Managing Users and Groups
indexterm:[groups,introducing]indexterm:[users,introducing]indexterm:[users,UID]indexterm:[groups,GID] The control of users and groups is a core element of {MAJOROS} system administration. This chapter explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as creating group directories.
Introduction to Users and Groups
While users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group share the same permissions to read, write, or execute files owned by that group.
Each user is associated with a unique numerical identification number called a _user ID_ (*UID*). Likewise, each group is associated with a _group ID_ (*GID*). A newly created file is owned by the user who created it, and its group owner is that user's primary group (or the parent directory's group when that directory has the setgid bit set). The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by `root`, while access permissions can be changed by both the `root` user and the file owner.
Additionally, {MAJOROS} supports _access control lists_ (*ACLs*) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about this feature, see the [citetitle]_link:++https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Access_Control_Lists.html++[Access Control Lists]_ chapter of the [citetitle]_link:++https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/index.html++[Red Hat Enterprise Linux 7 System Administrators Guide]_.
User Private Groups
indexterm:[groups,user private]indexterm:[user private groups,groups]indexterm:[groups,tools for management of,groupadd] {MAJOROS} uses a _user private group_ (_UPG_) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group.
User private groups make it safe to set default permissions for a newly created file or directory that allow both the user and *the group of that user* to modify it, because by default that group contains no one but the user.
The setting which determines what permissions are applied to a newly created file or directory is called a _umask_ and is configured in the `/etc/bashrc` file. Traditionally on UNIX-based systems, the [command]#umask# is set to [command]#022#, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, *including members of the creator's group*, are not allowed to make any modifications. Under the UPG scheme this "group protection" is not necessary, since every user has their own private group, so {MAJOROS} applies a [command]#umask# of [command]#002# to regular accounts whose primary group is their private group and falls back to [command]#022# otherwise. The protection only holds while the primary group really is private: if an administrator changes a user's primary group to a shared group without also changing the umask, every member of that group gains write access to the user's newly created files and directories.
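The following shell script is an added example, not part of the original guide. It shows how a umask is subtracted from the kernel's base mode, reproduces the private-group check that picks 002 or 022 (modelled on the logic in RHEL 7's `/etc/bashrc`, which is an assumption about that file's exact content), and then creates real files under both umasks in a scratch directory so the difference in group write access is visible.

```shell
#!/bin/sh
# Added example, not from the original guide: how the umask turns the
# kernel's base mode (0666 for files, 0777 for directories) into the mode a
# new object actually gets, and why a 002 umask is only safe when the user's
# primary group is their private group.

# mode_after_umask BASE UMASK -> resulting mode, e.g. 0666 022 -> 0644.
# The kernel clears every bit that is set in the umask: mode = base & ~umask.
mode_after_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# upg_umask UID USERNAME PRIMARYGROUP -> the umask to apply under the UPG
# scheme, modelled on the check in RHEL 7's /etc/bashrc (an assumption about
# that file): 002 only for regular accounts (UID > 199) whose primary group
# is their own private group, 022 for everything else.
upg_umask() {
    if [ "$1" -gt 199 ] && [ "$2" = "$3" ]; then
        echo 002
    else
        echo 022
    fi
}

# Live check: create a file and a directory under each umask in a scratch
# directory and show the permission string ls reports.
demo() {
    scratch=$(mktemp -d) || return 1
    for m in 022 002; do
        ( umask "$m" && touch "$scratch/file-$m" && mkdir "$scratch/dir-$m" )
        printf 'umask %s: file %s  dir %s\n' "$m" \
            "$(ls -ld "$scratch/file-$m" | cut -c1-10)" \
            "$(ls -ld "$scratch/dir-$m"  | cut -c1-10)"
    done
    rm -rf "$scratch"
}
demo
# umask 022: file -rw-r--r--  dir drwxr-xr-x   (group cannot write: 0644 / 0755)
# umask 002: file -rw-rw-r--  dir drwxrwxr-x   (group can write:    0664 / 0775)
```

To see what an existing session is using, run [command]#umask# (or [command]#umask -S# for the symbolic form) and compare the output of [command]#id -un# and [command]#id -gn#; a regular account whose two names differ is not in UPG shape, and a 002 umask there exposes its new files to the whole shared group.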
A list of all groups is stored in the `/etc/group` configuration file.
Shadow Passwords
indexterm:[passwords,shadow]indexterm:[shadow passwords,overview of] In environments with multiple users, it is very important to use _shadow passwords_ provided by the [package]*shadow-utils* package to enhance the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
The following is a list of the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
Shadow passwords improve system security by moving password hashes from the world-readable `/etc/passwd` file to `/etc/shadow`, which is readable only by the `root` user, so unprivileged users cannot copy the hashes for offline cracking.
Shadow passwords store password-aging information: the date of the last change, the minimum and maximum number of days between changes, the warning period, and the account expiry date.
Shadow passwords allow the `/etc/login.defs` file to enforce password-aging policy: its `PASS_MAX_DAYS`, `PASS_MIN_DAYS`, and `PASS_WARN_AGE` values become the defaults written into `/etc/shadow` for newly created accounts.
Most utilities provided by the [package]*shadow-utils* package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the `/etc/shadow` file, some utilities and commands do not work without first enabling shadow passwords:
The [command]#chage# utility for setting password-aging parameters. For details, see the link:++https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Hardening_Your_System_with_Tools_and_Services.html#sec-Password_Security++[Password Security] section in the [citetitle]_Red{nbsp}Hat Enterprise{nbsp}Linux{nbsp}7 Security Guide_.
The [command]#gpasswd# utility for administering the `/etc/group` file and its shadowed counterpart, `/etc/gshadow`.
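The script below is an added example, not part of the original guide, and the records in it are constructed sample data rather than a real `/etc/shadow`. It reads the aging fields that only `/etc/shadow` carries (the fields [command]#chage# reports) and classifies each account as locked, expired, in its warning window, or fine, and it checks that a `/etc/passwd` line has had its hash moved out into `/etc/shadow`. Field meanings follow shadow(5).

```shell
#!/bin/sh
# Added example, not from the original guide. Classifies accounts from
# /etc/shadow-format lines the way chage(1) and the login process read them.
# The lines below are constructed sample data, not a real shadow file.
#
# /etc/shadow fields (see shadow(5)), colon-separated:
#   1 login  2 hash  3 last change (days since 1970-01-01)  4 min days
#   5 max days  6 warn days  7 inactive days  8 account expiry (days)  9 reserved

# shadow_status LINE TODAY -> account-expired | locked | expired | warn | ok
# TODAY is the current day number (days since the epoch), as chage counts it.
shadow_status() {
    today=$2
    IFS=: read -r login hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
    # Account expiry (field 8) ends all access regardless of the password.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # A hash of "!" / "!!" / "*" can never match a password: the account is locked.
    case $hash in
        '!'*|'*') echo locked; return 0 ;;
    esac
    # Last change 0 forces a change at next login; an empty value disables aging.
    if [ "$lastchg" = 0 ]; then echo expired; return 0; fi
    if [ -z "$lastchg" ]; then echo ok; return 0; fi
    # An empty or 99999 max means the password never expires.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi
    age=$(( today - lastchg ))
    if [ "$age" -gt "$max" ]; then
        echo expired
    elif [ $(( max - age )) -le "${warn:-0}" ]; then
        echo warn
    else
        echo ok
    fi
}

# passwd_uses_shadow PASSWD_LINE -> success if field 2 is "x", i.e. the hash
# has been moved out of the world-readable /etc/passwd into /etc/shadow.
passwd_uses_shadow() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = x ]
}

# Constructed sample records (hashes are placeholders, not real digests).
SHADOW_SAMPLE='alice:$6$saltsalt$placeholderhash:19500:0:90:7:::
bob:!!:19500:0:99999:7:::
carol:$6$saltsalt$placeholderhash:0:0:90:7:::
dave:$6$saltsalt$placeholderhash:19500:0:90:7::19520:'
TODAY=19550   # a fixed "today" so the output is reproducible

printf '%s\n' "$SHADOW_SAMPLE" | while IFS= read -r rec; do
    printf '%-6s %s\n' "${rec%%:*}" "$(shadow_status "$rec" "$TODAY")"
done
# alice  ok   (age 50 of 90 days; the warning window starts at day 83)
# bob    locked
# carol  expired
# dave   account-expired

passwd_uses_shadow 'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    && echo 'alice: hash is in /etc/shadow'
```

On a live system, [command]#chage -l user# prints the same fields in human-readable form; a `/etc/passwd` line whose second field is anything other than `x` is an account whose hash is still exposed to every local user.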