User Administration

Adding new users

Creating a new user most of the time is done by either running the GUI application User Manager or console application useradd (usually located in /usr/sbin).

The useradd command has the following options:

Option	Description
-b BASE_DIR --base-dir BASE_DIR	Set the default base directory for the system if `-d` dir is not specified. BASE_DIR is concatenated with the account name to define the home directory. If the `-m` option is not used, BASE_DIR must exist. Note: use the `-D` option first.
-c COMMENT --comment COMMENT	Any text string. It is generally a short description of the login, and is currently used as the field for the user’s full name. # useradd -c "Test User #1" test1
-d HOME_DIR --home-dir HOME_DIR	home directory for the new user account. The new user will be created using HOME_DIR as the value for the user’s login directory. The default is to append the LOGIN name to BASE_DIR and use that as the login directory name. The directory HOME_DIR does not have to exist but will not be created if it is missing. # useradd -d /home/testdir test2
-D --defaults	print or save modified default useradd configuration
-e EXPIRE_DATE --expiredate EXPIRE_DATE	set account expiration date to EXPIRE_DATE. The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD. # useradd -e 29-02-2008 test3
-f INACTIVE --inactive INACTIVE	Sets the number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature. The default value is -1.
-g GROUP --gid GROUP	The group name or number of the user’s initial login group. The group name must exist. A group number must refer to an already existing group.
-G GROUP1[,GROUP2,...[,GROUPN]]] --groups GROUP1[,GROUP2,...[,GROUPN]]]	A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening white space. The groups are subject to the same restrictions as the group given with the -g option. The default is for the user to belong only to the initial group.
-k SKEL_DIR --skel SKEL_DIR	Specify an alternative skeleton directory containing initial configuration files and login scripts that should be copied to a new user's home directory. This parameter can only be used in conjunction with the `-m` option.
-m --create-home	The user’s home directory will be created if it does not exist. The files contained in SKEL_DIR will be copied to the home directory if the `-k` option is used, otherwise the files contained in `/etc/skel` will be used instead. Any directories contained in SKEL_DIR or `/etc/skel` will be created in the user’s home directory as well. The default is to not create the directory and to not copy any files.
-M	The user’s home directory will not be created, even if the system wide settings from `/etc/login.defs` is to create home dirs.
-n	A group having the same name as the user being added to the system will be created by default. This option will turn off this Red Hat Linux specific behavior. When this option is used, users by default will be placed in whatever group is specified in /etc/default/useradd. If no default group is defined, group 1 will be used.
-o --non-unique	Allow the creation of a user account with a duplicate (non-unique) UID. Use with `-u UID` to create a user account that has the same UID as another user name. This effectively lets you have two different users with authority over the same set of files and directories. # useradd -o -u 0 admin
-r	This flag is used to create a system account. That is, a user with a UID lower than the value of UID_MIN defined in /etc/login.defs and whose password does not expire. Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs. You have to specify -m option if you want a home directory for a system account to be created. This is an option added by Red Hat
-p ENC_PASSWORD --password ENC_PASSWORD	The encrypted password, as returned by crypt(3). The default is to disable the account. Since the password has to be specified in the encrypted form, it's easier to create a user without a password and then define one using the `password` command.
-s SHELL --shell SHELL	The name of the user’s login shell. The default is to leave this field blank, which causes the system to select the default login shell. # useradd -s /bin/zsh test4 If you wish do create a user that cannot login, you can use special nologin shell: # useradd -s /bin/nologin -d /var/www/html webuser
-u UID --uid UID	The numerical value of the user’s ID. This value must be unique, unless the -o option is used. The value must be non-negative. The default is to use the smallest ID value greater than 999 and greater than every other user. Values between 0 and 999 are typically reserved for system accounts.

Once a new user is created, you can set the initial password using the passwd command:

# useradd -c "Test User" billy
# passwd billy
Changing password for user billy.
New UNIX password: *********
Retype new UNIX password: *********
# passwd -n 3 -x 90 -w 5 billy
Adjusting aging data for user billy.
passwd: Success
# passwd -S billy
billy PS 2008-02-20 3 90 5 -1 (Password set, MD5 crypt.)

In creating a new account for Billy, the useradd command performs the following actions:

Reads the /etc/login.defs file to get the default values to use when creating accounts. Note that this file settings can be overwritten by the useradd command:
- useradd -D -b defaut_home
- useradd -D -e default_expire_date
- useradd -D -f default_inactive
- useradd -D -g default_group
- useradd -D -s default_shell
Checks command-line parameters to find out which default values to override.
Creates a new entry in the /etc/passwd and /etc/shadow files based on the default values and command line parameters.
Creates any new group entries in the /etc/group file.
Creates a home directory based on the user's name and places it in the /home directory.
Copies any files located within the /etc/skel directory to the new home direcory.

