🚀 Update your knowledge with this new Linux Blog Post
Managing users and groups is a fundamental skill for anyone working with Linux — from sysadmins to DevOps engineers.
In my latest post, I walk through the essential commands for adding, modifying, and deleting users and groups, with real-world examples and pro tips for safer account handling (like disabling login access properly).
Introduction
Managing users and groups is one of the fundamental responsibilities of Linux system administration. Whether you’re setting up a personal workstation or managing a server with multiple users, understanding how Linux handles user accounts and group permissions is essential for maintaining system security and organization. This guide covers the core concepts, commands, and best practices for effective user and group management in Linux environments.
Linux’s multi-user nature allows multiple users to access the system simultaneously, with each user having specific permissions and restrictions. This design offers both security and flexibility through a robust permission system built around users and groups.
Essential Commands for User Management
Creating Users
# Create a new user
sudo useradd username
# Create a user with specific settings
sudo useradd -m -d /home/customhome -s /bin/bash -c "Full Name" username
# Add a user with a specific user ID
sudo useradd -u 1500 usernameModifying User Accounts
# Change a user's home directory
sudo usermod -d /new/home/dir username
# Change a user's shell
sudo usermod -s /bin/zsh username
# Change a user's UID
sudo usermod -u 1001 username
# Add a user to additional groups
sudo usermod -aG group1,group2 username
Managing Passwords
# Set or change a user's password
sudo passwd username
# Set password expiration information
sudo chage -E 2023-12-31 -m 30 -M 90 -W 7 usernameDisabling User Accounts
# Method 1: Lock the user's password
sudo passwd -l username
# Method 2: Set the account expiration date to a past date
sudo usermod -e 1970-01-01 username
# OR
sudo chage -E 0 username
# Method 3: Change the user's shell to nologin
sudo usermod -s /usr/sbin/nologin username
# OR
sudo usermod -s /bin/false username
# Method 4: Combine multiple approaches for stronger security
sudo passwd -l username && \
sudo usermod -s /usr/sbin/nologin username && \
sudo chage -E 0 username
# Verify account status
sudo chage -l usernameRe-enabling Disabled Accounts
# Check the current state of the account
sudo chage -l username
sudo grep "^username:" /etc/passwd
sudo passwd -S username
# Step 1: Unlock the password if it was locked
sudo passwd -u username
# Step 2: Reset account expiration (remove expiry or set to future date)
sudo chage -E -1 username # No expiration
# OR
sudo usermod -e "" username # No expiration
# OR set to a future date
sudo chage -E $(date -d "+1 year" +%Y-%m-%d) username
# Step 3: Restore the original shell if it was changed
sudo usermod -s /bin/bash username # For bash users
# OR
sudo usermod -s /bin/zsh username # For zsh users
# Check default shell in /etc/default/useradd if unsure
# Step 4: Reset the password if necessary
sudo passwd username
# Step 5: Verify the changes
sudo chage -l username
sudo passwd -S username
getent passwd usernameDeleting Users
# Delete a user
sudo userdel username
# Delete a user and their home directory
sudo userdel -r usernameGroup Management Commands
Creating and Modifying Groups
# Create a new group
sudo groupadd groupname
# Create a group with specific GID
sudo groupadd -g 1500 groupname
# Change a group's name
sudo groupmod -n newname oldname
# Change a group's GID
sudo groupmod -g 1600 groupnameManaging Group Membership
# Add a user to a group
sudo gpasswd -a username groupname
# Remove a user from a group
sudo gpasswd -d username groupname
# Set a list of users as members of a group
sudo gpasswd -M user1,user2,user3 groupnameDeleting Groups
# Delete a group
sudo groupdel groupnameUser and Group Information Commands
# Display user information
id username
# Show current user's groups
groups
# Show groups for a specific user
groups username
# List all users
cat /etc/passwd
# Find a specific user
grep '^username:' /etc/passwd
# List all groups
cat /etc/group
# Who is currently logged in
who
# Show detailed information about users logged in
wPractical Use Cases with Hands-on Examples
# Create a group for the team
sudo groupadd developers
# Add users to the group
sudo gpasswd -a alex developers
sudo gpasswd -a sam developers
sudo gpasswd -a taylor developers
# Create a shared directory
sudo mkdir -p /opt/projects/team-project
# Set group ownership
sudo chgrp developers /opt/projects/team-project
# Set directory permissions with SGID bit
sudo chmod 2775 /opt/projects/team-projectThe SGID bit (2) ensures that all files created in this directory inherit the group ownership, making collaboration seamless.
Setting Up a System Service Account
# Create a system user without login privileges
sudo useradd -r -s /usr/sbin/nologin -d /opt/appservice svcappuser1
# Create app directories
sudo mkdir -p /opt/appservice/data
# Set proper ownership
sudo chown -R appuser:appuser /opt/appserviceThis creates a service account that applications can run under, enhancing security by isolating service processes.
