Manage Users and Groups in Red Hat Enterprise Linux

Introduction

In this lab, you will gain essential skills in managing local users and groups within a Red Hat Enterprise Linux (RHEL) environment. You will begin by understanding fundamental user and group concepts, including how to identify user and group information and file ownership.

Subsequently, you will learn how to obtain superuser access, create and modify local user accounts, manage local group accounts, and configure user password policies. This hands-on experience will equip you with the knowledge to effectively control access and permissions on your Linux system.

Understand User and Group Concepts

In this step, you will learn about fundamental user and group concepts in Red Hat Enterprise Linux (RHEL) and how to use various commands to inspect user and group information. Understanding these concepts is crucial for managing permissions and access control on a Linux system.

Every file and process on a Linux system is associated with a user and a group. This association determines who can read, write, or execute files, and who can manage processes.

First, let's explore how to identify the current user and other users on the system using the id command.

Use the id command to show information about the currently logged-in user. This command displays the user ID (UID), primary group ID (GID), and all groups the user belongs to.
```
id
```
You should see output similar to this, indicating your labex user information:
```
uid=1000(labex) gid=1000(labex) groups=1000(labex),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
To view basic information about another user, such as the root user, pass the username to the id command as an argument.
```
id root
```
The output will show the root user's UID (0), GID (0), and groups:
```
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Next, you will learn how to identify the owner of files and directories using the ls command.

Use the ls -l command to view the owner of a file. First, create a dummy file in your ~/project directory.
```
touch ~/project/mytextfile.txt
ls -l ~/project/mytextfile.txt
```
The output will show labex as both the user and group owner of mytextfile.txt:
```
-rw-r--r-- 1 labex labex 0 Feb  5 11:10 /home/labex/project/mytextfile.txt
```
Use the ls -ld command to view the owner of a directory, rather than the contents of that directory. In the following output, the third column shows the username and the fourth column shows the group name.
```
ls -ld ~/project
```
You will see labex as the owner of your ~/project directory:
```
drwxr-xr-x 2 labex labex 6 Feb  5 11:10 /home/labex/project
```

Now, let's examine how to view process information and the user associated with each process using the ps command.

Use the ps -au command to view processes. The a option shows all processes with a terminal, and the u option displays the user that is associated with a process. In the following output, the first column shows the username.

ps -au

You will see various processes, with labex and root as common users:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10608  3808 ?        Ss   00:00   0:00 /sbin/init
root        42  0.0  0.0  10608  3808 ?        Ss   00:00   0:00 /sbin/init
labex      123  0.0  0.1 224152  5756 pts/0    Ss   00:00   0:00 -bash
labex      150  0.0  0.0 225556  3652 pts/0    R+   00:00   0:00 ps -au

Finally, you will explore the /etc/passwd and /etc/group files, which store user and group information, respectively. These files are critical for understanding how user and group accounts are defined on a Linux system.

Each line in the /etc/passwd file contains information about one user. The file is divided into seven colon-separated fields. Use cat to view its contents.
```
cat /etc/passwd
```
Locate the entry for labex and root. For labex, it should look similar to this:
```
labex:x:1000:1000:LabEx User:/home/labex:/bin/bash
```
Let's break down each field:
- labex: The username for this user.
- x: The user's encrypted password was historically stored here; this is now a placeholder, as passwords are stored in /etc/shadow for security.
- 1000: The UID number for this user account.
- 1000: The GID number for this user account's primary group.
- LabEx User: A brief comment, description, or the real name for this user.
- /home/labex: The user's home directory, and the initial working directory when the login shell starts.
- /bin/bash: The default shell program for this user that runs at login.
Each line in the /etc/group file contains information about one group. Each group entry is divided into four colon-separated fields. Use cat to view its contents.
```
cat /etc/group
```
You will see entries for various system groups and user-private groups. For example, the labex group entry might look like this:
```
labex:x:1000:
```
Let's break down each field:
- labex: Name for this group.
- x: Obsolete group password field; this is now a placeholder.
- 1000: The GID number for this group.
- (empty): A list of users that are members of this group as a secondary group. If this field is empty, it means no additional users are explicitly listed as secondary members of this group (though the primary user labex is implicitly a member).
Primary Groups and Secondary Groups:
Every user has exactly one primary group. For local users, this group is listed by GID in the /etc/passwd file. The primary group owns files that the user creates. When creating a regular user, a group is often created with the same name as the user, to be the primary group for the user. The user is typically the only member of this User Private Group. This design simplifies file permission management.

