User Management in Linux (Red Hat/CentOS)

User management is an important part of Linux (especially Red Hat Enterprise Linux) system administration. Linux users can be administrated using user or group administration GUI (Graphical User Interface) tool as well as through Red Hat/CentOS Linux command prompt. But I will always suggest you to do command line user administration as much as possible because in production GUI will not be provided always. Many people who are learning Linux administration do not know all features of user administration command as well as user related files. In this article, I will discuss all about the user administration in Linux operating system such as how to create user, how to modify user and how to remove user. Besides, I will show all the important user related files that are frequently used to manage users in Red Hat Enterprise Linux operating system.

Type of User in Red Hat Linux

There are three types of user in Red Hat Linux operating system. These are:

  • Super User: usually super user which is root is created at the time of Red Hat or CentOS Linux installation. Super user has all the privileges in Linux operating system. So, Super user does all the administration tasks such as stop or starts any service, grant or revokes permissions, open ports especially less than 1024 ports, user management and much more.
  • System User: system users are created by system such as bin, games, ftp, name, mail, daemon, apache etc. These types of user are different service user and required for running different services. System user cannot login to the system because by default their login shell is nologin.
  • Regular User: these users are created by super user. Regular user can login to the system but has access limitations. Regular user cannot do administration tasks. If super user provides permission, regular user can do permitted administration tasks. A regular user may be an ftp user, a samba user or a mail user.
‫ vim text editor
Linux User Database

How to Add/Create User in Linux

The command that is used to create user in Red Hat or CentOS Linux is useradd. The adduser command is also used to create users in Linux operating system.

When anyone runs useradd command in Red Hat/CentOS Linux command prompt, it performs following activities in Linux system.

  • It adds a new entry in both /etc/passwd file and /etc/shadow file.
  • It also adds a new entry in /etc/group file and /etc/gshadow file.
  • A home directory is created in /home directory for the new user.
  • Permissions and ownership are also set to home directory by this command.

The basic structure or syntax of useradd command is:

useradd [options] username

The username is a login name that is used to login into the Linux system. The username must be unique that means it must be different from other usernames which already exist on your system. A lot of options can also be used with useradd command. At the follwing few sections, I will discuss some useful options that are frequently used with useradd command.

To add a new user in your Linux system, you can generally use useradd command like bellow example without any option.

[root@localhost ~]# useradd systemzone

Where, systemzone is the login name that will be used to login into the system. But to login into Linux system successfully, you must have a password as well. Otherwise the user cannot login into the system and the user will have at lock state.

Set/Reset User Password

To set password for the newly created user or to reset password to any existence user, another command named passwd is used.

[root@localhost ~]# passwd systemzoneChanging password for user systemzone.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

What Happen with useradd Command

Five major things or events will happen in your Linux system while creating any user with useradd command.

Event 1: A New Entry in /etc/passwd File

The /etc/passwd file is used to store user information. So, the useradd command will add a new line in /etc/passwd that will contain user primary information and the entry will be like below.

systemzone:x:1002:1002::/home/systemzone:/bin/bash

There are seven fields in this line separated by colon and every field has its own meaning. Let’s explore the meaning of these seven fields shown in below table.

Field NoField NameField ValueExplanation
1UsernamesystemzoneThis is the username that is provided while creating a user. It is used to login into the system and it should be between 1to 32 characters as well as unique.
2PasswordxAn ‘x’ character indicates that encrypted password is stored in /etc/shadow file.  If we put ‘*’ inplace of x, the user cannot login. If we keep second field blank, the user can login without password.
3User ID1002Every user must have a User Identification Number (UID). Generally, UID = 0 is reserved for the super user that is root. UID 1 to 99 are reserved for other predefined user accounts. Further UID 100 to 999 is reserved for the system users. Regular user’s UID starts from 1000. As systemzone is a regular user here, The UID is showing 1002. If UID of any regular user is changed to 0, the user is considered as a super user in your system.
4Group ID1002This is the primary Group Identification Number (GID) of this user. Whenever a user is created a primary group is also created for that user. Every user has its own primary group but it can also have supplementary groups.
5Comments or User Info This is an optional field and only used for informational purpose. Usually it contains the full name of the user or any user comment can be put. This field is filled by finger command.
6Home Directory/home/systemzoneThis is the absolute path of the user’s home directory. If this field value is not present, the ‘/’ root directory becomes the home directory of the user.
7User Shell/bin/bashThis is the absolute path of the user command shell.

