User Management in Linux (Red Hat/CentOS)
User management is an important part of Linux (especially Red Hat Enterprise Linux) system administration. Linux users can be administered with the graphical user and group administration tool (GUI) as well as from the Red Hat/CentOS Linux command prompt. I always suggest doing user administration from the command line as much as possible, because in production a GUI will not always be available. Many people who are learning Linux administration do not know all the features of the user administration commands or the user-related files. In this article, I will discuss user administration in the Linux operating system: how to create a user, how to modify a user and how to remove a user. I will also show all the important user-related files that are frequently used to manage users in Red Hat Enterprise Linux.
Type of User in Red Hat Linux
There are three types of user in Red Hat Linux operating system. These are:
- Super User: the super user, root, is created at the time of Red Hat or CentOS Linux installation. The super user has all privileges in the Linux operating system and does all the administration tasks, such as stopping or starting any service, granting or revoking permissions, opening ports (especially the privileged ports below 1024), user management and much more.
- System User: system users such as bin, games, ftp, name, mail, daemon and apache are created by the system. They are service users, required for running different services. System users cannot log into the system because by default their login shell is nologin.
- Regular User: these users are created by the super user. A regular user can log into the system but has access limitations and cannot do administration tasks; if the super user grants permission, a regular user can do the permitted administration tasks. A regular user may be an ftp user, a samba user or a mail user.
How to Add/Create User in Linux
The command used to create a user in Red Hat or CentOS Linux is useradd. The adduser command can also be used to create users in the Linux operating system.
When anyone runs the useradd command at the Red Hat/CentOS Linux command prompt, it performs the following activities on the Linux system.
- It adds a new entry in both /etc/passwd file and /etc/shadow file.
- It also adds a new entry in /etc/group file and /etc/gshadow file.
- A home directory is created in /home directory for the new user.
- Permissions and ownership are also set on the home directory by this command.
The basic structure or syntax of useradd command is:
useradd [options] username
The username is the login name used to log into the Linux system. It must be unique, that is, different from every username that already exists on your system. Many options can also be used with the useradd command; in the following sections I will discuss some useful options that are frequently used with it.
To add a new user to your Linux system, you can generally run the useradd command without any option, as in the example below.
Where systemzone is the login name that will be used to log into the system. To log into the Linux system successfully, the user must also have a password; otherwise the user cannot log in and the account will remain in a locked state.
Set/Reset User Password
To set a password for the newly created user, or to reset the password of any existing user, another command named passwd is used.
[root@localhost ~]# passwd systemzone
Changing password for user systemzone.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
What Happens with the useradd Command
Five major things or events happen on your Linux system when any user is created with the useradd command.
Event 1: A New Entry in /etc/passwd File
The /etc/passwd file is used to store user information. So the useradd command adds a new line to /etc/passwd that contains the user’s primary information; the entry looks like below.
systemzone:x:1002:1002::/home/systemzone:/bin/bash
There are seven fields in this line separated by colons, and every field has its own meaning. Let’s explore the meaning of these seven fields in the table below.
Field No | Field Name | Field Value | Explanation |
--- | --- | --- | --- |
1 | Username | systemzone | This is the username provided while creating the user. It is used to log into the system and must be unique and between 1 and 32 characters long. |
2 | Password | x | An ‘x’ character indicates that the encrypted password is stored in the /etc/shadow file. If ‘*’ is put in place of x, the user cannot log in. If the second field is left blank, the user can log in without a password. |
3 | User ID | 1002 | Every user must have a User Identification Number (UID). UID 0 is reserved for the super user, root. UIDs 1 to 99 are reserved for other predefined user accounts, and UIDs 100 to 999 for system users. Regular users’ UIDs start from 1000; as systemzone is a regular user, its UID is 1002. If the UID of any regular user is changed to 0, that user is treated as a super user on your system. |
4 | Group ID | 1002 | This is the primary Group Identification Number (GID) of the user. Whenever a user is created, a primary group is also created for that user. Every user has its own primary group but may also belong to supplementary groups. |
5 | Comments or User Info | | This is an optional field used only for informational purposes. Usually it contains the full name of the user, but any comment can be put here. This field is used by the finger command. |
6 | Home Directory | /home/systemzone | This is the absolute path of the user’s home directory. If this field is empty, the root directory ‘/’ becomes the user’s home directory. |
7 | User Shell | /bin/bash | This is the absolute path of the user’s command shell. |
Event 2: A New Entry in /etc/shadow File
The useradd command also adds a new line to the /etc/shadow file, which stores user password information. The line looks like below.
systemzone:!!:17432:0:99999:7:::
At this stage, the user is in a locked state. After executing the passwd command followed by the username, the line looks like below.
systemzone:$6$q2P3fAuc$NxDDZlsy2.qeuJgbvpvqbyFTpuuUZ7XEsOb91wr0ZEi/XyCrxhutHggL9b0oNPR7VXm5sEw1DnhGOltULpJj71:17432:0:99999:7:::
There are nine fields in this line separated by colons; the explanation of these fields is shown in the table below.
Field No | Field Name | Field Value | Explanation |
--- | --- | --- | --- |
1 | Username | systemzone | The login name used to log into the system. |
2 | Password | $6$q2P3fAuc$NxDDZlsy2.qeuJgbvpvqbyFTpuuUZ7XEsOb91wr0ZEi/XyCrxhutHggL9b0oNPR7VXm5sEw1DnhGOltULpJj71 | The user’s encrypted (hashed) password. Before the passwd command was executed the value was (!!), which indicates that no password has been provided yet, so the user is in a locked state. After passwd is executed, the provided password is hashed with the configured hashing algorithm, which is SHA512 by default. |
3 | Last change | 17432 | Days since the UNIX epoch (Jan 1, 1970) on which the password was last changed. If the value is set to 0, the user’s password is immediately expired, and the user is forced to change it at the next login. |
4 | Minimum | 0 | Minimum number of days before the password is allowed to be changed again. If this value is 0, the user can change the password as often as he wants. |
5 | Maximum | 99999 | Number of days after which the password must be changed. If a value is assigned, the user is forced to change his password after that many days. If the value is 0, the password will never expire. |
6 | Warn | 7 | Number of days before expiry during which the user is warned that his password must be changed. |
7 | Inactive | | Number of days after password expiration until the account is disabled. Once an account is disabled, it can only be re-enabled by the root user. |
8 | Emergency restriction | | This field is used by the root user as an emergency account restriction. If the value is set to 0, the account is locked until the root user removes the restriction. |
9 | Future use | | This field is reserved for future use. |
By combining the 5th, 6th and 7th fields, the root user can build a password policy under which every user must change his password within the specified maximum number of days, with a warning period beforehand and the account blocked if he fails to change it.
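The following is an added example (not part of the original article) that reads entries in the seven-field /etc/passwd and nine-field /etc/shadow layouts described above and reports the conditions the tables warn about: a second UID 0 account, an empty password field, a locked (!!) account, and passwords that never expire or have already expired. The sample lines and the "today" day number are constructed so the script runs without root.

```shell
#!/bin/sh
# Audit of /etc/passwd and /etc/shadow entries using the seven- and nine-field
# layouts described above. Added example, not from the original article.
# It runs on constructed sample lines so it needs no root; on a live host
# pass "$(cat /etc/passwd)" and, as root, "$(cat /etc/shadow)" instead.

# Constructed /etc/passwd sample (not from a real system).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
systemzone:x:1002:1002::/home/systemzone:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
guest::1003:1003::/home/guest:/bin/bash'

# Constructed /etc/shadow sample; the hash strings are placeholders.
SHADOW_SAMPLE='root:$6$placeholder:17432:0:99999:7:::
systemzone:!!:17432:0:99999:7:::
backdoor:$6$placeholder:17432:0:99999:7:::
guest::17432:0:90:7:::
olduser:$6$placeholder:17000:0:30:7:::'

# passwd_findings TEXT: one line per problem found in passwd-format lines.
#   uid0       - an account other than root with UID 0 (field 3), i.e. a second superuser
#   nopass     - empty field 2, which the table above notes allows login without a password
#   loginshell - a system-range UID (below 1000) that still has an interactive shell
passwd_findings() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { print "malformed " $0; next }
        $3 == 0 && $1 != "root" { print "uid0 " $1; next }
        $2 == "" { print "nopass " $1; next }
        $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print "loginshell " $1 }
    '
}

# shadow_findings TEXT TODAY: checks on the nine shadow fields, evaluated at
# day number TODAY (days since 1970-01-01, the same unit as field 3).
#   locked   - field 2 starts with "!": no usable password has been set
#   nopass   - empty field 2
#   noexpiry - field 5 is 99999, so the password never has to be changed
#   expired  - last change (field 3) + maximum days (field 5) lies before TODAY
shadow_findings() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF != 9 { print "malformed " $0; next }
        $2 == "" { print "nopass " $1; next }
        $2 ~ /^!/ { print "locked " $1; next }
        $5 == 99999 { print "noexpiry " $1; next }
        $5 > 0 && ($3 + $5) < today + 0 { print "expired " $1 }
    '
}

# Demo on the constructed data; 17500 stands in for "today" so the output is
# reproducible. On a live system use: today=$(( $(date +%s) / 86400 ))
echo "== passwd findings =="
passwd_findings "$PASSWD_SAMPLE"
echo "== shadow findings =="
shadow_findings "$SHADOW_SAMPLE" 17500
```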
Event 3: A New Entry in /etc/group File
When a user is created with the useradd command, a user private group is also created and its entry goes into the /etc/group file. The entry looks like below.
systemzone:x:1002:
There are four fields in this line separated by colons. Let’s see the explanation of these fields in the table below.
Field No | Field Name | Field Value | Explanation |
--- | --- | --- | --- |
1 | Group Name | systemzone | This is the name of the user’s private group, which is the same as the username. |
2 | Group Password | x | A group password can be assigned with the gpasswd command. Here ‘x’ indicates that the password is stored in the /etc/gshadow file. By default no password is assigned to the group by the useradd command. |
3 | GID | 1002 | This is the group ID, and here it is the same as the UID. |
4 | Group Members | | This field lists the members of this group other than the user itself, who is already a member of the group. |
Event 4: A New Entry in /etc/gshadow File
When a user is created with the useradd command, a new line is also added to the /etc/gshadow file. The line looks like below.
systemzone:!::
This line also contains four fields separated by colons. The explanation of these fields is given in the table below.
Field No | Field Name | Field Value | Explanation |
--- | --- | --- | --- |
1 | Group name | systemzone | This is the corresponding group name of the user. |
2 | Password | ! | This field contains the group password, which is assigned with the gpasswd command. If no password is given to the group, it shows ‘!’ in this file. If the /etc/gshadow file is deleted, this encrypted password is moved to the second field of the /etc/group file. |
3 | Group Administrators | | This field contains the list of administrators of this group. By default it is blank, which means that only the user having the same name as the group is the administrator of this group. |
4 | Group Members | | The names of the group members are listed in this field. By default it is blank. |
Event 5: User Home Directory
A directory named after the username is created under the home directory, and all of the user’s files are stored there. A user is only allowed to access his own home directory. Generally, the home directory of Red Hat Linux or CentOS Linux is /home. But the default home directory path for users can be changed by editing the /etc/default/useradd file, which I will show you later in this article, or by using a special option with the useradd command.
Two More User Administration Files
There are two more user administration files that are very important while managing users in Red Hat or CentOS Linux operating system. These files are:
- /etc/login.defs file
- /etc/default/useradd file
Understanding /etc/login.defs file
In Red Hat Linux or CentOS Linux, the file /etc/login.defs stores the default user password policy as well as other user-related settings. When a user is created with the useradd command, the default configuration is loaded from this file and applied to the new user. Only the root user can edit this file.
The property values that the useradd command loads from this file are described in the table below.
Property Name | Default Value | Explanation |
--- | --- | --- |
MAIL_DIR | /var/spool/mail | The directory path where users’ mail is stored. |
PASS_MAX_DAYS | 99999 | Maximum number of days a password remains valid. |
PASS_MIN_DAYS | 0 | Minimum number of days allowed between password changes. |
PASS_MIN_LEN | 5 | Minimum length of a password, in characters. |
PASS_WARN_AGE | 7 | How many days before expiry the password expiration warning is shown. |
UID_MIN | 1000 | Minimum value for automatic user ID selection. |
UID_MAX | 60000 | Maximum value for automatic user ID selection. |
SYS_UID_MIN | 201 | Minimum automatic UID for system users. |
SYS_UID_MAX | 999 | Maximum automatic UID for system users. |
GID_MIN | 1000 | Minimum value for automatic group ID selection. |
GID_MAX | 60000 | Maximum value for automatic group ID selection. |
SYS_GID_MIN | 201 | Minimum GID for system accounts. |
SYS_GID_MAX | 999 | Maximum GID for system accounts. |
CREATE_HOME | yes | Tells the useradd command whether it should create a home directory for the user. |
ENCRYPT_METHOD | SHA512 | Password encryption (hashing) method for any user. |
USERGROUPS_ENAB | yes | Enables userdel to remove the user’s group if it has no other members. |
UMASK | 077 | Default umask, i.e. permission mask, for new users. If not specified, the permission mask is initialized to 022. |
If these values are changed in the /etc/login.defs file, the new values apply to users subsequently created by the useradd command.
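As an added example (not from the original article), the script below parses a constructed /etc/login.defs excerpt containing the stock values from the table and flags the settings that miss a stricter policy; the thresholds (365 days, 8 characters) are assumptions chosen for illustration, and a second, hardened excerpt shows values that pass.

```shell
#!/bin/sh
# Policy check for the /etc/login.defs keys listed in the table above.
# Added example, not from the original article. The thresholds below are
# assumptions for illustration, not values taken from the page or from RHEL.

# Constructed login.defs excerpt with the stock defaults from the table.
LOGIN_DEFS_SAMPLE='# comment lines and blank lines are ignored by the parser
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
ENCRYPT_METHOD  SHA512
UMASK           077'

# Constructed hardened excerpt: shorter password lifetime, longer minimum length.
LOGIN_DEFS_HARDENED='PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    12
PASS_WARN_AGE   14
ENCRYPT_METHOD  SHA512
UMASK           077'

# logindefs_get TEXT KEY -> value of KEY; the last definition wins, and
# comment lines or lines without a value are skipped.
logindefs_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == key { val = $2 }
        END { print val }'
}

# logindefs_findings TEXT -> one line per setting that misses the assumed policy.
# A key that is absent falls back to the default the table gives for it.
logindefs_findings() {
    text=$1
    v=$(logindefs_get "$text" PASS_MAX_DAYS)
    [ "${v:-99999}" -le 365 ] || echo "PASS_MAX_DAYS=$v exceeds 365"
    v=$(logindefs_get "$text" PASS_MIN_LEN)
    [ "${v:-5}" -ge 8 ] || echo "PASS_MIN_LEN=$v below 8"
    v=$(logindefs_get "$text" ENCRYPT_METHOD)
    [ "${v:-SHA512}" = SHA512 ] || echo "ENCRYPT_METHOD=$v is not SHA512"
    v=$(logindefs_get "$text" UMASK)
    [ "${v:-077}" = 077 ] || echo "UMASK=$v is not 077"
}

# Demo on the constructed excerpts; on a live host pass "$(cat /etc/login.defs)".
echo "== stock values =="
logindefs_findings "$LOGIN_DEFS_SAMPLE"
echo "== hardened values =="
logindefs_findings "$LOGIN_DEFS_HARDENED"
```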
Understanding /etc/default/useradd File
When the useradd command is executed, it takes some user property values, such as where the user’s home directory will be created and what the user’s shell should be, from the /etc/default/useradd file. This file looks like below.
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
The explanation of these property values is shown in the table below.
Property Name | Default Value | Explanation |
--- | --- | --- |
GROUP | 100 | Maximum number of groups of which a user can be a member. |
HOME | /home | Default directory under which the home directory of any new user is created. |
INACTIVE | -1 | How many days after account creation the account remains inactive. The default value ‘-1’ indicates the account is never inactive. |
EXPIRE | | Account expiration date, in YYYY-MM-DD format. |
SHELL | /bin/bash | Default login shell for new users. |
SKEL | /etc/skel | The files kept in this directory are copied to the user’s home directory at the time of user creation. |
CREATE_MAIL_SPOOL | yes | This option ensures that every new user gets a mail spool named after the username in the /var/mail directory, where the user’s mail is stored. |
By editing these property values, you can define user’s default configuration while creating a new user according to your organization’s requirements.
Understanding /etc/skel Directory
The /etc/skel directory serves as a skeleton for users’ home directories. Any file kept in this directory is automatically copied into the user’s home directory when a new user is created with the useradd command, so a system administrator can use it to give default files to every new user. By default this directory contains three hidden files.
- .bash_logout
- .bash_profile
- .bashrc
So the home directory of any new user will contain these three files.
The useradd Command Options
Now we will see some useful useradd command options that are frequently used for user administration in Red Hat Linux.
Create User with Different Home Directory
According to the default configuration, the user’s home directory is created under /home, but you can change it while creating a new user with the useradd command. The home directory is set with the ‘-d’ option. For example, creating a user named systemzone with ‘-d /var/ftp’ makes /var/ftp that user’s home directory.
Create User without Home Directory
Sometimes you may need to create a user without a home directory. If you use the ‘-M’ option with the useradd command, no specific home directory is created for the user. In this situation, the home directory of this user will be the previously logged-in user’s home directory.
Create User with Specific UID
A user ID is assigned automatically when a user is created with the useradd command, but it can also be specified explicitly with the ‘-u’ option. For example, creating a user named systemzone with ‘-u 1050’ gives that user UID 1050.
When specifying a UID, take care that it is unique, that is, different from every user ID that already exists on the system.
Create User with Specific Group ID
Similarly, a GID is assigned automatically when a user is created with the useradd command, but it can be assigned manually with the ‘-g’ option. For example, creating a user named systemzone with ‘-u 1050’ and ‘-g 1050’ gives that user UID 1050 and GID 1050.
Here too, take care that the GID is unique, that is, different from every group ID that already exists on your system.
Add User to Multiple Groups
By default, a user is added only to its own group. But you can add a user to multiple groups while creating it with the useradd command, using the ‘-G’ option. For example, creating a user named systemzone with the ‘-G’ option listing admins and developers adds the user to the admins and developers groups.
Create User without Group
By default, a private group named after the username is created for every new user. If you need to create a user without such a group, you may use the ‘-N’ option, which creates the user without a user private group.
Create User with Account Expiry Date
Sometimes you may need to create a temporary account. In this situation, you have to create the account with an expiry date. By default, the useradd command creates a user that never expires; the ‘-e’ option of useradd creates a user with an expiry date.
The date format for this option is YYYY-MM-DD. You can show the aging information of the user account with the chage command, like below.
[root@iin /]# chage -l systemzone
Last password change : Sep 26, 2017
Password expires : never
Password inactive : never
Account expires : Sep 29, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Add User with Custom Comments
By default the useradd command leaves the comment field blank if nothing is specified. The ‘-c’ option allows you to add custom comments such as the full name, phone number etc. to the /etc/passwd file. For example, to record the user’s full name while creating the user, pass it with the ‘-c’ option, as in the following command.
Where Md. Abu Sayeed is the full name of this user.
Change User’s Login Shell
Sometimes you may need to change the user’s default login shell, which is /bin/bash. The ‘-s’ option lets you set a different login shell. For example, creating a user named systemzone with ‘-s’ and the tcsh shell gives that user tcsh as default shell.
Again, if you need to create a user that has no login shell, you may give /sbin/nologin or /bin/false as the shell, like the example below.
Create User with Custom Skel
The default skel directory for any user is /etc/skel, but sometimes you may need a different skel directory for a group of special users. The ‘-k’ option allows you to create a user with a custom skel directory. For example, creating a user with ‘-k /etc/custom.skel’ gives that user the skel files from the /etc/custom.skel directory.
Create Multiple Users with Single Command
You can create multiple users with a single command line by chaining several useradd commands with the AND (&&) operator. For example, the following command adds two users in one line.
Create User and Set Password with Single Command
By combining the useradd and passwd commands with the AND (&&) operator, the user can be created and its password set at the same time.
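The options discussed above (‘-M’, ‘-s’, ‘-u’, ‘-e’, ‘-G’ and ‘-c’) come together in the following added example, which is not from the original article: a small wrapper that validates the username length, the YYYY-MM-DD expiry date and UID uniqueness before calling useradd for a time-limited account with no login shell. The user name vendor01, the uniqueness check against a constructed /etc/passwd sample and the DRY_RUN switch, which prints the command instead of running it so the script works without root, are all assumptions of this example.

```shell
#!/bin/sh
# Validated wrapper around the useradd options discussed above. Added example,
# not from the original article. With DRY_RUN=1 the useradd command is printed
# instead of executed, so it can be tried without root.

# Constructed /etc/passwd sample used only to check UID uniqueness offline;
# on a real host pass "$(cat /etc/passwd)" instead.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
systemzone:x:1002:1002::/home/systemzone:/bin/bash'

# run CMD...: print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# uid_in_use PASSWD_TEXT UID -> status 0 if some entry already has that UID
# (field 3), which the article says must never be reused.
uid_in_use() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }'
}

# valid_username NAME: 1 to 32 characters, portable character set.
valid_username() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] &&
        printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# valid_date DATE: the YYYY-MM-DD form the -e option expects.
valid_date() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$'
}

# add_temp_account PASSWD_TEXT NAME UID EXPIRY GROUPS COMMENT
# Creates an account that expires on EXPIRY (-e), cannot log in interactively
# (-s /sbin/nologin), gets no home directory (-M), has a fixed UID (-u),
# supplementary groups (-G) and a descriptive comment (-c).
add_temp_account() {
    passwd_text=$1; name=$2; uid=$3; expiry=$4; groups=$5; comment=$6
    valid_username "$name" || { echo "bad username: $name" >&2; return 1; }
    valid_date "$expiry" || { echo "bad expiry date: $expiry" >&2; return 1; }
    uid_in_use "$passwd_text" "$uid" && { echo "UID $uid already in use" >&2; return 1; }
    run useradd -M -s /sbin/nologin -u "$uid" -e "$expiry" -G "$groups" -c "$comment" "$name"
}

# Demo: dry run with constructed values (vendor01 is a hypothetical account).
DRY_RUN=1 add_temp_account "$PASSWD_SAMPLE" vendor01 1050 2017-09-29 developers "Vendor account"
```

Unset DRY_RUN and run as root to actually create the account; the validation steps stay the same.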
How to Edit/Modify User in Linux
The usermod command is used to modify any user’s properties. The basic structure of usermod command is:
usermod [options] username
Where username is the login name used to log into the system, and the options modify different properties of the user. The options we used with the useradd command while creating a user can be used in the same way with the usermod command to modify the user’s properties. I am showing the usage of these options briefly here.
Change User Login Name
The ‘-l’ option is used to change the username (login name) of any user.
Where david is the old name and jhon is the new name, so david will be replaced with jhon.
Modify User Comment
The ‘-c’ option is used to modify the user comment, such as the user’s full name or any notes, in the /etc/passwd file.
Modify User Home Directory
A user’s home directory can be changed using the ‘-d’ option with the usermod command.
Modify User Default Shell
To modify a user’s default shell, the ‘-s’ option is used with the usermod command.
Modify User Account Expiration Date
The account expiration date of any user can be changed using the ‘-e’ option with the usermod command.
User Lock and Unlock
The ‘-L’ option with the usermod command locks a user immediately, so the user cannot log in with his login credentials.
Similarly, a locked user can be unlocked using the ‘-U’ option with the usermod command.
Assign Single User to Multiple Groups
The ‘-G’ option with the usermod command can be used to assign a user to multiple groups.
How to Remove User in Linux
The userdel command is used to delete any user in the Linux operating system. The basic structure of the userdel command is:
userdel [options] username
Where username is the login name of the user. The userdel command also accepts options to perform special tasks.
Delete Specific User Leaving Home Directory
If you use the userdel command without any option, the user will be deleted but the home directory will remain on your system.
Delete User with Home Directory
The ‘-r’ option with the userdel command deletes the user together with his home directory.
Remove User Forcibly
The ‘-f’ option with the userdel command deletes the user even if the user is logged into the system, and also removes the user’s home directory.
User Administration Miscellaneous
Lastly, we will show some other user-related commands that are also used to manage users on a Red Hat Linux system.
Get User UID and GID
The id command is used to find out the UID and GID of a specific user.
[root@localhost ~]# id sayeed
uid=1000(sayeed) gid=1000(sayeed) groups=1000(sayeed)
This command shows the user’s UID and group IDs. If no username is provided, the UID and GID of the currently logged-in user are shown.
Change User’s Password Aging Information
The password expiry information of any user can be changed using the chage command.
[root@localhost ~]# chage sayeed
Changing the aging information for sayeed
Enter the new value, or press ENTER for the default
Minimum Password Age [0]:
Maximum Password Age [99999]:
Last Password Change (YYYY-MM-DD) [2017-05-08]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [-1]:
Provide these values according to your requirements.
View User’s Password Aging Information
The ‘-l’ option with the chage command is used to view the password expiry information of any user.
[root@localhost ~]# chage -l sayeed
Last password change : May 08, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Show Logged on Users
The who command will show users who are logged on to your system.
Show Logged on Users with Activity
The w command will show users who are logged on to your system and what they are doing.
View Most Recent Login Reports
The lastlog command reports the most recent login of all users from /var/log/lastlog file.
View Successful Logins
The last command shows the users who have logged into your system successfully, from the /var/log/wtmp file.
View Failed Logins
The lastb command shows the users who have failed to log into your system, from the /var/log/btmp file.
Linux user administration, such as how to add, edit and delete users, has been discussed in this article in detail. I hope you are now able to manage your Linux users according to your requirements. However, if you face any problem managing your Red Hat Linux users, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to help you.