Create Users and Groups on Oracle Linux



Introduction

When administering a Linux system, you will eventually need to create users and groups, whether for a particular software installation or to perform a specific task. Groups are also an effective way to control access to directories.

Objectives

In this tutorial, you will learn how to:

  • Create a new user and explore the user's home directory
  • Create a new group and add a user to the group
  • Utilize the user private group scheme and implement write access to a directory
  • Administer the sudo command for granting root privileges

Prerequisites

  • Minimum of a single Oracle Linux system

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Access to the Internet

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git
  3. Change into the working directory.

    cd linux-virt-labs/ol
  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml
  5. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"

    The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Administer User Accounts

  1. Open a terminal and connect via SSH to the ol-node-01 instance.

    ssh oracle@<ip_address_of_instance>
  2. Become the root user.

    sudo su -
  3. As the root user, add a user named alice.

    useradd alice

    This command adds the user to the /etc/passwd file.

  4. View the alice entry in the /etc/passwd file.

    grep alice /etc/passwd

    Example Output:

    alice:x:1002:1002::/home/alice:/bin/bash

    The output shows:

    • The new user’s UID and GID are the same (1002)
    • Creation of a home directory for the new user (/home/alice)
    • The default shell for the new user is /bin/bash
  5. View the home directories.

    ls -l /home

    Example Output:

    total 0
    drwx------. 2 alice  alice  62 Aug 18 09:50 alice
    drwx------. 4 opc    opc    90 Aug 18 09:48 opc
    drwx------. 3 oracle oracle 74 Aug 18 09:48 oracle

    The opc and oracle users already exist in this example.

    The useradd command creates a home directory for the new user because the CREATE_HOME parameter in /etc/login.defs is set to yes.

  6. View the CREATE_HOME parameter in the /etc/login.defs file.

    grep CREATE_HOME /etc/login.defs

    Example Output:

    CREATE_HOME	yes
  7. View the default settings for a new user, stored in /etc/default/useradd.

    cat /etc/default/useradd

    Example Output:

    # useradd defaults file
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes

    The SKEL parameter points to the skeleton directory, /etc/skel, whose contents are copied into every new user's home directory.

  8. View the contents of the /etc/skel directory.

    ls -la /etc/skel

    Example Output:

    total 24
    drwxr-xr-x.   2 root root   62 Jun 20 15:48 .
    drwxr-xr-x. 116 root root 8192 Aug 18 09:56 ..
    -rw-r--r--.   1 root root   18 Aug  2  2022 .bash_logout
    -rw-r--r--.   1 root root  141 Aug  2  2022 .bash_profile
    -rw-r--r--.   1 root root  376 Aug  2  2022 .bashrc
  9. View the contents of the alice home directory.

    ls -la /home/alice

    Example Output:

    total 12
    drwx------. 2 alice alice  62 Aug 18 09:50 .
    drwxr-xr-x. 5 root  root   44 Aug 18 09:50 ..
    -rw-r--r--. 1 alice alice  18 Aug  2  2022 .bash_logout
    -rw-r--r--. 1 alice alice 141 Aug  2  2022 .bash_profile
    -rw-r--r--. 1 alice alice 376 Aug  2  2022 .bashrc

    The system copies the contents of SKEL (/etc/skel) to the new user’s home directory.

  10. View the new alice entry in the /etc/group file.

    grep alice /etc/group

    Example Output:

    alice:x:1002:

    When creating the new alice user, the system also creates a new private group named alice with GID 1002 (the same number as the UID), because Oracle Linux uses a user private group (UPG) scheme.

  11. Modify GECOS information for the alice user.

    View the alice entry in the /etc/passwd file before and after modifying GECOS information.

    grep alice /etc/passwd
    usermod -c "Alice Smith" alice
    grep alice /etc/passwd

    Example Output:

    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002::/home/alice:/bin/bash
    [root@ol-server ~]# usermod -c "Alice Smith" alice
    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
    [root@ol-server ~]#
  12. Create a password of AB*gh246 for the alice user.

    View the alice entry in the /etc/shadow file before and after creating a password for alice.

    grep alice /etc/shadow
    passwd alice
    grep alice /etc/shadow

    Example Output:

    [root@ol-server ~]# grep alice /etc/shadow
    alice:!!:19587:0:99999:7:::
    [root@ol-server ~]# passwd alice
    Changing password for user alice.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    [root@ol-server ~]# grep alice /etc/shadow
    alice:$6$Ulba2YCfMyrwZC8V$J0jWtJmaOa1vKN2yywyiN4AQpWfg1gDd6Duzm.TWEWHwFDYcxjjIuF2qrIO7rk8LsEBm6s//mgKa5jbqhfT9E.:19587:0:99999:7:::
    [root@ol-server ~]# 

    The !! placeholder that useradd writes into the password field, which prevents password logins until a password is set, is replaced with the hashed password value. The $6$ prefix identifies the hash as SHA-512 crypt.

  13. Exit the root login and log in as the alice user.

    Provide the password of AB*gh246 when prompted.

    exit
    su - alice

    Example Output:

    [root@ol-server ~]# exit
    logout
    [oracle@ol-server ~]$ su - alice
    Password: 
    [alice@ol-server ~]$ 
  14. Verify you are the alice user and your current directory is the alice user's home directory.

    whoami
    pwd

    Example Output:

    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$ pwd
    /home/alice
  15. Exit the alice user's shell and become the root user.

    exit
    sudo su -

    Example Output:

    [alice@ol-server ~]$ exit
    logout
    [oracle@ol-server ~]$ sudo su -
    Last login: Fri Aug 18 09:50:03 GMT 2023 on pts/0
    [root@ol-server ~]# 
  16. As the root user, add a user named mynewuser1, which is used later in this tutorial.

    useradd mynewuser1
  17. Create a password of XY*gh579 for the mynewuser1 user.

    passwd mynewuser1

    Example Output:

    [root@ol-server ~]# passwd mynewuser1
    Changing password for user mynewuser1.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
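The steps above read /etc/passwd and /etc/shadow with grep and interpret the fields by eye. The following script, added here as an example and not part of the Oracle tutorial, parses the same colon-separated formats and turns them into a small account audit: it classifies each account's password field (the !! that useradd sets, or the $6$ SHA-512 hash that passwd writes) and flags accounts that are outside the user private group scheme, have no password at all, or share UID 0 with root. The passwd and shadow lines are constructed for this example; the alice line mirrors the tutorial's output with a shortened, fake hash.

```shell
#!/bin/sh
# Added example (not from the tutorial): parse passwd(5) and shadow(5) entries
# and report the facts the tutorial reads from them by hand.

# Constructed /etc/passwd snippet: name:x:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
mynewuser1:x:1003:1003::/home/mynewuser1:/bin/bash
svcbackup:x:0:990:backup service:/var/lib/backup:/sbin/nologin'

# Constructed /etc/shadow snippet: name:password:lastchg:min:max:warn:inactive:expire:
# (hash bodies are fake placeholders, not real hashes)
SAMPLE_SHADOW='root:$6$SALTSALTSALTSALT$FAKEHASHFAKEHASH:19587:0:99999:7:::
alice:$6$Ulba2YCfMyrwZC8V$FAKEHASHFAKEHASH:19587:0:99999:7:::
mynewuser1:!!:19587:0:99999:7:::
svcbackup::19587:0:99999:7:::'

# passwd_field ENTRY N -> the Nth colon-separated field of a passwd/shadow line
passwd_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_password_state ENTRY -> empty | locked | sha512 | sha256 | yescrypt | md5 | other
shadow_password_state() {
    pw=$(passwd_field "$1" 2)
    case $pw in
        '')        echo empty ;;     # no password at all: no credential protects the account
        '!'*|'*'*) echo locked ;;    # !! from useradd, or a hash prefixed with ! by passwd -l
        '$6$'*)    echo sha512 ;;
        '$5$'*)    echo sha256 ;;
        '$y$'*)    echo yescrypt ;;
        '$1$'*)    echo md5 ;;
        *)         echo other ;;
    esac
}

# account_audit -> one line per account: name uid gid state [flags]
#   UID0   : a second account with UID 0 is indistinguishable from root
#   NOPASS : empty password field
#   NOUPG  : UID and GID differ, so the account is not in the user private group scheme
account_audit() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r name pw uid gid gecos home shell; do
        shadow_line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$name:")
        state=$(shadow_password_state "$shadow_line")
        flags=""
        [ "$uid" = 0 ] && [ "$name" != root ] && flags="$flags UID0"
        [ "$state" = empty ] && flags="$flags NOPASS"
        [ "$uid" = "$gid" ] || flags="$flags NOUPG"
        printf '%s %s %s %s%s\n' "$name" "$uid" "$gid" "$state" "$flags"
    done
}

# flagged_accounts -> comma-separated names of accounts that carry at least one flag
flagged_accounts() {
    account_audit | awk 'NF > 4 { printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

account_audit
echo "flagged: $(flagged_accounts)"
```

Run as a script it prints one line per account and then the flagged names; on a real system the two SAMPLE variables would be replaced by the contents of /etc/passwd and /etc/shadow (the latter readable only by root).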

Administer Group Accounts

  1. As the root user, add a group named staff.

    groupadd staff

    This command adds the group to the /etc/group file.

  2. View the last 10 entries in the /etc/group file.

    tail /etc/group

    Example Output:

    [root@ol-server ~]# tail /etc/group
    sshd:x:74:
    slocate:x:21:
    tcpdump:x:72:
    oracle-cloud-agent:x:985:oracle-cloud-agent,oracle-cloud-agent-updater,ocarun
    pcp:x:984:
    opc:x:1000:
    oracle:x:1001:
    alice:x:1002:
    mynewuser1:x:1003:
    staff:x:1004:
    [root@ol-server ~]# 

    The new group's GID (1004) is one higher than the last GID assigned (1003 for mynewuser1).

  3. Add the alice user to the staff group.

    View the staff group entry in the /etc/group file.

    usermod -aG 1004 alice
    grep staff /etc/group

    Example Output:

    [root@ol-server ~]# usermod -aG 1004 alice
    [root@ol-server ~]# grep staff /etc/group
    staff:x:1004:alice

    The alice user has a secondary group membership in the staff group.

  4. View the primary group membership for alice.

    grep alice /etc/passwd

    Example Output:

    [root@ol-server ~]# grep alice /etc/passwd
    alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash

    The alice user's primary group is still 1002.
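The two greps above show the distinction between a primary group (the GID field in /etc/passwd) and secondary group membership (the member list in /etc/group). The script below, added here as an example and not part of the Oracle tutorial, reconstructs that view from the two files the way the groups command does, and also answers the reverse question, which /etc/group alone cannot: who is in a group, counting users for whom it is only the primary group and who therefore never appear in its member list. The passwd and group lines are constructed to match the state reached at this point in the tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): derive group membership from
# passwd(5) and group(5) data.

# Constructed /etc/passwd snippet: name:x:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='opc:x:1000:1000::/home/opc:/bin/bash
oracle:x:1001:1001::/home/oracle:/bin/bash
alice:x:1002:1002:Alice Smith:/home/alice:/bin/bash
mynewuser1:x:1003:1003::/home/mynewuser1:/bin/bash'

# Constructed /etc/group snippet: name:x:GID:member,member,...
SAMPLE_GROUP='wheel:x:10:oracle
opc:x:1000:
oracle:x:1001:
alice:x:1002:
mynewuser1:x:1003:
staff:x:1004:alice'

# group_name_by_gid GID -> group name
group_name_by_gid() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v gid="$1" '$3 == gid { print $1 }'
}

# primary_group USER -> the group named by the GID field of the user's passwd entry
primary_group() {
    gid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    group_name_by_gid "$gid"
}

# supplementary_groups USER -> groups whose member list in /etc/group names USER
supplementary_groups() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# user_groups USER -> primary group followed by supplementary groups, like `groups`
user_groups() {
    { primary_group "$1"; supplementary_groups "$1"; } |
        awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# group_members GROUP -> every user in GROUP, including those for whom it is the
# primary group (the member field of /etc/group does not list them)
group_members() {
    gid=$(printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $3 }')
    {
        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
        printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '
            $1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    } | sort -u | awk '{ printf "%s%s", sep, $0; sep = "," } END { print "" }'
}

for u in alice oracle mynewuser1; do
    echo "$u: $(user_groups "$u")"
done
echo "staff members: $(group_members staff)"
```

The -a in usermod -aG matters: usermod -G on its own replaces the user's supplementary group list, so a user who was in wheel and is then given -G staff without -a loses wheel. Running group_members against the constructed data shows why grep on /etc/group understates membership for any group that is somebody's primary group.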

Implement User Private Groups

  1. As the root user, create the /staff directory.

    mkdir /staff
  2. View the /staff directory and its permissions.

    ls -ld /staff

    Example Output:

    [root@ol-server ~]# ls -ld /staff
    drwxr-xr-x. 2 root root 6 Aug 18 11:23 /staff
  3. Change group ownership for the /staff directory to the staff group.

    The -R option (recursive) sets the group for files and directories within /staff. After changing the group ownership, view the /staff directory and its permissions.

    chgrp -R staff /staff
    ls -ld /staff

    Example Output:

    [root@ol-server ~]# chgrp -R staff /staff
    [root@ol-server ~]# ls -ld /staff
    drwxr-xr-x. 2 root staff 6 Aug 18 11:23 /staff
    [root@ol-server ~]# 

    The owner of the /staff directory is still root, but the group is now staff.

  4. Set the setgid bit on the /staff directory.

    Then, view the permissions on the /staff directory.

    chmod -R 2775 /staff
    ls -ld /staff

    Example Output:

    [root@ol-server ~]# chmod -R 2775 /staff
    [root@ol-server ~]# ls -ld /staff
    drwxrwsr-x. 2 root staff 6 Aug 18 11:23 /staff

    The group now has write permission on /staff, and the s in the group execute position shows that the setgid bit is set: files created in /staff inherit the staff group instead of the creator's primary group.

  5. Add the mynewuser1 user to the staff group.

    View the staff entry in the /etc/group file after adding the mynewuser1 user.

    usermod -aG staff mynewuser1
    grep staff /etc/group

    Example Output:

    [root@ol-server ~]# usermod -aG staff mynewuser1
    [root@ol-server ~]# grep staff /etc/group
    staff:x:1004:alice,mynewuser1

    Both alice and mynewuser1 users have secondary group membership in the staff group.

  6. Become the mynewuser1 user.

    You are not prompted for the mynewuser1 user's password because you are currently the root user. Verify you are the mynewuser1 user and your current directory is the mynewuser1 user's home directory.

    su - mynewuser1
    whoami
    pwd

    Example Output:

    [root@ol-server ~]# su - mynewuser1
    [mynewuser1@ol-server ~]$ whoami
    mynewuser1
    [mynewuser1@ol-server ~]$ pwd
    /home/mynewuser1
  7. Display group membership for the mynewuser1 user.

    groups

    Example Output:

    [mynewuser1@ol-server ~]$ groups
    mynewuser1 staff

    The mynewuser1 user belongs to two groups: mynewuser1 (its private group) and staff.

  8. Change to the /staff directory.

    Create a new file in the /staff directory named mynewuser1_file. Display the permissions and ownership of the new file.

    cd /staff
    touch mynewuser1_file
    ls -l mynewuser1_file

    Example Output:

    [mynewuser1@ol-server ~]$ cd /staff
    [mynewuser1@ol-server staff]$ touch mynewuser1_file
    [mynewuser1@ol-server staff]$ ls -l mynewuser1_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 11:40 mynewuser1_file

    The file's group is staff, inherited from the setgid directory, and its permissions grant read/write to that group.

  9. Become the alice user.

    Provide the password of AB*gh246 when prompted. Verify you are the alice user.

    su - alice
    whoami

    Example Output:

    [mynewuser1@ol-server staff]$ su - alice
    Password: 
    Last login: Fri Aug 18 11:10:13 GMT 2023 on pts/0
    [alice@ol-server ~]$ whoami
    alice
    [alice@ol-server ~]$  
  10. Display group membership for the alice user.

    groups

    Example Output:

    [alice@ol-server ~]$ groups
    alice staff
    [alice@ol-server ~]$  

    The alice user belongs to two groups: alice (its private group) and staff.

  11. Change to the /staff directory.

    Create a new file in the /staff directory named alice_file. Display the permissions and ownership of the new files.

    cd /staff
    touch alice_file
    ls -l

    Example Output:

    [alice@ol-server ~]$ cd /staff
    [alice@ol-server staff]$ touch alice_file
    [alice@ol-server staff]$ ls -l
    total 0
    -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:06 mynewuser1_file

    The permissions are read/write on both files for the staff group.

  12. As the alice user, use the touch command to update the time stamp on the mynewuser1_file.

    View the files to verify the time has changed.

    touch mynewuser1_file
    ls -l

    Example Output:

    [alice@ol-server staff]$ touch mynewuser1_file
    [alice@ol-server staff]$ ls -l
    total 0
    -rw-rw-r--. 1 alice      staff 0 Aug 18 12:09 alice_file
    -rw-rw-r--. 1 mynewuser1 staff 0 Aug 18 12:11 mynewuser1_file

    Updating the time stamp succeeds because alice has write permission on the file through the staff group, even though mynewuser1 owns the file.

  13. Exit both the alice user's shell and the mynewuser1 user's shell, to return to the root user's shell.

    Verify that you are the root user.

    exit
    exit
    whoami

    Example Output:

    [alice@ol-server staff]$ exit
    logout
    [mynewuser1@ol-server staff]$ exit
    logout
    [root@ol-server ~]# whoami
    root
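The shared directory built above depends on three settings working together: group ownership, group write permission, and the setgid bit that makes new files inherit the directory's group. The script below, added here as an example and not part of the Oracle tutorial, checks those three settings on any directory and then demonstrates the inheritance in a temporary directory that any user can create, with the caller's own primary group standing in for staff. It assumes a Linux system with GNU coreutils (stat -c) and a filesystem that honours the setgid bit on directories.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a shared group directory and
# show that files created inside it inherit its group.

# shared_dir_check DIR GROUP -> prints "ok" (status 0) or the list of problems (status 1);
# GROUP may be a group name or a numeric GID
shared_dir_check() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        echo not-a-directory
        return 1
    fi
    perm=$(stat -c '%A' "$dir")      # e.g. drwxrwsr-x
    group=$(stat -c '%G' "$dir")
    gid=$(stat -c '%g' "$dir")
    problems=""
    [ "$group" = "$want" ] || [ "$gid" = "$want" ] || problems="$problems group-is-$group"
    case $perm in
        ?????w*) ;;                   # 6th character is the group write bit
        *) problems="$problems no-group-write" ;;
    esac
    [ -g "$dir" ] || problems="$problems no-setgid"   # test -g: set-group-ID bit is set
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "${problems# }"
    return 1
}

# shared_dir_demo -> "ok" when a fresh 2775 directory passes the check and a file
# created inside it inherits the directory's group; otherwise the reason
shared_dir_demo() {
    tmp=$(mktemp -d)
    mygid=$(id -g)                   # caller's primary GID stands in for the staff group
    mkdir "$tmp/shared"
    chmod 2775 "$tmp/shared"         # same mode the tutorial sets on /staff
    check=$(shared_dir_check "$tmp/shared" "$mygid" || true)
    : > "$tmp/shared/newfile"
    filegid=$(stat -c '%g' "$tmp/shared/newfile")
    rm -rf "$tmp"
    if [ "$check" = ok ] && [ "$filegid" = "$mygid" ]; then
        echo ok
    else
        echo "check=$check filegid=$filegid"
    fi
}

# plain_dir_demo -> the problems reported for an ordinary 0755 directory
plain_dir_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/plain"
    chmod 0755 "$tmp/plain"
    shared_dir_check "$tmp/plain" "$(id -g)" || true
    rm -rf "$tmp"
}

echo "2775 directory: $(shared_dir_demo)"
echo "0755 directory: $(plain_dir_demo)"
```

On the tutorial's system, shared_dir_check /staff staff reports ok after step 4 and would report no-setgid if the directory had been created with a plain chmod 775, the usual cause of files in a shared directory ending up owned by each creator's private group.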

Option 1: Create a New File in the /etc/sudoers.d Directory

This method is the preferred way to grant sudo privilege to a user. It is also more straightforward to automate in a script, and it takes effect without the user having to log out and back in again.

  1. Become the root user and create the user's sudoers file.

    sudo tee /etc/sudoers.d/200-alice > /dev/null << EOF
    alice ALL =(ALL) NOPASSWD: ALL
    EOF

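A fragment dropped into /etc/sudoers.d is only honoured when its name and mode are acceptable to sudo, and a syntax error in any fragment can prevent sudo from working at all, which is why a check before installation is worthwhile. The script below, added here as an example and not part of the Oracle tutorial, stages a fragment like the one above in a temporary directory, creates it with mode 0440 from the start, rejects names that sudoers(5) ignores (containing a . or ending in ~), and validates the syntax with visudo -cf when visudo is installed. The temporary paths are constructed for the example; the fragment it writes requires a password for sudo rather than using NOPASSWD.

```shell
#!/bin/sh
# Added example (not from the tutorial): stage and validate a /etc/sudoers.d fragment.

# sudoers_fragment_name_ok NAME -> 0 if sudoers would read a file with this name
# (sudoers(5) skips include files whose name contains a '.' or ends in '~')
sudoers_fragment_name_ok() {
    case $1 in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# write_sudoers_fragment DIR NAME USER -> writes DIR/NAME with mode 0440 and prints the path
write_sudoers_fragment() {
    dir=$1
    name=$2
    user=$3
    sudoers_fragment_name_ok "$name" || { echo "bad fragment name: $name" >&2; return 1; }
    path="$dir/$name"
    # umask 0337 in a subshell so the file is created as 0440 with no window
    # during which it is readable or writable more widely
    ( umask 0337; printf '%s ALL=(ALL) ALL\n' "$user" > "$path" )
    printf '%s\n' "$path"
}

# fragment_mode PATH -> octal mode as printed by GNU stat, e.g. 440
fragment_mode() { stat -c '%a' "$1"; }

# fragment_syntax_check PATH -> ok | syntax-error | check-failed | visudo-unavailable
fragment_syntax_check() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo visudo-unavailable
        return 0
    fi
    out=$(visudo -cf "$1" 2>&1) && { echo ok; return 0; }
    case $out in
        *"syntax error"*) echo syntax-error ;;
        *) echo check-failed ;;       # e.g. ownership complaints from older visudo versions
    esac
    return 0
}

# sudoers_fragment_demo -> "<mode> <syntax result>" for a well-formed fragment
sudoers_fragment_demo() {
    tmp=$(mktemp -d)
    path=$(write_sudoers_fragment "$tmp" 200-alice alice)
    printf '%s %s\n' "$(fragment_mode "$path")" "$(fragment_syntax_check "$path")"
    rm -rf "$tmp"
}

sudoers_fragment_demo
```

Only after the fragment passes these checks would it be copied into /etc/sudoers.d as root; on the real path visudo -cf /etc/sudoers.d/200-alice repeats the syntax check against the installed file.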
Option 2: Grant Elevated Privileges to a User

  1. As the root user, view the wheel entry in the /etc/sudoers file.

    grep wheel /etc/sudoers

    Example Output:

    ## Allows people in group wheel to run all commands
    %wheel	ALL=(ALL)	ALL
    # %wheel	ALL=(ALL)	NOPASSWD: ALL

    The %wheel ALL=(ALL) ALL entry in the /etc/sudoers file allows any member of the wheel group to execute any command when preceded by sudo.

  2. Add the alice user to the wheel group.

    Confirm the alice user is in the wheel group.

    usermod -aG wheel alice
    grep wheel /etc/group

    Example Output:

    [root@ol-server ~]# usermod -aG wheel alice
    [root@ol-server ~]# grep wheel /etc/group
    wheel:x:10:oracle,alice

    User alice has a secondary group membership in the wheel group.

  3. Become the alice user.

    You are not prompted for the alice user's password because you are currently the root user. Verify that you are now the alice user.

    su - alice
    whoami

    Example Output:

    [root@ol-server ~]# su - alice
    Last login: Fri Aug 18 13:09:18 GMT 2023 on pts/0
    [alice@ol-server ~]$ whoami
    alice
  4. As the alice user, add anotheruser2 using the sudo useradd command.

    Provide the password of AB*gh246 if prompted.

    sudo useradd anotheruser2

    Example Output:

    [alice@ol-server ~]$ sudo useradd anotheruser2
    [sudo] password for alice: 
  5. Verify anotheruser2 was added.

    Without sudo, the ls command fails because alice has no permission to read another user's home directory; prefixing it with sudo succeeds, which confirms that the alice user has sudo privileges.

    grep anotheruser2 /etc/passwd
    ls -la /home/anotheruser2
    sudo ls -la /home/anotheruser2

    Example Output:

    [alice@ol-server ~]$ grep anotheruser2 /etc/passwd
    anotheruser2:x:1005:1006::/home/anotheruser2:/bin/bash
    [alice@ol-server ~]$ ls -la /home/anotheruser2
    ls: cannot open directory '/home/anotheruser2': Permission denied
    [alice@ol-server ~]$ sudo ls -la /home/anotheruser2
    total 12
    drwx------. 2 anotheruser2 anotheruser2  62 Aug 18 13:14 .
    drwxr-xr-x. 8 root         root         101 Aug 18 13:14 ..
    -rw-r--r--. 1 anotheruser2 anotheruser2  18 Aug  2  2022 .bash_logout
    -rw-r--r--. 1 anotheruser2 anotheruser2 141 Aug  2  2022 .bash_profile
    -rw-r--r--. 1 anotheruser2 anotheruser2 376 Aug  2  2022 .bashrc 

Next Steps

This tutorial shows how to create users and groups on Oracle Linux. These users and groups can access the system and resources based on their permissions. For further topics and training, see the Related Links section below.
