CCNA User Group Management Questions

75 of 88 questions · Page 1/2 · User Group Management topic · Answers revealed

1
MCQ · medium

A system administrator needs to create a new group named 'developers' with GID 1500 and add the user 'alice' to this group. Which set of commands accomplishes this?

A. newgrp -g 1500 developers; adduser alice developers
B. create group developers gid=1500; useradd -G developers alice
C. groupadd developers -g 1500; usermod -G developers alice
D. groupadd -g 1500 developers; usermod -aG developers alice
Answer: D

Correct: groupadd creates the group with GID 1500, usermod appends alice to the supplementary group.

Why this answer

First create the group with the specific GID using groupadd -g, then add the user to the group using usermod -aG.

2
MCQ · medium

A security policy requires that a user's password must expire 90 days after last change, and the user must change it immediately on next login. The last password change was 30 days ago. Which set of commands achieves this?

A. chage -M 90 user1; chage -d 0 user1
B. chage -M 90 user1; chage -m 1 user1
C. chage -M 90 user1; chage -W 7 user1
D. chage -M 90 user1; chage -I 5 user1
Answer: A

-M sets max days; -d 0 forces immediate change on next login.

Why this answer

Option A is correct because chage -M 90 sets maximum days to 90, and chage -d 0 forces password change on next login. Option B sets warning days, not forced change. Option C sets inactivity period. Option D sets minimum days before change.

3
MCQ · medium

Refer to the exhibit. An administrator adds user 'frank' to the group 'projectx' by editing /etc/group directly and changing the line to 'projectx:x:500:carol,dave,frank'. After saving, the administrator runs 'groups frank' and sees only 'frank' in the output. Why does frank not appear in the group 'projectx'?

A. Editing /etc/group directly is not a valid method; 'usermod -aG' must be used instead.
B. The group 'projectx' has a GID conflict with another group.
C. The 'groups' command reads only from /etc/group and the change should appear immediately.
D. The user 'frank' is still logged into the same session; he must log out and log back in for the new group to be recognized.
Answer: D

Group membership is cached at login; re-login is required to refresh.

Why this answer

Option D is correct. Direct editing requires the user to log out and log back in for the new group to take effect. Option A is wrong because the GID is fine. Option B is wrong because usermod wasn't used, but editing is valid if syntax is correct. Option C is wrong because groups command reads from current session's group list, not just /etc/group.

4
MCQ · hard

A security policy requires that user 'svc_backup' have a password that never expires. Additionally, the account should be locked after 90 days of inactivity. Which set of commands achieves this?

A. chage -W 7 -I 90 svc_backup
B. chage -E 2025-01-01 -I 90 svc_backup
C. chage -M 99999 -I 90 svc_backup
D. chage -M 90 -I 90 svc_backup
Answer: C

-M 99999 effectively disables password expiration; -I 90 locks account after 90 days of inactivity.

Why this answer

Option C is correct because `chage -M 99999` sets the maximum password age to 99999 days, effectively preventing the password from ever expiring (since 99999 days far exceeds any practical lifespan). The `-I 90` flag sets the inactivity period to 90 days, meaning the account will be locked after 90 days of no login activity. This combination satisfies both security policy requirements: a non-expiring password and automatic lockout after 90 days of inactivity.

Exam trap

The trap here is that candidates often confuse `-I` (inactivity lock) with `-E` (account expiration) or assume that setting `-M 90` combined with `-I 90` will satisfy both requirements, but `-M 90` causes the password to expire, which violates the 'never expires' mandate.

How to eliminate wrong answers

Option A is wrong because `-W 7` sets a warning period of 7 days before password expiration, but it does not disable password expiration; the password will still expire based on the default maximum age (typically 99999 or a system-defined value), and `-I 90` alone does not prevent expiration. Option B is wrong because `-E 2025-01-01` sets an absolute account expiration date, which would lock the account on that date regardless of inactivity, and does not prevent password expiration; the policy requires the password to never expire, not the account to expire on a fixed date. Option D is wrong because `-M 90` sets the maximum password age to 90 days, meaning the password will expire after 90 days, contradicting the requirement that the password never expires; the `-I 90` inactivity lock would only apply after the password expires, not independently.

5
Multi-Select · medium

Which TWO commands can be used to list all users currently logged into the system?

Select 2 answers
A. w
B. last
C. users
D. id
E. who
Answers: A, E

Shows who is logged in and what they are doing.

Why this answer

The `w` command displays a list of currently logged-in users along with detailed information such as login time, idle time, JCPU, PCPU, and the current process. It reads from /var/run/utmp to show active sessions, making it a correct choice for listing current users.

Exam trap

The trap here is that candidates often confuse `last` (which shows historical logins) with `who` or `w` (which show current logins), or they overlook that `users` also lists current users but is not the intended answer in this specific pairing.

6
MCQ · medium

An admin needs to change the primary group of user 'alice' from 'grp1' to 'grp2', but alice should still be a member of 'grp1' as a supplementary group. Which command accomplishes this?

A. usermod -s /bin/bash alice
B. usermod -g grp2 -aG grp1 alice
C. usermod -g grp2 alice
D. usermod -G grp2 alice
Answer: B

Correctly sets primary group to grp2 and adds grp1 as a supplementary group without affecting other groups.

Why this answer

Option C is correct. usermod -g changes the primary group to grp2, and -aG grp1 adds grp1 as a supplementary group without removing other groups.

7
Multi-Select · medium

Which TWO commands can be used to display the groups to which the current user belongs? (Select exactly two.)

Select 2 answers
A. cat /etc/group
B. groupmems -l
C. id
D. getent group
E. groups
Answers: C, E

Displays user identity including group memberships.

Why this answer

The `id` command (option C) displays the current user's UID, GID, and all supplementary group memberships. When run without arguments, it shows the effective user and group IDs along with all groups the user belongs to, making it a direct and reliable way to list group membership.

Exam trap

The trap here is that candidates often confuse commands that list all system groups (like `cat /etc/group` or `getent group`) with commands that specifically show only the groups of the current user, leading them to select options A or D as correct.

8
MCQ · easy

Refer to the exhibit. User 'alice' cannot log in. What is the most likely problem?

A. The shadow file is missing alice's entry
B. The user's UID or GID is not unique
C. The home directory ownership is incorrect
D. The login shell /bin/bash does not exist
Answer: C

Home directory should be owned by alice:alice, not root:root.

Why this answer

Option B is correct because the home directory is owned by root, not alice. Many systems use PAM modules like pam_umask that require the home directory to be owned by the user. Option A: shadow entry seems valid (x indicates password in shadow). Option C: shell is /bin/bash which is valid. Option D: UID exists and matches; GID is 1001, group may exist but missing group entry affects group permissions, not login directly.

9
MCQ · hard

A user 'alice' cannot log in via SSH. The administrator checks /etc/passwd and sees: alice:x:1002:1002::/home/alice:/sbin/nologin. Which command should be used to allow alice to log in with a bash shell?

A. usermod -d /home/alice alice
B. usermod -u 1002 alice
C. usermod -s /bin/bash alice
D. useradd -m -s /bin/bash alice
Answer: C

usermod -s changes the login shell to /bin/bash, allowing interactive login.

Why this answer

Option C is correct because the /sbin/nologin shell in the /etc/passwd entry prevents alice from logging in via SSH. The usermod -s /bin/bash alice command changes alice's login shell to /bin/bash, allowing interactive SSH sessions. This directly addresses the shell restriction without altering other account properties.

Exam trap

The trap here is that candidates may confuse the shell field with other fields like home directory or UID, or attempt to recreate the user with useradd instead of modifying the existing account with usermod.

How to eliminate wrong answers

Option A is wrong because usermod -d /home/alice alice changes the home directory, but alice's home directory is already /home/alice, and this does not affect the login shell restriction. Option B is wrong because usermod -u 1002 alice changes the UID to 1002, which is already alice's UID, and has no impact on the shell or login ability. Option D is wrong because useradd -m -s /bin/bash alice attempts to create a new user 'alice', which will fail if the user already exists, and it does not modify the existing user's shell.

