Linux CentOS - Redhat Installation Best practice

Partitioning

By separating file systems into various partitions, you can fine-tune permissions and functionality. This gives you greater granularity for permissions and adds a layer of security that any potential bad guys have to work through.

Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.

  Disk OS with LVM (required)
  Disks data with LVM (required)
                 type    name                       size   mount point
  disk 1 (18GB)  static  /dev/sda1                  512M   /boot
                 LVM     /dev/mapper/rootvg-root    2G     /
                 LVM     /dev/mapper/rootvg-usr     6G     /usr
                 LVM     /dev/mapper/rootvg-var     2G     /var
                 LVM     /dev/mapper/rootvg-opt     1G     /opt
                 LVM     /dev/mapper/rootvg-tmp     2G     /tmp
                 LVM     /dev/mapper/rootvg-home    2G     /home
                 LVM     /dev/mapper/rootvg-swap    2G     swap
  disk2          LVM     /dev/mapper/datavg-data    10G    /data

Modifying fstab

Once you have your partitions broken out and sized accordingly, you can begin to restrict the various mount points as much as possible. You should add nodev, noexec, and nosuid wherever possible.

An example of a decently restricted /etc/fstab file is below:

/dev/mapper/rootvg-root /                       ext4    defaults        1 1
/dev/sda1               /boot                   ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-home /home                   ext4    defaults,nosuid,nodev        1 2
/dev/mapper/rootvg-opt  /opt                    ext4    defaults        1 2
/dev/mapper/rootvg-tmp  /tmp                    ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/rootvg-usr  /usr                    ext4    defaults        1 2
/dev/mapper/rootvg-var  /var                    ext4    defaults,nosuid        1 2
/dev/mapper/rootvg-swap swap                    swap    defaults        0 0
/dev/mapper/reposvg-reposlv /repos              ext4    defaults        1 2
/dev/mapper/reposvg-repcentoslv /repos/CentOS   ext4    defaults        1 2
/dev/mapper/reposvg-weblv        /var/www ext4      defaults,nosuid,nodev  1 2
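
A check for the restrictions above, added here as an example and not part of the original page: it reports policy mount points whose fstab entry lacks a required option, or that have no entry of their own at all. The policy string repeats the options of the fstab above; the function names and the sample input are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original page): audit an fstab against the
# mount options used in the restricted /etc/fstab shown above.

# Policy copied from that fstab: mount point = options that must be present.
POLICY='/boot=nosuid,noexec,nodev /home=nosuid,nodev /tmp=nosuid,noexec,nodev /var=nosuid /var/www=nosuid,nodev'

# audit_fstab [FILE]   (reads stdin when FILE is omitted)
# Prints "WEAK <mount point> <missing options>" or "ABSENT <mount point>";
# prints nothing when every policy entry is satisfied.
audit_fstab() {
    awk -v policy="$POLICY" '
        BEGIN {
            n = split(policy, p, " ")
            for (i = 1; i <= n; i++) {
                split(p[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # fstab fields: device, mount point, type, options, dump, pass
        NF >= 4 && $1 !~ /^#/ { have[$2] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                mp = order[i]
                if (!(mp in have)) { print "ABSENT " mp; continue }
                miss = ""
                k = split(want[mp], req, ",")
                for (j = 1; j <= k; j++)
                    if (index("," have[mp] ",", "," req[j] ",") == 0)
                        miss = miss (miss == "" ? "" : ",") req[j]
                if (miss != "") print "WEAK " mp " " miss
            }
        }
    ' "$@"
}

# Constructed sample input: /home and /tmp were weakened, /var/www has no entry.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not taken from a real host
/dev/mapper/rootvg-root /      ext4 defaults                      1 1
/dev/sda1               /boot  ext4 defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-home /home  ext4 defaults,nodev                1 2
/dev/mapper/rootvg-tmp  /tmp   ext4 defaults                      1 2
/dev/mapper/rootvg-var  /var   ext4 defaults,nosuid               1 2
EOF
}

sample_fstab | audit_fstab
```

On a real host run `audit_fstab /etc/fstab`. An ABSENT line means the directory is not on its own file system, so none of the options can be applied to it separately.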

Customize profile

Add into /etc/profile

HISTSIZE=10000
EXTENDED_HISTORY=ON
HISTTIMEFORMAT="%F %T "
export HISTSIZE EXTENDED_HISTORY HISTTIMEFORMAT

Install additional packages

Some alternative commands exist natively:

tracepath ==> traceroute

Adapt the yum repositories in /etc/yum.repos.d/ to be able to reach the right repositories
Add ntp and net-tools (for ifconfig command), and other utilities

yum -y install chrony
yum -y install gdisk
yum -y install psmisc             # (fuser, killall, pstree...)
yum -y install yum-utils          #(needs-restarting)
yum -y install telnet             #(client only to debug)
yum -y install net-tools          #(ifconfig, arp, netstat)
yum -y install lsof
yum -y install mlocate            #(locate)
yum -y install bind-utils         #(host, nslookup)
yum -y install open-vm-tools      #(VMware Tools)
yum -y install sg3_utils          #(scsi-rescan, alias for rescan-scsi-bus.sh)
yum -y install cpulimit           #(limit CPU usage per process)
yum -y install nmap-ncat          # nc command
yum -y install system-storage-manager   #ssm list
yum -y install dosfstools         # to mount USB keys in vfat, exfat
yum -y install gpm                # copy/paste using mouse (in terminal)
yum -y install screen             # start a terminal in background (in terminal)
yum -y install cloud-utils-growpart # growpart

For NTFS USB keys, you can also download and install the ntfs-3g package from EPEL:

http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/n/

List and remove unused services

On Redhat and CentOS 7, some services are replaced by their new version:

NetworkManager.service (network service) instead of network.service
chronyd.service (NTP service) instead of ntpd.service
firewalld.service (firewall service) instead of iptables.service and ip6tables.service

[root@centos7 ~]# systemctl list-unit-files | egrep -i "firew|Network|chrony|postfix|tables|bluetooth"
chrony-wait.service                        disabled
chronyd.service                            enabled
firewalld.service                          disabled
NetworkManager-dispatcher.service          active
NetworkManager-wait-online.service         active
NetworkManager.service                     running
postfix.service                            disabled
network-online.target                      static
network.target                             static
iptables.service                           disabled
ip6tables.service                          disabled
bluetooth.service                          disabled
bluetooth.target                           static

Disable unused services

If SELinux is not required for security purposes, you can disable it and then reboot. SELinux will prevent many actions, such as automatic connection of users using SSH public keys (you can also keep it enabled and allow only the parts you require).

[root@centos7 ~]# vi /etc/selinux/config
SELINUX=disabled

Reboot now.

Example of disable/enable services:

[root@centos7 ~]# for i in postfix.service firewalld.service bluetooth.service
do
systemctl disable $i
systemctl stop $i
done

Note: postfix is required to forward email.

Enable some services

chronyd.service

[root@centos7 ~]# yum -y install ntp
[root@centos7 ~]# for i in chronyd.service
do
systemctl enable $i
systemctl start $i
done

Enable additional useful services if needed

[root@centos7 scripts]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@centos7 scripts]# systemctl start httpd.service

Remove services that are in LISTEN state

In this example, you could disable the rpcbind.service

[root@centos7 ~]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     10242    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     16930    @/tmp/dbus-wEGN6K01Pn
unix  2      [ ACC ]     STREAM     LISTENING     16307    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     17599    /tmp/.ICE-unix/1146
unix  2      [ ACC ]     SEQPACKET  LISTENING     10256    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15164    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     15166    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     14414    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     16306    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     18796    /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     1388     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     17778    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     14458    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     18556    /var/run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     18558    /var/run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     17598    @/tmp/.ICE-unix/1146
unix  2      [ ACC ]     STREAM     LISTENING     16036    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     17418    @/tmp/dbus-0PYMRpYu
unix  2      [ ACC ]     STREAM     LISTENING     16892    @/tmp/dbus-bKDTQeVf
unix  2      [ ACC ]     STREAM     LISTENING     16893    @/tmp/dbus-Skwj1TBB
unix  2      [ ACC ]     STREAM     LISTENING     17543    @/tmp/dbus-qVKMoS2bff
unix  2      [ ACC ]     STREAM     LISTENING     18410    @/tmp/dbus-V9cHUqaM
unix  2      [ ACC ]     STREAM     LISTENING     17419    @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
[root@lstor2rrd ~]# systemctl list-unit-files  | egrep -i "rpc"
var-lib-nfs-rpc_pipefs.mount               static
rpcbind.service                            enabled
rpcgssd.service                            disabled
rpcidmapd.service                          disabled
rpcsvcgssd.service                         disabled
rpcbind.socket                             enabled
rpcbind.target                             static
[root@centos7 ~]# systemctl list-units  | egrep -i "rpc"
proc-fs-nfsd.mount                                                                               loaded active mounted   RPC Pipe File System
var-lib-nfs-rpc_pipefs.mount                                                                     loaded active mounted   RPC Pipe File System
rpcbind.service                                                                                  loaded active running   RPC bind service
rpcbind.socket                                                                                   loaded active running   RPCbind Server Activation Socket 
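
The triage step above as a reusable filter, added here as an example and not part of the original page: it reads `netstat -an` output and lists TCP listeners whose port is not on an allow-list, with the scope of the bind address. The allow-list `22 80`, the function names and the loopback and tcp6 sample rows are assumptions; the other sample rows repeat the output above.

```sh
#!/bin/sh
# Added example (not from the original page): list TCP listeners that are
# not on an allow-list of expected ports.

# unexpected_listeners "PORT PORT ..."   (reads netstat -an output on stdin)
# Prints "<port>/tcp <bind address> <scope>" for every unexpected listener.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP rows: proto, recv-q, send-q, local address, foreign address, state
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)                  # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (port in ok) next
            if (host == "0.0.0.0" || host == "::" || host == "*")
                scope = "all-interfaces"           # reachable from the network
            else if (host ~ /^127\./ || host == "::1")
                scope = "loopback"                 # local clients only
            else
                scope = "single-address"
            print port "/tcp " host " " scope
        }
    '
}

# Sample input: the TCP rows shown above plus constructed loopback and tcp6 rows.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
EOF
}

sample_netstat | unexpected_listeners "22 80"
```

On a host, pipe the live output in with `netstat -an | unexpected_listeners "22 80"`, then identify each remaining port with `lsof -i :PORT` as shown above.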

Configure the network

Use the nmcli command to configure the network. It is part of NetworkManager; install it if required.

Check your IP config and routes

[root@centos7 sysctl.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.194/24 brd 192.168.21.255 scope global eno16780032
       valid_lft forever preferred_lft forever
[root@lproxymail sysctl.d]# ip route
default via 192.168.21.250 dev eno16780032
169.254.0.0/16 dev eno16780032  scope link  metric 1002
192.168.21.0/24 dev eno16780032  proto kernel  scope link  src 192.168.21.194

For information: due to the new network adapter naming convention, you will find network interfaces called enp6s0 or enp4s2f0, which doesn't satisfy everybody.
Example:

[root@centos7 ~]# dmesg | grep NIC
[    2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI
[    2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[    3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps

You can switch to the old naming convention eth0, eth1… by changing boot parameters (optional):

grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0"

Remove interface virbr0

If you are not using the libvirtd service, you may stop and disable it.

[root@centos7 ~]# systemctl stop libvirtd.service
[root@centos7 ~]# systemctl disable libvirtd.service

Stop IPV6 best practice

Disable IPV6 on network adapter

On most current operating systems, IPv6 is activated by default. Completely unloading the kernel module is not good practice; it is better to disable IPv6 for most applications. Be aware that some applications, such as SELinux, will load the IPv6 module if needed!

Create a file /etc/sysctl.d/98-disable_ipv6.conf

[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 

To disable in the running system:

[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1

Disable IPV6 on SSH server

If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:

(1) Change the line

#AddressFamily any

to   

AddressFamily inet

(inet is ipv4 only; inet6 is ipv6 only)

or

(2) Remove the hash mark (#) in front of the line

#ListenAddress 0.0.0.0

Then restart ssh.

systemctl restart sshd.service

Disable IPV6 on postfix

If problems with starting postfix are encountered on systems with IPv6 disabled, edit /etc/postfix/main.cf, comment out the localhost line and use the IPv4 loopback address instead:

#inet_interfaces = localhost
inet_interfaces = 127.0.0.1

Disable IPV6 on NTP client

Edit the file /etc/ntp.conf and comment out the line related to IPv6:

# restrict ::1

Disable IPV6 on RPCBIND

To disable IPv6 for RPCBIND (rpcbind, rpc.mountd, rpc.statd), comment out the udp6 and tcp6 lines in /etc/netconfig:

udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -
unix       tpi_cots_ord  -     loopback  -      -       -

Chrony stop IPV6

If you prefer chrony to ntpd, create the file /etc/sysconfig/chronyd and restart the related systemd daemon:

[root@fedora22 sysconfig]# cat /etc/sysconfig/chronyd 
OPTIONS="-4"

List or set a Time Zone

List the current TimeZone:

[root@fedora22 ~]# timedatectl 
      Local time: mar. 2015-10-27 14:12:13 CET
  Universal time: mar. 2015-10-27 13:12:13 UTC
        RTC time: mar. 2015-10-27 13:12:14
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
            dim. 2015-10-25 02:59:59 CEST
            dim. 2015-10-25 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at dim. 2016-03-27 01:59:59 CET
            dim. 2016-03-27 03:00:00 CEST

List available TimeZones:

[root@dlp ~]# timedatectl list-timezones
...
Pacific/Rarotonga
Pacific/Saipan
Pacific/Tahiti
Pacific/Tarawa
Pacific/Tongatapu
Pacific/Wake
Pacific/Wallis

Change the current TimeZone:

[root@dlp ~]# timedatectl set-timezone Pacific/Wallis

Custom

[root@rhlnx01 ~]# fdisk /dev/mapper/mpathi -l
Disk /dev/mapper/mpathi: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 32768 bytes / 32768 bytes
Disklabel type: dos
Disk identifier: 0xdd417826

Device              Boot   Start      End  Sectors  Size Id Type
/dev/mapper/mpathi1 *       2048    22527    20480   10M 41 PPC PReP Boot
/dev/mapper/mpathi2        22528  2080767  2058240 1005M 83 Linux
/dev/mapper/mpathi3      2080768 83886079 81805312   39G 8e Linux LVM

[root@rhlnx01 ~]# vgs

VG     #PV #LV #SN Attr   VSize  VFree
rootvg   1   7   0 wz--n- 39.00g 24.00g

[root@rhlnx01 ~]# lvs

LV          VG     Attr       LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
home        rootvg -wi-ao---- 1.00g
root        rootvg -wi-ao---- 3.00g
swap        rootvg -wi-ao---- 2.00g
tmp         rootvg -wi-ao---- 1.00g
usr         rootvg -wi-ao---- 4.00g
var         rootvg -wi-ao---- 3.00g

Linux x86 installation --> Use deployment via VCenter

All isos for installation are located in IsoScratch Datastore in VCenter:

  • Navigate to ISO>LINUX>rhel-8.6-x86_64-dvd.iso.

Base linux installation

  • For installation target select a disk and choose either LVM, or BTRFS.
  • Installation with GUI is preferred over minimal, which has very few packages.

Network configuration

Use nmcli to update the network parameters, if not configured:

[root@localhost ~]# nmcli general hostname
localhost
[root@localhost ~]# nmcli general hostname rhlnx01
[root@rhlnx01 ~]# nmcli device status
DEVICE  TYPE      STATE         CONNECTION
eth0    ethernet  disconnected  --
lo      loopback  unmanaged     --
[root@rhlnx01 ~]# nmcli con show
NAME  UUID                                  TYPE            DEVICE
eth0  3d89591d-bc03-4299-80cf-645b97ce1812  802-3-ethernet  --

[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.addresses 10.10.10.10/16 ipv4.gateway 10.10.10.100
[root@rhlnx01 ~]# nmcli con mod eth0 connection.autoconnect yes
[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.dns 10.10.10.2,10.10.10.1 ipv4.dns-search  "mydom.local"
[root@rhlnx01 ~]# nmcli con mod eth0 ipv4.method manual 
[root@rhlnx01 ~]# nmcli con up eth0 ifname eth0

[root@rhlnx01 ~]# nmcli -p con show eth0
===============================================================================
                       Connection profile details (eth0)
===============================================================================
connection.id:                          eth0
connection.uuid:                        0fd0c630-a54e-4f01-a9fc-4d1c3c42921e
connection.interface-name:              eth0
connection.type:                        802-3-ethernet
connection.autoconnect:                 yes
connection.autoconnect-priority:        0
connection.timestamp:                   1464786900
connection.read-only:                   no
....
-------------------------------------------------------------------------------
ipv4.method:                            manual
ipv4.dns:
ipv4.dns-search:
ipv4.addresses:                         10.10.10.10/16
ipv4.gateway:                           10.10.10.100
ipv4.routes:
....

Add entry in /etc/hosts:

[root@rhlnx01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

10.10.10.10 rhlnx01

Update the time servers and start the chronyd daemon if it is not enabled:

[root@rhlnx01 ~]# cat /etc/chrony.conf
# This loadbalancer server is defined in the installation:
server ntp-server.local iburst
...

Enable/Start Chrony service:

[root@rhlnx01 ~]# systemctl enable chronyd
[root@rhlnx01 ~]# systemctl start chronyd
[root@rhlnx01 ~]# systemctl status chronyd

Check if Chrony service is synchronized:

[root@rhlnx01 ~]# chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised    # means that it is not synchronised, whereas Normal would mean that everything is OK

Time zone

[root@rhlnx01 ~]# timedatectl set-timezone Europe/Luxembourg
[root@rhlnx01 ~]# timedatectl 
      Local time: mar. 2015-10-27 14:12:13 CET
  Universal time: mar. 2015-10-27 13:12:13 UTC
        RTC time: mar. 2015-10-27 13:12:14
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
            dim. 2015-10-25 02:59:59 CEST
            dim. 2015-10-25 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at dim. 2016-03-27 01:59:59 CET
            dim. 2016-03-27 03:00:00 CEST

Firewall and SElinux

If the firewall is required

Minimum ports to open:

8162/tcp (lpar2rrd agent)
657/tcp and 657/udp (HMC dynamic LPAR)

List firewall rules

[root@rhlnx01 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources: 
  services: dhcpv6-client ms-wbt
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Check the firewall status

[root@rhlnx01 ~]# firewall-cmd --state
running

Add a rule

[root@rhlnx01 ~]# firewall-cmd --add-service=http --zone=public --permanent
[root@rhlnx01 ~]# firewall-cmd --add-port=1600/tcp --zone=public --permanent
[root@rhlnx01 ~]# firewall-cmd --reload

Example of minimum ports

firewall-cmd --list-all
firewall-cmd --add-port=10050/tcp --zone=public --permanent      # Zabbix
firewall-cmd --add-port=8162/tcp --zone=public --permanent       # LPAR2RRD
firewall-cmd --add-port=657/tcp --zone=public --permanent        # HMC dynamic LPAR
firewall-cmd --add-port=657/udp --zone=public --permanent        # HMC dynamic LPAR
firewall-cmd --add-port=5666/tcp --zone=public --permanent       # nagios
firewall-cmd --reload

If no firewall is required

Disable the firewall and SELINUX, if not required:

systemctl stop firewalld
systemctl disable firewalld

Disable SElinux

[root@rhlnx01 ~]# cat /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@rhlnx01 ~]# reboot

Change YUM repository

On the server, change the repository files to use the repositories from reposerver:

[root@rhlnx01 ~]# cd /etc/yum.repos.d
[root@rhlnx01 ~]# cat CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
baseurl=http://reposerver/linux/altarch/7.6.1810/os/ppc64le/Packages/
enabled=1
gpgcheck=0

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://reposerver/linux/altarch/7.6.1810/updates/ppc64le/Packages/
enabled=1
gpgcheck=0

[root@lnxb082 yum.repos.d]# cat ibmtools.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[ibmtools]
name=CentOS-$releasever - IBMtools
baseurl=http://reposerver/linux/ibmtools/centos/ppc64le
enabled=1
gpgcheck=0

Then update using the newly defined repository:

[root@rhlnx01 ~]# dnf update
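
A check for the repository definitions above, added here as an example and not part of the original page: it lists every enabled repository that sets gpgcheck=0, so package signatures are not verified, or that uses a cleartext baseurl. The function names, the https URL and the gpgkey path in the sample are assumptions (the gpgkey path is a placeholder); the [base] section repeats the one shown above.

```sh
#!/bin/sh
# Added example (not from the original page): audit yum/dnf .repo files.

# audit_repos [FILE...]   (reads stdin when no FILE is given)
# Prints "<repo id>: <findings>" for each enabled repository with a finding.
audit_repos() {
    awk '
        function flush(   msg) {
            if (sec != "" && enabled != "0") {
                if (gpg == "0")            msg = msg " gpgcheck=0"
                if (url ~ /^(http|ftp):/)  msg = msg " cleartext-baseurl"
                if (msg != "") print sec ":" msg
            }
            sec = ""
        }
        FNR == 1 { flush() }                        # a section never spans files
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^\[/ {
            flush()
            sec = substr($0, 2, index($0, "]") - 2)
            gpg = ""; url = ""; enabled = "1"       # a repo is enabled unless it says otherwise
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "gpgcheck")     gpg = val
            else if (key == "baseurl") url = val
            else if (key == "enabled") enabled = val
        }
        END { flush() }
    ' "$@"
}

# Constructed sample: [base] as shown above, then constructed variants.
sample_repos() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://reposerver/linux/altarch/7.6.1810/os/ppc64le/Packages/
enabled=1
gpgcheck=0

[updates]
name=constructed: signatures checked, but fetched over http
baseurl=http://reposerver/linux/altarch/7.6.1810/updates/ppc64le/Packages/
enabled=1
gpgcheck=1
gpgkey=file:///path/to/RPM-GPG-KEY

[base-verified]
name=constructed: https (assumes reposerver offers TLS) and gpgcheck=1
baseurl=https://reposerver/linux/altarch/7.6.1810/os/ppc64le/Packages/
enabled=1
gpgcheck=1
gpgkey=file:///path/to/RPM-GPG-KEY

[old-tools]
name=constructed: disabled repository, ignored by the audit
baseurl=http://reposerver/linux/ibmtools/centos/ppc64le
enabled=0
gpgcheck=0
EOF
}

sample_repos | audit_repos
```

On a host, run it over the real definitions with `audit_repos /etc/yum.repos.d/*.repo`.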

Additional packages to install

dnf  -y install mailx
dnf  -y install ksh
dnf  -y install rear               #Relax-and-Recover like mksysb
dnf  -y install nfs-utils
dnf  -y install lshw
dnf  -y install psmisc             #(pstree,fuser)
dnf  -y install chrony             #replacement for ntpd
dnf  -y install telnet             #(client only useful to debug)
dnf  -y install net-tools          #(ifconfig, arp, netstat)
dnf  -y install lsof
dnf  -y install mlocate            #(locate)
dnf  -y install bind-utils         #(host, nslookup)
dnf  -y install sg3_utils          #(scsi-rescan)
dnf  -y install nmap-ncat          # nc command
dnf  -y install nmon               # perf tool command line
dnf  -y install lpar2rrd-agent     # perf tool LPAR2RRD
dnf  -y install yum-utils          # needs-restarting, reposync
dnf  -y install cloud-utils-growpart  # growpart utility to increase partitions size

Check if reboot is needed after packages installation:

needs-restarting

Creating Users

Keep a reference table of user and group IDs so that the same IDs are always used on each server! This is very important on UNIX/Linux.

groupadd -g 600 nagios
groupadd -g 601 nrpe
useradd -u 600 -c "Nagios User" -g nagios -d /var/spool/nagios -s /sbin/nologin nagios
useradd -u 601 -c "NRPE user" -d /var/run/nrpe -g nrpe -G nagios -s /sbin/nologin nrpe

Create a user

useradd -u 4000 -c 'My first user' -g users -G users,admin user01

Change all files owner for a user or group

You can change the user ID and group ID directly in /etc/passwd and /etc/group, then reassign the files that still carry the old numeric IDs:

find / -user 1000 -exec chown user01 {} \;
find / -group 1000 -exec chgrp users {} \;
linux/linux_install_centos7.txt · Last modified: 2023/11/07 21:04 by manu