fp-wiki>ImportUser (Imported from MoinMoin) |
m (add cat) |
||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 2: | Line 2: | ||
--> | --> | ||
{| | {{Admon/caution | Section is ready for editing}} | ||
== User Accounts == | == User Accounts == | ||
| Line 15: | Line 12: | ||
Fedora includes two types of accounts: ''system'' and ''non-system'' accounts. System accounts include the ''root'' user and others such as the ''apache'' user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves '''UIDs 0-499''' for system accounts. This is why they are sometimes referred to as ''low ID accounts''. | Fedora includes two types of accounts: ''system'' and ''non-system'' accounts. System accounts include the ''root'' user and others such as the ''apache'' user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves '''UIDs 0-499''' for system accounts. This is why they are sometimes referred to as ''low ID accounts''. | ||
{| | {{Admon/note | UID is the abbreviation of the term ''User Identifier | It represents unique numerical equivalent of the ''username'', which computer uses as a reference to ''username''. Similarly, ''GID'' is numerical value that represents ''Group Identifier''. '''UID 0 (zero)''' is always reserved for ''root'' user.}} | ||
| It represents unique numerical equivalent of the ''username'', which computer uses as a reference to ''username''. Similarly, ''GID'' is numerical value that represents ''Group Identifier''. '''UID 0 (zero)''' is always reserved for ''root'' user. | |||
Non-system accounts start from uid 500. These accounts are used by ''non-system'' users for performing their regular tasks. Usually, the first ''non-system'' user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide. | Non-system accounts start from uid 500. These accounts are used by ''non-system'' users for performing their regular tasks. Usually, the first ''non-system'' user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide. | ||
| Line 36: | Line 28: | ||
1 . A new line is appended to the <code>/etc/passwd</code> file and it looks similar to: | 1 . A new line is appended to the <code>/etc/passwd</code> file and it looks similar to: | ||
dan:x:502:502::/home/dan:/bin/bash | |||
It consists of seven colon delimited fields associated with the following meaning: | It consists of seven colon delimited fields associated with the following meaning: | ||
| Line 49: | Line 39: | ||
* <code>/bin/bash</code> - this is the user's default shell | * <code>/bin/bash</code> - this is the user's default shell | ||
{| | {{Admon/tip | Entries above show Fedora defaults for new user accounts | Shadow passwords are used by default, UID and GID are the next available numbers, the comment field is empty, all user directories are created as subdirectories of <code>/home</code> and the default shell is <code>bash</code> (Bourne Again Shell). These defaults may be altered by specifying options to the <code>useradd</code> command (more about this on the next page).}} | ||
| Shadow passwords are used by default, UID and GID are the next available numbers, the comment field is empty, all user directories are created as subdirectories of <code>/home</code> and the default shell is <code>bash</code> (Bourne Again Shell). These defaults may be altered by specifying options to the <code>useradd</code> command (more about this on the next page). | |||
{| | {{Admon/note | A GID of the same numerical value as UID represents the Fedora concept of ''User Private Groups (UPG)'' | A User Private Group is created every time a new account is added to the system. It has the same name as the new user and the user is the only member of that group. The main advantage of this concept is easier management of user groups on UNIX-like systems. Traditionally, newly created files can not be modified by other users, including members of the file creator's primary group. This is controlled through the <code>umask</code> setting, which is configured in the <code>/etc/bashrc</code> file. Since UPG has only one member and each user has their own private group, this group protection becomes redundant.}} | ||
| A User Private Group is created every time a new account is added to the system. It has the same name as the new user and the user is the only member of that group. The main advantage of this concept is easier management of user groups on UNIX-like systems. Traditionally, newly created files can not be modified by other users, including members of the file creator's primary group. This is controlled through the <code>umask</code> setting, which is configured in the <code>/etc/bashrc</code> file. Since UPG has only one member and each user has their own private group, this group protection becomes redundant. | |||
2 . A new line is appended to the <code>/etc/shadow</code> file and it looks similar to: | 2 . A new line is appended to the <code>/etc/shadow</code> file and it looks similar to: | ||
| Line 80: | Line 60: | ||
* third blank field - reserved field for possible future use | * third blank field - reserved field for possible future use | ||
{| | {{Admon/tip | The ''useradd'' command does not create a password. | At the time of command execution, the password field is initialized and populated with '''x''' and '''!!''' in the <code>/etc/passwd</code> and <code>/etc/shadow</code> files, respectively. A password is created by using the <code>/usr/bin/passwd</code> command, which replaces '''!!''' field with encrypted representation of the user's password. This is security related and prevents the user's password from being displayed as plain text at any time.}} | ||
