Managing CentOS Stream 9 Users and Groups

During the installation of CentOS Stream 9, the installer created a root or superuser account and required that a password be configured. The installer also provided the opportunity to create a user account for the system. We should remember that CentOS 9 is an enterprise-class, multiuser, and multi-tasking operating system. To use the full power of CentOS 9, therefore, it is likely that more than one user will need to be given access to the system. Each user should have their own user account login, password, home directory, and privileges.

Users are further divided into groups for easier administration, and those groups can have different levels of privileges. For example, you may have a group of users who work in the Accounting department. In such an environment, you can create an accounts group and assign all the Accounting department users to that group.

This chapter will cover the steps to add, remove and manage users and groups on a CentOS 9 system. Users and groups may be managed on CentOS 9 using command-line tools, the Cockpit web interface, and the desktop Settings app. In this chapter, we will look at each of these approaches to user management.

User Management from the Command-line

New users may be added to a CentOS 9 system via the command line using the adduser utility. To create a new user account, enter a command similar to the following:

# useradd john

By default, this will create a home directory for the user in the /home directory (in this case, /home/john). To specify a different home directory, use the -d command-line option when creating the account:

 

You are reading a sample chapter from CentOS Stream 9 Essentials. Buy the full book now in eBook or Print format.

Full book includes 34 chapters and 290 pages. Learn more.


 

# useradd -d /users/johnsmith john

Once the account has been created, a password needs to be assigned using the passwd tool before the user will be able to log into the system:

# passwd john
Changing password for user john.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

An existing user may be deleted via the command line using the userdel utility. While this will delete the account, the user’s files and data will remain intact on the system:

# userdel john

It is also possible to remove the user’s home directory and mail spool as part of the deletion process:

# userdel --remove john

All users on a CentOS 9 system are members of one or more groups. By default, new users are added to a private group with the same name as the user (in the above example, the account created for user john was a member of a private group also named john). However, as an administrator, it makes sense to organize users into more logical groups. For example, all salespeople might belong to a sales group, accounting staff might belong to the accounts group, and so on. New groups are added from the command line using the groupadd command-line tool, for example:

# groupadd accounts

Use the usermod tool to add an existing user to an existing group from the command line:

 


# usermod -G accounts john

To add an existing user to multiple existing groups, run the usermod command with the -G option:

# usermod -G accounts,sales,support john

Note that the above commands remove the user from any supplementary groups of which the user is currently a member but which are not listed after the -G option. To retain any current group memberships, use the -a flag to append the new group memberships:

# usermod -aG accounts,sales,support john

An existing group may be deleted from a system using the groupdel utility:

# groupdel accounts

Note that if the group to be deleted is the primary or initial group for any user, it cannot be deleted. The user must first be deleted or assigned a new primary group using the usermod command before the group can be removed. A user can be assigned to a new primary group using the usermod -g option:

# usermod -g sales john
# groupdel accounts

Next, run the groups command to find out the groups a user belongs to. For example:

 


$ groups john
john : accounts support

By default, a user account cannot perform tasks requiring superuser (root) privileges unless they know the root password. It is, however, possible to configure a user account so that privileged tasks can be performed using the sudo command. This involves adding the user account as a member of the wheel group, for example:

# usermod -aG wheel john

Once added to the wheel group, the user will be able to perform otherwise restricted tasks using sudo as follows:

$ sudo dnf update
[sudo] password for demo:
Updating Subscription Management repositories.
.
.

The sudo capabilities of the wheel group may be modified by editing the /etc/sudoers file and locating the following section:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
 
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

To disable sudo for all wheel group members, comment out the second line as follows:

## Allows people in group wheel to run all commands
# %wheel  ALL=(ALL)       ALL

To allow wheel group members to use sudo without entering a password (for security reasons, this is not recommended), uncomment the corresponding line in the sudoers file:

 


## Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL
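
The state left behind by these sudoers edits can be checked mechanically. The script below is an added example, not part of the book: the function name wheel_sudo_state and the sample input are constructed for illustration, and it reports the last active %wheel rule because sudo applies the last matching entry.

```bash
#!/usr/bin/env bash
# Added example: report how the %wheel rule in a sudoers-format file behaves.
# Prints one of: disabled | password | nopasswd
# Assumption: single-line rules in one file; included files are not followed.

wheel_sudo_state() {   # usage: wheel_sudo_state [FILE]   (stdin if no FILE)
    awk '
        /^[ \t]*#/ { next }                 # commented-out rules are inactive
        /^[ \t]*%wheel[ \t]/ {              # active rule for the wheel group
            # sudo uses the last matching entry, so later lines override
            state = ($0 ~ /NOPASSWD[ \t]*:/) ? "nopasswd" : "password"
        }
        END { print (state == "" ? "disabled" : state) }
    ' "$@"
}

# Constructed sample: the stock section after uncommenting the NOPASSWD line.
sample_sudoers() {
    cat <<'EOF'
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
}

sample_sudoers | wheel_sudo_state    # nopasswd
```

On a live system, run the function as root against /etc/sudoers. Edits to that file are best made with visudo, which checks the syntax before saving.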

Behind the scenes, all these commands are simply changing the /etc/passwd, /etc/group, and /etc/shadow files on the system.
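
Because membership is recorded in two places (the GID field of /etc/passwd for the primary group, the member list of /etc/group for supplementary groups), a membership audit has to read both files. The following script is an added example, not part of the book: the function name group_members and the sample files are constructed, with the file paths passed as parameters so it can run on copies.

```bash
#!/usr/bin/env bash
# Added example: list every member of a group and whether the membership is
# primary (GID field in passwd) or supplementary (member list in group).

group_members() {   # usage: group_members GROUP PASSWD_FILE GROUP_FILE
    awk -F: -v grp="$1" '
        FNR == NR {                          # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, list, ",")
                for (i = 1; i <= n; i++)
                    if (list[i] != "") kind[list[i]] = "supplementary"
            }
            next
        }
        gid != "" && $4 == gid { kind[$1] = "primary" }   # second file: passwd
        END { for (u in kind) print u, kind[u] }
    ' "$3" "$2" | sort
}

# Constructed sample data, as left by commands like those in this chapter:
#   usermod -g sales john ; usermod -aG wheel,support john
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
john:x:1001:1003:John:/home/john:/bin/bash
mary:x:1002:1002:Mary:/home/mary:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
root:x:0:
wheel:x:10:john,mary
mary:x:1002:
sales:x:1003:mary
support:x:1004:john
EOF

# john is in sales only through the passwd GID field, so reading the group
# file alone would miss him; a "primary" line is also what blocks groupdel.
group_members sales "$demo_dir/passwd" "$demo_dir/group"
# Every account listed for wheel can use sudo while the %wheel rule is active.
group_members wheel "$demo_dir/passwd" "$demo_dir/group"
```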

User Management with Cockpit

If the Cockpit web interface is installed and enabled on the system (a topic covered in the chapter entitled Using Cockpit on CentOS Stream 9), several user management tasks can be performed within the Accounts screen shown in Figure 9-1 below:

Figure 9-1

The screen will display any existing user accounts on the system and provides a button to add additional accounts. To create a new account, click the Create New Account button and enter the requested information in the resulting dialog (Figure 9-2). Note that the option is also available to create the account but to lock it until later:

Figure 9-2

To modify a user account, select it from the main screen and make any modifications to the account details:

Figure 9-3

This screen allows various tasks to be performed, including locking or unlocking the account, changing the password, or forcing the user to configure a new password. In addition, if the Server Administrator option is selected, the user will be added to the wheel group and permitted to use sudo to perform administrative tasks. A button is also provided to delete the user from the system.

 


If the user is accessing the system remotely using an SSH connection with key-based authentication, the user’s public key may be added within this screen. SSH access and authentication will be covered later in Configuring SSH Key-based Authentication on CentOS Stream 9.

User Management using the Settings App

A third user account management option is available via the GNOME desktop settings app. This app is accessed by clicking on icons in the top right-hand corner of the GNOME desktop and selecting the Settings option, as shown in Figure 9-4:

Figure 9-4

When the main settings screen appears, click the Users option in the left-hand navigation panel. By default, the settings will be locked, and making any changes to the user accounts on the system will not be possible. To unlock the Settings app, click the Unlock button in Figure 9-5 below and enter your password. Note that it will only be possible to unlock the settings if you are logged in as a user with sudo privileges:

Figure 9-5

Once the app has been unlocked, a button labeled Add User… will appear in the title bar. Click this button to display the dialog shown in Figure 9-6 below:

Figure 9-6

Select the Administrator account to assign sudo access to the new user; otherwise, leave Standard selected. Next, enter the user’s full name and username and assign a password now, or allow the user to set up the password when they first log into their account. Once the information has been entered, click the Add button to create the account.

 


The settings for an existing user can be viewed or modified, or the account deleted, at any time by selecting the corresponding icon within the Users screen, as shown in Figure 9-7. The option is also available to view the user’s login activity. Note that it will be necessary to unlock the Settings app again before any changes can be made to an account:

Figure 9-7

Summary

As a multiuser operating system, CentOS Stream 9 has been designed to support controlled access for multiple users. During installation, the root user account was created and assigned a password, and the option to create a user account was also provided. Additional user accounts may be added to the system using a set of command-line tools, the Cockpit web interface, or the GNOME Settings app. In addition to user accounts, Linux also implements the concept of groups. New groups can be added, and users assigned to those groups, using command-line tools, and each user must belong to at least one group. By default, a standard, non-root user does not have permission to perform privileged tasks. Users that are members of the special wheel group, however, may perform privileged tasks by making use of the sudo command.

