Groups and Users
This article explains how to create, modify and remove local groups and users on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
Groups allow multiple users with similar security and access levels to be linked, making management of those users easier. A local group is created with the
# groupadd dba
The group information is visible in the “/etc/group” file. Each group has a GID. If this is not assigned explicitly, the next largest number is used. We can see group we just defined has been assigned the GID of 500.
# cat /etc/group | grep dba dba:x:500: #
If you have the same groups across multiple servers it makes sense to set the GID explicitly to make sure it is the same across all servers.
# groupadd -g 1000 dba
Existing groups are modified using the
# groupmod -g 2000 dba # groupmod -n new_dba dba
Groups are deleted using the
# groupdel new_dba
useradd command creates new local users.
# useradd oracle
The user details are visible in the “/etc/passwd” file. If no UID is specified, the next largest UID is assigned. A new group with a group name matching the user name is also created. By default, the users home directory is created under the “/home” directory and the shell is “/bin/bash”.
# cat /etc/passwd | grep oracle oracle:x:500:500::/home/oracle:/bin/bash # cat /etc/group | grep oracle oracle:x:500: #
As with groups, if you have the same user across several servers it makes sense to explicitly define a UID so it matches on all servers. If the users should be assigned to an existing group, this can be done while creating the user also.
# groupadd -g 1000 dba # useradd -G dba -u 2000 tim_hall # cat /etc/passwd | grep tim_hall tim_hall:x:2000:2000::/home/tim_hall:/bin/bash # cat /etc/group | grep tim_hall dba:x:1000:tim_hall tim_hall:x:2000: #
There are flags to alter the default shell (-s) and default home directory (-d), but for the most part these should be unnecessary.
Most of the user details can be modified using the
# usermod -s /bin/ksh tim_hall # usermod -a -G oinstall tim_hall
passwd command is used to set the password for a specified user, or the current user if no user name is specified.
# passwd tim_hall Changing password for user tim_hall. New password: Retype new password: passwd: all authentication tokens updated successfully. # passwd Changing password for user root. New password: Retype new password: passwd: all authentication tokens updated successfully. #
The userdel command removes a user. The “-f” option deletes the user even if the user is currently logged in. The “-r” flag removes the user’s home directory.
# userdel -r tim_hall
When logged in as the “root” user, the command prompt will display a “#” symbol. For ordinary users, the “$” symbol is displayed.
Password expiry (ageing) is controlled using the
chage command. To check the current password expiry information use the “-l” option.
# useradd tim_hall # chage -l tim_hall Last password change : Mar 01, 2012 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 #
There are a number of options available, but the most commonly used ones are shown below.
# # Set the days before change required (-M) and the number of days warning (-W) # chage -M 30 -W 5 tim_hall # # Immediates expire a password. # chage -d 0 tim_hall
Changes are visible using the “-l” list option again.
# chage -l tim_hall Last password change : password must be changed Password expires : password must be changed Password inactive : password must be changed Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 30 Number of days of warning before password expires : 5 #
The “User Manager” dialog is a GUI tool to manage users and groups. It can be started from the menu (System > Administraton > Users and Groups) or by running the
Highlighting a specific user and clicking the “Properties” button allows you to amend the user information, account expiration, password expiration and group selection.
# ls -al /etc/skel total 36 drwxr-xr-x. 4 root root 4096 Feb 25 14:11 . drwxr-xr-x. 113 root root 12288 Mar 1 14:38 .. -rw-r–r–. 1 root root 18 Mar 29 2011 .bash_logout -rw-r–r–. 1 root root 176 Mar 29 2011 .bash_profile -rw-r–r–. 1 root root 124 Mar 29 2011 .bashrc drwxr-xr-x. 2 root root 4096 Nov 20 2010 .gnome2 drwxr-xr-x. 4 root root 4096 Feb 25 14:06 .mozilla [root@rhce1 oracle]#
su command allows you to switch users. Including the “-“ option makes the shell a login shell, so you also get the new user’s profile information set.
# su oracle # su - oracle
If no user is specified, it is assumed you are trying to switch to the “root” user.
$ su - Password: #
exit command to return the the original shell.
The “-c” option allows you to pass a single command to the shell to be executed. This command could also be a saved script, or a script defined inline.
# su - oracle -c "touch /tmp/test_file1.txt" # ls -al /tmp/test_file1.txt -rw-rw-r--. 1 oracle oracle 0 Mar 2 16:17 /tmp/test_file1.txt # # su - oracle -c "echo 'touch /tmp/test_file2.txt' >> /tmp/myscript.sh; chmod u+x /tmp/myscript.sh" # ls -al /tmp/myscript.sh -rwxrw-r--. 1 oracle oracle 26 Mar 2 16:41 /tmp/myscript.sh # # su - oracle -c /tmp/myscript.sh # ls -al /tmp/test_file2.txt -rw-rw-r--. 1 oracle oracle 0 Mar 2 16:42 /tmp/test_file2.txt #
The “/etc/profile” file contains system wide environment settings and runs all the scripts in the “/etc/profile.d” directory. If you want to make global changes, it is better to define a new “/etc/profile.d/custom.sh” file containing the changes, rather than editing the “/etc/profile” file directly.
When you create new user with the
useradd command, the files in the “/etc/skel” directory are copied into the users home directory.
# ls -al /etc/skel total 36 drwxr-xr-x. 4 root root 4096 Feb 25 14:11 . drwxr-xr-x. 113 root root 12288 Mar 1 14:38 .. -rw-r--r--. 1 root root 18 Mar 29 2011 .bash_logout -rw-r--r--. 1 root root 176 Mar 29 2011 .bash_profile -rw-r--r--. 1 root root 124 Mar 29 2011 .bashrc drwxr-xr-x. 2 root root 4096 Nov 20 2010 .gnome2 drwxr-xr-x. 4 root root 4096 Feb 25 14:06 .mozilla #
Of these files, probably the most commonly used is the “.bash_profile” file, typically for setting environment variables.
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1; export ORACLE_HOME ORACLE_SID=ORCL; export ORACLE_SID PATH=$ORACLE_HOME/bin:$PATH; export PATH
The “.bash_profile” file sources the “.bashrc” file, which is typically used for functions and aliases, although they can be placed in the “.bash_profile” file if you wish.
alias rm='rm -i'
The first thing the “.bashrc” does is source the “/etc/bashrc” file, which contains system-wide functions and aliases.
It’s worth spending a little time looking through the contents of these files to look at the inter-dependencies, but much of the time I only edit the “.bash_profile” files in the individual user home directories.
Companies often hold group information and user credentials in a centralized LDAP server. Linux can use LDAP, rather than local user and group informaton. Make sure the necessary packages are installed.
# yum install openldap-clients authconfig-gtk
The “Authentication Configuration” dialog is available from the menu (System > Administration > Authentication) or by running the
system-config-authentication command from the command line.
Change the “User Account Database” setting to “LDAP”. The screen will alter to allow the entry of LDAP server information.
On the client, issue the following command and accept all the defaults.
ssh-keygen -t rsa
Push the public key in the “~/.ssh/id_rsa.pub” file on the client to the “~/.ssh/authorized_key” file on the server.
cat ~/.ssh/id_rsa.pub | ssh my_user@my-server "cat >> .ssh/authorized_keys"
Make sure the permissions are correct on the server.
ssh my_user@my-server "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
You will now be able to SSH from the client to the server without a password.
For more information see:
Leave a comment