| At the time of command execution, the password field is initialized and populated with '''x''' and '''!!''' in the <code>/etc/passwd</code> and <code>/etc/shadow</code> files, respectively. A password is created by using the <code>/usr/bin/passwd</code> command, which replaces '''!!''' field with encrypted representation of the user's password. This is security related and prevents the user's password from being displayed as plain text at any time. | |||
3 . A new line is appended to the <code>/etc/group</code> file. It looks similar to: | 3 . A new line is appended to the <code>/etc/group</code> file. It looks similar to: | ||
| Line 153: | Line 128: | ||
User ''luke'' is now able to logon and use the system. | User ''luke'' is now able to logon and use the system. | ||
{| | {{Admon/important | Choose passwords wisely! | Passwords are an essential element of system security. Avoid using dictionary words and use a combination of lower and upper case letters, numbers and special characters.}} | ||
| Passwords are an essential element of system security. Avoid using dictionary words and use a combination of lower and upper case letters, numbers and special characters. | |||
User account defaults are controlled through the <code>/etc/login.defs</code> configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from <code>/etc/login.defs</code> file can be overridden by supplying options to the <code>useradd</code> command. For example: | User account defaults are controlled through the <code>/etc/login.defs</code> configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from <code>/etc/login.defs</code> file can be overridden by supplying options to the <code>useradd</code> command. For example: | ||
| Line 173: | Line 143: | ||
* <code>TCShell</code> is set as the shell environment for ''luke2'' | * <code>TCShell</code> is set as the shell environment for ''luke2'' | ||
{| | {{Admon/tip | For the full list of available command options, refer to <code>useradd(8)</code> manual page.}} | ||
==== Adding Group Accounts ==== | ==== Adding Group Accounts ==== | ||
| Line 280: | Line 247: | ||
For the full list of available command options, refer to the <code>usermod(8)</code> manual page. | For the full list of available command options, refer to the <code>usermod(8)</code> manual page. | ||
{| | {{Admon/important | Be careful with the -G command option! | If the user is a member of multiple groups, all the groups must be listed as parameters in a comma-separated form: <code>-G</code> ''<group1,group2,group3,group4>''. When you omit a group name you '''remove''' the user from that group.}} | ||
| If the user is a member of multiple groups, all the groups must be listed as parameters in a comma-separated form: <code>-G</code> ''<group1,group2,group3,group4>''. When you omit a group name you '''remove''' the user from that group. | |||
==== Modifying Group Accounts ==== | ==== Modifying Group Accounts ==== | ||
| Line 296: | Line 258: | ||
Enter root password at the prompt. This command would change the GID of the group <code>black</code> to 600. If you do not use <code>-o</code> option, the GID numerical value supplied to the command must be unique. | Enter root password at the prompt. This command would change the GID of the group <code>black</code> to 600. If you do not use <code>-o</code> option, the GID numerical value supplied to the command must be unique. | ||
{| | {{Admon/tip | The <code>groupmod</code> command does not change group ownership of files. | You must manually change group ID (GID) ownership of all the files owned by the group's previous group ID.}} | ||
| You must manually change group ID (GID) ownership of all the files owned by the group's previous group ID. | |||
To assign a new name to the group account, run: | To assign a new name to the group account, run: | ||
| Line 325: | Line 281: | ||
Enter the root password when prompted. The above command forces the user ''dan'' to change the password after 90 days. User ''dan'' is warned about this every day, starting 10 days before the password expiration. | Enter the root password when prompted. The above command forces the user ''dan'' to change the password after 90 days. User ''dan'' is warned about this every day, starting 10 days before the password expiration. | ||
{| | {{Admon/tip | For the full list of available command options, refer to the <code>chage(1)</code> manual page.}} | ||
=== Account Management - Using A Graphical User Interface === | === Account Management - Using A Graphical User Interface === | ||
| Line 334: | Line 287: | ||
This section explains how to manage user and group accounts using a graphical user interface (GUI). '''''User Manager''''' is the application used to create and manage user and group accounts. | This section explains how to manage user and group accounts using a graphical user interface (GUI). '''''User Manager''''' is the application used to create and manage user and group accounts. | ||
{| | {{Admon/tip | To run User Manager, you must have the X Window system installed,configured and the <code>system-config-users</code> package installed.}} | ||
