Linux users and groups the complete guide (for any distro!)

Code on black

Linux users and groups are one of the basis of every Linux distribution. Linux is a multi-user environment and how to manage users and groups, and permissions, is a fundamental skill every system administrator should have. In this article we’ll take a look at Linux user and groups, how they are organized and how you can manage them.

Important
I take NO responsibility of what you do with your machine; use this tutorial as a guide and remember you can possibly cause data loss if you touch things carelessly.
Info
In this guide you will use the terminal, every time you see a code section or a command you are expected to open one. Commands preceded by a dollar sign ($ command) can be executed as regular user, while commands preceded by a hashtag (# command) need to be executed by a superuser. The dollar sign, hashtag are not part of the command. You can prefix “sudo” to the command as an unprivileged user to become a privileged one for the commands that require it (# command -> $ sudo command).

User basics

Linux Users are users of the system, they can be either used by a human or they can be used by a software such as a web server or a database. The latter are also known as system users. There is no clear way to tell the difference between a system user and a human user, the former tend to have names associated with their services (e.g. apache: www-data or httpd).

Users information are stored in the /etc/passwd file, users password may be stored in the passwd file but it is unusual in modern systems. In modern systems password are hashed and stored in /etc/shadow.

Each user is identified by a unique UID (User ID) and can log into the system using an authentication mechanism (usually password). System users are usually unable to log into the system for the software using them is not human, this is done to prevent unauthorized access. UIDs lower than 1000 are usually associated with system users, while normal users start with 1001. The ranges specified are usually valid for most modern systems, however they can be easily changed by an administrator. A special UID is 0 which belongs to the root user.

Each user has a primary group and can have zero or more secondary groups. The primary group is applied when creating new files/folders (more on permissions), other than that there is no substantial difference between primary and secondary groups.

Users may or may not have a home directory usually stored in /home. The home directory is a folder in which the user can store its files, documents. The home directory is also the place where the user is when accessing a shell. System users do not have a home directory under the /home directory for they do not need to store various files, documents (software controlling them is structured to store them following configuration files).

A user has one default shell (e.g. /bin/sh, /bin/bash) that is opened when the user opens a terminal, or a terminal emulator. System users usually have /sbin/nologin as shell, for they are not allowed to login and be presented with an interactive shell.

A user may be locked out of the system by a superuser (administrator). Only an administrator can lock, unlock other users.

Managing users

In this section we’ll take a look at how to manage users by showing common operations.

Listing users

Users are stored in a standard file: /etc/passwd this file is usually intimidating for newbie system administrators, but there is really no need to panic, let’s take a look:

# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin

You can use getent passwd or cat /etc/passwd to access the passwd file. Here you will get a list (the above list has been truncated) of all the users. Each line represents a user, the column (:) separates the various fields. Let’s analyze the fields:

root  :  x  :  0  :  0  :  root  :  /root  :  /bin/bash
  • first field: represents the username
  • second field: represents the password.
  • third field: the UID.
  • fourth field: the GID.
  • fifth field: the GECOS is a remnant of early *nix systems. It is used to store general information about the user, usually the full name only.
  • sixth field: the home directory.
  • seventh field: the default shell.

As you can see it is not that difficult. You might’ve noticed most users in the excerpt have an “x” in the password field. That indicates the password is hashed and stored in the /etc/shadow file rather than /etc/passwd one.

Searching a user

You can search a user by using one of the following:

# getent passwd | grep username
# grep username /etc/passwd

Adding a user

There are two tools that you can use to add a user: useradd and adduser. The first one is the most standard while the second is an interactive version of the process.

# useradd -m -s /bin/bash testuser

The command above must be executed by a user who can write /etc/passwd (usually a superuser). This will add a user named testuser. The -m flag tells the command to create a home directory and populate it according to the configuration (usually stored in /etc/skel). The -s flag followed by a parameter indicates the default shell to assign the user. The newly created user won’t have a password by default.

You may be tempted to edit the /etc/passwd file directly with a text editor, and yes it can work but that is usually a bad idea, use the tools instead.

Modifying a user password

Only a superuser can modify other users passwords. Only the user running passwd can modify its password (without being a superuser).

# passwd username
Changing password for user username
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

You will be prompted to enter the password twice, and will get notified if the password doesn’t match the system criteria for security (your password is weak). The last line tells you that the action was successful (it may not always be the case).

Deleting a user password

You can delete a password from a user (only as superuser), by doing this the user will be able to login without a password (everyone can access the user)!

# passwd -d username

Locking/unlocking a user

You can lock a user’s password as a superuser, this will prevent the user from logging in using a password (the user may still enter using another mechanism that doesn’t require one e.g SSH using keys):

# passwd -l username
# passwd -u username

Modifying the user primary group

Notice you need elevated privileges to do this:

# usermod -g groupname username

Adding a secondary group to user

Notice you need elevated privileges to do this:

# usermod -aG groupname username

Deleting a user

Notice you need elevated privileges to do this:

# userdel username

This action is irreversible, pay attention. You may additionally pass the -r flag to remove the home directory of the user (and the mail spool).

Listing password aging information for a user

Users password can expire and show warnings on a per-user basis. Here’s how to show the current status:

$ chage -l username
Last password change                                    : Feb 19, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Disabling password aging for a user

# chage -I -1 -E -1 -m 0 -M 99999 username

The -I (capital i) parameter decides the inactivity period after a password has expired after which the user is locked. As an example: your password has expired and -I is set to 10, if you don’t login in 10 days, your account will be locked. Setting -I to -1 disables this behavior.

The -E parameter specifies the date when the account will expire. Passing -1 disables the mechanism.

The -m (and -M) parameter decides the minimum (maximum) number of days between a password change, setting 0 and 99999 effectively tells the system that the user can change the password at any time, and will be prompted to change it after 99999 days (~274 years).

Enabling password expiring for a user

# chage -M 20 username

This will set the expiration date for the user’s password in 20 days starting from the moment the command has been issued.

For other modifications

For any other operation that comes to your mind refer to the usermod command. You can pass the –help flag to get a full list of parameters and associated actions.

Group basics

Linux groups are used to group users and manage permissions more efficiently.

Each group is identified by a unique GID (Group ID) and may have a password to access them. Information about groups is stored in /etc/group, while hashed password are stored in /etc/gshadow.

Managing groups

In this section we’ll take a look at common operations that involve groups.

Adding a group

# groupadd groupname

Modifying a group name

# groupmod -n newname oldname

Deleting a group

# groupdel groupname

Adding a password to a group

# passwd -g groupname

Deleting a group password

# gpasswd -r

Displaying the groups a user belongs to

$ groups username
Image courtesy of rh2ox
mark

You may also like...

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.