven colon delimited fields associated with the following meaning:
- dan - this is the username
- x - this is the password field; x signifies an empty field and that an encrypted (shadow) password will be placed in
- first 502 - this is the uid (username identifier)
- second 502 - this is the gid (group identifier) of the user's primary group
- blank field - this is the "comment" field; the user's full name usually goes here
- /home/dan - this is the location of the user's home directory in the file system
/bin/bash- this is the user's default shell
2 . A new line is appended to the
/etc/shadow file and it looks similar to:
It consists of eight colon delimited fields associated with the following meaning:
- dan - this is the username
- !! - two exclamation marks indicate that the password has not been set yet and the account is locked
- 13490 - represents the number of days (since January 1, 1970) since the password was last changed
- 0 - represents the number of days before the password may be changed (0 indicates it may be changed at any time)
- 99999 - represents the number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for 274 years
- 7 - represents the number of days remaining before the users password expires (7 means a full week)
- first blank field - represents the number of days after the password expires that the account will be disabled
- second blank field - represents the number of days since January 1, 1970 that an account has been disabled
- third blank field - reserved field for possible future use
3 . A new line is appended to the
/etc/group file. It looks similar to:
The new line consists of three colon delimited fields associated with the following meaning:
- dan - this is the group name
- x - this is the group password field; x indicates that the system is using shadow passwords
- 502 - this is the gid and it matches the value of uid of the user with the same name
4 . A new line is appended to the
/etc/gshadow file. It looks similar to:
The colon delimited fields in this line indicate:
- dan - this is group name
- ! - this is group password field in which ! indicates that the group account is locked
5 . The home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.
6 . Files from the
/etc/skel directory are copied to the user's home directory (for example the
.bash_profile files which control user's default shell environment).
7 . The system administrator can now run the
/usr/bin/passwd dan command to set the user's password, this unlocks the user's account giving the user the ability to login and use the system.
Account Management - Command Line Interface
This section explains how to add new accounts and change account parameters using command line utilities.
To add a new user account from the command line run:
su -c "/usr/sbin/useradd luke"
Enter the root password when prompted.
The above command creates a new user account with the username luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to
/bin/bash. (These are Fedora defaults for user accounts.)
Upon creation, the user account is locked. To unlock the account, run:
su -c "passwd luke"
To set user's password, enter the root password at the first password prompt. You are then be presented with the following:
Changing password for user luke. New UNIX password:
Type in what you want the user's password to be (remember passwords are case sensitive) and press [Enter] . Prompt changes to:
Retype new UNIX password:
Type the same password again and press [Enter] . Prompt returns:
passwd: all authentication tokens updated successfully.
User luke is now able to logon and use the system.
User account defaults are controlled through the
/etc/login.defs configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from
/etc/login.defs file can be overridden by supplying options to the
useradd command. For example:
su -c "/usr/sbin/useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"
creates a new user account for the user
luke2 with the following characteristics:
- user's full name is Luke McAlister
- user's primary group is primary
- user luke2 is also a member of additional and another groups
- /home/second is created as the home directory for luke2
TCShellis set as the shell environment for luke2
Adding Group Accounts
To add a new group account, from the command line run:
su -c "/usr/sbin/groupadd black"
and enter the root password when prompted.
The above command creates a new group account with the group name black.
Modifying Account Parameters
To edit user account parameters, use the
usermod command. Depending on what account parameters need modification,
usermod command may need to be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:
su -c "/usr/sbin/usermod -c 'Luke McAlister' luke"
Enter the root password at the password prompt.
This alters the account information in
/etc/passwd file, placing the user's full name in the fifth field. The line changes from:
You can also edit user's group membership using the
usermod command. When a user is created, a new group with the same name as the username is created. This group is the user's Primary Group. Files or directories created by said user inherit said users Primary Group. Use the
id command to view Primary and Secondary Group memberships:
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The above example shows that the Primary Group for the user user1, is gid 500 (user1). The user1 user is also a member of the wheel Secondary Group. Primary Groups are defined in
The fourth field shows the Primary Group ID (500) for the user. The
/etc/passwd file uses the following syntax: account:password:UID:GID:GECOS:directory:shell
The Primary Group can be temporarily changed using the
newgrp command. However, the user must already be a member of the group specified:
The results can be seen using the
id uid=500(user1) gid=502(testing) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
Note, the Primary Group is now gid 502 (testing).
touch file1 ls -l file1 -rw-r--r-- 1 user1 testing 0 2007-10-13 20:31 file1
file1 file belongs to the testing group instead of the user1 group. Type
exit to return to your original Primary Group; the output of the
exit command is
exit exit id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The Primary Group is now back to user1. Also note the
id command has not displayed the testing group. Changes to group membership require you to log out and then log in, before the changes are displayed using the
groups commands. Users can also be members of Secondary Groups. Secondary groups are defined in
/etc/group. Use the
id commands to view group membership:
groups user1 wheel testing
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
To add a user to a Secondary Group, use the following command:
su -c "/usr/sbin/usermod -a -G <group> <username>"
Enter the root password when prompted.
