🌐 🇵🇱 Polski · 🇬🇧 EN
Every operating system should allow for the creation of user accounts and enable efficient work within them. In this chapter, I will discuss the administrator's tasks related to system users, such as adding accounts, granting permissions, creating groups, etc. Every system administrator spends a significant amount of time managing user accounts and groups. This is because these settings determine which files and directories a given user or group can access and define the level of that access. It is also possible to organize users into groups, for example, to work on a joint project. When a user account is created, a standard set of files is also generated. These files define the environment and workspace for that user. In large systems with high user turnover, administrators usually develop automation for account management by using pre-prepared scripts. So far, everything seems obvious as long as the work is limited to a single machine, but what should be done if we are dealing with a larger number of hosts on a network? Do we have to create the same users separately on each one? The solution to this problem is to add the system to a domain containing all user accounts and groups in a central database, thus enabling easier organization and management of user accounts.
USERS AND GROUPS
In a RedHat environment, there are three different types of user accounts:
- root
- regular user
- system user (pseudo-user)
The "root" account is equivalent to the Windows Enterprise Administrator account. It is the account with the highest privileges in the system and has access to everything within it. Precisely because of the power this account possesses, it should NEVER be used!
At the moment of installing the RedHat environment, we are asked to create the first user account (if the installation is performed with a desktop manager); otherwise, if the installation is performed over the network or by skipping the wizard, the first account must be created manually. In any case, the point is to create a user account for yourself and grant it enough permissions to perform your administrative tasks with it.
In the following section, you will see how to delegate control over system administration to a specially created user or any other user so that they can perform assigned tasks for which only the "root" account has permissions.
Such actions not only make the system more secure, but this approach also makes it easier to manage the accountability of specific users for what happens in the system (it is known who did what). A regular user account does not have write access anywhere in the system outside of its own home directory (it can only browse the directory structure); only the administrator can grant appropriate permissions to other locations in the system.
A system account is very similar to a regular user account. The difference is that a system account does not have a home directory and does not log into the system like a regular user. Such accounts are used for the needs of programs and system services, enabling them to function. Why was it solved this way? For example, the Apache server (web server) has its own user, and if someone were to take control of it, they could only gain access to that specific service and its configuration files. If you were to allow this service to run with root privileges, in the event of an attack, the attacker would gain full rights to the entire environment. This is also the answer to the question of why you should not use the root account in the system.
USERS
When working with users, we must have the ability to create password-protected accounts (and manage password settings), edit and configure accounts and permissions, and delete accounts when they are no longer needed. To manage user accounts, we use the following commands:
- useradd - Create a user and their account
- usermod - Modify a user account
- userdel - Remove an account from the system
Let's imagine a situation where an employee comes to the administrator in the office and says: "I need to log in to one of the servers to install new software and test it." You cannot give them your own permissions, because you are the administrator, and giving away your own full-privilege account is out of the question. We need a user account for this person on the given server. For practice, we will create 5 user accounts and learn about the various options available when creating an account. For this purpose, we will use the "useradd" command:
Syntax of the useradd command: # useradd [options] LOGIN
Options for the useradd command:
- -b - Set the base directory for the new account (home directory)
- -c COMMENT - Create a description for the new account
- -e EXPIRE_DATE - Set an account expiration date
- -m - Create the user's home directory
- -r - Create a system account
- -s SHELL - Define which shell the user will use
- -u UID - Set the UID for the user
Let's create the first account:
# useradd -c “Avg Joe” -m -s /bin/bash user02
The account created in this way has the name and home directory - "user02", the shell that will be available after logging in is set to /bin/bash, which is BASH, and a description has been added informing that the account belongs to "Avg Joe". The rest happens in the background.
All users have a unique ID number (UID) and a group ID (GID). In RedHat, UID numbers start from the value 500 for normal users, of which there can be thousands. For system accounts, values from 1 to 499 are reserved.
Let's see the created user directories:
# ls /home
user01 user02
Now let's add another user with their home directory:
# useradd -m user03
It is good practice to add descriptions for each account so you don't forget why a given account was created.
Now that the account has been created, let's see how we can administer it and make changes to it. Let's add a description to the account. Modifications are performed with the "usermod" command.
Syntax of the usermod command: # usermod [options] LOGIN
Options for the usermod command:
- -c COMMENT - Set a new description value
- -d HOME-DIR - Set a new home directory location
- -g GROUP - Set a new primary group for the user
- -G GROUPS - Assign the user to multiple groups
- -l NEW_LOGIN - Change the user's login name
- -L - Lock the user account
- -s SHELL - Change the shell for the user
- -u UID - Set a new UID value for the user
- -U - Unlock the user account
So, to add a description for a user account:
# usermod -c “Third User” user03
The last task regarding user accounts is: deleting an account. This issue can be a bit trickier than it seems because the "userdel" command does not work as you might expect. Let's create a user named "user05" and then delete them:
# useradd user05
To perform account deletion, we will use the "userdel" command.
Syntax of the userdel command: # userdel [options] LOGIN
Options for the userdel command:
- -f - Force removal of the user even if they are logged in
- -r - Remove the user along with their home directory and e-mail spool
We are deleting user User05:
# userdel user05
In this case, if we go to the user home directories, the User05 directory will still be there:
# ls /home
user01 user02 user05
The directory was not deleted because the "-r" switch was not used, which would cause all of that user's files to be deleted.
Knowledge about deleting user accounts along with their files can be useful for the exam, however, in the real world, there are many internal company policies informing what to do with user files and how to store them; in 99% of cases, they are not deleted. A good practice is to move the files to a directory with "root" permissions and allow them to be read by selected or all users. Thanks to this, if the files were needed again, e.g., due to account restoration, it could be done in a simple way.
Although every user has their home directory to store their files, it often happens that users save their files in various places, and to thoroughly clean up the system after a given user, it is worth searching for all their files:
# find / -user user05
Now you can move them to one location and archive them.
Comments