Note:

Create users and groups on Oracle Linux 8

Introduction

The following tutorial provides step-by-step procedures to perform user and group administration on Oracle Linux 8. You will create users and groups, implement user private groups, and grant user elevated privileges.

Objectives

In this lab, you’ll:

What Do You Need?

(Hands-on Lab) Connect to the Compute Instance

Note: This step is specific to the Oracle provided free lab environment.

The Desktop environment will display before the instance(s) are ready. Deployment of this environment can take two to five minutes, depending on the number of resources and provisioning steps needed.

First, to access the lab compute instance(s), connect to the Oracle Cloud Console and copy the compute instance Public IP address.

  1. Sign in to Oracle Cloud Console, and select your Compartment.

  2. Click Instances.

  3. Copy the Public IP to a temporary location (such as a text file) on your computer.

    copy public ip

    To copy, highlight the IP address with the mouse and press Ctrl+C.

  4. Right-click the Virtual Desktop and select Open Terminal Here.

  5. Connect to the instance.

    ssh -i ../.ssh/id_rsa oracle@<IP_ADDRESS_OF_COMPUTE_INSTANCE>
    

    Where <IP_ADDRESS_OF_COMPUTE_INSTANCE> is the IP address copied from the Oracle Cloud Console.

  6. Accept the ECDSA key fingerprint by typing yes at the prompt.

  7. You are now connected to the compute instance for this lab.

If the connection fails with the Permission denied (publickey,gssapi-keyex,gssapi-with-mic) message, wait a bit longer for the provisioning process to complete and try making the ssh connection again.

Administer User Accounts

In this section, you use command-line utilities to create a new user account, view files that are updated when adding a new user, modify a user account, set a password for the new user, and log in as the new user.

  1. Open a terminal and connect to your Oracle Linux 8 instance.

  2. Become the root user.

    sudo su -
    
  3. As the root user, add a user named alice.

    useradd alice
    

    The user is added to the /etc/passwd file.

  4. View the alice entry in the /etc/passwd file.

    grep alice /etc/passwd
    

    grep output

    The output shows:

    • The new user’s UID and GID are the same (1001).
    • A home directory was created for the new user (/home/alice).
    • The default shell for the new user is /bin/bash.
  5. View the home directories.

    ls -l /home
    

    ls output

    In this example, the opc user already existed.
    A home directory was created for the new user because the CREATE_HOME parameter in /etc/login.defs is set to yes.

  6. View the CREATE_HOME parameter in the /etc/login.defs file.

    grep CREATE_HOME /etc/login.defs
    

    grep output

  7. View the default settings for a new user, stored in /etc/default/useradd.

    cat /etc/default/useradd
    

    default settings

    The SKEL parameter is set to /etc/skel.

  8. View the contents of the /etc/skel directory.

    ls -la /etc/skel
    

    skel file

  9. View the contents of the alice home directory.

    ls -la /home/alice
    

    home dir

    The contents of SKEL (/etc/skel) are copied to the new user’s home directory.

  10. View the new alice entry in the /etc/group file.

    grep alice /etc/group
    

    group file

    Because Oracle Linux 8 uses a user private group (UPG) scheme, a new private group (alice, GID=1001) was created when the alice user was created.

  11. Modify GECOS information for the alice user. View the alice entry in the /etc/passwd file before and after modifying GECOS information.

    grep alice /etc/passwd
    usermod -c "Alice Smith" alice
    grep alice /etc/passwd
    

    usermod

  12. Create a password of AB*gh246 for the alice user. View the alice entry in the /etc/shadow file before and after creating a password for alice.

    grep alice /etc/shadow
    passwd alice
    grep alice /etc/shadow
    

    password

    The !! for alice is replaced with a hashed password value.

  13. Exit the root login and login as the alice user. Provide the password of AB*gh246 when prompted.

    exit
    su - alice
    

    login

  14. Verify you are the alice user and your current directory is the alice user’s home directory.

    whoami
    pwd
    

    verify

  15. Exit the alice user’s shell and become the root user.

    exit
    sudo su -
    

    root

  16. As the root user, add a user named oracle which is used later in this lab.

    useradd oracle
    
  17. Create a password of XY*gh579 for the oracle user.

    passwd oracle
    

    oracle pwd

Administer Group Accounts

In this section, you create a new group account and add a user to this new group.

  1. As the root user, add a group named staff.

    groupadd staff
    

    The group is added to the /etc/group file.

  2. View the last 10 entries in the /etc/group file.

    tail /etc/group
    

    tail output

    The GID (1003) for the new group is incremented by one.

  3. Add the alice user to the staff group. View the staff group entry in the /etc/group file.

    usermod -aG 1003 alice
    grep staff /etc/group
    

    add user

    The alice user has a secondary group membership in the staff group.

  4. View the primary group membership for alice.

    grep alice /etc/passwd
    

    grep output

    The alice user’s primary group is still 1001.

Implement User Private Groups

In this section, you use the User Private Groups scheme to give different users write access to files in a single directory.

  1. As the root user, create the /staff directory.

    mkdir /staff
    
  2. View the /staff directory and its permissions.

    ls -ld /staff
    

    ls output

  3. Change group ownership for the /staff directory to the staff group. The -R option (recursive) sets the group for files and directories within /staff. View the /staff directory and its permissions after changing the group ownership.

    chgrp -R staff /staff
    ls -ld /staff
    

    chgrp

    The owner of the /staff directory is still root, but the group is now staff.

