Back to Articles
Linux

Linux User and Group Management: Controlling System Access

A Comprehensive Guide to Creating, Modifying, and Managing User Accounts and Groups

Alex Lux2023-11-249 min read
LinuxUser ManagementGroup ManagementSystem AdministrationRHCSA
Linux User and Group Management: Controlling System Access
Use this link for review flash cards

Linux User and Group Management: Controlling System Access

User and group management is fundamental to Linux system administration. It involves controlling who can access the system, what level of privileges they have, and how resources are organized. This comprehensive guide covers creating, modifying, and managing user accounts and groups on Linux systems.

Understanding User Accounts

Where User Information is Stored

/etc/passwd: Contains user account information

  • Each line represents a user
  • Fields include: username, user ID (UID), group ID (GID), home directory, and default shell
  • World-readable (passwords are not stored here)

/etc/shadow: Contains password hashes and password aging information

  • More secure than /etc/passwd
  • Only accessible by root
  • Contains encrypted passwords and expiration dates

/etc/group: Contains group account information

  • Lists groups and their members
  • Includes group ID (GID) and group members

Home Directories

  • Default Location: /home/<username>
  • Template Directory: /etc/skel contains default files copied to new user home directories
  • Files like .bashrc, .profile are copied from /etc/skel during user creation
  • The useradd command creates users but does not automatically set passwords

Creating Users with useradd

The useradd command is the primary tool for creating new user accounts.

Common useradd Options

Option Meaning Example
-c Adds a comment (usually the full name or description) useradd -c "Alex the Developer" alex
-d Specifies the home directory path/name useradd -d /data/alex_home alex
-e Sets an expiration date (in YYYY-MM-DD format) useradd -e 2025-01-01 alex
-f Inactive days after password expires before disabling useradd -f 7 alex (7 days)
-g Sets the primary group (by name or GID) useradd -g developers alex
-G Sets secondary (supplementary) groups useradd -G wheel,qa alex
-m Creates the home directory (default behavior) useradd -m alex
-M Does not create a home directory useradd -M alex
-n Avoids creating a user-specific group useradd -n alex
-r Creates a system account (usually for services) useradd -r nginx
-s Specifies the user's default shell useradd -s /bin/zsh alex
-u Specifies a custom user ID (UID) useradd -u 1050 alex
-D Displays or sets default useradd configuration useradd -D (shows defaults)

Practical Examples

Standard User Creation:

# Create a user 'alex' with a home directory, comment, and default shell
sudo useradd -m -c "Alex the Developer" -s /bin/bash alex

# Set a password
sudo passwd alex

User with Specific Groups:

# Create a user with primary group 'developers' and secondary group 'wheel'
sudo useradd -m -g developers -G wheel -s /bin/bash jen
sudo passwd jen

User with Expiration Date:

# Create a temporary user who can only login until Dec 31, 2024
sudo useradd -m -e 2024-12-31 tempuser
sudo passwd tempuser

System Account:

# Create a system account for a service (no home directory, no login shell)
sudo useradd -r -s /sbin/nologin nginx

Modifying Users with usermod

The usermod command modifies existing user accounts.

Common usermod Options

Basic Syntax: sudo usermod [options] <username>

Option Description
-aG <group> Append (-a) the user to a supplementary group (-G). Critical: Omitting -a overwrites existing group memberships
-l <new_name> Rename the user from <old_name> to <new_name>
-d <new_home> Specify a new home directory path. Use -m alongside to move existing files
-s <shell> Change the user's default login shell

Examples

# Add user "alex" to group "sudo" without overwriting other groups
sudo usermod -aG sudo alex

# Change user's home directory and move files
sudo usermod -d /new/home/alex -m alex

# Change user's default shell
sudo usermod -s /bin/zsh alex

# Rename a user
sudo usermod -l newname oldname

Important: Always use -a with -G to append groups. Without -a, usermod -G will replace all supplementary groups.

Deleting Users with userdel

The userdel command removes user accounts.

Basic Syntax: sudo userdel <username>

Common Option:

  • -r: Delete the user and their home directory
    • Without -r, the home directory remains even after the user is removed

Example:

# Remove user "alex" and their home directory
sudo userdel -r alex

Password Management with passwd

The passwd command manages user passwords.

Basic Syntax: sudo passwd <username>

Common Options

Option Description
-e <username> Expire a user's password (forces reset on next login)
-l <username> Lock a user's password (prevents login)
-u <username> Unlock a user's password (reverses the lock)

Examples

# Set or change a user's password
sudo passwd alex

# Force user to change password at next login
sudo passwd -e alex

# Lock a user account
sudo passwd -l alex

# Unlock a user account
sudo passwd -u alex

Additional User Management Commands

chfn - Change Finger Information

Modifies a user's GECOS (General Electric Comprehensive Operating System) information.

Options:

  • -f: Full name
  • -o: Office/Other information
  • -h: Home phone
  • -p or -w: Work phone

Example:

# Update the full name of user "alex"
chfn -f "Alex The Great" alex

chsh - Change Shell

Changes a user's login shell.

Example:

# Change user's shell to zsh
sudo chsh -s /bin/zsh alex

# Interactive mode (prompts for new shell)
chsh

chage - Change Password Aging

Manages password expiration policies.