Event 2: A New Entry in /etc/shadow File

The useradd command will also add a new line in /etc/shadow file that is used to store user password information. The line looks like below.

systemzone:!!:17432:0:99999:7:::

At this state, the user is in lock state. But executing passwd command followed by username, the line looks like below.

systemzone:$6$q2P3fAuc$NxDDZlsy2.qeuJgbvpvqbyFTpuuUZ7XEsOb91wr0ZEi/XyCrxhutHggL9b0oNPR7VXm5sEw1DnhGOltULpJj71:17432:0:99999:7:::

There are nine fields in this line separated by colon and the explanation of these fields is shown in below table.

Field NoField Name Field ValueExplanation
1UsernamesystemzoneIt is login name used to login into the system.
2Password$6$q2P3fAuc$NxDDZlsy2.qeuJg

 

bvpvqbyFTpuuUZ7XEsOb9

1wr0ZEi/XyCrxhutHggL9b0oN

PR7VXm5sEw1DnhGOltULpJj71

It is user’s password that is encrypted. Before executing passwd command the value was (!!) which indicates no password is provided yet. So, the user is in lock state. But executing passwd command, provided password value will be encrypted with any hashing algorithm that is SHA512 by default.
3 17432Days since UNIX epoch password was changed (Jan 1, 1970). If value is set to 0, the user password is immediately expired. When the user logs in the next time, he is forced to change his password.
4Minimum0Minimum number of days after which password is allowed to be changed. If this value is set to 0, the user can change password as many times as he wants.
5Maximum99999Days after which password must be changed. If value is assigned, the user is forced to change his password. If value is 0, the password will never expire.
6Warn7The days before password will be expired and the user is warned that his password must be changed.
7Inactive The days after the password expiration the account will be disabled. Once any account is disabled, the account can only be re-enabled by the root user.
8Emergency

 

restriction

 This field is used as an emergency account restricting field by the root user. If value is set to 0, the account will be locked until root user removes this restriction.
9Future use This field is reserved for future use.

The root user can make a password policy that any user must change his password within maximum specified number of days with a warning period and blocking the account if he fails to change by combining 5th, 6th and 7th field.

Event 3: A New Entry in /etc/group File

When a user is created with useradd command, a user private group is created and its entry goes to /etc/group file. The entry looks like below.

systemzone:x:1002:

There are four fields in this line separated by colon. Let’s see the explanation of these fields in below tables.

Field NoField NameField ValueExplanation
1Group NamesystemzoneThis is the private group name of the user followed by username.
2Group PasswordxGroup password can be assigned with gpasswd command. Here ‘x’ indicates password is saved in /etc/gshadow file. By default no password is assigned for the group by useradd command.
3GID1002This is group ID and it is same as the UID.
4Group Member This field shows the member of this group except the user which is already a member of this group

Event 4: A New Entry in /etc/gshadow File

When a user is created with useradd command, a new line is also added to /etc/gshadow file. The line looks like below.

systemzone:!::

This line also contains four fileds separated by colons. The explanation of these fields is given below with a table.

Field NoField NameField ValueExplanation
1Group namesystemzoneThis is the corresponding group name of the user.
2Password!This field contains group password which is assigned with gpasswd command. If no password is given to the group, it shows ‘!’ in this file. If /etc/gshadow file is deleted, this encrypted password is moved to second field of /etc/group file.
3.Group Administrators This field contains the list of administrators of this group. By default it is blank that means only user having same name of the group name is the administrator of this group
4.Group Members Name of group members are listed in this field. By default it is blank.

Event 5: User Home Directory

A directory followed by username is created in home directory where all the files of any user are stored. A user is only allowed to access his own home directory. Generally, home directory of Red Hat Linux or CentOS Linux is /home. But user’s default home directory path can be changed by editing /etc/default/useradd file which I will show you later in this article or using special option with useradd command.

