RED HAT LINUX USERS AND GROUPS CONFIGURATION
The control of users and groups is a core element of Red Hat Enterprise Linux system administration. Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use. Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group, according to the permissions the file grants to its group. Each user and group has a unique numerical identification number called a user ID (UID) and a group ID (GID), respectively. A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and the file owner. Red Hat Enterprise Linux also supports access control lists (ACLs) for files and directories, which allow permissions for specific users other than the owner to be set.
User and Group Configuration
The User Manager allows you to view, modify, add, and delete local users and groups. To use the User Manager, you must be running the X Window System, have root privileges and have the system-config-users RPM package installed. To start the User Manager from the desktop, go to System (on the panel) => Administration => Users & Groups. You can also type the command system-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).
To view a list of local users on the system, click the Users tab. To view a list of local groups on the system, click the Groups tab. To find a specific user or group, type the first few letters of the name in the Search filter field. Press Enter or click the Apply filter button. The filtered list is displayed. To sort the users or groups, click on a column name; the entries are sorted according to the value of that column. Red Hat Enterprise Linux reserves user IDs below 500 for system users. By default, User Manager does not display system users. To view all users, including the system users, go to Edit => Preferences and uncheck Hide system users and groups in the dialog box.
Adding a New User
To add a new user, click the Add User button. Type the username and full name for the new user in the appropriate fields. Type the user's password in the Password and Confirm Password fields. The password must be at least six characters. Select a login shell. If you are not sure which shell to select, accept the default value of /bin/bash. The default home directory is /home/<username>/. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting Create home directory. If you select to create the home directory, default configuration files are copied from the /etc/skel/ directory into the new home directory. Red Hat Enterprise Linux uses a user private group (UPG) scheme. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it offers a new convention. Whenever you create a new user, by default, a unique group with the same name as the user is created. If you do not want to create this group, unselect Create a private group for the user. To specify a user ID for the user, select Specify user ID manually. If the option is not selected, the next available user ID at or above 500 is assigned to the new user. Because Red Hat Enterprise Linux reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499. Click OK to create the user.
To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user.
Modifying User Properties
To view the properties of an existing user, click on the Users tab, select the user from the user list, and click Properties from the menu (or choose File => Properties from the pull down menu).
The User Properties window is divided into multiple tabbed pages:
• User Data — shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell.
• Account Info — select Enable account expiration if you want the account to expire on a certain date. Enter the date in the provided fields. Select Local password is locked to lock the user account and prevent the user from logging into the system.
• Password Info — displays the date that the user's password last changed. To force the user to change passwords after a certain number of days, select Enable password expiration and enter a desired value in the Days before change required: field. The number of days before the user's password expires, the number of days before the user is warned to change passwords, and the number of days before the account becomes inactive can also be changed.
• Groups — allows you to view and configure the user's primary group, as well as the other groups you want the user to be a member of.
User and Group Management Tools
Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage. The easiest way to manage users and groups is through the graphical application, User Manager (system-config-users), described above. The following command line tools can also be used to manage users and groups:
• useradd, usermod, and userdel — industry-standard methods of adding, modifying, and deleting user accounts
• groupadd, groupmod, and groupdel — industry-standard methods of adding, modifying, and deleting user groups
• gpasswd — industry-standard method of administering the /etc/group file
• pwck, grpck — tools used for the verification of the password, group, and associated shadow files
• pwconv, pwunconv — tools used for the conversion of passwords to shadow passwords and back to standard passwords
Command Line Configuration
If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.
Adding a User
To add a user to the system:
1. Issue the useradd command to create a locked user account:
• useradd <username>
2. Unlock the account by issuing the passwd command to assign a password and set password aging guidelines:
• passwd <username>
Adding a Group
To add a group to the system, use the command groupadd:
groupadd <group-name>
Command line options for groupadd:
Option      Description
-g <gid>    Group ID for the group, which must be unique and greater than 499
-r          Create a system group with a GID less than 500
-f          When used with -g <gid> and <gid> already exists, groupadd will choose another unique <gid> for the group
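As an added example (not part of the Red Hat guide), the script below shows how the reserved 1-499 range is honoured when an identifier is chosen by hand, and wraps the groupadd/useradd/passwd sequence above into one provisioning step. The names next_free_id and provision_user, the aging values, and the passwd snippet the demo scans are all hypothetical; provision_user must be run as root and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: find the next free UID or GID at
# or above the 500 boundary the guide describes, and provision a locked
# account in a project group. The provisioning step needs root and is not
# exercised by the demo below; the script and its names are hypothetical.

# next_free_id FILE MIN: lowest id >= MIN absent from field 3 of a
# passwd- or group-format FILE (name:x:ID:...). useradd and groupadd do the
# same search internally; doing it by hand shows why 1-499 are skipped.
next_free_id() {
    cut -d: -f3 "$1" | awk -v min="$2" '
        $1 >= min { used[$1] = 1 }
        END { id = min; while (id in used) id++; print id }'
}

# provision_user NAME GROUP: create GROUP if missing, then run the two-step
# useradd/passwd sequence from the text, applying an aging policy while the
# account is still locked. Run as root; passwd prompts for the initial
# password and that is what unlocks the account.
provision_user() {
    name=$1; group=$2
    getent group "$group" >/dev/null || /usr/sbin/groupadd "$group"
    /usr/sbin/useradd -G "$group" "$name"     # UPG, home dir, !! in /etc/shadow
    /usr/bin/chage -M 90 -W 7 -I 14 "$name"   # 90-day max age, warn 7 days ahead
    /usr/bin/chage -d 0 "$name"               # must change at first login
    /usr/bin/passwd "$name"
}

# Demo on a constructed passwd snippet (not a real /etc/passwd).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
juan:x:500:500::/home/juan:/bin/bash
maria:x:501:501::/home/maria:/bin/bash
app:x:503:503::/var/lib/app:/sbin/nologin
EOF
    echo "next user UID: $(next_free_id "$f" 500)"   # 502: 500 and 501 are taken
    rm -f "$f"
}
demo
```

Scanning the whole file rather than taking max+1 matters once accounts have been deleted: the gap left by a removed UID is reused, which is exactly why files owned by a deleted user should be cleaned up before the number is handed to someone else.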
Password Aging
For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager. To configure password expiration for a user from a shell prompt, use the chage command.
Option      Description
-m <days>   Specifies the minimum number of days the user must wait between password changes. If the value is 0, the user may change the password at any time.
-M <days>   Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account.
-d <days>   Specifies the number of days since January 1, 1970 the password was changed.
-I <days>   Specifies the number of inactive days after the password expiration before locking the account. A value of 0 locks the account as soon as the password expires; a value of -1 disables the inactivity lock.
-E <date>   Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
-W <days>   Specifies the number of days before the password expiration date to warn the user.
You can configure a password to expire the first time a user logs in. This forces users to change passwords the first time they log in.
1. Lock the user password. If the user does not exist, use the useradd command to create the user account, but do not give it a password, so that it remains locked. If the password is already enabled, lock it with the command:
• usermod -L <username>
2. Force immediate password expiration. Type the following command:
• chage -d 0 <username>
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
3. Unlock the account. There are two common approaches to this step. The administrator can assign an initial password or assign a null password.
To assign an initial password, use the following steps:
• Start the command line Python interpreter with the python command. It prints a version banner, the line Type "help", "copyright", "credits" or "license" for more information. and the >>> prompt.
• At the prompt, type the following commands. Replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
import crypt; print crypt.crypt("<password>","<salt>")
The output is the encrypted password, similar to '12CsGd8FRcMSM'. (On Python 3 the statement is print(crypt.crypt("<password>", "<salt>")).) A two-character salt selects the traditional DES-based crypt, which only uses the first eight characters of the password; where crypt(3) supports it, a salt of the form $6$<random> produces a SHA-512 hash instead, the format passwd writes by default on Red Hat Enterprise Linux 6 and later.
• Press Ctrl-D to exit the Python interpreter.
• At the shell, enter the following command (replacing <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p '<encrypted-password>' <username>
Use single quotes: a hash containing $ would otherwise be expanded by the shell. Note also that a hash passed on the command line is recorded in the shell history and is briefly visible to other users in the process list.
Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:
• usermod -p "" <username>
With a null password the account may accept a login with no password at all until the user sets one (the default local PAM configuration on Red Hat Enterprise Linux permits empty passwords), so prefer the initial-password approach wherever others can reach a login prompt.
In either case, upon initial log in, the user is prompted for a new password.
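To see what the aging fields from the chage table and the lock markers used in the steps above amount to at login time, here is an added shell example (not from the Red Hat guide) that classifies a single /etc/shadow record the way the login check does. The records it is run on are constructed and the day numbers are chosen by hand rather than read from a real system; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: classify one /etc/shadow record
# using the chage fields described above. Field order (shadow(5)):
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# Day values count days since 1970-01-01, the unit chage -d and -E use.

# today_days: the current day number in the same unit as the shadow fields.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_state RECORD TODAY: print one word describing the account.
#   null-password    empty hash field (login may succeed with no password)
#   locked           hash starts with ! (usermod -L, or !! left by useradd)
#   disabled         hash is * (no password login possible)
#   account-expired  the -E date has passed
#   must-change      lastchg is 0 (chage -d 0): change required at next login
#   inactive         max age and the -I grace period have both passed
#   expired          max age passed; the user must change at next login
#   ok               password usable
shadow_state() {
    record=$1; today=$2
    # read with IFS=: keeps empty fields and does not glob a '*' hash
    IFS=: read -r name hash lastchg min max warn inact expire rest <<EOF
$record
EOF
    case $hash in
        '')   echo null-password; return ;;
        '!'*) echo locked; return ;;
        '*'*) echo disabled; return ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    if [ "$lastchg" = 0 ]; then
        echo must-change; return
    fi
    # an empty lastchg or max (or a negative max) means aging is not enforced
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo ok; return
    fi
    if [ -n "$inact" ] && [ "$inact" -ge 0 ] && \
       [ "$today" -ge $(( lastchg + max + inact )) ]; then
        echo inactive; return
    fi
    if [ "$today" -ge $(( lastchg + max )) ]; then
        echo expired; return
    fi
    echo ok
}

# Constructed records (not from any real system), evaluated on day 16010.
for rec in 'juan:!!:16000:0:99999:7:::' \
           'juan:$6$saltsalt$hashhash:0:0:99999:7:::' \
           'juan:$6$saltsalt$hashhash:15900:0:90:7:10::'; do
    printf '%-48s %s\n' "$rec" "$(shadow_state "$rec" 16010)"
done
```

The order of the checks is the point: a lock marker wins over everything, account expiry wins over password state, and the inactivity lock is only reached once the maximum age has already passed, so "chage -d 0" on a still-locked account leaves it locked until the hash is replaced.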
Explaining the Process
The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
1. A new line for juan is created in /etc/passwd. The line has the following characteristics:
• It begins with the username juan.
• There is an x for the password field indicating that the system is using shadow passwords.
• A UID greater than 499 is created. (Under Red Hat Enterprise Linux, UIDs and GIDs below 500 are
reserved for system use.)
• A GID greater than 499 is created.
• The optional GECOS information is left blank.
• The home directory for juan is set to /home/juan/.
• The default shell is set to /bin/bash.
2. A new line for juan is created in /etc/shadow. The line has the following characteristics:
• It begins with the username juan.
• Two exclamation points (!!) appear in the password field of the /etc/shadow file, which locks the account.
• The password is set to never expire.
3. A new line for a group named juan is created in /etc/group. A group with the same name as a user is called a user private group. For more information on user private groups, see “Adding a New User” and “User Private Groups”.
The line created in /etc/group has the following characteristics:
• It begins with the group name juan.
• An x appears in the password field indicating that the system is using shadow group passwords.
• The GID matches the one listed for user juan in /etc/passwd.
4. A new line for a group named juan is created in /etc/gshadow. The line has the following characteristics:
• It begins with the group name juan.
• An exclamation point (!) appears in the password field of the /etc/gshadow file, which locks the group.
• All other fields are blank.
5. A directory for user juan is created in the /home/ directory. This directory is owned by user juan and group juan. However, it has read, write, and execute privileges only for the user juan. All other permissions are denied.
6. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory.
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
User Private Groups
Red Hat Enterprise Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created and that user is the only member of the UPG. UPGs make it safe to set
default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory. The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not
allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
Group Directories
Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that project's files. Using this traditional scheme, managing files has been difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it is difficult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the setgid bit set.
The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory. Let us say, for example, that a group of people need to work on files in the /usr/share/emacs/site-lisp/ directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an emacs group, as in the following command:
• /usr/sbin/groupadd emacs
To associate the contents of the directory with the emacs group, type:
• chown -R root.emacs /usr/share/emacs/site-lisp
Now, it is possible to add the proper users to the group with the gpasswd command:
• /usr/bin/gpasswd -a <username> emacs
To allow users to create files within the directory, use the following command:
• chmod 775 /usr/share/emacs/site-lisp
When a user creates a new file, it is assigned the group of the user's default private group. Next, set the setgid bit, which assigns everything created in the directory the same group permission as the directory itself (emacs). Use the following command:
• chmod 2775 /usr/share/emacs/site-lisp
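The same sequence, replayed on a scratch directory so it can be tried without root, as an added example that is not part of the Red Hat guide. It assumes a Linux system with GNU stat; chgrp stands in for the root-only chown, and the group defaults to the caller's primary group, so pass a second group you belong to if you want to watch the group actually change hands. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: the setgid project directory
# from the text, built under a temporary directory with no root needed.
# Assumes Linux with GNU stat (-c).

# file_group PATH / file_mode PATH: numeric GID and octal mode of PATH.
file_group() { stat -c '%g' "$1"; }
file_mode()  { stat -c '%a' "$1"; }

# make_group_dir DIR [GROUP]: the chown/chmod 775/chmod 2775 steps.
# The caller must own DIR and be a member of GROUP for chgrp to succeed;
# with no GROUP the directory keeps the creator's primary group.
make_group_dir() {
    dir=$1; group=${2:-}
    mkdir -p "$dir"
    [ -n "$group" ] && chgrp "$group" "$dir"
    chmod 2775 "$dir"        # rwxrwsr-x: group-writable, setgid on the directory
}

# create_as_member DIR NAME: create a file the way a project member would,
# under the 002 umask /etc/bashrc gives users with a private group.
create_as_member() {
    ( umask 002; : > "$1/$2" )
}

# check_inherited DIR NAME: succeed only if the new file took the directory's
# group (setgid inheritance) and is group-writable (664 under umask 002).
check_inherited() {
    [ "$(file_group "$1/$2")" = "$(file_group "$1")" ] &&
    [ "$(file_mode "$1/$2")" = 664 ]
}

# Demonstration on a scratch directory, removed afterwards.
demo() {
    base=$(mktemp -d)
    make_group_dir "$base/site-lisp" "${1:-}"
    create_as_member "$base/site-lisp" notes.el
    printf 'dir %s (gid %s), file %s (gid %s)\n' \
        "$(file_mode "$base/site-lisp")"  "$(file_group "$base/site-lisp")" \
        "$(file_mode "$base/site-lisp/notes.el")" "$(file_group "$base/site-lisp/notes.el")"
    check_inherited "$base/site-lisp" notes.el; rc=$?
    rm -rf "$base"
    return $rc
}
demo "$@"
```

Run it with a group name as the first argument to see a file land in a group other than your own. Two things the real deployment adds: the umask 002 only applies because of the UPG scheme, so a user with umask 022 would still create 644 files that other members cannot edit, and the setgid bit is cleared again by chmod on a directory whose group you are not a member of unless you are root.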
At this point, because the default umask of each user is 002, all members of the emacs group can create and edit files in the /usr/share/emacs/site-lisp/ directory without the administrator having to change file permissions every time users write new files.
Shadow Passwords
In multiuser environments it is very important to use shadow passwords (provided by the shadow-utils package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default. The following lists the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
• Improves system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.
• Stores information about password aging.
• Allows the use of the /etc/login.defs file to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work. The following is a list of commands which do not work without first enabling shadow passwords:
• chage
• gpasswd
• /usr/sbin/usermod -e or -f options
• /usr/sbin/useradd -e or -f options