Blog

In this article, we will see Linux user management in RHEL and CentOS, like How to create user, How to modify user and How to remove user? we will also see all the important user related files that are frequently used to manage users in Red Hat Enterprise Linux operating system.

Type of User in Red Hat Linux

There are three types of user in RHEL operating system. Which are:-

• Super User: – root is a super user, which is created at the time of RHEL or CentOS installation. Super user has all the privileges in Linux operating system. So, Super user can perform all the administration tasks such as stop or starts any service, grant or revokes permissions, open ports especially less than 1024 ports, user management and much more.
• System User: system users are created by system such as bin, games, ftp, name, mail, daemon, apache etc. These types of users are different service user and required for running different services. System user cannot login to the system because by default their login shell is nologin.
• Regular User: these users are created by super user. This user can login to the system but has limited access. it’s cannot perform all administration tasks. If super user provides permission, then regular user can perform permitted administration tasks. A regular user may be an ftp user, a games user or a mail user. Like below:-

[root@urclouds ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:997:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:997:996:User for polkitd:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin

How to Add or Create User in Linux

The command that is used to create user in RHEL or CentOS which is useradd. We can also use adduser command to create users in Linux operating system.

When we run useradd command in RHEL or CentOS Linux command prompt, then it will performs these following activities in Linux system.

• It adds a new entry in both /etc/passwd file and /etc/shadow file.
• It also adds a new entry in /etc/group file and /etc/gshadow file.
• A user home directory is created in /home directory for the new user.
• Permissions and ownership are also set to user home directory by this command.

You can see the basic structure or syntax of useradd command in below:-

useradd [options] username

The username is a login name which is used to login into the Linux system. The username must be unique that means it must be different from other usernames which is already exist on your system. We can create user with useradd command with lot of option but here we will see some useful option that are frequently used with useradd command.

To create a new user in your Linux system, you can generally use useradd command like bellow example without any option.

[root@urclouds ~]# useradd urclouds
[root@urclouds ~]#

Where, urclouds is the login name that will be used to login into your Linux system. Once we have created user then we need to set password for this user. So first of all we need to set the password for this user. Otherwise we cannot login into our system with this user. So let set the password of urclouds created user. Like below:-

Set/Reset User Password

To set the password for the newly created user or to reset password to any existence user, we can use command passwd and user name like below:-

[root@urclouds ~]# passwd urclouds
Changing password for user urclouds.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@urclouds ~]#

What Happen with useradd Command

Five major things or events will happen in your Linux system while creating any user with useradd command.

Event 1: A New Entry in /etc/passwd File

The /etc/passwd file is used to store user information. So, the useradd command will add a new line in /etc/passwd that will contain user primary information and the entry will be like below:-

[root@urclouds ~]# cat /etc/passwd |grep urclouds
urclouds:x:1001:1001::/home/urclouds:/bin/bash
[root@urclouds ~]#

There are seven fields in this line separated by colon and every field has its own meaning. Let’s explore the meaning of these all seven fields one by one.

1. urclouds:- It’s a username that is provided while creating a user. It is used to login into your system and it should be between 1 to 32 characters as well as unique.
2. X:- An ‘x’ character indicate that encrypted password is stored in /etc/shadow file. If we put ‘*’ in place of x, then the user cannot login. If we keep second field blank, then the user can login without any password.
3. 1001:- In Linux system operating system every user must have a User Identification Number (UID). Generally, UID = 0 is reserved for the super user which is root. UID 1 to 99 are reserved for other predefined user accounts. Further UID 100 to 999 is reserved for the system users. Regular user’s UID starts from 1000. As system zone is a regular user here, The UID is showing 1001. If UID of any regular user is changed to 0, the user is considered as a super user in your system.
4. 1001:- This is the primary Group Identification Number (GID) of this user. Whenever a user is created a primary group is also created for that user. Every user has its own primary group but it can also have supplementary groups.
5. Comments or User Info :- This is an optional field and only used for informational purpose. Usually it contains the full name of the user or any user comment can be put. This field is filled by finger command.
6. /home/urclouds:- This is the absolute path of the user’s home directory. If this field value is not present, then ‘/’ root directory becomes the home directory of the user.
7. /bin/bash:- This is the absolute path of the user command shell.

 

Event 2:- A New Entry in /etc/shadow File

The useradd command will also add a new line in /etc/shadow file that is used to store user password information. The entry line looks like below:-

[root@urclouds ~]# cat /etc/shadow |grep urclouds
urclouds:!!:17902:0:99999:7:::
[root@urclouds ~]#

At this state, the user is in lock state. But executing passwd command followed by username, the line looks like below.