Users might also have secondary groups. Membership in secondary groups is stored in the /etc/group file. Users are granted access to files based on whether any of their groups have access, regardless of whether the groups are primary or secondary. For example, if the labex user has a labex primary group and wheel as a secondary group, then that user can read files that any of those two groups can read.

The id command can show all group memberships for a user. Recall the output of id for labex:
```
uid=1000(labex) gid=1000(labex) groups=1000(labex),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
Here, gid=1000(labex) indicates labex is the primary group. groups=1000(labex),10(wheel) lists all group memberships, showing labex as the primary group and wheel as a secondary group.

Gain Superuser Access

In this step, you will learn how to gain superuser access (root privileges) on a RHEL system. Superuser access is essential for performing administrative tasks such as installing software, managing users, and configuring system settings. You will explore the su and sudo commands, which are the primary tools for privilege escalation.

The su (substitute user) command allows you to switch to another user account. When used without a username, it defaults to the root user.

Use the su - command to switch to the root user. The hyphen (-) option ensures that you get a login shell, which means the root user's environment variables and path will be loaded. You will be prompted for the root password, which is redhat.
```
su -
```
After entering the password redhat, your prompt will change to [root@host ~]#, indicating you are now the root user.
```
Password:
[root@host ~]#
```
To verify you are root, you can run the whoami command:
```
whoami
```
The output should be:
```
root
```
To exit the root shell and return to your labex user, type exit.
```
exit
```
Your prompt will return to [labex@host ~]$.

The sudo (superuser do) command allows a permitted user to execute a command as the superuser or another user, as specified by the sudoers file. The labex user is configured to have sudo privileges without requiring a password, which is common in many cloud and lab environments.

Use the sudo -i command to switch to the root account. This command is generally preferred over su - because it provides a more secure way to run commands with elevated privileges. When you use sudo -i, you are still using your own user account but with root privileges, and commands are logged to your account, making it easier to track what was done.
```
sudo -i
```
Your prompt will change to [root@host ~]#, indicating you are now the root user.
```
[root@host ~]#
```
Again, you can verify with whoami:
```
whoami
```
The output should be:
```
root
```
To exit the root shell and return to your labex user, type exit.
```
exit
```
Your prompt will return to [labex@host ~]$.
You can also use sudo to run a single command with root privileges without switching to the root shell. For example, to view the contents of /etc/shadow (which is only readable by root), you can use sudo cat /etc/shadow.
```
sudo cat /etc/shadow | head -n 3
```
This will display the first three lines of the /etc/shadow file, demonstrating that the cat command was executed with root privileges.
```
root:*:19780:0:99999:7:::
bin:*:19780:0:99999:7:::
daemon:*:19780:0:99999:7:::
```
The /etc/sudoers file is the main configuration file for the sudo command. It defines which users or groups can run which commands with elevated privileges. To avoid problems if multiple administrators try to edit the file at the same time, you should edit it only with the special visudo command. The visudo editor also validates the file, to ensure no syntax errors.

A common entry in /etc/sudoers allows members of the wheel group to run any command as root. The labex user is a member of the wheel group, which is why sudo works without a password.
```
sudo grep wheel /etc/sudoers
```
You should see a line similar to this, which grants sudo access to the wheel group:
```
%wheel        ALL=(ALL:ALL)       ALL
```
This line means:
- %wheel: The rule applies to members of the wheel group. The % symbol denotes a group.
- ALL=(ALL:ALL): On any host (first ALL), users in the wheel group can run commands as any user (second ALL) and any group (third ALL).
- ALL: Users in the wheel group can run any command.

This concludes your exploration of gaining superuser access. You now understand the difference between su - and sudo -i and how to execute commands with elevated privileges.

Create and Modify Local User Accounts