To start '''User Manager''' select ''System > Administration > Users and groups'' from the main panel menu or from the command line run <code>system-config-users</code> and enter the root password at the prompt. | To start '''User Manager''' select ''System > Administration > Users and groups'' from the main panel menu or from the command line run <code>system-config-users</code> and enter the root password at the prompt. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_usermanager.png]] | ||
By default, '''User Manager''' does not display system accounts. To enable the listing of system accounts, from the main menu select ''Edit > Preferences'' | By default, '''User Manager''' does not display system accounts. To enable the listing of system accounts, from the main menu select ''Edit > Preferences'' | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_usermanagerprefs.png]] | ||
and uncheck the box next to ''Hide system users and groups''. You can use the ''Preferences'' window to modify the default behavior of automatically assigning the next available '''UID''' or '''GID''' to user and group accounts or creating the '''GID''' of the user's private group with the identical value as the user's '''UID'''. This is achieved by unchecking the appropriate boxes in the ''New users'' pane of the ''Preferences'' window. | and uncheck the box next to ''Hide system users and groups''. You can use the ''Preferences'' window to modify the default behavior of automatically assigning the next available '''UID''' or '''GID''' to user and group accounts or creating the '''GID''' of the user's private group with the identical value as the user's '''UID'''. This is achieved by unchecking the appropriate boxes in the ''New users'' pane of the ''Preferences'' window. | ||
| Line 357: | Line 307: | ||
To add a new account click the ''Add User'' button on the main toolbar. | To add a new account click the ''Add User'' button on the main toolbar. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_newuser.png]] | ||
Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora - <code>/bin/bash</code> is default shell, <code>/home/<username></code> is created as user's home directory, private group with the same name will be created for user and next available '''UID''' will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account. | Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora - <code>/bin/bash</code> is default shell, <code>/home/<username></code> is created as user's home directory, private group with the same name will be created for user and next available '''UID''' will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account. | ||
| Line 365: | Line 315: | ||
To list the existing groups in the '''User Manager''' window click on the ''Groups'' tab. The same rules apply for sorting available columns and searching for a particular group as applied to the ''Users'' tab. | To list the existing groups in the '''User Manager''' window click on the ''Groups'' tab. The same rules apply for sorting available columns and searching for a particular group as applied to the ''Users'' tab. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_groupstab.png]] | ||
To create a new group, click the ''Add Group'' button on the main toolbar of the '''User Manager'''. | To create a new group, click the ''Add Group'' button on the main toolbar of the '''User Manager'''. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_addgroup.png]] | ||
Type the group name in the ''Group Name'' field and click [OK] . By default, the new group will be added with the next available '''GID'''. You can manually change this behavior by checking the box ''Specify group ID manually'' and selecting a different, '''unused''' number from the list. | Type the group name in the ''Group Name'' field and click [OK] . By default, the new group will be added with the next available '''GID'''. You can manually change this behavior by checking the box ''Specify group ID manually'' and selecting a different, '''unused''' number from the list. | ||
| Line 375: | Line 325: | ||
==== Modifying User Accounts ==== | ==== Modifying User Accounts ==== | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_usermanagerselect.png]] | ||
To display the properties of a user account, select the account from the list and click the ''Properties'' button, which is now active, on the main toolbar of the '''User Manager''' window. The ''User Properties'' window opens, with ''User Data'' tab focused: | To display the properties of a user account, select the account from the list and click the ''Properties'' button, which is now active, on the main toolbar of the '''User Manager''' window. The ''User Properties'' window opens, with ''User Data'' tab focused: | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_userpropertiesdata.png]] | ||
You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields. | You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields. | ||
| Line 385: | Line 335: | ||
Click the ''Account info'' tab. | Click the ''Account info'' tab. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_userpropertiesaccinfo.png]] | ||
Check ''Enable account expiration'' box and enter the date to expire user account on that day. Check ''Local password is locked'' box to lock the user account. | Check ''Enable account expiration'' box and enter the date to expire user account on that day. Check ''Local password is locked'' box to lock the user account. | ||
| Line 391: | Line 341: | ||
Click the ''Password info'' tab. | Click the ''Password info'' tab. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_userpropertiespwd.png]] | ||