[root@urclouds ~]# cat /etc/shadow |grep urclouds
urclouds:$6$4adRS3ZO$rIB5s5SirdRNPc3XoPawD.o8tR/SEfpgJusdPbUtNMtEHggTwHHc0oDW9JYjwN8SPFnYHxZyszaMlXRA8zsLD0:17902:0:99999:7:::
[root@urclouds ~]#

There are nine fields in this line separated by colon and the explanation of these fields in below one by one.

1. urclouds:- It is login name which is used to login into the system.
2. :$6$4adRS3ZO$rIB5s5SirdRNPc3XoPawD.o8tR/SEfpgJusdPbUtNMtEHggTwHHc0oDW9JYjwN8SPFnYHxZyszaMlXRA8zsLD0:- It’s user’s password which is encrypted. Before executing passwd command the value was (!!) which indicates no password is provided yet. So, the user is in lock state. But executing passwd command, provided password value will be encrypted with any hashing algorithm that is SHA512 by default.
3. 17902:- Days since UNIX epoch password was changed (Jan 1, 1970). If value is set to 0, the user password is immediately expired. When the user logs in the next time, he is forced to change his password.
4. 0:- Minimum number of days after which password is allowed to be changed. If this value is set to 0, then the user can change password as many times as he wants.
5. 99999:- Days after which password must be changed. If value is assigned, the user is forced to change his password. If value is 0, the password will never expire.
6. 7:- The days before password will be expired and the user is warned that his password must be changed.
7. Inactive:- The days after the password expiration the account will be disabled. Once any account is disabled, then account can only be re-enabled by the root user.
8. Emergency restriction:- This field is used as an emergency account restricting field by the root user. If value is set to 0, then account will be locked until root user removes this restriction.
9. Future use:- This field is reserved for future use.

 

The root user can make a password policy that any user must change his password within maximum specified number of days with a warning period and blocking the account if he fails to change by combining 5^th, 6^th and 7^th field.

Event 3:- A New Entry in /etc/group File

When a user is created with useradd command, a user private group is created and its entry goes to /etc/group file. The entry looks like below:-

[root@urclouds ~]# cat /etc/group |grep urclouds
urclouds:x:1001:
[root@urclouds ~]#

These are four fields in this line separated by colon. Let’s see the explanation of these fields in below:-

1. urclouds:- This is the private group name of the user followed by username.
2. X:- Group password can be assigned with gpasswd command. Here ‘x’ indicates password is saved in /etc/gshadow By default no password is assigned for the group by useradd command.
3. 1001:- This is group ID and it is same as the UID.
4. Group Member:- This field shows the member of this group except the user which is already a member of this group

Event 4:- A New Entry in /etc/gshadow File

When we create user with useradd command, a new line is also added to /etc/gshadow file. The line looks like below:-

[root@urclouds ~]# cat /etc/gshadow |grep urclouds
urclouds:!::
[root@urclouds ~]#

This line also contains four fields separated by colons. Which explanation of these fields is given below:-

1. Group name urclouds:- This is the corresponding group name of the user.
2. Password !:- This field is contains group password which is assigned with gpasswd command. If no password is given to the group, then it shows ‘!’ in this file. If /etc/gshadow file is deleted, this encrypted password is moved to second field of /etc/group
3. Group Administrators:- This field contains the list of administrators of this group. By default it is blank that means only user having same name of the group name is the administrator of this group.
4. Group Members:- Name of group members are listed in this field. By default it is blank.

Event 5:- User Home Directory

A directory followed by username is created in home directory where all the files of related users are stored. A user is only allowed to access his own home directory. Generally, home directory of RHEL or CentOS Linux is /home. But user’s default home directory path can be changed by editing /etc/default/useradd file using special option with useradd command.

Two More User Administration Files

There are two more user administration files which are very important when we managing users in RHEL or CentOS Linux operating system. Which file are these:-

• /etc/login.defs file
• /etc/default/useradd file

Understanding /etc/login.defs file

In RHEL or CentOS Linux, a file called /etc/login.defs is used to store user default password policy as well as other user related information. When we create a user with useradd command, it goes to this file and loads user default configuration from this file and then applies for the user. Only root user can edit this file.

Understanding /etc/default/useradd File

When we executed useradd command, then it takes some of user property values like where user’s home directory will be created, what should be the user’s shell etc. from /etc/default/useradd file.

