-
Create, delete, and modify local user accounts
-
RHEL 8 supports three user account types: root, normal and service. The root user has full access to all services and administrative functions. A normal user can run applications and programs that they are authorised to execute. Service accounts are responsible for taking care of the installed services.
-
The
/etc/passwdfile contains vital user login data. -
The
/etc/shadowfile is readable only by the root user and contains user authentication information. Each row in the file corresponds to one entry in the passwd file. The password expiry settings are defined in the/etc/login.defsfile. The/etc/defaults/useraddfile contains defaults for the useradd command. -
The
/etc/groupfile contains the group information. Each row in the file stores one group entry. -
The
/etc/gshadowfile stores encrypted group passwords. Each row in the file corresponds to one entry in the group file. -
Due to manual modification, inconsistencies may arise between the above four authentication files. The pwck command is used to check for inconsistencies.
-
The vipw and vigr commands are used to modify the passwd and group files, respectively. These commands disable write access to these files while the privileged user is making the modifications.
-
To create a user:
useradd user1
-
To check that the user has been created:
cat /etc/group | grep user1 -
To specify the UID and GID at user creation:
useradd -u 1010 -g 1005 user1
-
To create a user and add them to a group:
useradd -G IT user2
-
Note that -G is a secondary group, and -g is the primary group. The primary group is the group that the operating system assigns to files to which a user belongs. A secondary group is one or more other groups to which a user also belongs.
-
To delete a user:
userdel user1
-
To modify a user:
usermod -l user5 user1 # note that home directory will remain as user1 -
To add a user but not give access to the shell:
useradd -s /sbin/nologin user
-
-
Change passwords and adjust password aging for local user accounts
-
To change the password for a user:
passwd user1
-
To step through password aging information the chage command can be used without any options.
-
To view user password expiry information:
chage -l user1
-
To set the password expiry for a user 30 days from now:
chage -M 30 user1
-
To set the password expiry date:
chage -E 2021-01-01 user1
-
To set the password to never expire:
chage -E -1 user1
-
-
Create, delete, and modify local groups and group memberships
-
To create a group:
groupadd IT
-
To create a group with a specific GID:
groupadd -g 3032
-
To delete a group:
groupdel IT
-
To modify the name of a group:
groupmod -n IT-Support IT
-
To modify the GID of a group:
groupmod -g 3033 IT-Support
-
To add a user to a group:
groupmod -aG IT-Support user1
-
To view the members of a group:
groupmems -l -g IT-Support
-
To remove a user from a group:
gpasswd -d user1 IT-Support
-
-
Configure superuser access
-
To view the sudoers file:
visudo /etc/sudoers
-
Members of the wheel group can use sudo on all commands. To add a user to the wheel group:
sudo usermod -aG wheel user1
-
To allow an individual user sudo access to specific commands:
visudo /etc/sudoers user2 ALL=(root) /bin/ls, /bin/df -h, /bin/date
-
Things have changed in RHEL 9. rd.break does not work anymore. These are the steps that need to be taken.
- Find the line that loads the Linux kernel and add
init=/bin/bashto the end of the line. mount -o remount,rw /This is necessary because it's mounted as read-only.passwd roottouch /.autorelabelexec /usr/lib/systemd/systemd/To reboot the machine or/sbin/reboot -f
Apparently this isn't supposed to work in RHEL 9, but as of 9.4 I was successful with it. It's worth knowing multiple ways of doing it for both exam and real world applications
- Interupt boot process and hit
eto edit your GRUB config - Navigate to the end of the 'linux' line and add
rd.break - Boot system wit
ctrl+x - When you get into emergency mode, execute the command
mount | grep root. You'll get output like this:
- In the picture above we can see that the root filesystem is mounted to
/sysrootwith "ro" (read-only) permissions. We need to remount it as "rw" (read-write) with the commandmount -o remount,rw /sysroot. If we check withmount | grep rootagain we can then see it was successful:
- Now we can use
chrootto access the root filesystem and change the password:chroot /sysroot - Then change the root password with
passwd root - Then tell SELinux not to complain that someone changed the root password by the command
touch /.autorelabel - Then
exitto get out of your chroot session andlogoutto get out of the emergency shell
useradd john to create user john.
Checkout useradd --help to see more available options.
Files in /etc/default/useradd apply to useradd only.
Alternatively, write default settings to /etc/login.defs. This is the main settings config file.
Changing this will not affect previously created users, only users that will be created in the future.
Files in /etc/skel are copied to the user home directory upon creation. If we want to send a message, scripts, etc. We can use /etc/skel.
To view password settings for user John.
chage -l john
To set password options for John.
chage john
You can also view the password options in /etc/shadow. You can see if the user account is locked out. The second field is the password hash. If the password hash starts with ! The user account is locked out. As you can see, the user John is locked out.
You can also see if the account is locked with passwd -S armann
If you want to transfer a password from another server to another one, simply copy the password hash in /etc/shadow from the server with the correct password and paste it into field number 2.
To edit /etc/passwd use vipw. Do not edit the file directly.
To lock a user account.
usermod -L john
To unlock an account.
usermod -U john
See previous logged in users.
last
See currently logged in users.
w or who
/etc/login.defs: Used for default settings like UID settings, passwd default settings, and other things.
/etc/profile: Used for default settings for all users when starting a login shell.
/etc/bashrc: Used to define defaults for all users when starting a subshell.
~/.profile: Specific settings for one user applied when starting a login shell.
~/.bashrc: Specific settings for one user applied when starting a subshell.
To create a new group. groupadd groupname
To see members of a group. groupmems -g sales or lid -g groupname. For a specific user you can use id john or groups john. The first group listed is the primary group.
Add John to the group sales. usermod -aG sales john. The new group for the user is applied when they log out and back in. If they don't want to do that and use the new group right away, that's when we use the newgrp command. Remember to use the -a option when adding people to groups. If you don't, it will override all secondary groups the member is a part of.
Remove user John from the group printers.
gpasswd -d john printers
You can use newgrp sales to change the primary group to sales. This is only a temporary primary group change, when you exit, it's back to your original primary group. Remember that the newgrp command opens a subshell where the user is a member of the group sales.
Use vigr to change the /etc/groups file.
See all groups cat /etc/group
To have sudo rights the user needs to be a part of the wheel group.
To see current members of the wheel group.
lid -g wheel
Let's add John to the wheel group. usermod -aG wheel john
Let's remove John from the wheel group. gpasswd -d john wheel