Create Users and Groups on Oracle Linux

Introduction

The following tutorial provides step-by-step procedures for user and group administration on Oracle Linux. You will create users and groups, implement user private groups, and grant a user elevated privileges.

Objectives

In this lab, you’ll:

What Do You Need?

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

Administer User Accounts

In this section, you use command-line utilities to create a new user account, view files that are updated when adding a new user, modify a user account, set a password for the new user, and log in as the new user.

  1. Open a terminal and connect to your Oracle Linux instance.

  2. Become the root user.

    sudo su -
    
  3. As the root user, add a user named alice.

    useradd alice
    

    The user is added to the /etc/passwd file.

  4. View the alice entry in the /etc/passwd file.

    grep alice /etc/passwd
    

    Example Output:

    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002::/home/alice:/bin/bash
    [root@ol-server ~]# 
    

    The output shows:

    • The new user’s UID and GID are the same (1002).
    • A home directory was created for the new user (/home/alice).
    • The default shell for the new user is /bin/bash.
  5. View the home directories.

    ls -l /home
    

    Example Output:

    [root@ol-server ~]# ls -l /home
    total 0
    drwx------. 2 alice  alice  62 Aug 18 09:50 alice
    drwx------. 4 opc    opc    90 Aug 18 09:48 opc
    drwx------. 3 oracle oracle 74 Aug 18 09:48 oracle
    [root@ol-server ~]#
    

    In this example, the opc and oracle users already existed.
    A home directory was created for the new user because the CREATE_HOME parameter in /etc/login.defs is set to yes.

  6. View the CREATE_HOME parameter in the /etc/login.defs file.

    grep CREATE_HOME /etc/login.defs
    

    Example Output:

    [root@ol-server ~]# grep CREATE_HOME /etc/login.defs
    CREATE_HOME	yes
    [root@ol-server ~]# 
    
  7. View the default settings for a new user, stored in /etc/default/useradd.

    cat /etc/default/useradd
    

    Example Output:

    [root@ol-server ~]# cat /etc/default/useradd
    # useradd defaults file
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes
       
    [root@ol-server ~]# 
    

    The SKEL parameter is set to /etc/skel.

  8. View the contents of the /etc/skel directory.

    ls -la /etc/skel
    

    Example Output:

    [root@ol-server ~]# ls -la /etc/skel
    total 24
    drwxr-xr-x.   2 root root   62 Jun 20 15:48 .
    drwxr-xr-x. 116 root root 8192 Aug 18 09:56 ..
    -rw-r--r--.   1 root root   18 Aug  2  2022 .bash_logout
    -rw-r--r--.   1 root root  141 Aug  2  2022 .bash_profile
    -rw-r--r--.   1 root root  376 Aug  2  2022 .bashrc
    [root@ol-server ~]# 
    
  9. View the contents of the alice home directory.

    ls -la /home/alice
    

    Example Output:

    [root@ol-server ~]# ls -la /home/alice
    total 12
    drwx------. 2 alice alice  62 Aug 18 09:50 .
    drwxr-xr-x. 5 root  root   44 Aug 18 09:50 ..
    -rw-r--r--. 1 alice alice  18 Aug  2  2022 .bash_logout
    -rw-r--r--. 1 alice alice 141 Aug  2  2022 .bash_profile
    -rw-r--r--. 1 alice alice 376 Aug  2  2022 .bashrc
    [root@ol-server ~]# 
    

    The contents of SKEL (/etc/skel) are copied to the new user’s home directory.

  10. View the new alice entry in the /etc/group file.

    grep alice /etc/group
    

    Example Output:

    [root@ol-server ~]# grep alice /etc/group
    alice:x:1002:
    [root@ol-server ~]#
    

    Because Oracle Linux uses a user private group (UPG) scheme, a new private group (alice, GID=1002) was created when the alice user was created. The group's GID matches the user's UID.

  11. Modify GECOS information for the alice user. View the alice entry in the /etc/passwd file before and after modifying GECOS information.

    grep alice /etc/passwd
    usermod -c "Alice Smith" alice
    grep alice /etc/passwd
    

    Example Output:

    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002::/home/alice:/bin/bash
    [root@ol-server ~]# usermod -c "Alice Smith" alice
    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
    [root@ol-server ~]#
    
  12. Create a password of AB*gh246 for the alice user. View the alice entry in the /etc/shadow file before and after creating a password for alice.

    grep alice /etc/shadow
    passwd alice
    grep alice /etc/shadow
    

    Example Output:

    [root@ol-server ~]# grep alice /etc/shadow
    alice:!!:19587:0:99999:7:::
    [root@ol-server ~]# passwd alice
    Changing password for user alice.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    [root@ol-server ~]# grep alice /etc/shadow
    alice:$6$Ulba2YCfMyrwZC8V$J0jWtJmaOa1vKN2yywyiN4AQpWfg1gDd6Duzm.TWEWHwFDYcxjjIuF2qrIO7rk8LsEBm6s//mgKa5jbqhfT9E.:19587:0:99999:7:::
    [root@ol-server ~]# 
    

    The !! for alice is replaced with a hashed password value.

  13. Exit the root login and log in as the alice user. Provide the password of AB*gh246 when prompted.

    exit
    su - alice
    

    Example Output:

    [root@ol-server ~]# exit
    logout
    [oracle@ol-server ~]$ su - alice
    Password: 
    [alice@ol-server ~]$ 
    
  14. Verify you are the alice user and your current directory is the alice user’s home directory.

    whoami
    pwd
    

    Example Output:

    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$ pwd
    /home/alice
    [alice@ol-server ~]$ 
    
  15. Exit the alice user’s shell and become the root user.

    exit
    sudo su -
    

    Example Output:

    [alice@ol-server ~]$ exit
    logout
    [oracle@ol-server ~]$ sudo su -
    Last login: Fri Aug 18 09:50:03 GMT 2023 on pts/0
    [root@ol-server ~]# 
    
  16. As the root user, add a user named mynewuser1, which is used later in this lab.

    useradd mynewuser1
    
  17. Create a password of XY*gh579 for the mynewuser1 user.

    passwd mynewuser1
    

    Example Output:

    [root@ol-server ~]# passwd mynewuser1
    Changing password for user mynewuser1.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    [root@ol-server ~]# 
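
The steps above read /etc/passwd and /etc/group by hand. The following script is an added example, not part of the Oracle tutorial: it parses passwd- and group-style records with awk and checks the UPG invariant the lab relies on (each user's primary GID names a group called after the user, with no other members). The records are constructed to mirror the lab output, plus a deliberately broken account or two; on a real system you would feed the functions the contents of /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): parse /etc/passwd- and
# /etc/group-style records and audit the user private group (UPG) scheme.
# The records below are constructed; read the real files on a live system.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
opc:x:1000:1000::/home/opc:/bin/bash
alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
bob:x:1003:100::/home/bob:/bin/bash
carol:x:1005:1005::/home/carol:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:oracle,alice
users:x:100:
opc:x:1000:
alice:x:1002:
staff:x:1004:alice,mynewuser1
carol:x:1005:dave'

# passwd_field USER N CONTENT: field N (1-based) of USER's passwd record
passwd_field() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# group_name_by_gid GID CONTENT: name of the group whose numeric id is GID
group_name_by_gid() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$3 == g { print $1; exit }'
}

# group_members NAME CONTENT: comma-separated member list of group NAME
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4; exit }'
}

# secondary_groups USER CONTENT: names of the groups listing USER as a member
secondary_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] == u) { printf "%s%s", sep, $1; sep = " " }
    } END { print "" }'
}

# upg_status USER PASSWD_CONTENT GROUP_CONTENT: prints "ok" when USER's
# primary group is a private group of the same name with no other members,
# otherwise a short reason; exit status is 0 only for "ok".
upg_status() {
    user=$1
    gid=$(passwd_field "$user" 4 "$2")
    [ -n "$gid" ] || { echo "no-such-user"; return 1; }
    gname=$(group_name_by_gid "$gid" "$3")
    if [ "$gname" != "$user" ]; then
        echo "shared-primary-group:${gname:-$gid}"
        return 1
    fi
    members=$(group_members "$gname" "$3")
    if [ -n "$members" ]; then
        echo "private-group-has-members:$members"
        return 1
    fi
    echo ok
}

# Stand-alone run: report every account in the sample passwd content.
for u in $(printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1); do
    printf '%-6s upg=%s secondary=[%s]\n' "$u" \
        "$(upg_status "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP")" \
        "$(secondary_groups "$u" "$SAMPLE_GROUP")"
done
```

In the sample data, bob has a shared primary group (users, GID 100, which is what the GROUP=100 default in /etc/default/useradd would give if the UPG scheme were not in use), and carol's private group has acquired an extra member; both are flagged, while alice reports ok with wheel and staff as secondary groups.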
    

Administer Group Accounts

In this section, you create a new group account and add a user to this new group.

  1. As the root user, add a group named staff.

    groupadd staff
    

    The group is added to the /etc/group file.

  2. View the last 10 entries in the /etc/group file.

    tail /etc/group
    

    Example Output:

    [root@ol-server ~]# tail /etc/group
    sshd:x:74:
    slocate:x:21:
    tcpdump:x:72:
    oracle-cloud-agent:x:985:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun
    pcp:x:984:
    opc:x:1000:
    oracle:x:1001:
    alice:x:1002:
    mynewuser1:x:1003:
    staff:x:1004:
    [root@ol-server ~]# 
    

    The GID (1004) for the new group is incremented by one.

  3. Add the alice user to the staff group. View the staff group entry in the /etc/group file.

    usermod -aG 1004 alice
    grep staff /etc/group
    

    Example Output:

    [root@ol-server ~]# usermod -aG 1004 alice
    [root@ol-server ~]# grep staff /etc/group
    staff:x:1004:alice
    [root@ol-server ~]#
    

    The alice user has a secondary group membership in the staff group.

  4. View the primary group membership for alice.

    grep alice /etc/passwd
    

    Example Output:

    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
    [root@ol-server ~]#
    

    The alice user’s primary group is still 1002.

Implement User Private Groups

In this section, you use the User Private Groups scheme to give different users write access to files in a single directory.

  1. As the root user, create the /staff directory.

    mkdir /staff
    
  2. View the /staff directory and its permissions.

    ls -ld /staff
    

    Example Output:

    [root@ol-server ~]# ls -ld /staff
    drwxr-xr-x. 2 root root 6 Aug 18 11:23 /staff
    [root@ol-server ~]# 
    
  3. Change group ownership for the /staff directory to the staff group. The -R option (recursive) sets the group for files and directories within /staff. View the /staff directory and its permissions after changing the group ownership.

    chgrp -R staff /staff
    ls -ld /staff
    

    Example Output:

    [root@ol-server ~]# chgrp -R staff /staff
    [root@ol-server ~]# ls -ld /staff
    drwxr-xr-x. 2 root staff 6 Aug 18 11:23 /staff
    [root@ol-server ~]# 
    

    The owner of the /staff directory is still root, but the group is now staff.

  4. Set the setgid bit on the /staff directory (mode 2775 also gives the owner and the staff group read, write, and execute permission, and others read and execute permission). Then view the permissions on the /staff directory.

    chmod -R 2775 /staff
    ls -ld /staff
    

    Example Output:

    [root@ol-server ~]# chmod -R 2775 /staff
    [root@ol-server ~]# ls -ld /staff
    drwxrwsr-x. 2 root staff 6 Aug 18 11:23 /staff
    [root@ol-server ~]# 
    

    The group permissions on the /staff directory have changed: the group now has write permission, and the s in the group execute position shows that the setgid bit is set, so files created in /staff inherit the staff group.

  5. Add the mynewuser1 user to the staff group. View the staff entry in the /etc/group file after adding the mynewuser1 user.

    usermod -aG staff mynewuser1
    grep staff /etc/group
    

    Example Output:

    [root@ol-server ~]# usermod -aG staff mynewuser1
    [root@ol-server ~]# grep staff /etc/group
    staff:x:1004:alice,mynewuser1
    [root@ol-server ~]# 
    

    Both alice and mynewuser1 users have secondary group membership in the staff group.

  6. Become the mynewuser1 user. You are not prompted for the mynewuser1 user’s password because you currently are the root user. Verify you are the mynewuser1 user and your current directory is the mynewuser1 user’s home directory.

    su - mynewuser1
    whoami
    pwd
    

    Example Output:

    [root@ol-server ~]# su - mynewuser1
    [mynewuser1@ol-server ~]$ whoami
    mynewuser1
    [mynewuser1@ol-server ~]$ pwd
    /home/mynewuser1
    [mynewuser1@ol-server ~]$ 
    
  7. Display group membership for the mynewuser1 user.

    groups
    

    Example Output:

    [mynewuser1@ol-server ~]$ groups
    mynewuser1 staff
    [mynewuser1@ol-server ~]$ 
    

    The mynewuser1 user belongs to two groups - mynewuser1 and staff.

  8. Change to the /staff directory. Create a new file in the /staff directory named mynewuser1_file. Display the permissions and ownership of the new file.

    cd /staff
    touch mynewuser1_file
    ls -l mynewuser1_file
    

    Example Output:

    [mynewuser1@ol-server ~]$ cd /staff
    [mynewuser1@ol-server staff]$ touch mynewuser1_file
    [mynewuser1@ol-server staff]$ ls -l mynewuser1_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 11:40 mynewuser1_file
    [mynewuser1@ol-server staff]$ 
    

    The file belongs to the staff group, inherited from the setgid /staff directory, and the permissions are read/write for the staff group.

  9. Become the alice user. Provide the password of AB*gh246 when prompted. Verify you are the alice user.

    su - alice
    whoami
    

    Example Output:

    [mynewuser1@ol-server staff]$ su - alice
    Password: 
    Last login: Fri Aug 18 11:10:13 GMT 2023 on pts/0
    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$  
    
  10. Display group membership for the alice user.

    groups
    

    Example Output:

    [alice@ol-server ~]$ groups
    alice staff
    [alice@ol-server ~]$  
    

    The alice user belongs to two groups - alice and staff.

  11. Change to the /staff directory. Create a new file in the /staff directory named alice_file. Display the permissions and ownership of the new files.

    cd /staff
    touch alice_file
    ls -l
    

    Example Output:

    [alice@ol-server ~]$ cd /staff
    [alice@ol-server staff]$ touch alice_file
    [alice@ol-server staff]$ ls -l
    total 0
    -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:06 mynewuser1_file
    [alice@ol-server staff]$  
    

    The permissions are read/write on both files for the staff group.

  12. As the alice user, use the touch command to update the time stamp on the mynewuser1_file. View the files to verify the time has changed.

    touch mynewuser1_file
    ls -l
    

    Example Output:

    [alice@ol-server staff]$ touch mynewuser1_file
    [alice@ol-server staff]$ ls -l
    total 0
    -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:11 mynewuser1_file
    [alice@ol-server staff]$ 
    

    Updating the time stamp succeeds, which shows that the alice user has write permission on the file even though the mynewuser1 user created it: the file belongs to the staff group, and group members have write permission.

  13. Exit both the alice user’s shell, and the mynewuser1 user’s shell, to return to the root user’s shell. Verify that you are the root user.

    exit
    exit
    whoami
    

    Example Output:

    [alice@ol-server staff]$ exit
    logout
    [mynewuser1@ol-server staff]$ exit
    logout
    [root@ol-server ~]# whoami
    root
    [root@ol-server ~]#  
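
The following script is an added example, not part of the Oracle tutorial. It works out what the mode 2775 from chmod -R 2775 /staff means (the symbolic string ls -ld printed above), checks that a mode is suitable for a shared group directory in the sense this section relies on (setgid set, group read/write/execute, not world-writable), and applies 2775 to a scratch directory so the result can be read back without root. The dir_mode function assumes GNU coreutils stat (the -c '%a' format); everything else is plain POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): reason about the mode bits
# chmod 2775 sets on a shared group directory, and verify them on disk.

# octal_to_symbolic MODE: symbolic permissions as ls -ld prints them for a
# directory, e.g. 2775 -> drwxrwsr-x (s in the group slot marks setgid).
octal_to_symbolic() {
    awk -v m="$1" 'BEGIN {
        while (length(m) < 4) m = "0" m          # make sure the special-bit digit exists
        sp = substr(m, 1, 1) + 0                 # 4 = setuid, 2 = setgid, 1 = sticky
        out = "d"
        for (i = 2; i <= 4; i++) {
            d = substr(m, i, 1) + 0              # owner, group, other digit in turn
            out = out (d >= 4 ? "r" : "-") (d % 4 >= 2 ? "w" : "-")
            x = (d % 2 == 1)
            if (i == 2 && sp >= 4)          out = out (x ? "s" : "S")
            else if (i == 3 && sp % 4 >= 2) out = out (x ? "s" : "S")
            else if (i == 4 && sp % 2 == 1) out = out (x ? "t" : "T")
            else                            out = out (x ? "x" : "-")
        }
        print out
    }'
}

# shared_dir_check MODE: "ok" when MODE gives the group rwx plus setgid (so
# new files inherit the directory's group) and others cannot write; otherwise
# a short reason with exit status 1.
shared_dir_check() {
    sym=$(octal_to_symbolic "$1")
    grp=$(printf '%s' "$sym" | cut -c5-7)
    oth=$(printf '%s' "$sym" | cut -c8-10)
    case $grp in
        rws) ;;
        *) echo "group needs rwx plus setgid, got $grp"; return 1 ;;
    esac
    case $oth in
        ?w?) echo "world-writable ($oth)"; return 1 ;;
    esac
    echo ok
}

# dir_mode DIR: the directory's mode in octal, special bits included
# (assumes GNU coreutils stat).
dir_mode() {
    stat -c '%a' "$1"
}

# Stand-alone run: decode a few modes, then apply 2775 to a scratch directory.
for m in 755 2775 2770 2777 1777; do
    printf '%5s -> %s  check: %s\n' "$m" "$(octal_to_symbolic "$m")" "$(shared_dir_check "$m")"
done
scratch=$(mktemp -d)
chmod 2775 "$scratch"
printf 'scratch directory mode: %s (%s)\n' "$(dir_mode "$scratch")" \
    "$(octal_to_symbolic "$(dir_mode "$scratch")")"
rmdir "$scratch"
```

The check deliberately rejects 775 (group-writable but no setgid, so files created by one member would carry that member's private group, and other members could not modify them) and 2777 (anyone on the system could write into the shared directory), while accepting 2775 and the more restrictive 2770.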
    

Option 1: Grant Elevated Privileges to a User

In this section, you grant sudo privileges to a user by adding an entry to the /etc/sudoers file.

  1. Become the alice user. You are not prompted for the alice user’s password because you currently are the root user. Verify you are the alice user.

    su - alice
    whoami
    

    Example Output:

    [root@ol-server ~]# su - alice
    Last login: Fri Aug 18 12:07:27 GMT 2023 on pts/0
    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$  
    
  2. As the alice user, attempt to add anotheruser.

    useradd anotheruser
    

    Example Output:

    [alice@ol-server ~]$ useradd anotheruser
    useradd: Permission denied.
    useradd: cannot lock /etc/passwd; try again later.
    [alice@ol-server ~]$ 
    

    The alice user does not have permission to add anotheruser.

  3. Insert the sudo command before the previous useradd command to add anotheruser. Provide the password of AB*gh246 when prompted.

    sudo useradd anotheruser
    

    Example Output:

    [alice@ol-server ~]$ sudo useradd anotheruser
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for alice: 
    alice is not in the sudoers file.  This incident will be reported.
    [alice@ol-server ~]$ 
    

    The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.

  4. Exit the alice user’s shell to return to the root user’s shell. View sudoers entries in the /var/log/secure file.

    exit
    grep sudoers /var/log/secure
    

    Example Output:

    [alice@ol-server ~]$ exit
    logout
    [root@ol-server ~]# grep sudoers /var/log/secure
    Aug 18 12:18:54 ol-server sudo[12289]:   alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
    [root@ol-server ~]#  
    

    The alice : user NOT in sudoers entry for the attempted use of the /sbin/useradd command is in the /var/log/secure file. The number of entries depends on how many times the command was attempted; the example shows one.

  5. As the root user, edit the /etc/sudoers file by using the visudo command.

    visudo
    

    This command opens the /etc/sudoers file using the vim editor.

  6. In the /etc/sudoers file, scroll down to the section shown in the example output and add the following line to grant the alice user permission to run the /sbin/useradd command.

    alice   ALL=(ALL)       /sbin/useradd
    

    Example Output:

     
    ## Next comes the main part: which users can run what software on
    ## which machines (the sudoers file can be shared between multiple
    ## systems).
    ## Syntax:
    ##
    ##      user    MACHINE=COMMANDS
    ##
    ## The COMMANDS section may have other options added to it.
    ##
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    alice   ALL=(ALL)       /sbin/useradd
     
    

    Ensure the alice entry is added. Save your changes and exit the visudo command.

  7. Become the alice user. Attempt to add anotheruser without the sudo command. Insert the sudo command and attempt to add anotheruser a second time. Provide the password of AB*gh246 when prompted.

    su - alice
    useradd anotheruser
    sudo useradd anotheruser
    

    Example Output:

    [root@ol-server ~]# su - alice
    Last login: Fri Aug 18 12:16:40 GMT 2023 on pts/0
    [alice@ol-server ~]$ useradd anotheruser
    useradd: Permission denied.
    useradd: cannot lock /etc/passwd; try again later.
    [alice@ol-server ~]$ sudo useradd anotheruser
    [sudo] password for alice: 
    [alice@ol-server ~]$  
    
  8. Verify anotheruser was added.

    grep anotheruser /etc/passwd
    ls -l /home
    

    Example Output:

    [alice@ol-server ~]$ grep anotheruser /etc/passwd
    anotheruser:x:1004:1005::/home/anotheruser:/bin/bash
    [alice@ol-server ~]$ ls -l /home
    total 0
    drwx------. 2 alice       alice       83 Aug 18 12:50 alice
    drwx------. 2 anotheruser anotheruser 62 Aug 18 13:04 anotheruser
    drwx------. 2 mynewuser1  mynewuser1  83 Aug 18 12:54 mynewuser1
    drwx------. 4 opc         opc         90 Aug 18 12:45 opc
    drwx------. 3 oracle      oracle      74 Aug 18 12:45 oracle
    [alice@ol-server ~]$ 
    

    The anotheruser user now exists, and its home directory is listed in /home alongside those of the users created earlier in this lab. With the alice entry in the /etc/sudoers file, the alice user has sudo privileges to run the /sbin/useradd command.

  9. Exit the alice shell to return to the root shell. Use the visudo command and delete the alice entry from the /etc/sudoers file that you added earlier in this lab.

    exit
    visudo
    

    Delete the alice line previously added, or as in this example, insert the # character to comment out the line. Save your changes and exit the visudo command.

    Example Output:

    ## Next comes the main part: which users can run what software on
    ## which machines (the sudoers file can be shared between multiple
    ## systems).
    ## Syntax:
    ##
    ##      user    MACHINE=COMMANDS
    ##
    ## The COMMANDS section may have other options added to it.
    ##
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    #alice   ALL=(ALL)       /sbin/useradd
    
  10. Verify the alice user can no longer add a new user. Become the alice user. Attempt to add anotheruser2 with the sudo command.

    su - alice
    sudo useradd anotheruser2
    

    Example Output:

    [root@ol-server ~]# su - alice
    Last login: Fri Aug 18 13:03:55 GMT 2023 on pts/0
    [alice@ol-server ~]$ sudo useradd anotheruser2
    alice is not in the sudoers file.  This incident will be reported.
    [alice@ol-server ~]$  
    

    The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.

  11. Exit the alice user’s shell to return to the root user’s shell.

    exit
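
Steps 3 and 4 above show the "user NOT in sudoers" record that sudo writes to /var/log/secure. The following script is an added example, not part of the Oracle tutorial: it extracts denied sudo attempts from log lines in that format and counts them per user, which is the review an administrator would run after the lab. The log lines are constructed to match the format shown in step 4 (the "command not allowed" and "incorrect password attempts" wordings are the ones sudo uses for a user who is in sudoers but not permitted the command, and for failed authentication); on a real host, pass the functions the contents of /var/log/secure.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): find denied sudo attempts
# in /var/log/secure-style lines. Sample lines are constructed.

SAMPLE_SECURE='Aug 18 12:18:54 ol-server sudo[12289]:   alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
Aug 18 12:20:01 ol-server sudo[12301]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
Aug 18 12:21:10 ol-server sudo[12310]:   bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Aug 18 12:22:30 ol-server sshd[12333]: Accepted publickey for opc from 10.0.0.5 port 51234 ssh2
Aug 18 12:23:45 ol-server sudo[12340]:   alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser2'

# sudo_denials CONTENT: one tab-separated "user<TAB>reason<TAB>command" line
# per denied sudo attempt. A successful sudo line carries no reason field,
# so it is left out; lines from other daemons are ignored.
sudo_denials() {
    printf '%s\n' "$1" | awk '
        / sudo\[[0-9]+\]: / && /(user NOT in sudoers|command not allowed|incorrect password attempt)/ {
            split($0, part, " : ")               # part[1] ends with the invoking user
            user = part[1]
            sub(/.*: +/, "", user)               # keep only the user name
            m = split(part[2], f, " ; ")         # reason first, then KEY=VALUE fields
            cmd = ""
            for (i = 2; i <= m; i++)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            printf "%s\t%s\t%s\n", user, f[1], cmd
        }'
}

# count_denials CONTENT USER: number of denied attempts made by USER
count_denials() {
    sudo_denials "$1" | awk -F '\t' -v u="$2" '$1 == u { n++ } END { print n + 0 }'
}

# Stand-alone run: list the denials, then a per-user summary.
sudo_denials "$SAMPLE_SECURE"
for u in alice bob opc; do
    printf '%s: %s denied attempt(s)\n' "$u" "$(count_denials "$SAMPLE_SECURE" "$u")"
done
```

The successful sudo line for alice (the one with no reason between the user name and TTY=) is the record written after the entry in step 6 was added; keeping it out of the denial list is what makes the count useful for spotting accounts that repeatedly try commands they are not permitted.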
    

Option 2: Grant Elevated Privileges to a User

In this section, you grant sudo privileges by adding a user to the wheel group.

  1. As the root user, view the wheel entry in the /etc/sudoers file.

    grep wheel /etc/sudoers
    

    Example Output:

    [root@ol-server ~]# grep wheel /etc/sudoers
    ## Allows people in group wheel to run all commands
    %wheel	ALL=(ALL)	ALL
    # %wheel	ALL=(ALL)	NOPASSWD: ALL
    [root@ol-server ~]#  
    

    The %wheel ALL=(ALL) ALL entry in the /etc/sudoers file allows any member of the wheel group to execute any command, when preceded by sudo.

  2. Add the alice user to the wheel group. Confirm the alice user is in the wheel group.

    usermod -aG wheel alice
    grep wheel /etc/group
    

    Example Output:

    [root@ol-server ~]# usermod -aG wheel alice
    [root@ol-server ~]# grep wheel /etc/group
    wheel:x:10:oracle,alice
    [root@ol-server ~]#  
    

    User alice has a secondary group membership in the wheel group.

  3. Become the alice user. You are not prompted for the alice user’s password because you currently are the root user. Verify you are the alice user.

    su - alice
    whoami
    

    Example Output:

    [root@ol-server ~]# su - alice
    Last login: Fri Aug 18 13:09:18 GMT 2023 on pts/0
    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$  
    
  4. As the alice user, add anotheruser2 using the sudo useradd command. Provide the password of AB*gh246 if prompted.

    sudo useradd anotheruser2
    

    Example Output:

    [alice@ol-server ~]$ sudo useradd anotheruser2
    [sudo] password for alice: 
    [alice@ol-server ~]$  
    
  5. Verify anotheruser2 was added. The ls command fails because only anotheruser2 can read its own home directory, and succeeds once you insert sudo. This confirms the alice user has sudo privileges.

    grep anotheruser2 /etc/passwd
    ls -la /home/anotheruser2
    sudo ls -la /home/anotheruser2
    

    Example Output:

    [alice@ol-server ~]$ grep anotheruser2 /etc/passwd
    anotheruser2:x:1005:1006::/home/anotheruser2:/bin/bash
    [alice@ol-server ~]$ ls -la /home/anotheruser2
    ls: cannot open directory '/home/anotheruser2': Permission denied
    [alice@ol-server ~]$ sudo ls -la /home/anotheruser2
    total 12
    drwx------. 2 anotheruser2 anotheruser2  62 Aug 18 13:14 .
    drwxr-xr-x. 8 root         root         101 Aug 18 13:14 ..
    -rw-r--r--. 1 anotheruser2 anotheruser2  18 Aug  2  2022 .bash_logout
    -rw-r--r--. 1 anotheruser2 anotheruser2 141 Aug  2  2022 .bash_profile
    -rw-r--r--. 1 anotheruser2 anotheruser2 376 Aug  2  2022 .bashrc
    [alice@ol-server ~]$  
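
Option 1 granted alice a single command through a per-user sudoers entry; Option 2 granted her everything through the %wheel entry. The following script is an added example, not part of the Oracle tutorial: a small evaluator for sudoers rules of the "who HOST=(RUNAS) COMMAND" form used in this lab, so the effect of either kind of entry can be checked against a group file before relying on it. Its simplifications are assumptions: the host and runas parts are not checked, aliases, Defaults, negated (!) rules and include directives are ignored, and a rule whose command carries no arguments matches any arguments (as sudo does). As with sudo, the last matching rule wins. The sudoers and group contents are constructed to mirror this lab.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): evaluate simple sudoers
# rules against a user and their group memberships. Content is constructed.

SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
alice   ALL=(ALL)       /sbin/useradd
#bob    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL'

# group file before and after "usermod -aG wheel alice"
GROUP_BEFORE='wheel:x:10:oracle
staff:x:1004:alice,mynewuser1'
GROUP_AFTER='wheel:x:10:oracle,alice
staff:x:1004:alice,mynewuser1'

# user_groups USER GROUP_CONTENT: space-separated secondary groups of USER
user_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1
    } END { print "" }'
}

# sudo_allowed USER COMMAND SUDOERS_CONTENT GROUP_CONTENT:
# prints "allow <who> <cmdspec>" for the last matching rule, else "denied".
sudo_allowed() {
    groups=$(user_groups "$1" "$4")
    printf '%s\n' "$3" | awk -v u="$1" -v c="$2" -v g=" $groups " '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments and blank lines
        {
            who = $1
            spec = $0
            sub(/^[^=]*=\([^)]*\)[ \t]*/, "", spec)     # drop "who HOST=(RUNAS)"
            gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):[ \t]*/, "", spec)   # drop tags
            sub(/[ \t]+$/, "", spec)
            subject = (who == u)                         # per-user rule
            if (substr(who, 1, 1) == "%")                # %group rule
                subject = (index(g, " " substr(who, 2) " ") > 0)
            if (subject && (spec == "ALL" || spec == c || index(c, spec " ") == 1))
                rule = "allow " who " " spec
        }
        END { print (rule == "" ? "denied" : rule) }'
}

# Stand-alone run: the two situations the lab walks through.
for cmd in "/sbin/useradd anotheruser" "/bin/bash"; do
    printf 'alice before wheel membership, %-26s -> %s\n' "$cmd" \
        "$(sudo_allowed alice "$cmd" "$SAMPLE_SUDOERS" "$GROUP_BEFORE")"
    printf 'alice after wheel membership,  %-26s -> %s\n' "$cmd" \
        "$(sudo_allowed alice "$cmd" "$SAMPLE_SUDOERS" "$GROUP_AFTER")"
done
```

Before the wheel membership, alice can run /sbin/useradd with any arguments but not /bin/bash; after it, the %wheel rule matches last and grants everything, which is the difference between the two options that a least-privilege review should weigh.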
    

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.