User and group management is fundamental to Linux administration. Here’s how to manage accounts and access control.
Understanding Users and Groups
Key Files
| File |
Purpose |
/etc/passwd |
User account information |
/etc/shadow |
Encrypted passwords |
/etc/group |
Group definitions |
/etc/gshadow |
Group passwords (rarely used) |
username:x:UID:GID:comment:home:shell
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
username:password_hash:lastchange:min:max:warn:inactive:expire
alice:$6$rounds=...:19000:0:99999:7:::
groupname:x:GID:members
developers:x:1002:alice,bob,charlie
Creating Users
useradd (Low-Level)
1
2
3
4
5
|
# Basic user creation
sudo useradd alice
# With options
sudo useradd -m -s /bin/bash -c "Alice Smith" alice
|
Options:
-m: Create home directory
-s: Set shell
-c: Comment (full name)
-G: Additional groups
-d: Custom home directory
-u: Specific UID
-e: Expiration date
adduser (Debian/Ubuntu - Interactive)
1
2
|
# Interactive, creates home, sets password
sudo adduser alice
|
Creating System Users
For services, not humans:
1
2
|
# No home, no login shell
sudo useradd -r -s /usr/sbin/nologin appuser
|
Setting Passwords
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
# Set/change password
sudo passwd alice
# Force password change on login
sudo passwd -e alice
# Lock account
sudo passwd -l alice
# Unlock account
sudo passwd -u alice
# Check password status
sudo passwd -S alice
|
Password Policy
1
2
3
4
5
6
7
8
|
# Set password aging
sudo chage -M 90 -W 7 alice # Max 90 days, warn 7 days before
# View password info
sudo chage -l alice
# Force change on next login
sudo chage -d 0 alice
|
Modifying Users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
# Change shell
sudo usermod -s /bin/zsh alice
# Change home directory
sudo usermod -d /new/home -m alice # -m moves files
# Add to group
sudo usermod -aG docker alice # -a = append, don't replace
# Change username
sudo usermod -l newname oldname
# Lock/unlock
sudo usermod -L alice # Lock
sudo usermod -U alice # Unlock
# Set expiration
sudo usermod -e 2026-12-31 alice
|
Deleting Users
1
2
3
4
5
6
7
8
|
# Remove user (keep home)
sudo userdel alice
# Remove user and home directory
sudo userdel -r alice
# Debian/Ubuntu interactive
sudo deluser --remove-home alice
|
Managing Groups
Create Groups
1
2
3
4
5
|
# Create group
sudo groupadd developers
# With specific GID
sudo groupadd -g 2000 developers
|
Modify Groups
1
2
3
4
5
|
# Rename group
sudo groupmod -n newname oldname
# Change GID
sudo groupmod -g 2001 developers
|
Delete Groups
1
|
sudo groupdel developers
|
Managing Group Membership
1
2
3
4
5
6
7
8
9
10
11
12
13
|
# Add user to group
sudo usermod -aG developers alice
# or
sudo gpasswd -a alice developers
# Remove user from group
sudo gpasswd -d alice developers
# Set group members (replaces all)
sudo gpasswd -M alice,bob,charlie developers
# View group members
getent group developers
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
# Current user
whoami
# User ID and groups
id
id alice
# Groups for current user
groups
groups alice
# Logged in users
who
w
# User details
getent passwd alice
# All users
cat /etc/passwd
getent passwd
|
Switching Users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
# Switch to user
su - alice
# Run command as user
su - alice -c "whoami"
# Switch to root
su -
sudo -i
# Run command as root
sudo command
# Run command as another user
sudo -u alice command
|
sudo Configuration
/etc/sudoers
Edit with visudo (validates syntax):
Common entries:
# User alice can run any command
alice ALL=(ALL:ALL) ALL
# User bob can run specific commands
bob ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl
# Group wheel/sudo can run anything
%wheel ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# No password required
alice ALL=(ALL) NOPASSWD: ALL
# No password for specific commands
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
sudoers.d
Drop-in files:
1
2
|
# Create file in /etc/sudoers.d/
sudo visudo -f /etc/sudoers.d/alice
|
alice ALL=(ALL) NOPASSWD: /usr/bin/docker
User Environment
.bashrc vs .profile
| File |
When Loaded |
~/.profile |
Login shell |
~/.bashrc |
Interactive non-login shell |
~/.bash_profile |
Login shell (if exists) |
/etc/profile |
All login shells |
/etc/bash.bashrc |
All interactive shells |
Skeleton Directory
Default files for new users:
1
2
3
4
5
|
ls /etc/skel
# .bashrc, .profile, etc.
# Add files for all new users
sudo cp myfile /etc/skel/
|
Practical Examples
Create Developer User
1
2
3
|
# Create user with proper setup
sudo useradd -m -s /bin/bash -c "Developer Account" -G sudo,docker developer
sudo passwd developer
|
Create Service Account
1
2
3
4
|
# For running applications
sudo useradd -r -s /usr/sbin/nologin -d /opt/myapp myapp
sudo mkdir -p /opt/myapp
sudo chown myapp:myapp /opt/myapp
|
Set Up Shared Group
1
2
3
4
5
6
7
8
9
10
11
|
# Create group
sudo groupadd project-team
# Add users
sudo usermod -aG project-team alice
sudo usermod -aG project-team bob
# Create shared directory
sudo mkdir /shared/project
sudo chgrp project-team /shared/project
sudo chmod 2775 /shared/project # SGID
|
Audit User Activity
1
2
3
4
5
6
7
8
9
10
11
12
13
|
# Last logins
last alice
last -n 10
# Failed logins
sudo lastb
# Currently logged in
who
w
# User's processes
ps -u alice
|
Security Best Practices
- Use strong passwords or SSH keys
- Disable root login over SSH
- Use sudo instead of root shell
- Audit sudo usage:
sudo grep sudo /var/log/auth.log
- Remove unused accounts:
sudo userdel olduser
- Set password expiration for compliance
- Use groups for access control, not individual permissions
Quick Reference
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
# User management
useradd -m -s /bin/bash user # Create
passwd user # Set password
usermod -aG group user # Add to group
userdel -r user # Delete with home
# Group management
groupadd group # Create
gpasswd -a user group # Add member
groupdel group # Delete
# Information
id user # UID, GID, groups
groups user # Groups only
getent passwd user # User details
|
Proper user management is the foundation of Linux security. Take time to set it up right.
Comments