10
MCQ · easy

A system administrator needs to create a user 'john' with a home directory in /data/users and an expiry date of 2025-12-31. Which command accomplishes this?

A. useradd -d /data/users -c 2025-12-31 john
B. adduser --home /data/users --expiredate 2025-12-31 john
C. useradd -d /data/users -e 2025-12-31 john
D. useradd -m -e 2025-12-31 john
Answer: C

Correctly sets home directory and expiry.

Why this answer

Option C is correct because the `useradd` command with `-d /data/users` sets the home directory to the specified path, and `-e 2025-12-31` sets the account expiry date in YYYY-MM-DD format. The `-e` flag directly corresponds to the `EXPIRE_DATE` field in `/etc/shadow`, which controls when the account becomes locked.

Exam trap

The trap here is that candidates confuse `-c` (comment) with `-e` (expiry) or assume `adduser` supports the same long options as `useradd`, leading them to pick A or B, while D is tempting because it includes `-m` but misses the required `-d` to specify the custom path.

How to eliminate wrong answers

Option A is wrong because `-c` is used for the GECOS comment field (e.g., full name), not for setting an expiry date; using `-c 2025-12-31` would incorrectly store that string as the user's comment. Option B is wrong because `adduser` is a Perl script that does not accept `--home` or `--expiredate` flags; it uses different syntax (e.g., `--home` is not a valid long option, and the correct flag for expiry in `adduser` is `--expiredate` but it is not supported in standard LFCS distributions). Option D is wrong because while `-e 2025-12-31` is correct for expiry, `-m` creates the home directory in the default location (e.g., `/home/john`) rather than `/data/users`, and no `-d` is provided to override the path.

11
MCQ · hard

You are a system administrator for a company with a strict security policy: user accounts must be disabled after 90 days of inactivity. The tool used is the chage command with the -I (inactive) option. User 'bob' has been on leave and cannot log in. You run 'chage -l bob' and see: Last password change: Jan 10, 2024; Password expires: Apr 09, 2024; Account expires: never; Minimum number of days between password change: 0; Maximum number of days between password change: 90; Number of days of warning before password expires: 7; Number of days of inactivity after password expires: 90. Bob tells you he tried to log in today (date is July 15, 2024) and received 'Your account has expired; contact your system administrator'. You need to restore Bob's account access immediately while still enforcing the inactivity lock for future periods. What should you do?

A. Run 'chage -M 99999 bob' to set password to never expire, then 'passwd bob' to set a new password, and finally 'chage -d 0 bob'.
B. Run 'chage -E -1 bob' to clear account expiration, then 'chage -I 90 bob' to set inactivity period, then instruct Bob to change his password immediately.
C. Run 'passwd bob' to reset his password, then 'chage -d 0 bob' to force password change on next login.
D. Delete Bob's user account with 'userdel -r bob' and recreate it with 'useradd bob', then assign him to his groups and restore his data from backup.
Answer: B

This correctly removes the account expiration and resets the inactivity timer. Bob can then log in with his current password (which will force a change if password is expired) or reset it.

Why this answer

Option A is correct because chage -E -1 bob removes any account expiration date (setting it to never), and chage -I 90 bob re-sets the inactivity period to 90 days after password expiry. This allows Bob to log in after resetting his password (since his password has already expired), and future inactivity will be tracked. Option B only resets the password but does not address the expired account; the account may still be locked due to inactivity. Option C resets the password and changes the maximum password age, but does not clear the account expiration or inactivity counter. Option D creates a new user with a clean slate, which is overkill and loses Bob's home directory, files, and group memberships.

12
Multi-Select · medium

Which TWO options in /etc/shadow are correctly described?

Select 2 answers
A. The password expiration date is stored in the third field
B. The minimum number of days between password changes is the fourth field
C. The account expiration date is the sixth field
D. The number of days since Jan 1, 1970 until the account expires is stored in the seventh field
E. The maximum number of days a password is valid is the fifth field
Answers: B, E

Field 4 is minimum days (pass_min days).

Why this answer

Options B and E are correct. The shadow file has 9 fields: login name, encrypted password, last changed, minimum, maximum, warning, inactivity, expiration, reserved. Option B: maximum days between password changes is field 5. Option E: minimum days between password changes is field 4. Option A: password expiration date is not directly stored; it's calculated from last change + max. Option C: account expiration date is field 8, not 6. Option D: days since Jan 1, 1970 when account expires is indeed in field 8 but that's the account expiration field, not password change.

13
MCQ · medium

A system administrator needs to ensure that all users in the 'developers' group have read and write access to a shared project directory /project/data, but new files created in that directory should belong to the 'developers' group automatically. Which command sequence achieves this goal?

A. setfacl -m g:developers:rwx /project/data && chmod 2775 /project/data
B. chown root:developers /project/data && chmod u+s /project/data
C. chmod g+s /project/data && chown root:developers /project/data
D. chown :developers /project/data && chmod g+s /project/data
Answer: D

chown :developers sets the group to developers; chmod g+s sets the SGID bit so new files inherit the group.

Why this answer

Option D is correct because `chown :developers /project/data` changes the group ownership of the directory to 'developers', and `chmod g+s /project/data` sets the setgid bit on the directory. The setgid bit ensures that new files created inside inherit the directory's group ('developers') instead of the creator's primary group, and the group ownership gives all members of 'developers' read and write access based on the directory's permissions (e.g., 775).

Exam trap

The trap here is that candidates confuse the setuid bit (u+s) with the setgid bit (g+s), or they forget that group ownership must be explicitly set to 'developers' for inheritance to work, leading them to choose options that set the wrong special permission bit or omit the group change.

How to eliminate wrong answers

Option A is wrong because `setfacl -m g:developers:rwx` grants read, write, and execute access via ACL, but `chmod 2775` sets the setgid bit (2) and permissions 775, which does not automatically assign new files to the 'developers' group—the setgid bit is set, but the group ownership of the directory must be 'developers' for inheritance to work, and this command does not change the group. Option B is wrong because `chown root:developers` sets the group to 'developers', but `chmod u+s` sets the setuid bit (not setgid), which affects the user owner, not group inheritance; new files will not automatically belong to the 'developers' group. Option C is wrong because `chmod g+s` sets the setgid bit, but `chown root:developers` changes the group to 'developers'—however, the order is reversed: the setgid bit should be set after changing group ownership to ensure proper inheritance, though technically the commands would work if executed in any order; the primary issue is that the setgid bit is set before the group change, which is not a functional error but the sequence is less logical; more importantly, the option does not include the necessary permissions (e.g., 2775) to guarantee read/write access for the group, relying on default umask, which may not grant write access.

14
MCQ · medium

You are managing a Linux server that hosts web applications. Developers often need to access the server via SSH using their personal accounts. You have been asked to create a new user 'devops' who will have sudo privileges to restart services. The user 'devops' should be a member of the 'sudo' group and also have a secondary group 'devs' for file access. The user's home directory should be /home/devops. You need to create this user with a password that is set to expire immediately so that the user must choose a new password upon first login. Which command would you use to accomplish this?

A. useradd -m -g sudo -G devs devops && passwd -e devops
B. useradd -m -g devs -G sudo devops && chage -d 0 devops
C. useradd -m -G sudo,devs -p '' devops && passwd -d devops
D. useradd -m -g sudo -G devs -p $(openssl passwd -1 temp) -e 0 devops
Answer: B

Creates user with primary group devs, supplementary group sudo, and forces password change at first login.

Why this answer

Option D is correct. useradd -m creates home, -g devs sets primary group to devs, -G sudo sets supplementary groups, and chage -d 0 forces immediate password change. Option A: -e 0 sets account expiry. Option B: -p '' sets empty password, not secure. Option C: passwd -e is not a standard command.

