KNOWNHOST WIKI

User Tools

Site Tools


dedicated-servers:how-to-manage-users-on-a-dedicated-server

How to Manage Users on a Dedicated Server

Managing users on a dedicated server means getting comfortable with a few basic concepts and commands, including the fact that users belong to one or more groups. Add or remove users, assign or unassign their group membership and you're in business!

The steps below assume that you're either logging in as root, so commands don't have to be prefixed with "sudo" or that you're logging in as a user with sudo privileges, in which case you will have to prefix commands with "sudo".

The steps also assume that you've SSH'd into the box and are executing the commands at the command line.

If you're not sure if sudo is installed or not, just go to the dot prompt and enter the below command. If you get a path response, you know it's installed (and where).

  which sudo


User Types

Before creating users it's important to understand that there are 3 basic types of users in a Red Hat / CentOS linux environment:


Regular User

A regular user can login and perform some tasks about themselves or apps they install, but won't be able to do superuser admin tasks, unless a superuser specifically assigns them permissions to do so. FTP user, Samba user and email user - the three regular user types.


System User

A system user is created so that a service can do things, but that doesn't include being able to login to the system and do tasks that a regular or superuser could do. Services like apache and mysql have system users assigned so that they can function.


Super User

Full control and privileges - that's what root or a superuser can do. A superuser can restart the server, manage users, control firewall and service configurations like which FTPd is running (and which is default) plus a myriad of other admin tasks.


Adding Users

Adding users isn't too painful of a process. You'll need to replace blahusername and blahpassword with whatever you're wanting to set up.

Step 1 - Adding the username

  adduser blahusername

Step 2 - Request password change for the user

  passwd blahusername

Step 3 - At the prompts, type the new password 2x Step 4 - Look to be sure the message appears that the command completed successfully


Note: In CentOS, adduser is the same as the useradd command. One is simply aliased to the other, so whenever you run either one, the same result occurs. Differences rear their head when trying to do operations such as adding to multiple groups. Adduser is a higher level extrapolation with useradd being the underlying, and somewhat more complex operation.


What Happens when Adding Users with "adduser"

Whenever a new user is created using the adduser command, in CentOS, the following system changes occur as a result:

  • /etc/group gets a new line in it with id and private group name (based on username) + more
  • /etc/gshadow gets a new line in it with private group name and encrypted password if present
  • /etc/passwd gets a new line in it with username, id and other details
  • /etc/shadow gets a new line in it with username, encrypted password and other details
  • /home/blahusername directory is created with whatever blahusername was created


Note: The rest of the adduser commands will be done via useradd for wider compatibility and consistency throughout.


Creating a Temporary User (with expiration date)

Unless you've specified a particular account expiration date, user accounts will continue in perpetuity. This is generally exactly what's wanted, though on occasion there may be need for access to be temporary. It's then that an account expiration date comes into play. The -e option, along with a date, specified at account creation time, will make the user account temporary. In the below example, the user won't be logging on from Christmas 2020 onward:

  useradd -e 2020-12-24 blahusername


Creating a User with No Home Directory

A user needn't be created with a default or specified home directory. But be careful, using the -M option, as shown below doesn't mean they do without a home directory. Instead, they get assigned the same home directory as the user logged in before:

  useradd -M blahusername


Creating a User and Specifying a Non-Standard Home Directory

A user home directory doesn't have to be in /home/blahusername. When a user is added to the system, their home directory can be specified like:

  useradd -d /var/blahsomeotherfolder blahusername


Creating a User with a Specific User ID

Ordinarily a user will be automatically assigned a User ID (UID) when they're created via the useradd command. However, you've got control and can manually specify the UID at creation time, by using the -u option, such as the below example that sets their ID as 1234. Be sure to avoid reusing a UID that's already in use:

  useradd -u 1234 blahusername


Creating a User with a Different Default Shell

If you'd like to assign a different default shell to newly added users, like bash, it's the -s option you'll need (along with an idea of what shell you're instead assigning:

  useradd -s /bin/bash blahusername

In case you'd rather the user have no login shell, that's doable with a slight variation on the above:

  useradd -s /bin/nologin blahusername


Creating a System User

System users are created just like regular users, only using the -r option at creation time. However, they won't have a default home directory unless you specify one with the -m option and a home directory path. Also, no mail directory will be created at the time either. Creating a system user can be done with:

  useradd -r blahusername

or, if you want a home directory assigned

  useradd -r -m /home/blahusername blahusername


Creating a User without a Group

Rather than allowing a user to be set up in a private group with their username as the group name, or specifying the group directly, you can create users with no group assignment at all using the -N option:

  useradd -N blahusername


Creating a User and Specifying the Group ID (GID)

Every user in the system will, by default, have a GID assigned at the time of user creation. It is possible though to manually specify the GID with the -g option. Be sure to use a group ID that's not already in use!

  useradd -g 515 blahusername


Creating a User and Adding to Multiple Groups

If you've got multiple users on the system, then managing them means creating meaningful groups with permissions based on roles. With the -G option used at creation time, a user can be added to the system and added to multiple groups, all in one go, using a comma delimited list of group names such as:

  useradd -G editors,marketers,uploaders blahusername

or

  useradd -G webadmins,webdevs,dbadmins blahusername


Creating a User with Custom Comments (Added Details)

Security through obscurity means keeping usernames different from real names, logins different from default users (like WordPress not using admin as the admin user). Within the linux server environment, you can use custom comments so that a user comment field stores something like real name, telephone number, or other key details, using the -c option like:

  useradd -c "John Doe" blahusername

This enables you to see these details and associated home directory plus username, all in one go by looking at the /etc/passwd file:

  tail /etc/passwd

or

  head /etc/passwd

The resultant output will include the new user you've created and their pertinent details such as:

  blahusername:x:1012:1008:John Doe:/home/blahusername:/bin/sh


Deleting Users

Deleting users is even easier than adding them. You'll need to replace blahusername with whatever you're wanting to remove from the system: Step 1 - Deleting the user, but leaving all of their files in place

  userdel blahusername

Step 2 - If, instead, you'd like to delete the user AND ALL their files

  userdel -r blahusername

Note: The command userdel is, in most flavors of linux, aliased from the deluser command which means that userdel is executed whenever deluser is entered.


