Managing Users and Groups in AlmaLinux

Published Jul 26, 2025

Learn how to effectively manage users and groups in AlmaLinux, including creating users, setting permissions, managing groups, and implementing security best practices for user administration.


User and group management is a fundamental aspect of Linux system administration. In AlmaLinux, proper user management ensures system security, resource allocation, and organized access control. This comprehensive guide will walk you through everything you need to know about managing users and groups in AlmaLinux.

Understanding Users and Groups

In AlmaLinux, every process and file is owned by a user. Users are identified by a unique User ID (UID), while groups are identified by a Group ID (GID). This identification system forms the foundation of Linux security and access control.

Key Concepts

  • User Account: Represents an individual who can log into the system
  • System Account: Used by services and daemons (typically UID < 1000)
  • Group: A collection of users with shared permissions
  • Primary Group: The main group assigned to a user
  • Secondary Groups: Additional groups a user belongs to

Important Files

  • /etc/passwd: Contains user account information
  • /etc/shadow: Stores hashed passwords and password aging data
  • /etc/group: Contains group information
  • /etc/gshadow: Stores hashed group passwords

Creating and Managing Users

Creating a New User

The primary command for creating users in AlmaLinux is useradd:

# Basic user creation
sudo useradd john

# Create user with specific home directory
sudo useradd -d /home/john john

# Create user with comment (full name)
sudo useradd -c "John Doe" john

# Create user with specific shell
sudo useradd -s /bin/bash john

# Create user with specific UID
sudo useradd -u 1500 john

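# Create user and set a pre-hashed password in one command
# (-6 selects SHA-512 crypt; the plaintext still lands in shell history and the
#  process list, so prefer setting it interactively with "sudo passwd john")
sudo useradd -m -p "$(openssl passwd -6 'password123')" john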

Complete User Creation Example

Here’s a comprehensive example of creating a user with all common options:

sudo useradd -m -d /home/johndoe -c "John Doe" -s /bin/bash -G wheel,developers johndoe
sudo passwd johndoe

This command:

  • -m: Creates home directory
  • -d: Specifies home directory path
  • -c: Adds a comment (full name)
  • -s: Sets the login shell
  • -G: Adds user to supplementary groups

Modifying User Accounts

Use the usermod command to modify existing user accounts:

# Change user's login name
sudo usermod -l newname oldname

# Change user's home directory
sudo usermod -d /new/home/dir -m username

# Add user to additional groups
sudo usermod -aG groupname username

# Change user's shell
sudo usermod -s /bin/zsh username

# Lock user account
sudo usermod -L username

# Unlock user account
sudo usermod -U username

# Set account expiration date
sudo usermod -e 2025-12-31 username

Deleting Users

Remove users with the userdel command:

# Delete user (keeps home directory)
sudo userdel username

# Delete user and home directory
sudo userdel -r username

# Force deletion (even if user is logged in)
sudo userdel -f username

Working with Groups

Creating Groups

# Create a new group
sudo groupadd developers

# Create group with specific GID
sudo groupadd -g 1500 developers

# Create system group
sudo groupadd -r systemgroup

Managing Group Membership

# Add user to group
sudo usermod -aG groupname username

# Remove user from group (edit /etc/group manually or use gpasswd)
sudo gpasswd -d username groupname

# Set group administrators
sudo gpasswd -A username groupname

# View user's groups
groups username

# View all groups
cat /etc/group

Modifying and Deleting Groups

# Rename group
sudo groupmod -n newname oldname

# Change group GID
sudo groupmod -g 1501 groupname

# Delete group
sudo groupdel groupname

User Account Properties

Viewing User Information

# Display user account information
id username

# Show all users
cat /etc/passwd

# Show logged-in users
who
w

# Show user's last login
last username

# Display user account status
sudo passwd -S username

Account Aging and Expiration

# Set password expiration
sudo chage -M 90 username  # Password expires after 90 days

# Set account expiration
sudo chage -E 2025-12-31 username

# View password aging information
sudo chage -l username

# Force password change on next login
sudo chage -d 0 username

Password Management

Setting and Changing Passwords

# Set/change user password (as root)
sudo passwd username

# Change your own password
passwd

# Set password in batch mode
echo "username:newpassword" | sudo chpasswd

# Generate secure password
openssl rand -base64 12

Password Policies

Configure password policies in /etc/security/pwquality.conf:

# Edit password quality requirements
sudo nano /etc/security/pwquality.conf

# Example settings:
minlen = 12          # Minimum password length
dcredit = -1         # At least one digit
ucredit = -1         # At least one uppercase
lcredit = -1         # At least one lowercase
ocredit = -1         # At least one special character

Managing /etc/login.defs

This file contains system-wide password and account settings:

# Important settings in /etc/login.defs
# (in the real file, keep each comment on its own line, not after the value)
# Maximum password age
PASS_MAX_DAYS   90
# Minimum password age
PASS_MIN_DAYS   7
# Minimum password length
PASS_MIN_LEN    8
# Password expiration warning
PASS_WARN_AGE   7
# Minimum UID for regular users
UID_MIN         1000
# Minimum GID for regular groups
GID_MIN         1000

File Permissions and Ownership

Understanding Permissions

Linux uses a three-tier permission system:

  • Owner (u): The user who owns the file
  • Group (g): The group that owns the file
  • Others (o): Everyone else

Each tier has three permissions:

  • Read (r): Value 4
  • Write (w): Value 2
  • Execute (x): Value 1

Changing Ownership

# Change file owner
sudo chown username filename

# Change file group
sudo chgrp groupname filename

# Change both owner and group
sudo chown username:groupname filename

# Recursive ownership change
sudo chown -R username:groupname directory/

Managing Permissions

# Symbolic method
chmod u+x filename      # Add execute for owner
chmod g-w filename      # Remove write for group
chmod o=r filename      # Set read-only for others
chmod a+r filename      # Add read for all

# Numeric method
chmod 755 filename      # rwxr-xr-x
chmod 644 filename      # rw-r--r--
chmod 600 filename      # rw-------

# Special permissions
chmod u+s filename      # Set SUID
chmod g+s directory     # Set SGID
chmod +t directory      # Set sticky bit

Special User Accounts

The root User

The root user (UID 0) has unlimited privileges. Best practices:

# Switch to root user
sudo su -

# Run single command as root
sudo command

# Edit sudoers file safely
sudo visudo

System Accounts

System accounts are used by services and typically have:

  • UID < 1000
  • No login shell (/sbin/nologin)
  • No home directory or a system directory

# Create system account
sudo useradd -r -s /sbin/nologin -d /nonexistent servicename

The nobody User

Used for unprivileged operations:

# View nobody user info
id nobody
getent passwd nobody

User Environment Configuration

Shell Configuration Files

User environment is configured through several files:

System-wide configuration:

  • /etc/profile: System-wide profile
  • /etc/bashrc: System-wide bash configuration
  • /etc/profile.d/: Directory for additional configurations

User-specific configuration:

  • ~/.bash_profile: User’s profile (login shells)
  • ~/.bashrc: User’s bash configuration (non-login shells)
  • ~/.bash_logout: Executed on logout

Setting Environment Variables

# In ~/.bashrc or ~/.bash_profile
export PATH=$PATH:/custom/path
export EDITOR=vim
export HISTSIZE=10000

# Set system-wide in /etc/environment
JAVA_HOME=/usr/lib/jvm/java-11

Default Files for New Users

Files in /etc/skel/ are copied to new user home directories:

# List skeleton directory
ls -la /etc/skel/

# Add custom file for all new users
sudo cp /path/to/customfile /etc/skel/

Security Best Practices

1. Strong Password Policies

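# Enforce password complexity
# (authconfig is a legacy compatibility wrapper on AlmaLinux 8 and is not shipped
#  on AlmaLinux 9; there, set the equivalent values in /etc/security/pwquality.conf)
sudo authconfig --passminlen=12 --enablereqlower --enablerequpper --enablereqdigit --enablereqother --update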

2. Limit User Access

# Restrict user to specific commands with sudo
# In /etc/sudoers or /etc/sudoers.d/username
username ALL=(ALL) /usr/bin/systemctl restart httpd

3. Account Security

# Disable unused accounts
sudo usermod -L unused_account

# Set account expiration for temporary users
sudo useradd -e 2025-12-31 tempuser

# Remove shell access for service accounts
sudo usermod -s /sbin/nologin serviceaccount
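
An audit of the account files covered in this guide, as an added example that is not part of the original article: it reads passwd- and shadow-format files and flags extra UID 0 accounts, empty password fields, MD5-crypt hashes, and system accounts that keep a login shell with a usable password. The function names and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag risky entries in passwd/shadow-format files.
# audit_accounts and demo_audit are hypothetical names.
audit_accounts() {
    # Pass 1 reads the shadow file (user -> hash field), pass 2 reads passwd.
    awk -F: '
        FNR == NR { hash[$1] = $2; next }
        !($1 in hash) { print "NO_SHADOW_ENTRY " $1; next }
        {
            user = $1; uid = $3; h = hash[user]
            can_login = ($7 !~ /(nologin|false)$/)
            locked = (h ~ /^[!*]/)
            if (uid == 0 && user != "root") print "UID0 " user
            if (h == "")                    print "EMPTY_PASSWORD " user
            if (h ~ /^\$1\$/)               print "MD5_HASH " user
            if (uid > 0 && uid < 1000 && can_login && !locked)
                print "SYSTEM_LOGIN " user
        }
    ' "$2" "$1"
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:service:/var/backup:/bin/bash
john:x:1000:1000:John Doe:/home/john:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$salt$placeholder:19000:0:99999:7:::
toor:$6$salt$placeholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:$6$salt$placeholder:19000:0:99999:7:::
john:!!:19000:0:90:7:::
guest::19000:0:99999:7:::
legacy:$1$salt$placeholder:19000:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo_audit
```

On a live system, call audit_accounts /etc/passwd /etc/shadow as root, since /etc/shadow is not readable by regular users.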

4. Monitor User Activity

# Check last login times
lastlog

# Monitor failed login attempts
sudo grep "Failed password" /var/log/secure

# Track user commands (if audit is enabled)
sudo aureport -x --summary
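
The grep for "Failed password" above returns raw lines. As an added example (not part of the original article), the function below groups those lines by source address and reports how many attempts targeted nonexistent accounts. The function names, the default threshold of 3, and the sample log lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: summarize failed SSH password attempts per source address.
# failed_logins and demo_failed_logins are hypothetical names.
# Usage: failed_logins LOGFILE [THRESHOLD]   (default threshold: 3)
failed_logins() {
    awk -v min="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is client-supplied text, so find the address by
            # position from the end of the line: "... from ADDR port N ssh2"
            if ($(NF - 4) != "from" || $(NF - 2) != "port") next
            ip = $(NF - 3)
            fails[ip]++
            if ($0 ~ /Failed password for invalid user /) invalid[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%d %s invalid=%d\n", fails[ip], ip, invalid[ip]
        }
    ' "$1" | sort -rn
}

# Constructed log lines in /var/log/secure format (documentation addresses).
demo_failed_logins() {
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
Jul 26 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 26 10:15:03 web01 sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jul 26 10:15:06 web01 sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 26 10:16:10 web01 sshd[2110]: Failed password for john from 198.51.100.7 port 40022 ssh2
Jul 26 10:16:25 web01 sshd[2110]: Accepted password for john from 198.51.100.7 port 40022 ssh2
Jul 26 10:17:00 web01 sudo[2150]: john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
EOF
    failed_logins "$log" "${1:-3}"
    rm -f "$log"
}

demo_failed_logins 1
```

Each output line reads "attempts address invalid=N", sorted with the busiest source first; on a live system, pass /var/log/secure and run as root.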

5. Implement Access Control Lists (ACLs)

# Set ACL for specific user
setfacl -m u:username:rx /path/to/file

# Set default ACL for directory
setfacl -d -m g:groupname:rwx /path/to/directory

# View ACLs
getfacl /path/to/file

Troubleshooting Common Issues

User Cannot Log In

  1. Check account status:
     sudo passwd -S username
  2. Verify password expiration:
     sudo chage -l username
  3. Check for account lock:
     sudo grep username /etc/shadow
     # Look for ! or !! at the beginning of password field
  4. Verify shell access:
     grep username /etc/passwd
     # Ensure valid shell is set

Permission Denied Errors

  1. Check file ownership:
     ls -l filename
  2. Verify group membership:
     groups username
  3. Check effective permissions:
     namei -l /path/to/file

Home Directory Issues

  1. Verify home directory exists:
     ls -ld /home/username
  2. Check ownership:
     sudo chown -R username:username /home/username
  3. Fix permissions:
     sudo chmod 755 /home/username

Sudo Access Problems

  1. Check sudo configuration:
     sudo -l -U username
  2. Verify sudoers syntax:
     sudo visudo -c
  3. Check group membership:
     # Ensure user is in wheel group for sudo access
     sudo usermod -aG wheel username

Advanced User Management

Bulk User Operations

Create multiple users from a file:

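#!/bin/bash
# bulk_create_users.sh
# Reads users.txt, one "username:password:fullname" record per line.
# The file holds plaintext passwords: keep it mode 600 and delete it afterwards.

while IFS=: read -r username password fullname
do
    # Skip the password step if the account could not be created
    sudo useradd -m -c "$fullname" "$username" || continue
    echo "$username:$password" | sudo chpasswd
    # Force a password change at first login
    sudo chage -d 0 "$username"
    echo "Created user: $username"
done < users.txt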

User Quotas

Implement disk quotas:

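# Enable quotas on filesystem (edit /etc/fstab)
# Add usrquota,grpquota to mount options
# On XFS (the AlmaLinux default) the mount options alone enable quotas;
# the quotacheck and quotaon steps below apply to ext4

# Create quota database
sudo quotacheck -cugm /home

# Enable quotas
sudo quotaon -v /home

# Set user quota: 1G soft limit, 1.5G hard limit
# (setquota takes whole numbers, so 1.5G is written as 1536M)
sudo setquota -u username 1G 1536M 0 0 /home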

Centralized Authentication

For enterprise environments, consider:

  • LDAP integration
  • Active Directory integration
  • FreeIPA
  • SSSD (System Security Services Daemon)

Conclusion

Effective user and group management is crucial for maintaining a secure and well-organized AlmaLinux system. By following the practices outlined in this guide, you can ensure proper access control, maintain security, and efficiently manage user accounts.

Key takeaways:

  • Always use strong passwords and enforce password policies
  • Regularly audit user accounts and remove unused ones
  • Implement proper file permissions and ownership
  • Use groups effectively for access control
  • Monitor user activity and login attempts
  • Keep system accounts secure and restricted

Remember that user management is an ongoing process. Regularly review and update your user management practices to maintain system security and efficiency.