Product SiteDocumentation Site

Chapter 3. Managing Users and Groups

3.1. Introduction to Users and Groups
3.1.1. User Private Groups
3.1.2. Shadow Passwords
3.2. Using the User Accounts Tool
3.2.1. Configuring an Account
3.2.2. Adding a New User
3.2.3. Removing a User
3.3. Using the User Manager Tool
3.3.1. Viewing Users and Groups
3.3.2. Adding a New User
3.3.3. Adding a New Group
3.3.4. Modifying User Properties
3.3.5. Modifying Group Properties
3.4. Using Command Line Tools
3.4.1. Adding a New User
3.4.2. Adding a New Group
3.4.3. Enabling Password Aging
3.4.4. Enabling Automatic Logouts
3.4.5. Creating Group Directories
3.5. Additional Resources
3.5.1. Installed Documentation
The control of users and groups is a core element of Fedora system administration. This chapter explains how to add, manage, and delete users and groups in the graphical user interface and on the command line, and covers advanced topics, such as enabling password aging or creating group directories.

3.1. Introduction to Users and Groups

While users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use, groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
Each user is associated with a unique numerical identification number called a user ID (UID). Likewise, each group is associated with a group ID (GID). A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by root, and access permissions can be changed by both the root user and file owner.
Additionally, Fedora supports access control lists (ACLs) for files and directories which allow permissions for specific users outside of the owner to be set. Refer to For more information about this feature, refer to the Access Control Lists chapter of the Storage Administration Guide.

3.1.1. User Private Groups

Fedora uses a user private group (UPG) scheme, which makes UNIX groups easier to manage. A user private group is created whenever a new user is added to the system. It has the same name as the user for which it was created and that user is the only member of the user private group.
User private groups make it safe to set default permissions for a newly created file or directory, allowing both the user and the group of that user to make modifications to the file or directory.
The setting which determines what permissions are applied to a newly created file or directory is called a umask and is configured in the /etc/bashrc file. Traditionally on UNIX systems, the umask is set to 022, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, including members of the creator's group, are not allowed to make any modifications. However, under the UPG scheme, this group protection is not necessary since every user has their own private group.

3.1.2. Shadow Passwords

Especially in environments with multiple users, it is very important to use shadow passwords provided by the shadow-utils package to enhance the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
The following is a list of the advantages shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
  • Shadow passwords improve system security by moving encrypted password hashes from the world-readable /etc/passwd file to /etc/shadow, which is readable only by the root user.
  • Shadow passwords store information about password aging.
  • Shadow passwords allow the /etc/login.defs file to enforce security policies.
Most utilities provided by the shadow-utils package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the /etc/shadow file, any commands which create or modify password aging information do not work. The following is a list of utilities and commands that do not work without first enabling shadow passwords:
  • The chage utility.
  • The gpasswd utility.
  • The usermod command with the -e or -f option.
  • The useradd command with the -e or -f option.