RHCSA Certification Course

Chapter #5: How to Manage Users, Groups, and Permissions

In this chapter, you'll learn how to create, modify, and delete user accounts on a RHEL server, manage groups, and control file access using key Linux commands.

Managing a RHEL server, as with any other Linux server, requires that you know how to add, edit, suspend, or delete user accounts, and how to grant users the permissions they need on files, directories, and other system resources to perform their assigned tasks.

Creating and Managing User Accounts

To add a new user account to a RHEL server, you can run either of the following two commands as root:

adduser [new_account]
useradd [new_account]

When a new user account is added to the system, by default the following operations are performed:

1) His/her home directory is created (/home/username unless specified otherwise).

2) The following hidden files are copied into the user’s home directory and will be used to provide environment variables for his/her user session. You can explore each of them for further details.

  • .bash_logout
  • .bash_profile
  • .bashrc

3) A mail spool is created for the user.

4) A group is created and given the same name as the new user account.

The full account information is stored in the /etc/passwd file. This file contains a record per system user account and has the following format (fields are delimited by a colon):

[username]:[x]:[UID]:[GID]:[Comment]:[Home directory]:[Default shell]
  • Fields [username] and [Comment] are self-explanatory.
  • The x in the second field indicates that the account is protected by a shadowed password (in /etc/shadow), which is needed to log in as [username].
  • The [UID] and [GID] fields are integers that represent the User IDentification and the primary Group IDentification to which [username] belongs, respectively.
  • The [Home directory] indicates the absolute path to [username]’s home directory, and
  • [Default shell] is the shell that is assigned to this user when he or she logs into the system.

Group information is stored in /etc/group. Each line follows this pattern:

[Group name]:[Group password]:[GID]:[Group members]

Where:

  • [Group name] is the name of the group.
  • An x in [Group password] indicates group passwords are not being used.
  • [GID]: same as in /etc/passwd
  • [Group members]: a comma-separated list of users who are members of [Group name].
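
An added example, not part of the original course: shell functions that read files in the /etc/passwd and /etc/group formats described above and report accounts without a shadowed password, extra UID 0 accounts, and a user's full group membership. The function names and the sample records are constructed for illustration; pass /etc/passwd and /etc/group instead to check a real host.

```shell
#!/bin/sh
# Added example: audit files in the /etc/passwd and /etc/group formats.
# Function names and sample records are constructed for illustration.

# Accounts whose second field is not "x" (password not shadowed).
unshadowed_accounts() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# Accounts other than root that carry UID 0 (full root privileges).
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Line numbers in a passwd-format file that do not have exactly 7 fields.
malformed_passwd_lines() { awk -F: 'NF != 7 { print FNR }' "$1"; }

# All groups of user $1: primary (GID in passwd file $2) plus every
# group in group file $3 whose member list names the user.
groups_of() {
    awk -F: -v u="$1" '
        NR == FNR { if ($1 == u) gid = $4; next }      # pass 1: passwd
        gid != "" && $3 == gid { print $1; next }      # primary group
        { n = split($4, m, ",")                        # supplementary
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }
    ' "$2" "$3"
}

# Constructed sample data (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_GROUP=$SAMPLE_DIR/group
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ravisaive:x:1001:1001:Ravi:/home/ravisaive:/bin/bash
svcold::1002:1002::/home/svcold:/bin/sh
toor:x:0:0::/root:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:ravisaive
ravisaive:x:1001:
svcold:x:1002:
group1:x:2001:svcold,ravisaive
EOF

echo "Not shadowed: $(unshadowed_accounts "$SAMPLE_PASSWD")"
echo "Extra UID 0:  $(extra_uid0 "$SAMPLE_PASSWD")"
echo "Groups of ravisaive:"; groups_of ravisaive "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```
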

After adding an account, you can edit the user’s account information using the usermod command, whose basic syntax is:

usermod [options] [username]

Example 1: Setting the Expiry Date for an Account

If you work for a company that has some kind of policy to enable accounts for a certain interval of time, or if you want to grant access for a limited period of time, you can use the --expiredate flag followed by a date in YYYY-MM-DD format.

To verify that the change has been applied, you can compare the output of chage -l before and after running usermod:

chage -l ravisaive
usermod --expiredate=2019-12-25 ravisaive
chage -l ravisaive

This will update the expiration date of the user ravisaive to the date passed with --expiredate. The chage -l command displays the account aging information, allowing you to confirm that the expiry date has been set correctly.

Note:

  • If you set the expiry date to an empty string (e.g., usermod --expiredate="" username), it means the account will never expire.
  • Make sure the date is in the correct YYYY-MM-DD format; using the wrong format can cause the command to fail silently.
  • You must run these commands as the root user or with appropriate sudo privileges.

This method is especially useful for creating temporary accounts, managing contractors, or enforcing time-based access control without manual cleanup later.

Example 2: Adding the User to Supplementary Groups

Besides the primary group that is created when a new user account is added to the system, a user can be added to supplementary groups using the combined -aG, or --append --groups options, followed by a comma-separated list of groups.

usermod -a -G wheel ravisaive
usermod -a -G group1,group2 ravisaive
groups ravisaive

To remove a user from a group, run usermod -G with the list of groups you want the user to keep. An empty list, as in the following command, removes the user from all supplementary groups:

usermod -G "" ravisaive
groups ravisaive

  • When using -G without -a, it replaces the user’s current supplementary groups with the ones you list. Be cautious: omitting important groups can remove access permissions unintentionally.
  • If you want to assign multiple groups and keep existing ones, always include the -a option.
  • To view all groups available on the system, you can run:

cut -d: -f1 /etc/group