4 Working With User and Group Accounts
By default, a new installation of Oracle Linux uses local user and group accounts for
authentication, permissions handling, and access to resources. When working with local
accounts for users and groups, you use three main commands: useradd, groupadd, and
usermod. Through these commands and their different options, you can add or delete users
and groups, as well as modify user or group settings.
About User and Group Accounts
To implement system authentication, Oracle Linux uses two types of accounts: user and
group. Together, these accounts hold information such as passwords, home directories for
users, login shells, group settings and memberships, and so on. The information is used to
ensure that only authorized logins are granted access to the system. Users without
credentials, or whose credentials do not match the information in these accounts, are locked
out of the system.
By default, user and group information is located locally in the system. However, in an
enterprise environment that might have hundreds of servers and thousands of users, user
and group account information is better stored in a central repository rather than in files on
individual servers. User and group information is configured on a central server and then
retrieved through services such as the Lightweight Directory Access Protocol (LDAP) or the
Network Information Service (NIS). Central management of this information is more efficient
than storing and configuring user and group information locally.
Where User and Group Information Is Stored Locally
Unless you select a different authentication mechanism during installation or use the
authselect command to create an authentication profile, Oracle Linux verifies a user's
identity by using the information that is stored in the /etc/passwd and /etc/shadow files.
The /etc/passwd file stores account information for each user, such as the user's unique
user ID (or UID, which is an integer), username, home directory, and login shell. A user logs
in using a username, but the operating system works with the associated UID. When the
user logs in, the user is placed in the home directory and the login shell runs.
The /etc/group file stores information about groups of users. A user also belongs to one or
more groups, and each group can contain one or more users. If you grant access
privileges to a group, all members of the group receive the same access privileges. Each
group account has a unique group ID (GID, again an integer) and an associated group name.
By default, Oracle Linux implements the user private group (UPG) scheme where adding a
user account also creates a corresponding UPG with the same name as the user, and of
which the user is the only member.
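The following is an added example, not part of the Oracle documentation: it audits passwd and group files in the layout described above, reporting accounts that fall outside the UPG scheme (primary GID does not map to a same-named group) and any UID 0 account other than root. The sample files, including the accounts alice, bob, svc and toor, are constructed for the example rather than taken from a real system.

```shell
#!/bin/sh
# Write constructed sample passwd and group files into the directory given as $1.
# Lines follow the real colon-separated layout:
#   passwd: name:password:UID:GID:GECOS:home:shell
#   group:  name:password:GID:member_list
make_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:100:Service account:/var/lib/svc:/sbin/nologin
toor:x:0:0:Constructed extra UID 0 account:/root:/bin/bash
EOF
  cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:svc
alice:x:1000:
EOF
}

# Print every user whose primary GID is not owned by a group with the same name
# as the user, i.e. accounts that do not follow the user private group scheme.
# The first pass (NR==FNR) indexes the group file by GID; the second pass
# checks each passwd entry's GID (field 4) against that index.
check_upg() {
  awk -F: 'NR == FNR { gname[$3] = $1; next }
           gname[$4] != $1 { print $1 }' "$1/group" "$1/passwd"
}

# Print every account other than root whose UID (field 3) is 0; such accounts
# have full administrative rights regardless of their name.
check_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/passwd"
}

# Stand-alone usage against the constructed samples.
d=$(mktemp -d)
make_samples "$d"
echo "Accounts outside the UPG scheme:"; check_upg "$d"
echo "UID 0 accounts other than root:"; check_uid0 "$d"
rm -rf "$d"
```

Point the two check functions at a directory containing the live /etc/passwd and /etc/group to run the same audit on a real host.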
By default, both users and groups use shadow passwords, which are cryptographically
hashed and stored in /etc/shadow and /etc/gshadow respectively. These shadow
password files are readable only by the administrator. The administrator can set a group