When You Can't Delete a User

Unless you specify the -f option, covered in the section following this, below, then whenever you try to delete a user, it can fail due to certain causes such as:


Problem: They've Created a Process That's Still Running

When you run the standard userdel blahusername command and it fails due to a process running that belongs to blahusername, you'll get an error such as:

  user blahusername is currently used by process 123456

Contrary to what you may expect, even using the -r option won't work (userdel -r blahusername) and will still give the same error.


Solution: Kill the Process Then Delete the User

command to work. The key, therefore, is to stop the process, then execute the userdel command again:

Step 1 - As root you can kill the process with

  kill -9 123456

Step 2 - Then delete the user with the standard userdel command

  userdel blahusername


Kill Exit Codes

There are a number of scenarios when executing the userdel command, the results of which are known thanks to the exit codes provided as the command completes. The exit numbers are bit cryptic, so use this chart for reference:

Code Text Explanation successful completion 1 password file can't be updated 2 syntax error in command 6 username doesn't exist 8 user is logged in 10 group file can't be updated 12 home directory can't be removed


Deleting a Logged In User (Forced) [Nuclear Danger Warning]

The beauty of linux is the power commands have with the simple flick of a switch (use of a option) such as using the -f option to force the removal of a user.


Warning

Using the -f option will remove the user, their home directory, their mail spool and do it even if they're logged on AND EVEN IF another user shares that same home directory. Even more dangerous, in some situations, a group with the same name as the user, if it exists, will get nuked as well. Use with extreme caution!

  userdel -f blahusername 


Modifying Users

Adding users and deleting users are remarkably similar operations, which is good, since keeping it simple is a good plan.

Changing user home directory, default shell, password expiry, login name, adding comments and more, can all be done using the usermod command (with the right options of course)


Change a User Home Directory

Just as adding a user with a custom home directory relies on the -d option, so too does the usermod command when you want to change a user home directory:

  usermod -d /var/blahsomeotherfolder blahusername

Changing the user home directory is great, but what about all the files in the old folder? They're still there! If you want to change the user home directory AND move the files from the old folder to the new one, you'll need to also include the -m (for move) to the above:

  usermod -m -d /var/blahsomeotherfolder blahusername

This combination of -m and -d options will move the files to the new home directory it assigns to the user.


Change a User ID

Changing the UID for a user is just like specifying it when creating a user, through the -u option and by providing the new UID:

  usermod -u 1111 blahcurrentusername


Change a User Login Name

Renaming a user is done with the -l option (for new login name). You'll need to know the new login and current login to proceed:

  usermod -l blahnewusername blahcurrentusername


Change the Account Expiry Date

You can set or change the account expiration date for a user so that they will no longer have access to the system after a certain point in the future using the -e option and by supplying the expiry date:

  usermod -e 2021-01-21 blahusername


Change the User Primary Group

Every regular user has a default group set as their username. Using the -g option and specifying the new default group will reassign:

  usermod -g blahnewgroupname blahusername


Add User to Another Group

If you want to put a user into a different group, you can use the -G option. If you'd like to keep them in existing groups AND add them to a different group too, then you'd need -a and -G. Here's the method for pulling them out of all other groups and putting into a single new group:

  usermod -G blahnewgroupname blahusername

or, you can append their group membership, keeping existing groups and adding a new group

  usermod -a -G blahnewgroupname blahusername


Lock a User Account

With the -L option, you can lock a user account so the password no longer works (it puts the ! in the passwd file for that user). Keep in mind that other methods of accessing the user account such as SU by a user with priv's, sudo, cron and a few others, can get around this, since the user password isn't necessary.

Setting the expiration date to a past date, or 1, is enough to enforce the lock however. To lock a user account, use the below. To unlock use the same command only with the -U option.

Lock

  usermod -L blahusername

Unlock

  usermod -U blahusername

If, after locking, you'd like to set the expiry date, it can be done as:

  usermod -e 2019-01-01 blahusername



Check that a User has an Account

You know that there's a user account with a name and think you know it, but would like quick confirmation that it's correct. The way to check is with the id command. If it exists, you'll get a positive result (with user and group details). If not, it'll be a "No such user" message:

  id blahusername


Find All Processes by a Specific Username

Rather than trying to accomplish something, like deleting a user, only to find an error because they have processes running (and you're not wanting to use the dangerous -f option), savvy admins will first check to see what processes a user has active:

  ps -aux | grep blahusername

Processes can then be terminated by process ID using the below, replacing blahprocessid with the numeric process ID number to be terminated:

  kill -9 blahprocessid


Find When a User Password is Due to Expire

A root user can find out about any user using the -l option on this command, while a regular user can find out when their own password is about to expire (without need to specify their own username in the command below):

  chage -l blahusername

Note: chage means change user expiry (password). At the prompt, use the command below to find out all the other possible options used in manipulating the user expiry defaults:

  chage -h

If you'd like to walk through the current settings, being interactively prompted to enter new values (or not), just run the chage command without any options:

  chage blahusername
dedicated-servers/how-to-manage-users-on-a-dedicated-server.txt · Last modified: 2020/10/20 06:39 by Karson N.