How to create, modify, and delete local user accounts in Linux
A number of command-line tools can be used to manage local user accounts.
Creating Users from the Command Line
- The useradd username command creates a new user named username. It sets up the user’s home directory and account information, and creates a private group for the user named username. At this point the account does not have a valid password set, and the user cannot log in until a password is set.
- The useradd –help command displays the basic options that can be used to override the defaults. In most cases, the same options can be used with the usermod command to modify an existing user.
- Some defaults, such as the range of valid UID numbers and default password aging rules, are read from the /etc/login.defs ﬁle. Values in this ﬁle are only used when creating new users. A change to this ﬁle does not affect existing users.
Modifying Existing Users from the Command Line
The usermod –help command displays the basic options that can be used to modify an account. Some common options include:
|-c, –comment COMMENT||Add the user’s real name to the comment field.|
|-g, –gid GROUP||Specify the primary group for the user account.|
|-G, –groups GROUPS||Specify a comma-separated list of supplementary groups for the user account.|
|-a, –append||Used with the -G option to add the supplementary groups to the user’s current set of group memberships instead of replacing the set of supplementary groups with a new set.|
|-d, –home HOME_DIR||Specify a particular home directory for the user account.|
|-m, –move-home||Move the user’s home directory to a new location. Must be used with the -d option.|
|-s, –shell SHELL||Specify a particular login shell for the user account.|
|-L, –lock||Lock the user account.|
|-U, –unlock||Unlock the user account.|
Deleting Users from the Command Line
- The userdel username command removes the details of username from /etc/passwd, but leaves the user’s home directory intact. - The userdel -r username command removes the details of username from /etc/passwd and also deletes the user’s home directory.
WARNING: When a user is removed with userdel without the -r option speciﬁed, the system will have ﬁles that are owned by an unassigned UID. This can also happen when a ﬁle, having a deleted user as its owner, exists outside that user’s home directory. This situation can lead to information leakage and other security issues.
In CentOS/RHEL 7 and 8, the useradd command assigns new users the ﬁrst free UID greater than or equal to 1000, unless you explicitly specify one using the -u option. This is how information leakage can occur. If the ﬁrst free UID had been previously assigned to a user account that has since been removed from the system, the old user’s UID will get reassigned to the new user, giving the new user ownership of the old user’s remaining ﬁles.
The following scenario demonstrates this situation.
[[email protected] ~]# useradd user01 [[email protected] ~]# ls -l /home drwx------. 3 user01 user01 74 Feb 4 15:22 user01 [[email protected] ~]# userdel user01 [[email protected] ~]# ls -l /home drwx------. 3 1000 1000 74 Feb 4 15:22 user01 [[email protected] ~]# useradd user02 [[email protected] ~]# ls -l /home drwx------. 3 user02 user02 74 Feb 4 15:23 user02 drwx------. 3 user02 user02 74 Feb 4 15:22 user01
Notice that user02 now owns all ﬁles that user01 previously owned. Depending on the situation, one solution to this problem is to remove all unowned ﬁles from the system when the user that created them is deleted. Another solution is to manually assign the unowned ﬁles to a different user. The root user can use the find / -nouser -o -nogroup command to ﬁnd all unowned ﬁles and directories.
Setting Passwords from the Command Line
- The passwd username command sets the initial password or changes the existing password of username. - The root user can set a password to any value. A message is displayed if the password does not meet the minimum recommended criteria, but is followed by a prompt to retype the new password and all tokens are updated successfully.
[[email protected] ~]# passwd user01 Changing password for user user01. New password: new_passwd BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word Retype new password: new_passwd passwd: all authentication tokens updated successfully. [[email protected] ~]#
A regular user must choose a password at least eight characters long and is also not based on a dictionary word, the username, or the previous password.
Speciﬁc UID numbers and ranges of numbers are used for speciﬁc purposes by Red Hat Enterprise Linux.
- UID 0 is always assigned to the superuser account, root.
- UID 1-200 is a range of “system users” assigned statically to system processes by Red Hat.
- UID 201-999 is a range of “system users” used by system processes that do not own ﬁles on the ﬁle system. They are typically assigned dynamically from the available pool when the software that needs them is installed. Programs run as these “unprivileged” system users in order to limit their access to only the resources they need to function.
- UID 1000+ is the range available for assignment to regular users.