Linux users and groups: the complete guide (for any distro!)
Linux users and groups are one of the foundations of every Linux distribution. Linux is a multi-user environment, and knowing how to manage users, groups and permissions is a fundamental skill every system administrator should have. In this article we’ll take a look at Linux users and groups, how they are organized and how you can manage them.
User basics
Linux users are accounts on the system; each can be used either by a human or by software such as a web server or a database. The latter are also known as system users. There is no definitive way to tell a system user from a human user, but system users tend to have names associated with their service (e.g. the Apache web server runs as www-data or httpd, depending on the distribution).
User information is stored in the /etc/passwd file. User passwords may also be stored in the passwd file, but this is unusual on modern systems, where passwords are hashed and stored in /etc/shadow instead.
Each user is identified by a unique UID (User ID) and can log into the system using an authentication mechanism (usually a password). System users are usually unable to log in, since the software using them is not a person; this is done to prevent unauthorized access. UIDs lower than 1000 are usually associated with system users, while normal users start at 1001. These ranges are valid for most modern systems, but they can easily be changed by an administrator. A special UID is 0, which belongs to the root user.
Each user has a primary group and can have zero or more secondary groups. The primary group is applied when creating new files and folders (more on that when discussing permissions); other than that there is no substantial difference between primary and secondary groups.
Users may or may not have a home directory, usually stored under /home. The home directory is a folder in which the user can store their files and documents, and it is also the place where the user lands when opening a shell. System users do not have a home directory under /home, since they do not need to store personal files; the software running as them stores its data in the locations given by its configuration files.
A user has one default shell (e.g. /bin/sh, /bin/bash) that is opened when the user opens a terminal or a terminal emulator. System users usually have /sbin/nologin as their shell, since they are not allowed to log in and be presented with an interactive shell.
A user may be locked out of the system by a superuser (administrator). Only an administrator can lock or unlock other users.
Managing users
In this section we’ll take a look at how to manage users by showing common operations.
Listing users
Users are stored in a standard file, /etc/passwd. This file is usually intimidating for new system administrators, but there is really no need to panic; let’s take a look:
# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
You can use getent passwd or cat /etc/passwd to read the passwd file. You will get a list of all the users (the list above has been truncated). Each line represents a user, and the colon (:) separates the various fields. Let’s analyze the fields:
root : x : 0 : 0 : root : /root : /bin/bash
- first field: the username.
- second field: the password (or a placeholder, see below).
- third field: the UID.
- fourth field: the GID of the user’s primary group.
- fifth field: the GECOS field, a remnant of early *nix systems. It is used to store general information about the user, usually just the full name.
- sixth field: the home directory.
- seventh field: the default shell.
As you can see, it is not that difficult. You might have noticed that the users in the excerpt have an “x” in the password field. That indicates the password is hashed and stored in the /etc/shadow file rather than in /etc/passwd.
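As an added example (not part of the original article), here is a small POSIX shell/awk audit over /etc/passwd-format lines that checks the points made above: a UID of 0 on an account that is not root, an empty password field (login without a password), and a system-range UID that still has an interactive shell. The sample lines are constructed, and the 1000 threshold is an assumption about the host’s convention.

```shell
# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
toor::0:0:second root:/root:/bin/sh'

# audit_passwd: reads passwd-format lines on stdin and prints one finding per
# line as "KIND username". Fields: name:password:UID:GID:GECOS:home:shell.
audit_passwd() {
  awk -F: '
    # A line without exactly seven fields will confuse tools; report it.
    NF != 7 { printf "MALFORMED %s\n", $0; next }
    # Any account with UID 0 is a superuser, whatever it is called.
    $1 != "root" && $3 == 0 { printf "UID0 %s\n", $1 }
    # An empty password field means login without a password ("x" means the
    # hash lives in /etc/shadow instead).
    $2 == "" { printf "EMPTYPW %s\n", $1 }
    # System-range UID (below 1000 on this host, an assumption) with an
    # interactive shell rather than /sbin/nologin or /bin/false.
    $1 != "root" && $3 < 1000 && $7 !~ /(nologin|false)$/ {
      printf "SYSLOGIN %s\n", $1
    }
  '
}

# audit_sample: runs the audit over the constructed sample; on a real host you
# would pipe "getent passwd" into audit_passwd instead.
audit_sample() { printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd; }

audit_sample
```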
Searching a user
You can search for a user with one of the following:
# getent passwd | grep username
# grep username /etc/passwd
Adding a user
There are two tools you can use to add a user: useradd and adduser. The first is the standard tool, while the second is an interactive version of the same process.
# useradd -m -s /bin/bash testuser
The command above must be executed by a user who can write to /etc/passwd (usually a superuser). It will add a user named testuser. The -m flag tells the command to create a home directory and populate it according to the configuration (usually stored in /etc/skel). The -s flag takes the default shell to assign to the user. The newly created user won’t have a password by default.
You may be tempted to edit the /etc/passwd file directly with a text editor, and yes, it can work, but it is usually a bad idea; use the tools instead.
Modifying a user password
Only a superuser can modify other users’ passwords; a user who is not a superuser can only change their own password with passwd.
# passwd username
Changing password for user username
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
You will be prompted to enter the password twice, and you will be notified if the password doesn’t meet the system’s security criteria (i.e. it is too weak). The last line tells you that the action was successful (this is not always the case).
Deleting a user password
You can delete a user’s password (only as superuser). After this the user will be able to log in without a password, which means anyone can access that account!
# passwd -d username
Locking/unlocking a user
As a superuser you can lock a user’s password. This prevents the user from logging in with a password, but the user may still get in through another mechanism that doesn’t require one (e.g. SSH with keys):
# passwd -l username
# passwd -u username
Modifying a user’s primary group
Notice you need elevated privileges to do this:
# usermod -g groupname username
Adding a secondary group to a user
Notice you need elevated privileges to do this, and that the -a flag is essential: without it, -G replaces the user’s existing secondary groups with the one given instead of adding to them:
# usermod -aG groupname username
Deleting a user
Notice you need elevated privileges to do this:
# userdel username
This action is irreversible, so pay attention. You may additionally pass the -r flag to remove the user’s home directory (and mail spool).
Listing password aging information for a user
User passwords can expire, and warnings can be shown, on a per-user basis. Here’s how to show the current status:
$ chage -l username
Last password change                                    : Feb 19, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Disabling password aging for a user
# chage -I -1 -E -1 -m 0 -M 99999 username
The -I (capital i) parameter sets the inactivity period: once a password has expired, the user is locked after this many days without logging in. As an example, if your password has expired and -I is set to 10, and you don’t log in within 10 days, your account will be locked. Setting -I to -1 disables this behavior.
The -E parameter specifies the date on which the account will expire. Passing -1 disables the mechanism.
The -m and -M parameters set the minimum and maximum number of days between password changes. Setting them to 0 and 99999 effectively tells the system that the user can change the password at any time and will only be prompted to change it after 99999 days (~274 years).
Enabling password expiry for a user
# chage -M 20 username
This sets the maximum age of the user’s password to 20 days: the password will expire 20 days after it was last changed, which for a freshly set password means 20 days from the moment the command is issued.
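As an added example (not from the original article), this POSIX shell/awk function shows where the chage settings above end up: each /etc/shadow line carries the last-change day, the minimum and maximum age (-m/-M), the warning days, the inactivity period (-I) and the account expiry day (-E), all as day counts since 1970-01-01. The sample lines, the hash placeholders and the chosen "today" values are constructed; today’s day number is passed as a parameter so the output is reproducible.

```shell
# Constructed /etc/shadow-style lines (not from a real host). Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved (days since 1970-01-01).
SAMPLE_SHADOW='root:$6$c$h:18311:0:99999:7:::
alice:$6$c$h:18311:0:20:7:10::
bob::18311:0:99999:7:::
svc:!:18311:0:99999:7::18400:'

# shadow_report TODAY: reads shadow lines on stdin and prints, per user,
# "user password-state password-age-state account-state".
shadow_report() {
  awk -F: -v today="$1" '
    {
      pw = "set"
      if ($2 == "")          pw = "EMPTY"    # passwd -d: login with no password
      else if ($2 ~ /^[!*]/) pw = "locked"   # passwd -l (!) or never set (*)
      age = "ok"
      if ($5 != "" && $5 < 99999) {          # chage -M: maximum age in days
        last = $3 + $5                       # day the password expires
        if (today > last) age = "expired"
        if ($7 != "" && today > last + $7)   # chage -I: inactivity after expiry
          age = "inactive-locked"
      }
      acct = "active"
      if ($8 != "" && today >= $8) acct = "EXPIRED"   # chage -E: account expiry day
      printf "%s %s %s %s\n", $1, pw, age, acct
    }'
}

# report_sample TODAY: runs the report over the constructed sample.
report_sample() { printf '%s\n' "$SAMPLE_SHADOW" | shadow_report "$1"; }

report_sample 18400
```

On a real host you would read /etc/shadow as root and pass `$(( $(date +%s) / 86400 ))` as TODAY.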
For other modifications
For any other operation, refer to the usermod command. You can pass the --help flag to get a full list of parameters and their actions.
Group basics
Linux groups are used to group users and manage permissions more efficiently.
Each group is identified by a unique GID (Group ID) and may have a password protecting access to it. Information about groups is stored in /etc/group, while hashed group passwords are stored in /etc/gshadow.
Managing groups
In this section we’ll take a look at common operations that involve groups.
Adding a group
# groupadd groupname
Modifying a group name
# groupmod -n newname oldname
Deleting a group
# groupdel groupname
Adding a password to a group
# gpasswd groupname
Deleting a group password
# gpasswd -r groupname
Displaying the groups a user belongs to
$ groups username