Modifying user accounts

Sometimes, users need to modify their accounts. This can done via the User Manager window or by means of the usermod command. The usermod is similar to the useradd command and even shares some of the same options. Some of the new options available for the usermod are:

-l option that allows the user to change the login name:
```
# usermod -l jenny -c "Jenny Barnes" mary 
```
-a - adds the user to a supplemental group. Use only with the -G option.
```
# usermod -a -G wheel 
```
-m option supposedly allows to move a directory of existing user to another directory for a new user (in case of renaming the account), but I couldn't make it work. This is not a standard option of the usermod command, it was added by in Red Hat Linux and Fedora.

If would like to change the description (full name) of an account we can use -c option

# usermod -c "New User Name"

or use the chfn command:

$ chfn -f "W.C. Chief" bobby

Additional arguments of this command are:

-f – full name
-o – office
-p – office-phone
-h – home-phone

The difference between the two approaches is that any user can change his/her own description using the chfn command, while he/she has to be a super user to deploy the usermod.

Similarly, anyone can change its own shell by using chsh command:

$ chsh -s /bin/zsh daniel

Deleting user accounts

The userdel command is used to remove an existing user. This command basically has two options:

-f (or --force) – this options forces the system to delete the user, even if the user is currenmtly logged in. This option also removes the home directory of the user and the mail spool. Please note that the directory will be removed even if another user uses the very same directory, and the mail spool will be deleted even if the user is not the owner of it.
-r (or --remove) – files of the user's home directory will be removed together with the mail spool.

Note that this command doesn't remove files that belong to the user but located in other parts of the file system. These files have to be seached for and deleted manually. This search can be performed by find command:

Search for all files (starting at the root directory /) belonging to mary
```
find / -user mary
```
Search for all files owned by mary in the /home directory and remove them:
```
find /home -user mary -exec rm -i {} \;
```
Search everywhere for files owned by mary and change each file so that it is owned by jenny
```
find / -user mary -exec chown jenny {} \;
```

Group management

groupadd

-f This option causes to just exit with success status if the specified group already exists. With -g, if specified GID already exists, other (unique) GID is chosen (i.e. -g is turned off).
-g GID The numerical value of the group’s ID. This value must be unique, unless the -o option is used. The value must be non-negative. The default is to use the smallest ID value greater than 500 and greater than every other group. Values between 0 and 499 are typically reserved for system accounts.
-o This option permits to add group with non-unique GID.
-r This flag instructs groupadd to add a system account. The first available gid lower than 499 will be automatically selected unless the -g option is also given on the command line. This is an option added by Red Hat.

Every group can have administrators, members and a password. The gpasswd command can be used to manage group password and administrator. This command if used with no options and with just one argument (name of a group) sets a pasword for the group.

-A user1[,user2,...] group System administrator can use this option to define group administrator(s)
-M user1[,user2,...] group System administrator can use this option to define group member(s)
-a user group adds a new user to the group. The same result can be achieved with the usermod -G command.
-d user group removes a user from the group
-d group removes the password from the group
-R group this option disables access via a password to the group through newgrp command (however members will still be able to switch to this group).

If password is set the members can still newgrp without a password, non-members must supply the password.

newgrp is used to change the current group ID during a login session. If the optional – flag is given, the user’s environment will be reinitialized as though the user had logged in, otherwise the current environment, including current working directory, remains unchanged.

# groupadd admin
# gpasswd admin
Changing the password for group admin
New Password: ******
Re-enter new password: ****** 
# gpasswd -a daniel admin
Adding user daniel to group admin
# su - daniel
$ whoami
daniel
$ echo test > test1
$ newgrp admin
$ echo test > test2
$ ls -l test?
??????????
$ exit
# su - mary
$ newgrp admin
Password: ******

Please predict the output of the ls command.

groupmod modifies the definition of a group. By definition we mean either the name of group ID (GID). The following options can be used:

-g GID GROUP Specify the new group ID for the GROUP. The numerical value of the GID must be a non-negative decimal integer. This value must be unique, unless the -o option is used. Values between 0 and 999 are typically reserved for system groups. Any files which the old group ID is the file group ID must have the file group ID changed manually.
-n NEW_GROUP GROUP The name of the group will be changed from GROUP to NEW_GROUP name.
-o GROUP When used with the -g option allow to change the group GID to non-unique value.

groupdel command removes a group. Please note that you may not remove the primary group of any existing user. You must remove the user before you remove the group.

Homework assignment

Read about the options of the passwd command/
Find out how to create new users using the User Manager GUI.
Please read about shell command newusers and figure out the correct format of the input file. Create a little test file that would make the newusers command create new users with the following settings:
- User: bob:
  - Password: test567
  - Used ID: 504
  - Group ID: 504
  - Home directory: /home/bob
  - Shell: /bin/bash
- User: mary:
  - Password: mary123
  - Used ID: 505
  - Group ID: 505
  - Home directory: /home/mary
  - Shell: /bin/zsh
Read about the chage command.