LUNAROPS · OPERATIONAL UPLINK 100% UPTIME 1,247d POSTS 893 JEFF.MOON@LUNAROPS.DEV UTC --:--:--

Linux User and Group Management

linuxusersgroupssecurityadministration

User and group management is fundamental to Linux administration. Here’s how to manage accounts and access control.

Understanding Users and Groups

Key Files

File Purpose
/etc/passwd User account information
/etc/shadow Encrypted passwords
/etc/group Group definitions
/etc/gshadow Group passwords (rarely used)

/etc/passwd Format

username:x:UID:GID:comment:home:shell
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash

/etc/shadow Format

username:password_hash:lastchange:min:max:warn:inactive:expire
alice:$6$rounds=...:19000:0:99999:7:::

/etc/group Format

groupname:x:GID:members
developers:x:1002:alice,bob,charlie

Creating Users

useradd (Low-Level)

1
2
3
4
5
# Basic user creation
sudo useradd alice

# With options
sudo useradd -m -s /bin/bash -c "Alice Smith" alice

Options:

  • -m: Create home directory
  • -s: Set shell
  • -c: Comment (full name)
  • -G: Additional groups
  • -d: Custom home directory
  • -u: Specific UID
  • -e: Expiration date

adduser (Debian/Ubuntu - Interactive)

1
2
# Interactive, creates home, sets password
sudo adduser alice

Creating System Users

For services, not humans:

1
2
# No home, no login shell
sudo useradd -r -s /usr/sbin/nologin appuser

Setting Passwords

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
# Set/change password
sudo passwd alice

# Force password change on login
sudo passwd -e alice

# Lock account
sudo passwd -l alice

# Unlock account
sudo passwd -u alice

# Check password status
sudo passwd -S alice

Password Policy

1
2
3
4
5
6
7
8
# Set password aging
sudo chage -M 90 -W 7 alice  # Max 90 days, warn 7 days before

# View password info
sudo chage -l alice

# Force change on next login
sudo chage -d 0 alice

Modifying Users

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
# Change shell
sudo usermod -s /bin/zsh alice

# Change home directory
sudo usermod -d /new/home -m alice  # -m moves files

# Add to group
sudo usermod -aG docker alice  # -a = append, don't replace

# Change username
sudo usermod -l newname oldname

# Lock/unlock
sudo usermod -L alice  # Lock
sudo usermod -U alice  # Unlock

# Set expiration
sudo usermod -e 2026-12-31 alice

Deleting Users

1
2
3
4
5
6
7
8
# Remove user (keep home)
sudo userdel alice

# Remove user and home directory
sudo userdel -r alice

# Debian/Ubuntu interactive
sudo deluser --remove-home alice

Managing Groups

Create Groups

1
2
3
4
5
# Create group
sudo groupadd developers

# With specific GID
sudo groupadd -g 2000 developers

Modify Groups

1
2
3
4
5
# Rename group
sudo groupmod -n newname oldname

# Change GID
sudo groupmod -g 2001 developers

Delete Groups

1
sudo groupdel developers

Managing Group Membership

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# Add user to group
sudo usermod -aG developers alice
# or
sudo gpasswd -a alice developers

# Remove user from group
sudo gpasswd -d alice developers

# Set group members (replaces all)
sudo gpasswd -M alice,bob,charlie developers

# View group members
getent group developers

Viewing User Information

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
# Current user
whoami

# User ID and groups
id
id alice

# Groups for current user
groups
groups alice

# Logged in users
who
w

# User details
getent passwd alice

# All users
cat /etc/passwd
getent passwd

Switching Users

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
# Switch to user
su - alice

# Run command as user
su - alice -c "whoami"

# Switch to root
su -
sudo -i

# Run command as root
sudo command

# Run command as another user
sudo -u alice command

sudo Configuration

/etc/sudoers

Edit with visudo (validates syntax):

1
sudo visudo

Common entries:

# User alice can run any command
alice ALL=(ALL:ALL) ALL

# User bob can run specific commands
bob ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl

# Group wheel/sudo can run anything
%wheel ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL

# No password required
alice ALL=(ALL) NOPASSWD: ALL

# No password for specific commands
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

sudoers.d

Drop-in files:

1
2
# Create file in /etc/sudoers.d/
sudo visudo -f /etc/sudoers.d/alice
alice ALL=(ALL) NOPASSWD: /usr/bin/docker

User Environment

.bashrc vs .profile

File When Loaded
~/.profile Login shell
~/.bashrc Interactive non-login shell
~/.bash_profile Login shell (if exists)
/etc/profile All login shells
/etc/bash.bashrc All interactive shells

Skeleton Directory

Default files for new users:

1
2
3
4
5
ls /etc/skel
# .bashrc, .profile, etc.

# Add files for all new users
sudo cp myfile /etc/skel/

Practical Examples

Create Developer User

1
2
3
# Create user with proper setup
sudo useradd -m -s /bin/bash -c "Developer Account" -G sudo,docker developer
sudo passwd developer

Create Service Account

1
2
3
4
# For running applications
sudo useradd -r -s /usr/sbin/nologin -d /opt/myapp myapp
sudo mkdir -p /opt/myapp
sudo chown myapp:myapp /opt/myapp

Set Up Shared Group

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# Create group
sudo groupadd project-team

# Add users
sudo usermod -aG project-team alice
sudo usermod -aG project-team bob

# Create shared directory
sudo mkdir /shared/project
sudo chgrp project-team /shared/project
sudo chmod 2775 /shared/project  # SGID

Audit User Activity

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# Last logins
last alice
last -n 10

# Failed logins
sudo lastb

# Currently logged in
who
w

# User's processes
ps -u alice

Security Best Practices

  1. Use strong passwords or SSH keys
  2. Disable root login over SSH
  3. Use sudo instead of root shell
  4. Audit sudo usage: sudo grep sudo /var/log/auth.log
  5. Remove unused accounts: sudo userdel olduser
  6. Set password expiration for compliance
  7. Use groups for access control, not individual permissions

Quick Reference

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
# User management
useradd -m -s /bin/bash user    # Create
passwd user                      # Set password
usermod -aG group user          # Add to group
userdel -r user                 # Delete with home

# Group management
groupadd group                  # Create
gpasswd -a user group           # Add member
groupdel group                  # Delete

# Information
id user                         # UID, GID, groups
groups user                     # Groups only
getent passwd user              # User details

Proper user management is the foundation of Linux security. Take time to set it up right.

Comments