Manage Users and Groups on Linux

If you are a Linux system administrator, one of the more important things to learn is how to manage users and groups on Linux systems.

This guide describes how to add, delete and modify users and groups on CentOS 6 Linux (the same applies to other Linux distributions) from the command line (CLI).

The following guide was tested on a fresh fully updated CentOS 6.5 64bit minimal install.

Manage Users and Groups on CentOS 6

Let’s start our Manage Users and Groups on Linux Guide!

1. Adding New Users

There are two commands available for adding a new user to our Linux system: “useradd” and “adduser”. The difference is that “useradd” is a native binary that comes with the system, while “adduser” is a Perl script which uses the “useradd” binary. “adduser” is more user friendly than “useradd” (though on CentOS it seems completely the same), but in the end you can use both to achieve the same result. Let’s try the “adduser” command first. Please note we are running all commands as user root or with sudo privileges!

Adduser

Run the command “adduser username” to create a new user account as follows:

[root@centos1 ~]# adduser geekpeek

If you want to manually specify a home directory for the user, run the command with the “-d” parameter. The home directory will be created if it does not exist:

[root@centos1 ~]# adduser -d /homedir geekpeek

Set the password for the newly created user “geekpeek”. Without a password, the newly created user will not be able to log in via SSH (default SSH security restrictions):

[root@centos1 ~]# passwd geekpeek
Changing password for user geekpeek.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Check to confirm that the home directory for user “geekpeek” was created:

[root@centos1 ~]# ll /home/
total 4
drwx------ 2 geekpeek geekpeek 4096 May 27 10:10 geekpeek

That’s great. The newly created user can now connect to our Linux system via SSH, but sometimes we want to force the user to change the password on first login. We can do this by issuing the following command:

[root@centos1 ~]# chage -d 0 geekpeek

We can now provide the user with the details about his account and remind him he is forced to change his password on first login.

Useradd

As in the previous “adduser” example, run the command “useradd username” to create a new user account:

[root@centos1 ~]# useradd geekpeek

If you want to manually specify a home directory for the user, run the command with the “-d” parameter. The home directory will be created if it does not exist:

[root@centos1 ~]# useradd -d /homedir geekpeek

Set a password for the user to enable him to log in via SSH:

[root@centos1 ~]# passwd geekpeek
Changing password for user geekpeek.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Confirm the user’s home directory was created:

[root@centos1 ~]# ll /home/
total 4
drwx------ 2 geekpeek geekpeek 4096 May 27 10:20 geekpeek

..and force password change (if desired) on first login:

[root@centos1 ~]# chage -d 0 geekpeek

We can now provide the user with the details about his account and remind him he is forced to change his password on first login. So now we are one step closer to learning how to manage users and groups on Linux systems. Let’s continue…

NOTE: When adding a new user, a group with the same name is automatically created!

ADDUSER & USERADD HELP:

[root@centos1 ~]# adduser --help
Usage: useradd [options] LOGIN

Options:
  -b, --base-dir BASE_DIR       base directory for the home directory of the
                                new account
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new
                                account
  -G, --groups GROUPS           list of supplementary groups of the new
                                account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -l, --no-log-init             do not add the user to the lastlog and
                                faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as
                                the user
  -o, --non-unique              allow to create users with duplicate
                                (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping

2. Adding New Groups

There are two commands available to add a new group in some distributions, but not in CentOS! In CentOS we can only use the command “groupadd” to add a new group to our Linux system.

Run the command “groupadd groupname” to create a new group:

[root@centos1 ~]# groupadd testing

We can check and confirm the group was successfully created by looking into the /etc/group file:

[root@centos1 ~]# grep testing /etc/group
testing:x:501:

Great, the new group was successfully created with group ID 501. Let’s create another group called “admin” for the following examples:

[root@centos1 ~]# groupadd admin
[root@centos1 ~]# grep admin /etc/group
admin:x:502:

Great

GROUPADD HELP:

[root@centos1 ~]# groupadd --help
Usage: groupadd [options] GROUP

Options:
  -f, --force                   exit successfully if the group already exists,
                                and cancel -g if the GID is already used
  -g, --gid GID                 use GID for the new group
  -h, --help                    display this help message and exit
  -K, --key KEY=VALUE           override /etc/login.defs defaults
  -o, --non-unique              allow to create groups with duplicate
                                (non-unique) GID
  -p, --password PASSWORD       use this encrypted password for the new group
  -r, --system                  create a system account

3. Modifying Users

There are many scenarios in which we are forced to modify an existing user. We will not go through all of the use cases, but the syntax is always the same: “usermod [options] username” – you can get all information by running “usermod --help”. In the following example we will re-configure user “geekpeek” and change his primary and secondary groups.

First use the “id username” command to see the existing user configuration:

[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek)

As we see, user “geekpeek” has user ID 500 and his primary group is “geekpeek” with group ID 500. This user is only a member of the “geekpeek” group. Let’s add user “geekpeek” to the previously created group “testing”:

[root@centos1 ~]# usermod -G testing geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek),501(testing)

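As we can see, the “-G” parameter added user “geekpeek” to the supplementary group “testing”. Note that “-G” sets the complete list of supplementary groups: as the “-a, --append” entry in the help output below explains, running it without “-a” removes the user from any supplementary group that is not listed. Now this user is a member of two groups, primary “geekpeek” and secondary “testing”. Let’s try to change this user’s primary group with the following command: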

[root@centos1 ~]# usermod -g admin geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=502(admin) groups=502(admin),501(testing)

Voila, the parameter “-g” changes the user’s primary group. We can also change the user’s user ID:

[root@centos1 ~]# usermod -u 505 geekpeek
[root@centos1 ~]# id geekpeek
uid=505(geekpeek) gid=502(admin) groups=502(admin),501(testing)

Let’s return user “geekpeek” to the state it was in before we started playing around with it:

[root@centos1 ~]# usermod -u 500 geekpeek
[root@centos1 ~]# usermod -g geekpeek geekpeek
[root@centos1 ~]# usermod -G geekpeek geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek)

NOTE: We can use numeric user or group IDs or human-friendly user and group names to change and modify users.

USERMOD HELP:

[root@centos1 ~]# usermod --help
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user            new SELinux user mapping for the user account

4. Modifying Groups

Modifying groups is very similar to modifying users. We can modify groups with the command “groupmod” and the syntax is “groupmod [options] groupname” – you can get all information by running “groupmod --help”. In the following example we will change the group name and group ID for the previously created group “testing”.

Let’s see the current configuration for group “testing”:

[root@centos1 ~]# grep testing /etc/group
testing:x:501:geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek),501(testing)

Let’s change the group name to “testgroup” with the following command:

[root@centos1 ~]# groupmod -n testgroup testing

..and check if we succeeded:

[root@centos1 ~]# grep testgroup /etc/group
testgroup:x:501:geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek),501(testgroup)

We can see that the secondary group name of user “geekpeek” changed. What will happen when we change the group ID by issuing the following command?

[root@centos1 ~]# groupmod -g 505 testgroup

Let’s see the current situation:

[root@centos1 ~]# grep testgroup /etc/group
testgroup:x:505:geekpeek
[root@centos1 ~]# id geekpeek
uid=500(geekpeek) gid=500(geekpeek) groups=500(geekpeek),505(testgroup)

..again everything was changed successfully and no manual action is needed.

GROUPMOD HELP:

[root@centos1 ~]# groupmod --help
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message and exit
  -n, --new-name NEW_GROUP      change the name to NEW_GROUP
  -o, --non-unique              allow to use a duplicate (non-unique) GID
  -p, --password PASSWORD       change the password to this (encrypted)
                                PASSWORD
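
The “-u”, “-g” and “-o, --non-unique” options shown in sections 1 to 4 all change which numeric IDs a name maps to, so it is worth checking the account files for consistency afterwards. The following script is an added example, not part of the original guide: the function names and the sample data are constructed for illustration, and it reports duplicate UIDs and GIDs, extra UID 0 accounts, primary GIDs with no group entry and group members with no passwd entry.

```shell
#!/bin/sh
# Added example, not from the original guide.
# audit_accounts PASSWD_FILE GROUP_FILE
# Prints one finding per line for passwd(5)/group(5)-format files.
audit_accounts() {
    awk -F: '
        FNR == NR {                      # first file: the group database
            if ($3 in gname) print "DUP_GID " $3 " " gname[$3] "," $1
            else gname[$3] = $1
            members[$1] = $4
            next
        }
        {                                # second file: the passwd database
            user[$1] = 1
            if ($3 in uname) print "DUP_UID " $3 " " uname[$3] "," $1
            else uname[$3] = $1
            if ($3 == 0 && $1 != "root") print "UID0 " $1
            if (!($4 in gname)) print "NO_PRIMARY_GROUP " $1 " gid=" $4
        }
        END {                            # members that have no passwd entry
            for (g in members) {
                n = split(members[g], m, ",")
                for (i = 1; i <= n; i++)
                    if (!(m[i] in user)) print "STALE_MEMBER " g " " m[i]
            }
        }
    ' "$2" "$1" | LC_ALL=C sort
}

# Constructed sample data (not taken from a real system).
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
geekpeek:x:500:500::/home/geekpeek:/bin/bash
backup:x:500:502::/home/backup:/bin/bash
svc:x:0:501::/home/svc:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
geekpeek:x:500:
testing:x:501:geekpeek,olduser
EOF
    audit_accounts "$d/passwd" "$d/group"
    rm -rf "$d"
}

demo_audit
```

On a live system, run it as “audit_accounts /etc/passwd /etc/group”; a clean system prints nothing.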

5. Removing Users

We can remove users from our Linux system with the command “userdel”. The correct syntax is “userdel [options] username”. To remove the user’s home directory and mail spool, add the parameter “-r” as an option:

[root@centos1 ~]# userdel -r geekpeek

Check that the home directory and mail spool were removed:

[root@centos1 ~]# ll /var/spool/mail/
total 0
[root@centos1 ~]# ll /home/
total 0

Doing great! Just one more step in our manage users and groups on Linux guide!

USERDEL HELP:

[root@centos1 ~]# userdel --help
Usage: userdel [options] LOGIN

Options:
  -f, --force                   force removal of files,
                                even if not owned by user
  -h, --help                    display this help message and exit
  -r, --remove                  remove home directory and mail spool
  -Z, --selinux-user            remove SELinux user from SELinux user mapping
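
As the help text says, “-r” removes only the home directory and mail spool. Files the account owned elsewhere keep its old numeric UID and would belong to any account later created with that number. The script below is an added example, not part of the original guide: the function names, file names and placeholder IDs are constructed for illustration, and it assumes accounts are stored in local files only and that “stat” supports “-c”.

```shell
#!/bin/sh
# Added example, not from the original guide.
# orphaned_files DIR [PASSWD_FILE] [GROUP_FILE]
# Prints "uid gid path" for everything under DIR whose numeric owner or
# group has no entry in the given files. Assumes accounts live in local
# files only (no LDAP/SSSD) and that stat supports -c (GNU or BusyBox).
orphaned_files() {
    dir=$1
    pw=${2:-/etc/passwd}
    gr=${3:-/etc/group}
    find "$dir" -xdev -exec stat -c '%u %g %n' {} + |
    awk -v pw="$pw" -v gr="$gr" '
        BEGIN {
            while ((getline l < pw) > 0) { split(l, f, ":"); uid[f[3]] = 1 }
            while ((getline l < gr) > 0) { split(l, f, ":"); gid[f[3]] = 1 }
        }
        !($1 in uid) || !($2 in gid)
    '
}

# Constructed demo: the databases list only a placeholder ID, so the file
# below looks as if its owning account had just been deleted.
demo_orphans() {
    t=$(mktemp -d)
    touch "$t/report.csv"
    echo 'placeholder:x:4000000000:4000000000::/:/sbin/nologin' > "$t/passwd"
    echo 'placeholder:x:4000000000:' > "$t/group"
    orphaned_files "$t" "$t/passwd" "$t/group"
    rm -rf "$t"
}

demo_orphans
```

Run against a data directory after “userdel” (for example “orphaned_files /srv”), every line printed is a file to reassign or remove before its UID or GID is reused.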

6. Removing Groups

We remove groups with the “groupdel” command. The syntax is “groupdel groupname” – no parameters are available here:

[root@centos1 ~]# groupdel testgroup
[root@centos1 ~]# groupdel admin

..and we are finished!

As we can see, we can easily manage users and groups from the Linux command line. If you do not remember which parameter to use, you can always check the help, which is very direct and self-explanatory. Hope this post was helpful in learning how to manage users and groups on CentOS 6.