15
MCQ · hard

Refer to the exhibit. Assuming today is Feb 20, 2025, what happens when 'bob' attempts to log in today?

A. Login is denied because the password has expired
B. Login is successful, but a warning message is displayed that password will expire soon
C. Login is denied because the account expired on Mar 01
D. Login is successful without warnings
Answer: D

Both account and password are still valid; no warning period yet.

Why this answer

Option D is correct. Account expiration is Mar 01, 2025, which is in the future, so the account is not yet expired. Password expires on Apr 15, also in the future. The warning period starts 7 days before expiration, which would be around Apr 8, so it has not begun yet and login should succeed. Option A: Account expires Mar 01, not yet. Option B and C are incorrect because conditions are not met.

16
MCQ · hard

You are a systems administrator at a company that uses a centralized LDAP server for authentication, but also maintains local users for emergency access. Recently, the compliance team mandated that all service accounts must have passwords that expire every 90 days. You have a local service account 'svc_backup' with UID 2000 and GID 2000. The account is used by a backup script that runs nightly. You have updated the password aging policy but the account still shows 'Password expires : never' when you run 'chage -l svc_backup'. You suspect that the account was created without an expiry date. Which command would you use to force the password to expire 90 days from now and also ensure that the account's password is changed at the next login?

A. usermod -e $(date -d '+90 days' +%Y-%m-%d) svc_backup
B. chage -M 90 -d 0 svc_backup
C. passwd -x 90 svc_backup
D. chage -W 7 -I 30 svc_backup
Answer: B

Sets max password age to 90 days and forces password change at next login.

Why this answer

Option A is correct. chage -M 90 sets maximum days to 90, and -d 0 forces immediate password change. Option B uses passwd -x which sets max days but does not force immediate change. Option C sets account expiry, not password expiry. Option D sets warning and inactive days but does not enforce max days or immediate change.

17
MCQ · easy

Which command will display all groups a specific user belongs to, including both primary and supplementary groups?

A. cat /etc/passwd | grep username
B. groups username
C. id -g username
D. grep username /etc/group
Answer: B

Correct: displays all groups.

Why this answer

Option C is correct: the groups command lists all groups for a user. Option A lists only primary group. Option B lists supplementary groups from /etc/group but not primary if not listed. Option D is incorrect: id -g shows the primary GID only (id -Gn would list all group names).

18
Multi-Select · hard

Which THREE of the following are valid methods to temporarily switch to a different user account without logging out entirely? (Choose three.)

Select 3 answers
A. sudo -u username -s
B. su - username
C. newgrp groupname
D. login username
E. runuser -l username -c 'bash'
Answers: A, B, E

Launches a shell as the specified user with sudo.

Why this answer

Options A, B, and D are correct. su - username starts a login shell as that user. sudo -u username -s launches a shell as that user. runuser is a command that runs a program as another user (used in scripts). Option C (newgrp) changes the group, not user. Option E (login) requires a full login.

19
MCQ · medium

An administrator needs to create a user 'john' with a home directory in /data/home/john, a UID of 1500, and membership in the group 'developers' as a secondary group. The group 'developers' already exists. Which single command accomplishes this?

A. adduser --uid 1500 --home /data/home/john --group developers john
B. useradd john; usermod -u 1500 -d /data/home/john -G developers john
C. useradd -u 1500 -d /data/home/john -g developers john
D. useradd -u 1500 -d /data/home/john -G developers john
Answer: D

Correct: all options in one useradd.

Why this answer

Option B is correct: useradd -u -d -G all in one command. Option A uses usermod which requires the user to exist first. Option C uses adduser which is distribution-specific and may not support all flags. Option D is missing the secondary group flag.

20
MCQ · easy

An administrator wants to change the primary group of user 'jane' from 'staff' to 'developers'. Which command accomplishes this?

A. usermod -g developers jane
B. usermod -G developers jane
C. groupmod -g developers jane
D. chgrp developers jane
Answer: A

Correct: -g sets the primary group.

Why this answer

Option A is correct because usermod -g changes the primary group. Option B adds a secondary group. Option C changes the group name, not user's group. Option D is a non-existent command.

21
Multi-Select · hard

Which two commands can add an existing user to a supplementary group?

Select 2 answers
A. useradd -G
B. gpasswd -a
C. addgroup
D. groupmod
E. usermod -aG
Answers: B, E

Adds user to a group.

Why this answer

usermod -aG appends a user to a group, gpasswd -a adds a user to a group.

22
Drag & Drop · medium

Order the steps to set up passwordless SSH key-based authentication.

Why this order

Key generation, copying, and testing are essential; permissions and file verification ensure security.

23
MCQ · hard

A user reports that they cannot execute a file even though they are in the file's group. The file has permissions 644 and group ownership 'staff'. The user is a member of 'staff'. What is the likely issue?

A. The file lacks execute permission for the group
B. The file does not have the setgid bit
C. The user's primary group is not 'staff'
D. The user is not the owner of the file
Answer: A

644 gives read/write to owner, read to group, no execute. Group needs execute to run.

Why this answer

The file permissions 644 (rw-r--r--) do not include execute for group, so the user cannot execute it.

24
MCQ · medium

A large company needs to create 100 user accounts from a list of names in a CSV file. Which tool is most efficient for batch user creation?

A. vipw
B. for loop with useradd
C. newusers
D. pwconv
Answer: C

Designed for batch user creation from a formatted file.

Why this answer

The newusers command reads a file with a specific format (username:password:UID:GID:...) and creates multiple users at once.

25
MCQ · easy

A junior administrator issued the command 'usermod -L alice' to lock the account of user alice. However, alice is still able to log in via SSH using a public key. What is the most likely reason?

A. The usermod -L command only locks the password but does not prevent SSH key-based authentication.
B. The usermod -L command only changes the user's shell to /sbin/nologin.
C. The usermod -L command requires a restart of the SSH service to take effect.
D. The usermod -L command is not effective on accounts with a UID less than 1000.
Answer: A

Correct as described.

Why this answer

Option A is correct because usermod -L locks the password by adding a '!' to the password hash, but SSH key authentication bypasses password verification. Option B is wrong because usermod changes take effect immediately; SSH restart is not required for account locking. Option C is wrong because changing shell is not part of -L. Option D is wrong because UID doesn't affect locking.

26
MCQ · easy

Refer to the exhibit. What is the primary group ID of user 'charlie'?

A. 1000
B. Charlie Brown
C. 1005 (the same as UID)
D. 1005
Answer: C

The fourth field is GID, which equals UID in this case.

Why this answer

Option B is correct. In /etc/passwd, the fourth field (after the second colon) is the primary group GID. Here it is 1005. Option A is the UID (third field). Option C is the GECOS field (fifth field). Option D is not directly listed.

27
MCQ · hard

A sysadmin set up a shared directory /data/project with group ownership project and permissions 2775 (rwxrwsr-x). Users in the project group can create files, but when they try to edit files created by other group members, they get permission denied. Which is the most likely cause?

A. The directory is owned by root, so files inherit owner root, not the user's primary group.
B. The umask of users is set to 027, which prevents group write on new files.
C. The sticky bit interferes with group editing.
D. The SGID bit is not set; the directory must be chmod g+s to enforce group ownership inheritance.
Answer: B

A umask of 027 results in files with 640 permissions, no group write.

Why this answer

Option A is correct because a umask of 027 would result in new files having permissions 640 (rw-r-----), lacking group write. Option B is wrong because 2775 includes the SGID bit. Option C is wrong because SGID still works with root ownership. Option D is wrong because the sticky bit affects deletion, not editing.

28
Multi-Select · medium

A Linux administrator wants to restrict user 'alice' to only be able to use the system for non-interactive tasks (e.g., running cron jobs and receiving mail) but not allow her to log in via SSH or console. Which TWO actions would achieve this goal? (Choose two.)

