Note:
- This tutorial is available in an Oracle-provided free lab environment.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Create Users and Groups on Oracle Linux
Introduction
When administering a Linux system, you will eventually need to create users and groups, whether for a particular software installation or to perform a specific task. As for groups, it’s a great way to control directory access.
Objectives
In this tutorial, you will learn how to:
- Create a new user and explore the user’s home directory
- Create a new group and add a user to the group
- Utilize the user private group scheme and implement write access to a directory
- Administer the
sudo
command for granting root privileges
Prerequisites
-
Minimum of a single Oracle Linux system
-
Each system should have Oracle Linux installed and configured with:
- A non-root user account with sudo access
- Access to the Internet
Deploy Oracle Linux
Note: If running in your own tenancy, read the linux-virt-labs
GitHub project README.md and complete the prerequisites before deploying the lab environment.
-
Open a terminal on the Luna Desktop.
-
Clone the
linux-virt-labs
GitHub project.git clone https://github.com/oracle-devrel/linux-virt-labs.git
-
Change into the working directory.
cd linux-virt-labs/ol
-
Install the required collections.
ansible-galaxy collection install -r requirements.yml
-
Deploy the lab environment.
ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"
The free lab environment requires the extra variable
local_python_interpreter
, which setsansible_python_interpreter
for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add
-e instance_shape="VM.Standard3.Flex"
or-e os_version="9"
to the deployment command.Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.
Administer User Accounts
-
Open a terminal and connect via SSH to the ol-node-01 instance.
ssh oracle@<ip_address_of_instance>
-
Become the root user.
sudo su -
-
As the root user, add a user named alice.
useradd alice
This command adds the user to the
/etc/passwd
file. -
View the alice entry in the
/etc/passwd
file.grep alice /etc/passwd
Example Output:
alice:x:1002:1002::/home/alice:/bin/bash
The output shows:
- The new user’s UID and GID are the same (
1002
) - Creation of a home directory for the new user (
/home/alice
) - The default shell for the new user is
/bin/bash
- The new user’s UID and GID are the same (
-
View the home directories.
ls -l /home
Example Output:
total 0 drwx------. 2 alice alice 62 Aug 18 09:50 alice drwx------. 4 opc opc 90 Aug 18 09:48 opc drwx------. 3 oracle oracle 74 Aug 18 09:48 oracle
The opc and oracle users already exist in this example.
The
useradd
command creates a home directory for the new user because the CREATE_HOME parameter in/etc/login.defs
is set toyes
. -
View the CREATE_HOME parameter in the
/etc/login.defs
file.grep CREATE_HOME /etc/login.defs
Example Output:
CREATE_HOME yes
-
View the default settings for a new user, stored in
/etc/default/useradd
.cat /etc/default/useradd
Example Output:
# useradd defaults file GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel CREATE_MAIL_SPOOL=yes
The SKEL parameter sets the location of the background or skeleton definition to
/etc/skel
, which provides what a new user’s home directory will look like. -
View the contents of the
/etc/skel
directory.ls -la /etc/skel
Example Output:
total 24 drwxr-xr-x. 2 root root 62 Jun 20 15:48 . drwxr-xr-x. 116 root root 8192 Aug 18 09:56 .. -rw-r--r--. 1 root root 18 Aug 2 2022 .bash_logout -rw-r--r--. 1 root root 141 Aug 2 2022 .bash_profile -rw-r--r--. 1 root root 376 Aug 2 2022 .bashrc
-
View the contents of the alice home directory.
ls -la /home/alice
Example Output:
total 12 drwx------. 2 alice alice 62 Aug 18 09:50 . drwxr-xr-x. 5 root root 44 Aug 18 09:50 .. -rw-r--r--. 1 alice alice 18 Aug 2 2022 .bash_logout -rw-r--r--. 1 alice alice 141 Aug 2 2022 .bash_profile -rw-r--r--. 1 alice alice 376 Aug 2 2022 .bashrc
The system copies the contents of SKEL (
/etc/skel
) to the new user’s home directory. -
View the new alice entry in the
/etc/group
file.grep alice /etc/group
Example Output:
alice:x:1002:
When creating the new alice user, the system creates a new private group (alice, GID=1001) because Oracle Linux uses a user private group (UPG) scheme.
