User management is one of the most important things to understand before using any operating system. In this tutorial we will talk about user management in Linux, focusing only on the Linux command line interface. This tutorial is designed for beginners and goes through most of what a newcomer needs without going into too much detail. The following topics are covered in this tutorial.

  1. Introduction to Linux users & groups
  2. System users & normal users in Linux
  3. Root user in Linux
  4. Show user/group details in Linux
  5. User & group configuration files in Linux
  6. User creation in Linux
  7. Difference between useradd and adduser
  8. Set password for user in Linux
  9. Create group in Linux
  10. Add user to a group in Linux
  11. Add user to sudoers in Linux
  12. Set user account expiry date in Linux
  13. Delete user in Linux
  14. Delete group in Linux

Introduction to Linux users & groups

In Linux, every user has a unique ID called the user ID or UID and is a member of at least one group. When a user is created, a group with the same name is also created. This group is by default treated as the user's primary group. A user can be a member of two types of groups: the primary group, which is compulsory, and only one group can be the primary group; and secondary groups, which are optional, and a user can be a member of multiple secondary groups.

System users & normal users in Linux

There are two types of users in Linux: system users and normal users. System users are used by the operating system itself. Most applications installed after the OS installation create their own users as well; for example, the Apache web server has its own user, apache on rpm distributions and www-data on Ubuntu/Debian. The main distinction between the two types of users is UID allocation. In RPM distributions the first 500 UIDs (0-499) are reserved for system users and the first normal user is given UID 500, but in Ubuntu/Debian the first 1000 UIDs (0-999) are reserved for system users and the first user is given UID 1000.

Root user in Linux

The root user in Linux is a superuser who has all powers on the system. Whatever permissions files and directories have, they do not restrict root. The root user has UID 0. For beginners, it is extremely dangerous to have root access on production servers. Unlike Windows, Linux will not ask for confirmation before performing an operation, nor will it stop you if you are root. It is also not recommended to allow direct root SSH access in some cases.

Show user/group details in Linux

The id command is a way to check whether the user exists in the current operating system or not.

[root@server01 ~]# id linux
uid=1000(linux) gid=1000(linux) groups=1000(linux)

In the above case, the id command verifies that the user linux exists. It shows the UID, the primary group with its group ID (GID), and the user's groups. Notice that the group ID and groups are added when we create a user.

User & group configuration files in Linux

There are many things associated with a Linux user that are defined in different files. They are /etc/passwd, /etc/shadow, /etc/group etc.

/etc/passwd contains user information and can be edited to change user settings. Each user in this file is defined on a separate line, which looks like this:

[root@server01 ~]# grep linux /etc/passwd
linux:x:1000:1000::/home/linux:/bin/bash

We can see this line contains the username, x is for shadow file, uid, gid, home directory and login shell.

/etc/shadow contains users' passwords and password-related information, but this information is in encrypted form. The second field in /etc/passwd is x, which indicates that information for this user also exists in the /etc/shadow file.

[root@server01 ~]# grep linux /etc/shadow
linux:$6$sD1qoxqx$GeiB5/uWEVt9dhQ6Ju2KtWAsYBYATu0elZ/:17114:0:99999:7:::

/etc/group contains group information. Each group is defined on a separate line.

[root@server01 ~]# grep linux /etc/group
linux:x:1000:
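
The records in /etc/passwd and /etc/group can be cross-checked from the shell. The following is an added example, not part of the original tutorial: it reads passwd- and group-format text, reports each account's class and primary group name, and flags any account other than root that has UID 0. The function name audit_accounts, the default threshold of 1000 and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd/group-format data.
# The sample records below are constructed for illustration.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
linux:x:1000:1000::/home/linux:/bin/bash
toor:x:0:0::/root:/bin/bash'

SAMPLE_GROUP='root:x:0:
apache:x:48:
linux:x:1000:'

# audit_accounts PASSWD_TEXT GROUP_TEXT [FIRST_NORMAL_UID]
# Prints one line per account: name uid class primary-group [EXTRA-UID0]
audit_accounts() {
    first_normal=${3:-1000}
    # Group records go first so awk can build a GID -> name map,
    # then a separator line, then the passwd records.
    printf '%s\n--\n%s\n' "$2" "$1" | awk -F: -v min="$first_normal" '
        $0 == "--" { in_passwd = 1; next }
        !in_passwd { gname[$3] = $1; next }
        NF >= 7 {
            class = ($3 + 0 < min + 0) ? "system" : "normal"
            grp = ($4 in gname) ? gname[$4] : "gid-" $4
            # Any second account with UID 0 has full root privileges.
            flag = ($3 == 0 && $1 != "root") ? " EXTRA-UID0" : ""
            print $1, $3, class, grp flag
        }'
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a real system the same function can be fed `"$(cat /etc/passwd)"` and `"$(cat /etc/group)"`, with 500 as the third argument where normal UIDs start at 500.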

User creation in Linux

User creation is very simple in Linux and is almost the same in all Linux distributions. Linux offers three commands for creating users: useradd, adduser and newusers, a command for creating multiple users. User creation using useradd looks like this:

[root@server01 ~]# id linux
id: linux: no such user
[root@server01 ~]# useradd linux
[root@server01 ~]# id linux
uid=1000(linux) gid=1000(linux) groups=1000(linux)

The user configuration file /etc/default/useradd sets the basic default parameters for a new user, such as the shell, home directory and skeleton directory. By default the skeleton directory is /etc/skel, which contains user profile files like .bash_logout, .bashrc and .profile. These files contain important parameters and environment variables required by each user.

When a user is created, its basic default parameters are set according to the /etc/default/useradd file. Then the user profile files are copied from the skeleton directory /etc/skel to the new user's home directory. After creation of the above user linux, the following lines will be appended at the end of /etc/passwd, /etc/shadow and /etc/group.

[root@server01 ~]# grep linux /etc/passwd
linux:x:1000:1000::/home/linux:/bin/bash
[root@server01 ~]# grep linux /etc/shadow
linux:!:17114:0:99999:7:::
[root@server01 ~]# grep linux /etc/group
linux:x:1000:

Difference between useradd and adduser

In rpm distributions like Red Hat/CentOS/Fedora, there is no difference between useradd and adduser. There, adduser is simply a soft link to useradd.

In Debian/Ubuntu, it is recommended to use the adduser/deluser commands because they are friendlier and interactive, unlike useradd. Both commands reside in /usr/sbin, but useradd is a compiled binary whereas adduser is a plain-text script written in Perl. adduser uses the compiled useradd binary in the back end but adds some more functionality. Using useradd here will only associate a home directory with the user; it will not create the home directory. Here is an example of how interactive the adduser command is.

[root@server01 ~]# adduser dbadmin
Adding user `dbadmin' ...
Creating new group `dbadmin' (1003) ...
Adding new user `dbadmin' (1003) with group `dbadmin' ...
Creating home directory `/home/dbadmin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for dbadmin
Enter the new value, or press ENTER for the default
        Full Name []: DB Administrator
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
[root@server01 ~]# id dbadmin
uid=1003(dbadmin) gid=1003(dbadmin) groups=1003(dbadmin)

Set password for user in Linux

The adduser command sets the password during the creation of the user. If the user is created using the useradd command, it will be a passwordless user, which is not recommended. We cannot switch to a user whose password is not set unless we are root, which does not need any password. We already made a passwordless user linux, and it is time to set the password separately using the passwd command.

[root@server01 ~]# grep linux /etc/shadow 
linux:!:17114:0:99999:7:::
[root@server01 ~]# passwd linux
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[root@server01 ~]# grep linux /etc/shadow 
linux:$6$sD1qoxqx$GeiB5/uWEVt9dhQ6Ju2KtWAsYBYATu0elZ/:17114:0:99999:7:::

Notice the difference between the /etc/shadow output before and after setting the password for user linux. The output contains different fields separated by colons (:). The second field represents the password, and when there is no password it only shows ‘!’. As we know, the password is stored in encrypted form, so this ‘!’ is replaced by a long encrypted string when the password is set.
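
The second field can take more forms than a lone ‘!’ or a long string. The following is an added example, not part of the original tutorial: it classifies that field for each record of shadow-format text. The function name password_state, the state labels and the sample records (with placeholder strings instead of real hashes) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the second field of shadow-format records.
# Sample records are constructed; the hash strings are placeholders.

SAMPLE_SHADOW='linux:!:17114:0:99999:7:::
dbadmin:$6$placeholdersalt$placeholderhash:17114:0:99999:7:::
guest::17114:0:99999:7:::
olduser:!$6$placeholdersalt$placeholderhash:17114:0:99999:7:::
legacy:$1$placeholdersalt$placeholderhash:17114:0:99999:7:::'

# password_state SHADOW_TEXT
# Prints "name state" for every record.
password_state() {
    printf '%s\n' "$1" | awk -F: '
        NF < 2 { next }
        {
            f = $2
            # Empty field: no password is required to log in as this user.
            if (f == "")                      s = "EMPTY-no-password-needed"
            # Not a valid hash: no password will ever match.
            else if (f == "!" || f == "!!" || f == "*") s = "no-password-login"
            # "!" in front of a hash: locked, hash kept for unlocking.
            else if (substr(f, 1, 1) == "!")  s = "locked-hash-kept"
            # crypt(3) prefixes identify the hashing scheme.
            else if (index(f, "$6$") == 1)    s = "sha512crypt"
            else if (index(f, "$5$") == 1)    s = "sha256crypt"
            else if (index(f, "$y$") == 1)    s = "yescrypt"
            else if (index(f, "$1$") == 1)    s = "md5crypt-WEAK"
            else                              s = "other"
            print $1, s
        }'
}

password_state "$SAMPLE_SHADOW"
```

Reading the real /etc/shadow requires root, for example `password_state "$(cat /etc/shadow)"`.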

Create group in Linux

For creating a new group, groupadd command is used and new group information is stored in /etc/group file.

[root@server01 ~]# groupadd finance
[root@server01 ~]# grep finance /etc/group
finance:x:1003:

Add user to a group in Linux

As discussed earlier, a user can have multiple secondary groups. To add more secondary groups we can use the -G switch. But -G alone removes the user from the previous secondary group and adds it to the new secondary group: without any additional parameter, -G is taken to mean that the user should be a member of only the one secondary group given. To add to the existing secondary groups, use -a along with -G.

[root@server01 ~]# usermod -a -G finance linux
[root@server01 ~]# id linux
uid=1002(linux) gid=1002(linux) groups=1002(linux),1003(finance)

Add user to sudoers in Linux

In Linux, sudo stands for ‘superuser do’ and is used to give elevated privileges to non-root users. Using sudo, a normal user can do everything the root user can do, or whatever additional privileges have been granted to that specific user. A user cannot use sudo unless we add them to a sudoers group. Put simply, Linux by default has a group with sudo privileges, both in rpm distributions (wheel) and in Debian/Ubuntu (sudo). By making a user a member of that group, we allow the user to use sudo.

usermod -aG wheel username → For rpm distributions

usermod -aG sudo username → For Debian/Ubuntu

Here is how it works:

[root@server01 ~]# su - dbadmin
[dbadmin@server01 ~]$ sudo service apache2 status
[sudo] password for dbadmin:
dbadmin is not in the sudoers file.  This incident will be reported.
[dbadmin@server01 ~]$ exit
logout
[root@server01 ~]# usermod -a -G sudo dbadmin
[root@server01 ~]# su - dbadmin
[dbadmin@server01 ~]$ sudo service apache2 status
[sudo] password for dbadmin:
 * apache2 is running
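
Because membership of wheel or sudo grants root-equivalent access, it is worth listing who holds it. The following is an added example, not part of the original tutorial: it resolves every member of a named group from passwd- and group-format text, including accounts that have the group as their primary group and therefore do not appear in the member list of /etc/group. The function name group_members and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every account that belongs to a privileged group.
# The sample records below are constructed for illustration.
# Rights granted directly in the sudoers file are not covered here.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
linux:x:1002:1002::/home/linux:/bin/bash
dbadmin:x:1003:1003:DB Administrator:/home/dbadmin:/bin/bash
ops:x:1004:27::/home/ops:/bin/bash'

SAMPLE_GROUP='sudo:x:27:dbadmin
linux:x:1002:
dbadmin:x:1003:
finance:x:1005:linux'

# group_members GROUP PASSWD_TEXT GROUP_TEXT
# Prints the sorted, unique member names of GROUP.
group_members() {
    # Group records first (to find the GID and the listed members),
    # then a separator line, then the passwd records.
    printf '%s\n--\n%s\n' "$3" "$2" | awk -F: -v want="$1" '
        $0 == "--" { in_passwd = 1; next }
        !in_passwd && $1 == want {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            next
        }
        # Accounts whose primary GID is the group are members too.
        in_passwd && gid != "" && $4 == gid { print $1 }
    ' | sort -u
}

group_members sudo "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```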

Set user account expiry date in Linux

To set a user account expiry date, we can either do it at user creation using useradd or modify it later using usermod. In both cases we use the -e switch. To verify it we can use the chage command as below.

[root@server01 ~]# chage -l dbadmin | grep "Account expires"
Account expires                                         : never
[root@server01 ~]# usermod -e 2016-12-31 dbadmin
[root@server01 ~]# chage -l dbadmin | grep "Account expires"
Account expires                                         : Dec 31, 2016

Delete user in Linux

Deleting a user is as simple as creating one in Linux. Below are examples of deleting a user using deluser as well as userdel.

[root@server01 ~]# deluser dbadmin
Removing user `dbadmin' ...
Warning: group `dbadmin' has no more members.
Done.
[root@server01 ~]# userdel linux

If you want to remove the home directories as well, both commands need an extra switch.

[root@server01 ~]# deluser --remove-home dbadmin
Looking for files to backup/remove ...
Removing files ...
Removing user `dbadmin' ...
Warning: group `dbadmin' has no more members.
Done.
[root@server01 ~]# userdel -r linux

Delete group in Linux

Deleting a group is also pretty easy and can be done using either the groupdel or the delgroup command. groupdel produces no output, whereas delgroup shows output.

[root@server01 ~]# grep finance /etc/group
finance:x:1003:linux
[root@server01 ~]# delgroup finance
Removing group `finance' ...
Done.
[root@server01 ~]# grep finance /etc/group