Select 2 answers
A. Lock alice's password with 'passwd -l alice'.
B. Set alice's login shell to /sbin/nologin in /etc/passwd.
C. Add alice to the DenyUsers directive in /etc/ssh/sshd_config.
D. Change alice's UID to 0.
E. Add alice to /etc/cron.deny.
Answers: B, C

Prevents interactive login without affecting cron/mail.

Why this answer

Options A and B are correct. Setting the shell to /sbin/nologin prevents interactive logins but cron and mail still work because they use /bin/sh independently. Adding to DenyUsers in sshd_config blocks SSH only. Option C does not block SSH key authentication. Option D gives root privileges instead of blocking. Option E blocks cron, which is not desired.

29
Multi-Select · easy

An administrator needs to grant a user named 'john' the ability to switch to any other user without a password. Which TWO of the following steps are required to achieve this?

Select 2 answers
A. Add 'john' to the 'wheel' group and configure /etc/pam.d/su to use pam_wheel.so with the 'trust' option.
B. Add a sudo rule: 'john ALL=(ALL) NOPASSWD: ALL' to /etc/sudoers.
C. Set the suid bit on /bin/su.
D. Run 'usermod -L john'.
E. Add 'john' to the 'root' group.
Answers: A, B

Correct: This allows members of the wheel group to su without a password if pam_wheel.so is configured.

Why this answer

Option A is correct because adding 'john' to the 'wheel' group and configuring /etc/pam.d/su with pam_wheel.so and the 'trust' option allows members of the 'wheel' group to switch to any user via su without being prompted for a password. The 'trust' modifier in PAM bypasses the password authentication for users in the specified group, effectively granting passwordless su access.

Exam trap

The trap here is that candidates may confuse the 'wheel' group's traditional role in restricting su access (via pam_wheel.so without 'trust') with granting passwordless su, or they may incorrectly assume that adding a user to the 'root' group or locking the account would enable privilege escalation.

30
MCQ · hard

A team of developers must share files under /opt/project. All developers are members of the 'devteam' group. New files must be automatically assigned to group 'devteam' and be writable by the group. Which umask and setgid configuration should be applied?

A. Set setgid bit on /opt/project and set umask to 007
B. Set the sticky bit on /opt/project and umask to 022
C. Set umask for developers to 002 only
D. Set setgid bit on /opt/project and set umask for developers to 002
Answer: D

Setgid ensures group ownership inheritance; umask 002 ensures group write.

Why this answer

Option A is correct: chmod g+s sets the setgid bit so new files inherit the group; umask 002 gives group write permission (files 664, dirs 775). Option B: umask 002 but no setgid means new files will inherit the creator's primary group, not necessarily 'devteam'. Option C: umask 007 removes group permissions entirely. Option D: umask 022 gives group read-only.

31
Multi-Select · hard

Which THREE fields are part of a standard /etc/group entry?

Select 3 answers
A. Group password (often 'x')
B. Primary GID of user
C. Group name
D. Home directory of group
E. Group members list
Answers: A, C, E

Second field, usually placeholder.

Why this answer

Options A, C, and E are correct. /etc/group has four fields: group_name, password (usually 'x' or empty), GID, and comma-separated list of members. Option B: user's primary GID is in /etc/passwd, not /etc/group. Option D: home directory is in /etc/passwd.

32
MCQ · hard

After running 'chage -l bob', the output shows: 'Last password change: Apr 01, 2023', 'Password expires: May 31, 2023', 'Account expires: Jul 15, 2023'. What will happen on May 31, 2023?

A. Bob can still log in but will be forced to change his password.
B. Bob's account will be locked.
C. Bob's password will be disabled.
D. Bob will receive a warning message only.
Answer: A

Password expiry forces a password change on next login, but login is still allowed until account expiry.

Why this answer

Option A is correct. On the password expiration date, the user is forced to change password at next login; the account remains active until the account expiry date.

33
MCQhard

A security policy requires that a user account 'temp_audit' be locked immediately without changing the password. Which command locks the account and prevents login?

A.userdel temp_audit
B.usermod -L temp_audit
C.chage -E 0 temp_audit
D.passwd -u temp_audit
AnswerB

Locks the account by prepending '!' to the encrypted password.

Why this answer

usermod -L locks the account by placing an '!' in the password field of /etc/shadow, preventing password authentication.

34
MCQeasy

Which command adds an existing user to a supplementary group without removing the user from other groups?

A.groupmod -a username groupname
B.usermod -A groupname username
C.usermod -aG groupname username
D.usermod -g groupname username
AnswerC

-a (append) with -G adds to supplementary group without affecting other groups.

Why this answer

Option C is correct because usermod -aG appends the user to the specified group while retaining existing supplementary group memberships.

35
MCQeasy

Which file stores the encrypted password (or password hash) for user accounts?

A./etc/group
B./etc/shadow
C./etc/passwd
D./etc/gshadow
AnswerB

Correct. Contains password hashes and aging info.

Why this answer

Option B is correct. The /etc/shadow file contains the encrypted password and password aging information. The /etc/passwd file historically contained passwords but now uses 'x' placeholder.

36
MCQhard

A security policy requires that all users in the 'admin' group must have a umask of 027 set automatically upon login. An administrator adds 'umask 027' to /etc/profile. However, users report that the umask is still 022. What is a likely cause?

A.The umask in /etc/profile is overridden by user-specific .bash_profile or .bashrc files.
B.The umask command in /etc/profile has a syntax error that is silently ignored.
C.The admin placed the umask command after the call to /etc/bash.bashrc which resets it.
D.The admin forgot to run 'source /etc/profile' on each user's session.
AnswerA

User files commonly override global settings.

Why this answer

Option A is correct because user-specific startup files (like .bash_profile) can override /etc/profile. Option D is wrong because /etc/profile is sourced automatically for login shells. Option B is possible but less likely since syntax is correct. Option C is wrong because /etc/profile executes before user files; any reset would be in user files.

37
Drag & Dropmedium

Order the steps to create a systemd service unit that runs a script at boot.

Why this order

Creating the unit file, enabling for boot, starting, and checking status are standard steps.

38
MCQeasy

An administrator needs to delete user 'obsolete' and remove its home directory and mail spool. Which command should be used?

A.userdel -f obsolete
B.userdel -r obsolete
C.userdel obsolete
D.groupdel obsolete
AnswerB

-r removes home and mail spool along with user account.

Why this answer

Option B is correct because userdel -r removes home directory and mail spool. Option A (-f) forces but does not remove files. Option D deletes group, not user. Option C without -r leaves files behind.

39
MCQhard

A user reports that they cannot log in via SSH. The system administrator checks that the account is not locked, the password is correct, and the shell is valid. However, the user's home directory is owned by root instead of the user. What is the most likely cause of the login failure?

A.The home directory ownership is incorrect, causing SSH PAM session module to reject login
B.The user's login shell is not listed in /etc/shells
C.The /etc/nologin file exists
D.The user's entry in /etc/shadow is corrupted
AnswerA

pam_umask or pam_limits may check ownership; many systems require home owned by user.

Why this answer

Option A is correct because SSH uses PAM, and the pam_unix module checks that the home directory is owned by the user and not writable by others. If owned by root, SSH may deny login for security reasons. Option D (shadow file) would be different if permission wrong. Option C (nologin) would affect all users. Option B (shell not in /etc/shells) would give a different error.

40
MCQmedium

A user must change their password at next login per security policy. The admin wants to expire the password immediately. Which command accomplishes this?

A.passwd -f username
B.usermod -p '' username
C.chage -M 90 username
D.chage -d 0 username
AnswerD

Sets last password change date to 0, forcing change on next login.

Why this answer

Option D is correct because chage -d 0 sets the last password change date to the epoch, forcing a password change on next login.