-
Modify GECOS information for the alice user.
View the alice entry in the
/etc/passwd
file before and after modifying GECOS information.grep alice /etc/passwd usermod -c "Alice Smith" alice grep alice /etc/passwd
Example Output:
[root@ol-server ~]# grep alice /etc/passwd alice:x:1002:1002::/home/alice:/bin/bash [root@ol-server ~]# usermod -c "Alice Smith" alice [root@ol-server ~]# grep alice /etc/passwd alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash [root@ol-server ~]#
-
Create a password of
AB*gh246
for the alice user.View the alice entry in the
/etc/shadow
file before and after creating a password for alice.grep alice /etc/shadow passwd alice grep alice /etc/shadow
Example Output:
[root@ol-server ~]# grep alice /etc/shadow alice:!!:19587:0:99999:7::: [root@ol-server ~]# passwd alice Changing password for user alice. New password: Retype new password: passwd: all authentication tokens updated successfully. [root@ol-server ~]# grep alice /etc/shadow alice:$6$Ulba2YCfMyrwZC8V$J0jWtJmaOa1vKN2yywyiN4AQpWfg1gDd6Duzm.TWEWHwFDYcxjjIuF2qrIO7rk8LsEBm6s//mgKa5jbqhfT9E.:19587:0:99999:7::: [root@ol-server ~]#
The
!!
for alice is replaced with a hashed password value. -
Exit the root login and log in as the alice user.
Provide the password of
AB*gh246
when prompted.exit su - alice
Example Output:
[root@ol-server ~]# exit logout [oracle@ol-server ~]$ su - alice Password: [alice@ol-server ~]$
-
Verify you are the alice user and your current directory is the alice user’s home directory.
whoami pwd
Example Output:
[alice@ol-server ~]$ whoami alice [alice@ol-server ~]$ pwd /home/alice
-
Exit the alice user’s shell and become the root user.
exit sudo su -
Example Output:
[alice@ol-server ~]$ exit logout [oracle@ol-server ~]$ sudo su - Last login: Fri Aug 18 09:50:03 GMT 2023 on pts/0 [root@ol-server ~]#
-
As the root user, add a user named mynewuser1 which is used later in this tutorial.
useradd mynewuser1
-
Create a password of
XY*gh579
for the mynewuser1 user.passwd mynewuser1
Example Output:
[root@ol-server ~]# passwd mynewuser1 Changing password for user mynewuser1. New password: Retype new password: passwd: all authentication tokens updated successfully.
Administer Group Accounts
-
As the root user, add a group named staff.
groupadd staff
This command adds the group to the
/etc/group
file. -
View the last 10 entries in the
/etc/group
file.tail /etc/group
Example Output:
[root@ol-server ~]# tail /etc/group sshd:x:74: slocate:x:21: tcpdump:x:72: oracle-cloud-agent:x:985:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun pcp:x:984: opc:x:1000: oracle:x:1001: alice:x:1002: mynewuser1:x:1003: staff:x:1004: [root@ol-server ~]#
The new group’s GID (
1004
) is incremented by one. -
Add the alice user to the staff group.
View the staff group entry in the
/etc/group
file.usermod -aG 1004 alice grep staff /etc/group
Example Output:
[root@ol-server ~]# usermod -aG 1004 alice [root@ol-server ~]# grep staff /etc/group staff:x:1004:alice
The alice user has a secondary group membership in the staff group.
-
View the primary group membership for alice.
grep alice /etc/passwd
Example Output:
[root@ol-server ~]# grep alice /etc/passwd alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
The alice user’s primary group is still
1002
.
