Linux User and Group Management: Controlling System Access
User and group management is fundamental to Linux system administration. It involves controlling who can access the system, what level of privileges they have, and how resources are organized. This comprehensive guide covers creating, modifying, and managing user accounts and groups on Linux systems.
Understanding User Accounts
Where User Information is Stored
/etc/passwd: Contains user account information
- Each line represents a user
- Fields include: username, user ID (UID), group ID (GID), home directory, and default shell
- World-readable (passwords are not stored here)
/etc/shadow: Contains password hashes and password aging information
- More secure than
/etc/passwd - Only accessible by root
- Contains encrypted passwords and expiration dates
/etc/group: Contains group account information
- Lists groups and their members
- Includes group ID (GID) and group members
Home Directories
- Default Location:
/home/<username> - Template Directory:
/etc/skelcontains default files copied to new user home directories - Files like
.bashrc,.profileare copied from/etc/skelduring user creation - The
useraddcommand creates users but does not automatically set passwords
Creating Users with useradd
The useradd command is the primary tool for creating new user accounts.
Common useradd Options
| Option | Meaning | Example |
|---|---|---|
-c | Adds a comment (usually the full name or description) | useradd -c "Alex the Developer" alex |
-d | Specifies the home directory path/name | useradd -d /data/alex_home alex |
-e | Sets an expiration date (in YYYY-MM-DD format) | useradd -e 2025-01-01 alex |
-f | Inactive days after password expires before disabling | useradd -f 7 alex (7 days) |
-g | Sets the primary group (by name or GID) | useradd -g developers alex |
-G | Sets secondary (supplementary) groups | useradd -G wheel,qa alex |
-m | Creates the home directory (default behavior) | useradd -m alex |
-M | Does not create a home directory | useradd -M alex |
-n | Avoids creating a user-specific group | useradd -n alex |
-r | Creates a system account (usually for services) | useradd -r nginx |
-s | Specifies the user's default shell | useradd -s /bin/zsh alex |
-u | Specifies a custom user ID (UID) | useradd -u 1050 alex |
-D | Displays or sets default useradd configuration | useradd -D (shows defaults) |
Practical Examples
Standard User Creation:
# Create a user 'alex' with a home directory, comment, and default shell
sudo useradd -m -c "Alex the Developer" -s /bin/bash alex
# Set a password
sudo passwd alex
User with Specific Groups:
# Create a user with primary group 'developers' and secondary group 'wheel'
sudo useradd -m -g developers -G wheel -s /bin/bash jen
sudo passwd jen
User with Expiration Date:
# Create a temporary user who can only login until Dec 31, 2024
sudo useradd -m -e 2024-12-31 tempuser
sudo passwd tempuser
System Account:
# Create a system account for a service (no home directory, no login shell)
sudo useradd -r -s /sbin/nologin nginx
Modifying Users with usermod
The usermod command modifies existing user accounts.
Common usermod Options
Basic Syntax: sudo usermod [options] <username>
| Option | Description |
|---|---|
-aG <group> | Append (-a) the user to a supplementary group (-G). Critical: Omitting -a overwrites existing group memberships |
-l <new_name> | Rename the user from <old_name> to <new_name> |
-d <new_home> | Specify a new home directory path. Use -m alongside to move existing files |
-s <shell> | Change the user's default login shell |
Examples
# Add user "alex" to group "sudo" without overwriting other groups
sudo usermod -aG sudo alex
# Change user's home directory and move files
sudo usermod -d /new/home/alex -m alex
# Change user's default shell
sudo usermod -s /bin/zsh alex
# Rename a user
sudo usermod -l newname oldname
Important: Always use -a with -G to append groups. Without -a, usermod -G will replace all supplementary groups.
Deleting Users with userdel
The userdel command removes user accounts.
Basic Syntax: sudo userdel <username>
Common Option:
-r: Delete the user and their home directory- Without
-r, the home directory remains even after the user is removed
- Without
Example:
# Remove user "alex" and their home directory
sudo userdel -r alex
Password Management with passwd
The passwd command manages user passwords.
Basic Syntax: sudo passwd <username>
Common Options
| Option | Description |
|---|---|
-e <username> | Expire a user's password (forces reset on next login) |
-l <username> | Lock a user's password (prevents login) |
-u <username> | Unlock a user's password (reverses the lock) |
Examples
# Set or change a user's password
sudo passwd alex
# Force user to change password at next login
sudo passwd -e alex
# Lock a user account
sudo passwd -l alex
# Unlock a user account
sudo passwd -u alex
Additional User Management Commands
chfn - Change Finger Information
Modifies a user's GECOS (General Electric Comprehensive Operating System) information.
Options:
-f: Full name-o: Office/Other information-h: Home phone-por-w: Work phone
Example:
# Update the full name of user "alex"
chfn -f "Alex The Great" alex
chsh - Change Shell
Changes a user's login shell.
Example:
# Change user's shell to zsh
sudo chsh -s /bin/zsh alex
# Interactive mode (prompts for new shell)
chsh
chage - Change Password Aging
Manages password expiration policies.
