Red Hat – Managing Users and Groups

Users and groups are key components of any system, and Linux is no different.  Let’s get right into it.

The important files
There are three important files when talking about users and groups.  They are:

/etc/passwd
This file (despite its name) stores the locally defined user accounts.  Each line of the file is for a single user.  For instance…

# more /etc/passwd | grep test
test_user:x:500:500::/home/test_user:/bin/bash

Each line is broken into seven fields delimited by colons.  Here’s what each field is, starting from the left:

Username
Place holder – Used to be the encrypted password
User ID (UID) – User defined users should have a UID that’s above 500.  0 is reserved for root and 1-499 are system defined (for daemons etc).
Group ID (GID) – Every user has a ‘primary group’ created for them.  They are the only people that can be a member of this group.  The GID field represents this group.
Comment Field – I guess it’s actually the ‘name’ field in the GUI
Home Directory – The user’s home directory
Login Shell – The user’s login shell

/etc/shadow
This file keeps track of the locally defined user passwords as well as account items related to things like password aging, password expiration, and so on.  A line in the file would look like this…

# more /etc/shadow | grep test_user
test_user:$1$/6caNEpK$C4Xo005ZQ3FckzMDwTmc31:15532:0:99999:7:::

The first field shows the user name.  The second field is related to account status.  For instance, if I create an account and don’t set the password it will show as $!!$.  If I lock the account, it might show as $!$.  Seems that if everything is in order it looks like $1$.  The third field is the encrypted password.  And the fourth field is really another set of colon-delimited integers.  These relate to the aforementioned account settings.  These can be set/read with the ‘chage’ command…

# chage -l test_user
Last password change                                    : Jul 11, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
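
An added example (not from the original post): a small audit over passwd- and shadow-format files that flags extra UID 0 accounts, empty, unset or locked passwords, MD5-crypt hashes and passwords that never expire. It splits each record on colons as shadow(5) defines it, so the second field is the whole password string: a `$1$` prefix marks MD5-crypt, a leading `!` a locked password, and `!!` on Red Hat a password that was never set. The accounts admin2, svc_old and guest, the hash strings and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag risky account states in passwd- and shadow-format files.
# All sample records are constructed; hash strings are placeholders.

# write_samples DIR: create constructed sample files DIR/passwd and DIR/shadow.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test_user:x:500:500::/home/test_user:/bin/bash
admin2:x:0:0::/home/admin2:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15532:0:90:7:::
test_user:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15532:0:99999:7:::
test_user2:!!:15532:0:99999:7:::
svc_old:!$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15532:0:99999:7:::
guest::15532:0:99999:7:::
EOF
}

# audit_passwd FILE: report every account other than root that has UID 0.
audit_passwd() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$1"
}

# audit_shadow FILE: classify field 2 (password) and field 5 (maximum age).
audit_shadow() {
    awk -F: '
        $2 == ""      { print "empty:" $1; next }   # login needs no password
        $2 == "!!"    { print "unset:" $1; next }   # password never set
        $2 ~ /^!/     { print "locked:" $1; next }  # hash disabled by a "!" prefix
        $2 ~ /^\$1\$/ { print "md5crypt:" $1 }      # $1$ marks MD5-crypt
        $5 == "" || $5 >= 99999 { print "noexpiry:" $1 }
    ' "$1"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_passwd "$tmp/passwd"
audit_shadow "$tmp/shadow"
rm -rf "$tmp"
```

On a live system the same functions take /etc/passwd and /etc/shadow as arguments; reading /etc/shadow requires root.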

/etc/group
This file keeps track of the locally defined groups and their members.  Again, it’s pretty straightforward.  Here I created a group called ‘test’ and added two users to it (test_user and test_user2).

# more /etc/group | grep test
test_user:x:500:
test:x:501:test_user2,test_user
test_user2:x:502:

Note that the grep returned the primary group numbers for each of the users as well.  The group ‘test’ has a secondary group ID of 501 and has members test_user2 and test_user in it.  The second field (shown as an X) is described as ‘password’.  Not sure what the deal with that is though.
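
An added example (not from the original post): membership in a group comes from two places, the member list in /etc/group and the primary GID in /etc/passwd, so a grep of /etc/group alone can miss someone whose primary group is the one being audited. The function below combines both sources; the wheel record, the ops_user account and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: list everyone who holds a group, from both account files.
# Sample records are constructed; ops_user and the wheel line are assumptions.

# write_group_samples DIR: create constructed files DIR/passwd and DIR/group.
write_group_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test_user:x:500:500::/home/test_user:/bin/bash
test_user2:x:502:502::/home/test_user2:/bin/bash
ops_user:x:503:10::/home/ops_user:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
wheel:x:10:root
test_user:x:500:
test:x:501:test_user2,test_user
test_user2:x:502:
EOF
}

# group_members GROUP PASSWD_FILE GROUP_FILE
# Prints, sorted and de-duplicated, the users named in the group record
# member list (field 4) plus the users whose primary GID in the passwd
# file (field 4) equals the GID of the group (field 3 of its record).
group_members() {
    awk -F: -v grp="$1" '
        src == "group" && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        src == "passwd" && gid != "" && $4 == gid { print $1 }
    ' src=group "$3" src=passwd "$2" | LC_ALL=C sort -u
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_group_samples "$tmp"
group_members wheel "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

In the sample data ops_user never appears in the wheel line of the group file, yet is reported as a wheel member through its primary GID of 10.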

Other useful commands for users and groups
So let’s imagine that I just created the test_user user (which I did by the way).  I would have done something like this…

# useradd test_user

That’s it.  The only other thing I have to do is to set the user’s password.  This is done with the ‘passwd’ command. 

# passwd test_user
Changing password for user test_user.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Now the account is ready to use.  What if we wanted to add the user to a group, though?  That’s done with the ‘usermod’ tool.  We’d do something like this…

# usermod -aG test test_user

Make SURE you include the -a flag in the usermod command.  The ‘a’ stands for append, and without it, you are removing the user from any previously defined group they were in. 

We can also use usermod to lock and unlock accounts with the ‘L’ and ‘U’ flags.

# usermod -L test_user
# passwd -S test_user
test_user LK 2012-07-10 0 99999 7 -1 (Password locked.)
# usermod -U test_user
# passwd -S test_user
test_user PS 2012-07-10 0 99999 7 -1 (Password set, MD5 crypt.)

Also, if you ever want a quick rundown on a user, use the ‘id’ command.

# id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),500(AwesomeRootGroup)

This tells us the user ID, the primary group ID, and which groups the user is in.

Now let’s say I want to clean all of this up.  Easy, just use the ‘userdel’ and ‘groupdel’ commands. 

# groupdel test
# userdel -r test_user
# userdel -r test_user2

The -r flag tells the command to clean up the folders defined for that user as well.  If you don’t, you’ll need to clean up those directories manually.