Time of the last password change is displayed. Check ''Enable password expiration'' box. This will allow you to disable password change for user, force the user to change their password and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days. | Time of the last password change is displayed. Check ''Enable password expiration'' box. This will allow you to disable password change for user, force the user to change their password and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days. | ||
| Line 397: | Line 347: | ||
Click the ''Groups'' tab. | Click the ''Groups'' tab. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_userpropertiesgrp.png]] | ||
Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the ''Primary group'' drop-down list. | Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the ''Primary group'' drop-down list. | ||
| Line 405: | Line 355: | ||
To modify group accounts select the group from the ''Groups'' tab of the '''User Manager''' | To modify group accounts select the group from the ''Groups'' tab of the '''User Manager''' | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_usermanagergrpselect.png]] | ||
To view group properties, click the ''Properties'' button on the main toolbar. The ''Group Properties'' window opens | To view group properties, click the ''Properties'' button on the main toolbar. The ''Group Properties'' window opens | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_grouppropertiesdata.png]] | ||
with the ''Group Data'' tab in focus. To change the group name, edit text in the ''Group Name'' field. | with the ''Group Data'' tab in focus. To change the group name, edit text in the ''Group Name'' field. | ||
| Line 415: | Line 365: | ||
Click the ''Group Users'' tab. | Click the ''Group Users'' tab. | ||
[[Image: | [[Image:Docs_Drafts_AdministrationGuide_UserAccounts_grouppropertiesusers.png]] | ||
To add users to this group, check the box next to appropriate user names on the list. | To add users to this group, check the box next to appropriate user names on the list. | ||
| Line 449: | Line 399: | ||
* chmod(1) ---Learn how to change file access permissions. | * chmod(1) ---Learn how to change file access permissions. | ||
* chown(1) ---Learn how to change file owner and group. | * chown(1) ---Learn how to change file owner and group. | ||
[[Category:Administration Guide]] | |||
Latest revision as of 03:00, 5 March 2009
.png){kind=small}
User Accounts
Introduction
Creation and management of users and user groups is a fundamental practice of system administration on multi-user systems such as Linux. Each user is given an account in the system. This provides a method to distinguish different accounts in the system with associated set of privileges. Each account is further assigned a separate and secure storage area for files and preferences. With this model, each user can specify custom working environment and account specific activities.
Fedora includes two types of accounts: system and non-system accounts. System accounts include the root user and others such as the apache user. System accounts are created during the installation process and used by various system daemons and utilities to perform system-wide tasks. Fedora reserves UIDs 0-499 for system accounts. This is why they are sometimes referred to as low ID accounts.
It represents unique numerical equivalent of the username, which computer uses as a reference to username. Similarly, GID is numerical value that represents Group Identifier. UID 0 (zero) is always reserved for root user.
Non-system accounts start from uid 500. These accounts are used by non-system users for performing their regular tasks. Usually, the first non-system user account is created during the first boot following the system installation. Further user and group accounts are created using standard procedures, explained later in this guide.
Process of Account Creation
This section explains what happens when a new user is added to a Fedora system.
When the system administrator executes
/usr/sbin/useradd dan
from the command line, the following steps occur:
1 . A new line is appended to the /etc/passwd file and it looks similar to:
dan:x:502:502::/home/dan:/bin/bash
It consists of seven colon delimited fields associated with the following meaning:
- dan - this is the username
- x - this is the password field; x signifies an empty field and that an encrypted (shadow) password will be placed in
/etc/shadowfile - first 502 - this is the uid (username identifier)
- second 502 - this is the gid (group identifier) of the user's primary group
- blank field - this is the "comment" field; the user's full name usually goes here
- /home/dan - this is the location of the user's home directory in the file system
/bin/bash- this is the user's default shell
Shadow passwords are used by default, UID and GID are the next available numbers, the comment field is empty, all user directories are created as subdirectories of
/home and the default shell is bash (Bourne Again Shell). These defaults may be altered by specifying options to the useradd command (more about this on the next page).A User Private Group is created every time a new account is added to the system. It has the same name as the new user and the user is the only member of that group. The main advantage of this concept is easier management of user groups on UNIX-like systems. Traditionally, newly created files can not be modified by other users, including members of the file creator's primary group. This is controlled through the