Viewing Current Settings:
chage -l alex
Common Options:
-E <YYYY-MM-DD>: Set account expiration date-M <days>: Maximum days before password must be changed-m <days>: Minimum days between password changes
Example:
# Force password change on next login
sudo chage -d 0 alex
# Set maximum password age to 90 days
sudo chage -M 90 alex
Group Management
Creating Groups with groupadd
Basic Syntax: sudo groupadd <groupname>
Common Options:
-g <GID>: Specify a group ID-r: Create a system group (GID typically <1000)-f: Exit silently if the group already exists
Example:
# Create a regular group
sudo groupadd developers
# Create a system group
sudo groupadd -r systemgroup
# Create a group with specific GID
sudo groupadd -g 1500 developers
Modifying Groups with groupmod
Basic Syntax: sudo groupmod [options] <groupname>
Common Options:
-g <GID>: Change the group's GID-n <newname>: Rename the group
Example:
# Rename a group
sudo groupmod -n newgroupname oldgroupname
# Change group GID
sudo groupmod -g 2000 developers
Deleting Groups with groupdel
Basic Syntax: sudo groupdel <groupname>
Important:
- Removes a group but does not remove user accounts
- You must remove or reassign any user references to that group first
- No standard
-ror-foption (unlikeuserdel)
Example:
# Remove a group (ensure no users are assigned first)
sudo groupdel developers
Managing Group Membership
Add a user to a group:
# Critical: Use -a to append, not replace
sudo usermod -aG <groupname> <username>
Remove a user from a group:
# Use gpasswd to remove from group
sudo gpasswd -d <username> <groupname>
Viewing User and Group Information
Basic Commands
id <username>: Displays UID, GID, and all groups
id alex
# Output: uid=1000(alex) gid=1000(alex) groups=1000(alex),27(sudo),999(docker)
groups <username>: Shows which groups a user belongs to
groups alex
# Output: alex sudo docker
getent passwd <username>: Retrieves user info from NSS databases
getent passwd alex
getent group <groupname>: Retrieves group info
getent group sudo
Viewing System Files
/etc/passwd:
# View all users
cat /etc/passwd
# Find specific user
cat /etc/passwd | grep alex
/etc/shadow:
# View password information (root only)
sudo cat /etc/shadow | grep alex
/etc/group:
# View all groups
cat /etc/group
# Find specific group
cat /etc/group | grep sudo
Login Information Commands
whoami: Displays current username
whoami
who: Shows who is currently logged in
who
who -u # Shows login time and idle times
who -b # Shows last system boot time
who -r # Shows current runlevel
w: Shows logged-in users with running processes
w
last: Shows login history
last
last -n 10 # Show last 10 logins
last alex # Show logins for specific user
lastlog: Shows most recent login for every user
lastlog
Advanced Commands
gpasswd - Group Password Management
Manages group passwords and memberships.
Common Subcommands:
gpasswd -a <username> <groupname>: Add user to groupgpasswd -d <username> <groupname>: Remove user from group
Example:
# Add developer to docker group
sudo gpasswd -a devuser docker
# Remove user from group
sudo gpasswd -d oldemployee devops
vipw and vigr - Safe Editing
Safely edit /etc/passwd or /etc/group with file locking.
Example:
# Safely edit /etc/passwd
sudo vipw
# Safely edit /etc/group
sudo vigr
Password File Conversion
pwconv: Creates /etc/shadow from /etc/passwd
pwunconv: Merges /etc/shadow back into /etc/passwd
grpconv: Creates /etc/gshadow from /etc/group
grpunconv: Merges /etc/gshadow back into /etc/group
Configuration Files
/etc/login.defs
Default settings for user accounts:
UID_MIN: Minimum UID for a userUID_MAX: Maximum UID for a userGID_MIN: Minimum GID for a groupGID_MAX: Maximum GID for a groupPASS_MAX_DAYS: Maximum password agePASS_MIN_DAYS: Minimum password agePASS_WARN_AGE: Password warning periodPASS_MIN_LEN: Minimum password lengthUMASK: Default file creation mask
/etc/skel
Template directory for new user home directories:
- Files in
/etc/skelare copied to new user home directories - Common files:
.bashrc,.profile,.bash_profile - Customize this directory to set default configurations for new users
Best Practices
Security Considerations
- Always Set Passwords:
useradddoesn't set passwords automatically - Use Strong Passwords: Enforce password complexity requirements
- Regular Audits: Periodically review user accounts and group memberships
- Remove Inactive Accounts: Use
lastlogto identify inactive users - Lock Unused Accounts: Use
passwd -linstead of deleting immediately
Group Organization
- Use Functional Groups: Organize users by function (developers, admins, etc.)
- Principle of Least Privilege: Grant only necessary group memberships
- Document Group Purposes: Keep notes on group naming conventions
- Regular Reviews: Periodically audit group memberships
User Creation Workflow
- Create User: Use
useraddwith appropriate options - Set Password: Use
passwdto set initial password - Assign Groups: Add user to necessary groups with
usermod -aG - Verify: Use
idandgroupsto confirm configuration - Test: Log in as the user to verify everything works
Troubleshooting
Common Issues
User Cannot Log In:
- Check if account is locked:
passwd -S username - Verify shell is correct:
cat /etc/passwd | grep username - Check home directory permissions
Group Membership Not Working:
- Verify with
groups username - Ensure you used
-aflag withusermod -G - User may need to log out and back in for changes to take effect
Permission Denied:
- Verify user is in correct groups
- Check file permissions and ownership
- Review SELinux contexts if applicable
Conclusion
User and group management is a core skill for Linux system administrators. Understanding how to create, modify, and manage user accounts and groups enables you to control system access effectively. From basic user creation with useradd to advanced group management with gpasswd, these commands form the foundation of Linux access control.
By following best practices for security, organization, and workflow, you can maintain a well-organized and secure system. Regular audits and proper documentation ensure that user and group management remains manageable as your system grows.
In the next article, we'll explore root access and sudo configuration, essential for managing administrative privileges securely. Stay tuned!