RHCSA Rapid Track
Course update
An updated version of this course is available that uses a newer version of Red Hat Enterprise Linux in the lab environment. Therefore, the RHEL 9.0 version of the lab environment will retire on December 31, 2024. Please complete any work in this lab environment before it is removed on December 31, 2024. For the most up-to-date version of this course, we recommend moving to the RHEL 9.3 version.
- SectionDescribe User and Group Concepts
- Quiz: Describe User and Group Concepts
- Gain Superuser Access
- Guided Exercise: Gain Superuser Access
- Manage Local User Accounts
- Guided Exercise: Manage Local User Accounts
- Manage Local Group Accounts
- Guided Exercise: Manage Local Group Accounts
- Manage User Passwords
- Guided Exercise: Manage User Passwords
- Lab: Manage Local Users and Groups
- Summary
Abstract
| Goal | Create, manage, and delete local users and groups, and administer local password policies. |
| Objectives |
|
| Sections |
|
| Lab |
Manage Local Users and Groups |
A user account provides security boundaries between people and programs that can run commands.
Users have usernames to identify them to human users and for ease of working. Internally, the system distinguishes user accounts by the unique identification number, the user ID or UID, which is assigned to them. In most scenarios, if a human uses a user account, then the system assigns a secret password for the user to prove that they are the authorized user to log in.
User accounts are fundamental to system security. Every process (running program) on the system runs as a particular user. Every file has a particular user as its owner. With file ownership, the system enforces access control for users of the files. The user that is associated with a running process determines the files and directories that are accessible to that process.
User accounts are of the following main types: the superuser, system users, and regular users.
The superuser account administers the system. The superuser name is
rootand the account has a UID of 0. The superuser has full system access.The system user accounts are used by processes that provide supporting services. These processes, or daemons, usually do not need to run as the superuser. They are assigned non-privileged accounts to secure their files and other resources from each other and from regular users on the system. Users do not interactively log in with a system user account.
Most users have regular user accounts for their day-to-day work. Like system users, regular users have limited access to the system.
Use the id command to show information about the currently logged-in user:
[user01@host ~]$ id
uid=1000(user01) gid=1000(user01) groups=1000(user01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023To view information about another user, pass the username to the id command as an argument:
[user01@host ~]$ id user02
uid=1002(user02) gid=1001(user02) groups=1001(user02) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023Use the ls -l command to view the owner of a file.
Use the ls -ld command to view the owner of a directory, rather than the contents of that directory.
In the following output, the third column shows the username.
[user01@host ~]$ls -l mytextfile.txt-rw-rw-r--. 1user01user01 0 Feb 5 11:10 mytextfile.txt [user01@host]$ls -ld Documentsdrwxrwxr-x. 2user01user01 6 Feb 5 11:10 Documents
Use the ps command to view process information.
The default is to show only processes in the current shell.
Use the ps command -a option to view all processes with a terminal.
Use the ps command -u option to view the user that is associated with a process.
In the following output, the first column shows the username.
[user01@host ~]$ps -auUSER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1690 0.0 0.0 220984 1052 ttyS0 Ss+ 22:43 0:00 /sbin/agetty -o -p -- \u --keep-baud 1user011769 0.0 0.1 377700 6844 tty2 Ssl+ 22:45 0:00 /usr/libexec/gdm-x-session --register-user011773 1.3 1.3 528948 78356 tty2 Sl+ 22:45 0:03 /usr/libexec/Xorg vt2 -displayfd 3 -auuser011800 0.0 0.3 521412 19824 tty2 Sl+ 22:45 0:00 /usr/libexec/gnome-session-binaryuser013072 0.0 0.0 224152 5756 pts/1 Ss 22:48 0:00 -bashuser013122 0.0 0.0 225556 3652 pts/1 R+ 22:49 0:00 ps -au
The output of the preceding command displays users by name, but internally the operating system uses UIDs to track users.
The mapping of usernames to UIDs is defined in databases of account information.
By default, systems use the /etc/passwd file to store information about local users.
Each line in the /etc/passwd file contains information about one user.
The file is divided into seven colon-separated fields. An example of a line from /etc/passwd follows:
[user01@host ~]$ cat /etc/passwd
...output omitted...
user01:x:1000:1000:User One:/home/user01:/bin/bashConsider each part of the code block, separated by a colon:
user01: The username for this user.x: The user's encrypted password was historically stored here; it is now a placeholder.1000: The UID number for this user account.1000: The GID number for this user account's primary group. Groups are discussed later in this section.User One: A brief comment, description, or the real name for this user./home/user01: The user's home directory, and the initial working directory when the login shell starts./bin/bash: The default shell program for this user that runs at login. Some accounts use the/sbin/nologinshell to disallow interactive logins with that account.
A group is a collection of users that need to share access to files and other system resources. Groups can grant access to files to a set of users instead of to a single user.
Like users, groups have group names for easier recognition.
Internally, the system distinguishes groups by the unique identification number, the group ID or GID, which is assigned to them.
The mapping of group names to GIDs is defined in identity management databases of group account information.
By default, systems use the /etc/group file to store information about local groups.
Each line in the /etc/group file contains information about one group.
Each group entry is divided into four colon-separated fields.
An example of a line from /etc/group follows:
[user01@host ~]$ cat /etc/group
...output omitted...
group01:x:10000:user01,user02,user03Consider each part of the code block, separated by a colon:
group01: Name for this group.x: Obsolete group password field; it is now a placeholder.10000: The GID number for this group (10000).user01,user02,user03: A list of users that are members of this group as a supplementary group.
Every user has exactly one primary group.
For local users, this group is listed by GID in the /etc/passwd file.
The primary group owns files that the user creates.
When a regular user is created, a group is created with the same name as the user, to be the primary group for the user. The user is the only member of this User Private Group. This group membership design simplifies the management of file permissions, to have user groups separated by default.
Users might also have supplementary groups.
Membership in supplementary groups is stored in the /etc/group file.
Users are granted access to files based on whether any of their groups have access, regardless of whether the groups are primary or supplementary.
For example, if the user01 user has a user01 primary group and wheel and webadmin supplementary groups, then that user can read files that any of those three groups can read.
The id command can show group membership for a user.
In the following example, the user01 user has the user01 group as their primary group (gid).
The groups item lists all group memberships for this user, and the user also has the wheel and group01 groups as supplementary groups.
[user01@host ~]$ id
uid=1001(user01) gid=1003(user01) groups=1003(user01),10(wheel),10000(group01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023