City College of San Francisco - CS260A
Unix/Linux System Administration

Module: Users and Authentication

Adding, Modifying and Deleting users

Adding users

As with groups, the addition of new users is normally done by either a command-line or GUI-based tool today. However, to understand the steps involved (and the information you must prepare before the task), we will outline the manual procedure first by asking some questions:

After all these questions were answered, the account entry and directories would be created manually, the group information modified, and the startup files copied to the home directory. Then the owner and group of the home directory and of the files in it would be changed. The final steps, which should still be performed when a tool is used to create the account, are to set the password and to test the account before turning it over to its new owner.

The command-line program useradd has simplified this process and reduced the probability of error.

useradd

useradd has lots of options. These are the most important ones:

useradd [ -g group ] [ -G group,group,... ] [ -N ] [ -d home ] [ -s shell ] [ -c gecos ] [ -m [ -k skeldir ] ] [ -M ] [ -r ] [ -p passwd ] username

The only required argument is username. Avoid -p: it takes an already-encrypted password (the output of crypt(3)), not a plaintext one, and whatever you pass appears in the shell history and in the process list. Set the password with passwd or chpasswd once the account exists.

Default values for user information

Missing information for useradd is filled in using default values from /etc/login.defs and /etc/default/useradd. A few values in these files deserve comments:

/etc/default/useradd:

This file contains the default group (GROUP), used when -g is not given. On Red Hat Linux, however, useradd creates a personal group with the same name as the user and makes it the primary group, so the GROUP value in this file is only used when -N is specified. The file also names the directory (SKEL, normally /etc/skel) that holds the default copies of the shell initialization files. These are hidden files, so remember to use ls -A when examining that directory. useradd -D prints the values currently in effect. (Shell initialization files are the subject of the next section.)

/etc/login.defs:

This file includes a flag CREATE_HOME indicating whether creating the user's home directory is the default (same as -m) or not (-M). It also includes the uid (UID_MIN) and gid (GID_MIN) that are the dividing line between ids reserved for the system and ids handed out to ordinary users: uids below UID_MIN are system uids, and uids greater than or equal to UID_MIN are user uids. useradd -r asks for a system account, which receives a uid below UID_MIN and, regardless of CREATE_HOME, no home directory unless -m is also given.
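The whole procedure above, from choosing the options through setting the password and testing the account, as an added shell example; it is not part of the course page. It assumes shadow-utils (useradd, chpasswd, chage), glibc getent and root privileges. The DRY_RUN and LOGIN_DEFS variables and the provision_user, login_def and uid_class functions are names chosen for this example, and the groups users and students are assumed to exist:

```sh
#!/bin/sh
# Added example, not from the course page: create an account with every
# parameter stated explicitly instead of relying on the defaults in
# /etc/login.defs and /etc/default/useradd, set the password, then verify.
# Assumptions: shadow-utils (useradd, chpasswd, chage), glibc getent, run as
# root. DRY_RUN=1 prints the privileged commands instead of running them;
# LOGIN_DEFS points at login.defs (overridable, e.g. for a test copy).

LOGIN_DEFS=${LOGIN_DEFS:-/etc/login.defs}

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# login_def KEY: value of KEY in login.defs (comment lines are skipped).
login_def() {
    awk -v k="$1" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$LOGIN_DEFS"
}

# uid_class UID: "system" below UID_MIN, otherwise "user" (UID_MIN defaults
# to 1000 when the file does not set it).
uid_class() {
    min=$(login_def UID_MIN)
    [ "$1" -lt "${min:-1000}" ] && echo system || echo user
}

# provision_user NAME GECOS GROUPS INITIAL_PASSWORD
provision_user() {
    name=$1 gecos=$2 groups=$3 initial_pw=$4

    # -m/-k/-s/-G are given explicitly: CREATE_HOME, SKEL and the default
    # shell differ between distributions, so do not depend on them.
    run useradd -c "$gecos" -m -k /etc/skel -s /bin/bash \
        ${groups:+-G "$groups"} "$name" || return 1

    # Set the password through chpasswd (never useradd -p, which wants a
    # hash and exposes it in the process list) and force a change at the
    # first login with chage -d 0.
    printf '%s:%s\n' "$name" "$initial_pw" | run chpasswd || return 1
    run chage -d 0 "$name" || return 1

    # Verify: the entry exists, the groups are as requested, and the account
    # can actually log in (su runs the new user's shell and startup files).
    run getent passwd "$name" || return 1
    run id -nG "$name"
    run su - "$name" -c 'echo "login test ok: $(id -un) in $HOME"'
}

# Example use (only meaningful as root; groups users and students assumed):
# provision_user dipsy "Dipsy Teletubby" users,students 'ChangeMe-1'
```

Run with DRY_RUN=1 first to see exactly which commands will be issued, and compare uid_class of the uid that useradd hands out against what you expected: a value below UID_MIN means an option or a default picked a system id.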

Modifying users

usermod can be used to modify the parameters of an existing user. Its options are similar to useradd, with the addition of a few important options. The first is -l: changing the name of an existing user:

usermod -l newuname existinguname

This changes the username existinguname to newuname.

Note that this does not rename the user's home directory, neither the directory itself nor the path recorded in /etc/passwd. The path is changed with the -d option to usermod; adding -m moves the contents of the old directory to the new location as well (usermod -d /home/newuname -m newuname), so nothing needs to be done by hand.

One further option is peculiar to usermod: -a. Used together with -G, it adds the user to the listed secondary groups while keeping the secondary groups (s)he already belongs to. (The default behavior is to discard the user's current secondary groups and replace them with the list following -G.)

Suppose dipsy is a member of users in addition to her default group dipsy, and you want to add her to a further secondary group, students:

usermod -G students dipsy

would delete her membership in users, while

usermod -a -G students dipsy or

usermod -G students,users dipsy

would not.

(By the way, you can use usermod -G "" dipsy to remove all of dipsy's secondary groups. Just don't forget the quotes.)

Disabling accounts 

We previously discussed the use of passwd -l to lock a user's password. A common misconception is that this command locks the user's account. Locking the password is not the same as disabling the account: passwd -l only puts a marker in front of the hash in /etc/shadow, so any authentication method that never consults the hash keeps working. In particular, on the sshd configuration usual on Linux (UsePAM yes), a user whose password is locked can still log in with an ssh key.

To disable an account you must install a dummy program as the user's shell. This could be a program you write, or it could be the standard program /sbin/nologin (/usr/sbin/nologin on some distributions). The nologin program simply displays a message and exits. The message is either a canned internal message indicating that the account is disabled or one you write and place in /etc/nologin.txt. Since the shell is the program run for the user when a login occurs, whether the login uses a password or an ssh key, interactive access is cut off. Two caveats apply: sessions that were already open keep running until their processes are killed, and an ssh client that never asks for a shell (ssh -N with port forwarding) still authenticates, because sshd does not start the shell for it. For a complete disable, lock the password, set an account expiry date in the past with chage -E (an expired account is refused by PAM-aware services such as login, sshd and su regardless of how the user authenticates), install nologin, and kill the user's processes.

Disabling an account, as opposed to simply deleting it, allows easy recovery.

You change a user's shell, of course, with chsh -s shellpath user. The user can change their own shell as well, but only to one of the sanctioned shells listed in /etc/shells. It is questionable whether /sbin/nologin should be in this list, but it is. (This means, of course, that users can disable their own account.)
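An added example, not from the course page, of what a complete disable looks like, together with a check that tells the cases apart (password locked only, nologin shell, account expired). It assumes shadow-utils (usermod, chage), /sbin/nologin, glibc getent and an sshd configured as is usual on Linux (UsePAM yes); disable_account and account_state are names chosen here, and the passwd and shadow lines used for illustration are constructed:

```sh
#!/bin/sh
# Added example, not from the course page: disable an account completely and
# audit what "disabled" really means for an existing entry. Assumptions:
# shadow-utils (usermod, chage), /sbin/nologin, glibc getent, and an sshd with
# the usual Linux configuration (UsePAM yes), where a locked password does not
# block public-key logins. disable_account must run as root; account_state
# only reads passwd/shadow-format lines and can be run by anyone.

# disable_account NAME: three independent barriers plus clean-up.
disable_account() {
    name=$1
    entry=$(getent passwd "$name") || return 1
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    # 1. lock the password (stops password logins only) and
    # 2. install nologin (stops interactive logins and whatever sshd starts
    #    through the shell, such as commands and the external sftp-server)
    usermod -L -s /sbin/nologin "$name" || return 1
    # 3. expire the account: PAM-aware services (login, sshd, su) refuse an
    #    expired account whatever the authentication method, which also covers
    #    "ssh -N" port forwarding that never asks for a shell. 1970-01-01 would
    #    be stored as 0, which shadow(5) says not to use, hence the next day.
    chage -E 1970-01-02 "$name" || return 1
    # Keys that would otherwise survive a later partial re-enable, and live
    # sessions that no barrier above touches.
    if [ -f "$home/.ssh/authorized_keys" ]; then
        mv "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys.disabled" || return 1
    fi
    pkill -KILL -u "$name" 2>/dev/null
    return 0
}

# account_state PASSWD_LINE SHADOW_LINE: print the strongest barrier in place.
#   open             nothing stops the user
#   password-locked  hash starts with ! or *; key-based ssh still works
#   shell-blocked    nologin/false shell; a key can still open a non-shell
#                    ssh session (port forwarding) while the account is valid
#   disabled         expiry date in the past
account_state() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    expire=$(printf '%s\n' "$2" | cut -d: -f8)
    today=$(( $(date +%s) / 86400 ))

    # shadow's own expiry check ignores 0, so 0 is not counted as expired.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        echo disabled
        return
    fi
    case "$shell" in
        */nologin|*/false) echo shell-blocked; return ;;
    esac
    case "$hash" in
        '!'*|'*'*) echo password-locked ;;
        *)         echo open ;;
    esac
}

# Audit every local account (as root, since /etc/shadow is not world-readable):
# while IFS= read -r pw; do
#     n=${pw%%:*}
#     printf '%-16s %s\n' "$n" "$(account_state "$pw" "$(grep "^$n:" /etc/shadow)")"
# done < /etc/passwd
```

An account that the audit reports as password-locked is the misconception from the text in practice: the password is gone but a key in ~/.ssh/authorized_keys still opens the door.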

Deleting users

userdel can be used to delete accounts. Its most important option is -r, which deletes the user's home directory (and its contents) and mail spool as well. Usually -r should be used, possibly after archiving the home directory. userdel refuses to remove a user who still has running processes (-f overrides this), so kill them first or the deletion fails.

userdel [ -r ] uname

Note that even if the user's home directory is deleted, data may exist elsewhere on the system that is still owned by the user. It is very important to track down this data and dispose of it, as the uid that was associated with uname could be recycled when the next user is created. If this happens, the new user will inherit ownership of the deleted user's files. This is an immense liability issue. Consider the following scenario:

Joe was fired. His account was deleted, but the administrator forgot to search the /var filesystem for files owned by joe, one of which is /var/mail/joe. When Susan was hired, she was assigned the uid previously used by Joe and thus became owner of all of Joe's mail. 

find has options for this: -uid N finds files owned by a numeric uid, and -nouser finds files whose owner no longer has an entry in /etc/passwd. Record the uid before running userdel (-user uname can no longer be resolved once the entry is gone), then search by number on every filesystem that holds local data, as a standard part of account deletion.
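The deletion procedure with the stray-file search built in, as an added example that is not the course page's own script. It assumes shadow-utils userdel, glibc getent, tar and a find that supports -xdev, -uid and -nouser (GNU and BSD find all do); offboard_user, files_owned_by, ARCHIVE_DIR and SEARCH_ROOTS are names chosen for the example, and offboard_user must run as root:

```sh
#!/bin/sh
# Added example, not from the course page: delete an account without leaving
# files behind for whoever inherits its uid. Assumptions: shadow-utils userdel,
# glibc getent, tar, and a find with -xdev, -uid and -nouser. offboard_user
# must run as root; files_owned_by does not. ARCHIVE_DIR and SEARCH_ROOTS are
# locations chosen for this example: list every mount point that holds local
# data, since -xdev keeps find on one filesystem (and off network and pseudo
# filesystems).
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/archive/users}
SEARCH_ROOTS=${SEARCH_ROOTS:-"/ /home /var"}

# files_owned_by ROOT UID: everything under ROOT (one filesystem) that belongs
# to the numeric UID, plus anything that belongs to no account at all.
files_owned_by() {
    find "$1" -xdev \( -uid "$2" -o -nouser \) 2>/dev/null
}

# offboard_user NAME: record uid and home first (both vanish with the passwd
# entry), archive, delete, then take ownership of anything left over.
offboard_user() {
    name=$1
    entry=$(getent passwd "$name") || { echo "no such user: $name" >&2; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    stamp=$(date +%Y%m%d)

    mkdir -p "$ARCHIVE_DIR" || return 1
    # Home directory and mail spool are what userdel -r removes; keep a copy.
    tar -czf "$ARCHIVE_DIR/$name-$stamp.tgz" -C / "${home#/}" \
        $( [ -f "/var/mail/$name" ] && echo "var/mail/$name" ) || return 1

    # userdel refuses while the user has processes; -r removes home and spool.
    pkill -KILL -u "$name" 2>/dev/null
    userdel -r "$name" || return 1

    # Everything else owned by the old uid: log it, then hand it to root with
    # no access for others, so a recycled uid inherits nothing. The search is
    # by number because -user name would no longer resolve.
    for r in $SEARCH_ROOTS; do files_owned_by "$r" "$uid"; done \
        | sort -u > "$ARCHIVE_DIR/$name-$stamp-strays.txt"
    for r in $SEARCH_ROOTS; do
        find "$r" -xdev \( -uid "$uid" -o -nouser \) \
            -exec chown root:root {} + -exec chmod o-rwx {} +
    done
}

# Example use (as root): offboard_user joe
```

The strays file is the record to review afterwards: in the scenario from the text it would have listed /var/mail/joe, and the chown means Susan's new uid no longer owns it even if the administrator never looks.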

Using the GUI

Unless you are automating the creation, deletion or modification of users and groups, you will probably find the Users and Groups control panel easier to use than the command-line tools. Check it out!


This page was made entirely with free software on linux: the Mozilla Project and Openoffice.org

Copyright 2014 Greg Boyd - All Rights Reserved.