41
MCQhard

You are managing a multi-user Linux server used by a development team. The server has a shared directory /data/projects where each project has a subdirectory owned by a project lead. The requirement is that all members of the 'devteam' group need to be able to create files in any project subdirectory, but only the project lead (owner) should be able to delete files. Currently, members of devteam are unable to create files in /data/projects. You check permissions: /data/projects has drwxrwxr-x root:devteam. Each project subdirectory, e.g., /data/projects/proj1, has drwx------ lead1:devteam. The lead1 user is in devteam. What is the most likely reason that devteam members cannot create files in proj1, and what is the correct solution?

A.The devteam group does not include all members; add each user to the devteam group.
B.The parent directory /data/projects lacks execute permission for devteam; add execute permission to /data/projects.
C.The sticky bit is not set; set the sticky bit on proj1 to allow only owners to delete files.
D.The proj1 directory lacks group write and execute permissions; use chmod g+rwx proj1 and chmod g+s proj1 to allow group members to create files and ensure new files inherit group.
AnswerD

drwx------ means only owner has access; adding group rwx gives devteam access; SGID ensures new files belong to devteam.

Why this answer

Option D is correct because the project subdirectory /data/projects/proj1 has permissions drwx------ (700), which means only the owner (lead1) has read, write, and execute access. The devteam group lacks both write and execute permissions, preventing group members from creating files. The solution is to add group write and execute permissions (chmod g+rwx proj1) and set the setgid bit (chmod g+s proj1) so that new files inherit the group ownership, ensuring all devteam members can create files while only the owner can delete them.

Exam trap

The trap here is that candidates may focus on the sticky bit (Option C) because it relates to deletion control, but they overlook that the primary issue is the lack of group write and execute permissions on the subdirectory, which prevents file creation entirely.

How to eliminate wrong answers

Option A is wrong because the problem states that the devteam group already includes all members (lead1 is in devteam), and the issue is not group membership but missing permissions on the subdirectory. Option B is wrong because /data/projects already has drwxrwxr-x permissions, which include execute for the group (the 'x' in 'rwx' for the group), so the parent directory does not lack execute permission. Option C is wrong because the sticky bit prevents users from deleting files they do not own, but the requirement is that only the project lead (owner) should be able to delete files; however, the immediate problem is that group members cannot create files at all due to missing group write and execute permissions, not deletion control.

42
MCQmedium

A developer was removed from the 'developers' group but still needs to run commands that require membership in that group. The user has logged out and back in, but the issue persists. What is the most likely cause?

A.The user did not explicitly start a new login shell after group removal.
B.The user's primary group is different from the 'developers' group.
C.The user is using 'newgrp developers' but is no longer a member.
D.The 'id' command shows the old group because the user's shell is still running.
AnswerA

Group membership changes require a new login session; logging out and back in should suffice, but if the user only logged out of the desktop and the session manager cached credentials, it might not refresh. The most likely cause is that the user's current shell environment still has cached group membership from the previous session.

Why this answer

When a user is removed from a supplementary group, the group membership is cached in the user's current login session. Even after logging out and back in, if the user does not explicitly start a new login shell (e.g., by using `su -` or `login`), the old group membership persists because the session's group list is inherited from the parent process. The `newgrp` command or a fresh login shell is required to re-read the group database and update the group list.

Exam trap

The trap here is that candidates assume logging out and back in always refreshes group membership, but the LFCS exam tests the nuance that a new login shell (e.g., `su -` or `login`) is required to reinitialize the group list, not just a graphical logout/login.

How to eliminate wrong answers

Option B is wrong because the primary group is irrelevant to supplementary group membership; the issue is that the user's current session still holds the old supplementary group list from before removal. Option C is wrong because `newgrp developers` would fail with an error if the user is no longer a member of the 'developers' group; it does not cause the issue described. Option D is wrong because the `id` command reflects the actual group membership of the current process, not a cached value from a previous state; if the shell were still running, `id` would show the old group because the process's group list is inherited and not automatically updated.

43
Multi-Selecteasy

Which THREE of the following actions require root privileges?

Select 3 answers
A.Changing your own login shell
B.Changing another user's password
C.Changing your own password
D.Viewing /etc/shadow
E.Creating a new group
AnswersB, D, E

Requires root unless using sudo.

Why this answer

Options B, D, and E require root. Changing another user's password, creating a new group, and viewing /etc/shadow (due to permissions) all require root. Changing your own password or shell does not require root.

44
Multi-Selecteasy

Which two commands can be used to set password expiration policies for a user?

Select 2 answers
A.usermod
B.passwd
C.chage
D.expiry
E.pwconv
AnswersB, C

Can set expiration with appropriate options.

Why this answer

chage is the dedicated tool for password aging; passwd can also set expiration with -x (max days), -n (min days), etc.

45
MCQmedium

A company follows the principle of least privilege. Several developers need sudo access to run specific commands like systemctl and journalctl. What is the best practice for granting this access?

A.Use 'usermod -a -G sudo' for each developer and edit /etc/sudoers manually with visudo
B.Create a new group 'devops', add developers to it, and create a sudoers drop-in file with rules for specific commands
C.Add all developers to the 'wheel' group and configure %wheel ALL=(ALL) ALL
D.Edit /etc/sudoers directly to add each developer username with command restrictions
AnswerB

Allows granular command restrictions and is maintainable.

Why this answer

Option B is correct because creating a group (e.g., 'devops') and adding a sudoers rule for that group via a file in /etc/sudoers.d is manageable and follows best practice. Option A gives full root access to the group. Option C modifies a user's own login, not sudo.

Option D uses visudo default file but adding users directly is less scalable.

46
MCQeasy

An administrator wants to force a user to change their password at next login. Which command should be used?

A.passwd -l user
B.passwd -e user
C.chage -m 0 user
D.usermod -p '!' user
AnswerB

Correct: -e expires the password immediately, forcing change. Also chage -d 0 is valid, but passwd -e is simpler.

Why this answer

chage -d 0 sets the last password change date to the epoch (1970-01-01), forcing a password change on next login.

47
MCQmedium

An administrator needs to view a list of users who have logged in recently. Which command provides this information?

A.users
B.who
C.finger
D.last
AnswerD

Shows login history.

Why this answer

The 'last' command displays a list of last logged-in users from /var/log/wtmp.

48
MCQeasy

A user 'alice' is unable to log in via SSH. The administrator checks /etc/shadow and sees 'alice:!:19234:0:99999:7:::'. What does the '!' in the password field indicate?

A.The password must be changed at next login.
B.The account is disabled.
C.The account is locked.
D.The password is expired.
AnswerC

'!' is a common indicator of a locked account in /etc/shadow.

Why this answer

The '!' in the password field of /etc/shadow indicates that the account is locked. This is a standard convention in Linux shadow password files: an exclamation mark placed before the hashed password (or replacing it entirely) disables password-based authentication, effectively locking the account. SSH login fails because the system refuses to authenticate any password attempt against a locked entry.

Exam trap

The trap here is that candidates confuse 'account locked' (indicated by '!' in the password field) with 'password expired' (indicated by aging fields) or 'password must be changed at next login' (indicated by a last-change value of 0).

How to eliminate wrong answers

Option A is wrong because the '!' does not force a password change at next login; that behavior is triggered by setting the password's last-change field to 0 (or a value in the past) or using the 'passwd -e' command. Option B is wrong because 'disabled' is not a standard term in shadow file semantics; the account is specifically 'locked' via the password field, not disabled via other mechanisms like nologin shell or account expiration. Option D is wrong because password expiration is indicated by the aging fields (e.g., a value of 0 in the third field or a warning in the seventh field), not by a '!' in the password hash.

49
MCQhard

An administrator wants to temporarily disable a user account without deleting it. The account should be locked, expire immediately, and the user should not be able to log in. Which single command accomplishes this with minimum side effects?

