Managing RHEL 8 Users and Groups

Revision as of 16:04, 17 June 2019 by Neil (Talk | contribs)




You are reading a sample chapter from the Red Hat Enterprise Linux 8 (RHEL 8) Essentials book.

Purchase a full copy of Red Hat Enterprise Linux 8 (RHEL 8) Essentials in eBook ($9.99) or Print ($36.99) format

Red Hat Enterprise Linux 8 Essentials Print and eBook (ePub/PDF/Kindle) editions contain 31 chapters and over 250 pages



During the installation of RHEL 8, the installer created a root, or superuser account, and required that a password be configured. The installer also provided the opportunity to create a user account for the system. We should not lose sight of the fact that RHEL 8 is actually an enterprise class, multi-user and multi-tasking operating system. In order to use the full power of RHEL 8, therefore, it is likely that more than one user will need to be given access to the system. Each user should have his or her own user account login, password, home directory and privileges.

Users are further divided into groups for the purposes of easier administration and those groups can have different levels of privileges. For example, you may have a group of users who work in the Accounting department. In such an environment you may wish to create an accounts group and assign all the Accounting department users to that group.

In this chapter we will cover the steps to add, remove and manage users and groups on a RHEL 8 system. There are a number of ways to manage users and groups on a RHEL 8 system, the most common options being command-line tools and the Cockpit web interface. In this chapter we will look at both approaches.

User Management from the Command-line

New users may be added to a RHEL 8 system via the command-line using the useradd utility. To create a new user account, enter a command similar to the following:

# useradd john

By default, this will create a home directory for the user in the To specify a different home directory, use the -d command-line option when creating the account:

# useradd -d /users/johnsmith john

Once the account has been created, a password needs to be assigned using the passwd tool before the user will be able to log into the system:

# passwd john
Changing password for user john.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

An existing user may be deleted via the command-line using the userdel utility:

# userdel john

It is also possible to remove the user’s home directory and mail spool as part of the deletion process:

# userdel --remove john

All users on a RHEL 8 system are members of one or more groups. By default, new users are added to a private group with the same name as the user (in the above example, the account created for user john was a member of a private group also named john). As an administrator, it makes sense to organize users into more logical groups. For example all sales people might belong to a sales group, while accounting staff might belong to the accounts group and so on. New groups are added from the command-line using the groupadd command-line tool, for example:

# groupadd accounts

Use the usermod tool to add an existing user to an existing group from the command-line:

# usermod -G accounts john

To add an existing user to multiple existing groups, pass a comma-separated list of groups to the usermod -G option:

# usermod -G accounts,sales,support john

Note that the above commands remove the user from any supplementary groups which are not listed after the -G, but of which the user is currently a member. To retain any current group memberships, use the -a flag to append the new group memberships:

# usermod -aG accounts,sales,support john
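
The following pre-flight check is an added example, not part of the original chapter: it reports which supplementary groups a user would lose if usermod -G were run without -a. The groups_lost function name, the constructed sample file and the assumption that groups are given by name are this example's own.

```shell
#!/bin/sh
# Pre-flight check for "usermod -G": which supplementary groups would the user
# lose because they are missing from the new list?
# Assumption of this example: the group file path is passed in, so the check
# can run against a copy; on a live system it would be /etc/group.

# groups_lost USER NEW_LIST GROUP_FILE
# Prints each group that currently lists USER as a member but is absent from
# the comma-separated NEW_LIST. The primary group (set in /etc/passwd) is not
# touched by -G and is therefore not reported.
groups_lost() {
    awk -F: -v user="$1" -v list="$2" '
        BEGIN {
            n = split(list, k, ",")
            for (i = 1; i <= n; i++) keep[k[i]] = 1
        }
        {
            n = split($4, m, ",")          # field 4 = member list
            for (i = 1; i <= n; i++)
                if (m[i] == user && !($1 in keep)) print $1
        }' "$3"
}

# Constructed sample in /etc/group format (name:password:GID:members).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
john:x:1001:
accounts:x:1002:john,mary
sales:x:1003:mary
support:x:1004:john
wheel:x:10:john
EOF

# "usermod -G accounts,sales john" would silently drop these memberships:
groups_lost john accounts,sales "$sample"
# Listing every current group as well leaves nothing to lose (prints nothing):
groups_lost john accounts,sales,support,wheel "$sample"
```

In the sample, the first call reports support and wheel, which shows how an unqualified -G can remove a user's sudo access as a side effect.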

An existing group may be deleted from a system using the groupdel utility:

# groupdel accounts

Note that if the group to be deleted is the primary or initial group for any user it cannot be deleted. The user must first be deleted, or assigned a new primary group using the usermod command before the group can be removed. A user can be assigned to a new primary group using the usermod -g option:

# usermod -g sales john
# groupdel accounts

To find out the groups to which a user belongs, simply run the groups command. For example:

$ groups john
john : john accounts support

By default, a user account will not be able to perform tasks that require superuser (root) privileges unless they know the root password. It is, however, possible to configure a user account so that privileged tasks can be performed using the wheel group, for example:

# usermod -aG wheel john

Once added to the wheel group, the user will be able to perform otherwise restricted tasks using sudo as follows:

$ sudo dnf update
[sudo] password for demo:
Updating Subscription Management repositories.
.
.

The sudo capabilities of the wheel group may be modified by editing the /etc/sudoers file and locating the following section:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
 
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

To disable sudo for all wheel group members, comment out the second line as follows:

## Allows people in group wheel to run all commands
# %wheel  ALL=(ALL)       ALL

To allow wheel group members to use sudo without entering a password (for security reasons this is not recommended), uncomment the corresponding line in the sudoers file:

## Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL

It is worth noting here that behind the scenes, all of these commands are simply making changes to the /etc/passwd, /etc/group and /etc/shadow files on the system.
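
As an added example (not from the original chapter), the script below audits copies of these files to list every account that reaches sudo through wheel, whether by supplementary or primary group, and to flag an active NOPASSWD rule. The function names and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit who can use sudo through the wheel group, reading copies of the files
# the chapter names. All file contents below are constructed samples.

# wheel_members PASSWD GROUP -> users with wheel as supplementary or primary group
wheel_members() {
    awk -F: '
        FNR == NR {                        # first file: group (name:pw:GID:members)
            if ($1 == "wheel") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # passwd: field 4 = primary GID
        END { for (u in seen) print u }' "$2" "$1" | sort
}

# wheel_rules SUDOERS -> active (uncommented) %wheel rules
wheel_rules() { grep -E '^[[:space:]]*%wheel[[:space:]]' "$1"; }

# wheel_nopasswd SUDOERS -> succeeds if an active %wheel rule has NOPASSWD
wheel_nopasswd() { wheel_rules "$1" | grep -q 'NOPASSWD'; }

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'john:x:1001:1001::/home/john:/bin/bash' \
    'ops:x:1002:10::/home/ops:/bin/bash' >"$dir/passwd"
printf '%s\n' 'wheel:x:10:john' 'john:x:1001:' 'accounts:x:1002:john,mary' >"$dir/group"
cat >"$dir/sudoers" <<'EOF'
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
sed 's/^# %wheel/%wheel/' "$dir/sudoers" >"$dir/sudoers.weak"  # NOPASSWD line enabled

wheel_members "$dir/passwd" "$dir/group"
wheel_nopasswd "$dir/sudoers" && echo "default: NOPASSWD active" || echo "default: password required"
wheel_nopasswd "$dir/sudoers.weak" && echo "weak: NOPASSWD active" || echo "weak: password required"
```

On a live system, sudo -l -U john run as root shows the effective rules, including any from files under /etc/sudoers.d. Edit /etc/sudoers with visudo so that a syntax error is caught before it is saved.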

User Management with Cockpit

If the Cockpit web interface is installed and enabled on the system (a topic covered in the chapter entitled An Overview of the RHEL 8 Cockpit Web Interface), a number of user management tasks can be performed within the Accounts screen shown in Figure 9-1 below:


Figure 9-1

The screen will display any existing user accounts on the system and provides a button to add additional accounts. To create a new account, click on the Create New Account button and enter the requested information in the resulting dialog (Figure 9-2). Note that the option is also available to create the account but to lock it until later:


Figure 9-2

To modify a user account, select it from the main screen and make any modifications to the account details:


Figure 9-3

This screen allows a variety of tasks to be performed including locking or unlocking the account, changing the password or forcing the user to configure a new password. If the Server Administrator option is selected, the user will be added to the wheel group and permitted to use sudo to perform administrative tasks. A button is also provided to delete the user from the system.

If the user will be accessing the system remotely using an SSH connection with key-based authentication, the user’s public key may be added within this screen. SSH access and authentication will be covered later in Configuring SSH Key-based Authentication on RHEL.


Summary

As a multi-user operating system, RHEL 8 has been designed to support controlled access for multiple users. During installation, the root user account was created and assigned a password and the option to create a user account was also provided. Additional user accounts may be added to the system using a set of command-line tools or via the Cockpit web interface. In addition to user accounts, Linux also implements the concept of groups. New groups can be added and users assigned to those groups using command-line tools and each user must belong to at least one group. By default a standard, non-root user does not have permission to perform privileged tasks. Users that are members of the special wheel group, however, may perform privileged tasks by making use of the sudo command.

