From Fedora Project Wiki

User Accounts

Process of Account Creation

This section explains what happens when a new user is added to a Fedora system.

When the system administrator executes

/usr/sbin/useradd dan

from the command line, the following steps occur:

1 . A new line is appended to the /etc/passwd file and it looks similar to:

dan:x:502:502::/home/dan:/bin/bash

It consists of seven colon delimited fields, with the following meaning:

  • dan - this is the username
  • x - this is the password field; x signifies an empty field and that an encrypted (shadow) password will be placed in /etc/shadow file
  • first 502 - this is the uid (username identifier)
  • second 502 - this is the gid (group identifier) of the user's primary group
  • blank field - this is the "comment" field; the user's full name usually goes here
  • /home/dan - this is the location of the user's home directory in the file system
  • /bin/bash - this is the user's default shell
Entries above show Fedora defaults for new user accounts
Shadow passwords are used by default, UID and GID are the next available numbers, the comment field is empty, all user directories are created as subdirectories of /home and the default shell is bash (Bourne Again Shell). These defaults may be altered by specifying options to the useradd command (more about this on the next page).
A GID of the same numerical value as UID represents the Fedora concept of User Private Groups (UPG)
A User Private Group is created every time a new account is added to the system. It has the same name as the new user and the user is the only member of that group. The main advantage of this concept is easier management of user groups on UNIX-like systems. Traditionally, newly created files can not be modified by other users, including members of the file creator's primary group. This is controlled through the umask setting, which is configured in the /etc/bashrc file. Since UPG has only one member and each user has their own private group, this group protection becomes redundant.

2 . A new line is appended to the /etc/shadow file and it looks similar to:

dan:!!:13490:0:99999:7:::

It consists of eight colon delimited fields, with the following meaning:

  • dan - this is the username
  • !! - two exclamation marks indicate that the password has not been set yet and the account is locked
  • 13490 - represents the number of days (since January 1, 1970) since the password was last changed
  • 0 - represents the number of days before the password may be changed (0 indicates it may be changed at any time)
  • 99999 - represents the number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for 274 years
  • 7 - represents the number of days remaining before the users password expires (7 means a full week)
  • first blank field - represents the number of days after the password expires that the account will be disabled
  • second blank field - represents the number of days since January 1, 1970 that an account has been disabled
  • third blank field - reserved field for possible future use
The useradd command does not create a password.
At the time of command execution, the password field is initialized and populated with x and !! in the /etc/passwd and /etc/shadow files, respectively. A password is created using the /usr/bin/passwd command, which replaces !! field with encrypted representation of the user's password. This is security related and prevents the user's password from being displayed as plain text at any time.

3 . A new line is appended to the /etc/group file. It looks similar to:

dan:x:502:

The new line consists of three colon delimited fields, with the following meaning:

  • dan - this is the group name
  • x - this is the group password field; x indicates that the system is using shadow passwords
  • 502 - this is the gid and it matches the value of uid of the user with the same name

4 . A new line is appended to the /etc/gshadow file. It looks similar to:

dan:!::

The colon delimited fields in this line indicate:

  • dan - this is group name
  • ! - this is group password field in which ! indicates that the group account is locked

5 . The home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.

6 . Files from the /etc/skel directory are copied to the user's home directory (for example the .bashrc and .bash_profile files which control user's default shell environment).

7 . The system administrator can now run the /usr/bin/passwd dan command to set the user's password, this unlocks the user's account giving the user the ability to logon and use the system.

Previous Page - Introduction What Happens in the Background Next Page - Manage Accounts Using CLI