umask setting, which is configured in the /etc/bashrc file. Since UPG has only one member and each user has their own private group, this group protection becomes redundant.2 . A new line is appended to the /etc/shadow file and it looks similar to:
dan:!!:13490:0:99999:7:::
It consists of eight colon delimited fields associated with the following meaning:
- dan - this is the username
- !! - two exclamation marks indicate that the password has not been set yet and the account is locked
- 13490 - represents the number of days (since January 1, 1970) since the password was last changed
- 0 - represents the number of days before the password may be changed (0 indicates it may be changed at any time)
- 99999 - represents the number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for 274 years
- 7 - represents the number of days remaining before the users password expires (7 means a full week)
- first blank field - represents the number of days after the password expires that the account will be disabled
- second blank field - represents the number of days since January 1, 1970 that an account has been disabled
- third blank field - reserved field for possible future use
At the time of command execution, the password field is initialized and populated with x and !! in the
/etc/passwd and /etc/shadow files, respectively. A password is created by using the /usr/bin/passwd command, which replaces !! field with encrypted representation of the user's password. This is security related and prevents the user's password from being displayed as plain text at any time.3 . A new line is appended to the /etc/group file. It looks similar to:
dan:x:502:
The new line consists of three colon delimited fields associated with the following meaning:
- dan - this is the group name
- x - this is the group password field; x indicates that the system is using shadow passwords
- 502 - this is the gid and it matches the value of uid of the user with the same name
4 . A new line is appended to the /etc/gshadow file. It looks similar to:
dan:!::
The colon delimited fields in this line indicate:
- dan - this is group name
- ! - this is group password field in which ! indicates that the group account is locked
5 . The home directory for user dan is created as /home/dan. It has ownership of user dan and group dan but only user dan has read, write and execute permissions on directory. All the other permissions are denied.
6 . Files from the /etc/skel directory are copied to the user's home directory (for example the .bashrc and .bash_profile files which control user's default shell environment).
7 . The system administrator can now run the /usr/bin/passwd dan command to set the user's password, this unlocks the user's account giving the user the ability to login and use the system.
Account Management - Command Line Interface
This section explains how to add new accounts and change account parameters using command line utilities.
Adding Accounts
To add a new user account from the command line run:
su -c "/usr/sbin/useradd luke"
Enter the root password when prompted.
The above command creates a new user account with the username luke, whose primary group is luke. The directory /home/luke is created as the user's home directory and the user's shell environment is set to /bin/bash. (These are Fedora defaults for user accounts.)
Upon creation, the user account is locked. To unlock the account, run:
su -c "passwd luke"
To set user's password, enter the root password at the first password prompt. You are then be presented with the following:
Changing password for user luke. New UNIX password:
Type in what you want the user's password to be (remember passwords are case sensitive) and press [Enter] . Prompt changes to:
Retype new UNIX password:
Type the same password again and press [Enter] . Prompt returns:
passwd: all authentication tokens updated successfully.
User luke is now able to logon and use the system.
Passwords are an essential element of system security. Avoid using dictionary words and use a combination of lower and upper case letters, numbers and special characters.
User account defaults are controlled through the /etc/login.defs configuration file. Administrators can manually change values in this file and create a different set of account defaults. Settings from /etc/login.defs file can be overridden by supplying options to the useradd command. For example:
su -c "/usr/sbin/useradd -c 'Luke McAlister' -g primary -G additional,another -d /home/second -s /bin/tcsh luke2"
creates a new user account for the user luke2 with the following characteristics:
- user's full name is Luke McAlister
- user's primary group is primary
- user luke2 is also a member of additional and another groups
- /home/second is created as the home directory for luke2
TCShellis set as the shell environment for luke2
useradd(8) manual page.Adding Group Accounts
To add a new group account, from the command line run:
su -c "/usr/sbin/groupadd black"
and enter the root password when prompted.
The above command creates a new group account with the group name black.
Modifying Account Parameters
To edit user account parameters, use the usermod command. Depending on what account parameters need modification, usermod command may need to be supplied with an option specific to that parameter. For example, to change the comment field for the account, run:
su -c "/usr/sbin/usermod -c 'Luke McAlister' luke"
Enter the root password at the password prompt.