A.usermod -L user1; chage -E 0 user1
B.usermod -L -e 1970-01-01 user1
C.usermod -L user1
D.usermod -e 1970-01-01 user1
AnswerB

Combined lock and account expiration; -e sets account expiration date.

Why this answer

Option B is correct because usermod -L locks the password (adds ! in shadow) and -e 1970-01-01 sets account expiration far in the past, effectively locking. Option A does not expire; chage -E also sets expiration but -L locks. Option C locks but does not expire. Option D sets expiration but does not lock password.

50
Multi-Selectmedium

Which TWO commands will correctly add the user 'john' to the 'docker' group without removing him from any existing supplementary groups?

Select 2 answers
A.adduser john docker
B.gpasswd -a john docker
C.groupmod -a john docker
D.usermod -G docker john
E.usermod -aG docker john
AnswersB, E

Adds john to the docker group without affecting other groups.

Why this answer

Options B and E are correct. usermod -aG appends to supplementary groups. gpasswd -a adds a user to a group without affecting other memberships.

51
MCQhard

You are the Linux administrator for a medium-sized company that uses a centralized authentication system (LDAP) for user accounts, but local files (/etc/passwd, /etc/shadow, /etc/group) are also used for a few service accounts. The server is running RHEL 8. A new employee, 'jane', needs to be added to the local system for a temporary project. You create the user with 'useradd jane' and set a password with 'passwd jane'. However, when jane tries to log in via SSH using her password, she receives 'Permission denied, please try again.' The SSH server is configured to allow password authentication. Other users (both LDAP and local) can log in successfully. You verify that the password was set correctly and that the account is not locked. What is the most likely cause and solution?

A.Configure the SSH daemon to allow password authentication for local users
B.Change jane's login shell to /bin/bash using usermod -s /bin/bash jane
C.Unlock the account using passwd -u jane
D.Remove the password expiry for jane using chage -E -1 jane
AnswerB

If the user's shell is set to /sbin/nologin or a non-existent shell, SSH will reject authentication despite correct password.

Why this answer

Option B is correct because the default shell for a new user created with 'useradd' on RHEL 8 is often /sbin/nologin, which prevents login. SSH authentication succeeds at the password level, but the session is immediately rejected because the shell is not a valid interactive shell. Changing the shell to /bin/bash with 'usermod -s /bin/bash jane' resolves this.

Exam trap

The trap here is that candidates often focus on password authentication or account locking, overlooking that the default shell for new users on RHEL 8 may be /sbin/nologin, which silently rejects login after authentication succeeds.

How to eliminate wrong answers

Option A is wrong because the SSH daemon is already configured to allow password authentication, as stated in the scenario, and other users (both LDAP and local) can log in successfully. Option C is wrong because the account is not locked; the scenario explicitly states the account is not locked, and 'passwd -u jane' would only unlock an account that had been locked with 'usermod -L' or similar. Option D is wrong because password expiry is not the issue; the password was set correctly and the account is not expired, so removing expiry with 'chage -E -1' would not fix the login rejection caused by a nologin shell.

52
Drag & Dropmedium

Arrange the steps to configure a new user account with sudo privileges on a Linux system.

Why this order

After creating the user and setting a password, adding to the wheel group grants sudo access. Verification and testing confirm it works.

53
Multi-Selectmedium

Which three files contain user account information?

Select 3 answers
A./etc/passwd
B./etc/shadow
C./etc/gshadow
D./etc/login.defs
E./etc/group
AnswersA, B, E

User account database.

Why this answer

/etc/passwd contains basic user info, /etc/shadow contains password hashes and aging, /etc/group contains group membership.

54
MCQhard

An administrator wants to enforce that users in the 'contractors' group must change their password every 30 days, with a warning 7 days before expiry. Which command should be used?

A.groupmod -p 30 contractors
B.passwd -x 30 -w 7 contractors
C.usermod -e 30 contractors
D.chage -M 30 -W 7 contractors
AnswerD

chage modifies password aging for a user; but the question says 'users in the group', so you would need to apply to each user. However, among the options, this is the closest correct command for a user.

Why this answer

The `chage` command is specifically designed to manage user password aging policies. The `-M 30` option sets the maximum number of days a password is valid (30 days), and `-W 7` sets the number of days before expiry to start warning the user (7 days). This directly fulfills the requirement for the 'contractors' group by applying the policy to each user in that group.

Exam trap

The trap here is that candidates confuse commands that modify group properties (`groupmod`) with commands that enforce user password policies (`chage`), and they forget that `passwd` and `chage` require a username, not a group name, as an argument.

How to eliminate wrong answers

Option A is wrong because `groupmod` is used to modify group properties (like GID or group name), not password aging; the `-p` flag does not exist for password expiration. Option B is wrong because `passwd` with `-x` and `-w` can set password aging for a user, but the syntax requires a username, not a group name; it cannot be applied to a group directly. Option C is wrong because `usermod -e` sets an account expiration date (a specific date), not a password aging interval; it does not enforce a 30-day password change cycle.

55
MCQmedium

Refer to the exhibit. User 'alice' is a member of groups 'users' and 'projectx'? She needs to be a member of 'staff' as well. Which of the following statements is true?

A.Alice is a member of 'projectx' but the groups command is outdated
B.Alice's primary group is 'users' and she cannot have supplementary groups
C.The entry in /etc/group for 'projectx' is incorrect because alice is not a member
D.To become a member of 'staff', alice must either log out and log in, or use newgrp command
AnswerD

New group memberships are only effective after re-login or newgrp.

Why this answer

Option C is correct. The groups command shows only 'users', meaning her secondary groups are not updated; she is not actually a member of 'projectx' yet because new group memberships require re-login. Option A: /etc/group lists her in projectx but groups command hasn't updated because she hasn't re-logged in.

Option B: She is in users as primary? Actually users is likely her primary group? Not necessarily, but the groups command shows users as the only group. Option D: The primary group is determined by /etc/passwd, not shown here.

56
MCQhard

A user named 'charlie' has just been added to the 'devops' group. However, when 'charlie' runs 'sudo -l', no sudo entries are shown. What is the most likely cause?

A.'charlie' is not listed by name in the sudoers file.
B.'charlie' must log out and log back in for the group change to take effect.
C.'charlie' is also a member of another group that restricts sudo.
D.The systemctl command is not executable by 'charlie'.
E.The sudoers file has a syntax error.
AnswerB

Correct: Group changes require a new login session to be recognized by PAM and sudo.

Why this answer

Option B is correct because when a user is added to a new group, the group membership is only applied to new login sessions. The `sudo -l` command checks the user's current group memberships, which are cached at login time. Since 'charlie' was added to the 'devops' group while already logged in, the new group membership is not reflected until 'charlie' logs out and logs back in, or uses `newgrp` or `sg` to start a new session with the updated groups.

Exam trap

The trap here is that candidates assume group changes are immediate for all processes, but Linux caches group membership at login time, so `sudo -l` reflects only the groups present when the session started.

How to eliminate wrong answers

Option A is wrong because the sudoers file can grant sudo access via group membership (e.g., `%devops ALL=(ALL) ALL`), so 'charlie' does not need to be listed by name; the group membership should suffice. Option C is wrong because being a member of another group does not restrict sudo unless that group is explicitly denied in sudoers; group membership is additive, not restrictive. Option D is wrong because the `systemctl` command's executability is irrelevant to `sudo -l` showing entries; `sudo -l` displays the commands the user is allowed to run, not whether a specific command is executable.

Option E is wrong because a syntax error in the sudoers file would typically cause `sudo` to fail with an error message (e.g., 'syntax error near line X'), not silently show no entries.

57
MCQmedium

You are a system administrator for a financial firm. One of your users, 'alice', has forgotten her password and is locked out of the system. The security policy requires that all passwords must be changed every 30 days. Alice's account was disabled due to inactivity; the account has been inactive for 45 days. You need to unlock the account and ensure that Alice must change her password at the next login. You have root access. Which set of commands should you run?