Implement User Private Groups
-
As the root user, create the
/staff
directory.mkdir /staff
-
View the
/staff
directory and its permissions.ls -ld /staff
Example Output:
[root@ol-server ~]# ls -ld /staff drwxr-xr-x. 2 root root 6 Aug 18 11:23 /staff
-
Change group ownership for the
/staff
directory to the staff group.The
-R
option (recursive) sets the group for files and directories within/staff
. After changing the group ownership, view the/staff
directory and its permissions.chgrp -R staff /staff ls -ld /staff
Example Output:
[root@ol-server ~]# chgrp -R staff /staff [root@ol-server ~]# ls -ld /staff drwxr-xr-x. 2 root staff 6 Aug 18 11:23 /staff [root@ol-server ~]#
The owner of the
/staff
directory is still root, but the group is now staff. -
Set the setgid bit on the
/staff
directory.Then, view the permissions on the
/staff
directory.chmod -R 2775 /staff ls -ld /staff
Example Output:
[root@ol-server ~]# chmod -R 2775 /staff [root@ol-server ~]# ls -ld /staff drwxrwsr-x. 2 root staff 6 Aug 18 11:23 /staff
The group permissions on the
/staff
directory have changed. -
Add the mynewuser1 user to the staff group.
View the staff entry in the
/etc/group
file after adding the mynewuser1 user.usermod -aG staff mynewuser1 grep staff /etc/group
Example Output:
[root@ol-server ~]# usermod -aG staff mynewuser1 [root@ol-server ~]# grep staff /etc/group staff:x:1004:alice,mynewuser1
Both alice and mynewuser1 users have secondary group membership in the staff group.
-
Become the mynewuser1 user.
You are not prompted for the mynewuser1 user’s password because you currently are the root user. Verify you are the mynewuser1 user and your current directory is the mynewuser1 user’s home directory.
su - mynewuser1 whoami pwd
Example Output:
[root@ol-server ~]# su - mynewuser1 [mynewuser1@ol-server ~]$ whoami mynewuser1 [mynewuser1@ol-server ~]$ pwd /home/mynewuser1
-
Display group membership for the mynewuser1 user.
groups
Example Output:
[mynewuser1@ol-server ~]$ groups mynewuser1 staff
The mynewuser1 user belongs to two groups - mynewuser1 and staff.
-
Change to the
/staff
directory.Create a new file in the
/staff
directory namedmynewuser1_file
. Display the permissions and ownership of the new file.cd /staff touch mynewuser1_file ls -l mynewuser1_file
Example Output:
[mynewuser1@ol-server ~]$ cd /staff [mynewuser1@ol-server staff]$ touch mynewuser1_file [mynewuser1@ol-server staff]$ ls -l mynewuser1_file -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 11:40 mynewuser1_file
The permissions are read/write for the staff group.
-
Become the alice user.
Provide the password of
AB*gh246
when prompted. Verify you are the alice user.su - alice whoami
Example Output:
[mynewuser1@ol-server staff]$ su - alice Password: Last login: Fri Aug 18 11:10:13 GMT 2023 on pts/0 [alice@ol-server ~]$ whoami alice [alice@ol-server ~]$
-
Display group membership for the alice user.
groups
Example Output:
[alice@ol-server ~]$ groups alice staff [alice@ol-server ~]$
The alice user belongs to two groups - alice and staff.
-
Change to the
/staff
directory.Create a new file in the
/staff
directory namedalice_file
. Display the permissions and ownership of the new files.cd /staff touch alice_file ls -l
Example Output:
[alice@ol-server ~]$ cd /staff [alice@ol-server staff]$ touch alice_file [alice@ol-server staff]$ ls -l total 0 -rw-rw-r--. 1 alice staff 0 Aug 18 12:09 alice_file -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:06 mynewuser1_file
The permissions are read/write on both files for the staff group.