In this step, you will learn how to create, modify, and delete local user accounts on a RHEL system. Managing user accounts is a fundamental administrative task, ensuring that each user has appropriate access and permissions. You will use commands like useradd, usermod, userdel, and passwd.

First, let's create a new user account.

Use the useradd command to create a new user. By default, useradd creates a new user with a UID greater than or equal to 1000, creates a home directory (/home/username), and sets the default shell to /bin/bash. You need sudo privileges to run this command. Let's create a user named testuser01.
```
sudo useradd testuser01
```
After creating the user, you can verify its existence in /etc/passwd and check its home directory.
```
grep testuser01 /etc/passwd
ls -ld /home/testuser01
```
You should see output similar to this:
```
testuser01:x:1001:1001::/home/testuser01:/bin/bash
drwx------. 2 testuser01 testuser01 6 Mar  4 15:22 /home/testuser01
```
By default, newly created users do not have a password set, which means they cannot log in. You need to set a password for testuser01 using the passwd command.
```
sudo passwd testuser01
```
You will be prompted to enter a new password. For this lab, use labexrhel9 as the password for testuser01. You might see a "BAD PASSWORD" warning, but you can proceed.
```
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
```
Now, try to switch to testuser01 using su -.
```
su - testuser01
```
Enter the password labexrhel9 when prompted. Your prompt should change to [testuser01@host ~]$.
```
Password:
[testuser01@host ~]$
```
To return to your labex user, type exit.
```
exit
```

Next, let's modify an existing user account using the usermod command. The usermod command allows you to change various properties of a user, such as their home directory, shell, or group memberships.

Let's change the comment field (full name) for testuser01 to "Test User One".
```
sudo usermod -c "Test User One" testuser01
```
Verify the change by checking the /etc/passwd file again.
```
grep testuser01 /etc/passwd
```
The output should now reflect the updated comment:
```
testuser01:x:1001:1001:Test User One:/home/testuser01:/bin/bash
```
You can also lock or unlock a user account. Locking an account prevents the user from logging in, while unlocking it re-enables login.

To lock the testuser01 account:
```
sudo usermod -L testuser01
```
Now, try to switch to testuser01 again.
```
su - testuser01
```
You will be prompted for the password, but even with the correct password, the login will fail:
```
Password:
su: Authentication failure
```
To unlock the testuser01 account:
```
sudo usermod -U testuser01
```
Try to switch to testuser01 again, and it should succeed. Remember to exit to return to labex.
```
su - testuser01
## Enter password 'labexrhel9'
exit
```

Finally, let's delete the user account you created.

Use the userdel command to remove a user. By default, userdel removes the user's entry from /etc/passwd but leaves their home directory intact. This can lead to orphaned files.
```
sudo userdel testuser01
```
Verify that the user is removed from /etc/passwd, but the home directory still exists.
```
grep testuser01 /etc/passwd
ls -ld /home/testuser01
```
The grep command should return no output, indicating the user is gone. The ls -ld command will show the home directory still exists, but its ownership will appear as numeric UIDs/GIDs since the user no longer exists.
```
drwx------ 2 1001 1001 83 Mar  4 15:22 /home/testuser01
```
Note: In some RHEL versions or configurations, userdel might remove the home directory by default if it's empty or if the user was the sole owner. However, it's safer to explicitly use the -r option to ensure the home directory is removed.
To remove the user and their home directory, use the -r option with userdel. Let's create a new user testuser02 to demonstrate this properly.
```
sudo useradd testuser02
sudo passwd testuser02 ## You'll be prompted to enter 'labexrhel9'
```
Now, remove testuser02 and its home directory:
```
sudo userdel -r testuser02
```
Verify that both the user entry and the home directory are removed.
```
grep testuser02 /etc/passwd
ls -ld /home/testuser02
```
Both commands should indicate that testuser02 and its home directory no longer exist.
```
ls: cannot access '/home/testuser02': No such file or directory
```

This concludes your practice with creating, modifying, and deleting local user accounts.

Manage Local Group Accounts