A.usermod -U alice; chage -d 0 alice
B.passwd -u alice; chage -M 30 alice
C.usermod -e '' alice; passwd alice
D.chage -E -1 alice; usermod -L alice
AnswerA

Unlocks and forces immediate password change.

Why this answer

Option A is correct. usermod -U unlocks the account, and chage -d 0 forces password change. Option B: passwd -u is not standard on all distros; chage -M 30 sets max days but does not force immediate change. Option C: usermod -e '' sets no account expiry but may not unlock; passwd alice sets a new password but does not force change.

Option D: chage -E -1 sets no account expiry but also uses usermod -L which locks the account.

58
MCQmedium

Refer to the exhibit. The 'developers' group has members alice, bob, and charlie. User 'charlie' is not in the 'developers' group. Which statement is true?

A.alice can write to file.txt because she is in the developers group and the file has group write.
B.bob can delete /shared/project because he is the owner? No, directory permissions apply.
C.charlie can read /shared because the directory has world read? No, it's --- for others.
D.charlie can list the contents of /shared if he knows the path.
AnswerA

File has rw-rw----, group can write; alice is in developers, so she can write.

Why this answer

The setgid bit (s in group execute) on /shared means new files inherit the group (developers). However, /shared has permissions 770 for owner and group, so charlie (not in group) cannot access it.

59
MCQhard

Refer to the exhibit. The shadow entry for user 'carol' shows 18000 in the third field. What does the value 18000 represent?

A.The number of days until the account expires.
B.The minimum number of days required between password changes.
C.The number of days since the password was last changed.
D.The number of days before password expiration that the user is warned.
AnswerC

Third field is days since epoch of last password change.

Why this answer

Option C is correct. The third field in /etc/shadow is the date of last password change (in days since epoch). 18000 corresponds to about April 2025 (as of 2025). Option A is the first field (last change). Option B is the minimum days field (fourth field, which is 0). Option D is the warning days field (seventh field, which is 7).

60
MCQhard

A user 'alice' has a umask of 027 in her .bashrc, but the system administrator wants to enforce a umask of 007 for all users in the 'staff' group. Where should the administrator place the umask command to ensure it cannot be overridden by users?

A./etc/bash.bashrc
B./etc/skel/.bashrc
C./etc/profile
D.In /etc/pam.d/common-session with pam_umask.so
AnswerD

PAM umask module applies the umask regardless of shell scripts.

Why this answer

Option D is correct: using pam_umask.so in /etc/pam.d/common-session ensures the umask is applied regardless of shell configuration. /etc/bash.bashrc is sourced for all bash users before user files, but users can still override it in their own .bashrc afterwards. Setting umask in /etc/profile or /etc/bash.bashrc, or in /etc/skel/.bashrc, has the same weakness: users can still change it. No shell-level enforcement is absolute.

The other options are overrideable.

61
MCQeasy

An administrator needs to create a system user that runs a service (no login, no home directory). Which command is appropriate?

A.useradd -r myservice
B.useradd -r -m myservice
C.useradd -r -M myservice
D.useradd -M myservice
AnswerC

-r system user, -M no home directory. Perfect for service account.

Why this answer

Option C is correct because useradd -r creates a system account (UID < 1000 typically), -M suppresses home directory creation. Option A creates a regular user with home. Option B creates system user but with home.

Option D creates regular user without home.

62
MCQhard

Refer to the exhibit. What is the most likely security issue with this configuration?

A.The 'daemon' user has a login shell of /usr/sbin/nologin, which is not secure.
B.The 'user1' home directory does not match the username.
C.There are multiple users with UID 0.
D.The 'admin' user has no password set (x in place of password).
AnswerC

Both root and admin have UID 0, which gives root privileges to admin.

Why this answer

The user 'admin' has UID 0 (root UID), giving it root privileges. This is a backdoor or misconfiguration.

63
MCQeasy

Refer to the exhibit. User alice attempts to create a file in /data/project but receives 'Permission denied'. User bob can create files successfully. What is the most likely reason?

A.The directory's SGID bit requires primary group membership for write access.
B.Alice is not a member of the project group.
C.The directory has an ACL that denies write to user alice.
D.Alice needs to run 'newgrp project' or log out and back in for her group membership to take effect.
AnswerD

Group membership changes apply only to new sessions.

Why this answer

Option D is correct. Although alice is a member of the project group, she was likely added after her current login session started; her supplementary groups are not updated until she logs out and back in or runs newgrp. Option B is false because groups shows she is in project. Option A is false because SGID does not affect write permission for project members. Option C is speculative and not indicated.

64
MCQmedium

A system administrator needs to add a new user 'alice' with UID 1050 and a home directory at /home/alice. Which command should be used?

A.useradd -u 1050 -d /home/alice -m alice
B.useradd -U 1050 -h /home/alice alice
C.useradd --uid 1050 --home /home/alice alice
D.useradd --create-home --skel /etc/skel -u 1050 alice
AnswerA

Correct syntax. -u sets UID, -d sets home directory, -m creates it.

Why this answer

Option A is correct because useradd -u sets UID, -d sets home directory, -m creates the home directory. Option B uses incorrect flags -U and -h. Option C uses --home but not --create-home.

Option D uses --create-home but without -d, it defaults to /home/alice with UID 1050, but the home directory path is not explicitly set to /home/alice.

65
MCQmedium

A temporary contractor 'contractor1' has left the company. The administrator needs to remove the user account and all associated files in the home directory. Which command accomplishes this?

A.userdel contractor1
B.passwd -d contractor1
C.userdel -r contractor1
D.deluser --remove-home contractor1
AnswerC

Removes the user and their home directory (-r).

Why this answer

userdel -r removes the user and their home directory and mail spool.

66
MCQhard

Your company has a server that hosts a critical application. The application runs under a service account 'appuser'. Due to a security audit, it was discovered that 'appuser' has a password that never expires, which is against company policy. The policy requires that all user passwords expire after 60 days. Additionally, the application developers have requested that 'appuser' should not be allowed to change its own password via the 'passwd' command to prevent accidental lockouts. You need to enforce password expiry for 'appuser' but also ensure that only root can change its password. Which of the following approaches is the best course of action?

A.Run 'chage -M 60 appuser' and then 'passwd -e appuser' to expire the password immediately.
B.Run 'chage -M 60 -d 0 appuser' and then 'usermod -r appuser' to make it a system account.
C.Run 'chage -M 60 -d 0 appuser' and then 'passwd -l appuser' to lock the password, ensuring that the application uses sudo to run commands as appuser.
D.Run 'chage -M 60 -W 7 appuser' and then modify /etc/shadow to set the password field to '!', and configure the application to use SSH keys for authentication.
AnswerD

Disables password authentication and prevents password changes; SSH keys allow access; password expiry becomes moot.

Why this answer

Option D is the best. By setting the password field to '!' in /etc/shadow, password authentication is disabled, and using SSH keys ensures continued access without allowing password changes. Password expiry becomes irrelevant.

Option A: passwd -e is not standard; setting the password to expire and allowing the user to change it violates the requirement. Option B: usermod -r removes the user from the system, which is inappropriate. Option C: locking the password with passwd -l prevents any password authentication, but the application must then use a different method such as sudo, which may be complex; option D is simpler.

67
MCQhard

An administrator runs 'pwck' and receives an error indicating a user in /etc/passwd has no matching group in /etc/group. What is the most likely cause and the appropriate corrective action?

A.The user's GID in /etc/passwd is invalid; use usermod -g to set a valid group.
B.The user's secondary group in /etc/group is missing; add the user back to the group.
C.The group was deleted with groupdel but the user's primary group in /etc/passwd was not updated; recreate the group.
D.The user's password hash is corrupted; run 'pwconv' to synchronize.
AnswerA

Correct: usermod -g can change the primary group to an existing one.

