HxHippy

User and Group Management

Create, modify, and manage users and groups on Linux systems.

Last updated: 2024-12-18

Managing users and groups is essential for system administration. Learn to create accounts, manage permissions, and implement security best practices.

Understanding Users

Every user has:

  • UID: Unique numeric identifier
  • GID: Primary group ID
  • Home directory: Personal workspace
  • Login shell: Command interpreter
  • Password: Stored as a hash in /etc/shadow

# View your user info
id
# uid=1000(user) gid=1000(user) groups=1000(user),27(sudo)

# View all users
cat /etc/passwd

# View password info (requires root)
sudo cat /etc/shadow

Creating Users

useradd (Low-level)

# Basic user creation
sudo useradd newuser

# Full featured user creation
sudo useradd -m -s /bin/bash -c "John Doe" -G sudo,developers johndoe
# -m = create home directory
# -s = login shell
# -c = comment (full name)
# -G = additional groups

# Set password
sudo passwd johndoe

# Create system user (no home, no login)
sudo useradd -r -s /usr/sbin/nologin appuser

adduser (Interactive, Debian/Ubuntu)

# Interactive user creation
sudo adduser newuser
# Prompts for password, full name, etc.

Modifying Users

# Change username
sudo usermod -l newname oldname

# Change home directory
sudo usermod -d /new/home -m username

# Change shell
sudo usermod -s /bin/zsh username

# Add to groups (append)
sudo usermod -aG docker,developers username
# IMPORTANT: -a (append) is crucial! Without it, -G REPLACES the user's existing supplementary groups

# Lock the password (blocks password login; other methods such as SSH keys may still work)
sudo usermod -L username

# Unlock account
sudo usermod -U username

# Set account expiration
sudo usermod -e 2025-12-31 contractor

Deleting Users

# Delete user (keep home directory)
sudo userdel username

# Delete user and home directory
sudo userdel -r username

# Delete user, home, and all files the user owns anywhere on the system (Debian/Ubuntu)
sudo deluser --remove-home --remove-all-files username

Managing Groups

# View all groups
cat /etc/group

# View user's groups
groups username

# Create group
sudo groupadd developers

# Create system group
sudo groupadd -r appgroup

# Delete group
sudo groupdel groupname

# Rename group
sudo groupmod -n newname oldname

# Add user to group
sudo gpasswd -a username groupname

# Remove user from group
sudo gpasswd -d username groupname

Password Management

# Change your password
passwd

# Change another user's password (root)
sudo passwd username

# Force password change on next login
sudo passwd -e username

# Set password expiration policy
sudo chage -M 90 username  # Max days before change
sudo chage -m 7 username   # Min days between changes
sudo chage -W 14 username  # Warn days before expiration

# View password aging info
sudo chage -l username

# Lock password (cannot login with password)
sudo passwd -l username

# Unlock password
sudo passwd -u username

The passwd and shadow Files

/etc/passwd (readable by all)

username:x:1000:1000:Full Name:/home/username:/bin/bash
   1     2   3    4      5            6           7

1. Username
2. Password placeholder (x means shadow file)
3. UID
4. GID (primary group)
5. GECOS (comment/full name)
6. Home directory
7. Login shell

/etc/shadow (root only)

username:$6$salt$hash:19500:0:99999:7:::
   1         2         3   4   5   6

1. Username
2. Password hash ($6$ = SHA-512)
3. Days since epoch when password was last changed
4. Minimum days between changes
5. Maximum days before change required
6. Warning days before expiration

Sudo Access

# Add user to sudo group (Debian/Ubuntu)
sudo usermod -aG sudo username

# Add user to wheel group (RHEL/CentOS)
sudo usermod -aG wheel username

# Edit sudoers file safely
sudo visudo

# Grant full sudo (in sudoers)
username ALL=(ALL:ALL) ALL

# Grant specific command without password
username ALL=(ALL) NOPASSWD: /usr/bin/apt update

# Grant sudo to group
%developers ALL=(ALL:ALL) ALL

Practical Examples

Create Developer User

# Create user with proper groups
sudo useradd -m -s /bin/bash -c "Alice Developer" \
    -G sudo,docker,developers alice

# Set password
sudo passwd alice

# Create SSH directory
sudo -u alice mkdir -p /home/alice/.ssh
sudo -u alice chmod 700 /home/alice/.ssh

Create Service Account

# No home, no login shell
sudo useradd -r -s /usr/sbin/nologin -M appservice

# Give ownership of app directory
sudo chown -R appservice:appservice /opt/myapp

Bulk User Creation

#!/bin/bash
# Create users from list
while IFS=: read -r username fullname; do
    sudo useradd -m -c "$fullname" "$username"
    echo "$username:ChangeMe123" | sudo chpasswd
    sudo passwd -e "$username"  # Force password change
done < users.txt
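
A variant of the bulk-creation loop, added here as an example and not part of the original page: it rejects usernames that fail a conservative pattern and gives each account its own random temporary password instead of a shared one. The helper names, the username pattern, the DRY_RUN switch and the sample input are assumptions; the script only prints the planned commands unless DRY_RUN=0 is set.

```bash
#!/bin/bash
# Added example, not the page's script. Dry-run by default; set DRY_RUN=0 to apply.
# Input (stdin):   username:Full Name       (same users.txt format as above)
# Output (stdout): username:temp-password   (for handoff to the account owner)

# Assumption: conservative username policy (lowercase/underscore start, max 32 chars).
valid_username() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# 96 bits from the kernel CSPRNG, hex-encoded: 24 characters.
gen_temp_password() {
    od -An -N12 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the command in dry-run mode, otherwise execute it through sudo.
run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then sudo "$@"; else printf '+ sudo %s\n' "$*" >&2; fi
}

create_users() {
    while IFS=: read -r username fullname; do
        if ! valid_username "$username"; then
            printf 'skipped invalid username: %s\n' "$username" >&2
            continue
        fi
        run useradd -m -c "$fullname" "$username" </dev/null || continue
        pw=$(gen_temp_password)
        # chpasswd reads user:password on stdin, so the secret never appears in argv
        printf '%s:%s\n' "$username" "$pw" | run chpasswd || continue
        run passwd -e "$username" </dev/null   # expire: forces a change at first login
        printf '%s:%s\n' "$username" "$pw"
    done
}

# Constructed sample input; the second line is rejected by valid_username.
SAMPLE_USERS='alice:Alice Developer
bad;name:Mallory
bob-dev:Bob Builder'

printf '%s\n' "$SAMPLE_USERS" | create_users
```

Redirect stdout to a file created under umask 077 so the temporary passwords are readable by root only.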

Audit User Accounts

# Find users who can login
grep -v '/nologin\|/false' /etc/passwd

# Find users with UID 0 (root privileges)
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Find users with empty passwords
sudo awk -F: '$2 == "" {print $1}' /etc/shadow

# Find users who haven't logged in
lastlog | grep "Never logged in"
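
An added example (not from the original page) that applies the /etc/passwd and /etc/shadow field layouts and the audit checks above to constructed sample data. The function names, finding labels and sample accounts are made up for illustration, and the weak-hash rule assumes that $1$ (MD5-crypt) and prefix-less DES hashes are the ones to flag.

```bash
#!/bin/bash
# Added example: audit passwd/shadow-format input. All sample data is constructed.

# Reads /etc/passwd-format lines on stdin, prints "user:finding".
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print $1 ":uid0-not-root" }
        $2 != "x"               { print $1 ":password-not-shadowed" }
    '
}

# Reads /etc/shadow-format lines on stdin, prints "user:finding".
audit_shadow() {
    awk -F: '
        $2 == ""                     { print $1 ":empty-password"; next }
        $2 ~ /^[!*]/                 { print $1 ":locked"; next }     # no password login
        $2 ~ /^\$1\$/ || $2 !~ /^\$/ { print $1 ":weak-hash" }        # MD5-crypt or DES
        $5 == "" || $5 >= 99999      { print $1 ":no-max-age" }       # field 5 = max days
    '
}

# Constructed sample in /etc/passwd format
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Developer:/home/alice:/bin/bash
backdoor:x:0:1001::/home/backdoor:/bin/bash
appservice:x:999:999::/opt/myapp:/usr/sbin/nologin
legacy::1002:1002::/home/legacy:/bin/sh'

# Constructed sample in /etc/shadow format
SAMPLE_SHADOW='root:$6$salt$hash:19500:0:99999:7:::
alice:$6$salt$hash:19500:7:90:14:::
backdoor:$1$salt$hash:19500:0:99999:7:::
appservice:!:19500::::::
legacy::19500:0:99999:7:::
bob:!$6$salt$hash:19500:0:99999:7:::'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
# On a real host: audit_passwd < /etc/passwd; sudo cat /etc/shadow | audit_shadow
```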