Understanding /etc/skel Directory

The /etc/skel directory serves as a skeleton for user’s home directory. If any file is kept in this directory, the file will be automatically copied in user’s home directory while creating new user with useradd command. So, this can be useful for a system administrator to give default files to every new user. By default this directory contains three hidden files.

• .bash_logout
• .bash_profile
• .bashrc

So, home directory of any new user must have these three files.

The useradd Command Options

Now we will see some useful useradd command options that are frequently used for user administration in RHEL and CentOS.

Create User with Different Home Directory

According to default configuration, user home directory is created in /home directory but when we creating a new user with useradd command you can change user’s home directory. The home directory can be changed with ‘-d’ option. For example, below command will create a user named urclouds1 whose home directory will be /var/uc.

[root@urclouds ~]# useradd -d /var/uc urclouds1
Creating mailbox file: File exists
[root@urclouds ~]#

Create User without Home Directory

Sometimes We need to create a user without home directory. If we use ‘-M’ option with useradd command, than the user will not have any specific home directory. In this situation, home directory of this user will be the previous logged user’s home directory.

[root@urclouds ~]# useradd -M urclouds2
[root@urclouds ~]#

Create User with Specific UID

User ID is automatically assigned when a user is created with useradd command. But user ID can be specified while creating a user with useradd command. We can use ‘-u’ option to specify the UID of any user. For example, below command will create a user named urclouds3 whose UID will be 1004.

[root@urclouds ~]# useradd -u 1004 urclouds3
[root@urclouds ~]#

While specifying UID we should be care about that the UID must be unique from any other user ID that is already exists on the system.

Create User with Specific Group ID

Similarly, GID is automatically assigned when a user is created with useradd command. But using ‘-g’ option, GID can also be assigned manually while creating a user with useradd command. For example, below command will create a user named urclouds5 whose UID will be 1050 and GID will be 1001.

[root@urclouds ~]# useradd -u 1050 -g 1001 urclouds5
[root@urclouds ~]#

Here, we should also be care about that GID must be unique from other group ID that are already exists in our system.

Add User to Multiple Groups

By default, a user is added to its own group. But we can add a user to multiple groups while creating that user with useradd command. We can use ‘-G’ option with useradd command for this purpose. For example, below command will create a user named urclouds6 which will be added to mysql and apache group.

[root@urclouds ~]# useradd -G mysql,apache urclouds6
[root@urclouds ~]#

Create User without Group

By default, at least one private group is created followed by username while creating any user. But if we need to create a user without any group, we can use ‘-N’ option. The ‘-N’ option creates a user that will have no group.

[root@urclouds ~]# useradd -N urclouds7
[root@urclouds ~]#

Create User with Account Expiry Date

Sometimes we need to create a temporary account. In this situation, we can create an account with expiry date. By default, useradd command creates a user which will never be expired. The ‘-e’ option with useradd command helps to create a user with expiry date. Like below.

[root@urclouds ~]# useradd -e 2019-02-20 urclouds8
[root@urclouds ~]#

The date format of this option will be YYYY-MM-DD. We can show age of this user account with chage command like below.

[root@urclouds ~]# chage -l urclouds8
Last password change                                    : Jan 06, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Feb 20, 2019
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@urclouds ~]#

Add User with Custom Comments

By default the useradd command keeps custom comments field blank if not specify. The ‘-c’ option allows to add custom comments such as full name, phone number etc to /etc/password file. For example, if we want to specify user’s full name while creating user with useradd command, use the following command.

[root@urclouds ~]# useradd -c  "Zafar Imam" urclouds9
[root@urclouds ~]#

Where, Zafar Imam is the full name of user urclouds9.

Change User’s Login Shell

Sometimes we need to change user’s default login shell which is /bin/bash. The ‘-s’ option will allow you to change user’s default login shell. For example, the following command will create a user named urclouds whose default shell will be tcsh.

[root@localhost ~]# useradd  -s /bin/tcsh  urclouds
Again, if we need to create a user that will have no login shell, you may use /sbin/nologin or /bin/false like below example.
[root@localhost ~]# useradd  -s /bin/false urclouds

Create Multiple Users with Single Command

We can create multiple users with single line command. For this, We can add multiple useradd command with AND (&&) operator. For example we can use below command to add two users with one single line command.