Two More User Administration Files

There are two more user administration files that are very important while managing users in Red Hat or CentOS Linux operating system. These files are:

  • /etc/login.defs file
  • /etc/default/useradd file

Understanding /etc/login.defs file

In Red Hat Linux or CentOS Linux, a file called /etc/login.defs is used to store user default password policy as well as other user related information. When any user is created with useradd command, it goes to this file and loads user default configuration from this file and then applies for the user. Only root user can edit this file.

The property values that are load from this file by usedadd command are described in below table.

Property NameDefault Value Explanation
MAIL_DIR/var/spool/mailThis is the directory path where user’s mail will be stored.
PASS_MAX_DAYS99999Maximum number of days for password validity.
PASS_MIN_DAYS0Minimum number of days allowed between password changes.
PASS_MIN_LEN5Minimum character length for a password.
PASS_WARN_AGE7How many days the password expiration message will be shown before expired.
UID_MIN1000Minimum number for the automatic user ID selection.
UID_MAX60000Maximum number for the automatic user ID selection.
SYS_UID_MIN201Minimum automatic UID for the system users.
SYS_UID_MAX999Maximum automatic UID for the system users.
GID_MIN1000It is the minimum numeric value for automatic group ID selection.
GID_MAX60000The maximum numeric value for automatic group ID selection.
SYS_GID_MIN201Minimum GID for the system accounts.
SYS_GID_MAX999Maximum GID for the system accounts.
CREATE_HOMEyesThis value tells useradd command whether it should create home directory for the user.
ENCRYPT_METHODSHA512Password encryption method for any user.
USERGROUPS_ENAByesThis enables userdel to remove user groups if no members exist.
UMASK077Default umask that is permission mask for the new users. If not specified, the permission mask will be initialized to 022.

If these values are changed in /etc/login.defs file, these values will hold for the new user by useradd command.

Understanding /etc/default/useradd File

When useradd command is executed, it takes some of user property values like where user’s home directory will be created, what should be the user’s shell etc. from /etc/default/useradd file. This file looks like below.

# useradd defaults fileGROUP=100

HOME=/home

INACTIVE=-1

EXPIRE=

SHELL=/bin/bash

SKEL=/etc/skel

CREATE_MAIL_SPOOL=yes

The explanation of these property values is shown in below table.

Property NameDefault ValueExplanation
GROUP100Maximum number of groups for which a user can be member of.
HOME/homeDefault directory path where home directory of any user will be created.
INACTIVE-1After account creation how many days the account remain inactive. Default value ‘-1’ indicates account is never inactive.
EXPIRE Account expiration date and it should be YYYY-MM-DD format.
SHELL/bin/bash Default login shell for new user.
SKEL/etc/skelThe files that are kept in this directory will be copied to the user’s home directory at the time of user creation.
CREATE_MAIL_SPOOLyesThis option ensures that every new user will have a mail directory followed by username in /var/mail directory where user’s mail will be stored.

By editing these property values, you can define user’s default configuration while creating a new user according to your organization’s requirements.

Understanding /etc/skel Directory

The /etc/skel directory serves as a skeleton for user’s home directory. If any file is kept in this directory, the file will be automatically copied in user’s home directory while creating new user with useradd command. So, this can be useful for a system administrator to give default files to every new user. By default this directory contains three hidden files.

  • .bash_logout
  • .bash_profile
  • .bashrc

So, home directory of any new user must have these three files.

The useradd Command Options

Now we will see some useful useradd command options that are frequently used for user administration in Red Hat Linux.

Create User with Different Home Directory

According to default configuration, user home directory is created in /home directory but while creating a new user with useradd command you can change user’s home directory. The home directory is changed with ‘-d’ option. For example, the following command will create a user named systemzone whose home directory will be /var/ftp.

[root@localhost ~]# useradd -d /var/ftp systemzone

Create User without Home Directory

Sometimes you may need to create a user without home directory. If you use ‘-M’ option with useradd command, the user will not have any specific home directory. In this situation, home directory of this user will be the previous logged user’s home directory.

[root@localhost ~]# useradd -M systemzone

Create User with Specific UID

User ID is automatically assigned when a user is created with useradd command. But user ID can be specified while creating a user with useradd command. The ‘-u’ option is used to specify the UID of any user. For example, the following command will create a user named systemzone whose UID will be 1050.

