
Information Technology College of HoChiMinh city

Faculty of Information Technology

Course: Fundamentals of Linux OS

Unit 6

Managing Users and Groups
Lecturer: Vo Tan Dung
votandung@yahoo.com
http://sites.google.com/site/votandungsg/

What Users and Groups Are


A user of the system is an account identified by a unique
numerical identification number called the user ID (UID).
Users within a group can have read permissions, write
permissions, execute permissions, or any combination of
read/write/execute permissions for files owned by that
group.
A group is an organizational unit tying users together for a
common purpose, which can be read permission, write
permission, or execute permission for files owned by that
group.
Similar to the UID, each group is associated with a group ID
(GID).

Vo Tan Dung

Owner and group owner of a file.


Each user of the system is a member of at least one
group, the primary group. A supplementary group is an
additional group that gives access to files owned by that group.
Red Hat Enterprise Linux reserves user and group IDs
below 500 for system users and groups.
A user who creates a file is also the owner and primary
group owner of that file.
The file is assigned separate read, write, and execute
permissions for the owner, the group, and everyone else.
The file owner can be changed only by root, and access
permissions can be changed by both the root user and file
owner.


Relating files of user and group


These files are readable only by the root user.
For users, the files affected include /etc/passwd, which stores
user account information, and /etc/shadow, which stores secure
user account information.
For groups, the files affected include /etc/group, which stores
group account information, and /etc/gshadow, which stores secure
group account information.

Managing Users via Command-Line Tools

Creating Users
The useradd utility creates new users and adds them to the
system. Following the short procedure below, you will
create a default user account with its UID, automatically
create a home directory where default user settings will be
stored, /home/username/, and set the default shell to
/bin/bash.
Command Format

useradd username
Set a password to unlock the account and make it
accessible. Type the password twice when the program
prompts you to.
Command Format

passwd username

Creating a User with Default Settings
Example:
~]# useradd robert
~]# passwd robert
Changing password for user robert
New password:
Re-type new password:
passwd: all authentication tokens updated successfully.

If you run cat /etc/passwd to view the content of the
/etc/passwd file, you can learn more about the new user
from the line displayed to you:

robert:x:502:502::/home/robert:/bin/bash

Creating a User with Default Settings (cont.)
robert:x:502:502::/home/robert:/bin/bash

robert has been assigned a UID of 502.
The GID is 502: the group ID of the User Private Group equals the UID.
The home directory is set to /home/robert
and the login shell to /bin/bash.
The letter x signals that shadow passwords are used and that
the password is stored in /etc/shadow.
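
The colon-separated fields walked through above are also what an account review checks. As an added example (not part of the original slides), this script audits passwd-format lines for the x marker, the UID and the field count. The sample entries and the function names sample_passwd and audit_passwd are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd-format lines. The sample data is constructed,
# it is not taken from a real system.

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
emily:$6$constructedsalt$constructedhash:503:503::/home/emily:/bin/bash
backup:x:0:0::/home/backup:/bin/bash
jane:x:502:504::/home/jane:/bin/ksh
broken:x:505
EOF
}

# Reads passwd-format lines on stdin and prints one finding per line.
audit_passwd() {
    awk -F: '
    # name:password:UID:GID:comment:home:shell  ->  exactly 7 fields
    NF != 7 { print $1 ": malformed entry, " NF " fields instead of 7"; next }
    {
        # Field 2 should be "x": the hash then lives in /etc/shadow.
        if ($2 != "x")
            print $1 ": password field is not x, hash is outside /etc/shadow"
        # Field 3 is the UID; UID 0 means root privileges whatever the name.
        if ($3 == 0 && $1 != "root")
            print $1 ": UID 0 under a non-root name"
        # The UID is meant to identify one account only.
        if ($3 in owner) { print $1 ": UID " $3 " already used by " owner[$3] }
        else             { owner[$3] = $1 }
    }'
}

sample_passwd | audit_passwd
```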

Change the basic default setup for the user
If you want to change the basic default setup for the user
while creating the account, you can choose from a list of
command-line options modifying the behavior of useradd.
You can add one or more options:
Command Format

useradd [option(s)] username

Specifying a User's Full Name when Creating a User
As a system administrator, you can use the -c option to
specify, for example, the full name of the user when
creating them. Use -c followed by a string, which adds a
comment to the user:
Command Format

useradd -c "string" username


~]# useradd -c "Robert Smith" robert
~]# cat /etc/passwd
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
A user account has been created with user
name robert, sometimes called the login
name, and full name Robert Smith.

Adding a User with non-default Home Directory
If you do not want to create the default /home/username/
directory for the user account, set a different one instead.
Execute the command below:
Command Format

useradd -d home_directory username

~]# useradd -d /home/dir_1 robert


robert's home directory is now not the default /home/robert but
/home/dir_1/.


Setting the Account Expiration Date


Account expiration is a particular date, after which it is
impossible to log in to the account in any way, as the
account no longer exists.
Password expiration, determined by the maximum password age
and the date of password creation or last password change, is
the date after which it is not possible to log in using the password.
Command Format

useradd -e YYYY-MM-DD username


~]# useradd -e 2015-11-05 emily
The account emily will be created now and
automatically disabled on 5 November, 2015.

Adding a User with Non-default Shell


A user's login shell defaults to /bin/bash, but it can be changed
with the -s option to any shell other than bash, for example
ksh, csh, or tcsh.
Command Format

useradd -s login_shell username


~]# useradd -s /bin/ksh robert
This command creates the user robert
which has the /bin/ksh shell.


Create an administrative account


The -r option creates a system account, which is an account
for administrative use that has some, but not all, root
privileges.
Such accounts have a UID lower than the value of UID_MIN
defined in /etc/login.defs; ordinary users typically get UIDs
of 500 and above.
Command Format

useradd -r username


Attaching New Users to Groups


You can specify the user's group membership with the -g and
-G options. While the -g option specifies the primary group
membership, -G refers to supplementary groups into which
the user is also included. The group names you specify
must already exist on the system.

~]# useradd -g "friends" -G "family,schoolmates" emily


The useradd -g "friends" -G "family,schoolmates" emily command
creates the user emily but emily's primary group is set to friends
as specified by the -g option. emily is also a group member of the
supplementary groups family and schoolmates.

usermod -G group_1,group_2,group_3 username


Updating Users' Authentication


When running the basic useradd username command, the
password is automatically set to never expire. If you wish to
change this, use passwd command:

passwd option(s) username


You can lock the specified account. The locking is performed
by prefixing the encrypted password with an exclamation
mark (!).
If you later find a reason to unlock the account, passwd has a
reverse operation for locking. Only root can carry out these two
operations.

passwd -l username
passwd -u username

Change, lock, unlock a password


passwd [options] [username]
Where username is the name of the account whose password
you want to change. If the username is absent, this command
changes the password of the current account.
Some options for this command:
-l: locks the account.
-u or -f: used to unlock a locked account. Option -u will not
unlock an account which doesn't have a password, but option -f
allows unlocking an account which has no password.
-d: deletes the password of the user account.

Change, lock, unlock a password (cont.)
Example:
#passwd -d alan
removing the password for user alan
#passwd -l alan
lock the password of user alan
#passwd -uf alan
unlocking password for user alan


Unlocking a User Password


Example:

~]# passwd -l robert
Locking password for user robert.
passwd: Success
~]# passwd -u robert
passwd: Warning: unlocked password would be empty
passwd: Unsafe operation (use -f to force)
At first, the -l option locks robert's account password
successfully. However, running the passwd -u
command does not unlock the password because by
default passwd refuses to create a passwordless
account.


Password for an account to expire


If you wish a password for an account to expire, run passwd
with the -e option. The user will be forced to change the
password during the next login attempt:
Command Format

passwd -e username

Adjusting Aging Data for User Passwords
Setting the minimum time between password changes is
useful for forcing the user to really change the password.
The system administrator can set the minimum (the -n
option) and the maximum (the -x option) lifetimes. To inform
the user about their password expiration, use the -w option.
All these options must be accompanied with the number of
days and can be run as root only.
~]# passwd -n 10 -x 60 -w 3 jane

The above command has set the minimum password
lifetime to 10 days, the maximum password lifetime to 60,
and the number of days jane will begin receiving warnings
in advance that her password will expire to 3 days.

Disables the account permanently by useradd command
With the useradd command you can also set the number of days
after a password expires until the account is permanently
disabled.
A value of 0 disables the account as soon as the password
has expired.
A value of -1 disables the feature, that is, the user will
have to change his password when the password expires.
The -f option is used to specify the number of days after a
password expires until the account is disabled.
Command Format

useradd -f number-of-days username
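
The lock marker, the empty password, the forced change and the aging values from the sections above all end up as fields of one /etc/shadow line. This added example (not part of the original slides) classifies constructed shadow-format lines; the field order follows shadow(5), the function names are made up for illustration, and "today" is passed in as days since 1970-01-01 so the result is reproducible.

```sh
#!/bin/sh
# Added example: classify shadow-format lines. All data below is constructed.
# Fields per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved

sample_shadow() {
cat <<'EOF'
robert:$6$constructedsalt$constructedhash:16000:0:99999:7:::
alan::16000:0:99999:7:::
emily:!$6$constructedsalt$constructedhash:16000:0:99999:7::16744:
jane:$6$constructedsalt$constructedhash:16000:10:60:3:0::
newhire:$6$constructedsalt$constructedhash:0:0:99999:7:::
EOF
}

# audit_shadow TODAY   (TODAY = days since 1970-01-01); reads lines on stdin.
audit_shadow() {
    awk -F: -v today="$1" '
    {
        s = ""
        if ($2 == "")       s = s " no-password"     # state left by passwd -d
        else if ($2 ~ /^!/) s = s " locked"          # passwd -l or usermod -L
        if ($3 == "0")      s = s " must-change-at-next-login"   # passwd -e
        if ($8 != "" && today >= $8) s = s " account-expired"    # useradd -e
        # Password age: lastchg + max (passwd -x), then the useradd -f period.
        if ($3 > 0 && $5 != "" && today > $3 + $5) {
            s = s " password-expired"
            if ($7 != "" && today > $3 + $5 + $7)
                s = s " disabled-after-inactivity"
        }
        print $1 ":" (s == "" ? " ok" : s)
    }'
}

# 16750 is a constructed "today", shortly after emily's expiry
# (16744 = 2015-11-05, the date used with useradd -e above).
sample_shadow | audit_shadow 16750
```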


Modifying User Settings


When a user already exists and you need to specify any of
the options now, use the usermod command. The logic of
using usermod is identical to useradd as well as its syntax:
Command Format

usermod option(s) username


Some options for this command:
-L: locks a user account.
-U: unlocks a locked account.
-l new-user-name: the username is changed to the new name.
-u UID-new: changes the user's identification.
-g: changes the group which the user belongs to.


Changing User's Login


If you need to change the user's user name, use the -l
option with the new user name (or login).

~]# usermod -l "emily-smith" emily


The -l option changes the name of the user from the login
emily to the new login, emily-smith.
Nothing else is changed.
In particular, emily's home directory name (/home/emily)
remains the same unless it is changed manually to reflect
the new user name.


Changing User's UID and Home Directory
In a similar way you can change the user's UID or the user's
home directory. Study the example below:

~]# usermod -u 699 -d /home/dir_2 robert

The command with the -u and -d options changes the
settings of user robert.
Now, his ID is 699 instead of 501.
And his home directory is no longer /home/robert but
/home/dir_2.


Move the user's home directory


With the usermod command you can also move the content
of the user's home directory to a new location, or lock the
account by locking its password.

~]# usermod -m -d /home/dir_3 -L jane


In this sample command, the -m and -d options used
together move the content of jane's home directory to the
/home/dir_3 directory.
The -L option locks the access to jane's account by locking
its password.


Switching temporarily to another user


To temporarily become another user without logging out the
current user, we can use the su command:
Command Format

su switching-username
If no switching-username is given, the default
switching-username, user root, is used.
When you use the su command, the system will ask you to
enter the password of switching-username.
The who command shows who is logged in to your Linux system.


View information of a user


The following command allows you to view information about a
user:
Command Format

id [options] username
Some options for this command:
-g: shows the main group that contains this user.
-u: displays only the UID of this user.
-G: displays all groups of which the user is a member.


Deleting Users
If you want to remove a user account from the system, use
the userdel command on the command line as root.

userdel username
Combining userdel with the -r option removes files in the
user's home directory along with the home directory itself.

userdel -r username

Managing Groups via Command-Line Tools

Creating Groups
Groups are a useful tool for permitting co-operation
between different users.
There is a set of commands for operating with groups such
as groupadd, groupmod, groupdel, or gpasswd.
The files affected include /etc/group which stores group
account information and /etc/gshadow, which stores
secure group information.
To add a new group to the system with default settings,
the groupadd command is run at the shell prompt as root.
Command Format

groupadd [option(s)] groupname


Creating a Group with Default Settings


~]# groupadd friends
This groupadd command creates a new group
called friends. You can read more information about the
group from the newly-created line in the /etc/group file:

friends:x:505:
The group friends is automatically assigned a unique
GID (group ID) of 505 and has no users attached to it.
Optionally, you can set a password for a group by
running:

gpasswd groupname

Creating a Group with Specified GID


groupadd -g GID groupname
If you want to specify the numerical value of the group's ID
(GID) when creating the group, run the groupadd command
with the -g option.
Remember that this GID value must be unique.

The command below creates a group
named schoolmates and sets a GID of 60002 for it:

~]# groupadd -g 60002 schoolmates

When the -g option is used and the GID already exists, groupadd
refuses to create another group with the existing GID.


Create a system group


You may also create a system group by attaching the -r
option to the groupadd command.
System groups are used for system purposes, which
practically means that GID is allocated from 1 to 499 within
the reserved range of 999.

groupadd -r group_name


Attach, remove Users to/from Groups


If you want to add an existing user to the named group, you
can make use of the gpasswd command.

gpasswd -a username which_group_to_edit


To remove a user from the named group, run:

gpasswd -d username which_group_to_edit


To set the list of group members, write the user names after
the --members option dividing them with commas and no
spaces:
gpasswd --members username_1,username_2 group_to_edit
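
The member list that gpasswd edits in /etc/group holds only supplementary members; a user whose primary group is set with -g appears only through the GID field of /etc/passwd, which is why the friends:x:505: line shown earlier has no members. As an added example (not part of the original slides), this script lists every member of a group from both files; the sample data and the names make_sample and members_of are constructed for illustration.

```sh
#!/bin/sh
# Added example: who really belongs to a group? Sample data is constructed.

make_sample() {   # writes passwd- and group-format samples into directory $1
    cat > "$1/passwd" <<'EOF'
robert:x:502:502:Robert Smith:/home/robert:/bin/bash
emily:x:503:505::/home/emily:/bin/bash
jane:x:504:60002::/home/jane:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
robert:x:502:
friends:x:505:
family:x:506:emily,robert
schoolmates:x:60002:emily
EOF
}

# members_of GROUP PASSWD_FILE GROUP_FILE
# Prints "user primary" or "user supplementary", one per line, sorted.
members_of() {
    awk -F: -v g="$1" '
    FNR == NR {                       # first file: group format
        if ($1 == g) {
            gid = $3
            n = split($4, m, ",")     # field 4: supplementary members
            for (i = 1; i <= n; i++) how[m[i]] = "supplementary"
        }
        next
    }
    # second file: passwd format, field 4 is the primary GID
    gid != "" && $4 == gid { how[$1] = "primary" }
    END { for (u in how) print u, how[u] }' "$3" "$2" | sort
}

d=$(mktemp -d) && make_sample "$d"
for grp in friends family schoolmates; do
    echo "== $grp"
    members_of "$grp" "$d/passwd" "$d/group"
done
rm -rf "$d"
```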


Add group administrators


A group administrator can add and delete users as well as set,
change, or remove the group password.
A group can have more than one group administrator.
The root user can add group administrators with the
command:

gpasswd -A users groupname


where users is a comma-separated list of existing users you
want to be group administrators (without any spaces between
commas).


Change, remove a group's password


For changing a group's password, run the gpasswd
command with the relevant group name. You will be
prompted to type the new password of the group.

gpasswd groupname
~]# gpasswd crowd
Changing password for group crowd
New password:
Re-enter new password:
The password for the group crowd has been changed.
You can also remove the password from the named group by
using the -r option.

gpasswd -r schoolmates

Modifying Group Settings


When a group already exists and you need to specify any of
the options now, use the groupmod command. The logic of
using groupmod is identical to groupadd as well as its
syntax:

groupmod option(s) groupname

To change the group ID of a given group, use the groupmod
command in the following way:

groupmod -g GID_NEW which_group_to_edit


To change the name of the group, run the following on the
command line. The name of the group will be changed from
groupname to new_groupname.

groupmod -n new_groupname groupname


Deleting Groups
The groupdel command modifies the system account files,
deleting all entries that refer to the group. The named group
must exist when you execute this command.

groupdel groupname


END OF UNIT 6
remember to do your homework
(see http://sites.google.com/site/votandungsg/)