[root@urclouds ~]# useradd  zafar && useradd imam
[root@urclouds ~]#

Create User and Set Password with Single Command

Combining useradd and passwd command with AND (&&) operator, user and password can be created at the same time.

[root@urclouds ~]# useradd  zafar1 && passwd zafar1
Changing password for user zafar1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@urclouds ~]#

How to Edit/Modify User in Linux

The usermod command is used to modify any user’s properties. The basic structure of usermod command is below:-

usermod [options] username

Where, username is the login name which is used to log into the system. Option parameter is used to modify different properties of any user. The options that you have to used with useradd command while creating any user can similarly be used with usermod command to modify any user property. We can see some example here.

Change User Login Name

The ‘-l’ option is used to change the username or login name of any user.

[root@urclouds ~]# usermod  -l zafar2 zafar
[root@urclouds ~]#

Where, zafar is an old name and zafar2 is new name. So, zafar2 will be replaced with zafar.

Modify User Comment

The ‘-c’ option is used to modify user comment such as user’s full name or any notes to /etc/passwd file.

[root@urclouds ~]# usermod  -c "admin" zafar2
[root@urclouds ~]#

Modify User Home Directory

We can change user home directory using ‘-d’ option with usermod command.

[root@urclouds ~]# usermod -d /var/zi/zafar2 zafar2
[root@urclouds ~]#

Modify User Default Shell

To modify user’s default shell, the ‘-s’ option can be used with usermod command.

[root@urclouds ~]# usermod  -d /bin/tcsh zafar2
[root@urclouds ~]#

Modify User Account Expiration Date

Account expiration date of any user can be changed using ‘-e’ option with help of usermod command.

[root@urclouds ~]# usermod  -e 2019-02-28 urclouds2
[root@urclouds ~]#

User Lock and Unlock

The ‘-L’ option with usermod command will lock any user immediately. So, that the user cannot login with his login credentials.

[root@urclouds ~]# usermod  -L urclouds2
[root@urclouds ~]#

Similarly, a locked user we can unlocked using -U option with usermod command.

[root@urclouds ~]# usermod  -U urclouds2
[root@urclouds ~]#

Assign Single User to Multiple Groups

The ‘-G’ option with usermod command can be used to assign a user to multiple groups.

[root@urclouds ~]# usermod  -G mysql,apache urclouds2
[root@urclouds ~]#

How to Remove User in Linux

The userdel command is used to delete any user in Linux operating system. You can see basic structure of userdel command below:-

userdel [options] username

Where, username is the login name of any user. The userdel command accepts option to perform special task too.

Delete Specific User Leaving Home Directory

If we use userdel command without any option, the user will be deleted but home directory will be remain in our system.

[root@urclouds ~]# userdel  urclouds2
[root@urclouds ~]#

 Delete User with Home Directory

The ‘-r’ option with userdel command will delete any user including his home directory.

[root@urclouds ~]# userdel -r urclouds3
[root@urclouds ~]#

Remove user forcibly

The ‘-f’ option with userdel command will delete user although the user is logged into the system as well as it will remove user’s home directory.

[root@urclouds ~]# userdel -f urclouds5
[root@urclouds ~]#

Change User’s Password Aging Information

Password expiry information of any user can be changed using chage command.

[root@urclouds ~]# chage urclouds
Changing the aging information for urclouds
Enter the new value, or press ENTER for the default

        Minimum Password Age [0]: 30
        Maximum Password Age [99999]: 60
        Last Password Change (YYYY-MM-DD) [2019-01-06]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [-1]:
[root@urclouds ~]#

View User’s Password Aging Information

The ‘-l’ option with chage command is used to view the password expiry information of any user.

[root@urclouds ~]# chage -l urclouds
Last password change                                    : Jan 06, 2019
Password expires                                        : Mar 07, 2019
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 30
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
[root@urclouds ~]#

Show Logged on Users

The who command will show you users who are logged on to your system.

[root@urclouds ~]# who

Show Logged on Users with Activity

The w command will show you users who are logged on to your system and what they are doing.

[root@urclouds ~]# w

View Most Recent Login Reports

The lastlog command  reports the most recent login of all users from /var/log/lastlog file.

[root@urclouds ~]# lastlog

View Users Who Are Success to Login

We can use last command to show users who are success to login to your system from /var/log/wtmp file.

[root@urclouds ~]# last

View Users Who Are Fail to Login

We can use lastb command to show users who are fail to login to your system from /var/log/btmp file.

[root@urclouds ~]# lastb

That’s all we have completed Linux user management tutorial.