Chapter 4: User and Group Management Answers
Red Hat RHCSA 10 Study Companion: Getting Ready for the EX200 Exam by Andrey Markelov (May 2026).
Topics
- Creating users and groups
- User modification and deletion
- Password aging policies
- Sudo configuration
exercise_01.sh
#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 1: Create a new devusers group. Create new users named devuser1, devuser2, and devuser3,
# and add them to the devusers group. Add devuser1 to the wheel group.
#
# Task: Set up a new group and three users with proper group memberships.

dev_group=devusers
accounts=(devuser1 devuser2 devuser3)

# The group must exist before useradd -G can reference it.
sudo groupadd "$dev_group"

# -G sets the supplementary group only; the primary group is left to the
# system default.
for account in "${accounts[@]}"; do
  sudo useradd -G "$dev_group" "$account"
done

# -a appends; without it, -G would replace the existing supplementary groups.
# NOTE(review): on a default RHEL sudoers, wheel members can typically run any
# command through sudo, so this line is a privilege grant, not just a label.
sudo usermod -aG wheel "${accounts[0]}"

# Set passwords for the users.
# passwd prompts on the terminal, so no password is stored in this script,
# the shell history, or the process list.
for account in "${accounts[@]}"; do
  echo "Password for user ${account}"
  sudo passwd "$account"
done

# Verify user configurations
for account in "${accounts[@]}"; do
  id "$account"
done

# Verify group memberships
for group_name in wheel "$dev_group"; do
  getent group "$group_name"
done
exercise_02.sh
#!/bin/bash
# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 2: Modify the devuser3 account. Change the comment field to "Senior Developer - devuser3",
# add the account to an existing secondary group named sshd, and change its default shell to
# /usr/sbin/nologin. Ensure that existing secondary groups are preserved.
#
# Task: Modify user attributes including comment, shell, and group membership.

account=devuser3

# --append is what preserves the current supplementary groups; --groups on its
# own would replace them with just sshd.
# NOTE(review): sshd is used here only because the exercise needs a group that
# already exists; it appears to be a service group, so confirm before copying
# this to a real system.
# NOTE(review): a nologin shell blocks interactive shell logins; whether other
# access (for example SSH features that do not start a shell) is also blocked
# depends on service configuration, so verify that separately.
sudo usermod \
  --comment "Senior Developer - devuser3" \
  --append --groups sshd \
  --shell /usr/sbin/nologin \
  "$account"

# Verify the changes: the passwd entry shows the comment and shell, id shows
# the group list.
getent passwd "$account"
id "$account"
exercise_03.sh
#!/bin/bash
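# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 3: Lock the devuser2 account. Verify the change by checking entry in /etc/shadow.
#
# Task: Lock a user account and verify the lock status in the shadow file.

# -L puts a '!' in front of the stored password hash, which disables password
# authentication only. Logins that do not use the password (for example SSH
# keys) are not affected; usermod(8) advises also setting the expiry date
# (usermod -e 1) when the whole account has to be disabled.
sudo usermod -L devuser2

# Verify the lock (should see '!' before the password hash).
# The pattern is anchored to the name field so that only this account's entry
# is printed, not every line that happens to contain the string "devuser2".
sudo grep '^devuser2:' /etc/shadow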
exercise_04.sh
#!/bin/bash
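# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 4: Delete the devuser2 account, ensuring the home directory is also deleted.
# Verify that the entry is no longer in /etc/passwd.
#
# Task: Remove a user account completely including their home directory.

# -r removes the home directory and mail spool along with the account.
# Files the user owned elsewhere are not touched and keep the old numeric UID;
# an audit such as `find / -xdev -nouser` lists them so they cannot be
# inherited by a later account that is given the same UID.
sudo userdel -r devuser2

# Verify deletion.
# grep exits non-zero when nothing matches, which is the expected outcome here.
# Under `set -e` a bare grep would therefore abort the script on success, so
# the checks run inside `if`, where a non-zero status is not fatal.
if grep -q '^devuser2:' /etc/passwd; then
  echo "devuser2 is still listed in /etc/passwd" >&2
  exit 1
fi
if sudo grep -q '^devuser2:' /etc/shadow; then
  echo "devuser2 is still listed in /etc/shadow" >&2
  exit 1
fi
echo "devuser2 is no longer listed in /etc/passwd or /etc/shadow"

# The home directory should be gone as well.
sudo ls /home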
exercise_05.sh
#!/bin/bash
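# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 5: For devuser1, set the minimum number of days between password changes to 8 and
# the maximum number of days to 40. Set the warning period before devuser1's password expires
# to 14 days. Force devuser1 to change their password on the next login.
# Set devuser1's account to expire on December 30, 2028.
#
# Task: Configure password aging and account expiration settings for a user.

#   -m 8           minimum days between password changes
#   -M 40          maximum days a password stays valid
#   -W 14          days of warning before the password expires
#   -d 0           last-change date of 0 forces a change at the next login
#   -E 2028-12-30  account expiry date; this is the date stated in the task
#                  (the command previously used 2028-12-31, which did not
#                  match it)
sudo chage -m 8 -M 40 -W 14 -d 0 -E 2028-12-30 devuser1

# Verify the settings
sudo chage -l devuser1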
exercise_06.sh
#!/bin/bash
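# @type: executable
# @requires: root
# @safe: no
set -euo pipefail
# Exercise 6: Create a new file /etc/sudoers.d/devs using visudo with option -f.
# In this new file, add a rule that allows the user devuser2 to run all commands as root
# without needing a password. Add a rule that allows the group devusers to run all commands
# defined by alias SERVICES from /etc/sudoers as root that require a password.
# Make sure SERVICES is uncommented in /etc/sudoers.
# Will devuser2 be required to use a password for /usr/bin/systemctl start?
#
# Task: Configure sudo rules for users and groups with specific permissions.

# Lines to add to the file:
# devuser2 ALL=(ALL) NOPASSWD: ALL
# %devusers ALL=(ALL) SERVICES
#
# Answer: No, devuser2 will not be required to use a password for /usr/bin/systemctl start
# because devuser2 has NOPASSWD for ALL commands.
# NOTE(review): that answer holds only while devuser2 is not a member of
# devusers. sudo applies the last matching entry, so if devuser2 were in
# devusers (as set up in Exercise 1) the %devusers line would match last and,
# having no NOPASSWD tag, would prompt for a password for SERVICES commands.
#
# NOTE(review): NOPASSWD: ALL is passwordless full root and belongs in a lab
# only. Exercise 4 deleted devuser2, so this rule names an account that may no
# longer exist; any account later created under that name would inherit it.
# The task says "as root"; (ALL) also permits running as other users, and
# (root) would be the narrower form.

# Show the rules before the editor opens. visudo is interactive and blocks
# until the editor exits, so text printed after it would arrive too late.
echo "In the editor that opens next, add these lines to /etc/sudoers.d/devs:"
echo "devuser2 ALL=(ALL) NOPASSWD: ALL"
echo "%devusers ALL=(ALL) SERVICES"

# Create the sudoers file using visudo, which syntax-checks the file on save.
sudo visudo -f /etc/sudoers.d/devs

# Re-check the saved file non-interactively; a syntax error here fails the
# script instead of leaving a broken drop-in behind unnoticed.
sudo visudo -cf /etc/sudoers.d/devs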