This is part 8 of the Red Hat series of blogs. This is another big topic: managing users and groups. These commands have been tested on RHEL 7 and 8.
Getting User Information
Getting relevant user information can be done a few different ways.
- the id command
- the getent command
- Manually looking at /etc/passwd, /etc/shadow and /etc/group
How to change User Information
The easiest way to change user information is by using the usermod command.
c – Modify the user’s password file comment field
d – Change the user’s home directory. Often used with the m flag which moves files from the current home dir to the new one
G – Change the user’s supplemental groups. Often used with the a flag which appends, rather than replaces, the supplemental groups.
L, U – Lock or Unlock the account (respectively)
How to create a User
Before we go into creating a user we should be aware of where user information is kept.
/etc/passwd – User account information.
/etc/shadow – Secure user account information.
/etc/group – Group account information.
/etc/gshadow – Secure group account information.
/etc/default/useradd – Default values for account creation.
/etc/skel/ – Directory containing default files.
/etc/login.defs – Shadow password suite configuration.
On Red Hat systems you can use the useradd command to create new users.
useradd [option] [login-name]
c – Text string that is entered into the comment field in /etc/passwd
g – set the GID
d – Set the home directory
G – set supplemental groups
k – Set the skeleton directory
p – Set the user’s password to this encrypted password.
r – create a system account
s – Set the user’s login shell
u – set the UID
sudo useradd testuser1
This creates a user called testuser1
sudo useradd -m -c "Test User Three" -g testers -G admin testuser3
This creates a new user called testuser3 with:
-m creates a home directory
-c adds the comment "Test User Three"
-g is the primary group
-G is the secondary group
Setting password requirements is essential in today’s world full of security vulnerabilities.
There are two areas to look at when considering password requirements
1) Expiration/Longevity of a password
2) Actual password requirements
Longevity of a Password
More chage flags to be aware of:
E – Set the date when the user account will be locked out, requiring administrator intervention. -1 will mean the account never expires.
W – How many days before expiration will a user receive a warning that the password will expire
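The values that chage and usermod -L change are stored in /etc/shadow, so the same file can be read back to check them. The script below is an added example, not part of the original post: the function names, the finding labels and the sample accounts are made up for illustration, and the sample hashes are placeholders.

```shell
#!/bin/sh
# Added example: audit the password-aging fields that chage and usermod -L edit.
# shadow format: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# audit_shadow FILE [TODAY]  (TODAY = days since 1970-01-01, defaults to now)
# Prints "name:FINDING ..." for every account with at least one finding.
# The finding labels are made up for this example.
audit_shadow() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
    /^#/ || NF < 8 { next }                      # skip comments / short lines
    {
        out = ""
        if ($2 == "")                      out = out " EMPTY_PASSWORD"
        else if (substr($2, 1, 1) == "!")  out = out " LOCKED"
        if ($2 !~ /^[!*]/) {                     # password login is possible
            if ($5 == "" || $5 + 0 >= 99999) out = out " NO_MAX_AGE"
            if ($6 == "" || $6 + 0 == 0)     out = out " NO_WARNING"
        }
        # field 8 is the account expiry date set by chage -E (empty = never)
        if ($8 != "" && $8 + 0 > 0 && $8 + 0 <= today) out = out " ACCOUNT_EXPIRED"
        if (out != "") print $1 ":" substr(out, 2)
    }' "$1"
}

# Constructed sample entries (hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
testuser1:!!:19500:0:99999:7:::
testuser3:$6$constructed$hash:19500:1:90:14:::
contractor:$6$constructed$hash:19500:1:90:14::19600:
svc_backup::19500:0:99999::::
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    audit_shadow "$tmp"
    rm -f "$tmp"
}
demo
```

On a live system the file to pass is /etc/shadow, which only root can read.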
Regardless of how often you require users to reset passwords, you’ll end up with weak passwords. Enforcing password complexity removes some of that risk, and it is done using the pam_pwquality module.
Getting Group Information
Groups allow us to group users together for a set of permissions. Getting relevant group information can be done a few different ways.
- the id command
- the getent command
- Manually looking at /etc/passwd, /etc/shadow and /etc/group
You may find it necessary to manually add groups to your server. It’s relatively easy to do so using the groupadd command.
g – specify the Group ID
groupadd -g 1337 geeks
Changing a User’s Groups
usermod can be used to change a user’s primary group and a user’s supplementary groups. A user can have a single primary group, but any number of supplementary groups.
g – change a user’s primary group
G – change a user’s supplementary group.
a – flag can be used to append a group rather than replace.
Using Supplementary Groups
Directories can be set to restrict access to members of a specific group.
Changing Group Information
The easiest way to change group information is by using the groupmod command.
g – Change the Group ID
n – Change the name of a group