Linux User and Group Management Guide
User and group management is fundamental to Linux system administration and security. This guide covers creating, modifying, and managing users and groups effectively.
Overview: User Management Commands
| Command | Purpose | Example |
|---|---|---|
| useradd | Add new user | useradd john |
| usermod | Modify user | usermod -aG sudo john |
| userdel | Delete user | userdel john |
| passwd | Change password | passwd john |
| groupadd | Create group | groupadd developers |
| groupmod | Modify group | groupmod -n newname oldname |
| groupdel | Delete group | groupdel groupname |
| id | Show user info | id username |
| groups | Show user groups | groups username |
| sudo | Execute as superuser | sudo command |
Creating Users
useradd - Add New User
# Minimal account: no home directory is created unless --create-home (-m) is given
sudo useradd username
# Create the home directory as well (copied from /etc/skel)
sudo useradd --create-home username
# Choose the login shell explicitly (the default comes from /etc/default/useradd)
sudo useradd --create-home --shell /bin/bash username
# Pick the numeric UID
sudo useradd --create-home --uid 1500 username
# Primary group; the group must already exist
sudo useradd --create-home --gid groupname username
# Supplementary groups, comma-separated
sudo useradd --create-home --groups group1,group2,group3 username
# GECOS comment / display name
sudo useradd --create-home --comment "John Doe" john
# Account expiry date (YYYY-MM-DD); logins are refused after that day
sudo useradd --create-home --expiredate 2025-12-31 tempuser
# Everything together
sudo useradd --create-home --shell /bin/bash --groups sudo,developers --comment "John Doe" john
adduser - Interactive User Creation (Debian/Ubuntu)
# Debian's adduser wrapper walks through the whole account setup interactively
sudo adduser username
# With two arguments adduser adds an existing user to an existing group
sudo adduser username groupname
# The interactive run prompts for, in order:
#   password, full name, room number, work phone, home phone, other info
Setting User Password
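# Set password interactively (prompts twice, nothing is echoed)
sudo passwd username
# Set password non-interactively. Do NOT write `echo "password" | ...`: the secret
# ends up in shell history and, inside a script, in a file others may read.
# Either prompt for it without echo ...
read -r -s -p 'New password: ' pw
printf '%s:%s\n' username "$pw" | sudo chpasswd # All systems
unset pw
# ... or read it from a file that only root can read (placeholder path, mode 0600,
# containing just the password)
sudo passwd --stdin username < /path/to/password-file # RHEL/CentOS only
# Force password change on next login
sudo passwd -e username
# Lock user account: prefixes the stored hash with '!' so password logins fail.
# This does NOT disable the account: SSH public-key logins still succeed. To block
# every login path, expire the account as well: sudo chage -E 0 username
sudo passwd -l username
# Unlock user account
sudo passwd -u username
# Check password status (L = locked, NP = no password, P = usable password)
sudo passwd -S username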
Modifying Users
usermod - Modify User Account
# Rename the login; the home directory keeps its old path unless --home/--move-home are passed too
sudo usermod --login newname oldname
# Relocate the home directory and move its contents along
sudo usermod --home /new/home --move-home username
# Change the login shell
sudo usermod --shell /bin/zsh username
# Change the numeric UID; files inside the home directory are re-owned, files elsewhere are not
sudo usermod --uid 2000 username
# Change the primary group
sudo usermod --gid newgroup username
# Add supplementary groups (--append keeps the existing memberships)
sudo usermod --append --groups group1,group2 username
# Without --append the list REPLACES every supplementary group, which can silently drop sudo/wheel
sudo usermod --groups group1,group2 username
# Account expiry date (YYYY-MM-DD)
sudo usermod --expiredate 2025-12-31 username
# Lock / unlock the password (password logins only; SSH keys still work, use --expiredate to disable fully)
sudo usermod --lock username
sudo usermod --unlock username
# GECOS / comment field
sudo usermod --comment "New Description" username
Common User Modifications
# Grant administrative rights through the distribution's admin group
sudo usermod --append --groups sudo username # Debian/Ubuntu
sudo usermod --append --groups wheel username # RHEL/CentOS
# Allow access to the Docker daemon socket.
# NOTE: docker group membership is root-equivalent on the host; treat it like sudo.
sudo usermod --append --groups docker username
# Several groups in one go
sudo usermod --append --groups sudo,docker,developers username
# Relocate the home directory together with its contents
sudo usermod --home /home/newhome --move-home username
Deleting Users
userdel - Delete User
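# Before deleting: list everything the user owns anywhere on the system, so
# nothing is orphaned or left running under a reusable UID
sudo find / -user username 2>/dev/null
# Delete the account but keep the home directory and mail spool
sudo userdel username
# Delete the account together with its home directory and mail spool
sudo userdel -r username
# -f forces the removal even if the user is still logged in, and removes the
# home directory / mail spool even if another account shares them. It does not
# add anything about the mail spool (-r already covers it) and can leave the
# system inconsistent; use it only when a plain -r refuses.
sudo userdel -r -f username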
Handling User Data After Deletion
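# Archive the home directory before the account goes away
sudo tar -czf "/backup/username-$(date +%Y%m%d).tar.gz" /home/username
sudo userdel -r username
# Files outside the home directory are NOT removed; look them up by numeric UID,
# because the name no longer resolves after deletion
sudo find / -uid 1001 -ls 2>/dev/null
# Reassign them to another user. -h changes the ownership of symlinks themselves
# instead of following them (otherwise a link the old user planted could redirect
# the chown to a file such as /etc/passwd). `+` batches paths per chown invocation.
sudo find / -uid 1001 -exec chown -h newuser {} + 2>/dev/null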
Group Management
Creating Groups
# New group with the next free GID
sudo groupadd groupname
# New group with a fixed GID (useful when the GID must match across hosts or containers)
sudo groupadd --gid 5000 groupname
# System group: GID taken from the reserved system range
sudo groupadd --system systemgroup
Modifying Groups
# Rename a group (the GID and memberships are unchanged)
sudo groupmod --new-name newname oldname
# Change the numeric GID; existing files keep the old number and must be re-owned with chgrp
sudo groupmod --gid 6000 groupname
Deleting Groups
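# Check the members first. getent is an exact lookup; `grep groupname /etc/group`
# also matches substrings of other group names and of member lists.
getent group groupname
# groupdel refuses to remove a group that is still some user's primary group
sudo groupdel groupname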
Managing Group Membership
# Two equivalent ways to add a user to a supplementary group
sudo usermod --append --groups groupname username
sudo gpasswd --add username groupname
# Remove a member
sudo gpasswd --delete username groupname
# Delegate group administration: the listed users may add/remove members without root
sudo gpasswd --administrators admin1,admin2 groupname
# Who is in the group (getent also sees NSS sources such as LDAP)
getent group groupname
# Which groups a user belongs to; changes only show up in sessions started afterwards
groups username
id username
User Information
Viewing User Details
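# UID, primary GID and all groups of a user
id username
# Group names only
groups username
# One account record, exact match (also resolves LDAP/SSSD users, unlike grepping /etc/passwd)
getent passwd username
# Every account known to the system; /etc/passwd alone misses accounts served by NSS (LDAP, SSSD)
getent passwd
# Only the usernames
getent passwd | cut -d: -f1
# Count accounts. This includes system/service accounts; human users typically have
# UID >= UID_MIN from /etc/login.defs (often 1000): awk -F: '$3 >= 1000' /etc/passwd
getent passwd | wc -l
# Login history (last reads /var/log/wtmp; lastlog shows the most recent login per account)
last
lastlog
# Who is logged in right now
who
w
users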
User Database Files
# Account records; the password column holds only an 'x', the hashes live in /etc/shadow
cat /etc/passwd
# Format: username:x:UID:GID:comment:home:shell
# Password hashes and aging data; readable only by root, and it must stay that way
sudo cat /etc/shadow
# Format: username:encrypted-password:last-change:min:max:warn:inactive:expire
# Groups and their member lists
cat /etc/group
# Format: groupname:x:GID:members
# Group passwords and group administrators; root-only like /etc/shadow
sudo cat /etc/gshadow
# Defaults applied by useradd (shell, home base, skeleton directory, expiry)
cat /etc/default/useradd
# Site-wide login policy: UID/GID ranges, password aging defaults, umask
cat /etc/login.defs
Sudo Configuration
Basic sudo Usage
# Run one command as root
sudo command
# Run one command as another user
sudo --user=username command
# Interactive root shell: --login simulates a full login (root's environment and home),
# --shell keeps the current environment
sudo --login
sudo --shell
# Re-run the previous command as root (`!!` is bash history expansion; interactive shells only)
sudo !!
# Show which commands the current user may run through sudo
sudo --list
# Refresh the cached credentials without running anything
sudo --validate
Configuring sudo
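# Edit the sudoers file: ALWAYS go through visudo. It locks the file and refuses to
# save a syntactically broken result; a broken /etc/sudoers disables sudo entirely.
sudo visudo
# Example sudoers entries (file contents, not shell commands):
#   username ALL=(ALL:ALL) ALL                              # full sudo for one user
#   %groupname ALL=(ALL:ALL) ALL                            # full sudo for every member of a group
#   username ALL=(ALL:ALL) NOPASSWD: ALL                    # no password prompt; an unattended root shell
#   username ALL=(ALL:ALL) /bin/systemctl, /usr/bin/apt     # only the listed commands (absolute paths)
# Using sudoers.d (recommended): one file per rule set. File names containing '.'
# or ending in '~' are ignored by sudo, so name the file plainly. Prefer the
# command-restricted form above over NOPASSWD: ALL.
printf '%s\n' 'username ALL=(ALL:ALL) NOPASSWD: ALL' | sudo tee /etc/sudoers.d/username >/dev/null
sudo chmod 440 /etc/sudoers.d/username
# Validate the new file; if this reports an error remove the file before leaving the session
sudo visudo -cf /etc/sudoers.d/username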
sudo Best Practices
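# Grant the narrowest rule that does the job (sudoers entries, shown as file contents):
#   username ALL=(ALL:ALL) /usr/bin/systemctl restart nginx    # one command with fixed arguments
#   %devops ALL=(ALL:ALL) /usr/bin/docker                      # prefer groups over individual users
# NOTE: a command that can spawn a shell, mount volumes or write arbitrary files
# (docker is one) makes such a rule root-equivalent in practice; review what the
# command itself can do before listing it.
# Disable direct root password login; administrators use sudo instead
sudo passwd -l root
# Review sudo usage. Logs are in /var/log/auth.log (Debian) or /var/log/secure (RHEL);
# on systemd hosts the same records are available via: sudo journalctl _COMM=sudo
sudo grep sudo /var/log/auth.log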
Password Policies
Setting Password Requirements
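# Edit the password policy. sudoedit opens a copy in an unprivileged editor and
# installs it as root afterwards, instead of running the whole editor as root.
sudoedit /etc/login.defs
# Key settings (file contents). The aging values are only applied to accounts
# created afterwards; existing accounts keep theirs until changed with chage.
PASS_MAX_DAYS 90 # Maximum password age
PASS_MIN_DAYS 0 # Minimum password age
PASS_MIN_LEN 8 # Minimum password length; typically ignored on PAM-based systems, set minlen in pwquality.conf instead
PASS_WARN_AGE 7 # Warning days before expiry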
Using pam_pwquality
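# Install (Debian/Ubuntu); the package should register itself in the PAM password stack
sudo apt install libpam-pwquality
# Configure (sudoedit edits as your user and installs the result as root)
sudoedit /etc/security/pwquality.conf
# Example settings (file contents). A negative credit value means
# "at least that many characters of the class are required".
minlen = 12 # Minimum length
dcredit = -1 # At least 1 digit
ucredit = -1 # At least 1 uppercase
lcredit = -1 # At least 1 lowercase
ocredit = -1 # At least 1 symbol
# root is exempt from these checks unless enforce_for_root is set in the same file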
Password Aging
# The password must be changed at least every 90 days
sudo chage --maxdays 90 username
# At least 2 days between changes (blocks cycling straight back to an old password)
sudo chage --mindays 2 username
# Start warning 7 days before expiry
sudo chage --warndays 7 username
# Disable the whole account on this date (YYYY-MM-DD)
sudo chage --expiredate 2025-12-31 username
# Mark the password as already expired so the next login demands a new one
sudo chage --lastday 0 username
# Review the aging settings
sudo chage --list username
User Session Management
Managing Logged-In Users
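# Who is logged in right now
who
w
# Login history for one user (reads /var/log/wtmp)
last username
# Failed login attempts (reads /var/log/btmp, which only root can read)
sudo lastb
# Broadcast a message to every logged-in user
sudo wall "System maintenance in 10 minutes"
# Terminate all of a user's processes: TERM first, KILL only for what survives
sudo pkill -u username
sudo pkill -9 -u username # Force kill (last resort)
# Disable logins temporarily
sudo usermod -L username # locks the password hash only; SSH key logins still work
sudo chage -E 0 username # expires the account: blocks every PAM login; undo with chage -E -1
sudo usermod -s /sbin/nologin username # Debian/Ubuntu ship it as /usr/sbin/nologin; check with: command -v nologin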
Common Use Cases
Creating Developer Account
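# Create the account with the groups a developer needs.
# NOTE: both docker (daemon socket access) and sudo are root-equivalent on this host;
# grant them only where that is intended.
sudo useradd -m -s /bin/bash -G docker,sudo -c "Developer Account" devuser
sudo passwd devuser
# Set up SSH key access. install -d creates ~/.ssh already owned by the user with
# mode 700, so there is no window in which it exists with default permissions.
sudo -u devuser install -d -m 700 /home/devuser/.ssh
# Add the public key to /home/devuser/.ssh/authorized_keys; sshd requires the file
# to be owned by the user and not writable by anyone else (mode 600 is the safe choice):
# sudo -u devuser install -m 600 /path/to/key.pub /home/devuser/.ssh/authorized_keys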
Service Account Creation
# --system: UID from the reserved system range, no password aging, and no home directory created
sudo useradd --system --shell /sbin/nologin --home-dir /opt/appname appuser
# So the application directory has to be created by hand and handed to the service user
sudo mkdir --parents /opt/appname
# The appuser group exists only if useradd created one alongside the user (USERGROUPS_ENAB);
# otherwise add --user-group above. A compromised service can rewrite anything it owns,
# so consider limiting this chown to the directories the service must actually write.
sudo chown --recursive appuser:appuser /opt/appname
Team Setup
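# Group for the team
sudo groupadd developers
# Members; each account starts with a locked password until one is set with passwd
sudo useradd -m -G developers alice
sudo useradd -m -G developers bob
sudo useradd -m -G developers charlie
# Shared project directory; -p also creates /projects if it does not exist yet
sudo mkdir -p /projects/team-project
sudo chgrp developers /projects/team-project
# 2775: the setgid bit makes new files inherit the developers group.
# Use 2770 instead if users outside the team should have no access at all.
sudo chmod 2775 /projects/team-project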
Troubleshooting
User Cannot Login
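# Locked? (L = locked, NP = no password, P = usable password)
sudo passwd -S username
# Account or password expired?
sudo chage -l username
# Exact account lookup (also covers LDAP/SSSD users); a shell of nologin or /bin/false refuses interactive logins
getent passwd username
# The home directory must exist and be owned by the user
ls -ld /home/username
# Watch authentication events live (RHEL: /var/log/secure; systemd hosts: journalctl -f -u ssh, or -u sshd)
sudo tail -f /var/log/auth.log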
Permission Issues
# Confirm the memberships you expect
groups username
id username
# Group changes only reach new sessions: start a fresh login shell as the user (or log out and in)
sudo --login --user=username
# Owner, group and mode of the file in question
ls -l filename
# Restore ownership of a home directory (e.g. after a UID change or a restore from backup)
sudo chown --recursive username:username /home/username
Quick Reference
Essential Commands
# New account with a home directory, then set its password
sudo useradd --create-home username
sudo passwd username
# Administrative rights (Debian/Ubuntu group name; RHEL uses wheel)
sudo usermod --append --groups sudo username
# New group
sudo groupadd groupname
# Add a member to a group
sudo usermod --append --groups groupname username
# Remove an account together with its home directory
sudo userdel --remove username
# Inspect an account
id username
groups username
getent passwd username
# Passwords
passwd # Change own password
sudo passwd username # Change user password
sudo chage --list username # View password info
# Sessions
who # Logged in users
last # Login history
sudo pkill -u username # Kill user sessions