Manage Local Users and Groups
Learn to create, modify, and delete user accounts and groups. Master password policies, user configuration files, and effective user management strategies for multi-user Linux systems.
Introduction
User and group management is fundamental to Linux security and system organization. Every process runs as a specific user, and access to files and resources is controlled through user and group permissions.
In this chapter, you'll learn to:
- Create and manage local user accounts
- Configure user properties and home directories
- Manage group memberships
- Set and enforce password policies
- Understand key configuration files (/etc/passwd, /etc/shadow, /etc/group)
Understanding User Accounts
User Account Components
Each user account in Linux consists of:
- Username: Unique identifier for the user
- UID: User ID number (numeric identifier)
- Primary Group: Default group (GID)
- Home Directory: User's personal workspace
- Login Shell: Default command interpreter
- Password: Encrypted authentication credential
User Types
| User Type | UID Range | Purpose |
|---|---|---|
| Root | 0 | Superuser (full system access) |
| System | 1-999 | Service accounts (daemons) |
| Regular | 1000+ | Human users |
Key Configuration Files
/etc/passwd
Contains basic user account information:
```text
student:x:1000:1000:Student User:/home/student:/bin/bash
```
The seven colon-separated fields, left to right:
- Username
- Password (x = stored in /etc/shadow)
- UID
- Primary GID
- GECOS (comment field)
- Home directory
- Login shell
/etc/shadow
Stores encrypted passwords and password policies:
```text
student:$6$random$hash:18900:0:99999:7:::
```
The nine colon-separated fields, left to right (day counts are days since 1970-01-01):
- Username
- Encrypted password ($6$ marks a SHA-512 crypt hash; a leading ! means the account was locked with passwd -l or usermod -L)
- Last password change
- Minimum password age
- Maximum password age (99999 means the password never expires)
- Password warning period
- Inactive period after expiration (empty in this example)
- Account expiration date (empty in this example)
- Reserved field (empty)
/etc/group
Defines groups and membership:
```text
developers:x:2000:alice,bob,charlie
```
The four colon-separated fields, left to right:
- Group name
- Password field (usually x or empty)
- GID
- Group members (comma-separated supplementary members; users whose primary GID is 2000 are not listed here)
Manage User Accounts
Creating Users
useradd Command
```bash
# Basic user creation
sudo useradd john
# Create with specific UID
sudo useradd -u 1500 jane
# Create with specific home directory
sudo useradd -d /custom/home/path alice
# Create with specific shell
sudo useradd -s /bin/zsh bob
# Create without home directory
sudo useradd -M serviceaccount
# Create with comment
sudo useradd -c "John Doe" john
# Create with specific groups
sudo useradd -G developers,admins charlie
# Complete example
sudo useradd -u 1501 -g users -G developers,docker -c "Alice Developer" -s /bin/bash alice
```
By default, useradd creates a home directory, assigns the next available UID, and uses /bin/bash as the shell.
Modifying Users
usermod Command
```bash
# Change username
sudo usermod -l newname oldname
# Change UID
sudo usermod -u 2000 john
# Change home directory (and move its contents)
sudo usermod -d /new/home -m john
# Change shell
sudo usermod -s /bin/zsh john
# Add to supplementary groups
sudo usermod -aG docker,wheel john
# Set expiration date
sudo usermod -e 2025-12-31 john
# Lock account
sudo usermod -L john
# Unlock account
sudo usermod -U john
```
Use -aG to add groups. Using only -G replaces all supplementary groups!
Deleting Users
userdel Command
```bash
# Delete user (keep home directory)
sudo userdel john
# Delete user and home directory
sudo userdel -r john
# Force deletion (even if user is logged in)
sudo userdel -f john
```
Viewing User Information
```bash
# View user details
id john
# View current user
whoami
# View logged-in users
who
# View user's groups
groups john
# Last login information
lastlog -u john
```
Procedure: Creating a Complete User Account
- Create the user with options:
  ```bash
  sudo useradd -u 1600 -c "Developer Account" -s /bin/bash developer
  ```
- Set the password:
  ```bash
  sudo passwd developer
  ```
- Add to supplementary groups:
  ```bash
  sudo usermod -aG wheel,developers developer
  ```
- Verify the account:
  ```bash
  id developer
  grep developer /etc/passwd
  ```
- Test login:
  ```bash
  su - developer
  ```
Manage Group Accounts
Creating Groups
groupadd Command
```bash
# Create basic group
sudo groupadd developers
# Create with specific GID
sudo groupadd -g 5000 admins
# Create system group
sudo groupadd -r sysgroup
```
Modifying Groups
groupmod Command
```bash
# Rename group
sudo groupmod -n newname oldname
# Change GID
sudo groupmod -g 6000 developers
```
Deleting Groups
groupdel Command
```bash
# Delete group
sudo groupdel developers
```
You cannot delete a group if it's the primary group of any user. Change the user's primary group first.
Managing Group Membership
```bash
# Add user to group
sudo gpasswd -a username groupname
# Remove user from group
sudo gpasswd -d username groupname
# Set group administrators
sudo gpasswd -A admin1,admin2 groupname
# Set group members (replaces the current member list)
sudo gpasswd -M user1,user2,user3 groupname
```
Alternative Methods
```bash
# Using usermod (append to groups)
sudo usermod -aG group1,group2 username
# View group members
getent group groupname
# View all groups
getent group
```
Password Management
Setting Passwords
passwd Command
```bash
# Set password for current user
passwd
# Set password for specific user (as root)
sudo passwd john
# Set password from stdin (scripting); --stdin is a RHEL/Fedora option, Debian/Ubuntu use chpasswd,
# and a password typed on the command line like this is recorded in the shell history
echo "newpassword" | sudo passwd --stdin john
# Force password change on next login
sudo passwd -e john
# Lock user account
sudo passwd -l john
# Unlock user account
sudo passwd -u john
# Delete password (dangerous: the account can then log in without one)
sudo passwd -d john
```
Password Aging
chage Command
```bash
# View password aging information
sudo chage -l john
# Set maximum password age (days)
sudo chage -M 90 john
# Set minimum password age
sudo chage -m 7 john
# Set password expiration warning
sudo chage -W 14 john
# Set account expiration date
sudo chage -E 2025-12-31 john
# Force password change
sudo chage -d 0 john
# Set inactive period after password expiration
sudo chage -I 30 john
```
Example: Complete Password Policy
```bash
# Set comprehensive password policy
sudo chage -M 90 -m 7 -W 14 -I 30 john
# Explanation:
# -M 90: Password expires in 90 days
# -m 7: Minimum 7 days between password changes
# -W 14: Warn user 14 days before expiration
# -I 30: Account locks 30 days after password expiration
```
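As an added example (not part of the original chapter), the following Python script parses constructed /etc/passwd and /etc/shadow records using the field layout shown above and applies the aging fields (last change, maximum age, warning period, inactive period) the way chage sets them, reporting accounts that need attention. The records, the epoch-day value passed as `today`, and the `$6$salt$hash` placeholders are all constructed; read the real files with root privileges if you want to run it against a live host.

```python
# Constructed sample records (not taken from any real host); "$6$salt$hash" is a placeholder.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:Backup Job:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
student:x:1000:1000:Student User:/home/student:/bin/bash
john:x:1001:1001:John Doe:/home/john:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:19500:0:99999:7:::
backup:$6$salt$hash:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
student::19500:0:99999:7:::
john:$6$salt$hash:19500:7:90:14:30::
"""
# The nine colon-separated /etc/shadow fields, in order; day counts are days since 1970-01-01.
SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_shadow(text):
    """Map username -> dict of the nine shadow fields (empty fields stay '')."""
    return {f[0]: dict(zip(SHADOW_FIELDS, f)) for f in (line.split(":") for line in text.splitlines() if line)}

def parse_passwd(text):
    """Map username -> UID, read from the third of the seven /etc/passwd fields."""
    return {f[0]: int(f[2]) for f in (line.split(":") for line in text.splitlines() if line)}

def audit(passwd_text, shadow_text, today):
    """Return (user, finding) pairs; `today` is in the same day unit as the shadow fields."""
    findings, shadow = [], parse_shadow(shadow_text)
    for name, uid in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 but not root"))
        s = shadow.get(name)
        if s is None or s["password"].startswith(("!", "*")):
            continue  # no shadow record, or locked/no-login account: nothing to age
        if s["password"] == "":
            findings.append((name, "empty password field (no password required)"))
        elif s["lastchg"] == "0":
            findings.append((name, "must change password at next login"))
        elif s["lastchg"] and 0 < int(s["max"] or 99999) < 99999:  # 99999 or empty = never expires
            expires = int(s["lastchg"]) + int(s["max"])
            if today > expires:
                msg = f"password expired {today - expires} days ago"
                if s["inactive"]:  # chage -I: grace period before the account is locked
                    lock_day = expires + int(s["inactive"])
                    msg += ", account locked" if today > lock_day else f", locks in {lock_day - today} days"
                findings.append((name, msg))
            elif s["warn"] and today >= expires - int(s["warn"]):  # chage -W window
                findings.append((name, f"password expires in {expires - today} days"))
    return findings
```

Calling `audit(PASSWD, SHADOW, today=19600)` flags the second UID 0 account, the passwordless student account, and john's expired password that is still inside its 30-day inactivity grace period.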
Default Password Policies
/etc/login.defs
Configure default password policies for new users:
```text
# Edit /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 14
```
Password policies in /etc/login.defs only apply to newly created users. Existing users must be updated with chage.
Password Quality Requirements
Configure password complexity using PAM (Pluggable Authentication Modules):
```text
# Edit /etc/security/pwquality.conf
minlen = 12
dcredit = -1 # At least 1 digit
ucredit = -1 # At least 1 uppercase
lcredit = -1 # At least 1 lowercase
ocredit = -1 # At least 1 special character
difok = 3 # At least 3 different characters from old password
```
Practice Questions
Question 1: What is the UID of the root user?
The root user always has UID 0. Regular users typically start at UID 1000.
Question 2: Which file stores encrypted user passwords?
/etc/shadow stores encrypted passwords and password aging information. It's only readable by root for security.
Question 3: How do you add a user to supplementary groups without removing existing groups?
The -a (append) flag with -G adds groups without removing existing memberships.
Question 4: Which command forces a user to change password on next login?
Both passwd -e and chage -d 0 expire the password immediately, forcing a change on next login.
Question 5: What does the command 'userdel -r john' do?
The -r option removes the user's home directory and mail spool along with the account.