Managing users on a dedicated server means getting comfortable with a few basic concepts and commands, including the fact that users belong to one or more groups. Add or remove users, assign or unassign their group membership and you're in business!
The steps below assume that you're either logging in as root, so commands don't have to be prefixed with "sudo" or that you're logging in as a user with sudo privileges, in which case you will have to prefix commands with "sudo".
The steps also assume that you've SSH'd into the box and are executing the commands at the command line.
If you're not sure whether sudo is installed, go to the shell prompt and enter the below command. If you get a path in response, you know it's installed (and where).
Before creating users it's important to understand that there are 3 basic types of users in a Red Hat / CentOS linux environment:
A regular user can log in and perform tasks that concern themselves or the apps they install, but can't do superuser admin tasks unless a superuser specifically grants them permission to do so. FTP users, Samba users and email users are the three regular user types.
A system user is created so that a service can do things, but that doesn't include being able to login to the system and do tasks that a regular or superuser could do. Services like apache and mysql have system users assigned so that they can function.
Full control and privileges - that's what root or a superuser can do. A superuser can restart the server, manage users, control firewall and service configurations like which FTPd is running (and which is default) plus a myriad of other admin tasks.
Adding users isn't too painful a process. You'll need to replace blahusername and blahpassword with whatever you're wanting to set up.
Step 1 - Adding the username
Step 2 - Request password change for the user
Step 3 - At the prompts, type the new password 2x
Step 4 - Look to be sure the message appears that the command completed successfully
Note: In CentOS, adduser is the same as the useradd command. One is simply aliased to the other, so whenever you run either one, the same result occurs. Differences rear their head when trying to do operations such as adding to multiple groups: adduser is a higher-level wrapper, with useradd being the underlying, somewhat more complex command.
Whenever a new user is created using the adduser command, in CentOS, the following system changes occur as a result:
Note: The rest of the adduser commands will be done via useradd for wider compatibility and consistency throughout.
Unless you've specified a particular account expiration date, user accounts continue in perpetuity. That is generally exactly what's wanted, though on occasion access needs to be temporary; that's when an account expiration date comes into play. The -e option, along with a date, specified at account creation time, makes the user account temporary. In the below example, the user won't be able to log on from 24 December 2020 onward:
useradd -e 2020-12-24 blahusername
A user needn't be created with a default or specified home directory. But be careful: using the -M option, as shown below, doesn't mean they do without a home directory. Instead, they get assigned the same home directory as the user logged in before:
useradd -M blahusername
A user home directory doesn't have to be in /home/blahusername. When a user is added to the system, their home directory can be specified like:
useradd -d /var/blahsomeotherfolder blahusername
Ordinarily a user is automatically assigned a User ID (UID) when they're created via the useradd command. However, you can manually specify the UID at creation time with the -u option, as in the below example that sets the ID to 1234. Be sure to avoid reusing a UID that's already in use:
useradd -u 1234 blahusername
If you'd like to assign a different login shell to a newly added user, like bash, it's the -s option you'll need (along with the path of the shell you're assigning instead):
useradd -s /bin/bash blahusername
In case you'd rather the user have no login shell, that's doable with a slight variation on the above:
useradd -s /bin/nologin blahusername
System users are created just like regular users, only using the -r option at creation time. However, they won't get a home directory unless you ask for one with the -m option (combined with -d and a home directory path). Also, no mail directory will be created at the time either. Creating a system user can be done with:
useradd -r blahusername
or, if you want a home directory assigned
useradd -r -m -d /home/blahusername blahusername
Rather than allowing a user to be set up in a private group with their username as the group name, or specifying the group directly, you can create users with no group assignment at all using the -N option:
useradd -N blahusername
Every user in the system will, by default, have a GID assigned at the time of user creation. It is possible though to manually specify the GID with the -g option. Be sure to use a group ID that's not already in use!
useradd -g 515 blahusername
If you've got multiple users on the system, then managing them means creating meaningful groups with permissions based on roles. With the -G option used at creation time, a user can be added to the system and added to multiple groups, all in one go, using a comma delimited list of group names such as:
useradd -G editors,marketers,uploaders blahusername
useradd -G webadmins,webdevs,dbadmins blahusername
Security through obscurity means keeping usernames different from real names, logins different from default users (like WordPress not using admin as the admin user). Within the linux server environment, you can use custom comments so that a user comment field stores something like real name, telephone number, or other key details, using the -c option like:
useradd -c "John Doe" blahusername
This enables you to see these details and associated home directory plus username, all in one go by looking at the /etc/passwd file:
The resultant output will include the new user you've created and their pertinent details such as:
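To make the /etc/passwd fields concrete (the UID set with -u, the comment set with -c, the home directory from -d and the shell from -s, plus the regular/system/superuser split described earlier), here is an added example that is not part of this tutorial. It parses a few constructed passwd lines and flags the things an admin checks for: a reused UID, a second UID 0 account, and a system account left with an interactive shell. The UID_MIN boundary of 1000 is the CentOS 7 login.defs default and is an assumption about your system.

```python
"""Walk a /etc/passwd-style listing and report what useradd's -u, -c, -d
and -s options left behind.

Added example written for this tutorial, not part of it. The lines in
SAMPLE_PASSWD are constructed; UID_MIN = 1000 is the CentOS 7 login.defs
default and is an assumption about your system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: name:password:UID:GID:comment:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
svc-report:x:990:990:Report Service:/var/lib/report:/bin/bash
blahusername:x:1234:1234:John Doe:/home/blahusername:/bin/bash
uploader:x:1234:1235:Upload Bot:/var/blahsomeotherfolder:/bin/bash
sysbackup:x:0:0:backup:/root:/bin/bash
"""

UID_MIN = 1000  # assumption: first regular-user UID (CentOS 7 default)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    comment: str
    home: str
    shell: str

    @property
    def kind(self) -> str:
        """Superuser, system or regular, decided purely by UID."""
        if self.uid == 0:
            return "superuser"
        if self.uid < UID_MIN:
            return "system"
        return "regular"

    @property
    def can_login(self) -> bool:
        """An interactive shell means the account can log in (given a password)."""
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), comment, home, shell))
    return entries


def describe(entry: PasswdEntry) -> str:
    """One line per user: the -c comment, UID, home directory and shell."""
    login = "login" if entry.can_login else "no login"
    return (f"{entry.name} ({entry.comment or 'no comment'}) uid={entry.uid} "
            f"gid={entry.gid} home={entry.home} shell={entry.shell} [{entry.kind}, {login}]")


def find_issues(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, problem) pairs worth a second look."""
    issues = []
    seen: Dict[int, str] = {}
    for e in entries:
        if e.uid in seen:  # the tutorial's "avoid reusing a UID" warning
            issues.append((e.name, f"shares UID {e.uid} with {seen[e.uid]}"))
        else:
            seen[e.uid] = e.name
        if e.uid == 0 and e.name != "root":
            issues.append((e.name, "extra UID 0 account"))
        if e.kind == "system" and e.can_login:
            issues.append((e.name, "system account has an interactive shell"))
    return issues


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    for u in users:
        print(describe(u))
    for name, problem in find_issues(users):
        print(f"CHECK {name}: {problem}")
```

To run it against a real box, replace SAMPLE_PASSWD with the contents of /etc/passwd; the UID checks are exactly the ones to make before choosing a value for -u.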
Deleting users is even easier than adding them. You'll need to replace blahusername with whatever you're wanting to remove from the system:
Step 1 - Deleting the user, but leaving all of their files in place
Step 2 - If, instead, you'd like to delete the user AND ALL their files
userdel -r blahusername
Note: The command userdel is, in most flavors of linux, aliased from the deluser command which means that userdel is executed whenever deluser is entered.
Unless you specify the -f option (covered in the section below), deleting a user can fail for causes such as:
When you run the standard userdel blahusername command and it fails due to a process running that belongs to blahusername, you'll get an error such as:
user blahusername is currently used by process 123456
Contrary to what you may expect, even using the -r option (userdel -r blahusername) won't work and will still give the same error.
command to work. The key, therefore, is to stop the process, then execute the userdel command again:
Step 1 - As root you can kill the process with
kill -9 123456
Step 2 - Then delete the user with the standard userdel command
There are a number of scenarios when executing the userdel command, and you can tell which one occurred from the exit code the command returns as it completes. The exit numbers are a bit cryptic, so use this chart for reference:
Code  Explanation
0     successful completion
1     password file can't be updated
2     syntax error in command
6     username doesn't exist
8     user is logged in
10    group file can't be updated
12    home directory can't be removed
The beauty of linux is the power commands gain with the simple flick of a switch (the use of an option), such as using the -f option to force the removal of a user.
Using the -f option will remove the user, their home directory, their mail spool and do it even if they're logged on AND EVEN IF another user shares that same home directory. Even more dangerous, in some situations, a group with the same name as the user, if it exists, will get nuked as well. Use with extreme caution!
userdel -f blahusername
Adding users and deleting users are remarkably similar operations, which is good, since keeping it simple is a good plan.
Changing a user's home directory, default shell, password expiry or login name, adding comments and more can all be done using the usermod command (with the right options, of course).
Just as adding a user with a custom home directory relies on the -d option, so too does the usermod command when you want to change a user home directory:
usermod -d /var/blahsomeotherfolder blahusername
Changing the user home directory is great, but what about all the files in the old folder? They're still there! If you want to change the user home directory AND move the files from the old folder to the new one, you'll need to also include the -m (for move) option in the above:
usermod -m -d /var/blahsomeotherfolder blahusername
This combination of -m and -d options will move the files to the new home directory it assigns to the user.
Changing the UID for a user is just like specifying it when creating a user, through the -u option and by providing the new UID:
usermod -u 1111 blahcurrentusername
Renaming a user is done with the -l option (for new login name). You'll need to know the new login and current login to proceed:
usermod -l blahnewusername blahcurrentusername
You can set or change the account expiration date for a user so that they will no longer have access to the system after a certain point in the future using the -e option and by supplying the expiry date:
usermod -e 2021-01-21 blahusername
Every regular user has a default group set as their username. Using the -g option and specifying the new default group will reassign it:
usermod -g blahnewgroupname blahusername
If you want to put a user into a different group, you can use the -G option. If you'd like to keep them in their existing groups AND add them to another group too, you'll need -a together with -G. Here's the method for pulling them out of all other groups and putting them into a single new group:
usermod -G blahnewgroupname blahusername
or, you can append their group membership, keeping existing groups and adding a new group
usermod -a -G blahnewgroupname blahusername
With the -L option, you can lock a user account so the password no longer works (it puts a ! in the passwd file for that user). Keep in mind that other methods of accessing the user account, such as su by a user with privileges, sudo, cron and a few others, can get around this, since the user password isn't necessary.
Setting the expiration date to a past date, or to 1, is enough to enforce the lock, however. To lock a user account, use the below. To unlock, use the same command only with the -U option.
usermod -L blahusername
usermod -U blahusername
If, after locking, you'd like to set the expiry date, it can be done as:
usermod -e 2019-01-01 blahusername
You know there's a user account and think you know its name, but would like quick confirmation that it's correct. The way to check is with the id command. If it exists, you'll get a positive result (with user and group details). If not, it'll be a "No such user" message:
Rather than trying to accomplish something, like deleting a user, only to find an error because they have processes running (and you're not wanting to use the dangerous -f option), savvy admins will first check to see what processes a user has active:
ps aux | grep blahusername
Processes can then be terminated by process ID using the below, replacing blahprocessid with the numeric process ID number to be terminated:
kill -9 blahprocessid
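The deletion procedure above (check that the user exists, check for running processes, run userdel, then read its exit code) fits in one small pre-flight script. This is an added example, not the tutorial's own code: it looks the user up the way id does, lists the user's processes by scanning /proc (Linux only) instead of grepping ps output, and refuses to proceed while any are running. It never terminates processes and only runs userdel if you call run_userdel() yourself as root.

```python
"""Pre-flight checks for userdel: does the user exist, are processes still
running as that user, and what does the exit status mean.

Added example for this tutorial, not part of it. Linux only (reads /proc).
"""
import os
import pwd
import subprocess
from typing import List, Optional

# Exit statuses from the tutorial's userdel chart.
USERDEL_STATUS = {
    0: "successful completion",
    1: "password file can't be updated",
    2: "syntax error in command",
    6: "username doesn't exist",
    8: "user is logged in",
    10: "group file can't be updated",
    12: "home directory can't be removed",
}


def explain_userdel_status(code: int) -> str:
    return USERDEL_STATUS.get(code, f"unknown exit status {code}")


def lookup_uid(username: str) -> Optional[int]:
    """UID for username, or None when the account doesn't exist (what `id` reports)."""
    try:
        return pwd.getpwnam(username).pw_uid
    except KeyError:
        return None


def processes_for_uid(uid: int) -> List[int]:
    """PIDs whose real UID is `uid`, taken from the Uid: line of /proc/<pid>/status."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                for line in fh:
                    if line.startswith("Uid:"):
                        if int(line.split()[1]) == uid:
                            pids.append(int(entry))
                        break
        except OSError:
            continue  # process exited or isn't readable; skip it
    return pids


def build_userdel_command(username: str, remove_home: bool = False) -> List[str]:
    """userdel [-r] username; -f is deliberately not offered here."""
    cmd = ["userdel"]
    if remove_home:
        cmd.append("-r")
    cmd.append(username)
    return cmd


def preflight(username: str) -> str:
    """Say whether userdel is likely to succeed, before touching anything."""
    uid = lookup_uid(username)
    if uid is None:
        return f"{username}: no such user"
    pids = processes_for_uid(uid)
    if pids:
        return f"{username} (uid {uid}) still owns processes {pids}; stop them before userdel"
    return f"{username} (uid {uid}) has no running processes; safe to run userdel"


def self_check() -> bool:
    """Sanity check of the /proc scan: this process runs as our own UID."""
    return os.getpid() in processes_for_uid(os.getuid())


def run_userdel(username: str, remove_home: bool = False) -> str:
    """Run userdel (needs root) and translate its exit code with the chart."""
    result = subprocess.run(build_userdel_command(username, remove_home))
    return explain_userdel_status(result.returncode)


if __name__ == "__main__":
    print(preflight("blahusername"))
```

Running preflight("blahusername") on a box where that user has a shell open prints the PIDs, which is the same information the tutorial's ps | grep step gives you, minus the grep matching its own command line.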
A root user can find out about any user using the -l option on this command, while a regular user can find out when their own password is about to expire (without need to specify their own username in the command below):
chage -l blahusername
Note: chage means change user expiry (password). At the prompt, use the command below to find out all the other possible options used in manipulating the user expiry defaults:
If you'd like to walk through the current settings, being interactively prompted to enter new values (or not), just run the chage command without any options:
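To show what usermod -L, -U and -e actually record, and what chage -l then reports, here is an added example that is not part of this tutorial. It decodes constructed /etc/shadow-style lines (the hashes are placeholders): a ! prefix on the hash is the lock, !! means no password was ever set, * means password login is disabled, and the eighth field is the account expiry as days since 1970-01-01. The "today" value is a constant so the results are repeatable, and it also shows why the tutorial says expiry enforces a lock that a ! alone does not.

```python
"""Decode the lock and expiry state that usermod -L / -U / -e leave in
/etc/shadow, reported the way chage -l shows it.

Added example written for this tutorial, not part of it. SAMPLE_SHADOW is
constructed (placeholder hashes); day counts follow shadow(5), days since
1970-01-01. TODAY is fixed so the output is repeatable.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)
TODAY = date(2020, 12, 24)  # constructed "today" for the report

# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$salt$placeholderhash:18262:0:99999:7:::
blahusername:!$6$salt$placeholderhash:18262:0:90:7::18648:
contractor:$6$salt$placeholderhash:18262:0:99999:7::18620:
apache:!!:18262:0:99999:7:::
mysql:*:18262:0:99999:7:::
oldacct:$6$salt$placeholderhash:17897:0:99999:7::17897:
"""


def days_to_date(field: str) -> Optional[date]:
    """Empty field means 'not set' (chage -l prints 'never')."""
    return EPOCH + timedelta(days=int(field)) if field else None


def fmt(d: Optional[date]) -> str:
    return d.strftime("%b %d, %Y") if d else "never"


class ShadowEntry:
    def __init__(self, line: str):
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 fields: {line!r}")
        self.name, self.password, lastchg, _min, maxdays, _warn, _inactive, expire, _ = fields
        self.last_change = days_to_date(lastchg)
        self.max_days = int(maxdays) if maxdays else None
        self.expires = days_to_date(expire)

    def lock_state(self) -> str:
        if self.password == "*":
            return "password login disabled"
        if self.password.startswith("!"):
            # usermod -L prepends '!' to the hash; '!!' means no password was ever set
            return "locked (no password set)" if self.password.strip("!") == "" else "locked"
        return "active"

    def account_expired(self, today: date) -> bool:
        """usermod -e date: no login from that day onward."""
        return self.expires is not None and self.expires <= today

    def password_expired(self, today: date) -> bool:
        """Past the max-days window: the user is forced to change it, not denied."""
        if self.last_change is None or self.max_days is None:
            return False
        return today > self.last_change + timedelta(days=self.max_days)

    def cannot_login(self, today: date) -> bool:
        """Password logins blocked by a lock or an expired account. A lock alone
        doesn't stop su from root, sudo or cron; an expired account stops them all."""
        return self.lock_state() != "active" or self.account_expired(today)

    def chage_report(self, today: date) -> Dict[str, str]:
        """The fields chage -l shows, plus the lock state."""
        pw_expires = "never"
        if self.last_change and self.max_days and self.max_days < 99999:
            pw_expires = fmt(self.last_change + timedelta(days=self.max_days))
        return {
            "Last password change": fmt(self.last_change),
            "Password expires": pw_expires,
            "Account expires": fmt(self.expires),
            "Lock state": self.lock_state(),
            "Account expired": "yes" if self.account_expired(today) else "no",
        }


def parse_shadow(text: str) -> List[ShadowEntry]:
    return [ShadowEntry(line) for line in text.splitlines() if line.strip()]


def entries_by_name(text: str) -> Dict[str, ShadowEntry]:
    return {e.name: e for e in parse_shadow(text)}


def denied_users(text: str, today: date) -> List[str]:
    """Accounts that password login would refuse on `today`."""
    return [e.name for e in parse_shadow(text) if e.cannot_login(today)]


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(entry.name, entry.chage_report(TODAY))
    print("denied:", denied_users(SAMPLE_SHADOW, TODAY))
```

Reading /etc/shadow requires root, which is also why a regular user can run chage -l only on their own account.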