Linux User Management

What three things must you do to manage user accounts?

  • Create accounts
  • Modify accounts
  • Delete accounts

Here is a breakdown of the three commands that perform these tasks (useradd, usermod, and userdel), along with some of their related options, in RHEL.

  • Useradd

The most basic task is to create an account to represent the user who will be working on the system. Each user must authenticate to Linux with an identity that can be used to control their resource access and consumption. User accounts are stored in the /etc/passwd file. That file should not be edited directly by tools such as Vim. Instead, there is useradd, a user-creation utility that adds an account but also accomplishes additional tasks.

Use the useradd command to create accounts:

$ sudo useradd user1

That’s enough to create the account. However, there are some options you can add. As always, review the associated man page for details. Here are a few common options:

  • --create-home (-m): Adds a home directory (this is a default on some distributions)
  • --shell (-s): Sets the user’s preferred shell if it’s different from /bin/bash
  • --uid (-u): Specifies a particular user ID (UID)
  • --comment (-c): Populates the comment field (usually with the user’s full name enclosed in quotes)

Default settings for the useradd command are stored in the /etc/default/useradd file.

Also, don’t forget to set a password for the account by using the passwd command.

Try a few exercises to test these commands:

  1. Create a user named user1 with a home directory named /home/myuser.
  2. Create a user named user2 with zsh as the default shell.
  3. Create a user named user3 with “Temporary User” in the comment field.

  • Usermod

Now that some user accounts exist on the system, you can modify their settings. You accomplish this with the usermod command and its related options. Modifications may be necessary when users change names, request different shells, or need updated password information.

Standard options for usermod include:

  • --comment (-c): Modifies the comment field
  • --home (-d): Modifies home directory information
  • --expiredate (-e): Changes account-expiration settings
  • --login (-l): Modifies the username
  • --lock (-L): Locks a user account
  • --unlock (-U): Unlocks a user account

Perhaps a user requests an account name change from user2 to test2. The command looks like this:

$ sudo usermod --login test2 --comment "Test Two" user2

The user2 string is the argument in this command. The --login and --comment options act on that argument to modify the account.

Maybe a user is taking a leave of absence. The user will return, but the account should be inaccessible in the meantime. If an administrator deletes the account, the user’s data, group memberships, and other unique information may be lost or more difficult to access. It’s better to lock the account until their return.

Lock a user account by using the usermod command:

$ sudo usermod --lock user1

Upon the user’s return, unlock the account:

$ sudo usermod --unlock user1
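To see what --lock actually changes, and to audit the account database that useradd, usermod, and userdel maintain for you, here is an added example (not part of the original article) that runs a few checks over constructed /etc/passwd and /etc/shadow samples. It goes a little beyond the lock/unlock step by also flagging extra UID 0 entries and accounts that still have a login shell; the account names and hashes are made up, and it assumes the shadow-utils convention that usermod --lock prefixes the stored hash with "!".

```shell
#!/bin/sh
# Constructed sample data, not a real system's files. The layout is that of
# /etc/passwd and /etc/shadow, which useradd/usermod/userdel maintain for you.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001:User One:/home/user1:/bin/bash
user2:x:1002:1002:Test Two:/home/user2:/bin/zsh
user3:x:1003:1003:Temporary User:/home/user3:/sbin/nologin
secondroot:x:0:0:Hypothetical duplicate UID 0:/root:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
user1:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
user2:$6$saltsalt$placeholderhash:19000:0:99999:7:::
user3:$6$saltsalt$placeholderhash:19000:0:99999:7:::
secondroot:$6$saltsalt$placeholderhash:19000:0:99999:7:::
EOF

# Accounts locked with `usermod --lock`: the hash in field 2 of the shadow
# file is prefixed with "!", so no password can match it any more.
# (--lock only affects password logins; SSH keys in authorized_keys still work.)
locked_accounts() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Any entry besides root that has UID 0 is a full-privilege account and
# should be explained by policy or removed with userdel.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Regular accounts (UID >= 1000 on RHEL) whose shell still allows an
# interactive login, i.e. not /sbin/nologin or /bin/false.
interactive_accounts() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Print a small report; on a real host pass /etc/passwd and /etc/shadow
# (reading /etc/shadow requires root).
audit_accounts() {
    printf 'locked:      %s\n' "$(locked_accounts "$2" | paste -s -d ' ' -)"
    printf 'extra uid 0: %s\n' "$(extra_uid0_accounts "$1" | paste -s -d ' ' -)"
    printf 'interactive: %s\n' "$(interactive_accounts "$1" | paste -s -d ' ' -)"
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

Run it against the real files as root to confirm that user1 shows up under "locked" after the usermod --lock command above and disappears after --unlock.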

Interestingly, adding a user to a group modifies the user, not the group. Therefore, you manage group membership with the usermod command.

The two primary group membership scenarios are:

  • Add a user to a group and remove the user from all other groups
  • Add a user to a group and retain the user’s membership in all other groups

Use the --groups (-G for short) option with usermod to accomplish the first scenario (add a user to a group and remove them from all other supplementary groups). The --append (-a for short) option appends a group to the user; when combined with -G, it retains the user's membership in other groups.

So, to add the user1 user account to the clusters group and retain user1's membership in other groups, type:

$ sudo usermod --append --groups clusters user1

  • Userdel

Finally, you might want to remove an account representing a user whose role has changed or is no longer with the organization.

To delete the account, type:

$ sudo userdel user3

However, before deleting the account, don’t forget about resources such as the user’s home directory or system mail. You will want to ensure those resources get handled according to the organization’s written security policy.

Here are some common options for userdel that address these resources:

  • --force (-f): Deletes the account (including mail and home directory), even if the user is still logged in
  • --remove (-r): Deletes the account (including mail and home directory), but the user must be logged out

The userdel command is pretty simple. There aren’t many options, but they can be displayed by typing userdel --help.

Thank You !!!