This adds the user specified with <username> to the Secondary Group specified in <group>. To add a user to multiple Secondary Groups list the group names in comma-separated form:
su -c "/usr/sbin/usermod -a -G <group1>,<group2>,<group3> <username>"
Enter the root password when prompted.
Removing a user from a group is a little different. Use the
usermod command without the
-a append switch to specify the group memberships you want to keep. For example, if the mentioned user is a member of group1, group2, group3, and group4, but you want to remove the user from group4, then run the following command:
su -c "/usr/sbin/usermod -G group1,group2,group3 <username>"
This command keeps the user's group memberships of group1, group2, and group3, while removing membership from the group4.
For the full list of available command options, refer to the
usermod(8) manual page.
Modifying Group Accounts
To modify group account parameters, use the
groupmod command. This command can change two group account parameters, the group ID (GID) and group name. To change the group ID (GID) of the group black, run:
su -c "/usr/sbin/groupmod -g 600 black"
Enter root password at the prompt. This command would change the GID of the group
black to 600. If you do not use
-o option, the GID numerical value supplied to the command must be unique.
To assign a new name to the group account, run:
su -c "/usr/sbin/groupmod -n blue black"
Enter the root password at the prompt. This changes the group's name from black to blue.
Changing Password Expiration Information
To change the user's password expiration information use the
chage command. This command changes the number of days between password changes and the date of the last password change and is used by the system to determine when the user is forced to change the password. For example, to set the number of days the password of the user dan to be valid for 90 days (three months), run:
su -c "chage -M 90 dan"
Enter the root password at the prompt. The above option is usually used in conjunction with
-W option, which sets the number of days before expiration the user is warned about the pending expiration:
su -c "chage -W 10 -M 90 dan"
Enter the root password when prompted. The above command forces the user dan to change the password after 90 days. User dan is warned about this every day, starting 10 days before the password expiration.
Account Management - Using A Graphical User Interface
This section explains how to manage user and group accounts using a graphical user interface (GUI). User Manager is the application used to create and manage user and group accounts.
To start User Manager select System > Administration > Users and groups from the main panel menu or from the command line run
system-config-users and enter the root password at the prompt.
By default, User Manager does not display system accounts. To enable the listing of system accounts, from the main menu select Edit > Preferences
and uncheck the box next to Hide system users and groups. You can use the Preferences window to modify the default behavior of automatically assigning the next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.
To search for the user, enter first few letters of the username in the search filter field and click the Apply filter button.
You can sort the users list by clicking on the column name. Text fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.
Adding A New User
To add a new account click the Add User button on the main toolbar.
Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora -
/bin/bash is default shell,
/home/<username> is created as user's home directory, private group with the same name will be created for user and next available UID will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account.
Adding A New Group
To list the existing groups in the User Manager window click on the Groups tab. The same rules apply for sorting available columns and searching for a particular group as applied to the Users tab.
To create a new group, click the Add Group button on the main toolbar of the User Manager.
Type the group name in the Group Name field and click [OK] . By default, the new group will be added with the next available GID. You can manually change this behavior by checking the box Specify group ID manually and selecting a different, unused number from the list.
Modifying User Accounts
To display the properties of a user account, select the account from the list and click the Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:
You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.
Click the Account info tab.
Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock the user account.
Click the Password info tab.
Time of the last password change is displayed. Check Enable password expiration box. This will allow you to disable password change for user, force the user to change their password and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days.
Click the Groups tab.
Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.
Modifying Group Accounts
To modify group accounts select the group from the Groups tab of the User Manager
To view group properties, click the Properties button on the main toolbar. The Group Properties window opens
with the Group Data tab in focus. To change the group name, edit text in the Group Name field.
Click the Group Users tab.
To add users to this group, check the box next to appropriate user names on the list.
For additional help and more information on managing user accounts look at:
- passwd(1) ---Learn more about the file format information for the
- group(5) ---Learn more about the file format information for the
- shadow(5) ---Learn more about the file format information for the
- useradd(8) ---Learn how to create or update user accounts.
- userdel(8) ---Learn how to delete user accounts.
- usermod(8) ---Learn how to modify user accounts.
- chpasswd(8) ---Learn how to batch update user passwords.
- chage(1) ---Learn how to change user password aging information.
- chfn(1) ---Learn how to change a user's GECOS (finger) information.
- chsh(1) ---Learn how to change a user's login shell.
- groupadd(8) ---Learn how to create a new group.
- groupdel(8) ---Learn how to delete a group.
- groupmod(8) ---Learn how to modify a group.
- gpasswd(1) ---Learn how to administer the
- grpck(1) ---Learn how to verify the integrity of the
- chgrp(1) ---Learn how to change group-level ownership.
- chmod(1) ---Learn how to change file access permissions.
- chown(1) ---Learn how to change file owner and group.