This alters the account information in /etc/passwd file, placing the user's full name in the fifth field. The line changes from:
luke:x:503:503::/home/luke:/bin/bash
to
luke:x:503:503:Luke McAlister:/home/luke:/bin/bash
You can also edit user's group membership using the usermod command. When a user is created, a new group with the same name as the username is created. This group is the user's Primary Group. Files or directories created by said user inherit said users Primary Group. Use the id command to view Primary and Secondary Group memberships:
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The above example shows that the Primary Group for the user user1, is gid 500 (user1). The user1 user is also a member of the wheel Secondary Group. Primary Groups are defined in /etc/passwd:
user1:x:500:500:UserOne:/home/user1:/bin/bash
The fourth field shows the Primary Group ID (500) for the user. The /etc/passwd file uses the following syntax: account:password:UID:GID:GECOS:directory:shell
The Primary Group can be temporarily changed using the newgrp command. However, the user must already be a member of the group specified:
newgrp testing
The results can be seen using the id and touch commands:
id uid=500(user1) gid=502(testing) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
Note, the Primary Group is now gid 502 (testing).
touch file1 ls -l file1 -rw-r--r-- 1 user1 testing 0 2007-10-13 20:31 file1
The file1 file belongs to the testing group instead of the user1 group. Type exit to return to your original Primary Group; the output of the exit command is exit:
exit exit id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1) context=user_u:system_r:unconfined_t
The Primary Group is now back to user1. Also note the id command has not displayed the testing group. Changes to group membership require you to log out and then log in, before the changes are displayed using the id and groups commands. Users can also be members of Secondary Groups. Secondary groups are defined in /etc/group. Use the groups and id commands to view group membership:
groups user1 wheel testing
id uid=500(user1) gid=500(user1) groups=10(wheel),500(user1),502(testing) context=user_u:system_r:unconfined_t
To add a user to a Secondary Group, use the following command:
su -c "/usr/sbin/usermod -a -G <group> <username>"
Enter the root password when prompted.
This adds the user specified with <username> to the Secondary Group specified in <group>. To add a user to multiple Secondary Groups list the group names in comma-separated form:
su -c "/usr/sbin/usermod -a -G <group1>,<group2>,<group3> <username>"
Enter the root password when prompted.
Removing a user from a group is a little different. Use the usermod command without the -a append switch to specify the group memberships you want to keep. For example, if the mentioned user is a member of group1, group2, group3, and group4, but you want to remove the user from group4, then run the following command:
su -c "/usr/sbin/usermod -G group1,group2,group3 <username>"
This command keeps the user's group memberships of group1, group2, and group3, while removing membership from the group4.
For the full list of available command options, refer to the usermod(8) manual page.
If the user is a member of multiple groups, all the groups must be listed as parameters in a comma-separated form:
-G <group1,group2,group3,group4>. When you omit a group name you remove the user from that group.Modifying Group Accounts
To modify group account parameters, use the groupmod command. This command can change two group account parameters, the group ID (GID) and group name. To change the group ID (GID) of the group black, run:
su -c "/usr/sbin/groupmod -g 600 black"
Enter root password at the prompt. This command would change the GID of the group black to 600. If you do not use -o option, the GID numerical value supplied to the command must be unique.
groupmod command does not change group ownership of files. You must manually change group ID (GID) ownership of all the files owned by the group's previous group ID.
To assign a new name to the group account, run:
su -c "/usr/sbin/groupmod -n blue black"
Enter the root password at the prompt. This changes the group's name from black to blue.
Changing Password Expiration Information
To change the user's password expiration information use the chage command. This command changes the number of days between password changes and the date of the last password change and is used by the system to determine when the user is forced to change the password. For example, to set the number of days the password of the user dan to be valid for 90 days (three months), run:
su -c "chage -M 90 dan"
Enter the root password at the prompt. The above option is usually used in conjunction with -W option, which sets the number of days before expiration the user is warned about the pending expiration:
su -c "chage -W 10 -M 90 dan"
Enter the root password when prompted. The above command forces the user dan to change the password after 90 days. User dan is warned about this every day, starting 10 days before the password expiration.
chage(1) manual page.Account Management - Using A Graphical User Interface
This section explains how to manage user and group accounts using a graphical user interface (GUI). User Manager is the application used to create and manage user and group accounts.
system-config-users package installed.To start User Manager select System > Administration > Users and groups from the main panel menu or from the command line run system-config-users and enter the root password at the prompt.
File:Docs Drafts AdministrationGuide UserAccounts usermanager.png
By default, User Manager does not display system accounts. To enable the listing of system accounts, from the main menu select Edit > Preferences
File:Docs Drafts AdministrationGuide UserAccounts usermanagerprefs.png
and uncheck the box next to Hide system users and groups. You can use the Preferences window to modify the default behavior of automatically assigning the next available UID or GID to user and group accounts or creating the GID of the user's private group with the identical value as the user's UID. This is achieved by unchecking the appropriate boxes in the New users pane of the Preferences window.
