Create users and groups on Oracle Linux
Introduction
The following tutorial provides step-by-step procedures to perform user and group administration on Oracle Linux. You will create users and groups, implement user private groups, and grant user elevated privileges.
Objectives
In this lab, you'll:
- Create a new user and explore user's home directory
- Create a new group and add user to group
- Utilize the user private group scheme and implement write access to a directory
- Administer the
sudocommand for granting root privileges
What Do You Need?
- A system with Oracle Linux installed
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Administer User Accounts
In this section, you use command-line utilities to create a new user account, view files that are updated when adding a new user, modify a user account, set a password for the new user, and log in as the new user.
Open a terminal and connect to your Oracle Linux instance.
Become the root user.
sudo su -As the root user, add a user named alice.
useradd aliceThe user is added to the
/etc/passwdfile.View the alice entry in the
/etc/passwdfile.grep alice /etc/passwd
The output shows:
- The new user’s UID and GID are the same (
1001). - A home directory was created for the new user (
/home/alice). - The default shell for the new user is
/bin/bash.
- The new user’s UID and GID are the same (
View the home directories.
ls -l /home
In this example, the opc user already existed.
A home directory was created for the new user because the CREATE_HOME parameter in/etc/login.defsis set toyes.View the CREATE_HOME parameter in the
/etc/login.defsfile.grep CREATE_HOME /etc/login.defs
View the default settings for a new user, stored in
/etc/default/useradd.cat /etc/default/useradd
The SKEL parameter is set to
/etc/skel.View the contents of the
/etc/skeldirectory.ls -la /etc/skel
View the contents of the alice home directory.
ls -la /home/alice
The contents of SKEL (
/etc/skel) are copied to the new user’s home directory.View the new alice entry in the
/etc/groupfile.grep alice /etc/group
Because Oracle Linux uses a user private group (UPG) scheme, a new private group (alice, GID=1001) was created when the alice user was created.
Modify GECOS information for the alice user. View the alice entry in the
/etc/passwdfile before and after modifying GECOS information.grep alice /etc/passwd usermod -c "Alice Smith" alice grep alice /etc/passwd
Create a password of
AB*gh246for the alice user. View the alice entry in the/etc/shadowfile before and after creating a password for alice.grep alice /etc/shadow passwd alice grep alice /etc/shadow
The
!!for alice is replaced with a hashed password value.Exit the root login and login as the alice user. Provide the password of
AB*gh246when prompted.exit su - alice
Verify you are the alice user and your current directory is the alice user's home directory.
whoami pwd
Exit the alice user's shell and become the root user.
exit sudo su -
As the root user, add a user named oracle which is used later in this lab.
useradd oracleCreate a password of
XY*gh579for the oracle user.passwd oracle
Administer Group Accounts
In this section, you create a new group account and add a user to this new group.
As the root user, add a group named staff.
groupadd staffThe group is added to the
/etc/groupfile.View the last 10 entries in the
/etc/groupfile.tail /etc/group
The GID (
1003) for the new group is incremented by one.Add the alice user to the staff group. View the staff group entry in the
/etc/groupfile.usermod -aG 1003 alice grep staff /etc/group
The alice user has a secondary group membership in the staff group.
View the primary group membership for alice.
grep alice /etc/passwd
The alice user's primary group is still
1001.
Implement User Private Groups
In this section, you use the User Private Groups scheme to give different users write access to files in a single directory.
As the root user, create the
/staffdirectory.mkdir /staffView the
/staffdirectory and its permissions.ls -ld /staff
Change group ownership for the
/staffdirectory to the staff group. The-Roption (recursive) sets the group for files and directories within/staff. View the/staffdirectory and its permissions after changing the group ownership.chgrp -R staff /staff ls -ld /staff
The owner of the
/staffdirectory is still root, but the group is now staff.Set the setgid bit on
/staffdirectory. Then view the permissions on the/staffdirectory.chmod -R 2775 /staff ls -ld /staff
The group permissions on the
/staffdirectory have changed.Add the oracle user to the staff group. View the staff entry in the
/etc/groupfile after adding the oracle user.usermod -aG staff oracle grep staff /etc/group
Both alice and oracle users have secondary group membership in the staff group.
Become the oracle user. You are not prompted for the oracle user's password because you currently are the root user. Verify you are the oracle user and your current directory is the oracle user's home directory.
su - oracle whoami pwd
Display group membership for the oracle user.
groups
The oracle user belongs to two groups - oracle and staff.