In this step, you will learn how to manage local group accounts on a RHEL system. Groups are fundamental for managing permissions efficiently, allowing you to grant access to multiple users simultaneously. You will use commands like groupadd, groupmod, and groupdel, and also revisit usermod for managing user-group memberships.

First, let's create a new group.

Use the groupadd command to create a new group. By default, groupadd assigns the next available GID from the range specified in /etc/login.defs. You need sudo privileges to run this command. Let's create a group named developers.
```
sudo groupadd developers
```
You can verify the creation of the group by checking the /etc/group file.
```
grep developers /etc/group
```
You should see an entry similar to this:
```
developers:x:1002:
```
You can also specify a particular GID for the group using the -g option. Let's create another group named testers with a specific GID, for example, 2000.
```
sudo groupadd -g 2000 testers
```
Verify the GID of the testers group.
```
grep testers /etc/group
```
The output should confirm the specified GID:
```
testers:x:2000:
```

Next, let's modify an existing group using the groupmod command.

You can change the name of a group using the -n option. Let's rename testers to qa_team.
```
sudo groupmod -n qa_team testers
```
Verify the name change in /etc/group.
```
grep qa_team /etc/group
```
The output should show the new name with the original GID:
```
qa_team:x:2000:
```
You can also change the GID of a group using the -g option. Let's change the GID of qa_team to 2001.
```
sudo groupmod -g 2001 qa_team
```
Verify the GID change.
```
grep qa_team /etc/group
```
The output should reflect the new GID:
```
qa_team:x:2001:
```

Now, let's manage user memberships within these groups. You will use the usermod command for this. First, create a couple of test users.

Create userA and userB and set their passwords to labexrhel9.
```
sudo useradd userA
sudo passwd userA
```
Type labexrhel9 as the password for userA.
```
sudo useradd userB
sudo passwd userB
```
Type labexrhel9 as the password for userB.
Add userA to the developers group as a secondary group. Use the -a (append) and -G (groups) options with usermod.
```
sudo usermod -aG developers userA
```
Verify userA's group memberships using the id command.
```
id userA
```
You should see developers listed in the groups section:
```
uid=1003(userA) gid=1003(userA) groups=1003(userA),1002(developers)
```
Add userB to both developers and qa_team groups as secondary groups.
```
sudo usermod -aG developers,qa_team userB
```
Verify userB's group memberships.
```
id userB
```
You should see both developers and qa_team listed:
```
uid=1004(userB) gid=1004(userB) groups=1004(userB),1002(developers),2001(qa_team)
```
You can also change a user's primary group using the -g option with usermod. Let's change userA's primary group to developers.
```
sudo usermod -g developers userA
```
Verify userA's primary group.
```
id userA
```
The gid field should now show developers:
```
uid=1003(userA) gid=1002(developers) groups=1002(developers)
```
Note: When you change a user's primary group, they are removed from their old primary group's membership list in /etc/group if that group was also a secondary group. In this case, userA's original primary group (userA) is no longer listed as a secondary group.

Finally, let's delete the groups and test users you created.

Use the groupdel command to remove a group. You cannot delete a group if it is the primary group for any user. First, change userA's primary group back to its default (or another existing group) before deleting developers.
```
sudo usermod -g userA userA ## Change userA's primary group back to userA
sudo groupdel developers
```
Verify that developers is removed from /etc/group.
```
grep developers /etc/group
```
This command should return no output.
Delete the qa_team group.
```
sudo groupdel qa_team
```
Verify its removal.
```
grep qa_team /etc/group
```
This command should also return no output.

Clean up the test users.

sudo userdel -r userA
sudo userdel -r userB

This concludes your practice with managing local group accounts and user-group memberships.

Configure User Password Policies

In this step, you will learn how to configure user password policies on a RHEL system. Password policies are crucial for enhancing security by enforcing rules on password complexity, expiration, and account locking. You will explore the /etc/shadow file and the chage command.

First, let's understand the /etc/shadow file, which stores encrypted password information and password aging parameters for user accounts. This file is highly sensitive and is only readable by the root user.

