Archive:Docs/Drafts/AdministrationGuide/UserAccounts/Print

= User Accounts =

= TABLE OF CONTENTS =


 * Introduction
 * What Happens in the Background
 * Manage Accounts Using CLI
 * Manage Accounts Using GUI
 * Single-page View (Suitable for Printing)

= SUMMARY OF SECTIONS =

Overview

 * Ways to Create and Modify User and Group Accounts
 * Programs and Files Related to Account Management

Account Creation Process

 * Changes on the System During Account Creation / Modification

Account Management - Command Line Interface

 * Adding User Account
 * Editing User Account
 * Adding Group Account
 * Modifying Group Account
 * Changing Password Expiry Information

Account Management - Graphical Interface

 * Adding User Account
 * Editing User Account
 * Adding Group Account
 * Modifying Group Account

Introduction
Creation and management of users and user groups is one of the fundamental pieces of system administration on multi-user systems such as Linux. The user accounts system provides a secure storage area for users' files and gives users the ability to customize their working environment according to their needs.

Fedora includes two types of accounts - system and non-system accounts. System accounts include the root user and others such as the   user. System accounts are created during the installation process and are used by various system daemons and utilities to perform system-wide tasks. Fedora reserves the first 499 UIDs for system accounts. This is why they are sometimes referred to as low ID accounts.

Non-system accounts start from uid 500. These accounts are used for regular users to perform day-to-day tasks. Usually, the first "normal" user account is created during the first boot following the system's installation. After that, user and group accounts can be created with standard procedures, explained later in this guide.

Ways to Create and Modify User and Group Accounts
As with most other tasks, the system administrator can choose between two ways of creating and subsequently modifying user accounts:


 * Command line interface
 * Graphical interface

The account creation process is explained on the next page.

Process of Account Creation
This section explains what happens when a new user is added to a Fedora system.

When system administrator executes

/usr/sbin/useradd dan

from the command line, the following steps occur:

1 . New line is appended to /etc/passwd file and it looks similar to:

dan:x:502:502::/home/dan:/bin/bash

It consists of seven colon delimited fields, with the following meaning:
 * dan - this is username
 * x - this is password field; x signifies empty field and that encrypted (shadow) password will be placed in  file instead
 * first 502 - this is uid
 * second 502 - this is gid of the user's primary group
 * blank field - this is "comment" field; user's full name usually goes here, if specified
 * /home/dan - this is location of the user's home directory in the file system
 * /bin/bash - this is user's default shell

2 . New line is appended to /etc/shadow file and it looks similar to:

dan:!!:13490:0:99999:7:::

It consists of eight colon delimited fields, with the following meaning:


 * dan - this is username
 * !! - two exclamation marks indicate that the password has not been set yet and account is locked
 * 13490 - represents the number of days (since January 1, 1970) since the password was last changed
 * 0 - represents the number of days before password may be changed (0 indicates it may be changed at any time)
 * 99999 - represents the number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for 274 years)
 * 7 - represents the number of days to warn user of an expiring password (7 means a full week)
 * first blank field - represents the number of days after password expires that account is disabled
 * second blank field - represents the number of days since January 1, 1970 that an account has been disabled
 * third blank field - reserved field for possible future use

3 . New line is appended to /etc/group file. It looks similar to:

dan:x:502:

New line consists of three colon delimited fields, with the following meaning:


 * dan - this is group name
 * x - this is group password field; x indicates that the system is using shadow passwords
 * 502 - this is gid and it matches the value of uid of the user with the same name

4 . New line is appended to /etc/gshadow file. It looks similar to:

dan:!::

Colon delimited fields in this line are:

 * dan - this is group name
 * ! - this is group password field in which ! indicates that the group account is locked

5 . Home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.

6 . Files from /etc/skel directory are copied to user's home directory. For example, .bashrc and .bash_profile files which control user's default shell environment.

7 . System administrator can now run   command to set the user's password, unlocking user's account which gives user the ability to logon and use the system.
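The field layout described above is enough to audit accounts by cross-checking /etc/passwd against /etc/shadow. The following is an added example, not part of the original guide; the account lines, the finding labels and the function names are constructed for illustration, and the second field of each shadow line is read as a hash, a "!"-style lock or an empty value.

```python
# Constructed sample data; real files are /etc/passwd and /etc/shadow.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dan:x:502:502::/home/dan:/bin/bash
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
toor:x:0:0::/root:/bin/bash
old:PLACEHOLDERHASH:504:504::/home/old:/bin/bash
"""
SHADOW = """\
root:$1$constructed$placeholder:13400:0:99999:7:::
dan:!!:13490:0:99999:7:::
luke:$1$constructed$placeholder:13490:0:99999:7:::
toor::13490:0:99999:7:::
"""
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "comment", "home", "shell")
FIRST_REGULAR_UID = 500  # the guide: non-system accounts start from uid 500

def parse_passwd(text):
    """Split each /etc/passwd line into its seven colon-delimited fields."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entry["system"] = entry["uid"] < FIRST_REGULAR_UID
        entries.append(entry)
    return entries

def audit(passwd_text, shadow_text):
    """Return sorted (user, finding) pairs from cross-checking both files."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines()}
    findings = []
    for e in parse_passwd(passwd_text):
        state = shadow.get(e["name"])
        checks = [
            (e["uid"] == 0 and e["name"] != "root", "uid-0-not-root"),
            (e["passwd"] != "x", "password-not-in-shadow"),
            (state is None, "no-shadow-entry"),
            (state == "", "empty-password"),
            (state is not None and state.startswith("!"), "locked"),
        ]
        findings += [(e["name"], label) for hit, label in checks if hit]
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW):
        print(f"{user:6} {finding}")
```

A freshly created account such as dan is reported as locked until a password is set; the other findings mark entries that deviate from what useradd produces.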

= Account Management - Command Line Interface =

This section explains how to add new accounts and subsequently change account parameters using command line utilities.

Adding Account
To add new user account, from command line run:

su -c "/usr/sbin/useradd luke"

Enter root password when prompted.

Command above will create new user account with the user name luke, whose primary group is luke. Directory  is created as a user's home directory and user's shell environment is set to. These are Fedora defaults for user accounts.

Upon creation, user account is locked. To unlock the account, run:

su -c "passwd luke"

to set user's password. Enter root password in the first password prompt. You will then be presented with the following:

Changing password for user luke.
New UNIX password:

Type in user's password and press [Enter] . Prompt changes to:

Retype new UNIX password:

Type the same password again and press [Enter] . Prompt will return:

passwd: all authentication tokens updated successfully.

User  is now able to login and use the system.

User account defaults are controlled through  configuration file. Administrator can manually change values in this file and create a different set of account defaults. Settings from  file may be bypassed by supplying options to the   command. For example:

su -c "useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"

creates new user account for user  with the following characteristics:


 * user's full name is Luke McAlister
 * user's primary group is
 * user  is also a member of   and   groups
 * /home/second is created as home directory for
 * is set as a shell environment for

Adding Group Account
To add new group account, from command line run:

su -c "groupadd black"

and enter root password when prompted.

Command above will create new group account with the group name black.

Modifying Account Parameters
To edit user account parameters, use  command. Depending on what account parameters need modification,  command must be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:

su -c "usermod -c 'Luke McAlister' luke"

and enter root password in the password prompt.

This will alter account information in  file, placing user's full name in the fifth field. The line will change from:

luke:x:503:503::/home/luke:/bin/bash

to

luke:x:503:503:Luke McAlister:/home/luke:/bin/bash

Another common example is modification of user's group membership. To alter user's group membership, run:

su -c "usermod -G black luke"

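and enter root password when prompted. Command from the preceding example will add user luke to the black group. The -G option sets the user's complete list of supplementary groups, so any supplementary group not named in the list is dropped; combine it with the -a option to append instead.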

Modifying Group Account
To modify group account parameters, use  command. This command can change two group account parameters. To change the groupID of the group black, run:

su -c "groupmod -g 600 black"

Enter root password at the prompt. This command would change GID of the group  to 600. If you do not use  option, GID numerical value supplied to the command must be unique.

To assign new name to the group account, run:

su -c "groupmod -n blue black"

Enter root password at the prompt. This will change group's name from black to blue.

Changing Password Expiry Information
To change user's password expiry information use  command. This command changes the number of days between password changes and the date of the last password change; the system uses this information to determine when the user will be forced to change the password. For example, to set the maximum number of days for which password of user dan will be valid to 90 (three months), run:

su -c "chage -M 90 dan"

and enter root password at the prompt. The above option is usually used in conjunction with -W option, which is used to set the number of days prior to password expiry during which user is warned about the pending password expiry:

su -c "chage -W 10 -M 90 dan"

Enter root password when prompted. The command above will force user dan to change the password after 90 days. User dan will be warned about this every day, starting from 10 days before the password expiry.
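To see what these settings mean in calendar terms, the aging fields of the /etc/shadow entry can be converted to dates. This is an added example, not part of the original guide: the function names are hypothetical, the sample line is constructed from the dan entry shown earlier with the maximum age set to 90 and the warning period to 10, and treating the password as expired from the computed date onward is an assumption of the example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)   # shadow day counts are relative to this date
NO_EXPIRY = 99999          # default maximum age shown in this guide

def parse_aging(line):
    """Return the numeric aging fields (3rd to 6th) of one /etc/shadow line."""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError(f"malformed shadow line: {line!r}")
    names = ("last_change", "min_days", "max_days", "warn_days")
    return {n: (int(v) if v else None) for n, v in zip(names, fields[2:6])}

def password_state(line, today):
    """Classify a shadow entry as no-expiry, ok, warning or expired."""
    a = parse_aging(line)
    if a["last_change"] is None or a["max_days"] in (None, NO_EXPIRY):
        return {"state": "no-expiry", "expires": None, "warn_from": None}
    expires = EPOCH + timedelta(days=a["last_change"] + a["max_days"])
    warn_from = expires - timedelta(days=a["warn_days"] or 0)
    if today >= expires:       # assumption: expired from this date onward
        state = "expired"
    elif today >= warn_from:
        state = "warning"
    else:
        state = "ok"
    return {"state": state, "expires": expires, "warn_from": warn_from}

if __name__ == "__main__":
    # Constructed: dan's entry with max age 90 and warning period 10.
    sample = "dan:!!:13490:0:90:10:::"
    for day in (date(2007, 1, 15), date(2007, 3, 1), date(2007, 4, 1)):
        result = password_state(sample, day)
        print(day, result["state"], result["expires"], result["warn_from"])
```

Running the same function over every line of /etc/shadow gives a quick list of accounts that still carry the 99999-day default.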

Next section explains how to manage accounts using Graphical Interface.

= Account Management - Graphical User Interface =

This section explains how to manage user and group accounts using Graphical User Interface. User Manager is the application used to create and manage user and group accounts.

To start User Manager select System > Administration > Users and groups from the main panel menu or from the command line run  and enter root password at the prompt.



By default, User Manager does not display system accounts. To enable listing of system accounts, from the main menu select Edit > Preferences and uncheck the box next to Hide system users and groups. You can use Preferences window to modify default behaviour of automatically assigning next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This functionality is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.

To search for the user enter first few letters of the user name in the search filter field and click Apply filter button.

You can sort the users list by clicking on the column name. Textual fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.

Adding New User
To add new account click Add User button on the main toolbar.



Type the user name, user's full name and password in appropriate fields. Pre-selected fields represent the defaults for Fedora -  is default shell,   is created as user's home directory, private group with the same name will be created for user and next available UID will be used. If you choose so, you can change any of these options. Once you supply all the information, click [OK] button to create account.

Adding New Group
To list existing groups, in User Manager window click on Groups tab. The same rules apply for sorting available columns and searching for particular group as on the Users tab.



To create new group, click Add Group button on the main toolbar of the User Manager.



Type the group name in the Group Name field and click [OK]. By default, new group will be added with the next available GID. You can manually change this behaviour by checking the box Specify group ID manually and selecting different, unused number from the list.

Modifying User Accounts


To display properties of the user account, select the wanted account from the list and click Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:



You can change account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.

Click the Account info tab.



Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock user account.

Click the Password info tab.



Time of the last password change is displayed. Check Enable password expiration box. This will allow you to disable password change for user, force user to change password and warn user about that change in advance and when will account become inactive. Each of the four fields accepts integer, representing number of days.

Click the Groups tab.



Change the user's group membership by checking or unchecking the box next to group name. If user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.

Modifying Group Accounts
To modify group account, select the group from the Groups tab of the User Manager.



To view group's properties, click the Properties button on the main toolbar. Group Properties window opens with Group Data tab in focus. To change the group name, edit text in the Group Name field.

Click the Group Users tab.



To add users to this group, check the box next to appropriate user names on the list.