-
As the alice user, use the
touch
command to update the time stamp on themynewuser1_file
.View the files to verify the time has changed.
touch mynewuser1_file ls -l
Example Output:
[alice@ol-server staff]$ touch mynewuser1_file [alice@ol-server staff]$ ls -l total 0 -rw-rw-r--. 1 alice staff 0 Aug 18 12:09 alice_file -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:11 mynewuser1_file
Updating the time stamp implies file write permissions on the file as the alice user, even though the mynewuser1 user created the file.
-
Exit both the alice user’s shell and the mynewuser1 user’s shell, to return to the root user’s shell.
Verify that you are the root user.
exit exit whoami
Example Output:
[alice@ol-server staff]$ exit logout [mynewuser1@ol-server staff]$ exit logout [root@ol-server ~]# whoami root
Option 1: Create a New File in the /etc/sudoers.d
Directory
This method is the preferred way to grant sudo
privilege to a user. It also is more straightforward to automate in a script and takes effect without the user having to log out and back in again.
-
Become the root user and create the user’s sudoer file.
sudo tee /etc/sudoers.d/200-alice > /dev/null << EOF alice ALL =(ALL) NOPASSWD: ALL EOF
Option 2: Grant Elevated Privileges to a User
-
As the root user, view the wheel entry in the
/etc/sudoers
file.grep wheel /etc/sudoers
Example Output:
## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL # %wheel ALL=(ALL) NOPASSWD: ALL
The %wheel ALL=(ALL) ALL entry in the
/etc/sudoers
file allows any member of the wheel group to execute any command when preceded bysudo
. -
Add the alice user to the wheel group.
Confirm the alice user is in the wheel group.
usermod -aG wheel alice grep wheel /etc/group
Example Output:
[root@ol-server ~]# usermod -aG wheel alice [root@ol-server ~]# grep wheel /etc/group wheel:x:10:oracle,alice
User alice has a secondary group membership in the wheel group.
-
Become the alice user.
You are not prompted for the alice user’s password because you currently are the root user. Verify you become the alice user.
su - alice whoami
Example Output:
[root@ol-server ~]# su - alice Last login: Fri Aug 18 13:09:18 GMT 2023 on pts/0 [alice@ol-server ~]$ whoami alice
-
As the alice user, add anotheruser2 using the
sudo useradd
command.Provide the password of
AB*gh246
if prompted.sudo useradd anotheruser2
Example Output:
[alice@ol-server ~]$ sudo useradd anotheruser2 [sudo] password for alice:
-
Verify anotheruser2 was added.
The
ls
command fails until you insertsudo
. This step confirms the alice user hassudo
privileges.grep anotheruser2 /etc/passwd ls -la /home/anotheruser2 sudo ls -la /home/anotheruser2
Example Output:
[alice@ol-server ~]$ grep anotheruser2 /etc/passwd anotheruser2:x:1005:1006::/home/anotheruser2:/bin/bash [alice@ol-server ~]$ ls -la /home/anotheruser2 ls: cannot open directory '/home/anotheruser2': Permission denied [alice@ol-server ~]$ sudo ls -la /home/anotheruser2 total 12 drwx------. 2 anotheruser2 anotheruser2 62 Aug 18 13:14 . drwxr-xr-x. 8 root root 101 Aug 18 13:14 .. -rw-r--r--. 1 anotheruser2 anotheruser2 18 Aug 2 2022 .bash_logout -rw-r--r--. 1 anotheruser2 anotheruser2 141 Aug 2 2022 .bash_profile -rw-r--r--. 1 anotheruser2 anotheruser2 376 Aug 2 2022 .bashrc
Next Steps
This tutorial shows how to create users and groups on Oracle Linux. These users and groups can access the system and resources based on their permissions. For further topics and training, see the Related Links section below.
Related Links
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
Create Users and Groups on Oracle Linux
F37531-13
August 2024