  4. Set the setgid bit on /staff directory. Then view the permissions on the /staff directory.

    chmod -R 2775 /staff
    ls -ld /staff
    

    setgid

    The group permissions on the /staff directory have changed.

  5. Add the oracle user to the staff group. View the staff entry in the /etc/group file after adding the oracle user.

    usermod -aG staff oracle
    grep staff /etc/group
    

    grep output

    Both alice and oracle users have secondary group membership in the staff group.

  6. Become the oracle user. You are not prompted for the oracle user’s password because you currently are the root user. Verify you are the oracle user and your current directory is the oracle user’s home directory.

    su - oracle
    whoami
    pwd
    

    oracle user

  7. Display group membership for the oracle user.

    groups
    

    groups

    The oracle user belongs to two groups - oracle and staff.

  8. Change to the /staff directory. Create a new file in the /staff directory named oracle_file. Display the permissions and ownership of the new file.

    cd /staff
    touch oracle_file
    ls -l oracle_file
    

    oracle file

    The permissions are read/write for the staff group.

  9. Become the alice user. Provide the password of AB*gh246 when prompted. Verify you are the alice user.

    su - alice
    whoami
    

    su alice

  10. Display group membership for the alice user.

    groups
    

    alice group

    The alice user belongs to two groups - alice and staff.

  11. Change to the /staff directory. Create a new file in the /staff directory named alice_file. Display the permissions and ownership of the new files.

    cd /staff
    touch alice_file
    ls -l
    

    file perm

    The permissions are read/write on both files for the staff group.

  12. As the alice user, use the touch command to update the time stamp on the oracle_file. View the files to verify the time has changed.

    touch oracle_file
    ls -l
    

    touch alice

    Updating the time stamp implies write permissions on the file as the alice user, even though the file was created by the oracle user.

  13. Exit both the alice user’s shell, and the oracle user’s shell, to return to the root user’s shell. Verify that you are the root user.

    exit
    exit
    whoami
    

    file perm

Option 1: Grant Elevated Privileges to a User

In this section, you grant sudo privileges to a user by adding an entry to the /etc/sudoers file.

  1. Become the alice user. You are not prompted for alice password because you currently are the root user. Verify you are the alice user.

    su - alice
    whoami
    

    su alice

  2. As the alice user, attempt to add newuser.

    useradd newuser
    

    add user

    The alice user does not have permission to add newuser.

  3. Insert the sudo command before the previous useradd command to add newuser. Provide the password of AB*gh246 when prompted.

    sudo useradd newuser
    

    sudo fail

    The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.

  4. Exit the alice user’s shell to return to the root user’s shell. View sudoers entries in the /var/log/secure file.

    exit
    grep sudoers /var/log/secure
    

    grep sudoers

    The alice : user NOT in sudoers entry for the attempted use of the /sbin/useradd command is in the /var/log/secure file. Multiple entries are shown in the example. You might only have a single entry.

  5. As the root user, edit the /etc/sudoers file by using the visudo command.

    visudo
    

    This command opens the /etc/sudoers file using the vim editor.

  6. In the /etc/sudoers file, add the following line to grant the alice user permission to run the /sbin/useradd command.

    alice   ALL=(ALL)       /sbin/useradd
    

    The new entry is highlighted. Save your changes and exit the visudo command.

    visudo

  7. Become the alice user. Attempt to add newuser without the sudo command. Insert the sudo command and attempt to add newuser a second time. Provide the password of AB*gh246 when prompted.

    su - alice
    useradd newuser
    sudo useradd newuser
    

    sudo works

  8. Verify newuser was added.

    grep newuser /etc/passwd
    ls -l /home
    

    verify sudo

    The newuser now exists. With the alice entry in the /etc/sudoers file, the alice user has sudo privileges to run the /sbin/useradd command.

  9. Exit the alice shell to return to the root shell. Use the visudo command and delete the alice entry from the /etc/sudoers file that you added earlier in this lab.

    exit
    visudo
    

    The entry to delete is highlighted. Delete the entire line, or as in this example, insert the # character to comment out the line. Save your changes and exit the visudo command.

    delete entry

  10. Verify the alice user can no longer add a new user. Become the alice user. Attempt to add anotheruser with the sudo command.

    su - alice
    sudo useradd anotheruser
    

    another fail

    The attempt to issue this administrator command without proper authorization is reported in the /var/log/secure file.

  11. Exit the alice user’s shell to return to the root user’s shell.

    exit
    

Option 2: Grant Elevated Privileges to a User

In this section, you grant sudo privileges by adding a user to the wheel group.

  1. As the root user, view the wheel entry in the /etc/sudoers file.

    grep wheel /etc/sudoers
    

    wheel

    The %wheel ALL=(ALL) ALL entry in the /etc/sudoers file allows any member of the wheel group to execute any command, when preceded by sudo.

  2. Add the alice user to the wheel group. Confirm the alice user is in the wheel group.

    usermod -aG wheel alice
    grep wheel /etc/group
    

    add wheel

    User alice has a secondary group membership in the wheel group.

  3. Become the alice user. You are not prompted for alice password because you currently are the root user. Verify you are the alice user.

    su - alice
    whoami
    

    su alice

  4. As the alice user, add thirduser using the sudo useradd command. Provide the password of AB*gh246 if prompted.

    sudo useradd thirduser
    

    add third

  5. Verify thirduser was added. The ls command fails until you insert sudo and provide alice password. This confirms the alice user has sudo privileges.

    grep thirduser /etc/passwd
    ls -la /home/thirduser
    sudo ls -la /home/thirduser
    

    confirm third

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.