Lab 14: Manage Local User Accounts
Objective Focus
- Manage users and groups
- Create, delete, and modify local user accounts
Official RHCSA EX200 Exam Objectives
Manage users
Managing users is a core admin task. RHEL is a server operating system, so many people and services will need accounts on it, and the sysadmin is responsible for creating those accounts and monitoring how they are used.
$ who
The who command will show us who is logged into the system.
$ last
The last command lists recent logins (read from /var/log/wtmp), most recent first, along with a record of system reboots.
Types of user accounts
RHEL 9 has three common types of user account: the superuser (root, UID 0), regular user accounts (UID 1000 and above by default), and system accounts used by services (UID 1 - 999).
List user and group information
$ id
- Print the real and effective UID and GID of the current user (or of a named user) together with all group memberships
$ groups
- Print the groups a user is in
Important files related to users and groups
Here you will notice most files related to users are in the /etc directory. The /etc directory stores many files related to configuration of the system, so getting familiar with it is critical to sysadmin tasks.
/etc/passwd
$ man 5 passwd
This file contains information about all users on the system.
jose:x:1000:1000:jose:/home/jose:/bin/bash
Fields, colon-separated, left to right: Login Name : Password : UID : GID : Comment : Home Directory : Shell
Login: The username used for logging in.
Password: Normally an “x”, meaning the hash is kept in /etc/shadow. A “*” or “!” here disables password login. A hash placed directly in this field would be world-readable, because /etc/passwd must stay readable by every user.
UID: User Identifier. Root is 0, UIDs 1 - 999 are reserved for system accounts (services), and regular user accounts start at 1000.
GID: Group Identifier of the user’s primary group. By default useradd creates a private group with the same name as the login and, normally, the same number as the UID.
Comment (GECOS): Free-form text that helps identify the user, such as full name, role, office or phone number.
Home Directory: Path to the user’s home directory, the working directory the user lands in after logging in.
Shell: Path to the program started at login, usually /bin/bash; a shell such as /sbin/nologin denies interactive login.
/etc/shadow
This file holds the hashed passwords and password-aging data. Unlike /etc/passwd it is readable only by root (on RHEL it ships with mode 0000), which is why the hashes live here and not in /etc/passwd.
$ man 5 shadow
jose:LQ0D...h2YIV:19964:0:99999:7:::
Fields, colon-separated, left to right: Login Name : Hashed Password : Last Change : Min Days : Max Days : Warn Days : Inactive Days : Account Expiration : Reserved
Login: The username used for logging in. Same as in /etc/passwd.
Hashed Password: The password hash in crypt format ($6$ for SHA-512 on RHEL 9). A leading “!” means the password is locked (passwd -l or usermod -L); “!!” means no password has ever been set; “*” means password login is disabled. An empty field means no password is required to log in, which is almost never what you want.
Last Password Change: Number of days since Jan 1, 1970 (the Unix epoch). A value of 0 forces the user to change the password at the next login. An empty field disables password aging entirely.
Minimum PW age: Number of days after a change before the user may change the password again. Empty or 0 means there is no minimum.
Maximum PW age: Number of days a password stays valid; after that the user must change it at login. 99999 effectively means the password never expires.
PW warning: Number of days before expiry during which the user is warned at login that the password must be changed.
Inactive days (PW Expiration): Number of days after the password has expired during which the user may still log in and change it; once that period passes the account is disabled. Empty means no inactivity period.
Account Expiration: Day (again counted since the epoch) on which the account is disabled regardless of the password. Empty means never.
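Added example (not part of the original lab): a small Python script that parses records in the /etc/passwd and /etc/shadow formats described above and runs the checks an admin makes over them: extra UID-0 accounts, password fields that are not “x”, system accounts (UID below 1000) with a real login shell instead of nologin, missing shadow entries, empty shadow passwords, and password or account expiry computed from the days-since-epoch fields. The records are constructed for the example and the hashes are placeholders; UID_MIN = 1000 is taken from the RHEL login.defs default. On a real host you would feed it the contents of the two files, which for /etc/shadow requires root.

```python
"""Parse and audit /etc/passwd and /etc/shadow records (added example, not from the lab)."""
from collections import namedtuple
from datetime import date
from typing import List, Optional, Tuple

UID_MIN = 1000              # first regular-user UID; RHEL login.defs default
EPOCH = date(1970, 1, 1)    # shadow date fields count days from here
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

Passwd = namedtuple("Passwd", "name password uid gid gecos home shell")
Shadow = namedtuple("Shadow", "name password last_change min_days max_days warn_days inactive expire")

def _opt_int(field: str) -> Optional[int]:
    return int(field) if field != "" else None      # empty shadow field means "unset"

def parse_passwd_line(line: str) -> Passwd:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"expected 7 colon-separated fields: {line!r}")
    return Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])

def parse_shadow_line(line: str) -> Shadow:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:                                  # 9th field is reserved and ignored
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    return Shadow(f[0], f[1], *(_opt_int(x) for x in f[2:8]))

def password_state(hash_field: str) -> str:
    if hash_field == "":
        return "empty"      # no password required at all (if PAM allows nullok)
    if hash_field.startswith(("!", "*")):
        return "locked"     # "!" = locked with passwd -l; "!!" / "*" = password login disabled
    return "set"

def aging_state(s: Shadow, today: date) -> str:
    if s.last_change is None:
        return "disabled"           # empty field: password aging switched off
    if s.last_change == 0:
        return "must-change"        # forced change at next login
    if s.max_days is None or s.max_days >= 99999:
        return "ok"                 # 99999 is the conventional "never expires"
    age = (today - EPOCH).days - s.last_change
    if age > s.max_days:
        return "expired"
    if s.warn_days is not None and s.max_days - age <= s.warn_days:
        return "warn"
    return "ok"

def _records(text: str, parser):
    return [parser(l) for l in text.splitlines() if l.strip()]

def audit(passwd_text: str, shadow_text: str, today: date) -> List[Tuple[str, str]]:
    """Return (login, problem) pairs for the conditions an admin checks for."""
    shadow = {s.name: s for s in _records(shadow_text, parse_shadow_line)}
    findings = []
    for u in _records(passwd_text, parse_passwd_line):
        if u.uid == 0 and u.name != "root":
            findings.append((u.name, "extra UID 0 account"))
        if u.password != "x":
            findings.append((u.name, "password field in /etc/passwd is not 'x'"))
        if 0 < u.uid < UID_MIN and u.shell not in NOLOGIN:
            findings.append((u.name, f"system account with login shell {u.shell}"))
        s = shadow.get(u.name)
        if s is None:
            findings.append((u.name, "no /etc/shadow entry"))
            continue
        if password_state(s.password) == "empty":
            findings.append((u.name, "empty password in /etc/shadow"))
        if aging_state(s, today) == "expired":
            findings.append((u.name, "password expired"))
        if s.expire is not None and (today - EPOCH).days >= s.expire:
            findings.append((u.name, "account expired"))
    return findings

# Constructed sample records; the hashes are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
svc:x:500:500:legacy service:/var/lib/svc:/bin/bash
jose:x:1000:1000:jose:/home/jose:/bin/bash
newhire:x:1001:1001:New Hire:/home/newhire:/bin/bash
guest::1002:1002:guest:/home/guest:/bin/bash
backup:x:0:0:backup helper:/root:/bin/bash
tmpuser:x:1003:1003::/home/tmpuser:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:19964:0:99999:7:::
sshd:!!:::::::
svc:$6$constructed$notarealhash:19910:0:60:7:14::
jose:$6$constructed$notarealhash:19964:0:99999:7:::
newhire:$6$constructed$notarealhash:0:0:99999:7:::
guest::19964:0:99999:7:::
backup:$6$constructed$notarealhash:19700:0:90:7::19950:
"""
TODAY = date(2024, 9, 1)    # 19967 days after the epoch

if __name__ == "__main__":
    for login, problem in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, TODAY):
        print(f"{login:10} {problem}")
```

Run it with python3 and it prints one line per finding. For a single user on a live system, chage -l USER shows the same aging fields in readable form; the script is useful when you want to sweep every account at once.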
/etc/login.defs
$ man 5 login.defs
This file contains default settings used by several user-related commands (useradd, groupadd, passwd, login). In the man page, an important section to review is “CROSS REFERENCES”, which lists which commands consult this file and which variables each one reads.
Search the following lines in the file.
Lines of interest:
- UMASK
- Password aging controls (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE)
- Min/max values for automatic uid selection in useradd (UID_MIN, UID_MAX, SYS_UID_MIN, SYS_UID_MAX)
- Min/max values for automatic gid selection in groupadd (GID_MIN, GID_MAX, SYS_GID_MIN, SYS_GID_MAX)
/etc/skel
The /etc/skel directory serves as a template for the home directories of newly created users. When a new user account is created with a home directory, the contents of /etc/skel are copied into the user’s new home directory, so anything placed there (a .bashrc, a .ssh directory) is inherited by every future user.
User Related Commands
$ useradd learner2
- Add a new user, with a home directory populated from /etc/skel and a private group of the same name
$ passwd learner2
- Set or change the user’s password (root can set any user’s password; a user can change only their own)
$ usermod learner2
- Modify an existing user; usermod needs at least one option, for example to change the login shell, lock the account or add supplementary groups
$ userdel learner2
- Delete an existing user account (add -r to remove the home directory and mail spool as well)
/sbin/nologin
In /etc/passwd you will see accounts whose shell is /sbin/nologin. These are system (service) accounts that must never log in interactively: the program prints a refusal message and exits. The same shell can be assigned to a regular user with usermod (the -s option) to disable interactive login without deleting the account.
$ grep -i nologin /etc/passwd
More on User Permissions
The special file permissions are setuid, setgid and the sticky bit. We cover setuid here and the other two in the groups-related objective.
When an executable has the setuid bit, the process runs with the effective user ID of the file’s owner rather than of the user who launched it. Binaries such as umount are owned by root and carry setuid, so an unprivileged user who runs them gets root’s privileges inside that process. Every setuid-root binary is therefore a potential privilege-escalation path: know which ones exist on the system and why.
On Linux the setuid bit has no effect on directories.
$ ls -l /usr/bin/umount
-rwsr-xr-x. 1 root root 36296 Feb 8 2024 /usr/bin/umount
- The setuid permission is shown as an “s” in the owner execute position. It appears as a capital “S” when the setuid bit is set but the owner execute bit is not, in which case the bit is present but cannot take effect.
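Added example (not part of the original lab): a Python script that renders the permission string ls -l prints from a numeric mode, including the “s” versus “S” rule above, and walks a directory tree for setuid files the way find / -perm -4000 -type f does. The scratch files it scans are constructed in a temporary directory; on a real system you would point find_setuid at / and compare the result with what the package manager expects (rpm -V reports mode changes on packaged files).

```python
"""Render permission strings and find setuid files (added example, not from the lab)."""
import os
import stat
import tempfile
from typing import List

# (read bit, write bit, execute bit, special bit, letter shown in the execute slot)
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),   # owner: setuid
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),   # group: setgid
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),   # other: sticky
)

def render_mode(mode: int) -> str:
    """Return the 9-character permission string that ls -l prints for `mode`.

    The execute slot shows "s"/"t" when the special bit and the execute bit are
    both set, and a capital "S"/"T" when the special bit is set without execute,
    meaning the bit is present but can never take effect.
    """
    out = []
    for r, w, x, special, letter in _TRIPLETS:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)

def is_setuid(mode: int) -> bool:
    """True when the setuid bit is set AND owner-execute is set (it can take effect)."""
    return bool(mode & stat.S_ISUID) and bool(mode & stat.S_IXUSR)

def find_setuid(root: str) -> List[str]:
    """Regular files under `root` with the setuid bit, like find ROOT -perm -4000 -type f."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                     # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def describe(path: str) -> str:
    """One ls -l style line: file type, permissions, owner uid, path."""
    st = os.lstat(path)
    kind = "d" if stat.S_ISDIR(st.st_mode) else "l" if stat.S_ISLNK(st.st_mode) else "-"
    return f"{kind}{render_mode(st.st_mode)} uid={st.st_uid} {path}"

def demo() -> List[str]:
    """Build a scratch tree with one effective and one ineffective setuid file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "helper")        # setuid + execute: -rwsr-xr-x
        bad = os.path.join(root, "broken")         # setuid without execute: -rwSr--r--
        for p in (good, bad):
            open(p, "w").close()
        os.chmod(good, 0o4755)
        os.chmod(bad, 0o4644)
        return [describe(p) for p in find_setuid(root)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

find_setuid deliberately reports the capital-S case too, exactly as find -perm -4000 does: a stray setuid bit on a non-executable file is still worth noticing, because one chmod +x later it becomes live.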
That is all for this objective!