The file where system user account definition is done is /etc/passwd. This file has the following structure :

...

username
The system account username . It should not start with a number or include uppercase letters.

x
The password. An x points to /etc/shadow for the password. An * means the account is disabled. A random group of letters and numbers represents the encrypted password.

500
The user ID (UID) for that user.

500
The group ID (GID) associated with that user.

Some comments
Any information can be used in this field.

/home/username
By default, RHEL places new home directories in /home/username.

/bin/bash
Default user shell.

In order add/delete users to the system this file can be edited directly with vipw or using useradd/userdel commands as described in next sections.
/etc/group

The file where system group account definition is done is /etc/group. This file has the following structure :


...

groupname
The system account groupname user gets his own group. By default when a user is created is related to a group with groupname equal to username.

x
The group password password. An x points to /etc/gshadow for the password. As user password on /etc/passwd random group of letters and numbers represents the encrypted password.

500
The group ID (GID) associated with user.

user1,user2
Lists of users that belong to the group. If it's blank means that there is a username that is identical to the groupname.

In order add/delete groups to the system this file can be edited directly with vigr or using useradd/userdel commands as described in next sections.
/etc/shadow

The /etc/passwd file is can be read for every user on the system so include the encrypted password there is not a good idea. For this reason the file /etc/shadow accessible to root only is used to store the encrypted password :
...

username
Username shadow entry, it is related with 'username' account on /etc/passwd.

$1sdsew$td%wqee@132ewSDADdsa
Encrypted password. An x in the second column of /etc/passwd means that the encrypted password is stored here.

14860
Last password change date, in Linux epoch number of days: number of days after January 1, 1970.

0
The value of 0 here means that this user can keep this password forever.

99999
The system will ask to username to change his password after 99999 days since account creation.

::
This value means the number of days before password expiration when a warning is given, in this case none.

::
It sets the number of days after password expiration when an account is made inactive, in this case none.

::
This value means the number of days after password expiration when an account is disabled, in this case none.
Adding user account

When a user account needs to be added to the system the command useradd must be used :
With this command we have created the user account 'john' with UID=600 which home directory in /home/john and default shell bash. By default the user is assigned to a new created group 'john' with GID=600. This value can be changed using the -g option.

Next step must be create a password to 'john' account with the command '$ passwd john'
Deleting user account

When a user account needs to be removed in the system the command userdel must be used :

With this command all information about 'john' account is removed on the system, including all /home/john directory and mail spool files.

Modifying user account

In order to change the parameters of an existing account the commands usermod and/or chage can be used :
By default when a user account is created some environment files stored in /etc/skel are copied to the user home directory. Any changes applied to this files on /etc/skel directory are propagated to the new users home directories.

.bashrc
This file points to the general /etc/bashrc configuration file. It normally includes the commands to be run bash shell is started.

.bash_logout
This file is executed when the user exits a bash shell. It normally includes commands for clearing screen, umount partitions, etc.

.bash_profile
It is the bash startup environment where environment variables as PATH and LIB_PATH are configured.

The system-wide shell configuration files are stored in /etc/bashrc and /etc/profile. These files configure the default system-wide umask value for default file creation permission, the default prompt display, the system-wide PATH, aliases, etc.
Switch accounts with 'su'

The 'su' commands allows the change between users accounts without logout :
It also allows to execute some command/script as another user after authentication without changing the user account :
Without changing user john account we have executed the 'id' command as 'cate' user after typing cate password
Execute a command as another user with 'sudo'

A most powerful way to execute process as another user than 'su -c' is the sudo command. The file /etc/sudoers accessible with visudo command controls how sudo is executed.

The sudoers file format looks like:

user host = (userl) command

* user is the username or groupname to which the rule applies
* host is a list of hosts where the rule applies
* userl is the user that this rule can be run as. If it is not specified sudo run the command as root user
* command is the command/s that can be run as userl from user account

The parameters host, userl and command can be replaced with the ALL, meaning unrestricted access for this parameter. The parameter NOPASSWD after userl means that no passowrd authentication is required on sudo execution.
Sudo examples

%john ALL=(cate) /usr/bin/id


Without changing user john account we have executed the 'id' command as 'cate' user after typing john password. Note the difference with the 'su' command, with sudo you do not need to know the user password to run a process as that user.

%john ALL=(cate)NOPASSWD: /usr/bin/id

The same as before without typing any password

%john ALL=NOPASSWD: /bin/mount, /bin/umount

User john can execute mount/umount (only root can run these commands) as root without typing any password. Note that no userl is specified the sudo execution is done as root.

SUID

The Set User ID permission changes the effective user ID permission to the owner file user ID in the file execution. It allows run a command/script as the owner´s file. In this case the permission is set up on the standard file permission with the chmod u+s command. One common example is the passwd command that allow system users change their password without being root on the system :
The 's' on the user permission field means that this when a system user like 'john' will run this command it will be executed with the effective owner file user ID root which has the right permissions to modify the /etc/shadow file in order to change 'john' password.
SGID

The Set Group ID permission changes the effective group ID permission to the owner file group ID in the file execution. It allows share files between users in the same group. As the SUID the permission is set up on the standard group directory using the command chmod g+s command:

Create a new system group called admin.


Add users john, cate and mike to 'admin' group.

Create the shared directory '/home/admin'.

Change the shared directory group ownership to 'admin'.
Only group 'admin' has access to the shared directory '/home/admin'.
Set the group bit to the shared directory '/home/admin', the 's' in the group permission field. Now the files created on /home/admin automatically inherits 'admin' group ID so all 'admin' group members (john ,cate and mike) can access rw directly to all the files on the shared /home/admin group directory without changing any permission.

STICKY DIRECTORY

The sticky permission ('t' on others permission field) allows to remove files only to the owner in 777 directories as /tmp. Thanks to the sticky permission on /tmp everybody can create/remove files but only the owner of the file can remove it. As previous examples the permission is applied on the directory with the chmod o+t command :


The file /tmp/cate has 777 permision so everybody can remove it, but the directory that contains the file /tmp has the sticky bit set so only the file owner ('cate') can remove /tmp/cate.