Change to the
/staffdirectory. Create a new file in the/staffdirectory namedoracle_file. Display the permissions and ownership of the new file.cd /staff touch oracle_file ls -l oracle_file
The permissions are read/write for the staff group.
Become the alice user. Provide the password of
AB*gh246when prompted. Verify you are the alice user.su - alice whoami
Display group membership for the alice user.
groups
The alice user belongs to two groups - alice and staff.
Change to the
/staffdirectory. Create a new file in the/staffdirectory namedalice_file. Display the permissions and ownership of the new files.cd /staff touch alice_file ls -l
The permissions are read/write on both files for the staff group.
As the alice user, use the
touchcommand to update the time stamp on theoracle_file. View the files to verify the time has changed.touch oracle_file ls -l
Updating the time stamp implies write permissions on the file as the alice user, even though the file was created by the oracle user.
Exit both the alice user's shell, and the oracle user's shell, to return to the root user's shell. Verify that you are the root user.
exit exit whoami
Option 1: Grant Elevated Privileges to a User
In this section, you grant sudo privileges to a user by adding an entry to the /etc/sudoers file.
Become the alice user. You are not prompted for alice password because you currently are the root user. Verify you are the alice user.
su - alice whoami
As the alice user, attempt to add newuser.
useradd newuser
The alice user does not have permission to add newuser.
Insert the
sudocommand before the previoususeraddcommand to add newuser. Provide the password ofAB*gh246when prompted.sudo useradd newuser
The attempt to issue this administrator command without proper authorization is reported in the
/var/log/securefile.Exit the alice user's shell to return to the root user's shell. View sudoers entries in the
/var/log/securefile.exit grep sudoers /var/log/secure
The alice : user NOT in sudoers entry for the attempted use of the
/sbin/useraddcommand is in the/var/log/securefile. Multiple entries are shown in the example. You might only have a single entry.As the root user, edit the
/etc/sudoersfile by using thevisudocommand.visudoThis command opens the
/etc/sudoersfile using thevimeditor.In the
/etc/sudoersfile, add the following line to grant the alice user permission to run the/sbin/useraddcommand.alice ALL=(ALL) /sbin/useraddThe new entry is highlighted. Save your changes and exit the
visudocommand.
Become the alice user. Attempt to add newuser without the
sudocommand. Insert thesudocommand and attempt to add newuser a second time. Provide the password ofAB*gh246when prompted.su - alice useradd newuser sudo useradd newuser
Verify newuser was added.
grep newuser /etc/passwd ls -l /home
The newuser now exists. With the alice entry in the
/etc/sudoersfile, the alice user hassudoprivileges to run the/sbin/useraddcommand.Exit the alice shell to return to the root shell. Use the
visudocommand and delete the alice entry from the/etc/sudoersfile that you added earlier in this lab.exit visudoThe entry to delete is highlighted. Delete the entire line, or as in this example, insert the
#character to comment out the line. Save your changes and exit thevisudocommand.
Verify the alice user can no longer add a new user. Become the alice user. Attempt to add anotheruser with the
sudocommand.su - alice sudo useradd anotheruser
The attempt to issue this administrator command without proper authorization is reported in the
/var/log/securefile.Exit the alice user's shell to return to the root user's shell.
exit
Option 2: Grant Elevated Privileges to a User
In this section, you grant sudo privileges by adding a user to the wheel group.
As the root user, view the wheel entry in the
/etc/sudoersfile.grep wheel /etc/sudoers
The %wheel ALL=(ALL) ALL entry in the
/etc/sudoersfile allows any member of the wheel group to execute any command, when preceded bysudo.Add the alice user to the wheel group. Confirm the alice user is in the wheel group.
usermod -aG wheel alice grep wheel /etc/group
User alice has a secondary group membership in the wheel group.
Become the alice user. You are not prompted for alice password because you currently are the root user. Verify you are the alice user.
su - alice whoamiAs the alice user, add thirduser using the
sudo useraddcommand. Provide the password ofAB*gh246if prompted.sudo useradd thirduser
Verify thirduser was added. The
lscommand fails until you insertsudoand provide alice password. This confirms the alice user hassudoprivileges.grep thirduser /etc/passwd ls -la /home/thirduser sudo ls -la /home/thirduser