RHCSA: how to manage users and groups in Red Hat Linux

This is part 7 of the Red Hat series of blogs. this is another big topic, managing users and groups. These commands have been tested on RHEL 7 and 8.

RHCSA MiniSeries 

Part 1 – How to use Grep and Regular Expressions (RegEx)

Part 2 – How to manipulate files in RedHat

Part 3 – Red Hat Permissions

Part 4 – How to change the root password on Red Hat

Part 5 – How to use Red Hat as a virtual machine host

Part 6 – How to configure local storage

Part 7 – how to manage users and groups in Red Hat Linux

Part 8 – how to configure NTP Network Time Protocol in Red Hat

Getting User Information

Getting relevant user information can be done a few different ways.

• the id command
• the getent command
• Manually looking at /etc/passwd, /etc/shadow and /etc/group

How to change User Information

The easiest way to change user information is by using the usermod command.

c – Modify the user’s password file comment field

d – Change the user’s home directory. Often used with the m flag which moves files from the current home dir to the new one

G – Change the user’s supplemental groups. Often used with the a flag which appends, rather than replaces, the supplemental groups.

L, U – Lock or Unlock the account (respectively)

How to create a User

Before we go into creating a user we should be aware of where user information is kept.

/etc/passwd
User account information.
/etc/shadow
Secure user account information.
/etc/group
Group account information.
/etc/gshadow
Secure group account information.
/etc/default/useradd
Default values for account creation.
/etc/skel/
Directory containing default files.
/etc/login.defs
Shadow password suite configuration.

On Red Hat systems you can use the useradd command to create new users.

useradd [option] [login-name]

c – Text string that is entered into the comment field in /etc/passwd

g – set the GID

d – Set the home directory

G – set supplemental groups

k – Set the skeleton directory

p – Set the user’s password to this encrypted password.

r – create a system account

s – Set the user’s login shell

u – set the UID

Useradd examples

useradd -D

sudo useradd testuser1

This creates a user called testuser1

sudo useradd -m -c "Test User Three" -g testers -G admin testuser3

This creates a new user called testuser3 with:

-m creates a home drive

-c add user info of “test user three”

-g is the primary group

-G is the secondary group

Password Management

Setting password requirements is essential in today’s world full of security vulnerabilities.

There are two areas to look at when considering password requirements

1) Expiration/Longevity of a password

2) Actual password requirements

Longevity of a Password

More chage flags to be aware of: 

chage [-option]

E – Set the date when the user account will be locked out, requiring administrator intervention. -1 will mean the account never expires. 

W – How many days before expiration will a user receive a warning that the password will expire 

Password Complexity 

Regardless of how often you require users to reset passwords, you’ll end up with weak passwords. Enforcing password complexity will remove some of that risk. Password complexity is important to enforce and is done so using the pam_pwquality module.

Managing Groups

Getting Group Information 

Groups allow us to group users together for a set of permissions. Getting relevant group information can be done a few different ways. 

• the id command
• the getent command
• Manually looking at /etc/passwd, /etc/shadow and/etc/group

Adding Groups 

You may find it necessary to manually add groups to your server. It’s relatively easy to do so using the groupadd command. g – specify the Group ID 

groupadd geeks -y 1337

Changing a User’s Groups 

usermod can be used to change a user’s primary group and a user’s supplementary groups. A user can have a single primary group, but any number of supplementary groups. 

usermod [options]

g – change a user’s primary group 

G – change a user’s supplementary group.

a  – flag can be used to append a group rather than replace. 

Using Supplementary Groups 

Directories can be set to restrict access to members of a specific group. 

Changing Group Information 

The easiest way to change group information is by using the groupmod command. g – Change the Group ID n – Change the name of a group