Viewing Current Settings:

chage -l alex

Common Options:

  • -E <YYYY-MM-DD>: Set account expiration date
  • -M <days>: Maximum days before password must be changed
  • -m <days>: Minimum days between password changes

Example:

# Force password change on next login
sudo chage -d 0 alex

# Set maximum password age to 90 days
sudo chage -M 90 alex

Group Management

Creating Groups with groupadd

Basic Syntax: sudo groupadd <groupname>

Common Options:

  • -g <GID>: Specify a group ID
  • -r: Create a system group (GID typically <1000)
  • -f: Exit silently if the group already exists

Example:

# Create a regular group
sudo groupadd developers

# Create a system group
sudo groupadd -r systemgroup

# Create a group with specific GID
sudo groupadd -g 1500 developers

Modifying Groups with groupmod

Basic Syntax: sudo groupmod [options] <groupname>

Common Options:

  • -g <GID>: Change the group's GID
  • -n <newname>: Rename the group

Example:

# Rename a group
sudo groupmod -n newgroupname oldgroupname

# Change group GID
sudo groupmod -g 2000 developers

Deleting Groups with groupdel

Basic Syntax: sudo groupdel <groupname>

Important:

  • Removes a group but does not remove user accounts
  • You must remove or reassign any user references to that group first
  • No standard -r or -f option (unlike userdel)

Example:

# Remove a group (ensure no users are assigned first)
sudo groupdel developers

Managing Group Membership

Add a user to a group:

# Critical: Use -a to append, not replace
sudo usermod -aG <groupname> <username>

Remove a user from a group:

# Use gpasswd to remove from group
sudo gpasswd -d <username> <groupname>

Viewing User and Group Information

Basic Commands

id <username>: Displays UID, GID, and all groups

id alex
# Output: uid=1000(alex) gid=1000(alex) groups=1000(alex),27(sudo),999(docker)

groups <username>: Shows which groups a user belongs to

groups alex
# Output: alex sudo docker

getent passwd <username>: Retrieves user info from NSS databases

getent passwd alex

getent group <groupname>: Retrieves group info

getent group sudo

Viewing System Files

/etc/passwd:

# View all users
cat /etc/passwd

# Find specific user
cat /etc/passwd | grep alex

/etc/shadow:

# View password information (root only)
sudo cat /etc/shadow | grep alex

/etc/group:

# View all groups
cat /etc/group

# Find specific group
cat /etc/group | grep sudo

Login Information Commands

whoami: Displays current username

whoami

who: Shows who is currently logged in

who
who -u    # Shows login time and idle times
who -b    # Shows last system boot time
who -r    # Shows current runlevel

w: Shows logged-in users with running processes

w

last: Shows login history

last
last -n 10    # Show last 10 logins
last alex      # Show logins for specific user

lastlog: Shows most recent login for every user

lastlog

Advanced Commands

gpasswd - Group Password Management

Manages group passwords and memberships.

Common Subcommands:

  • gpasswd -a <username> <groupname>: Add user to group
  • gpasswd -d <username> <groupname>: Remove user from group

Example:

# Add developer to docker group
sudo gpasswd -a devuser docker

# Remove user from group
sudo gpasswd -d oldemployee devops

vipw and vigr - Safe Editing

Safely edit /etc/passwd or /etc/group with file locking.

Example:

# Safely edit /etc/passwd
sudo vipw

# Safely edit /etc/group
sudo vigr

Password File Conversion

pwconv: Creates /etc/shadow from /etc/passwd pwunconv: Merges /etc/shadow back into /etc/passwd grpconv: Creates /etc/gshadow from /etc/group grpunconv: Merges /etc/gshadow back into /etc/group

Configuration Files

/etc/login.defs

Default settings for user accounts:

  • UID_MIN: Minimum UID for a user
  • UID_MAX: Maximum UID for a user
  • GID_MIN: Minimum GID for a group
  • GID_MAX: Maximum GID for a group
  • PASS_MAX_DAYS: Maximum password age
  • PASS_MIN_DAYS: Minimum password age
  • PASS_WARN_AGE: Password warning period
  • PASS_MIN_LEN: Minimum password length
  • UMASK: Default file creation mask

/etc/skel

Template directory for new user home directories:

  • Files in /etc/skel are copied to new user home directories
  • Common files: .bashrc, .profile, .bash_profile
  • Customize this directory to set default configurations for new users

Best Practices

Security Considerations

  1. Always Set Passwords: useradd doesn't set passwords automatically
  2. Use Strong Passwords: Enforce password complexity requirements
  3. Regular Audits: Periodically review user accounts and group memberships
  4. Remove Inactive Accounts: Use lastlog to identify inactive users
  5. Lock Unused Accounts: Use passwd -l instead of deleting immediately

Group Organization

  1. Use Functional Groups: Organize users by function (developers, admins, etc.)
  2. Principle of Least Privilege: Grant only necessary group memberships
  3. Document Group Purposes: Keep notes on group naming conventions
  4. Regular Reviews: Periodically audit group memberships

User Creation Workflow

  1. Create User: Use useradd with appropriate options
  2. Set Password: Use passwd to set initial password
  3. Assign Groups: Add user to necessary groups with usermod -aG
  4. Verify: Use id and groups to confirm configuration
  5. Test: Log in as the user to verify everything works

Troubleshooting

Common Issues

User Cannot Log In:

  • Check if account is locked: passwd -S username
  • Verify shell is correct: cat /etc/passwd | grep username
  • Check home directory permissions

Group Membership Not Working:

  • Verify with groups username
  • Ensure you used -a flag with usermod -G
  • User may need to log out and back in for changes to take effect

Permission Denied:

  • Verify user is in correct groups
  • Check file permissions and ownership
  • Review SELinux contexts if applicable

Conclusion

User and group management is a core skill for Linux system administrators. Understanding how to create, modify, and manage user accounts and groups enables you to control system access effectively. From basic user creation with useradd to advanced group management with gpasswd, these commands form the foundation of Linux access control.

By following best practices for security, organization, and workflow, you can maintain a well-organized and secure system. Regular audits and proper documentation ensure that user and group management remains manageable as your system grows.

In the next article, we'll explore root access and sudo configuration, essential for managing administrative privileges securely. Stay tuned!

Related Reading