Note:
- This tutorial is available in an Oracle-provided free lab environment.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Create Users and Groups on Oracle Linux
Introduction
The following tutorial provides step-by-step procedures to perform user and group administration on Oracle Linux. You will create users and groups, implement user private groups, and grant a user elevated privileges.
Objectives
In this lab, you'll:
- Create a new user and explore the user's home directory
- Create a new group and add a user to the group
- Use the user private group scheme to give a group write access to a shared directory
- Administer the sudo command for granting root privileges
What Do You Need?
- A system with Oracle Linux installed
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Administer User Accounts
In this section, you use command-line utilities to create a new user account, view files that are updated when adding a new user, modify a user account, set a password for the new user, and log in as the new user.
- Open a terminal and connect to your Oracle Linux instance.
- Become the root user.
  sudo su -
- As the root user, add a user named alice.
  useradd alice
  The user is added to the /etc/passwd file.
- View the alice entry in the /etc/passwd file.
  grep alice /etc/passwd
  Example Output:
  [root@ol-server ~]# grep alice /etc/passwd
  alice:x:1002:1002::/home/alice:/bin/bash
  [root@ol-server ~]#
  The output shows the seven colon-separated fields of a passwd entry: user name, password placeholder (x, because the hash lives in /etc/shadow), UID, primary GID, GECOS comment (empty for now), home directory, and login shell. In particular:
  - The new user's UID and GID are the same (1002). Regular accounts receive the next free UID at or above UID_MIN, which is 1000 by default in /etc/login.defs.
  - A home directory was created for the new user (/home/alice).
  - The default shell for the new user is /bin/bash.
- View the home directories.
  ls -l /home
  Example Output:
  [root@ol-server ~]# ls -l /home
  total 0
  drwx------. 2 alice  alice  62 Aug 18 09:50 alice
  drwx------. 4 opc    opc    90 Aug 18 09:48 opc
  drwx------. 3 oracle oracle 74 Aug 18 09:48 oracle
  [root@ol-server ~]#
  In this example, the opc and oracle users already existed.
  A home directory was created for the new user because the CREATE_HOME parameter in /etc/login.defs is set to yes. The directory is created with mode 0700 (drwx------), so other non-root users cannot read or list it.
- View the CREATE_HOME parameter in the /etc/login.defs file.
  grep CREATE_HOME /etc/login.defs
  Example Output:
  [root@ol-server ~]# grep CREATE_HOME /etc/login.defs
  CREATE_HOME yes
  [root@ol-server ~]#
- View the default settings for a new user, stored in /etc/default/useradd.
  cat /etc/default/useradd
  Example Output:
  [root@ol-server ~]# cat /etc/default/useradd
  # useradd defaults file
  GROUP=100
  HOME=/home
  INACTIVE=-1
  EXPIRE=
  SHELL=/bin/bash
  SKEL=/etc/skel
  CREATE_MAIL_SPOOL=yes
  [root@ol-server ~]#
  The SKEL parameter is set to /etc/skel. GROUP=100 (the users group) is only used as the primary group when the user private group scheme is turned off or useradd is run with -N; with the default scheme each new user gets a private group instead.
- View the contents of the /etc/skel directory.
  ls -la /etc/skel
  Example Output:
  [root@ol-server ~]# ls -la /etc/skel
  total 24
  drwxr-xr-x.   2 root root   62 Jun 20 15:48 .
  drwxr-xr-x. 116 root root 8192 Aug 18 09:56 ..
  -rw-r--r--.   1 root root   18 Aug  2  2022 .bash_logout
  -rw-r--r--.   1 root root  141 Aug  2  2022 .bash_profile
  -rw-r--r--.   1 root root  376 Aug  2  2022 .bashrc
  [root@ol-server ~]#
  These shell startup files are copied into, and then executed at every login of, every account created from now on, so /etc/skel must stay owned by root and writable only by root, as it is here.
- View the contents of the alice home directory.
  ls -la /home/alice
  Example Output:
  [root@ol-server ~]# ls -la /home/alice
  total 12
  drwx------. 2 alice alice  62 Aug 18 09:50 .
  drwxr-xr-x. 5 root  root   44 Aug 18 09:50 ..
  -rw-r--r--. 1 alice alice  18 Aug  2  2022 .bash_logout
  -rw-r--r--. 1 alice alice 141 Aug  2  2022 .bash_profile
  -rw-r--r--. 1 alice alice 376 Aug  2  2022 .bashrc
  [root@ol-server ~]#
  The contents of SKEL (/etc/skel) are copied to the new user's home directory, and ownership of the copies is changed to the new user.
- View the new alice entry in the /etc/group file.
  grep alice /etc/group
  Example Output:
  [root@ol-server ~]# grep alice /etc/group
  alice:x:1002:
  [root@ol-server ~]#
  Because Oracle Linux uses a user private group (UPG) scheme, a new private group named alice (GID 1002, matching the UID) was created when the alice user was created. This is the group recorded as the primary GID in the alice entry in /etc/passwd.
- Modify GECOS information for the alice user. View the alice entry in the /etc/passwd file before and after modifying GECOS information.
  grep alice /etc/passwd
  usermod -c "Alice Smith" alice
  grep alice /etc/passwd
  Example Output:
  [root@ol-server ~]# grep alice /etc/passwd
  alice:x:1002:1002::/home/alice:/bin/bash
  [root@ol-server ~]# usermod -c "Alice Smith" alice
  [root@ol-server ~]# grep alice /etc/passwd
  alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
  [root@ol-server ~]#
- Create a password of AB*gh246 for the alice user. View the alice entry in the /etc/shadow file before and after creating a password for alice.
  grep alice /etc/shadow
  passwd alice
  grep alice /etc/shadow
  Example Output:
  [root@ol-server ~]# grep alice /etc/shadow
  alice:!!:19587:0:99999:7:::
  [root@ol-server ~]# passwd alice
  Changing password for user alice.
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully.
  [root@ol-server ~]# grep alice /etc/shadow
  alice:$6$Ulba2YCfMyrwZC8V$J0jWtJmaOa1vKN2yywyiN4AQpWfg1gDd6Duzm.TWEWHwFDYcxjjIuF2qrIO7rk8LsEBm6s//mgKa5jbqhfT9E.:19587:0:99999:7:::
  [root@ol-server ~]#
  The !! in the password field for alice, which marks a locked account that cannot log in with a password, is replaced with a hashed password value. The $6$ prefix identifies a salted SHA-512 crypt hash; the remaining fields are the date of the last password change (days since 1970-01-01), the minimum and maximum password age, and the warning period. /etc/shadow is readable only by root, which is why the hash does not appear in the world-readable /etc/passwd.
- Exit the root login and log in as the alice user. Provide the password of AB*gh246 when prompted.
  exit
  su - alice
  Example Output:
  [root@ol-server ~]# exit
  logout
  [oracle@ol-server ~]$ su - alice
  Password:
  [alice@ol-server ~]$
- Verify you are the alice user and your current directory is the alice user's home directory.
  whoami
  pwd
  Example Output:
  [alice@ol-server ~]$ whoami
  alice
  [alice@ol-server ~]$ pwd
  /home/alice
  [alice@ol-server ~]$
- Exit the alice user's shell and become the root user.
  exit
  sudo su -
  Example Output:
  [alice@ol-server ~]$ exit
  logout
  [oracle@ol-server ~]$ sudo su -
  Last login: Fri Aug 18 09:50:03 GMT 2023 on pts/0
  [root@ol-server ~]#
- As the root user, add a user named mynewuser1, which is used later in this lab.
  useradd mynewuser1
- Create a password of XY*gh579 for the mynewuser1 user.
  passwd mynewuser1
  Example Output:
  [root@ol-server ~]# passwd mynewuser1
  Changing password for user mynewuser1.
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully.
  [root@ol-server ~]#
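The checks this section performs by hand (UID and private-group pairing, the locked-account marker in /etc/shadow, whether a password field holds a hash at all) are the ones worth scripting on a real fleet. The following shell script is an added example and is not part of the Oracle tutorial. It runs the same inspections over constructed /etc/passwd, /etc/shadow and /etc/group content embedded in the script, modelled on the lab's output with two deliberate findings added (a second UID 0 account named backdoor and an account named svc with an empty password field), so it runs without root. To audit a real host, replace the three sample variables with the contents of the real files; only root can read /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial. Audits account databases for
# the properties the lab inspects by hand. All input below is constructed.

# Constructed /etc/passwd: the lab's accounts plus two deliberate findings,
# "backdoor" (a second UID 0) and "svc" (primary group 100, not a private group).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
opc:x:1000:1000::/home/opc:/bin/bash
alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
mynewuser1:x:1003:1003::/home/mynewuser1:/bin/bash
backdoor:x:0:0::/root:/bin/bash
svc:x:1010:100::/home/svc:/bin/bash'

# Constructed /etc/shadow: opc is locked (!!), svc has an empty password
# field (no password required at all), the rest carry SHA-512 crypt hashes
# (shortened here; real $6$ hashes are 86 characters after the salt).
SHADOW_SAMPLE='root:$6$saltroot$hash:19587:0:99999:7:::
opc:!!:19587:0:99999:7:::
alice:$6$Ulba2YCfMyrwZC8V$hash:19587:0:99999:7:::
mynewuser1:$6$saltuser1$hash:19587:0:99999:7:::
backdoor:$6$saltbd$hash:19587:0:99999:7:::
svc::19587:0:99999:7:::'

# Constructed /etc/group, including the lab's staff group.
GROUP_SAMPLE='root:x:0:
wheel:x:10:oracle,alice
users:x:100:
opc:x:1000:
alice:x:1002:
mynewuser1:x:1003:
staff:x:1004:alice,mynewuser1'

# Accounts other than root whose UID is 0: each one is a full root login.
extra_uid0() {
  printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow password field is empty: login succeeds with no password.
empty_passwords() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose password is locked ("!!" right after useradd, "!" after
# passwd -l, or "*"): no password login, but SSH keys still work.
locked_accounts() {
  printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Accounts that break the user private group scheme: the primary GID in
# passwd (field 4) must be the GID of a group with the same name as the user.
non_upg_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r name pw uid gid rest; do
    group_gid=$(printf '%s\n' "$GROUP_SAMPLE" | awk -F: -v n="$name" '$1 == n { print $3 }')
    [ "$group_gid" = "$gid" ] || printf '%s\n' "$name"
  done
}

# Members of the wheel group, i.e. accounts with unrestricted sudo on the lab system.
wheel_members() {
  printf '%s\n' "$GROUP_SAMPLE" | awk -F: '$1 == "wheel" { print $4 }'
}

report() {
  printf 'extra UID 0 accounts : %s\n' "$(extra_uid0 | tr '\n' ' ')"
  printf 'empty passwords      : %s\n' "$(empty_passwords | tr '\n' ' ')"
  printf 'locked accounts      : %s\n' "$(locked_accounts | tr '\n' ' ')"
  printf 'non-UPG accounts     : %s\n' "$(non_upg_accounts | tr '\n' ' ')"
  printf 'wheel members        : %s\n' "$(wheel_members)"
}

report
```

The non-UPG check is the one that catches accounts created with -N or -g on a system that otherwise relies on private groups: such an account gets a 022 umask from /etc/bashrc and its files end up group-writable nowhere, or, if its primary group is a shared one like users, group-writable everywhere.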
Administer Group Accounts
In this section, you create a new group account and add a user to this new group.
- As the root user, add a group named staff.
  groupadd staff
  The group is added to the /etc/group file.
- View the last 10 entries in the /etc/group file.
  tail /etc/group
  Example Output:
  [root@ol-server ~]# tail /etc/group
  sshd:x:74:
  slocate:x:21:
  tcpdump:x:72:
  oracle-cloud-agent:x:985:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun
  pcp:x:984:
  opc:x:1000:
  oracle:x:1001:
  alice:x:1002:
  mynewuser1:x:1003:
  staff:x:1004:
  [root@ol-server ~]#
  The new group received the next free GID (1004), one higher than the last group created.
- Add the alice user to the staff group. View the staff group entry in the /etc/group file.
  usermod -aG 1004 alice
  grep staff /etc/group
  Example Output:
  [root@ol-server ~]# usermod -aG 1004 alice
  [root@ol-server ~]# grep staff /etc/group
  staff:x:1004:alice
  [root@ol-server ~]#
  The alice user now has a secondary (supplementary) group membership in the staff group. The -a (append) option matters: usermod -G without -a replaces the user's entire list of supplementary groups with the ones given, silently removing any other memberships.
- View the primary group membership for alice.
  grep alice /etc/passwd
  Example Output:
  [root@ol-server ~]# grep alice /etc/passwd
  alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
  [root@ol-server ~]#
  The alice user's primary group (the fourth field) is still 1002. Group membership is read at login, so a session that alice already has open does not see the new group until she logs in again.
Implement User Private Groups
In this section, you use the User Private Groups scheme to give different users write access to files in a single directory.
- As the root user, create the /staff directory.
  mkdir /staff
- View the /staff directory and its permissions.
  ls -ld /staff
  Example Output:
  [root@ol-server ~]# ls -ld /staff
  drwxr-xr-x. 2 root root 6 Aug 18 11:23 /staff
  [root@ol-server ~]#
- Change group ownership for the /staff directory to the staff group. The -R option (recursive) also sets the group for any files and directories within /staff. View the /staff directory and its permissions after changing the group ownership.
  chgrp -R staff /staff
  ls -ld /staff
  Example Output:
  [root@ol-server ~]# chgrp -R staff /staff
  [root@ol-server ~]# ls -ld /staff
  drwxr-xr-x. 2 root staff 6 Aug 18 11:23 /staff
  [root@ol-server ~]#
  The owner of the /staff directory is still root, but the group is now staff.
- Set the setgid bit on the /staff directory and give the group write access. Then view the permissions on the /staff directory.
  chmod -R 2775 /staff
  ls -ld /staff
  Example Output:
  [root@ol-server ~]# chmod -R 2775 /staff
  [root@ol-server ~]# ls -ld /staff
  drwxrwsr-x. 2 root staff 6 Aug 18 11:23 /staff
  [root@ol-server ~]#
  The group permissions on the /staff directory have changed from r-x to rws: the group can now write, and the s in place of x is the setgid bit, which makes every file and subdirectory created inside /staff belong to the staff group instead of the creator's private group. The -R option is harmless here because /staff is empty; on a directory that already holds files it would set mode 2775 on every regular file as well, marking them executable and setgid. For an existing tree, apply the bit to directories only (for example with find /staff -type d -exec chmod 2775 {} +). Mode 2775 also leaves the directory readable by everyone else; use 2770 when the content should be visible to the group only.
- Add the mynewuser1 user to the staff group. View the staff entry in the /etc/group file after adding the mynewuser1 user.
  usermod -aG staff mynewuser1
  grep staff /etc/group
  Example Output:
  [root@ol-server ~]# usermod -aG staff mynewuser1
  [root@ol-server ~]# grep staff /etc/group
  staff:x:1004:alice,mynewuser1
  [root@ol-server ~]#
  Both the alice and mynewuser1 users have secondary group membership in the staff group.
- Become the mynewuser1 user. You are not prompted for the mynewuser1 user's password because you currently are the root user. Verify you are the mynewuser1 user and your current directory is the mynewuser1 user's home directory.
  su - mynewuser1
  whoami
  pwd
  Example Output:
  [root@ol-server ~]# su - mynewuser1
  [mynewuser1@ol-server ~]$ whoami
  mynewuser1
  [mynewuser1@ol-server ~]$ pwd
  /home/mynewuser1
  [mynewuser1@ol-server ~]$
- Display group membership for the mynewuser1 user.
  groups
  Example Output:
  [mynewuser1@ol-server ~]$ groups
  mynewuser1 staff
  [mynewuser1@ol-server ~]$
  The mynewuser1 user belongs to two groups: mynewuser1 (the private group) and staff.
- Change to the /staff directory. Create a new file in the /staff directory named mynewuser1_file. Display the permissions and ownership of the new file.
  cd /staff
  touch mynewuser1_file
  ls -l mynewuser1_file
  Example Output:
  [mynewuser1@ol-server ~]$ cd /staff
  [mynewuser1@ol-server staff]$ touch mynewuser1_file
  [mynewuser1@ol-server staff]$ ls -l mynewuser1_file
  -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 11:40 mynewuser1_file
  [mynewuser1@ol-server staff]$
  The file's group is staff rather than mynewuser1 because of the setgid bit on /staff, and the permissions are read/write for the staff group. Note where that group write bit comes from: the default /etc/bashrc on Oracle Linux sets a umask of 002 for accounts whose primary group name matches the user name (the UPG case) and 022 otherwise. Under a 022 umask the file would be created -rw-r--r-- and other staff members could read but not modify it, even though the directory itself is set up correctly.
- Become the alice user. Provide the password of AB*gh246 when prompted. Verify you are the alice user.
  su - alice
  whoami
  Example Output:
  [mynewuser1@ol-server staff]$ su - alice
  Password:
  Last login: Fri Aug 18 11:10:13 GMT 2023 on pts/0
  [alice@ol-server ~]$ whoami
  alice
  [alice@ol-server ~]$
- Display group membership for the alice user.
  groups
  Example Output:
  [alice@ol-server ~]$ groups
  alice staff
  [alice@ol-server ~]$
  The alice user belongs to two groups: alice and staff.
- Change to the /staff directory. Create a new file in the /staff directory named alice_file. Display the permissions and ownership of both files.
  cd /staff
  touch alice_file
  ls -l
  Example Output:
  [alice@ol-server ~]$ cd /staff
  [alice@ol-server staff]$ touch alice_file
  [alice@ol-server staff]$ ls -l
  total 0
  -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
  -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:06 mynewuser1_file
  [alice@ol-server staff]$
  The permissions are read/write on both files for the staff group.
- As the alice user, use the touch command to update the time stamp on mynewuser1_file. View the files to verify the time has changed.
  touch mynewuser1_file
  ls -l
  Example Output:
  [alice@ol-server staff]$ touch mynewuser1_file
  [alice@ol-server staff]$ ls -l
  total 0
  -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
  -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:11 mynewuser1_file
  [alice@ol-server staff]$
  Updating the time stamp of a file you do not own requires write permission on it, so this confirms that alice can modify a file created by mynewuser1 through their shared staff group membership. Because /staff itself is group-writable and has no sticky bit, any staff member can also delete or rename the other's files; add the sticky bit (chmod 3775 /staff) if only a file's owner should be able to remove it.
- Exit both the alice user's shell and the mynewuser1 user's shell to return to the root user's shell. Verify that you are the root user.
  exit
  exit
  whoami
  Example Output:
  [alice@ol-server staff]$ exit
  logout
  [mynewuser1@ol-server staff]$ exit
  logout
  [root@ol-server ~]# whoami
  root
  [root@ol-server ~]#
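To see the two mechanisms behind this section at work without root, the following shell script (an added example, not part of the Oracle tutorial) rebuilds the /staff setup inside a temporary directory owned by the current user. Because the directory's group is the caller's own primary group (a chgrp to staff would require that group to exist on whatever host runs this), the group inheritance check is only a sanity check here; the part that usually goes wrong in practice, the umask, is the main point: the same setgid directory yields a group-writable file under the 002 umask that /etc/bashrc gives UPG accounts and a group-read-only file under 022. The stat -c calls assume GNU coreutils, as on Oracle Linux.

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial. Reproduces the /staff
# configuration in a scratch directory so it runs unprivileged, and shows
# why the lab's files come out -rw-rw-r--.

# Create a group-shared directory: group-writable, setgid so that new
# entries inherit the directory's group, and (unlike the lab's 2775) closed
# to "other". $1 is the path, $2 the group name.
make_shared_dir() {
  mkdir -p "$1"
  chgrp "$2" "$1"
  chmod 2770 "$1"
}

# Octal mode (including the setgid/sticky digit) and group name of a path;
# stat -c is GNU coreutils syntax.
mode_of()  { stat -c %a "$1"; }
group_of() { stat -c %G "$1"; }

# Create an empty file under a given umask in a subshell, so the caller's
# own umask is untouched. $1 = directory, $2 = file name, $3 = umask.
create_with_umask() {
  ( umask "$3" && : > "$1/$2" )
}

# Build the scratch tree: one file created the way an Oracle Linux UPG
# account does it (umask 002) and one the way a non-UPG account or a root
# shell would (umask 022). Prints the scratch directory path.
demo_tree() {
  scratch=$(mktemp -d)
  make_shared_dir "$scratch/staff" "$(id -gn)"   # id -gn: caller's primary group
  create_with_umask "$scratch/staff" upg_file 002
  create_with_umask "$scratch/staff" default_file 022
  printf '%s\n' "$scratch"
}

# Standalone run: show the directory and both files, then clean up.
d=$(demo_tree)
echo "directory : $(mode_of "$d/staff") group=$(group_of "$d/staff")"
echo "umask 002 : $(mode_of "$d/staff/upg_file") group=$(group_of "$d/staff/upg_file")   (group can write)"
echo "umask 022 : $(mode_of "$d/staff/default_file") group=$(group_of "$d/staff/default_file")   (group read-only)"
rm -rf "$d"
```

On a real host the fix for the 022 case is not to loosen the global umask but to give the shared directory a default ACL (setfacl -d -m g:staff:rwx /staff), which grants the group write access on new files regardless of the creator's umask.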
Option 1: Grant Elevated Privileges to a User
In this section, you grant sudo privileges to a user by adding an entry to the /etc/sudoers file.
- Become the alice user. You are not prompted for the alice password because you currently are the root user. Verify you are the alice user.
  su - alice
  whoami
  Example Output:
  [root@ol-server ~]# su - alice
  Last login: Fri Aug 18 12:07:27 GMT 2023 on pts/0
  [alice@ol-server ~]$ whoami
  alice
  [alice@ol-server ~]$
- As the alice user, attempt to add anotheruser.
  useradd anotheruser
  Example Output:
  [alice@ol-server ~]$ useradd anotheruser
  useradd: Permission denied.
  useradd: cannot lock /etc/passwd; try again later.
  [alice@ol-server ~]$
  The alice user does not have permission to add anotheruser: /etc/passwd, /etc/shadow and /etc/group are writable only by root.
- Insert the sudo command before the previous useradd command to add anotheruser. Provide the password of AB*gh246 when prompted.
  sudo useradd anotheruser
  Example Output:
  [alice@ol-server ~]$ sudo useradd anotheruser

  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these three things:

      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.

  [sudo] password for alice:
  alice is not in the sudoers file.  This incident will be reported.
  [alice@ol-server ~]$
  The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.
- Exit the alice user's shell to return to the root user's shell. View sudoers entries in the /var/log/secure file.
  exit
  grep sudoers /var/log/secure
  Example Output:
  [alice@ol-server ~]$ exit
  logout
  [root@ol-server ~]# grep sudoers /var/log/secure
  Aug 18 12:18:54 ol-server sudo[12289]: alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
  [root@ol-server ~]#
  The alice : user NOT in sudoers entry for the attempted use of the /sbin/useradd command is in the /var/log/secure file. The example shows a single entry; you will see one entry for each attempt. Each entry records the invoking user, the TTY, the working directory, the target user and the full command line, which is what makes /var/log/secure the first place to look when hunting for privilege escalation attempts.
- As the root user, edit the /etc/sudoers file by using the visudo command.
  visudo
  This command opens the /etc/sudoers file using the vim editor. Always use visudo rather than editing /etc/sudoers directly: it locks the file against concurrent edits and checks the syntax before saving. A syntax error in /etc/sudoers disables sudo for everyone, including the administrator who would need it to repair the file.
- In the /etc/sudoers file, scroll down to the section shown in the example output and add the following line to grant the alice user permission to run the /sbin/useradd command.
  alice ALL=(ALL) /sbin/useradd
  Example Output:
  ## Next comes the main part: which users can run what software on
  ## which machines (the sudoers file can be shared between multiple
  ## systems).
  ## Syntax:
  ##
  ##      user    MACHINE=COMMANDS
  ##
  ## The COMMANDS section may have other options added to it.
  ##
  ## Allow root to run any commands anywhere
  root    ALL=(ALL)       ALL
  alice   ALL=(ALL)       /sbin/useradd
  The entry reads: user alice, on any host (the first ALL), may run /sbin/useradd as any target user (the ALL in parentheses). Ensure the alice entry is added. Save your changes and exit the visudo command. Keep in mind that /sbin/useradd is not a safe command to delegate outside a lab: useradd can create a second UID 0 account (useradd -o -u 0) and set its password hash with -p, so a sudo rule for useradd is equivalent to full root. The lab uses it only to demonstrate the sudoers syntax.
- Become the alice user. Attempt to add anotheruser without the sudo command. Insert the sudo command and attempt to add anotheruser a second time. Provide the password of AB*gh246 when prompted.
  su - alice
  useradd anotheruser
  sudo useradd anotheruser
  Example Output:
  [root@ol-server ~]# su - alice
  Last login: Fri Aug 18 12:16:40 GMT 2023 on pts/0
  [alice@ol-server ~]$ useradd anotheruser
  useradd: Permission denied.
  useradd: cannot lock /etc/passwd; try again later.
  [alice@ol-server ~]$ sudo useradd anotheruser
  [sudo] password for alice:
  [alice@ol-server ~]$
- Verify anotheruser was added.
  grep anotheruser /etc/passwd
  ls -l /home
  Example Output:
  [alice@ol-server ~]$ grep anotheruser /etc/passwd
  anotheruser:x:1004:1005::/home/anotheruser:/bin/bash
  [alice@ol-server ~]$ ls -l /home
  total 0
  drwx------. 2 alice       alice       83 Aug 18 12:50 alice
  drwx------. 2 anotheruser anotheruser 62 Aug 18 13:04 anotheruser
  drwx------. 2 mynewuser1  mynewuser1  83 Aug 18 12:54 mynewuser1
  drwx------. 4 opc         opc         90 Aug 18 12:45 opc
  drwx------. 3 oracle      oracle      74 Aug 18 12:45 oracle
  [alice@ol-server ~]$
  The anotheruser account now exists, and its home directory appears alongside the others (ls -l /home lists every home directory, not only the new one). Its UID (1004) and GID (1005) differ because GID 1004 was already taken by the staff group, so the private group received the next free GID. With the alice entry in the /etc/sudoers file, the alice user has sudo privileges to run the /sbin/useradd command. The verification itself needed no sudo: /etc/passwd and the /home listing are world-readable, only the modification required elevated privileges.
- Exit the alice shell to return to the root shell. Use the visudo command and delete the alice entry from the /etc/sudoers file that you added earlier in this lab.
  exit
  visudo
  Delete the alice line previously added, or, as in this example, insert the # character to comment out the line. Save your changes and exit the visudo command.
  Example Output:
  ## Next comes the main part: which users can run what software on
  ## which machines (the sudoers file can be shared between multiple
  ## systems).
  ## Syntax:
  ##
  ##      user    MACHINE=COMMANDS
  ##
  ## The COMMANDS section may have other options added to it.
  ##
  ## Allow root to run any commands anywhere
  root    ALL=(ALL)       ALL
  #alice  ALL=(ALL)       /sbin/useradd
- Verify the alice user can no longer add a new user. Become the alice user. Attempt to add anotheruser2 with the sudo command.
  su - alice
  sudo useradd anotheruser2
  Example Output:
  [root@ol-server ~]# su - alice
  Last login: Fri Aug 18 13:03:55 GMT 2023 on pts/0
  [alice@ol-server ~]$ sudo useradd anotheruser2
  alice is not in the sudoers file.  This incident will be reported.
  [alice@ol-server ~]$
  The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.
- Exit the alice user's shell to return to the root user's shell.
  exit
Option 2: Grant Elevated Privileges to a User
In this section, you grant sudo privileges by adding a user to the wheel group.
- As the root user, view the wheel entry in the /etc/sudoers file.
  grep wheel /etc/sudoers
  Example Output:
  [root@ol-server ~]# grep wheel /etc/sudoers
  ## Allows people in group wheel to run all commands
  %wheel  ALL=(ALL)       ALL
  # %wheel        ALL=(ALL)       NOPASSWD: ALL
  [root@ol-server ~]#
  The %wheel ALL=(ALL) ALL entry in the /etc/sudoers file allows any member of the wheel group to execute any command as any user when preceded by sudo, after authenticating with their own password. The % prefix marks a group name. Leave the NOPASSWD variant commented out: enabling it means that anyone who gets hold of a wheel member's session (an unlocked terminal, a stolen SSH key, a compromised process running as that user) has root with no further check.
- Add the alice user to the wheel group. Confirm the alice user is in the wheel group.
  usermod -aG wheel alice
  grep wheel /etc/group
  Example Output:
  [root@ol-server ~]# usermod -aG wheel alice
  [root@ol-server ~]# grep wheel /etc/group
  wheel:x:10:oracle,alice
  [root@ol-server ~]#
  User alice has a secondary group membership in the wheel group. Unlike the Option 1 rule, this grants alice unrestricted root, so wheel membership deserves the same review as the root password itself. As root, sudo -l -U alice lists exactly what a user is permitted to run.
- Become the alice user. You are not prompted for the alice password because you currently are the root user. Verify you are the alice user.
  su - alice
  whoami
  Example Output:
  [root@ol-server ~]# su - alice
  Last login: Fri Aug 18 13:09:18 GMT 2023 on pts/0
  [alice@ol-server ~]$ whoami
  alice
  [alice@ol-server ~]$
- As the alice user, add anotheruser2 using the sudo useradd command. Provide the password of AB*gh246 if prompted.
  sudo useradd anotheruser2
  Example Output:
  [alice@ol-server ~]$ sudo useradd anotheruser2
  [sudo] password for alice:
  [alice@ol-server ~]$
- Verify anotheruser2 was added. The ls command fails until you insert sudo, because the new home directory is mode 0700 and owned by anotheruser2. Succeeding with sudo confirms the alice user has sudo privileges for arbitrary commands, not just useradd.
  grep anotheruser2 /etc/passwd
  ls -la /home/anotheruser2
  sudo ls -la /home/anotheruser2
  Example Output:
  [alice@ol-server ~]$ grep anotheruser2 /etc/passwd
  anotheruser2:x:1005:1006::/home/anotheruser2:/bin/bash
  [alice@ol-server ~]$ ls -la /home/anotheruser2
  ls: cannot open directory '/home/anotheruser2': Permission denied
  [alice@ol-server ~]$ sudo ls -la /home/anotheruser2
  total 12
  drwx------. 2 anotheruser2 anotheruser2  62 Aug 18 13:14 .
  drwxr-xr-x. 8 root         root         101 Aug 18 13:14 ..
  -rw-r--r--. 1 anotheruser2 anotheruser2  18 Aug  2  2022 .bash_logout
  -rw-r--r--. 1 anotheruser2 anotheruser2 141 Aug  2  2022 .bash_profile
  -rw-r--r--. 1 anotheruser2 anotheruser2 376 Aug  2  2022 .bashrc
  [alice@ol-server ~]$
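As an added example, not part of the Oracle tutorial, the following shell script shows the two checks a security engineer would script around Option 1 and Option 2: pulling refused attempts out of /var/log/secure in the format shown in this lab, and flagging sudoers rules that amount to unrestricted root, which covers both the wheel rule and the useradd rule. The log lines and the sudoers excerpt are constructed samples embedded in the script; the first log line is the lab's own, "command not allowed" and "N incorrect password attempts" are the other refusal messages sudo writes, and the users bob, carol and mallory are hypothetical. To run it on a real host, replace the samples with the contents of /var/log/secure and of /etc/sudoers plus /etc/sudoers.d/* (both readable only by root).

```shell
#!/bin/sh
# Added example, not from the Oracle tutorial. Detection logic for the sudo
# log format shown in the lab, plus a reviewer's pass over sudoers rules.
# Every input below is constructed; bob, carol and mallory are hypothetical.

# Constructed /var/log/secure excerpt. Line 1 is the lab's own entry; a
# successful sudo logs "user : TTY=..." with no reason field.
SECURE_SAMPLE='Aug 18 12:18:54 ol-server sudo[12289]: alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
Aug 18 12:50:11 ol-server sudo[12401]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/useradd anotheruser
Aug 18 13:04:02 ol-server sudo[12533]: alice : command not allowed ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Aug 18 13:14:20 ol-server sudo[12610]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls -la /home/anotheruser2
Aug 18 13:20:45 ol-server sudo[12702]: mallory : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash'

# Constructed sudoers excerpt: the lab's rules plus three hypothetical ones.
SUDOERS_SAMPLE='## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
alice   ALL=(ALL)       /sbin/useradd
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
# %wheel        ALL=(ALL)       NOPASSWD: ALL
bob     ALL=(ALL)       NOPASSWD: /usr/bin/systemctl restart httpd
carol   ALL=(ALL)       /bin/bash'

# Print one "user|reason|command" line for every sudo invocation that was
# refused. A refusal carries a reason between "user : " and the first " ; ";
# a success has "TTY=" in that position, so it is skipped.
denied_sudo() {
  printf '%s\n' "$SECURE_SAMPLE" | awk '
    match($0, /sudo\[[0-9]+\]: +/) {
      rest = substr($0, RSTART + RLENGTH)
      user = rest;   sub(/ : .*/, "", user)
      reason = rest; sub(/^[^ ]+ : /, "", reason); sub(/ ; .*/, "", reason)
      cmd = rest;    sub(/.*COMMAND=/, "", cmd)
      if (reason !~ /^TTY=/) print user "|" reason "|" cmd
    }'
}

# Print "who|finding" for sudoers rules that are effectively full root:
# ALL commands, NOPASSWD, an interactive shell, or an account-management
# command that can itself create a UID 0 user. Comments, blank lines and
# root's own rule are skipped.
risky_sudoers() {
  printf '%s\n' "$SUDOERS_SAMPLE" | awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 == "root"         { next }
    {
      who = $1
      if ($0 ~ /NOPASSWD:/)                                         print who "|NOPASSWD (no authentication)"
      if ($0 ~ /[)=][[:space:]]*ALL[[:space:]]*$/)                  print who "|ALL commands"
      if ($0 ~ /\/(bash|sh|dash|zsh)([[:space:]]|$)/)              print who "|shell as target user"
      if ($0 ~ /\/(useradd|usermod|passwd|visudo)([[:space:]]|$)/) print who "|account-management command (root-equivalent)"
    }'
}

echo "== refused sudo invocations =="
denied_sudo
echo "== sudoers rules needing review =="
risky_sudoers
```

The log parser keys on the structure sudo always emits (user, optional reason, then the "key=value" fields separated by " ; ") rather than on fixed column positions, so it survives the varying whitespace sudo pads the user name with. The sudoers pass is deliberately a pattern match over one file; for a complete picture on a real system, including rules pulled in through #include directives, compare its findings with sudo -l -U user for each account of interest.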
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Create Users and Groups on Oracle Linux
F37531-12
August 2023
Copyright © 2021, Oracle and/or its affiliates.