Why this answer

Option A is correct: the user may belong to a group that was removed; the admin should assign an existing group. Option C is wrong because groupdel does not automatically modify /etc/passwd. Option B is backwards.

Option D is incomplete; verifying password hashes is not directly related.

68
Multi-Selectmedium

Which TWO commands can be used to display the group membership of a user? (Choose two.)

Select 2 answers
A.id -Gn username
B.cat /etc/passwd | grep username
C.id -g username
D.groups username
E.grep username /etc/group
AnswersA, D

Correct: shows all group names.

Why this answer

Options A and D are correct. id -Gn shows all group names for a user, and groups <user> also shows all of the user's groups. Option B shows only the primary group. Option E shows only groups where the user is explicitly listed, missing the primary group if inherited.

Option C shows the group ID only.

69
MCQmedium

You are managing a Linux server that hosts a shared project directory /projects/alpha, owned by the group 'alpha' (GID 2001). The directory has permissions 2770 (setgid, rwx for owner and group, no access for others). User 'jane' (UID 1501) has a primary group 'staff' (GID 1001) and is not in the 'alpha' group. She reports being unable to list or modify files in /projects/alpha. You need to give her access as a member of the 'alpha' group without changing her primary group. Which command sequence should you use?

A.usermod -aG alpha jane; usermod -G '' jane; usermod -aG alpha jane
B.usermod -aG alpha jane
C.usermod -g alpha jane
D.usermod -G alpha jane
AnswerB

This correctly adds Jane to the supplementary group 'alpha' without affecting her existing supplementary groups, and preserves her primary group.

Why this answer

Option B is correct because usermod -aG alpha jane adds Jane to the supplementary group 'alpha' without removing her from other supplementary groups; the -a flag is essential to avoid overwriting existing supplementary group memberships. The setgid bit on the directory ensures new files inherit group ownership. Option C fails because it changes her primary group, which may break other permissions.

Option A clears all supplementary groups before adding alpha. Option D uses -G without -a, which would replace all supplementary groups with just alpha.

70
MCQhard

An administrator needs to set up a shared directory /project for the group 'projectteam' (GID 5000). All members of the group should be able to create and delete files, but only the file owner can modify their own files. The directory should also ensure that new files inherit the group ownership. Which set of commands achieves this?

A.chown root:projectteam /project; chmod 2775 /project; setfacl -m g:projectteam:rwx /project
B.chown root:projectteam /project; chmod 2770 /project; setfacl -d -m o::--- /project
C.chown root:projectteam /project; chmod 2775 /project
D.chown root:projectteam /project; chmod 1770 /project; setfacl -m m::rwx /project
AnswerB

SGID (2) inherits group; 770 gives group rwx; default ACL denies others.

Why this answer

Option B is correct because it sets the SGID bit (2770) so new files inherit the group 'projectteam', grants rwx to the group, and uses a default ACL with `setfacl -d -m o::---` to remove 'other' permissions, ensuring only the file owner can modify their own files while group members can create/delete but not modify others' files.

Exam trap

Linux Foundation often tests the distinction between SGID (2xxx) and sticky bit (1xxx), and candidates confuse them, thinking the sticky bit ensures group inheritance, or they overlook that removing 'other' permissions is necessary to prevent unauthorized access.

How to eliminate wrong answers

Option A is wrong because the SGID bit (2) is set but the default ACL `-m g:projectteam:rwx` is redundant and doesn't restrict 'other' permissions, allowing non-group users to read files. Option C is wrong because it only sets SGID and 2775, which gives 'other' read/execute access, violating the requirement that only group members can create/delete files. Option D is wrong because 1770 sets the sticky bit instead of SGID, so new files don't inherit group ownership, and `setfacl -m m::rwx` sets a mask but doesn't enforce owner-only modification or remove 'other' permissions.

71
Matchingmedium

Match each logical volume management (LVM) term to its definition.


Concepts
Matches

A disk or partition used by LVM

Pool of physical volumes

Virtual block device created from a volume group

Smallest allocatable unit in a physical volume

Maps to a physical extent in a logical volume

Why these pairings

These are core LVM concepts.

72
Multi-Selecteasy

Which TWO commands are used to modify user account attributes such as password age, expiration, or lock status? (Choose two.)

Select 2 answers
A.chage
B.useradd
C.chsh
D.usermod
E.passwd
AnswersA, D

Used for password aging and account expiration.

Why this answer

Options A and D are correct. chage is used for password aging. usermod can lock/unlock accounts (-L/-U) and set account expiration (-e). Option E (passwd) is used to change the password, but not to set expiration directly (though -x can set max days). Option C (chsh) changes the shell.

Option B (useradd) creates users; it does not modify existing ones.

73
MCQmedium

Scenario: You are managing a Linux server that hosts a web application. The application runs under the user 'webapp' and the group 'webgroup'. Recently, a new intern 'john' (username 'john') needs to be able to view and modify files in /var/www/html, which is owned by root:webgroup with permissions 775. John is currently a member of the group 'staff', but not 'webgroup'. The security policy requires that John must be able to edit files without using sudo, and his primary group must remain 'staff'. Which of the following actions should you take to meet the requirements?

A.Add John to the 'webgroup' supplementary group with 'usermod -a -G webgroup john'.
B.Change the group ownership of /var/www/html to 'staff' and set the setgid bit.
C.Change John's primary group to 'webgroup' with 'usermod -g webgroup john'.
D.Set the setgid bit on /var/www/html with 'chmod g+s /var/www/html'.
AnswerA

Correct: John gains the group permissions of webgroup, allowing read/write access to the directory, while his primary group remains 'staff'.

Why this answer

Option A is correct because adding John to the 'webgroup' supplementary group with `usermod -a -G webgroup john` grants him group-level access to /var/www/html (owned by root:webgroup with permissions 775) without changing his primary group 'staff'. This allows him to view and modify files as a member of 'webgroup', satisfying the security policy that he must not use sudo and his primary group must remain unchanged.

Exam trap

The trap here is that candidates may confuse the setgid bit (Option D) with granting group membership, or incorrectly assume that changing the primary group (Option C) is acceptable despite the explicit requirement to keep it as 'staff'.

How to eliminate wrong answers

Option B is wrong because changing the group ownership of /var/www/html to 'staff' would grant access to all members of 'staff', which violates the principle of least privilege and does not specifically give John access as a member of 'webgroup'. Option C is wrong because changing John's primary group to 'webgroup' with `usermod -g webgroup john` would violate the requirement that his primary group must remain 'staff'. Option D is wrong because setting the setgid bit on /var/www/html with `chmod g+s /var/www/html` only ensures new files inherit the group ownership of the directory, but does not grant John membership in 'webgroup' or access to the directory itself.

74
Multi-Selectmedium

Which TWO commands can change a user's primary group?

Select 2 answers
A.groupdel groupname
B.groupmod -g newGID groupname
C.usermod -g groupname username
D.usermod -G groupname username
E.useradd -g groupname username
AnswersB, C

Changing a group's GID updates the GID in /etc/passwd for users whose primary group is that group.

Why this answer

Options B and C are correct. usermod -g changes the primary group for an existing user. groupmod -g changes the GID of a group, but if that group is the primary group of a user, the user's primary GID changes accordingly. Option D changes supplementary groups. Option A deletes the group.

Option E adds a new user with the specified primary group.

75
MCQeasy

An administrator needs to grant a user 'bob' the ability to run all commands as root without a password prompt. Which configuration in /etc/sudoers accomplishes this?

A.bob ALL=(ALL) NOPASSWD: ALL
B.bob ALL=(ALL) PASSWD: ALL
C.bob ALL=(root) NOPASSWD: ALL
D.bob ALL=(ALL) ALL
AnswerA

Grants password-less sudo for all commands.

Why this answer

The line 'bob ALL=(ALL) NOPASSWD: ALL' in /etc/sudoers gives bob full passwordless sudo access.
