1. Setting Up System Accounts and Authentication
  2. Local Account Configuration

2 Local Account Configuration

This chapter describes how to configure and manage local user and group accounts.

About User and Group Configuration

You can use the User Manager GUI (system-config-users) to add or delete users and groups and to modify settings such as passwords, home directories, login shells, and group membership. Alternatively, you can use commands such as useradd and groupadd.

Figure 2-1 User Manager


The figure shows the User Manager GUI with the Users tab selected.

In an enterprise environment that might have hundreds of servers and thousands of users, user and group account information is more likely to be held in a central repository rather than in files on individual servers. You can configure user and group information on a central server and retrieve this information by using services such as Lightweight Directory Access Protocol (LDAP) or Network Information Service (NIS). You can also create users’ home directories on a central server and automatically mount, or access, these remote file systems when a user logs in to a system.

Changing Default Settings for User Accounts

To display the default settings for an account use the following command:

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

INACTIVE specifies after how many days the system locks an account if a user's password expires. If set to 0, the system locks the account immediately. If set to -1, the system does not lock the account.

SKEL defines a template directory, whose contents are copied to a newly created user’s home directory. The contents of this directory should match the default shell defined by SHELL.

You can specify options to useradd -D to change the default settings for user accounts. For example, to change the defaults for INACTIVE, HOME and SHELL: 

# useradd -D -f 3 -b /home2 -s /bin/sh

Note:

If you change the default login shell, you would usually also create a new SKEL template directory with contents that are appropriate to the new shell.

If you specify /sbin/nologin for a user's SHELL, that user cannot log into the system directly but processes can run with that user's ID. This setting is typically used for services that run as users other than root.

The default settings are stored in the /etc/default/useradd file.

For more information, see Configuring Password Aging and the useradd(8) manual page.

Creating User Accounts

To create a user account by using the useradd command:

  1. Enter the following command to create a user account:

    # useradd [options] username

    You can specify options to change the account's settings from the default ones.

    By default, if you specify a user name argument but do not specify any options, useradd creates a locked user account using the next available UID and assigns a user private group (UPG) rather than the value defined for GROUP as the user's group.

  2. Assign a password to the account to unlock it:

    # passwd username

    The command prompts you to enter a password for the account.

    If you want to change the password non-interactively (for example, from a script), use the chpasswd command instead: 

    echo "username:password" | chpasswd

Alternatively, you can use the newusers command to create a number of user accounts at the same time.

For more information, see the chpasswd(8), newusers(8), passwd(1), and useradd(8) manual pages.

About umask and the setgid and Restricted Deletion Bits

Users whose primary group is not a UPG have a umask of 0022 set by /etc/profile or /etc/bashrc, which prevents other users, including other members of the primary group, from modifying any file that the user owns.

A user whose primary group is a UPG has a umask of 0002. It is assumed that no other user has the same group.

To grant users in the same group write access to files within the same directory, change the group ownership on the directory to the group, and set the setgid bit on the directory: 

# chgrp groupname directory
# chmod g+s directory

Files created in such a directory have their group set to that of the directory rather than the primary group of the user who creates the file.

The restricted deletion bit prevents unprivileged users from removing or renaming a file in the directory unless they own either the file or the directory.

To set the restricted deletion bit on a directory:

# chmod a+t directory

For more information, see the chmod(1) manual page.

Locking an Account

To lock a user's account, enter:

# passwd -l username

To unlock the account:

# passwd -u username

For more information, see the passwd(1) manual page.

Modifying or Deleting User Accounts

To modify a user account, use the usermod command: 

# usermod [options] username

For example, to add a user to a supplementary group (other than his or her login group):

# usermod -aG groupname username

You can use the groups command to display the groups to which a user belongs, for example: 

# groups root
root : root bin daemon sys adm disk wheel

To delete a user's account, use the userdel command: 

# userdel username

For more information, see the groups(1), userdel(8) and usermod(8) manual pages.

Creating Groups

To create a group by using the groupadd command: 

# groupadd [options] groupname

Typically, you might want to use the -g option to specify the group ID (GID). For example: 

# groupadd -g 1000 devgrp

For more information, see the groupadd(8) manual page.

Modifying or Deleting Groups

To modify a group, use the groupmod command: 

# groupmod [options] username

To delete a user's account, use the groupdel command: 

# groupdel username

For more information, see the groupdel(8) and groupmod(8) manual pages.

Configuring Password Aging

To specify how users' passwords are aged, edit the following settings in the /etc/login.defs file:
Setting Description

PASS_MAX_DAYS

Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.

PASS_MIN_DAYS

Minimum number of days that is allowed between password changes. The default value is 0 days.

PASS_WARN_AGE

Number of days warning that is given before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.

To change how long a user's account can be inactive before it is locked, use the usermod command. For example, to set the inactivity period to 30 days: 

# usermod -f 30 username

To change the default inactivity period for new user accounts, use the useradd command: 

# useradd -D -f 30

A value of -1 specifies that user accounts are not locked due to inactivity.

For more information, see the useradd(8) and usermod(8) manual pages.

Granting sudo Access to Users

By default, an Oracle Linux system is configured so that you cannot log in directly as root. You must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to be able to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file.

For example, the following entry grants the user erin the same privileges as root when using sudo, but defines a limited set of privileges to frank so that he can run commands such as systemctl, rpm, and yum: 

erin           ALL=(ALL)       ALL
frank          ALL= SERVICES, SOFTWARE

For more information, see the su(1), sudo(8), sudoers(5), and visudo(8) manual pages.