Each user has an entry in the /etc/shadow file. Let's create a new user policyuser and set its password to labexrhel9 for demonstration purposes.
```
sudo useradd policyuser
sudo passwd policyuser
```
Type labexrhel9 as the password for policyuser.
Now, view the entry for policyuser in /etc/shadow.
```
sudo grep policyuser /etc/shadow
```
You will see an output similar to this:
```
policyuser:$6$randomsalt$encryptedhash:19780:0:99999:7:::
```
Let's break down each field, separated by a colon:
- policyuser: Name of the user account.
- $6$randomsalt$encryptedhash: The encrypted password of the user.
  - $6: The hashing algorithm in use for this password (SHA-512, the RHEL 9 default).
  - randomsalt: The salt used to encrypt the password; originally chosen at random.
  - encryptedhash: The encrypted hash of the user's password.
- 19780: The days from the epoch (1970-01-01 UTC) when the password was last changed. This number will vary based on the current date.
- 0: The minimum days since the last password change before the user can change it again.
- 99999: The maximum days without a password change before the password expires. An empty field means the password never expires.
- 7: The number of days ahead to warn the user that their password will expire.
- (empty): The number of days without activity, starting with the day the password expired, before the account is automatically locked.
- (empty): The day when the account expires in days since the epoch. An empty field means the account never expires.
- The last field is typically empty and reserved for future use.

Next, you will use the chage command to modify these password aging parameters. The chage command allows you to change user password expiry information.

Let's set a password policy for policyuser with the following rules:
- Minimum days between password changes: 7 days (-m 7)
- Maximum days between password changes: 90 days (-M 90)
- Warning period before password expires: 14 days (-W 14)
- Inactivity period after password expires before account locks: 30 days (-I 30)
```
sudo chage -m 7 -M 90 -W 14 -I 30 policyuser
```

To verify these changes, you can use chage -l (list) to display the current password aging information for policyuser.

sudo chage -l policyuser

You should see output reflecting the new policy:

Last password change     : Mar 04, 2024
Password expires     : Jun 02, 2024
Password inactive     : Jul 02, 2024
Account expires      : never
Minimum number of days between password change  : 7
Maximum number of days between password change  : 90
Number of days of warning before password expires : 14

Note: The dates will vary based on when you perform the lab.

You can also set an absolute account expiration date using the -E option. Let's set policyuser's account to expire in 30 days from today. First, get today's date and calculate the date 30 days from now.
```
EXPIRY_DATE=$(date -d "+30 days" +%Y-%m-%d)
echo "Account will expire on: $EXPIRY_DATE"
sudo chage -E $EXPIRY_DATE policyuser
```
Verify the account expiration date.
```
sudo chage -l policyuser | grep "Account expires"
```
The output should show the calculated expiration date:
```
Account expires      : Apr 03, 2024
```
Note: The date will be approximately 30 days from your current lab date.
To remove the account expiration date, you can use chage -E -1 policyuser.
```
sudo chage -E -1 policyuser
sudo chage -l policyuser | grep "Account expires"
```
The output should revert to never:
```
Account expires      : never
```

Finally, clean up the policyuser account.

sudo userdel -r policyuser

This concludes your practice with configuring user password policies. You now understand how to inspect and modify password aging parameters using the /etc/shadow file and the chage command.

Summary

In this lab, you learned fundamental concepts of user and group management in Red Hat Enterprise Linux (RHEL). You began by understanding how users and groups are associated with files and processes, and how to inspect user and group information using the id command for both the current user and other system users like root. You also practiced identifying file and directory ownership using the ls -l and ls -ld commands, respectively, which is crucial for understanding permissions and access control.

The lab further guided you through gaining superuser access, creating and modifying local user accounts, managing local group accounts, and configuring user password policies. These steps provided practical experience in essential system administration tasks, enabling you to effectively manage user access and security on a Linux system.