[root@localhost ~]# useradd -u 1050 systemzone

While specifying UID you should be care about that the UID must be unique from any other user ID that is already exists on the system.

Create User with Specific Group ID

Similarly, GID is automatically assigned when a user is created with useradd command. But using ‘-g’ option, GID can also be assigned manually while creating a user with useradd command. For example, the following command will create a user named systemzone whose UID will be 1050 and GID will 1050.

[root@localhost ~]# useradd -u 1050 -g 1050 systemzone

Here, you should also be care about that GID must be unique from other group ID that are already exists in your system.

Add User to Multiple Groups

By default, a user is added to its own group. But you can add a user to multiple groups while creating that user with useradd command. The ‘-G’ option is used with useradd command for this purpose. For example, the following command will create a user named systemzone which will be added to admins and developers group.

[root@localhost ~]# useradd -G admins,developers systemzone

Create User without Group

By default, at least one private group is created followed by username while creating any user. But if you need to create a user without any group, you may use ‘-N’ option. The ‘-N’ option creates a user that will have no group.

[root@localhost ~]# useradd -N systemzone

Create User with Account Expiry Date

Sometimes you may need to create a temporary account. In this situation, you have to create an account with expiry date. By default, useradd command creates a user which will never be expired. The ‘-e’ option with useradd command helps to create a user with expiry date.

[root@localhost ~]# useradd -e 2017-09-29 systemzone

The date format of this option will be YYYY-MM-DD. You can show age of this user account with chage command like below.

[root@iin /]# chage -l systemzone

Last password change                                    : Sep 26, 2017

Password expires                                        : never

Password inactive                                       : never

Account expires                                         : Sep 29, 2017

Minimum number of days between password change          : 0

Maximum number of days between password change          : 99999

Number of days of warning before password expires       : 7

Add User with Custom Comments

By default the useradd command keeps custom comments field blank if not specify. The ‘-c’ option allows to add custom comments such as full name, phone number etc to /etc/password file. For example, if you want to specify user’s full name while creating user with useradd command, use the following command.

[root@localhost ~]# useradd -c  “Md. Abu Sayeed ”  systemzone

Where, Md. Abu Sayeed is the full name of this user.

Change User’s Login Shell

Sometimes you may need to change user’s default login shell which is /bin/bash. The ‘-s’ option will allow you to change user’s default login shell. For example, the following command will create a user named systemzone whose default shell will be tcsh.

[root@localhost ~]# useradd  -s /bin/tcsh  systemzone

Again, if you need to create a user that will have no login shell, you may use /sbin/nologin or /bin/false like below example.

[root@localhost ~]# useradd  -s /bin/false  systemzone

Create User with Custom Skel

Default skel directory for any user is /etc/skel. But sometimes you may need to change skel directory for a group of special users. The ‘-k’ option will allow you to create a user with custom skel directory. For example, the following command will create a user which will get skel files from /etc/custom.skel directory.

[root@localhost ~]# useradd  -k /etc/custom.skel  systemzone

Create Multiple Users with Single Command

You can create multiple users with single line command. For this, you have to add multiple useradd command with AND (&&) operator. For example, the following command will add two users with one single line command.

[root@localhost ~]# useradd  ikbal && useradd tuhin

Create User and Set Password with Single Command

Combining useradd and passwd command with AND (&&) operator, user and password can be created at the same time.

[root@localhost ~]# useradd  ikbal && passwd ikbal

How to Edit/Modify User in Linux

The usermod command is used to modify any user’s properties. The basic structure of usermod command is:

usermod [options] username

Where, username is the login name which is used to log into the system. Option parameter is used to modify different properties of any user. The options that we have used with useradd command while creating any user can similarly be used with usermod command to modify any user property. However, I am showing the usage of these options briefly here.

Change User Login Name

The ‘-l’ option is used to change the username or login name of any user.

[root@localhost ~]# usermod  -l jhon david

Where, david is old name and jhon is new name. So, david will be replaced with jhon.

Modify User Comment

The ‘-c’ option is used to modify user comment such as user’s full name or any notes to /etc/passwd file.

[root@localhost ~]# usermod  -c “System Administrator” sayeed

Modify User Home Directory

User’s home directory can be changed using ‘-d’ option with usermod command.