Setting Up a User for Contractor Account
# Step 1: Create the user account with basic settings
sudo useradd -m -s /bin/bash -c "Contractor - Expires Dec 2025" contractor_name
# Step 2: Set initial password
sudo passwd contractor_name
# Step 3: Configure all password and account expiration policies
sudo chage -E 2025-12-31 -M 90 -m 30 -W 7 contractor_nameLet me break down what this chage command does:
-E 2025-12-31: Sets the account expiration date to December 31, 2025. After this date, the account will be automatically disabled.-M 90: Sets maximum password age to 90 days (force password rotation every 3 months)-m 30: Sets minimum password age to 30 days (prevents changing password more than once in 30 days)-W 7: Sets the warning period to 7 days (warns user 7 days before password expires)
You can verify these settings with:
sudo chage -l contractor_name
Last password change : [current date]
Password expires : [current date + 90 days]
Password inactive : never
Account expires : Dec 31, 2025
Minimum number of days between password change : 30
Maximum number of days between password change : 90
Number of days of warning before password expires : 7Additional security tips:
# Add the contractor to only necessary groups
sudo usermod -aG project_group contractor_name
# Consider setting up a custom login message to
# remind them of the temporary nature of the account
sudo touch /home/contractor_name/.bash_login
echo 'echo "Notice: This is a temporary account expiring on December 31, 2025"' | \
sudo tee -a /home/contractor_name/.bash_login
sudo chown contractor_name:contractor_name /home/contractor_name/.bash_loginImplementing User Quotas
# Install quota tools
sudo apt-get install quota
# Enable quotas in /etc/fstab
# Add usrquota,grpquota to mount options
# Remount filesystem with quota support
sudo mount -o remount /home
# Initialize quota database
sudo quotacheck -cugm /home
# Turn quotas on
sudo quotaon -v /home
# Set quota for a user (soft limit: 5GB, hard limit: 6GB)
sudo setquota -u username 5242880 6291456 0 0 /homeProperly Disabling a User Account Before Deletion
# Step 1: Check for running processes by the user
ps -u username
# Step 2: Lock the password
sudo passwd -l username
# Step 3: Expire the account immediately
sudo chage -E 0 username
# Step 4: Change the shell to prevent login
sudo usermod -s /usr/sbin/nologin username
# Step 5: Remove the user from any sensitive groups (especially sudo)
sudo gpasswd -d username sudo
sudo gpasswd -d username admin
sudo gpasswd -d username wheel
# Step 6: Check for files owned by the user before deletion
sudo find / -user username -ls 2>/dev/null
# Step 7: Consider backing up the user's home directory
sudo tar -czf username-backup-$(date +%Y%m%d).tar.gz /home/username
# Once you've verified it's safe, delete the user account
sudo userdel -r usernameRecovering an Accidentally Disabled Account
# Scenario: Critical user account "dbadmin" was mistakenly disabled
# Step 1: Verify how the account was disabled
sudo passwd -S dbadmin # Check if locked (L flag)
sudo chage -l dbadmin # Check expiration
sudo grep "^dbadmin:" /etc/passwd # Check shell
# Step 2: Comprehensive recovery
sudo passwd -u dbadmin # Unlock password
sudo chage -E -1 dbadmin # Remove expiration
sudo usermod -s /bin/bash dbadmin # Restore shell
sudo usermod -U dbadmin # Alternative way to unlock
# Step 3: Verify original group memberships and restore if needed
# First check what groups the user should be in
sudo grep -E ":[^:]*dbadmin" /etc/group
# or from backups if available
# Then add back to critical groups
sudo usermod -aG sudo,dba,developers dbadmin
# Step 4: Test the account
su - dbadmin # Try to switch to the user
# Check if they can execute their normal tasksThings to Remember
- User and Group IDs: System users typically have UIDs below 1000, while regular users have UIDs 1000 and above. Keep UID/GID assignments consistent across systems for easier file sharing.
- Password Policies: Implement strong password policies using PAM modules and
chagefor password expiration. - Primary vs. Supplementary Groups: Every user has one primary group (specified in /etc/passwd) and can belong to multiple supplementary groups (listed in /etc/group).
- Special Permission Bits: Understand SGID and SUID bits for advanced permission management.
- Home Directory Management: When deleting users, decide whether to keep or remove their home directories based on your data retention policies.
- Backup User Data: Before making significant changes to user accounts, back up important files.
- Sudo Access: Manage administrative privileges carefully using
/etc/sudoersor preferably files in/etc/sudoers.d/. - Name Service Switch: If using centralized authentication (LDAP, NIS, etc.), understand how NSS works via
/etc/nsswitch.conf. - Disabling vs. Deleting: Always disable accounts before deleting them. This provides a grace period to ensure no critical services are disrupted.
- Check for Running Processes: Before disabling or deleting accounts, check for and properly handle any running processes owned by that user.
- Document User Changes: Keep logs of all user account changes, especially for system or service accounts. This documentation is invaluable during troubleshooting.
- Regular Audit: Periodically audit user accounts and group memberships to ensure they align with current access requirements.
Final Thoughts
Effective user and group management is foundational to Linux system administration. By mastering these concepts and commands, you can maintain a secure, organized, and efficient multi-user environment. Remember that user management strategies should evolve with your organization’s needs while maintaining security best practices.
As your systems grow, consider implementing centralized authentication mechanisms like LDAP, Active Directory integration, or FreeIPA for more scalable user management across multiple systems.
Further Reading
- Linux System Administrator’s Guide (Chapter on User Management)
- The Linux Documentation Project: User and Group Administration
- Red Hat/Ubuntu/Debian documentation on user management (specific to your distribution)
- “Linux Administration Handbook” by Evi Nemeth
- “UNIX and Linux System Administration Handbook” by Evi Nemeth et al.
0 Comments