To search for the user, enter first few letters of the username in the search filter field and click the Apply filter button.
You can sort the users list by clicking on the column name. Text fields are sorted in alphabetical order and numerical fields in the ascending order of the values in the field.
Adding A New User
To add a new account click the Add User button on the main toolbar.
File:Docs Drafts AdministrationGuide UserAccounts newuser.png
Type the username, user's full name and password (remember passwords are case-sensitive) in appropriate fields. Pre-selected fields represent the defaults for Fedora - /bin/bash is default shell, /home/<username> is created as user's home directory, private group with the same name will be created for user and next available UID will be used. If you choose to, you can change any of these options. Once you supply all the information, click [OK] button to create account.
Adding A New Group
To list the existing groups in the User Manager window click on the Groups tab. The same rules apply for sorting available columns and searching for a particular group as applied to the Users tab.
File:Docs Drafts AdministrationGuide UserAccounts groupstab.png
To create a new group, click the Add Group button on the main toolbar of the User Manager.
File:Docs Drafts AdministrationGuide UserAccounts addgroup.png
Type the group name in the Group Name field and click [OK] . By default, the new group will be added with the next available GID. You can manually change this behavior by checking the box Specify group ID manually and selecting a different, unused number from the list.
Modifying User Accounts
File:Docs Drafts AdministrationGuide UserAccounts usermanagerselect.png
To display the properties of a user account, select the account from the list and click the Properties button, which is now active, on the main toolbar of the User Manager window. The User Properties window opens, with User Data tab focused:
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesdata.png
You can change the account name, user's full name, password, home directory and user's shell by altering information in appropriate fields.
Click the Account info tab.
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesaccinfo.png
Check Enable account expiration box and enter the date to expire user account on that day. Check Local password is locked box to lock the user account.
Click the Password info tab.
File:Docs Drafts AdministrationGuide UserAccounts userpropertiespwd.png
Time of the last password change is displayed. Check Enable password expiration box. This will allow you to disable password change for user, force the user to change their password and warn the user about that change in advance and when the account will become inactive. Each of the four fields accepts integers, representing number of days.
Click the Groups tab.
File:Docs Drafts AdministrationGuide UserAccounts userpropertiesgrp.png
Change the user's group membership by checking or unchecking the box next to group name. If the user is a member of multiple groups, set the user's primary group by selecting the group from the Primary group drop-down list.
Modifying Group Accounts
To modify group accounts select the group from the Groups tab of the User Manager
File:Docs Drafts AdministrationGuide UserAccounts usermanagergrpselect.png
To view group properties, click the Properties button on the main toolbar. The Group Properties window opens
File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesdata.png
with the Group Data tab in focus. To change the group name, edit text in the Group Name field.
Click the Group Users tab.
File:Docs Drafts AdministrationGuide UserAccounts grouppropertiesusers.png
To add users to this group, check the box next to appropriate user names on the list.
Additional Information
For additional help and more information on managing user accounts look at:
Websites
username and password guidelines
username and group file(s) information
Manual Pages
- passwd(1) ---Learn more about the file format information for the
/etc/passwdfile. - group(5) ---Learn more about the file format information for the
/etc/groupfile. - shadow(5) ---Learn more about the file format information for the
/etc/shadowfile. - useradd(8) ---Learn how to create or update user accounts.
- userdel(8) ---Learn how to delete user accounts.
- usermod(8) ---Learn how to modify user accounts.
- chpasswd(8) ---Learn how to batch update user passwords.
- chage(1) ---Learn how to change user password aging information.
- chfn(1) ---Learn how to change a user's GECOS (finger) information.
- chsh(1) ---Learn how to change a user's login shell.
- groupadd(8) ---Learn how to create a new group.
- groupdel(8) ---Learn how to delete a group.
- groupmod(8) ---Learn how to modify a group.
- gpasswd(1) ---Learn how to administer the
/etc/groupand/etc/gshadowfiles. - grpck(1) ---Learn how to verify the integrity of the
/etc/groupand/etc/gshadowfiles. - chgrp(1) ---Learn how to change group-level ownership.
- chmod(1) ---Learn how to change file access permissions.
- chown(1) ---Learn how to change file owner and group.