[root@localhost ~]# usermod -d /var/ftp/sayeed sayeed

 Modify User Default Shell

To modify user’s default shell, the ‘-s’ option is used with usermod command.

[root@localhost ~]# usermod  -d /bin/tcsh sayeed

Modify User Account Expiration Date

Aaccount expiration date of any user can be changed using ‘-e’ option with usermod command.

[root@localhost ~]# usermod  -e 2017-12-25 sayeed

User Lock and Unlock

The ‘-L’ option with usermod command will lock any user immediately. So, the user cannot login with his login credentials.

[root@localhost ~]# usermod  -L sayeed

Similarly, a locked user can be unlocked using -U option with usermod command.

[root@localhost ~]# usermod  -U sayeed

Assign Single User to Multiple Groups

The ‘-G’ option with usermod command can be used to assign a user to multiple groups.

[root@localhost ~]# usermod  -G admins,developers sayeed

How to Remove User in Linux

The usedel command is used to delete any user in Linux operating system. The basic structure of userdel command is:

userdel [options] username

Where, username is the login name of any user. The userdel command accepts option to perform special task too.

Delete Specific User Leaving Home Directory

If you use userdel command without any option, the user will be deleted but home directory will remain in your system.

[root@localhost ~]# userdel  sayeed

 Delete User with Home Directory

The ‘-r’ option with userdel command will delete any user including his home directory.

[root@localhost ~]# userdel  -r sayeed

Remove user forcibly

The ‘-f’ option with userdel command will delete user although the user is logged into the system as well as it will remove user’s home directory.

[root@localhost ~]# usermod -f sayeed

User Administration Miscellaneous

Lastly, we will show some user related commands that are also used to manage user in Red Hat Linux system.

Get User UID and GID

The id command is used to know the UID and the GID of any specific user.

[root@localhost ~]# id sayeed

uid=1000(sayeed) gid=1000(sayeed) groups=1000(sayeed)

This command will show the user’s UID and Group ID. If username is not provided, currently logged user’s UID and GID will be shown.

Change User’s Password Aging Information

Password expiry information of any user can be changed using chage command.

[root@localhost ~]# chage sayeed

Changing the aging information for sayeed

Enter the new value, or press ENTER for the default

Minimum Password Age [0]:

Maximum Password Age [99999]:

Last Password Change (YYYY-MM-DD) [2017-05-08]:

Password Expiration Warning [7]:

Password Inactive [-1]:

Account Expiration Date (YYYY-MM-DD) [-1]:

Provide these values according to your demand.

View User’s Password Aging Information

The ‘-l’ option with chage command is used to view the password expiry information of any user.

[root@localhost ~]# chage -l sayeed

Last password change                                    : May 08, 2017

Password expires                                        : never

Password inactive                                       : never

Account expires                                         : never

Minimum number of days between password change          : 0

Maximum number of days between password change          : 99999

Number of days of warning before password expires       : 7

Show Logged on Users

The who command will show users who are logged on to your system.

[root@localhost ~]# who

Show Logged on Users with Activity

The w command will show users who are logged on to your system and what they are doing.

[root@localhost ~]# w

View Most Recent Login Reports

The lastlog command  reports the most recent login of all users from /var/log/lastlog file.

[root@localhost ~]# lastlog

View Users Who Are Success to Login

The last command will show users who are success to login to your system from /var/log/wtmp file.

[root@localhost ~]# last

View Users Who Are Fail to Login

The lastb command will show users who are fail to login to your system from /var/log/btmp file.

[root@localhost ~]# lastb

Linux user administrations such as how to add user, how to edit user, how to delete user etc. have been discussed in this article elaborately. I hope you are now able to manage your Linux user according to your requirements. However, if you face any problem to manage your Red Hat Linux users, feel free to discuss in comment or contact with me from Contact page. I will try my best to stay with you.

Why not a Cup of COFFEE if the solution?

user-management-in-linux-redhat-centos

ABU SAYEED

I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics. Follow Me: Facebook, Twitter and Linkedin.

Your name can also be listed here. Have an IT topic? Submit it here to become a System Zone author.

Leave a Reply

Your email address will not be published. Required fields are marked *

*