User management is the backbone of Linux system administration. It controls who accesses your system, what they can do, and how resources are shared. Whether you’re managing a multi-user server, securing a workstation, or automating user provisioning, mastering Linux user management is essential.
Linux provides a rich set of commands and configuration files to create, modify, delete, and monitor users and groups. This guide covers everything you need to manage users efficiently.
Key Concepts
- User: An individual account for logging into the system.
- Group: A collection of users sharing permissions (e.g., developers, admins).
- UID (User ID): Unique numeric identifier for users (0 for root, 1000+ for regular users).
- GID (Group ID): Unique identifier for groups.
- Home Directory: User-specific storage, typically /home/username.
- Shell: Command interpreter, like /bin/bash or /bin/zsh.
Essential Configuration Files
These files store user and group data. Always back them up before editing.
| File | Permissions | Owner:Group | Purpose |
|---|---|---|---|
| /etc/passwd | 644 (-rw-r--r--) | root:root | Basic user info: username, UID, GID, home, shell. Readable by all. |
| /etc/shadow | 640 (-rw-r-----) | root:shadow | Encrypted passwords, aging, locks. Root/shadow group only. |
| /etc/group | 644 (-rw-r--r--) | root:root | Group names, GIDs, members. Readable by all. |
| /etc/gshadow | 640 (-rw-r-----) | root:shadow | Group passwords/admins. Restricted access. |
| /etc/login.defs | 644 | root:root | Password policies, UID/GID ranges, defaults. |
| /etc/default/useradd | 644 | root:root | useradd defaults (shell, home path). |
| /etc/skel/ | 755 (dir) | root:root | Template files (.bashrc, etc.) copied to new homes. |
| /etc/sudoers | 440 (-r--r-----) | root:root | Sudo privileges. Edit with visudo. |
| /etc/pam.d/ | 755 (dir) | root:root | PAM modules for auth, passwords, sessions. |
Pro Tip: Always use visudo to edit /etc/sudoers to prevent syntax errors. Test with sudo -l.
Creating Users
Linux provides useradd for creating users. On Debian-based systems, adduser offers an interactive alternative.
Basic Creation
# useradd john
Creates a user without a home directory or password. Set those next.
Full Creation (Recommended)
# useradd -m -d /home/john -s /bin/bash -c "John Doe, Developer" -G developers john
Options explained:
- -m → Create home directory from /etc/skel/.
- -d → Specify custom home path.
- -s → Set default shell.
- -c → Comment (GECOS field).
- -G → Add to supplementary groups.
Set the user password:
# passwd john
Managing Groups
By default, each user gets a primary group named after their username. Add users to other groups for additional permissions.
Add to groups (append, don't replace)
# usermod -aG wheel,developers,www-data john
Verify
# groups john
Output: john : john developers wheel www-data
Create groups if they don’t exist:
# groupadd developers
# usermod -aG developers john
The wheel group allows sudo access on many distributions.
Viewing and Verifying Users
User details from /etc/passwd
# grep john /etc/passwd
john:x:1001:1001:John Doe, Developer:/home/john:/bin/bash
User ID, primary group, and supplementary groups
# id john
uid=1001(john) gid=1001(john) groups=1001(john),1000(developers),27(sudo)
Current user's groups
# groups
Modifying Users
Change shell
# usermod -s /bin/zsh john
Change home directory and move files
# usermod -d /new/home/john -m john
Lock/unlock account
# usermod -L john # Lock
# usermod -U john # Unlock
Set an account expiration date (chage -E expires the account, not the password)
# chage -E 2026-12-31 john
Deleting Users
Delete user and home directory
# userdel -r john
Delete user only (keep home)
# userdel john
Use -r carefully—always back up data first.
Password Policies (/etc/login.defs)
PASS_MAX_DAYS 90 # Password expires after 90 days
PASS_MIN_DAYS 7 # Cannot change for 7 days
PASS_MIN_LEN 8 # Minimum length
UID_MIN 1000 # Regular user UIDs start at 1000
Security Best Practices
- No shared root: Use sudo instead.
- Strong passwords: Enforce via PAM (pam_pwquality).
- Disable unused accounts: sudo passwd -l username.
- Monitor logins: Check /var/log/auth.log.
- Prefer SSH keys: ssh-copy-id user@server.
- Principle of least privilege: Audit groups with getent group.
- Never store plaintext passwords: Use /etc/shadow.
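One way to check several of these points at once, as an added example that is not part of the original guide: a shell/awk audit over passwd- and shadow-format data. The sample records, the finding labels and the function names audit_accounts and audit_sample are constructed for illustration; the defaults 90 and 1000 are the PASS_MAX_DAYS and UID_MIN values shown in the /etc/login.defs section.

```shell
# Added example. Sample records are constructed, not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1001:1001:John Doe, Developer:/home/john:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
backup2:x:0:0::/root:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash'

SAMPLE_SHADOW='root:$y$j9T$constructed$hash:19700:0:90:7:::
daemon:*:19700:0:99999:7:::
john:$y$j9T$constructed$hash:19700:7:90:7:::
alice:!!:19700:0:99999:7:::
backup2:$y$j9T$constructed$hash:19700:0:99999:7:::
guest::19700:0:99999:7:::'

# audit_accounts PASSWD_FILE SHADOW_FILE [MAX_DAYS] [UID_MIN]
# Prints one "FINDING user" line per problem; defaults follow the
# PASS_MAX_DAYS 90 and UID_MIN 1000 values from /etc/login.defs above.
audit_accounts() {
  awk -F: -v max="${3:-90}" -v uid_min="${4:-1000}" '
    NR == FNR { uid[$1] = $3; shell[$1] = $7; next }  # first file: passwd
    {                                                 # second file: shadow
      user = $1; hash = $2; maxage = $5
      if (!(user in uid)) { print "ORPHAN_SHADOW_ENTRY " user; next }
      # Any UID 0 account other than root is a second superuser.
      if (uid[user] + 0 == 0 && user != "root") print "EXTRA_UID0 " user
      # Empty hash field: the account has no password at all.
      if (hash == "") print "EMPTY_PASSWORD " user
      # "!" or "*" prefix: password locked, but other login paths
      # (such as SSH keys) still work while a login shell remains.
      locked = (hash ~ /^[!*]/)
      regular = (uid[user] + 0 >= uid_min + 0)
      if (locked && regular && shell[user] !~ /(nologin|false)$/)
        print "PASSWORD_LOCKED_LOGIN_SHELL " user
      # Usable password whose maximum age is unset or above policy.
      if (!locked && hash != "" && (maxage == "" || maxage + 0 > max + 0))
        print "MAX_AGE_OVER_POLICY " user
    }' "$1" "$2"
}

# audit_sample [MAX_DAYS] [UID_MIN]: run the audit over the constructed records.
audit_sample() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_PASSWD" > "$dir/passwd"
  printf '%s\n' "$SAMPLE_SHADOW" > "$dir/shadow"
  audit_accounts "$dir/passwd" "$dir/shadow" "$@"
  rm -rf "$dir"
}

audit_sample
```

On a real host, run audit_accounts /etc/passwd /etc/shadow as root, since /etc/shadow is not world-readable.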
Troubleshooting Common Issues
- "useradd: group 'xyz' does not exist": Create the group first with groupadd.
- Home dir ownership wrong: sudo chown -R john:john /home/john.
- Sudo not working: Add to wheel/sudo group; check /etc/sudoers.
- Locked shell: sudo usermod -s /bin/bash user or check shadow for !!.
- PAM errors: Verify /etc/pam.d/sshd and /etc/pam.d/common-password.
Master these commands and concepts, and you’ll confidently manage users in any Linux environment. For practice, spin up a VM and try creating, modifying, and deleting users safely.